Deployment
Deployment guide for the Approval Workflow Engine — local development with Docker Compose, Helm chart installation, configuration reference, Keycloak prerequisites, operational runbook, and security c
Local development
With Docker Compose (one command)
docker compose up --buildSmoke test (create policy → request → approve)
# Dev token with the AWE_ADMIN role — accepted by dev-mode auth.
TOKEN='eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiJkZXYtYWRtaW4iLCJlbWFpbCI6ImRldkBsb2NhbCIsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJBV0VfQURNSU4iXX19.'
# 1. Create a policy
curl -sX POST http://localhost:8000/v1/awe/policies \
-H "authorization: Bearer $TOKEN" \
-H 'content-type: application/json' -d '{
"policy_key": "demo.v1",
"name": "Demo approval",
"artifact_type": "demo.artifact",
"stages": [{
"name": "Demo stage",
"stage_order": 1,
"mode": "any-n",
"mode_value": 1,
"rules": [{"rule_type": "user", "rule_value": {"user_id": "u-alice"}}]
}]
}'
# 2. Activate it
curl -sX POST http://localhost:8000/v1/awe/policies/demo.v1/versions/1/activate \
-H "authorization: Bearer $TOKEN"
# 3. Caller creates a request
curl -sX POST http://localhost:8000/v1/awe/requests \
-H "authorization: Bearer $TOKEN" \
-H 'content-type: application/json' -d '{
"policy_key": "demo.v1",
"artifact_type": "demo.artifact",
"artifact_id": "demo-1",
"context": {}
}'
# → { "request_id": "...", "status": "in_review", "tasks": [...] }
# 4. Alice approves
TASK_ID=<from previous response>
curl -sX POST "http://localhost:8000/v1/awe/tasks/$TASK_ID/decision" \
-H "authorization: Bearer $TOKEN" \
-H 'content-type: application/json' -d '{"action": "approve"}'
# 5. Verify terminal state
curl -s "http://localhost:8000/v1/awe/requests/<request_id>" \
-H "authorization: Bearer $TOKEN" | jq .status
# → "approved"With hot reload (UI + API)
Kubernetes install via Helm
Chart deploys two Deployments + one Istio VirtualService
Prerequisites
What the Keycloak integration provisions
Client
Purpose
Type
Client-secret sync and service-account roles
- RoleWhy AWE needs it
Role rules: realm vs client
Why awe-admin-portal is a public client (and should stay that way)
awe-admin-portal is a public client (and should stay that way)Install
Uninstall / teardown
Flag
What it does
Configuration reference
Service metadata
Key
Default
Purpose
Webhook dispatch
Key
Default
Purpose
Resolver
Key
Default
Purpose
SLA
Key
Default
Purpose
Keycloak
Key
Default
Purpose
Notifier
Key
Default
Purpose
Operational runbook
A webhook delivery is stuck in pending beyond schedule
pending beyond scheduleA delivery is marked exhausted
exhaustedA stage is stuck — no tasks appeared
A request is stuck in in_review after all approvers decided
in_review after all approvers decidedRotating the webhook signing secret
Security considerations
Last updated
Was this helpful?