Security/Auth between SDK client and Temporal Server (Helm chart)

For my PoC, I did run both Temporal and the SDK Workers within a Kubernetes cluster, without any kind of security for the cluster-internal communication. With our real-world use case, we will also need to make Temporal available over the internet. I did read the Server Security page, but still have some questions about this.

  1. Is there a recommended form of authentication, and if yes, is it by using TLS?

  2. In case of TLS, I did find this snippet as an example in the Cluster Configuration. I am assuming that for the helm chart, this needs to be added into the server-configmap.yaml, but do I need to mount the actual ca files only to the frontend-deployment, or to other temporal pods as well?

    global:
      tls:
        frontend:
          server:
            clientCaFiles:
              - /path/to/sdkClientPool1/ca
              - /path/to/sdkClientPool2/ca
    
  3. Would it make sense to extend the Temporal Helm chart with an easy possibility to add clientCaFiles? I'd assume that it is a pretty common use case to require authentication/authorization?

  4. In my opinion, a simple API-key based approach would lower the entry-barrier to securely use Temporal, are there any plans to offer this as well at some point in time, as an alternative to certificates?

  5. Does anybody by any chance also have experience with integrating Azure AD in Temporal? I'm right now assuming that this would work by implementing Golang server plugins, as described here, but was just wondering if there are reusable resources available for this as well.

All in all, the documentation seems to cover the most important aspects, but some step-by-step guide or best practices/recommendations for using Temporal securely would be a great way to make it easier to get started. Ideally, this works in a way where the default Docker images can be reused, without having to build custom images. Thanks for any recommendations/discussions.
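What the `clientCaFiles` list in item 2 buys you is that the frontend requires every SDK connection to present a certificate that chains to one of the listed CAs (in the server config that list goes together with `requireClientAuth: true`). The following is an added, stand-alone Go example, not code from the original post, the Temporal Helm chart or the Temporal server: it models the same arrangement with Go's standard `crypto/tls`, with two SDK client pools behind their own CAs being admitted while a certificate from an unlisted CA and a worker with no certificate at all are refused. Every name in it (`temporal-frontend`, `sdkClientPool1-ca`, the `frontendTLS`/`workerTLS` helpers) is invented for the example and is not a Temporal API; in a real worker the `*tls.Config` that `workerTLS` returns is what you would hand to the Go SDK's `client.ConnectionOptions.TLS`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// keyPair is an in-memory stand-in for the certFile/keyFile/clientCaFiles a real
// deployment mounts into the pods; every name in this file is invented.
type keyPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func (k *keyPair) tlsCert() tls.Certificate {
	return tls.Certificate{Certificate: [][]byte{k.cert.Raw}, PrivateKey: k.key}
}

// issue mints a certificate: parent == nil gives a self-signed CA, otherwise a
// leaf signed by parent and tagged for server or client authentication.
func issue(cn string, parent *keyPair, server bool) *keyPair {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	switch {
	case parent == nil:
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	case server:
		signer, signerKey = parent.cert, parent.key
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	default:
		signer, signerKey = parent.cert, parent.key
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return &keyPair{cert: must(x509.ParseCertificate(der)), key: key}
}

// frontendTLS is the server-side meaning of global.tls.frontend.server with
// certFile/keyFile, requireClientAuth: true and a clientCaFiles list: present the
// frontend certificate and admit only clients whose cert chains to a listed CA.
func frontendTLS(frontend *keyPair, clientCAs ...*keyPair) *tls.Config {
	pool := x509.NewCertPool()
	for _, ca := range clientCAs {
		pool.AddCert(ca.cert)
	}
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		Certificates: []tls.Certificate{frontend.tlsCert()},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pool,
	}
}

// workerTLS is what an SDK worker passes in its connection options: the CA that
// signed the frontend cert, the expected server name and, if it has one, its own
// client certificate (nil models a worker that presents no certificate).
func workerTLS(frontendCA *keyPair, serverName string, clientCert *keyPair) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(frontendCA.cert)
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, RootCAs: pool, ServerName: serverName}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{clientCert.tlsCert()}
	}
	return cfg
}

// handshake runs one TLS handshake over loopback TCP and returns the frontend's
// verdict (or the worker's error); nil means the worker was admitted.
func handshake(server, client *tls.Config) error {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		conn := must(ln.Accept())
		defer conn.Close()
		srvErr <- tls.Server(conn, server).Handshake()
	}()
	conn := must(net.Dial("tcp", ln.Addr().String()))
	defer conn.Close()
	cliErr := tls.Client(conn, client).Handshake()
	if err := <-srvErr; err != nil {
		return err
	}
	return cliErr
}

// buildScenario mirrors the snippet in the question: one frontend trusting the
// CAs of two SDK client pools, plus two workers that must be refused.
func buildScenario() (frontend *tls.Config, workers map[string]*tls.Config) {
	const frontendName = "temporal-frontend" // assumed DNS name of the frontend
	serverCA := issue("temporal-server-ca", nil, false)
	pool1CA := issue("sdkClientPool1-ca", nil, false)
	pool2CA := issue("sdkClientPool2-ca", nil, false)
	rogueCA := issue("untrusted-ca", nil, false) // never listed in clientCaFiles
	frontend = frontendTLS(issue(frontendName, serverCA, true), pool1CA, pool2CA)
	workers = map[string]*tls.Config{
		"pool1":    workerTLS(serverCA, frontendName, issue("worker-a", pool1CA, false)),
		"pool2":    workerTLS(serverCA, frontendName, issue("worker-b", pool2CA, false)),
		"rogue-ca": workerTLS(serverCA, frontendName, issue("worker-x", rogueCA, false)),
		"no-cert":  workerTLS(serverCA, frontendName, nil),
	}
	return frontend, workers
}

func main() {
	frontend, workers := buildScenario()
	for name, w := range workers {
		fmt.Printf("%-8s -> %v\n", name, handshake(frontend, w))
	}
}
```

The refusal happens on the frontend side during the handshake (the unlisted CA fails chain verification, the missing certificate trips `RequireAndVerifyClientCert`), so a worker that is not in one of the listed pools never gets as far as a gRPC call. Adding a third pool is only a matter of appending its CA to the frontend's list, which is exactly what another entry under `clientCaFiles` does.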

  1. If you mean network communication, then yes, TLS. For authentication see this section in the docs.
  2. Take a look at configs in the samples-server repo.
  3. Yes, there is an open issue to add TLS support to the helm-charts repo. I think adding this would be great.
  4. We have had users bring this up before, will ask server team and report back.

For 5. I'll let others chime in, as I don't have experience with Azure AD.

Hope this helps.
