spicedb_watch
Consumes messages from the Watch API of a SpiceDB instance. This input is useful if you have downstream applications that need to react to real-time changes in data managed by SpiceDB.
Introduced in version 4.39.0.
-
Common
-
Advanced
# Common configuration fields, showing default values
input:
label: ""
spicedb_watch:
endpoint: grpc.authzed.com:443 # No default (required)
bearer_token: ""
cache: "" # No default (required)
# All configuration fields, showing default values
input:
label: ""
spicedb_watch:
endpoint: grpc.authzed.com:443 # No default (required)
bearer_token: ""
max_receive_message_bytes: 4MB
cache: "" # No default (required)
cache_key: authzed.com/spicedb/watch/last_zed_token
tls:
enabled: false
skip_cert_verify: false
enable_renegotiation: false
root_cas: ""
root_cas_file: ""
client_certs: []
Authentication
For this input to authenticate with your SpiceDB instance, you must provide:
-
The
endpoint
of the SpiceDB instance
Configure a cache
You must use a cache resource to store the ZedToken (ID) of the latest message consumed and acknowledged by this input. Ideally, the cache should persist across restarts. This means that every time the input is initialized, it starts reading from the newest data updates. The following example uses a redis
cache.
# Example
input:
label: ""
spicedb_watch:
endpoint: grpc.authzed.com:443
bearer_token: ""
cache: "spicedb_cache"
cache_resources:
- label: "spicedb_cache"
redis:
url: redis://:6379
To learn more about cache configuration, see Resources and the Caches section, which includes a range of cache components.
Fields
bearer_token
The SpiceDB bearer token to use to authenticate with your SpiceDB instance.
This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets. |
Type: string
Default: ""
# Examples:
bearer_token: t_your_token_here_1234567deadbeef
cache
The cache resource that you must configure to store the ZedToken (ID) of the last message processed. The ZedToken is stored in the cache within the ACK
function of the message. This means that a ZedToken is only stored when a message is successfully routed through all processors and outputs in the data pipeline.
Type: string
cache_key
The key identifier to use when storing the ZedToken (ID) of the last message received.
Type: string
Default: authzed.com/spicedb/watch/last_zed_token
endpoint
The endpoint of your SpiceDB instance.
Type: string
# Examples:
endpoint: grpc.authzed.com:443
max_receive_message_bytes
The maximum message size (in bytes) this input can receive. If a message exceeds this limit, an rpc error
is written to the Redpanda Connect logs.
Type: string
Default: 4MB
# Examples:
max_receive_message_bytes: 100MB
max_receive_message_bytes: 50mib
tls.client_certs[]
A list of client certificates to use. For each certificate specify values for either the cert
and key
fields, or cert_file
and key_file
fields.
Type: object
Default: []
# Examples:
client_certs:
- cert: foo
key: bar
- cert_file: ./example.pem
key_file: ./example.key
tls.client_certs[].key
A plain text certificate key to use.
This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets. |
Type: string
Default: ""
tls.client_certs[].password
A plain text password for when the private key is password encrypted in PKCS#1 or PKCS#8 format. The obsolete pbeWithMD5AndDES-CBC
algorithm is not supported for the PKCS#8 format.
Because the obsolete pbeWithMD5AndDES-CBC algorithm does not authenticate the ciphertext, it is vulnerable to padding oracle attacks that can let an attacker recover the plaintext.
This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets. |
Type: string
Default: ""
# Examples:
password: foo
password: ${KEY_PASSWORD}
tls.enable_renegotiation
Whether to allow the remote server to request renegotiation. Enable this option if you’re seeing the error message local error:
tls: no renegotiation
.
Requires version 3.45.0 or later.
Type: bool
Default: false
tls.root_cas
Specify a certificate authority to use (optional). This is a string that represents a certificate chain from the parent trusted root certificate, through possible intermediate signing certificates, to the host certificate.
This field contains sensitive information that usually shouldn’t be added to a configuration directly. For more information, see Secrets. |
Type: string
Default: ""
# Examples:
root_cas: |-
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
tls.root_cas_file
Specify the path to a root certificate authority file (optional). This is a file, often with a .pem
extension, which contains a certificate chain from the parent trusted root certificate, through possible intermediate signing certificates, to the host certificate.certificate.
Type: string
Default: ""
# Examples:
root_cas_file: ./root_cas.pem