Docker-compose deployment with mutual TLS

After deploying Temporal using the provided docker-compose-postgres.yml file I’ve been trying to enable mutual TLS between the Temporal server and users (Temporal CLI users or other custom applications).

From what I understand, and please correct me if I’m wrong, only the global tls frontend config details need to be specified. I started with just TLS and unfortunately ran into some problems:

global:
    tls:
        frontend:
            server:
                certFile: /data/temporalserver.crt
                keyFile: /data/temporalserver.key
            client:
                serverName: temporal-server
                rootCAFiles:
                  - /data/rootca.crt

The temporalio/auto-setup:0.26.0 container loops on tctl errors:

temporal-server_1  | + tctl --ns default namespace describe
temporal-server_1  | Error: Operation DescribeNamespace failed.
temporal-server_1  | Error Details: last connection error: connection closed

Any help would be greatly appreciated.


Thanks for posting Jocelyn!

Currently, TLS isn’t supported by the CLI (coming soon), so you will need to set up your namespace using the SDK, or using the CLI before enabling TLS.

Additionally, Backend roles consume the Frontend API in some scenarios and use their ServerCertificate to connect; therefore, Internode TLS is currently required in order to enable Frontend TLS.


Thank you for your response, it helped me get this working. For anyone trying to get mTLS working within the temporalio/server container, you can set your certs' CN and the serverName in the global tls details to your docker-compose service name. Something like:

global:
    tls:
        internode:
            server:
                certFile: /data/internodeserver.crt
                keyFile: /data/internodeserver.key
                requireClientAuth: true
                clientCaFiles:
                  - /data/internodeca.cert.pem
            client:
                serverName: temporal-server
                rootCaFiles:
                  - /data/internodeca.cert.pem
        frontend:
            server:
                certFile: /data/frontendserver.crt
                keyFile: /data/frontendserver.key
                requireClientAuth: true
                clientCaFiles:
                  - /data/internodeca.cert.pem
            client:
                serverName: temporal-server
                rootCaFiles:
                  - /data/frontendca.cert.pem

For a docker-compose file like:

version: '3.7'
services:
  temporal-server:
    image: temporalio/server:${SERVER_TAG:-0.27.0}
    environment:
      - "AUTO_SETUP=false"
      - "DB=postgres"
      - "DB_PORT=5432"
      - "POSTGRES_USER=temporal"
      - "POSTGRES_PWD=placeholder"
      - "POSTGRES_SEEDS=postgres"
      - "DYNAMIC_CONFIG_FILE_PATH=config/dynamicconfig/development.yaml"
...
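As an added check (not code from this thread or from Temporal itself), the Go program below reproduces the frontend part of the config above with in-memory certificates and a loopback listener: the server requires a client certificate issued by the CA (requireClientAuth/clientCaFiles) and the client pins that CA and checks serverName (rootCaFiles/serverName), which is exactly what Temporal's Go-based server and SDK clients do. The names internodeca, tctl-user and Scenario are assumptions; since Go 1.15 crypto/tls matches serverName against the certificate's SAN rather than its CN, so the compose service name has to be present as a SAN, not only as the CN.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

func newCert(cn string, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		DNSNames: []string{cn}, // Go matches serverName against the SAN, not the CN, so the compose service name goes here
	}
	if parent == nil { // no parent: self-sign, this certificate is the CA
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Scenario runs one real mTLS handshake over loopback and returns nil only if the session is established.
func Scenario(serverName string, sendClientCert bool) error {
	ca, caKey := newCert("internodeca", nil, nil)
	srv, srvKey := newCert("temporal-server", ca, caKey)
	cli, cliKey := newCert("tctl-user", ca, caKey)
	pool := x509.NewCertPool() // plays both clientCaFiles and rootCaFiles, as in the config above
	pool.AddCert(ca)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool,
		Certificates: []tls.Certificate{{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}}})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() { c, _ := ln.Accept(); c.Write([]byte("ok")); c.Close() }() // Write runs the server-side handshake
	cfg := &tls.Config{RootCAs: pool, ServerName: serverName}
	if sendClientCert {
		cfg.Certificates = []tls.Certificate{{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}}
	}
	c, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return err
	}
	_, err = c.Read(make([]byte, 2)) // under TLS 1.3 a rejected client cert is only reported here
	return err
}
```

Scenario("temporal-server", true) returns nil, while Scenario("temporal-server", false) (no client certificate) and Scenario("localhost", true) (serverName does not match the SAN) return errors; call it from a test or from a small main that prints those three results.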

@shawn are you saying that internode TLS is currently supported? Thanks

@Kevin_Flynn - Yes! See how to configure internode tls here - https://docs.temporal.io/docs/configure-temporal-server#tls


OK, great, thanks @shawn