pulsar-resources-operator icon indicating copy to clipboard operation
pulsar-resources-operator copied to clipboard
verified publisher icon streamnative

Can't add oauth2 credentials to PulsarSource

Open olivierboudet opened this issue 4 months ago • 0 comments

Description

Hi, I'm currently using the Pulsar Resources Operator to manage a PulsarSource. The manifests looks like this :

apiVersion: resource.streamnative.io/v1alpha1
kind: PulsarSource
metadata:
  name: debezium
spec:
  name: debezium
  tenant: "debezium"
  namespace: "debezium"
  topicName: "debezium"
  connectionRef:
    name: "myConnection"
  archive:
    url: "file:///pulsar/connectors/pulsar-io-debezium-mysql-4.0.5.nar"
  configs:
    pulsar.service.url: "pulsar://pulsar-broker:6650"
    snapshot.mode: "schema_only"
    database.hostname: "mariadb.staging.svc.cluster.local"
    database.port: "3306"
    database.user: "debezium"
    database.password: "debezium"
    database.server.id: "1"
    database.server.name: "mydatabase"
    database.include.list: "mydatabase"
    topic.prefix: "myprefix"
    database.history: "org.apache.pulsar.io.debezium.PulsarDatabaseHistory"
    database.history.pulsar.topic: "debezium-history"
    key.converter: "org.apache.kafka.connect.json.JsonConverter"
    value.converter: "org.apache.kafka.connect.json.JsonConverter"
    offset.storage.topic: "debezium-offset"
  lifecyclePolicy: CleanUpAfterDeletion

The Operator automatically generates a pulsar-admin functions download command, like this :

/pulsar/bin/pulsar-admin --admin-url http://pulsar-broker:8080/ functions download --tenant debezium --namespace debezium --name debezium --destination-file /pulsar/download/pulsar_functions/pulsar-io-debezium-mysql-4.0.5.nar && SHARD_ID=${POD_NAME##*-} && echo shardId=${SHARD_ID} && exec java -cp /pulsar/instances/java-instance.jar:/pulsar/instances/deps/* -Dpulsar.functions.extra.dependencies.dir=/pulsar/instances/deps -Dpulsar.functions.instance.classpath=/pulsar/conf:::/pulsar/lib/*: [.....truncated for readabiility....]

However, in our environment, OAuth2 authentication is required to access the Pulsar Admin API.

In the pulsar-admin CLI, we usually use something like:

--auth-plugin org.apache.pulsar.client.impl.auth.oauth2.AuthenticationOAuth2
--auth-params '{"issuerUrl":"https://auth.mydomain.com/","privateKey":"file:///pulsar/conf/oauth2.json","audience":"pulsar"}'

Problem

I could not find any documentation about configuring OAuth2 authentication in the Operator CRDs, e.g. in docs/pulsar_source.md

Questions:

  • Is OAuth2 authentication currently supported for PulsarSource ?
  • If yes, which fields should be used in the CRDs ?
  • If not supported yet, is there any plan to add this feature?

olivierboudet avatar Aug 27 '25 14:08 olivierboudet