temporalio · chaptersix · Apr 29, 2026 · Apr 29, 2026 · Apr 29, 2026 · Apr 29, 2026
@@ -1,15 +1,13 @@
-name: Test compose examples
+name: Test compose and TLS examples
 
 on:
   pull_request:
-    paths:
-      - 'compose/**'
-      - '.github/workflows/compose.yaml'
   push:
     branches:
       - main
     paths:
       - 'compose/**'
+      - 'tls/**'
       - '.github/workflows/compose.yaml'
 
 permissions:
@@ -315,3 +313,111 @@ jobs:
         if: always()
         working-directory: compose
         run: docker compose -f docker-compose-multirole.yaml -f docker-compose-validate-multirole.yml down -v
+
+  tls-simple-test:
+    name: Test tls-simple
+    needs: lint-actions
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    env:
+      TEMPORAL_TLS_CERTS_DIR: /etc/temporal/config/certs
+      TEMPORAL_LOCAL_CERT_DIR: ./certs
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Generate TLS certificates
+        working-directory: tls/tls-simple
+        run: bash generate-test-certs.sh
+
+      - name: Start compose stack
+        working-directory: tls/tls-simple
+        run: docker compose up -d
+
+      - name: Wait for namespace creation
+        working-directory: tls/tls-simple
+        run: |
+          for i in $(seq 1 60); do
+            if docker compose logs temporal-create-namespace 2>&1 | grep -q "Namespace 'default' created\|already exists"; then
+              echo "Namespace ready"
+              exit 0
+            fi
+            echo "Waiting for namespace creation... ($i/60)"
+            sleep 5
+          done
+          echo "Namespace creation did not complete"
+          exit 1
+
+      - name: Validate Temporal is functional
+        working-directory: tls/tls-simple
+        run: |
+          docker compose exec temporal-admin-tools temporal operator cluster health
+          docker compose exec temporal-admin-tools temporal operator namespace describe -n default
+
+      - name: Print all logs on failure
+        if: failure()
+        working-directory: tls/tls-simple
+        run: |
+          echo "=== Printing all container logs ==="
+          docker compose ps -a
+          docker compose logs
+
+      - name: Cleanup
+        if: always()
+        working-directory: tls/tls-simple
+        run: |
+          docker compose down -v
+          rm -rf certs
+
+  tls-full-test:
+    name: Test tls-full
+    needs: lint-actions
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    env:
+      TEMPORAL_TLS_CERTS_DIR: /certs
+      TEMPORAL_LOCAL_CERT_DIR: ./certs
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Generate TLS certificates
+        working-directory: tls/tls-full
+        run: bash generate-certs.sh
+
+      - name: Start compose stack
+        working-directory: tls/tls-full
+        run: docker compose up -d
+
+      - name: Wait for namespace creation
+        working-directory: tls/tls-full
+        run: |
+          for i in $(seq 1 60); do
+            if docker compose logs temporal-create-namespace 2>&1 | grep -q "Namespace 'default' created\|already exists"; then
+              echo "Namespace ready"
+              exit 0
+            fi
+            echo "Waiting for namespace creation... ($i/60)"
+            sleep 5
+          done
+          echo "Namespace creation did not complete"
+          exit 1
+
+      - name: Validate Temporal is functional
+        working-directory: tls/tls-full
+        run: |
+          docker compose exec temporal-cli-admin temporal operator cluster health
+          docker compose exec temporal-cli-admin temporal operator namespace describe -n default
+
+      - name: Print all logs on failure
+        if: failure()
+        working-directory: tls/tls-full
+        run: |
+          echo "=== Printing all container logs ==="
+          docker compose ps -a
+          docker compose logs
+
+      - name: Cleanup
+        if: always()
+        working-directory: tls/tls-full
+        run: |
+          docker compose down -v
+          rm -rf certs
@@ -32,26 +32,37 @@ cluster-internode    |              |                         |
 ./generate-certs.sh
 ```
 
-2. Start Temporal with `start-temporal.sh`. This will bring up a Temporal cluster (via `docker-compose`) with the `certs` subdirectory mounted as a volume and Temporal configured to use the test certificates in it to secure network communications.
+2. Start Temporal with `start-temporal.sh`. This will bring up a Temporal cluster (via `docker compose`) with the `certs` subdirectory mounted as a volume and Temporal configured to use the test certificates in it to secure network communications.
 
 ```bash
 ./start-temporal.sh
 ```
 
-3. You can use docker to enter the cli containers and use `tctl` like this (in another terminal):
+3. You can use docker to enter the cli containers and use the `temporal` CLI like this (in another terminal):
 
 ```bash
-docker exec -it tls-full-temporal-cli-admin-1 bash
-docker exec -it tls-full-temporal-cli-development-1 bash
-docker exec -it tls-full-temporal-cli-accounting-1 bash
+docker compose exec temporal-cli-admin bash
+docker compose exec temporal-cli-development bash
+docker compose exec temporal-cli-accounting bash
 ```
 
 Environment variables are set up to provide the `development` and `accounting` containers with access to namespaces with the respective names.
-(You'll have to create them first with `tctl namespace register`.)
+The `default` namespace is created automatically on startup.
 
 4. But you might notice that all three containers actually have identical (full admin-level) permissions!
 That's because there's no ClaimMapper or Authorizer actually examining the client certs to determine permissions.
 To actually enforce namespace access, you'll have to build the server with a custom ClaimMapper, and turn on the default Authorizer also.
 You can look in [tlsClaimMapper.go](./tlsClaimMapper.go) for an example that will work with the certs in this sample,
 and in [the authorizer sample](../../extensibility/authorizer/) for more instructions on how to build a custom server.
 
+### Custom config template
+
+This sample uses a custom `config_template.yaml` to configure per-namespace TLS host overrides. The file is a Go template rendered by the Temporal server using [sprig](https://masterminds.github.io/sprig/) functions.
+
+To enable template rendering, the file must contain `# enable-template` in the first 1KB. It is loaded via the `TEMPORAL_SERVER_CONFIG_FILE_PATH` environment variable.
+
+To preview the rendered config inside the container:
+
+```bash
+docker compose exec temporal temporal-server --config-file /etc/temporal/config/config_template.yaml render-config
+```