temporalio / roadrunner-temporal

Temporal PHP-SDK Host Process plugin for Roadrunner
MIT License

[💡 FEATURE REQUEST]: Enable TLS client certificate rotation #522

Closed benkelukas closed 4 months ago

benkelukas commented 4 months ago

Plugin: Temporal

I have an idea!

Hi,

We have an infrastructure issuing client certificates for mTLS connections.

Currently, when those certificates expire and they are rotated and re-mounted into the application, the connection does not know about this and does not use the rotated certificates, leading to a connection error and a need to restart the application, which is not ideal as it introduces some additional operational overhead and uses resources to restart the application - k8s pods in our case.

We've solved it in our Go apps using Temporal by using tls.Config::getClientCertificate method instead of passing the already built certificates into the structs Certificates field. The solution is inspired by this article

For our PHP apps, we'd like to emulate the same functionality in this plugin.

I'm attaching a pull request that does that and would appreciate any feedback, if you are interested in incorporating this into the codebase :)

Thanks!

rustatian commented 4 months ago

Hey @benkelukas 👋 Thanks for the PR 👍 Yes, this is true, there are two methods to use certificates, I implemented a similar thing for the RR http plugin: link. I think in the future it might be worth implementing ACME support as well.

benkelukas commented 4 months ago

Hi @rustatian 👋

Thanks for reviewing the PR! Happy to contribute :)

ACME support sounds like something people might use for Temporal. I was not aware of ACME before, so I would have to do some studying on how the implementation for Temporal might look, but it sounds like a great addition 👍