# Configure Redpanda Console > For the complete documentation index, see [llms.txt](https://docs.redpanda.com/llms.txt). Component-specific: [streaming-full.txt](https://docs.redpanda.com/streaming-full.txt) --- title: Configure Redpanda Console latest-redpanda-tag: v25.1.1 latest-console-tag: v3.7.3 latest-operator-version: v26.1.4 # EOL = End-of-Life (support lifecycle status) page-is-nearing-eol: "false" page-is-past-eol: "true" page-eol-date: April 7, 2026 latest-connect-version: 4.93.0 docname: config/configure-console page-component-name: streaming page-version: "25.1" page-component-version: "25.1" page-component-title: Streaming page-relative-src-path: config/configure-console.adoc page-edit-url: https://github.com/redpanda-data/docs/edit/v/25.1/modules/console/pages/config/configure-console.adoc description: Redpanda Console configuration file with property descriptions. page-git-created-date: "2024-09-11" page-git-modified-date: "2025-06-18" support-status: past end-of-life --- Redpanda Console loads configuration properties from three sources, in the following order of precedence: 1. Environment variables 2. YAML file configuration (recommended) 3. Command-line arguments Environment variables and YAML configurations can overwrite input that is set on the command line. ## [](#yaml-file-configuration)YAML file configuration The recommended configuration source is a YAML file. You can specify the path to the configuration file by setting either the `-config.filepath` flag or the `CONFIG_FILEPATH` environment variable. A reference configuration file is provided under [Complete configuration file example](#complete-configuration-file-example). In Linux package installations, this file is located in `/etc/redpanda/redpanda-console-config.yaml` by default and Redpanda Console is configured to read from this file path. In containerized environments, ensure that the configuration file is mounted to a directory accessible by the Redpanda Console container. When the file is mounted, you can specify its file path using the `-config.filepath` flag or the `CONFIG_FILEPATH` environment variable. ## [](#environment-variables)Environment variables Configuration options can be configured using environment variables. The key for the environment variable is auto-generated by converting the YAML equivalent to uppercase and adding an underscore for each indentation level. For example: | YAML | Environment Variable | | --- | --- | | kafka.rackId | KAFKA_RACKID | | kafka.tls.caFilepath | KAFKA_TLS_CAFILEPATH | For configuration properties that expect a list of values, use commas between each value. For example: ```bash KAFKA_BROKERS=redpanda-0:9092,redpanda-1:9092,redpanda-2:9092 ``` > 📝 **NOTE** > > You cannot use environment variables to configure object arrays, such as the configuration for Kafka Connect clusters. In this case, use a YAML file, and provide secrets using environment variables or command line arguments. ## [](#docker-compose-example)Docker Compose example If you are using Docker Compose, you can mount the configuration file and set the environment variable in your `docker-compose.yml` file: ```yaml console: container_name: redpanda-console image: docker.redpanda.com/redpandadata/console:latest entrypoint: /bin/sh command: -c 'echo "$$CONSOLE_CONFIG_FILE" > /tmp/config.yml volumes: - ./config:/tmp/config/ environment: CONFIG_FILEPATH: ${CONFIG_FILEPATH:-/tmp/config.yml} CONSOLE_CONFIG_FILE: | # Configure a connection to the Redpanda cluster # See https://docs.redpanda.com/current/console/config/connect-to-redpanda/ kafka: brokers: ["redpanda-0:9092","redpanda-1:9092","redpanda-2:9092"] ``` ## [](#complete-configuration-file-example)Complete configuration file example The following YAML file contains a complete list of all Redpanda Console configuration properties and their descriptions. All values are default values. > ⚠️ **CAUTION** > > - Where necessary, ensure that values are enclosed in quotes and escaped. For example, put passwords with special characters in single quotes. > > - This configuration file contains both Redpanda Enterprise and Redpanda Community Edition configurations. If you don’t provide an enterprise license, Redpanda Console ignores configurations for enterprise features. [Download the sample file](https://docs.redpanda.com/streaming/25.1/shared/_attachments/redpanda-console-config.yaml). redpanda-console-config.yaml ```yaml # This is an example configuration file for Redpanda Console v3.x.x #---------------------------------------------------------------------------- # Kafka configuration #---------------------------------------------------------------------------- kafka: # Brokers is a list of bootstrap servers with ports. brokers: - "broker-0.mycompany.com:19092" - "broker-1.mycompany.com:19092" - "broker-2.mycompany.com:19092" # Optional: Client ID used to identify Console to the Kafka cluster. # clientId: "console" # Optional: Rack identifier to optimize message consumption in multi-zone clusters. # rackId: "zone-a" # sasl: # enabled: true # Supported mechanisms include: # - OAUTHBEARER (OIDC) # - SCRAM-SHA-256 or SCRAM-SHA-512 (basic authentication) # - GSSAPI (Kerberos); if using Kerberos, ensure impersonateUser is false. # - AWS_MSK_IAM (AWS MSK IAM) # mechanism: SCRAM-SHA-256 # impersonateUser: false # oauth: # token: "example-oauth-token" # clientId: "example-client-id" # clientSecret: "example-client-secret" # tokenEndpoint: "https://accounts.google.com/token" # tokenFilepath: "/var/run/secrets/kafka/serviceaccount/token" # scope: "openid" # Example for basic authentication (uncomment to use): # username: "your-username" # password: "your-password" # Example for GSSAPI (Kerberos) - impersonateUser must be false: # gssapi: # authType: KEYTAB_AUTH # keyTabPath: "/path/to/keytab" # kerberosConfigPath: "/path/to/krb5.conf" # serviceName: "kafka" # username: "your-username" # password: "your-password" # realm: "MY.REALM" # enableFast: true # tls: # enabled: false # Uncomment and set the following paths if TLS is required: # caFilepath: "/path/to/ca-cert.pem" # certFilepath: "/path/to/client-cert.pem" # keyFilepath: "/path/to/client-key.pem" # insecureSkipTlsVerify: false # Startup is a configuration block to specify how often and with what delays # we should try to connect to the Kafka service. If all attempts fail the # application exits with code 1. # startup: # maxRetries: 5 # retryInterval: 1s # maxRetryInterval 60s # backoffMultiplier: 2 #---------------------------------------------------------------------------- # Schema Registry configuration (top-level) #---------------------------------------------------------------------------- schemaRegistry: enabled: true urls: - "http://schema-registry.mycompany.com:8081" # Optional: Authentication for Schema Registry. # authentication: # basic: # username: "example-user" # password: "example-password" # bearerToken: "example-bearer-token" tls: enabled: false # Uncomment and configure if TLS is required: # caFilepath: "/path/to/ca-cert.pem" # certFilepath: "/path/to/client-cert.pem" # keyFilepath: "/path/to/client-key.pem" # insecureSkipTlsVerify: false #---------------------------------------------------------------------------- # Console authentication #---------------------------------------------------------------------------- authentication: jwtSigningKey: "secret-value" useSecureCookies: true # Optionally enable cookie chunking if cookie size is an issue. # useCookieChunking: false # OIDC configuration (if using OIDC): # oidc: # enabled: true # issuerUrl: "https://accounts.google.com" # clientId: "your-oidc-client-id" # clientSecret: "your-oidc-client-secret" # redirectUrl: "http://localhost:9090/auth/callbacks/oidc" # successfulLoginRedirectUrl: "http://localhost:3000" # accessType: "offline" # prompt: "consent" # issuerTls: # enabled: true # caFilepath: "/path/to/ca.pem" # certFilepath: "/path/to/issuer-cert.pem" # keyFilepath: "/path/to/issuer-key.pem" # insecureSkipTlsVerify: false # Basic authentication is supported by default. #---------------------------------------------------------------------------- # Console authorization and role bindings #---------------------------------------------------------------------------- authorization: roleBindings: - roleName: admin users: - loginType: OIDC name: "admin@mycompany.com" - roleName: viewer users: - loginType: basic name: "user@mycompany.com" #---------------------------------------------------------------------------- # Redpanda Admin API configuration #---------------------------------------------------------------------------- redpanda: adminApi: enabled: true urls: - "admin-0.mycompany.com:9644" - "admin-1.mycompany.com:9644" authentication: impersonateUser: true # If impersonateUser is false, configure static credentials here: # authentication: # basic: # username: "example-user" # password: "example-password" startup: establishConnectionEagerly: true maxRetries: 5 retryInterval: 1s maxRetryInterval: 60s backoffMultiplier: 2 tls: enabled: true caFilepath: "/path/to/ca-cert.pem" certFilepath: "/path/to/client-cert.pem" keyFilepath: "/path/to/client-key.pem" insecureSkipTlsVerify: false #---------------------------------------------------------------------------- # Kafka Connect configuration (optional) #---------------------------------------------------------------------------- kafkaConnect: enabled: false # connectTimeout: 15s # readTimeout: 60s # requestTimeout: 6s clusters: [] # Example: # clusters: # - name: my-connect-cluster # url: "http://connect.mycompany.com:8083" # tls: # enabled: false # username: "connect-user" # password: "connect-password" # token: "optional-token" #---------------------------------------------------------------------------- # Enterprise