Redpanda Console Configuration

When you install Redpanda Console, a redpanda-console-config.yaml file is installed on each instance in /etc/redpanda/redpanda-console-config.yaml. This file contains configuration properties for Redpanda Console.

Configuration sources

Redpanda Console loads configuration properties from three sources, with the following order of precedence:

  • Environment variables

  • YAML configuration

  • Command line arguments (flags)

This means that environment variables and YAML configurations can overwrite input that is set on the command line.

YAML configuration

The recommended configuration source is a YAML file. Specify the path to the file by either setting the -config.filepath flag or setting the CONFIG_FILEPATH environment variable. A reference YAML configuration file is provided under Sample configuration.

Environment variables

You can also set configuration options using environment variables. The key for the environment variable is auto-generated by converting the YAML equivalent to uppercase and adding an underscore for each indentation level. For example:

  • kafka.rackId => KAFKA_RACKID

  • kafka.tls.caFilepath => KAFKA_TLS_CAFILEPATH

For configuration properties that expect a list of values, use commas between each value. For example:

  • KAFKA_BROKERS=redpanda-0:9092,redpanda-1:9092,redpanda-2:9092

:::important
You cannot use environment variables to configure object arrays, such as the configuration for Kafka Connect clusters. In this case, use a YAML file, and provide secrets using environment variables or command line arguments.
:::
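
The key rule above, applied to a whole configuration, as an added example that is not part of the Redpanda documentation or code. The function names are hypothetical, the input is a plain dict standing in for the parsed YAML file, and lowercase `true`/`false` for booleans is an assumption.

```python
# Added example (not Redpanda's code): derive environment variable names from
# a parsed Console configuration, following the key rule described above.

def env_key(path):
    """('kafka', 'tls', 'caFilepath') -> 'KAFKA_TLS_CAFILEPATH'."""
    return "_".join(part.upper() for part in path)

def to_env(config, prefix=()):
    """Return (env, yaml_only): env var pairs, plus the dotted paths of
    object arrays, which cannot be expressed as environment variables."""
    env, yaml_only = {}, []
    for key, value in config.items():
        path = prefix + (key,)
        if isinstance(value, dict):
            child_env, child_yaml_only = to_env(value, path)
            env.update(child_env)
            yaml_only.extend(child_yaml_only)
        elif isinstance(value, list):
            if any(isinstance(item, (dict, list)) for item in value):
                yaml_only.append(".".join(path))
            elif any("," in str(item) for item in value):
                # Commas separate list values and the page describes no
                # escaping, so such an item cannot be represented safely.
                raise ValueError(f"{'.'.join(path)}: list item contains a comma")
            else:
                env[env_key(path)] = ",".join(str(item) for item in value)
        elif isinstance(value, bool):
            # Assumption: booleans are written as lowercase true/false.
            env[env_key(path)] = "true" if value else "false"
        elif value is not None:  # empty YAML values stay unset
            env[env_key(path)] = str(value)
    return env, yaml_only

# Constructed sample input, not a real deployment.
SAMPLE = {
    "kafka": {
        "brokers": ["redpanda-0:9092", "redpanda-1:9092", "redpanda-2:9092"],
        "rackId": "zone-a",
        "tls": {"enabled": True, "caFilepath": "/etc/redpanda/ca.crt"},
    },
    "connect": {
        "enabled": True,
        "clusters": [{"name": "xy", "url": "http://my-cluster:8083"}],
    },
}

if __name__ == "__main__":
    env, yaml_only = to_env(SAMPLE)
    print(env, yaml_only)
```

Paths returned in `yaml_only` (here `connect.clusters`) have to stay in the YAML file.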

Sample configuration

The following config.yaml configuration file contains a complete list of all Console configuration properties and their descriptions. All values are default values.

Provide the filepath to your configuration file by setting either the flag -config.filepath or the environment variable CONFIG_FILEPATH.

  • Ensure that all values entered are properly enclosed in quotes and escaped as necessary. For example, put passwords with special characters in single quotes.

  • This configuration file contains both Redpanda Enterprise and Redpanda Community configurations. If you don’t provide an Enterprise license, Console ignores configurations for enterprise features.

kafka:
  # Brokers is a list of bootstrap servers with
  # port (for example "localhost:9092").
  brokers: []
  # Client ID that the Kafka client can use to identify itself
  # against the target Kafka cluster.
  clientId: console
  # In multi-zone Kafka clusters, you can reduce traffic costs
  # by consuming messages from replica brokers in the same zone
  rackId:
  # SASL configuration for Console to connect to the Kafka API.
  sasl:
    enabled: false
    username:
    # Password can also be set using the --kafka.sasl.password flag.
    password:
    # Valid mechanisms are: PLAIN, SCRAM-SHA-256,
    # SCRAM-SHA-512, GSSAPI, OAUTHBEARER and AWS_MSK_IAM.
    mechanism: PLAIN
    # Kerberos implements the GSSAPI protocol. Use the following configurations
    # to connect Redpanda Console to a Kerberos-protected Kafka API.
    gssapi:
      # AuthType must be either USER_AUTH or KEYTAB_AUTH
      authType:
      # Filepath to the keytab file that contains the pairs of Kerberos
      # principals and encrypted password keys. AuthType must be set to
      # KEYTAB_AUTH to load the keytab file.
      keyTabPath:
      # Path to the krb5.conf file that contains Kerberos configuration
      # information, such as the locations of KDCs.
      kerberosConfigPath:
      serviceName:
      username:
      # Password can also be set using the --kafka.sasl.gssapi.password flag
      password:
      realm:
      # EnableFAST enables FAST, which is a pre-authentication framework
      # for Kerberos.
      enableFast: true
    oauth:
      # can also be set using the --kafka.sasl.oauth.token flag
      token:
    awsMskIam:
      accessKey:
      # can also be set using the --kafka.sasl.aws-msk-iam.secret-key flag
      secretKey:
      # can also be set using the --kafka.sasl.aws-msk-iam.session-token flag
      sessionToken:
      userAgent:
  tls:
    # If you connect to a Cluster that uses commonly trusted
    # certificates, enable TLS and do not provide a certificate
    # authority in the caFilepath. In this case,
    # the system's cert pool is used.
    enabled: false
    caFilepath:
    certFilepath:
    keyFilepath:
    # Can also be set using the --kafka.tls.passphrase flag
    passphrase:
    insecureSkipTlsVerify: false
  schemaRegistry:
    enabled: false
    # Url with scheme is required, e.g. ["http://localhost:8081"]
    urls: []
    # Basic auth username
    username:
    # Basic auth password. This can also be set using the --schema.registry.password
    # flag
    password:
    # Can also be set using the --schema.registry.token flag
    bearerToken:
    tls:
      # If you connect to a schema registry that uses commonly trusted
      # certificates, enable TLS and do not provide a certificate
      # authority in the caFilepath. In this case,
      # the system's cert pool is used.
      enabled: false
      caFilepath:
      certFilepath:
      keyFilepath:
      insecureSkipTlsVerify: false
  protobuf:
    enabled: false
    mappings: []
      # Map the proto type names for each of your topics.
      # These proto types will be used for deserialization
      # - topicName: xy
          # You can specify the proto type for the record key
          # and/or value (just one will work too)
          # valueProtoType: fake_model.Order
          # keyProtoType: package.Type
    # importPaths is a list of paths from which to import Proto files into Redpanda Console.
    # Paths are relative to the root directory.
    # The `git` configuration must be enabled to use this feature.
    importPaths: []
    # SchemaRegistry does not require any mappings to be specified.
    # The schema registry client that is configured in the
    # kafka config block will be reused.
    schemaRegistry:
      enabled: false
      refreshInterval: 5m
    # Configure the fileSystem if you want Redpanda Console to
    # search the local file system for the .proto files
    fileSystem:
      enabled: false
      paths: []
      refreshInterval: 5m
    # Git is where the .proto files come from
    git:
      enabled: false
      repository:
        url:
        branch: # defaults to the primary/default branch
      # How often Redpanda Console pulls the repository to look for new files.
      # Set to 0 to disable periodic pulls
      refreshInterval: 1m
      # Basic Auth
      # To use GitHub's personal access tokens, use `token`
      # as username and pass the token as password
      basicAuth:
        enabled: true
        username: token
        password:
      # SSH Auth
      # You can pass the private key file directly using a flag on the command line, or you can specify it in the
      # yaml configuration file. Another alternative is to provide the filepath to a mounted key
      # file in this configuration block.
      ssh:
        enabled: false
        username:
        privateKey:
        privateKeyFilepath:
        passphrase:
  messagePack:
    enabled: false
    topicNames: ["/.*/"] # List of topic name regexes, defaults to /.*/

connect:
  enabled: false
  # The default for clusters is an empty array. To start Redpanda Console,
  # specify at least one cluster as soon as you enable Kafka Connect.
  clusters: []
    # - name: xy
    #   url: http://my-cluster:8083
    #   tls:
    #     # Trusted certificates are still allowed if TLS is not enabled.
    #     enabled: false
    #     # caFilepath:
    #     # certFilepath:
    #     # keyFilepath:
    #     # insecureSkipTlsVerify: false
    #   username:
    #   password:
    #   token:
  connectTimeout: 15s # used to test cluster connectivity
  readTimeout: 60s    # overall REST timeout
  requestTimeout: 6s  # timeout for REST requests

console:
  # Configuration to use for embedded topic documentation
  topicDocumentation:
    enabled: false
    # Configure the git repository that contains the topic documentation.
    # Redpanda Console clones the git repository and periodically pulls for new
    # changes so it can render the markdown files within the topic view.
    git:
      enabled: false
      repository:
        url:
        branch: # defaults to the primary/default branch
        baseDirectory: .
      # How often Console pulls the repository to look for new files.
      # Set to 0 to disable periodic pulls.
      refreshInterval: 1m
      # To use GitHub's personal access tokens, use `token`
      # for the username and pass the token as password.
      basicAuth:
        enabled: true
        username: token
        password:
      ssh:
        enabled: false
        username:
        privateKey:
        privateKeyFilepath:
        passphrase:

redpanda:
  # Redpanda Admin API configuration that enables additional Redpanda-specific features.
  adminApi:
    enabled: false
    # HTTP urls (such as http://localhost:9644) that Redpanda Console should send admin api requests to.
    urls: []
    # Username for basic auth
    username:
    # Password for basic auth
    password:
    tls:
      enabled: false
      caFilepath:
      certFilepath:
      keyFilepath:
      insecureSkipTlsVerify:

# Filepath to your redpanda.license file
# This is only required if you want to use an Enterprise feature
# such as SSO or RBAC.
licenseFilepath:

# Login contains all configurations in order to protect Redpanda Console
# with a login screen. To support SSO, configure one or more of the identity
# providers below.
# This feature requires an Enterprise license.
login:
  enabled: false
  # jwtSecret is the secret key you must use to sign and encrypt the JSON
  # web token used to store user sessions. This secret key is
  # critical for the security of Redpanda Console's authentication and
  # authorization system. Use a long, complex key with a combination of
  # numbers, letters, and special characters. While you must use a minimum of
  # 10 characters, Redpanda recommends using more than 32
  # characters. For additional security, use a different secret key for
  # each environment. jwtSecret can be securely generated with the following
  # command: LC_ALL=C tr -dc '[:alnum:]' < /dev/random | head -c32
  #
  # If you update this secret key, any users who are
  # already logged into Redpanda Console will be logged out and will have
  # to log in again.
  jwtSecret: ""
  # Redpanda Console stores users' session data in cookies with no fixed size.
  # Because some browsers enforce a maximum size limit on cookies,
  # you can enable useCookieChunking to split a single big cookie into multiple
  # smaller ones. When you enable useCookieChunking, cookies are kept below 4KiB,
  # which is a maximum size limit set by most browsers.
  useCookieChunking: false
  google:
    enabled: false
    clientId: redacted.apps.googleusercontent.com
    clientSecret: redacted
    # The directory configuration is only required if you use
    # Google groups in your RBAC role bindings.
    directory:
      # Filepath to the mounted service account key file in JSON format.
      serviceAccountFilepath: /etc/secrets/google-sa.json
      # targetPrincipal is the user that will be impersonated
      # for the Google Admin API calls.
      targetPrincipal: admin@mycompany.com
  oidc:
    enabled: false
    clientId: redacted
    clientSecret: redacted
    # IssuerUrl is the identity provider's URL; for example, https://accounts.google.com.
    # Redpanda Console will send a GET request to `${issuerUrl}/.well-known/openid-configuration`
    # and the `issuer` returned in the response has to match this issuer url.
    issuerUrl: https://login.microsoftonline.com/your-uuid/v2.0
    # IssuerTLS is the TLS configuration used by the HTTP client to send requests
    # to the IssuerURL. If you don't set any certificate paths, the IssuerTLS defaults to
    # the system cert pool.
    issuerTls:
      caFilepath:
      certFilepath:
      keyFilepath:
    userIdentifyingClaimKey: sub
  github:
    enabled: false
    clientId: redacted
    clientSecret: redacted
    # The directory configuration is only required if you use
    # GitHub teams in your RBAC role bindings.
    directory:
      personalAccessToken: redacted
  okta:
    enabled: false
    clientId: redacted
    clientSecret: redacted
    # The directory configuration is only required if you
    # use Okta groups in your RBAC role bindings.
    directory:
      apiToken: redacted

# The enterprise block contains configurations for features that
# can only be used with a valid Enterprise license.
enterprise:
  rbac:
    # Whether or not RBAC is used. This must be enabled
    # if login is enabled. By default, no authenticated user
    # has any permissions.
    enabled: false
    # Path to YAML file that contains all role bindings
    roleBindingsFilepath:

# analytics configures the telemetry service that sends anonymized usage statistics to Redpanda.
# Redpanda uses these statistics to evaluate feature usage.
analytics:
  enabled: true

# Server configures Redpanda Console's HTTP server that serves all resources, including the Frontend application.
server:
  listenPort: 8080
  listenAddress:
  gracefulShutdownTimeout: 30s
  readTimeout: 30s
  writeTimeout: 30s
  idleTimeout: 30s
  compressionLevel: 4
  # Sub-path under which Redpanda Console is hosted. See Features / HTTP path rewrites.
  basePath: ""
  # Whether or not to check the 'X-Forwarded-Prefix' header to (potentially)
  # override 'basePath'. See Features / HTTP path rewrites.
  setBasePathFromXForwardedPrefix: true
  # Whether or not Redpanda Console should strip the prefix internally.
  stripPrefix: true

logger:
  level: info # Valid values are debug, info, warn, error, and fatal

# Prefix for all exported Prometheus metrics
metricsNamespace: console
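
A pre-deployment check built from the constraints stated in the comments of the sample configuration (jwtSecret length, RBAC required when login is enabled, `insecureSkipTlsVerify`), plus a check for SASL PLAIN without TLS. This is an added example, not part of the Redpanda documentation or code; the function names are hypothetical and the input is a plain dict standing in for the parsed YAML file.

```python
# Added example (not Redpanda's code): audit a parsed Console config dict.

def get(cfg, dotted, default=None):
    """Look up a dotted YAML path; empty (null) values yield the default."""
    node = cfg
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return default if node is None else node

def skip_verify_paths(node, path=""):
    """Yield each dotted path where insecureSkipTlsVerify is true."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key == "insecureSkipTlsVerify" and value is True:
                yield child
            else:
                yield from skip_verify_paths(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from skip_verify_paths(item, f"{path}[{i}]")

def audit(cfg):
    findings = [f"{p}: certificate verification is disabled"
                for p in skip_verify_paths(cfg)]
    sasl_plain = (get(cfg, "kafka.sasl.enabled", False)
                  and get(cfg, "kafka.sasl.mechanism", "PLAIN") == "PLAIN")
    if sasl_plain and not get(cfg, "kafka.tls.enabled", False):
        findings.append("kafka.sasl: PLAIN sends the password unencrypted without kafka.tls")
    if get(cfg, "login.enabled", False):
        secret = str(get(cfg, "login.jwtSecret", ""))
        if len(secret) < 10:
            findings.append("login.jwtSecret: below the 10-character minimum")
        elif len(secret) <= 32:
            findings.append("login.jwtSecret: not longer than the recommended 32 characters")
        if not get(cfg, "enterprise.rbac.enabled", False):
            findings.append("enterprise.rbac.enabled: must be true when login is enabled")
    return findings

# Constructed sample input, not a real deployment.
SAMPLE = {
    "kafka": {"sasl": {"enabled": True, "mechanism": "PLAIN"}, "tls": {"enabled": False},
              "schemaRegistry": {"tls": {"enabled": True, "insecureSkipTlsVerify": True}}},
    "connect": {"clusters": [{"name": "xy", "tls": {"insecureSkipTlsVerify": True}}]},
    "login": {"enabled": True, "jwtSecret": "short"},
    "enterprise": {"rbac": {"enabled": False}},
}
```

`audit(SAMPLE)` returns five findings; a configuration that leaves every property at the defaults shown above returns none.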