add optional explicit ForceTLS option to ClientTLS config #2036
Conversation
@thewmo Thank you so much for digging into the TLS code and submitting this! I want to bring up a potential alternative here. We added What if instead of passing The benefits I see is that we wouldn't need to change What do you think?
@sergeybykov Thank you for reviewing my PR. Apologies that I based it off the commit tagged I definitely can see that a solution that doesn't change the interface of One option might be adding an explicit Thanks again for looking at this, I have no objection to whatever you all ultimately decide to do, so long as I can configure the worker client to use TLS without having the frontend running TLS. :-)
I feel that I'm missing something here. Please help me understand. Similarly, on the client side (system worker is a client) we need to tell it what certificate and key to use for connecting to the frontend. My thinking was that if we change the code to use TLS for system worker whenever
here to an equivalent of
Is this similar to what you meant by the following sentence? Would this resolve the issue for you?
Then I lost you again on
If you like, we can do a quick Zoom call to clear my misunderstanding. Can you rebase this on top of the latest master? I can help with that if needed.
Force-pushed from 6c6e757 to cd4f956.
I'm sure any confusion is on me. I have rebased my branch on master. I would be happy to do a Zoom. I'm in the MDT timezone and I'm on the Temporal Slack so feel free to reach out to me there. Most of my day tomorrow is free. To simplify what I'm trying to say, consider the scenario where no mutual TLS is used but the frontend is behind a TLS-terminating load balancer, and the worker client can find the CA cert for that server cert in the system store. In that scenario it would seem that potentially no configuration at all under Thanks for your patience, I hope we can connect soon.
I'm not sure how to find you on Slack without a full name. Could you DM me there, and we'll arrange a call.
@thewmo Thank you for explaining your use case on the call today.
@sergeybykov yes, adding such an option to the I do think though, that for this comment to be most accurate:
Code would need to be added to also enable TLS when a server CA is set (in either
This reverts commit cd4f956.
This is to enable worker connection to frontend running with no TLS configuration behind a TLS-enabled load balancer.
…and isSystemWorker()
@sergeybykov this looks good to me. I don't know why you couldn't push to my branch; I do have the "allow maintainers..." box checked. I went ahead and invited you explicitly to my repo. Feel free to push to it, or I will pull your branch when I'm back in front of my work computer.
Thank you, @thewmo. I was able to push now.
Thank you, @thewmo!
What changed?
Add an optional `useTls` config property under `publicClient` to override whether or not TLS is used when connecting to the endpoint, regardless of the `tls.frontend.server` configuration.
Why?
To fix issue 2035, which I encountered while setting up Temporal under ECS in AWS with a frontend ALB load balancer terminating TLS.
How did you test it?
Tested locally and in my nonproduction environment.
Potential risks
Worker role may fail to start if the property is incorrectly set. Not setting the property at all results in the status quo behavior, where TLS is based on the configuration present in `tls.frontend.server`.
Is hotfix candidate?
No
Note that I'm a newb to golang and am more than open to recommendations here.
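The rule the thread converges on (explicit override first, otherwise follow `tls.frontend.server`, and also turn TLS on when a client-side server CA is configured, as the reviewer comment above asks) can be written down as a small decision function plus the `*tls.Config` it produces. The block below is an added example, not Temporal's code: the `Config`, `ServerTLS`, `ClientTLS` and `PublicClient` types, their field names, and the choice to model `ForceTLS` as "force on only" (unset keeps the status quo) are all assumptions made for illustration. It covers the ALB scenario from the discussion (no frontend server TLS, CA in the system store) and shows that a bad CA or key path fails closed instead of silently falling back to plaintext or to an unverified connection.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"os"
)

// Illustrative types only: the field names are assumptions chosen to mirror the
// config sections discussed in the PR; they are not Temporal's own types.

// ServerTLS stands in for tls.frontend.server: the cert/key the frontend serves.
type ServerTLS struct {
	CertFile string
	KeyFile  string
}

// ClientTLS stands in for tls.frontend.client: what the system worker trusts and
// presents when it dials the frontend. Empty RootCAFiles means "use the OS trust
// store", which is the TLS-terminating ALB case from the thread.
type ClientTLS struct {
	RootCAFiles    []string
	ClientCertFile string // set both for mutual TLS, leave empty otherwise
	ClientKeyFile  string
}

// PublicClient stands in for publicClient. ForceTLS is modelled here as "force
// TLS on"; leaving it unset keeps the status-quo rule (assumption for this example).
type PublicClient struct {
	HostPort string
	ForceTLS bool
}

type Config struct {
	FrontendServer ServerTLS
	FrontendClient ClientTLS
	PublicClient   PublicClient
}

// workerUsesTLS: explicit override wins; otherwise TLS follows whether the
// frontend has a server certificate; a configured server CA also implies TLS,
// since a CA bundle is meaningless for a plaintext connection.
func workerUsesTLS(c Config) bool {
	switch {
	case c.PublicClient.ForceTLS:
		return true
	case c.FrontendServer.CertFile != "":
		return true
	case len(c.FrontendClient.RootCAFiles) > 0:
		return true
	}
	return false
}

// workerTLSConfig returns nil (plaintext) when TLS is off, otherwise a config
// that always verifies the server. RootCAs stays nil when no CA files are set so
// Go falls back to the system store; InsecureSkipVerify is never set, so a bad
// CA file is an error at startup rather than an unverified connection.
func workerTLSConfig(c Config, serverName string) (*tls.Config, error) {
	if !workerUsesTLS(c) {
		return nil, nil
	}
	cfg := &tls.Config{
		MinVersion: tls.VersionTLS12,
		ServerName: serverName, // must match a SAN on the load balancer's cert
	}
	if len(c.FrontendClient.RootCAFiles) > 0 {
		pool := x509.NewCertPool()
		for _, f := range c.FrontendClient.RootCAFiles {
			pemBytes, err := os.ReadFile(f)
			if err != nil {
				return nil, fmt.Errorf("reading server CA %q: %w", f, err)
			}
			if !pool.AppendCertsFromPEM(pemBytes) {
				return nil, fmt.Errorf("no PEM certificates found in %q", f)
			}
		}
		cfg.RootCAs = pool
	}
	if c.FrontendClient.ClientCertFile != "" || c.FrontendClient.ClientKeyFile != "" {
		cert, err := tls.LoadX509KeyPair(c.FrontendClient.ClientCertFile, c.FrontendClient.ClientKeyFile)
		if err != nil {
			return nil, fmt.Errorf("loading client key pair: %w", err)
		}
		cfg.Certificates = []tls.Certificate{cert}
	}
	return cfg, nil
}

func main() {
	// Constructed scenario from the thread: no frontend server TLS, frontend
	// behind a TLS-terminating ALB whose CA is already in the system store.
	albOnly := Config{PublicClient: PublicClient{HostPort: "frontend.example.internal:443", ForceTLS: true}}
	cfg, err := workerTLSConfig(albOnly, "frontend.example.internal")
	fmt.Printf("ALB scenario: tls=%v systemRoots=%v err=%v\n", cfg != nil, cfg != nil && cfg.RootCAs == nil, err)

	// Status quo: nothing configured, the worker dials plaintext.
	plain, _ := workerTLSConfig(Config{}, "frontend.example.internal")
	fmt.Printf("status quo: tls=%v\n", plain != nil)
}
```

The override only forces TLS on, so the "Potential risks" note holds in this model too: an operator who sets it against a plaintext frontend gets a handshake failure at dial time, and one who points `RootCAFiles` at a missing file gets an error before any connection is attempted, which is the fail-closed behaviour you want from a worker that holds cluster credentials.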