Platform Manager 9.1.1 Readme

Overview

The Management API is part of the Topic Catalog system, designed to serve as a customer portal for managing and interacting with their part of the Axual Platform. It is used to administer the Axual platform to perform activities like:

View Topic availability on different environments
Request Topic deployments
Manage own environments
and more…

Installation & Configuration

Default Roles

When a new user is created in Platform Manager, certain roles can be automatically granted. These roles can be defined in the application.yml config as below:

axual:
  default-roles: APPLICATION_AUTHOR, ENVIRONMENT_AUTHOR, STREAM_AUTHOR

By default, APPLICATION_AUTHOR, ENVIRONMENT_AUTHOR and STREAM_AUTHOR roles are automatically granted to every new user in Self Service.

Schema Compatibility Checks

During stream deployment, a mandatory step is to verify the compatibility of the AVRO, PROTOBUF or Json schema (if changed). In some cases, it is desirable to force the topic apply.

This force field is added in the StreamConfig object.

{
  "keySchemaVersion": "http://localhost:8080/schema_versions/5322f72742cd4c6db07b9a71a825fe4f",
  "force": true
}

Flyway DB Migration

We use Flyway for version control and easy schema evolving of a Platform Manager database. Flyway will automatically run the SQL files to upgrade the database to required level.

By default, CORS is enabled for all origins, methods and headers. To change this behaviour, Cross Origin Resource Sharing can be configured as below:

cors-allowed-origin-patterns is a list of accepted origin urls with which the response can be shared. To accept all, use the value '*'

cors-allowed-methods is a list of allowed HTTP methods in response to a pre-flight request. By default GET, POST, PUT, PATCH, HEAD and DELETE are allowed.

cors-allowed-headers is a list of accepted headers. To accept all, use the value '*'

cors-exposed-headers is a list of headers that can be exposed (accessed by clients). Simple response headers Cache-Control, Content-Language, Content-Type, Expires, Last-Modified and Pragma are already safe-listed so can be ignored in this list. Refer https://developer.mozilla.org/en-US/docs/Glossary/Simple_response_header for more details.

cors-max-age defines the time in seconds the client should cache the pre-flight response. In Flux API it is set to 3600 by default.

Example #1 - Allow all origins and all headers, with default methods

axual:
  rest:
    cors-allowed-origin-patterns:
      - '*'
    cors-allowed-headers:
      - '*'

Example #2 - Allow origin http://localhost and https://somewhere to access the service for the GET and POST methods for all headers:

axual:
  rest:
    cors-allowed-origin-patterns:
      - 'http://localhost'
      - 'https://somewhere'
    cors-allowed-methods:
      - 'GET'
      - 'POST'
    cors-allowed-headers:
      - '*'

Example #3 - Allow all origins to access the service for the GET and POST methods for Origin, Content-type and X-Requested-With headers:

axual:
  rest:
    cors-allowed-origin-patterns:
      - 'http://localhost'
      - 'https://somewhere'
    cors-allowed-methods:
      - 'GET'
      - 'POST'
    cors-allowed-headers:
      - 'Origin'
      - 'Content-Type'
      - 'X-Requested-With'

Enable connector vault for storing credentials

Use below YAML configuration to enable storing connector certificates for each tenant-instance. The configuration is disabled as a default. If the configuration is enabled, the definitions must be done for each tenant-instance. uri, role-id, secret-id, connectors-path, private-key-name and cert-chain-key-name fields are mandatory. The other fields are optional.

connector-vault:
  enabled: true
  instances:
    axual-qa:
      uri: https://localhost:8201
      namespace: ns1  #optional
      role-id: a876f265-b031-861f-d51b-2113602a1c34
      secret-id: e90bcb18-6a80-a8ee-ea34-5a607ef76bff
      connectors-path: connectors
      private-key-name: private.key
      cert-chain-key-name: certificate.chain
      key-store: classpath:axual-api.jks  #optional
      key-password: notsecret  #optional
      key-store-password: notsecret  #optional
      truststore: classpath:axual-truststore.jks  #optional
      truststore-password: notsecret  #optional
    axual-ota:
      uri: https://localhost:8201
      namespace: ns2  #optional
      role-id: a876f265-b031-861f-d51b-2113602a1c34
      secret-id: e90bcb18-6a80-a8ee-ea34-5a607ef76bff
      connectors-path: connectors
      private-key-name: private.key
      cert-chain-key-name: certificate.chain
      key-store: classpath:axual-api.jks  #optional
      key-password: notsecret  #optional
      key-store-password: notsecret  #optional
      truststore: classpath:axual-truststore.jks  #optional
      truststore-password: notsecret  #optional

Enable Distributed Tracing with OpenTelemetry

Platform Manager supports generating Trace and Span IDs in the B3 format compatible with OpenTelemetry. To export the spans to a remote OpenTelemetry compatible instrumentation backend, set below properties:

management:
  tracing:
    enabled: true
    sampling:
      probability: 1.0
  otlp:
    tracing:
      endpoint: https://api.honeycomb.io
      headers:
        x-honeycomb-team: xxxx

Depending on the instrumentation backend, you may want to add custom headers.

For Elastic APM, refer to https://www.elastic.co/guide/en/apm/get-started/current/open-telemetry-elastic.html
For Grafana Tempo, refer to https://grafana.com/blog/2021/04/13/how-to-send-traces-to-grafana-clouds-tempo-service-with-opentelemetry-collector/
For Honeycomb, refer to https://docs.honeycomb.io/getting-data-in/opentelemetry/otel-collector/

To add additional tracing metrics, please refer to Spring Boot documentation: https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#actuator.micrometer-tracing

Docker environment variables

In this table, you can find a description of each environment variable that should be configured for deploying the application.

