Streaming
Streaming releases
Supported
0
End of life
0
Configure Redpanda Console
Redpanda Console loads configuration properties from three sources, in the following order of precedence:
-
Environment variables
-
YAML file configuration (recommended)
-
Command-line arguments
Environment variables and YAML configurations can overwrite input that is set on the command line.
YAML file configuration
The recommended configuration source is a YAML file. You can specify the path to the configuration file by setting either
the -config.filepath flag or the CONFIG_FILEPATH environment variable.
A reference configuration file is provided under Complete configuration file example.
In Linux package installations, this file is located in /etc/redpanda/redpanda-console-config.yaml by default and Redpanda Console is configured to read from this file path.
In containerized environments, ensure that the configuration file is mounted to a directory accessible by the Redpanda Console container. When the file is mounted, you can specify its file path using the -config.filepath flag or the CONFIG_FILEPATH environment variable.
Environment variables
Configuration options can be configured using environment variables. The key for the environment variable is auto-generated by converting the YAML equivalent to uppercase and adding an underscore for each indentation level. For example:
| YAML | Environment Variable |
|---|---|
|
|
|
|
For configuration properties that expect a list of values, use commas between each value. For example:
KAFKA_BROKERS=redpanda-0:9092,redpanda-1:9092,redpanda-2:9092| You cannot use environment variables to configure object arrays, such as the configuration for Kafka Connect clusters. In this case, use a YAML file, and provide secrets using environment variables or command line arguments. |
Docker Compose example
If you are using Docker Compose, you can mount the configuration file and set the environment variable in your docker-compose.yml file:
console:
container_name: redpanda-console
image: docker.redpanda.com/redpandadata/console:latest
entrypoint: /bin/sh
command: -c 'echo "$$CONSOLE_CONFIG_FILE" > /tmp/config.yml
volumes:
- ./config:/tmp/config/
environment:
CONFIG_FILEPATH: ${CONFIG_FILEPATH:-/tmp/config.yml}
CONSOLE_CONFIG_FILE: |
# Configure a connection to the Redpanda cluster
# See https://docs.redpanda.com/current/console/config/connect-to-redpanda/
kafka:
brokers: ["redpanda-0:9092","redpanda-1:9092","redpanda-2:9092"]Complete configuration file example
The following YAML file contains a complete list of all Redpanda Console configuration properties and their descriptions. All values are default values.
|
redpanda-console-config.yaml
# This is an example configuration file for Redpanda Console v3.x.x
#----------------------------------------------------------------------------
# Kafka configuration
#----------------------------------------------------------------------------
kafka:
# Brokers is a list of bootstrap servers with ports.
brokers:
- "broker-0.mycompany.com:19092"
- "broker-1.mycompany.com:19092"
- "broker-2.mycompany.com:19092"
