You are viewing the Self-Managed v25.1 beta documentation. We welcome your feedback at the Redpanda Community Slack #beta-feedback channel. To view the latest available version of the docs, see v24.3.

Configure Redpanda Console

Redpanda Console loads configuration properties from three sources, in the following order of precedence:

1. Environment variables
2. YAML file configuration (recommended)
3. Command-line arguments

Environment variables and YAML configurations can overwrite input that is set on the command line.

YAML file configuration

The recommended configuration source is a YAML file. You can specify the path to the configuration file by setting either the -config.filepath flag or the CONFIG_FILEPATH environment variable. A reference configuration file is provided in the "Complete configuration file example" section.

In Linux package installations, this file is located in /etc/redpanda/redpanda-console-config.yaml by default, and Redpanda Console is configured to read from this file path.

In containerized environments, ensure that the configuration file is mounted to a directory accessible by the Redpanda Console container. When the file is mounted, you can specify its file path using the -config.filepath flag or the CONFIG_FILEPATH environment variable.

Environment variables

You can set configuration options using environment variables. The key for the environment variable is auto-generated by converting the YAML equivalent to uppercase and adding an underscore for each indentation level. For example:

| YAML | Environment Variable |
| --- | --- |
| kafka.rackId | KAFKA_RACKID |
| kafka.tls.caFilepath | KAFKA_TLS_CAFILEPATH |

For configuration properties that expect a list of values, use commas between each value. For example:

KAFKA_BROKERS=redpanda-0:9092,redpanda-1:9092,redpanda-2:9092

You cannot use environment variables to configure object arrays, such as the configuration for Kafka Connect clusters.
In this case, use a YAML file, and provide secrets using environment variables or command-line arguments.

Docker Compose example

If you are using Docker Compose, you can mount the configuration file and set the environment variable in your docker-compose.yml file:

```yaml
console:
  container_name: redpanda-console
  image: docker.redpanda.com/redpandadata/console:latest
  entrypoint: /bin/sh
  # Write the inline configuration below to /tmp/config.yml.
  command: -c 'echo "$$CONSOLE_CONFIG_FILE" > /tmp/config.yml'
  volumes:
    - ./config:/tmp/config/
  environment:
    CONFIG_FILEPATH: ${CONFIG_FILEPATH:-/tmp/config.yml}
    CONSOLE_CONFIG_FILE: |
      # Configure a connection to the Redpanda cluster
      # See https://docs.redpanda.com/current/console/config/connect-to-redpanda/
      kafka:
        brokers: ["redpanda-0:9092","redpanda-1:9092","redpanda-2:9092"]
```

Complete configuration file example

The following YAML file contains a complete list of all Redpanda Console configuration properties and their descriptions. All values are default values. Where necessary, ensure that values are enclosed in quotes and escaped. For example, put passwords with special characters in single quotes.

This configuration file contains both Redpanda Enterprise and Redpanda Community Edition configurations. If you don't provide an enterprise license, Redpanda Console ignores configurations for enterprise features.

redpanda-console-config.yaml

```yaml
# This is an example configuration file for Redpanda Console v3.x.x

#----------------------------------------------------------------------------
# Kafka configuration
#----------------------------------------------------------------------------
kafka:
  # Brokers is a list of bootstrap servers with ports.
  brokers:
    - "broker-0.mycompany.com:19092"
    - "broker-1.mycompany.com:19092"
    - "broker-2.mycompany.com:19092"
  # Optional: Client ID used to identify Console to the Kafka cluster.
  # clientId: "console"
  # Optional: Rack identifier to optimize message consumption in multi-zone clusters.
  # rackId: "zone-a"
  # sasl:
    # enabled: true
    # Supported mechanisms include:
    #   - OAUTHBEARER (OIDC)
    #   - SCRAM-SHA-256 or SCRAM-SHA-512 (basic authentication)
    #   - GSSAPI (Kerberos); if using Kerberos, ensure impersonateUser is false.
    #   - AWS_MSK_IAM (AWS MSK IAM)
    # mechanism: SCRAM-SHA-256
    # impersonateUser: false
    # oauth:
      # token: "example-oauth-token"
      # clientId: "example-client-id"
      # clientSecret: "example-client-secret"
      # tokenEndpoint: "https://accounts.google.com/token"
      # scope: "openid"
    # Example for basic authentication (uncomment to use):
    # username: "your-username"
    # password: "your-password"
    # Example for GSSAPI (Kerberos) - impersonateUser must be false:
    # gssapi:
      # authType: KEYTAB_AUTH
      # keyTabPath: "/path/to/keytab"
      # kerberosConfigPath: "/path/to/krb5.conf"
      # serviceName: "kafka"
      # username: "your-username"
      # password: "your-password"
      # realm: "MY.REALM"
      # enableFast: true
  # tls:
    # enabled: false
    # Uncomment and set the following paths if TLS is required:
    # caFilepath: "/path/to/ca-cert.pem"
    # certFilepath: "/path/to/client-cert.pem"
    # keyFilepath: "/path/to/client-key.pem"
    # insecureSkipTlsVerify: false
  # Startup is a configuration block to specify how often and with what delays
  # we should try to connect to the Kafka service. If all attempts fail the
  # application exits with code 1.
  # startup:
    # maxRetries: 5
    # retryInterval: 1s
    # maxRetryInterval: 60s
    # backoffMultiplier: 2

#----------------------------------------------------------------------------
# Schema Registry configuration (top-level)
#----------------------------------------------------------------------------
schemaRegistry:
  enabled: true
  urls:
    - "http://schema-registry.mycompany.com:8081"
  # Optional: Authentication for Schema Registry.
  # authentication:
    # basic:
      # username: "example-user"
      # password: "example-password"
    # bearerToken: "example-bearer-token"
  tls:
    enabled: false
    # Uncomment and configure if TLS is required:
    # caFilepath: "/path/to/ca-cert.pem"
    # certFilepath: "/path/to/client-cert.pem"
    # keyFilepath: "/path/to/client-key.pem"
    # insecureSkipTlsVerify: false

#----------------------------------------------------------------------------
# Console authentication
#----------------------------------------------------------------------------
authentication:
  jwtSigningSecret: "secret-value"
  useSecureCookies: true
  # Optionally enable cookie chunking if cookie size is an issue.
  # useCookieChunking: false
  # OIDC configuration (if using OIDC):
  # oidc:
    # enabled: true
    # issuerUrl: "https://accounts.google.com"
    # clientId: "your-oidc-client-id"
    # clientSecret: "your-oidc-client-secret"
    # redirectUrl: "http://localhost:9090/auth/callbacks/oidc"
    # successfulLoginRedirectUrl: "http://localhost:3000"
    # accessType: "offline"
    # prompt: "consent"
    # issuerTls:
      # enabled: true
      # caFilepath: "/path/to/ca.pem"
      # certFilepath: "/path/to/issuer-cert.pem"
      # keyFilepath: "/path/to/issuer-key.pem"
      # insecureSkipTlsVerify: false
  # Basic authentication is supported by default.

#----------------------------------------------------------------------------
# Console authorization and role bindings
#----------------------------------------------------------------------------
authorization:
  roleBindings:
    - roleName: admin
      users:
        - loginType: OIDC
          name: "admin@mycompany.com"
    - roleName: viewer
      users:
        - loginType: basic
          name: "user@mycompany.com"

#----------------------------------------------------------------------------
# Redpanda Admin API configuration
#----------------------------------------------------------------------------
redpanda:
  adminApi:
    enabled: true
    urls:
      - "admin-0.mycompany.com:9644"
      - "admin-1.mycompany.com:9644"
    authentication:
      impersonateUser: true
    # If impersonateUser is false, configure static credentials here:
    # authentication:
      # basic:
        # username: "example-user"
        # password: "example-password"
    startup:
      establishConnectionEagerly: true
      maxRetries: 5
      retryInterval: 1s
      maxRetryInterval: 60s
      backoffMultiplier: 2
    tls:
      enabled: true
      caFilepath: "/path/to/ca-cert.pem"
      certFilepath: "/path/to/client-cert.pem"
      keyFilepath: "/path/to/client-key.pem"
      insecureSkipTlsVerify: false

#----------------------------------------------------------------------------
# Kafka Connect configuration (optional)
#----------------------------------------------------------------------------
kafkaConnect:
  enabled: false
  # connectTimeout: 15s
  # readTimeout: 60s
  # requestTimeout: 6s
  clusters: []
  # Example:
  # clusters:
    # - name: my-connect-cluster
      # url: "http://connect.mycompany.com:8083"
      # tls:
        # enabled: false
      # username: "connect-user"
      # password: "connect-password"
      # token: "optional-token"

#----------------------------------------------------------------------------
# Enterprise License configuration (optional)
#----------------------------------------------------------------------------
# To mount an enterprise license, set either license or licenseFilepath.
# This is only required if you want to use an enterprise feature
# such as SSO or RBAC.
# Filepath to your redpanda.license file
# licenseFilepath: ""
# License string.
# license: ""

#----------------------------------------------------------------------------
# Serde settings
#----------------------------------------------------------------------------
serde:
  maxDeserializationPayloadSize: 20480
  # protobuf:
    # enabled: false
    # mappings: []
      # Map the Proto type names for each of your topics.
      # These Proto types will be used for deserialization.
      # - topicName: xy
        # You can specify the Proto type for the record key
        # and/or value (just one will work too)
        # valueProtoType: fake_model.Order
        # keyProtoType: package.Type
    # Configure the fileSystem if you want Redpanda Console to
    # search the local file system for the Proto files
    # fileSystem:
      # enabled: false
      # paths: []
      # refreshInterval: 5m
    # importPaths is a list of paths from which to import Proto files into Redpanda Console.
    # Paths are relative to the root directory.
    # The `git` configuration must be enabled to use this feature.
    # importPaths: []
    # Git is where the Proto files come from.
    # git:
      # enabled: false
      # repository:
        # url:
        # branch: (defaults to primary/default branch)
        # baseDirectory: (defaults to the root directory of the repo/branch above)
      # How often Redpanda Console pulls the repository to look for new files.
      # Set to 0 to disable periodic pulls.
      # refreshInterval: 5m
      # To use GitHub's personal access tokens, use `token`
      # as username and pass the token as password.
      # basicAuth:
        # enabled: true
        # username: token
        # Password can also be set using the --git.basic-auth.password flag.
        # password:
      # You can pass the private key file directly using a flag on the command line, or you can specify it in the
      # yaml configuration file. Another alternative is to provide the filepath to a mounted key
      # file in this configuration block.
      # ssh:
        # enabled: false
        # username:
        # privateKey can also be set using the --git.ssh.private-key flag.
        # privateKey:
        # privateKeyFilepath:
        # Passphrase can also be set using the --git.ssh.passphrase flag.
        # passphrase:
  # messagePack:
    # enabled: false
    # List of topic name regexes, defaults to /.*/
    # topicNames: ["/.*/"]

#----------------------------------------------------------------------------
# Console settings
#----------------------------------------------------------------------------
console:
  topicDocumentation:
    enabled: false
    # git:
      # enabled: false
      # repository:
        # url:
        # branch: (defaults to primary/default branch)
        # baseDirectory: .
      # How often Console pulls the repository to look for new files.
      # Set to 0 to disable periodic pulls.
      # refreshInterval: 1m
      # To use GitHub's personal access tokens, use `token`
      # for the username and pass the token as password.
      # basicAuth:
        # enabled: true
        # username: token
        # password:
      # ssh:
        # enabled: false
        # username:
        # privateKey:
        # privateKeyFilepath:
        # passphrase:

#----------------------------------------------------------------------------
# Server settings
#----------------------------------------------------------------------------
server:
  listenAddress: "0.0.0.0"
  listenPort: 8080
  httpsListenPort: 8081
  advertisedHttpsListenPort: 443
  gracefulShutdownTimeout: 30s
  readTimeout: 30s
  writeTimeout: 30s
  idleTimeout: 30s
  compressionLevel: 4
  basePath: ""
  setBasePathFromXForwardedPrefix: true
  stripPrefix: true
  tls:
    enabled: false
    # Uncomment and configure if HTTPS is required:
    # certFilepath: "/path/to/https-cert.pem"
    # keyFilepath: "/path/to/https-key.pem"
  allowedOrigins: []

#----------------------------------------------------------------------------
# Logger settings
#----------------------------------------------------------------------------
logger:
  level: info

#----------------------------------------------------------------------------
# Developer settings
#----------------------------------------------------------------------------
# Only relevant for developers who want to run the frontend separately.
# Uncomment the following line to serve the frontend separately.
# serveFrontend: true

#----------------------------------------------------------------------------
# Metrics settings
#----------------------------------------------------------------------------
# Prefix for all exported Prometheus metrics.
# Uncomment and set your metrics namespace.
# metricsNamespace: "console"

#----------------------------------------------------------------------------
# Analytics / telemetry (optional)
#----------------------------------------------------------------------------
analytics:
  enabled: true
```
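The environment-variable rules in the "Environment variables" section (uppercase key, one underscore per nesting level, commas for lists, no object arrays) can be applied mechanically to move secrets out of the YAML file. The following is an added example, not Redpanda code: the function names, the `SECRET_KEYS` set and the sample values are assumptions made for illustration, and the variable names it produces are derived only from the rule stated on this page.

```python
# Added example, not Redpanda code. All sample values are constructed.
# Assumption: secret field names are the ones used in the sample file on this page.
SECRET_KEYS = {"password", "clientSecret", "jwtSigningSecret", "token",
               "bearerToken", "passphrase", "privateKey"}

def env_key(path):
    """('kafka', 'tls', 'caFilepath') -> 'KAFKA_TLS_CAFILEPATH'."""
    return "_".join(part.upper() for part in path)

def env_value(value):
    """Lists of scalar values become one comma-separated string."""
    if isinstance(value, list):
        return ",".join(str(item) for item in value)
    return str(value)

def split(node, path=()):
    """Split a parsed config into (yaml_part, secret_env, object_arrays)."""
    yaml_part, secret_env, object_arrays = {}, {}, []
    for key, value in node.items():
        here = path + (key,)
        if isinstance(value, dict):
            sub_yaml, sub_env, sub_arrays = split(value, here)
            if sub_yaml:
                yaml_part[key] = sub_yaml
            secret_env.update(sub_env)
            object_arrays.extend(sub_arrays)
        elif isinstance(value, list) and any(isinstance(i, dict) for i in value):
            # Object arrays cannot be set through environment variables:
            # they stay in the YAML file and are reported for review.
            yaml_part[key] = value
            object_arrays.append(".".join(here))
        elif key in SECRET_KEYS:
            secret_env[env_key(here)] = env_value(value)
        else:
            yaml_part[key] = value
    return yaml_part, secret_env, object_arrays

SAMPLE = {  # constructed input, shaped like the reference file
    "kafka": {"brokers": ["redpanda-0:9092", "redpanda-1:9092"],
              "sasl": {"username": "console", "password": "constructed-pw"}},
    "authentication": {"jwtSigningSecret": "constructed-jwt-secret"},
    "kafkaConnect": {"clusters": [{"name": "c1", "password": "constructed-connect-pw"}]},
}

if __name__ == "__main__":
    yaml_part, secret_env, object_arrays = split(SAMPLE)
    print("keep in YAML:", yaml_part)
    print("export as environment variables:", sorted(secret_env))
    print("object arrays (YAML only):", object_arrays)
```

Any path reported in `object_arrays` still holds its credentials in the YAML file, so that file needs the same access restrictions as the secrets themselves.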