Open
Labels: enhancement (New feature or request)
Description
Is your feature request related to a problem? Please describe.
We host our own Temporal cluster that is configured with an mTLS certificate signed by an internal certificate authority. When the worker controller tries to connect to the cluster it fails because the CA is not part of the default set of trusted roots, causing an error like this:
{"level":"error","ts":1761258082.056627,"msg":"unable to create TemporalClient","controller":"temporalworkerdeployment","controllerGroup":"temporal.io","controllerKind":"TemporalWorkerDeployment","TemporalWorkerDeployment":{"name":"foo","namespace":"bar"},"namespace":"bar","name":"foo","reconcileID":"a2862153-3c5e-49ab-b7f0-a4221df7deba","error":"failed reaching server: connection error: desc = \"transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority\"","stacktrace":"github.com/temporalio/temporal-worker-controller/internal/controller.(*TemporalWorkerDeploymentReconciler).Reconcile\n\t..."}
Describe the solution you'd like
We need some way to configure the RootCAs in the tls.Config here, similar to how the server allows it to be configured here.
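A sketch of the requested behaviour, added here as an example and not taken from the controller's code: a client `tls.Config` whose `RootCAs` holds the system roots plus a supplied CA bundle, checked with a real handshake against a local test server. `clientTLSConfig`, `handshake` and `handshakeBothWays` are hypothetical names, and the self-signed certificate of Go's `httptest` server stands in for the internal CA.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"net/http/httptest"
)

// clientTLSConfig (hypothetical helper) trusts the system roots plus the CA bundle in caPEM.
func clientTLSConfig(caPEM []byte) (*tls.Config, error) {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool() // no system roots available: trust only the bundle
	}
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, fmt.Errorf("CA bundle contains no usable PEM certificate")
	}
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}, nil
}

// handshake dials addr over TLS and returns the handshake error, if any.
func handshake(addr string, cfg *tls.Config) error {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err == nil {
		_ = conn.Close()
	}
	return err
}

// handshakeBothWays connects to a constructed local server with default and with custom roots.
func handshakeBothWays() (defaultErr, customErr error) {
	srv := httptest.NewTLSServer(nil) // constructed stand-in for a cluster with an internal CA
	defer srv.Close()
	addr := srv.Listener.Addr().String()
	defaultErr = handshake(addr, &tls.Config{}) // nil RootCAs: system roots only
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	cfg, customErr := clientTLSConfig(caPEM)
	if customErr == nil {
		customErr = handshake(addr, cfg)
	}
	return defaultErr, customErr
}

func main() {
	d, c := handshakeBothWays()
	fmt.Printf("default roots: %v\ncustom RootCAs: %v\n", d, c)
}
```

Appending to the system pool keeps publicly trusted endpoints working; starting from `x509.NewCertPool()` instead would pin trust to the internal CA alone.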