fix: temporal scaler was not setting up tls for apikey auth

[joaopaulosr95]

After seeing connection reset by peer errors in my Temporal KEDA scaler, I started digging and found out about #6724, which was released earlier today. I deployed the new v2.17.1 Helm chart to my K8S cluster and still kept seeing the same errors, then decided to dig into the scaler code to see what I could find.

@rickbrouwer and I connected to explore options, and we realized that the TLS settings from #6707 were being overwritten, thus causing the error previously mentioned. This change fixed the main issue for good by rearranging the *tls.config variable, and it is already validated against a production K8S cluster.

Checklist

• When introducing a new scaler, I agree with the scaling governance policy
• I have verified that my change is according to the deprecations & breaking changes policy
• Tests have been added
• Changelog has been updated and is aligned with our changelog requirements
• A PR is opened to update our Helm chart (repo) (if applicable, ie. when deployment manifests are modified)
• A PR is opened to update the documentation on (repo) (if applicable)
• Commits are signed with Developer Certificate of Origin (DCO - learn more)

Fixes #

Relates to #

[joaopaulosr95]

cc @wozniakjan if we can get it into #6724 it would be great.

[JorTurFer]

/run-e2e temporal
Update: You can check the progress here

[wozniakjan]

cc @wozniakjan if we can get it into #6724 it would be great.

unfortunately 2.17.1 is now already released, we will see if there is enough to release 2.17.2 or if this will have to wait for 2.18.0

[Copilot]

Pull Request Overview

This PR ensures TLS is correctly configured for API Key authentication in the Temporal scaler by deferring and centralizing the client’s ConnectionOptions assignment after both API Key and certificate branches.

• Introduce tlsConfig variable and set default TLS for API Key auth
• Override tlsConfig when user-provided cert/key are present
• Move options.ConnectionOptions assignment to the end to prevent overwriting TLS settings
• Update CHANGELOG with a note on the secondary fix

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File	Description
pkg/scalers/temporal.go	Refactored TLS setup logic to preserve TLS config across branches and centralized ConnectionOptions assignment
CHANGELOG.md	Added entry for the secondary Temporal Scaler fix

Comments suppressed due to low confidence (1)

pkg/scalers/temporal.go:216

• [nitpick] The interceptor function signature is split across lines and repeats parameter types on separate lines. Consider merging req and reply parameters and formatting the entire signature on one line for improved readability and consistency.

func(ctx context.Context, method string, req any, reply any,

[wozniakjan]

/run-e2e temporal
Update: You can check the progress here

[naikaayushnz]

Will this be a part of v2.17.2 release?

[macb]

Also ended up here with the same issue. Would appreciate this in a v2.17.2 but using main is a workaround in the meantime.

[cheelim1]

has it been fixed in v2.17.2 ?
i'm still facing the error in 2.17.2 when trying to setup keda with temporal cloud

"error": "failed to create Temporal client connection: failed reaching server: connection error: desc = \"error reading server preface: remote error: tls: certificate required\""}

am i missing something?

[rickbrouwer]

has it been fixed in v2.17.2 ? i'm still facing the error in 2.17.2 when trying to setup keda with temporal cloud

"error": "failed to create Temporal client connection: failed reaching server: connection error: desc = \"error reading server preface: remote error: tls: certificate required\""}

am i missing something?

Yes, that should be fixed in 2.17.2. The message you show is also a bit different from the original issue. Could you share your scaledObject? Maybe it would be good to create a separate issue for that and share it there.