apache · codelipenghui · Nov 21, 2020 · Nov 20, 2020 · Nov 20, 2020
diff --git a/site2/docs/functions-worker.md b/site2/docs/functions-worker.md
@@ -99,6 +99,7 @@ If you want to enable security on functions workers, you *should*:
 - [Enable TLS transport encryption](#enable-tls-transport-encryption)
 - [Enable Authentication Provider](#enable-authentication-provider)
 - [Enable Authorization Provider](#enable-authorization-provider)
+- [Enable End-to-End Encryption](#enable-end-to-end-encryption)
 
 ##### Enable TLS transport encryption
 
@@ -180,6 +181,29 @@ superUserRoles:
   - role3
 ```
 
+##### Enable End-to-End Encryption
+
+You can use the public and private key pair that the application configures to perform encryption. Only the consumers with a valid key can decrypt the encrypted messages.
+
+To enable End-to-End encryption on Functions Worker, you can set it by specifying `--producer-config` in the command line terminal, for more information, please refer to [here](security-encryption.md).
+
+We include the relevant configuration information of `CryptoConfig` into `ProducerConfig`. The specific configurable field information about `CryptoConfig` is as follows:
+
+```text
+public class CryptoConfig {
+    private String cryptoKeyReaderClassName;
+    private Map<String, Object> cryptoKeyReaderConfig;
+
+    private String[] encryptionKeys;
+    private ProducerCryptoFailureAction producerCryptoFailureAction;
+
+    private ConsumerCryptoFailureAction consumerCryptoFailureAction;
+}
+```
+
+- `producerCryptoFailureAction`: define the action if producer fail to encrypt data one of `FAIL`, `SEND`.
+- `consumerCryptoFailureAction`: define the action if consumer fail to decrypt data one of `FAIL`, `DISCARD`, `CONSUME`.
+
 #### BookKeeper Authentication
 
 If authentication is enabled on the BookKeeper cluster, you need configure the BookKeeper authentication settings as follows:

diff --git a/site2/docs/io-cli.md b/site2/docs/io-cli.md
@@ -71,6 +71,7 @@ $ pulsar-admin sources create options
 | `--source-config-file` | The path to a YAML config file specifying the source's configuration.
 | `-t`, `--source-type` | The source's connector provider.
 | `--tenant` | The source's tenant.
+|`--producer-config`| The custom producer configuration (as a JSON string).
 
 ### `update`
 
@@ -273,6 +274,7 @@ $ pulsar-admin sources localrun options
 |`--tls-allow-insecure`|Allow insecure tls connection.<br>**Default value: false**.
 |`--tls-trust-cert-path`|The tls trust cert file path.
 |`--use-tls`|Use tls connection.<br>**Default value: false**.
+|`--producer-config`| The custom producer configuration (as a JSON string).
 
 ### `available-sources`
 

diff --git a/site2/docs/reference-pulsar-admin.md b/site2/docs/reference-pulsar-admin.md
@@ -464,6 +464,7 @@ Options
 |`--tls-allow-insecure`|Allow insecure tls connection|false|
 |`--tls-trust-cert-path`|The tls trust cert file path||
 |`--use-tls`|Use tls connection|false|
+|`--producer-config`| The custom producer configuration (as a JSON string) | |
 
 
 ### `create`
@@ -509,6 +510,7 @@ Options
 |`--max-message-retries`|How many times should we try to process a message before giving up||
 |`--retain-ordering`|Function consumes and processes messages in order||
 |`--timeout-ms`|The message timeout in milliseconds||
+|`--producer-config`| The custom producer configuration (as a JSON string) | |
 
 
 ### `delete`
@@ -572,6 +574,7 @@ Options
 |`--max-message-retries`|How many times should we try to process a message before giving up||
 |`--retain-ordering`|Function consumes and processes messages in order||
 |`--timeout-ms`|The message timeout in milliseconds||
+|`--producer-config`| The custom producer configuration (as a JSON string) | |
 
 
 ### `get`