Enable Controller-managed versioned scaling resources with WorkerResourceTemplate (#217)

<!--- Note to EXTERNAL Contributors -->
  <!-- Thanks for opening a PR!
If it is a significant code change, please **make sure there is an open
issue** for this.
We work best with you when we have accepted the idea first before you
code. -->

<!--- For ALL Contributors 👇 -->

## What was changed
### New CRD: `WorkerResourceTemplate` (WRT)

A new `WorkerResourceTemplate` CRD that lets users attach arbitrary
namespaced Kubernetes resources (HPAs, PDBs, custom scalers, etc.) to a
`TemporalWorkerDeployment`. The controller creates one copy of the
resource per active worker version, with auto-injection of
`scaleTargetRef`, `selector.matchLabels`, and metric selector labels to
point at the correct versioned Deployment.

#### Key behaviors:
- One copy per active Build ID, named `{twdName}-{wrtName}-{buildID}`
(uniquely truncated to 47 chars, DNS-safe)
- Auto-injects `spec.scaleTargetRef` (when set to `{}`) to reference the
versioned Deployment → enables per-version HPA autoscaling, and any
other scaler that uses `scaleTargetRef`
- Auto-injects `selector.matchLabels` (when set to `{}`) with the
correct per-version labels → enables per-version PDB targeting, and
arbitrary CRDs that use `selector.matchLabels` to target versioned
Deployments
- Auto-appends `worker_deployment_name`, `worker_deployment_build_id`,
and `temporal_namespace` to
`spec.metrics[*].external.metric.selector.matchLabels` whenever
`matchLabels` is present (including `{}`). User labels like `task_type:
"Activity"` coexist alongside the injected keys. Absent `matchLabels` =
no injection for that metric entry.
- Applied via Server-Side Apply with field manager
`"temporal-worker-controller"`
- Owner ref on each resource copy points to the `WorkerResourceTemplate`
→ k8s GC deletes all copies when the WRT is deleted
- Apply status written back to
`WorkerResourceTemplate.status.versions[*]` (Applied, Message, BuildID)
- Resource spec lives in `spec.template` (raw JSON/YAML embedded object)
  - Target TWD referenced via `spec.temporalWorkerDeploymentRef.name`

#### Validating Webhook

A `WorkerResourceTemplateValidator` webhook enforces:
- `apiVersion` and `kind` required; `metadata.name`/`metadata.namespace`
forbidden (controller sets these)
- Allowed resource kinds configurable via `ALLOWED_KINDS` env var
(default: `HorizontalPodAutoscaler`)
- `minReplicas` ≠ 0 (currently required for
`approximate_task_queue_backlog` metric-based autoscaling to work when
queue is idle, plan to relax this in future)
- `scaleTargetRef` must be absent or `{}` (opt-in sentinel); non-empty
value rejected (controller owns injection)
- `selector.matchLabels` must be absent or `{}` (opt-in sentinel);
non-empty value rejected (controller owns injection)
- `metrics[*].external.metric.selector.matchLabels` must not contain the
controller-owned keys `worker_deployment_name`,
`worker_deployment_build_id`, or `temporal_namespace`; user labels (e.g.
`task_type`) are allowed
- SAR check: requesting user must be able to create/update the embedded
resource type
- SAR check: controller service account must be able to create/update
the embedded resource type
  - `spec.temporalWorkerDeploymentRef.name` is immutable after creation

### Helm chart updates

-
`helm/temporal-worker-controller-crds/templates/temporal.io_workerresourcetemplates.yaml`
(new CRD manifest)
- `helm/temporal-worker-controller/templates/webhook.yaml` (always-on
`WorkerResourceTemplate` `ValidatingWebhookConfiguration`;
`TemporalWorkerDeployment` webhook now behind `webhook.enabled`)
- `helm/temporal-worker-controller/templates/certmanager.yaml`
(cert-manager `Issuer` + `Certificate` for TLS, default enabled)
- `helm/temporal-worker-controller/Chart.yaml` (cert-manager added as
optional subchart dependency; opt in via `certmanager.install: true`)
- `helm/temporal-worker-controller/templates/manager.yaml` (cert
volume/port always present; `ALLOWED_KINDS`, `POD_NAMESPACE`,
`SERVICE_ACCOUNT_NAME` env vars)
- `helm/temporal-worker-controller/templates/rbac.yaml`
(`WorkerResourceTemplate` + SAR rules in manager `ClusterRole`;
editor/viewer roles; configurable attached-resource RBAC)
- `helm/temporal-worker-controller/values.yaml`
(`workerResourceConfig.allowedResources` default: HPA, piped to
`ALLOWED_KINDS` and to controller rbac)

