> ## Documentation Index > Fetch the complete documentation index at: https://docs.conduktor.io/llms.txt > Use this file to discover all available pages before exploring further. # Conduktor Console configuration examples > Console configuration examples: use API/CLI/Terraform for GitOps production, Console UI for quick changes. Console supports multiple configuration methods - choose based on your deployment needs: * **Console API/CLI/Terraform** - recommended for **production and GitOps** environments requiring dynamic configuration management. Enables real-time updates without service interruption. * **Console UI** - ideal for **development, testing, and quick configuration changes** through the Console interface. Changes are not version-controlled or easily repeatable. * **YAML/Environment variables** - best for **initial Console setup and static configurations** that rarely change. Requires container restart to apply configuration changes. This page focuses on **YAML and environment variable** configurations. For API/CLI/Terraform methods [see Console reference](/guide/reference/console-reference). If you want to configure clusters with a GitOps approach, we recommend using [Console API](https://developers.conduktor.io/?product=console) . **Clusters created through the UI are independent** and persist regardless of YAML configurations. We recommend **not mixing configuration methods** to avoid confusion and unwanted overrides. ## Ready-to-use configurations ### Complete production-ready setup for Confluent Cloud This demonstrates a complete configuration for Conduktor Console including database, monitoring, authentication and Confluent Cloud cluster connections with SASL\_SSL/PLAIN security, Schema Registry, and Kafka Connect. ```yaml theme={null} database: hosts: - host: 'postgresql' port: 5432 name: 'conduktor' username: 'conduktor' password: '' connection_timeout: 30 # in seconds monitoring: cortex-url: 'http://conduktor-monitoring:9009/' alert-manager-url: 'http://conduktor-monitoring:9010/' callback-url: 'http://conduktor-console:8080/monitoring/api/' notifications-callback-url: 'http://localhost:8080' admin: email: '' password: '' # Must be at least 8 characters with mixed case, numbers, and symbols sso: oauth2: - name: 'auth0' client-id: '' client-secret: '' openid: issuer: 'https://' scopes: # Optional - 'openid' - 'profile' - 'email' groups-claim: 'groups' # Optional - Default: 'roles' auth: local-users: # Optional - Additional local users beyond admin - email: 'user@example.com' password: '' - email: 'another@example.com' password: '' clusters: - id: 'confluent-prod' name: 'Confluent Production' color: '#FF5733' # Optional icon: 'kafka' # Optional bootstrapServers: 'pkc-xxxxx.region.aws.confluent.cloud:9092' properties: | security.protocol=SASL_SSL sasl.mechanism=PLAIN sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="" password=""; kafkaFlavor: type: "Confluent" key: "" # Confluent Cloud API Key, NOT cluster API Key secret: "" # Confluent Cloud API Secret, NOT cluster API Secret confluentEnvironmentId: "" confluentClusterId: "" organizationId: "" # Optional - Required for RBAC role bindings schemaRegistryId: "" # Optional - Required if managing Schema Registry via API enableRbacRoleBindings: true # Optional - Default: false schemaRegistry: url: 'https://psrc-xxxxx.region.aws.confluent.cloud' security: username: '' password: '' kafkaConnects: - id: 'kafka-connect' name: 'My Kafka Connect' url: 'http://localhost:8083' security: username: '' password: '' license: "" # Enterprise license key ``` ```bash theme={null} environment: CDK_CLUSTERS_0_ID: 'kafka' CDK_CLUSTERS_0_NAME: 'Kafka' CDK_CLUSTERS_0_BOOTSTRAPSERVERS: 'localhost:9092' CDK_CLUSTERS_0_KAFKACONNECTS_0_ID: 'kafka-connect' CDK_CLUSTERS_0_KAFKACONNECTS_0_NAME: 'My Kafka Connect' CDK_CLUSTERS_0_KAFKACONNECTS_0_URL: 'http://localhost:8083' CDK_CLUSTERS_0_KAFKACONNECTS_0_SECURITY_USERNAME: '' CDK_CLUSTERS_0_KAFKACONNECTS_0_SECURITY_PASSWORD: '' ``` ### Amazon MSK with IAM authentication Connect to an MSK cluster with IAM authentication. You can use explicit credentials or inherit them from the environment. Deploying this **CloudFormation** template to your environment might result in billable resources being consumed. [See Amazon MSK pricing for details](https://aws.amazon.com/msk/pricing/) . **Using explicit credentials:** ```yml theme={null} clusters: - id: 'amazon-msk-iam' name: 'Amazon MSK IAM' bootstrapServers: 'b-3-public.