Name Possible Values Required Description

Name	Possible Values	Required	Description
SPRING_DATASOURCE_URL	A string of jdbc url “no default”	YES	Specifies the JDBC URL used to connect to any database.
SPRING_DATASOURCE_NAME	A string defining the datasource name default value: fluxdb	NO	This is typically used when you have multiple data sources in your application. It provides a name or identifier for the datasource.
SPRING_DATASOURCE_DRIVER-CLASS-NAME	A string defining the datasource driverClassName com.mysql.cj.jdbc.Driver \| org.mariadb.jdbc.Driver “no default”	YES	Specifies the fully-qualified class name of the JDBC driver that should be used for the database connection.
SPRING_DATASOURCE_USERNAME	A string defining the username “no default”	YES	This sets the username used to authenticate with the database.
SPRING_DATASOURCE_PASSWORD	A string defining the password “no default”	YES	This sets the password for the database connection.
SPRING_JPA_HIBERNATE_DATABASE-PLATFORM	org.hibernate.dialect.MariaDBDialect \| org.hibernate.dialect.MySQLDialect “no default”	YES	This is used to specify the SQL dialect that should be used by JPA and Hibernate when generating or interpreting SQL statements for a specific database.
SPRING_JPA_HIBERNATE_DDL-AUTO	none \| validate \| update \| create \| create-drop Default value: validate	NO	controls the behavior of database schema generation and modification during application startup. none: This is the default value. It means that no schema generation or modification is done by Hibernate. You are responsible for managing the database schema manually. validate: Hibernate validates the existing schema against the current entity mappings. It will not make any changes to the schema, but it will report any discrepancies or errors. update: Hibernate updates the schema automatically based on the entity mappings. It will create tables, columns, and constraints if they don’t exist in the database. However, it will not drop any tables or columns that are no longer needed. create: Hibernate creates the schema from scratch during application startup. It will drop and re-create the tables every time the application starts. Be cautious with this option as it can result in data loss in a production environment. create-drop: Similar to create, but it also drops the schema when the application shuts down. This is typically used for testing and development environments.
SPRING_FLYWAY_VENDOR	mysql/mariadb Default value: mariadb	NO	This is used to specify the database vendor for which Flyway should generate or apply database migration scripts.
SPRING_MAIL_HOST	A string defining SMTP server “no default”	Conditionally YES	Specifies the SMTP server that will be used to send emails. Possible values include domain names or IP addresses of SMTP servers, e.g., `smtp.gmail.com`. It is mandatory if `AXUAL_NOTIFICATIONS_SMTP_ENABLED=true`
SPRING_MAIL_PORT	A valid port number “no default” Possible value to be set for SMTP using TLS/STARTTLS is 587, using SSL is 465.	Conditionally YES	Specifies the port number of the SMTP server, is mandatory if `AXUAL_NOTIFICATIONS_SMTP_ENABLED=true`.
SPRING_MAIL_USERNAME	A string defining the username “no default”	Conditionally YES	Specifies the username used to authenticate with the SMTP server. It corresponds to the email account from which emails will be sent, is mandatory if `AXUAL_NOTIFICATIONS_SMTP_ENABLED=true`
SPRING_MAIL_PASSWORD	A string defining the password “no default”	Conditionally YES	Specifies the password used to authenticate with the SMTP server. It should be the password associated with the provided username, is mandatory if `AXUAL_NOTIFICATIONS_SMTP_ENABLED=true`
SPRING_MAIL_PROPERTIES_MAIL_SMTP_AUTH	A boolean value [true \| false] Default value: false	Conditionally YES	Specifies whether authentication (user identification) is required by the SMTP server, it is mandatory to be set as `true` if `AXUAL_NOTIFICATIONS_SMTP_ENABLED=true`
SPRING_MAIL_PROPERTIES_MAIL_SMTP_STARTTLS_ENABLE	A boolean value [true \| false] Default value: false	Conditionally YES	Specifies whether to enable the use of the STARTTLS command (which initiates a secure connection) when connecting to the SMTP server, it is mandatory to be set as `true` if `AXUAL_NOTIFICATIONS_SMTP_ENABLED=true`
VAULT_ENABLED	A boolean value [true \| false] “no default”	YES	Controls supporting Vault for persisting application credentials.
VAULT_URI	A valid uri “no default”	Conditionally YES	Specifies the uri of the Vault. It is mandatory only if `VAULT_ENABLED=true`
VAULT_ROLE-ID	A valid RoleId “no default”	Conditionally YES	Role ID is used to identify the specific AppRole configured in Vault that the application is using for authentication. It is mandatory only if `VAULT_ENABLED=true`
VAULT_SECRET-ID	A valid secretId “no default”	Conditionally YES	The Secret ID is a secret token associated with a particular Role ID that proves the application’s identity and authorization to access secrets. It is mandatory only if `VAULT_ENABLED=true`
AZURE_KEY-VAULT_ENABLED	A boolean value [true \| false] Default value: false	NO	Controls supporting Azure Key Vault for governance. if it’s enabled, the `GOVERNANCE_VAULT_ENABLED` property should be set to `false` and vice versa.
AZURE_KEY-VAULT_URI	A valid uri “no default”	Conditionally YES	Specifies the URI or endpoint of the Azure Key Vault instance. It is mandatory only if `AZURE_KEY-VAULT_ENABLED=true`.
AZURE_KEY-VAULT_LOGIN-URI	A valid uri Default value: https://login.microsoftonline.com/	Conditionally YES	Specifies the URI for Azure AD login. It is mandatory only if `AZURE_KEY-VAULT_ENABLED=true`.
AZURE_KEY-VAULT_SCOPE	The base URL for Azure Key Vault containing granted permissions Default value: https://vault.azure.net	Conditionally YES	Specifies the scope of the Azure Key Vault instance. It represents the specific resources and operations that our application is authorized to access within Azure Key Vault. It is mandatory only if `AZURE_KEY-VAULT_ENABLED=true`.
AZURE_KEY-VAULT_CLIENT-ID	A valid clientId “no default”	Conditionally YES	Specifies the Azure AD client ID associated with this application. The client ID identifies this application when it interacts with Azure Key Vault. It is mandatory only if `AZURE_KEY-VAULT_ENABLED=true`.
AZURE_KEY-VAULT_CLIENT-KEY	A valid clientKey “no default”	Conditionally YES	Represents the client secret or client key associated with our application. It is mandatory only if `AZURE_KEY-VAULT_ENABLED=true`.
AZURE_KEY-VAULT_TENANT-ID	A valid tenantId “no default”	Conditionally YES	specifies the Azure AD tenant ID. It is mandatory only if `AZURE_KEY-VAULT_ENABLED=true`.
SERVER_HTTP2_ENABLED	A boolean value [true \| false] Default value: false	NO	Is used in the configuration of a web server to enable or disable HTTP/2 support.
SERVER_SSL_ENABLED	A boolean value [true \| false] Default value: true	NO	Enables SSL/TLS support for secure communication.
SERVER_SSL_KEY_STORE	A string of file path to the key-store “no default”	Conditionally YES	Specifies the file path to the Java KeyStore (JKS) file that contains the server’s SSL certificate and private key, is mandatory only if `SERVER_SSL_ENABLED=true`.
SERVER_SSL_KEY_STORE_PASSWORD	A string defining the password “no default”	Conditionally YES	Specifies the password required to access the keystore itself, is mandatory only if `SERVER_SSL_ENABLED=true`.
SERVER_SSL_ENABLED-PROTOCOLS	A comma separated list of these values [TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3] “no default”	Conditionally YES	Specifies the list of allowed SSL/TLS protocols, is mandatory only if `SERVER_SSL_ENABLED=true`.
AXUAL_API_AVAILABLE_AUTH_METHODS	A comma seperated list of String containing these items : SSL,SCRAM_SHA_256,SCRAM_SHA_512,PLAIN Default value: SSL	NO	Specifies the available authentication methods which can be used for applications to be authenticated while getting access to topics.
AXUAL_MULTI_TENANT	A boolean value [true \| false] Default value: true	NO	Specifies if the cluster is multi-tenant or not. In case it is set to `true`, the cluster will be shared among multiple tenants.
AXUAL_DEFAULT_ROLES	A comma seperated List of strings containing default user roles. The list of existing roles in Axual is as follows: SUPER_ADMIN, TENANT_ADMIN, APPLICATION_ADMIN, STREAM_ADMIN, ENVIRONMENT_ADMIN, APPLICATION_AUTHOR, STREAM_AUTHOR, ENVIRONMENT_AUTHOR, BILLING_INTERNAL, BILLING_VIEWE, SCHEMA_AUTHOR, SCHEMA_ADMIN Default value: APPLICATION_AUTHOR, ENVIRONMENT_AUTHOR, STREAM_AUTHOR	NO	Specifies the default roles which can be automatically granted to a user when a new user is created.
AXUAL_DEFAULT_PARTITIONS	A valid number Default value: 2	NO	Specifies the number of partitions per each topic. Must be at least 1 and at most 120000.
AXUAL_DEFAULT_REPLICATION_FACTOR	A valid number “no default”	YES	Specifies how many copies (replicas) of each partition of a Kafka topic should be maintained across different broker nodes. It’s a crucial factor for ensuring fault tolerance and high availability in Kafka clusters.
AXUAL_DEFAULT_SEGMENT_TIME	A valid number (time in milliseconds) Default value: 604800000 (7 days)	NO	Controls the period of time after which Kafka will force the log to roll even if the segment file isn’t full to ensure that retention can delete or compact old data.
AXUAL_DEFAULT_RETENTION_TIME	A valid number (time in milliseconds) Default value: 604800000 (7 days)	NO	Controls the maximum time Kafka will retain a log before discarding old log segments to free up space if the retention policy is equal to “delete”. This represents an SLA on how soon consumers must read their data. If set to `-1`, no time limit is applied.
AXUAL_DEFAULT_CLEANUP_POLICY	delete \| compact \| delete,compact \| compact,delete Default value: delete	NO	Specifies the cleanup policy for log segments in a topic. This property determines when log segments can be deleted to reclaim disk space. delete: This is the default cleanup policy. When this policy is applied, Kafka will delete log segments as soon as they are no longer needed for any active consumers or replication. compact: This policy is used for log compaction. With this policy, Kafka retains the latest value for each unique key in the log and deletes older versions of the same key. Log compaction is often used for Kafka topics that store changelog or event sourcing data, ensuring that the latest state of each key is always available.delete,compact: This policy combines both deletion and compaction. It deletes log segments that are no longer needed by any active consumers while also performing log compaction on the remaining data.compact,delete: Similar to the previous option, this policy combines both deletion and compaction, but it prioritizes log compaction before deletion.
AXUAL_DEFAULT_ENVIRONMENT_COLOR	A string defining a hexadecimal color code Default value: “#80affe”	NO	Specifies the default color of environment in UI.
AXUAL_BILLING_ENABLED	A boolean value [true \| false] Default value: false	NO	This is used to enable billing component.
AXUAL_CSRF_ENABLED	A boolean value [true \| false] Default value: false	NO	This is used for enabling Cross-Site Request Forgery (CSRF) protection.
AXUAL_ALLOW_OVERLAPPING_CA	A boolean value [true \| false] Default value: false	NO	Allows Using one CERTIFICATE AUTHORITY (CA) on multiple tenants if it’s set to `true`.
AXUAL_VALIDATE_DUPLICATE_SCHEMAS	A boolean value [true \| false] Default value: true	NO	Controls validation of a duplicate schema. If it’s set to `false`, the `/schemas/check-parse` API won’t check the uniqueness of the uploaded schema-version.
AXUAL_CREATE_STREAM_DISABLE_TIME	A valid number [0, …] Default value: 0	NO	Controls Disabling the StreamConfig resource creation for the specified time in minutes.
AXUAL_CLIENT_SOCKET_TIMEOUT	A valid number Default value: 90000	NO	Specifies the maximum amount of time in milliseconds that a client will wait for a response from a server before considering the operation as timed out or failed
AXUAL_INSTANCE_API_AVAILABLE	A boolean value [true \| false] Default value: true	NO	Controls the connection to instance-api, If it’s disabled and the environment is not BYOK, any action on topics won’t be applied to the cluster. In BYOK environment, this should be set to `false`.
AXUAL_INSTANCE_API_AUTHORIZER	tls \| basic Default value: true	Conditionally YES	Specifies the type of authorization, is mandatory if `AXUAL_INSTANCE_API_AVAILABLE=true`. "`tls`" means that the communication between PlatformManager and InstanceManager is secured using TLS encryption and mutual authentication and both required to present valid SSL/TLS certificates to each other to establish a secure connection. "`basic`" refers to Basic Authentication, which involves sending a username and password as part of the HTTP request header.
AXUAL_INSTANCE_API_USERNAME	A string defining the username “no default”	Conditionally YES	This sets the username used to authenticate with the Instance-api, is mandatory if `AXUAL_INSTANCE_API_AVAILABLE=true` and `AXUAL_INSTANCE_API_AUTHORIZER=basic`
AXUAL_INSTANCE_API_PASSWORD	A string defining the password “no default”	Conditionally YES	This sets the password for the Instance-api connection, is mandatory if `AXUAL_INSTANCE_API_AVAILABLE=true` and `AXUAL_INSTANCE_API_AUTHORIZER=basic`.
AXUAL_INSTANCE_API_TRUST_STORE	A string of file path to the trust-store “no default”	Conditionally YES	Specifies the file path to the trust store, is mandatory if `AXUAL_INSTANCE_API_AVAILABLE=true` and `AXUAL_INSTANCE_API_AUTHORIZER=tls`.
AXUAL_INSTANCE_API_TRUST_STORE_PASSWORD	A string defining the password “no default”	Conditionally YES	Specifies the password required to access and manipulate the trust store, is mandatory if `AXUAL_INSTANCE_API_AVAILABLE=true` and `AXUAL_INSTANCE_API_AUTHORIZER=tls`.
AXUAL_INSTANCE_API_KEY_STORE	A string of file path to the key-store “no default”	Conditionally YES	Specifies the file path to the key store, is mandatory if `AXUAL_INSTANCE_API_AVAILABLE=true` and `AXUAL_INSTANCE_API_AUTHORIZER=tls`.
AXUAL_INSTANCE_API_KEY_STORE_PASSWORD	A string defining the password “no default”	Conditionally YES	Specifies the password required to access and manipulate the client’s key store, is mandatory if `AXUAL_INSTANCE_API_AVAILABLE=true` and `AXUAL_INSTANCE_API_AUTHORIZER=tls`.
AXUAL_INSTANCE_API_KEY_PASSWORD	A string defining the password “no default”	Conditionally YES	Specifies the password required to unlock the client’s private key within the key store, is mandatory if `AXUAL_INSTANCE_API_AVAILABLE=true` and `AXUAL_INSTANCE_API_AUTHORIZER=tls`.
AXUAL_ORGANIZATION_MANAGER_AUTH_PROVIDER	Supported auth provider: none, keycloak Default value: none	NO	Determines the authorization server for authenticating local users. ‘none’ disabled Organization Manager module.
AXUAL_ORGANIZATION_MANAGER_KEYCLOAK_URL	URL to access Keycloak “no default”:	YES	URL to access Keycloak.
AXUAL_ORGANIZATION_MANAGER_KEYCLOAK_USERNAME	Username to authenticate with Keycloak “no default”:	YES	Username to authenticate with Keycloak.
AXUAL_ORGANIZATION_MANAGER_KEYCLOAK_PASSWORD	Password to authenticate with Keycloak “no default”:	YES	Password to authenticate with Keycloak.
AXUAL_ORGANIZATION_MANAGER_KEYCLOAK_LOCAL_REALM	Name of local realm in Keycloak Default value: local	YES	Name of local realm in Keycloak.
AXUAL_ORGANIZATION_MANAGER_KEYCLOAK_MASTER_REALM	Name of master realm in Keycloak Default value: master	YES	Name of master realm in Keycloak.
AXUAL_ORGANIZATION_MANAGER_KEYCLOAK_CLIENT_ID	Client ID to use when authenticating with master realm of Keycloak Default value: admin-cli	YES	Admin client to authenticate with Keycloak.
AXUAL_OPERATION_MANAGER_AVAILABLE	A boolean value [true \| false] Default value: true	NO	Controls the connection to Operation-Manager, which is an intermediate component to make connection between PlatformManager and Axual-Connect. If it’s set to `true`, the `AXUAL_CONNECT_AVAILABLE should` be false and vice versa.
AXUAL_OPERATION_MANAGER_AUTHORIZER	tls \| basic Default value: basic	Conditionally YES	Specifies the type of authorization, is mandatory if `AXUAL_OPERATION_MANAGER_AVAILABLE =true`. "`tls`" means that the communication between PlatformManager and InstanceManager is secured using TLS encryption and mutual authentication and both required to present valid SSL/TLS certificates to each other to establish a secure connection. "`basic`" refers to Basic Authentication, which involves sending a username and password as part of the HTTP request header.
AXUAL_OPERATION_MANAGER_USERNAME	A string defining the username “no default”	Conditionally YES	This sets the username used to authenticate with the Instance-api, is mandatory if `AXUAL_OPERATION_MANAGER_AVAILABLE =true` and `AXUAL_OPERATION_MANAGER_AUTHORIZER=basic`
AXUAL_OPERATION_MANAGER_PASSWORD	A string defining the password “no default”	Conditionally YES	This sets the password for the Operation-Manager connection, is mandatory if `AXUAL_OPERATION_MANAGER_AVAILABLE =true` and `AXUAL_OPERATION_MANAGER_AUTHORIZER=basic`.
AXUAL_OPERATION_MANAGER_TRUST_STORE	A string of file path to the trust-store “no default”	Conditionally YES	Specifies the file path to the trust store, is mandatory if `AXUAL_OPERATION_MANAGER_AVAILABLE =true` and `AXUAL_INSTANCE_API_AUTHORIZER=tls`.
AXUAL_OPERATION_MANAGER_TRUST_STORE_PASSWORD	A string defining the password “no default”	Conditionally YES	Specifies the password required to access and manipulate the trust store, is mandatory if `AXUAL_OPERATION_MANAGER_AVAILABLE =true` and `AXUAL_OPERATION_MANAGER_AUTHORIZER=tls`.
AXUAL_OPERATION_MANAGER_KEY_STORE	A string of file path to the key-store “no default”	Conditionally YES	Specifies the file path to the key store, is mandatory if `AXUAL_OPERATION_MANAGER_AVAILABLE =true` and `AXUAL_INSTANCE_API_AUTHORIZER=tls`.
AXUAL_OPERATION_MANAGER_KEY_STORE_PASSWORD	A string defining the password “no default”	Conditionally YES	Specifies the password required to access and manipulate the client’s key store, is mandatory if `AXUAL_OPERATION_MANAGER_AVAILABLE =true` and `AXUAL_OPERATION_MANAGER_AUTHORIZER=tls`.
AXUAL_OPERATION_MANAGER_KEY_PASSWORD	A string defining the password “no default”	Conditionally YES	Specifies the password required to unlock the client’s private key within the key store, is mandatory if `AXUAL_OPERATION_MANAGER_AVAILABLE =true` and `AXUAL_OPERATION_MANAGER_AUTHORIZER=tls`.
AXUAL_OPERATION_MANAGER_BASE_URI	A valid uri “no default”	YES	Specifies the base uri of Operation-Manager.
AXUAL_SECURITY_DOCS-USERNAME	A string defining the username Default value: axual	NO	This sets the username used to authenticate with the docs.
AXUAL_SECURITY_DOCS-PASSWORD	A string defining the password Default value: notsecret	NO	This sets the password used to authenticate with the docs.
AXUAL_SECURITY_TRUST_STORE	A string of file path to the trust-store “no default”	YES	Specifies the file path to the trust store.
AXUAL_SECURITY_TRUST_STORE_PASSWORD	A string defining the password “no default”	YES	Specifies the password required to access and manipulate the trust store.
AXUAL_SECURITY_KEY_STORE	A string of file path to the key-store “no default”	YES	Specifies the file path to the key store.
AXUAL_SECURITY_KEY_STORE_PASSWORD	A string defining the key-strore password “no default”	YES	Specifies the password required to access and manipulate the key store.
AXUAL_SECURITY_KE_PASSWORD	A string defining the key password “no default”	YES	Specifies the password required to unlock the private key within the key store.
AXUAL_SECURITY_HEADER-BASED-AUTH	A boolean value [true \| false] Default value: false	NO	Controls using OAuth2 mechanism for securing APIs. If it’s set to `true`, disables OAuth2 and relies on headers passed from API Gateway. It should be enabled only when Management API is behind a secured API Gateway.
AXUAL_SECURITY_AUTH-MODE	AUTH0 \| KEYCLOAK “no default”	YES	Specifies the IAM service provider. if `AXUAL_SECURITY_HEADER-BASED-AUTH=true` this property can be set to `AUTH0`.
AXUAL_SECURITY_AUTH0-ISSUER	The Issuer URL for Auth0 “no default”	Conditionally YES	Is used to configure the Issuer URL for Auth0 when integrating Auth0 as an identity and authentication provider. It is required only `AXUAL_SECURITY_HEADER-BASED-AUTH=true` AND `AXUAL_SECURITY_AUTH-MODE=AUTH0`.
AXUAL_SECURITY_AUTH0-AUDIENCE	AUTH0 \| KEYCLOAK “no default”	Conditionally YES	Specifies the “audience” or “audience identifier” to which authentication and authorization requests are directed . It is required only `AXUAL_SECURITY_HEADER-BASED-AUTH=true` AND `AXUAL_SECURITY_AUTH-MODE=AUTH0`.
AXUAL_KEYCLOAK_AUTH_SERVER_URL	The URL of the Keycloak authentication server “no default”	Conditionally YES	Represents the base URL of the Keycloak authentication server. The application would use this URL to interact with Keycloak’s authentication and authorization services. It is required only if `AXUAL_SECURITY_HEADER-BASED-AUTH=true` AND `AXUAL_SECURITY_AUTH-MODE=KEYCLOAK`
AXUAL_KEYCLOAK_USERNAME	A string defining the username Default value: admin	YES	The administrative username that would be used to log in to the Keycloak administration console or authenticate API requests.
AXUAL_KEYCLOAK_PASSWORD	A string defining the password Default value: admin123	YES	The administrative password that would be used to log in to the Keycloak administration console or authenticate API requests.
AXUAL_CONNECT_AVAILABLE	A boolean value [true \| false] Default value: false	Conditionally YES	Controls the direct connection to Axual-Connect, if it’s set to `true`, the `AXUAL_OPERATION_MANAGER_AVAILABLE` must be false and vice-versa.
AXUAL_CONNECT_INSTANCE-CONNECT-CREDENTIALS_[tenantShortName-instanceShortName]_AUTHORIZER	basic Default value: basic	Conditionally YES	Specifies the type of authorization per tenant-instance, is mandatory if `AXUAL_CONNECT_AVAILABLE=true`
AXUAL_CONNECT_INSTANCE-CONNECT-CREDENTIALS_[tenantShortName-instanceShortName]_USERNAME	A string defining the username “no default”	Conditionally YES	This sets the username per tenant-instance used to authenticate with the Axual-Connect, is mandatory if `AXUAL_CONNECT_AVAILABLE=true`.
AXUAL_CONNECT_INSTANCE-CONNECT-CREDENTIALS_[tenantShortName-instanceShortName]_PASSWORD	A string defining the password “no default”	Conditionally YES	This sets the password per tenant-instance used to authenticate with the Axual-Connect, is mandatory if `AXUAL_CONNECT_AVAILABLE=true`.
AXUAL_DEFAULT-CLUSTER-PATTERN_TOPIC-RESOLVER	A string of fully-qualified class name of topicResolver Default value: “io.axual.common.resolver.TopicPatternResolver”	NO	Specifies the fully-qualified class name of topicResolver which is used for resolving topics.
AXUAL_DEFAULT-CLUSTER-PATTERN_TOPIC-PATTERN	A string of topic pattern [“{topic}” \| “{environment}-{topic}” \| {instance}-{environment}-{topic} \| {tenant}-{instance}-{environment}-{topic} ] Default value: “{topic}”	NO	Specifies the topic pattern for any kafka cluster owned by a Tenant and not having a defined topic pattern. This pattern is used when resolving the kafka topic name. “{topic}” this pattern means that this cluster does not support multi-environment, multi_instance and multi-tenant “{environment}-{topic}” this pattern means that the cluster is a multi-environment one and combination of `environment-topic` identifies a unique topic {instance}-{environment}-{topic} this pattern means that the cluster is a multi-environment and multi-instance one and combination of `instance-environment-topic` identifies a unique topic “{tenant}-{instance}-{environment}-{topic}” this pattern means that the cluster is a multi-environment, multi-instance and multi_tenant and combination of `tenant-instance-environment-topic` identifies a unique topic.
AXUAL_DEFAULT-CLUSTER-PATTERN_GROUP-ID-RESOLVER	A string of fully-qualified class name of groupIdResolver Default value: “io.axual.common.resolver.GroupPatternResolver”	NO	Specifies the fully-qualified class name of groupIdResolver which is used for resolving groups.
AXUAL_DEFAULT-CLUSTER-PATTERN_GROUP-ID-PATTERN	A string of groupId pattern [“{group}” \| “{environment}-{group}” \| {instance}-{environment}-{group} \| {tenant}-{instance}-{environment}-{group} ] Default value: “{group}”	NO	Specifies the groupId pattern for any kafka cluster owned by a Tenant and not having a defined groupId pattern. This pattern is used when resolving the group name. “{group}” this pattern means that this cluster does not support multi-environment, multi_instance and multi-tenant “{environment}-{group}” this pattern means that the cluster is a multi-environment one and combination of `environment-group` identifies a unique group {instance}-{environment}-{group} this pattern means that the cluster is a multi-environment and multi-instance one and combination of `instance-environment-group` identifies a unique group. “{tenant}-{instance}-{environment}-{group}” this pattern means that the cluster is a multi-environment, multi-instance and multi_tenant and combination of `tenant-instance-environment-group` identifies a unique group.
AXUAL_DEFAULT-CLUSTER-PATTERN_TRANSACTIONAL-ID-RESOLVER	A string of fully-qualified class name of transactionalIdResolver Default value: “io.axual.common.resolver.TransactionalIdPatternResolver”	NO	Specifies the fully-qualified class name of transactionalIdResolver which is used for resolving transactions.
AXUAL_DEFAULT-CLUSTER-PATTERN_TRANSACTIONAL-ID-PATTERN	A string of transactionalId pattern [“\{transactional.id}” \| “{environment}-\{app.id}” \| {instance}-{environment}-\{transactional.id} \| {tenant}-{instance}-{environment}-\{transactional.id} ] Default value: “\{transactional.id}”	NO	Specifies the transactionalId pattern for any kafka cluster owned by a Tenant and not having a defined transactionalId pattern. This pattern is used when resolving the transactionalId. “\{transactional.id}” this pattern means that the cluster does not support multi-environment, multi_instance and multi-tenant “{environment}-\{transactional.id}” this pattern means that the cluster is multi-environment and combination of `environment-transactionalId-` identifies a unique prefixed transactional.id {instance}-{environment}-\{transactional.id} this pattern means that the cluster is multi-environment and multi-instance and combination of `instance-environment-transactionalId` identifies a unique prefixed transactional.id “{tenant}-{instance}-{environment}-{topic}” this pattern means that the cluster is multi-environment, multi-instance and multi-tenant and combination of `tenant-instance-environment-transactionalId-` identifies a unique prefixed transactional.id.
AXUAL_DEFAULT-CLUSTER-PATTERN_MULTI-TENANT-TOPIC-PATTERN	A string of multi-tenant topic pattern Default value: “{tenant}-{instance}-{environment}-{topic}”	NO	Specifies the topic pattern for any kafka cluster not owned by a Tenant and not having a defined topic pattern. This pattern is used when resolving the kafka topic name. “{tenant}-{instance}-{environment}-{topic}” this pattern means that the cluster is a multi-environment, multi-instance and multi_tenant and combination of `tenant-instance-environment-topic` identifies a unique topic.
AXUAL_DEFAULT-CLUSTER-PATTERN_MULTI-TENANT-GROUP-ID-PATTERN	A string of multi-tenant groupId pattern Default value: “{tenant}-{instance}-{environment}-{group}”	NO	Specifies the groupId pattern for any kafka cluster not owned by a Tenant and not having a defined groupId pattern. This pattern is used when resolving the kafka group name. “{tenant}-{instance}-{environment}-{group}” this pattern means that the cluster is a multi-environment, multi-instance and multi_tenant and combination of `tenant-instance-environment-group` identifies a unique group.
AXUAL_DEFAULT-CLUSTER-PATTERN_MULTI-TENANT-TRANSACTIONAL-ID-PATTERN	A string of multi-tenant transactionalId pattern Default value: “{tenant}-{instance}-{environment}-\{transactional.id}”	NO	Specifies the transactionalId pattern for any kafka cluster not owned by a Tenant and not having a defined transactionalId pattern. This pattern is used when resolving the transactionalId. “{tenant}-{instance}-{environment}-\{transactional.id}” this pattern means that the cluster is multi-environment, multi-instance and multi-tenant and combination of `tenant-instance-environment-transactionalId-` identifies a unique prefixed transactional.id.
AXUAL_NOTIFICATIONS_ENABLED	A boolean value [true \| false] Default value: false	NO	Enables Notification service for the application.
AXUAL_NOTIFICATIONS_BASEURL	A valid URL of the running host “no default” As an example, for the axual cloud should be set to `https://axual.cloud/governance`	Conditionally YES	Represents the UI advertised URL of the the running self-service application, it is mandatory if `AXUAL_NOTIFICATIONS_ENABLED=true`
AXUAL_NOTIFICATIONS_SENDER	A valid email address “no default”	Conditionally YES	Represents the email address of the notification sender, it can be the same value as `SPRING_MAIL_USERNAME` property, it is mandatory if `AXUAL_NOTIFICATIONS_ENABLED=true`
AXUAL_NOTIFICATIONS_SMTP_ENABLED	A boolean value [true \| false] no default:	Conditionally YES	Enables Notification service to use SMTP for on-prem installation. It is mandatory if `AXUAL_NOTIFICATIONS_ENABLED=true` and `AXUAL_NOTIFICATIONS_MAILCHIMP_ENABLED=false`
AXUAL_NOTIFICATIONS_MAILCHIMP_ENABLED	A boolean value [true \| false] no default:	Conditionally YES	Enables Notification service to use mailchimp for SAAS installation. It is mandatory if `AXUAL_NOTIFICATIONS_ENABLED=true` and `AXUAL_NOTIFICATIONS_SMTP_ENABLED=false`
SUBSCRIPTION-MANAGEMENT_ENABLED	A boolean value [true \| false] Default value: false	NO	Enables Stripe Subscription-Management for the application.
SUBSCRIPTION-MANAGEMENT_SLACK_CHANNEL_ALERTING	A string “no default”	NO	This is the Slack channel where alerts and notifications related to subscription management may be sent.
SUBSCRIPTION-MANAGEMENT_SLACK_CHANNEL_SALES	A string “no default”	NO	This is the Slack channel where sales-related notifications may be sent.
SUBSCRIPTION-MANAGEMENT_STRIPE_API-KEY	A string Default value: secret	Conditionally YES	This is the Stripe API key used for authenticating the application with Stripe, only if `SUBSCRIPTION-MANAGEMENT_ENABLED=true`
SUBSCRIPTION-MANAGEMENT_STRIPE_ENDPOINT-SECRET	A string Default value: secret	Conditionally YES	This is used for webhook event verification, only if `SUBSCRIPTION-MANAGEMENT_ENABLED=true`
SUBSCRIPTION-MANAGEMENT_STRIPE_RETRIES-COUNT	A number Default value: 10	Conditionally YES	Specifies the number of retries to attempt in case of Stripe-related failure, only if `SUBSCRIPTION-MANAGEMENT_ENABLED=true`
SUBSCRIPTION-MANAGEMENT_PRICING-TABLE_PLANS-IDS	A list of plan-ids “no default”	Conditionally YES	Specifies a list of plan IDs, only if `SUBSCRIPTION-MANAGEMENT_ENABLED=true`
SUBSCRIPTION-MANAGEMENT_PRICING-TABLE_HIGHLIGHTED-PLAN-ID	A string defining plan-id “no default”	Conditionally YES	This property highlights a specific plan ID, only if `SUBSCRIPTION-MANAGEMENT_ENABLED=true`
SUBSCRIPTION-MANAGEMENT_PRICING-TABLE_TRIAL-PERIOD-DAYS	A number Default value: 30	Conditionally YES	Specifies the duration of the trial period in days, only if `SUBSCRIPTION-MANAGEMENT_ENABLED=true`
SUBSCRIPTION-MANAGEMENT_SUBSCRIPTIONS_TRIAL-PRICE-ID	A string defining price-id “no default”	Conditionally YES	Specifies the ID of a trial price, only if `SUBSCRIPTION-MANAGEMENT_ENABLED=true`
GOVERNANCE_VAULT_ENABLED	A boolean value [true \| false] Default value: false	Conditionally YES	Controls supporting Hashicorp Key Vault for governance to persist application credentials. if it’s enabled, the `AZURE_KEY-VAULT_ENABLED` should be set to `false` and vice-versa
GOVERNANCE_VAULT_URI	A valid uri “no default”	Conditionally YES	Specifies the URI or endpoint of the Hashicorp Key Vault instance. It is mandatory only if `GOVERNANCE_VAULT_ENABLED=true`.
GOVERNANCE_VAULT_ROLE-ID	A valid RoleId “no default”	Conditionally YES	Role ID is used to identify the specific AppRole configured in Hashicorp Vault that the application is using for authentication. It is mandatory only if `GOVERNANCE_VAULT_ENABLED=true`
GOVERNANCE_VAULT_SECRET-ID	A valid secretId “no default”	Conditionally YES	The Secret ID is a secret token associated with a particular Role ID that proves the application’s identity and authorization to access secrets. It is mandatory only if `GOVERNANCE_VAULT_ENABLED=true`
GOVERNANCE_VAULT_PATH	A string defining path Default value: “governance”	Conditionally YES	Defines the specific path within Vault’s storage hierarchy where the application expects to read or write secrets or other data. It is mandatory only if `GOVERNANCE_VAULT_ENABLED=true`
GOVERNANCE_VAULT_NAMESPACE	A string defining the namespace “no default”	Conditionally YES	Specifies the Vault namespace to use. A Vault namespace allows you to create isolated environments within a Vault server, is mandatory if `GOVERNANCE_VAULT_ENABLED=true`
AIVEN_ENDPOINT	A valid uri Default value: https://api.aiven.io/v1	NO	Defines the endpoint of external provider Aiven.
CONFLUENTCLOUD_ENDPOINT	A valid uri Default value: https://api.confluent.cloud/	NO	Defines the endpoint of external provider ConfluentCloud.
CONFLUENTCLOUD_SECONDARY_ENDPOINT	A valid uri Default value: https://confluent.cloud	NO	Defines a secondary endpoint of external provider ConfluentCloud.
SCHEDULER_RECONCILIATION_CONNECT_PLUGINS_CRON	A string defining a cron expression Default value: “0 * _/12 ? _ *” (evey 12 hours)	NO	Specifies the schedule or frequency at which `reconciling plugins of managed instances` task should be executed.
SCHEDULER_RECONCILIATION_CONNECT_DEPLOYMENTS_CRON	A string defining a cron expression Default value: “0 * _/6 ? _ *” (evey 6 hours)	NO	Specifies the schedule or frequency at which `reconciling deployments of managed instances` task should be executed.
CONNECTOR-VAULT_ENABLED	A boolean value [true \| false] Default value: false	Conditionally YES	Controls supporting Vault for persisting connectors secrets per tenant-instance.
CONNECTOR-VAULT_INSTANCES_[tenantShortName-instanceShortName]_URI	The URI of the vault “no default”	Conditionally YES	Specifies the type of authorization per tenant-instance, is mandatory if `CONNECTOR-VAULT_ENABLED=true`
CONNECTOR-VAULT_INSTANCES_[tenantShortName-instanceShortName]_ROLE-ID	A valid RoleId “no default”	Conditionally YES	Role ID is used to identify the specific AppRole per tenant-instance configured in Hashicorp Vault that the application is using for authentication, is mandatory if `CONNECTOR-VAULT_ENABLED=true`
CONNECTOR-VAULT_INSTANCES_[tenantShortName-instanceShortName]_SECRET-ID	A valid secretId “no default”	Conditionally YES	The Secret ID is a secret token associated with a particular Role ID per tenant-instance that proves the application’s identity and authorization to access secrets, is mandatory if `CONNECTOR-VAULT_ENABLED=true`
CONNECTOR-VAULT_INSTANCES_[tenantShortName-instanceShortName]_NAMESPACE	A string defining the namespace “no default”	Conditionally YES	Specifies the Vault namespace per tenant-instance to use. A Vault namespace allows you to create isolated environments within a Vault server, is mandatory if `CONNECTOR-VAULT_ENABLED=true`
CONNECTOR-VAULT_INSTANCES_[tenantShortName-instanceShortName]_CONNECTORS-PATH	A string defining path “no default”	Conditionally YES	Specifies a path within Vault per tenant-instance where connectors or secrets may be stored or managed, is mandatory if `CONNECTOR-VAULT_ENABLED=true`
CONNECTOR-VAULT_INSTANCES_[tenantShortName-instanceShortName]_PRIVATE-KEY-NAME	A string defining the privateKey name “no default”	Conditionally YES	Specifies the name of a private key per tenant-instance within Vault, is mandatory if `CONNECTOR-VAULT_ENABLED=true`
CONNECTOR-VAULT_INSTANCES_[tenantShortName-instanceShortName]_CERT-CHAIN-KEY-NAME	A string defining the certChainKey name “no default”	Conditionally YES	Specifies the name of a certificate chain or certificate-related resource per tenant-instance within Vault per tenant-instance, is mandatory if `CONNECTOR-VAULT_ENABLED=true`
CONNECTOR-VAULT_INSTANCES_[tenantShortName-instanceShortName]_TRUST-STORE	A string of file path to the trust-store “no default”	NO	Specifies the file path to the trust store within Vault per tenant-instance, if it’s not set, the `AXUAL_SECURITY_TRUST_STORE` value will be set as default value.
CONNECTOR-VAULT_INSTANCES_[tenantShortName-instanceShortName]_TRUST-STORE-PASSWORD	A string defining the password “no default”	NO	Specifies the password required to access and manipulate the trust store within Vault per tenant-instance, if it’s not set, the `AXUAL_SECURITY_TRUST_STORE_PASSWORD` value will be set as default value.
CONNECTOR-VAULT_INSTANCES_[tenantShortName-instanceShortName]_KEY-STORE	A string of file path to the key-store “no default”	NO	Specifies the file path to the key store within Vault per tenant-instance, if it’s not set, the `AXUAL_SECURITY_KEY_STORE` value will be set as default value.
CONNECTOR-VAULT_INSTANCES_[tenantShortName-instanceShortName]_KEY-STORE-PASSWORD	A string defining the key-store password “no default”	NO	Specifies the password required to access and manipulate the key store within Vault per tenant-instance, if it’s not set, the `AXUAL_SECURITY_KEY_STORE_PASSWORD` value will be set as default value.
CONNECTOR-VAULT_INSTANCES_[tenantShortName-instanceShortName]_KEY-PASSWORD	A string defining the key password “no default”	NO	Specifies the password required to unlock the client’s private key within the key store within Vault per tenant-instance, if it’s not set, the `AXUAL_SECURITY_KEY_STORE_PASSWORD` value will be set as default value.

SPRING_DATASOURCE_URL

A string of jdbc url “no default”

YES

Specifies the JDBC URL used to connect to any database.

SPRING_DATASOURCE_NAME

A string defining the datasource name default value: fluxdb

This is typically used when you have multiple data sources in your application. It provides a name or identifier for the datasource.

SPRING_DATASOURCE_DRIVER-CLASS-NAME

A string defining the datasource driverClassName com.mysql.cj.jdbc.Driver | org.mariadb.jdbc.Driver “no default”

YES

Specifies the fully-qualified class name of the JDBC driver that should be used for the database connection.

SPRING_DATASOURCE_USERNAME

A string defining the username “no default”

YES

This sets the username used to authenticate with the database.

SPRING_DATASOURCE_PASSWORD

A string defining the password “no default”

YES

This sets the password for the database connection.

SPRING_JPA_HIBERNATE_DATABASE-PLATFORM

org.hibernate.dialect.MariaDBDialect | org.hibernate.dialect.MySQLDialect “no default”

YES

This is used to specify the SQL dialect that should be used by JPA and Hibernate when generating or interpreting SQL statements for a specific database.

SPRING_JPA_HIBERNATE_DDL-AUTO

none | validate | update | create | create-drop Default value: validate

controls the behavior of database schema generation and modification during application startup. none: This is the default value. It means that no schema generation or modification is done by Hibernate. You are responsible for managing the database schema manually. validate: Hibernate validates the existing schema against the current entity mappings. It will not make any changes to the schema, but it will report any discrepancies or errors. update: Hibernate updates the schema automatically based on the entity mappings. It will create tables, columns, and constraints if they don’t exist in the database. However, it will not drop any tables or columns that are no longer needed. create: Hibernate creates the schema from scratch during application startup. It will drop and re-create the tables every time the application starts. Be cautious with this option as it can result in data loss in a production environment. create-drop: Similar to create, but it also drops the schema when the application shuts down. This is typically used for testing and development environments.

SPRING_FLYWAY_VENDOR

mysql/mariadb Default value: mariadb

This is used to specify the database vendor for which Flyway should generate or apply database migration scripts.

SPRING_MAIL_HOST

A string defining SMTP server “no default”

Conditionally YES

Specifies the SMTP server that will be used to send emails. Possible values include domain names or IP addresses of SMTP servers, e.g., smtp.gmail.com. It is mandatory if AXUAL_NOTIFICATIONS_SMTP_ENABLED=true

SPRING_MAIL_PORT

A valid port number “no default” Possible value to be set for SMTP using TLS/STARTTLS is 587, using SSL is 465.

Conditionally YES

Specifies the port number of the SMTP server, is mandatory if AXUAL_NOTIFICATIONS_SMTP_ENABLED=true.

SPRING_MAIL_USERNAME

A string defining the username “no default”

Conditionally YES

Specifies the username used to authenticate with the SMTP server. It corresponds to the email account from which emails will be sent, is mandatory if AXUAL_NOTIFICATIONS_SMTP_ENABLED=true

SPRING_MAIL_PASSWORD

A string defining the password “no default”

Conditionally YES

Specifies the password used to authenticate with the SMTP server. It should be the password associated with the provided username, is mandatory if AXUAL_NOTIFICATIONS_SMTP_ENABLED=true

SPRING_MAIL_PROPERTIES_MAIL_SMTP_AUTH

A boolean value [true | false] Default value: false

Conditionally YES

Specifies whether authentication (user identification) is required by the SMTP server, it is mandatory to be set as true if AXUAL_NOTIFICATIONS_SMTP_ENABLED=true

SPRING_MAIL_PROPERTIES_MAIL_SMTP_STARTTLS_ENABLE

A boolean value [true | false] Default value: false

Conditionally YES

Specifies whether to enable the use of the STARTTLS command (which initiates a secure connection) when connecting to the SMTP server, it is mandatory to be set as true if AXUAL_NOTIFICATIONS_SMTP_ENABLED=true

VAULT_ENABLED

A boolean value [true | false] “no default”

YES

Controls supporting Vault for persisting application credentials.

VAULT_URI

A valid uri “no default”

Conditionally YES

Specifies the uri of the Vault. It is mandatory only if VAULT_ENABLED=true

VAULT_ROLE-ID

A valid RoleId “no default”

Conditionally YES

Role ID is used to identify the specific AppRole configured in Vault that the application is using for authentication. It is mandatory only if VAULT_ENABLED=true

VAULT_SECRET-ID

A valid secretId “no default”

Conditionally YES

The Secret ID is a secret token associated with a particular Role ID that proves the application’s identity and authorization to access secrets. It is mandatory only if VAULT_ENABLED=true

AZURE_KEY-VAULT_ENABLED

A boolean value [true | false] Default value: false

Controls supporting Azure Key Vault for governance. if it’s enabled, the GOVERNANCE_VAULT_ENABLED property should be set to false and vice versa.

AZURE_KEY-VAULT_URI

A valid uri “no default”

Conditionally YES

Specifies the URI or endpoint of the Azure Key Vault instance. It is mandatory only if AZURE_KEY-VAULT_ENABLED=true.

AZURE_KEY-VAULT_LOGIN-URI

A valid uri Default value: https://login.microsoftonline.com/

Conditionally YES

Specifies the URI for Azure AD login. It is mandatory only if AZURE_KEY-VAULT_ENABLED=true.

AZURE_KEY-VAULT_SCOPE

The base URL for Azure Key Vault containing granted permissions Default value: https://vault.azure.net

Conditionally YES

Specifies the scope of the Azure Key Vault instance. It represents the specific resources and operations that our application is authorized to access within Azure Key Vault. It is mandatory only if AZURE_KEY-VAULT_ENABLED=true.

AZURE_KEY-VAULT_CLIENT-ID

A valid clientId “no default”

Conditionally YES

Specifies the Azure AD client ID associated with this application. The client ID identifies this application when it interacts with Azure Key Vault. It is mandatory only if AZURE_KEY-VAULT_ENABLED=true.

AZURE_KEY-VAULT_CLIENT-KEY

A valid clientKey “no default”

Conditionally YES

Represents the client secret or client key associated with our application. It is mandatory only if AZURE_KEY-VAULT_ENABLED=true.

AZURE_KEY-VAULT_TENANT-ID

A valid tenantId “no default”

Conditionally YES

specifies the Azure AD tenant ID. It is mandatory only if AZURE_KEY-VAULT_ENABLED=true.

SERVER_HTTP2_ENABLED

A boolean value [true | false] Default value: false

Is used in the configuration of a web server to enable or disable HTTP/2 support.

SERVER_SSL_ENABLED

A boolean value [true | false] Default value: true

Enables SSL/TLS support for secure communication.

SERVER_SSL_KEY_STORE

A string of file path to the key-store “no default”

Conditionally YES

Specifies the file path to the Java KeyStore (JKS) file that contains the server’s SSL certificate and private key, is mandatory only if SERVER_SSL_ENABLED=true.

SERVER_SSL_KEY_STORE_PASSWORD

A string defining the password “no default”

Conditionally YES

Specifies the password required to access the keystore itself, is mandatory only if SERVER_SSL_ENABLED=true.

SERVER_SSL_ENABLED-PROTOCOLS

A comma separated list of these values [TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3] “no default”

Conditionally YES

Specifies the list of allowed SSL/TLS protocols, is mandatory only if SERVER_SSL_ENABLED=true.

AXUAL_API_AVAILABLE_AUTH_METHODS

A comma seperated list of String containing these items : SSL,SCRAM_SHA_256,SCRAM_SHA_512,PLAIN Default value: SSL

Specifies the available authentication methods which can be used for applications to be authenticated while getting access to topics.

AXUAL_MULTI_TENANT

A boolean value [true | false] Default value: true

Specifies if the cluster is multi-tenant or not. In case it is set to true, the cluster will be shared among multiple tenants.

AXUAL_DEFAULT_ROLES

A comma seperated List of strings containing default user roles. The list of existing roles in Axual is as follows: SUPER_ADMIN, TENANT_ADMIN, APPLICATION_ADMIN, STREAM_ADMIN, ENVIRONMENT_ADMIN, APPLICATION_AUTHOR, STREAM_AUTHOR, ENVIRONMENT_AUTHOR, BILLING_INTERNAL, BILLING_VIEWE, SCHEMA_AUTHOR, SCHEMA_ADMIN Default value: APPLICATION_AUTHOR, ENVIRONMENT_AUTHOR, STREAM_AUTHOR

Specifies the default roles which can be automatically granted to a user when a new user is created.

AXUAL_DEFAULT_PARTITIONS

A valid number Default value: 2

Specifies the number of partitions per each topic. Must be at least 1 and at most 120000.

AXUAL_DEFAULT_REPLICATION_FACTOR

A valid number “no default”

YES

Specifies how many copies (replicas) of each partition of a Kafka topic should be maintained across different broker nodes. It’s a crucial factor for ensuring fault tolerance and high availability in Kafka clusters.

AXUAL_DEFAULT_SEGMENT_TIME

A valid number (time in milliseconds) Default value: 604800000 (7 days)

Controls the period of time after which Kafka will force the log to roll even if the segment file isn’t full to ensure that retention can delete or compact old data.

AXUAL_DEFAULT_RETENTION_TIME

A valid number (time in milliseconds) Default value: 604800000 (7 days)

Controls the maximum time Kafka will retain a log before discarding old log segments to free up space if the retention policy is equal to “delete”. This represents an SLA on how soon consumers must read their data. If set to -1, no time limit is applied.

AXUAL_DEFAULT_CLEANUP_POLICY

delete | compact | delete,compact | compact,delete Default value: delete

Specifies the cleanup policy for log segments in a topic. This property determines when log segments can be deleted to reclaim disk space. delete: This is the default cleanup policy. When this policy is applied, Kafka will delete log segments as soon as they are no longer needed for any active consumers or replication. compact: This policy is used for log compaction. With this policy, Kafka retains the latest value for each unique key in the log and deletes older versions of the same key. Log compaction is often used for Kafka topics that store changelog or event sourcing data, ensuring that the latest state of each key is always available.delete,compact: This policy combines both deletion and compaction. It deletes log segments that are no longer needed by any active consumers while also performing log compaction on the remaining data.compact,delete: Similar to the previous option, this policy combines both deletion and compaction, but it prioritizes log compaction before deletion.

AXUAL_DEFAULT_ENVIRONMENT_COLOR

A string defining a hexadecimal color code Default value: “#80affe”

Specifies the default color of environment in UI.

AXUAL_BILLING_ENABLED

A boolean value [true | false] Default value: false

This is used to enable billing component.

AXUAL_CSRF_ENABLED

A boolean value [true | false] Default value: false

This is used for enabling Cross-Site Request Forgery (CSRF) protection.

AXUAL_ALLOW_OVERLAPPING_CA

A boolean value [true | false] Default value: false

Allows Using one CERTIFICATE AUTHORITY (CA) on multiple tenants if it’s set to true.

AXUAL_VALIDATE_DUPLICATE_SCHEMAS

A boolean value [true | false] Default value: true

Controls validation of a duplicate schema. If it’s set to false, the /schemas/check-parse API won’t check the uniqueness of the uploaded schema-version.

AXUAL_CREATE_STREAM_DISABLE_TIME

A valid number [0, …] Default value: 0

Controls Disabling the StreamConfig resource creation for the specified time in minutes.

AXUAL_CLIENT_SOCKET_TIMEOUT

A valid number Default value: 90000

Specifies the maximum amount of time in milliseconds that a client will wait for a response from a server before considering the operation as timed out or failed

AXUAL_INSTANCE_API_AVAILABLE

A boolean value [true | false] Default value: true

Controls the connection to instance-api, If it’s disabled and the environment is not BYOK, any action on topics won’t be applied to the cluster. In BYOK environment, this should be set to false.

AXUAL_INSTANCE_API_AUTHORIZER

tls | basic Default value: true

Conditionally YES

Specifies the type of authorization, is mandatory if AXUAL_INSTANCE_API_AVAILABLE=true. "`tls`" means that the communication between PlatformManager and InstanceManager is secured using TLS encryption and mutual authentication and both required to present valid SSL/TLS certificates to each other to establish a secure connection. "`basic`" refers to Basic Authentication, which involves sending a username and password as part of the HTTP request header.

AXUAL_INSTANCE_API_USERNAME

A string defining the username “no default”

Conditionally YES

This sets the username used to authenticate with the Instance-api, is mandatory if AXUAL_INSTANCE_API_AVAILABLE=true and AXUAL_INSTANCE_API_AUTHORIZER=basic

AXUAL_INSTANCE_API_PASSWORD

A string defining the password “no default”

Conditionally YES

This sets the password for the Instance-api connection, is mandatory if AXUAL_INSTANCE_API_AVAILABLE=true and AXUAL_INSTANCE_API_AUTHORIZER=basic.

AXUAL_INSTANCE_API_TRUST_STORE

A string of file path to the trust-store “no default”

Conditionally YES

Specifies the file path to the trust store, is mandatory if AXUAL_INSTANCE_API_AVAILABLE=true and AXUAL_INSTANCE_API_AUTHORIZER=tls.

AXUAL_INSTANCE_API_TRUST_STORE_PASSWORD

A string defining the password “no default”

Conditionally YES

Specifies the password required to access and manipulate the trust store, is mandatory if AXUAL_INSTANCE_API_AVAILABLE=true and AXUAL_INSTANCE_API_AUTHORIZER=tls.

AXUAL_INSTANCE_API_KEY_STORE

A string of file path to the key-store “no default”

Conditionally YES

Specifies the file path to the key store, is mandatory if AXUAL_INSTANCE_API_AVAILABLE=true and AXUAL_INSTANCE_API_AUTHORIZER=tls.

AXUAL_INSTANCE_API_KEY_STORE_PASSWORD

A string defining the password “no default”

Conditionally YES

Specifies the password required to access and manipulate the client’s key store, is mandatory if AXUAL_INSTANCE_API_AVAILABLE=true and AXUAL_INSTANCE_API_AUTHORIZER=tls.

AXUAL_INSTANCE_API_KEY_PASSWORD

A string defining the password “no default”

Conditionally YES

Specifies the password required to unlock the client’s private key within the key store, is mandatory if AXUAL_INSTANCE_API_AVAILABLE=true and AXUAL_INSTANCE_API_AUTHORIZER=tls.

AXUAL_ORGANIZATION_MANAGER_AUTH_PROVIDER

Supported auth provider: none, keycloak Default value: none

Determines the authorization server for authenticating local users. ‘none’ disabled Organization Manager module.

AXUAL_ORGANIZATION_MANAGER_KEYCLOAK_URL

URL to access Keycloak “no default”:

YES

URL to access Keycloak.

AXUAL_ORGANIZATION_MANAGER_KEYCLOAK_USERNAME

Username to authenticate with Keycloak “no default”:

YES

Username to authenticate with Keycloak.

AXUAL_ORGANIZATION_MANAGER_KEYCLOAK_PASSWORD

Password to authenticate with Keycloak “no default”:

YES

Password to authenticate with Keycloak.

AXUAL_ORGANIZATION_MANAGER_KEYCLOAK_LOCAL_REALM

Name of local realm in Keycloak Default value: local

YES

Name of local realm in Keycloak.

AXUAL_ORGANIZATION_MANAGER_KEYCLOAK_MASTER_REALM

Name of master realm in Keycloak Default value: master

YES

Name of master realm in Keycloak.

AXUAL_ORGANIZATION_MANAGER_KEYCLOAK_CLIENT_ID

Client ID to use when authenticating with master realm of Keycloak Default value: admin-cli

YES

Admin client to authenticate with Keycloak.

AXUAL_OPERATION_MANAGER_AVAILABLE

A boolean value [true | false] Default value: true

Controls the connection to Operation-Manager, which is an intermediate component to make connection between PlatformManager and Axual-Connect. If it’s set to true, the AXUAL_CONNECT_AVAILABLE should be false and vice versa.

AXUAL_OPERATION_MANAGER_AUTHORIZER

tls | basic Default value: basic

Conditionally YES

Specifies the type of authorization, is mandatory if AXUAL_OPERATION_MANAGER_AVAILABLE =true. "`tls`" means that the communication between PlatformManager and InstanceManager is secured using TLS encryption and mutual authentication and both required to present valid SSL/TLS certificates to each other to establish a secure connection. "`basic`" refers to Basic Authentication, which involves sending a username and password as part of the HTTP request header.

AXUAL_OPERATION_MANAGER_USERNAME

A string defining the username “no default”

Conditionally YES

This sets the username used to authenticate with the Instance-api, is mandatory if AXUAL_OPERATION_MANAGER_AVAILABLE =true and AXUAL_OPERATION_MANAGER_AUTHORIZER=basic

AXUAL_OPERATION_MANAGER_PASSWORD

A string defining the password “no default”

Conditionally YES

This sets the password for the Operation-Manager connection, is mandatory if AXUAL_OPERATION_MANAGER_AVAILABLE =true and AXUAL_OPERATION_MANAGER_AUTHORIZER=basic.

AXUAL_OPERATION_MANAGER_TRUST_STORE

A string of file path to the trust-store “no default”

Conditionally YES

Specifies the file path to the trust store, is mandatory if AXUAL_OPERATION_MANAGER_AVAILABLE =true and AXUAL_INSTANCE_API_AUTHORIZER=tls.

AXUAL_OPERATION_MANAGER_TRUST_STORE_PASSWORD

A string defining the password “no default”

Conditionally YES

Specifies the password required to access and manipulate the trust store, is mandatory if AXUAL_OPERATION_MANAGER_AVAILABLE =true and AXUAL_OPERATION_MANAGER_AUTHORIZER=tls.

AXUAL_OPERATION_MANAGER_KEY_STORE

A string of file path to the key-store “no default”

Conditionally YES

Specifies the file path to the key store, is mandatory if AXUAL_OPERATION_MANAGER_AVAILABLE =true and AXUAL_INSTANCE_API_AUTHORIZER=tls.

