Skip to main content
Version: 22.2

Redpanda Console Configuration

Configuration sources

Redpanda Console loads configuration properties from three sources, with the following order of precedence:

  • Environment variables
  • YAML configuration
  • Command line arguments (flags) This means that environment variables and YAML configurations can overwrite input that is set on the command line.

YAML configuration

The recommended configuration source is a YAML file. Specify the path to the file by either setting the -config.filepath flag or setting the CONFIG_FILEPATH environment variable. A reference YAML configuration file is provided under Sample configuration.

Environment variables

Configuration options can be configured using environment variables. The key for the environment variable is auto-generated by converting the YAML equivalent to uppercase and adding an underscore for each indentation level. For example:

  • kafka.rackId => KAFKA_RACKID
  • kafka.tls.caFilepath => KAFKA_TLS_CAFILEPATH

For configuration properties that expect a list of values, use commas between each value. For example:

  • KAFKA_BROKERS=redpanda-0:9092,redpanda-1:9092,redpanda-2:9092
info

You cannot use environment variables to configure object arrays, such as the configuration for Kafka connect clusters. In this case, use a YAML file, and provide secrets using environment variables or command line arguments.

Sample configuration

The following config.yaml configuration file contains a complete list of all Console configuration properties and their descriptions. All values are default values.

Provide the filepath to your configuration file by setting either the flag -config.filepath or the environment variable CONFIG_FILEPATH.

note

This configuration file contains both Redpanda Enterprise and Redpanda Community configurations. If you don't provide a Redpanda Enterprise license, Console ignores configurations for Redpanda Enterprise features.

kafka:
# Brokers is a list of bootstrap servers with
# port (for example "localhost:9092").
brokers: []
# Client ID that the Kafka client can use to identify itself
# against the target Kafka cluster.
clientId: console
# In multi-zone Kafka clusters, you can reduce traffic costs
# by consuming messages from replica brokers in the same zone
rackId:
# SASL configuration for Console to connect to the Kafka API.
sasl:
enabled: false
username:
# Password can also be set using the --kafka.sasl.password flag.
password:
# Valid mechanisms are: PLAIN, SCRAM-SHA-256,
# SCRAM-SHA-512, GSSAPI, OAUTHBEARER and AWS_MSK_IAM.
mechanism: PLAIN
# Kerberos implements the GSSAPI protocol. Use the following configurations
# to connect Redpanda Console to a Kerberos-protected Kafka API.
gssapi:
# AuthType must be either USER_AUTH or KEYTAB_AUTH
authType:
# Filepath to the keytab file that contains the pairs of Kerberos
# principals and encrypted password keys. AuthType must be set to
# KEYTAB_AUTH to load the keytab file.
keyTabPath:
# Path to the krb5.conf file that contains Kerberos configuration
# information, such as the locations of KDCs.
kerberosConfigPath:
serviceName:
username:
# Password can also be set using the --kafka.sasl.gssapi.password flag
password:
realm:
# EnableFAST enables FAST, which is a pre-authentication framework
# for Kerberos.
enableFast: true
oauth:
# can also be set using the --kafka.sasl.oauth.token flag
token:
awsMskIam:
accessKey:
# can also be set using the --kafka.sasl.aws-msk-iam.secret-key flag
secretKey:
# can also be set using the --kafka.sasl.aws-msk-iam.session-token flag
sessionToken:
userAgent:
tls:
# If you connect to a Cluster that uses commonly trusted
# certificates, enable TLS and do not provide a certificate
# authority in the caFilepath. In this case,
# the system's cert pool is used.
enabled: false
caFilepath:
certFilepath:
keyFilepath:
# Can also be set using the --kafka.tls.passphrase flag
passphrase:
insecureSkipTlsVerify: false
schemaRegistry:
enabled: false
# Url with scheme is required, e.g. ["http://localhost:8081"]
urls: []
# Basic auth username
username:
# Basic auth password. This can also be set using the --schema.registry.password
# flag
password:
# Can also be set using the --schema.registry.token flag
bearerToken:
tls:
# If you connect to a schema registry that uses commonly trusted
# certificates, enable TLS and do not provide a certificate
# authority in the caFilepath. In this case,
# the system's cert pool is used.
enabled: false
caFilepath:
certFilepath:
keyFilepath:
insecureSkipTlsVerify: false
protobuf:
enabled: false
mappings: []
# Map the proto type names for each of your topics.
# These proto types will be used for deserialization
# - topicName: xy
# You can specify the proto type for the record key
# and/or value (just one will work too)
# valueProtoType: fake_model.Order
# keyProtoType: package.Type
# SchemaRegistry does not require any mappings to be specified.
# The schema registry client that is configured in the
# kafka config block will be reused.
schemaRegistry:
enabled: false
refreshInterval: 5m
# Configure the fileSystem if you want Redpanda Console to
# search the local file system for the .proto files
fileSystem:
enabled: false
paths: []
refreshInterval: 5m
# Git is where the .proto files come from
git:
enabled: false
repository:
url:
branch: (defaults to primary/default branch)
# How often Redpanda Console pulls the repository to look for new files.
# Set to 0 to disable periodic pulls
refreshInterval: 1m
# Basic Auth
# To use GitHub's personal access tokens, use `token`
# as username and pass the token as password
basicAuth:
enabled: true
username: token
password:
# SSH Auth
# You can pass the private key file directly using a flag on the command line, or you can specify it in the
# yaml configuration file. Another alternative is to provide the filepath to a mounted key
# file in this configuration block.
ssh:
enabled: false
username:
privateKey:
privateKeyFilepath:
passphrase:
messagePack:
enabled: false
topicNames: ["/.*/"] # List of topic name regexes, defaults to /.*/

connect:
enabled: false
# The default for clusters is an empty array. To start Redpanda Console,
# specify at least one cluster as soon as you enable Kafka connect.
clusters: []
- name: xy
url: http://my-cluster:8083
tls:
# Trusted certificates are still allowed if TLS is not enabled.
enabled: false
# caFilepath:
# certFilepath:
# keyFilepath:
# insecureSkipTlsVerify: false
username:
password:
token:
connectTimeout: 15s # used to test cluster connectivity
readTimeout: 60s # overall REST timeout
requestTimeout: 6s # timeout for REST requests

console:
# Configuration to use for embedded topic documentation
topicDocumentation:
enabled: false
# Configure the git repository that contains the topic documentation.
# Redpanda Console clones the git repository and periodically pulls for new
# changes so it can render the markdown files within the topic view.
git:
enabled: false
repository:
url:
branch: (defaults to primary/default branch)
baseDirectory: .
# How often Console pulls the repository to look for new files.
# Set to 0 to disable periodic pulls.
refreshInterval: 1m
# To use GitHub's personal access tokens, use `token`
# for the username and pass the token as password.
basicAuth:
enabled: true
username: token
password:
ssh:
enabled: false
username:
privateKey:
privateKeyFilepath:
passphrase:

redpanda:
# Redpanda Admin API configuration that enables additional Redpanda-specific features.
adminApi:
enabled: false
# HTTP urls (such as http://localhost:9644) that Redpanda Console should send admin api requests to.
urls: []
# Username for basic auth
username:
# Password for basic auth
password:
tls:
enabled: false
caFilepath:
certFilepath:
keyFilepath:
insecureSkipTlsVerify:

# Filepath to your redpanda.license file
# This is only required if you want to use an Enterprise feature
# such as SSO or RBAC.
licenseFilepath:

# Login contains all configurations in order to protect Redpanda Console
# with a login screen. To support SSO, configure one or more of the identity
# providers below.
# This feature requires an Enterprise license.
login:
enabled: false
# jwtSecret is a secret string that signs and encrypts
# the JSON Web tokens used by the backend for session management.
jwtSecret: redacted
google:
enabled: false
clientId: redacted.apps.googleusercontent.com
clientSecret: redacted
# The directory configuration is only required if you use
# Google groups in your RBAC role bindings.
directory:
# Filepath to the mounted service account key file in JSON format.
serviceAccountFilepath: /etc/secrets/google-sa.json
# targetPrincipal is the user that will be impersonated
# for the Google Admin API calls.
targetPrincipal: admin@mycompany.com
oidc:
enabled: false
clientId: redacted
clientSecret: redacted
domain: example-endpoint.us.auth0.com # OIDC endpoint
userIdentifyingClaimKey: sub
github:
enabled: false
clientId: redacted
clientSecret: redacted
# The directory configuration is only required if you use
# GitHub teams in your RBAC role bindings.
directory:
personalAccessToken: redacted
okta:
enabled: false
clientId: redacted
clientSecret: redacted
# The directory configuration is only required if you
# use Okta groups in your RBAC role bindings.
directory:
apiToken: redacted

# The enterprise block contains configurations for features that
# can only be used with a valid Enterprise license.
enterprise:
rbac:
# Whether or not RBAC is used. This must be enabled
# if login is enabled. By default, no authenticated user
# has any permissions.
enabled: false
# Path to YAML file that contains all role bindings
roleBindingsFilepath:

# Server configures Redpanda Console's HTTP server that serves all resources, including the Frontend application.
server:
listenPort: 8080
listenAddress:
gracefulShutdownTimeout: 30s
readTimeout: 30s
writeTimeout: 30s
idleTimeout: 30s
compressionLevel: 4
# Sub-path under which Redpanda Console is hosted. See Features / HTTP path rewrites.
basePath: ""
# Whether or not to check the 'X-Forwarded-Prefix' header to (potentially)
# override 'basePath'. See Features / HTTP path rewrites.
setBasePathFromXForwardedPrefix: true
# Whether or not Redpanda Console should strip the prefix internally.
stripPrefix: true

logger:
level: info # Valid values are debug, info, warn, error, and fatal

# Prefix for all exported Prometheus metrics
metricsNamespace: console