cadence-workflow
diff --git a/‎Makefile‎
Lines changed: 6 additions & 0 deletions b/‎Makefile‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎cmd/samples/common/factory.go‎
Lines changed: 87 additions & 6 deletions b/‎cmd/samples/common/factory.go‎
Lines changed: 87 additions & 6 deletions
diff --git a/‎cmd/samples/recipes/tls/README.md‎
Lines changed: 102 additions & 0 deletions b/‎cmd/samples/recipes/tls/README.md‎
Lines changed: 102 additions & 0 deletions
@@ -37,6 +37,7 @@ PROGS = helloworld \
 	sideeffect \
 	sleep \
 	dataconverter \
+	tls \
 
 TEST_ARG ?= -race -v -timeout 5m
 BUILD := ./build
@@ -72,6 +73,7 @@ TEST_DIRS=./cmd/samples/cron \
 	./cmd/samples/recipes/signalcounter \
 	./cmd/samples/recipes/sleep \
 	./cmd/samples/recipes/dataconverter \
+	./cmd/samples/recipes/tls \
 	./cmd/samples/recovery \
 	./cmd/samples/pso \
 
@@ -186,6 +188,9 @@ versioning:
 dataconverter:
 	go build -o bin/dataconverter cmd/samples/recipes/dataconverter/*.go
 
+tls:
+	go build -o bin/tls cmd/samples/recipes/tls/*.go
+
 bins: helloworld \
 	versioning \
 	delaystart \
@@ -219,6 +224,7 @@ bins: helloworld \
 	sideeffect \
 	sleep \
 	dataconverter \
+	tls \
 
 test: bins
 	@rm -f test
 
@@ -1,7 +1,10 @@
 package common
 
 import (
+	"crypto/tls"
+	"crypto/x509"
 	"errors"
+	"io/ioutil"
 
 	"github.com/opentracing/opentracing-go"
 	"github.com/uber-go/tally"
@@ -12,8 +15,11 @@ import (
 	"go.uber.org/cadence/encoded"
 	"go.uber.org/cadence/workflow"
 	"go.uber.org/yarpc"
+	"go.uber.org/yarpc/peer"
+	"go.uber.org/yarpc/peer/hostport"
 	"go.uber.org/yarpc/transport/grpc"
 	"go.uber.org/zap"
+	"google.golang.org/grpc/credentials"
 )
 
 const (
@@ -32,6 +38,10 @@ type WorkflowClientBuilder struct {
 	ctxProps       []workflow.ContextPropagator
 	dataConverter  encoded.DataConverter
 	tracer         opentracing.Tracer
+	tlsConfig      *tls.Config
+	clientCertPath string
+	clientKeyPath  string
+	caCertPath     string
 }
 
 // NewBuilder creates a new WorkflowClientBuilder
@@ -89,6 +99,20 @@ func (b *WorkflowClientBuilder) SetTracer(tracer opentracing.Tracer) *WorkflowCl
 	return b
 }
 
+// SetTLSConfig sets the TLS configuration for the builder
+func (b *WorkflowClientBuilder) SetTLSConfig(tlsConfig *tls.Config) *WorkflowClientBuilder {
+	b.tlsConfig = tlsConfig
+	return b
+}
+
+// SetTLSCertificates sets the TLS certificate paths for the builder
+func (b *WorkflowClientBuilder) SetTLSCertificates(clientCertPath, clientKeyPath, caCertPath string) *WorkflowClientBuilder {
+	b.clientCertPath = clientCertPath
+	b.clientKeyPath = clientKeyPath
+	b.caCertPath = caCertPath
+	return b
+}
+
 // BuildCadenceClient builds a client to cadence service
 func (b *WorkflowClientBuilder) BuildCadenceClient() (client.Client, error) {
 	service, err := b.BuildServiceClient()
@@ -163,12 +187,42 @@ func (b *WorkflowClientBuilder) build() error {
 		zap.String("ServiceName", _cadenceFrontendService),
 		zap.String("HostPort", b.hostPort))
 
-	b.dispatcher = yarpc.NewDispatcher(yarpc.Config{
-		Name: _cadenceClientName,
-		Outbounds: yarpc.Outbounds{
-			_cadenceFrontendService: {Unary: grpc.NewTransport().NewSingleOutbound(b.hostPort)},
-		},
-	})
+	// Check if TLS is configured
+	if b.tlsConfig != nil || (b.clientCertPath != "" && b.clientKeyPath != "" && b.caCertPath != "") {
+		// Build TLS configuration if certificate paths are provided but tlsConfig is not
+		if b.tlsConfig == nil {
+			tlsConfig, err := b.buildTLSConfig()
+			if err != nil {
+				return err
+			}
+			b.tlsConfig = tlsConfig
+		}
+
+		// Create TLS-enabled gRPC transport
+		grpcTransport := grpc.NewTransport()
+		var dialOptions []grpc.DialOption
+
+		creds := credentials.NewTLS(b.tlsConfig)
+		dialOptions = append(dialOptions, grpc.DialerCredentials(creds))
+
+		dialer := grpcTransport.NewDialer(dialOptions...)
+		outbound := grpcTransport.NewOutbound(peer.NewSingle(hostport.PeerIdentifier(b.hostPort), dialer))
+
+		b.dispatcher = yarpc.NewDispatcher(yarpc.Config{
+			Name: _cadenceClientName,
+			Outbounds: yarpc.Outbounds{
+				_cadenceFrontendService: {Unary: outbound},
+			},
+		})
+	} else {
+		// Create standard non-TLS dispatcher
+		b.dispatcher = yarpc.NewDispatcher(yarpc.Config{
+			Name: _cadenceClientName,
+			Outbounds: yarpc.Outbounds{
+				_cadenceFrontendService: {Unary: grpc.NewTransport().NewSingleOutbound(b.hostPort)},
+			},
+		})
+	}
 
