Redpanda Console Configuration
When you install Redpanda Console, a redpanda-console-config.yaml
file is installed on each instance in /etc/redpanda/redpanda-console-config.yaml
. This file contains configuration properties for Redpanda Console.
Configuration sources
Redpanda Console loads configuration properties from three sources, with the following order of precedence:
-
Environment variables
-
YAML configuration
-
Command line arguments (flags) This means that environment variables and YAML configurations can overwrite input that is set on the command line.
YAML configuration
The recommended configuration source is a YAML file. Specify the path to the file by either setting
the -config.filepath
flag or setting the CONFIG_FILEPATH
environment variable.
A reference YAML configuration file is provided under Sample configuration.
Environment variables
Configuration options can be configured using environment variables. The key for the environment variable is auto-generated by converting the YAML equivalent to uppercase and adding an underscore for each indentation level. For example:
-
kafka.rackId => KAFKA_RACKID
-
kafka.tls.caFilepath => KAFKA_TLS_CAFILEPATH
For configuration properties that expect a list of values, use commas between each value. For example:
-
KAFKA_BROKERS=redpanda-0:9092,redpanda-1:9092,redpanda-2:9092
You cannot use environment variables to configure object arrays, such as the configuration for Kafka connect clusters. In this case, use a YAML file, and provide secrets using environment variables or command line arguments. |
Sample configuration
The following config.yaml
configuration file contains a complete list of all Console configuration properties and their descriptions. All values are default values.
Provide the filepath to your configuration file by setting either the flag
-config.filepath
or the environment variable CONFIG_FILEPATH
.
|
# Commented config settings are optional and show the defaults
kafka:
brokers:
- broker-0.mycompany.com:19092
- broker-1.mycompany.com:19092
- broker-2.mycompany.com:19092
# clientId: console
# rackId: # In multi zone Kafka clusters you can reduce traffic costs by consuming messages from replica brokers in the same zone
# sasl:
# enabled: false
# username:
# password: # This can be set via the --kafka.sasl.password flag as well
# mechanism: PLAIN # PLAIN, SCRAM-SHA-256, SCRAM-SHA-512, GSSAPI, OAUTHBEARER and AWS_MSK_IAM are supported
# gssapi:
# authType:
# keyTabPath:
# kerberosConfigPath:
# serviceName:
# username:
# password: # can be set via the --kafka.sasl.gssapi.password flag as well
# realm:
# enableFast: true
# oauth:
# token: # can be set via the --kafka.sasl.oauth.token flag as well
# awsMskIam:
# accessKey:
# secretKey: # can be set via the --kafka.sasl.aws-msk-iam.secret-key flag as well
# sessionToken: # can be set via the --kafka.sasl.aws-msk-iam.session-token flag as well
# userAgent:
# tls:
# enabled: false
# caFilepath:
# certFilepath:
# keyFilepath:
# passphrase: # This can be set via the --kafka.tls.passphrase flag as well
# insecureSkipTlsVerify: false
# schemaRegistry:
# enabled: false
# urls: [] # Url with scheme is required, e.g. ["http://localhost:8081"]
# username: # Basic auth username
# password: # Basic auth password. This can be set via the --schema.registry.password flag as well
# bearerToken: # This can be set via the --schema.registry.token flag as well
# tls:
# enabled: false # Enable Client certificate connexion to the schemaRegistry
# caFilepath: # Path to a custom CA file. If not specified the system's / trusted root ca is used.
# certFilepath:
# keyFilepath: # key should not be encrypted by a passphrase
# insecureSkipTlsVerify: false
# protobuf:
# enabled: false
# mappings: []
# # Map the proto type names for each of your topics. These proto types will be used for deserialization
# # - topicName: xy
# # valueProtoType: fake_model.Order # You can specify the proto type for the record key and/or value (just one will work too)
# # keyProtoType: package.Type
# # SchemaRegistry does not require any mappings to be specified. The schema registry client configured on the kafka level will be reused.
