Overview
SpiceDB is a database for managing authorization policies. It is used to store and manage the authorization policies for the Authorization Service in FlowX 5.0's multi-tenant architecture. For more information about SpiceDB, see the SpiceDB documentation.
Prerequisites
Infrastructure
- Kubernetes cluster with admin access
- PostgreSQL database server
- Network connectivity between SpiceDB and FlowX services
FlowX Integration
- FlowX 5.0+ platform components that will integrate with SpiceDB
- CAS client library configuration in all FlowX services
- Proper secret management for authentication
Installation Steps
Step 1: Install SpiceDB Operator
First, install the SpiceDB Operator in your Kubernetes cluster:
Step 2: Create SpiceDB Database
Create a dedicated PostgreSQL database and user for SpiceDB:
SpiceDB requires a dedicated PostgreSQL database. Do not share it with other FlowX services.
Step 3: Create Kubernetes Secret
Create the spicedb secret with the required credentials:
Generate a secure preshared key using:
openssl rand -base64 32
Step 4: Deploy SpiceDBCluster
Create and apply the SpiceDBCluster custom resource:
Step 5: Update FlowX Services
The following services need a cas-lib configuration:
- authorization-service
- application-manager
- authorization-system
- cms-core
- data-sync
- document-plugin
- integration-designer
- notification-plugin
- process-engine
- runtime-manager
- task-management-plugin
Helm values configuration
Add the token reference to your Helm values using extraEnvVarsMultipleSecretsCustomKeys:
This configuration tells Helm to:
- Look for the existing Kubernetes Secret named spicedb (created in Step 3)
- Take the value from the preshared_key key in that secret
- Mount it as the environment variable FLOWX_SPICEDB_TOKEN in FlowX service pods
Token Synchronization: The preshared_key value in the SpiceDB secret must match the FLOWX_SPICEDB_TOKEN in all FlowX microservices.
Verification
Verify your SpiceDB deployment:
1. Check SpiceDB Pods
Ensure SpiceDB pods are running:
2. Test Connectivity
Verify SpiceDB is accessible on port 50051:
3. Check FlowX Integration
Review FlowX service logs for successful SpiceDB connection:
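As an added example that is not part of the FlowX documentation or its tooling, the following Python check covers the Token Synchronization requirement and verification step 3: it decodes preshared_key from a kubectl-style JSON view of the spicedb Secret, compares it with the FLOWX_SPICEDB_TOKEN each FlowX service pod carries, and flags keys shorter than the 32 random bytes the openssl command produces. The Secret contents, service environments and function names are constructed assumptions.

```python
import base64
import binascii
import hmac
from typing import Dict, Optional

MIN_KEY_BYTES = 32  # the `openssl rand -base64 32` recommendation from Step 3

# Constructed sample data (not from a real cluster): a kubectl-style JSON view of the
# spicedb Secret (Step 3) and the environment of three FlowX service pods (Step 5).
GOOD_KEY = base64.b64encode(b"\x01" * MIN_KEY_BYTES).decode()  # stand-in for openssl output
SPICEDB_SECRET = {
    "metadata": {"name": "spicedb"},
    "data": {"preshared_key": base64.b64encode(GOOD_KEY.encode()).decode()},
}
SERVICE_ENV = {
    "authorization-service": {"FLOWX_SPICEDB_TOKEN": GOOD_KEY},
    "process-engine": {"FLOWX_SPICEDB_TOKEN": "stale-key"},  # drifted after a key rotation
    "cms-core": {},  # env var never mounted
}

def decode_secret_value(secret: dict, key: str) -> str:
    """Return the plaintext of one entry in a Kubernetes Secret's base64 `data` map."""
    try:
        return base64.b64decode(secret["data"][key], validate=True).decode()
    except (KeyError, binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"secret has no usable '{key}' entry") from exc

def key_strength_problem(token: str) -> Optional[str]:
    """Flag a preshared key carrying fewer than MIN_KEY_BYTES bytes of random input."""
    try:
        raw = base64.b64decode(token, validate=True)
    except binascii.Error:
        raw = token.encode()  # not base64 at all: judge the literal string length
    if len(raw) < MIN_KEY_BYTES:
        return f"preshared key is {len(raw)} bytes, expected at least {MIN_KEY_BYTES}"
    return None

def token_sync_report(secret: dict, pods: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map each service whose FLOWX_SPICEDB_TOKEN is missing or differs from the
    Secret's preshared_key to a description of the problem; empty means in sync."""
    expected = decode_secret_value(secret, "preshared_key").encode()
    problems = {}
    for service, env in pods.items():
        token = env.get("FLOWX_SPICEDB_TOKEN")
        if token is None:
            problems[service] = "FLOWX_SPICEDB_TOKEN not set"
        elif not hmac.compare_digest(token.encode(), expected):  # constant-time compare
            problems[service] = "FLOWX_SPICEDB_TOKEN differs from spicedb/preshared_key"
    return problems
```

In a real cluster the two inputs would come from kubectl get secret spicedb -o json and the env section of each service's pod spec; an empty report means every service listed in Step 5 is in sync with the Secret.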
Configuration reference
Required environment variables
| Variable | Required | Description | Default Value | Notes |
|---|---|---|---|---|
| SPICEDB_DATASTORE_ENGINE | Yes | Database engine type | postgres | Only PostgreSQL is supported in FlowX |
| SPICEDB_DATASTORE_CONN_URI | Yes | PostgreSQL connection string | postgres://postgres:password@postgresql:5432/spicedb?sslmode=disable | Use a Kubernetes Secret; include sslmode=disable for internal cluster communication |
| SPICEDB_GRPC_PRESHARED_KEY | Yes | Pre-shared key for gRPC authentication | your-secure-key-here | This becomes FLOWX_SPICEDB_TOKEN in FlowX services |
Optional configuration
| Variable | Required | Description | Default Value | Notes |
|---|---|---|---|---|
| SPICEDB_DISPATCH_CLUSTER_ENABLED | Optional | Enable cluster mode for multiple replicas | true | Required for production deployments with multiple replicas |
| SPICEDB_LOG_LEVEL | Optional | Logging verbosity level | debug | Use debug for troubleshooting, info for production |
Customer-specific configuration
Required Customization: These values must be updated for each deployment environment.
- Database Connection: Update datastore_uri with your PostgreSQL credentials and hostname
- Security Token: Generate a unique preshared_key for your deployment