Configuration Reference
Ice Flow is configured via environment variables, application properties, or JVM
system properties passed as JVM flags with -D.
Extension Properties
| Property | Env variable | Description | Required |
|---|---|---|---|
| — | SYMPHONY_TOKEN | Authentication token for the extension service. | Yes |
JVM Flags
| Flag | Description |
|---|---|
| -Djdbc.extra.driver.jars=<paths> | Comma-separated list of absolute paths to additional JDBC driver JAR files for database-backed catalogs. Example: -Djdbc.extra.driver.jars=/opt/drivers/postgresql.jar |
| -Dsun.security.krb5.debug=true | Enable detailed Kerberos debug logging for troubleshooting authentication issues |
| --add-opens=java.security.jgss/sun.security.krb5=ALL-UNNAMED | Required for Kerberos catalogs. Lets Ice Flow refresh the JVM's Kerberos config singleton when catalog snippets change. The shipped RPM and Docker images set this automatically; custom launchers must include it or the Authentication page will report that JGSS is using stale realm data. |
Deployment Options
Bare Metal / VM (systemd)
Installed via RPM package. Configuration files:
| File | Purpose |
|---|---|
| /etc/cirata/symphony/extensions/iceflow/iceflow.env | Environment variables (SYMPHONY_TOKEN, JVM_XMS, JVM_XMX) |
| /etc/cirata/symphony/extensions/iceflow/application.properties | Spring Boot properties |
| /etc/cirata/symphony/extensions/iceflow/logback.xml | Logging configuration |
Service management:
systemctl start cirata-iceflow
systemctl stop cirata-iceflow
systemctl status cirata-iceflow
journalctl -u cirata-iceflow -f
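Because iceflow.env holds SYMPHONY_TOKEN, it is worth checking the file before starting the service. The following is an added example, not part of the Ice Flow package: a POSIX shell function that reports group/other access on the file and a missing or placeholder token, without printing the value. The function name, variable names and exit codes are this example's own, and the plain KEY=VALUE layout of the file is an assumption.

```shell
#!/bin/sh
# Added example (not shipped with Ice Flow): audit the environment file that
# holds SYMPHONY_TOKEN. Assumes plain KEY=VALUE lines in the file.
ENV_FILE_DEFAULT=/etc/cirata/symphony/extensions/iceflow/iceflow.env

# audit_env_file [FILE]: prints findings, never the token itself.
# Returns 0 = clean, 1 = findings, 2 = file missing or unreadable.
audit_env_file() {
    aef_file=${1:-$ENV_FILE_DEFAULT}
    aef_rc=0
    if [ ! -f "$aef_file" ] || [ ! -r "$aef_file" ]; then
        echo "cannot read $aef_file"
        return 2
    fi

    # Characters 5-10 of the ls mode string are the group and other bits.
    aef_perms=$(ls -ld "$aef_file" | cut -c5-10)
    if [ "$aef_perms" != "------" ]; then
        echo "group/other permissions set ($aef_perms): restrict to the owner"
        aef_rc=1
    fi

    # Last assignment wins; strip one pair of surrounding double quotes.
    aef_tok=$(sed -n 's/^SYMPHONY_TOKEN=//p' "$aef_file" | tail -n 1)
    aef_tok=${aef_tok#\"}
    aef_tok=${aef_tok%\"}
    case "$aef_tok" in
        '')        echo "SYMPHONY_TOKEN is missing or empty"; aef_rc=1 ;;
        '<token>') echo "SYMPHONY_TOKEN is still the placeholder"; aef_rc=1 ;;
    esac
    unset aef_tok
    return "$aef_rc"
}

# Run against a file given on the command line, e.g. before systemctl start.
if [ "$#" -gt 0 ]; then
    audit_env_file "$1"
fi
```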
Docker
| Setting | Default |
|---|---|
| Base image | gcr.io/distroless/java17-debian12:nonroot |
| JVM heap | -Xms512m -Xmx2g |
| Config directory | /etc/cirata/ |
| User | nonroot |
docker run -e SYMPHONY_TOKEN=<token> cirata/iceflow:latest
Kubernetes (Helm)
Key Helm values:
| Value | Default | Description |
|---|---|---|
| image.repository | cirata/iceflow | Container image |
| image.tag | latest | Image tag |
| symphony.hostname | symphony.cirata.com | Symphony hostname (from JWT token) |
| symphony.serviceName | symphony-service | In-cluster Symphony service (empty to skip) |
| symphony.token | "" | API token for registration |
| symphony.existingSecret | "" | Name of existing Secret with token |
| jvm.xms | 512m | JVM minimum heap |
| jvm.xmx | 2g | JVM maximum heap |
| jvm.extraArgs | "" | Additional JVM arguments |
| healthCheck.enabled | false | Enable liveness/readiness probes |
| resources.requests.memory | 768Mi | Memory request |
| resources.limits.memory | 2560Mi | Memory limit |
| tls.caSecretName | "" | Secret with ca.crt for custom CA |
helm install my-iceflow iceflow-0.1.0.tgz \
--set symphony.token=<token>
Logging
Ice Flow uses structured JSON logging. Each log entry includes:
| Field | Description |
|---|---|
| timestamp | ISO 8601 timestamp (UTC) |
| message | Log message |
| logger_name | Java logger name |
| level | Log level (ERROR, WARN, INFO, DEBUG) |
| extension | Always iceflow |
| version | Extension version |
Customise logging by providing a logback.xml file. The RPM and Docker
deployments include a default configuration.