I have deployed Temporal on Kubernetes using the Helm chart and the default settings.
When I use the CLI it works:
> temporal env set alp.address <HOST>:443
> temporal operator cluster health --env alp --tls
SERVING
> temporal operator namespace --env alp --tls list
NamespaceInfo.Name temporal-system
NamespaceInfo.Id 32049b68-7872-4094-8e63-d0dd59896a83
NamespaceInfo.Description Temporal internal system namespace
NamespaceInfo.OwnerEmail temporal-core@temporal.io
...
I was also able to create a namespace with the CLI.
Now, in my .NET code, I use:
builder.Services.AddTemporalClient(opts =>
{
    opts.TargetHost = "<HOST>:443";
    opts.Namespace = "<NAMESPACE>";
    opts.Tls = new TlsOptions();
});
Any operation I try leads to:
System.InvalidOperationException: Connection failed: Server connection error: tonic::transport::Error(Transport, Os { code: 13, kind: PermissionDenied, message: "Permission denied" })
at Temporalio.Bridge.Client.ConnectAsync(Runtime runtime, TemporalConnectionOptions options)
at Temporalio.Client.TemporalConnection.GetBridgeClientAsync()
at Temporalio.Extensions.Hosting.TemporalWorkerService.ExecuteAsync(CancellationToken stoppingToken)
at Microsoft.Extensions.Hosting.Internal.Host.TryExecuteBackgroundServiceAsync(BackgroundService backgroundService)
Evidently what the CLI and the .NET SDK do is different.
I looked at the logs, but can’t find anything.
My setup is using Istio to terminate the TLS connection and forward to the Temporal frontend. I have used that setup with my own gRPC services and there is no problem there; it is basic HTTP(2) proxying, and again the CLI works just fine, so it must be on the .NET SDK side.
This is on Ubuntu 22.04 if that matters.