Redpanda Console Configuration
Redpanda Console loads configuration properties from three sources, with the following order of precedence:
Command line arguments (flags) This means that environment variables and YAML configurations can overwrite input that is set on the command line.
The recommended configuration source is a YAML file. Specify the path to the file by either setting
-config.filepath flag or setting the
CONFIG_FILEPATH environment variable.
A reference YAML configuration file is provided under Sample configuration.
Configuration options can be configured using environment variables. The key for the environment variable is auto-generated by converting the YAML equivalent to uppercase and adding an underscore for each indentation level. For example:
kafka.rackId => KAFKA_RACKID
kafka.tls.caFilepath => KAFKA_TLS_CAFILEPATH
For configuration properties that expect a list of values, use commas between each value. For example:
|You cannot use environment variables to configure object arrays, such as the configuration for Kafka connect clusters. In this case, use a YAML file, and provide secrets using environment variables or command line arguments.|
config.yaml configuration file contains a complete list of all Console configuration properties and their descriptions. All values are default values.
Provide the filepath to your configuration file by setting either the flag
-config.filepath or the environment variable
|This configuration file contains both Redpanda Enterprise and Redpanda Community configurations. If you don’t provide a Redpanda Enterprise license, Console ignores configurations for Redpanda Enterprise features.|
kafka: # Brokers is a list of bootstrap servers with # port (for example "localhost:9092"). brokers:  # Client ID that the Kafka client can use to identify itself # against the target Kafka cluster. clientId: console # In multi-zone Kafka clusters, you can reduce traffic costs # by consuming messages from replica brokers in the same zone rackId: # SASL configuration for Console to connect to the Kafka API. sasl: enabled: false username: # Password can also be set using the --kafka.sasl.password flag. password: # Valid mechanisms are: PLAIN, SCRAM-SHA-256, # SCRAM-SHA-512, GSSAPI, OAUTHBEARER and AWS_MSK_IAM. mechanism: PLAIN # Kerberos implements the GSSAPI protocol. Use the following configurations # to connect Redpanda Console to a Kerberos-protected Kafka API. gssapi: # AuthType must be either USER_AUTH or KEYTAB_AUTH authType: # Filepath to the keytab file that contains the pairs of Kerberos # principals and encrypted password keys. AuthType must be set to # KEYTAB_AUTH to load the keytab file. keyTabPath: # Path to the krb5.conf file that contains Kerberos configuration # information, such as the locations of KDCs. kerberosConfigPath: serviceName: username: # Password can also be set using the --kafka.sasl.gssapi.password flag password: realm: # EnableFAST enables FAST, which is a pre-authentication framework # for Kerberos. enableFast: true oauth: # can also be set using the --kafka.sasl.oauth.token flag token: awsMskIam: accessKey: # can also be set using the --kafka.sasl.aws-msk-iam.secret-key flag secretKey: # can also be set using the --kafka.sasl.aws-msk-iam.session-token flag sessionToken: userAgent: tls: # If you connect to a Cluster that uses commonly trusted # certificates, enable TLS and do not provide a certificate # authority in the caFilepath. In this case, # the system's cert pool is used. enabled: false caFilepath: certFilepath: keyFilepath: # Can also be set using the --kafka.tls.passphrase flag passphrase: insecureSkipTlsVerify: false schemaRegistry: enabled: false # Url with scheme is required, e.g. ["http://localhost:8081"] urls:  # Basic auth username username: # Basic auth password. This can also be set using the --schema.registry.password # flag password: # Can also be set using the --schema.registry.token flag bearerToken: tls: # If you connect to a schema registry that uses commonly trusted # certificates, enable TLS and do not provide a certificate # authority in the caFilepath. In this case, # the system's cert pool is used. enabled: false caFilepath: certFilepath: keyFilepath: insecureSkipTlsVerify: false protobuf: enabled: false mappings:  # Map the proto type names for each of your topics. # These proto types will be used for deserialization # - topicName: xy # You can specify the proto type for the record key # and/or value (just one will work too) # valueProtoType: fake_model.Order # keyProtoType: package.Type # SchemaRegistry does not require any mappings to be specified. # The schema registry client that is configured in the # kafka config block will be reused. schemaRegistry: enabled: false refreshInterval: 5m # Configure the fileSystem if you want Redpanda Console to # search the local file system for the .proto files fileSystem: enabled: false paths:  refreshInterval: 5m # Git is where the .proto files come from git: enabled: false repository: url: branch: (defaults to primary/default branch) # How often Redpanda Console pulls the repository to look for new files. # Set to 0 to disable periodic pulls refreshInterval: 1m # Basic Auth # To use GitHub's personal access tokens, use `token` # as username and pass the token as password basicAuth: enabled: true username: token password: # SSH Auth # You can pass the private key file directly using a flag on the command line, or you can specify it in the # yaml configuration file. Another alternative is to provide the filepath to a mounted key # file in this configuration block. ssh: enabled: false username: privateKey: privateKeyFilepath: passphrase: messagePack: enabled: false topicNames: ["/.*/"] # List of topic name regexes, defaults to /.*/ connect: enabled: false # The default for clusters is an empty array. To start Redpanda Console, # specify at least one cluster as soon as you enable Kafka connect. clusters:  - name: xy url: http://my-cluster:8083 tls: # Trusted certificates are still allowed if TLS is not enabled. enabled: false # caFilepath: # certFilepath: # keyFilepath: # insecureSkipTlsVerify: false username: password: token: connectTimeout: 15s # used to test cluster connectivity readTimeout: 60s # overall REST timeout requestTimeout: 6s # timeout for REST requests console: # Configuration to use for embedded topic documentation topicDocumentation: enabled: false # Configure the git repository that contains the topic documentation. # Redpanda Console clones the git repository and periodically pulls for new # changes so it can render the markdown files within the topic view. git: enabled: false repository: url: branch: (defaults to primary/default branch) baseDirectory: . # How often Console pulls the repository to look for new files. # Set to 0 to disable periodic pulls. refreshInterval: 1m # To use GitHub's personal access tokens, use `token` # for the username and pass the token as password. basicAuth: enabled: true username: token password: ssh: enabled: false username: privateKey: privateKeyFilepath: passphrase: redpanda: # Redpanda Admin API configuration that enables additional Redpanda-specific features. adminApi: enabled: false # HTTP urls (such as http://localhost:9644) that Redpanda Console should send admin api requests to. urls:  # Username for basic auth username: # Password for basic auth password: tls: enabled: false caFilepath: certFilepath: keyFilepath: insecureSkipTlsVerify: # Filepath to your redpanda.license file # This is only required if you want to use an Enterprise feature # such as SSO or RBAC. licenseFilepath: # Login contains all configurations in order to protect Redpanda Console # with a login screen. To support SSO, configure one or more of the identity # providers below. # This feature requires an Enterprise license. login: enabled: false # jwtSecret is a secret string that signs and encrypts # the JSON Web tokens used by the backend for session management. jwtSecret: redacted google: enabled: false clientId: redacted.apps.googleusercontent.com clientSecret: redacted # The directory configuration is only required if you use # Google groups in your RBAC role bindings. directory: # Filepath to the mounted service account key file in JSON format. serviceAccountFilepath: /etc/secrets/google-sa.json # targetPrincipal is the user that will be impersonated # for the Google Admin API calls. targetPrincipal: email@example.com oidc: enabled: false clientId: redacted clientSecret: redacted domain: example-endpoint.us.auth0.com # OIDC endpoint userIdentifyingClaimKey: sub github: enabled: false clientId: redacted clientSecret: redacted # The directory configuration is only required if you use # GitHub teams in your RBAC role bindings. directory: personalAccessToken: redacted okta: enabled: false clientId: redacted clientSecret: redacted # The directory configuration is only required if you # use Okta groups in your RBAC role bindings. directory: apiToken: redacted # The enterprise block contains configurations for features that # can only be used with a valid Enterprise license. enterprise: rbac: # Whether or not RBAC is used. This must be enabled # if login is enabled. By default, no authenticated user # has any permissions. enabled: false # Path to YAML file that contains all role bindings roleBindingsFilepath: # Server configures Redpanda Console's HTTP server that serves all resources, including the Frontend application. server: listenPort: 8080 listenAddress: gracefulShutdownTimeout: 30s readTimeout: 30s writeTimeout: 30s idleTimeout: 30s compressionLevel: 4 # Sub-path under which Redpanda Console is hosted. See Features / HTTP path rewrites. basePath: "" # Whether or not to check the 'X-Forwarded-Prefix' header to (potentially) # override 'basePath'. See Features / HTTP path rewrites. setBasePathFromXForwardedPrefix: true # Whether or not Redpanda Console should strip the prefix internally. stripPrefix: true logger: level: info # Valid values are debug, info, warn, error, and fatal # Prefix for all exported Prometheus metrics metricsNamespace: console