This example shows how to secure your Temporal application with mTLS. This is required to connect with Temporal Cloud or any production Temporal deployment.
Before running the example you need to export the following env variables:
- TEMPORAL_ENDPOINT: gRPC endpoint; for Temporal Cloud this looks like ${namespace}.tmprl.cloud:7233.
- TEMPORAL_NAMESPACE: Namespace.
- TEMPORAL_CLIENT_CERT: Path to the client certificate file. For Temporal Cloud, see the requirements here.
- TEMPORAL_CLIENT_KEY: Path to the client private key file. For Temporal Cloud, see the requirements here.
./gradlew -q execute -PmainClass=io.temporal.samples.ssl.Starter
This sample shows how to start a worker that connects to a Temporal cluster with mTLS enabled, such as the cluster created by the tls-simple sample.
SslEnabledWorkerCustomCA demonstrates:
- Passing a custom CA certificate file as parameter
- Overriding the authority name used for TLS handshakes (if needed)
1. Start a Temporal cluster with TLS
Follow the Temporal server sample to start a simple Temporal mTLS cluster locally: tls-simple
2. Set environment variables
# Environment variables
# paths to ca cert, client cert and client key come from the previous step
export TEMPORAL_CLIENT_CERT="</path/to/client.pem>"
export TEMPORAL_CLIENT_KEY="</path/to/client.key>"
export TEMPORAL_CA_CERT="</path/to/ca.cert>"
export TEMPORAL_ENDPOINT="localhost:7233" # Temporal grpc endpoint
export TEMPORAL_NAMESPACE="default" # Temporal namespace
export TEMPORAL_SERVER_HOSTNAME="tls-sample" # Temporal server host name
3. Start the worker
./gradlew -q execute -PmainClass="io.temporal.samples.ssl.SslEnabledWorkerCustomCA"
4. Expected result
[main] INFO i.t.s.WorkflowServiceStubsImpl - Created WorkflowServiceStubs for channel: ManagedChannelOrphanWrapper{delegate=ManagedChannelImpl{logId=1, target=localhost:7233}}
[main] INFO io.temporal.internal.worker.Poller - start: Poller{name=Workflow Poller taskQueue="MyTaskQueue", namespace="default"}
Workflow completed:done
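The following is an added example, not the code of the ssl sample itself. It shows what the two bullet points above (custom CA file, authority override) amount to in Temporal Java SDK terms: the client certificate and key from TEMPORAL_CLIENT_CERT / TEMPORAL_CLIENT_KEY are turned into an SslContext, TEMPORAL_CA_CERT (if set) replaces the JVM's default trust store with a trust manager that trusts only that CA, and TEMPORAL_SERVER_HOSTNAME (if set) overrides the authority gRPC verifies the server certificate against, which is needed when you dial localhost but the server certificate was issued for the tls-sample name. The class name MtlsClientFactory is hypothetical; the SDK calls (SimpleSslContextBuilder.forPKCS8 and setTrustManager, WorkflowServiceStubsOptions.Builder.setChannelInitializer, WorkflowServiceStubs.newServiceStubs) are assumed from the Temporal Java SDK, and the key file is assumed to be in PKCS#8 format, which forPKCS8 requires.

```java
import io.netty.handler.ssl.SslContext;
import io.temporal.client.WorkflowClient;
import io.temporal.client.WorkflowClientOptions;
import io.temporal.serviceclient.SimpleSslContextBuilder;
import io.temporal.serviceclient.WorkflowServiceStubs;
import io.temporal.serviceclient.WorkflowServiceStubsOptions;

import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

/**
 * Hypothetical helper (not part of the sample) that builds an mTLS-enabled
 * Temporal client from the environment variables described above.
 */
public class MtlsClientFactory {

  /** Read a required variable. Failing loudly beats silently falling back to a
   *  plaintext or unverified connection. */
  private static String requireEnv(String name) {
    String v = System.getenv(name);
    if (v == null || v.isEmpty()) {
      throw new IllegalStateException("environment variable " + name + " is not set");
    }
    return v;
  }

  /** Build a TrustManager that trusts only the CA certificate(s) in the given
   *  PEM/DER file instead of the JVM's default trust store. */
  static TrustManager trustManagerFor(String caCertPath) throws Exception {
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
    trustStore.load(null, null); // empty in-memory store
    try (InputStream in = new FileInputStream(caCertPath)) {
      int i = 0;
      for (Certificate ca : cf.generateCertificates(in)) {
        trustStore.setCertificateEntry("custom-ca-" + i++, ca);
      }
    }
    TrustManagerFactory tmf =
        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(trustStore);
    return tmf.getTrustManagers()[0];
  }

  static WorkflowClient newClient() throws Exception {
    String endpoint = requireEnv("TEMPORAL_ENDPOINT");
    String namespace = requireEnv("TEMPORAL_NAMESPACE");
    String clientCert = requireEnv("TEMPORAL_CLIENT_CERT");
    String clientKey = requireEnv("TEMPORAL_CLIENT_KEY");
    String caCert = System.getenv("TEMPORAL_CA_CERT");               // optional: custom CA
    String serverHostname = System.getenv("TEMPORAL_SERVER_HOSTNAME"); // optional: authority override

    // Client certificate + PKCS#8 private key -> SslContext (assumed SDK API).
    SslContext sslContext;
    try (InputStream cert = new FileInputStream(clientCert);
         InputStream key = new FileInputStream(clientKey)) {
      SimpleSslContextBuilder ssl = SimpleSslContextBuilder.forPKCS8(cert, key);
      if (caCert != null && !caCert.isEmpty()) {
        ssl.setTrustManager(trustManagerFor(caCert)); // pin trust to the custom CA
      }
      sslContext = ssl.build();
    }

    WorkflowServiceStubsOptions.Builder stubs =
        WorkflowServiceStubsOptions.newBuilder()
            .setTarget(endpoint)
            .setSslContext(sslContext);
    if (serverHostname != null && !serverHostname.isEmpty()) {
      // The server certificate names tls-sample, but we dial localhost:7233;
      // tell gRPC which name to verify the certificate against.
      stubs.setChannelInitializer(b -> b.overrideAuthority(serverHostname));
    }

    WorkflowServiceStubs service = WorkflowServiceStubs.newServiceStubs(stubs.build());
    return WorkflowClient.newInstance(
        service, WorkflowClientOptions.newBuilder().setNamespace(namespace).build());
  }

  public static void main(String[] args) throws Exception {
    WorkflowClient client = newClient();
    System.out.println("Connected to namespace " + client.getOptions().getNamespace());
  }
}
```

Leaving TEMPORAL_CA_CERT unset keeps the JVM's default trust store, which is what you want for Temporal Cloud; setting it restricts trust to the local CA from the tls-simple sample. The authority override only changes the name used for certificate verification, not where the channel connects, so it is not a way to skip verification.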