****.kafka.eu-west-1.amazonaws.com:9198' properties: | security.protocol=SASL_SSL sasl.mechanism=AWS_MSK_IAM sasl.jaas.config=software.amazon.msk.auth.iam.IAMLoginModule required; sasl.client.callback.handler.class=io.conduktor.aws.IAMClientCallbackHandler aws_access_key_id= aws_secret_access_key= ``` ### Complete production-ready setup for Aiven This demonstrates a complete configuration for Conduktor Console including database, monitoring, authentication and Aiven cluster connections using mTLS with the Aiven flavor. You should have three files: * Your access key (in the keystore.jks file). * Your access certificate (in the keystore.jks file). * Your CA certificate (in the truststore.jks file). Make sure the content is on a single line. ```yaml theme={null} database: hosts: - host: 'postgresql' port: 5432 name: 'conduktor' username: 'conduktor' password: '' connection_timeout: 30 # in seconds monitoring: cortex-url: 'http://conduktor-monitoring:9009/' alert-manager-url: 'http://conduktor-monitoring:9010/' callback-url: 'http://conduktor-console:8080/monitoring/api/' notifications-callback-url: 'http://localhost:8080' admin: email: '' password: '' # Must be at least 8 characters with mixed case, numbers, and symbols sso: oauth2: - name: 'auth0' client-id: '' client-secret: '' openid: issuer: 'https://' scopes: # Optional - 'openid' - 'profile' - 'email' groups-claim: 'groups' # Optional - Default: 'roles' auth: local-users: # Optional - Additional local users beyond admin - email: 'user@example.com' password: '' - email: 'another@example.com' password: '' clusters: - id: 'aiven-ssl' name: 'Aiven SSL' color: '#FF5733' # Optional icon: 'kafka' # Optional bootstrapServers: 'kafka-09ba.aivencloud.com:21650' properties: | security.protocol=SSL ssl.truststore.type=PEM ssl.truststore.certificates=-----BEGIN CERTIFICATE----- -----END CERTIFICATE----- ssl.keystore.type=PEM ssl.keystore.key=-----BEGIN PRIVATE KEY----- -----END PRIVATE KEY----- ssl.keystore.certificate.chain=-----BEGIN CERTIFICATE----- -----END CERTIFICATE----- kafkaFlavor: type: "Aiven" apiToken: "" project: "" serviceName: "kafka-xxxx" # kafka cluster id (service name) license: "" # Enterprise license key ``` ```bash theme={null} environment: # Enterprise license key CDK_LICENSE: '' # Database configuration CDK_DATABASE_URL: 'postgresql://conduktor:@postgresql:5432/conduktor' # Connection to Conduktor Cortex container CDK_MONITORING_CORTEX-URL: 'http://conduktor-monitoring:9009/' CDK_MONITORING_ALERT-MANAGER-URL: 'http://conduktor-monitoring:9010/' CDK_MONITORING_CALLBACK-URL: 'http://conduktor-console:8080/monitoring/api/' CDK_MONITORING_NOTIFICATIONS-CALLBACK-URL: 'http://localhost:8080' # Admin username/password CDK_ADMIN_EMAIL: '' CDK_ADMIN_PASSWORD: '' # Must be at least 8 characters with mixed case, numbers, and symbols # SSO configuration CDK_SSO_OAUTH2_0_NAME: 'auth0' CDK_SSO_OAUTH2_0_CLIENT-ID: '' CDK_SSO_OAUTH2_0_CLIENT-SECRET: '' CDK_SSO_OAUTH2_0_OPENID_ISSUER: 'https://' CDK_SSO_OAUTH2_0_SCOPES: 'openid,profile,email' # Optional - Comma-separated list CDK_SSO_OAUTH2_0_GROUPS-CLAIM: 'groups' # Optional # Local users configuration (optional - additional users beyond admin) CDK_AUTH_LOCAL-USERS_0_EMAIL: 'user@example.com' CDK_AUTH_LOCAL-USERS_0_PASSWORD: '' CDK_AUTH_LOCAL-USERS_1_EMAIL: 'another@example.com' CDK_AUTH_LOCAL-USERS_1_PASSWORD: '' # Kafka cluster configuration CDK_CLUSTERS_0_ID: 'aiven-ssl' CDK_CLUSTERS_0_NAME: 'Aiven SSL' CDK_CLUSTERS_0_COLOR: '#FF5733' # Optional CDK_CLUSTERS_0_ICON: 'kafka' # Optional CDK_CLUSTERS_0_BOOTSTRAPSERVERS: 'kafka-09ba.aivencloud.com:21650' CDK_CLUSTERS_0_PROPERTIES: "security.protocol=SSL\nssl.truststore.type=PEM\nssl.truststore.certificates=-----BEGIN CERTIFICATE----- -----END CERTIFICATE-----\nssl.keystore.type=PEM\nssl.keystore.key=-----BEGIN PRIVATE KEY----- -----END PRIVATE KEY-----\nssl.keystore.certificate.chain=-----BEGIN CERTIFICATE----- -----END CERTIFICATE-----" # Aiven flavor configuration CDK_CLUSTERS_0_KAFKAFLAVOR_TYPE: "Aiven" CDK_CLUSTERS_0_KAFKAFLAVOR_APITOKEN: "" CDK_CLUSTERS_0_KAFKAFLAVOR_PROJECT: "" CDK_CLUSTERS_0_KAFKAFLAVOR_SERVICENAME: "kafka-xxxx" ``` ## Kafka Cluster configuration Basic connection without authentication or encryption. ```yaml theme={null} clusters: - id: 'local-kafka' name: 'Local Development' bootstrapServers: 'localhost:9092' ``` ```bash theme={null} CDK_CLUSTERS_0_ID: 'local-kafka' CDK_CLUSTERS_0_NAME: 'Local Development' CDK_CLUSTERS_0_BOOTSTRAPSERVERS: 'localhost:9092' ``` SASL can be used with PLAINTEXT or SSL transport, supporting multiple mechanisms: PLAIN, SCRAM-SHA-256, SCRAM-SHA-512, GSSAPI and OAUTHBEARER. ```yaml theme={null} clusters: - id: 'sasl-plain-plaintext' name: 'SASL PLAIN (Plaintext)' bootstrapServers: 'broker.example.com:9092' properties: | security.protocol=SASL_PLAINTEXT sasl.mechanism=PLAIN sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="" password=""; ``` ```bash theme={null} CDK_CLUSTERS_0_ID: 'sasl-plain-plaintext' CDK_CLUSTERS_0_NAME: 'SASL PLAIN (Plaintext)' CDK_CLUSTERS_0_BOOTSTRAPSERVERS: 'broker.example.com:9092' CDK_CLUSTERS_0_PROPERTIES: "security.protocol=SASL_PLAINTEXT\nsasl.mechanism=PLAIN\nsasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username=\"\" password=\"\";" ``` ```yaml theme={null} clusters: - id: 'sasl-scram-plaintext' name: 'SASL SCRAM (Plaintext)' bootstrapServers: 'broker.example.com:9092' properties: | security.protocol=SASL_PLAINTEXT sasl.mechanism=SCRAM-SHA-256 sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="" password=""; ``` ```bash theme={null} CDK_CLUSTERS_0_ID: 'sasl-scram-plaintext' CDK_CLUSTERS_0_NAME: 'SASL SCRAM (Plaintext)' CDK_CLUSTERS_0_BOOTSTRAPSERVERS: 'broker.example.com:9092' CDK_CLUSTERS_0_PROPERTIES: "security.protocol=SASL_PLAINTEXT\nsasl.mechanism=SCRAM-SHA-256\nsasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username=\"\" password=\"\";" ``` ```yaml theme={null} clusters: - id: 'sasl-plain-ssl' name: 'SASL PLAIN (SSL)' bootstrapServers: 'broker.example.com:9093' properties: | security.protocol=SASL_SSL sasl.mechanism=PLAIN sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="" password=""; ``` ```bash theme={null} CDK_CLUSTERS_0_ID: 'sasl-plain-ssl' CDK_CLUSTERS_0_NAME: 'SASL PLAIN (SSL)' CDK_CLUSTERS_0_BOOTSTRAPSERVERS: 'broker.example.com:9093' CDK_CLUSTERS_0_PROPERTIES: "security.protocol=SASL_SSL\nsasl.mechanism=PLAIN\nsasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username=\"\" password=\"\";" ``` ```yaml theme={null} clusters: - id: 'sasl-scram-ssl' name: 'SASL SCRAM (SSL)' bootstrapServers: 'broker.example.com:9093' properties: | security.protocol=SASL_SSL sasl.mechanism=SCRAM-SHA-512 sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="" password=""; ssl.truststore.type=PEM ssl.truststore.certificates=-----BEGIN CERTIFICATE----- -----END CERTIFICATE----- ``` ```bash theme={null} CDK_CLUSTERS_0_ID: 'sasl-scram-ssl' CDK_CLUSTERS_0_NAME: 'SASL SCRAM (SSL)' CDK_CLUSTERS_0_BOOTSTRAPSERVERS: 'broker.example.com:9093' CDK_CLUSTERS_0_PROPERTIES: "security.protocol=SASL_SSL\nsasl.mechanism=SCRAM-SHA-512\nsasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username=\"\" password=\"\";\nssl.truststore.type=PEM\nssl.truststore.certificates=-----BEGIN CERTIFICATE----- -----END CERTIFICATE-----" ``` OIDC authentication (available since Kafka 3.1 - [KIP-768](https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=186877575)) ```yaml theme={null} clusters: - id: 'sasl-oauth-ssl' name: 'SASL OAuth (SSL)' bootstrapServers: 'broker.example.com:9093' properties: | security.protocol=SASL_SSL sasl.mechanism=OAUTHBEARER sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required clientId="" clientSecret=""; sasl.oauthbearer.token.endpoint.url=https://auth.example.com/oauth2/token sasl.login.callback.handler.class=org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler ``` ```bash theme={null} CDK_CLUSTERS_0_ID: 'sasl-oauth-ssl' CDK_CLUSTERS_0_NAME: 'SASL OAuth (SSL)' CDK_CLUSTERS_0_BOOTSTRAPSERVERS: 'broker.example.com:9093' CDK_CLUSTERS_0_PROPERTIES: "security.protocol=SASL_SSL\nsasl.mechanism=OAUTHBEARER\nsasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required clientId=\"\" clientSecret=\"\";\nsasl.oauthbearer.token.endpoint.url=https://auth.example.com/oauth2/token\nsasl.login.callback.handler.class=org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler" ``` Server authentication only. ```yaml theme={null} clusters: - id: 'ssl-oneway' name: 'SSL One-way TLS' bootstrapServers: 'broker.example.com:9093' properties: | security.protocol=SSL ssl.truststore.type=PEM ssl.truststore.certificates=-----BEGIN CERTIFICATE----- -----END CERTIFICATE----- ``` ```bash theme={null} CDK_CLUSTERS_0_ID: 'ssl-oneway' CDK_CLUSTERS_0_NAME: 'SSL One-way TLS' CDK_CLUSTERS_0_BOOTSTRAPSERVERS: 'broker.example.com:9093' CDK_CLUSTERS_0_PROPERTIES: "security.protocol=SSL\nssl.truststore.type=PEM\nssl.truststore.certificates=-----BEGIN CERTIFICATE----- -----END CERTIFICATE-----" ``` Client and server authentication. ```yaml theme={null} clusters: - id: 'ssl-mtls' name: 'SSL Mutual TLS' bootstrapServers: 'broker.example.com:9093' properties: | security.protocol=SSL ssl.truststore.type=PEM ssl.truststore.certificates=-----BEGIN CERTIFICATE----- -----END CERTIFICATE----- ssl.keystore.type=PEM ssl.keystore.key=-----BEGIN PRIVATE KEY----- -----END PRIVATE KEY----- ssl.keystore.certificate.chain=-----BEGIN CERTIFICATE----- -----END CERTIFICATE----- ``` ```bash theme={null} CDK_CLUSTERS_0_ID: 'ssl-mtls' CDK_CLUSTERS_0_NAME: 'SSL Mutual TLS' CDK_CLUSTERS_0_BOOTSTRAPSERVERS: 'broker.example.com:9093' CDK_CLUSTERS_0_PROPERTIES: "security.protocol=SSL\nssl.truststore.type=PEM\nssl.truststore.certificates=-----BEGIN CERTIFICATE----- -----END CERTIFICATE-----\nssl.keystore.type=PEM\nssl.keystore.key=-----BEGIN PRIVATE KEY----- -----END PRIVATE KEY-----\nssl.keystore.certificate.chain=-----BEGIN CERTIFICATE----- -----END CERTIFICATE-----" ``` Credentials inherited from environment. ```yaml theme={null} clusters: - id: 'aws-msk-iam' name: 'AWS MSK with IAM' bootstrapServers: 'b-1.cluster.kafka.region.amazonaws.com:9098' properties: | security.protocol=SASL_SSL sasl.mechanism=AWS_MSK_IAM sasl.jaas.config=software.amazon.msk.auth.iam.IAMLoginModule required; sasl.client.callback.handler.class=software.amazon.msk.auth.iam.IAMClientCallbackHandler ``` ```bash theme={null} CDK_CLUSTERS_0_ID: 'aws-msk-iam' CDK_CLUSTERS_0_NAME: 'AWS MSK with IAM' CDK_CLUSTERS_0_BOOTSTRAPSERVERS: 'b-1.cluster.kafka.region.amazonaws.com:9098' CDK_CLUSTERS_0_PROPERTIES: "security.protocol=SASL_SSL\nsasl.mechanism=AWS_MSK_IAM\nsasl.jaas.config=software.amazon.msk.auth.iam.IAMLoginModule required;\nsasl.client.callback.handler.class=software.amazon.msk.auth.iam.IAMClientCallbackHandler" ``` You can also override the `default` profile or role: * Profile: `sasl.jaas.config = software.amazon.msk.auth.iam.IAMLoginModule required awsProfileName="";` * Role: `sasl.jaas.config = software.amazon.msk.auth.iam.IAMLoginModule required awsRoleArn="";` Credentials from explicit configuration. ```yaml theme={null} clusters: - id: 'aws-msk-iam' name: 'AWS MSK with IAM' bootstrapServers: 'b-1.cluster.kafka.region.amazonaws.com:9098' properties: | security.protocol=SASL_SSL sasl.mechanism=AWS_MSK_IAM sasl.jaas.config=software.amazon.msk.auth.iam.IAMLoginModule required; sasl.client.callback.handler.class=io.conduktor.aws.IAMClientCallbackHandler