### Integration tests

New integration test subtests added to the existing envtest suite, all
running through the shared `testTemporalWorkerDeploymentCreation`
table-test runner:
- `WorkerResourceTemplate` (7 tests): Deployment owner ref,
`matchLabels` injection, multiple `WorkerResourceTemplate`s on same
`TemporalWorkerDeployment`, metric selector label injection, multiple
active versions, apply failure → Applied:false, SSA idempotency
- Rollout gaps (5 tests): Progressive ramp to Current,
ConnectionSpecHash annotation repair, gate input from ConfigMap, gate
input from Secret, multiple deprecated versions
- Webhook admission (5 tests, separate Ginkgo suite): Spec rejection,
SAR pass, SAR fail (user), SAR fail (controller SA),
`temporalWorkerDeploymentRef.name` immutability

## Why?
HPA autoscaling for versioned Temporal workers requires a separate HPA
per worker version, each targeting only that version's Deployment with
the correct `scaleTargetRef` and label selectors. Without this CRD,
users have no way to create per-version resources that the controller
lifecycle-manages alongside the versioned Deployments.

## Checklist
<!--- add/delete as needed --->

1. Closes #207

2. How was this tested:
- Full envtest integration test suite: new subtests covering WRT
lifecycle, previously uncovered rollout scenarios, and webhook admission
via the real HTTP admission path
- Unit tests: webhook validator, SSA naming/injection helpers, planner
integration
- All tests pass: `KUBEBUILDER_ASSETS=.../bin/k8s/1.27.1-darwin-arm64 go
test -tags
  test_dep ./...`

3. Any docs updates needed?
- `docs/worker-resource-template.md` added: concept overview, HPA
example with cert-manager setup, RBAC configuration guide

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: carlydf

.github/workflows/helm-image-check.yml

@@ -28,6 +28,9 @@ jobs:
       - name: Install crane
         uses: imjasonh/setup-crane@v0.4
 
+      - name: Build chart dependencies
+        run: helm repo add jetstack https://charts.jetstack.io && helm dependency build helm/temporal-worker-controller
+
       - name: Render chart and verify images
         run: |
           set -euo pipefail

.github/workflows/helm-validate.yml

@@ -18,6 +18,9 @@ jobs:
       - name: Install Helm
         uses: azure/setup-helm@v3
 
+      - name: Build chart dependencies
+        run: helm repo add jetstack https://charts.jetstack.io && helm dependency build helm/temporal-worker-controller
+
       - name: Lint chart
         run: helm lint --strict helm/temporal-worker-controller
 
@@ -30,6 +33,9 @@ jobs:
       - name: Install Helm
         uses: azure/setup-helm@v3
 
+      - name: Build chart dependencies
+        run: helm repo add jetstack https://charts.jetstack.io && helm dependency build helm/temporal-worker-controller
+
       - name: Template with default values
         run: helm template test-release helm/temporal-worker-controller
 

.github/workflows/helm.yml

@@ -111,6 +111,9 @@ jobs:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PAT}}
 
+      - name: Build chart dependencies
+        run: helm repo add jetstack https://charts.jetstack.io && helm dependency build ./helm/temporal-worker-controller
+
       - name: Package and Push Helm charts
         run: |
           # Use version from previous step

.github/workflows/test-integration.yml

@@ -125,7 +125,13 @@ jobs:
 
     - name: Download dependencies
       run: go mod download
-      
+
+    - name: Install Helm
+      uses: azure/setup-helm@v3
+
+    - name: Build Helm chart dependencies
+      run: helm repo add jetstack https://charts.jetstack.io && helm dependency build helm/temporal-worker-controller
+
     - name: Run unit tests
       run: make test-unit
 

.gitignore

@@ -2,6 +2,7 @@
 
 bin
 dist
+helm/**/charts/*.tgz
 
 secret.env
 skaffold.env

Makefile

@@ -150,8 +150,8 @@ help: ## Display this help.
 
 # crd:maxDescLen=0 is to avoid error described in https://github.com/kubernetes-sigs/kubebuilder/issues/2556#issuecomment-1074844483
 .PHONY: manifests
-manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
-	GOWORK=off GO111MODULE=on $(CONTROLLER_GEN) rbac:roleName=manager-role crd:allowDangerousTypes=true,maxDescLen=0,generateEmbeddedObjectMeta=true webhook paths=./api/... paths=./internal/... paths=./cmd/... \
+manifests: controller-gen ## Generate ClusterRole and CustomResourceDefinition objects.
+	GOWORK=off GO111MODULE=on $(CONTROLLER_GEN) rbac:roleName=manager-role crd:allowDangerousTypes=true,maxDescLen=0,generateEmbeddedObjectMeta=true paths=./api/... paths=./internal/... paths=./cmd/... \
     output:crd:artifacts:config=helm/temporal-worker-controller-crds/templates
 
 .PHONY: generate
@@ -188,6 +188,15 @@ apply-load-sample-workflow: ## Start a sample workflow every 15 seconds
 		sleep 15; \
 	done
 
+.PHONY: apply-hpa-load
+.SILENT: apply-hpa-load
+apply-hpa-load: ## Start ~2 workflows/sec to build a backlog and drive HPA scaling to ~10 replicas
+	@echo "Starting load at ~2 workflows/sec. Press Ctrl-C to stop."
+	@while true; do \
+		$(MAKE) -s start-sample-workflow & \
+		sleep 0.5; \
+	done
+
 .PHONY: list-workflow-build-ids
 list-workflow-build-ids: ## List workflow executions and their build IDs.
 	@$(TEMPORAL) workflow list --limit 20 --fields SearchAttributes -o json | \
@@ -214,8 +223,8 @@ test-all: manifests generate envtest ## Run tests.
 	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" go test -tags test_dep ./... -coverprofile cover.out
 
 .PHONY: test-unit
-test-unit: ## Run unit tests with minimal setup.
-	go test ./... -coverprofile cover.out
+test-unit: envtest ## Run unit tests and webhook integration tests (requires envtest binaries).
+	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" go test ./... -coverprofile cover.out
 
 .PHONY: test-integration
 test-integration: manifests generate envtest ## Run integration tests against local Temporal dev server.

README.md

@@ -4,8 +4,6 @@
 [![Go Report Card](https://goreportcard.com/badge/github.com/temporalio/temporal-worker-controller)](https://goreportcard.com/report/github.com/temporalio/temporal-worker-controller)
 
 > 🚀 **Public Preview**: This project is in [Public Preview](https://docs.temporal.io/evaluate/development-production-features/release-stages) and ready for production use cases*. Core functionality is complete with stable APIs.
-> 
-> *Dynamic auto-scaling based on workflow load is not yet implemented. Use cases must work with fixed worker replica counts.
 
 **The Temporal Worker Controller makes it simple and safe to deploy Temporal workers on Kubernetes.**
 
@@ -20,7 +18,8 @@ Temporal's [Worker Versioning](https://docs.temporal.io/production-deployment/wo
 📦 **Automatic version management** - Registers versions with Temporal, manages routing rules, and tracks version lifecycle  
 🎯 **Smart traffic routing** - New workflows automatically get routed to your target worker version  
 🛡️ **Progressive rollouts** - Catch incompatible changes early with small traffic percentages before they spread  
-⚡ **Easy rollbacks** - Instantly route traffic back to a previous version if issues are detected  
+⚡ **Easy rollbacks** - Instantly route traffic back to a previous version if issues are detected
+📈 **Per-version autoscaling** - Attach HPAs or other custom scalers to each versioned Deployment via [`WorkerResourceTemplate`](docs/worker-resource-templates.md)
 
 ## Quick Example
 
@@ -78,6 +77,7 @@ When you update the image, the controller automatically:
 - Helm [v3.0+](https://github.com/helm/helm/releases) if deploying via our Helm chart
 - [Temporal Server](https://docs.temporal.io/) (Cloud or self-hosted [v1.29.1](https://github.com/temporalio/temporal/releases/tag/v1.29.1))
 - Basic familiarity with Temporal [Workers](https://docs.temporal.io/workers), [Workflows](https://docs.temporal.io/workflows), and [Worker Versioning](https://docs.temporal.io/production-deployment/worker-deployments/worker-versioning)
+- **TLS for the validating webhook** *(required for `WorkerResourceTemplate`)* — the recommended path is [cert-manager](https://cert-manager.io/docs/installation/), which handles certificate provisioning automatically. Install it separately or as a subchart of the controller chart (`certmanager.install: true`). If you prefer to manage TLS yourself, see [Webhook TLS](docs/worker-resource-templates.md#webhook-tls).
 
