EronWright commented on issue #19771: URL: https://github.com/apache/pulsar/issues/19771#issuecomment-1463029346
One of the practical use cases for this is in combination with Kubernetes Service Account Token Projection. We could configure Pulsar to accept OIDC tokens from one or more Kubernetes clusters, based on the [discovery feature](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-issuer-discovery). This would allow a Pulsar function pod to authenticate based on their Kubernetes Service Account (KSA) using the standard token plugin.

Kubernetes automatically mounts an OIDC token file into the pod, and rotates the token to keep it fresh. I believe that the token plugin reloads the token file automatically. In this scenario, there's no need for `KubernetesSecretsAuthProvider`.

@michaeljmarshall may I suggest that the new plugin be tested for compatibility with this feature of Kubernetes. In practice, it's very easy to use. There's one caveat that I'm aware of: the `issuer` field of the disco document should be the value that would be expected in the token's `iss` claim.
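The caveat at the end of the comment, as an added example that is not part of the original comment or of Pulsar's code: a Python pre-flight check that compares the `issuer` of a discovery document with the `iss` claim of a projected service account token. The issuer URLs, service account name and audience are constructed sample values, and the token is unsigned, so the check only inspects claims and verifies nothing cryptographically.

```python
import base64
import json

# Constructed discovery document (shape of /.well-known/openid-configuration).
DISCOVERY_DOC = {
    "issuer": "https://k8s.example.test",
    "jwks_uri": "https://k8s.example.test/openid/v1/jwks",
}


def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(iss):
    """Build an unsigned, constructed token shaped like a projected KSA token."""
    header = {"alg": "RS256", "kid": "constructed-key-id"}
    claims = {
        "iss": iss,
        "sub": "system:serviceaccount:pulsar:function-runner",  # hypothetical KSA
        "aud": ["pulsar"],                                      # hypothetical audience
        "exp": 4102444800,
    }
    return ".".join([_b64url(header), _b64url(claims), "c2lnbmF0dXJl"])


def unverified_claims(token):
    """Decode the payload for inspection only; the signature is NOT checked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS with three segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def issuer_problems(discovery, token):
    """List the reasons a verifier using this discovery document would reject the token's issuer."""
    problems = []
    doc_iss = discovery.get("issuer")
    tok_iss = unverified_claims(token).get("iss")
    if not doc_iss:
        problems.append("discovery document has no issuer")
    elif tok_iss != doc_iss:
        # OIDC Discovery requires an exact string match, so a trailing slash
        # or an in-cluster hostname counts as a different issuer.
        problems.append(f"iss {tok_iss!r} != discovery issuer {doc_iss!r}")
    if not discovery.get("jwks_uri"):
        problems.append("discovery document has no jwks_uri")
    return problems
```

Run against a token read from the pod's projected volume and the cluster's published discovery document, an empty list means the two issuer values line up; signature and audience validation remain the broker's job.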