aws_access_key_id= aws_secret_access_key= ``` ```bash theme={null} CDK_CLUSTERS_0_ID: 'aws-msk-iam' CDK_CLUSTERS_0_NAME: 'AWS MSK with IAM' CDK_CLUSTERS_0_BOOTSTRAPSERVERS: 'b-1.cluster.kafka.region.amazonaws.com:9098' CDK_CLUSTERS_0_PROPERTIES: "security.protocol=SASL_SSL\nsasl.mechanism=AWS_MSK_IAM\nsasl.jaas.config=software.amazon.msk.auth.iam.IAMLoginModule required;\nsasl.client.callback.handler.class=io.conduktor.aws.IAMClientCallbackHandler\naws_access_key_id=\naws_secret_access_key=" ``` ## Schema Registry configuration To enable Schema Registry support, attach these code examples to any of the cluster configurations above. ```yaml theme={null} schemaRegistry: url: 'https://psrc-xxxx.region.aws.confluent.cloud' ``` ```bash theme={null} CDK_CLUSTERS_0_SCHEMAREGISTRY_URL: 'https://psrc-xxxx.region.aws.confluent.cloud' ``` ```yaml theme={null} schemaRegistry: url: 'https://psrc-xxxxx.region.aws.confluent.cloud' security: username: '' password: '' ``` ```bash theme={null} CDK_CLUSTERS_0_SCHEMAREGISTRY_URL: 'https://psrc-xxxxx.region.aws.confluent.cloud' CDK_CLUSTERS_0_SCHEMAREGISTRY_SECURITY_USERNAME: '' CDK_CLUSTERS_0_SCHEMAREGISTRY_SECURITY_PASSWORD: '' ``` ```yaml theme={null} schemaRegistry: url: 'https://psrc-xxxxx.region.aws.confluent.cloud' security: token: '' ``` ```bash theme={null} CDK_CLUSTERS_0_SCHEMAREGISTRY_URL: 'https://psrc-xxxxx.region.aws.confluent.cloud' CDK_CLUSTERS_0_SCHEMAREGISTRY_SECURITY_TOKEN: '' ``` ```yaml theme={null} schemaRegistry: url: 'https://psrc-xxxxx.region.aws.confluent.cloud' security: key: -----BEGIN PRIVATE KEY----- -----END PRIVATE KEY----- certificateChain: -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- ``` ```bash theme={null} CDK_CLUSTERS_0_SCHEMAREGISTRY_URL: 'https://psrc-xxxxx.region.aws.confluent.cloud' CDK_CLUSTERS_0_SCHEMAREGISTRY_SECURITY_KEY: '-----BEGIN PRIVATE KEY----- -----END PRIVATE KEY-----' CDK_CLUSTERS_0_SCHEMAREGISTRY_SECURITY_CERTIFICATECHAIN: '-----BEGIN CERTIFICATE----- -----END CERTIFICATE-----' ``` Connect MSK clusters with AWS Glue Schema Registry using different authentication methods. ```yaml theme={null} schemaRegistry: region: '' registryName: '' # optional amazonSecurity: type: 'Credentials' accessKeyId: '' secretKey: '' ``` ```bash theme={null} CDK_CLUSTERS_0_SCHEMAREGISTRY_REGION: '' CDK_CLUSTERS_0_SCHEMAREGISTRY_REGISTRYNAME: '' # optional CDK_CLUSTERS_0_SCHEMAREGISTRY_AMAZONSECURITY_TYPE: 'Credentials' CDK_CLUSTERS_0_SCHEMAREGISTRY_AMAZONSECURITY_ACCESSKEYID: '' CDK_CLUSTERS_0_SCHEMAREGISTRY_AMAZONSECURITY_SECRETKEY: '' ``` ```yaml theme={null} schemaRegistry: region: '' registryName: '' # optional amazonSecurity: type: 'FromContext' profile: '' # optional, inherited from environment by default ``` ```bash theme={null} CDK_CLUSTERS_0_SCHEMAREGISTRY_REGION: '' CDK_CLUSTERS_0_SCHEMAREGISTRY_AMAZONSECURITY_TYPE: 'FromContext' CDK_CLUSTERS_0_SCHEMAREGISTRY_AMAZONSECURITY_PROFILE: '' # optional, inherited from environment by default ``` ```yaml theme={null} schemaRegistry: region: '' registryName: '' # optional amazonSecurity: type: 'FromRole' role: '' ``` ```bash theme={null} CDK_CLUSTERS_0_SCHEMAREGISTRY_REGION: '' CDK_CLUSTERS_0_SCHEMAREGISTRY_AMAZONSECURITY_TYPE: 'FromRole' CDK_CLUSTERS_0_SCHEMAREGISTRY_AMAZONSECURITY_ROLE: '' ``` ## Kafka Connect configuration To add Kafka Connect to your cluster configuration use the code examples below. ```yaml theme={null} kafkaConnects: - id: 'kafka-connect' name: 'My Kafka Connect' url: 'http://localhost:8083' headers: 'myHeader=myValue' ignoreUntrustedCertificate: false ``` ```bash theme={null} CDK_CLUSTERS_0_KAFKACONNECTS_0_ID: 'kafka-connect' CDK_CLUSTERS_0_KAFKACONNECTS_0_NAME: 'My Kafka Connect' CDK_CLUSTERS_0_KAFKACONNECTS_0_URL: 'http://localhost:8083' CDK_CLUSTERS_0_KAFKACONNECTS_0_HEADERS: 'myHeader=myValue' CDK_CLUSTERS_0_KAFKACONNECTS_0_IGNOREUNTRUSTEDCERTIFICATE: 'false' ``` ```yaml theme={null} kafkaConnects: - id: 'kafka-connect' name: 'My Kafka Connect' url: 'http://localhost:8083' headers: 'myHeader=myValue' ignoreUntrustedCertificate: false security: username: '' password: '' ``` ```bash theme={null} CDK_CLUSTERS_0_KAFKACONNECTS_0_ID: 'kafka-connect' CDK_CLUSTERS_0_KAFKACONNECTS_0_NAME: 'My Kafka Connect' CDK_CLUSTERS_0_KAFKACONNECTS_0_URL: 'http://localhost:8083' CDK_CLUSTERS_0_KAFKACONNECTS_0_HEADERS: 'myHeader=myValue' CDK_CLUSTERS_0_KAFKACONNECTS_0_IGNOREUNTRUSTEDCERTIFICATE: 'false' CDK_CLUSTERS_0_KAFKACONNECTS_0_SECURITY_USERNAME: '' CDK_CLUSTERS_0_KAFKACONNECTS_0_SECURITY_PASSWORD: '' ``` ```yaml theme={null} kafkaConnects: - id: 'kafka-connect' name: 'My Kafka Connect' url: 'http://localhost:8083' headers: 'myHeader=myValue' ignoreUntrustedCertificate: false security: token: '' ``` ```bash theme={null} CDK_CLUSTERS_0_KAFKACONNECTS_0_ID: 'kafka-connect' CDK_CLUSTERS_0_KAFKACONNECTS_0_NAME: 'My Kafka Connect' CDK_CLUSTERS_0_KAFKACONNECTS_0_URL: 'http://localhost:8083' CDK_CLUSTERS_0_KAFKACONNECTS_0_HEADERS: 'myHeader=myValue' CDK_CLUSTERS_0_KAFKACONNECTS_0_IGNOREUNTRUSTEDCERTIFICATE: 'false' CDK_CLUSTERS_0_KAFKACONNECTS_0_SECURITY_TOKEN: '' ``` ```yaml theme={null} kafkaConnects: - id: 'kafka-connect' name: 'My Kafka Connect' url: 'http://localhost:8083' headers: 'myHeader=myValue' ignoreUntrustedCertificate: false security: key: -----BEGIN PRIVATE KEY----- -----END PRIVATE KEY----- certificateChain: -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- ``` ```bash theme={null} CDK_CLUSTERS_0_KAFKACONNECTS_0_ID: 'kafka-connect' CDK_CLUSTERS_0_KAFKACONNECTS_0_NAME: 'My Kafka Connect' CDK_CLUSTERS_0_KAFKACONNECTS_0_URL: 'http://localhost:8083' CDK_CLUSTERS_0_KAFKACONNECTS_0_HEADERS: 'myHeader=myValue' CDK_CLUSTERS_0_KAFKACONNECTS_0_IGNOREUNTRUSTEDCERTIFICATE: 'false' CDK_CLUSTERS_0_KAFKACONNECTS_0_SECURITY_KEY: '-----BEGIN PRIVATE KEY----- -----END PRIVATE KEY-----' CDK_CLUSTERS_0_KAFKACONNECTS_0_SECURITY_CERTIFICATECHAIN: '-----BEGIN CERTIFICATE----- -----END CERTIFICATE-----' ``` ## ksqlDB configuration OAUTHBEARER with OIDC Authentication is possible since Kafka 3.1 and [KIP-768](https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=186877575) . To demonstrate OIDC authentication, you can connect to NASA's GCN Kafka cluster after you [sign up](https://gcn.nasa.gov/quickstart) . Here's a configuration example (adapt the values to your needs): ```yaml theme={null} ksqlDBs: - id: 'ksqldb-basic' name: 'My ksqlDB Server' url: 'http://localhost:8088' ignoreUntrustedCertificate: false headers: 'myHeader=myValue' ``` ```bash theme={null} CDK_CLUSTERS_0_KSQLDBS_0_ID: 'ksqldb-basic' CDK_CLUSTERS_0_KSQLDBS_0_NAME: 'My ksqlDB Server' CDK_CLUSTERS_0_KSQLDBS_0_URL: 'http://localhost:8088' CDK_CLUSTERS_0_KSQLDBS_0_IGNOREUNTRUSTEDCERTIFICATE: 'false' CDK_CLUSTERS_0_KSQLDBS_0_HEADERS: 'myHeader=myValue' ``` ```yaml theme={null} ksqlDBs: - id: 'ksqldb-basic-auth' name: 'My ksqlDB Server' url: 'http://localhost:8088' ignoreUntrustedCertificate: false headers: 'myHeader=myValue' security: username: '' password: '' ``` ```bash theme={null} CDK_CLUSTERS_0_KSQLDBS_0_ID: 'ksqldb-basic-auth' CDK_CLUSTERS_0_KSQLDBS_0_NAME: 'My ksqlDB Server' CDK_CLUSTERS_0_KSQLDBS_0_URL: 'http://localhost:8088' CDK_CLUSTERS_0_KSQLDBS_0_IGNOREUNTRUSTEDCERTIFICATE: 'false' CDK_CLUSTERS_0_KSQLDBS_0_HEADERS: 'myHeader=myValue' CDK_CLUSTERS_0_KSQLDBS_0_SECURITY_USERNAME: '' CDK_CLUSTERS_0_KSQLDBS_0_SECURITY_PASSWORD: '' ``` ```yaml theme={null} ksqlDBs: - id: 'ksqldb-token-auth' name: 'My ksqlDB Server' url: 'http://localhost:8088' ignoreUntrustedCertificate: false headers: 'myHeader=myValue' security: token: '' ``` ```bash theme={null} CDK_CLUSTERS_0_KSQLDBS_0_ID: 'ksqldb-token-auth' CDK_CLUSTERS_0_KSQLDBS_0_NAME: 'My ksqlDB Server' CDK_CLUSTERS_0_KSQLDBS_0_URL: 'http://localhost:8088' CDK_CLUSTERS_0_KSQLDBS_0_IGNOREUNTRUSTEDCERTIFICATE: 'false' CDK_CLUSTERS_0_KSQLDBS_0_HEADERS: 'myHeader=myValue' CDK_CLUSTERS_0_KSQLDBS_0_SECURITY_TOKEN: '' ``` ```yaml theme={null} ksqlDBs: - id: 'ksqldb-ssl-auth' name: 