redpanda_migrator

Type: Output
Available in: Cloud, Self-Managed

A Kafka producer for migrating data between Kafka/Redpanda clusters.

The redpanda_migrator output coordinates migration of topics, schemas, and consumer groups from a source Kafka/Redpanda cluster to a destination cluster. This output must be paired with a redpanda_migrator input in the same pipeline. Each pipeline requires both input and output components.

Introduced in version 4.37.0.

Common

    outputs:
      label: ""
      redpanda_migrator:
        seed_brokers: [] # No default (required)
        schema_registry:
          url: "" # No default (required)
          tls:
            enabled: false
            skip_cert_verify: false
            enable_renegotiation: false
            root_cas: ""
            root_cas_file: ""
            client_certs:
              cert: ""
              key: ""
              cert_file: ""
              key_file: ""
              password: ""
          oauth:
            enabled: false
            consumer_key: ""
            consumer_secret: ""
            access_token: ""
            access_token_secret: ""
          basic_auth:
            enabled: false
            username: ""
            password: ""
          jwt:
            enabled: false
            private_key_file: ""
            signing_method: ""
            claims: {}
            headers: {}
          enabled: true
          interval: 0s
          include: [] # No default (optional)
          exclude: [] # No default (optional)
          subject: "" # No default (optional)
          versions: all
          include_deleted: false
          translate_ids: false
          normalize: false
          strict: false
        consumer_groups:
          enabled: true
          interval: 1m
          fetch_timeout: 10s
          include: [] # No default (optional)
          exclude: [] # No default (optional)
          only_empty: false
        topic: ${! @kafka_topic }
        topic_replication_factor: "" # No default (optional)
        sync_topic_acls: false

Advanced

    outputs:
      label: ""
      redpanda_migrator:
        seed_brokers: [] # No default (required)
        client_id: benthos
        tls:
          enabled: false
          skip_cert_verify: false
          enable_renegotiation: false
          root_cas: ""
          root_cas_file: ""
          client_certs:
            cert: ""
            key: ""
            cert_file: ""
            key_file: ""
            password: ""
        sasl:
          mechanism: "" # No default (required)
          username: ""
          password: ""
          token: ""
          extensions: "" # No default (optional)
          aws:
            region: "" # No default (optional)
            endpoint: "" # No default (optional)
            credentials:
              profile: "" # No default (optional)
              id: "" # No default (optional)
              secret: "" # No default (optional)
              token: "" # No default (optional)
              from_ec2_role: "" # No default (optional)
              role: "" # No default (optional)
              role_external_id: "" # No default (optional)
        metadata_max_age: 5m
        request_timeout_overhead: 10s
        conn_idle_timeout: 20s
        partitioner: "" # No default (optional)
        idempotent_write: true
        compression: "" # No default (optional)
        allow_auto_topic_creation: true
        timeout: 10s
        max_message_bytes: 1MiB
        broker_write_max_bytes: 100MiB
        schema_registry:
          url: "" # No default (required)
          tls:
            enabled: false
            skip_cert_verify: false
            enable_renegotiation: false
            root_cas: ""
            root_cas_file: ""
            client_certs:
              cert: ""
              key: ""
              cert_file: ""
              key_file: ""
              password: ""
          oauth:
            enabled: false
            consumer_key: ""
            consumer_secret: ""
            access_token: ""
            access_token_secret: ""
          basic_auth:
            enabled: false
            username: ""
            password: ""
          jwt:
            enabled: false
            private_key_file: ""
            signing_method: ""
            claims: {}
            headers: {}
          enabled: true
          interval: 0s
          include: [] # No default (optional)
          exclude: [] # No default (optional)
          subject: "" # No default (optional)
          versions: all
          include_deleted: false
          translate_ids: false
          normalize: false
          strict: false
        consumer_groups:
          enabled: true
          interval: 1m
          fetch_timeout: 10s
          include: [] # No default (optional)
          exclude: [] # No default (optional)
          only_empty: false
        topic: ${! @kafka_topic }
        topic_replication_factor: "" # No default (optional)
        sync_topic_acls: false
        serverless: false

Multiple migrator pairs

When using multiple migrator pairs in a pipeline, match the label field exactly between input and output components for correct coordination.

Performance tuning

For high-throughput workloads, adjust buffer sizes on the input component. See the redpanda_migrator input documentation for tuning advice.

Synchronization details

Topics

- Name resolution with interpolation (default: preserve source name)
- Automatic creation with mirrored partition counts
- Selectable replication factor (default: inherit from source)
- Supported topic configuration keys (serverless-aware subset)
- Optional ACL replication:
  - Excludes ALLOW WRITE entries
  - Downgrades ALLOW ALL to ALLOW READ
  - Preserves resource pattern type and host filters

Schema Registry

- One-shot or periodic syncing
- Subject selection via include/exclude regex
- Subject renaming with interpolation
- Versions: latest or all (default: all)
- Optional inclusion of soft-deleted subjects
- ID handling: translate IDs or keep fixed
- Optional schema normalization
- Compatibility propagation (per-subject only)
- Schema metadata/rules not copied in Serverless mode

Consumer Groups

- Periodic syncing
- Group selection using regex
- Optional restriction to groups in the Empty state (only_empty; by default, all states except Dead are included)
- Timestamp-based offset translation (approximate)
- No rewind guarantee: offsets only move forward
- Requires matching partition counts

How it works

- Topics: Synced on demand. The first write triggers creation.
- Schema Registry: Synced at connect, then as needed.
- Consumer Groups: Background loop, filtered by topic mappings.

Guarantees

- Topics are created with the intended partitioning and replication.
- Existing topics are respected. Mismatches are logged.
- Consumer group offsets are never rewound.
- ACL replication excludes unsafe grants.

Limitations

- The destination Schema Registry must be in READWRITE or IMPORT mode.
- Offset translation is best-effort.
- Consumer group migration requires identical partition counts.
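The synchronization options described above correspond to fields on the output. The following is a minimal sketch, not a recommended production setup, of one input/output pair that opts into ACL replication, periodic schema syncing, and Empty-only consumer group migration. The hostnames, topic and group names, the subject pattern, and the label value orders_migration are all placeholders chosen for illustration. The input fields are limited to those that appear in the examples on this page.

```yaml
# Sketch only: every hostname, name, and pattern below is a placeholder.
input:
  label: orders_migration          # must match the output label exactly
  redpanda_migrator:
    seed_brokers: ["source:9092"]
    topics: ["orders"]
    consumer_group: "migration"
    schema_registry:
      url: "http://source-registry:8081"

output:
  label: orders_migration
  redpanda_migrator:
    seed_brokers: ["destination:9092"]
    topic: ${! @kafka_topic }      # default: keep the source topic name
    topic_replication_factor: 3    # omit to inherit from the source topic
    sync_topic_acls: true          # ALLOW WRITE is excluded, ALLOW ALL becomes ALLOW READ
    schema_registry:
      url: "http://dest-registry:8081"
      interval: 5m                 # 0s would sync once at startup only
      include: ["orders-.*"]
      versions: latest
      translate_ids: true
    consumer_groups:
      interval: 30s
      exclude: ["migration"]       # skip the migrator's own consumer group
      only_empty: true             # migrate only groups in the Empty state
```

Because consumer group migration requires identical partition counts, a setup like this assumes the destination topics are created by the migrator or already match the source.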
Metrics

The component exposes comprehensive metrics for monitoring migration operations:

Topic migration metrics

| Metric Name | Type | Labels | Description |
|---|---|---|---|
| redpanda_migrator_topics_created_total | counter | | Total topics created on destination |
| redpanda_migrator_topic_create_errors_total | counter | | Topic creation errors |
| redpanda_migrator_topic_create_latency_ns | timer | | Topic creation latency (ns) |

Schema Registry migration metrics

| Metric Name | Type | Labels | Description |
|---|---|---|---|
| redpanda_migrator_sr_schemas_created_total | counter | | Schemas created in destination registry |
| redpanda_migrator_sr_schema_create_errors_total | counter | | Schema creation errors |
| redpanda_migrator_sr_schema_create_latency_ns | timer | | Schema creation latency (ns) |
| redpanda_migrator_sr_compatibility_updates_total | counter | | Compatibility level updates applied |
| redpanda_migrator_sr_compatibility_update_errors_total | counter | | Compatibility update errors |
| redpanda_migrator_sr_compatibility_update_latency_ns | timer | | Compatibility update latency (ns) |

Consumer group migration metrics

| Metric Name | Type | Labels | Description |
|---|---|---|---|
| redpanda_migrator_cg_offsets_translated_total | counter | group | Offsets translated per consumer group |
| redpanda_migrator_cg_offset_translation_errors_total | counter | group | Offset translation errors per group |
| redpanda_migrator_cg_offset_translation_latency_ns | timer | group | Offset translation latency per group (ns) |
| redpanda_migrator_cg_offsets_committed_total | counter | group | Offsets committed per consumer group |
| redpanda_migrator_cg_offset_commit_errors_total | counter | group | Offset commit errors per group |
| redpanda_migrator_cg_offset_commit_latency_ns | timer | group | Offset commit latency per group (ns) |

Consumer lag metrics

| Metric Name | Type | Labels | Description |
|---|---|---|---|
| redpanda_lag | gauge | topic, partition | Current consumer lag in messages for each topic partition. Shows the difference between the high water mark and the current consumer position. |

Examples

Basic migration

Migrate topics, schemas and consumer groups from source to destination.
    input:
      redpanda_migrator:
        seed_brokers: ["source:9092"]
        topics: ["orders", "payments"]
        consumer_group: "migration"

    output:
      redpanda_migrator:
        seed_brokers: ["destination:9092"]
        # Write to the same topic name
        topic: ${! metadata("kafka_topic") }
        schema_registry:
          url: "http://dest-registry:8081"
          translate_ids: true
        consumer_groups:
          interval: 1m

Migration to Redpanda Serverless

Migrate from Confluent/Kafka to a Redpanda Cloud Serverless cluster with authentication.

    input:
      redpanda_migrator:
        seed_brokers: ["source-kafka:9092"]
        topics:
          - '^[^_]' # All topics not starting with underscore
        regexp_topics: true
        consumer_group: "migrator_cg"
        schema_registry:
          url: "http://source-registry:8081"

    output:
      redpanda_migrator:
        seed_brokers: ["serverless-cluster.redpanda.com:9092"]
        tls:
          enabled: true
        sasl:
          - mechanism: SCRAM-SHA-256
            username: "migrator"
            password: "migrator"
        schema_registry:
          url: "https://serverless-cluster.redpanda.com:8081"
          basic_auth:
            enabled: true
            username: "migrator"
            password: "migrator"
          translate_ids: true
        consumer_groups:
          exclude:
            - "migrator_cg" # Exclude the migration consumer group itself
        serverless: true # Enable serverless mode for restricted configurations

Fields

allow_auto_topic_creation

Enables topics to be auto created if they do not exist when fetching their metadata.

Type: bool
Default: true

broker_write_max_bytes

The maximum number of bytes this output can write to a broker connection in a single write. This field corresponds to Kafka’s socket.request.max.bytes.

Type: string
Default: 100MiB

    # Examples:
    broker_write_max_bytes: 128MB
    broker_write_max_bytes: 50mib

client_id

An identifier for the client connection.

Type: string
Default: benthos

compression

Set an explicit compression type (optional). The default preference is to use snappy when the broker supports it. Otherwise, use none.

Type: string
Options: lz4, snappy, gzip, none, zstd

conn_idle_timeout

The maximum duration that connections can remain idle before they are automatically closed.
This field accepts Go duration format strings such as 100ms, 1s, or 5s.

Type: string
Default: 20s

consumer_groups

Type: object

consumer_groups.enabled

Whether consumer group offset migration is enabled. When disabled, no consumer group operations are performed.

Type: bool
Default: true

consumer_groups.exclude[]

Regular expressions for consumer groups to exclude from offset migration. Takes precedence over include patterns. Useful for excluding system or temporary groups.

Type: array

    # Examples:
    exclude: [".*-test", ".*-temp", "connect-.*"]
    exclude: ["dev-.*", "local-.*"]

consumer_groups.fetch_timeout

Maximum time to wait for data when fetching records for timestamp-based offset translation. Increase for clusters with low message throughput.

Type: string
Default: 10s

    # Examples:
    fetch_timeout: 1s # Fast clusters
    fetch_timeout: 10s # Slower clusters

consumer_groups.include[]

Regular expressions for consumer groups to include in offset migration. If empty, all groups are included (unless excluded).

Type: array

    # Examples:
    include: ["prod-.*", "staging-.*"]
    include: ["app-.*", "service-.*"]

consumer_groups.interval

How often to synchronise consumer group offsets. Regular syncing helps maintain offset accuracy during ongoing migration.

Type: string
Default: 1m

    # Examples:
    interval: 0s # Disabled
    interval: 30s # Sync every 30 seconds
    interval: 5m # Sync every 5 minutes

consumer_groups.only_empty

Whether to only migrate Empty consumer groups. When false (default), all statuses except Dead are included; when true, only Empty groups are migrated.

Type: bool
Default: false

idempotent_write

Enable the idempotent write producer option. This requires the IDEMPOTENT_WRITE permission on CLUSTER. Disable this option if the IDEMPOTENT_WRITE permission is unavailable.

Type: bool
Default: true

max_message_bytes

The maximum space in bytes that an individual message may use. Messages larger than this value are rejected. This field corresponds to Kafka’s max.message.bytes.
Type: string
Default: 1MiB

    # Examples:
    max_message_bytes: 100MB
    max_message_bytes: 50mib

metadata_max_age

The maximum period of time after which metadata is refreshed. This field accepts Go duration format strings such as 100ms, 1s, or 5s.

Type: string
Default: 5m

partitioner

Override the default murmur2 hashing partitioner.

Type: string

| Option | Summary |
|---|---|
| least_backup | Chooses the least backed up partition (the partition with the fewest buffered records). Partitions are selected per batch. |
| manual | Manually select a partition for each message. Requires the partition field to be specified. |
| murmur2_hash | Kafka’s default hash algorithm that uses a 32-bit murmur2 hash of the key to compute which partition the record will be on. |
| round_robin | Round-robins messages through all available partitions. This algorithm has lower throughput and causes higher CPU load on brokers, but can be useful if you want to ensure an even distribution of records to partitions. |

request_timeout_overhead

Grants an additional buffer or overhead to requests that have timeout fields defined. This field is based on the behavior of Apache Kafka’s request.timeout.ms parameter, but with the option to extend the timeout deadline.

Type: string
Default: 10s

sasl[]

Specify one or more methods of SASL authentication, which are tried in order. If the broker supports the first mechanism, all connections will use that mechanism. If the first mechanism fails, the client picks the first supported mechanism. Connections fail if the broker does not support any client mechanisms.

Type: object

    # Examples:
    sasl:
      - mechanism: SCRAM-SHA-512
        password: bar
        username: foo

sasl[].aws

Contains AWS specific fields for when the mechanism is set to AWS_MSK_IAM.

Type: object

sasl[].aws.credentials

Optional manual configuration of AWS credentials to use. More information can be found in Amazon Web Services.
Type: object

sasl[].aws.credentials.from_ec2_role

Use the credentials of a host EC2 machine configured to assume an IAM role associated with the instance. Requires version 4.2.0 or later.

Type: bool

sasl[].aws.credentials.id

The ID of credentials to use.

Type: string

sasl[].aws.credentials.profile

A profile from ~/.aws/credentials to use.

Type: string

sasl[].aws.credentials.role

A role ARN to assume.

Type: string

sasl[].aws.credentials.role_external_id

An external ID to provide when assuming a role.

Type: string

sasl[].aws.credentials.secret

The secret for the credentials being used. This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets.

Type: string

sasl[].aws.credentials.token

The token for the credentials being used, required when using short term credentials.

Type: string

sasl[].aws.endpoint

Allows you to specify a custom endpoint for the AWS API.

Type: string

sasl[].aws.region

The AWS region to target.

Type: string

sasl[].extensions

Key/value pairs to add to OAUTHBEARER authentication requests.

Type: string

sasl[].mechanism

The SASL mechanism to use.

Type: string

| Option | Summary |
|---|---|
| AWS_MSK_IAM | AWS IAM based authentication as specified by the 'aws-msk-iam-auth' Java library. |
| OAUTHBEARER | OAuth Bearer based authentication. |
| PLAIN | Plain text authentication. |
| SCRAM-SHA-256 | SCRAM based authentication as specified in RFC5802. |
| SCRAM-SHA-512 | SCRAM based authentication as specified in RFC5802. |
| none | Disable SASL authentication. |

sasl[].password

A password to provide for PLAIN or SCRAM-* authentication. This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets.

Type: string
Default: ""

sasl[].token

The token to use for a single session’s OAUTHBEARER authentication.

Type: string
Default: ""

sasl[].username

A username to provide for PLAIN or SCRAM-* authentication.
Type: string
Default: ""

schema_registry

Configuration for schema registry integration. Enables migration of schema subjects, versions, and compatibility settings between clusters.

Type: object

schema_registry.basic_auth

Allows you to specify basic authentication.

Type: object

schema_registry.basic_auth.enabled

Whether to use basic authentication in requests.

Type: bool
Default: false

schema_registry.basic_auth.password

A password to authenticate with. This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets.

Type: string
Default: ""

schema_registry.basic_auth.username

A username to authenticate as.

Type: string
Default: ""

schema_registry.enabled

Whether schema registry migration is enabled. When disabled, no schema operations are performed.

Type: bool
Default: true

schema_registry.exclude[]

Regular expressions for schema subjects to exclude from migration. Takes precedence over include patterns.

Type: array

    # Examples:
    exclude: [".*-test", ".*-temp"]
    exclude: ["dev-.*", "local-.*"]

schema_registry.include[]

Regular expressions for schema subjects to include in migration. If empty, all subjects are included (unless excluded).

Type: array

    # Examples:
    include: ["prod-.*", "staging-.*"]
    include: ["user-.*", "order-.*"]

schema_registry.include_deleted

Whether to include soft-deleted schemas in migration. Useful for complete migration but may not be supported by all schema registries.

Type: bool
Default: false

schema_registry.interval

How often to synchronise schema registry subjects. Set to 0s for one-time sync at startup only.

Type: string
Default: 0s

    # Examples:
    interval: 0s # One-time sync only
    interval: 5m # Sync every 5 minutes
    interval: 30m # Sync every 30 minutes

schema_registry.jwt (Beta)

Allows you to specify JWT authentication.

Type: object

schema_registry.jwt.claims

A value used to identify the claims that issued the JWT.
Type: object
Default: {}

schema_registry.jwt.enabled

Whether to use JWT authentication in requests.

Type: bool
Default: false

schema_registry.jwt.headers

Add optional key/value headers to the JWT.

Type: object
Default: {}

schema_registry.jwt.private_key_file

A PEM-encoded private key file in PKCS#1 or PKCS#8 format.

Type: string
Default: ""

schema_registry.jwt.signing_method

A method used to sign the token such as RS256, RS384, RS512 or EdDSA.

Type: string
Default: ""

schema_registry.normalize

Whether to normalize schemas when creating them in the destination registry.

Type: bool
Default: false

schema_registry.oauth

Allows you to specify open authentication via OAuth version 1.

Type: object

schema_registry.oauth.access_token

A value used to gain access to the protected resources on behalf of the user.

Type: string
Default: ""

schema_registry.oauth.access_token_secret

A secret provided in order to establish ownership of a given access token. This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets.

Type: string
Default: ""

schema_registry.oauth.consumer_key

A value used to identify the client to the service provider.

Type: string
Default: ""

schema_registry.oauth.consumer_secret

A secret used to establish ownership of the consumer key. This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets.

Type: string
Default: ""

schema_registry.oauth.enabled

Whether to use OAuth version 1 in requests.

Type: bool
Default: false

schema_registry.strict

Error on unknown schema IDs. Only relevant when translate_ids is true. When false (default), unknown schema IDs are passed through unchanged, allowing migration of topics with mixed message formats. Note: messages with 0-byte prefixes (e.g., protobuf) cannot be distinguished from schema registry headers and may fail when strict is enabled.
Type: bool
Default: false

schema_registry.subject

Template for transforming subject names during migration. Use interpolation to rename subjects systematically. This field supports interpolation functions.

Type: string

    # Examples:
    subject: "prod_${! metadata('schema_registry_subject') }"
    subject: "${! metadata('schema_registry_subject') | replace('dev_', 'prod_') }"

schema_registry.tls

Custom TLS settings can be used to override system defaults.

Type: object

schema_registry.tls.client_certs[]

A list of client certificates to use. For each certificate either the fields cert and key, or cert_file and key_file should be specified, but not both.

Type: object
Default: []

    # Examples:
    client_certs:
      - cert: foo
        key: bar
      - cert_file: ./example.pem
        key_file: ./example.key

schema_registry.tls.client_certs[].cert

A plain text certificate to use.

Type: string
Default: ""

schema_registry.tls.client_certs[].cert_file

The path of a certificate to use.

Type: string
Default: ""

schema_registry.tls.client_certs[].key

A plain text certificate key to use. This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets.

Type: string
Default: ""

schema_registry.tls.client_certs[].key_file

The path of a certificate key to use.

Type: string
Default: ""

schema_registry.tls.client_certs[].password

A plain text password for when the private key is password encrypted in PKCS#1 or PKCS#8 format. The obsolete pbeWithMD5AndDES-CBC algorithm is not supported for the PKCS#8 format. Because the obsolete pbeWithMD5AndDES-CBC algorithm does not authenticate the ciphertext, it is vulnerable to padding oracle attacks that can let an attacker recover the plaintext. This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets.
Type: string
Default: ""

    # Examples:
    password: foo
    password: ${KEY_PASSWORD}

schema_registry.tls.enable_renegotiation

Whether to allow the remote server to repeatedly request renegotiation. Enable this option if you’re seeing the error message local error: tls: no renegotiation. Requires version 3.45.0 or later.

Type: bool
Default: false

schema_registry.tls.enabled

Whether custom TLS settings are enabled.

Type: bool
Default: false

schema_registry.tls.root_cas

An optional root certificate authority to use. This is a string, representing a certificate chain from the parent trusted root certificate, to possible intermediate signing certificates, to the host certificate. This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets.

Type: string
Default: ""

    # Examples:
    root_cas: |-
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----

schema_registry.tls.root_cas_file

An optional path of a root certificate authority file to use. This is a file, often with a .pem extension, containing a certificate chain from the parent trusted root certificate, to possible intermediate signing certificates, to the host certificate.

Type: string
Default: ""

    # Examples:
    root_cas_file: ./root_cas.pem

schema_registry.tls.skip_cert_verify

Whether to skip server side certificate verification.

Type: bool
Default: false

schema_registry.translate_ids

Whether to translate schema IDs during migration.

Type: bool
Default: false

schema_registry.url

The base URL of the schema registry service. Required for schema migration functionality.

Type: string

    # Examples:
    url: http://localhost:8081
    url: https://schema-registry.example.com:8081

schema_registry.versions

Which schema versions to migrate. 'latest' migrates only the current version, 'all' migrates complete version history for better compatibility.

Type: string
Default: all
Options: latest, all

seed_brokers[]

A list of broker addresses to connect to.
Use commas to separate multiple addresses in a single list item.

Type: array

    # Examples:
    seed_brokers:
      - "localhost:9092"
      - "foo:9092"
      - "bar:9092"
      - "foo:9092,bar:9092"

serverless

Enable serverless mode for Redpanda Cloud serverless clusters. This restricts topic configurations and schema features to those supported by serverless environments.

Type: bool
Default: false

sync_topic_acls

Whether to synchronise topic ACLs from source to destination cluster. ACLs are transformed safely: ALLOW WRITE permissions are excluded, and ALLOW ALL is downgraded to ALLOW READ to prevent conflicts.

Type: bool
Default: false

timeout

The maximum period of time to wait for message sends before abandoning the request and retrying.

Type: string
Default: 10s

tls

Configure Transport Layer Security (TLS) settings to secure network connections. This includes options for standard TLS as well as mutual TLS (mTLS) authentication where both client and server authenticate each other using certificates.

Key configuration options include enabled to enable TLS, client_certs for mTLS authentication, root_cas/root_cas_file for custom certificate authorities, and skip_cert_verify for development environments.

Type: object

tls.client_certs[]

A list of client certificates for mutual TLS (mTLS) authentication. Configure this field to enable mTLS, authenticating the client to the server with these certificates. You must set tls.enabled: true for the client certificates to take effect.

Certificate pairing rules: For each certificate item, provide either:

- Inline PEM data using both cert and key, or
- File paths using both cert_file and key_file.

Mixing inline and file-based values within the same item is not supported.

Type: object
Default: []

    # Examples:
    client_certs:
      - cert: foo
        key: bar
      - cert_file: ./example.pem
        key_file: ./example.key

tls.client_certs[].cert

A plain text certificate to use.

Type: string
Default: ""

tls.client_certs[].cert_file

The path of a certificate to use.
Type: string
Default: ""

tls.client_certs[].key

A plain text certificate key to use. This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets.

Type: string
Default: ""

tls.client_certs[].key_file

The path of a certificate key to use.

Type: string
Default: ""

tls.client_certs[].password

A plain text password for when the private key is password encrypted in PKCS#1 or PKCS#8 format. The obsolete pbeWithMD5AndDES-CBC algorithm is not supported for the PKCS#8 format. Because the obsolete pbeWithMD5AndDES-CBC algorithm does not authenticate the ciphertext, it is vulnerable to padding oracle attacks that can let an attacker recover the plaintext. This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets.

Type: string
Default: ""

    # Examples:
    password: foo
    password: ${KEY_PASSWORD}

tls.enable_renegotiation

Whether to allow the remote server to repeatedly request renegotiation. Enable this option if you’re seeing the error message local error: tls: no renegotiation. Requires version 3.45.0 or later.

Type: bool
Default: false

tls.enabled

Whether custom TLS settings are enabled.

Type: bool
Default: false

tls.root_cas

Specify a root certificate authority to use (optional). This is a string that represents a certificate chain from the parent-trusted root certificate, through possible intermediate signing certificates, to the host certificate. Use either this field for inline certificate data or root_cas_file for file-based certificate loading. This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets.

Type: string
Default: ""

    # Examples:
    root_cas: |-
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----

tls.root_cas_file

Specify the path to a root certificate authority file (optional).
This is a file, often with a .pem extension, which contains a certificate chain from the parent-trusted root certificate, through possible intermediate signing certificates, to the host certificate. Use either this field for file-based certificate loading or root_cas for inline certificate data.

Type: string
Default: ""

    # Examples:
    root_cas_file: ./root_cas.pem

tls.skip_cert_verify

Whether to skip server-side certificate verification. Set to true only for testing environments as this reduces security by disabling certificate validation. When using self-signed certificates or in development, this may be necessary, but should never be used in production. Consider using root_cas or root_cas_file to specify trusted certificates instead of disabling verification entirely.

Type: bool
Default: false

topic

A topic to write messages to. This field supports interpolation functions.

Type: string
Default: ${! @kafka_topic }

    # Examples:
    topic: prod_${! @kafka_topic }

topic_replication_factor

The replication factor for created topics. If not specified, inherits the replication factor from source topics. Useful when migrating to clusters with different sizes.

Type: int

    # Examples:
    topic_replication_factor: 3
    topic_replication_factor: 1 # For single-node clusters
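As a rough illustration of how the broker connection fields and topic fields in this reference might be combined, the sketch below configures mTLS with file-based certificates, SCRAM authentication, a topic prefix, and an explicit replication factor. The broker address, file paths, username, and the SASL_PASSWORD environment variable are placeholders, not values taken from a real deployment. The example is an output fragment only and would still need a paired redpanda_migrator input.

```yaml
# Sketch only: the address, paths, and credentials below are placeholders.
output:
  redpanda_migrator:
    seed_brokers: ["destination:9093"]
    tls:
      enabled: true                    # required for client_certs to take effect
      root_cas_file: ./root_cas.pem    # prefer this over skip_cert_verify
      client_certs:
        - cert_file: ./example.pem     # file-based pair; do not mix with inline cert/key
          key_file: ./example.key
    sasl:
      - mechanism: SCRAM-SHA-512
        username: foo
        password: ${SASL_PASSWORD}     # hypothetical environment variable
    topic: prod_${! @kafka_topic }     # prefix the source topic name
    topic_replication_factor: 3        # omit to inherit from the source topic
```

Reading the password from an environment variable follows the same pattern as the password: ${KEY_PASSWORD} example in the field reference and keeps the secret out of the configuration file.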