Skip to main content
Quick navigation

Configuration Properties and Environment Variables

Docker image environment variables

ENVSince VersionUntil VersionDefault Value
CDK_DEBUG1.0.0latestfalseFlag to enable platform debug logs. See log configuration for mor details.
CDK_VOLUME_DIR1.0.2latest/var/conduktorVolume directory where Conduktor platform store data **
CDK_IN_CONF_FILE1.0.2latest/opt/conduktor/default-platform-config.yaml)Conduktor platform configuration file location **
CDK_LISTENING_PORT1.2.0latest8080Platform listening port **
CDK_SSL_TRUSTSTORE_PATH1.5.0latestNoneTruststore file path used by platform kafka, SSO, S3, ... clients SSL/TLS verification
CDK_SSL_TRUSTSTORE_PASSWORD1.5.0latestNoneTruststore password (optional)
CDK_SSL_TRUSTSTORE_TYPE1.5.0latestjksTruststore type (optional)
CDK_SSL_DEBUG1.9.0latestfalseEnable SSL/TLS debug logs
CDK_HTTP_PROXY_HOST1.10.0latestNoneSpecify proxy settings that Conduktor Platform should use to access the Internet
CDK_HTTP_PROXY_PORT1.10.0latest80Specify proxy settings that Conduktor Platform should use to access the Internet
CDK_HTTP_NON_PROXY_HOSTS1.10.0latestNoneSpecify proxy settings that Conduktor Platform should use to access the Internet
CDK_HTTP_PROXY_USERNAME1.10.0latestNoneSpecify proxy settings that Conduktor Platform should use to access the Internet
CDK_HTTP_PROXY_PASSWORD1.10.0latestNoneSpecify proxy settings that Conduktor Platform should use to access the Internet
CDK_GLOBAL_JAVA_OPTS1.10.0latestNoneCustom JAVA_OPTS parameters passed to platform modules.
CDK_ROOT_LOG_LEVEL1.11.0latestINFOSet the platform global log level (DEBUG, INFO, WARN, ERROR). See log configuration for mor details.
CDK_ROOT_LOG_COLOR1.11.0latesttrueEnable or disable ANSI colors in logs. See log configuration for mor details.
CDK_ONBOARDING_MODE1.14.0latestautoSpecify whether to start Conduktor with the onboarding wizard enabled. Accepted values: auto, never, always. Defaults to auto that will start onboarding when no configuration is provided.
PROXY_BUFFER_SIZE1.16.0latest8kTune internal Nginx proxy_buffer_size.
CONSOLE_MEMORY_OPTS1.18.0latest-XX:+UseContainerSupport -XX:MaxRAMPercentage=80Configure memory Java options for Console module. See memory setup page for more details

Platform properties reference

Starting from Conduktor Platform 1.2.0 input configuration fields can be provided using environment variables.

Below shows the mapping of configuration fields in the platform-config.yaml to environment variables.

note

Lists start at index 0 and are provided using _idx_ syntax.

Support of shell expansion in yaml configuration file

Console support shell expansion for environment variable and home tilde ~ in YAML configuration file. This is useful if you have to use custom environment variables in your configuration.

For example, you can use the following syntax to use environment variables in your configuration file:


database:
url: "jdbc:postgresql://${DB_LOGIN}:${DB_PWD}@${DB_HOST}:${DB_PORT:-5432}/${DB_NAME}"

with the following environment variables:

  • DB_LOGIN: usr
  • DB_PWD: pwd
  • DB_HOST: some_host
  • DB_NAME: cdk

It will be expanded into the following configuration before being parsed by Console:

database:
url: "jdbc:postgresql://usr:pwd@some_host:5432/cdk"
note

If you want to escape the shell expansion in YAML file, you can use the following syntax: $$. For example if you want admin.password to be secret$123, you should set admin.password: "secret$$123".

Also note that values provided using environment variables will not be expended by Console. So for example if you use CDK_ADMIN_PASSWORD to set password like secret$123, it will be set as is.

Support of *_FILE environment variables

Since release 1.10.0, setting an environment variable matching *_FILE to a file path, the prefixed environment variable will be overridden with the value specified in that file.

For example, setting CDK_LICENSE_FILE to /run/secrets/license will override CDK_LICENSE with the content of the file /run/secrets/license.

danger

Exception: CDK_IN_CONF_FILE is not supported

Global properties

PropertyDescriptionEnvironment VariableMandatoryTypeDefault
organization.nameYour organization's nameCDK_ORGANIZATION_NAMEtruestring"default"
admin.emailYour organization's root administrator account emailCDK_ADMIN_EMAILtruestring
admin.passwordYour organization's root administrator account passwordCDK_ADMIN_PASSWORDtruestring
licenseEnterprise license key. If not provided, fallback to free plan.CDK_LICENSE or LICENSE_KEYfalsestring
platform.external.urlForce Platform external URL. Useful for SSO callback URL when using a reverse proxy. By default, the platform will try to guess it automatically using X-Forwarded-* headers coming from upstream reverse proxy.CDK_PLATFORM_EXTERNAL_URLfalsestring
platform.https.cert.pathPath to the SSL certificate file.CDK_PLATFORM_HTTPS_CERT_PATHfalsestring
platform.https.key.pathPath to the SSL private key file.CDK_PLATFORM_HTTPS_KEY_PATHfalsestring
enable_product_metricsIn order to improve Conduktor Platform, we collect anonymous usage metrics. Set to false, this configuration disable all of our metrics collection.CDK_ENABLE_PRODUCT_METRICSfalsebooleantrue
tip

If you need more that what free plan offer, you can contact us for a trial license.

Database properties

See database configuration documentation for more info

PropertyDescriptionEnvMandatoryTypeDefault
database.urlExternal Postgresql configuration URLCDK_DATABASE_URLfalsestring
in format [jdbc:]postgresql://[user[:password]@]netloc[:port][/dbname][?param1=value1&...]
database.hostExternal Postgresql server hostnameCDK_DATABASE_HOSTfalsestring
database.portExternal Postgresql server portCDK_DATABASE_PORTfalseint
database.nameExternal Postgresql database nameCDK_DATABASE_NAMEfalsestring
database.usernameExternal Postgresql login roleCDK_DATABASE_USERNAMEfalsestring
database.passwordExternal Postgresql login passwordCDK_DATABASE_PASSWORDfalsestring
database.connection_timeoutExternal Postgresql connection timeout in secondsCDK_DATABASE_CONNECTIONTIMEOUTfalseint

Session Lifetime Properties

Optional properties for configuring session lifetime.

PropertyDescriptionEnv VariableMandatoryTypeDefault Value
auth.sessionLifetimeMax session lifetime in secondsCDK_AUTH_SESSIONLIFETIMEfalseint259200
auth.idleTimeoutMax idle session time in seconds (access token lifetime). Should be lower than auth.sessionLifetimeCDK_AUTH_IDLETIMEOUTfalseint259200

Local users properties

Optional local accounts list used to login on conduktor-platform

PropertyDescriptionEnv VariableMandatoryTypeDefault Value
auth.local-users[].emailUser loginCDK_AUTH_LOCAL-USERS_0_EMAILtruestring"admin@conduktor.io"
auth.local-users[].passwordUser passwordCDK_AUTH_LOCAL-USERS_0_PASSWORDtruestring"admin"

Monitoring properties

caution

Starting with version 1.18.0, if you want to benefit from our Monitoring capabilities (dashboard and alerts), you need to deploy a new image along with Console.

Before 1.18:

  • conduktor/conduktor-platform:1.17.3 or below

Starting with 1.18:

  • conduktor/conduktor-platform:1.18.0 or above and
  • conduktor/conduktor-platform-cortex:1.18.0 or above

This new image is based on Cortex and preconfigured to run with Console. Cortex is a custom implementation of Prometheus used in several production systems including Amazon Managed Service for Prometheus (AMP).

