Dbz 9419 add connection validator pulsar

[pxcamus]

WIP PR to add Apache Pulsar connection validation.

[github-actions]

Hi @pxcamus, thanks for your contribution. Please prefix the commit message(s) with the debezium/dbz#xxx GitHub issue key.

[mfvitale]

Hi @pxcamus thanks for the PR. Could you please prefix the commit messages with debezium/dbz#1083? Thanks.

[mfvitale]

Why you changed the KAFKA?

[pxcamus]

My bad, I will put it back!

[mfvitale]

@pxcamus The general approach looks good. Let's continue with the other auth and then I'll do another review pass.

[Naros]

If this isn't needed, let's remove it.

[Naros]

Same, remove if its no longer needed.

[pxcamus]

I finally got around to fix the tests. I will create a PulsarConnectionValidatorTest.java very soon as well, and hoping later today to add more tests for the different auth handlers.

[mfvitale]

@pxcamus Could you please rebase with latest main?

[pxcamus]

@pxcamus Could you please rebase with latest main?

Done!

[github-actions]

Hi @pxcamus, thanks for your contribution. Please prefix the commit message(s) with the debezium/dbz#xxx GitHub issue key.

[pxcamus]

@mfvitale If you could please take a look at the approach I used for testing JWT auth. I am going to add IT tests with expired token, etc... then switch to OAuth2. Thanks!

[mfvitale]

@mfvitale If you could please take a look at the approach I used for testing JWT auth. I am going to add IT tests with expired token, etc... then switch to OAuth2. Thanks!

@pxcamus It LGTM until now. 🚀

[pxcamus]

@mfvitale If you could please take a look at the approach I used for testing JWT auth. I am going to add IT tests with expired token, etc... then switch to OAuth2. Thanks!

@pxcamus It LGTM until now. 🚀

One small question please @mfvitale : for integration tests, should I spinnup an actual OAuth2 provider, such as Keycloak or Hydra? Or mock one to return hardcoded tokens? If using an actual provider, any preference? Thanks!

[mfvitale]

@mfvitale If you could please take a look at the approach I used for testing JWT auth. I am going to add IT tests with expired token, etc... then switch to OAuth2. Thanks!

@pxcamus It LGTM until now. 🚀

One small question please @mfvitale : for integration tests, should I spinnup an actual OAuth2 provider, such as Keycloak or Hydra? Or mock one to return hardcoded tokens? If using an actual provider, any preference? Thanks!

Honestly for now I'll go with a mocked one.

[pxcamus]

@mfvitale If you could please take a look at the approach I used for testing JWT auth. I am going to add IT tests with expired token, etc... then switch to OAuth2. Thanks!

@pxcamus It LGTM until now. 🚀

One small question please @mfvitale : for integration tests, should I spinnup an actual OAuth2 provider, such as Keycloak or Hydra? Or mock one to return hardcoded tokens? If using an actual provider, any preference? Thanks!

Honestly for now I'll go with a mocked one.

@mfvitale Should the OAuth2 connection validation include the retrieval of the token? I.e. do I request the client credentials and request a token first? My concern is that the OAuth2 provider could be un-reachable from the platform conductor, right?

The other option is to just collect the token through the stage UI and validate the connection.

I have a working OAuth2 provider implementation for the integration tests, so can use the actual flow.

[Naros]

From my PoV, once the following is addressed then LGTM.

[Naros]

Suggested change

	if (authType == null || authType.trim().isEmpty()) {
	if (Strings.isNullorEmpty(authType)) {

[mfvitale]

@mfvitale If you could please take a look at the approach I used for testing JWT auth. I am going to add IT tests with expired token, etc... then switch to OAuth2. Thanks!

@pxcamus It LGTM until now. 🚀

One small question please @mfvitale : for integration tests, should I spinnup an actual OAuth2 provider, such as Keycloak or Hydra? Or mock one to return hardcoded tokens? If using an actual provider, any preference? Thanks!

Honestly for now I'll go with a mocked one.

@mfvitale Should the OAuth2 connection validation include the retrieval of the token? I.e. do I request the client credentials and request a token first? My concern is that the OAuth2 provider could be un-reachable from the platform conductor, right?

The other option is to just collect the token through the stage UI and validate the connection.

I have a working OAuth2 provider implementation for the integration tests, so can use the actual flow.

This is a good point. We should not only think about the validation phase but also what happens when a connection is then validated and used in the DS instance deployed by the platform.

