Skip to main content
This guide provides a comprehensive reference for configuring the FlowX Admin microservice using environment variables and configuration files.

Infrastructure prerequisites

Before setting up the Admin microservice, ensure the following components are properly set up:
  • Database Instance: The Admin microservice connects to the same database as the FlowX.AI Engine.
  • MongoDB: For additional data management.
  • Redis: For caching and transient data storage.
  • Kafka: For audit logs, events, and messaging (if using FlowX.AI Audit functionality).

Core configuration

Server configuration


Database configuration

The Admin microservice connects to the same PostgreSQL or Oracle database as the FlowX.AI Engine for storing process definitions.
You will need to make sure that the user, password, connection link and database name are configured correctly, otherwise, you will receive errors at start time.
The database schema is managed by a Liquibase script provided with the Engine.

MongoDB configuration

The Admin microservice also connects to a MongoDB database instance for additional data management.
Ensure that the MongoDB configuration is compatible with the same database requirements as the FlowX.AI Engine, especially if sharing database instances.

Redis and caching configuration

Admin Service uses Redis for caching and storing transient data. Configure Redis connection using the standard Redis environment variables. Quick reference:
Both SPRING_DATA_REDIS_* and SPRING_REDIS_* variable prefixes are supported. The SPRING_DATA_REDIS_* prefix is the modern Spring Boot standard and is recommended for new deployments.
For advanced Redis deployment modes (Sentinel, Cluster) and SSL/TLS setup, see the Redis Configuration guide. Note that Sentinel and Cluster modes are only supported by the Events Gateway service.

Kafka configuration

The Admin microservice uses Kafka for sending audit logs, managing scheduled timer events, platform component versions, and start timer event updates.

General Kafka settings

Kafka producer configuration

Kafka consumer configuration

Topic naming configuration

Kafka topics configuration

Application topics

Audit topics

Platform Topics

Events gateway topics

Build topics

Resource topics

OAuth authentication for Kafka

When using the kafka-auth profile, the following variables configure OAuth for Kafka:
When using the kafka-auth profile, the security protocol will automatically be set to SASL_PLAINTEXT and the SASL mechanism will be set to OAUTHBEARER.

CAS lib configuration


Logging configuration

The FlowX Admin microservice provides granular control over logging levels for different components:

Changing log levels at runtime

You can adjust log levels dynamically without restarting the service using Spring Boot Actuator endpoints. This is particularly useful for troubleshooting and debugging in production environments. Example: Change log level for a specific package
Common logger packages:
  • ai.flowx.admin - Application-specific logs
  • org.springframework - Spring Framework logs
  • org.mongodb.driver - MongoDB driver logs
  • org.apache.kafka - Kafka client logs
Available log levels: TRACE, DEBUG, INFO, WARN, ERROR, OFF
Using DEBUG or TRACE log levels in production may impact performance and generate large log volumes. Revert to INFO or WARN after troubleshooting is complete.

Localization settings


Health monitoring

Platform health configuration


Multi-edit and undo/redo configuration


Resources usage configuration


Authentication and Authorization Configuration

The FlowX Admin microservice supports authentication and authorization through OpenID Connect (with Keycloak as the default provider) and allows detailed role-based access control.

Security type

Service account configuration

The Admin service authenticates to other FlowX services with a dedicated service account (the mainIdentity client registration) in the service-accounts realm:
Upgrading from 5.1.x? Remove the legacy opaque-token env vars: SECURITY_OAUTH2_REALM, SECURITY_OAUTH2_CLIENT_CLIENTID, SECURITY_OAUTH2_CLIENT_CLIENTSECRET, and SECURITY_OAUTH2_SERVICEACCOUNT_ADMIN_*. These belong to the removed introspection model and prevent the service from starting on 5.9.x. The OPENID_PROVIDER / OPENID_KEYCLOAK_* / OPENID_ENTRA_* identity-provider block was also removed from the Admin service in 5.9.0. See the authentication and IAM migration guide for the full list.
When deploying with the FlowX Helm chart, SECURITY_OAUTH2_BASESERVERURL is supplied through the chart value flowx.keycloak.baseServerUrl and the service-account client secrets are injected from the chart-managed Keycloak secret. The remaining values ship as image defaults.

Designer authentication client

The role-based access control is configured in the application YAML and grants specific permissions for platform management, user management, process management, integrations management, and configuration management.

Ingress and CORS

The Admin service is exposed externally on the admin host. Routing is configured through the FlowX Helm chart, which renders either a Kubernetes Ingress (default) or a Gateway API HTTPRoute per service. CORS handling lives in the service code; only the allowed-origins list is deployment-specific.

Service route

The path is set through services.admin.ingress.admin.path (or services.admin.gateway.admin.paths) in the chart values. Override only if you serve FlowX Admin under a different prefix.

CORS configuration

Allowed methods, allowed headers (including Authorization, Content-Type, Fx-Workspace-Id), and credential handling are baked into the service’s application.yaml with safe defaults. Override these only if you have a non-standard requirement. For the complete route reference, Gateway API HTTPRoute configuration, and route customization, see the ingress configuration guide.
In production environments, never use the default service account credentials. Always configure secure, environment-specific credentials for authentication.
Sensitive information such as passwords and client secrets should be managed securely using environment variables or a secrets management solution in production environments.

Troubleshooting

Common issues

Symptoms: Service crashes on startup or fails health checks.Solutions:
  1. Verify PostgreSQL connection parameters (SPRING_DATASOURCE_URL, credentials) are correct and the database is reachable
  2. Check that MongoDB is running and the connection URI is valid
  3. Ensure Kafka brokers are accessible at the configured SPRING_KAFKA_BOOTSTRAPSERVERS address
  4. Review startup logs for specific error messages indicating which dependency is unavailable
Symptoms: Import/export operations fail with permission or authentication errors.Solutions:
  1. Verify the Keycloak service account has the required roles for import/export operations
  2. Check that SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_MAINIDENTITY_CLIENTID and SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_MAINIDENTITY_CLIENTSECRET are configured correctly
  3. Ensure the service account has canImport access rights in the target workspace
  4. Confirm the target application version is in a WIP state
Symptoms: Creating a build returns errors or times out.Solutions:
  1. Check connectivity between Admin and the application-manager service
  2. Verify that the Kafka topics for build operations (KAFKA_TOPIC_BUILD_RUNTIMEDATA) are created and accessible
  3. Ensure version compatibility between Admin and application-manager services
  4. Review Kafka consumer group lag for build-related topics
Symptoms: Designer interface fails to render or returns blank pages.Solutions:
  1. Verify the Designer service is running and healthy
  2. Check ingress configuration β€” ensure the Admin ingress (admin-admin) is correctly routing traffic
  3. Review CORS settings in the Ingress Configuration Guide
  4. Confirm that the Fx-Workspace-Id header is being passed correctly through the ingress

Configuring an IAM Solution

Identity and access management setup for Keycloak and Microsoft Entra ID

Redis Configuration

Complete Redis setup including Sentinel and Cluster modes

Ingress Configuration

Centralized ingress guide with CORS configuration and best practices
Last modified on June 25, 2026