Skip to main content
Ensure the following infrastructure components are available before starting the CMS service:
  • MongoDB
  • Redis
  • Kafka
  • Elasticsearch
The service is pre-configured with most default values. However, some environment variables require customization during setup.

Dependencies overview


Configuration

Set application defaults

Define the default application name for retrieving content:
If this configuration is not provided, the default value will be set to flowx.

Configuring authorization & access roles

The CMS validates incoming tokens with the JWT public key mechanism. It does not initiate service-to-service calls, so it has no service-account client registration:
Upgrading from 5.1.x? Remove the legacy opaque-token env vars: SECURITY_OAUTH2_REALM, SECURITY_OAUTH2_CLIENT_CLIENTID, and SECURITY_OAUTH2_CLIENT_CLIENTSECRET. These belong to the removed introspection model and prevent the service from starting on 5.9.x. See the authentication and IAM migration guide for the full list.

Configuring Runtime Manager service account

The CMS service requires access to the Runtime Manager service account for operations such as merging media file updates, managing builds, and handling application version transitions.
This service account is required for CMS to perform operations like merging media file updates and coordinating with the Runtime Manager service. The service account must exist in Keycloak with the appropriate roles assigned.

Configuring MongoDB

The CMS requires MongoDB for taxonomy and content storage. Configure MongoDB with the following variables:
Set MONGOCK_TRANSACTIONENABLED to false due to known issues with transactions in MongoDB version 5.

Configuring MongoDB (runtime database - additional data)

CMS also connects to a Runtime MongoDB instance for operational data. It reuses the same DB_USERNAME and DB_PASSWORD as the primary connection — there are no separate runtime credential variables:

Configuring Redis

CMS uses Redis for caching content. Configure Redis connection using the standard Redis environment variables. Quick reference:
Both SPRING_DATA_REDIS_* and SPRING_REDIS_* variable prefixes are supported. The SPRING_DATA_REDIS_* prefix is the modern Spring Boot standard and is recommended for new deployments.
For advanced Redis deployment modes (Sentinel, Cluster) and SSL/TLS setup, see the Redis Configuration guide. Note that Sentinel and Cluster modes are only supported by the Events Gateway service.

Configuring Kafka

Connection settings

Auth and retry configuration

Consumer group configuration

Consumer thread configuration

Topic naming configuration

Content request topics

Audit topics

Application resource usage validation

All actions that match a configured pattern will be consumed by the engine.

Inter-Service topic coordination

When configuring Kafka topics in the FlowX ecosystem, it’s critical to ensure proper coordination between services:
  1. Topic name matching: Output topics from one service must match the expected input topics of another service. For example:
    • KAFKA_TOPIC_APPLICATION_RESOURCE_RESELEMUSAGEVALIDATION_OUT_CMS on Application Manager must match KAFKA_TOPIC_APPLICATION_IN_RESUSAGEVALIDATION on CMS
  2. Pattern consistency: The pattern values must be consistent across services:
    • Process Engine listens to topics matching: ai.flowx.engine.receive.*
    • Integration Designer listens to topics matching: ai.flowx.integration.receive.*
  3. Communication flow:
    • Other services write to topics matching the Engine’s pattern → Process Engine listens
    • Process Engine writes to topics matching the Integration Designer’s pattern → Integration Designer listens
The exact pattern value isn’t critical, but it must be identical across all connected services. Some deployments require manually creating Kafka topics in advance rather than dynamically. In these cases, all topic names must be explicitly defined and coordinated.

Kafka authentication

For secure environments, enable OAuth authentication with the following environment variables:
When using the kafka-auth profile, the security protocol will automatically be set to SASL_PLAINTEXT and the SASL mechanism will be set to OAUTHBEARER.

CAS lib configuration


Configuring logging


Configuring file storage

Public storage

Private storage

Private CMS securely stores uploaded documents and AI-generated documents, ensuring they are accessible only via authenticated endpoints.
Private CMS ensures secure file storage by keeping documents hidden from the Media Library and accessible only through authenticated endpoints with access token permissions. Files can be retrieved using tags (e.g., ai_document, ref:UUID_doc) and are excluded from application builds.

Configuring file upload size

Setting high file size limits may increase vulnerability to potential attacks. Consider security implications before increasing these limits.

Configuring application management


Ingress and CORS

The CMS Core service is exposed on both the admin and public hosts. Routing is configured through the FlowX Helm chart, which renders either a Kubernetes Ingress (default) or a Gateway API HTTPRoute per service. CORS handling lives in the service code; only the allowed-origins list is deployment-specific.

Service routes

Paths are set through services.cms-core.ingress.admin.path / services.cms-core.ingress.public.path (or the corresponding gateway.<key>.paths) in the chart values.

CORS configuration

Allowed methods, allowed headers (including Authorization, Content-Type, Fx-Workspace-Id), and credential handling are baked into the service’s application.yaml with safe defaults. Override these only if you have a non-standard requirement. For the complete route reference, Gateway API HTTPRoute configuration, and route customization, see the ingress configuration guide.

Troubleshooting

Common issues

Symptoms: Service crashes on startup or fails health checks.Solutions:
  1. Verify MongoDB connection URI is correct and the cms-core database is accessible
  2. Check that Kafka bootstrap servers are reachable and topic names are properly configured
  3. Ensure Redis is running and connection parameters are correct
  4. Review startup logs for specific error messages related to database migrations (MONGOCK_TRANSACTIONENABLED should be false)
Symptoms: Enumeration values are outdated or not appearing across services.Solutions:
  1. Verify Kafka topics for content translation are correctly configured (KAFKA_TOPIC_REQUEST_CONTENT_IN and KAFKA_TOPIC_REQUEST_CONTENT_OUT)
  2. Check that consumer group IDs are unique and not conflicting with other service instances
  3. Ensure Redis cache is not serving stale data — restart the CMS service to force cache invalidation
  4. Confirm the resource usage validation topic (KAFKA_TOPIC_APPLICATION_IN_RESUSAGEVALIDATION) is properly configured
Symptoms: File uploads return errors or files are not visible in the Media Library.Solutions:
  1. Verify S3/MinIO server URL and bucket configuration (APPLICATION_FILESTORAGE_S3_SERVERURL, APPLICATION_FILESTORAGE_S3_BUCKETNAME)
  2. Check that the bucket exists or APPLICATION_FILESTORAGE_S3_CREATEBUCKET is set to true
  3. Ensure file size limits are appropriate (SPRING_SERVLET_MULTIPART_MAXFILESIZE and SPRING_SERVLET_MULTIPART_MAXREQUESTSIZE)
  4. For private storage, verify access key and secret key credentials are correct
Symptoms: CMS content (enumerations, media files) is not visible in the FlowX Designer.Solutions:
  1. Verify CMS service is running and healthy by checking the /actuator/health endpoint
  2. Ensure the CMS service is reachable from the Designer — check network policies and ingress configuration
  3. Verify CORS settings allow requests from the Designer domain
  4. Check that the authorization configuration is correct and the Designer can authenticate with the CMS service

Enumerations

Manage taxonomies and enumeration values for your applications

Media Library

Store and manage media assets used across your applications

Redis Configuration

Complete Redis setup including Sentinel and Cluster modes
Last modified on June 8, 2026