Connect

redpanda_migrator

Type:

Available in: Cloud, Self-Managed

A Kafka producer for migrating data between Kafka/Redpanda clusters.

The redpanda_migrator output coordinates migration of topics, schemas, and consumer groups from a source Kafka/Redpanda cluster to a destination cluster.

This output must be paired with a redpanda_migrator input in the same pipeline. Each pipeline requires both input and output components.

Introduced in version 4.37.0.

  • Common

  • Advanced

outputs:
  label: ""
  redpanda_migrator:
    seed_brokers: [] # No default (required)
    schema_registry:
      url: "" # No default (required)
      timeout: 5s
      tls:
        enabled: false
        skip_cert_verify: false
        enable_renegotiation: false
        root_cas: ""
        root_cas_file: ""
        client_certs: []
      oauth:
        enabled: false
        consumer_key: ""
        consumer_secret: ""
        access_token: ""
        access_token_secret: ""
      basic_auth:
        enabled: false
        username: ""
        password: ""
      jwt:
        enabled: false
        private_key_file: ""
        signing_method: ""
        claims: {}
        headers: {}
      enabled: true
      interval: 5m
      include: [] # No default (optional)
      exclude: [] # No default (optional)
      subject: "" # No default (optional)
      versions: all
      include_deleted: false
      translate_ids: false
      normalize: false
      strict: false
      max_parallel_http_requests: 10
    consumer_groups:
      enabled: true
      interval: 1m
      fetch_timeout: 10s
      include: [] # No default (optional)
      exclude: [] # No default (optional)
      only_empty: false
    topic: ${! @kafka_topic }
    topic_replication_factor: "" # No default (optional)
    sync_topic_acls: false
    max_in_flight: 10
outputs:
  label: ""
  redpanda_migrator:
    seed_brokers: [] # No default (required)
    client_id: redpanda-connect
    tls:
      enabled: false
      skip_cert_verify: false
      enable_renegotiation: false
      root_cas: ""
      root_cas_file: ""
      client_certs: []
    sasl: [] # No default (optional)
    metadata_max_age: 1m
    request_timeout_overhead: 10s
    conn_idle_timeout: 20s
    tcp:
      connect_timeout: 0s
      keep_alive:
        idle: 15s
        interval: 15s
        count: 9
      tcp_user_timeout: 0s
    partitioner: "" # No default (optional)
    idempotent_write: true
    compression: "" # No default (optional)
    allow_auto_topic_creation: true
    timeout: 10s
    max_message_bytes: 1MiB
    broker_write_max_bytes: 100MiB
    schema_registry:
      url: "" # No default (required)
      timeout: 5s
      tls:
        enabled: false
        skip_cert_verify: false
        enable_renegotiation: false
        root_cas: ""
        root_cas_file: ""
        client_certs: []
      oauth:
        enabled: false
        consumer_key: ""
        consumer_secret: ""
        access_token: ""
        access_token_secret: ""
      basic_auth:
        enabled: false
        username: ""
        password: ""
      jwt:
        enabled: false
        private_key_file: ""
        signing_method: ""
        claims: {}
        headers: {}
      enabled: true
      interval: 5m
      include: [] # No default (optional)
      exclude: [] # No default (optional)
      subject: "" # No default (optional)
      versions: all
      include_deleted: false
      translate_ids: false
      normalize: false
      strict: false
      max_parallel_http_requests: 10
    consumer_groups:
      enabled: true
      interval: 1m
      fetch_timeout: 10s
      include: [] # No default (optional)
      exclude: [] # No default (optional)
      only_empty: false
    topic: ${! @kafka_topic }
    topic_replication_factor: "" # No default (optional)
    sync_topic_interval: 5m
    sync_topic_acls: false
    serverless: false
    provenance_header: redpanda-migrator-provenance
    offset_header: redpanda-migrator-offset
    max_in_flight: 10

Multiple migrator pairs

When using multiple migrator pairs in a pipeline, match the label field exactly between input and output components for correct coordination.

