Update Config Templating

.github/CODEOWNERS

@@ -1 +1 @@
-* @temporalio/selfhosting
+* @temporalio/cgs

.github/workflows/ci.yml

@@ -2,6 +2,9 @@ name: Lint Charts
 
 on: pull_request
 
+permissions:
+  contents: read
+
 jobs:
   lint-test:
     runs-on: ubuntu-latest

CONTRIBUTING.md

@@ -30,6 +30,28 @@ Feel free to submit a draft PR early if you need feedback or assistance during t
 
 Note: When you submit your first PR, you will be asked to sign the [Temporal Contributor License Agreement (CLA)](https://cla-assistant.io/temporalio/helm-charts) before we merge your PR.
 
+## Types of Changes We Accept
+
+We prioritize and accept changes that enable customization required for Temporal to run on specific Kubernetes platforms, to meet security requirements, or enable use of Temporal Server features. Changes that we are likely to accept include:
+
+- **Security configurations**: Adding or enhancing security contexts, pod security policies, network policies, or other security-related Kubernetes resources
+- **Credential management**: Supporting credential retrieval from Kubernetes secrets (e.g., fetching database credentials from a secret instead of a ConfigMap)
+- **Platform-specific requirements**: Adaptations needed for specific Kubernetes distributions, cloud providers, or managed Kubernetes services
+- **Service account and RBAC customization**: Enhancements to service accounts, roles, and role bindings to meet organizational security policies
+- **Resource management**: Customizations to resource limits, requests, or scheduling constraints required by platform policies
+- **Monitoring and observability**: Integration with platform-specific monitoring, logging, or observability solutions
+- **CI/CD system compatibility**: Changes that enable the chart to work with GitOps tools and CI/CD systems (e.g., ArgoCD, Flux). These changes must be configuration-driven and optional to preserve a good manual installation experience
+- **Testing infrastructure and reliability**: Improvements to the testing infrastructure or changes that make the chart more reliable and robust
+
+### Changes We Don't Accept
+
+To keep the charts focused and maintainable, we generally do not accept:
+
+- **Persistence backend sub-charts**: We are removing the use of sub-charts for persistence backends (e.g., MySQL, PostgreSQL, Cassandra). Users should configure Temporal to connect to existing database infrastructure rather than deploying databases via sub-charts.
+- **Integration with unsupported technologies**: Changes required to integrate Temporal with technologies that Temporal does not support. Such changes will only be accepted if they provide benefits in a wider context beyond the specific integration.
+- **Feature additions unrelated to platform compatibility or security**: New features that don't address Kubernetes platform requirements or security needs
+- **Cosmetic or stylistic changes**: UI, naming, or formatting changes that don't affect functionality or configurability
+
 
 ## Issues and Pull Requests Lifecycle
 

README.md

@@ -87,7 +87,7 @@ temporaltest-worker-7c9d68f4cf-8tzfw           1/1     Running   2          11m
 
 This method requires a three node kubernetes cluster to successfully bring up all the dependencies.
 
-When installed without manully setting dependency replicas to 1, this Temporal Helm Chart configures Temporal to run with a three node Cassandra cluster (for persistence) and Elasticsearch (for "visibility" features), Prometheus, and Grafana. By default, Temporal Helm Chart installs all dependencies, out of the box.
+When installed without manually setting dependency replicas to 1, this Temporal Helm Chart configures Temporal to run with a three node Cassandra cluster (for persistence) and Elasticsearch (for "visibility" features), Prometheus, and Grafana. By default, Temporal Helm Chart installs all dependencies, out of the box.
 
 To install Temporal with all of its dependencies run this command:
 

charts/temporal/Chart.yaml

@@ -39,7 +39,7 @@ dependencies:
 type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: 0.64.0
+version: 0.72.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: 1.28.0
+appVersion: 1.29.1

charts/temporal/templates/_helpers.tpl

@@ -450,4 +450,4 @@ To modify camelCase to hyphenated internal-frontend service name
     {{- else }}
         {{- print $service }}
     {{- end }}
-{{- end -}}
+{{- end -}}

charts/temporal/templates/server-configmap.yaml

@@ -9,6 +9,7 @@ metadata:
     {{- include "temporal.resourceLabels" (list $ "" "") | nindent 4 }}
 data:
   config_template.yaml: |-
+    # enable-template
     log:
       stdout: true
       level: {{ $server.config.logLevel | quote }}
@@ -18,12 +19,13 @@ data:
       visibilityStore: visibility
       numHistoryShards: {{ $server.config.numHistoryShards }}
       datastores:
+        {{- if ne (include "temporal.persistence.driver" (list $ "default")) "custom" }}
         default:
           {{- if eq (include "temporal.persistence.driver" (list $ "default")) "cassandra" }}
           cassandra:
             hosts: "{{ include "temporal.persistence.cassandra.hosts" (list $ "default") }}"
             port: {{ include "temporal.persistence.cassandra.port" (list $ "default") }}
-            password: {{ `{{ .Env.TEMPORAL_STORE_PASSWORD | quote }}` }}
+            password: {{ `{{ env "TEMPORAL_STORE_PASSWORD" | quote }}` }}
             {{- with (omit $server.config.persistence.default.cassandra "hosts" "port" "password" "existingSecret") }}
               {{- toYaml . | nindent 12 }}
             {{- end }}
@@ -35,7 +37,7 @@ data:
             connectAddr: "{{ include "temporal.persistence.sql.host" (list $ "default") }}:{{ include "temporal.persistence.sql.port" (list $ "default") }}"
             connectProtocol: "tcp"
             user: {{ include "temporal.persistence.sql.user" (list $ "default") }}
-            password: {{ `{{ .Env.TEMPORAL_STORE_PASSWORD | quote }}` }}
+            password: {{ `{{ env "TEMPORAL_STORE_PASSWORD" | quote }}` }}
             {{- with (omit $server.config.persistence.default.sql "driver" "driverName" "host" "port" "connectAddr" "connectProtocol" "database" "databaseName" "user" "password" "existingSecret") }}
               {{- toYaml . | nindent 12 }}
             {{- end }}
@@ -44,6 +46,7 @@ data:
           faultInjection:
             {{- toYaml . | nindent 12 }}
           {{- end }}
+        {{- end }}
         {{- with $server.config.persistence.additionalStores }}
           {{- toYaml . | nindent 8 }}
         {{- end }}
@@ -55,7 +58,7 @@ data:
                 scheme: "{{ $elasticsearch.scheme }}"
                 host: "{{ $elasticsearch.host }}:{{ $elasticsearch.port }}"
             username: "{{ $elasticsearch.username }}"
-            password: {{ `{{ .Env.TEMPORAL_VISIBILITY_STORE_PASSWORD  | quote }}` }}
+            password: {{ `{{ env "TEMPORAL_VISIBILITY_STORE_PASSWORD" | quote }}` }}
             logLevel: "{{ $elasticsearch.logLevel }}"
             indices:
                 visibility: "{{ $elasticsearch.visibilityIndex }}"
@@ -71,7 +74,7 @@ data:
             connectAddr: "{{ include "temporal.persistence.sql.host" (list $ "visibility") }}:{{ include "temporal.persistence.sql.port" (list $ "visibility") }}"
             connectProtocol: "tcp"
             user: "{{ include "temporal.persistence.sql.user" (list $ "visibility") }}"
-            password: {{ `{{ .Env.TEMPORAL_VISIBILITY_STORE_PASSWORD  | quote }}` }}
+            password: {{ `{{ env "TEMPORAL_VISIBILITY_STORE_PASSWORD" | quote }}` }}
             {{- with (omit $server.config.persistence.visibility.sql "driver" "driverName" "host" "port" "connectAddr" "connectProtocol" "database" "databaseName" "user" "password" "existingSecret") }}
               {{- toYaml . | nindent 12 }}
             {{- end }}
@@ -81,14 +84,15 @@ data:
       membership:
         name: temporal
         maxJoinDuration: 30s
-        broadcastAddress: {{ `{{ default .Env.POD_IP "0.0.0.0" }}` }}
+        # TODO: validate broadcast address can work with 0.0.0.0
+        broadcastAddress: {{ `{{ env "POD_IP" | default "" }}` }}
 
       pprof:
         port: 7936
 
       metrics:
         tags:
-          type: {{ `{{ .Env.SERVICES }}` }}
+          type: {{ `{{ env "TEMPORAL_SERVICES" }}` }}
           {{- with $server.metrics.tags }}
             {{- toYaml . | nindent 10 }}
           {{- end }}

