spicedb_watch

Available in: Cloud, Self-Managed

Consumes messages from the Watch API of a SpiceDB instance. This input is useful if you have downstream applications that need to react to real-time changes in data managed by SpiceDB.

Introduced in version 4.39.0.

# Common configuration fields, showing default values
input:
  label: ""
  spicedb_watch:
    endpoint: grpc.authzed.com:443 # No default (required)
    bearer_token: ""
    cache: "" # No default (required)
yml

Authentication

For this input to authenticate with your SpiceDB instance, you must provide:

Configure a cache

You must use a cache resource to store the ZedToken (ID) of the latest message consumed and acknowledged by this input. Ideally, the cache should persist across restarts. This means that every time the input is initialized, it starts reading from the newest data updates. The following example uses a redis cache.

# Example
input:
  label: ""
  spicedb_watch:
    endpoint: grpc.authzed.com:443
    bearer_token: ""
    cache: "spicedb_cache"
cache_resources:
  - label: "spicedb_cache"
    redis:
      url: redis://:6379
yml

To learn more about cache configuration, see Resources and the Caches section, which includes a range of cache components.

Fields

endpoint

The endpoint of your SpiceDB instance.

Type: string

# Examples

endpoint: grpc.authzed.com:443
yml

bearer_token

The SpiceDB bearer token to use to authenticate with your SpiceDB instance.

This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets.

Type: string

Default: ""

max_receive_message_bytes

The maximum message size (in bytes) this input can receive. If a message exceeds this limit, an rpc error is written to the Redpanda Connect logs.

Type: string

Default: 4MB

# Examples

max_receive_message_bytes: 100MB

max_receive_message_bytes: 50mib
yml

cache

The cache resource that you must configure to store the ZedToken (ID) of the last message processed. The ZedToken is stored in the cache within the ACK function of the message. This means that a ZedToken is only stored when a message is successfully routed through all processors and outputs in the data pipeline.

cache_key

The key identifier to use when storing the ZedToken (ID) of the last message received.

Type: string

Default: authzed.com/spicedb/watch/last_zed_token

tls

Override system defaults with custom TLS settings.

Type: object

tls.enabled

Whether custom TLS settings are enabled.

Type: bool

Default: false

tls.skip_cert_verify

Whether to skip server-side certificate verification.

Type: bool

Default: false

tls.enable_renegotiation

Whether to allow the remote server to request renegotiation. Enable this option if you’re seeing the error message local error: tls: no renegotiation.

Type: bool

Default: false

Requires version 3.45.0 or newer

tls.root_cas

Specify a certificate authority to use (optional). This is a string that represents a certificate chain from the parent trusted root certificate, through possible intermediate signing certificates, to the host certificate.

This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets.

Type: string

Default: ""

# Examples

root_cas: |-
  -----BEGIN CERTIFICATE-----
  ...
  -----END CERTIFICATE-----
yml

tls.root_cas_file

Specify the path to a root certificate authority file (optional). This is a file, often with a .pem extension, which contains a certificate chain from the parent trusted root certificate, through possible intermediate signing certificates, to the host certificate.certificate.

Type: string

Default: ""

# Examples

root_cas_file: ./root_cas.pem
yml

tls.client_certs

A list of client certificates to use. For each certificate specify values for either the cert and key fields, or cert_file and key_file fields.

Type: array

Default: []

# Examples

client_certs:
  - cert: foo
    key: bar

client_certs:
  - cert_file: ./example.pem
    key_file: ./example.key
yml

tls.client_certs[].cert

The plain text certificate to use.

Type: string

Default: ""

tls.client_certs[].key

The plain text certificate key to use.

This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets.

Type: string

Default: ""

tls.client_certs[].cert_file

The path to the certificate to use.

Type: string

Default: ""

tls.client_certs[].key_file

The path of a certificate key to use.

Type: string

Default: ""

tls.client_certs[].password

The plain text password for when the private key is password encrypted in PKCS#1 or PKCS#8 format. The obsolete pbeWithMD5AndDES-CBC algorithm is not supported for the PKCS#8 format.

The pbeWithMD5AndDES-CBC algorithm does not authenticate ciphertext, and is vulnerable to padding oracle attacks which may allow an attacker to recover the plain text password.

This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets.

Type: string

Default: ""

# Examples

password: foo

password: ${KEY_PASSWORD}
yml