Performance tuning

For high-throughput workloads, adjust the following settings:

On this output component:

  • max_in_flight: Set to the total number of partitions being copied in parallel (up to all partitions in the cluster)

On the paired redpanda_migrator input component:

  • partition_buffer_bytes: Set to 2MB to increase per-partition buffer size

  • max_yield_batch_bytes: Set to 1MB to allow larger batches to be yielded

Synchronization details

Topics

  • Name resolution with interpolation (default: preserve source name)

  • Automatic creation with mirrored partition counts

  • Selectable replication factor (default: inherit from source)

  • Supported topic configuration keys (serverless-aware subset)

  • Optional ACL replication:

  • Excludes ALLOW WRITE entries

  • Downgrades ALLOW ALL to READ

  • Preserves resource pattern type and host filters

Schema Registry

  • One-shot or periodic syncing

  • Subject selection via include/exclude regex

  • Subject renaming with interpolation

  • Versions: latest or all (default: all)

  • Optional include of soft-deleted subjects

  • ID handling: translate IDs or keep fixed

  • Optional schema normalization

  • Compatibility propagation (per-subject only)

  • Schema metadata/rules not copied in Serverless mode

Consumer Groups

  • Periodic syncing

  • Group selection using regex

  • Only Empty state groups migrated

  • Timestamp-based offset translation (approximate)

  • No rewind guarantee: offsets only move forward

  • Requires matching partition counts

How it works

  • Topics: Synced on demand. First write triggers creation.

  • Schema Registry: Synced at connect, then as needed.

  • Consumer Groups: Background loop, filtered by topic mappings.

Guarantees

  • Topics created with intended partitioning/replication.

  • Existing topics respected. Mismatches logged.

  • Consumer group offsets never rewound.

  • ACL replication excludes unsafe grants.

Limitations

  • Destination Schema Registry must be in READWRITE or IMPORT mode.

  • Offset translation is best-effort.

  • Consumer group migration requires identical partition counts.

Metrics

The component exposes comprehensive metrics for monitoring migration operations:

Metric Name Type Labels Description

Topic migration metrics

redpanda_migrator_topics_created_total

counter

Total topics created on destination

redpanda_migrator_topic_create_errors_total

counter

Topic creation errors

redpanda_migrator_topic_create_latency_ns

timer

Topic creation latency (ns)

Schema Registry migration metrics

redpanda_migrator_sr_schemas_created_total

counter

Schemas created in destination registry

redpanda_migrator_sr_schema_create_errors_total

counter

Schema creation errors

redpanda_migrator_sr_schema_create_latency_ns

timer

Schema creation latency (ns)

redpanda_migrator_sr_compatibility_updates_total

counter

Compatibility level updates applied

redpanda_migrator_sr_compatibility_update_errors_total

counter

Compatibility update errors

redpanda_migrator_sr_compatibility_update_latency_ns

timer

Compatibility update latency (ns)

Consumer group migration metrics

redpanda_migrator_cg_offsets_translated_total

counter

group

Offsets translated per consumer group

redpanda_migrator_cg_offset_translation_errors_total

counter

group

Offset translation errors per group

redpanda_migrator_cg_offset_translation_latency_ns

timer

group

Offset translation latency per group (ns)

redpanda_migrator_cg_offsets_committed_total

counter

group

Offsets committed per consumer group

redpanda_migrator_cg_offset_commit_errors_total

counter

group

Offset commit errors per group

redpanda_migrator_cg_offset_commit_latency_ns

timer

group

Offset commit latency per group (ns)

Consumer lag metrics

redpanda_lag

gauge

topic, partition

Current consumer lag in messages for each topic partition. Shows difference between high water mark and current consumer position.