charts/temporal/templates/server-deployment.yaml

@@ -85,16 +85,22 @@ spec:
                   fieldPath: status.podIP
             - name: SERVICES
               value: {{ $service }}
+            - name: TEMPORAL_SERVER_CONFIG_FILE_PATH
+              value: /etc/temporal/config/config_template.yaml
+            {{- if ne (include "temporal.persistence.driver" (list $ "default")) "custom" }}
             - name: TEMPORAL_STORE_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: {{ include "temporal.persistence.secretName" (list $ "default") }}
                   key: {{ include "temporal.persistence.secretKey" (list $ "default") }}
+            {{- end }}
+            {{- if ne (include "temporal.persistence.driver" (list $ "visibility")) "custom" }}
             - name: TEMPORAL_VISIBILITY_STORE_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: {{ include "temporal.persistence.secretName" (list $ "visibility") }}
                   key: {{ include "temporal.persistence.secretKey" (list $ "visibility") }}
+            {{- end }}
           {{- if and (hasKey $.Values.server "internalFrontend") $.Values.server.internalFrontend.enabled }}
             - name: USE_INTERNAL_FRONTEND
               value: "1"

charts/temporal/templates/server-job.yaml

@@ -53,12 +53,12 @@ spec:
           {{- range $store := (list "default" "visibility") }}
             {{- $storeConfig := index $.Values.server.config.persistence $store }}
             {{- $driver := include "temporal.persistence.driver" (list $ $store) }}
-            {{- if ne $driver "elasticsearch" }}
+            {{- if and (ne $driver "elasticsearch") (ne $driver "custom") }}
         - name: create-{{ $store }}-store
           image: "{{ $.Values.admintools.image.repository }}:{{ $.Values.admintools.image.tag }}"
           imagePullPolicy: {{ $.Values.admintools.image.pullPolicy }}
               {{- if eq $driver "cassandra" }}
-          command: ['temporal-cassandra-tool', 'create', '-k', '{{ $storeConfig.cassandra.keyspace }}', '--replication-factor', '{{ $storeConfig.cassandra.replicationFactor }}']
+          command: ['temporal-cassandra-tool', 'create', '-k', '{{ $storeConfig.cassandra.keyspace }}', '--replication-factor', '{{ $storeConfig.cassandra.replicationFactor }}'{{- if $storeConfig.cassandra.datacenter }}, '--datacenter', '{{ $storeConfig.cassandra.datacenter }}'{{- end }}]
               {{- else if eq $driver "sql" }}
           command: ['temporal-sql-tool', 'create-database']
               {{- end }}
@@ -83,33 +83,36 @@ spec:
           {{- range $store := (list "default" "visibility") }}
             {{- $storeConfig := index $.Values.server.config.persistence $store }}
             {{- $driver := include "temporal.persistence.driver" (list $ $store) }}
+            {{- if ne $driver "custom" }}
         - name: setup-{{ $store }}-store
           image: "{{ $.Values.admintools.image.repository }}:{{ $.Values.admintools.image.tag }}"
           imagePullPolicy: {{ $.Values.admintools.image.pullPolicy }}
-            {{- if eq $driver "cassandra" }}
+              {{- if eq $driver "cassandra" }}
           command: ['temporal-cassandra-tool', 'setup-schema', '-v', '0.0']
-            {{- else if eq $driver "sql" }}
+              {{- else if eq $driver "sql" }}
           command: ['temporal-sql-tool', 'setup-schema', '-v', '0.0']
-            {{- else if eq $driver "elasticsearch" }}
+              {{- else if eq $driver "elasticsearch" }}
+          # TODO: Use temporal-elasticsearch-tool if available. curl will not be part of the image in the future.
           command: ['sh', '-c']
           args:
             - 'curl -X PUT --fail --user "$ES_USER:$ES_PWD" $ES_SCHEME://$ES_HOST:$ES_PORT/_template/temporal_visibility_v1_template -H "Content-Type: application/json" --data-binary "@schema/elasticsearch/visibility/index_template_$ES_VERSION.json" 2>&1 &&
               curl --head --fail --user "$ES_USER:$ES_PWD" $ES_SCHEME://$ES_HOST:$ES_PORT/$ES_VISIBILITY_INDEX 2>&1 ||
               curl -X PUT --fail --user "$ES_USER:$ES_PWD" $ES_SCHEME://$ES_HOST:$ES_PORT/$ES_VISIBILITY_INDEX 2>&1'
-            {{- end }}
+              {{- end }}
           env:
-            {{- include "temporal.admintools-env" (list $ $store) | nindent 12 }}
-            {{- with $.Values.admintools.additionalVolumeMounts }}
+              {{- include "temporal.admintools-env" (list $ $store) | nindent 12 }}
+              {{- with $.Values.admintools.additionalVolumeMounts }}
           volumeMounts:
-              {{- toYaml . | nindent 12 }}
-            {{- end }}
-            {{- with $.Values.schema.resources }}
+                {{- toYaml . | nindent 12 }}
+              {{- end }}
+              {{- with $.Values.schema.resources }}
           resources:
-              {{- toYaml . | nindent 12 }}
-            {{- end }}
-            {{- with $.Values.schema.containerSecurityContext }}
+                {{- toYaml . | nindent 12 }}
+              {{- end }}
+              {{- with $.Values.schema.containerSecurityContext }}
           securityContext:
-              {{- toYaml . | nindent 12 }}
+                {{- toYaml . | nindent 12 }}
+              {{- end }}
             {{- end }}
           {{- end }}
         {{- end }}
@@ -118,7 +121,7 @@ spec:
             {{- $storeConfig := index $.Values.server.config.persistence $store }}
             {{- $driver := include "temporal.persistence.driver" (list $ $store) }}
             {{- $schema := include "temporal.persistence.schema" $store }}
-            {{- if ne $driver "elasticsearch" }}
+            {{- if and (ne $driver "elasticsearch") (ne $driver "custom") }}
         - name: update-{{ $store }}-store
           image: "{{ $.Values.admintools.image.repository }}:{{ $.Values.admintools.image.tag }}"
           imagePullPolicy: {{ $.Values.admintools.image.pullPolicy }}
@@ -167,7 +170,7 @@ spec:
               {{- end }}
               {{- with $.Values.admintools.additionalEnv }}
                 {{- toYaml . | nindent 12 }}
-              {{- end }} 
+              {{- end }}
               {{- with $.Values.admintools.additionalVolumeMounts }}
           volumeMounts:
                 {{- toYaml . | nindent 12 }}