 ### 🔧 Installation
 
@@ -118,7 +118,7 @@ See [docs/crd-management.md](docs/crd-management.md) for upgrade, rollback, and
 - ✅ **Deletion of resources** associated with drained Worker Deployment Versions
 - ✅ **Multiple rollout strategies**: `Manual`, `AllAtOnce`, and `Progressive` rollouts
 - ✅ **Gate workflows** - Test new versions with a [pre-deployment test](https://docs.temporal.io/production-deployment/worker-deployments/worker-versioning#adding-a-pre-deployment-test) before routing real traffic to them
-- ⏳ **Load-based auto-scaling** - Not yet implemented (use fixed replica counts)
+- ✅ **Per-version attached resources** - Attach HPAs, PodDisruptionBudgets, or any namespaced Kubernetes resource to each worker version with running workers via [`WorkerResourceTemplate`](docs/worker-resource-templates.md) — this is also the recommended path for metric-based and backlog-based autoscaling
 
 
 ## 💡 Why Use This?
@@ -143,16 +143,17 @@ The Temporal Worker Controller eliminates this operational overhead by automatin
 
 ## 📖 Documentation
 
-| Document | Description |
-|----------|-------------|
-| [Migration Guide](docs/migration-to-versioned.md) | Step-by-step guide for migrating from traditional deployments |
-| [Reversion Guide](docs/migration-to-unversioned.md) | Step-by-step guide for migrating back to unversioned deployment |
-| [CD Rollouts](docs/cd-rollouts.md) | Helm, kubectl, ArgoCD, and Flux integration for steady-state rollouts |
-| [Architecture](docs/architecture.md) | Technical deep-dive into how the controller works |
-| [Configuration](docs/configuration.md) | Complete configuration reference |
-| [Concepts](docs/concepts.md) | Key concepts and terminology |
-| [Limits](docs/limits.md) | Technical constraints and limitations |
-| [CRD Management](docs/crd-management.md) | CRD upgrade, rollback, and migration guide |
+| Document                                                    | Description                                                           |
+|-------------------------------------------------------------|-----------------------------------------------------------------------|
+| [Migration Guide](docs/migration-to-versioned.md)           | Step-by-step guide for migrating from traditional deployments         |
+| [Reversion Guide](docs/migration-to-unversioned.md)         | Step-by-step guide for migrating back to unversioned deployment       |
+| [CD Rollouts](docs/cd-rollouts.md)                          | Helm, kubectl, ArgoCD, and Flux integration for steady-state rollouts |
+| [Architecture](docs/architecture.md)                        | Technical deep-dive into how the controller works                     |
+| [Configuration](docs/configuration.md)                      | Complete configuration reference                                      |
+| [Concepts](docs/concepts.md)                                | Key concepts and terminology                                          |
+| [Limits](docs/limits.md)                                    | Technical constraints and limitations                                 |
+| [WorkerResourceTemplate](docs/worker-resource-templates.md) | Attach HPAs, PDBs, and other resources to each versioned Deployment   |
+| [CRD Management](docs/crd-management.md)                    | CRD upgrade, rollback, and migration guide                            |
 
 ## 🔧 Worker Configuration
 

api/v1alpha1/conditions.go

@@ -0,0 +1,25 @@
+package v1alpha1
+
+// Condition type constants.
+const (
+	// ConditionReady is True for TemporalWorkerDeployment when the Temporal
+	// connection is reachable and the target version is the current version in Temporal.
+	// It is True for WorkerResourceTemplate when all active Build ID instances of the
+	// WorkerResourceTemplate have been successfully applied.
+	ConditionReady = "Ready"
+
+	// ConditionProgressing is True while a rollout is actively in-flight —
+	// i.e., the target version has not yet been promoted to current.
+	ConditionProgressing = "Progressing"
+)
+
+// Deprecated condition type constants. Maintained for backward compatibility with
+// monitoring and automation built against v1.3.x. Use Ready and Progressing
+// instead. These will be removed in the next major version of the CRD.
+const (
+	// Deprecated: Use ConditionReady and ConditionProgressing instead.
+	ConditionTemporalConnectionHealthy = "TemporalConnectionHealthy"
+
+	// Deprecated: Use ConditionReady instead.
+	ConditionRolloutComplete = "RolloutComplete"
+)

api/v1alpha1/webhook_suite_test.go

@@ -5,17 +5,26 @@
 package v1alpha1
 
 import (
+	"bytes"
 	"context"
 	"crypto/tls"
+	"encoding/json"
 	"fmt"
 	"net"
+	"os"
+	"os/exec"
 	"path/filepath"
+	"strings"
 	"testing"
 	"time"
 