Examples

Basic migration

Migrate topics, schemas and consumer groups from source to destination.

input:
  redpanda_migrator:
    seed_brokers: ["source:9092"]
    topics: ["orders", "payments"]
    consumer_group: "migration"

output:
  redpanda_migrator:
    seed_brokers: ["destination:9092"]
    # Write to the same topic name
    topic: ${! metadata("kafka_topic") }
    schema_registry:
      url: "http://dest-registry:8081"
      translate_ids: true
    consumer_groups:
      interval: 1m

Migration to Redpanda Serverless

Migrate from Confluent/Kafka to Redpanda Cloud serverless cluster with authentication.

input:
  redpanda_migrator:
    seed_brokers: ["source-kafka:9092"]
    regexp_topics_include:
      - '.'
    regexp_topics_exclude:
      - '^_'
    consumer_group: "migrator_cg"
    schema_registry:
      url: "http://source-registry:8081"

output:
  redpanda_migrator:
    seed_brokers: ["serverless-cluster.redpanda.com:9092"]
    tls:
      enabled: true
    sasl:
      - mechanism: SCRAM-SHA-256
        username: "migrator"
        password: "migrator"
    schema_registry:
      url: "https://serverless-cluster.redpanda.com:8081"
      basic_auth:
        enabled: true
        username: "migrator"
        password: "migrator"
      translate_ids: true
    consumer_groups:
      exclude:
        - "migrator_cg"  # Exclude the migration consumer group itself
    serverless: true  # Enable serverless mode for restricted configurations

Fields

allow_auto_topic_creation

Enables topics to be auto created if they do not exist when fetching their metadata.

Type: bool

Default: true

broker_write_max_bytes

The maximum number of bytes this output can write to a broker connection in a single write. This field corresponds to Kafka’s socket.request.max.bytes.

Type: string

Default: 100MiB

# Examples:
broker_write_max_bytes: 128MB

# ---

broker_write_max_bytes: 50mib

client_id

An identifier for the client connection.

Type: string

Default: redpanda-connect

compression

Set an explicit compression type (optional). The default preference is to use snappy when the broker supports it. Otherwise, use none.

Type: string

Options: lz4, snappy, gzip, none, zstd

conn_idle_timeout

The maximum duration that connections can remain idle before they are automatically closed. This field accepts Go duration format strings such as 100ms, 1s, or 5s.

Type: string

Default: 20s

consumer_groups

Type: object

consumer_groups.enabled

Whether consumer group offset migration is enabled. When disabled, no consumer group operations are performed.

Type: bool

Default: true

consumer_groups.exclude[]

Regular expressions for consumer groups to exclude from offset migration. Takes precedence over include patterns. Useful for excluding system or temporary groups.

Type: array

# Examples:
exclude: [".*-test", ".*-temp", "connect-.*"]

# ---

exclude: ["dev-.*", "local-.*"]

consumer_groups.fetch_timeout

Maximum time to wait for data when fetching records for timestamp-based offset translation. Increase for clusters with low message throughput.

Type: string

Default: 10s

# Examples:
fetch_timeout: 1s     # Fast clusters

# ---

fetch_timeout: 10s    # Slower clusters

consumer_groups.include[]

Regular expressions for consumer groups to include in offset migration. If empty, all groups are included (unless excluded).

Type: array

# Examples:
include: ["prod-.*", "staging-.*"]

# ---

include: ["app-.*", "service-.*"]

consumer_groups.interval

How often to synchronise consumer group offsets. Regular syncing helps maintain offset accuracy during ongoing migration.

Type: string

Default: 1m

# Examples:
interval: 0s     # Disabled

# ---

interval: 30s    # Sync every 30 seconds

# ---

interval: 5m     # Sync every 5 minutes

consumer_groups.only_empty

Whether to only migrate Empty consumer groups. When false (default), all statuses except Dead are included; when true, only Empty groups are migrated.

Type: bool

Default: false

idempotent_write

Enable the idempotent write producer option. This requires the IDEMPOTENT_WRITE permission on CLUSTER. Disable this option if the IDEMPOTENT_WRITE permission is unavailable.

