Added full config file description (#54)

germanosin · web-flow · commit 278e925d35f8 · 2025-05-26T15:52:56.000+02:00
diff --git a/configuration/configuration-file.md b/configuration/configuration-file.md
@@ -14,6 +14,238 @@ We will mostly provide examples of configs in YAML format, but sometimes single
 
 Rather than writing your config from a scratch, it would be more convenient to use one of the ready-to-go [compose examples](compose-examples.md) and adjust it to your needs.
 
+#### Config file description ####
+
+```yaml
+# ======================================================
+# Kafka Clusters Configuration
+# Define all Kafka cluster-specific settings and related integrations.
+# ======================================================
+kafka:
+  clusters:
+    - name: local  # Unique name identifier for the Kafka cluster
+      bootstrap-servers: kafka1:9092,kafka2:9092  # List of Kafka broker addresses
+
+      # SSL configuration for secure connection to Kafka brokers
+      ssl:
+        truststore-location: path/to/truststore/file.jks  # Path to truststore JKS file
+        truststore-password: password  # Password to access the truststore
+        verify-ssl: true  # Enable SSL certificate verification
+
+      # Schema Registry connection and authentication details
+      schemaRegistry: http://schema-registry:8085
+      schema-registry-auth:
+        username: schema registry username
+        password: schema registry password
+      schema-registry-ssl:
+        keystore-location: path/to/keystore/file.jks
+        keystore-password: password
+
+      # ksqlDB connection and security settings
+      ksqldb-server: http://ksqldb-host:8088
+      ksqldb-server-auth:
+        username: ksqldb-username
+        password: ksqdb-passsword
+      ksqldb-server-ssl:
+        keystore-location: path/to/keystore/file.jks
+        keystore-password: password
+
+      # Kafka Connect REST endpoint and optional authentication
+      kafka-connect:
+        - name: first  # Identifier for the Connect cluster
+          address: http://kafka-connect-host:8083
+          username: Auth username
+          password: Auth password
+          keystore-location: path/to/keystore/file.jks
+          keystore-password: keystore password
+
+      # Custom SerDe (Serializer/Deserializer) for interpreting topic data
+      serde:
+        - name: CustomeHexWithEditedDelimiter
+          class-name: io.kafbat.ui.serdes.builtin.HexSerde
+          file-path: /var/lib/kui-serde/my-kui-serde.jar
+          topic-keys-pattern: ".*-events"  # Regex to match applicable topic keys
+          topic-values-pattern: ".*-events"  # Regex to match applicable topic values
+          properties:
+            uppercase: "false"  # Output lowercase hex
+            delimiter: ":"  # Byte delimiter
+
+      default-key-serde: String  # Default SerDe for message keys
+      default-value-serde: SchemaRegistry  # Default SerDe for message values
+
+      # Monitoring and metrics collection from the cluster
+      metrics:
+        type: JMX  # Available options: JMX or PROMETHEUS
+        port: 9997  # Port to collect JMX metrics
+        username: Auth username
+        password: Auth password
+        ssl: false  # Whether to use SSL for metrics endpoint
+        keystore-location: path/to/keystore/file.jks
+        keystore-password: password
+
+      # Global Kafka client properties
+      properties:
+        "security.protocol": SASL_SSL
+        "sasl.mechanism": SCRAM-SHA-512
+        "sasl.jaas.config": org.apache.kafka.common.security.scram.ScramLoginModule required username="your-username" password="your-password";
+
+      # Kafka Consumer configuration overrides
+      consumer-properties:
+        "max.partition.fetch.bytes": 1048576
+
+      # Kafka Producer configuration overrides
+      producer-properties:
+        "enable.idempotence": false
+
+      read-only: true  # Prevent write operations from the UI
+
+      polling-throttle-rate: 0  # Delay (seconds) between polling intervals in UI; 0 = no throttling
+
+      # Data masking rules for messages shown in the UI
+      masking:
+        - type: MASK  # Action: MASK, REMOVE, or REPLACE
+          fields: [ "id", "name" ]  # Specific fields to apply masking to
+          fields-name-pattern: "id.*"  # Regex pattern to match field names
+          masking-chars-replacement: ["A", "a", "N", "_"]  # Optional: override default mask characters
+          replacement: "***MASKED_FIELD_NAME***"  # Replacement string for masked field names
+          topic-values-pattern: events-with-ids-.*  # Apply on topic values matching this pattern
+          topic-keys-pattern: events-with-ids-.*  # Apply on topic keys matching this pattern
+
+      # Audit logging configuration
+      audit:
+        topic-audit-enabled: false  # Enable/disable Kafka topic audit logs
+        console-audit-enabled: false  # Enable/disable console audit output
+        topic: audit-topic-name  # Kafka topic for audit entries
+        audit-topics-partitions: 3  # Number of partitions for the audit topic
+        level: ALL  # ALL = log all actions, ALTER_ONLY = only mutating actions
+        audit-topic-properties:
+          "retention.ms": 43200000  # Audit log retention in ms (12 hours)
+
+  # Prefix to identify internal Kafka topics used by system tools
+  internalTopicPrefix: "__"
+
+  # Timeout for admin Kafka operations (in milliseconds)
+  admin-client-timeout: 30000
+
+  # Polling behavior for consumer previews in the UI
+  polling:
+    poll-timeout-ms: 1000  # How long to wait for new records (ms)
+    max-page-size: 500  # Maximum number of records per poll
+    default-page-size: 100  # Default number of records per poll
+
+# ======================================================
+# Model Context Protocol config
+# ======================================================
+mcp:
+  enabled: true # Enable MCP (ModelContextProtocol) endpoint
+
+# ======================================================
+# OAuth2 Authentication Configuration
+# Used for authenticating users via external identity providers.
+# ======================================================
+auth:
+  oauth2:
+    client:
+      client_name:
+        client-id: xxx
+        client-secret: yyy
+        scope: openid
+        client-name: cognito  # Display name on the login screen
+        provider: <provider>  # Path alias used in redirect URI
+        redirect-uri: http://localhost:8080/login/oauth2/code/<provider>
+        authorization-grant-type: authorization_code
+        issuer-uri: https://xxx  # Identity provider URL
+        jwk-set-uri: https://yyy/.well-known/jwks.json  # Public key set URL
+        user-name-attribute: <zzz>  # JWT field used as the user's name
+        custom-params:
+          type: <provider_type>  # Optional RBAC integration type (e.g. cognito, google, github, oauth)
+          roles-field: groups  # Field containing user roles/groups
+
+    resource-server:
+      jwt:
+        jwk-set-uri: http://jwk/uri
+        jws-algorithms: ["RS256"]
+        issuer-uri: http://issuer/uri
+        public-key-location:  # Optional path to JWT public key
+        audiences: []  # List of accepted audience values in JWT
+        authority_prefix:  # Optional prefix added to authorities
+        authorities-claim-delimiter:  # Regex delimiter for splitting roles
+        authorities-claim-name:  # Claim name holding roles/permissions
+        principal-claim-name:  # Claim used for determining the username
+
+      opaque-token:
+        client-id:  # Client ID used for introspection
+        client-secret:  # Secret used for introspection
+        introspection-uri:  # URL to the introspection endpoint
+
+# ======================================================
+# LDAP Configuration
+# Used for user and group resolution in RBAC when using LDAP.
+# ======================================================
+spring:
+  ldap:
+    urls: ldap://localhost:10389
+    base: "cn={0},ou=people,dc=planetexpress,dc=com"
+    admin-user: "cn=admin,dc=planetexpress,dc=com"
+    admin-password: "GoodNewsEveryone"
+    user-filter-search-base: "dc=planetexpress,dc=com"
+    user-filter-search-filter: "(&(uid={0})(objectClass=inetOrgPerson))"
+    group-filter-search-base: "ou=people,dc=planetexpress,dc=com"
+
+# ======================================================
+# Role-Based Access Control (RBAC)
+# Configure roles, user/group bindings, and permissions.
+# ======================================================
+rbac:
+  roles:
+    - name: "memelords"  # Role name
+      clusters:
+        - local  # Clusters this role applies to
+      subjects:
+        - provider: oauth_google  # e.g. oauth_{client_name}, ldap
+          type: domain  # domain, organization, user, group
+          value: "kafbat.dev"
+      permissions:
+        - resource: applicationconfig  # Resource types: applicationconfig, clusterconfig, topic, consumer, schema, connect, ksql, acl, audit
+          value: ".*"
+          actions: all  # Allowed actions: read, write, all
+
+# ======================================================
+# WebClient Settings
+# Configuration for HTTP clients used by the app.
+# ======================================================
+webclient:
+  response-timeout-ms: 20000  # Timeout for all outgoing HTTP requests
+  max-in-memory-buffer-size: 20MB  # Maximum buffer size for handling responses
+
+# ======================================================
+# Spring Boot Actuator
+# Enables health, info, and Prometheus endpoints for monitoring.
+# ======================================================
+management:
+  endpoint:
+    info:
+      enabled: true
+    health:
+      enabled: true
+  endpoints:
+    web:
+      exposure:
+        include: "info,health,prometheus"
+
+# ======================================================
+# Application Logging Configuration
+# Configure logging levels for specific packages.
+# ======================================================
+logging:
+  level:
+    root: INFO
+    io.kafbat.ui: DEBUG
+    reactor.netty.http.server.AccessLog: INFO
+    org.hibernate.validator: WARN
+
+```
+
 #### Providing a config path for the app instance:
 
 **Docker**: 
@@ -42,33 +274,3 @@ services:
 ```
 
 **Jar**: `java -Dspring.config.additional-location=<path-to-application-local.yml> -jar <path-to-jar>.jar`
-
-#### Basic config structure
-
-```yaml
-kafka:
-  clusters:
-    -
-      name: local
-      bootstrapServers: localhost:29091
-      schemaRegistry: http://localhost:8085
-      schemaRegistryAuth:
-        username: username
-        password: password
-#     schemaNameTemplate: "%s-value"
-      metrics:
-        port: 9997
-        type: JMX
-```
-
-* `name`: cluster name
-* `bootstrapServers`: where to connect
-* `schemaRegistry`: schemaRegistry's address
-* `schemaRegistryAuth.username`: schemaRegistry's basic authentication username
-* `schemaRegistryAuth.password`: schemaRegistry's basic authentication password
-* `schemaNameTemplate`: how keys are saved to Schema Registry
-* `metrics.port`: open the JMX port of a broker
-* `metrics.type`: Type of metrics, either JMX or PROMETHEUS. Defaulted to JMX.
-* `readOnly`: enable read-only mode
-
-Configure as many clusters as you need by adding their configs below separated with `-`.