AXUAL_OPERATION_MANAGER_KEY_STORE_PASSWORD

A string defining the password “no default”

Conditionally YES

Specifies the password required to access and manipulate the client’s key store, is mandatory if AXUAL_OPERATION_MANAGER_AVAILABLE =true and AXUAL_OPERATION_MANAGER_AUTHORIZER=tls.

AXUAL_OPERATION_MANAGER_KEY_PASSWORD

A string defining the password “no default”

Conditionally YES

Specifies the password required to unlock the client’s private key within the key store, is mandatory if AXUAL_OPERATION_MANAGER_AVAILABLE =true and AXUAL_OPERATION_MANAGER_AUTHORIZER=tls.

AXUAL_OPERATION_MANAGER_BASE_URI

A valid uri “no default”

YES

Specifies the base uri of Operation-Manager.

AXUAL_SECURITY_DOCS-USERNAME

A string defining the username Default value: axual

This sets the username used to authenticate with the docs.

AXUAL_SECURITY_DOCS-PASSWORD

A string defining the password Default value: notsecret

This sets the password used to authenticate with the docs.

AXUAL_SECURITY_TRUST_STORE

A string of file path to the trust-store “no default”

YES

Specifies the file path to the trust store.

AXUAL_SECURITY_TRUST_STORE_PASSWORD

A string defining the password “no default”

YES

Specifies the password required to access and manipulate the trust store.

AXUAL_SECURITY_KEY_STORE

A string of file path to the key-store “no default”

YES

Specifies the file path to the key store.

AXUAL_SECURITY_KEY_STORE_PASSWORD

A string defining the key-strore password “no default”

YES

Specifies the password required to access and manipulate the key store.

AXUAL_SECURITY_KE_PASSWORD

A string defining the key password “no default”

YES

Specifies the password required to unlock the private key within the key store.

AXUAL_SECURITY_HEADER-BASED-AUTH

A boolean value [true | false] Default value: false

Controls using OAuth2 mechanism for securing APIs. If it’s set to true, disables OAuth2 and relies on headers passed from API Gateway. It should be enabled only when Management API is behind a secured API Gateway.

AXUAL_SECURITY_AUTH-MODE

AUTH0 | KEYCLOAK “no default”

YES

Specifies the IAM service provider. if AXUAL_SECURITY_HEADER-BASED-AUTH=true this property can be set to AUTH0.

AXUAL_SECURITY_AUTH0-ISSUER

The Issuer URL for Auth0 “no default”

Conditionally YES

Is used to configure the Issuer URL for Auth0 when integrating Auth0 as an identity and authentication provider. It is required only AXUAL_SECURITY_HEADER-BASED-AUTH=true AND AXUAL_SECURITY_AUTH-MODE=AUTH0.

AXUAL_SECURITY_AUTH0-AUDIENCE

AUTH0 | KEYCLOAK “no default”

Conditionally YES

Specifies the “audience” or “audience identifier” to which authentication and authorization requests are directed . It is required only AXUAL_SECURITY_HEADER-BASED-AUTH=true AND AXUAL_SECURITY_AUTH-MODE=AUTH0.

AXUAL_KEYCLOAK_AUTH_SERVER_URL

The URL of the Keycloak authentication server “no default”

Conditionally YES

Represents the base URL of the Keycloak authentication server. The application would use this URL to interact with Keycloak’s authentication and authorization services. It is required only if AXUAL_SECURITY_HEADER-BASED-AUTH=true AND AXUAL_SECURITY_AUTH-MODE=KEYCLOAK

AXUAL_KEYCLOAK_USERNAME

A string defining the username Default value: admin

YES

The administrative username that would be used to log in to the Keycloak administration console or authenticate API requests.

AXUAL_KEYCLOAK_PASSWORD

A string defining the password Default value: admin123

YES

The administrative password that would be used to log in to the Keycloak administration console or authenticate API requests.

AXUAL_CONNECT_AVAILABLE

A boolean value [true | false] Default value: false

Conditionally YES

Controls the direct connection to Axual-Connect, if it’s set to true, the AXUAL_OPERATION_MANAGER_AVAILABLE must be false and vice-versa.

AXUAL_CONNECT_INSTANCE-CONNECT-CREDENTIALS_[tenantShortName-instanceShortName]_AUTHORIZER

basic Default value: basic

Conditionally YES

Specifies the type of authorization per tenant-instance, is mandatory if AXUAL_CONNECT_AVAILABLE=true

AXUAL_CONNECT_INSTANCE-CONNECT-CREDENTIALS_[tenantShortName-instanceShortName]_USERNAME

A string defining the username “no default”

Conditionally YES

This sets the username per tenant-instance used to authenticate with the Axual-Connect, is mandatory if AXUAL_CONNECT_AVAILABLE=true.

AXUAL_CONNECT_INSTANCE-CONNECT-CREDENTIALS_[tenantShortName-instanceShortName]_PASSWORD

A string defining the password “no default”

Conditionally YES

This sets the password per tenant-instance used to authenticate with the Axual-Connect, is mandatory if AXUAL_CONNECT_AVAILABLE=true.

AXUAL_DEFAULT-CLUSTER-PATTERN_TOPIC-RESOLVER

A string of fully-qualified class name of topicResolver Default value: “io.axual.common.resolver.TopicPatternResolver”

Specifies the fully-qualified class name of topicResolver which is used for resolving topics.

AXUAL_DEFAULT-CLUSTER-PATTERN_TOPIC-PATTERN

A string of topic pattern [“{topic}” | “{environment}-{topic}” | {instance}-{environment}-{topic} | {tenant}-{instance}-{environment}-{topic} ] Default value: “{topic}”

Specifies the topic pattern for any kafka cluster owned by a Tenant and not having a defined topic pattern. This pattern is used when resolving the kafka topic name. “{topic}” this pattern means that this cluster does not support multi-environment, multi_instance and multi-tenant “{environment}-{topic}” this pattern means that the cluster is a multi-environment one and combination of environment-topic identifies a unique topic {instance}-{environment}-{topic} this pattern means that the cluster is a multi-environment and multi-instance one and combination of instance-environment-topic identifies a unique topic “{tenant}-{instance}-{environment}-{topic}” this pattern means that the cluster is a multi-environment, multi-instance and multi_tenant and combination of tenant-instance-environment-topic identifies a unique topic.

AXUAL_DEFAULT-CLUSTER-PATTERN_GROUP-ID-RESOLVER

A string of fully-qualified class name of groupIdResolver Default value: “io.axual.common.resolver.GroupPatternResolver”

Specifies the fully-qualified class name of groupIdResolver which is used for resolving groups.

AXUAL_DEFAULT-CLUSTER-PATTERN_GROUP-ID-PATTERN

A string of groupId pattern [“{group}” | “{environment}-{group}” | {instance}-{environment}-{group} | {tenant}-{instance}-{environment}-{group} ] Default value: “{group}”

Specifies the groupId pattern for any kafka cluster owned by a Tenant and not having a defined groupId pattern. This pattern is used when resolving the group name. “{group}” this pattern means that this cluster does not support multi-environment, multi_instance and multi-tenant “{environment}-{group}” this pattern means that the cluster is a multi-environment one and combination of environment-group identifies a unique group {instance}-{environment}-{group} this pattern means that the cluster is a multi-environment and multi-instance one and combination of instance-environment-group identifies a unique group. “{tenant}-{instance}-{environment}-{group}” this pattern means that the cluster is a multi-environment, multi-instance and multi_tenant and combination of tenant-instance-environment-group identifies a unique group.

AXUAL_DEFAULT-CLUSTER-PATTERN_TRANSACTIONAL-ID-RESOLVER

A string of fully-qualified class name of transactionalIdResolver Default value: “io.axual.common.resolver.TransactionalIdPatternResolver”

Specifies the fully-qualified class name of transactionalIdResolver which is used for resolving transactions.

AXUAL_DEFAULT-CLUSTER-PATTERN_TRANSACTIONAL-ID-PATTERN

A string of transactionalId pattern [“\{transactional.id}” | “{environment}-\{app.id}” | {instance}-{environment}-\{transactional.id} | {tenant}-{instance}-{environment}-\{transactional.id} ] Default value: “\{transactional.id}”

Specifies the transactionalId pattern for any kafka cluster owned by a Tenant and not having a defined transactionalId pattern. This pattern is used when resolving the transactionalId. “\{transactional.id}” this pattern means that the cluster does not support multi-environment, multi_instance and multi-tenant “{environment}-\{transactional.id}” this pattern means that the cluster is multi-environment and combination of environment-transactionalId- identifies a unique prefixed transactional.id {instance}-{environment}-\{transactional.id} this pattern means that the cluster is multi-environment and multi-instance and combination of instance-environment-transactionalId identifies a unique prefixed transactional.id “{tenant}-{instance}-{environment}-{topic}” this pattern means that the cluster is multi-environment, multi-instance and multi-tenant and combination of tenant-instance-environment-transactionalId- identifies a unique prefixed transactional.id.

AXUAL_DEFAULT-CLUSTER-PATTERN_MULTI-TENANT-TOPIC-PATTERN

A string of multi-tenant topic pattern Default value: “{tenant}-{instance}-{environment}-{topic}”

Specifies the topic pattern for any kafka cluster not owned by a Tenant and not having a defined topic pattern. This pattern is used when resolving the kafka topic name. “{tenant}-{instance}-{environment}-{topic}” this pattern means that the cluster is a multi-environment, multi-instance and multi_tenant and combination of tenant-instance-environment-topic identifies a unique topic.

AXUAL_DEFAULT-CLUSTER-PATTERN_MULTI-TENANT-GROUP-ID-PATTERN

A string of multi-tenant groupId pattern Default value: “{tenant}-{instance}-{environment}-{group}”

Specifies the groupId pattern for any kafka cluster not owned by a Tenant and not having a defined groupId pattern. This pattern is used when resolving the kafka group name. “{tenant}-{instance}-{environment}-{group}” this pattern means that the cluster is a multi-environment, multi-instance and multi_tenant and combination of tenant-instance-environment-group identifies a unique group.

AXUAL_DEFAULT-CLUSTER-PATTERN_MULTI-TENANT-TRANSACTIONAL-ID-PATTERN

A string of multi-tenant transactionalId pattern Default value: “{tenant}-{instance}-{environment}-\{transactional.id}”

Specifies the transactionalId pattern for any kafka cluster not owned by a Tenant and not having a defined transactionalId pattern. This pattern is used when resolving the transactionalId. “{tenant}-{instance}-{environment}-\{transactional.id}” this pattern means that the cluster is multi-environment, multi-instance and multi-tenant and combination of tenant-instance-environment-transactionalId- identifies a unique prefixed transactional.id.