You can choose to not deploy conduktor/conduktor-platform-cortex (Cortex) image. In this case, you will not be able to access to the following pages anymore:

The configuration is split in 2 chapters:

  • Console Configuration for Cortex conduktor/conduktor-platform
  • Cortex Configuration conduktor/conduktor-platform-cortex

Console Configuration for Cortex

First, we need to configure Console to connect to Cortex services. Cortex ports are configured like this by default:

  • Query port 9009
  • Alert Manager port 9010
PropertyDescriptionEnvMandatoryTypeDefaultSince
monitoring.cortex-urlCortex Search Query URL with port 9009CDK_MONITORING_CORTEX-URLtruestring1.18.0
monitoring.alert-manager-urlCortex Alert Manager URL with port 9010CDK_MONITORING_ALERT-MANAGER-URLtruestring1.18.0
monitoring.callback-urlConsole APICDK_MONITORING_CALLBACK-URLtruestring1.18.0
monitoring.notifications-callback-urlWhere the Slack notification should redirectCDK_MONITORING_NOTIFICATIONS-CALLBACK-URLtruestring1.18.0
monitoring.clusters-refresh-intervalRefresh rate in seconds for metrics (Optional)CDK_MONITORING_CLUSTERS-REFRESH-INTERVALfalseint601.18.0

Cortex Configuration

See Cortex configuration page for more info

SSO properties

SSO authentication properties (only on enterprise and team plans). See authentication documentation for snippets.

PropertyDescriptionEnvMandatoryTypeDefaultSince
sso.ignoreUntrustedCertificateDisable SSL checks.CDK_SSO_IGNOREUNTRUSTEDCERTIFICATEfalsebooleanfalse1.3.0
sso.trustedCertificatesSSL public certificates for SSO authentication (LDAPS and Oauth2) as PEM format.CDK_SSO_TRUSTEDCERTIFICATESfalsestring1.14.0

LDAP properties

PropertyDescriptionEnvMandatoryTypeDefaultSince
sso.ldap[].nameLdap connection nameCDK_SSO_LDAP_0_NAMEtruestring
sso.ldap[].serverLdap server host and portCDK_SSO_LDAP_0_SERVERtruestring
sso.ldap[].managerDnSets the manager DNCDK_SSO_LDAP_0_MANAGERDNtruestring
sso.ldap[].managerPasswordSets the manager passwordCDK_SSO_LDAP_0_MANAGERPASSWORDtruestring
sso.ldap[].search-subtreeSets if the subtree should be searched.CDK_SSO_LDAP_0_SEARCH-SUBTREEfalsebooleantrue1.5.0
sso.ldap[].search-baseSets the base DN to search.CDK_SSO_LDAP_0_SEARCH-BASEtruestring
sso.ldap[].search-filterSets the search filter. By default, the filter is set to (uid={0}) for users using class type InetOrgPerson.CDK_SSO_LDAP_0_SEARCH-FILTERfalsestring"(uid={0})"1.5.0
sso.ldap[].search-attributesSets the attributes list to return. By default, all attributes are returned. Platform search for uid, cn, mail, email, givenName, sn, displayName attributes to map into user token.CDK_SSO_LDAP_0_SEARCH-ATTRIBUTESfalsestring array[]1.5.0
sso.ldap[].groups-enabledSets if group search is enabled.CDK_SSO_LDAP_0_GROUPS-ENABLEDfalsebooleanfalse1.5.0
sso.ldap[].groups-subtreeSets if the subtree should be searched.CDK_SSO_LDAP_0_GROUPS-SUBTREEfalsebooleantrue1.5.0
sso.ldap[].groups-baseSets the base DN to search from.CDK_SSO_LDAP_0_GROUPS-BASEtruestring
sso.ldap[].groups-filterSets the group search filter. If using group class type GroupOfUniqueNames use the filter "uniqueMember={0}". For group class GroupOfNames use "member={0}". By default, the filter is set to "uniqueMember={0}".CDK_SSO_LDAP_0_GROUPS-FILTERfalsestring"uniquemember={0}"1.5.0
sso.ldap[].groups-filter-attributeSets the name of the user attribute to bind to the group search filter. Defaults to the user’s DN.CDK_SSO_LDAP_0_GROUPS-FILTER-ATTRIBUTEfalsestring1.5.0
sso.ldap[].groups-attributeSets the group attribute name. Defaults to cn.CDK_SSO_LDAP_0_GROUPS-ATTRIBUTEfalsestring"cn"1.5.0
sso.ldap[].propertiesAdditional properties that will be passed to identity provider context.CDK_SSO_LDAP_0_PROPERTIESfalsedictionary1.11.0