# Optional: Client ID used to identify Console to the Kafka cluster.
# clientId: "console"
# Optional: Rack identifier to optimize message consumption in multi-zone clusters.
# rackId: "zone-a"
# sasl:
# enabled: true
# Supported mechanisms include:
# - OAUTHBEARER (OIDC)
# - SCRAM-SHA-256 or SCRAM-SHA-512 (basic authentication)
# - GSSAPI (Kerberos); if using Kerberos, ensure impersonateUser is false.
# - AWS_MSK_IAM (AWS MSK IAM)
# mechanism: SCRAM-SHA-256
# impersonateUser: false
# oauth:
# token: "example-oauth-token"
# clientId: "example-client-id"
# clientSecret: "example-client-secret"
# tokenEndpoint: "https://accounts.google.com/token"
# tokenFilepath: "/var/run/secrets/kafka/serviceaccount/token"
# scope: "openid"
# Example for basic authentication (uncomment to use):
# username: "your-username"
# password: "your-password"
# Example for GSSAPI (Kerberos) - impersonateUser must be false:
# gssapi:
# authType: KEYTAB_AUTH
# keyTabPath: "/path/to/keytab"
# kerberosConfigPath: "/path/to/krb5.conf"
# serviceName: "kafka"
# username: "your-username"
# password: "your-password"
# realm: "MY.REALM"
# enableFast: true
# tls:
# enabled: false
# Uncomment and set the following paths if TLS is required:
# caFilepath: "/path/to/ca-cert.pem"
# certFilepath: "/path/to/client-cert.pem"
# keyFilepath: "/path/to/client-key.pem"
# insecureSkipTlsVerify: false
# Startup is a configuration block to specify how often and with what delays
# we should try to connect to the Kafka service. If all attempts fail the
# application exits with code 1.
# startup:
# maxRetries: 5
# retryInterval: 1s
# maxRetryInterval 60s
# backoffMultiplier: 2
#----------------------------------------------------------------------------
# Schema Registry configuration (top-level)
#----------------------------------------------------------------------------
schemaRegistry:
enabled: true
urls:
- "http://schema-registry.mycompany.com:8081"
# Optional: Authentication for Schema Registry.
# authentication:
# basic:
# username: "example-user"
# password: "example-password"
# bearerToken: "example-bearer-token"
tls:
enabled: false
# Uncomment and configure if TLS is required:
# caFilepath: "/path/to/ca-cert.pem"
# certFilepath: "/path/to/client-cert.pem"
# keyFilepath: "/path/to/client-key.pem"
# insecureSkipTlsVerify: false
#----------------------------------------------------------------------------
# Console authentication
#----------------------------------------------------------------------------
authentication:
jwtSigningKey: "secret-value"
useSecureCookies: true
# Optionally enable cookie chunking if cookie size is an issue.
# useCookieChunking: false
# OIDC configuration (if using OIDC):
# oidc:
# enabled: true
# issuerUrl: "https://accounts.google.com"
# clientId: "your-oidc-client-id"
# clientSecret: "your-oidc-client-secret"
# redirectUrl: "http://localhost:9090/auth/callbacks/oidc"
# successfulLoginRedirectUrl: "http://localhost:3000"
# accessType: "offline"
# prompt: "consent"
# issuerTls:
# enabled: true
# caFilepath: "/path/to/ca.pem"
# certFilepath: "/path/to/issuer-cert.pem"
# keyFilepath: "/path/to/issuer-key.pem"
# insecureSkipTlsVerify: false
# Basic authentication is supported by default.
#----------------------------------------------------------------------------
# Console authorization and role bindings
#----------------------------------------------------------------------------
authorization:
roleBindings:
- roleName: admin
users:
- loginType: OIDC
name: "admin@mycompany.com"
- roleName: viewer
users:
- loginType: basic
name: "user@mycompany.com"
#----------------------------------------------------------------------------
# Redpanda Admin API configuration
#----------------------------------------------------------------------------
redpanda:
adminApi:
enabled: true
urls:
- "admin-0.mycompany.com:9644"
- "admin-1.mycompany.com:9644"
authentication:
impersonateUser: true
# If impersonateUser is false, configure static credentials here:
# authentication:
# basic:
# username: "example-user"
# password: "example-password"
startup:
establishConnectionEagerly: true
maxRetries: 5
retryInterval: 1s
maxRetryInterval: 60s
backoffMultiplier: 2
tls:
enabled: true
caFilepath: "/path/to/ca-cert.pem"
certFilepath: "/path/to/client-cert.pem"
keyFilepath: "/path/to/client-key.pem"
insecureSkipTlsVerify: false
#----------------------------------------------------------------------------
# Kafka Connect configuration (optional)
#----------------------------------------------------------------------------
kafkaConnect:
enabled: false
# connectTimeout: 15s
# readTimeout: 60s
# requestTimeout: 6s
clusters: []
