Merge branch 'v1.17' into workflow-reminder-policy-cli

Author: msfussell

daprdocs/content/en/reference/components-reference/supported-pubsub/setup-pulsar.md

@@ -131,15 +131,21 @@ It is recommended that you use a secret reference for the client secret.
 The pulsar OAuth2 authenticator is not specifically complaint with OIDC so it is your responsibility to ensure fields are compliant. For example, the issuer URL must use the `https` protocol, the requested scopes include `openid`, etc.
 If the `oauth2TokenCAPEM` field is omitted then the system's certificate pool is used for connecting to the OAuth2 issuer if using `https`.
 
+
+**Note:** Metadata values override file values.
+
 | Field  | Required | Details | Example |
 |--------|:--------:|---------|---------|
-| oauth2TokenURL | N | URL to request the OIDC client_credentials token from. Must not be empty. | "https://oauth.example.com/o/oauth2/token"` |
+| oauth2CredentialsFile | N | JSON file with `client_id`, `client_secret`, `issuer_url`. Use this **OR** individual fields below. | `"/path/to/credentials.json"` |
+| oauth2TokenURL | N | URL to request the OIDC client_credentials token from. Required if not using `oauth2CredentialsFile`. | `"https://oauth.example.com/token"` |
+| oauth2ClientID | N | OIDC client ID. Required if not using `oauth2CredentialsFile`. | `"my-client-id"` |
+| oauth2ClientSecret | N | OIDC client secret. Required if using `oauth2ClientID` (not `oauth2ClientSecretPath`). | `"my-client-secret"` |
+| oauth2ClientSecretPath | N | Plain text file with client secret. Requires `oauth2ClientID` and `oauth2TokenURL`. | `"/path/to/client_secret.txt"` |
 | oauth2TokenCAPEM | N | CA PEM certificate bundle to connect to the OAuth2 issuer. If not defined, the system's certificate pool will be used. | `"---BEGIN CERTIFICATE---\n...\n---END CERTIFICATE---"` |
-| oauth2ClientID | N | OIDC client ID. Must not be empty. | `"my-client-id"` |
-| oauth2ClientSecret | N | OIDC client secret. Must not be empty. | `"my-client-secret"` |
 | oauth2Audiences | N | Comma separated list of audiences to request for. Must not be empty. | `"my-audience-1,my-audience-2"` |
 | oauth2Scopes | N | Comma separated list of scopes to request. Must not be empty. | `"openid,profile,email"` |
 
+#### Using metadata fields directly
 
 ```yaml
 apiVersion: dapr.io/v1alpha1
@@ -168,6 +174,68 @@ spec:
     value: "openid,profile,email"
 ```
 
+#### Using a JSON credentials file
+
+You can store credentials in a JSON file with the following format:
+
+```json
+{
+  "client_id": "my-client-id",
+  "client_secret": "my-client-secret",
+  "issuer_url": "https://oauth.example.com/o/oauth2/token"
+}
+```
+
+```yaml
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+  name: messagebus
+spec:
+  type: pubsub.pulsar
+  version: v1
+  metadata:
+  - name: host
+    value: "pulsar.example.com:6650"
+  - name: oauth2CredentialsFile
+    value: "/path/to/oauth2/credentials.json"
+  - name: oauth2TokenCAPEM
+    value: "---BEGIN CERTIFICATE---\n...\n---END CERTIFICATE---"
+  - name: oauth2Audiences
+    value: "my.pulsar.example.com,another.pulsar.example.com"
+  - name: oauth2Scopes
+    value: "openid,profile,email"
+```
+
+#### Using a plain text secret file
+
+You can store just the client secret in a plain text file:
+
+```yaml
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+  name: messagebus
+spec:
+  type: pubsub.pulsar
+  version: v1
+  metadata:
+  - name: host
+    value: "pulsar.example.com:6650"
+  - name: oauth2TokenURL
+    value: https://oauth.example.com/o/oauth2/token
+  - name: oauth2ClientID
+    value: my-client-id
+  - name: oauth2ClientSecretPath
+    value: "/path/to/oauth2/client_secret.txt"
+  - name: oauth2TokenCAPEM
+    value: "---BEGIN CERTIFICATE---\n...\n---END CERTIFICATE---"
+  - name: oauth2Audiences
+    value: "my.pulsar.example.com,another.pulsar.example.com"
+  - name: oauth2Scopes
+    value: "openid,profile,email"
+```
+
 ### Enabling message delivery retries
 
 The Pulsar pub/sub component has no built-in support for retry strategies. This means that sidecar sends a message to the service only once and is not retried in case of failures. To make Dapr use more spohisticated retry policies, you can apply a [retry resiliency policy]({{% ref "retries-overview.md" %}}) to the Pulsar pub/sub component. Note that it will be the same Dapr sidecar retrying the redelivery the message to the same app instance and not other instances.