Type: bool

Default: true

max_in_flight

The maximum number of batches to send in parallel at any given time. Increase this value to improve throughput during migration.

For optimal performance, set this to match the total number of partitions being migrated. Setting it higher than the partition count provides no additional benefit, as each partition can only have one in-flight batch at a time.

Example: If migrating 100 partitions, set max_in_flight: 100 for maximum throughput.

Type: int

Default: 10

# Examples:
max_in_flight: 64  # For a cluster with 64 partitions

# ---

max_in_flight: 128 # For multiple topics with combined 128 partitions

max_message_bytes

The maximum space in bytes that an individual message may use. Messages larger than this value are rejected. This field corresponds to Kafka’s max.message.bytes.

Type: string

Default: 1MiB

# Examples:
max_message_bytes: 100MB

# ---

max_message_bytes: 50mib

metadata_max_age

The maximum period of time after which metadata is refreshed. This field accepts Go duration format strings such as 100ms, 1s, or 5s.

Lower values provide more responsive topic and partition discovery but may increase broker load. Higher values reduce broker queries but can delay detection of topology changes.

Type: string

Default: 1m

offset_header

The name of a message header to add to migrated records. This header contains the source offset, enabling exact consumer group offset translation during migration.

When left empty (default), no offset header is added and consumer groups are migrated using timestamp-based positioning. This approach works well for most cases, but may be imprecise for consumer groups with no committed offsets when multiple records share the same timestamp (timestamps have millisecond resolution).

Set this field to enable precise offset translation, especially when migrating consumer groups that are caught up or have minimal lag.

Note: This header is only added when consumer group migration is enabled.

Type: string

Default: redpanda-migrator-offset

partitioner

Override the default murmur2 hashing partitioner.

Type: string

Option Summary

least_backup

Chooses the least backed up partition (the partition with the fewest amount of buffered records). Partitions are selected per batch.

manual

Manually select a partition for each message, requires the field partition to be specified.

murmur2_hash

Kafka’s default hash algorithm that uses a 32-bit murmur2 hash of the key to compute which partition the record will be on.

round_robin

Round-robin’s messages through all available partitions. This algorithm has lower throughput and causes higher CPU load on brokers, but can be useful if you want to ensure an even distribution of records to partitions.

provenance_header

Header name to add to migrated records indicating their source cluster. When set, each migrated message receives a header with this name containing the source cluster’s seed broker addresses, enabling downstream systems to track message origins for auditing, debugging, or multi-cluster orchestration workflows.

If empty, no provenance header is added to messages. The header value format is a comma-separated list of the source cluster’s seed_brokers.

Example: Setting provenance_header: "rp-source-cluster" adds a header like rp-source-cluster: "kafka-1:9092,kafka-2:9092".

Type: string

Default: redpanda-migrator-provenance

request_timeout_overhead

Grants an additional buffer or overhead to requests that have timeout fields defined. This field is based on the behavior of Apache Kafka’s request.timeout.ms parameter, but with the option to extend the timeout deadline.

Type: string

Default: 10s

sasl[]

Specify one or more methods of SASL authentication, which are tried in order. If the broker supports the first mechanism, all connections will use that mechanism. If the first mechanism fails, the client picks the first supported mechanism. Connections fail if the broker does not support any client mechanisms.

Type: object

# Examples:
sasl:
  - mechanism: SCRAM-SHA-512
    password: bar
    username: foo

sasl[].aws

Contains AWS specific fields for when the mechanism is set to AWS_MSK_IAM.

Type: object

sasl[].aws.credentials

Optional manual configuration of AWS credentials to use. More information can be found in Amazon Web Services.

Type: object

sasl[].aws.credentials.from_ec2_role

Use the credentials of a host EC2 machine configured to assume an IAM role associated with the instance.

Requires version 4.2.0 or later.

Type: bool

sasl[].aws.credentials.id

The ID of credentials to use.

Type: string

sasl[].aws.credentials.profile

A profile from ~/.aws/credentials to use.