@pxcamus So for now since there is no support for loading credentials file.
In https://pulsar.apache.org/docs/next/security-oauth2/ I see that the client requires to use the keyFile so I will not support it for now in the validation.

[pxcamus]

@mfvitale If you could please take a look at the approach I used for testing JWT auth. I am going to add IT tests with expired token, etc... then switch to OAuth2. Thanks!

@pxcamus It LGTM until now. 🚀

One small question please @mfvitale : for integration tests, should I spinnup an actual OAuth2 provider, such as Keycloak or Hydra? Or mock one to return hardcoded tokens? If using an actual provider, any preference? Thanks!

Honestly for now I'll go with a mocked one.

@mfvitale Should the OAuth2 connection validation include the retrieval of the token? I.e. do I request the client credentials and request a token first? My concern is that the OAuth2 provider could be un-reachable from the platform conductor, right?
The other option is to just collect the token through the stage UI and validate the connection.
I have a working OAuth2 provider implementation for the integration tests, so can use the actual flow.

This is a good point. We should not only think about the validation phase but also what happens when a connection is then validated and used in the DS instance deployed by the platform.

@pxcamus So for now since there is no support for loading credentials file. In https://pulsar.apache.org/docs/next/security-oauth2/ I see that the client requires to use the keyFile so I will not support it for now in the validation.

@mfvitale unless I missed something, it can be loaded as a base64 encoded string, right?

But to clarify, do I then wrap up the PR by passing the token for the validation?

[mfvitale]

@mfvitale If you could please take a look at the approach I used for testing JWT auth. I am going to add IT tests with expired token, etc... then switch to OAuth2. Thanks!

@pxcamus It LGTM until now. 🚀

One small question please @mfvitale : for integration tests, should I spinnup an actual OAuth2 provider, such as Keycloak or Hydra? Or mock one to return hardcoded tokens? If using an actual provider, any preference? Thanks!

Honestly for now I'll go with a mocked one.

@mfvitale Should the OAuth2 connection validation include the retrieval of the token? I.e. do I request the client credentials and request a token first? My concern is that the OAuth2 provider could be un-reachable from the platform conductor, right?
The other option is to just collect the token through the stage UI and validate the connection.
I have a working OAuth2 provider implementation for the integration tests, so can use the actual flow.

This is a good point. We should not only think about the validation phase but also what happens when a connection is then validated and used in the DS instance deployed by the platform.
@pxcamus So for now since there is no support for loading credentials file. In https://pulsar.apache.org/docs/next/security-oauth2/ I see that the client requires to use the keyFile so I will not support it for now in the validation.

@mfvitale unless I missed something, it can be loaded as a base64 encoded string, right?

But to clarify, do I then wrap up the PR by passing the token for the validation?

Where you get this infos?

[pxcamus]

@mfvitale If you could please take a look at the approach I used for testing JWT auth. I am going to add IT tests with expired token, etc... then switch to OAuth2. Thanks!

@pxcamus It LGTM until now. 🚀

One small question please @mfvitale : for integration tests, should I spinnup an actual OAuth2 provider, such as Keycloak or Hydra? Or mock one to return hardcoded tokens? If using an actual provider, any preference? Thanks!

Honestly for now I'll go with a mocked one.

@mfvitale Should the OAuth2 connection validation include the retrieval of the token? I.e. do I request the client credentials and request a token first? My concern is that the OAuth2 provider could be un-reachable from the platform conductor, right?
The other option is to just collect the token through the stage UI and validate the connection.
I have a working OAuth2 provider implementation for the integration tests, so can use the actual flow.

This is a good point. We should not only think about the validation phase but also what happens when a connection is then validated and used in the DS instance deployed by the platform.
@pxcamus So for now since there is no support for loading credentials file. In https://pulsar.apache.org/docs/next/security-oauth2/ I see that the client requires to use the keyFile so I will not support it for now in the validation.

@mfvitale unless I missed something, it can be loaded as a base64 encoded string, right?

But to clarify, do I then wrap up the PR by passing the token for the validation?

Where you get this infos?

https://pulsar.apache.org/docs/4.1.x/security-oauth2/

[mfvitale]

@mfvitale unless I missed something, it can be loaded as a base64 encoded string, right?

But to clarify, do I then wrap up the PR by passing the token for the validation?

