Redpanda Console Configuration

Configuration sources

Redpanda Console loads configuration properties from three sources, with the following order of precedence:

  • Environment variables

  • YAML configuration

  • Command line arguments (flags)

This means that environment variables and YAML configurations can overwrite input that is set on the command line.

YAML configuration

The recommended configuration source is a YAML file. Specify the path to the file by either setting the -config.filepath flag or setting the CONFIG_FILEPATH environment variable. A reference YAML configuration file is provided under Sample configuration.

Environment variables

Configuration options can be configured using environment variables. The key for the environment variable is auto-generated by converting the YAML equivalent to uppercase and adding an underscore for each indentation level. For example:

  • kafka.rackId => KAFKA_RACKID

  • kafka.tls.caFilepath => KAFKA_TLS_CAFILEPATH

For configuration properties that expect a list of values, use commas between each value. For example:

  • KAFKA_BROKERS=redpanda-0:9092,redpanda-1:9092,redpanda-2:9092

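You cannot use environment variables to configure object arrays, such as the configuration for Kafka Connect clusters. In this case, use a YAML file, and provide secrets using environment variables or command line arguments. Command line arguments are usually visible in the host's process list, so environment variables populated from a secret store are generally the better choice for credentials.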

Sample configuration

The following config.yaml configuration file contains a complete list of all Console configuration properties and their descriptions. All values are default values.

Provide the filepath to your configuration file by setting either the flag -config.filepath or the environment variable CONFIG_FILEPATH.

This configuration file contains both Redpanda Enterprise and Redpanda Community configurations. If you don’t provide a Redpanda Enterprise license, Console ignores configurations for Redpanda Enterprise features.
# Connection settings for the Kafka API that Redpanda Console talks to.
kafka:
  # Brokers is a list of bootstrap servers with
  # port (for example "localhost:9092").
  # As an environment variable, pass a comma-separated list, for example
  # KAFKA_BROKERS=redpanda-0:9092,redpanda-1:9092,redpanda-2:9092
  brokers: []
  # Client ID that the Kafka client can use to identify itself
  # against the target Kafka cluster.
  clientId: console
  # In multi-zone Kafka clusters, you can reduce traffic costs
  # by consuming messages from replica brokers in the same zone
  # Environment variable equivalent: KAFKA_RACKID
  rackId:
  # SASL configuration for Console to connect to the Kafka API.
  # Every credential in this block is a secret: inject it at runtime rather
  # than storing it in a file that is committed or widely readable.
  sasl:
    enabled: false
    username:
    # Password can also be set using the --kafka.sasl.password flag.
    # Flag values are usually visible in the host's process list, so an
    # environment variable (KAFKA_SASL_PASSWORD under the documented naming
    # rule) fed from a secret store is generally preferable.
    password:
    # Valid mechanisms are: PLAIN, SCRAM-SHA-256,
    # SCRAM-SHA-512, GSSAPI, OAUTHBEARER and AWS_MSK_IAM.
    # PLAIN transmits the password itself to the broker, so combine it with
    # kafka.tls.enabled: true; the SCRAM mechanisms avoid sending the password.
    mechanism: PLAIN
    # Kerberos implements the GSSAPI protocol. Use the following configurations
    # to connect Redpanda Console to a Kerberos-protected Kafka API.
    gssapi:
      # AuthType must be either USER_AUTH or KEYTAB_AUTH
      authType:
      # Filepath to the keytab file that contains the pairs of Kerberos
      # principals and encrypted password keys. AuthType must be set to
      # KEYTAB_AUTH to load the keytab file.
      # A keytab is equivalent to the principal's password: mount it read-only
      # and restrict its file permissions to the Console process.
      keyTabPath:
      # Path to the krb5.conf file that contains Kerberos configuration
      # information, such as the locations of KDCs.
      kerberosConfigPath:
      serviceName:
      username:
      # Password can also be set using the --kafka.sasl.gssapi.password flag
      # NOTE(review): presumably only used with authType USER_AUTH - confirm.
      password:
      realm:
      # EnableFAST enables FAST, which is a pre-authentication framework
      # for Kerberos.
      enableFast: true
    oauth:
      # can also be set using the --kafka.sasl.oauth.token flag
      # The token is a bearer credential; treat it like a password.
      token:
    awsMskIam:
      accessKey:
      # can also be set using the --kafka.sasl.aws-msk-iam.secret-key flag
      secretKey:
      # can also be set using the --kafka.sasl.aws-msk-iam.session-token flag
      sessionToken:
      userAgent:
  # TLS settings for the connection to the Kafka API.
  # With enabled: false the connection is not TLS-protected, which also
  # applies to any SASL credentials sent over it.
  tls:
    # If you connect to a Cluster that uses commonly trusted
    # certificates, enable TLS and do not provide a certificate
    # authority in the caFilepath. In this case,
    # the system's cert pool is used.
    enabled: false
    caFilepath:
    # NOTE(review): certFilepath/keyFilepath presumably hold the client
    # certificate and private key for mutual TLS - confirm. Restrict read
    # access to the key file.
    certFilepath:
    keyFilepath:
    # Can also be set using the --kafka.tls.passphrase flag
    # NOTE(review): presumably the passphrase of the key in keyFilepath - confirm.
    passphrase:
    # As the name indicates, true skips verification of the broker's
    # certificate, so the connection can be intercepted without detection.
    # Keep this false outside of throwaway test setups and point caFilepath
    # at your private CA instead.
    insecureSkipTlsVerify: false
  # Schema registry client used by Console.
  schemaRegistry:
    enabled: false
    # Url with scheme is required, e.g. ["http://localhost:8081"]
    # When username/password or bearerToken are set, prefer https:// URLs so
    # the credentials are not sent over an unencrypted connection.
    urls: []
    # Basic auth username
    username:
    # Basic auth password. This can also be set using the --schema.registry.password
    # flag
    # Flag values are usually visible in the host's process list; prefer
    # injecting the secret through the environment from a secret store.
    password:
    # Can also be set using the --schema.registry.token flag
    bearerToken:
    tls:
      # If you connect to a schema registry that uses commonly trusted
      # certificates, enable TLS and do not provide a certificate
      # authority in the caFilepath. In this case,
      # the system's cert pool is used.
      enabled: false
      caFilepath:
      certFilepath:
      keyFilepath:
      # As the name indicates, true skips verification of the registry's
      # certificate. Keep this false outside of throwaway test setups.
      insecureSkipTlsVerify: false
  # Protobuf deserialization settings and the sources of .proto files.
  protobuf:
    enabled: false
    mappings: []
      # Map the proto type names for each of your topics.
      # These proto types will be used for deserialization
      # The example below is commented out; to use it, remove `[]` above
      # and uncomment the entry.
      # - topicName: xy
          # You can specify the proto type for the record key
          # and/or value (just one will work too)
          # valueProtoType: fake_model.Order
          # keyProtoType: package.Type
    # SchemaRegistry does not require any mappings to be specified.
    # The schema registry client that is configured in the
    # kafka config block will be reused.
    schemaRegistry:
      enabled: false
      refreshInterval: 5m
    # Configure the fileSystem if you want Redpanda Console to
    # search the local file system for the .proto files
    fileSystem:
      enabled: false
      paths: []
      refreshInterval: 5m
    # Git is where the .proto files come from
    git:
      enabled: false
      repository:
        url:
        # NOTE(review): the value below reads as a description, not a branch
        # name. YAML parses it as a literal string, so presumably it should be
        # left empty to use the repository's default branch - confirm.
        branch: (defaults to primary/default branch)
      # How often Redpanda Console pulls the repository to look for new files.
      # Set to 0 to disable periodic pulls
      refreshInterval: 1m
      # Basic Auth
      # To use GitHub's personal access tokens, use `token`
      # as username and pass the token as password
      # Use a token limited to read access on this one repository where the
      # provider supports it, and inject it at runtime instead of storing it here.
      basicAuth:
        enabled: true
        username: token
        password:
      # SSH Auth
      # You can pass the private key file directly using a flag on the command line, or you can specify it in the
      # yaml configuration file. Another alternative is to provide the filepath to a mounted key
      # file in this configuration block.
      # A mounted key file (privateKeyFilepath) with restricted permissions keeps
      # the key out of this file and out of the process's command line.
      ssh:
        enabled: false
        username:
        privateKey:
        privateKeyFilepath:
        passphrase:
  # MessagePack deserialization settings.
  messagePack:
    enabled: false
    # Each entry is a regex wrapped in slashes; the default /.*/ matches
    # every topic name.
    topicNames: ["/.*/"] # List of topic name regexes, defaults to /.*/

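# Kafka Connect clusters that Redpanda Console can manage.
connect:
  enabled: false
  # The default for clusters is an empty array. To start Redpanda Console,
  # specify at least one cluster as soon as you enable Kafka connect.
  # The example entry is commented out because a block sequence cannot follow
  # the flow-style `[]` value in valid YAML. To define clusters, remove `[]`
  # and uncomment the entry.
  clusters: []
    # - name: xy
    #   # username, password and token below are sent over this connection;
    #   # prefer an https:// URL when any of them is set.
    #   url: http://my-cluster:8083
    #   tls:
    #     # Trusted certificates are still allowed if TLS is not enabled.
    #     enabled: false
    #     # caFilepath:
    #     # certFilepath:
    #     # keyFilepath:
    #     # Keep this false outside of throwaway test setups: true skips
    #     # verification of the Connect cluster's certificate.
    #     # insecureSkipTlsVerify: false
    #   # Object arrays cannot be set through environment variables, so keep a
    #   # file that holds these secrets out of version control and restrict
    #   # read access to it.
    #   username:
    #   password:
    #   token:
  connectTimeout: 15s # used to test cluster connectivity
  readTimeout: 60s    # overall REST timeout
  requestTimeout: 6s  # timeout for REST requests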

# Settings for Console features that are not tied to a specific backend API.
console:
  # Configuration to use for embedded topic documentation
  topicDocumentation:
    enabled: false
    # Configure the git repository that contains the topic documentation.
    # Redpanda Console clones the git repository and periodically pulls for new
    # changes so it can render the markdown files within the topic view.
    # Anyone who can push to this repository controls content shown in the
    # Console UI, so limit write access to it accordingly.
    git:
      enabled: false
      repository:
        url:
        # NOTE(review): the value below reads as a description, not a branch
        # name. YAML parses it as a literal string, so presumably it should be
        # left empty to use the repository's default branch - confirm.
        branch: (defaults to primary/default branch)
        baseDirectory: .
      # How often Console pulls the repository to look for new files.
      # Set to 0 to disable periodic pulls.
      refreshInterval: 1m
      # To use GitHub's personal access tokens, use `token`
      # for the username and pass the token as password.
      # Use a token limited to read access on this one repository where the
      # provider supports it, and inject it at runtime instead of storing it here.
      basicAuth:
        enabled: true
        username: token
        password:
      # SSH authentication for the repository. A mounted key file
      # (privateKeyFilepath) with restricted permissions keeps the key out of
      # this file.
      ssh:
        enabled: false
        username:
        privateKey:
        privateKeyFilepath:
        passphrase:

# Redpanda-specific integrations.
redpanda:
  # Redpanda Admin API configuration that enables additional Redpanda-specific features.
  adminApi:
    enabled: false
    # HTTP urls (such as http://localhost:9644) that Redpanda Console should send admin api requests to.
    # When basic auth is configured below, prefer https:// URLs so the
    # credentials are not sent over an unencrypted connection.
    urls: []
    # Username for basic auth
    username:
    # Password for basic auth
    # Inject at runtime (REDPANDA_ADMINAPI_PASSWORD under the documented
    # naming rule) instead of storing it in this file.
    password:
    tls:
      enabled: false
      caFilepath:
      certFilepath:
      keyFilepath:
      # NOTE(review): left empty here while the other TLS blocks in this file
      # set it to false; presumably an empty value is treated as false -
      # confirm. Keep certificate verification on outside of test setups.
      insecureSkipTlsVerify:

# Filepath to your redpanda.license file
# This is only required if you want to use an Enterprise feature
# such as SSO or RBAC.
# Without a license, Console ignores the configuration of Enterprise
# features, so login and RBAC settings in this file have no effect.
licenseFilepath:

# Login contains all configurations in order to protect Redpanda Console
# with a login screen. To support SSO, configure one or more of the identity
# providers below.
# This feature requires an Enterprise license.
# `redacted` in this block marks values you must replace; it is not a usable
# default. Keep the real values out of version control and inject them at
# runtime from a secret store.
# With enabled: false (the default) there is no login screen, so restrict
# network access to Console by other means.
login:
  enabled: false
  # jwtSecret is a secret string that signs and encrypts
  # the JSON Web tokens used by the backend for session management.
  # Whoever knows this value can mint valid session tokens: use a long random
  # value, never a guessable string, and rotate it if it may have leaked.
  # Environment variable under the documented naming rule: LOGIN_JWTSECRET
  jwtSecret: redacted
  google:
    enabled: false
    clientId: redacted.apps.googleusercontent.com
    clientSecret: redacted
    # The directory configuration is only required if you use
    # Google groups in your RBAC role bindings.
    directory:
      # Filepath to the mounted service account key file in JSON format.
      # The key file is a credential: mount it read-only and restrict its
      # file permissions to the Console process.
      serviceAccountFilepath: /etc/secrets/google-sa.json
      # targetPrincipal is the user that will be impersonated
      # for the Google Admin API calls.
      # NOTE(review): choose an account with the narrowest directory access
      # that still resolves group membership - confirm required scopes.
      targetPrincipal: admin@mycompany.com
  oidc:
    enabled: false
    clientId: redacted
    clientSecret: redacted
    domain: example-endpoint.us.auth0.com # OIDC endpoint
    # Claim used to identify the user; role bindings presumably match on its
    # value, so pick a claim the identity provider guarantees to be stable
    # and unique - confirm.
    userIdentifyingClaimKey: sub
  github:
    enabled: false
    clientId: redacted
    clientSecret: redacted
    # The directory configuration is only required if you use
    # GitHub teams in your RBAC role bindings.
    directory:
      # NOTE(review): presumably only needs read access to organization team
      # membership - confirm the required scopes and grant nothing broader.
      personalAccessToken: redacted
  okta:
    enabled: false
    clientId: redacted
    clientSecret: redacted
    # The directory configuration is only required if you
    # use Okta groups in your RBAC role bindings.
    directory:
      # NOTE(review): presumably only needs read access to groups - confirm
      # and issue the token from a least-privileged account.
      apiToken: redacted

# The enterprise block contains configurations for features that
# can only be used with a valid Enterprise license.
enterprise:
  rbac:
    # Whether or not RBAC is used. This must be enabled
    # if login is enabled. By default, no authenticated user
    # has any permissions.
    enabled: false
    # Path to YAML file that contains all role bindings
    # This file decides who may do what in Console: keep it under change
    # review and make it writable only by administrators.
    roleBindingsFilepath:

# Server configures Redpanda Console's HTTP server that serves all resources, including the Frontend application.
server:
  listenPort: 8080
  # NOTE(review): an empty value presumably binds to all interfaces -
  # confirm, and set an explicit address if Console should only be reachable
  # through a reverse proxy or from localhost.
  listenAddress:
  gracefulShutdownTimeout: 30s
  readTimeout: 30s
  writeTimeout: 30s
  idleTimeout: 30s
  compressionLevel: 4
  # Sub-path under which Redpanda Console is hosted. See Features / HTTP path rewrites.
  basePath: ""
  # Whether or not to check the 'X-Forwarded-Prefix' header to (potentially)
  # override 'basePath'. See Features / HTTP path rewrites.
  # The header is supplied by whoever sends the request. Leave this true only
  # when every request passes through a trusted reverse proxy that sets or
  # strips the header; otherwise set it to false and configure basePath.
  setBasePathFromXForwardedPrefix: true
  # Whether or not Redpanda Console should strip the prefix internally.
  stripPrefix: true

# Log output settings.
logger:
  # NOTE(review): debug output may contain more request detail than info;
  # check what it logs before forwarding debug logs to shared systems.
  level: info # Valid values are debug, info, warn, error, and fatal

# Prefix for all exported Prometheus metrics
# Environment variable under the documented naming rule: METRICSNAMESPACE
metricsNamespace: console