# schemaRegistry:
# enabled: false
# refreshInterval: 5m
# # FileSystem can be configured if you want Console to search the local file system for the .proto files
# fileSystem:
# enabled: false
# paths: []
# refreshInterval: 5m
# importPaths is a list of paths from which to import Proto files into Redpanda Console.
# Paths are relative to the root directory.
# The `git` configuration must be enabled to use this feature.
# importPaths: []
# # Git is where the .proto files come from, in the future there might be additional options
# git:
# enabled: false
# repository:
# url:
# branch: (defaults to primary/default branch)
# baseDirectory: (defaults to the root directory of the repo/branch above)
# # How often Console shall pull the repository to look for new files. Set 0 to disable periodic pulls
# refreshInterval: 1m
# # Basic Auth
# # If you want to use GitHub's personal access tokens use `token` as username and pass the token as password
# basicAuth:
# enabled: true
# username: token
# password: # This can be set via the via the --owl.topic-documentation.git.basic-auth.password flag as well
# # SSH Auth
# # You can either pass the private key file directly via flag or yaml config or refer to a mounted key file
# ssh:
# enabled: false
# username:
# privateKey: # This can be set via the via the --owl.topic-documentation.git.ssh.private-key flag as well
# privateKeyFilepath:
# passphrase: # This can be set via the via the --owl.topic-documentation.git.ssh.passphrase flag as well
# messagePack:
# enabled: false
# topicNames: ["/.*/"] # List of topic name regexes, defaults to /.*/
# Startup is a configuration block to specify how often and with what delays
# we should try to connect to the Kafka service. If all attempts have failed the
# application will exit with code 1.
# startup:
# maxRetries: 5
# retryInterval: 1s
# maxRetryInterval 60s
# backoffMultiplier: 2
# connect:
# enabled: false
# # An empty array for clusters is the default, but you have to specify at least one cluster, as soon as
# # you enable Kafka connect. Otherwise you'll not be able to start Console.
# clusters: []
# - name: xy
# url: http://my-cluster:8083
# tls:
# enabled: false # Trusted certificates are still allowed if TLS is not enabled.
# # caFilepath:
# # certFilepath:
# # keyFilepath:
# # insecureSkipTlsVerify: false
# username:
# password: # This can be set via the via the --connect.clusters.i.password flag as well (i to be replaced with the array index)
# token: # This can be set via the via the --connect.clusters.i.token flag as well (i to be replaced with the array index)
# connectTimeout: 15s # used to test cluster connectivity
# readTimeout: 60s # overall REST timeout
# requestTimeout: 6s # timeout for REST requests
# console:
# # Config to use for embedded topic documentation, see /docs/features/topic-documentation.md for more details
# topicDocumentation:
# enabled: false
# # Git is where the topic documentation can come from, in the future there might be additional options
# git:
# enabled: false
# repository:
# url:
# branch: (defaults to primary/default branch)
# baseDirectory: .
# # How often Console shall pull the repository to look for new files. Set 0 to disable periodic pulls
# refreshInterval: 1m
# # Basic Auth
# # If you want to use GitHub's personal access tokens use `token` as username and pass the token as password
# basicAuth:
# enabled: true
# username: token
# password: # This can be set via the via the --console.topic-documentation.git.basic-auth.password flag as well
# # SSH Auth
# # You can either pass the private key file directly via flag or yaml config or refer to a mounted key file
# ssh:
# enabled: false
# username:
# privateKey: # This can be set via the via the --console.topic-documentation.git.ssh.private-key flag as well
# privateKeyFilepath:
# passphrase: # This can be set via the via the --console.topic-documentation.git.ssh.passphrase flag as well
# analytics configures the telemetry service that sends anonymized usage statistics to Redpanda.
# Redpanda uses these statistics to evaluate feature usage.
# analytics:
# enabled: true
# server:
# listenAddress:
# listenPort: 8080
# # HTTPSListenPort and HTTPListenPort are separate so that we can listen
# # on both and redirect users to the HTTPS url.
# httpsListenPort: 8081
# # AdvertisedHTTPSListenPort is the HTTPS port that will be used for
# # redirecting the user in the browser. If your application is serving
# # the TLS port on 8081 but some LoadBalancer between the user and your
# # Go application remaps this to 443 you want to set this port to
# # 443 as well. Otherwise, users will be redirected to your httpsListenPort.
# advertisedHttpsListenPort:
# gracefulShutdownTimeout: 30s
# listenPort: 8080
# readTimeout: 30s
# writeTimeout: 30s
# idleTimeout: 30s
# compressionLevel: 4
# basePath: # Sub-path under which Console is hosted. See 'docs/features/hosting.md' for more information
# setBasePathFromXForwardedPrefix: true # Whether or not to check the 'X-Forwarded-Prefix' header to (potentially) override 'basePath'
# stripPrefix: true # Whether or not Console should strip the prefix internally
# # TLS contains the configuration properties for the HTTP
# # TLS configuration. If enabled, the HTTP server will serve on
# # HTTPS and terminate TLS. Additional to the TLS server Console
# # will start an HTTP server that is in charge of redirecting HTTP
# # requests to the HTTPS version.
# tls:
# enabled: false
# certFilepath:
# keyFilepath:
# # AllowedOrigins is a list of origins that can send requests from a browser to the Console
# # API. By default, a same-site policy is enforced to prevent CSRF-attacks.
# # Only in very specific deployment models you may need to change the secure default.
# allowedOrigins: []
# logger:
# level: info # Valid values are: debug, info, warn, error, fatal
# Only relevant for developers, who might want to run the frontend separately
# serveFrontend: true
# Prefix for all exported prometheus metrics
# metricsNamespace: console