Dependencies
Before setting up the Webhook Gateway, ensure you have the following dependencies in place:- PostgreSQL database for storing webhook registration data
- Kafka for publishing process start events
- Keycloak (or compatible OAuth2 provider) for authentication and authorization
- SpiceDB for fine-grained authorization
Infrastructure prerequisites
Configuration
Authorization configuration
The Webhook Gateway validates incoming tokens with the JWT public key mechanism and authenticates to other FlowX services with a dedicated service account (themainIdentity client registration) in the service-accounts realm:
The Webhook Gateway exposes
/webhooks/** as public (unauthenticated) paths for receiving incoming webhooks. The /api/** paths require a valid JWT token.PostgreSQL configuration
The Webhook Gateway uses its own dedicated PostgreSQL database for storing webhook registration data.Kafka configuration
The Webhook Gateway is a producer-only service β it publishes messages to Kafka but does not consume from any topics. It publishes to two topics: one for starting new processes and one for resuming waiting process instances.Core Kafka settings
OAuth authentication (when using SASL_PLAINTEXT)
When using the
kafka-auth profile, the security protocol will automatically be set to SASL_PLAINTEXT and the SASL mechanism will be set to OAUTHBEARER.Topic naming configuration
Kafka topics
The Webhook Gateway publishes to the following Kafka topics:CAS lib configuration (SpiceDB)
Service communication
The Webhook Gateway communicates with the following FlowX services:Logging configuration
Secrets management
The Webhook Gateway requires several secrets to be configured. These should be stored securely and referenced via Kubernetes secrets or a secrets management solution.Deployment
Helm values example
Below is an example Helm values configuration for deploying the Webhook Gateway:Unlike most FlowX services, the Webhook Gateway requires ingress to be enabled because it receives incoming HTTP requests from external systems on the
/webhooks path.Network policies
The Webhook Gateway requires network access to the following services:Monitoring
The Webhook Gateway exposes Prometheus metrics for monitoring. Turn on scraping by setting the pod label:Health endpoints
Verify your setup
The Webhook Gateway pod is running and healthy:
kubectl get pods -l app=webhook-gatewayThe health endpoint returns HTTP 200:
curl http://webhook-gateway:8080/actuator/healthDatabase migrations completed successfully β check pod logs for
Liquibase: Update has been successfulSpiceDB connection is established β check pod logs for successful CAS client initialization
The
/webhooks ingress path is accessible from external systemsIngress and CORS
The Webhook Gateway is exposed externally on the admin host. Routing is configured through the FlowX Helm chart, which renders either a Kubernetes Ingress (default) or a Gateway API HTTPRoute per service. The path is preserved end-to-end (no rewrite), because the webhook endpoint URL is the same on the backend as on the client.Service route
The path is set through
services.webhook-gateway.ingress.admin.path (or services.webhook-gateway.gateway.admin.paths) in the chart values. No rewrite is applied β webhook URLs your upstream systems POST to must match the path exactly.
CORS configuration
Allowed methods, allowed headers, and credential handling are baked into the serviceβs
application.yaml with safe defaults. Override these only if you have a non-standard requirement.
For the complete route reference, Gateway API HTTPRoute configuration, and route customization, see the ingress configuration guide.
Troubleshooting
Database connection failures
Database connection failures
Symptoms: Service fails to start with database connection errors.Solutions:
- Verify the
webhook_gatewaydatabase exists in PostgreSQL - Check that the database user has appropriate permissions
- Ensure network connectivity between the pod and PostgreSQL service
- Verify the JDBC URL format is correct
SpiceDB connection failures
SpiceDB connection failures
Symptoms: Authorization errors or service fails to initialize CAS client.Solutions:
- Verify SpiceDB is running and reachable at the configured host and port
- Check that the SpiceDB token is correct
- Ensure network policies allow gRPC traffic to SpiceDB on port
50051 - Review pod logs for specific CAS client error messages
Kafka publishing failures
Kafka publishing failures
Symptoms: Webhook events not triggering process starts.Solutions:
- Verify Kafka bootstrap servers are reachable
- Check that the
ai.flowx.core.trigger.start-for-event.process.v1topic exists - Ensure the service has producer permissions on the topic
- Review pod logs for Kafka producer errors
Webhook endpoint not reachable
Webhook endpoint not reachable
Symptoms: External systems cannot reach the webhook URL.Solutions:
- Verify ingress is enabled and the
/webhookspath is configured - Check that network policies allow inbound traffic to the Webhook Gateway
- Ensure DNS resolves correctly for the webhook URL
- Verify the service is listening on port
8080
Service account authentication errors
Service account authentication errors
Symptoms: 401/403 errors when communicating with other FlowX services.Solutions:
- Verify the Keycloak service account is properly configured
- Check that client secrets match between configuration and Keycloak
- Ensure the service account has required roles assigned
- Verify
SECURITY_TYPEis set tojwt-public-key
Related resources
SpiceDB Configuration
Fine-grained authorization setup
Kafka Authentication
Configure Kafka security and authentication
IAM Configuration
Identity and access management setup