'My ksqlDB Server' url: 'http://localhost:8088' ignoreUntrustedCertificate: false headers: 'myHeader=myValue' security: key: -----BEGIN PRIVATE KEY----- -----END PRIVATE KEY----- certificateChain: -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- ``` ```bash theme={null} CDK_CLUSTERS_0_KSQLDBS_0_ID: 'ksqldb-ssl-auth' CDK_CLUSTERS_0_KSQLDBS_0_NAME: 'My ksqlDB Server' CDK_CLUSTERS_0_KSQLDBS_0_URL: 'http://localhost:8088' CDK_CLUSTERS_0_KSQLDBS_0_IGNOREUNTRUSTEDCERTIFICATE: 'false' CDK_CLUSTERS_0_KSQLDBS_0_HEADERS: 'myHeader=myValue' CDK_CLUSTERS_0_KSQLDBS_0_SECURITY_KEY: '-----BEGIN PRIVATE KEY----- -----END PRIVATE KEY-----' CDK_CLUSTERS_0_KSQLDBS_0_SECURITY_CERTIFICATECHAIN: '-----BEGIN CERTIFICATE----- -----END CERTIFICATE-----' ``` ## Provider configuration To enable enhanced provider-specific capabilities, attach the following snippets to any of the above cluster configurations. Connect to Confluent Cloud with enhanced management capabilities for service accounts, API keys, and ACLs. ```yaml theme={null} kafkaFlavor: type: "Confluent" key: "" # Confluent Cloud API Key, NOT cluster API Key secret: "" # Confluent Cloud API Secret, NOT cluster API Secret confluentEnvironmentId: "" confluentClusterId: "" organizationId: "" # Optional - Required for RBAC role bindings schemaRegistryId: "" # Optional - Required if managing Schema Registry via API enableRbacRoleBindings: true # Optional - Default: false ``` ```bash theme={null} CDK_CLUSTERS_0_KAFKAFLAVOR_TYPE: "Confluent" CDK_CLUSTERS_0_KAFKAFLAVOR_KEY: "" CDK_CLUSTERS_0_KAFKAFLAVOR_SECRET: "" CDK_CLUSTERS_0_KAFKAFLAVOR_CONFLUENTENVIRONMENTID: "" CDK_CLUSTERS_0_KAFKAFLAVOR_CONFLUENTCLUSTERID: "" CDK_CLUSTERS_0_KAFKAFLAVOR_ORGANIZATIONID: "" # Optional CDK_CLUSTERS_0_KAFKAFLAVOR_SCHEMAREGISTRYID: "" # Optional CDK_CLUSTERS_0_KAFKAFLAVOR_ENABLERBACROLEBINDINGS: "true" # Optional ``` Connect to Confluent Platform with enhanced management capabilities for service accounts and RBAC role bindings via the Metadata Service (MDS). ```yaml theme={null} kafkaFlavor: type: "ConfluentPlatform" kafkaClusterId: "" mdsUrl: "https://mds.example.com:8090" # Optional - Required for RBAC role bindings authentication: username: "" # LDAP user with SystemAdmin privileges password: "" schemaRegistryClusterId: "" # Optional - Required for subject role bindings enableRbacRoleBindings: true # Optional - Default: false ignoreUntrustedCertificate: false # Optional - Default: false ``` ```bash theme={null} CDK_CLUSTERS_0_KAFKAFLAVOR_TYPE: "ConfluentPlatform" CDK_CLUSTERS_0_KAFKAFLAVOR_KAFKACLUSTERID: "" CDK_CLUSTERS_0_KAFKAFLAVOR_MDSURL: "https://mds.example.com:8090" # Optional CDK_CLUSTERS_0_KAFKAFLAVOR_AUTHENTICATION_USERNAME: "" CDK_CLUSTERS_0_KAFKAFLAVOR_AUTHENTICATION_PASSWORD: "" CDK_CLUSTERS_0_KAFKAFLAVOR_SCHEMAREGISTRYCLUSTERID: "" # Optional CDK_CLUSTERS_0_KAFKAFLAVOR_ENABLERBACROLEBINDINGS: "true" # Optional CDK_CLUSTERS_0_KAFKAFLAVOR_IGNOREUNTRUSTEDCERTIFICATE: "false" # Optional ``` Connect to Aiven Kafka with enhanced management capabilities for service accounts and ACLs. ```yaml theme={null} kafkaFlavor: type: "Aiven" apiToken: "" project: "" serviceName: "kafka-18350d67" # kafka cluster id (service name) ``` ```bash theme={null} CDK_CLUSTERS_0_KAFKAFLAVOR_TYPE: "Aiven" CDK_CLUSTERS_0_KAFKAFLAVOR_APITOKEN: "" CDK_CLUSTERS_0_KAFKAFLAVOR_PROJECT: "" CDK_CLUSTERS_0_KAFKAFLAVOR_SERVICENAME: "kafka-18350d67" ``` Connect Console to Conduktor Gateway for centralized Interceptor management through the Console UI. ```yaml theme={null} kafkaFlavor: type: "Gateway" url: "http://conduktor-gateway:8888" user: "" password: "" virtualCluster: "passthrough" ``` ```bash theme={null} CDK_CLUSTERS_0_KAFKAFLAVOR_TYPE: "Gateway" CDK_CLUSTERS_0_KAFKAFLAVOR_URL: "http://conduktor-gateway:8888" CDK_CLUSTERS_0_KAFKAFLAVOR_USER: "" CDK_CLUSTERS_0_KAFKAFLAVOR_PASSWORD: "" CDK_CLUSTERS_0_KAFKAFLAVOR_VIRTUALCLUSTER: "passthrough" ``` ## Logging configuration ### Global log settings Configure