 	if b.dispatcher != nil {
 		if err := b.dispatcher.Start(); err != nil {
@@ -178,3 +232,30 @@ func (b *WorkflowClientBuilder) build() error {
 
 	return nil
 }
+
+// buildTLSConfig creates a TLS configuration from certificate paths
+func (b *WorkflowClientBuilder) buildTLSConfig() (*tls.Config, error) {
+	// Present client cert for mutual TLS (if enabled on server)
+	clientCert, err := tls.LoadX509KeyPair(b.clientCertPath, b.clientKeyPath)
+	if err != nil {
+		b.Logger.Fatal("Failed to load client certificate: %v", zap.Error(err))
+		return nil, err
+	}
+
+	// Load server CA
+	caCert, err := ioutil.ReadFile(b.caCertPath)
+	if err != nil {
+		b.Logger.Fatal("Failed to load server CA certificate: %v", zap.Error(err))
+		return nil, err
+	}
+	caCertPool := x509.NewCertPool()
+	caCertPool.AppendCertsFromPEM(caCert)
+
+	tlsConfig := &tls.Config{
+		InsecureSkipVerify: true,
+		RootCAs:            caCertPool,
+		Certificates:       []tls.Certificate{clientCert},
+	}
+
+	return tlsConfig, nil
+}
@@ -0,0 +1,102 @@
+# TLS Connection Verification Recipe
+
+This recipe demonstrates how to verify TLS connections between Cadence SDK and frontend using a Cadence workflow, showing both successful and unsuccessful scenarios.
+
+## What This Recipe Shows
+
+1. **TLS Workflow Execution** - Orchestrates TLS testing using Cadence workflow and activities
+2. **Certificate Management** - Automated certificate creation and cleanup
+3. **TLS Connection Testing** - Tests connections with valid certificates
+4. **Error Handling** - Tests connections with missing certificates
+5. **Standard Connection Fallback** - Tests non-TLS connections
+
+## Prerequisites
+
+- Cadence server running on `localhost:7933`
+- OpenSSL installed for certificate generation
+- Go environment set up
+
+## Steps to Run Sample
+
+1. You need a cadence service running. See details in cmd/samples/README.md
+
+2. Run the following command to start the worker:
+   ```
+   ./bin/tls -m worker
+   ```
+
+3. Run the following command to execute the workflow:
+   ```
+   ./bin/tls -m trigger
+   ```
+
+## Workflow Structure
+
+The recipe follows the standard Cadence worker/trigger pattern:
+
+- **Worker Mode**: Starts a Cadence worker that can execute the TLS workflow and activities
+- **Trigger Mode**: Triggers a new execution of the TLS workflow
+
+## Activities
+
+1. **setupCertificatesActivity** - Creates fresh TLS certificates for testing
+2. **testTLSConnectionActivity** - Tests TLS connections with provided certificates
+3. **testStandardConnectionActivity** - Tests standard non-TLS connections
+4. **cleanupCertificatesActivity** - Cleans up generated certificates
+
+## Expected Workflow Output
+
+When you run the trigger mode, the workflow will execute and you'll see logs showing:
+
+```
+INFO  TLS Workflow started
+INFO  Setting up certificates for testing
+INFO  Certificates setup completed
+INFO  Testing TLS connection with valid certificates
+INFO  Valid TLS connection test result: SUCCESS - TLS connection established
+INFO  Testing TLS connection with missing certificates
+INFO  Missing certificates test failed as expected
+INFO  Testing standard non-TLS connection
+INFO  Standard connection test result: SUCCESS - Standard connection established
+INFO  Cleaning up certificates
+INFO  Certificate cleanup completed
+INFO  TLS Workflow completed successfully
+```
+
+## Certificate Management
+
+The workflow automatically:
+- Creates a `cmd/samples/recipes/tls/certs/` directory
+- Generates CA, server, and client certificates using OpenSSL
+- Tests connections with the generated certificates
+- Cleans up all certificate files after testing
+
+Generated certificates include:
+- `ca.key` / `ca.crt` - Certificate Authority
+- `server.key` / `server.crt` - Server certificates
+- `client.key` / `client.crt` - Client certificates
+
+## Key Features
+
+- **Workflow Orchestration**: Uses Cadence workflow to coordinate TLS testing
+- **Automated Certificate Generation**: No manual certificate setup required
+- **Comprehensive Testing**: Tests multiple TLS scenarios in sequence
+- **Error Handling**: Graceful handling of connection failures
+- **Clean Resource Management**: Automatic cleanup of generated certificates
+- **Production Patterns**: Demonstrates proper Cadence workflow and activity patterns
+
+## Code Structure
+
+### Main Components
+- `main.go` - Worker/trigger entry point following Cadence patterns
+- `tls_workflow.go` - Workflow and activity definitions
+
+### Key Functions
+- `tlsWorkflow()` - Main workflow that orchestrates TLS testing
+- `setupCertificatesActivity()` - Activity to create test certificates
+- `testTLSConnectionActivity()` - Activity to test TLS connections
+- `testStandardConnectionActivity()` - Activity to test non-TLS connections
+- `cleanupCertificatesActivity()` - Activity to clean up certificates
+- `createTLSClient()` - Helper to create TLS-enabled Cadence client
+
+This recipe demonstrates how to integrate TLS configuration testing into Cadence workflows, making it suitable for production environments where TLS verification is part of automated testing or deployment processes.