From c14d2059714b3c13f3877a96ad78763ba5cd4556 Mon Sep 17 00:00:00 2001
From: Shakeel Rao
Date: Mon, 13 May 2024 16:50:37 -0400
Subject: [PATCH 1/3] opt mtls

---
 README.md | 2 +-
 VERSION | 2 +-
 temporal/api/cloud/namespace/v1/message.proto | 25 ++++++++++++++++---
 3 files changed, 23 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index 3b308f2..e5e39c1 100644
--- a/README.md
+++ b/README.md
@@ -8,7 +8,7 @@ Copy over the protobuf files under [temporal](temporal) directory to the project
 ### API Version
-The client is expected to pass in a `temporal-cloud-api-version` header with the api version identifier with every request it makes to the apis. The backend will use the version to safely mutate resources.
+The client is expected to pass in a `temporal-cloud-api-version` header with the api version identifier with every request it makes to the apis. The backend will use the version to safely mutate resources. The `temporal:versioning:min_version` label indicates the minimun version of the API required to use the field.
 Current Version:
diff --git a/VERSION b/VERSION
index f69cc61..b54cee0 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2023-10-01-00
+2024-05-13-00
diff --git a/temporal/api/cloud/namespace/v1/message.proto b/temporal/api/cloud/namespace/v1/message.proto
index 4904c31..98cef73 100644
--- a/temporal/api/cloud/namespace/v1/message.proto
+++ b/temporal/api/cloud/namespace/v1/message.proto
@@ -36,6 +36,16 @@ message MtlsAuthSpec {
 // This allows limiting access to specific end-entity certificates.
 // Optional, default is empty.
 repeated CertificateFilterSpec certificate_filters = 2;
+ // Flag to enable mTLS auth (default: disabled).
+ // Note: disabling mTLS auth will cause existing mTLS connections to fail.
+ // temporal:versioning:min_version=2024-05-13-00
+ bool enabled = 3;
+}
+
+message ApiKeyAuthSpec {
+ // Flag to enable API key auth (default: disabled).
+ // Note: disabling API key auth will cause existing API key connections to fail.
+ bool enabled = 1;
 }

 message CodecServerSpec {
@@ -56,15 +66,20 @@ message NamespaceSpec {
 // Specifying more than one region makes the namespace "global", which is currently a preview only feature with restricted access.
 // Please reach out to Temporal support for more information on global namespaces.
 // When provisioned the global namespace will be active on the first region in the list and passive on the rest.
- // Number of supported regions is 2.
+ // Number of supported regions is 2.
 // The regions is immutable. Once set, it cannot be changed.
 repeated string regions = 2;
 // The number of days the workflows data will be retained for.
 // Changes to the retention period may impact your storage costs.
 // Any changes to the retention period will be applied to all new running workflows.
 int32 retention_days = 3;
- // The mtls authentication and authorization to enforce on the namespace.
+ // The mTLS auth configuration for the namespace.
+ // If unspecified, mTLS will be disabled.
 MtlsAuthSpec mtls_auth = 4;
+ // The API key auth configuration for the namespace.
+ // If unspecified, API keys will be disabled.
+ // temporal:versioning:min_version=2024-05-13-00
+ ApiKeyAuthSpec api_key_auth = 7;
 // The custom search attributes to use for the namespace.
 // The name of the attribute is the key and the type is the value.
 // Supported attribute types: text, keyword, int, double, bool, datetime, keyword_list.
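Review bot: `bool enabled = 3;` in MtlsAuthSpec is a proto3 scalar with implicit presence, so an MtlsAuthSpec sent by a client built before this field — or one that sets only `accepted_client_ca` — arrives with `enabled` false, which the new comment defines as disabled and the line above it says will fail existing mTLS connections. If the backend treats a request whose `temporal-cloud-api-version` predates 2024-05-13-00 as enabled (the README hunk hints at version-gated handling, but this hunk does not show it), state that in the field comment; otherwise consider `optional bool enabled = 3;` so the server can tell "not specified" from "explicitly disabled". `ApiKeyAuthSpec.enabled` raises the same presence question and, unlike its sibling, carries no `temporal:versioning:min_version=2024-05-13-00` label. MtlsAuthSpec's definition begins outside the hunk.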
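Review bot: The rewritten `mtls_auth` comment, `If unspecified, mTLS will be disabled.`, covers only the absent-message case, yet with the new flag an MtlsAuthSpec that is present but has `enabled` unset is disabled too, and the MtlsAuthSpec comment says that drops live connections. This is the field callers read, so say it here: `// mTLS is enforced only when mtls_auth.enabled is true; a spec with the flag unset or false disables it.` Whether an update whose NamespaceSpec omits `mtls_auth` replaces the stored value (and so disables mTLS) is not visible in the hunk; if it does, that deserves a sentence as well. The same wording applies to `api_key_auth = 7`. NamespaceSpec continues past the hunk.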
@@ -77,10 +92,12 @@ message NamespaceSpec {
 }

 message Endpoints {
- // The web ui address.
+ // The web UI address.
 string web_address = 1;
- // The grpc hostport address that the temporal workers, clients and tctl connect to.
+ // The gRPC address for API key client connections (may be empty if API keys are disabled).
 string grpc_address = 2;
+ // The gRPC address for mTLS client connections (may be empty if mTLS is disabled).
+ string mtls_grpc_address = 3;
 }

 message Limits {
From 24db56377d0cd772e24f467f3b2b2000d1964e15 Mon Sep 17 00:00:00 2001
From: Shakeel Rao
Date: Mon, 13 May 2024 17:17:35 -0400
Subject: [PATCH 2/3] wire

---
 temporal/api/cloud/namespace/v1/message.proto | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/temporal/api/cloud/namespace/v1/message.proto b/temporal/api/cloud/namespace/v1/message.proto
index 98cef73..c60c5bb 100644
--- a/temporal/api/cloud/namespace/v1/message.proto
+++ b/temporal/api/cloud/namespace/v1/message.proto
@@ -94,10 +94,10 @@ message NamespaceSpec {
 message Endpoints {
 // The web UI address.
 string web_address = 1;
- // The gRPC address for API key client connections (may be empty if API keys are disabled).
- string grpc_address = 2;
 // The gRPC address for mTLS client connections (may be empty if mTLS is disabled).
- string mtls_grpc_address = 3;
+ string mtls_grpc_address = 2;
+ // The gRPC address for API key client connections (may be empty if API keys are disabled).
+ string grpc_address = 3;
 }

 message Limits {
From 385032107eb9fc9e8ce0cea2b6b4db9dcfee73f0 Mon Sep 17 00:00:00 2001
From: Shakeel Rao
Date: Mon, 13 May 2024 17:18:10 -0400
Subject: [PATCH 3/3] switch wire temporarily

---
 buf.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/buf.yaml b/buf.yaml
index 69baf0f..3edc46e 100644
--- a/buf.yaml
+++ b/buf.yaml
@@ -3,7 +3,7 @@ deps:
 - buf.build/googleapis/googleapis
 breaking:
 use:
- - FILE
+ - WIRE
 lint:
 use:
 - DEFAULT
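Review bot: `string mtls_grpc_address = 3;` is new in this version but has no `temporal:versioning:min_version=2024-05-13-00` label, while `api_key_auth` in the earlier hunk of this file has one; add `// temporal:versioning:min_version=2024-05-13-00` above it, and likewise on the renumbered fields in the PATCH 2/3 hunk below. The rewritten comment on `grpc_address = 2` also changes what the existing field means, from the hostport workers and tctl connect to into an API-key endpoint that `may be empty`, so a caller keeping the old reading could dial the wrong address; PATCH 2/3 moves the mTLS endpoint back onto field 2, which addresses the wire side of that.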
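Review bot: Giving `mtls_grpc_address` wire field 2 keeps old binary clients on the mTLS endpoint, but the swap is a source and JSON break: `grpc_address` (JSON `grpcAddress`, and its generated accessor) now resolves to field 3, the API-key endpoint, which the comment says `may be empty`. A client rebuilt against this schema with unchanged code that dials `grpc_address` for mTLS gets the wrong endpoint with no error, and nothing in the hunk says the numbering is deliberate. Record it so it survives a later clean-up: `// Keeps wire field 2 of the pre-2024-05-13-00 grpc_address, which was the mTLS endpoint.` above `mtls_grpc_address = 2;` and `// Renamed and renumbered in 2024-05-13-00; wire-compatible, but JSON and generated names changed.` above `grpc_address = 3;`.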
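Review bot: Moving `breaking` from `FILE` to `WIRE` drops the JSON checks as well as the source ones (`WIRE_JSON` is the intermediate category), so the `grpcAddress` key change in PATCH 2/3 and any later rename go unflagged; the subject says "temporarily" but the file records neither why nor when to revert. Put that on the changed line: `- WIRE # TEMPORARY: permits the Endpoints renumbering in 2024-05-13-00; restore FILE once released.` If JSON clients exist, `WIRE_JSON` is the smaller relaxation, though it would still reject this particular rename.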