Configuration

The AAC loads configuration data from a file (typically backed by a Kubernetes config map). If the service is unable to retrieve the configuration data, it will not start. Refer to the configuration for details.

Service configuration structure

The recommended configuration format is YAML. The below sections describe the officially supported configuration options that influence various aspects of the service functionality. The service may support options other than the ones listed below, but those are not a part of the public API and may be changed or deleted at any time.

General

AAC uses a standard Spring Boot server.port property to configure the port to expose the REST API at.

The service-specific configuration properties are located under kaa.aac.

server:
  port: <integer>  # Server port used to expose the REST API at

SMTP configuration

spring:
  mail:
    host: <string>      # SMTP server host 
    port: <integer>     # SMTP server port 
    username: <string>  # SMTP server login username
    password: <string>  # SMTP server login password
  properties:
    mail:
      smtp:
        auth: <bool>    # must be true if SMTP service has authorization

kaa:
  aac:
    email:
      default-sender: username@hostname   # sender used for sending emails to verify recipients

Supported automation invocation types

AAC supports the next automation invocation types:

  • email-notification - sends email with subject, text, and recipient specified in the automation invocation event
kaa:
  automation-invocation:
    - type: <automation invocation type> # automation invocation type that AAC listens to
      trigger:
        service-instance-name: <automation trigger service instance name> # Instance name of the automation trigger service

NATS

The below parameters configure AAC’s connection to NATS.

NOTE For security reasons NATS username and password are sourced from the environment variables.

nats:
  urls: <comma separated list of URL>                  # NATS connection URLs. 'nats://nats:4222' by default.
  request-timeout: <unsigned integer>                  # How long to wait for a response message (in msec). Default is 10000.
  concurrency:
    max-threads: <unsigned integer>                    # The maximum number of threads to read and process incoming messages. Default is 50.
    core-pool-size: <unsigned integer>                 # The number of threads to keep in the pool, even if they are idle. Default is 3.
    keep-alive-time-millis: <unsigned integer>         # When the number of threads is greater than the core, this is the maximum time that excess idle threads will wait for new tasks before terminating. Default is 10000.

Management

AAC monitoring and management implementation is based on the Spring Boot Actuator. Refer to the corresponding documentation for the list of supported configuration options.

Authentication, authorization, and multi-tenancy

AAC supports two integrations for security:

  • OAuth2 protocol with a UMA profile. Enabled when kaa.security.enabled is true and kaa.security.iamcore.enabled is false.
  • iamcore. Enabled when both kaa.security.enabled and kaa.security.iamcore.enabled are true.

OAuth2 with UMA profile

Authentication and authorization is handled within the scope of a given Kaa tenant. Each tenant has a separate OAuth 2.0 issuer, managed by the Kaa Tenant Manager. When multi-tenancy is disabled, all authentication and authorization is conducted in the default system tenant (“kaa”).

AAC OAuth2 with UMA profile security is controlled with the following configuration options (for security reasons it is advised to set these via environment variables).

kaa:
  security:
    enabled: <boolean>      # Enables authentication and authorization. False by default.
    issuer:
      public-url: <string>  # OAuth 2.0 issuer public URL for the system tenant ("kaa").
      private-url: <string> # OAuth 2.0 issuer private URL for the system tenant ("kaa").
    client-id: <string>     # Client ID for making requests in the system tenant scope.
    client-secret: <string> # Client secret for making requests in the system tenant scope.
    multitenancy:
      enabled: <boolean>    # Enables multitenancy via integration with the Kaa Tenant Manager. Only effective when kaa.security.enabled is set to true. False by default.
      tenant-manager:
        url: <string>       # URL of the Kaa Tenant Manager that provides security configurations for tenants. "http://tenant-manager" by default.

iamcore

Authentication and authorization is handled by iamcore.

AAC iamcore security is controlled with the following configuration options (for security reasons it is advised to set these via environment variables).

kaa:
  security:
    enabled: <boolean>      # Enables authentication and authorization. False by default.
    iamcore:
      enabled: <boolean>    # Enables iamcore integration. False by default.
      api-key: <string>     # iamcore API KEY
      url: <string>         # iamcore server URL. "https://cloud.iamcore.io" by default.
      application: <string> # iamcore application. "kaa" by default

Logging

By default, AAC uses Spring Boot logging configuration with logback for logging. Refer to the corresponding documentation for the list of supported configuration options.

Built-in configuration profiles

For your convenience, AAC comes with a default built-in configuration profile.

Built-in profiles are optimized for a Kubernetes-based production deployment. They do not define any Kaa applications—you have to configure them for a specific Kaa-based solution.

Default

rest:
  connection-request-timeout: 10000
  connect-timeout: 10000
  read-timeout: 10000
  connection-pool:
    default-max-per-route: 15
    max-total: 30

server:
  port: 80
  compression:
    enabled: true
    mime-types: application/json

nats:
  urls: nats://nats:4222

spring:
  application:
    name: ${instanceName:aac}
  jackson:
    default-property-inclusion: NON_NULL
    time-zone: GMT
    serialization:
      WRITE_DATES_AS_TIMESTAMPS: false
    deserialization:
      FAIL_ON_UNKNOWN_PROPERTIES: false
      ACCEPT_EMPTY_STRING_AS_NULL_OBJECT: true
  mvc:
    async:
      request-timeout: 60000

kaa:
  service:
    name: aac
    instance:
      replica-id: ${replicaId:${random.uuid}}    # initialized by UUID if service is not inside Docker container
  automation-invocation:
    - type: email-notification
      trigger:
        service-instance-name: aa
        
management:
  server:
    port: 8080
  endpoint:
    health:
      enabled: true
      show-details: always
      status:
        http-mapping:
          UNKNOWN: 503
          DOWN: 503
          FATAL: 503
    shutdown:
      enabled: true
    metrics:
      enabled: true
    prometheus:
      enabled: true
  metrics:
    export:
      prometheus:
        enabled: true
    tags:
      service: aac
  endpoints:
    web:
      base-path: /
      exposure:
        include: info,health,metrics,prometheus