
# Application Manager setup

> Set up the Application Manager backend microservice for managing FlowX apps, libraries, versions, manifests, and builds.

The Application Manager is a backend microservice in FlowX.AI that:

✅ Manages FlowX applications, versions, manifests, and configurations.\
✅ Acts as a proxy for front-end resource requests.

## Infrastructure prerequisites

Before you start setting up the Application Manager service, ensure the following infrastructure components are in place:

| Component     | Purpose                    |
| ------------- | -------------------------- |
| PostgreSQL    | Storing application data   |
| MongoDB       | Managing runtime builds    |
| Redis         | Caching needs              |
| Kafka         | Event-driven communication |
| OAuth2 Server | Authentication             |

<Info>
  Ensure that the database for storing application data is properly set up and configured before starting the service.
</Info>

## Dependencies

The Application Manager relies on other FlowX services and components to function properly:

* [**Database configuration**](#database-configuration): For storing application details, manifests, and configurations.
* [**Authorization & Access Management**](#authentication-configuration): For securing access to resources and managing roles.
* [**Kafka Event Bus**](#kafka-configuration): For enabling event-driven operations.
* [**Resource Proxy**](#resource-proxy-configuration): To forward resource-related requests to appropriate services.

## Core configuration environment variables

### Basic service configuration

| Environment Variable         | Description                | Default Value        |
| ---------------------------- | -------------------------- | -------------------- |
| `MULTIPART_MAX_FILE_SIZE`    | Maximum file upload size   | `25MB`               |
| `MULTIPART_MAX_REQUEST_SIZE` | Maximum request size       | `25MB`               |
| `LOGGING_CONFIG_FILE`        | Logging configuration file | `logback-spring.xml` |

### Database configuration

#### PostgreSQL configuration

| Environment Variable                | Description         | Default Value                                   |
| ----------------------------------- | ------------------- | ----------------------------------------------- |
| `SPRING_DATASOURCE_URL`             | PostgreSQL JDBC URL | `jdbc:postgresql://postgresql:5432/app_manager` |
| `SPRING_DATASOURCE_USERNAME`        | Database username   | `flowx`                                         |
| `SPRING_DATASOURCE_PASSWORD`        | Database password   | `password`                                      |
| `SPRING_DATASOURCE_DRIVERCLASSNAME` | JDBC driver class   | `org.postgresql.Driver`                         |

#### MongoDB configuration

The Application Manager requires MongoDB to store runtime build information. Use the following environment variables for configuration:

| Environment Variable          | Description                            | Default Value                                                                                                                                                                  |
| ----------------------------- | -------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `SPRING_DATA_MONGODB_URI`     | MongoDB connection URI                 | `mongodb://${DB_USERNAME}:${DB_PASSWORD}@mongodb-0.mongodb-headless,mongodb-1.mongodb-headless,mongodb-arbiter-0.mongodb-arbiter-headless:27017/app-runtime?retryWrites=false` |
| `DB_USERNAME`                 | MongoDB username                       | `app-runtime`                                                                                                                                                                  |
| `DB_PASSWORD`                 | MongoDB password                       | `password`                                                                                                                                                                     |
| `SPRING_DATA_MONGODB_STORAGE` | Storage type (Azure environments only) | `mongodb` (alternative: `cosmosdb`)                                                                                                                                            |

## Redis configuration

The Application Manager uses Redis for caching when required. Configure the Redis connection using the standard Redis environment variables.

**Quick reference:**

| Environment Variable         | Description                   | Example Value | Status          |
| ---------------------------- | ----------------------------- | ------------- | --------------- |
| `SPRING_DATA_REDIS_HOST`     | Redis server hostname         | `localhost`   | **Recommended** |
| `SPRING_DATA_REDIS_PORT`     | Redis server port             | `6379`        | **Recommended** |
| `SPRING_DATA_REDIS_PASSWORD` | Redis authentication password | -             | **Recommended** |
| `REDIS_TTL`                  | Cache TTL in milliseconds     | `5000000`     | Optional        |

<Info>
  Both `SPRING_DATA_REDIS_*` and `SPRING_REDIS_*` variable prefixes are supported. The `SPRING_DATA_REDIS_*` prefix is the modern Spring Boot standard and is recommended for new deployments.
</Info>

<Info>
  For advanced Redis deployment modes (Sentinel, Cluster) and SSL/TLS setup, see the [Redis Configuration](/5.1/setup-guides/redis-configuration) guide. Note that Sentinel and Cluster modes are only supported by the Events Gateway service.
</Info>

## Kafka configuration

### Kafka connection and security variables

| Environment Variable             | Description            | Default Value                      |
| -------------------------------- | ---------------------- | ---------------------------------- |
| `SPRING_KAFKA_BOOTSTRAPSERVERS`  | Kafka broker addresses | `kafka-flowx-kafka-bootstrap:9092` |
| `SPRING_KAFKA_SECURITY_PROTOCOL` | Security protocol      | `PLAINTEXT`                        |
| `KAFKA_MESSAGE_MAX_BYTES`        | Maximum message size   | `52428800` (50MB)                  |
| `FLOWX_KAFKA_PAYLOADSIZELIMIT`   | Payload size limit     | `512000` (500KB)                   |

### Kafka producer configuration

| Environment Variable                                | Description          | Default Value                                            |
| --------------------------------------------------- | -------------------- | -------------------------------------------------------- |
| `SPRING_KAFKA_PRODUCER_KEYSERIALIZER`               | Key serializer class | `org.apache.kafka.common.serialization.StringSerializer` |
| `SPRING_KAFKA_PRODUCER_PROPERTIES_MAX_REQUEST_SIZE` | Maximum request size | `52428800` (50MB)                                        |

### OAuth authentication variables (when using `SASL_PLAINTEXT`)

| Environment Variable             | Description          | Default Value          |
| -------------------------------- | -------------------- | ---------------------- |
| `KAFKA_OAUTH_CLIENT_ID`          | OAuth client ID      | `kafka`                |
| `KAFKA_OAUTH_CLIENT_SECRET`      | OAuth client secret  | `kafka-secret`         |
| `KAFKA_OAUTH_TOKEN_ENDPOINT_URI` | OAuth token endpoint | `kafka.auth.localhost` |

<Info>
  When using the `kafka-auth` profile, the security protocol will automatically be set to `SASL_PLAINTEXT` and the SASL mechanism will be set to `OAUTHBEARER`.
</Info>

### Kafka consumer configuration

| Environment Variable                                                     | Description                                   | Default Value                              |
| ------------------------------------------------------------------------ | --------------------------------------------- | ------------------------------------------ |
| `KAFKA_CONSUMER_GROUPID_APPLICATION_RESOURCE_EXPORT`                     | Application export consumer group             | `app-resource-export-group`                |
| `KAFKA_CONSUMER_GROUPID_APPLICATION_RESOURCE_IMPORT`                     | Application import consumer group             | `app-resource-import-group`                |
| `KAFKA_CONSUMER_GROUPID_APPLICATION_RESOURCE_USAGES`                     | Resource usages consumer group                | `app-resource-usages-group`                |
| `KAFKA_CONSUMER_GROUPID_APPLICATION_RESOURCE_RESELEMUSAGEVALIDATIONRESP` | Resource element validation group             | `app-resource-elem-usage-validation-resp`  |
| `KAFKA_CONSUMER_GROUPID_APPLICATION_RESOURCE_COPY`                       | Resource copy consumer group                  | `app-resource-copy-group`                  |
| `KAFKA_CONSUMER_GROUPID_APPLICATION_RESOURCE_SYNC`                       | Resource sync consumer group                  | `app-resource-sync-group`                  |
| `KAFKA_CONSUMER_GROUPID_APPLICATION_RESOURCE_UPDATEPROPAGATION`          | Resource update propagation consumer group    | `app-resource-update-propagation-group`    |
| `KAFKA_CONSUMER_GROUPID_APPLICATION_CORRECTIONAFTERAPPOPERATION`         | Correction after app operation consumer group | `app-correction-after-app-operation-group` |
| `KAFKA_CONSUMER_GROUPID_APPLICATION_MERGE`                               | Application merge consumer group              | `app-merge-item-group`                     |
| `KAFKA_CONSUMER_GROUPID_BUILD_CREATE`                                    | Build create consumer group                   | `build-create-group`                       |
| `KAFKA_CONSUMER_GROUPID_BUILD_UPDATE`                                    | Build update consumer group                   | `build-update-group`                       |
| `KAFKA_CONSUMER_GROUPID_BUILD_RESOURCE_EXPORT`                           | Build export consumer group                   | `build-resource-export-group`              |
| `KAFKA_CONSUMER_GROUPID_BUILD_RESOURCE_IMPORT`                           | Build import consumer group                   | `build-resource-import-group`              |
| `KAFKA_CONSUMER_GROUPID_BUILD_RUNTIMEDATA`                               | Build runtime data consumer group             | `build-runtime-data-group`                 |
| `KAFKA_CONSUMER_GROUPID_BUILD_STARTTIMEREVENTS_UPDATES`                  | Build timer events updates consumer           | `build-start-timer-events-updates-group`   |
| `KAFKA_CONSUMER_GROUPID_PROCESS_START`                                   | Process start consumer group                  | `process-start-group`                      |
| `KAFKA_AUTH_EXCEPTION_RETRY_INTERVAL`                                    | Auth exception retry interval (seconds)       | `10`                                       |

### Kafka consumer threads configuration

| Environment Variable                                                     | Description                                     | Default Value |
| ------------------------------------------------------------------------ | ----------------------------------------------- | ------------- |
| `KAFKA_CONSUMER_THREADS_APPLICATION_RESOURCE_EXPORT`                     | Application export consumer threads             | `3`           |
| `KAFKA_CONSUMER_THREADS_APPLICATION_RESOURCE_IMPORT`                     | Application import consumer threads             | `3`           |
| `KAFKA_CONSUMER_THREADS_APPLICATION_RESOURCE_USAGES`                     | Resource usages consumer threads                | `3`           |
| `KAFKA_CONSUMER_THREADS_APPLICATION_RESOURCE_RESELEMUSAGEVALIDATIONRESP` | Resource validation response threads            | `3`           |
| `KAFKA_CONSUMER_THREADS_APPLICATION_RESOURCE_COPY`                       | Resource copy consumer threads                  | `3`           |
| `KAFKA_CONSUMER_THREADS_APPLICATION_RESOURCE_SYNC`                       | Resource sync consumer threads                  | `3`           |
| `KAFKA_CONSUMER_THREADS_APPLICATION_UPDATEPROPAGATION`                   | Resource update propagation consumer threads    | `3`           |
| `KAFKA_CONSUMER_THREADS_APPLICATION_MERGE`                               | Application merge consumer threads              | `3`           |
| `KAFKA_CONSUMER_THREADS_APPLICATION_CORRECTIONAFTERAPPOPERATION`         | Correction after app operation consumer threads | `3`           |
| `KAFKA_CONSUMER_THREADS_BUILD_CREATE`                                    | Build create consumer threads                   | `2`           |
| `KAFKA_CONSUMER_THREADS_BUILD_UPDATE`                                    | Build update consumer threads                   | `4`           |
| `KAFKA_CONSUMER_THREADS_BUILD_RUNTIMEDATA`                               | Build runtime data consumer threads             | `2`           |
| `KAFKA_CONSUMER_THREADS_BUILD_RESOURCE_EXPORT`                           | Build export consumer threads                   | `3`           |
| `KAFKA_CONSUMER_THREADS_BUILD_RESOURCE_IMPORT`                           | Build import consumer threads                   | `3`           |
| `KAFKA_CONSUMER_THREADS_BUILD_STARTTIMEREVENTS_UPDATES`                  | Build timer events updates consumer threads     | `3`           |

### Topic naming convention and pattern creation

The Application Manager builds Kafka topic names from a structured pattern. This keeps names consistent across environments and makes topics easy to identify.

### Topic naming components

| Component     | Default Value                                                    | Environment Variable             | Description                           |
| ------------- | ---------------------------------------------------------------- | -------------------------------- | ------------------------------------- |
| `package`     | `ai.flowx.`                                                      | `KAFKA_TOPIC_NAMING_PACKAGE`     | Base package identifier               |
| `environment` | ` `                                                              | `KAFKA_TOPIC_NAMING_ENVIRONMENT` | Deployment environment                |
| `version`     | `.v1`                                                            | `KAFKA_TOPIC_NAMING_VERSION`     | Topic version                         |
| `separator`   | `.`                                                              | `KAFKA_TOPIC_NAMING_SEPARATOR`   | Main separator (referred to as `dot`) |
| `separator2`  | `-`                                                              | `KAFKA_TOPIC_NAMING_SEPARATOR2`  | Secondary separator (as `dash`)       |
| `prefix`      | `${KAFKA_TOPIC_NAMING_PACKAGE}${KAFKA_TOPIC_NAMING_ENVIRONMENT}` | `KAFKA_TOPIC_NAMING_PREFIX`      | Combined `package` and `environment`  |
| `suffix`      | `${KAFKA_TOPIC_NAMING_VERSION}`                                  | `KAFKA_TOPIC_NAMING_SUFFIX`      | The version suffix                    |

### Topic pattern creation

Topics are constructed using the following pattern:

```
{prefix} + service + {separator/dot} + action + {separator/dot} + detail + {suffix}
```

For example, a typical topic might look like:

```
ai.flowx.application-version.export.v1
```

Where:

* `ai.flowx.` is the prefix (package + environment; the environment component is empty by default)
* `application-version` is the service
* `export` is the action
* `.v1` is the suffix (version)

For more complex topics, additional components are added:

```
ai.flowx.application-version.resources-usages.sub-res-validation.response.v1
```

Where:

* `resources-usages` represents the resource type
* `sub-res-validation` represents the operation type
* `response` indicates it's a response message
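
The pattern above, worked through as an added example (not FlowX code): it resolves the naming components from the environment, rebuilds the two topics shown on this page, and lists `KAFKA_TOPIC_*` overrides that fall outside the resolved prefix and suffix. The function names and the `dev.` environment value are assumptions; the example assumes the environment component carries its own trailing separator, as the `ai.flowx.` package default does.

```python
import os

# Defaults copied from the "Topic naming components" table on this page.
COMPONENT_DEFAULTS = {
    "KAFKA_TOPIC_NAMING_PACKAGE": "ai.flowx.",
    "KAFKA_TOPIC_NAMING_ENVIRONMENT": "",
    "KAFKA_TOPIC_NAMING_VERSION": ".v1",
    "KAFKA_TOPIC_NAMING_SEPARATOR": ".",
    "KAFKA_TOPIC_NAMING_SEPARATOR2": "-",
}


def resolve_naming(env=None):
    """Resolve prefix, suffix, dot and dash as the components table defines them."""
    env = os.environ if env is None else env

    def get(key):
        return env.get(key, COMPONENT_DEFAULTS[key])

    package_and_env = get("KAFKA_TOPIC_NAMING_PACKAGE") + get("KAFKA_TOPIC_NAMING_ENVIRONMENT")
    return {
        # prefix and suffix can be overridden directly; otherwise they are derived.
        "prefix": env.get("KAFKA_TOPIC_NAMING_PREFIX", package_and_env),
        "suffix": env.get("KAFKA_TOPIC_NAMING_SUFFIX", get("KAFKA_TOPIC_NAMING_VERSION")),
        "dot": get("KAFKA_TOPIC_NAMING_SEPARATOR"),
        "dash": get("KAFKA_TOPIC_NAMING_SEPARATOR2"),
    }


def build_topic(segments, env=None):
    """segments is a list of word lists, e.g. [["application", "version"], ["export"]].

    Words inside a segment are joined with dash, segments are joined with dot.
    """
    n = resolve_naming(env)
    body = n["dot"].join(n["dash"].join(words) for words in segments)
    return n["prefix"] + body + n["suffix"]


def follows_convention(topic, env=None):
    """True when topic is prefix + non-empty body + suffix for this environment."""
    n = resolve_naming(env)
    body = topic[len(n["prefix"]):len(topic) - len(n["suffix"])]
    return topic.startswith(n["prefix"]) and topic.endswith(n["suffix"]) and bool(body)


def stray_overrides(env=None):
    """Names of KAFKA_TOPIC_* variables whose value leaves the resolved convention."""
    env = os.environ if env is None else env
    return sorted(
        name for name, value in env.items()
        if name.startswith("KAFKA_TOPIC_")
        and not name.startswith("KAFKA_TOPIC_NAMING_")
        and not follows_convention(value, env)
    )


# Constructed sample: a "dev" environment where one override still uses the
# default prefix and therefore points outside the environment's topics.
SAMPLE_ENV = {
    "KAFKA_TOPIC_NAMING_ENVIRONMENT": "dev.",
    "KAFKA_TOPIC_BUILD_UPDATE": "ai.flowx.dev.build.update.v1",
    "KAFKA_TOPIC_BUILD_CREATE": "ai.flowx.build.create.v1",
}

if __name__ == "__main__":
    print(build_topic([["application", "version"], ["export"]], {}))
    print(build_topic([["application", "version"], ["export"]], SAMPLE_ENV))
    print(stray_overrides(SAMPLE_ENV))
```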

### Kafka topic configuration

#### Application resource topics

| Environment Variable                                                                | Description                                                | Default Pattern                                                                            |
| ----------------------------------------------------------------------------------- | ---------------------------------------------------------- | ------------------------------------------------------------------------------------------ |
| `KAFKA_TOPIC_APPLICATION_RESOURCE_EXPORT`                                           | Application resource export topic                          | `ai.flowx.application-version.export.v1`                                                   |
| `KAFKA_TOPIC_APPLICATION_RESOURCE_IMPORT`                                           | Application resource import topic                          | `ai.flowx.application-version.import.v1`                                                   |
| `KAFKA_TOPIC_APPLICATION_RESOURCE_USAGES_IN`                                        | Resource usages in topic                                   | `ai.flowx.application-version.resources-usages.operations.bulk.v1`                         |
| `KAFKA_TOPIC_APPLICATION_RESOURCE_USAGES_OUT`                                       | Resource usages out topic                                  | `ai.flowx.application-version.resources-usages.operations.bulk.v1`                         |
| `KAFKA_TOPIC_APPLICATION_RESOURCE_USAGES_REFRESH`                                   | Resource usages refresh topic                              | `ai.flowx.application-version.resources-usages.refresh.v1`                                 |
| `KAFKA_TOPIC_APPLICATION_RESOURCE_RESELEMUSAGEVALIDATION_RESPONSE`                  | Resource element usage validation response                 | `ai.flowx.application-version.resources-usages.sub-res-validation.response.v1`             |
| `KAFKA_TOPIC_APPLICATION_RESOURCE_RESELEMUSAGEVALIDATION_OUT_INTEGRATION`           | Resource validation integration topic                      | `ai.flowx.application-version.resources-usages.sub-res-validation.request-integration.v1`  |
| `KAFKA_TOPIC_APPLICATION_RESOURCE_RESELEMUSAGEVALIDATION_OUT_CMS`                   | Resource validation CMS topic                              | `ai.flowx.application-version.resources-usages.sub-res-validation.cms.v1`                  |
| `KAFKA_TOPIC_APPLICATION_RESOURCE_COPY`                                             | Resource copy topic                                        | `ai.flowx.application-version.copy-resource.v1`                                            |
| `KAFKA_TOPIC_APPLICATION_MERGE`                                                     | Application merge topic                                    | `ai.flowx.application-version.merge.v1`                                                    |
| `KAFKA_TOPIC_APPLICATION_RESOURCE_CORRECTIONAFTERAPPOPERATION_IN`                   | Correction after app operation response (in)               | `ai.flowx.application-version.correction-after-app-operation.response.v1`                  |
| `KAFKA_TOPIC_APPLICATION_RESOURCE_CORRECTIONAFTERAPPOPERATION_OUT_PROCESS`          | Correction after app operation → process request           | `ai.flowx.application-version.correction-after-app-operation.process.request.v1`           |
| `KAFKA_TOPIC_APPLICATION_RESOURCE_CORRECTIONAFTERAPPOPERATION_OUT_BUSINESSRULE`     | Correction after app operation → business-rule request     | `ai.flowx.application-version.correction-after-app-operation.business-rule.request.v1`     |
| `KAFKA_TOPIC_APPLICATION_RESOURCE_CORRECTIONAFTERAPPOPERATION_OUT_REUSABLETEMPLATE` | Correction after app operation → reusable-template request | `ai.flowx.application-version.correction-after-app-operation.reusable-template.request.v1` |
| `KAFKA_TOPIC_APPLICATION_RESOURCE_CORRECTIONAFTERAPPOPERATION_OUT_SYSTEM`           | Correction after app operation → system request            | `ai.flowx.application-version.correction-after-app-operation.system.request.v1`            |
| `KAFKA_TOPIC_APPLICATION_RESOURCE_CORRECTIONAFTERAPPOPERATION_OUT_WORKFLOW`         | Correction after app operation → workflow request          | `ai.flowx.application-version.correction-after-app-operation.workflow.request.v1`          |
| `KAFKA_TOPIC_APPLICATION_RESOURCE_CORRECTIONAFTERAPPOPERATION_OUT_UIFLOW`           | Correction after app operation → UI flow request           | `ai.flowx.application-version.correction-after-app-operation.ui-flow.request.v1`           |
| `KAFKA_TOPIC_APPLICATION_RESOURCE_SYNC_OUT_PROCESS`                                 | Sync → process (in)                                        | `ai.flowx.application-version.sync.process.in.v1`                                          |
| `KAFKA_TOPIC_APPLICATION_RESOURCE_SYNC_OUT_BUSINESSRULE`                            | Sync → business-rule (in)                                  | `ai.flowx.application-version.sync.business-rule.in.v1`                                    |
| `KAFKA_TOPIC_APPLICATION_RESOURCE_SYNC_OUT_REUSABLETEMPLATE`                        | Sync → reusable-template (in)                              | `ai.flowx.application-version.sync.reusable-template.in.v1`                                |
| `KAFKA_TOPIC_APPLICATION_RESOURCE_SYNC_OUT_SYSTEM`                                  | Sync → system (in)                                         | `ai.flowx.application-version.sync.system.in.v1`                                           |
| `KAFKA_TOPIC_APPLICATION_RESOURCE_SYNC_OUT_WORKFLOW`                                | Sync → workflow (in)                                       | `ai.flowx.application-version.sync.workflow.in.v1`                                         |
| `KAFKA_TOPIC_APPLICATION_RESOURCE_SYNC_OUT_UIFLOW`                                  | Sync → UI flow (in)                                        | `ai.flowx.application-version.sync.ui-flow.in.v1`                                          |
| `KAFKA_TOPIC_APPLICATION_RESOURCE_SYNC_IN`                                          | Sync in (general response channel)                         | `ai.flowx.application-version.sync.out.v1`                                                 |
| `KAFKA_TOPIC_APPLICATION_RESOURCE_UPDATEPROPAGATION`                                | Resource update propagation                                | `ai.flowx.application-version.resource.update.propagation.v1`                              |

#### Build resource topics

| Environment Variable                            | Description                | Default Pattern                                   |
| ----------------------------------------------- | -------------------------- | ------------------------------------------------- |
| `KAFKA_TOPIC_BUILD_UPDATE`                      | Build update topic         | `ai.flowx.build.update.v1`                        |
| `KAFKA_TOPIC_BUILD_CREATE`                      | Build create topic         | `ai.flowx.build.create.v1`                        |
| `KAFKA_TOPIC_BUILD_RESOURCE_EXPORT`             | Build export topic         | `ai.flowx.build.export.v1`                        |
| `KAFKA_TOPIC_BUILD_RESOURCE_IMPORT`             | Build import topic         | `ai.flowx.build.import.v1`                        |
| `KAFKA_TOPIC_BUILD_STARTTIMEREVENTS_IN_UPDATES` | Timer events updates topic | `ai.flowx.build.start-timer-events.updates.in.v1` |
| `KAFKA_TOPIC_BUILD_RUNTIMEDATA`                 | Build runtime data topic   | `ai.flowx.build.runtime-data.v1`                  |

#### Process topics

| Environment Variable                                | Description                     | Default Pattern                                                     |
| --------------------------------------------------- | ------------------------------- | ------------------------------------------------------------------- |
| `KAFKA_TOPIC_PROCESS_STARTFOREVENT_IN`              | Process start for event topic   | `ai.flowx.core.trigger.start-for-event.process.v1`                  |
| `KAFKA_TOPIC_PROCESS_STARTBYNAME_IN`                | Process start by name topic     | `ai.flowx.core.trigger.start-by-name.process.v1`                    |
| `KAFKA_TOPIC_PROCESS_STARTBYNAME_OUT`               | Process start by name out topic | `ai.flowx.engine.receive.core.trigger.start-by-name.process.out.v1` |
| `KAFKA_TOPIC_PROCESS_SCHEDULEDTIMEREVENTS_OUT_SET`  | Set timer schedule topic        | `ai.flowx.core.trigger.set.timer-event-schedule.v1`                 |
| `KAFKA_TOPIC_PROCESS_SCHEDULEDTIMEREVENTS_OUT_STOP` | Stop timer schedule topic       | `ai.flowx.core.trigger.stop.timer-event-schedule.v1`                |

#### Other topics

| Environment Variable                    | Description                   | Default Pattern                                  |
| --------------------------------------- | ----------------------------- | ------------------------------------------------ |
| `KAFKA_TOPIC_AUDIT_OUT`                 | Audit topic                   | `ai.flowx.core.trigger.save.audit.v1`            |
| `KAFKA_TOPIC_EVENTSGATEWAY_OUT_MESSAGE` | Events gateway messages topic | `ai.flowx.eventsgateway.receive.copyresource.v1` |

<Info>
  These Kafka topics use predefined naming conventions for ease of use. Optional adjustments may be made if the desired topic name cannot be achieved with the standard structure.
</Info>

## Authentication configuration

### Security type

| Environment Variable                                      | Description                                                           | Default Value                          |
| --------------------------------------------------------- | --------------------------------------------------------------------- | -------------------------------------- |
| `SECURITY_TYPE`                                           | Token validation mechanism (JWT public key validation)                | `jwt-public-key`                       |
| `SECURITY_OAUTH2_BASESERVERURL`                           | Base URL of the Keycloak server                                       |                                        |
| `SECURITY_OAUTH2_SAREALM`                                 | Service-accounts realm ID                                             | `00000002-0002-4002-8002-000000000002` |
| `FLOWX_LIB_SECURITY_SERVICES_ORGANIZATIONMANAGER_BASEURL` | URL of the organization-manager service, used by the security library | `http://organization-manager:80`       |

### Service account configuration

| Environment Variable                                                        | Description                                                                                                                                           | Default Value                                                                                      |
| --------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------- |
| `SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_MAINIDENTITY_CLIENTID`          | Service account client ID                                                                                                                             | `flowx-runtime-manager-sa`                                                                         |
| `SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_MAINIDENTITY_CLIENTSECRET`      | Service account client secret (Keycloak-issued)                                                                                                       |                                                                                                    |
| `SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_ANONYMOUSIDENTITY_CLIENTID`     | Anonymous service account client ID, used for [anonymous runtime access](/5.9/docs/platform-deep-dive/user-roles-management/anonymous-runtime-access) | `flowx-anonymous-sa`                                                                               |
| `SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_ANONYMOUSIDENTITY_CLIENTSECRET` | Anonymous service account client secret                                                                                                               |                                                                                                    |
| `SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_MAINAUTHPROVIDER_TOKENURI`          | Provider token URI, resolved against the service-accounts realm                                                                                       | `${SECURITY_OAUTH2_BASESERVERURL}/realms/${SECURITY_OAUTH2_SAREALM}/protocol/openid-connect/token` |

<Info>
  The Application Manager and the Runtime Manager are built from the same artifact and share the `flowx-runtime-manager-sa` service account, which is why the default client ID here is not `flowx-application-manager-sa`.
</Info>

<Warning>
  **Upgrading from 5.1.x?** Remove the legacy opaque-token env vars: `SECURITY_OAUTH2_REALM`, `SECURITY_OAUTH2_CLIENT_CLIENTID`, `SECURITY_OAUTH2_CLIENT_CLIENTSECRET`, and `SECURITY_OAUTH2_SERVICEACCOUNT_ADMIN_*`. These belong to the removed introspection model and prevent the service from starting on 5.9.x. See the [authentication and IAM migration guide](/5.9/migrating-from-5.1-lts/authentication-iam) for the full list.
</Warning>

Refer to the dedicated section for configuring user roles and access rights:

<Card title="Access Management" href="./access-management/access-management-overview" icon="lock" />

## File storage configuration

<Info>
  S3 is used in the Application Manager for:

  * Storing imported and exported resources
  * Storing application versions and builds that are imported or exported
</Info>

| Environment Variable                           | Description            | Example Value                              | Default               |
| ---------------------------------------------- | ---------------------- | ------------------------------------------ | --------------------- |
| `APPLICATION_FILESTORAGE_S3_SERVERURL`         | S3 server URL          | `http://minio:9000`                        | None                  |
| `APPLICATION_FILESTORAGE_S3_ACCESSKEY`         | S3 access key          | `Ha0wvtOE9gQ2NSzghEcs`                     | None                  |
| `APPLICATION_FILESTORAGE_S3_SECRETKEY`         | S3 secret key          | `jY7nYLVtNh9JzMflliQKu3noPpjxD3prxIkliErX` | None                  |
| `APPLICATION_FILESTORAGE_TYPE`                 | Storage type           | `s3`                                       | `s3`                  |
| `APPLICATION_FILESTORAGE_DELETIONSTRATEGY`     | File deletion strategy | `delete`                                   | `delete`              |
| `APPLICATION_FILESTORAGE_S3_ENABLED`           | Enable S3 storage      | `true`                                     | `true`                |
| `APPLICATION_FILESTORAGE_S3_ENCRYPTIONENABLED` | Enable S3 encryption   | `false`                                    | `false`               |
| `APPLICATION_FILESTORAGE_S3_BUCKETPREFIX`      | S3 bucket name prefix  | `applications-bucket`                      | `applications-bucket` |
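
A pre-deployment check over the settings documented up to this point, added here as an example (it is not FlowX code): it reports secrets that still carry a value printed in this page's tables, Kafka traffic left unencrypted, S3 encryption switched off, required values left empty, and the legacy 5.1.x variables named in the upgrade warning. The function name `audit`, the finding texts and both sample environments are constructed for illustration.

```python
import os

# (variable, value printed in this page's tables, value assumed when unset).
# None in the third field means an unset variable is not flagged: the S3 keys
# list no default, and the Kafka OAuth secret only matters with OAuth enabled.
PUBLISHED_SECRETS = [
    ("SPRING_DATASOURCE_PASSWORD", "password", "password"),
    ("DB_PASSWORD", "password", "password"),
    ("KAFKA_OAUTH_CLIENT_SECRET", "kafka-secret", None),
    ("APPLICATION_FILESTORAGE_S3_ACCESSKEY", "Ha0wvtOE9gQ2NSzghEcs", None),
    ("APPLICATION_FILESTORAGE_S3_SECRETKEY",
     "jY7nYLVtNh9JzMflliQKu3noPpjxD3prxIkliErX", None),
]

# Listed with an empty default, so they must be supplied per deployment.
REQUIRED = [
    "SECURITY_OAUTH2_BASESERVERURL",
    "SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_MAINIDENTITY_CLIENTSECRET",
]

# From the upgrade warning: these prevent the service from starting on 5.9.x.
LEGACY_EXACT = {
    "SECURITY_OAUTH2_REALM",
    "SECURITY_OAUTH2_CLIENT_CLIENTID",
    "SECURITY_OAUTH2_CLIENT_CLIENTSECRET",
}
LEGACY_PREFIX = "SECURITY_OAUTH2_SERVICEACCOUNT_ADMIN_"


def audit(env=None):
    """Return a list of (variable, finding) tuples; an empty list means no findings."""
    env = os.environ if env is None else env
    findings = []

    for name, published, fallback in PUBLISHED_SECRETS:
        if env.get(name, fallback) == published:
            how = "set to" if name in env else "unset, so it falls back to"
            findings.append((name, f"{how} a value printed in the documentation"))

    for name in REQUIRED:
        if not env.get(name, "").strip():
            findings.append((name, "required but empty"))

    # Kafka security protocols are PLAINTEXT, SSL, SASL_PLAINTEXT and SASL_SSL;
    # only the two ending in SSL encrypt broker traffic.
    protocol = env.get("SPRING_KAFKA_SECURITY_PROTOCOL", "PLAINTEXT").upper()
    if not protocol.endswith("SSL"):
        findings.append(("SPRING_KAFKA_SECURITY_PROTOCOL",
                         f"{protocol}: broker traffic is not encrypted"))

    if env.get("APPLICATION_FILESTORAGE_S3_ENCRYPTIONENABLED", "false").lower() != "true":
        findings.append(("APPLICATION_FILESTORAGE_S3_ENCRYPTIONENABLED",
                         "S3 encryption is disabled"))

    for name in sorted(env):
        if name in LEGACY_EXACT or name.startswith(LEGACY_PREFIX):
            findings.append((name, "legacy 5.1.x variable, remove before running 5.9.x"))

    return findings


# Constructed sample environments (not taken from a real deployment).
UNCHANGED = {
    "SPRING_DATASOURCE_PASSWORD": "password",
    "SECURITY_OAUTH2_BASESERVERURL": "https://keycloak.example.internal",
    "SECURITY_OAUTH2_REALM": "flowx",
}
HARDENED = {
    "SPRING_DATASOURCE_PASSWORD": "placeholder-from-secret-store-1",
    "DB_PASSWORD": "placeholder-from-secret-store-2",
    "SECURITY_OAUTH2_BASESERVERURL": "https://keycloak.example.internal",
    "SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_MAINIDENTITY_CLIENTSECRET":
        "placeholder-from-secret-store-3",
    "SPRING_KAFKA_SECURITY_PROTOCOL": "SASL_SSL",
    "APPLICATION_FILESTORAGE_S3_ENCRYPTIONENABLED": "true",
}

if __name__ == "__main__":
    for variable, finding in audit(UNCHANGED):
        print(f"{variable}: {finding}")
```

Called with no argument, `audit()` reads the process environment, so it can run as a startup or CI gate that fails when the returned list is not empty.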

## Monitoring and health check configuration

| Environment Variable                                 | Description             | Example Value                                                                   | Default |
| ---------------------------------------------------- | ----------------------- | ------------------------------------------------------------------------------- | ------- |
| `MANAGEMENT_METRICS_EXPORT_PROMETHEUS_ENABLED`       | Prometheus metrics      | `true`                                                                          | `false` |
| `MANAGEMENT_HEALTH_KUBERNETES_ENABLED`               | Kubernetes health check | `false`                                                                         | `true`  |
| `MANAGEMENT_HEALTH_REDIS_ENABLED`                    | Redis health check      | `false`                                                                         | `true`  |
| `MANAGEMENT_HEALTH_KAFKA_ENABLED`                    | Kafka health check      | `true`                                                                          | `true`  |
| `MANAGEMENT_HEALTH_LIVENESSSTATE_ENABLED`            | Liveness state          | `true`                                                                          | `false` |
| `MANAGEMENT_HEALTH_READINESSSTATE_ENABLED`           | Readiness state         | `true`                                                                          | `false` |
| `MANAGEMENT_ENDPOINT_HEALTH_GROUP_LIVENESS_INCLUDE`  | Liveness probes         | `ping,diskSpace,accessInfo,buildInfo,db,mongo,kafkaClusterHealthCheckIndicator` | `ping`  |
| `MANAGEMENT_ENDPOINT_HEALTH_GROUP_READINESS_INCLUDE` | Readiness probes        | `ping,diskSpace,accessInfo,buildInfo`                                           | `ping`  |

## Resource proxy configuration

The Resource Proxy module forwards resource-related requests to the appropriate services and handles CRUD operations on the manifest. It requires proper configuration of the proxy endpoints:

| Environment Variable                                    | Description                        | Default Value    | Default   |
| ------------------------------------------------------- | ---------------------------------- | ---------------- | --------- |
| `RESOURCE_PROXY_MANIFEST_URL`                           | Manifest URL for resource proxy    | URL value        | None      |
| `RESOURCE_PROXY_TARGET_URL`                             | Target URL for resource forwarding | URL value        | None      |
| `FLOWX_RESOURCEPROXY_RETRYGETRESOURCETIMEOUTMS`         | Resource retrieval timeout         | `500`            | `500`     |
| `FLOWX_RESOURCEPROXY_RETRYGETRESOURCEMAXCOUNT`          | Maximum resource retrieval retries | `10`             | `10`      |
| `FLOWX_RESOURCEPROXY_WEBCLIENT_RETRYATTEMPTS`           | Web client retry attempts          | `2`              | `2`       |
| `FLOWX_RESOURCEPROXY_WEBCLIENT_RETRYBACKOFF`            | Retry backoff time (seconds)       | `1`              | `1`       |
| `FLOWX_RESOURCEPROXY_WEBCLIENT_MAXINMEMORYSIZE`         | Maximum in-memory size             | `5MB`            | `5MB`     |
| `FLOWX_RUNTIMEEXECUTIONPROXY_WEBCLIENT_MAXINMEMORYSIZE` | Maximum REST request size          | `5242880` (5 MB) | `5242880` |

<Info>
  `FLOWX_RUNTIMEEXECUTIONPROXY_WEBCLIENT_MAXINMEMORYSIZE` - Specifies the maximum size, in bytes, of the data held in memory for REST requests. Capping it keeps large payloads from consuming excessive memory.

  * Default Value: 5242880 (5 MB)
  * Usage Example: Set to 10485760 (10 MB) to allow larger in-memory request sizes.
</Info>

## Proxy connection merge configuration

These variables control how proxy connection resources are handled during application merges (import, export, conflict resolution).

| Environment Variable                                                                | Description                                                  | Default Value                      |
| ----------------------------------------------------------------------------------- | ------------------------------------------------------------ | ---------------------------------- |
| `FLOWX_APPLICATION_MERGE_RESOURCES_PROXY_CONNECTION_RESOURCE_ID_FIELD`              | Resource ID field for proxy connection merge                 | `resourceId`                       |
| `FLOWX_APPLICATION_MERGE_RESOURCES_PROXY_CONNECTION_FLATTENMAP_ID_FIELDS`           | Flatten map ID fields for proxy connection merge             | `resourceId, name`                 |
| `FLOWX_APPLICATION_MERGE_RESOURCES_PROXY_CONNECTION_FLATTENMAP_EXCLUDED_JSON_PATHS` | Excluded JSON paths for proxy connection flatten map         | `authorization.configuration`      |
| `FLOWX_APPLICATION_MERGE_RESOURCES_PROXY_CONNECTION_COMPARE_REMOVED_JSON_PATHS`     | Excluded JSON paths when comparing removed proxy connections | `resourceId, resourceDefinitionId` |
| `FLOWX_APPLICATION_MERGE_RESOURCES_PROXY_CONNECTION_CONFLICT_EXCLUDED_JSON_PATHS`   | Excluded JSON paths for proxy connection conflict detection  | `resourceId, resourceDefinitionId` |

***

## Scheduler configuration

The Application Manager scheduler supports retrying failed deployments:

| Environment Variable                         | Description                  | Default Value |
| -------------------------------------------- | ---------------------------- | ------------- |
| `FLOWX_SCHEDULER_RETRYFAILEDDEPLOYMENTSCRON` | Failed deployment retry cron | `0 * * * * *` |

### Retry failed deployments

Configures a cron job to retry updating builds in the runtime database every minute when previous attempts have failed.

## Configuring logging

To control the logging levels for the Application Manager, use the following environment variables:

| Environment Variable | Description                     | Default Value |
| -------------------- | ------------------------------- | ------------- |
| `LOGGING_LEVEL_ROOT` | Root Spring Boot log level      | `INFO`        |
| `LOGGING_LEVEL_APP`  | Application-level log level     | `INFO`        |
| `LOGGING_LEVEL_DB`   | Database interactions log level | `INFO`        |

## CAS lib configuration

| Environment Variable  | Description                  | Default Value   |
| --------------------- | ---------------------------- | --------------- |
| `FLOWX_SPICEDB_HOST`  | SpiceDB server hostname      | `spicedb`       |
| `FLOWX_SPICEDB_PORT`  | SpiceDB server port          | `50051`         |
| `FLOWX_SPICEDB_TOKEN` | SpiceDB authentication token | `spicedb-token` |
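
A preflight check for the S3 file storage variables and the SpiceDB token documented above, as an added example rather than FlowX code: it flags variables still set to the sample values printed on this page, a non-HTTPS S3 endpoint, and disabled S3 encryption. The name `audit_env` and the rule that S3 keys are ignored when S3 storage is disabled are assumptions.

```python
import os
import sys
from urllib.parse import urlsplit

# Sample values printed in this page's tables. They are public, so a
# deployment still carrying one is running on a known credential.
DOCUMENTED_SAMPLES = {
    "APPLICATION_FILESTORAGE_S3_ACCESSKEY": "Ha0wvtOE9gQ2NSzghEcs",
    "APPLICATION_FILESTORAGE_S3_SECRETKEY": "jY7nYLVtNh9JzMflliQKu3noPpjxD3prxIkliErX",
    "FLOWX_SPICEDB_TOKEN": "spicedb-token",
}
S3 = "APPLICATION_FILESTORAGE_S3_"


def is_true(env, name, default):
    return env.get(name, default).strip().lower() == "true"


def audit_env(env):
    """Return [(variable, finding)] for settings to fix before go-live."""
    findings = []
    s3_on = is_true(env, S3 + "ENABLED", "true")  # documented default: true
    for name, sample in DOCUMENTED_SAMPLES.items():
        if name.startswith(S3) and not s3_on:
            continue  # assumption: S3 keys are unused when S3 storage is off
        # The SpiceDB table lists its sample as the default, so unset counts.
        value = env.get(name, sample if name == "FLOWX_SPICEDB_TOKEN" else None)
        if value == sample:
            findings.append((name, "uses the value shown in the documentation"))
    if s3_on:
        url = env.get(S3 + "SERVERURL", "")
        if url and urlsplit(url).scheme != "https":
            findings.append((S3 + "SERVERURL", "not https: objects travel unencrypted"))
        if not is_true(env, S3 + "ENCRYPTIONENABLED", "false"):  # default: false
            findings.append((S3 + "ENCRYPTIONENABLED", "S3 encryption is off"))
    return findings


if __name__ == "__main__":
    results = audit_env(dict(os.environ))
    for variable, finding in results:
        print(f"{variable}: {finding}", file=sys.stderr)
    sys.exit(1 if results else 0)
```

Run it in the same environment as the service (for example as an init container or CI step); a non-zero exit means at least one finding was printed.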

## Data model overview

The Application Manager stores application data using a relational database schema, with key entities such as `application`, `application_version`, and `application_manifest`. The primary entities are described below:

* **Application** - Defines an application with its details like name, type, and metadata.
* **Application Branch** - Represents branches for versioning within an application.
* **Application Version** - Keeps track of each version of an application, including committed and WIP statuses.
* **Application Manifest** - Contains the list of resources associated with a specific application version.

## Ingress and CORS

The Application Manager service is exposed externally on the admin host. Routing is configured through the FlowX Helm chart, which renders either a Kubernetes Ingress (default) or a Gateway API HTTPRoute per service. CORS handling lives in the service code; only the allowed-origins list is deployment-specific.

### Service route

| Host group | External path | Backend receives |
| ---------- | ------------- | ---------------- |
| admin      | `/appmanager` | `/`              |

The path is set through `services.application-manager.ingress.admin.path` (or `services.application-manager.gateway.admin.paths`) in the chart values. The chart also applies `nginx.ingress.kubernetes.io/proxy-body-size: 50m` by default to allow larger application-manifest uploads — adjust the annotation if you need a different limit.

### CORS configuration

| Environment Variable            | Description                                                                                                                                                                                                               | Default Value |
| ------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------- |
| `APPLICATION_CORS_ALLOW_ORIGIN` | Comma-separated list of origins allowed to call this service from the browser. Supports wildcard subdomains. Must include every Designer and integration domain that issues browser requests against Application Manager. | `-`           |

Allowed methods, allowed headers (including `Authorization`, `Content-Type`, `Fx-Workspace-Id`), and credential handling are baked into the service's `application.yaml` with safe defaults. Override these only if you have a non-standard requirement.
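
A check for the `APPLICATION_CORS_ALLOW_ORIGIN` list, as an added example (not FlowX code) that reports entries which are broader than intended or cannot match a browser `Origin` header. It assumes wildcard subdomains are written as `https://*.example.com`, a syntax this page does not spell out; `check_origins` and the sample domains are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed sample list; example.com stands in for real Designer domains.
SAMPLE = (
    "https://designer.example.com, https://*.example.com, *, https://*.com, "
    "http://designer.example.com, https://designer.example.com/, "
    "designer.example.com"
)


def check_origins(raw):
    """Map each risky or malformed entry of the origin list to its problem."""
    problems = {}
    for entry in (e.strip() for e in raw.split(",")):
        if entry == "*":
            problems[entry] = "allows every origin"
            continue
        parts = urlsplit(entry)
        host = parts.hostname or ""
        if parts.scheme not in ("http", "https") or not host:
            problems[entry] = "not a scheme://host origin"
        elif parts.path or parts.query or parts.fragment:
            # Browsers send Origin as scheme://host[:port], nothing after it.
            problems[entry] = "has a path or trailing slash"
        elif parts.scheme == "http":
            problems[entry] = "plain-http origin"
        elif "*" in host:
            base = host[2:]
            if not host.startswith("*.") or "*" in base:
                problems[entry] = "wildcard outside the leftmost label"
            elif "." not in base:
                # Label count only; multi-part suffixes such as co.uk need
                # a public-suffix list, which this sketch does not carry.
                problems[entry] = "wildcard covers a whole top-level domain"
    return problems


if __name__ == "__main__":
    for origin, problem in check_origins(SAMPLE).items():
        print(f"{origin!r}: {problem}")
```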

For the complete route reference, Gateway API HTTPRoute configuration, and route customization, see the [ingress configuration guide](./ingress-configuration).