Oauth2 properties

PropertyDescriptionEnvMandatoryTypeDefault
sso.oauth2[].nameOauth2 connection nameCDK_SSO_OAUTH2_0_NAMEtruestring
sso.oauth2[].defaultUse as defaultCDK_SSO_OAUTH2_0_DEFAULTtrueboolean
sso.oauth2[].client-idOauth2 client idCDK_SSO_OAUTH2_0_CLIENT-IDtruestring
sso.oauth2[].client-secretOauth2 client secretCDK_SSO_OAUTH2_0_CLIENT-SECRETtruestring
sso.oauth2[].openid.issuerIssuer to check on tokenCDK_SSO_OAUTH2_0_OPENID_ISSUERtruestring
sso.oauth2[].scopesScope to be requested in the client credentials request.CDK_SSO_OAUTH2_0_SCOPEStruestring[]
sso.oauth2[].groups-claim Configure Group ClaimsCDK_SSO_OAUTH2_0_GROUPS-CLAIMfalsestring
sso.oauth2[].allow-unsigned-id-tokens Allow unsigned ID tokensCDK_SSO_OAUTH2_0_ALLOW-UNSIGNED-ID-TOKENSfalsebooleanfalse
sso.oauth2[].preferred-jws-algorithm Configure preferred JWS algorithmCDK_SSO_OAUTH2_0_PREFERRED-JWS-ALGORITHMfalsestring one of: "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES256K", "ES384", "ES512", "PS256", "PS384", "PS512", "EdDSA"

Kafka clusters properties

For more information on configuring your Kafka clusters using GitOps processes, see GitOps: Managing Cluster Configurations.

You can find sample configurations on the Configuration Snippets page

PropertyDescriptionEnvMandatoryTypeDefault
clusters[].idString used to uniquely identify your Kafka clusterCDK_CLUSTERS_0_IDtruestring
clusters[].nameAlias or user-friendly name for your Kafka clusterCDK_CLUSTERS_0_NAMEtruestring
clusters[].colorAttach a color to associate with your cluster in the UICDK_CLUSTERS_0_COLORfalsestring in hexadecimal format (#FFFFFF)random
clusters[].ignoreUntrustedCertificateSkip SSL certificate validationCDK_CLUSTERS_0_IGNOREUNTRUSTEDCERTIFICATEfalsebooleanfalse
clusters[].bootstrapServersList of host:port for your Kafka brokers separated by coma ,CDK_CLUSTERS_0_BOOTSTRAPSERVERStruestring
clusters[].zookeeperServerZookeeper server urlCDK_CLUSTERS_0_ZOOKEEPERSERVERfalsestring
clusters[].propertiesAny cluster configuration properties.CDK_CLUSTERS_0_PROPERTIESfalsestring where each line is a property
clusters[].jmxScrapePortJMX-exporter port used to scrape kafka broker metrics for monitoringCDK_CLUSTERS_0_JMXSCRAPEPORTfalseint9101
clusters[].nodeScrapePortNode-exporter port used to scrape kafka host metrics for monitoringCDK_CLUSTERS_0_NODESCRAPEPORTfalseint9100

Kafka vendor specific properties

Note that you do not need to set any of these additional properties to use the core features of the Console. However, by setting them you can get additional benefits such as managing service accounts and ACLs through Conduktor.

Confluent Cloud

Note you need only set Kafka cluster properties to use the core features of Console. Setting these additional properties will enable you to manage Confluent Cloud service accounts, API keys and ACLs.

PropertyDescriptionEnvMandatoryTypeDefaultValuesSince
clusters[].kafkaFlavor.typeKafka flavor type indicating the cluster is Confluent CloudCDK_CLUSTERS_0_KAFKAFLAVOR_TYPEfalsestringConfluent, Aiven, Gateway1.19.x
clusters[].kafkaFlavor.keyConfluent Cloud API KeyCDK_CLUSTERS_0_KAFKAFLAVOR_KEYtruestring-1.19.x
clusters[].kafkaFlavor.secretConfluent Cloud API SecretCDK_CLUSTERS_0_KAFKAFLAVOR_SECRETtruestring-1.19.x
clusters[].kafkaFlavor.confluentEnvironmentIdConfluent Environment IdCDK_CLUSTERS_0_KAFKAFLAVOR_CONFLUENTENVIRONMENTIDtruestring-1.19.x
clusters[].kafkaFlavor.confluentClusterIdConfluent Cluster IdCDK_CLUSTERS_0_KAFKAFLAVOR_CONFLUENTCLUSTERIDtruestring-1.19.x

Aiven

Note you need only set Kafka cluster properties to use the core features of Console. Setting these additional properties will enable you to manage Aiven service accounts and ACLs.

PropertyDescriptionEnvMandatoryTypeDefaultValuesSince
clusters[].kafkaFlavor.typeKafka flavor type indicating the cluster is AivenCDK_CLUSTERS_0_KAFKAFLAVOR_TYPEfalsestringConfluent, Aiven, Gateway1.19.x
clusters[].kafkaFlavor.apiTokenAiven API tokenCDK_CLUSTERS_0_KAFKAFLAVOR_APITOKENtruestring-1.19.x
clusters[].kafkaFlavor.projectAiven projectCDK_CLUSTERS_0_KAFKAFLAVOR_PROJECTtruestring-1.19.x
clusters[].kafkaFlavor.serviceNameAiven service nameCDK_CLUSTERS_0_KAFKAFLAVOR_SERVICENAMEtruestring-1.19.x

Conduktor Gateway

Configuring Gateway properties will enable you to deploy and manage interceptors on your virtual clusters.

PropertyDescriptionEnvMandatoryTypeDefaultValuesSince
clusters[].kafkaFlavor.typeKafka flavor type indicating the cluster is GatewayCDK_CLUSTERS_0_KAFKAFLAVOR_TYPEfalsestringConfluent, Aiven, Gateway1.19.x
clusters[].kafkaFlavor.urlGateway endpoint URLCDK_CLUSTERS_0_KAFKAFLAVOR_URLtruestring-1.19.x
clusters[].kafkaFlavor.userGateway usernameCDK_CLUSTERS_0_KAFKAFLAVOR_USERtruestring-1.19.x
clusters[].kafkaFlavor.passwordGateway passwordCDK_CLUSTERS_0_KAFKAFLAVOR_PASSWORDtruestring-1.19.x
clusters[].kafkaFlavor.virtualClusterGateway virtual clusterCDK_CLUSTERS_0_KAFKAFLAVOR_VIRTUALCLUSTERtruestring-1.19.x

Schema registry properties

PropertyDescriptionEnvMandatoryTypeDefault
clusters[].schemaRegistry.idString used to uniquely identify your schema registryCDK_CLUSTERS_0_SCHEMAREGISTRY_IDtruestring
clusters[].schemaRegistry.urlThe schema registry URLCDK_CLUSTERS_0_SCHEMAREGISTRY_URLtruestring
clusters[].schemaRegistry.ignoreUntrustedCertificateSkip SSL certificate validationCDK_CLUSTERS_0_SCHEMAREGISTRY_IGNOREUNTRUSTEDCERTIFICATEfalsebooleanfalse
clusters[].schemaRegistry.propertiesAny schema registry configuration parametersCDK_CLUSTERS_0_SCHEMAREGISTRY_PROPERTIESfalsestring where each line is a property

