Hi, there is a new feature of 1.15 which have a separate mTLS configuration section for the remote clusters.
How does it work compare to 1.14+?
Is this a breaking change?
If you have multiple Temporal Clusters and use cross cluster replication, this allows you to set TLS for the replication/cross cluster traffic.
If you don’t use the replication feature, then you don’t need to use this config.
This is not a breaking change.
Good it is not a breaking change!
1.14 multi-cluster uses the internode certificates to authorise with the remote as there was no way to specify the cert.
1.15 have the new feature (undocumented yet) to set the remote certificates. Are those certificates the client certs which would be presented to the remote cluster frontend? What would be the format of the certificate block?
That’s right. This will allow you to use different certs between internode communication which happens with in a cluster v.s. cross cluster traffic.
These are similar to client certs for a cluster, although you can setup different ones for the actual cert key. The cert format remains the same as the current internode cert or others as they share the same config struct.
We are working on the doc. [Feature Request] Add documentation on how to setup mTLS between clusters · Issue #964 · temporalio/documentation · GitHub for tracking.
1 Like
@meiliang86 we have updated the cluster to 1.15.2 and unfortunately change does look like a breaking one as communication between the cluster is now expected to work via the frontend proper. Is there any doc created around the new feature?
Anyway - have figured it out
Current cluster should have a remote cluster block describing which certificate to present while communicating to the remote cluster
remoteClusters:
<remote cluster FQDN>:
server:
requireClientAuth: true
certFile: /etc/temporal/remote-certificates/server.pem
keyFile: /etc/temporal/remote-certificates/server.key
clientCaFiles:
- /etc/temporal/remote-certificates/ca.pem
client:
serverName: <remote cluster FQDN>
rootCaFiles:
- /etc/temporal/remote-certificates/ca.pem
Remove cluster should have either a catch-all TLS server configuration which require client to present a common mTLS cert or the host override like this to auth on per client basis for the specific call
frontend:
...
hostOverrides:
<remote cluster FQDN>:
requireClientAuth: true
certFile: /etc/temporal/remote-certificates/server.pem
keyFile: /etc/temporal/remote-certificates/server.key
clientCaFiles:
- /etc/temporal/remote-certificates/ca.pem
2 Likes