redpanda_migrator

A specialised Kafka producer for comprehensive data migration between Apache Kafka and Redpanda clusters.

Introduced in version 4.67.0.

Common

# Common config fields, showing default values
output:
  label: ""
  redpanda_migrator:
    seed_brokers: [] # No default (required)
    schema_registry:
      url: http://localhost:8081 # No default (required)
      enabled: true
      interval: 0s
      include: [] # No default (optional)
      exclude: [] # No default (optional)
      subject: '"prod_${! metadata(''schema_registry_subject'') }"' # No default (optional)
      versions: all
      include_deleted: false
      translate_ids: false
      normalize: false
      strict: false
    consumer_groups:
      enabled: true
      interval: 1m
      fetch_timeout: 10s
      include: [] # No default (optional)
      exclude: [] # No default (optional)
      only_empty: false
    topic: ${! @kafka_topic }
    topic_replication_factor: "3" # No default (optional)
    sync_topic_acls: false

Advanced

# Advanced config fields, showing default values
output:
  label: ""
  redpanda_migrator:
    seed_brokers: [] # No default (required)
    client_id: benthos
    tls:
      enabled: false
      skip_cert_verify: false
      enable_renegotiation: false
      root_cas: ""
      root_cas_file: ""
      client_certs: []
    sasl: [] # No default (optional)
    metadata_max_age: 5m
    request_timeout_overhead: 10s
    conn_idle_timeout: 20s
    partitioner: "" # No default (optional)
    idempotent_write: true
    compression: "" # No default (optional)
    allow_auto_topic_creation: true
    timeout: 10s
    max_message_bytes: 1MiB
    broker_write_max_bytes: 100MiB
    schema_registry:
      url: http://localhost:8081 # No default (required)
      tls:
        enabled: false
        skip_cert_verify: false
        enable_renegotiation: false
        root_cas: ""
        root_cas_file: ""
        client_certs: []
      oauth:
        enabled: false
        consumer_key: ""
        consumer_secret: ""
        access_token: ""
        access_token_secret: ""
      basic_auth:
        enabled: false
        username: ""
        password: ""
      jwt:
        enabled: false
        private_key_file: ""
        signing_method: ""
        claims: {}
        headers: {}
      enabled: true
      interval: 0s
      include: [] # No default (optional)
      exclude: [] # No default (optional)
      subject: '"prod_${! metadata(''schema_registry_subject'') }"' # No default (optional)
      versions: all
      include_deleted: false
      translate_ids: false
      normalize: false
      strict: false
    consumer_groups:
      enabled: true
      interval: 1m
      fetch_timeout: 10s
      include: [] # No default (optional)
      exclude: [] # No default (optional)
      only_empty: false
    topic: ${! @kafka_topic }
    topic_replication_factor: "3" # No default (optional)
    sync_topic_acls: false
    serverless: false

The redpanda_migrator output performs all migration work. It coordinates topics, schema registry, and consumer groups to migrate data from a source Kafka/Redpanda cluster to a destination cluster.

IMPORTANT: This output requires a corresponding redpanda_migrator input in the same pipeline. Each pipeline must have both input and output components configured.

Multiple migrator pairs: When using multiple migrator pairs in a single pipeline, the mapping between input and output components is done based on the label field. The label of the input and output must match exactly for proper coordination.

What gets synchronised:

• Topics

  • Name resolution with interpolation (default: preserve source name)
  • Automatic creation with mirrored partition counts
  • Selectable replication factor (default: inherit from source)
  • Copy of supported topic configuration keys (serverless-aware subset)
  • Optional ACL replication with safe transforms:
    • Excludes ALLOW WRITE entries
    • Downgrades ALLOW ALL to READ
    • Preserves resource pattern type and host filters

• Schema Registry

  • One-shot or periodic syncing
  • Subject selection via include/exclude regex
  • Subject renaming with interpolation
  • Versions: latest or all (default: all)
  • Optional include of soft-deleted subjects
  • ID handling: translate IDs (create-or-reuse) or keep fixed IDs and versions
  • Optional schema normalisation on create
  • Optional per-subject compatibility propagation when explicitly set on source (global mode is not forced)
  • Serverless note: schema metadata and rule sets are not copied in serverless mode

• Consumer Groups

  • Periodic syncing
  • Group selection via include/exclude regex
  • Only groups in Empty state are migrated (active groups are skipped)
  • Timestamp-based offset translation (approximate) per partition using previous-record timestamp and ListOffsetsAfterMilli
  • No rewind guarantee: destination offsets are never moved backwards
  • Commit performed in parallel with per-group metrics
  • Requires matching partition counts between source and destination topics

How it runs:

• Topics: synced on demand. The first write triggers discovery and creation; subsequent writes create on first encounter per topic.
• Schema Registry: one sync at connect, then triggered when topic record has unknown schema; optional background loop controlled by schema_registry.interval.
• Consumer Groups: background loop controlled by consumer_groups.interval and filtered by the current topic mappings.

Guarantees:

• Topics are created with the intended partitioning and configured replication factor. Existing topics are respected; partition mismatches are logged and consumer group migration for mismatched topics is skipped.
• Consumer group offsets are never rewound. Only translated forward positions are committed.
• ACL replication excludes ALLOW WRITE operations and downgrades ALLOW ALL to READ to avoid unsafe grants.

Limitations and requirements:

• Destination Schema Registry must be in READWRITE or IMPORT mode.
• Offset translation is best-effort: if the previous-offset timestamp cannot be read, or no destination offset exists after the timestamp, that partition is skipped.
• Consumer group migration requires identical partition counts for source and destination topics.

Metrics:

The component exposes comprehensive metrics for monitoring migration operations:

Topic Migration Metrics:

• redpanda_migrator_topics_created_total (counter): Total number of topics successfully created on the destination cluster
• redpanda_migrator_topic_create_errors_total (counter): Total number of errors encountered when creating topics
• redpanda_migrator_topic_create_latency_ns (timer): Latency in nanoseconds for topic creation operations

Schema Registry Migration Metrics:

• redpanda_migrator_sr_schemas_created_total (counter): Total number of schemas successfully created in the destination schema registry
• redpanda_migrator_sr_schema_create_errors_total (counter): Total number of errors encountered when creating schemas
• redpanda_migrator_sr_schema_create_latency_ns (timer): Latency in nanoseconds for schema creation operations
• redpanda_migrator_sr_compatibility_updates_total (counter): Total number of compatibility level updates applied to subjects
• redpanda_migrator_sr_compatibility_update_errors_total (counter): Total number of errors encountered when updating compatibility levels
• redpanda_migrator_sr_compatibility_update_latency_ns (timer): Latency in nanoseconds for compatibility level update operations

Consumer Group Migration Metrics (with group label):

• redpanda_migrator_cg_offsets_translated_total (counter): Total number of offsets successfully translated per consumer group
• redpanda_migrator_cg_offset_translation_errors_total (counter): Total number of errors encountered when translating offsets per consumer group
• redpanda_migrator_cg_offset_translation_latency_ns (timer): Latency in nanoseconds for offset translation operations per consumer group
• redpanda_migrator_cg_offsets_committed_total (counter): Total number of offsets successfully committed per consumer group
• redpanda_migrator_cg_offset_commit_errors_total (counter): Total number of errors encountered when committing offsets per consumer group
• redpanda_migrator_cg_offset_commit_latency_ns (timer): Latency in nanoseconds for offset commit operations per consumer group

Consumer Lag Metrics (with topic and partition labels):

• redpanda_lag (gauge): Current consumer lag in messages for each topic partition being consumed by the migrator input. This metric shows the difference between the high water mark and the current consumer position, providing visibility into how far behind the consumer is on each partition. The metric includes labels for topic name and partition number to enable per-partition monitoring.

This component must be paired with the redpanda_migrator input in the same pipeline.

Examples

Basic migration

Migrate topics, schemas and consumer groups from source to destination.

input:
  redpanda_migrator:
    seed_brokers: ["source:9092"]
    topics: ["orders", "payments"]
    consumer_group: "migration"

output:
  redpanda_migrator:
    seed_brokers: ["destination:9092"]
    # Write to the same topic name
    topic: ${! metadata("kafka_topic") }
    schema_registry:
      url: "http://dest-registry:8081"
      translate_ids: true
    consumer_groups:
      interval: 1m

Migration to Redpanda Serverless

Migrate from Confluent/Kafka to Redpanda Cloud serverless cluster with authentication.

input:
  redpanda_migrator:
    seed_brokers: ["source-kafka:9092"]
    topics:
      - '^[^_]'  # All topics not starting with underscore
    regexp_topics: true
    consumer_group: "migrator_cg"
    schema_registry:
      url: "http://source-registry:8081"

output:
  redpanda_migrator:
    seed_brokers: ["serverless-cluster.redpanda.com:9092"]
    tls:
      enabled: true
    sasl:
      - mechanism: SCRAM-SHA-256
        username: "migrator"
        password: "migrator"
    schema_registry:
      url: "https://serverless-cluster.redpanda.com:8081"
      basic_auth:
        enabled: true
        username: "migrator"
        password: "migrator"
      translate_ids: true
    consumer_groups:
      exclude:
        - "migrator_cg"  # Exclude the migration consumer group itself
    serverless: true  # Enable serverless mode for restricted configurations

Fields

seed_brokers

A list of broker addresses to connect to in order to establish connections. If an item of the list contains commas it will be expanded into multiple addresses.

Type: array

# Examples

seed_brokers:
  - localhost:9092

seed_brokers:
  - foo:9092
  - bar:9092

seed_brokers:
  - foo:9092,bar:9092

client_id

An identifier for the client connection.

Type: string

Default: "benthos"

tls

Custom TLS settings can be used to override system defaults.

Type: object

tls.enabled

Whether custom TLS settings are enabled.

Type: bool

Default: false

tls.skip_cert_verify

Whether to skip server side certificate verification.

Type: bool

Default: false

tls.enable_renegotiation

Whether to allow the remote server to repeatedly request renegotiation. Enable this option if you’re seeing the error message local error: tls: no renegotiation.

Type: bool

Default: false Requires version 3.45.0 or newer

tls.root_cas

An optional root certificate authority to use. This is a string, representing a certificate chain from the parent trusted root certificate, to possible intermediate signing certificates, to the host certificate.

Sensitive Information

This field contains sensitive information that usually shouldn’t be added to a config directly, read our secrets page for more info.

Type: string

Default: ""

# Examples

root_cas: |-
  -----BEGIN CERTIFICATE-----
  ...
  -----END CERTIFICATE-----

tls.root_cas_file

An optional path of a root certificate authority file to use. This is a file, often with a .pem extension, containing a certificate chain from the parent trusted root certificate, to possible intermediate signing certificates, to the host certificate.

Type: string

Default: ""

# Examples

root_cas_file: ./root_cas.pem

tls.client_certs

A list of client certificates to use. For each certificate either the fields cert and key, or cert_file and key_file should be specified, but not both.

Type: array

Default: []

# Examples

client_certs:
  - cert: foo
    key: bar

client_certs:
  - cert_file: ./example.pem
    key_file: ./example.key

tls.client_certs[].cert

A plain text certificate to use.

Type: string

Default: ""

tls.client_certs[].key

A plain text certificate key to use.

Sensitive Information

This field contains sensitive information that usually shouldn’t be added to a config directly, read our secrets page for more info.

Type: string

Default: ""

tls.client_certs[].cert_file

The path of a certificate to use.

Type: string

Default: ""

tls.client_certs[].key_file

The path of a certificate key to use.

Type: string

Default: ""

tls.client_certs[].password

A plain text password for when the private key is password encrypted in PKCS#1 or PKCS#8 format. The obsolete pbeWithMD5AndDES-CBC algorithm is not supported for the PKCS#8 format.

Because the obsolete pbeWithMD5AndDES-CBC algorithm does not authenticate the ciphertext, it is vulnerable to padding oracle attacks that can let an attacker recover the plaintext.

Sensitive Information

This field contains sensitive information that usually shouldn’t be added to a config directly, read our secrets page for more info.

Type: string

Default: ""

# Examples

password: foo

password: ${KEY_PASSWORD}

sasl

Specify one or more methods of SASL authentication. SASL is tried in order; if the broker supports the first mechanism, all connections will use that mechanism. If the first mechanism fails, the client will pick the first supported mechanism. If the broker does not support any client mechanisms, connections will fail.

Type: array

# Examples

sasl:
  - mechanism: SCRAM-SHA-512
    password: bar
    username: foo

sasl[].mechanism

The SASL mechanism to use.

Type: string

Option	Summary
AWS_MSK_IAM	AWS IAM based authentication as specified by the ‘aws-msk-iam-auth’ java library.
OAUTHBEARER	OAuth Bearer based authentication.
PLAIN	Plain text authentication.
SCRAM-SHA-256	SCRAM based authentication as specified in RFC5802.
SCRAM-SHA-512	SCRAM based authentication as specified in RFC5802.
none	Disable sasl authentication

sasl[].username

A username to provide for PLAIN or SCRAM-* authentication.

Type: string

Default: ""

sasl[].password

A password to provide for PLAIN or SCRAM-* authentication.

Sensitive Information

This field contains sensitive information that usually shouldn’t be added to a config directly, read our secrets page for more info.

Type: string

Default: ""

sasl[].token

The token to use for a single session’s OAUTHBEARER authentication.

Type: string

Default: ""

sasl[].extensions

Key/value pairs to add to OAUTHBEARER authentication requests.

Type: object

sasl[].aws

Contains AWS specific fields for when the mechanism is set to AWS_MSK_IAM.

Type: object

sasl[].aws.region

The AWS region to target.

Type: string

sasl[].aws.endpoint

Allows you to specify a custom endpoint for the AWS API.

Type: string

sasl[].aws.credentials

Optional manual configuration of AWS credentials to use. More information can be found in xref:guides:cloud/aws.adoc[].

Type: object

sasl[].aws.credentials.profile

A profile from ~/.aws/credentials to use.

Type: string

sasl[].aws.credentials.id

The ID of credentials to use.

Type: string

sasl[].aws.credentials.secret

The secret for the credentials being used.

Sensitive Information

This field contains sensitive information that usually shouldn’t be added to a config directly, read our secrets page for more info.

Type: string

sasl[].aws.credentials.token

The token for the credentials being used, required when using short term credentials.

Type: string

sasl[].aws.credentials.from_ec2_role

Use the credentials of a host EC2 machine configured to assume an IAM role associated with the instance.

Type: bool

Requires version 4.2.0 or newer

sasl[].aws.credentials.role

A role ARN to assume.

Type: string

sasl[].aws.credentials.role_external_id

An external ID to provide when assuming a role.

Type: string

metadata_max_age

The maximum age of metadata before it is refreshed. This interval also controls how frequently regex topic patterns are re-evaluated to discover new matching topics.

Type: string

Default: "5m"

request_timeout_overhead

The request time overhead. Uses the given time as overhead while deadlining requests. Roughly equivalent to request.timeout.ms, but grants additional time to requests that have timeout fields.

Type: string

Default: "10s"

conn_idle_timeout

The rough amount of time to allow connections to idle before they are closed.

Type: string

Default: "20s"

partitioner

Override the default murmur2 hashing partitioner.

Type: string

Option	Summary
least_backup	Chooses the least backed up partition (the partition with the fewest amount of buffered records). Partitions are selected per batch.
manual	Manually select a partition for each message, requires the field partition to be specified.
murmur2_hash	Kafka’s default hash algorithm that uses a 32-bit murmur2 hash of the key to compute which partition the record will be on.
round_robin	Round-robin’s messages through all available partitions. This algorithm has lower throughput and causes higher CPU load on brokers, but can be useful if you want to ensure an even distribution of records to partitions.

idempotent_write

Enable the idempotent write producer option. This requires the IDEMPOTENT_WRITE permission on CLUSTER and can be disabled if this permission is not available.

Type: bool

Default: true

compression

Optionally set an explicit compression type. The default preference is to use snappy when the broker supports it, and fall back to none if not.

Type: string

Options: lz4 , snappy , gzip , none , zstd .

allow_auto_topic_creation

Enables topics to be auto created if they do not exist when fetching their metadata.

Type: bool

Default: true

timeout

The maximum period of time to wait for message sends before abandoning the request and retrying

Type: string

Default: "10s"

max_message_bytes

The maximum space in bytes than an individual message may take, messages larger than this value will be rejected. This field corresponds to Kafka’s max.message.bytes.

Type: string

Default: "1MiB"

# Examples

max_message_bytes: 100MB

max_message_bytes: 50mib

broker_write_max_bytes

The upper bound for the number of bytes written to a broker connection in a single write. This field corresponds to Kafka’s socket.request.max.bytes.

Type: string

Default: "100MiB"

# Examples

broker_write_max_bytes: 128MB

broker_write_max_bytes: 50mib

schema_registry

Configuration for schema registry integration. Enables migration of schema subjects, versions, and compatibility settings between clusters.

Type: object

schema_registry.url

The base URL of the schema registry service. Required for schema migration functionality.

Type: string

# Examples

url: http://localhost:8081

url: https://schema-registry.example.com:8081

schema_registry.tls

Custom TLS settings can be used to override system defaults.

Type: object

schema_registry.tls.enabled

Whether custom TLS settings are enabled.

Type: bool

Default: false

schema_registry.tls.skip_cert_verify

Whether to skip server side certificate verification.

Type: bool

Default: false

schema_registry.tls.enable_renegotiation

Whether to allow the remote server to repeatedly request renegotiation. Enable this option if you’re seeing the error message local error: tls: no renegotiation.

Type: bool

Default: false Requires version 3.45.0 or newer

schema_registry.tls.root_cas

An optional root certificate authority to use. This is a string, representing a certificate chain from the parent trusted root certificate, to possible intermediate signing certificates, to the host certificate.

Sensitive Information

This field contains sensitive information that usually shouldn’t be added to a config directly, read our secrets page for more info.

Type: string

Default: ""

# Examples

root_cas: |-
  -----BEGIN CERTIFICATE-----
  ...
  -----END CERTIFICATE-----

schema_registry.tls.root_cas_file

An optional path of a root certificate authority file to use. This is a file, often with a .pem extension, containing a certificate chain from the parent trusted root certificate, to possible intermediate signing certificates, to the host certificate.

Type: string

Default: ""

# Examples

root_cas_file: ./root_cas.pem

schema_registry.tls.client_certs

A list of client certificates to use. For each certificate either the fields cert and key, or cert_file and key_file should be specified, but not both.

Type: array

Default: []

# Examples

client_certs:
  - cert: foo
    key: bar

client_certs:
  - cert_file: ./example.pem
    key_file: ./example.key

schema_registry.tls.client_certs[].cert

A plain text certificate to use.

Type: string

Default: ""

schema_registry.tls.client_certs[].key

A plain text certificate key to use.

Sensitive Information

This field contains sensitive information that usually shouldn’t be added to a config directly, read our secrets page for more info.

Type: string

Default: ""

schema_registry.tls.client_certs[].cert_file

The path of a certificate to use.

Type: string

Default: ""

schema_registry.tls.client_certs[].key_file

The path of a certificate key to use.

Type: string

Default: ""

schema_registry.tls.client_certs[].password

A plain text password for when the private key is password encrypted in PKCS#1 or PKCS#8 format. The obsolete pbeWithMD5AndDES-CBC algorithm is not supported for the PKCS#8 format.

Because the obsolete pbeWithMD5AndDES-CBC algorithm does not authenticate the ciphertext, it is vulnerable to padding oracle attacks that can let an attacker recover the plaintext.

Sensitive Information

This field contains sensitive information that usually shouldn’t be added to a config directly, read our secrets page for more info.

Type: string

Default: ""

# Examples

password: foo

password: ${KEY_PASSWORD}

schema_registry.oauth

Allows you to specify open authentication via OAuth version 1.

Type: object

schema_registry.oauth.enabled

Whether to use OAuth version 1 in requests.

Type: bool

Default: false

schema_registry.oauth.consumer_key

A value used to identify the client to the service provider.

Type: string

Default: ""

schema_registry.oauth.consumer_secret

A secret used to establish ownership of the consumer key.

Sensitive Information

This field contains sensitive information that usually shouldn’t be added to a config directly, read our secrets page for more info.

Type: string

Default: ""

schema_registry.oauth.access_token

A value used to gain access to the protected resources on behalf of the user.

Type: string

Default: ""

schema_registry.oauth.access_token_secret

A secret provided in order to establish ownership of a given access token.

Sensitive Information

This field contains sensitive information that usually shouldn’t be added to a config directly, read our secrets page for more info.

Type: string

Default: ""

schema_registry.basic_auth

Allows you to specify basic authentication.

Type: object

schema_registry.basic_auth.enabled

Whether to use basic authentication in requests.

Type: bool

Default: false

schema_registry.basic_auth.username

A username to authenticate as.

Type: string

Default: ""

schema_registry.basic_auth.password

A password to authenticate with.

Sensitive Information

This field contains sensitive information that usually shouldn’t be added to a config directly, read our secrets page for more info.

Type: string

Default: ""

schema_registry.jwt

BETA: Allows you to specify JWT authentication.

Type: object

schema_registry.jwt.enabled

Whether to use JWT authentication in requests.

Type: bool

Default: false

schema_registry.jwt.private_key_file

A file with the PEM encoded via PKCS1 or PKCS8 as private key.

Type: string

Default: ""

schema_registry.jwt.signing_method

A method used to sign the token such as RS256, RS384, RS512 or EdDSA.

Type: string

Default: ""

schema_registry.jwt.claims

A value used to identify the claims that issued the JWT.

Type: object

Default: {}

schema_registry.jwt.headers

Add optional key/value headers to the JWT.

Type: object

Default: {}

schema_registry.enabled

Whether schema registry migration is enabled. When disabled, no schema operations are performed.

Type: bool

Default: true

schema_registry.interval

How often to synchronise schema registry subjects. Set to 0s for one-time sync at startup only.

Type: string

Default: "0s"

# Examples

interval: '0s     # One-time sync only'

interval: '5m     # Sync every 5 minutes'

interval: '30m    # Sync every 30 minutes'

schema_registry.include

Regular expressions for schema subjects to include in migration. If empty, all subjects are included (unless excluded).

Type: array

# Examples

include: '["prod-.*", "staging-.*"]'

include: '["user-.*", "order-.*"]'

schema_registry.exclude

Regular expressions for schema subjects to exclude from migration. Takes precedence over include patterns.

Type: array

# Examples

exclude: '[".*-test", ".*-temp"]'

exclude: '["dev-.*", "local-.*"]'

schema_registry.subject

Template for transforming subject names during migration. Use interpolation to rename subjects systematically. This field supports interpolation functions.

Type: string

# Examples

subject: '"prod_${! metadata(''schema_registry_subject'') }"'

subject: '"${! metadata(''schema_registry_subject'') | replace(''dev_'', ''prod_'') }"'

schema_registry.versions

Which schema versions to migrate. ‘latest’ migrates only the current version, ‘all’ migrates complete version history for better compatibility.

Type: string

Default: "all"

Options: latest , all .

schema_registry.include_deleted

Whether to include soft-deleted schemas in migration. Useful for complete migration but may not be supported by all schema registries.

Type: bool

Default: false

schema_registry.translate_ids

Whether to translate schema IDs during migration.

Type: bool

Default: false

schema_registry.normalize

Whether to normalize schemas when creating them in the destination registry.

Type: bool

Default: false

schema_registry.strict

Error on unknown schema IDs. Only relevant when translate_ids is true. When false (default), unknown schema IDs are passed through unchanged, allowing migration of topics with mixed message formats. Note: messages with 0-byte prefixes (e.g., protobuf) cannot be distinguished from schema registry headers and may fail when strict is enabled.

Type: bool

Default: false

consumer_groups

Sorry! This field is missing documentation.

Type: object

consumer_groups.enabled

Whether consumer group offset migration is enabled. When disabled, no consumer group operations are performed.

Type: bool

Default: true

consumer_groups.interval

How often to synchronise consumer group offsets. Regular syncing helps maintain offset accuracy during ongoing migration.

Type: string

Default: "1m"

# Examples

interval: '0s     # Disabled'

interval: '30s    # Sync every 30 seconds'

interval: '5m     # Sync every 5 minutes'

consumer_groups.fetch_timeout

Maximum time to wait for data when fetching records for timestamp-based offset translation. Increase for clusters with low message throughput.

Type: string

Default: "10s"

# Examples

fetch_timeout: '1s     # Fast clusters'

fetch_timeout: '10s    # Slower clusters'

consumer_groups.include

Regular expressions for consumer groups to include in offset migration. If empty, all groups are included (unless excluded).

Type: array

# Examples

include: '["prod-.*", "staging-.*"]'

include: '["app-.*", "service-.*"]'

consumer_groups.exclude

Regular expressions for consumer groups to exclude from offset migration. Takes precedence over include patterns. Useful for excluding system or temporary groups.

Type: array

# Examples

exclude: '[".*-test", ".*-temp", "connect-.*"]'

exclude: '["dev-.*", "local-.*"]'

consumer_groups.only_empty

Whether to only migrate Empty consumer groups. When false (default), all statuses except Dead are included; when true, only Empty groups are migrated.

Type: bool

Default: false

topic

The topic to write messages to. Use interpolation to derive destination topic names from source topics. The source topic name is available as ‘kafka_topic’ metadata. This field supports interpolation functions.

Type: string

Default: "${! @kafka_topic }"

# Examples

topic: prod_${! @kafka_topic }

topic_replication_factor

The replication factor for created topics. If not specified, inherits the replication factor from source topics. Useful when migrating to clusters with different sizes.

Type: int

# Examples

topic_replication_factor: "3"

topic_replication_factor: '1  # For single-node clusters'

sync_topic_acls

Whether to synchronise topic ACLs from source to destination cluster. ACLs are transformed safely: ALLOW WRITE permissions are excluded, and ALLOW ALL is downgraded to ALLOW READ to prevent conflicts.

Type: bool

Default: false

serverless

Enable serverless mode for Redpanda Cloud serverless clusters. This restricts topic configurations and schema features to those supported by serverless environments.

Type: bool

Default: false