Merge remote-tracking branch 'origin/main'

2025-10-29 01:50:00 +00:00
parent 297be27028 44e634cabb
commit 970b1f28a7
3 changed files with 18 additions and 18 deletions
--- a/README.md
+++ b/README.md
@ -22,3 +22,8 @@ Deploy using the `-c` flag to specify one or multiple compose files.
 ```
 docker stack deploy temporal --detach=true -c compose.yaml
 ```
+
+## Next Steps and notes
+
+- Need to better understand how static config files are managed in this setup.
+  - Are they baked into the image, or mounted at runtime? Where are they stored? What is a good default location?
--- a/oci-image/Containerfile
+++ b/oci-image/Containerfile
@ -17,4 +17,5 @@ RUN --mount=type=cache,target=/go/pkg/mod \
 	CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -o /workspace/bin/temporal-server .

 FROM ${TEMPORAL_IMAGE} AS runtime
+WORKDIR /etc/temporal
 COPY --from=build /workspace/bin/temporal-server /usr/local/bin/temporal-server
--- a/oci-image/main.go
+++ b/oci-image/main.go
@ -21,29 +21,23 @@ func main() {

 	logger := templog.NewCLILogger()

-	authorizer, err := authorization.GetAuthorizerFromConfig(&cfg.Global.Authorization)
-	if err != nil {
-		log.Fatalf("authorizer: %v", err)
-	}
-
-	claimMapper, err := authorization.GetClaimMapperFromConfig(&cfg.Global.Authorization, logger)
-	if err != nil {
-		log.Fatalf("claim mapper: %v", err)
-	}
-
-	audienceMapper, err := authorization.GetAudienceMapperFromConfig(&cfg.Global.Authorization)
-	if err != nil {
-		log.Fatalf("audience mapper: %v", err)
-	}
-
 	srv, err := temporal.NewServer(
 		temporal.ForServices(temporal.DefaultServices),
 		temporal.WithConfig(cfg),
 		temporal.WithLogger(logger),
 		temporal.InterruptOn(temporal.InterruptCh()),
-		temporal.WithAuthorizer(authorizer),
-		temporal.WithClaimMapper(func(*config.Config) authorization.ClaimMapper { return claimMapper }),
-		temporal.WithAudienceGetter(func(*config.Config) authorization.JWTAudienceMapper { return audienceMapper }),
+		temporal.WithAuthorizer(authorization.NewDefaultAuthorizer()),
+		temporal.WithClaimMapper(func(cfg *config.Config) authorization.ClaimMapper {
+			return authorization.NewDefaultJWTClaimMapper(
+				// token key provider - fetches public keys from the OIDC provider
+				authorization.NewDefaultTokenKeyProvider(&cfg.Global.Authorization, logger),
+				&cfg.Global.Authorization,
+				logger,
+			)
+		}),
+		temporal.WithAudienceGetter(func(cfg *config.Config) authorization.JWTAudienceMapper {
+			return authorization.NewAudienceMapper(cfg.Global.Authorization.Audience)
+		}),
 	)
 	if err != nil {
 		log.Fatalf("setup server: %v", err)