charts/temporal/templates/server-secret.yaml

@@ -7,7 +7,7 @@
   {{- $driverConfig = $.Values.elasticsearch -}}
   {{- end -}}
   {{- $secretName := include "temporal.componentname" (list $ (printf "%s-store" $store)) }}
-  {{- if and (not $driverConfig.existingSecret) (eq (include "temporal.persistence.secretName" (list $ $store)) $secretName) }}
+  {{- if and (ne $driver "custom") (not $driverConfig.existingSecret) (eq (include "temporal.persistence.secretName" (list $ $store)) $secretName) }}
 apiVersion: v1
 kind: Secret
 metadata:

charts/temporal/templates/server-service.yaml

@@ -16,13 +16,19 @@ spec:
   ports:
     - port: {{ $serviceValues.service.port }}
       targetPort: rpc
+      # For Istio service mesh - make sure all ports are defined here and in the deployment:
+      # Also for Istio - make sure to set the `appProtocol` property, see:
+      # https://istio.io/latest/docs/ops/configuration/traffic-management/protocol-selection/#explicit-protocol-selection
+      # Note when two services expose the same port, it is necessary that the appProtocol of both is the same.
+      appProtocol: {{ $serviceValues.service.appProtocol }}
       protocol: TCP
       name: grpc-rpc
       {{- if hasKey $serviceValues.service "nodePort" }}
       nodePort: {{ $serviceValues.service.nodePort }}
       {{- end }}
     - port: {{ $serviceValues.service.httpPort }}
       targetPort: http
+      appProtocol: {{ $serviceValues.service.httpAppProtocol }}
       protocol: TCP
       name: http
       # TODO: Allow customizing the node HTTP port
@@ -74,12 +80,12 @@ spec:
   ports:
     - port: {{ $serviceValues.service.port }}
       targetPort: rpc
-      appProtocol: tcp
+      appProtocol: {{ $serviceValues.service.appProtocol }}
       protocol: TCP
       name: grpc-rpc
     - port: {{ $serviceValues.service.membershipPort }}
       targetPort: membership
-      appProtocol: tcp
+      appProtocol: {{ $serviceValues.service.membershipAppProtocol }}
       protocol: TCP
       name: grpc-membership
     - port: 9090

charts/temporal/templates/web-service.yaml

@@ -11,7 +11,7 @@ metadata:
 spec:
   {{- with .Values.web.service.loadBalancerIP }}
   loadBalancerIP: {{.}}
-    {{- end }}
+  {{- end }}
   type: {{ .Values.web.service.type }}
   {{- with .Values.web.service.clusterIP }}
   clusterIP: {{.}}
@@ -20,6 +20,7 @@ spec:
     - port: {{ .Values.web.service.port }}
       targetPort: http
       protocol: TCP
+      appProtocol: {{ .Values.web.service.appProtocol }}
       name: http
       {{- if hasKey .Values.web.service "nodePort" }}
       nodePort: {{ .Values.web.service.nodePort }}