Add mTLS sample.

robholland · robholland · commit 1baffcb90db8 · 2025-04-30T12:28:16.000+01:00
Closes #7.
diff --git a/README.md b/README.md
@@ -21,6 +21,7 @@ Prerequisites:
 <!-- Keep this list in alphabetical order -->
 * [activity_simple](activity_simple) - Simple workflow that calls two activities.
 * [activity_worker](activity_worker) - Use Ruby activities from a workflow in another language.
+* [client_mtls](client_mtls) - Demonstrates how to use mutual TLS (mTLS) authentication with the Temporal Ruby SDK.
 * [coinbase_ruby](coinbase_ruby) - Demonstrate interoperability with the
   [Coinbase Ruby SDK](https://github.com/coinbase/temporal-ruby).
 * [context_propagation](context_propagation) - Use interceptors to propagate thread/fiber local data from clients
diff --git a/client_mtls/README.md b/client_mtls/README.md
@@ -0,0 +1,77 @@
+# Client mTLS Sample
+
+This sample demonstrates how to use mutual TLS (mTLS) authentication with the Temporal Ruby SDK.
+
+## Overview
+
+mTLS (mutual Transport Layer Security) provides secure, encrypted communication where both client and server authenticate each other. This is required to connect to Temporal Cloud, or to a self-hosted Temporal deployment that is secured with TLS.
+
+The sample includes:
+
+- A simple workflow that executes an activity
+- A worker and starter that accept certificate parameters for mTLS authentication
+- Command-line options to configure connection parameters
+
+## Prerequisites
+
+Before running this sample, you'll need:
+
+1. A Temporal server with mTLS enabled
+2. TLS certificates:
+   - Client certificate and private key
+   - Server root CA certificate (optional, depending on your setup)
+
+## Running the Sample
+
+### 1. Start the Worker
+
+```bash
+ruby worker.rb \
+  --client-cert /path/to/client.pem \
+  --client-key /path/to/client.key \
+  [--server-root-ca-cert /path/to/ca.pem] \
+  [--target-host your-temporal-server:7233] \
+  [--namespace your-namespace] \
+  [--task-queue custom-task-queue]
+```
+
+### 2. Execute the Workflow
+
+In a separate terminal:
+
+```bash
+ruby starter.rb \
+  --client-cert /path/to/client.pem \
+  --client-key /path/to/client.key \
+  [--server-root-ca-cert /path/to/ca.pem] \
+  [--target-host your-temporal-server:7233] \
+  [--namespace your-namespace] \
+  [--task-queue custom-task-queue]
+```
+
+## Common Configurations
+
+### Temporal Cloud with mTLS
+
+When connecting to Temporal Cloud:
+
+- **Address**: Use the mTLS endpoint from Temporal Cloud (e.g., `namespace.tmprl.cloud:7233`)
+- **Namespace**: Include the account identifier suffix (e.g., `my-namespace.abc123`)
+- **Server Root CA Certificate**: Not typically needed as Temporal Cloud uses well-known Root CAs
+
+### Self-Hosted Temporal with mTLS
+
+For a self-hosted Temporal cluster:
+
+- **Server Root CA Certificate**: Required if your server uses a certificate signed by a private CA
+- You'll need both client certificate and key files
+
+## Notes on Certificate Files
+
+Certificate and key files should be in PEM format. The client certificate file may include the full certificate chain if needed.
+
+## Troubleshooting
+
+- If you see TLS handshake errors, verify your certificate paths are correct
+- Make sure certificates haven't expired
+- For Temporal Cloud, confirm you're using the correct endpoint and namespace 
diff --git a/client_mtls/my_activities.rb b/client_mtls/my_activities.rb
@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+require 'temporalio/activity'
+
+module ClientMtls
+  module Activities
+    # Simple activity definition following SDK patterns
+    class ComposeGreeting < Temporalio::Activity::Definition
+      def execute(greeting, name)
+        "#{greeting}, #{name}!"
+      end
+    end
+  end
+end
diff --git a/client_mtls/my_workflow.rb b/client_mtls/my_workflow.rb
@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+require_relative 'my_activities'
+require 'temporalio/workflow'
+
+module ClientMtls
+  class GreetingWorkflow < Temporalio::Workflow::Definition
+    def execute(name)
+      # Execute activity and return result
+      Temporalio::Workflow.execute_activity(
+        Activities::ComposeGreeting,
+        'Hello',
+        name,
+        start_to_close_timeout: 10
+      )
+    end
+  end
+end
diff --git a/client_mtls/starter.rb b/client_mtls/starter.rb
@@ -0,0 +1,86 @@
+# frozen_string_literal: true
+
+require_relative 'my_workflow'
+require 'optparse'
+require 'temporalio/client'
+
+# Define options parser to handle certificate paths and other parameters
+options = {
+  target_host: 'localhost:7233',
+  namespace: 'default',
+  task_queue: 'mtls-task-queue',
+  server_root_ca_cert: nil,
+  client_cert: nil,
+  client_key: nil
+}
+
+OptionParser.new do |opts|
+  opts.banner = 'Usage: starter.rb [options]'
+
+  opts.on('--target-host HOST', 'Host:port for the server (default: localhost:7233)') do |v|
+    options[:target_host] = v
+  end
+
+  opts.on('--namespace NAMESPACE', 'Namespace to use (default: default)') do |v|
+    options[:namespace] = v
+  end
+
+  opts.on('--task-queue QUEUE', 'Task queue to use (default: mtls-task-queue)') do |v|
+    options[:task_queue] = v
+  end
+
+  opts.on('--server-root-ca-cert PATH', 'Path to the server root CA certificate') do |v|
+    options[:server_root_ca_cert] = v
+  end
+
+  opts.on('--client-cert PATH', 'Path to the client certificate (required for mTLS)') do |v|
+    options[:client_cert] = v
+  end
+
+  opts.on('--client-key PATH', 'Path to the client key (required for mTLS)') do |v|
+    options[:client_key] = v
+  end
+end.parse!
+
+# Check for required certificates for mTLS
+if options[:client_cert].nil? || options[:client_key].nil?
+  puts 'Error: Client certificate and key are required for mTLS'
+  puts 'Usage: ruby starter.rb --client-cert PATH --client-key PATH'
+  exit 1
+end
+
+puts "Connecting to Temporal Server at #{options[:target_host]} with mTLS..."
+puts "Using namespace: #{options[:namespace]}"
+
+# Create client with mTLS configuration
+tls_options = Temporalio::Client::Connection::TLSOptions.new(
+  client_cert: File.read(options[:client_cert]),
+  client_private_key: File.read(options[:client_key])
+)
+
+# Add server root CA cert if provided
+if options[:server_root_ca_cert]
+  tls_options = tls_options.with(server_root_ca_cert: File.read(options[:server_root_ca_cert]))
+end
+
+# Connect to Temporal server
+client = Temporalio::Client.connect(
+  options[:target_host],
+  options[:namespace],
+  tls: tls_options
+)
+
+# Execute the workflow
+puts 'Starting workflow with mTLS...'
+handle = client.start_workflow(
+  ClientMtls::GreetingWorkflow,
+  'World',
+  id: "mtls-workflow-#{Time.now.to_i}",
+  task_queue: options[:task_queue]
+)
+
+puts "Started workflow. WorkflowID: #{handle.id}"
+
+# Wait for workflow completion
+result = handle.result
+puts "Workflow completed with result: #{result}"
diff --git a/client_mtls/worker.rb b/client_mtls/worker.rb
@@ -0,0 +1,83 @@
+# frozen_string_literal: true
+
+require_relative 'my_activities'
+require_relative 'my_workflow'
+require 'optparse'
+require 'temporalio/client'
+require 'temporalio/worker'
+
+# Define options parser to handle certificate paths and other parameters
+options = {
+  target_host: 'localhost:7233',
+  namespace: 'default',
+  task_queue: 'mtls-task-queue',
+  server_root_ca_cert: nil,
+  client_cert: nil,
+  client_key: nil
+}
+
+OptionParser.new do |opts|
+  opts.banner = 'Usage: worker.rb [options]'
+
+  opts.on('--target-host HOST', 'Host:port for the server (default: localhost:7233)') do |v|
+    options[:target_host] = v
+  end
+
+  opts.on('--namespace NAMESPACE', 'Namespace to use (default: default)') do |v|
+    options[:namespace] = v
+  end
+
+  opts.on('--task-queue QUEUE', 'Task queue to use (default: mtls-task-queue)') do |v|
+    options[:task_queue] = v
+  end
+
+  opts.on('--server-root-ca-cert PATH', 'Path to the server root CA certificate') do |v|
+    options[:server_root_ca_cert] = v
+  end
+
+  opts.on('--client-cert PATH', 'Path to the client certificate (required for mTLS)') do |v|
+    options[:client_cert] = v
+  end
+
+  opts.on('--client-key PATH', 'Path to the client key (required for mTLS)') do |v|
+    options[:client_key] = v
+  end
+end.parse!
+
+# Check for required certificates for mTLS
+if options[:client_cert].nil? || options[:client_key].nil?
+  puts 'Error: Client certificate and key are required for mTLS'
+  puts 'Usage: ruby worker.rb --client-cert PATH --client-key PATH'
+  exit 1
+end
+
+puts "Connecting to Temporal Server at #{options[:target_host]} with mTLS..."
+puts "Using namespace: #{options[:namespace]}"
+
+# Create client with mTLS configuration
+tls_options = Temporalio::Client::Connection::TLSOptions.new(
+  client_cert: File.read(options[:client_cert]),
+  client_private_key: File.read(options[:client_key])
+)
+
+# Add server root CA cert if provided
+if options[:server_root_ca_cert]
+  tls_options = tls_options.with(server_root_ca_cert: File.read(options[:server_root_ca_cert]))
+end
+
+# Connect to Temporal server
+client = Temporalio::Client.connect(
+  options[:target_host],
+  options[:namespace],
+  tls: tls_options
+)
+
+# Start worker with activities and workflows registered
+puts 'Starting worker connected with mTLS...'
+puts "Task queue: #{options[:task_queue]}"
+Temporalio::Worker.new(
+  client:,
+  task_queue: options[:task_queue],
+  workflows: [ClientMtls::GreetingWorkflow],
+  activities: [ClientMtls::Activities::ComposeGreeting]
+).run(shutdown_signals: ['SIGINT'])