AXUAL_NOTIFICATIONS_ENABLED

A boolean value [true | false] Default value: false

Enables Notification service for the application.

AXUAL_NOTIFICATIONS_BASEURL

A valid URL of the running host “no default” As an example, for the axual cloud should be set to https://axual.cloud/governance

Conditionally YES

Represents the UI advertised URL of the the running self-service application, it is mandatory if AXUAL_NOTIFICATIONS_ENABLED=true

AXUAL_NOTIFICATIONS_SENDER

A valid email address “no default”

Conditionally YES

Represents the email address of the notification sender, it can be the same value as SPRING_MAIL_USERNAME property, it is mandatory if AXUAL_NOTIFICATIONS_ENABLED=true

AXUAL_NOTIFICATIONS_SMTP_ENABLED

A boolean value [true | false] no default:

Conditionally YES

Enables Notification service to use SMTP for on-prem installation. It is mandatory if AXUAL_NOTIFICATIONS_ENABLED=true and AXUAL_NOTIFICATIONS_MAILCHIMP_ENABLED=false

AXUAL_NOTIFICATIONS_MAILCHIMP_ENABLED

A boolean value [true | false] no default:

Conditionally YES

Enables Notification service to use mailchimp for SAAS installation. It is mandatory if AXUAL_NOTIFICATIONS_ENABLED=true and AXUAL_NOTIFICATIONS_SMTP_ENABLED=false

SUBSCRIPTION-MANAGEMENT_ENABLED

A boolean value [true | false] Default value: false

Enables Stripe Subscription-Management for the application.

SUBSCRIPTION-MANAGEMENT_SLACK_CHANNEL_ALERTING

A string “no default”

This is the Slack channel where alerts and notifications related to subscription management may be sent.

SUBSCRIPTION-MANAGEMENT_SLACK_CHANNEL_SALES

A string “no default”

This is the Slack channel where sales-related notifications may be sent.

SUBSCRIPTION-MANAGEMENT_STRIPE_API-KEY

A string Default value: secret

Conditionally YES

This is the Stripe API key used for authenticating the application with Stripe, only if SUBSCRIPTION-MANAGEMENT_ENABLED=true

SUBSCRIPTION-MANAGEMENT_STRIPE_ENDPOINT-SECRET

A string Default value: secret

Conditionally YES

This is used for webhook event verification, only if SUBSCRIPTION-MANAGEMENT_ENABLED=true

SUBSCRIPTION-MANAGEMENT_STRIPE_RETRIES-COUNT

A number Default value: 10

Conditionally YES

Specifies the number of retries to attempt in case of Stripe-related failure, only if SUBSCRIPTION-MANAGEMENT_ENABLED=true

SUBSCRIPTION-MANAGEMENT_PRICING-TABLE_PLANS-IDS

A list of plan-ids “no default”

Conditionally YES

Specifies a list of plan IDs, only if SUBSCRIPTION-MANAGEMENT_ENABLED=true

SUBSCRIPTION-MANAGEMENT_PRICING-TABLE_HIGHLIGHTED-PLAN-ID

A string defining plan-id “no default”

Conditionally YES

This property highlights a specific plan ID, only if SUBSCRIPTION-MANAGEMENT_ENABLED=true

SUBSCRIPTION-MANAGEMENT_PRICING-TABLE_TRIAL-PERIOD-DAYS

A number Default value: 30

Conditionally YES

Specifies the duration of the trial period in days, only if SUBSCRIPTION-MANAGEMENT_ENABLED=true

SUBSCRIPTION-MANAGEMENT_SUBSCRIPTIONS_TRIAL-PRICE-ID

A string defining price-id “no default”

Conditionally YES

Specifies the ID of a trial price, only if SUBSCRIPTION-MANAGEMENT_ENABLED=true

GOVERNANCE_VAULT_ENABLED

A boolean value [true | false] Default value: false

Conditionally YES

Controls supporting Hashicorp Key Vault for governance to persist application credentials. if it’s enabled, the AZURE_KEY-VAULT_ENABLED should be set to false and vice-versa

GOVERNANCE_VAULT_URI

A valid uri “no default”

Conditionally YES

Specifies the URI or endpoint of the Hashicorp Key Vault instance. It is mandatory only if GOVERNANCE_VAULT_ENABLED=true.

GOVERNANCE_VAULT_ROLE-ID

A valid RoleId “no default”

Conditionally YES

Role ID is used to identify the specific AppRole configured in Hashicorp Vault that the application is using for authentication. It is mandatory only if GOVERNANCE_VAULT_ENABLED=true

GOVERNANCE_VAULT_SECRET-ID

A valid secretId “no default”

Conditionally YES

The Secret ID is a secret token associated with a particular Role ID that proves the application’s identity and authorization to access secrets. It is mandatory only if GOVERNANCE_VAULT_ENABLED=true

GOVERNANCE_VAULT_PATH

A string defining path Default value: “governance”

Conditionally YES

Defines the specific path within Vault’s storage hierarchy where the application expects to read or write secrets or other data. It is mandatory only if GOVERNANCE_VAULT_ENABLED=true

GOVERNANCE_VAULT_NAMESPACE

A string defining the namespace “no default”

Conditionally YES

Specifies the Vault namespace to use. A Vault namespace allows you to create isolated environments within a Vault server, is mandatory if GOVERNANCE_VAULT_ENABLED=true

AIVEN_ENDPOINT

A valid uri Default value: https://api.aiven.io/v1

Defines the endpoint of external provider Aiven.

CONFLUENTCLOUD_ENDPOINT

A valid uri Default value: https://api.confluent.cloud/

Defines the endpoint of external provider ConfluentCloud.

CONFLUENTCLOUD_SECONDARY_ENDPOINT

A valid uri Default value: https://confluent.cloud

Defines a secondary endpoint of external provider ConfluentCloud.

SCHEDULER_RECONCILIATION_CONNECT_PLUGINS_CRON

A string defining a cron expression Default value: “0 * _/12 ? _ *” (evey 12 hours)

Specifies the schedule or frequency at which reconciling plugins of managed instances task should be executed.

SCHEDULER_RECONCILIATION_CONNECT_DEPLOYMENTS_CRON

A string defining a cron expression Default value: “0 * _/6 ? _ *” (evey 6 hours)

Specifies the schedule or frequency at which reconciling deployments of managed instances task should be executed.

CONNECTOR-VAULT_ENABLED

A boolean value [true | false] Default value: false

Conditionally YES

Controls supporting Vault for persisting connectors secrets per tenant-instance.

CONNECTOR-VAULT_INSTANCES_[tenantShortName-instanceShortName]_URI

The URI of the vault “no default”

Conditionally YES

Specifies the type of authorization per tenant-instance, is mandatory if CONNECTOR-VAULT_ENABLED=true

CONNECTOR-VAULT_INSTANCES_[tenantShortName-instanceShortName]_ROLE-ID

A valid RoleId “no default”

Conditionally YES

Role ID is used to identify the specific AppRole per tenant-instance configured in Hashicorp Vault that the application is using for authentication, is mandatory if CONNECTOR-VAULT_ENABLED=true

CONNECTOR-VAULT_INSTANCES_[tenantShortName-instanceShortName]_SECRET-ID

A valid secretId “no default”

Conditionally YES

The Secret ID is a secret token associated with a particular Role ID per tenant-instance that proves the application’s identity and authorization to access secrets, is mandatory if CONNECTOR-VAULT_ENABLED=true

CONNECTOR-VAULT_INSTANCES_[tenantShortName-instanceShortName]_NAMESPACE

A string defining the namespace “no default”

Conditionally YES

Specifies the Vault namespace per tenant-instance to use. A Vault namespace allows you to create isolated environments within a Vault server, is mandatory if CONNECTOR-VAULT_ENABLED=true

CONNECTOR-VAULT_INSTANCES_[tenantShortName-instanceShortName]_CONNECTORS-PATH

A string defining path “no default”

Conditionally YES

Specifies a path within Vault per tenant-instance where connectors or secrets may be stored or managed, is mandatory if CONNECTOR-VAULT_ENABLED=true

CONNECTOR-VAULT_INSTANCES_[tenantShortName-instanceShortName]_PRIVATE-KEY-NAME

A string defining the privateKey name “no default”

Conditionally YES

Specifies the name of a private key per tenant-instance within Vault, is mandatory if CONNECTOR-VAULT_ENABLED=true

CONNECTOR-VAULT_INSTANCES_[tenantShortName-instanceShortName]_CERT-CHAIN-KEY-NAME

A string defining the certChainKey name “no default”

Conditionally YES

Specifies the name of a certificate chain or certificate-related resource per tenant-instance within Vault per tenant-instance, is mandatory if CONNECTOR-VAULT_ENABLED=true

CONNECTOR-VAULT_INSTANCES_[tenantShortName-instanceShortName]_TRUST-STORE

A string of file path to the trust-store “no default”

Specifies the file path to the trust store within Vault per tenant-instance, if it’s not set, the AXUAL_SECURITY_TRUST_STORE value will be set as default value.

CONNECTOR-VAULT_INSTANCES_[tenantShortName-instanceShortName]_TRUST-STORE-PASSWORD

A string defining the password “no default”

Specifies the password required to access and manipulate the trust store within Vault per tenant-instance, if it’s not set, the AXUAL_SECURITY_TRUST_STORE_PASSWORD value will be set as default value.

CONNECTOR-VAULT_INSTANCES_[tenantShortName-instanceShortName]_KEY-STORE

A string of file path to the key-store “no default”

Specifies the file path to the key store within Vault per tenant-instance, if it’s not set, the AXUAL_SECURITY_KEY_STORE value will be set as default value.

CONNECTOR-VAULT_INSTANCES_[tenantShortName-instanceShortName]_KEY-STORE-PASSWORD

A string defining the key-store password “no default”

Specifies the password required to access and manipulate the key store within Vault per tenant-instance, if it’s not set, the AXUAL_SECURITY_KEY_STORE_PASSWORD value will be set as default value.

CONNECTOR-VAULT_INSTANCES_[tenantShortName-instanceShortName]_KEY-PASSWORD

A string defining the key password “no default”

Specifies the password required to unlock the client’s private key within the key store within Vault per tenant-instance, if it’s not set, the AXUAL_SECURITY_KEY_STORE_PASSWORD value will be set as default value.

Platform Manager 9.1.1 Readme

Overview

Installation & Configuration

Default Roles

Schema Compatibility Checks

Flyway DB Migration

Cross Origin Resource Sharing (CORS)

Enable connector vault for storing credentials

Enable Distributed Tracing with OpenTelemetry

Docker environment variables