dapr
/
docs
mirror of https://github.com/dapr/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'v1.12' into k8s-multi-app-run

This commit is contained in:
Mark Fussell 2023-09-18 11:46:19 -07:00 committed by GitHub
parent a6487b9570 c2fc0a18da
commit cc9158a055
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 71 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

72
daprdocs/content/en/reference/components-reference/supported-pubsub/setup-pulsar.md
View File

@ -73,7 +73,6 @@ The above example uses secrets as plain strings. It is recommended to use a [sec
|--------------------|:--------:|---------|---------|
| host | Y | Address of the Pulsar broker. Default is `"localhost:6650"` | `"localhost:6650"` OR `"http://pulsar-pj54qwwdpz4b-pulsar.ap-sg.public.pulsar.com:8080"`|
| enableTLS | N | Enable TLS. Default: `"false"` | `"true"`, `"false"` |
| token | N | Enable Authentication. | [How to create pulsar token](https://pulsar.apache.org/docs/en/security-jwt/#generate-tokens)|
| tenant | N | The topic tenant within the instance. Tenants are essential to multi-tenancy in Pulsar, and spread across clusters. Default: `"public"` | `"public"` |
| consumerID | N | Used to set the subscription name or consumer ID. | `"channel1"`
| namespace | N | The administrative unit of the topic, which acts as a grouping mechanism for related topics. Default: `"default"` | `"default"`
@ -91,6 +90,77 @@ The above example uses secrets as plain strings. It is recommended to use a [sec
| subscribeType | N | Pulsar supports four kinds of [subscription types](https://pulsar.apache.org/docs/3.0.x/concepts-messaging/#subscription-types). Default: `"shared"` | `"shared"`, `"exclusive"`, `"failover"`, `"key_shared"`|
| partitionKey | N | Sets the key of the message for routing policy. Default: `""` | |
### Authenticate using Token
To authenticate to pulsar using a static [JWT token](https://pulsar.apache.org/docs/en/security-jwt), you can use the following metadata field:
| Field | Required | Details | Example |
|--------|:--------:|---------|---------|
| token | N | Token used for authentication. | [How to create Pulsar token](https://pulsar.apache.org/docs/en/security-jwt/#generate-tokens)|
```yaml
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
name: messagebus
spec:
type: pubsub.pulsar
version: v1
metadata:
- name: host
value: "pulsar.example.com:6650"
- name: token
secretKeyRef:
name: pulsar
key: token
```
### Authenticate using OIDC
Since `v3.0`, [Pulsar supports OIDC authentication](https://pulsar.apache.org/docs/3.0.x/security-openid-connect/).
To enable OIDC authentication, you need to provide the following OAuth2 parameters to the component spec.
OAuth2 authentication cannot be used in combination with token authentication.
It is recommended that you use a secret reference for the client secret.
The pulsar OAuth2 authenticator is not specifically complaint with OIDC so it is your responsibility to ensure fields are compliant. For example, the issuer URL must use the `https` protocol, the requested scopes include `openid`, etc.
If the `oauth2TokenCAPEM` field is omitted then the system's certificate pool is used for connecting to the OAuth2 issuer if using `https`.
| Field | Required | Details | Example |
|--------|:--------:|---------|---------|
| oauth2TokenURL | N | URL to request the OIDC client_credentials token from. Must not be empty. | "https://oauth.example.com/o/oauth2/token"` |
| oauth2TokenCAPEM | N | CA PEM certificate bundle to connect to the OAuth2 issuer. If not defined, the system's certificate pool will be used. | `"---BEGIN CERTIFICATE---\n...\n---END CERTIFICATE---"` |
| oauth2ClientID | N | OIDC client ID. Must not be empty. | `"my-client-id"` |
| oauth2ClientSecret | N | OIDC client secret. Must not be empty. | `"my-client-secret"` |
| oauth2Audiences | N | Comma separated list of audiences to request for. Must not be empty. | `"my-audience-1,my-audience-2"` |
| oauth2Scopes | N | Comma separated list of scopes to request. Must not be empty. | `"openid,profile,email"` |
```yaml
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
name: messagebus
spec:
type: pubsub.pulsar
version: v1
metadata:
- name: host
value: "pulsar.example.com:6650"
- name: oauth2TokenURL
value: https://oauth.example.com/o/oauth2/token
- name: oauth2TokenCAPEM
value: "---BEGIN CERTIFICATE---\n...\n---END CERTIFICATE---"
- name: oauth2ClientID
value: my-client-id
- name: oauth2ClientSecret
secretKeyRef:
name: pulsar-oauth2
key: my-client-secret
- name: oauth2Audiences
value: "my.pulsar.example.com,another.pulsar.example.com"
- name: oauth2Scopes
value: "openid,profile,email"
```
### Enabling message delivery retries
The Pulsar pub/sub component has no built-in support for retry strategies. This means that sidecar sends a message to the service only once and is not retried in case of failures. To make Dapr use more spohisticated retry policies, you can apply a [retry resiliency policy]({{< ref "policies.md#retries" >}}) to the Pulsar pub/sub component. Note that it will be the same Dapr sidecar retrying the redelivery the message to the same app instance and not other instances.