The ADX loads configuration data from a file (typically backed by a Kubernetes config map). The location of the configuration file is sourced from an environment variable. If the service is unable to retrieve the configuration data, it will not start. Refer to the configuration for details.

Service configuration structure

The recommended configuration format is YAML. The below sections describe the officially supported configuration options that influence various aspects of the service functionality. The service may support options other than the ones listed below, but those are not a part of the public API and may be changed or deleted at any time.


ADX uses its service instance name and replica ID for communication with other services and load balancing across replicas (for example, see 3/ISM). You can control the values with the following configuration options:

    name: <string>          # Service instance name, should be unique cluster-wide. "adx" by default. <string>    # Service instance replica ID, should be unique cluster-wide. Random string by default.
  graceful-shutdown: <uint> # Allowed service graceful shutdown period in seconds. 30 seconds by default.

Response format

By default, the service responds with the attribute JSON value verbatim as found in ADX configuration by the query path. But you can also configure ADX to wrap the response as a JSON record with the query path used as the key:

  wrap-response: <boolean>    # Enables wrapping response, false by default

Let’s take a look at an example.

Assume that the we have the following request:

    "q": "attributeA"

Let us also assume that the configuration is as follows:

    "attributeA": "valueA",
    "attributeB": "valueB"

If you enable the service.wrap-response option, the response of the service will be as follows:



ADX requires application and appversion configuration data from Kaa Tekton. The below configuration options set up the integration interface.

    enabled: <boolean>    # Enables Tekton integration. False by default. Also can be set with the KAA_TEKTON_ENABLED environment variable.
    url: <string>         # URL of the Tekton service. "http://tekton" by default. Also can be set with the KAA_TEKTON_URL environment variable.
    provider.service-instance-name: <string>  # Service instance name of the Tekton service. "tekton" by default.
    queue-length: <uint>                      # Maximum queue length for 17/SCMP messages from Tekton. 256 by default.

For the Tekton integration to function, there must be no kaa.applications key in the configuration file. Such configuration, when present, takes precedence over the Tekton-supplied application-specific configs.


The below parameters configure ADX’s connection to NATS broker, as well as the NATS message adapters used by ADX. Note that for security reasons NATS username and password are sourced from the environment variables.

  urls: <comma separated list of URL>       # NATS connection URLs
    concurrency: <uint>                     # Number of concurrent workers to read messages from communication service. 16 by default.
    queue-length: <uint>                    # The maximum amount of messages in the ESP server queue. When the queue is full, new messages will be dropped. 64 * `kaa.esp.server.concurrency` by default.
    concurrency: <uint>                     # Number of concurrent workers to read messages from data receivers. 16 by default.
    queue-length: <uint>                    # The maximum amount of messages in the DSTP transmitter queue. When the queue is full, new messages will be dropped. 64 * `kaa.dstp.transmitter.concurrency` by default.

Consider configuring concurrency options to at least match the number of CPUs available on your infrastructure.

Authentication, authorization, and multi-tenancy

ADX uses OAuth2 for authentication and authorization when making REST API calls to other services. Authentication and authorization is handled within the scope of a given Kaa tenant. Each tenant has a separate OAuth 2.0 issuer, managed by the Kaa Tenant Manager. When multi-tenancy is disabled, all authentication and authorization is conducted in the default system tenant (“kaa”).

ADX security is controlled with the following configuration options (for security reasons it is advised to set these via environment variables).

    enabled: <boolean>      # Enables authentication and authorization. False by default.
    issuer: <string>        # OAuth 2.0 issuer URL for the system tenant ("kaa").
    client-id: <string>     # Client ID for making requests in the system tenant scope.
    client-secret: <string> # Client secret for making requests in the system tenant scope.

      enabled: <boolean>    # Enables multitenancy via integration with the Kaa Tenant Manager. Only effective when is set to true. False by default.
        url: <string>       # URL of the Kaa Tenant Manager that provides security configurations for tenants. "http://tenant-manager" by default.


To control the ADX management interface, use the following configuration options.

  disabled: <boolean>   # Disables the monitoring interface entirely. False by default.
  port: <uint>          # TCP port to expose the monitoring server on. 8080 by default.


ADX writes logs to stdout. By default, the service only produces logs at startup, shutdown, or in case of errors. To enable debug level logging, use the following option:

  debug: <boolean>    # Enables debug level logging, false by default

Keep in mind that enabling debug level logging will produce significantly more log output and degrade the service performance.

Default configuration

Summarizing the above, the default ADX configuration is as follows. Note that no Kaa applications are defined by default—you have to configure those for any specific Kaa-based solution.

    name: "adx" "<random string generated on boot>"
    disabled: false
    port: 8080
  graceful-shutdown: 30 # seconds

    concurrency: 16
    queue-length: 1024
  applications: # none

  urls: nats://nats:4222