Charmed Temporal K8s Reference - Security

Security

Temporal provides an array of features that enable an operator to secure a deployment. This guide describes how Charmed Temporal implements them: TLS termination at the ingress, authentication, authorization and client-side encryption of workflow payloads.

Ingress TLS

Charmed Temporal can terminate Transport Layer Security (TLS) at the ingress by leveraging the Nginx Ingress Integrator charm, as outlined in the corresponding page of the tutorial. Note that terminating TLS at the ingress protects traffic between external clients and the ingress only; traffic between the ingress and the Temporal frontend inside the cluster is not covered by that TLS session.

Authentication

Charmed Temporal supports Google IAM-based authentication through the web UI and through the temporal-lib-py and temporal-lib-go client libraries. More details can be found in the Authentication page.

Authorization

Charmed Temporal supports authorization using Google IAM and OpenFGA. The charmed operator exposes a set of Juju actions through which the necessary authorization rules can be created in OpenFGA. More details can be found in the Authorization page.

Client-side Encryption

Through the use of the temporal-lib-py and temporal-lib-go client libraries, users of Charmed Temporal are able to encrypt their workflow inputs and outputs before they are sent, so that the Temporal server and its database only ever see ciphertext: sensitive information stays encrypted both in transit and at rest. Decryption happens on the worker when it receives the payloads, so when encrypting workflow payloads the same key must also be set on the Charmed Temporal Worker application using the encryption_key configuration option. A worker configured with a different key cannot decode the payloads, and since the key is a shared symmetric secret it should be handled as one.
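The following is an added example, not code from Charmed Temporal, temporal-lib-py or temporal-lib-go, illustrating the client-side encryption flow described above. It models the Temporal SDK's PayloadCodec contract (encode on the client, decode on the worker) over a minimal stand-in for Temporal's Payload message, and shows what the server stores, what happens when the worker holds a different key, and how a key id in the metadata lets a worker keep reading older history after a key rotation. The cipher (an HMAC-SHA256 keystream with an HMAC tag, encrypt-then-MAC) is an assumed stdlib stand-in so the example runs offline; a production codec would use a proper AEAD. The Payload class, the metadata keys and the helper names are this example's own.

```python
import base64
import hashlib
import hmac
import json
import os
import struct
from dataclasses import dataclass
from typing import Any, Dict, Iterable, List

ENCRYPTED_ENCODING = "binary/encrypted"   # assumed metadata value for wrapped payloads
KEY_ID_META = "encryption-key-id"         # assumed metadata key carrying the key id
NONCE_LEN = 16
TAG_LEN = 32


class DecryptionError(Exception):
    """Raised when a payload cannot be authenticated or its key id is unknown."""


@dataclass
class Payload:
    """Minimal stand-in for Temporal's Payload message (metadata + raw bytes)."""
    metadata: Dict[str, str]
    data: bytes


def json_payload(value: Any) -> Payload:
    """What a default JSON data converter produces for a workflow argument."""
    return Payload({"encoding": "json/plain"}, json.dumps(value).encode())


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stdlib PRF keystream (assumed stand-in for AES-GCM).
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC(aad || nonce || ciphertext)."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), aad + nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes, aad: bytes) -> bytes:
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise DecryptionError("ciphertext too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), aad + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # verify the tag before touching the plaintext
        raise DecryptionError("authentication failed: wrong key or tampered payload")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


class EncryptionCodec:
    """Mirrors the PayloadCodec contract: encode() runs on the client before payloads
    are sent, decode() runs on the worker after they arrive. The Temporal server only
    ever sees the output of encode()."""

    def __init__(self, current_key_id: str, keys: Dict[str, bytes]):
        self.current_key_id = current_key_id
        self.keys = keys  # key id -> key; older ids are kept so old history stays readable

    def encode(self, payloads: Iterable[Payload]) -> List[Payload]:
        key = self.keys[self.current_key_id]
        out = []
        for p in payloads:
            # Wrap the whole inner payload, metadata included, so the server cannot learn
            # even the original encoding; the key id is bound into the tag as AAD.
            inner = json.dumps({"metadata": p.metadata,
                                "data": base64.b64encode(p.data).decode()}).encode()
            blob = encrypt(key, inner, self.current_key_id.encode())
            out.append(Payload({"encoding": ENCRYPTED_ENCODING,
                                KEY_ID_META: self.current_key_id}, blob))
        return out

    def decode(self, payloads: Iterable[Payload]) -> List[Payload]:
        out = []
        for p in payloads:
            if p.metadata.get("encoding") != ENCRYPTED_ENCODING:
                out.append(p)  # unencrypted payload, e.g. history written before encryption
                continue
            key_id = p.metadata.get(KEY_ID_META, "")
            if key_id not in self.keys:
                raise DecryptionError(f"no key configured for key id {key_id!r}")
            inner = json.loads(decrypt(self.keys[key_id], p.data, key_id.encode()))
            out.append(Payload(inner["metadata"], base64.b64decode(inner["data"])))
        return out


def round_trip(client: EncryptionCodec, worker: EncryptionCodec, value: Any) -> Dict[str, Any]:
    """Simulate client -> server -> worker and report what each side saw."""
    original = json_payload(value)
    stored = client.encode([original])[0]  # this is all the server ever persists
    try:
        decoded = worker.decode([stored])[0]
        ok, error = decoded == original, None
    except DecryptionError as e:
        ok, error = False, str(e)
    return {"server_sees_encoding": stored.metadata["encoding"],
            "plaintext_leaked": original.data in stored.data,
            "worker_ok": ok, "error": error}


if __name__ == "__main__":
    # Constructed sample input; the key would come from the encryption_key configuration.
    shared = os.urandom(32)
    print(round_trip(EncryptionCodec("k1", {"k1": shared}),
                     EncryptionCodec("k1", {"k1": shared}), {"ssn": "000-00-0000"}))
    print(round_trip(EncryptionCodec("k1", {"k1": shared}),
                     EncryptionCodec("k1", {"k1": os.urandom(32)}), {"ssn": "000-00-0000"}))
```

The second call in the usage block is the misconfiguration the page warns about: the client and the worker hold different keys, so the worker's decode fails on tag verification instead of producing garbage, and the workflow task cannot proceed until the worker's encryption_key matches. Keeping old key ids in the worker's key map is what makes a key rotation safe for workflows whose history was written under the previous key.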