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	admissionv1 "k8s.io/api/admission/v1"
+	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
+	authorizationv1 "k8s.io/api/authorization/v1"
+	corev1 "k8s.io/api/core/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
 	//+kubebuilder:scaffold:imports
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/client-go/rest"
@@ -26,6 +35,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 	"sigs.k8s.io/controller-runtime/pkg/metrics/server"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
+	sigsyaml "sigs.k8s.io/yaml"
 )
 
 // These tests use Ginkgo (BDD-style Go testing framework). Refer to
@@ -44,16 +54,24 @@ func TestAPIs(t *testing.T) {
 }
 
 var _ = BeforeSuite(func() {
+	if os.Getenv("KUBEBUILDER_ASSETS") == "" {
+		Skip("Skipping webhook integration tests: KUBEBUILDER_ASSETS not set")
+	}
+
 	logf.SetLogger(zap.New(zap.WriteTo(GinkgoWriter), zap.UseDevMode(true)))
 
 	ctx, cancel = context.WithCancel(context.TODO())
 
 	By("bootstrapping test environment")
+	wrtWebhook := loadWRTWebhookFromHelmChart(filepath.Join("..", "..", "helm", "temporal-worker-controller"))
 	testEnv = &envtest.Environment{
-		CRDDirectoryPaths:     []string{filepath.Join("..", "..", "config", "crd", "bases")},
-		ErrorIfCRDPathMissing: false,
+		CRDDirectoryPaths: []string{
+			// CRDs live in the crds chart's templates directory
+			filepath.Join("..", "..", "helm", "temporal-worker-controller-crds", "templates"),
+		},
+		ErrorIfCRDPathMissing: true,
 		WebhookInstallOptions: envtest.WebhookInstallOptions{
-			Paths: []string{filepath.Join("..", "..", "config", "webhook")},
+			ValidatingWebhooks: []*admissionregistrationv1.ValidatingWebhookConfiguration{wrtWebhook},
 		},
 	}
 
@@ -70,6 +88,19 @@ var _ = BeforeSuite(func() {
 	err = admissionv1.AddToScheme(scheme)
 	Expect(err).NotTo(HaveOccurred())
 
+	// corev1, rbacv1, and authorizationv1 are needed by the integration tests.
+	// corev1: create Namespaces
+	// rbacv1: create Roles and RoleBindings for RBAC setup
+	// authorizationv1: create SubjectAccessReview objects inside the webhook validator
+	err = corev1.AddToScheme(scheme)
+	Expect(err).NotTo(HaveOccurred())
+
+	err = rbacv1.AddToScheme(scheme)
+	Expect(err).NotTo(HaveOccurred())
+
+	err = authorizationv1.AddToScheme(scheme)
+	Expect(err).NotTo(HaveOccurred())
+
 	//+kubebuilder:scaffold:scheme
 
 	k8sClient, err = client.New(cfg, client.Options{Scheme: scheme})
@@ -93,6 +124,17 @@ var _ = BeforeSuite(func() {
 	err = (&TemporalWorkerDeployment{}).SetupWebhookWithManager(mgr)
 	Expect(err).NotTo(HaveOccurred())
 
+	// Set env vars consumed by NewWorkerResourceTemplateValidator before constructing it.
+	// POD_NAMESPACE and SERVICE_ACCOUNT_NAME identify the controller SA for the SAR checks.
+	// "test-system" / "test-controller" are the values used in the integration tests.
+	// ALLOWED_KINDS mirrors the default Helm values so integration tests can create HPAs.
+	Expect(os.Setenv("POD_NAMESPACE", "test-system")).To(Succeed())
+	Expect(os.Setenv("SERVICE_ACCOUNT_NAME", "test-controller")).To(Succeed())
+	Expect(os.Setenv("ALLOWED_KINDS", "HorizontalPodAutoscaler")).To(Succeed())
+
+	err = NewWorkerResourceTemplateValidator(mgr).SetupWebhookWithManager(mgr)
+	Expect(err).NotTo(HaveOccurred())
+
 	//+kubebuilder:scaffold:webhook
 
 	go func() {
@@ -115,7 +157,36 @@ var _ = BeforeSuite(func() {
 
 })
 
+// loadWRTWebhookFromHelmChart renders the Helm chart's webhook.yaml with default values using
+// `helm template` and extracts the ValidatingWebhookConfiguration for WorkerResourceTemplate.
+// This makes the test authoritative against the Helm chart rather than a hand-maintained copy.
+func loadWRTWebhookFromHelmChart(chartPath string) *admissionregistrationv1.ValidatingWebhookConfiguration {
+	out, err := exec.Command("helm", "template", "test", chartPath, "--show-only", "templates/webhook.yaml").Output()
+	Expect(err).NotTo(HaveOccurred(), "helm template failed — is helm installed?")
+
+	// The file contains multiple YAML documents; find the WRT ValidatingWebhookConfiguration.
+	for _, doc := range bytes.Split(out, []byte("\n---\n")) {
+		trimmed := strings.TrimSpace(string(doc))
+		if !strings.Contains(trimmed, "kind: ValidatingWebhookConfiguration") {
+			continue
+		}
+		if !strings.Contains(trimmed, "vworkerresourcetemplate.kb.io") {
+			continue
+		}
+		jsonBytes, convErr := sigsyaml.YAMLToJSON([]byte(trimmed))
+		Expect(convErr).NotTo(HaveOccurred(), "failed to convert WRT webhook YAML to JSON")
+		var wh admissionregistrationv1.ValidatingWebhookConfiguration
+		Expect(json.Unmarshal(jsonBytes, &wh)).To(Succeed(), "failed to decode WRT ValidatingWebhookConfiguration")
+		return &wh
+	}
+	Fail("WRT ValidatingWebhookConfiguration not found in rendered helm chart webhook.yaml")
+	return nil
+}
+
 var _ = AfterSuite(func() {
+	if testEnv == nil {
+		return // BeforeSuite was skipped; nothing to tear down
+	}
 	cancel()
 	By("tearing down the test environment")
 	err := testEnv.Stop()

api/v1alpha1/worker_types.go

@@ -50,11 +50,15 @@ type WorkerOptions struct {
 // TemporalWorkerDeploymentSpec defines the desired state of TemporalWorkerDeployment
 type TemporalWorkerDeploymentSpec struct {
 
-	// Number of desired pods. This is a pointer to distinguish between explicit
-	// zero and not specified. Defaults to 1.
+	// Number of desired pods. When set, the controller manages replicas for all active
+	// worker versions. When omitted (nil), the controller creates versioned Deployments
+	// with nil replicas and never calls UpdateScale on active versions — following the
+	// Kubernetes-recommended pattern for HPA and other external autoscalers
+	// (https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#migrating-deployments-and-statefulsets-to-horizontal-autoscaling).
+	// The controller still scales drained versions (and inactive versions that are not
+	// the rollout target) to zero regardless.
 	// This field makes TemporalWorkerDeploymentSpec implement the scale subresource, which is compatible with auto-scalers.
 	// +optional
-	// +kubebuilder:default=1
 	Replicas *int32 `json:"replicas,omitempty" protobuf:"varint,1,opt,name=replicas"`
 
 	// Template describes the pods that will be created.
@@ -86,29 +90,6 @@ type TemporalWorkerDeploymentSpec struct {
 	WorkerOptions WorkerOptions `json:"workerOptions"`
 }
 
-// Condition type constants for TemporalWorkerDeployment.
-const (
-	// ConditionReady is True when the Temporal connection is reachable and the
-	// target version is the current version in Temporal. CD systems such as
-	// ArgoCD and Flux use this condition to gate deployment success.
-	ConditionReady = "Ready"
-
-	// ConditionProgressing is True while a rollout is actively in-flight —
-	// i.e., the target version has not yet been promoted to current.
-	ConditionProgressing = "Progressing"
-)
-
-// Deprecated condition type constants. Maintained for backward compatibility with
-// monitoring and automation built against v1.3.x. Use Ready and Progressing
-// instead. These will be removed in the next major version of the CRD.
-const (
-	// Deprecated: Use ConditionReady and ConditionProgressing instead.
-	ConditionTemporalConnectionHealthy = "TemporalConnectionHealthy"
-
-	// Deprecated: Use ConditionReady instead.
-	ConditionRolloutComplete = "RolloutComplete"
-)
-
 // Condition reason constants for TemporalWorkerDeployment.
 //
 // These strings appear in status.conditions[].reason and are part of the CRD's