Type: string

sasl[].aws.credentials.role

A role ARN to assume.

Type: string

sasl[].aws.credentials.role_external_id

An external ID to provide when assuming a role.

Type: string

sasl[].aws.credentials.secret

The secret for the credentials being used.

This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets.

Type: string

sasl[].aws.credentials.token

The token for the credentials being used, required when using short term credentials.

Type: string

sasl[].aws.endpoint

Allows you to specify a custom endpoint for the AWS API.

Type: string

sasl[].aws.region

The AWS region to target.

Type: string

sasl[].aws.tcp

TCP socket configuration.

Type: object

sasl[].aws.tcp.connect_timeout

Maximum amount of time a dial will wait for a connect to complete. Zero disables.

Type: string

Default: 0s

sasl[].aws.tcp.keep_alive

TCP keep-alive probe configuration.

Type: object

sasl[].aws.tcp.keep_alive.count

Maximum unanswered keep-alive probes before dropping the connection. Zero defaults to 9.

Type: int

Default: 9

sasl[].aws.tcp.keep_alive.idle

Duration the connection must be idle before sending the first keep-alive probe. Zero defaults to 15s. Negative values disable keep-alive probes.

Type: string

Default: 15s

sasl[].aws.tcp.keep_alive.interval

Duration between keep-alive probes. Zero defaults to 15s.

Type: string

Default: 15s

sasl[].aws.tcp.tcp_user_timeout

Maximum time to wait for acknowledgment of transmitted data before killing the connection. Linux-only (kernel 2.6.37+), ignored on other platforms. When enabled, keep_alive.idle must be greater than this value per RFC 5482. Zero disables.

Type: string

Default: 0s

sasl[].extensions

Key/value pairs to add to OAUTHBEARER authentication requests.

Type: string

sasl[].mechanism

The SASL mechanism to use.

Type: string

Option Summary

AWS_MSK_IAM

AWS IAM based authentication as specified by the 'aws-msk-iam-auth' java library.

OAUTHBEARER

OAuth Bearer based authentication.

PLAIN

Plain text authentication.

REDPANDA_CLOUD_SERVICE_ACCOUNT

Redpanda Cloud Service Account authentication when running in Redpanda Cloud.

SCRAM-SHA-256

SCRAM based authentication as specified in RFC5802.

SCRAM-SHA-512

SCRAM based authentication as specified in RFC5802.

none

Disable sasl authentication

sasl[].password

A password to provide for PLAIN or SCRAM-* authentication.

This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets.

Type: string

Default: ""

sasl[].token

The token to use for a single session’s OAUTHBEARER authentication.

Type: string

Default: ""

sasl[].username

A username to provide for PLAIN or SCRAM-* authentication.

Type: string

Default: ""

schema_registry

Configuration for schema registry integration. Enables migration of schema subjects, versions, and compatibility settings between clusters.

Type: object

schema_registry.basic_auth

Allows you to specify basic authentication.

Type: object

schema_registry.basic_auth.enabled

Whether to use basic authentication in requests.

Type: bool

Default: false

schema_registry.basic_auth.password

A password to authenticate with.

This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets.

Type: string

Default: ""

schema_registry.basic_auth.username

A username to authenticate as.

Type: string

Default: ""

schema_registry.enabled

Whether schema registry migration is enabled. When disabled, no schema operations are performed.

Type: bool

Default: true

schema_registry.exclude[]

Regular expressions for schema subjects to exclude from migration. Takes precedence over include patterns. Note: the migrator consumer group is always ignored.

Type: array

# Examples:
exclude: [".*-test", ".*-temp"]

# ---

exclude: ["dev-.*", "local-.*"]

schema_registry.include[]

Regular expressions for schema subjects to include in migration. If empty, all subjects are included (unless excluded). Note: the migrator consumer group is always ignored.

