Add cli tls support

[charlese-instaclustr]

Added the option to use TLS via the Cadence CLI, by use of a tls_cert_path flag which accepts a file path to a PEM formatted certificate file.

Why?

A user may want to make a CLI call to the grpc port of a TLS enabled Cadence cluster. In this case, the CLI needs to be able to construct the correct TLS outbound configuration, which requires enabling the user to pass the relevant cert file.

How did you test it?

• Built the Cadence CLI locally
• Provisioned one TLS-enabled and one non-TLS-enabled Cadence cluster
• Tested new feature by making cadence admin cluster describe and cadence domain register CLI calls to the grpc port of the TLS-enabled cluster, while passing the relevant cert file via the new tls_cert_path flag.
• Regression tested by calling the same commands against the grpc port of the non-TLS-enabled cluster
• Regression tested with the same commands against the tchannel ports of both clusters

Potential risks

This change does not affect the behaviour of existing transport options. So, in the worst case (e.g. the new feature does not allow connection to a TLS-enabled cluster in some case), it should not break any existing deployments/configurations.

Release notes

No.

Documentation Changes

No.

[shijiesheng]

nit: delete this line to keep the style consistent

[charlese-instaclustr]

Done, thanks

[longquanzheng]

Quick question, Have you tested this working?

[charlese-instaclustr]

Quick question, Have you tested this working?

@longquanzheng Hi, yes, please see the testing procedure in my original comment:

• Built the Cadence CLI locally
  -Provisioned one TLS-enabled and one non-TLS-enabled Cadence cluster
  -Tested new feature by making cadence admin cluster describe and cadence domain register CLI calls to the grpc port of the TLS-enabled cluster, while passing the relevant cert file via the new tls_cert_path flag.
  -Regression tested by calling the same commands against the grpc port of the non-TLS-enabled cluster
  -Regression tested with the same commands against the tchannel ports of both clusters

Please let me know if you think any more should be conducted, thanks.

[coveralls]

Pull Request Test Coverage Report for Build 0184c121-23ad-4a12-bb0f-41bb15841445

• 5 of 27 (18.52%) changed or added relevant lines in 2 files are covered.
• 52 unchanged lines in 12 files lost coverage.
• Overall coverage increased (+0.02%) to 57.318%

---

Changes Missing Coverage	Covered Lines	Changed/Added Lines	%
tools/cli/factory.go	0	22	0.0%

Files with Coverage Reduction	New Missed Lines	%
service/history/execution/mutable_state_task_refresher.go	1	73.42%
common/task/weightedRoundRobinTaskScheduler.go	1	89.64%
common/persistence/statsComputer.go	2	94.64%
service/matching/matcher.go	2	91.46%
common/task/fifoTaskScheduler.go	2	85.57%
common/persistence/executionManager.go	2	78.89%
service/history/task/fetcher.go	3	91.75%
common/persistence/dataManagerInterfaces.go	3	58.66%
service/history/task/task_util.go	4	75.14%
service/history/shard/context.go	9	66.7%

Totals
Change from base Build 0184bfa6-2420-4120-8a6a-0968e393a1f6:	0.02%
Covered Lines:	85237
Relevant Lines:	148710

---

💛 - Coveralls