Console-wide logging behavior using these environment variables: | Environment variable | Default value | Description | | --------------------- | ------------- | ------------------------------------------------------------------------ | | `CDK_ROOT_LOG_LEVEL` | `INFO` | Global Console log level, one of `OFF`, `ERROR`, `WARN`, `INFO`, `DEBUG` | | `CDK_ROOT_LOG_FORMAT` | `TEXT` | Log format, one of `TEXT` or `JSON` | | `CDK_ROOT_LOG_COLOR` | `true` | Enable color in logs when possible | For backward compatibility, `CDK_DEBUG: true` is still supported and is equivalent to `CDK_ROOT_LOG_LEVEL: DEBUG`. ### Module-specific log settings Configure logging levels for individual Console modules: Possible values for all of them are: `OFF`, `ERROR`, `WARN`, `INFO`, `DEBUG`, and `TRACE`. | Environment variable | Default value | Description | | ----------------------------- | -------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- | | `PLATFORM_STARTUP_LOG_LEVEL` | `INFO` | Set the setup/configuration process logs level. By default, it is set to `INFO`, but switches to `DEBUG` if `CDK_ROOT_LOG_LEVEL: DEBUG`. | | `CONSOLE_ROOT_LOG_LEVEL` | `CDK_ROOT_LOG_LEVEL` | Logs related to any actions done in the Console UI | | `PLATFORM_API_ROOT_LOG_LEVEL` | `CDK_ROOT_LOG_LEVEL` | Internal platform API logs (health endpoints) | ### Log level inheritance If you don't explicitly set the log level for a module, it will inherit the `CDK_ROOT_LOG_LEVEL`. For instance, if you only set ```yaml theme={null} CDK_ROOT_LOG_LEVEL: DEBUG # CONSOLE_ROOT_LOG_LEVEL isn't set ``` Then, `CONSOLE_ROOT_LOG_LEVEL` will be automatically set to `DEBUG`. Similarly, if you set: ```yaml theme={null} CDK_ROOT_LOG_LEVEL: INFO CONSOLE_ROOT_LOG_LEVEL: DEBUG ``` Then, `CONSOLE_ROOT_LOG_LEVEL` will still be set to `DEBUG`, and isn't overridden. If you want to further customize your logging at an individual logger-level, you can use a per-module logback configuration file. By default, all logback configuration files are in **/opt/conduktor/loggers/** with `READ-ONLY` permissions. At startup, Console will copy all (missing) logback configuration files from `/opt/conduktor/loggers/` to `/var/conduktor/configs/loggers/` directory with `READ-WRITE` permissions. Because all logback configuration files are set to reload themselves every 15 seconds, you can then edit them inside the container volume in **/var/conduktor/configs/loggers/** to tune log level per logger. All logback configuration files declare some expected appenders: | Appender name | Description | | -------------------- | ------------------------------------------------------------- | | `STDOUT` | Appender that writes logs to stdout | | `STDOUT_COLOR` | Appender that writes logs to stdout with color | | `ASYNC_STDOUT` | Appender that writes logs to stdout asynchronously | | `ASYNC_STDOUT_COLOR` | Appender that writes logs to stdout asynchronously with color | ### JSON structured logging Enable structured logging by setting `CDK_ROOT_LOG_FORMAT=JSON`. Logs will use this JSON format: ```json theme={null} { "timestamp": "2024-06-14T10:09:25.802542476+00:00", "level": "", "message": "", "logger": "", "thread": "", "stack_trace": "", "mdc": { "key": "value" } } ``` The log `timestamp` is encoded in [ISO-8601 format](https://en.wikipedia.org/wiki/ISO_8601) . When structured logging is enabled, `CDK_ROOT_LOG_COLOR` is always ignored. ### Runtime logger API Console provides runtime log level management via [REST API](https://developers.conduktor.io/?product=console#tag/logging). **This requires an admin API key**. The `loggerName` filter used to GET or SET a logger level uses a **contains** so you can either use the fully qualified cardinal name or just a part of it, meaning that the filter `authenticator` will match `io.conduktor.authenticator` or `io.conduktor.authenticator.ConduktorUserProfile` loggers, among others. The `logLevel` is **case-insensitive** and can be: `TRACE`, `DEBUG`, `INFO`, `WARN`, `ERROR`, `OFF`.