Skip to content

💥 [BREAKING] enable TLS if api key specified#2126

Merged
THardy98 merged 5 commits into
masterfrom
enable-tls-api-key
Dec 10, 2025
Merged

💥 [BREAKING] enable TLS if api key specified#2126
THardy98 merged 5 commits into
masterfrom
enable-tls-api-key

Conversation

@THardy98

@THardy98 THardy98 commented Dec 4, 2025

Copy link
Copy Markdown
Contributor

What was changed

DWISOTT

  1. Part of Assume TLS enabled if API key provided in SDKs features#687

  2. How was this tested:
    internals/credentials_test.go

  3. Any docs updates needed?
    Maybe

@THardy98 THardy98 requested a review from a team as a code owner December 4, 2025 04:54

@cretz cretz left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(leaving main review to Go SDK owners, just a couple of notes here)

Comment thread internal/client.go
// TLS configures connection level security credentials.
TLS *tls.Config

// TLSDisabled explicitly disables TLS. When true, TLS will not be used even

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When true, TLS will not be used

Reading the code here, this is not true, TLS will still be enable if the TLS field is set. IMO you should either 1) disallow both this being true and the TLS field being set (my preference), or 2) document that this being true means anything in the TLS field is ignored, and then respect that in code.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah I should've tested this. Added validation to make it mutually exclusive + test

Comment thread internal/client.go

func (apiKeyCredentials) applyToOptions(*ConnectionOptions) error { return nil }
func (apiKeyCredentials) applyToOptions(opts *ConnectionOptions) error {
// Auto-enable TLS when API key is provided and TLS is not explicitly set/disabled

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Might as well document to users that we do this where API key is set by users (i.e. in the Godoc on the NewAPIKey* functions)

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

added a little line to the new api key methods noting the auto TLS behavior

@Quinn-With-Two-Ns

Copy link
Copy Markdown
Contributor

I'll note there is another approach where you instead add a method to Credentials like defaultTLS() *tls.Config and then provide different Credentials implementations that enable or disable TLS by default, but what you have here is fine other then @cretz comments.

@THardy98

THardy98 commented Dec 4, 2025

Copy link
Copy Markdown
Contributor Author

I'll note there is another approach where you instead add a method to Credentials like defaultTLS() *tls.Config and then provide different Credentials implementations that enable or disable TLS by default, but what you have here is fine other then @cretz comments.

Added validation to make TLS/TLSDisabled mutually exclusive + a test

@cretz cretz left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, but would want to wait for Go SDK owner(s) approval. No preference on approach @Quinn-With-Two-Ns said vs what's here (hopefully it's rarely/never used anyways, heh)

Comment thread client/client.go Outdated
Comment thread client/client.go Outdated
@THardy98 THardy98 merged commit 85a0559 into master Dec 10, 2025
62 of 68 checks passed
@THardy98 THardy98 deleted the enable-tls-api-key branch December 10, 2025 02:11
rohansood10 added a commit to rohansood10/keda that referenced this pull request Feb 19, 2026
When using API key authentication with Temporal Cloud, KEDA was
explicitly creating a TLS config and passing it to the Temporal SDK.
This overrode the SDK's built-in auto-TLS behavior for API key auth,
causing 'tls: certificate required' errors because the explicit config
lacked the client certificate that Temporal Cloud's mTLS endpoint
expects.

The Temporal Go SDK (since temporalio/sdk-go#2126) auto-enables TLS
with the correct configuration when an API key is provided and TLS is
not explicitly set. By only creating an explicit TLS config when the
user has provided custom TLS settings (CA cert, server name, or
unsafeSsl), we allow the SDK to handle the standard Temporal Cloud
case correctly.

Fixes kedacore#7443

Signed-off-by: rohansood10 <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants