From ea808553c855db3c9a010856bec96c92f287b084 Mon Sep 17 00:00:00 2001 From: MyMirelHub <15373565+MyMirelHub@users.noreply.github.com> Date: Tue, 13 Jan 2026 22:28:48 +0100 Subject: [PATCH 1/2] Enhance Pulsar setup documentation with OAuth2 credential options and examples Signed-off-by: MyMirelHub <15373565+MyMirelHub@users.noreply.github.com> --- .../supported-pubsub/setup-pulsar.md | 75 ++++++++++++++++++- 1 file changed, 72 insertions(+), 3 deletions(-) diff --git a/daprdocs/content/en/reference/components-reference/supported-pubsub/setup-pulsar.md b/daprdocs/content/en/reference/components-reference/supported-pubsub/setup-pulsar.md index 12a503fea7e..e9eb9984f78 100644 --- a/daprdocs/content/en/reference/components-reference/supported-pubsub/setup-pulsar.md +++ b/daprdocs/content/en/reference/components-reference/supported-pubsub/setup-pulsar.md @@ -131,15 +131,22 @@ It is recommended that you use a secret reference for the client secret. The pulsar OAuth2 authenticator is not specifically complaint with OIDC so it is your responsibility to ensure fields are compliant. For example, the issuer URL must use the `https` protocol, the requested scopes include `openid`, etc. If the `oauth2TokenCAPEM` field is omitted then the system's certificate pool is used for connecting to the OAuth2 issuer if using `https`. +Provide credentials either via `oauth2CredentialsFile` (JSON file) or individual metadata fields. OAuth2 cannot be used with token authentication. + +**Note:** Metadata values override file values. + | Field | Required | Details | Example | |--------|:--------:|---------|---------| -| oauth2TokenURL | N | URL to request the OIDC client_credentials token from. Must not be empty. | "https://oauth.example.com/o/oauth2/token"` | +| oauth2CredentialsFile | N | JSON file with `client_id`, `client_secret`, `issuer_url`. Use this **OR** individual fields below. | `"/path/to/credentials.json"` | +| oauth2TokenURL | N | URL to request the OIDC client_credentials token from. Required if not using `oauth2CredentialsFile`. | `"https://oauth.example.com/token"` | +| oauth2ClientID | N | OIDC client ID. Required if not using `oauth2CredentialsFile`. | `"my-client-id"` | +| oauth2ClientSecret | N | OIDC client secret. Required if using `oauth2ClientID` (not `oauth2ClientSecretPath`). | `"my-client-secret"` | +| oauth2ClientSecretPath | N | Plain text file with client secret. Requires `oauth2ClientID` and `oauth2TokenURL`. | `"/path/to/client_secret.txt"` | | oauth2TokenCAPEM | N | CA PEM certificate bundle to connect to the OAuth2 issuer. If not defined, the system's certificate pool will be used. | `"---BEGIN CERTIFICATE---\n...\n---END CERTIFICATE---"` | -| oauth2ClientID | N | OIDC client ID. Must not be empty. | `"my-client-id"` | -| oauth2ClientSecret | N | OIDC client secret. Must not be empty. | `"my-client-secret"` | | oauth2Audiences | N | Comma separated list of audiences to request for. Must not be empty. | `"my-audience-1,my-audience-2"` | | oauth2Scopes | N | Comma separated list of scopes to request. Must not be empty. | `"openid,profile,email"` | +#### Using metadata fields directly ```yaml apiVersion: dapr.io/v1alpha1 @@ -168,6 +175,68 @@ spec: value: "openid,profile,email" ``` +#### Using a JSON credentials file + +You can store credentials in a JSON file with the following format: + +```json +{ + "client_id": "my-client-id", + "client_secret": "my-client-secret", + "issuer_url": "https://oauth.example.com/o/oauth2/token" +} +``` + +```yaml +apiVersion: dapr.io/v1alpha1 +kind: Component +metadata: + name: messagebus +spec: + type: pubsub.pulsar + version: v1 + metadata: + - name: host + value: "pulsar.example.com:6650" + - name: oauth2CredentialsFile + value: "/path/to/oauth2/credentials.json" + - name: oauth2TokenCAPEM + value: "---BEGIN CERTIFICATE---\n...\n---END CERTIFICATE---" + - name: oauth2Audiences + value: "my.pulsar.example.com,another.pulsar.example.com" + - name: oauth2Scopes + value: "openid,profile,email" +``` + +#### Using a plain text secret file + +You can store just the client secret in a plain text file: + +```yaml +apiVersion: dapr.io/v1alpha1 +kind: Component +metadata: + name: messagebus +spec: + type: pubsub.pulsar + version: v1 + metadata: + - name: host + value: "pulsar.example.com:6650" + - name: oauth2TokenURL + value: https://oauth.example.com/o/oauth2/token + - name: oauth2ClientID + value: my-client-id + - name: oauth2ClientSecretPath + value: "/path/to/oauth2/client_secret.txt" + - name: oauth2TokenCAPEM + value: "---BEGIN CERTIFICATE---\n...\n---END CERTIFICATE---" + - name: oauth2Audiences + value: "my.pulsar.example.com,another.pulsar.example.com" + - name: oauth2Scopes + value: "openid,profile,email" +``` + ### Enabling message delivery retries The Pulsar pub/sub component has no built-in support for retry strategies. This means that sidecar sends a message to the service only once and is not retried in case of failures. To make Dapr use more spohisticated retry policies, you can apply a [retry resiliency policy]({{% ref "retries-overview.md" %}}) to the Pulsar pub/sub component. Note that it will be the same Dapr sidecar retrying the redelivery the message to the same app instance and not other instances. From 8e655fbc00969dbdda131c48ef454e4406114231 Mon Sep 17 00:00:00 2001 From: MyMirelHub <15373565+MyMirelHub@users.noreply.github.com> Date: Sun, 18 Jan 2026 18:48:40 +0100 Subject: [PATCH 2/2] Clarify OAuth2 credential options in Pulsar setup documentation Signed-off-by: MyMirelHub <15373565+MyMirelHub@users.noreply.github.com> --- .../components-reference/supported-pubsub/setup-pulsar.md | 1 - 1 file changed, 1 deletion(-) diff --git a/daprdocs/content/en/reference/components-reference/supported-pubsub/setup-pulsar.md b/daprdocs/content/en/reference/components-reference/supported-pubsub/setup-pulsar.md index e9eb9984f78..656a69fbb64 100644 --- a/daprdocs/content/en/reference/components-reference/supported-pubsub/setup-pulsar.md +++ b/daprdocs/content/en/reference/components-reference/supported-pubsub/setup-pulsar.md @@ -131,7 +131,6 @@ It is recommended that you use a secret reference for the client secret. The pulsar OAuth2 authenticator is not specifically complaint with OIDC so it is your responsibility to ensure fields are compliant. For example, the issuer URL must use the `https` protocol, the requested scopes include `openid`, etc. If the `oauth2TokenCAPEM` field is omitted then the system's certificate pool is used for connecting to the OAuth2 issuer if using `https`. -Provide credentials either via `oauth2CredentialsFile` (JSON file) or individual metadata fields. OAuth2 cannot be used with token authentication. **Note:** Metadata values override file values.