Context
Follow-up to #1338 / #1340.
The dynamic client_cert_resolver currently returns an error when combined with dns_load_balancing. The DNS LB path creates per-IP endpoints via build_endpoint(), each needing its own TLS config, but Channel::balance_channel only accepts Endpoint entries — there's no API to pass a custom connector per-endpoint.
Current behavior
client_cert_resolver is not yet supported with dns_load_balancing.
Use client_tls_options for static certificates, or disable dns_load_balancing.
Proposed approach
Build channels manually (via connect_with_connector on each endpoint) and use a custom tower::discover::Discover implementation instead of balance_channel.
Priority
Low — Temporal Cloud has its own frontend load balancer, so DNS LB + dynamic certs is rare in practice.
References
dns.rs:96-103