Skip to main content

Conduktor CLI overview

Conduktor CLI (Command Line Interface) helps you to manage your Console and Gateway resources via commands or CI/CD pipelines.
From our blog: Houston, we have 7 CLI tools and zero answers The CLI fragmentation problem for Kafka teams and how a unified toolchain changes the game.

Install

You have three options to install Conduktor CLI:
  • Native binary - for individual use and testing
  • Homebrew - for individual use and testing on MacOS
  • Docker - for integration in CI/CD pipelines

Native binary

Download the latest binary from GitHub on Windows, Linux or MacOS. In the Assets list, download the build that corresponds to your machine (for Apple Silicon use darwin-arm64).

Homebrew

Use the Homebrew package manager to install our CLI:

Docker

Pull the latest Dockerhub version of the CLI using the following command line:

Upgrade

Homebrew

To upgrade to the latest version of the CLI:

Native binary

Download the latest binary from GitHub and replace your existing installation.

Docker

Pull the latest version:

Configure

To use the Conduktor CLI, you need to set:
  • the URL of your Conduktor Console and/or Gateway API
  • the authentication mechanism: either by using an API key, or user credentials

Authenticate to Console using API keys

These are the necessary environment variables for this authentication method::
There are two types of API keys: admin and Self-service application.
Admin API keys grant the maximum permissions in Console.
Generate an admin key named 'my-admin-key'

Authenticate to Console using user credentials

You can simply set the username and password of the local or LDAP user and use the CLI, or create an associated short-lived API key. This type of API key will have the permissions of the user who created it. This kind of authentication will be valid for the same duration as the configured session timeout.
Generate a short-lived API key

Authenticate to Console using external authentication

By default, the Conduktor CLI authenticates with Console using a Console API key, or generates one based on the given credentials. This is the console authentication mode (CDK_AUTH_MODE is console or empty). Alternatively, you can use the external authentication mode to bypass token generation and use credentials from your identity provider or the API proxy instead. For that, set the CDK_AUTH_MODE environment variable to external:
Set up external authentication with a bearer token
Set up external authentication with client credentials

Authenticate to Gateway using API credentials

To use the CLI to manage Gateway objects, you need to set the URL of the Gateway API and the API credentials.

Environment variables

This is the list of the supported environment variables:
Environment variablesDescription
Console
CDK_BASE_URLConsole base URL, e.g. http://localhost:8080
CDK_API_KEYConsole API key (admin or application key)
CDK_USERConsole local or LDAP user username
CDK_PASSWORDConsole local or LDAP user password
CDK_AUTH_MODEAuthentication mode (external, console or empty (default))
Gateway
CDK_GATEWAY_BASE_URLGateway base URL, e.g. http://localhost:8888
CDK_GATEWAY_USERGateway user login email
CDK_GATEWAY_PASSWORDGateway user login password
TLS and mTLS
CDK_CACERTRoot CA certificate to verify the Conduktor Console certificate (.pem)
CDK_INSECURESkip the TLS verification of the Conduktor Console. Defaults to false.
CDK_CERTCertificate to authenticate the CLI (.pem)
CDK_KEYKey to authenticate the CLI (.pem)

CLI commands

The CLI offers a set of commands to manage Conduktor resources. You can use it to create, update, delete and get resources.

Apply

The apply command allows you to deploy any resource.
The --parallelism flag allows you to run multiple applies at the same time, in parallel. This is useful when applying a large number of resources. Be careful not to set it too high, as it may overload the Console/Gateway API.
Examples:
Apply all resources in multiple directories
Apply a specific file
Apply all resources in the current directory and its subfolders

Template

The template command allows you to get an example of a resource definition:
You can also save the output in a file, in order to edit it before applying it:

Delete

The delete command allows you to delete a resource. It works the same way as the apply.
Resources are deleted instantly and can’t be recovered. Any data or access associated with the resource is permanently lost.
Examples:
Delete all resources in multiple directories
Delete a specific file
Delete all resources in the current directory and its subfolders

Get

The get command allows you to retrieve resources. You can specify a kind, a name, or list all the resources.
Examples:
Get all users
Get a specific Kafka connect cluster
Get all the Console resources with a 'name' output format

Token

To run your CI/CD pipelines, you can use the token command to manage your API keys.
Create an admin API keys
List Console admin API keys
Create an application instance API key
List API keys of an application instance
Delete an API key

Run

The run command allows you to run a few actions:
Examples:
Generate a service account password for a virtual cluster
Generate a Partner Zone service account password
Get information about the credentials configured in the CLI

Manage state

State management is available in CLI v0.7.0 and above.
State management is an optional feature that tracks resources applied via the CLI. It helps detect orphaned resources (resources in state but no longer in your configuration files) and automatically removes them. Enable state management with the --enable-state flag:
Apply with local state tracking

Local state

By default, the state file is stored locally at:
PlatformDefault location
Linux$XDG_DATA_HOME/.local/share/conduktor/cli-state.json
macOS$HOME/Library/Application Support/conduktor/cli-state.json
Windows$APPDATA/conduktor/cli-state.json
Use --state-file to specify a custom path:
The state file is a JSON document containing metadata about tracked resources:

Remote state

For team collaboration and CI/CD pipelines, store state in remote object storage using --state-remote-uri:
Also supports S3-compatible services like MinIO or DigitalOcean Spaces.See S3 URI options and authentication methods.

Environment variables

You can enable state management globally using environment variables:
Environment variableDescription
CDK_STATE_ENABLEDEnable state tracking globally
CDK_STATE_FILECustom local state file path
CDK_STATE_REMOTE_URIRemote storage URI (S3, GCS, Azure Blob)
See detailed URI options, authentication methods and best practices.

Version

Check the current version of your CLI:
Check CLI version

CI/CD pipeline integration example

Conduktor CLI can be easily integrated to a CI/CD pipeline. This example presents two pipelines:
  • The first one triggers on each new PR and launches the CLI using the --dry-run flag, generating a report confirming that the resources can be successfully created or modified.
  • The second one triggers on a push to the main branch, making the changes live.
For a fuller, production-ready Self-service example — splitting platform and application resources, using scope-based tokens, isolating remote state per workflow, and enforcing review with CODEOWNERS — start from the conduktor/self-service-template reference repository.
Consider the following folder structure:
.github/workflows/on-pr.yml
.github/workflows/on-push.yml

Environment variables for secrets

The Conduktor CLI automatically substitutes environment variables in YAML manifests using ${ENV_VAR} patterns. This keeps sensitive data like credentials out of configuration files. You can set a default value using POSIX notation ${ENV:-default}. By default, the CLI fails if an environment variable is undefined or empty, ensuring all required variables are properly configured. Use the --permissive flag to replace missing or empty variables with empty strings instead of failing.

Escape sequences for Interceptor configs

When you use environment variables in Gateway Interceptor configurations, you have to escape dollar signs with double dollar signs $$ for secured templates. This applies to:
  • Encryption keys
  • Passwords
  • API tokens
  • Any secret values in Interceptor config blocks
Example:
Without the $$ escape sequence, the CLI will not correctly substitute the environment variable in the Interceptor configuration.

Kafka cluster example

The example below shows a Conduktor cluster configuration with credentials secured using environment variables: