fix(temporal): let SDK handle TLS when using API key auth #7462

Open
rohansood10 wants to merge 1 commit into kedacore:main from rohansood10:fix/temporal-apikey-tls-7443

rohansood10 commented Feb 19, 2026

Description

Fixes the recurring 'tls: certificate required' error when connecting to Temporal Cloud using API key authentication.

Root Cause

When apiKey is provided, KEDA explicitly creates a TLS config via CreateTLSClientConfig() and passes it to the Temporal SDK. This overrides the SDK's built-in auto-TLS behavior for API key auth. The Temporal Go SDK (since temporalio/sdk-go#2126) auto-enables TLS with the correct configuration when an API key is provided and TLS is not explicitly set/disabled.

By explicitly setting a TLS config, KEDA was preventing the SDK from applying its own Temporal Cloud-compatible TLS settings, resulting in the server rejecting the connection because no client certificate was presented.

Fix

Only create an explicit TLS config when the user has provided custom TLS settings (CA cert, server name, or unsafeSsl). For the standard API key auth case, let the SDK handle TLS automatically.

Testing

All existing Temporal scaler tests pass. This fix requires integration testing with Temporal Cloud (API key auth) to fully validate — @cheelim1 has previously offered to test builds.

Checklist

  • When introducing a new scaler, I agree with the scaling governance policy
  • I have verified that my change is according to the deprecations & breaking changes policy
  • Tests have been added (if applicable)
  • Ensure make generate-scalers-schema has been run to update any outdated generated files
  • Changelog has been updated and is aligned with our changelog requirements, only when the change impacts end users
  • A PR is opened to update our Helm chart (repo) (if applicable, i.e. when deployment manifests are modified)
  • A PR is opened to update the documentation on (repo) (if applicable)
  • Commits are signed with Developer Certificate of Origin (DCO - learn more)

Fixes #7443
Related: #7343, #6865
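
The TLS decision described under "Fix" above, as an added Go example (not the PR's diff and not KEDA's code). The names `temporalAuth` and `explicitTLS` and the struct fields are hypothetical; only the Go standard library is used, and a nil result stands for "leave TLS unset so the SDK applies its own API key behaviour".

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
)

// temporalAuth is a hypothetical stand-in for the scaler's parsed settings.
type temporalAuth struct {
	APIKey     string
	CA         string // PEM-encoded CA bundle, empty if not set
	ServerName string
	UnsafeSsl  bool
}

// explicitTLS returns nil when no custom TLS setting was supplied, so the
// caller leaves TLS unset; otherwise it builds an explicit config.
func explicitTLS(a temporalAuth) (*tls.Config, error) {
	custom := a.CA != "" || a.ServerName != "" || a.UnsafeSsl
	if !custom {
		return nil, nil // API key only: the SDK's auto-TLS applies
	}
	cfg := &tls.Config{
		MinVersion:         tls.VersionTLS12,
		ServerName:         a.ServerName,
		InsecureSkipVerify: a.UnsafeSsl, // turns off server verification
	}
	if a.CA != "" {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM([]byte(a.CA)) {
			return nil, errors.New("CA bundle contains no valid PEM certificate")
		}
		cfg.RootCAs = pool
	}
	return cfg, nil
}

func main() {
	for _, a := range []temporalAuth{
		{APIKey: "constructed-key"}, // constructed sample values
		{APIKey: "constructed-key", ServerName: "ns.example.internal"},
	} {
		cfg, err := explicitTLS(a)
		fmt.Printf("explicit=%v err=%v\n", cfg != nil, err)
	}
}
```

Rejecting an unparsable CA bundle instead of silently falling back keeps a typo in the CA setting from changing which roots are trusted.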

When using API key authentication with Temporal Cloud, KEDA was
explicitly creating a TLS config and passing it to the Temporal SDK.
This overrode the SDK's built-in auto-TLS behavior for API key auth,
causing 'tls: certificate required' errors because the explicit config
lacked the client certificate that Temporal Cloud's mTLS endpoint
expects.

The Temporal Go SDK (since temporalio/sdk-go#2126) auto-enables TLS
with the correct configuration when an API key is provided and TLS is
not explicitly set. By only creating an explicit TLS config when the
user has provided custom TLS settings (CA cert, server name, or
unsafeSsl), we allow the SDK to handle the standard Temporal Cloud
case correctly.

Fixes kedacore#7443

Signed-off-by: rohansood10 <rohansood10@users.noreply.github.com>
keda-automation requested review from a team February 19, 2026 17:40

@github-actions

Thank you for your contribution! 🙏

Please understand that we will do our best to review your PR and give you feedback as soon as possible, but please bear with us if it takes a little longer than expected.

While you are waiting, make sure to:

  • Add an entry in our changelog in alphabetical order and link related issue
  • Update the documentation, if needed
  • Add unit & e2e tests for your changes
  • GitHub checks are passing
  • Is the DCO check failing? Here is how you can fix DCO issues

Once the initial tests are successful, a KEDA member will ensure that the e2e tests are run. Once the e2e tests have been successfully completed, the PR may be merged at a later date. Please be patient.

Learn more about our contribution guide.

snyk-io bot commented Feb 19, 2026

Snyk checks have passed. No issues have been found so far.

Status Scanner Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@rickbrouwer (Member)

> All existing Temporal scaler tests pass. This fix requires integration testing with Temporal Cloud (API key auth) to fully validate — @cheelim1 has previously offered to test builds.

@cheelim1 I see from the description that you want to test this. If so, will you create a build yourself to test it? Or would you like me to create one for you? Thanks 🙂

rohansood10 marked this pull request as ready for review February 22, 2026 18:03

@cheelim1

@rickbrouwer I will build it myself and test it.

Development

Successfully merging this pull request may close these issues.

Keda 2.19.0 Temporal ScaledObject facing error reading server preface: remote error: tls: certificate required