Is your feature request related to a problem? Please describe.
We run Rust services — both clients that start workflows and long-running workers that authenticate to Temporal Cloud with short-lived mTLS certs issued by Vault and rotated on disk by a sidecar. Today the cert is read once and turned into a static tonic::transport::Identity in add_tls_to_channel, which bakes it into the Arc<ClientConfig> at Connection::connect. When the on-disk cert rotates, the running process keeps presenting the original cert; once it expires, the next (re)handshake is rejected with CertificateExpired, and the only remedy is a process restart.
The Go SDK doesn't hit this: ConnectionOptions.TLS accepts a *tls.Config, and tls.Config.GetClientCertificate is invoked per handshake so a rotated cert is picked up transparently for both clients and pollers, no reconnect.
Describe the solution you'd like
To be able to easily and smoothly rotate Temporal certificates.
Additional context
The Go SDK can do it.