- Service configuration structure
- Built-in configuration profiles
The CEX loads configuration data from a file (typically backed by a Kubernetes config map). If the service is unable to retrieve the configuration data, it will not start. Refer to the configuration for details.
Service configuration structure
The recommended configuration format is YAML. The below sections describe the officially supported configuration options that influence various aspects of the service functionality. The service may support options other than the ones listed below, but those are not a part of the public API and may be changed or deleted at any time.
General service configuration
CEX uses a standard Spring Boot
server.port property to configure the port to expose the REST API at.
The service-specific configuration properties are located under
server: port: <unsigned short integer> # Server port used to expose the REST API at kaa: cex: commands: command-retention-ttl-hours: <integer> # The time (in hours) that the command invocation will be eligible for the execution by an endpoint.
Many Kaa services can be configured for different behavior depending on the application version of the endpoint the processed data relates to.
This is called appversion-specific behavior and is handled in service configurations under
Alternatively, the application-specific configuration can be sourced from Kaa Tekton.
See the Tekton configuration section to find out how to configure such integration.
Despite CEX currently does not support any appversion-specific configurations, it uses the application and appversion names to validate the API calls and protocols data.
kaa: applications: <application 1 name>: # Kaa application name versions: <application 1 version 1 name>: # Kaa application version name
CEX supports integration with Kaa Tekton for centralized application configuration management. The below configuration options set up the integration interface.
kaa: tekton: enabled: <boolean> # Enables Tekton integration. False by default. Also can be set with the KAA_TEKTON_ENABLED environment variable. url: <string> # URL of the Tekton service. "http://tekton" by default. Also can be set with the KAA_TEKTON_URL environment variable. scmp.consumer: provider.service-instance.name: <string> # Service instance name of the Tekton service. "tekton" by default. Also can be set with the KAA_SCMP_CONSUMER_PROVIDER_SERVICE_INSTANCE_NAME environment variable.
Communication service interface
kaa: cex: communication-service: service-instance: name: <string> # Name of the communication service to use
CEX uses Redis for the command store. The implementation is based on Spring Data Redis. Refer to the corresponding documentation for the list of supported configuration options.
The below parameters configure CEX’s connection to NATS.
NOTE For security, reasons NATS username and password are sourced from the environment variables.
nats: urls: <comma separated list of URL> # NATS connection URLs
Authentication and authorization
CEX’s REST API security is implemented according to OAuth2 protocol with a UMA profile.
CEX REST API protection is controlled with the following configuration options:
security: ignored: <value> # Controls authentication and authorization on REST API endpoints. # Possible values: '/**' to disable security or 'none' to enable. oauth2: client: clientId: <clientId> # Client ID on whose behalf the requests will be made. clientSecret: <secret> # Client secret on whose behalf the requests will be made. accessTokenUri: <URI> # An OAuth2-compliant Token Endpoint for obtaining tokens via the 'Implicit Flow', # 'Direct Grants', or 'Client Grants'. # E.g. "https://your-url-to-auth-server/auth/realms/realm-a/protocol/openid-connect/token" resourceUri: <URI> # An UMA-compliant Resource Registration Endpoint which resource servers can use # to manage their protected resources and scopes. # E.g. "https://your-url-to-auth-server/auth/realms/realm-a/authz/protection/resource_set" resource: userInfoUri: <URI> # URL endpoint for the User Info service described in the OIDC specification. # E.g. "https://your-url-to-auth-server/auth/realms/realm-a/protocol/openid-connect/userinfo"
CEX monitoring and management implementation is based on the Spring Boot Actuator. Refer to the corresponding documentation for the list of supported configuration options.
By default, CEX uses Spring Boot logging configuration with logback for logging. Refer to the corresponding documentation for the list of supported configuration options.
Built-in configuration profiles
For your convenience, CEX comes with a default built-in configuration profile.
Built-in profiles are optimized for a Kubernetes-based production deployment. They do not define any Kaa applications—you have to configure them for a specific Kaa-based solution.
server: port: 80 kaa: cex: communication-service: service-instance: name: kpc commands: command-retention-ttl-hours: 720 nats: urls: nats://nats:4222 management: port: 8080 security: enabled: false spring: redis: host: redis port: 6379 mvc: async: request-timeout: 60000 endpoints: enabled: false health: enabled: true mapping.UNKNOWN: SERVICE_UNAVAILABLE info.enabled: true metrics.enabled: true