Type: array

# Examples:
include: ["prod-.*", "staging-.*"]

# ---

include: ["user-.*", "order-.*"]

schema_registry.include_deleted

Whether to include soft-deleted schemas in migration. Useful for complete migration but may not be supported by all schema registries.

Type: bool

Default: false

schema_registry.interval

How often to synchronise schema registry subjects. Set to 0s for one-time sync at startup only.

Type: string

Default: 5m

# Examples:
interval: 0s     # One-time sync only

# ---

interval: 5m     # Sync every 5 minutes

# ---

interval: 30m    # Sync every 30 minutes

schema_registry.jwt

Beta

Allows you to specify JWT authentication.

Type: object

schema_registry.jwt.claims

A value used to identify the claims that issued the JWT.

Type: object

Default: {}

schema_registry.jwt.enabled

Whether to use JWT authentication in requests.

Type: bool

Default: false

schema_registry.jwt.headers

Add optional key/value headers to the JWT.

Type: object

Default: {}

schema_registry.jwt.private_key_file

A file with the PEM encoded via PKCS1 or PKCS8 as private key.

Type: string

Default: ""

schema_registry.jwt.signing_method

A method used to sign the token such as RS256, RS384, RS512 or EdDSA.

Type: string

Default: ""

schema_registry.max_parallel_http_requests

Maximum number of parallel HTTP requests to the schema registry. Controls concurrency when syncing multiple schemas.

Type: int

Default: 10

schema_registry.normalize

Whether to normalize schemas when creating them in the destination registry.

Type: bool

Default: false

schema_registry.oauth

Allows you to specify open authentication via OAuth version 1.

Type: object

schema_registry.oauth.access_token

A value used to gain access to the protected resources on behalf of the user.

Type: string

Default: ""

schema_registry.oauth.access_token_secret

A secret provided in order to establish ownership of a given access token.

This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets.

Type: string

Default: ""

schema_registry.oauth.consumer_key

A value used to identify the client to the service provider.

Type: string

Default: ""

schema_registry.oauth.consumer_secret

A secret used to establish ownership of the consumer key.

This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets.

Type: string

Default: ""

schema_registry.oauth.enabled

Whether to use OAuth version 1 in requests.

Type: bool

Default: false

schema_registry.strict

Error on unknown schema IDs. Only relevant when translate_ids is true. When false (default), unknown schema IDs are passed through unchanged, allowing migration of topics with mixed message formats. Note: messages with 0-byte prefixes (e.g., protobuf) cannot be distinguished from schema registry headers and may fail when strict is enabled.

Type: bool

Default: false

schema_registry.subject

Template for transforming subject names during migration. Use interpolation to rename subjects systematically.

This field supports interpolation functions.

Type: string

# Examples:
subject: prod_${! metadata("schema_registry_subject") }

# ---

subject: ${! metadata("schema_registry_subject") | replace("dev_", "prod_") }

schema_registry.timeout

HTTP client timeout for schema registry requests.

Type: string

Default: 5s

schema_registry.tls

Custom TLS settings can be used to override system defaults.

Type: object

schema_registry.tls.client_certs[]

A list of client certificates to use. For each certificate either the fields cert and key, or cert_file and key_file should be specified, but not both.

Type: object

Default: []

# Examples:
client_certs:
  - cert: foo
    key: bar


# ---

client_certs:
  - cert_file: ./example.pem
    key_file: ./example.key

schema_registry.tls.client_certs[].cert

A plain text certificate to use.

Type: string

Default: ""

schema_registry.tls.client_certs[].cert_file

The path of a certificate to use.

Type: string

Default: ""

schema_registry.tls.client_certs[].key

A plain text certificate key to use.

This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets.

Type: string

Default: ""

schema_registry.tls.client_certs[].key_file

The path of a certificate key to use.

Type: string

Default: ""

schema_registry.tls.client_certs[].password

A plain text password for when the private key is password encrypted in PKCS#1 or PKCS#8 format. The obsolete pbeWithMD5AndDES-CBC algorithm is not supported for the PKCS#8 format.

