Redpanda Console Configuration

Configuration sources

Redpanda Console loads configuration properties from three sources, with the following order of precedence:

Environment variables
YAML configuration
Command line arguments (flags) This means that environment variables and YAML configurations can overwrite input that is set on the command line.

YAML configuration

The recommended configuration source is a YAML file. Specify the path to the file by either setting the -config.filepath flag or setting the CONFIG_FILEPATH environment variable. A reference YAML configuration file is provided under Sample configuration.

Environment variables

Configuration options can be configured using environment variables. The key for the environment variable is auto-generated by converting the YAML equivalent to uppercase and adding an underscore for each indentation level. For example:

kafka.rackId => KAFKA_RACKID
kafka.tls.caFilepath => KAFKA_TLS_CAFILEPATH

For configuration properties that expect a list of values, use commas between each value. For example:

KAFKA_BROKERS=redpanda-0:9092,redpanda-1:9092,redpanda-2:9092

You cannot use environment variables to configure object arrays, such as the configuration for Kafka connect clusters. In this case, use a YAML file, and provide secrets using environment variables or command line arguments.

Sample configuration

The following config.yaml configuration file contains a complete list of all Console configuration properties and their descriptions. All values are default values.

Provide the filepath to your configuration file by setting either the flag -config.filepath or the environment variable CONFIG_FILEPATH.

This configuration file contains both Redpanda Enterprise and Redpanda Community configurations. If you don’t provide a Redpanda Enterprise license, Console ignores configurations for Redpanda Enterprise features.

kafka:
  # Brokers is a list of bootstrap servers with
  # port (for example "localhost:9092").
  brokers: []
  # Client ID that the Kafka client can use to identify itself
  # against the target Kafka cluster.
  clientId: console
  # In multi-zone Kafka clusters, you can reduce traffic costs
  # by consuming messages from replica brokers in the same zone
  rackId:
  # SASL configuration for Console to connect to the Kafka API.
  sasl:
    enabled: false
    username:
    # Password can also be set using the --kafka.sasl.password flag.
    password:
    # Valid mechanisms are: PLAIN, SCRAM-SHA-256,
    # SCRAM-SHA-512, GSSAPI, OAUTHBEARER and AWS_MSK_IAM.
    mechanism: PLAIN
    # Kerberos implements the GSSAPI protocol. Use the following configurations
    # to connect Redpanda Console to a Kerberos-protected Kafka API.
    gssapi:
      # AuthType must be either USER_AUTH or KEYTAB_AUTH
      authType:
      # Filepath to the keytab file that contains the pairs of Kerberos
      # principals and encrypted password keys. AuthType must be set to
      # KEYTAB_AUTH to load the keytab file.
      keyTabPath:
      # Path to the krb5.conf file that contains Kerberos configuration
      # information, such as the locations of KDCs.
      kerberosConfigPath:
      serviceName:
      username:
      # Password can also be set using the --kafka.sasl.gssapi.password flag
      password:
      realm:
      # EnableFAST enables FAST, which is a pre-authentication framework
      # for Kerberos.
      enableFast: true
    oauth:
      # can also be set using the --kafka.sasl.oauth.token flag
      token:
    awsMskIam:
      accessKey:
      # can also be set using the --kafka.sasl.aws-msk-iam.secret-key flag
      secretKey:
      # can also be set using the --kafka.sasl.aws-msk-iam.session-token flag
      sessionToken:
      userAgent:
  tls:
    # If you connect to a Cluster that uses commonly trusted
    # certificates, enable TLS and do not provide a certificate
    # authority in the caFilepath. In this case,
    # the system's cert pool is used.
    enabled: false
    caFilepath:
    certFilepath:
    keyFilepath:
    # Can also be set using the --kafka.tls.passphrase flag
    passphrase:
    insecureSkipTlsVerify: false
  schemaRegistry:
    enabled: false
    # Url with scheme is required, e.g. ["http://localhost:8081"]
    urls: []
    # Basic auth username
    username:
    # Basic auth password. This can also be set using the --schema.registry.password
    # flag
    password:
    # Can also be set using the --schema.registry.token flag
    bearerToken:
    tls:
      # If you connect to a schema registry that uses commonly trusted
      # certificates, enable TLS and do not provide a certificate
      # authority in the caFilepath. In this case,
      # the system's cert pool is used.
      enabled: false
      caFilepath:
      certFilepath:
      keyFilepath:
      insecureSkipTlsVerify: false
  protobuf:
    enabled: false
    mappings: []
      # Map the proto type names for each of your topics.
      # These proto types will be used for deserialization
      # - topicName: xy
          # You can specify the proto type for the record key
          # and/or value (just one will work too)
          # valueProtoType: fake_model.Order
          # keyProtoType: package.Type
    # SchemaRegistry does not require any mappings to be specified.
    # The schema registry client that is configured in the
    # kafka config block will be reused.
    schemaRegistry:
      enabled: false
      refreshInterval: 5m
    # Configure the fileSystem if you want Redpanda Console to
    # search the local file system for the .proto files
    fileSystem:
      enabled: false
      paths: []
      refreshInterval: 5m
    # Git is where the .proto files come from
    git:
      enabled: false
      repository:
        url:
        branch: (defaults to primary/default branch)
      # How often Redpanda Console pulls the repository to look for new files.
      # Set to 0 to disable periodic pulls
      refreshInterval: 1m
      # Basic Auth
      # To use GitHub's personal access tokens, use `token`
      # as username and pass the token as password
      basicAuth:
        enabled: true
        username: token
        password:
      # SSH Auth
      # You can pass the private key file directly using a flag on the command line, or you can specify it in the
      # yaml configuration file. Another alternative is to provide the filepath to a mounted key
      # file in this configuration block.
      ssh:
        enabled: false
        username:
        privateKey:
        privateKeyFilepath:
        passphrase:
  messagePack:
    enabled: false
    topicNames: ["/.*/"] # List of topic name regexes, defaults to /.*/