License configuration (optional) #---------------------------------------------------------------------------- # To mount an enterprise license, set either license or licenseFilepath. # This is only required if you want to use an enterprise feature # such as SSO or RBAC. # Filepath to your redpanda.license file # licenseFilepath: "" # License string. # license: "" #---------------------------------------------------------------------------- # Serde settings #---------------------------------------------------------------------------- serde: maxDeserializationPayloadSize: 20480 # protobuf: # enabled: false # mappings: [] # Map the Proto type names for each of your topics. # These Proto types will be used for deserialization. # - topicName: xy # You can specify the Proto type for the record key # and/or value (just one will work too) # valueProtoType: fake_model.Order # keyProtoType: package.Type # Configure the fileSystem if you want Redpanda Console to # search the local file system for the Proto files # fileSystem: # enabled: false # paths: [] # refreshInterval: 5m # importPaths is a list of paths from which to import Proto files into Redpanda Console. # Paths are relative to the root directory. # The `git` configuration must be enabled to use this feature. #importPaths: [] # Git is where the Proto files come from. # git: # enabled: false # repository: # url: # branch: (defaults to primary/default branch) # baseDirectory: (defaults to the root directory of the repo/branch above) # How often Redpanda Console pulls the repository to look for new files. # Set to 0 to disable periodic pulls. # refreshInterval: 5m # To use GitHub's personal access tokens, use `token` # as username and pass the token as password. # basicAuth: # enabled: true # username: token # Password can also be set using the --serde.protobuf.git.basic-auth.password flag. # password: # You can pass the private key file directly using a flag on the command line, or you can specify it in the # yaml configuration file. Another alternative is to provide the filepath to a mounted key # file in this configuration block. # ssh: # enabled: false # username: # privateKey can also be set using the --serde.protobuf.git.ssh.private-key flag. # privateKey: # privateKeyFilepath: # Passphrase can also be set using the --serde.protobuf.git.ssh.passphrase flag. # passphrase: # messagePack: # enabled: false # List of topic name regexes, defaults to /.*/ # topicNames: ["/.*/"] #---------------------------------------------------------------------------- # Console settings #---------------------------------------------------------------------------- console: topicDocumentation: enabled: false # git: # enabled: false # repository: # url: # branch: (defaults to primary/default branch) # baseDirectory: . # How often Console pulls the repository to look for new files. # Set to 0 to disable periodic pulls. # refreshInterval: 1m # To use GitHub's personal access tokens, use `token` # for the username and pass the token as password. # basicAuth: # enabled: true # username: token # password: # ssh: # enabled: false # username: # privateKey: # privateKeyFilepath: # passphrase: #---------------------------------------------------------------------------- # Server settings #---------------------------------------------------------------------------- server: listenAddress: "0.0.0.0" listenPort: 8080 httpsListenPort: 8081 advertisedHttpsListenPort: 443 gracefulShutdownTimeout: 30s readTimeout: 30s writeTimeout: 30s idleTimeout: 30s compressionLevel: 4 basePath: "" setBasePathFromXForwardedPrefix: true stripPrefix: true tls: enabled: false # Uncomment and configure if HTTPS is required: # certFilepath: "/path/to/https-cert.pem" # keyFilepath: "/path/to/https-key.pem" allowedOrigins: [] #---------------------------------------------------------------------------- # Logger settings #---------------------------------------------------------------------------- logger: level: info #---------------------------------------------------------------------------- # Developer settings #---------------------------------------------------------------------------- # Only relevant for developers who want to run the frontend separately. # Uncomment the following line to serve the frontend separately. # serveFrontend: true #---------------------------------------------------------------------------- # Metrics settings #---------------------------------------------------------------------------- # Prefix for all exported Prometheus metrics. # Uncomment and set your metrics namespace. # metricsNamespace: "console" #---------------------------------------------------------------------------- # Analytics / telemetry (optional) #---------------------------------------------------------------------------- analytics: enabled: true ```