Merged
Expand Up @@ -131,15 +131,21 @@ It is recommended that you use a secret reference for the client secret.
The pulsar OAuth2 authenticator is not specifically complaint with OIDC so it is your responsibility to ensure fields are compliant. For example, the issuer URL must use the `https` protocol, the requested scopes include `openid`, etc.
If the `oauth2TokenCAPEM` field is omitted then the system's certificate pool is used for connecting to the OAuth2 issuer if using `https`.


**Note:** Metadata values override file values.

| Field | Required | Details | Example |
|--------|:--------:|---------|---------|
| oauth2TokenURL | N | URL to request the OIDC client_credentials token from. Must not be empty. | "https://oauth.example.com/o/oauth2/token"` |
| oauth2CredentialsFile | N | JSON file with `client_id`, `client_secret`, `issuer_url`. Use this **OR** individual fields below. | `"/path/to/credentials.json"` |
| oauth2TokenURL | N | URL to request the OIDC client_credentials token from. Required if not using `oauth2CredentialsFile`. | `"https://oauth.example.com/token"` |
| oauth2ClientID | N | OIDC client ID. Required if not using `oauth2CredentialsFile`. | `"my-client-id"` |
| oauth2ClientSecret | N | OIDC client secret. Required if using `oauth2ClientID` (not `oauth2ClientSecretPath`). | `"my-client-secret"` |
| oauth2ClientSecretPath | N | Plain text file with client secret. Requires `oauth2ClientID` and `oauth2TokenURL`. | `"/path/to/client_secret.txt"` |
| oauth2TokenCAPEM | N | CA PEM certificate bundle to connect to the OAuth2 issuer. If not defined, the system's certificate pool will be used. | `"---BEGIN CERTIFICATE---\n...\n---END CERTIFICATE---"` |
| oauth2ClientID | N | OIDC client ID. Must not be empty. | `"my-client-id"` |
| oauth2ClientSecret | N | OIDC client secret. Must not be empty. | `"my-client-secret"` |
| oauth2Audiences | N | Comma separated list of audiences to request for. Must not be empty. | `"my-audience-1,my-audience-2"` |
| oauth2Scopes | N | Comma separated list of scopes to request. Must not be empty. | `"openid,profile,email"` |

#### Using metadata fields directly

```yaml
apiVersion: dapr.io/v1alpha1
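Review bot: The Required column and the Details column disagree for several rows in this table; `oauth2Audiences` and `oauth2Scopes` are marked `N` yet their details say "Must not be empty", and the same `N` is used for `oauth2TokenURL` and `oauth2ClientID`, which are "Required if not using `oauth2CredentialsFile`". Either mark the unconditionally non-empty fields `Y`, or reword the details to match (for example "Required if not using `oauth2CredentialsFile`; must not be empty when set"). The `oauth2ClientSecret` row's "Required if using `oauth2ClientID` (not `oauth2ClientSecretPath`)" also reads ambiguously; "Required when `oauth2ClientID` is set and `oauth2ClientSecretPath` is not" says what is meant. Finally, the note "Metadata values override file values" should say which file key maps to which metadata field, since the file uses `client_id`, `client_secret` and `issuer_url` while the metadata fields are `oauth2ClientID`, `oauth2ClientSecret` and `oauth2TokenURL`; without that mapping a reader cannot tell which value wins when both are present, and the opening sentence of this hunk already recommends a secret reference over an inline `oauth2ClientSecret`, so it is worth stating explicitly that a secret reference in metadata still takes precedence over a secret in the file.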
Expand Down Expand Up @@ -168,6 +174,68 @@ spec:
value: "openid,profile,email"
```

#### Using a JSON credentials file

You can store credentials in a JSON file with the following format:

```json
{
"client_id": "my-client-id",
"client_secret": "my-client-secret",
"issuer_url": "https://oauth.example.com/o/oauth2/token"
}
```

```yaml
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
name: messagebus
spec:
type: pubsub.pulsar
version: v1
metadata:
- name: host
value: "pulsar.example.com:6650"
- name: oauth2CredentialsFile
value: "/path/to/oauth2/credentials.json"
- name: oauth2TokenCAPEM
value: "---BEGIN CERTIFICATE---\n...\n---END CERTIFICATE---"
- name: oauth2Audiences
value: "my.pulsar.example.com,another.pulsar.example.com"
- name: oauth2Scopes
value: "openid,profile,email"
```

#### Using a plain text secret file

You can store just the client secret in a plain text file:

```yaml
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
name: messagebus
spec:
type: pubsub.pulsar
version: v1
metadata:
- name: host
value: "pulsar.example.com:6650"
- name: oauth2TokenURL
value: https://oauth.example.com/o/oauth2/token
- name: oauth2ClientID
value: my-client-id
- name: oauth2ClientSecretPath
value: "/path/to/oauth2/client_secret.txt"
- name: oauth2TokenCAPEM
value: "---BEGIN CERTIFICATE---\n...\n---END CERTIFICATE---"
- name: oauth2Audiences
value: "my.pulsar.example.com,another.pulsar.example.com"
- name: oauth2Scopes
value: "openid,profile,email"
```

### Enabling message delivery retries

The Pulsar pub/sub component has no built-in support for retry strategies. This means that sidecar sends a message to the service only once and is not retried in case of failures. To make Dapr use more spohisticated retry policies, you can apply a [retry resiliency policy]({{% ref "retries-overview.md" %}}) to the Pulsar pub/sub component. Note that it will be the same Dapr sidecar retrying the redelivery the message to the same app instance and not other instances.
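Review bot: The `oauth2TokenCAPEM` example values in both new YAML snippets ("---BEGIN CERTIFICATE---\n...\n---END CERTIFICATE---") use three dashes, but PEM armor lines use five (`-----BEGIN CERTIFICATE-----` / `-----END CERTIFICATE-----`); a reader who pastes the example shape verbatim will get an unparseable bundle and silently fall back to a failed TLS setup rather than the intended pinned CA, so the placeholder should use the real five-dash form. In the JSON credentials file, the key is named `issuer_url` but the example value is a token endpoint path (`https://oauth.example.com/o/oauth2/token`), while the table in the previous hunk describes `oauth2TokenURL` as the URL "to request the OIDC client_credentials token from" and the surrounding prose talks about "the issuer URL"; please state whether `issuer_url` is the OIDC issuer or the token endpoint, because the two are different URLs in OIDC and a mismatch here means the file and metadata paths would point at different things. Minor: the plain text secret file example leaves `oauth2TokenURL` and `oauth2ClientID` unquoted while every other value on the page is quoted; quoting them keeps the snippets consistent. Since both new sections put credentials on disk, a one-line reminder that the credentials file and client secret file should be readable only by the sidecar process, and that a secret store reference (as recommended at the top of the previous hunk) remains the preferred option, would round out the section.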