connect:
  enabled: false
  # The default for clusters is an empty array. To start Redpanda Console,
  # specify at least one cluster as soon as you enable Kafka connect.
  clusters: []
    - name: xy
      url: http://my-cluster:8083
      tls:
        # Trusted certificates are still allowed if TLS is not enabled.
        enabled: false
        # caFilepath:
        # certFilepath:
        # keyFilepath:
        # insecureSkipTlsVerify: false
      username:
      password:
      token:
  connectTimeout: 15s # used to test cluster connectivity
  readTimeout: 60s    # overall REST timeout
  requestTimeout: 6s  # timeout for REST requests

console:
  # Configuration to use for embedded topic documentation
  topicDocumentation:
    enabled: false
    # Configure the git repository that contains the topic documentation.
    # Redpanda Console clones the git repository and periodically pulls for new
    # changes so it can render the markdown files within the topic view.
    git:
      enabled: false
      repository:
        url:
        branch: (defaults to primary/default branch)
        baseDirectory: .
      # How often Console pulls the repository to look for new files.
      # Set to 0 to disable periodic pulls.
      refreshInterval: 1m
      # To use GitHub's personal access tokens, use `token`
      # for the username and pass the token as password.
      basicAuth:
        enabled: true
        username: token
        password:
      ssh:
        enabled: false
        username:
        privateKey:
        privateKeyFilepath:
        passphrase:

redpanda:
  # Redpanda Admin API configuration that enables additional Redpanda-specific features.
  adminApi:
    enabled: false
    # HTTP urls (such as http://localhost:9644) that Redpanda Console should send admin api requests to.
    urls: []
    # Username for basic auth
    username:
    # Password for basic auth
    password:
    tls:
      enabled: false
      caFilepath:
      certFilepath:
      keyFilepath:
      insecureSkipTlsVerify:

# Filepath to your redpanda.license file
# This is only required if you want to use an Enterprise feature
# such as SSO or RBAC.
licenseFilepath:

# Login contains all configurations in order to protect Redpanda Console
# with a login screen. To support SSO, configure one or more of the identity
# providers below.
# This feature requires an Enterprise license.
login:
  enabled: false
  # jwtSecret is a secret string that signs and encrypts
  # the JSON Web tokens used by the backend for session management.
  jwtSecret: redacted
  google:
    enabled: false
    clientId: redacted.apps.googleusercontent.com
    clientSecret: redacted
    # The directory configuration is only required if you use
    # Google groups in your RBAC role bindings.
    directory:
      # Filepath to the mounted service account key file in JSON format.
      serviceAccountFilepath: /etc/secrets/google-sa.json
      # targetPrincipal is the user that will be impersonated
      # for the Google Admin API calls.
      targetPrincipal: admin@mycompany.com
  oidc:
    enabled: false
    clientId: redacted
    clientSecret: redacted
    domain: example-endpoint.us.auth0.com # OIDC endpoint
    userIdentifyingClaimKey: sub
  github:
    enabled: false
    clientId: redacted
    clientSecret: redacted
    # The directory configuration is only required if you use
    # GitHub teams in your RBAC role bindings.
    directory:
      personalAccessToken: redacted
  okta:
    enabled: false
    clientId: redacted
    clientSecret: redacted
    # The directory configuration is only required if you
    # use Okta groups in your RBAC role bindings.
    directory:
      apiToken: redacted

# The enterprise block contains configurations for features that
# can only be used with a valid Enterprise license.
enterprise:
  rbac:
    # Whether or not RBAC is used. This must be enabled
    # if login is enabled. By default, no authenticated user
    # has any permissions.
    enabled: false
    # Path to YAML file that contains all role bindings
    roleBindingsFilepath:

# Server configures Redpanda Console's HTTP server that serves all resources, including the Frontend application.
server:
  listenPort: 8080
  listenAddress:
  gracefulShutdownTimeout: 30s
  readTimeout: 30s
  writeTimeout: 30s
  idleTimeout: 30s
  compressionLevel: 4
  # Sub-path under which Redpanda Console is hosted. See Features / HTTP path rewrites.
  basePath: ""
  # Whether or not to check the 'X-Forwarded-Prefix' header to (potentially)
  # override 'basePath'. See Features / HTTP path rewrites.
  setBasePathFromXForwardedPrefix: true
  # Whether or not Redpanda Console should strip the prefix internally.
  stripPrefix: true

logger:
  level: info # Valid values are debug, info, warn, error, and fatal

# Prefix for all exported Prometheus metrics
metricsNamespace: console

Was this helpful?

Ask in the community

Share your feedback

Make a contribution

What do you like about this doc?

Let us know what we do well:

Let us contact you about your feedback:

What did you not like about this doc?

Let us know what we can improve: