Hi,
this my current configuration:
tls:
refreshInterval: 0s
expirationChecks:
warningWindow: 0s
errorWindow: 0s
checkInterval: 0s
internode:
# This server section configures the TLS certificate that internal temporal
# cluster nodes (history or matching) present to other clients within the Temporal Cluster.
server:
requireClientAuth: false
certFile: /test/server/certs/cluster.pem
keyFile: /test/server/certs/cluster.key
clientCaFiles:
- /test/server/certs/ca.cert
certData:
keyData:
# This client section is used to configure the TLS clients within
# the Temporal Cluster that connect to an Internode (history or matching)
client:
serverName: tls-sample
disableHostVerification: true
rootCaFiles:
- /test/server/certs/ca.cert
frontend:
# This server section configures the TLS certificate that the Frontend
# server presents to all clients (specifically the Worker role within
# the Temporal Cluster and all External SDKs connecting to the Cluster)
server:
requireClientAuth: true
certFile: /test/server/certs/cluster.pem
keyFile: /test/server/certs/cluster.key
clientCaFiles:
- /test/server/certs/ca.cert
certData:
keyData:
# This client section is used to configure the TLS clients within
# the Temporal Cluster (specifically the Worker role) that connect to the Frontend service
client:
serverName: tls-sample
disableHostVerification: false
rootCaFiles:
- /test/server/certs/ca.cert
I would implement the following two cases:
- connection with worker (A2A) → use mTLS with no JWT
- connection with tctl (U2A) → use onely JWT without mTLS
I use tctl with no certs I observe that the request is blocked and the code GetClaims is not reached (it seems that the “requireClientAuth: true” set “tls.RequireAndVerifyClientCert” and so only a client with valid certificate is accepted)
Otherwise if I set “requireClientAuth: false” no certificate is taken into consideration and so I cannot implement “case 1”
Thanks
Regards