If you need to authenticate with basic auth, you can use the following properties:

PropertyDescriptionEnvMandatoryTypeDefault
clusters[].schemaRegistry.security.usernameBasic auth usernameCDK_CLUSTERS_0_SCHEMAREGISTRY_SECURITY_USERNAMEfalsestring
clusters[].schemaRegistry.security.passwordBasic auth passwordCDK_CLUSTERS_0_SCHEMAREGISTRY_SECURITY_PASSWORDfalsestring

If you need to authenticate with bearer auth, you can use the following property:

PropertyDescriptionEnvironment VariableMandatoryTypeDefault
clusters[].schemaRegistry.security.tokenBearer auth tokenCDK_CLUSTERS_0_SCHEMAREGISTRY_SECURITY_TOKENfalsestring

Amazon Glue schema registry properties

PropertyDescriptionEnvMandatoryTypeDefaultValuesSince
clusters[].schemaRegistry.regionThe Glue schema registry regionCDK_CLUSTERS_0_SCHEMAREGISTRY_REGIONtruestring-1.x.x
clusters[].schemaRegistry.registryNameThe Glue schema registry nameCDK_CLUSTERS_0_SCHEMAREGISTRY_REGISTRYNAMEfalsestring-1.x.x
clusters[].schemaRegistry.amazonSecurity.typeAuthentication with credentialsCDK_CLUSTERS_0_SCHEMAREGISTRY_AMAZONSECURITY_TYPEtruestringCredentials, FromContext, FromRole1.x.x

If amazonSecurity.type is Credentials, you must use the following properties:

PropertyDescriptionEnvMandatoryTypeDefaultSince
clusters[].schemaRegistry.amazonSecurity.accessKeyIdCredentials auth access keyCDK_CLUSTERS_0_SCHEMAREGISTRY_AMAZONSECURITY_ACCESSKEYIDtruestring1.x.x
clusters[].schemaRegistry.amazonSecurity.secretKeyCredentials auth secret keyCDK_CLUSTERS_0_SCHEMAREGISTRY_AMAZONSECURITY_SECRETKEYtruestring1.x.x

If amazonSecurity.type is FromContext, you must use the following properties:

PropertyDescriptionEnvMandatoryTypeDefaultSince
clusters[].schemaRegistry.amazonSecurity.profileAuthentication profileCDK_CLUSTERS_0_SCHEMAREGISTRY_AMAZONSECURITY_PROFILEfalsestring1.x.x

If amazonSecurity.type is FromRole, you must use the following properties:

PropertyDescriptionEnvMandatoryTypeDefaultSince
clusters[].schemaRegistry.amazonSecurity.roleAuthentication roleCDK_CLUSTERS_0_SCHEMAREGISTRY_AMAZONSECURITY_ROLEtruestring1.x.x

Kafka Connect properties

PropertyDescriptionEnvironment VariableMandatoryTypeDefault
clusters[].kafkaConnects[].idString used to uniquely identify your Kafka ConnectCDK_CLUSTERS_0_KAFKACONNECTS_0_IDtruestring
clusters[].kafkaConnects[].urlThe Kafka connect URLCDK_CLUSTERS_0_KAFKACONNECTS_0_URLtruestring
clusters[].kafkaConnects[].security.usernameBasic auth usernameCDK_CLUSTERS_0_KAFKACONNECTS_0_SECURITY_USERNAMEfalsestring
clusters[].kafkaConnects[].security.passwordBasic auth passwordCDK_CLUSTERS_0_KAFKACONNECTS_0_SECURITY_PASSWORDfalsestring
clusters[].kafkaConnects[].security.tokenBearer tokenCDK_CLUSTERS_0_KAFKACONNECTS_0_SECURITY_TOKENfalsestring
clusters[].kafkaConnects[].ignoreUntrustedCertificateSkip SSL certificate validationCDK_CLUSTERS_0_KAFKACONNECTS_0_IGNOREUNTRUSTEDCERTIFICATEfalsestring