# Example:
# clusters:
# - name: my-connect-cluster
# url: "http://connect.mycompany.com:8083"
# tls:
# enabled: false
# username: "connect-user"
# password: "connect-password"
# token: "optional-token"
#----------------------------------------------------------------------------
# Enterprise License configuration (optional)
#----------------------------------------------------------------------------
# To mount an enterprise license, set either license or licenseFilepath.
# This is only required if you want to use an enterprise feature
# such as SSO or RBAC.
# Filepath to your redpanda.license file
# licenseFilepath: ""
# License string.
# license: ""
#----------------------------------------------------------------------------
# Serde settings
#----------------------------------------------------------------------------
serde:
maxDeserializationPayloadSize: 20480
# protobuf:
# enabled: false
# mappings: []
# Map the Proto type names for each of your topics.
# These Proto types will be used for deserialization.
# - topicName: xy
# You can specify the Proto type for the record key
# and/or value (just one will work too)
# valueProtoType: fake_model.Order
# keyProtoType: package.Type
# Configure the fileSystem if you want Redpanda Console to
# search the local file system for the Proto files
# fileSystem:
# enabled: false
# paths: []
# refreshInterval: 5m
# importPaths is a list of paths from which to import Proto files into Redpanda Console.
# Paths are relative to the root directory.
# The `git` configuration must be enabled to use this feature.
#importPaths: []
# Git is where the Proto files come from.
# git:
# enabled: false
# repository:
# url:
# branch: (defaults to primary/default branch)
# baseDirectory: (defaults to the root directory of the repo/branch above)
# How often Redpanda Console pulls the repository to look for new files.
# Set to 0 to disable periodic pulls.
# refreshInterval: 5m
# To use GitHub's personal access tokens, use `token`
# as username and pass the token as password.
# basicAuth:
# enabled: true
# username: token
# Password can also be set using the --serde.protobuf.git.basic-auth.password flag.
# password:
# You can pass the private key file directly using a flag on the command line, or you can specify it in the
# yaml configuration file. Another alternative is to provide the filepath to a mounted key
# file in this configuration block.
# ssh:
# enabled: false
# username:
# privateKey can also be set using the --serde.protobuf.git.ssh.private-key flag.
# privateKey:
# privateKeyFilepath:
# Passphrase can also be set using the --serde.protobuf.git.ssh.passphrase flag.
# passphrase:
# messagePack:
# enabled: false
# List of topic name regexes, defaults to /.*/
# topicNames: ["/.*/"]
#----------------------------------------------------------------------------
# Console settings
#----------------------------------------------------------------------------
console:
topicDocumentation:
enabled: false
# git:
# enabled: false
# repository:
# url:
# branch: (defaults to primary/default branch)
# baseDirectory: .
# How often Console pulls the repository to look for new files.
# Set to 0 to disable periodic pulls.
# refreshInterval: 1m
# To use GitHub's personal access tokens, use `token`
# for the username and pass the token as password.
# basicAuth:
# enabled: true
# username: token
# password:
# ssh:
# enabled: false
# username:
# privateKey:
# privateKeyFilepath:
# passphrase:
#----------------------------------------------------------------------------
# Server settings
#----------------------------------------------------------------------------
server:
listenAddress: "0.0.0.0"
listenPort: 8080
httpsListenPort: 8081
advertisedHttpsListenPort: 443
gracefulShutdownTimeout: 30s
readTimeout: 30s
writeTimeout: 30s
idleTimeout: 30s
compressionLevel: 4
basePath: ""
setBasePathFromXForwardedPrefix: true
stripPrefix: true
tls:
enabled: false
# Uncomment and configure if HTTPS is required:
# certFilepath: "/path/to/https-cert.pem"
# keyFilepath: "/path/to/https-key.pem"
allowedOrigins: []
#----------------------------------------------------------------------------
# Logger settings
#----------------------------------------------------------------------------
logger:
level: info
#----------------------------------------------------------------------------
# Developer settings
#----------------------------------------------------------------------------
# Only relevant for developers who want to run the frontend separately.
# Uncomment the following line to serve the frontend separately.
# serveFrontend: true
#----------------------------------------------------------------------------
# Metrics settings
#----------------------------------------------------------------------------
# Prefix for all exported Prometheus metrics.
# Uncomment and set your metrics namespace.
# metricsNamespace: "console"
#----------------------------------------------------------------------------
# Analytics / telemetry (optional)
#----------------------------------------------------------------------------
analytics:
enabled: trueWas this helpful?
