Skip to main content
The Application Manager is a backend microservice in FlowX.AI that: βœ… Manages FlowX applications, versions, manifests, and configurations.
βœ… Acts as a proxy for front-end resource requests.

Infrastructure prerequisites

Before you start setting up the Application Manager service, ensure the following infrastructure components are in place:
Ensure that the database for storing application data is properly set up and configured before starting the service.

Dependencies

The Application Manager relies on other FlowX services and components to function properly:

Core configuration environment variables

Basic service configuration

Database configuration

PostgreSQL configuration

MongoDB configuration

The Application Manager requires MongoDB to store runtime build information. Use the following environment variables for configuration:

Redis configuration

Application Manager uses Redis for caching when required. Configure Redis connection using the standard Redis environment variables. Quick reference:
Both SPRING_DATA_REDIS_* and SPRING_REDIS_* variable prefixes are supported. The SPRING_DATA_REDIS_* prefix is the modern Spring Boot standard and is recommended for new deployments.
For advanced Redis deployment modes (Sentinel, Cluster) and SSL/TLS setup, see the Redis Configuration guide. Note that Sentinel and Cluster modes are only supported by the Events Gateway service.

Kafka configuration

Kafka connection and security variables

Kafka producer configuration

OAuth authentication variables (when using SASL_PLAINTEXT)

When using the kafka-auth profile, the security protocol will automatically be set to SASL_PLAINTEXT and the SASL mechanism will be set to OAUTHBEARER.

Kafka consumer configuration

Kafka consumer threads configuration

Topic naming convention and pattern creation

The Application Manager uses a sophisticated topic naming convention that follows a structured pattern. This ensures consistency across environments and makes topics easily identifiable.

Topic naming components

Topic pattern creation

Topics are constructed using the following pattern:
For example, a typical topic might look like:
Where:
  • ai.flowx is the prefix (package + environment)
  • application-version is the service
  • export is the action
  • .v1 is the suffix (version)
For more complex topics, additional components are added:
Where:
  • resources-usages represents the resource type
  • sub-res-validation represents the operation type
  • response indicates it’s a response message

Kafka topic configuration

Application resource topics

Build resource topics

Process topics

Other topics

These Kafka topics use predefined naming conventions for ease of use. Optional adjustments may be made if the desired topic name cannot be achieved with the standard structure.

Authentication configuration

Security type

Service account configuration

The Application Manager and the Runtime Manager are built from the same artifact and share the flowx-runtime-manager-sa service account, which is why the default client ID here is not flowx-application-manager-sa.
Upgrading from 5.1.x? Remove the legacy opaque-token env vars: SECURITY_OAUTH2_REALM, SECURITY_OAUTH2_CLIENT_CLIENTID, SECURITY_OAUTH2_CLIENT_CLIENTSECRET, and SECURITY_OAUTH2_SERVICEACCOUNT_ADMIN_*. These belong to the removed introspection model and prevent the service from starting on 5.9.x. See the authentication and IAM migration guide for the full list.
Refer to the dedicated section for configuring user roles and access rights:

Access Management

File storage configuration

S3 is used in the Application Manager for:
  • Storing imported and exported resources
  • Storing application versions and builds that are imported or exported

Monitoring and health check configuration

Resource proxy configuration

The Resource Proxy module forwards resource-related requests to appropriate services, handling CRUD operations on the manifest. It requires proper configuration of proxy endpoints:
FLOWX_RUNTIMEEXECUTIONPROXY_WEBCLIENT_MAXINMEMORYSIZE - Specifies the maximum size (in bytes) of in-memory data for REST requests. This is particularly useful when dealing with large payloads to prevent excessive memory consumption.
  • Default Value: 5242880 (5 MB)
  • Usage Example: Set to 10485760 (10 MB) to allow larger in-memory request sizes.

Proxy connection merge configuration

Configuration for how proxy connection resources are handled during application merges (import, export, conflict resolution).

Scheduler configuration

The Application Manager scheduler supports retrying failed deployments:

Retry failed deployments

Configures a cron job to retry updating builds in the runtime database every minute when previous attempts have failed.

Configuring logging

To control the logging levels for the Application Manager, use the following environment variables:

CAS lib configuration

Data model overview

The Application Manager stores application data using a relational database schema, with key entities such as application, application_version, and application_manifest. Below are descriptions of primary entities:
  • Application - Defines an application with its details like name, type, and metadata.
  • Application Branch - Represents branches for versioning within an application.
  • Application Version - Keeps track of each version of an application, including committed and WIP statuses.
  • Application Manifest - Contains the list of resources associated with a specific application version.

Ingress and CORS

The Application Manager service is exposed externally on the admin host. Routing is configured through the FlowX Helm chart, which renders either a Kubernetes Ingress (default) or a Gateway API HTTPRoute per service. CORS handling lives in the service code; only the allowed-origins list is deployment-specific.

Service route

The path is set through services.application-manager.ingress.admin.path (or services.application-manager.gateway.admin.paths) in the chart values. The chart also applies nginx.ingress.kubernetes.io/proxy-body-size: 50m by default to allow larger application-manifest uploads β€” adjust the annotation if you need a different limit.

CORS configuration

Allowed methods, allowed headers (including Authorization, Content-Type, Fx-Workspace-Id), and credential handling are baked into the service’s application.yaml with safe defaults. Override these only if you have a non-standard requirement. For the complete route reference, Gateway API HTTPRoute configuration, and route customization, see the ingress configuration guide.
Last modified on June 10, 2026