Because the obsolete pbeWithMD5AndDES-CBC algorithm does not authenticate the ciphertext, it is vulnerable to padding oracle attacks that can let an attacker recover the plaintext.

This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets.

Type: string

Default: ""

# Examples:
password: foo

# ---

password: ${KEY_PASSWORD}

schema_registry.tls.enable_renegotiation

Whether to allow the remote server to repeatedly request renegotiation. Enable this option if you’re seeing the error message local error: tls: no renegotiation.

Requires version 3.45.0 or later.

Type: bool

Default: false

schema_registry.tls.enabled

Whether custom TLS settings are enabled.

Type: bool

Default: false

schema_registry.tls.root_cas

An optional root certificate authority to use. This is a string, representing a certificate chain from the parent trusted root certificate, to possible intermediate signing certificates, to the host certificate.

This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets.

Type: string

Default: ""

# Examples:
root_cas: |-
  -----BEGIN CERTIFICATE-----
  ...
  -----END CERTIFICATE-----

schema_registry.tls.root_cas_file

An optional path of a root certificate authority file to use. This is a file, often with a .pem extension, containing a certificate chain from the parent trusted root certificate, to possible intermediate signing certificates, to the host certificate.

Type: string

Default: ""

# Examples:
root_cas_file: ./root_cas.pem

schema_registry.tls.skip_cert_verify

Whether to skip server side certificate verification.

Type: bool

Default: false

schema_registry.translate_ids

Whether to translate schema IDs during migration.

Type: bool

Default: false

schema_registry.url

The base URL of the schema registry service. Required for schema migration functionality.

Type: string

# Examples:
url: http://localhost:8081

# ---

url: https://schema-registry.example.com:8081

schema_registry.versions

Which schema versions to migrate. 'latest' migrates only the current version, 'all' migrates complete version history for better compatibility.

Type: string

Default: all

Options: latest, all

seed_brokers[]

A list of broker addresses to connect to. Use commas to separate multiple addresses in a single list item.

Type: array

# Examples:
seed_brokers:
  - "localhost:9092"

# ---

seed_brokers:
  - "foo:9092"
  - "bar:9092"

# ---

seed_brokers:
  - "foo:9092,bar:9092"

serverless

Enable serverless mode for Redpanda Cloud serverless clusters. This restricts topic configurations and schema features to those supported by serverless environments.

Type: bool

Default: false

sync_topic_acls

Whether to synchronise topic ACLs from source to destination cluster. ACLs are transformed safely: ALLOW WRITE permissions are excluded, and ALLOW ALL is downgraded to ALLOW READ to prevent conflicts.

Type: bool

Default: false

sync_topic_interval

How often to synchronize topics from the source cluster to the destination. This creates destination topics for any new source topics, including empty topics with no message flow. Set to 0s to disable periodic sync (topics are still created on first message).

Type: string

Default: 5m

# Examples:
sync_topic_interval: 0s     # Disable periodic sync

# ---

sync_topic_interval: 1m     # Sync every minute

# ---

sync_topic_interval: 5m     # Sync every 5 minutes

tcp

TCP socket configuration.

Type: object

tcp.connect_timeout

Maximum amount of time a dial will wait for a connect to complete. Zero disables.

Type: string

Default: 0s

tcp.keep_alive

TCP keep-alive probe configuration.

Type: object

tcp.keep_alive.count

Maximum unanswered keep-alive probes before dropping the connection. Zero defaults to 9.

Type: int

Default: 9

tcp.keep_alive.idle

Duration the connection must be idle before sending the first keep-alive probe. Zero defaults to 15s. Negative values disable keep-alive probes.

Type: string

Default: 15s

tcp.keep_alive.interval

Duration between keep-alive probes. Zero defaults to 15s.

Type: string

Default: 15s

tcp.tcp_user_timeout

Maximum time to wait for acknowledgment of transmitted data before killing the connection. Linux-only (kernel 2.6.37+), ignored on other platforms. When enabled, keep_alive.idle must be greater than this value per RFC 5482. Zero disables.

