Skip to content

[Feature Request] Support dynamic/reloadable client certificates (ResolvesClientCert) in TlsOptions #1338

Description

@Tarang

Is your feature request related to a problem? Please describe.

We run Rust services — both clients that start workflows and long-running workers that authenticate to Temporal Cloud with short-lived mTLS certs issued by Vault and rotated on disk by a sidecar. Today the cert is read once and turned into a static tonic::transport::Identity in add_tls_to_channel, which bakes it into the Arc<ClientConfig> at Connection::connect. When the on-disk cert rotates, the running process keeps presenting the original cert; once it expires, the next (re)handshake is rejected with CertificateExpired,
and the only remedy is a process restart.

The Go SDK doesn't hit this: ConnectionOptions.TLS accepts a *tls.Config, and tls.Config.GetClientCertificate is invoked per handshake so a rotated cert is picked up transparently for both clients and pollers, no reconnect.

Describe the solution you'd like

To be able to easily and smoothly rotate temporal certificates

Additional context

The Go Sdk can do it

Metadata

Metadata

Labels

Rust SDKIssues about or asking for Rust SDK releaseenhancementNew feature or request

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions