Appearance

Configuration Management Guide

Complete guide to configuring KafkaGuard using configuration files, environment variables, and command-line flags.

Table of Contents

Configuration Overview

KafkaGuard supports three configuration methods that can be used independently or combined:

  1. Configuration File (.kafkaguard.yaml) - YAML file with all settings
  2. Environment Variables (KAFKAGUARD_* prefix) - Shell environment variables
  3. Command-Line Flags - Direct CLI arguments

When to Use Each Method

MethodBest ForAdvantagesDisadvantages
Configuration FilePersistent settings, team sharingEasy to version control, readableMay contain sensitive data if not careful
Environment VariablesCredentials, CI/CD, containerized environmentsSecure (no file storage), easy to injectLess readable, harder to document
Command-Line FlagsOne-off scans, quick overridesExplicit, temporaryVerbose, credentials visible in process list

Best Practice: Use configuration files for general settings, environment variables for credentials, and CLI flags for overrides.

Configuration Precedence

When the same option is specified in multiple places, KafkaGuard uses this precedence order:

1. Command-line flags (highest precedence)

2. Environment variables

3. Configuration file

4. Default values (lowest precedence)

Precedence Example

Given these configurations:

yaml
# .kafkaguard.yaml
bootstrap: "kafka-config:9092"
policy: "policies/baseline-dev.yaml"
timeout: 300
bash
# Environment variables
export KAFKAGUARD_BOOTSTRAP="kafka-env:9092"
export KAFKAGUARD_TIMEOUT=600

# Command line
kafkaguard scan --bootstrap kafka-cli:9092

Result:

  • bootstrap: kafka-cli:9092 (from CLI flag - highest precedence)
  • policy: policies/baseline-dev.yaml (from config file - no override)
  • timeout: 600 (from environment variable - overrides config file)

Configuration File Format

KafkaGuard uses YAML format for configuration files (.kafkaguard.yaml).

Basic Configuration File Structure

yaml
# .kafkaguard.yaml - KafkaGuard Configuration File

# Kafka Connection Settings
bootstrap: "kafka1:9092,kafka2:9092,kafka3:9092"
timeout: 300

# Policy Settings
policy: "policies/enterprise-default.yaml"

# Report Settings
out: "./reports"
format: ["json", "html", "pdf"]
fail-on: "high"

# Logging
log-level: "info"

# Security Settings
security:
  protocol: "SASL_SSL"
  sasl:
    mechanism: "SCRAM-SHA-512"
    username: "admin"
    # Password should be set via environment variable for security
    # password: "${KAFKA_PASSWORD}"
  tls:
    ca-cert: "/etc/kafkaguard/certs/ca.pem"
    client-cert: "/etc/kafkaguard/certs/client.pem"
    client-key: "/etc/kafkaguard/certs/client-key.pem"
    skip-verify: false

# Performance Settings (optional)
scan:
  parallel: true
  max-collectors: 6

Environment Variable References in Config Files

You can reference environment variables in configuration files using ${VAR_NAME} syntax:

yaml
bootstrap: "${KAFKA_BROKER}"
security:
  sasl:
    username: "${KAFKA_USERNAME}"
    password: "${KAFKA_PASSWORD}"

This allows you to keep sensitive data out of configuration files while still using them.

All Configuration Options

Complete reference of all available configuration options:

Connection Options

OptionTypeDefaultDescriptionCLI FlagEnv Var
bootstrapstring(required)Kafka bootstrap servers (comma-separated)--bootstrap, -bKAFKAGUARD_BOOTSTRAP
timeoutint300Scan timeout in seconds--timeoutKAFKAGUARD_TIMEOUT

Policy Options

OptionTypeDefaultDescriptionCLI FlagEnv Var
policystringpolicies/baseline-dev.yamlPath to policy YAML file--policy, -pKAFKAGUARD_POLICY

Report Options

OptionTypeDefaultDescriptionCLI FlagEnv Var
outstring./reportsOutput directory for reports--out, -oKAFKAGUARD_OUT
formatstring[]["json"]Report formats (json, html, pdf, csv)--format, -fKAFKAGUARD_FORMAT
fail-onstringhighFail threshold severity (high, medium, low, none)--fail-onKAFKAGUARD_FAIL_ON

Security Options

Protocol Settings

OptionTypeDefaultDescriptionCLI FlagEnv Var
security.protocolstringauto-detectSecurity protocol (PLAINTEXT, SSL, SASL_PLAINTEXT, SASL_SSL)--security-protocolKAFKAGUARD_SECURITY_PROTOCOL

SASL Settings

OptionTypeDefaultDescriptionCLI FlagEnv Var
security.sasl.mechanismstring-SASL mechanism (PLAIN, SCRAM-SHA-256, SCRAM-SHA-512)--sasl-mechanismKAFKAGUARD_SASL_MECHANISM
security.sasl.usernamestring-SASL username--sasl-usernameKAFKAGUARD_SASL_USERNAME
security.sasl.passwordstring-SASL password (use env var recommended)--sasl-passwordKAFKAGUARD_SASL_PASSWORD

TLS Settings

OptionTypeDefaultDescriptionCLI FlagEnv Var
security.tls.ca-certstring-Path to CA certificate file--tls-ca-certKAFKAGUARD_TLS_CA_CERT
security.tls.client-certstring-Path to client certificate (mTLS)--tls-client-certKAFKAGUARD_TLS_CLIENT_CERT
security.tls.client-keystring-Path to client private key (mTLS)--tls-client-keyKAFKAGUARD_TLS_CLIENT_KEY
security.tls.skip-verifyboolfalseSkip TLS certificate verification (testing only)--tls-insecure-skip-verifyKAFKAGUARD_TLS_INSECURE_SKIP_VERIFY

Environment Variables

All KafkaGuard configuration options can be set via environment variables using the KAFKAGUARD_ prefix.

Environment Variable Naming Convention

  1. Prefix all variables with KAFKAGUARD_
  2. Convert option names to UPPERCASE
  3. Replace hyphens (-) with underscores (_)
  4. For nested options, use underscores to separate levels

Complete Environment Variable Reference

Connection Variables

bash
export KAFKAGUARD_BOOTSTRAP="kafka1:9092,kafka2:9092"
export KAFKAGUARD_TIMEOUT="600"

Security Variables

bash
# Protocol
export KAFKAGUARD_SECURITY_PROTOCOL="SASL_SSL"

# SASL
export KAFKAGUARD_SASL_MECHANISM="SCRAM-SHA-512"
export KAFKAGUARD_SASL_USERNAME="admin"
export KAFKAGUARD_SASL_PASSWORD="secret"

# TLS
export KAFKAGUARD_TLS_CA_CERT="/etc/kafkaguard/certs/ca.pem"
export KAFKAGUARD_TLS_CLIENT_CERT="/etc/kafkaguard/certs/client.pem"
export KAFKAGUARD_TLS_CLIENT_KEY="/etc/kafkaguard/certs/client-key.pem"
export KAFKAGUARD_TLS_INSECURE_SKIP_VERIFY="false"

Sensitive Data Handling

Protect credentials and sensitive configuration data:

Best Practices

✅ DO: Use Environment Variables for Credentials

yaml
# .kafkaguard.yaml (safe - no credentials)
security:
  sasl:
    mechanism: "SCRAM-SHA-512"
    username: "${KAFKA_USERNAME}"  # Reference env var
    password: "${KAFKA_PASSWORD}"  # Reference env var
bash
# Set credentials via environment
export KAFKA_USERNAME="admin"
export KAFKA_PASSWORD="secret"
kafkaguard scan

❌ DON'T: Store Credentials in Config Files

yaml
# .kafkaguard.yaml (UNSAFE - DO NOT DO THIS)
security:
  sasl:
    username: "admin"
    password: "secret"  # ❌ Credentials in plain text

Configuration Examples

Example 1: Development Environment

File: .kafkaguard.yaml

yaml
# Development cluster configuration
bootstrap: "localhost:9092"
policy: "policies/baseline-dev.yaml"
out: "./reports"
format: ["html", "json"]
log-level: "debug"
timeout: 300

# No security (PLAINTEXT)
security:
  protocol: "PLAINTEXT"

Usage:

bash
kafkaguard scan  # Uses config file

Example 2: Production Environment

File: /etc/kafkaguard/config.yaml

yaml
# Production cluster configuration
bootstrap: "kafka1.prod.example.com:9095,kafka2.prod.example.com:9095,kafka3.prod.example.com:9095"
policy: "policies/enterprise-default.yaml"
out: "/var/reports/kafkaguard"
format: ["json", "html", "pdf"]
fail-on: "high"
log-level: "info"
timeout: 600

# Security settings (credentials via environment variables)
security:
  protocol: "SASL_SSL"
  sasl:
    mechanism: "SCRAM-SHA-512"
    username: "${KAFKA_USERNAME}"
    password: "${KAFKA_PASSWORD}"
  tls:
    ca-cert: "/etc/kafkaguard/certs/ca.pem"
    skip-verify: false

# Performance tuning for large cluster
scan:
  parallel: true
  max-collectors: 10

Usage:

bash
# Set credentials via environment
export KAFKA_USERNAME="kafkaguard-prod"
export KAFKA_PASSWORD="$(vault kv get -field=password secret/kafka/prod)"

# Run scan
kafkaguard scan --config /etc/kafkaguard/config.yaml

Next Steps

Need Help?

Ready to Get Started?

Book a demo to see KafkaGuard in action and learn how it can help secure your Kafka clusters.

📅 Book a Demo