When running Temporal on a Docker bridge network, external clients can successfully connect using the container host.
However, when Temporal is changed to run within a Docker swarm using an overlay network, external clients are unable to connect to the published port. Clients within the swarm can connect.
The error:

```
tonic::transport::Error(Transport, ConnectError(Custom { kind: UnexpectedEof, error: "tls handshake eof" }))
from /@temporalio/worker/src/connection.ts:52:15)
```
The port is published and is listening for connections through the docker-proxy.
Has anyone else experienced this issue?
Temporal is version 1.27 and the Temporal client and worker are 1.11.7.
This is the section from the docker compose for temporal.
```yaml
  temporal:
    container_name: temporal
    depends_on:
      - postgresql
      - elasticsearch
    environment:
      - "TEMPORAL_DEBUG=true"
      - "DB=postgres12"
      - "DB_PORT=${POSTGRES_DEFAULT_PORT}"
      - "POSTGRES_USER=${POSTGRES_USER}"
      - "POSTGRES_PWD=${POSTGRES_PASSWORD}"
      - "POSTGRES_SEEDS=postgresql"
      - "DYNAMIC_CONFIG_FILE_PATH=config/dynamicconfig/development.yaml"
      - "ENABLE_ES=true"
      - "ES_SEEDS=elasticsearch"
      - "ES_PORT=9201"
      - "ES_VERSION=v7"
      - "SKIP_DEFAULT_NAMESPACE_CREATION=true"
      - "SERVICES=frontend:matching:history:internal-frontend:worker"
      - "TEMPORAL_TLS_SERVER_CA_CERT=${TEMPORAL_TLS_CERTS_DIR}/SirtRootCA.crt"
      - "TEMPORAL_TLS_SERVER_CERT=${TEMPORAL_TLS_CERTS_DIR}/${TEMPORAL_HOST_NAME}.cert.pem"
      - "TEMPORAL_TLS_SERVER_KEY=${TEMPORAL_TLS_CERTS_DIR}/${TEMPORAL_HOST_NAME}.key.pem"
      - "TEMPORAL_TLS_REQUIRE_CLIENT_AUTH=true"
      - "TEMPORAL_TLS_FRONTEND_CERT=${TEMPORAL_TLS_CERTS_DIR}/${TEMPORAL_HOST_NAME}.cert.pem"
      - "TEMPORAL_TLS_FRONTEND_KEY=${TEMPORAL_TLS_CERTS_DIR}/${TEMPORAL_HOST_NAME}.key.pem"
      - "TEMPORAL_TLS_CLIENT1_CA_CERT=${TEMPORAL_TLS_CERTS_DIR}/SirtRootCA.crt"
      - "TEMPORAL_TLS_CLIENT2_CA_CERT=${TEMPORAL_TLS_CERTS_DIR}/SirtRootCA.crt"
      - "TEMPORAL_TLS_INTERNODE_SERVER_NAME=${TEMPORAL_HOST_NAME}"
      - "TEMPORAL_TLS_FRONTEND_SERVER_NAME=${TEMPORAL_HOST_NAME}"
      - "TEMPORAL_TLS_FRONTEND_DISABLE_HOST_VERIFICATION=true"
      - "TEMPORAL_TLS_INTERNODE_DISABLE_HOST_VERIFICATION=true"
      - "TEMPORAL_ADDRESS=temporal:7236"
      - "TEMPORAL_CLI_ADDRESS=temporal:7236"
      - "TEMPORAL_CLI_TLS_CA=${TEMPORAL_TLS_CERTS_DIR}/SirtRootCA.crt"
      - "TEMPORAL_CLI_TLS_CERT=${TEMPORAL_TLS_CERTS_DIR}/${TEMPORAL_WF_CLIENT_HOST_NAME}.cert.pem"
      - "TEMPORAL_CLI_TLS_KEY=${TEMPORAL_TLS_CERTS_DIR}/${TEMPORAL_WF_CLIENT_HOST_NAME}.key.pem"
      - "TEMPORAL_CLI_TLS_ENABLE_HOST_VERIFICATION=false"
      - "TEMPORAL_CLI_TLS_SERVER_NAME=${TEMPORAL_HOST_NAME}"
      - "TEMPORAL_TLS_CA=${TEMPORAL_TLS_CERTS_DIR}/SirtRootCA.crt"
      - "TEMPORAL_TLS_CERT=${TEMPORAL_TLS_CERTS_DIR}/${TEMPORAL_WF_CLIENT_HOST_NAME}.cert.pem"
      - "TEMPORAL_TLS_KEY=${TEMPORAL_TLS_CERTS_DIR}/${TEMPORAL_WF_CLIENT_HOST_NAME}.key.pem"
      - "TEMPORAL_TLS_ENABLE_HOST_VERIFICATION=false"
      - "TEMPORAL_TLS_SERVER_NAME=${TEMPORAL_HOST_NAME}"
      # - BIND_ON_IP:0.0.0.0"
      # - TEMPORAL_BROADCAST_ADDRESS:temporal"
      # "Enable jwt authorization"
      - "USE_INTERNAL_FRONTEND=true"
      # "Enable default authorizer and claim mapper"
      - "TEMPORAL_AUTH_AUTHORIZER=default"
      - "TEMPORAL_AUTH_CLAIM_MAPPER=default"
      # "specify the permissions source property in jwt token"
      - "TEMPORAL_JWT_PERMISSIONS_CLAIM=roles"
      - "TEMPORAL_JWT_KEY_SOURCE1=https://login.microsoftonline.com/0b65b008-95d7-4abc-bafc-3ffc20c039c0/discovery/v2.0/keys"
      - "TEMPORAL_JWT_KEY_REFRESH=30m"
    image: temporalio/auto-setup:${TEMPORAL_VERSION}
    restart: always
    networks:
      - ${NETWORK_NAME}
    ports:
      - "7233:7233"
    volumes:
      - ${TEMPORAL_LOCAL_CERT_DIR}:${TEMPORAL_TLS_CERTS_DIR}
      - ./dynamicconfig:/etc/temporal/config/dynamicconfig
```
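A probe for confirming from outside the swarm what the published port is actually doing, as an added example that is not part of the original post (host, server name and certificate paths are placeholders; `start_eof_server` is a constructed stand-in for a backend that accepts TCP and then hangs up). It separates "nothing is listening" from "TCP accepted but the peer closed before the TLS handshake finished", which is what the worker's "tls handshake eof" looks like from the client side:

```python
import socket
import ssl
import threading

# Added diagnostic probe, not from the original post. Pass cafile/certfile/keyfile
# to reproduce the worker's mTLS handshake; without a CA it only classifies the
# transport behaviour and does not verify the server certificate.
def probe_tls(host, port, server_name, cafile=None, certfile=None, keyfile=None, timeout=3.0):
    ctx = ssl.create_default_context(cafile=cafile)
    if certfile:                        # mTLS: present the client certificate
        ctx.load_cert_chain(certfile, keyfile)
    if cafile is None:                  # probe only: no CA given, so skip verification
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"                # port not published / docker-proxy not listening
    except OSError:
        return "unreachable"            # timeout, no route, DNS failure
    try:
        with ctx.wrap_socket(raw, server_hostname=server_name):
            return "ok"                 # handshake completed: TLS is terminated here
    except (ssl.SSLEOFError, ConnectionResetError, BrokenPipeError):
        return "eof"                    # accepted, then closed mid-handshake
    except ssl.SSLCertVerificationError:
        return "cert-verify"            # handshake reached certificate validation
    except socket.timeout:
        return "timeout"                # accepted, then silence (nothing answered the ClientHello)
    except ssl.SSLError as e:
        return "eof" if "EOF" in str(e).upper() else "tls-error"
    finally:
        raw.close()

# Constructed stand-in for a published port whose backend accepts the TCP
# connection and then closes it without speaking TLS. Returns the bound port.
def start_eof_server():
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def run():
        conn, _ = srv.accept()
        conn.settimeout(3.0)
        try:
            conn.recv(4096)             # consume the ClientHello so the close is a clean FIN
        except OSError:
            pass
        conn.close()
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return port

if __name__ == "__main__":
    print(probe_tls("127.0.0.1", start_eof_server(), "temporal"))
```

Run it against the swarm host and port 7233 from an external machine with the worker's CA and client certificate; "eof" or "timeout" means the published port accepts TCP but nothing behind it completes TLS, while "cert-verify" or "ok" means the frontend was reached.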