Temporal Cloud: Support SSL

[melloware]

From the docs here: https://docs.temporal.io/develop/java/temporal-clients#connect-to-temporal-cloud

/ Generate an SSL context
            InputStream clientCertInputStream = new FileInputStream(clientCertPath);
            InputStream clientKeyInputStream = new FileInputStream(clientKeyPath);
            SslContext sslContext = SimpleSslContextBuilder.forPKCS8(clientCertInputStream, clientKeyInputStream).build();

            // Set the Service Stub options (SSL context and gRPC endpoint)
            WorkflowServiceStubsOptions stubsOptions = WorkflowServiceStubsOptions
                .newBuilder()
                .setSslContext(sslContext)
                .setTarget(gRPCEndpoint)
                .build();

[rmanibus]

is the idea to expose the cert and key as config ?

[rmanibus]

should we allow the use of a keystore ?

[rmanibus]

Also we can probably leverage the Quarkus TLS Centralized Registry

I will have a look into this if I have some time over the weekend !

[melloware]

Yep my thought was the tls resigtry. I haven't thought it all the way through but thought we should support it for people using their cloud product.

[melloware]

I assigned it to you.

[melloware]

I really like this statement and it makes using the TlsRegistry a no brainer i think for this

The TlsConfiguration object contains the key stores, trust stores, cipher suites, protocols, and other properties. It also provides a way to create an SSLContext from the configuration.

[rmanibus]

The TLS registry has been introduced in quarkus 3.12.0, we will need to make this the lowest required version if we want to use this

[melloware]

Ok I think I will cut 1.0.0 after we merge your last change then we can start on 2.0.x on Quarkus 3.12. Sound good?

[melloware]

That way we have at least a version for people staying on LTS

[rmanibus]

another callout:
Temporal Service Stub option is taking a io.grpc.netty.shaded.io.netty.handler.ssl.SslContext, when the TLS registry is providing a javax.net.ssl.SSLContext.

I still think it is valuable to pursue this route, but this will require some more digging

[rmanibus]

about the version, I think that quarkus 3.15 is around the corner and will be the next LTS. maybe we should wait for this one for our 2.0.x ?

[melloware]

ok great idea. for now we can just add two config params for the certificates i have seen a lot of other extensions do this in the codebase. Then maybe we switch to TLS Registry in 3.15?

[rmanibus]

I have been exploring options, and I am starting to wonder if implementing our own SSL config is the right thing to do.

Instead, we could inject a managed channel into the temporal client. This way, the TLS config would be done within the quarkus grpc extension directly.

But I would love some feedback from the folks contributing in the quarkus GRPC space

[rmanibus]

@mkouba Any though about using a quarkus-managed channel in the temporal client instead of creating our own (or more exactly to let the client create his own) ?

The setChannel method documentation of the temporal client mention:

Sets fully custom user-configured gRPC channel to use.
Before supplying a fully custom channel using this method, it's recommended to first consider using setTarget(String) + other options of WorkflowServiceStubsOptions. Builder + setChannelInitializer(Consumer) for some rarely used configuration. This option is not intended for the majority of users as it disables some Temporal connection management features and can lead to outages if the channel is configured or managed improperly.
Mutually exclusive with setTarget(String), setChannelInitializer(Consumer), setSslContext(SslContext), setGrpcReconnectFrequency(Duration) and setConnectionBackoffResetFrequency(Duration). These options are ignored if the custom channel is supplied.

[rmanibus]

it is mostly working (see the attached PR), the only things that stand out is that we would need to map the config key
quarkus.temporal.target to quarkus.grpc.clients.temporal-client.host and quarkus.grpc.clients.temporal-client.port

[rmanibus]

Is there a build item that can be used to set a value of a config property ?

[melloware]

Nice. As far as your config item question I am pretty sure they are meant to be read only and not changed by anything but I could be wrong. I will let the experts weigh in.

[melloware]

Actually let me look i think i did see somewhere recently they were updating a config item.

[melloware]

@rmanibus should we add a documentation section on how to connect to Temporal Cloud using the GRCP certificate?

[shrikanthkr]

We are trying to use temporal cloud from quarkus via this extension. I have the latest version 0.0.9. Anyways I could use client cert path and client key to be used?
I have they secrets stored in aws secrets, also finding a challenge on how to bring it in. Any help or workarounds would be of great use.

[rmanibus]

hey @shrikanthkr, I will break a new release today.
You have two ways of doing this:

• use a quarkus managed channel, and configure TLS via quarkus grpc (quarkus.grpc.clients.temporal-client ...) : https://quarkus.io/guides/grpc-reference#configuring-mtls
• using the build in channel, the new version expose quarkus.temporal.client-cert-path and quarkus.temporal.client-key-path

[rmanibus]

note that this is still an early release, I would love to get your feedback on using it in real life !

[melloware]

We also need to add this to our docs because others will ask the same thing

[melloware]

@shrikanthkr also you can use Amazon Secrets Manager to bring in your secrets: https://docs.quarkiverse.io/quarkus-amazon-services/dev/amazon-secretsmanager.html

[melloware]

@all-contributors add @shrikanthkr for testing

[allcontributors]

@melloware

I've put up a pull request to add @shrikanthkr! 🎉

[shrikanthkr]

@rmanibus @melloware Thank you. I will try it out and let you know if I come across any challenges. Thank you so much for the quick response.

[shrikanthkr]

@melloware I tried the 0.0.10 version today. Having the mlts certpath and certkey locally on resources folder works. Am trying to figure out a way to get it from aws secrets directly.
Overall connections to temporal cloud and worker processing it via quarkus works.

[melloware]

@shrikanthkr awesome news!!! As for AWS secret this post has example code on how to get those vlaues as AWS Secrets: quarkiverse/quarkus-amazon-services#510