Configure Redpanda Console
Redpanda Console loads configuration properties from three sources, in the following order of precedence:
- Environment variables
- YAML file configuration
- Command-line arguments
Environment variables and YAML configurations can overwrite input that is set on the command line.
Environment variable mapping
Configuration options can be set using environment variables. The key for the environment variable is auto-generated by converting the YAML equivalent to uppercase and adding an underscore for each indentation level.
For example:
| YAML | Environment variable |
|---|---|
|
|
|
|
For configuration properties that expect a list of values, use commas between each value. For example:
KAFKA_BROKERS=redpanda-0:9092,redpanda-1:9092,redpanda-2:9092
| You cannot use environment variables to configure object arrays, such as the configuration for Kafka Connect clusters. In this case, use a YAML file, and provide secrets using environment variables or command line arguments. |
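The mapping rule and the list and object-array caveats above, as an added example that is not part of the Redpanda documentation or code base: it derives environment variable names from a parsed configuration, reports object arrays that have to stay in the YAML file, and lists plain-text secrets that are candidates for environment variables. The `SECRET_KEYS` list, the function names, and the sample values are assumptions constructed for this illustration.

```python
# Added example, not Redpanda code. SECRET_KEYS is an assumed list of secret key names.
SECRET_KEYS = {"password", "clientSecret", "jwtSigningKey", "token",
               "bearerToken", "privateKey", "passphrase"}


def env_name(path):
    """Uppercase every YAML key; one underscore per indentation level."""
    return "_".join(key.upper() for key in path)


def to_env(config, path=()):
    """Return (env, unmappable). Object arrays cannot be expressed as
    environment variables, so their dotted paths go in `unmappable`."""
    env, unmappable = {}, []
    for key, value in config.items():
        here = path + (key,)
        if isinstance(value, dict):
            sub_env, sub_bad = to_env(value, here)
            env.update(sub_env)
            unmappable += sub_bad
        elif isinstance(value, list):
            if any(isinstance(item, (dict, list)) for item in value):
                unmappable.append(".".join(here))
            else:  # list of scalars: comma-separated
                env[env_name(here)] = ",".join(map(str, value))
        else:
            env[env_name(here)] = str(value).lower() if isinstance(value, bool) else str(value)
    return env, unmappable


def inline_secrets(config):
    """Env var names of secrets written in plain text in the config."""
    env, _ = to_env(config)
    suffixes = {key.upper() for key in SECRET_KEYS}
    return [name for name, value in env.items()
            if name.rsplit("_", 1)[-1] in suffixes and value]


# Constructed sample: a parsed config file with placeholder values.
SAMPLE = {
    "kafka": {
        "brokers": ["redpanda-0:9092", "redpanda-1:9092", "redpanda-2:9092"],
        "sasl": {"enabled": True, "mechanism": "SCRAM-SHA-256",
                 "username": "console", "password": "example-password"},
    },
    "authentication": {"jwtSigningKey": "secret-value", "useSecureCookies": True},
    "kafkaConnect": {"enabled": False, "clusters": [
        {"name": "my-connect-cluster", "password": "connect-password"}]},
}
```

Secrets inside an object array, such as the Kafka Connect cluster password in the sample, are not listed by `inline_secrets` because the naming rule has no way to address them.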
Platform-specific configuration
Redpanda Console can be deployed in several ways. The configuration method and file structure you use depends on your deployment scenario. Use the tabs on this page and throughout the docs to find the instructions and examples for your environment.
- Standalone (binary, Docker, or systemd): For users running Redpanda Console as a separate service, either on a VM, bare metal, or in a container (not managed by Kubernetes or the Redpanda Operator/Helm chart).
- Kubernetes embedded: For users running Redpanda Console as part of a Redpanda cluster managed by the Redpanda Operator or the Redpanda Helm chart.
- Kubernetes standalone: For users deploying Redpanda Console in Kubernetes using the dedicated Redpanda Console Helm chart (not as part of a Redpanda cluster).
Use this method when deploying Redpanda Console as a standalone service (binary, Docker, or systemd).
The recommended configuration source is a YAML file. You can specify the path to the configuration file by setting either the -config.filepath flag or the CONFIG_FILEPATH environment variable.
In Linux package installations, this file is located in /etc/redpanda/redpanda-console-config.yaml by default and Redpanda Console is configured to read from this file path.
In containerized environments, ensure that the configuration file is mounted to a directory accessible by the Redpanda Console container. When the file is mounted, you can specify its file path using the -config.filepath flag or the CONFIG_FILEPATH environment variable.
Use this method when Redpanda Console is deployed as part of the Redpanda Helm chart or Redpanda Operator.
| When Redpanda Console is embedded in the Redpanda deployment, the Kafka broker configuration is automatically set to connect to the Redpanda cluster in the same deployment. |
Configure Redpanda Console in the console section of your Redpanda custom resource:
redpanda-console.yaml
apiVersion: cluster.redpanda.com/v1alpha2
kind: Console
metadata:
  name: redpanda-console
spec:
  clusterRef:
    name: redpanda # Reference to your Redpanda cluster
  config:
    server:
      listenPort: 8080
    auditLog:
      enabled: false
      additionalHeaders:
        - "X-Forwarded-For"
        - "User-Agent"
    # Add any other Redpanda Console configuration here
Apply the configuration:
kubectl apply -f redpanda-console.yaml --namespace <namespace>
Configure Redpanda Console in the console section of your Redpanda Helm values file:
redpanda-values.yaml
console:
  enabled: true
  console:
    config:
      # kafka:
      #   brokers: [] # You can leave this empty. The chart is already auto-configured to connect to your Redpanda cluster
      server:
        listenPort: 8080
      auditLog:
        enabled: false # default; set to true to write audit logs to stdout
        additionalHeaders: # specifies HTTP headers to include in audit logs
      # Add any other Redpanda Console configuration here
Apply the configuration:
helm upgrade --install redpanda redpanda/redpanda \
--namespace <namespace> \
--values redpanda-values.yaml
Use this method when deploying Redpanda Console as a standalone service in Kubernetes using the dedicated Redpanda Console Helm chart.
When using the standalone Redpanda Console Helm chart, configure Redpanda Console through the config section of your values file:
console-values.yaml
config:
  kafka:
    brokers:
      - redpanda-0.redpanda.svc.cluster.local:9092
      - redpanda-1.redpanda.svc.cluster.local:9092
  server:
    listenPort: 8080
  auditLog:
    enabled: false # default; set to true to write audit logs to stdout
    additionalHeaders: # specifies HTTP headers to include in audit logs
      - "X-Forwarded-For"
      - "User-Agent"
  # Add any other Redpanda Console configuration here
Apply the configuration:
helm upgrade --install console redpanda/console \
--namespace redpanda \
--values console-values.yaml
Docker Compose example
If you are using Docker Compose, you can mount the configuration file and set the environment variable in your docker-compose.yml file:
services:
  console:
    container_name: redpanda-console
    image: docker.redpanda.com/redpandadata/console:v3.7.3
    entrypoint: /bin/sh
    command: -c 'echo "$$CONSOLE_CONFIG_FILE" > /tmp/config.yml'
    volumes:
      - ./config:/tmp/config/
    environment:
      CONFIG_FILEPATH: ${CONFIG_FILEPATH:-/tmp/config.yml}
      CONSOLE_CONFIG_FILE: |
        # Configure a connection to the Redpanda cluster
        # See https://docs.redpanda.com/current/console/config/connect-to-redpanda/
        kafka:
          brokers: ["redpanda-0:9092","redpanda-1:9092","redpanda-2:9092"]
        auditLog:
          enabled: false # default; set to true to write audit logs to stdout
          additionalHeaders: # specifies HTTP headers to include in audit logs
            - "X-Forwarded-For"
            - "User-Agent"
Complete configuration file example
The following YAML file contains a complete list of all Redpanda Console configuration properties and their descriptions. All values are default values.
# This is an example configuration file for Redpanda Console v3.x.x
#----------------------------------------------------------------------------
# Kafka configuration
#----------------------------------------------------------------------------
kafka:
  # Brokers is a list of bootstrap servers with ports.
  brokers:
    - "broker-0.mycompany.com:19092"
    - "broker-1.mycompany.com:19092"
    - "broker-2.mycompany.com:19092"
  # Optional: Client ID used to identify Redpanda Console to the Kafka cluster.
  # clientId: "console"
  # Optional: Rack identifier to optimize message consumption in multi-zone clusters.
  # rackId: "zone-a"
  # sasl:
  #   enabled: true
  #   Supported mechanisms include:
  #     - OAUTHBEARER (OIDC)
  #     - SCRAM-SHA-256 or SCRAM-SHA-512 (basic authentication)
  #     - GSSAPI (Kerberos); if using Kerberos, ensure impersonateUser is false.
  #     - AWS_MSK_IAM (AWS MSK IAM)
  #   mechanism: SCRAM-SHA-256
  #   impersonateUser: false
  #   oauth:
  #     token: "example-oauth-token"
  #     clientId: "example-client-id"
  #     clientSecret: "example-client-secret"
  #     tokenEndpoint: "https://accounts.google.com/token"
  #     tokenFilepath: "/var/run/secrets/kafka/serviceaccount/token"
  #     scope: "openid"
  #   Example for basic authentication (uncomment to use):
  #   username: "your-username"
  #   password: "your-password"
  #   Example for GSSAPI (Kerberos) - impersonateUser must be false:
  #   gssapi:
  #     authType: KEYTAB_AUTH
  #     keyTabPath: "/path/to/keytab"
  #     kerberosConfigPath: "/path/to/krb5.conf"
  #     serviceName: "kafka"
  #     username: "your-username"
  #     password: "your-password"
  #     realm: "MY.REALM"
  #     enableFast: true
  # tls:
  #   enabled: false
  #   Uncomment and set the following paths if TLS is required:
  #   caFilepath: "/path/to/ca-cert.pem"
  #   certFilepath: "/path/to/client-cert.pem"
  #   keyFilepath: "/path/to/client-key.pem"
  #   insecureSkipTlsVerify: false
  # Startup is a configuration block to specify how often and with what delays
  # we should try to connect to the Kafka service. If all attempts fail the
  # application exits with code 1.
  # startup:
  #   maxRetries: 5
  #   retryInterval: 1s
  #   maxRetryInterval: 60s
  #   backoffMultiplier: 2
#----------------------------------------------------------------------------
# Schema Registry configuration (top-level)
#----------------------------------------------------------------------------
schemaRegistry:
  enabled: true
  urls:
    - "http://schema-registry.mycompany.com:8081"
  # Optional: Authentication for Schema Registry.
  # authentication:
  #   basic:
  #     username: "example-user"
  #     password: "example-password"
  #   bearerToken: "example-bearer-token"
  tls:
    enabled: false
    # Uncomment and configure if TLS is required:
    # caFilepath: "/path/to/ca-cert.pem"
    # certFilepath: "/path/to/client-cert.pem"
    # keyFilepath: "/path/to/client-key.pem"
    # insecureSkipTlsVerify: false
#----------------------------------------------------------------------------
# Redpanda Console authentication
#----------------------------------------------------------------------------
authentication:
  jwtSigningKey: "secret-value"
  useSecureCookies: true
  # Maximum browser session age (Enterprise). Accepts duration strings (for example, "90d", "24h", "30m"). Default: 1 year.
  # maximumSessionAge: "90d"
  # Optionally enable cookie chunking if cookie size is an issue.
  # useCookieChunking: false
  # OIDC configuration (if using OIDC):
  # oidc:
  #   enabled: true
  #   issuerUrl: "https://accounts.google.com"
  #   clientId: "your-oidc-client-id"
  #   clientSecret: "your-oidc-client-secret"
  #   redirectUrl: "http://localhost:9090/auth/callbacks/oidc"
  #   successfulLoginRedirectUrl: "http://localhost:3000"
  #   accessType: "offline"
  #   prompt: "consent"
  #   issuerTls:
  #     enabled: true
  #     caFilepath: "/path/to/ca.pem"
  #     certFilepath: "/path/to/issuer-cert.pem"
  #     keyFilepath: "/path/to/issuer-key.pem"
  #     insecureSkipTlsVerify: false
  # Basic authentication is supported by default.
#----------------------------------------------------------------------------
# Redpanda Console authorization and role bindings
#----------------------------------------------------------------------------
authorization:
  roleBindings:
    - roleName: admin
      users:
        - loginType: oidc
          name: "admin@mycompany.com"
    - roleName: viewer
      users:
        - loginType: basic
          name: "user@mycompany.com"
#----------------------------------------------------------------------------
# Redpanda Admin API configuration
#----------------------------------------------------------------------------
redpanda:
  adminApi:
    enabled: true
    urls:
      - "admin-0.mycompany.com:9644"
      - "admin-1.mycompany.com:9644"
    authentication:
      impersonateUser: true
    # If impersonateUser is false, configure static credentials here:
    # authentication:
    #   basic:
    #     username: "example-user"
    #     password: "example-password"
    startup:
      establishConnectionEagerly: true
      maxRetries: 5
      retryInterval: 1s
      maxRetryInterval: 60s
      backoffMultiplier: 2
    tls:
      enabled: true
      caFilepath: "/path/to/ca-cert.pem"
      certFilepath: "/path/to/client-cert.pem"
      keyFilepath: "/path/to/client-key.pem"
      insecureSkipTlsVerify: false
#----------------------------------------------------------------------------
# Kafka Connect configuration (optional)
#----------------------------------------------------------------------------
kafkaConnect:
  enabled: false
  # connectTimeout: 15s
  # readTimeout: 60s
  # requestTimeout: 6s
  clusters: []
  # Example:
  # clusters:
  #   - name: my-connect-cluster
  #     url: "http://connect.mycompany.com:8083"
  #     tls:
  #       enabled: false
  #     username: "connect-user"
  #     password: "connect-password"
  #     token: "optional-token"
#----------------------------------------------------------------------------
# Enterprise License configuration (optional)
#----------------------------------------------------------------------------
# To mount an enterprise license, set either license or licenseFilepath.
# This is only required if you want to use an enterprise feature
# such as SSO or RBAC.
# Filepath to your redpanda.license file
# licenseFilepath: ""
# License string.
# license: ""
#----------------------------------------------------------------------------
# Serde settings
#----------------------------------------------------------------------------
serde:
  maxDeserializationPayloadSize: 20480
  # protobuf:
  #   enabled: false
  #   mappings: []
  #     Map the Proto type names for each of your topics.
  #     These Proto types will be used for deserialization.
  #     - topicName: xy
  #       You can specify the Proto type for the record key
  #       and/or value (just one will work too)
  #       valueProtoType: fake_model.Order
  #       keyProtoType: package.Type
  #   Configure the fileSystem if you want Redpanda Console to
  #   search the local file system for the Proto files
  #   fileSystem:
  #     enabled: false
  #     paths: []
  #     refreshInterval: 5m
  #   importPaths is a list of paths from which to import Proto files into Redpanda Console.
  #   Paths are relative to the root directory.
  #   The `git` configuration must be enabled to use this feature.
  #   importPaths: []
  #   Git is where the Proto files come from.
  #   git:
  #     enabled: false
  #     repository:
  #       url:
  #       branch: (defaults to primary/default branch)
  #       baseDirectory: (defaults to the root directory of the repo/branch above)
  #     How often Redpanda Console pulls the repository to look for new files.
  #     Set to 0 to disable periodic pulls.
  #     refreshInterval: 5m
  #     To use GitHub's personal access tokens, use `token`
  #     as username and pass the same token as password.
  #     basicAuth:
  #       enabled: true
  #       username:
  #       Password can also be set using the --serde.protobuf.git.basic-auth.password flag.
  #       password:
  #     You can pass the private key file directly using a flag on the command line, or you can specify it in the
  #     yaml configuration file. Another alternative is to provide the filepath to a mounted key
  #     file in this configuration block.
  #     ssh:
  #       enabled: false
  #       username:
  #       privateKey can also be set using the --serde.protobuf.git.ssh.private-key flag.
  #       privateKey:
  #       privateKeyFilepath:
  #       Passphrase can also be set using the --serde.protobuf.git.ssh.passphrase flag.
  #       passphrase:
  # messagePack:
  #   enabled: false
  #   List of topic name regexes, defaults to /.*/
  #   topicNames: ["/.*/"]
#----------------------------------------------------------------------------
# Redpanda Console settings
#----------------------------------------------------------------------------
console:
  topicDocumentation:
    enabled: false
    # git:
    #   enabled: false
    #   repository:
    #     url:
    #     branch: (defaults to primary/default branch)
    #     baseDirectory: .
    #   # How often Redpanda Console pulls the repository to look for new files.
    #   # Set to 0 to disable periodic pulls.
    #   # refreshInterval: 1m
    #   # To use GitHub's personal access tokens, use `token` as username and pass the actual token as the password.
    #   basicAuth:
    #     enabled: true
    #     username: token
    #     password: <your_github_token>
    #   # You can pass the private key file directly using a flag on the command line, or you can specify it in the yaml configuration file. Another alternative is to provide the filepath to a mounted key file in this configuration block.
    #   ssh:
    #     enabled: false
    #     username: git
    #     privateKey: |
    #       -----BEGIN PRIVATE KEY-----
    #       ...
    #       -----END PRIVATE KEY-----
    #     privateKeyFilepath: /path/to/private/key
    #     passphrase: <optional_passphrase>
auditLog:
  enabled: false # default; set to true to write audit logs to stdout
  additionalHeaders: # specifies HTTP headers to include in audit logs
    - "X-Forwarded-For"
    - "User-Agent"
#----------------------------------------------------------------------------
# Server settings
#----------------------------------------------------------------------------
server:
  listenAddress: "0.0.0.0"
  listenPort: 8080
  httpsListenPort: 8081
  advertisedHttpsListenPort: 443
  gracefulShutdownTimeout: 30s
  readTimeout: 30s
  writeTimeout: 30s
  idleTimeout: 30s
  compressionLevel: 4
  basePath: ""
  setBasePathFromXForwardedPrefix: true
  stripPrefix: true
  tls:
    enabled: false
    # Uncomment and configure if HTTPS is required:
    # certFilepath: "/path/to/https-cert.pem"
    # keyFilepath: "/path/to/https-key.pem"
  allowedOrigins: []
#----------------------------------------------------------------------------
# Logger settings
#----------------------------------------------------------------------------
logger:
  level: info
#----------------------------------------------------------------------------
# Developer settings
#----------------------------------------------------------------------------
# Only relevant for developers who want to run the frontend separately.
# Uncomment the following line to serve the frontend separately.
# serveFrontend: true
#----------------------------------------------------------------------------
# Metrics settings
#----------------------------------------------------------------------------
# Prefix for all exported Prometheus metrics.
# Uncomment and set your metrics namespace.
# metricsNamespace: "console"
#----------------------------------------------------------------------------
# Analytics / telemetry (optional)
#----------------------------------------------------------------------------
analytics:
  enabled: true