Platform Manager 13.0.0 Readme

Overview

The Management API is part of the Topic Catalog system and serves as the customer portal through which customers manage and interact with their part of the Axual Platform. It is used to administer the Axual platform and perform activities such as:

  • View Topic availability on different environments

  • Request Topic deployments

  • Manage own environments

  • and more…

Installation & Configuration

Default Roles

When a new user is created in Platform Manager, certain roles can be automatically granted. These roles can be defined in the application.yml config as below:

axual:
  default-roles: APPLICATION_AUTHOR, ENVIRONMENT_AUTHOR, STREAM_AUTHOR

By default, APPLICATION_AUTHOR, ENVIRONMENT_AUTHOR and STREAM_AUTHOR roles are automatically granted to every new user in Self Service.

Schema Compatibility Checks

During stream deployment, a mandatory step is to verify the compatibility of the AVRO, PROTOBUF or JSON schema (if it changed). In some cases it is desirable to force the topic to be applied anyway.

This is done with the force field of the StreamConfig object:

{
  "keySchemaVersion": "http://localhost:8080/schema_versions/5322f72742cd4c6db07b9a71a825fe4f",
  "force": true
}

Flyway DB Migration

We use Flyway for version control and evolution of the Platform Manager database schema. Flyway automatically runs the SQL migration files to upgrade the database to the required level.

Cross Origin Resource Sharing (CORS)

By default, CORS is enabled for all origins, methods and headers. To change this behaviour, Cross Origin Resource Sharing can be configured as below:

cors-allowed-origin-patterns is a list of accepted origin URLs with which the response can be shared. To accept all origins, use the value '*'.

cors-allowed-methods is a list of HTTP methods allowed in response to a pre-flight request. By default GET, POST, PUT, PATCH, HEAD and DELETE are allowed.

cors-allowed-headers is a list of accepted request headers. To accept all, use the value '*'.

cors-exposed-headers is a list of response headers that clients may access. The simple response headers Cache-Control, Content-Language, Content-Type, Expires, Last-Modified and Pragma are already safe-listed and need not be included in this list. Refer to https://developer.mozilla.org/en-US/docs/Glossary/Simple_response_header for more details.

cors-max-age defines the time in seconds for which the client should cache the pre-flight response. In Platform Manager it is set to 3600 by default.

Example #1 - Allow all origins and all headers, with default methods

axual:
  rest:
    cors-allowed-origin-patterns:
      - '*'
    cors-allowed-headers:
      - '*'

Example #2 - Allow origin http://localhost and https://somewhere to access the service for the GET and POST methods for all headers:

axual:
  rest:
    cors-allowed-origin-patterns:
      - 'http://localhost'
      - 'https://somewhere'
    cors-allowed-methods:
      - 'GET'
      - 'POST'
    cors-allowed-headers:
      - '*'

Example #3 - Allow all origins to access the service for the GET and POST methods, for the Origin, Content-Type and X-Requested-With headers only:

axual:
  rest:
    cors-allowed-origin-patterns:
      - '*'
    cors-allowed-methods:
      - 'GET'
      - 'POST'
    cors-allowed-headers:
      - 'Origin'
      - 'Content-Type'
      - 'X-Requested-With'
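To make the effect of these settings concrete, here is an added example (not Platform Manager code) that evaluates a browser pre-flight request the way a CORS filter would, using the property names from this page. The matching rules it applies (glob-style origin patterns, case-insensitive method and header comparison, the request origin echoed back in Access-Control-Allow-Origin) are this example's assumptions about typical CORS filter behaviour, not a description of the product's implementation. EXAMPLE_1 to EXAMPLE_3 mirror the three configurations above.

```python
# Added example (not Platform Manager code): evaluates a browser pre-flight
# request against the axual.rest.cors-* settings documented above. Property
# names follow this page; the matching rules (origin patterns are glob-style,
# header and method comparison is case-insensitive) are this example's own.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

DEFAULT_METHODS = ["GET", "POST", "PUT", "PATCH", "HEAD", "DELETE"]
# Response headers a browser exposes without being listed in cors-exposed-headers.
SAFE_LISTED = {"cache-control", "content-language", "content-type",
               "expires", "last-modified", "pragma"}


@dataclass
class CorsConfig:
    allowed_origin_patterns: list = field(default_factory=lambda: ["*"])
    allowed_methods: list = field(default_factory=lambda: list(DEFAULT_METHODS))
    allowed_headers: list = field(default_factory=lambda: ["*"])
    exposed_headers: list = field(default_factory=list)
    max_age: int = 3600


def origin_allowed(cfg, origin):
    """True if the Origin header matches any configured pattern ('*' matches all)."""
    return any(fnmatchcase(origin.lower(), p.lower()) for p in cfg.allowed_origin_patterns)


def preflight(cfg, origin, method, request_headers=""):
    """Return the CORS headers for an OPTIONS pre-flight, or None if it must be refused.

    `request_headers` is the Access-Control-Request-Headers value (comma separated).
    """
    if not origin_allowed(cfg, origin):
        return None
    if method.upper() not in {m.upper() for m in cfg.allowed_methods}:
        return None
    requested = [h.strip() for h in request_headers.split(",") if h.strip()]
    allowed = {h.lower() for h in cfg.allowed_headers}
    if "*" not in allowed and any(h.lower() not in allowed for h in requested):
        return None
    # The origin is echoed back rather than '*'. With a '*' pattern every caller
    # therefore receives an exact Allow-Origin, which is what makes a wide-open
    # pattern list equivalent to a public API for any site a user happens to visit.
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ", ".join(cfg.allowed_methods),
        "Access-Control-Allow-Headers": ", ".join(requested),
        "Access-Control-Max-Age": str(cfg.max_age),
        "Vary": "Origin",
    }


def expose_headers(cfg):
    """Value for Access-Control-Expose-Headers: configured names minus the safe-listed ones."""
    return [h for h in cfg.exposed_headers if h.lower() not in SAFE_LISTED]


# The three configurations from the examples above.
EXAMPLE_1 = CorsConfig()
EXAMPLE_2 = CorsConfig(allowed_origin_patterns=["http://localhost", "https://somewhere"],
                       allowed_methods=["GET", "POST"])
EXAMPLE_3 = CorsConfig(allowed_methods=["GET", "POST"],
                       allowed_headers=["Origin", "Content-Type", "X-Requested-With"])
```

Under EXAMPLE_2 a request from https://somewhere.evil.example is refused because an exact pattern only matches an identical origin, and a PUT from http://localhost is refused because it is not in cors-allowed-methods; under EXAMPLE_3 any origin is accepted but a request that needs an Authorization header is refused by the header check.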

Vault Configuration

Platform Manager supports HashiCorp Vault for secure storage of credentials, certificates, and secrets. There are three distinct vault types, each serving different purposes:

Vault Type | Purpose | Scope
--- | --- | ---
Governance Vault | Stores KSML application secrets, cluster credentials, and schema registry details | Single vault for entire governance system
Connector Vault | Stores connector certificates for Kafka Connect applications | Single vault shared across all tenant-instances
Instance Connector Vault | Stores connector certificates for Kafka Connect applications | Isolated vault per tenant-instance

Note: Use either Connector Vault OR Instance Connector Vault, not both. Instance Connector Vault provides better isolation for multi-tenant deployments.


Governance Vault

The Governance Vault stores high-level secrets for KSML applications, clusters, and schema registries. It is mandatory for production deployments.

Configuration Properties:

governance:
  vault:
    enabled: true
    uri: https://vault.example.com:8200
    role-id: a876f265-b031-861f-d51b-2113602a1c34
    secret-id: e90bcb18-6a80-a8ee-ea34-5a607ef76bff
    path: governance                    # KV secret engine path (default: governance)
    namespace: my-namespace             # optional - Vault Enterprise namespace
    approle-path: approle               # optional - custom AppRole mount path (default: approle)

Property | Required | Default | Description
--- | --- | --- | ---
enabled | Yes | false | Enables Governance Vault integration
uri | Yes | - | Vault server URI
role-id | Yes | - | AppRole Role ID for authentication
secret-id | Yes | - | AppRole Secret ID for authentication
path | No | governance | KV v2 secret engine mount path
namespace | No | - | Vault Enterprise namespace (if applicable)
approle-path | No | approle | Custom AppRole authentication mount path

Resources Stored:

Resource | Path Pattern | Description
--- | --- | ---
KSML Application Principals | {path}/{tenant}/{instance}/{environment}/{application} | Private keys for KSML application authentication
Cluster Credentials | {path}/{tenant}/{cluster} | Kafka cluster bootstrap servers and security credentials
Schema Registry Credentials | {path}/{tenant}/{instance}/{cluster} | Schema Registry authentication details and Keycloak admin passwords
Distribution Secrets | {path}/{tenant}/{instance}/{cluster}/distribution | Distribution deployment credentials


Connector Vault (Single Vault)

The Connector Vault stores connector certificates for Kafka Connect applications in a single vault shared across all tenant-instances.

Configuration Properties:

vault:
  enabled: true
  uri: https://vault.example.com:8200
  role-id: a876f265-b031-861f-d51b-2113602a1c34
  secret-id: e90bcb18-6a80-a8ee-ea34-5a607ef76bff
  connectors-path: connectors           # KV engine path for SSL certificates
  credentials-path: credentials         # KV engine path for SASL credentials
  private-key-name: private.key         # Key name for private keys in Vault
  cert-chain-key-name: certificate.chain # Key name for certificate chains in Vault
  namespace: my-namespace               # optional - Vault Enterprise namespace
  approle-path: approle                 # optional - custom AppRole mount path (default: approle)

Property | Required | Default | Description
--- | --- | --- | ---
enabled | Yes | false | Enables Connector Vault integration
uri | Yes | - | Vault server URI
role-id | Yes | - | AppRole Role ID for authentication
secret-id | Yes | - | AppRole Secret ID for authentication
connectors-path | Yes | - | KV v2 path for storing SSL certificates
credentials-path | Yes | - | KV v2 path for storing SASL credentials
private-key-name | Yes | - | Map key name for private keys (e.g., private.key)
cert-chain-key-name | Yes | - | Map key name for certificate chains (e.g., certificate.chain)
namespace | No | - | Vault Enterprise namespace (if applicable)
approle-path | No | approle | Custom AppRole authentication mount path

Resources Stored:

Resource | Engine Path | Secret Path | Description
--- | --- | --- | ---
Application SSL Principals | connectors | {tenant}/{instance}/{environment}/{application} | Private keys and certificate chains for application authentication
SASL/SCRAM Credentials | credentials | {tenant}/{instance}/{environment}/{application}/{credential-type} | Username/password pairs (SCRAM_SHA_256, SCRAM_SHA_512, PLAIN)


Instance Connector Vault (Per Tenant-Instance)

The Instance Connector Vault stores connector certificates for Kafka Connect applications, with isolated vaults per tenant-instance for enhanced security and separation. Recommended for multi-tenant installations where strict data isolation is required.

Configuration Properties:

connector-vault:
  enabled: true
  instances:
    axual-qa: # tenant-instance name (format: {tenant}-{instance})
      uri: https://vault.example.com:8200
      role-id: a876f265-b031-861f-d51b-2113602a1c34
      secret-id: e90bcb18-6a80-a8ee-ea34-5a607ef76bff
      connectors-path: connectors
      credentials-path: credentials
      private-key-name: private.key
      cert-chain-key-name: certificate.chain
      namespace: ns1                    # optional - Vault Enterprise namespace
      approle-path: approle             # optional - custom AppRole mount path (default: approle)
      key-store: classpath:client.jks   # optional - client keystore for mTLS
      key-password: notsecret           # optional - private key password
      key-store-password: notsecret     # optional - keystore password
      trust-store: classpath:truststore.jks  # optional - truststore for server verification
      trust-store-password: notsecret   # optional - truststore password
    axual-prod:
      uri: https://vault-prod.example.com:8200
      role-id: b987f376-c142-972g-e62c-3224713b2d45
      secret-id: f01cdc29-7b91-b9ff-fb45-6b718fg87cgg
      connectors-path: connectors
      credentials-path: credentials
      private-key-name: private.key
      cert-chain-key-name: certificate.chain
      namespace: ns2
      approle-path: custom-approle      # example of custom AppRole path

Property | Required | Default | Description
--- | --- | --- | ---
enabled | Yes | false | Enables Instance Connector Vault integration
instances.<name>.uri | Yes | - | Vault server URI for this tenant-instance
instances.<name>.role-id | Yes | - | AppRole Role ID for authentication
instances.<name>.secret-id | Yes | - | AppRole Secret ID for authentication
instances.<name>.connectors-path | Yes | - | KV v2 path for storing SSL certificates
instances.<name>.credentials-path | Yes | - | KV v2 path for storing SASL credentials
instances.<name>.private-key-name | Yes | - | Map key name for private keys
instances.<name>.cert-chain-key-name | Yes | - | Map key name for certificate chains
instances.<name>.namespace | No | - | Vault Enterprise namespace
instances.<name>.approle-path | No | approle | Custom AppRole authentication mount path
instances.<name>.key-store | No | - | Path to client keystore for mTLS with Vault
instances.<name>.key-password | No | - | Password for the private key in the keystore
instances.<name>.key-store-password | No | - | Password for the keystore
instances.<name>.trust-store | No | - | Path to truststore for Vault server verification
instances.<name>.trust-store-password | No | - | Password for the truststore

Resources Stored:

Resource | Engine Path | Secret Path | Description
--- | --- | --- | ---
Application SSL Principals | connectors | {tenant}/{instance}/{environment}/{application} | Private keys and certificate chains for application authentication
SASL/SCRAM Credentials | credentials | {tenant}/{instance}/{environment}/{application}/{credential-type} | Username/password pairs (SCRAM_SHA_256, SCRAM_SHA_512, PLAIN)
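The Note at the top of this section and the Required columns of the three property tables translate into a small set of checks worth running before a deployment. The following is an added example (not Platform Manager code) that performs them on a parsed application.yml. The required-property lists come from the tables above; the {tenant}-{instance} name test, the https check and the severity labels are this example's own conventions, and SAMPLE_CONFIG is constructed for illustration (its role-id and secret-id values are placeholders).

```python
# Added example (not Platform Manager code): checks a parsed application.yml
# (plain dicts, e.g. from yaml.safe_load) against the three vault blocks
# documented above. Required-property lists come from the tables on this page;
# the {tenant}-{instance} naming test, the https check and the severity labels
# are this example's own conventions.
GOVERNANCE_REQUIRED = ("uri", "role-id", "secret-id")
CONNECTOR_REQUIRED = ("uri", "role-id", "secret-id", "connectors-path",
                      "credentials-path", "private-key-name", "cert-chain-key-name")


def _missing(block, required):
    return [key for key in required if not block.get(key)]


def _check_uri(block, label, findings):
    # The AppRole role-id and secret-id are sent in the login body; they
    # should not travel over plain HTTP.
    if block.get("uri") and not str(block["uri"]).startswith("https://"):
        findings.append(("WARN", f"{label}.uri is not https"))


def validate_vault_config(cfg):
    """Return a list of (severity, message) findings; empty means the config is consistent."""
    findings = []
    gov = cfg.get("governance", {}).get("vault", {})
    if not gov.get("enabled"):
        findings.append(("ERROR", "governance.vault is disabled; it is mandatory for production"))
    else:
        for key in _missing(gov, GOVERNANCE_REQUIRED):
            findings.append(("ERROR", f"governance.vault.{key} is required"))
        _check_uri(gov, "governance.vault", findings)

    single = cfg.get("vault", {})
    per_instance = cfg.get("connector-vault", {})
    if single.get("enabled") and per_instance.get("enabled"):
        findings.append(("ERROR", "vault and connector-vault are both enabled; use exactly one"))
    if single.get("enabled"):
        for key in _missing(single, CONNECTOR_REQUIRED):
            findings.append(("ERROR", f"vault.{key} is required"))
        _check_uri(single, "vault", findings)
    if per_instance.get("enabled"):
        instances = per_instance.get("instances") or {}
        if not instances:
            findings.append(("ERROR", "connector-vault is enabled but has no instances"))
        for name, block in instances.items():
            label = f"connector-vault.instances.{name}"
            tenant, _, instance = name.partition("-")   # assumed {tenant}-{instance} format
            if not (tenant and instance):
                findings.append(("WARN", f"{label}: name should be {{tenant}}-{{instance}}"))
            for key in _missing(block, CONNECTOR_REQUIRED):
                findings.append(("ERROR", f"{label}.{key} is required"))
            if block.get("key-store") and not block.get("key-store-password"):
                findings.append(("WARN", f"{label}.key-store is set without key-store-password"))
            _check_uri(block, label, findings)
    return findings


# Constructed sample: governance vault fine, but both connector vault flavours
# enabled, one instance misnamed, missing a key name and using plain http.
SAMPLE_CONFIG = {
    "governance": {"vault": {"enabled": True, "uri": "https://vault.example.com:8200",
                             "role-id": "ROLE-ID-PLACEHOLDER", "secret-id": "SECRET-ID-PLACEHOLDER"}},
    "vault": {"enabled": True, "uri": "https://vault.example.com:8200",
              "role-id": "ROLE-ID-PLACEHOLDER", "secret-id": "SECRET-ID-PLACEHOLDER",
              "connectors-path": "connectors", "credentials-path": "credentials",
              "private-key-name": "private.key", "cert-chain-key-name": "certificate.chain"},
    "connector-vault": {"enabled": True, "instances": {
        "axualqa": {"uri": "http://vault.internal:8200",
                    "role-id": "ROLE-ID-PLACEHOLDER", "secret-id": "SECRET-ID-PLACEHOLDER",
                    "connectors-path": "connectors", "credentials-path": "credentials",
                    "private-key-name": "private.key"}}},
}
```

Running validate_vault_config(SAMPLE_CONFIG) yields two errors (both connector vault flavours enabled, cert-chain-key-name missing on the instance) and two warnings (instance name not in {tenant}-{instance} form, plain-http URI); disabling connector-vault in the sample makes the result empty.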


AppRole Authentication Path (approle-path)

The approle-path configuration allows you to specify a custom mount path for AppRole authentication in HashiCorp Vault. This is useful when:

  • Your Vault instance has AppRole enabled at a non-standard path

  • You have multiple AppRole auth methods for different purposes

  • Your organization uses a naming convention for auth method paths

Default: approle (the standard HashiCorp Vault default)

Example with custom path:

governance:
  vault:
    enabled: true
    uri: https://vault.example.com:8200
    role-id: ...
    secret-id: ...
    approle-path: platform-manager-auth  # Custom AppRole mount path

This corresponds to the Vault CLI command:

vault auth enable -path=platform-manager-auth approle
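What the approle-path, namespace and mount settings above mean on the wire, as an added example that is not part of Platform Manager: the functions build the AppRole login request and the KV v2 read requests for the resource path patterns listed earlier, without sending anything. The Vault API shapes used are the documented ones (POST /v1/auth/<approle-path>/login with role_id and secret_id; GET /v1/<mount>/data/<secret path> for KV v2; the X-Vault-Namespace header for Vault Enterprise namespaces). The segment check that rejects '/' and '..' is this example's own safeguard, so that a tenant, instance or application name can never resolve outside its own prefix.

```python
# Added example (not Platform Manager code): shows what approle-path, namespace
# and the KV mount paths above turn into on the wire. Nothing is sent; the
# functions only build request descriptions so they can be checked offline.
# Vault API shapes used: AppRole login is POST /v1/auth/<approle-path>/login
# with role_id and secret_id, KV v2 reads are GET /v1/<mount>/data/<secret path>,
# Vault Enterprise namespaces go in the X-Vault-Namespace header.
from urllib.parse import quote


def _segment(value):
    """Encode one path component; refuse anything that could escape its prefix."""
    value = str(value)
    if not value or value in (".", "..") or "/" in value:
        raise ValueError(f"invalid path segment: {value!r}")
    return quote(value, safe="")


def _base(vault):
    return vault["uri"].rstrip("/"), vault.get("namespace")


def approle_login_request(vault):
    """Login request for the AppRole mount named by approle-path (default 'approle')."""
    uri, namespace = _base(vault)
    mount = vault.get("approle-path", "approle").strip("/")
    headers = {"Content-Type": "application/json"}
    if namespace:
        headers["X-Vault-Namespace"] = namespace
    return {"method": "POST", "url": f"{uri}/v1/auth/{mount}/login", "headers": headers,
            "json": {"role_id": vault["role-id"], "secret_id": vault["secret-id"]}}


def kv2_read_request(vault, client_token, mount, *segments):
    """Read request for a KV v2 secret under `mount`, one segment per path component."""
    uri, namespace = _base(vault)
    headers = {"X-Vault-Token": client_token}
    if namespace:
        headers["X-Vault-Namespace"] = namespace
    secret_path = "/".join(_segment(s) for s in segments)
    return {"method": "GET", "url": f"{uri}/v1/{mount.strip('/')}/data/{secret_path}",
            "headers": headers}


def ksml_principal_request(vault, token, tenant, instance, environment, application):
    """Governance Vault pattern: {path}/{tenant}/{instance}/{environment}/{application}."""
    return kv2_read_request(vault, token, vault.get("path", "governance"),
                            tenant, instance, environment, application)


def sasl_credential_request(vault, token, tenant, instance, environment, application, credential_type):
    """Connector Vault pattern: credentials-path/{tenant}/{instance}/{environment}/{application}/{credential-type}."""
    return kv2_read_request(vault, token, vault["credentials-path"],
                            tenant, instance, environment, application, credential_type)
```

With approle-path set to platform-manager-auth as in the configuration above, the login URL becomes https://vault.example.com:8200/v1/auth/platform-manager-auth/login; leaving approle-path out falls back to the approle mount.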

Development Profile (Database-backed Vault)

For development environments, Platform Manager provides a database-backed vault alternative that doesn’t require a real HashiCorp Vault instance.

Configuration:

spring:
  profiles:
    active: dev

When vault is disabled, credentials are stored in the credentials_store database table. This should never be used in production environments.

Enable Distributed Tracing with OpenTelemetry

Platform Manager supports generating trace and span IDs in the B3 format, compatible with OpenTelemetry. To export the spans to a remote OpenTelemetry-compatible instrumentation backend, set the properties below:

management:
  tracing:
    enabled: true
    sampling:
      probability: 1.0
  otlp:
    tracing:
      endpoint: https://api.honeycomb.io
      headers:
        x-honeycomb-team: xxxx

Depending on the instrumentation backend, you may want to add custom headers.

To add additional tracing metrics, please refer to Spring Boot documentation: https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#actuator.micrometer-tracing

Loggers

Below is a per-package breakdown of important packages to help operators configure logging:

Package | Logger | Description
--- | --- | ---
io.axual.governance | Root Package | Platform Manager root package
io.axual.governance.applicationmanagement | Application Management | Kafka application credentials, principals, access grants, and authentication
io.axual.governance.applicationmanagement.web | Application API | REST API endpoints for application management operations
io.axual.governance.applicationlifecycle.connect | Connect Lifecycle | Kafka Connect connector deployments, lifecycle management, and status monitoring
io.axual.governance.applicationlifecycle.ksml | KSML Lifecycle | KSML application deployments, lifecycle operations, and state transitions
io.axual.governance.streammanagement.processor | Topic Processing | Topic configuration deployment, resolution, and topic mapping operations
io.axual.governance.streammanagement.validator | Topic Validation | Topic configuration validation and ACL collision detection
io.axual.governance.streammanagement.web | Topic API | REST API endpoints for Topic management operations
io.axual.governance.schemamanagement | Schema Management | Avro, JSON, and Protobuf schema version management and validation
io.axual.governance.schemamanagement.web | Schema API | REST API endpoints for schema management operations
io.axual.governance.systemmanagement.service | System Management | Cluster, Instance, Environment, and Schema Registry infrastructure management
io.axual.governance.systemmanagement.connect | Connect System | Kafka Connect system integration, ACL operations, and cluster operations
io.axual.governance.systemmanagement.connect.rest | Connect REST Client | REST client communication with Kafka Connect clusters
io.axual.governance.systemmanagement.keycloak | Keycloak Integration | Keycloak SSO integration and client configuration
io.axual.governance.systemmanagement.web | System API | REST API endpoints for system management operations
io.axual.governance.tenantmanagement.user | User Management | User account and profile management operations
io.axual.governance.tenantmanagement.group | Group Management | Group management operations
io.axual.governance.tenantmanagement.web | Tenant API | REST API endpoints for tenant operations
io.axual.governance.kameleon.governance | Kameleon Governance | Core governance operations on Kafka clusters (topic details, ACL operations)
io.axual.governance.kameleon.infrastructure.provider.kafka | Kafka Cluster Operations | Kafka AdminClient operations and cluster management
io.axual.governance.kameleon.infrastructure.provider.kafka.topic | Kafka Topic Operations | Topic creation, update, and management operations
io.axual.governance.kameleon.infrastructure.provider.kafka.acl | Kafka ACL Operations | ACL binding creation and management
io.axual.governance.kameleon.clusterimport | Cluster Import | Cluster discovery and import operations
io.axual.governance.clusterimportmanagement.processor | Import Processor | Cluster import processing for topics, ACLs, and system entities
io.axual.governance.security.filter | Security Filters | HTTP authentication filters and request processing
io.axual.governance.security.abac | ABAC Authorization | Attribute-Based Access Control (ABAC) permission evaluation
io.axual.governance.notifications.service | Notification Service | Email and event notifications
io.axual.governance.kms.db | DB Vault | Database-backed vault for credential storage (development profile)
io.axual.governance.kms.hashicorp | HashiCorp Vault | HashiCorp Vault integration for credential management
io.axual.governance.offboarding.web | Offboarding Service | Tenant offboarding and cleanup operations
io.axual.governance.organizationmanagement.infrastructure.keycloak | Organization Keycloak | Keycloak event listening and organization SSO integration
io.axual.governance.subscriptionmanagement.service | Subscription Service | Subscription and billing operations with Stripe integration
io.axual.governance.subscriptionmanagement.web | Subscription API | REST API endpoints for subscription management
io.axual.governance.core.exception | Exception Handler | Global exception handling and error responses
io.axual.governance.auditing | Audit Service | Audit event listener and trail operations
io.axual.governance.AuditLogger | Audit Logger | Main audit logging facility for all governance events and changes
io.axual.governance.asyncapi.service | AsyncAPI Documentation | AsyncAPI documentation generation service
io.axual.governance.distributionlifecycle | Distribution Lifecycle | Distribution deployment configuration and operations
io.axual.governance.streambrowse.web | Topic Browse | Topic data browsing operations

Notifications Service Configuration

You can enable the Notifications service with an SMTP server so that Platform Manager notifies application and stream owners by email whenever something important happens to their Applications or Topics. Below you can find the configuration that enables or disables the Notifications service for the Platform Manager application. Currently only SMTP is supported, and it must be enabled when notifications are enabled.

platform-manager:

  config:
    axual:
      # Notifications Configuration
      notifications:
        enabled: true
        baseUrl: [UI advertised URL of the running self-service application]
        sender: [email address of the notification sender]
        smtp:
          enabled: true

Then you need to provide Spring configurations of the SMTP server:

platform-manager:

  config:
    spring:
      mail:
        host: [domain names or IP addresses of SMTP servers, e.g : smtp.gmail.com]
        port: [port number of the SMTP server]
        username: [username corresponds to the sender email account]
        password: [password corresponds to the sender email account]
        properties:
          mail:
            smtp:
              auth: true
              starttls:
                enable: true

Event Publication Completion Mode Configuration

By default, event publications are marked as completed when a transactional execution completes successfully. The completion is registered by setting the completion date on an EventPublication. This means that completed publications remain in the Event Publication Registry indefinitely, and the database table will grow unbounded over time.

Spring Modulith provides the spring.modulith.events.completion-mode configuration property to control how completed event publications are handled. The default mode for Axual Platform Manager is DELETE, which automatically removes event publications from the database upon completion.

platform-manager:

  config:
    spring:
      modulith:
        events:
          # -- Completion mode for event publications (UPDATE, DELETE, or ARCHIVE)
          completion-mode: DELETE

With the DELETE mode enabled, completed event publications are automatically removed from the database, preventing the persistence store from growing unbounded. The CompletedEventPublications interface will not return any publications. If you are upgrading from a previous configuration where completed events were being accumulated, you can clean up existing completed event publications using the following SQL script:

--
-- Clear completed event publications from the EVENT_PUBLICATION table
-- This script removes all completed event publications to prevent database bloat.
-- With spring.modulith.events.completion-mode=DELETE, new completed publications
-- will be automatically deleted from the database.
--

DELETE FROM EVENT_PUBLICATION
WHERE COMPLETION_DATE IS NOT NULL;

Docker environment variables

In this table, you can find a description of each environment variable that should be configured for deploying the application.

Name Possible Values Required Description

SPRING_DATASOURCE_URL

A string of jdbc url “no default”

YES

Specifies the JDBC URL used to connect to any database.

SPRING_DATASOURCE_NAME

A string defining the datasource name default value: governancedb

NO

This is typically used when you have multiple data sources in your application. It provides a name or identifier for the datasource.

SPRING_DATASOURCE_DRIVER-CLASS-NAME

A string defining the datasource driverClassName com.mysql.cj.jdbc.Driver | org.mariadb.jdbc.Driver “no default”

YES

Specifies the fully-qualified class name of the JDBC driver that should be used for the database connection.

SPRING_DATASOURCE_USERNAME

A string defining the username “no default”

YES

This sets the username used to authenticate with the database.

SPRING_DATASOURCE_PASSWORD

A string defining the password “no default”

YES

This sets the password for the database connection.

SPRING_JPA_HIBERNATE_DATABASE-PLATFORM

org.hibernate.dialect.MariaDBDialect | org.hibernate.dialect.MySQLDialect “no default”

YES

This is used to specify the SQL dialect that should be used by JPA and Hibernate when generating or interpreting SQL statements for a specific database.

SPRING_JPA_HIBERNATE_DDL-AUTO

none | validate | update | create | create-drop Default value: validate

NO

controls the behavior of database schema generation and modification during application startup. none: This is the default value. It means that no schema generation or modification is done by Hibernate. You are responsible for managing the database schema manually. validate: Hibernate validates the existing schema against the current entity mappings. It will not make any changes to the schema, but it will report any discrepancies or errors. update: Hibernate updates the schema automatically based on the entity mappings. It will create tables, columns, and constraints if they don’t exist in the database. However, it will not drop any tables or columns that are no longer needed. create: Hibernate creates the schema from scratch during application startup. It will drop and re-create the tables every time the application starts. Be cautious with this option as it can result in data loss in a production environment. create-drop: Similar to create, but it also drops the schema when the application shuts down. This is typically used for testing and development environments.

SPRING_FLYWAY_VENDOR

mysql/mariadb Default value: mariadb

NO

This is used to specify the database vendor for which Flyway should generate or apply database migration scripts.

SPRING_MODULITH_EVENTS_COMPLETION-MODE

UPDATE | DELETE | ARCHIVE Spring default: UPDATE Configured value: DELETE

NO

Controls how completed event publications from the Spring Modulith event publication system are handled. UPDATE (Spring default) keeps completed publications in the registry and requires manual purging. DELETE removes completed publications immediately after processing to prevent database bloat. ARCHIVE moves completed publications to an archive table while removing them from the main registry for auditability. Platform Manager is configured to use DELETE for operational simplicity.

SPRING_MAIL_HOST

A string defining SMTP server “no default”

Conditionally YES

Specifies the SMTP server that will be used to send emails. Possible values include domain names or IP addresses of SMTP servers, e.g., smtp.gmail.com. It is mandatory if AXUAL_NOTIFICATIONS_SMTP_ENABLED=true

SPRING_MAIL_PORT

A valid port number “no default” Possible value to be set for SMTP using TLS/STARTTLS is 587, using SSL is 465.

Conditionally YES

Specifies the port number of the SMTP server, is mandatory if AXUAL_NOTIFICATIONS_SMTP_ENABLED=true.

SPRING_MAIL_USERNAME

A string defining the username “no default”

Conditionally YES

Specifies the username used to authenticate with the SMTP server. It corresponds to the email account from which emails will be sent, is mandatory if AXUAL_NOTIFICATIONS_SMTP_ENABLED=true

SPRING_MAIL_PASSWORD

A string defining the password “no default”

Conditionally YES

Specifies the password used to authenticate with the SMTP server. It should be the password associated with the provided username, is mandatory if AXUAL_NOTIFICATIONS_SMTP_ENABLED=true

SPRING_MAIL_PROPERTIES_MAIL_SMTP_AUTH

A boolean value [true | false] Default value: false

Conditionally YES

Specifies whether authentication (user identification) is required by the SMTP server, it is mandatory to be set as true if AXUAL_NOTIFICATIONS_SMTP_ENABLED=true

SPRING_MAIL_PROPERTIES_MAIL_SMTP_STARTTLS_ENABLE

A boolean value [true | false] Default value: false

Conditionally YES

Specifies whether to enable the use of the STARTTLS command (which initiates a secure connection) when connecting to the SMTP server, it is mandatory to be set as true if AXUAL_NOTIFICATIONS_SMTP_ENABLED=true

SPRING_MAIL_PROPERTIES_MAIL_SMTP_LOCALHOST

A string representing the HELO/EHLO domain name. “no default” if it’s not set, the system’s hostname (e.g., Internal Kubernetes pod name) will be appear in the header

Conditionally YES

Specifies the domain name sent in the SMTP HELO/EHLO command. Setting this prevents the default pod hostname from appearing in email headers, such as “Received”. It helps mask internal infrastructure details when sending emails from a Kubernetes pod. it is mandatory to be set if AXUAL_NOTIFICATIONS_SMTP_ENABLED=true

VAULT_ENABLED

A boolean value [true | false] “no default”

YES

Controls supporting Vault for persisting application credentials.

VAULT_URI

A valid uri “no default”

Conditionally YES

Specifies the uri of the Vault. It is mandatory only if VAULT_ENABLED=true

VAULT_ROLE-ID

A valid RoleId “no default”

Conditionally YES

Role ID is used to identify the specific AppRole configured in Vault that the application is using for authentication. It is mandatory only if VAULT_ENABLED=true

VAULT_SECRET-ID

A valid secretId “no default”

Conditionally YES

The Secret ID is a secret token associated with a particular Role ID that proves the application’s identity and authorization to access secrets. It is mandatory only if VAULT_ENABLED=true

SERVER_HTTP2_ENABLED

A boolean value [true | false] Default value: false

NO

Is used in the configuration of a web server to enable or disable HTTP/2 support.

SERVER_SSL_ENABLED

A boolean value [true | false] Default value: true

NO

Enables SSL/TLS support for secure communication.

SERVER_SSL_KEY_STORE

A string of file path to the key-store “no default”

Conditionally YES

Specifies the file path to the Java KeyStore (JKS) file that contains the server’s SSL certificate and private key, is mandatory only if SERVER_SSL_ENABLED=true.

SERVER_SSL_KEY_STORE_PASSWORD

A string defining the password “no default”

Conditionally YES

Specifies the password required to access the keystore itself, is mandatory only if SERVER_SSL_ENABLED=true.

SERVER_SSL_ENABLED-PROTOCOLS

A comma separated list of these values [TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3] “no default”

Conditionally YES

Specifies the list of allowed SSL/TLS protocols, is mandatory only if SERVER_SSL_ENABLED=true.

AXUAL_API_AVAILABLE_AUTH_METHODS

A comma seperated list of String containing these items : SSL,SCRAM_SHA_256,SCRAM_SHA_512,PLAIN Default value: SSL

NO

Specifies the available authentication methods which can be used for applications to be authenticated while getting access to topics.

AXUAL_MULTI_TENANT

A boolean value [true | false] Default value: true

NO

Specifies if the cluster is multi-tenant or not. In case it is set to true, the cluster will be shared among multiple tenants.

AXUAL_DEFAULT_ROLES

A comma seperated List of strings containing default user roles. The list of existing roles in Axual is as follows: SUPER_ADMIN, TENANT_ADMIN, APPLICATION_ADMIN, STREAM_ADMIN, ENVIRONMENT_ADMIN, APPLICATION_AUTHOR, STREAM_AUTHOR, ENVIRONMENT_AUTHOR, BILLING_INTERNAL, BILLING_VIEWE, SCHEMA_AUTHOR, SCHEMA_ADMIN Default value: APPLICATION_AUTHOR, ENVIRONMENT_AUTHOR, STREAM_AUTHOR

NO

Specifies the default roles which can be automatically granted to a user when a new user is created.

AXUAL_DEFAULT_PARTITIONS

A valid number Default value: 2

NO

Specifies the number of partitions per each topic. Must be at least 1 and at most 120000.

AXUAL_DEFAULT_REPLICATION_FACTOR

A valid number “no default”

YES

Specifies how many copies (replicas) of each partition of a Kafka topic should be maintained across different broker nodes. It’s a crucial factor for ensuring fault tolerance and high availability in Kafka clusters.

AXUAL_DEFAULT_SEGMENT_TIME

A valid number (time in milliseconds) Default value: 604800000 (7 days)

NO

Controls the period of time after which Kafka will force the log to roll even if the segment file isn’t full to ensure that retention can delete or compact old data.

AXUAL_DEFAULT_RETENTION_TIME

A valid number (time in milliseconds) Default value: 604800000 (7 days)

NO

Controls the maximum time Kafka will retain a log before discarding old log segments to free up space if the retention policy is equal to “delete”. This represents an SLA on how soon consumers must read their data. If set to -1, no time limit is applied.

AXUAL_DEFAULT_CLEANUP_POLICY

delete | compact | delete,compact | compact,delete Default value: delete

NO

Specifies the cleanup policy for log segments in a topic. This property determines when log segments can be deleted to reclaim disk space. delete: This is the default cleanup policy. When this policy is applied, Kafka will delete log segments as soon as they are no longer needed for any active consumers or replication. compact: This policy is used for log compaction. With this policy, Kafka retains the latest value for each unique key in the log and deletes older versions of the same key. Log compaction is often used for Kafka topics that store changelog or event sourcing data, ensuring that the latest state of each key is always available.delete,compact: This policy combines both deletion and compaction. It deletes log segments that are no longer needed by any active consumers while also performing log compaction on the remaining data.compact,delete: Similar to the previous option, this policy combines both deletion and compaction, but it prioritizes log compaction before deletion.

AXUAL_DEFAULT_ENVIRONMENT_COLOR

A string defining a hexadecimal color code Default value: “#80affe”

NO

Specifies the default color of environment in UI.

AXUAL_BILLING_ENABLED

A boolean value [true | false] Default value: false

NO

This is used to enable billing component.

AXUAL_CSRF_ENABLED

A boolean value [true | false] Default value: false

NO

This is used for enabling Cross-Site Request Forgery (CSRF) protection.

AXUAL_ALLOW_OVERLAPPING_CA

A boolean value [true | false] Default value: false

NO

Allows Using one CERTIFICATE AUTHORITY (CA) on multiple tenants if it’s set to true.

AXUAL_VALIDATE_DUPLICATE_SCHEMAS

A boolean value [true | false] Default value: true

NO

Controls validation of a duplicate schema. If it’s set to false, the /schemas/check-parse API won’t check the uniqueness of the uploaded schema-version.

AXUAL_CREATE_STREAM_DISABLE_TIME

A valid number [0, …] Default value: 0

NO

Controls Disabling the StreamConfig resource creation for the specified time in minutes.

AXUAL_CLIENT_SOCKET_TIMEOUT

A valid number Default value: 90000

NO

Specifies the maximum amount of time in milliseconds that a client will wait for a response from a server before considering the operation timed out or failed.

AXUAL_ORGANIZATION_MANAGER_AUTH_PROVIDER

Supported auth provider: none, keycloak Default value: none

NO

Determines the authorization server used for authenticating local users. ‘none’ disables the Organization Manager module.

AXUAL_ORGANIZATION_MANAGER_KEYCLOAK_URL

URL to access Keycloak “no default”

YES

URL to access Keycloak.

AXUAL_ORGANIZATION_MANAGER_KEYCLOAK_USERNAME

Username to authenticate with Keycloak “no default”

YES

Username to authenticate with Keycloak.

AXUAL_ORGANIZATION_MANAGER_KEYCLOAK_PASSWORD

Password to authenticate with Keycloak “no default”

YES

Password to authenticate with Keycloak.

AXUAL_ORGANIZATION_MANAGER_KEYCLOAK_LOCAL_REALM

Name of local realm in Keycloak Default value: local

YES

Name of local realm in Keycloak.

AXUAL_ORGANIZATION_MANAGER_KEYCLOAK_MASTER_REALM

Name of master realm in Keycloak Default value: master

YES

Name of master realm in Keycloak.

AXUAL_ORGANIZATION_MANAGER_KEYCLOAK_CLIENT_ID

Client ID to use when authenticating with master realm of Keycloak Default value: admin-cli

YES

Admin client to authenticate with Keycloak.

AXUAL_SECURITY_DOCS-USERNAME

A string defining the username Default value: axual

NO

This sets the username used to authenticate with the docs.

AXUAL_SECURITY_DOCS-PASSWORD

A string defining the password Default value: notsecret

NO

This sets the password used to authenticate with the docs.

AXUAL_SECURITY_TRUST_STORE

A string of file path to the trust-store “no default”

YES

Specifies the file path to the trust store.

AXUAL_SECURITY_TRUST_STORE_PASSWORD

A string defining the password “no default”

YES

Specifies the password required to access and manipulate the trust store.

AXUAL_SECURITY_KEY_STORE

A string of file path to the key-store “no default”

YES

Specifies the file path to the key store.

AXUAL_SECURITY_KEY_STORE_PASSWORD

A string defining the key-store password “no default”

YES

Specifies the password required to access and manipulate the key store.

AXUAL_SECURITY_KEY_PASSWORD

A string defining the key password “no default”

YES

Specifies the password required to unlock the private key within the key store.

AXUAL_KEYCLOAK_USERNAME

A string defining the username Default value: admin

YES

The administrative username that would be used to log in to the Keycloak administration console or authenticate API requests.

AXUAL_KEYCLOAK_PASSWORD

A string defining the password Default value: admin123

YES

The administrative password that would be used to log in to the Keycloak administration console or authenticate API requests.

AXUAL_CONNECT_AVAILABLE

A boolean value [true | false] Default value: false

Conditionally YES

Controls the direct connection to Axual-Connect.

AXUAL_CONNECT_INSTANCE-CONNECT-CREDENTIALS_[tenantShortName-instanceShortName]_AUTHORIZER

basic Default value: basic

Conditionally YES

Specifies the type of authorization per tenant-instance. It is mandatory if AXUAL_CONNECT_AVAILABLE=true.

AXUAL_CONNECT_INSTANCE-CONNECT-CREDENTIALS_[tenantShortName-instanceShortName]_USERNAME

A string defining the username “no default”

Conditionally YES

Sets the username per tenant-instance used to authenticate with Axual-Connect. It is mandatory if AXUAL_CONNECT_AVAILABLE=true.

AXUAL_CONNECT_INSTANCE-CONNECT-CREDENTIALS_[tenantShortName-instanceShortName]_PASSWORD

A string defining the password “no default”

Conditionally YES

Sets the password per tenant-instance used to authenticate with Axual-Connect. It is mandatory if AXUAL_CONNECT_AVAILABLE=true.

AXUAL_DEFAULT-CLUSTER-PATTERN_TOPIC-RESOLVER

A string of fully-qualified class name of topicResolver Default value: “io.axual.common.resolver.TopicPatternResolver”

NO

Specifies the fully-qualified class name of topicResolver which is used for resolving topics.

AXUAL_DEFAULT-CLUSTER-PATTERN_TOPIC-PATTERN

A string of topic pattern [“{topic}” | “{environment}-{topic}” | “{instance}-{environment}-{topic}” | “{tenant}-{instance}-{environment}-{topic}”] Default value: “{topic}”

NO

Specifies the topic pattern for any Kafka cluster owned by a Tenant that has no topic pattern defined. This pattern is used when resolving the Kafka topic name.

  • “{topic}”: the cluster does not support multi-environment, multi-instance or multi-tenant.

  • “{environment}-{topic}”: the cluster is multi-environment, and the combination environment-topic identifies a unique topic.

  • “{instance}-{environment}-{topic}”: the cluster is multi-environment and multi-instance, and the combination instance-environment-topic identifies a unique topic.

  • “{tenant}-{instance}-{environment}-{topic}”: the cluster is multi-environment, multi-instance and multi-tenant, and the combination tenant-instance-environment-topic identifies a unique topic.

AXUAL_DEFAULT-CLUSTER-PATTERN_GROUP-ID-RESOLVER

A string of fully-qualified class name of groupIdResolver Default value: “io.axual.common.resolver.GroupPatternResolver”

NO

Specifies the fully-qualified class name of groupIdResolver which is used for resolving groups.

AXUAL_DEFAULT-CLUSTER-PATTERN_GROUP-ID-PATTERN

A string of groupId pattern [“{group}” | “{environment}-{group}” | “{instance}-{environment}-{group}” | “{tenant}-{instance}-{environment}-{group}”] Default value: “{group}”

NO

Specifies the groupId pattern for any Kafka cluster owned by a Tenant that has no groupId pattern defined. This pattern is used when resolving the group name.

  • “{group}”: the cluster does not support multi-environment, multi-instance or multi-tenant.

  • “{environment}-{group}”: the cluster is multi-environment, and the combination environment-group identifies a unique group.

  • “{instance}-{environment}-{group}”: the cluster is multi-environment and multi-instance, and the combination instance-environment-group identifies a unique group.

  • “{tenant}-{instance}-{environment}-{group}”: the cluster is multi-environment, multi-instance and multi-tenant, and the combination tenant-instance-environment-group identifies a unique group.

AXUAL_DEFAULT-CLUSTER-PATTERN_TRANSACTIONAL-ID-RESOLVER

A string of fully-qualified class name of transactionalIdResolver Default value: “io.axual.common.resolver.TransactionalIdPatternResolver”

NO

Specifies the fully-qualified class name of transactionalIdResolver which is used for resolving transactions.

AXUAL_DEFAULT-CLUSTER-PATTERN_TRANSACTIONAL-ID-PATTERN

A string of transactionalId pattern [“{transactional.id}” | “{environment}-{app.id}” | “{instance}-{environment}-{transactional.id}” | “{tenant}-{instance}-{environment}-{transactional.id}”] Default value: “{transactional.id}”

NO

Specifies the transactionalId pattern for any Kafka cluster owned by a Tenant that has no transactionalId pattern defined. This pattern is used when resolving the transactional.id.

  • “{transactional.id}”: the cluster does not support multi-environment, multi-instance or multi-tenant.

  • “{environment}-{transactional.id}”: the cluster is multi-environment, and the combination environment-transactionalId identifies a unique prefixed transactional.id.

  • “{instance}-{environment}-{transactional.id}”: the cluster is multi-environment and multi-instance, and the combination instance-environment-transactionalId identifies a unique prefixed transactional.id.

  • “{tenant}-{instance}-{environment}-{transactional.id}”: the cluster is multi-environment, multi-instance and multi-tenant, and the combination tenant-instance-environment-transactionalId identifies a unique prefixed transactional.id.

AXUAL_DEFAULT-CLUSTER-PATTERN_MULTI-TENANT-TOPIC-PATTERN

A string of multi-tenant topic pattern Default value: “{tenant}-{instance}-{environment}-{topic}”

NO

Specifies the topic pattern for any Kafka cluster not owned by a Tenant that has no topic pattern defined. This pattern is used when resolving the Kafka topic name. With “{tenant}-{instance}-{environment}-{topic}” the cluster is multi-environment, multi-instance and multi-tenant, and the combination tenant-instance-environment-topic identifies a unique topic.

AXUAL_DEFAULT-CLUSTER-PATTERN_MULTI-TENANT-GROUP-ID-PATTERN

A string of multi-tenant groupId pattern Default value: “{tenant}-{instance}-{environment}-{group}”

NO

Specifies the groupId pattern for any Kafka cluster not owned by a Tenant that has no groupId pattern defined. This pattern is used when resolving the Kafka group name. With “{tenant}-{instance}-{environment}-{group}” the cluster is multi-environment, multi-instance and multi-tenant, and the combination tenant-instance-environment-group identifies a unique group.

AXUAL_DEFAULT-CLUSTER-PATTERN_MULTI-TENANT-TRANSACTIONAL-ID-PATTERN

A string of multi-tenant transactionalId pattern Default value: “{tenant}-{instance}-{environment}-{transactional.id}”

NO

Specifies the transactionalId pattern for any Kafka cluster not owned by a Tenant that has no transactionalId pattern defined. This pattern is used when resolving the transactional.id. With “{tenant}-{instance}-{environment}-{transactional.id}” the cluster is multi-environment, multi-instance and multi-tenant, and the combination tenant-instance-environment-transactionalId identifies a unique prefixed transactional.id.
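The pattern entries above describe how a topic, group or transactional.id name is built from placeholders. The following is an added example, not Platform Manager code: it resolves a name from a pattern, refuses prefix components that contain the “-” separator (which would make a multi-tenant name ambiguous), and reverses the mapping so a resource name can be checked against the tenant it should belong to. Pattern strings are the page's own; the sample tenant, instance and topic values are constructed.

```python
import re
from typing import Dict, List, Optional

# Added example, not Platform Manager code: resolves Kafka topic, group and
# transactional.id names from placeholder patterns and reverses the mapping.
PLACEHOLDER = re.compile(r"\{([a-z.]+)\}")


def placeholders(pattern: str) -> List[str]:
    """Placeholder names in order, e.g. ['tenant', 'instance', 'topic']."""
    return PLACEHOLDER.findall(pattern)


def resolve(pattern: str, context: Dict[str, str]) -> str:
    """Fill the pattern from context. Every placeholder must be supplied, so a
    multi-tenant cluster never receives an unprefixed name; prefix components
    must not contain the '-' separator, otherwise the name becomes ambiguous."""
    names = placeholders(pattern)
    missing = [n for n in names if n not in context]
    if missing:
        raise KeyError(f"pattern {pattern!r} needs {missing}, absent from context")
    for n in names[:-1]:  # only the final component may itself contain '-'
        if "-" in context[n]:
            raise ValueError(f"{n}={context[n]!r} contains the '-' separator")
    return PLACEHOLDER.sub(lambda m: context[m.group(1)], pattern)


def _pattern_regex(pattern: str) -> "re.Pattern":
    """Turn '{a}-{b}' into ^(?P<a>[^-]+)-(?P<b>.+)$ ; only the final placeholder
    may span dashes, mirroring the rule enforced in resolve()."""
    names = placeholders(pattern)
    parts, pos = [], 0
    for i, m in enumerate(PLACEHOLDER.finditer(pattern)):
        parts.append(re.escape(pattern[pos:m.start()]))
        group = m.group(1).replace(".", "_")  # 'transactional.id' -> valid group name
        body = ".+" if i == len(names) - 1 else "[^-]+"
        parts.append(f"(?P<{group}>{body})")
        pos = m.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile("^" + "".join(parts) + "$")


def unresolve(pattern: str, name: str) -> Optional[Dict[str, str]]:
    """Split a resolved name back into its components; None if it does not match."""
    m = _pattern_regex(pattern).match(name)
    if m is None:
        return None
    return {n: m.group(n.replace(".", "_")) for n in placeholders(pattern)}


def belongs_to_tenant(pattern: str, name: str, tenant: str) -> bool:
    """True only if the name parses under the pattern with that tenant prefix."""
    parsed = unresolve(pattern, name)
    return parsed is not None and parsed.get("tenant") == tenant


# Constructed sample values for the example; not from any real deployment.
MULTI_TENANT_TOPIC = "{tenant}-{instance}-{environment}-{topic}"
SAMPLE = {"tenant": "acme", "instance": "prod", "environment": "dev",
          "topic": "user-events"}
```

With the sample context, `resolve(MULTI_TENANT_TOPIC, SAMPLE)` yields `acme-prod-dev-user-events`, and `unresolve` of that name returns the original components, including the dash inside the topic name.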

AXUAL_NOTIFICATIONS_ENABLED

A boolean value [true | false] Default value: false

NO

Enables Notification service for the application.

AXUAL_NOTIFICATIONS_BASEURL

A valid URL of the running host “no default”. As an example, for Axual Cloud it should be set to https://axual.cloud/governance

Conditionally YES

Represents the advertised UI URL of the running self-service application. It is mandatory if AXUAL_NOTIFICATIONS_ENABLED=true.

AXUAL_NOTIFICATIONS_SENDER

A valid email address “no default”

Conditionally YES

Represents the email address of the notification sender; it can be the same value as the SPRING_MAIL_USERNAME property. It is mandatory if AXUAL_NOTIFICATIONS_ENABLED=true.

AXUAL_NOTIFICATIONS_SMTP_ENABLED

A boolean value [true | false] “no default”

Conditionally YES

Enables the Notification service to use SMTP for on-prem installations. It is mandatory if AXUAL_NOTIFICATIONS_ENABLED=true.

SUBSCRIPTION-MANAGEMENT_ENABLED

A boolean value [true | false] Default value: false

NO

Enables Stripe Subscription-Management for the application.

SUBSCRIPTION-MANAGEMENT_SLACK_CHANNEL_ALERTING

A string “no default”

NO

This is the Slack channel where alerts and notifications related to subscription management may be sent.

SUBSCRIPTION-MANAGEMENT_SLACK_CHANNEL_SALES

A string “no default”

NO

This is the Slack channel where sales-related notifications may be sent.

SUBSCRIPTION-MANAGEMENT_STRIPE_API-KEY

A string Default value: secret

Conditionally YES

This is the Stripe API key used for authenticating the application with Stripe, only if SUBSCRIPTION-MANAGEMENT_ENABLED=true

SUBSCRIPTION-MANAGEMENT_STRIPE_ENDPOINT-SECRET

A string Default value: secret

Conditionally YES

This is used for webhook event verification, only if SUBSCRIPTION-MANAGEMENT_ENABLED=true

SUBSCRIPTION-MANAGEMENT_STRIPE_RETRIES-COUNT

A number Default value: 10

Conditionally YES

Specifies the number of retries to attempt in case of Stripe-related failure, only if SUBSCRIPTION-MANAGEMENT_ENABLED=true

SUBSCRIPTION-MANAGEMENT_PRICING-TABLE_PLANS-IDS

A list of plan-ids “no default”

Conditionally YES

Specifies a list of plan IDs, only if SUBSCRIPTION-MANAGEMENT_ENABLED=true

SUBSCRIPTION-MANAGEMENT_PRICING-TABLE_HIGHLIGHTED-PLAN-ID

A string defining plan-id “no default”

Conditionally YES

This property highlights a specific plan ID, only if SUBSCRIPTION-MANAGEMENT_ENABLED=true

SUBSCRIPTION-MANAGEMENT_PRICING-TABLE_TRIAL-PERIOD-DAYS

A number Default value: 30

Conditionally YES

Specifies the duration of the trial period in days, only if SUBSCRIPTION-MANAGEMENT_ENABLED=true

SUBSCRIPTION-MANAGEMENT_SUBSCRIPTIONS_TRIAL-PRICE-ID

A string defining price-id “no default”

Conditionally YES

Specifies the ID of a trial price, only if SUBSCRIPTION-MANAGEMENT_ENABLED=true

GOVERNANCE_VAULT_ENABLED

A boolean value [true | false] Default value: false

Conditionally YES

Enables HashiCorp Vault support for governance, used to persist application credentials.

GOVERNANCE_VAULT_URI

A valid uri “no default”

Conditionally YES

Specifies the URI or endpoint of the HashiCorp Vault instance. It is mandatory only if GOVERNANCE_VAULT_ENABLED=true.

GOVERNANCE_VAULT_ROLE-ID

A valid RoleId “no default”

Conditionally YES

Role ID is used to identify the specific AppRole configured in Hashicorp Vault that the application is using for authentication. It is mandatory only if GOVERNANCE_VAULT_ENABLED=true

GOVERNANCE_VAULT_SECRET-ID

A valid secretId “no default”

Conditionally YES

The Secret ID is a secret token associated with a particular Role ID that proves the application’s identity and authorization to access secrets. It is mandatory only if GOVERNANCE_VAULT_ENABLED=true

GOVERNANCE_VAULT_PATH

A string defining path Default value: “governance”

Conditionally YES

Defines the specific path within Vault’s storage hierarchy where the application expects to read or write secrets or other data. It is mandatory only if GOVERNANCE_VAULT_ENABLED=true

GOVERNANCE_VAULT_NAMESPACE

A string defining the namespace “no default”

Conditionally YES

Specifies the Vault namespace to use. A Vault namespace allows you to create isolated environments within a Vault server. It is mandatory if GOVERNANCE_VAULT_ENABLED=true.

SCHEDULER_RECONCILIATION_CONNECT_PLUGINS_CRON

A string defining a cron expression Default value: “0 * */12 ? * *” (every 12 hours)

NO

Specifies the schedule or frequency at which the task that reconciles plugins of managed instances is executed.

SCHEDULER_RECONCILIATION_CONNECT_DEPLOYMENTS_CRON

A string defining a cron expression Default value: “0 */5 * ? * *” (every 5 minutes)

NO

Specifies the schedule or frequency at which the task that reconciles deployments of managed instances is executed.

CONNECTOR-VAULT_ENABLED

A boolean value [true | false] Default value: false

Conditionally YES

Enables Vault support for persisting connector secrets per tenant-instance.

CONNECTOR-VAULT_INSTANCES_[tenantShortName-instanceShortName]_URI

The URI of the vault “no default”

Conditionally YES

Specifies the URI of the Vault per tenant-instance. It is mandatory if CONNECTOR-VAULT_ENABLED=true.

CONNECTOR-VAULT_INSTANCES_[tenantShortName-instanceShortName]_ROLE-ID

A valid RoleId “no default”

Conditionally YES

The Role ID identifies the specific AppRole per tenant-instance configured in HashiCorp Vault that the application uses for authentication. It is mandatory if CONNECTOR-VAULT_ENABLED=true.

CONNECTOR-VAULT_INSTANCES_[tenantShortName-instanceShortName]_SECRET-ID

A valid secretId “no default”

Conditionally YES

The Secret ID is a secret token associated with a particular Role ID per tenant-instance that proves the application’s identity and authorization to access secrets. It is mandatory if CONNECTOR-VAULT_ENABLED=true.

CONNECTOR-VAULT_INSTANCES_[tenantShortName-instanceShortName]_NAMESPACE

A string defining the namespace “no default”

Conditionally YES

Specifies the Vault namespace per tenant-instance to use. A Vault namespace allows you to create isolated environments within a Vault server. It is mandatory if CONNECTOR-VAULT_ENABLED=true.

CONNECTOR-VAULT_INSTANCES_[tenantShortName-instanceShortName]_CONNECTORS-PATH

A string defining path “no default”

Conditionally YES

Specifies a path within Vault per tenant-instance where connectors or secrets may be stored or managed. It is mandatory if CONNECTOR-VAULT_ENABLED=true.

CONNECTOR-VAULT_INSTANCES_[tenantShortName-instanceShortName]_PRIVATE-KEY-NAME

A string defining the privateKey name “no default”

Conditionally YES

Specifies the name of a private key per tenant-instance within Vault. It is mandatory if CONNECTOR-VAULT_ENABLED=true.

CONNECTOR-VAULT_INSTANCES_[tenantShortName-instanceShortName]_CERT-CHAIN-KEY-NAME

A string defining the certChainKey name “no default”

Conditionally YES

Specifies the name of a certificate chain or certificate-related resource per tenant-instance within Vault. It is mandatory if CONNECTOR-VAULT_ENABLED=true.

CONNECTOR-VAULT_INSTANCES_[tenantShortName-instanceShortName]_TRUST-STORE

A string of file path to the trust-store “no default”

NO

Specifies the file path to the trust store within Vault per tenant-instance. If not set, the AXUAL_SECURITY_TRUST_STORE value is used as the default.

CONNECTOR-VAULT_INSTANCES_[tenantShortName-instanceShortName]_TRUST-STORE-PASSWORD

A string defining the password “no default”

NO

Specifies the password required to access and manipulate the trust store within Vault per tenant-instance. If not set, the AXUAL_SECURITY_TRUST_STORE_PASSWORD value is used as the default.

CONNECTOR-VAULT_INSTANCES_[tenantShortName-instanceShortName]_KEY-STORE

A string of file path to the key-store “no default”

NO

Specifies the file path to the key store within Vault per tenant-instance. If not set, the AXUAL_SECURITY_KEY_STORE value is used as the default.

CONNECTOR-VAULT_INSTANCES_[tenantShortName-instanceShortName]_KEY-STORE-PASSWORD

A string defining the key-store password “no default”

NO

Specifies the password required to access and manipulate the key store within Vault per tenant-instance. If not set, the AXUAL_SECURITY_KEY_STORE_PASSWORD value is used as the default.

CONNECTOR-VAULT_INSTANCES_[tenantShortName-instanceShortName]_KEY-PASSWORD

A string defining the key password “no default”

NO

Specifies the password required to unlock the client’s private key within the key store within Vault per tenant-instance. If not set, the AXUAL_SECURITY_KEY_STORE_PASSWORD value is used as the default.

AXUAL_AUDIT_ENABLED

A boolean value [true | false] Default value: false

NO

Enables Auditing for the application.
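Many entries above are only mandatory when another switch is turned on (“Conditionally YES”), and several credentials ship with a documented default. The following is an added example, not Platform Manager code: a checker that reads a Platform Manager environment as a dictionary and reports missing conditional variables, per tenant-instance Axual-Connect credentials, secrets still at their documented default, and CSRF protection left at its default of false. Variable names and defaults are the page's own; the sample environment is constructed.

```python
from typing import Dict, List, Optional, Tuple

# Added example, not Platform Manager code: audits an environment against the
# conditional requirements and documented defaults in the reference above.
# enabler -> variables that become mandatory when the enabler is "true"
CONDITIONAL: Dict[str, List[str]] = {
    "AXUAL_NOTIFICATIONS_ENABLED": ["AXUAL_NOTIFICATIONS_BASEURL",
        "AXUAL_NOTIFICATIONS_SENDER", "AXUAL_NOTIFICATIONS_SMTP_ENABLED"],
    "GOVERNANCE_VAULT_ENABLED": ["GOVERNANCE_VAULT_URI",
        "GOVERNANCE_VAULT_ROLE-ID", "GOVERNANCE_VAULT_SECRET-ID"],
    "SUBSCRIPTION-MANAGEMENT_ENABLED": ["SUBSCRIPTION-MANAGEMENT_STRIPE_API-KEY",
        "SUBSCRIPTION-MANAGEMENT_STRIPE_ENDPOINT-SECRET"],
}
# per tenant-instance credentials required once Axual-Connect is enabled
CONNECT_PREFIX = "AXUAL_CONNECT_INSTANCE-CONNECT-CREDENTIALS_"
CONNECT_SUFFIXES = ("_USERNAME", "_PASSWORD")
# variable -> (documented default, enabler that makes it relevant, or None)
WEAK_DEFAULTS: Dict[str, Tuple[str, Optional[str]]] = {
    "AXUAL_SECURITY_DOCS-PASSWORD": ("notsecret", None),
    "AXUAL_KEYCLOAK_PASSWORD": ("admin123", None),
    "SUBSCRIPTION-MANAGEMENT_STRIPE_API-KEY": ("secret", "SUBSCRIPTION-MANAGEMENT_ENABLED"),
    "SUBSCRIPTION-MANAGEMENT_STRIPE_ENDPOINT-SECRET": ("secret", "SUBSCRIPTION-MANAGEMENT_ENABLED"),
}


def is_true(env: Dict[str, str], key: str) -> bool:
    """Booleans default to false on this page, so an unset enabler is off."""
    return env.get(key, "false").strip().lower() == "true"


def check(env: Dict[str, str]) -> List[str]:
    """Return one finding per violated rule; an empty list means the environment passes."""
    findings: List[str] = []
    for enabler, required in CONDITIONAL.items():
        if is_true(env, enabler):
            findings += [f"{v} is mandatory when {enabler}=true" for v in required if not env.get(v)]
    if is_true(env, "AXUAL_CONNECT_AVAILABLE"):
        # keys look like <prefix>tenant-instance_USERNAME; recover "tenant-instance"
        instances = {k[len(CONNECT_PREFIX):].rsplit("_", 1)[0]
                     for k in env if k.startswith(CONNECT_PREFIX)}
        if not instances:
            findings.append("AXUAL_CONNECT_AVAILABLE=true but no tenant-instance credentials are set")
        for inst in sorted(instances):
            findings += [f"{CONNECT_PREFIX}{inst}{s} is mandatory when AXUAL_CONNECT_AVAILABLE=true"
                         for s in CONNECT_SUFFIXES if not env.get(CONNECT_PREFIX + inst + s)]
    for var, (default, enabler) in WEAK_DEFAULTS.items():
        if (enabler is None or is_true(env, enabler)) and env.get(var, default) == default:
            findings.append(f"{var} still has its documented default value")
    if not is_true(env, "AXUAL_CSRF_ENABLED"):
        findings.append("AXUAL_CSRF_ENABLED is false, the documented default")
    return findings


SAMPLE_ENV = {  # constructed example environment, not a real deployment
    "AXUAL_NOTIFICATIONS_ENABLED": "true",
    "AXUAL_NOTIFICATIONS_BASEURL": "https://example.invalid/governance",
    "AXUAL_CONNECT_AVAILABLE": "true",
    "AXUAL_CONNECT_INSTANCE-CONNECT-CREDENTIALS_acme-prod_USERNAME": "connect-user",
    "AXUAL_KEYCLOAK_PASSWORD": "admin123",
    "AXUAL_SECURITY_DOCS-PASSWORD": "placeholder-strong-secret",
    "AXUAL_CSRF_ENABLED": "true",
}
```

Running `check(SAMPLE_ENV)` reports the two missing notification variables, the missing Axual-Connect password for acme-prod, and the Keycloak password left at admin123; `check(dict(os.environ))` applies the same rules to a live process environment.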