Type: string

Default: 0s

timeout

The maximum period of time to wait for message sends before abandoning the request and retrying.

Type: string

Default: 10s

tls

Configure Transport Layer Security (TLS) settings to secure network connections. This includes options for standard TLS as well as mutual TLS (mTLS) authentication where both client and server authenticate each other using certificates. Key configuration options include enabled to enable TLS, client_certs for mTLS authentication, root_cas/root_cas_file for custom certificate authorities, and skip_cert_verify for development environments.

Type: object

tls.client_certs[]

A list of client certificates for mutual TLS (mTLS) authentication. Configure this field to enable mTLS, authenticating the client to the server with these certificates.

You must set tls.enabled: true for the client certificates to take effect.

Certificate pairing rules: For each certificate item, provide either:

  • Inline PEM data using both cert and key or

  • File paths using both cert_file and key_file.

Mixing inline and file-based values within the same item is not supported.

Type: object

Default: []

# Examples:
client_certs:
  - cert: foo
    key: bar


# ---

client_certs:
  - cert_file: ./example.pem
    key_file: ./example.key

tls.client_certs[].cert

A plain text certificate to use.

Type: string

Default: ""

tls.client_certs[].cert_file

The path of a certificate to use.

Type: string

Default: ""

tls.client_certs[].key

A plain text certificate key to use.

This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets.

Type: string

Default: ""

tls.client_certs[].key_file

The path of a certificate key to use.

Type: string

Default: ""

tls.client_certs[].password

A plain text password for when the private key is password encrypted in PKCS#1 or PKCS#8 format. The obsolete pbeWithMD5AndDES-CBC algorithm is not supported for the PKCS#8 format.

Because the obsolete pbeWithMD5AndDES-CBC algorithm does not authenticate the ciphertext, it is vulnerable to padding oracle attacks that can let an attacker recover the plaintext.

This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets.

Type: string

Default: ""

# Examples:
password: foo

# ---

password: ${KEY_PASSWORD}

tls.enable_renegotiation

Whether to allow the remote server to repeatedly request renegotiation. Enable this option if you’re seeing the error message local error: tls: no renegotiation.

Requires version 3.45.0 or later.

Type: bool

Default: false

tls.enabled

Whether custom TLS settings are enabled.

Type: bool

Default: false

tls.root_cas

Specify a root certificate authority to use (optional). This is a string that represents a certificate chain from the parent-trusted root certificate, through possible intermediate signing certificates, to the host certificate. Use either this field for inline certificate data or root_cas_file for file-based certificate loading.

This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets.

Type: string

Default: ""

# Examples:
root_cas: |-
  -----BEGIN CERTIFICATE-----
  ...
  -----END CERTIFICATE-----

tls.root_cas_file

Specify the path to a root certificate authority file (optional). This is a file, often with a .pem extension, which contains a certificate chain from the parent-trusted root certificate, through possible intermediate signing certificates, to the host certificate. Use either this field for file-based certificate loading or root_cas for inline certificate data.

Type: string

Default: ""

# Examples:
root_cas_file: ./root_cas.pem

tls.skip_cert_verify

Whether to skip server-side certificate verification. Set to true only for testing environments as this reduces security by disabling certificate validation. When using self-signed certificates or in development, this may be necessary, but should never be used in production. Consider using root_cas or root_cas_file to specify trusted certificates instead of disabling verification entirely.

Type: bool

Default: false

topic

A topic to write messages to.

This field supports interpolation functions.

Type: string

Default: ${! @kafka_topic }

# Examples:
topic: prod_${! @kafka_topic }

topic_replication_factor

The replication factor for created topics. If not specified, inherits the replication factor from source topics. Useful when migrating to clusters with different sizes.

Type: int

# Examples:
topic_replication_factor: 3

# ---

topic_replication_factor: 1  # For single-node clusters