Workflow execution with mTLS

This example shows how to secure your Temporal application with mTLS. This is required to connect with Temporal Cloud or any production Temporal deployment.

Export env variables

Before running the example you need to export the following env variables:

  • TEMPORAL_ENDPOINT: gRPC endpoint; for Temporal Cloud it looks like ${namespace}.tmprl.cloud:7233.
  • TEMPORAL_NAMESPACE: Namespace.
  • TEMPORAL_CLIENT_CERT: For Temporal Cloud see requirements here.
  • TEMPORAL_CLIENT_KEY: For Temporal Cloud see requirements here.

Running this sample

./gradlew -q execute -PmainClass=io.temporal.samples.ssl.Starter

Refreshing credentials

  • TEMPORAL_CREDENTIAL_REFRESH_PERIOD: The period in seconds to refresh the credentials in minutes.

Setting this env variable will cause the worker to periodically update its credentials. For the full documentation see here.

Workflow execution with mTLS and custom Certificate Authority

This sample shows how to start a worker that connects to a Temporal cluster with mTLS enabled (the cluster created by the tls-simple sample).

SslEnabledWorkerCustomCA demonstrates:

  • Passing a custom CA certificate file as parameter
  • Overriding the authority name used for TLS handshakes (if needed)

This can be useful when connecting to Temporal Cloud through AWS PrivateLink.

1. Start a Temporal cluster with TLS

Follow the Temporal server sample to start a simple Temporal mTLS cluster locally: tls-simple

2. Set environment variables

# Environment variables
# paths to ca cert, client cert and client key come from the previous step 
export TEMPORAL_CLIENT_CERT="</path/to/client.pem>"
export TEMPORAL_CLIENT_KEY="</path/to/client.key>"
export TEMPORAL_CA_CERT="</path/to/ca.cert>"    
export TEMPORAL_ENDPOINT="localhost:7233"    # Temporal grpc endpoint       
export TEMPORAL_NAMESPACE="default"          # Temporal namespace            
export TEMPORAL_SERVER_HOSTNAME="tls-sample" # Temporal server host name  

3. Start the Worker

./gradlew -q execute -PmainClass="io.temporal.samples.ssl.SslEnabledWorkerCustomCA"

4. Expected result

[main] INFO  i.t.s.WorkflowServiceStubsImpl - Created WorkflowServiceStubs for channel: ManagedChannelOrphanWrapper{delegate=ManagedChannelImpl{logId=1, target=localhost:7233}} 
[main] INFO  io.temporal.internal.worker.Poller - start: Poller{name=Workflow Poller taskQueue="MyTaskQueue", namespace="default"} 
Workflow completed:done
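
A preflight check for the variables exported in step 2, to run before starting the worker in step 3. This is an added example, not part of the sample repository; the function name check_mtls_env and the MIN_VALID_SECONDS variable are hypothetical and are not read by the sample.

```shell
#!/bin/sh
# Added example: validates the credential files named by the step 2 variables.
# Returns 0 if they look usable, 1 otherwise. Requires the openssl CLI.
# MIN_VALID_SECONDS (hypothetical, not used by the sample): minimum remaining
# certificate lifetime in seconds, default 24h.
# Usage: check_mtls_env && ./gradlew -q execute -PmainClass="io.temporal.samples.ssl.SslEnabledWorkerCustomCA"
check_mtls_env() {
  rc=0
  for v in TEMPORAL_CLIENT_CERT TEMPORAL_CLIENT_KEY TEMPORAL_CA_CERT; do
    eval "p=\${$v:-}"
    if [ -z "$p" ]; then echo "FAIL: $v is not set" >&2; rc=1
    elif [ ! -r "$p" ]; then echo "FAIL: $v: cannot read $p" >&2; rc=1
    fi
  done
  [ "$rc" -eq 0 ] || return 1

  # The private key should be accessible to its owner only (e.g. mode 0600).
  # Characters 5-10 of the ls mode string are the group and other bits.
  perms=$(ls -lL "$TEMPORAL_CLIENT_KEY" | cut -c5-10)
  if [ "$perms" != "------" ]; then
    echo "FAIL: $TEMPORAL_CLIENT_KEY is accessible to group/other" >&2; rc=1
  fi

  # The key must belong to the certificate: compare the two public keys.
  # An encrypted or unparsable key yields an empty value and fails the check.
  cert_pub=$(openssl x509 -in "$TEMPORAL_CLIENT_CERT" -noout -pubkey 2>/dev/null) || cert_pub=""
  key_pub=$(openssl pkey -in "$TEMPORAL_CLIENT_KEY" -pubout -passin pass: 2>/dev/null) || key_pub=""
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: client key does not match client certificate" >&2; rc=1
  fi

  # Neither certificate may expire within the window.
  for f in "$TEMPORAL_CLIENT_CERT" "$TEMPORAL_CA_CERT"; do
    if ! openssl x509 -in "$f" -noout -checkend "${MIN_VALID_SECONDS:-86400}" >/dev/null 2>&1; then
      echo "FAIL: $f is unparsable or expires too soon" >&2; rc=1
    fi
  done
  return "$rc"
}
```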