feat(connection): add tlsServerName for TLS SNI override#378
Open
jclinford wants to merge 2 commits into
Conversation
Contributor
@jclinford hey, thank you very much for this contribution! please do see the comment above about signing the contributor license agreement.
jaypipes requested changes Jun 17, 2026
Add an optional `tlsServerName` field to ConnectionSpec that overrides the server name used for TLS certificate verification. When set, the controller sets tls.Config.ServerName on its own Temporal client connections (mTLS, API-key, and no-credential paths) and injects TEMPORAL_TLS_SERVER_NAME into worker pods so SDK envconfig-based workers verify against the same name. This is needed when the Connection's hostPort points at an address that differs from the hostname on the server certificate -- for example, when reaching Temporal Cloud through an internal load balancer (TCP passthrough) whose DNS name differs from the certificate SANs. The field participates in the connection-spec hash and the client-pool cache key so connections are re-established when it changes.
f79747c to fffdbf1
jaypipes approved these changes Jun 23, 2026
jaypipes left a comment
Contributor
Thanks @jclinford, lgtm!
What

Adds an optional `tlsServerName` field to `ConnectionSpec` (and the `Connection` CRD) that overrides the server name used for TLS certificate verification. When set, the controller:

- sets `tls.Config.ServerName` on its own Temporal client connections across all auth paths (mTLS, API key, and no-credential), and
- injects `TEMPORAL_TLS_SERVER_NAME` into worker pods so SDK envconfig-based workers verify against the same name.

The field participates in the connection-spec hash and the client-pool cache key, so clients are re-established when it changes.

Why

When a `Connection`'s `hostPort` resolves to an address whose name differs from the hostname on the server's TLS certificate, verification fails. The concrete case: reaching Temporal Cloud through an internal AWS NLB (TCP passthrough) — the NLB's DNS name differs from the certificate SANs (`*.aws.api.temporal.io`). `tlsServerName` lets the controller (and workers) verify against the correct name while still dialing the load balancer address.

Testing

- `make manifests generate` (CRD + deepcopy regenerated)
- `go build ./...`, `go vet ./...`
- `ServerName` override on the mTLS, API-key, and no-credential dial paths
- `TEMPORAL_TLS_SERVER_NAME` env injection + connection-spec hash sensitivity
- `go test ./...` passes
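The effect of the override in isolation, as an added stand-alone Go example that is not the operator's code: verification stays enabled, and only the name checked against the certificate SANs changes. The function names, the load balancer hostname `internal-nlb.example.internal`, the namespace-style name `ns.aws.api.temporal.io`, and the self-signed certificate are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// buildTLSConfig keeps certificate verification on and only changes the name it is
// checked against: dialHost (the host part of hostPort) by default, or the optional
// tlsServerName override, which Go also sends as the SNI extension.
func buildTLSConfig(dialHost, tlsServerName string) *tls.Config {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, ServerName: dialHost}
	if tlsServerName != "" {
		cfg.ServerName = tlsServerName
	}
	return cfg
}

// sampleCert builds a constructed self-signed certificate with one DNS SAN, standing in
// for the Temporal server certificate that the load balancer's own name does not match.
func sampleCert(san string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{san},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := sampleCert("*.aws.api.temporal.io")
	if err != nil {
		panic(err)
	}
	// Dial host is a constructed NLB name; only the override passes hostname verification.
	for _, override := range []string{"", "ns.aws.api.temporal.io"} {
		cfg := buildTLSConfig("internal-nlb.example.internal", override)
		fmt.Printf("ServerName=%q accepted=%v\n", cfg.ServerName, cert.VerifyHostname(cfg.ServerName) == nil)
	}
}
```

The same `tls.Config` is what a worker reading `TEMPORAL_TLS_SERVER_NAME` ends up with, which is why the controller and the pods must agree on the name.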