Where you get this infos?

https://pulsar.apache.org/docs/4.1.x/security-oauth2/

Well then it should work but is not the best from the security point, since this base64 string will be then passed in the CRD definition.

Let's add the support for the validation for now.

[pxcamus]

@mfvitale I am done AFAIK. One question (hopefully not too stupid): when rebasing the latest main on my branch, I saw the following entry added to POM.xml:

<dependency> <groupId>io.debezium</groupId> <artifactId>debezium-connector-common</artifactId> <version>${version.debezium}</version> </dependency>

But I cannot resolve this dependency. How do I build it locally? Thanks!

[pxcamus]

@pxcamus Could you please check the failure?

@mfvitale I am struggling so much to run my branch to update the ITs 😅 When trying to build the project:

Downloading from confluent: https://packages.confluent.io/maven/io/debezium/debezium-quarkus-outbox/3.6.0-SNAPSHOT/debezium-quarkus-outbox-3.6.0-SNAPSHOT.jar Downloading from confluent: https://packages.confluent.io/maven/io/debezium/debezium-operator-api/3.6.0-SNAPSHOT/debezium-operator-api-3.6.0-SNAPSHOT.jar [INFO] ------------------------------------------------------------------------ [INFO] BUILD FAILURE [INFO] ------------------------------------------------------------------------ [INFO] Total time: 22.820 s [INFO] Finished at: 2026-04-01T19:02:04+02:00 [INFO] ------------------------------------------------------------------------ [ERROR] Failed to execute goal on project debezium-platform-conductor: Could not resolve dependencies for project io.debezium:debezium-platform-conductor:jar:3.6.0-SNAPSHOT [ERROR] dependency: io.debezium:debezium-quarkus-outbox:jar:3.6.0-SNAPSHOT (compile) [ERROR] Could not find artifact io.debezium:debezium-quarkus-outbox:jar:3.6.0-SNAPSHOT in confluent (https://packages.confluent.io/maven/) [ERROR] dependency: io.debezium:debezium-operator-api:jar:3.6.0-SNAPSHOT (compile) [ERROR] Could not find artifact io.debezium:debezium-operator-api:jar:3.6.0-SNAPSHOT in confluent (https://packages.confluent.io/maven/)

But then when trying to build debezium-quarkus-outbox, I get an issue with something else (debezium-connector-informix). I suspect I am doing something stupid, but can't figure out what exactly...

[Naros]

There are now a few cross-repo dependencies, and it's probably something we should try to document clearly, particularly for first-time contributors. The debezium-quarkus repo now requires debezium-connector-informix to be built up-front. So if you clone that repository and build it, then that should solve your issue. Just be mindful that the Informix repo likely will require the main debezium/debezium repo to be built as well.

So build

1. debezium/debezium
2. debezium/debezium-connector-informix
3. debezium/debezium-quarkus
4. debezium/debezium-platform

[pxcamus]

There are now a few cross-repo dependencies, and it's probably something we should try to document clearly, particularly for first-time contributors. The debezium-quarkus repo now requires debezium-connector-informix to be built up-front. So if you clone that repository and build it, then that should solve your issue. Just be mindful that the Informix repo likely will require the main debezium/debezium repo to be built as well.

So build

1. debezium/debezium
2. debezium/debezium-connector-informix
3. debezium/debezium-quarkus
4. debezium/debezium-platform

Hi @Naros , I was able to resolve everything last night, except the Informix connector:

[INFO] DOCKER> [debezium/informix-test-database:15]: Created docker-build.tar in 26 milliseconds
[INFO] DOCKER> Credentials helper reply for "docker-credential-desktop" is docker-credential-osxkeychain (github.com/docker/docker-credential-helpers) v0.9.5
[ERROR] DOCKER> Unable to pull 'icr.io/informix/informix-developer-database:15.0' from registry 'icr.io' : {"message":"failed to resolve reference "icr.io/informix/informix-developer-database:15.0": icr.io/informix/informix-developer-database:15.0: not found"} (Not Found: 404) [{"message":"failed to resolve reference "icr.io/informix/informix-developer-database:15.0": icr.io/informix/informix-developer-database:15.0: not found"} (Not Found: 404)]

[Naros]

@pxcamus for the meantime can you try -Pinformix14 or -Pinformix12 to use the 14 or 12 images, do that work for you?

[pxcamus]

@pxcamus for the meantime can you try -Pinformix14 or -Pinformix12 to use the 14 or 12 images, do that work for you?

That worked, thanks!

[pxcamus]

@pxcamus for the meantime can you try -Pinformix14 or -Pinformix12 to use the 14 or 12 images, do that work for you?

@Naros actually a few more issues but on macOS ARM. the debezium-quarkus-testsuite-deployment produces a test JAR. So I could not run mvn install -Dmaven.test.skip=true. But when trying to skip just the execution of tests with mvn install -DskipTests I am getting this error:

[ERROR] Failed to execute goal io.fabric8:docker-maven-plugin:0.48.0:start (start-mongodb) on project debezium-quarkus-mongodb-integration-tests: I/O Error: Unable to pull 'quay.io/debezium/mongo:6.0' from registry 'quay.io' : {"message":"no matching manifest for linux/arm64/v8 in the manifest list entries: no match for platform in manifest: not found"} (Not Found: 404) -> [Help 1]

I tried everything I could think of: setting up a default profile in ~/.m2/settings.xml:

<profiles> <profile> <id>default</id> <properties> <docker.host>unix://${user.home}/.docker/run/docker.sock</docker.host> <docker.platform>linux/amd64</docker.platform> </properties> </profile> </profiles>

I downloaded the image before running the Maven command:

docker pull --platform linux/amd64 quay.io/debezium/mongo:6.0

Then tried passing in various way a flag: DOCKER_DEFAULT_PLATFORM=linux/amd64 mvn install -DskipTests.

I think next I will have to modify the POM files to pass <platform>${docker.platform}</platform>.

Good news is that I am saving to buy a Linux workstation 😅

[mfvitale]

@pxcamus snapshots should now be published on maven central so you could just try to run test on your branch and dependencies should be resolved.

[pxcamus]

@pxcamus snapshots should now be published on maven central so you could just try to run test on your branch and dependencies should be resolved.

Still seeing this @mfvitale :

[ERROR] Failed to execute goal on project debezium-platform-conductor: Could not resolve dependencies for project io.debezium:debezium-platform-conductor:jar:3.6.0-SNAPSHOT [ERROR] dependency: io.debezium:debezium-operator-api:jar:3.6.0-SNAPSHOT (compile) [ERROR] Could not find artifact io.debezium:debezium-operator-api:jar:3.6.0-SNAPSHOT in confluent (https://packages.confluent.io/maven/)

[vsantonastaso]

@pxcamus for the meantime can you try -Pinformix14 or -Pinformix12 to use the 14 or 12 images, do that work for you?

@Naros actually a few more issues but on macOS ARM. the debezium-quarkus-testsuite-deployment produces a test JAR. So I could not run mvn install -Dmaven.test.skip=true. But when trying to skip just the execution of tests with mvn install -DskipTests I am getting this error:

[ERROR] Failed to execute goal io.fabric8:docker-maven-plugin:0.48.0:start (start-mongodb) on project debezium-quarkus-mongodb-integration-tests: I/O Error: Unable to pull 'quay.io/debezium/mongo:6.0' from registry 'quay.io' : {"message":"no matching manifest for linux/arm64/v8 in the manifest list entries: no match for platform in manifest: not found"} (Not Found: 404) -> [Help 1]

I tried everything I could think of: setting up a default profile in ~/.m2/settings.xml:

<profiles> <profile> <id>default</id> <properties> <docker.host>unix://${user.home}/.docker/run/docker.sock</docker.host> <docker.platform>linux/amd64</docker.platform> </properties> </profile> </profiles>

I downloaded the image before running the Maven command:

docker pull --platform linux/amd64 quay.io/debezium/mongo:6.0

Then tried passing in various way a flag: DOCKER_DEFAULT_PLATFORM=linux/amd64 mvn install -DskipTests.

I think next I will have to modify the POM files to pass <platform>${docker.platform}</platform>.

Good news is that I am saving to buy a Linux workstation 😅

Hi @pxcamus,
The ~/.m2/settings.xml approach couldn't work because docker-maven-plugin doesn't
automatically inherit properties from there.
You could try with:

1. Add <docker.platform>linux/amd64</docker.platform> to the properties section
2. Add ${docker.platform} inside each block
3. run mvn command with -Ddocker.platform. e.g. mvn clean install -Ddocker.platform=linux/amd64

Ah for sure you have to enable Rosetta emulation in your docker engine

[pxcamus]

Thanks @vsantonastaso , that's what I thought I would have to do, but @mfvitale helped me out, and I was able to build.