Merge branch 'main' of github.com:temporalio/temporal-worker-controller into dependabot/go_modules/internal/tests/github.com/jackc/pgx/v5-5.9.0

Author: carlydf

.github/workflows/helm-validate.yml

@@ -74,13 +74,27 @@ jobs:
       - name: Template CRDs chart
         run: helm template test-release helm/temporal-worker-controller-crds
 
+  helm-check-rbac:
+    name: Check Helm RBAC wasn't manually updated
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - name: Regenerate and diff
+        run: make manifests && git diff --exit-code helm/temporal-worker-controller/templates/rbac.yaml
+
   helm-validate-succeed:
     name: All Helm Validations Succeed
     needs:
       - helm-lint
       - helm-template
       - helm-lint-crds
       - helm-template-crds
+      - helm-check-rbac
     runs-on: ubuntu-latest
     if: always()
     env:

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.25 AS builder
+FROM golang:1.26 AS builder
 ARG TARGETOS
 ARG TARGETARCH
 

Makefile

@@ -153,6 +153,7 @@ help: ## Display this help.
 manifests: controller-gen ## Generate ClusterRole and CustomResourceDefinition objects.
 	GOWORK=off GO111MODULE=on $(CONTROLLER_GEN) rbac:roleName=manager-role crd:allowDangerousTypes=true,maxDescLen=0,generateEmbeddedObjectMeta=true paths=./api/... paths=./internal/... paths=./cmd/... \
     output:crd:artifacts:config=helm/temporal-worker-controller-crds/templates
+	python3 hack/sync-rbac-rules.py
 
 .PHONY: generate
 generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.

README.md

@@ -18,7 +18,7 @@ Temporal's [Worker Versioning](https://docs.temporal.io/production-deployment/wo
 📦 **Automatic version management** - Registers versions with Temporal, manages routing rules, and tracks version lifecycle  
 🎯 **Smart traffic routing** - New workflows automatically get routed to your target worker version  
 🛡️ **Progressive rollouts** - Catch incompatible changes early with small traffic percentages before they spread  
-⚡ **Easy rollbacks** - Instantly route traffic back to a previous version if issues are detected
+⚡ **Easy rollbacks** - Instantly route traffic back to a previous version if issues are detected  
 📈 **Per-version autoscaling** - Attach HPAs or other custom scalers to each versioned Deployment via [`WorkerResourceTemplate`](docs/worker-resource-templates.md)
 
 ## Quick Example
@@ -145,6 +145,7 @@ The Temporal Worker Controller eliminates this operational overhead by automatin
 
 | Document                                                    | Description                                                           |
 |-------------------------------------------------------------|-----------------------------------------------------------------------|
+| [Releases](docs/release.md)                                 | How we version and release the controller and Helm Chart              |
 | [Migration Guide](docs/migration-to-versioned.md)           | Step-by-step guide for migrating from traditional deployments         |
 | [Reversion Guide](docs/migration-to-unversioned.md)         | Step-by-step guide for migrating back to unversioned deployment       |
 | [CD Rollouts](docs/cd-rollouts.md)                          | Helm, kubectl, ArgoCD, and Flux integration for steady-state rollouts |

api/v1alpha1/temporalconnection_types.go

@@ -27,8 +27,10 @@ type TemporalConnectionSpec struct {
 	HostPort string `json:"hostPort"`
 
 	// MutualTLSSecretRef is the name of the Secret that contains the TLS certificate and key
-	// for mutual TLS authentication. The secret must be `type: kubernetes.io/tls` and exist
-	// in the same Kubernetes namespace as the TemporalConnection resource.
+	// for mutual TLS authentication. The secret must be `type: kubernetes.io/tls` or
+	// `type: Opaque` and exist in the same Kubernetes namespace as the TemporalConnection
+	// resource. Opaque secrets are useful when bundling tls.crt, tls.key, and ca.crt into
+	// a single secret (e.g. multi-file cert-manager outputs).
 	//
 	// More information about creating a TLS secret:
 	// https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets

api/v1alpha1/temporalworker_webhook.go

@@ -7,7 +7,6 @@ package v1alpha1
 import (
 	"context"
 	"fmt"
-	"time"
 
 	"github.com/temporalio/temporal-worker-controller/internal/defaults"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -19,10 +18,6 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 )
 
-const (
-	maxTemporalWorkerDeploymentNameLen = 63
-)
-
 func (r *TemporalWorkerDeployment) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewWebhookManagedBy(mgr).
 		For(r).
@@ -85,71 +80,37 @@ func (r *TemporalWorkerDeployment) validateForUpdateOrCreate(ctx context.Context
 }
 
 func validateForUpdateOrCreate(old, new *TemporalWorkerDeployment) (admission.Warnings, error) {
-	var allErrs field.ErrorList
-
-	if len(new.GetName()) > maxTemporalWorkerDeploymentNameLen {
-		allErrs = append(allErrs,
-			field.Invalid(field.NewPath("metadata.name"), new.GetName(), fmt.Sprintf("cannot be more than %d characters", maxTemporalWorkerDeploymentNameLen)),
-		)
-	}
-
-	allErrs = append(allErrs, validateRolloutStrategy(new.Spec.RolloutStrategy)...)
-
+	allErrs := validateRolloutStrategy(new.Spec.RolloutStrategy)
 	if len(allErrs) > 0 {
 		return nil, newInvalidErr(new, allErrs)
 	}
-
 	return nil, nil
 }
 
+// validateRolloutStrategy checks constraints that the CRD schema cannot enforce:
+// rampPercentage must be strictly increasing across steps, and gate.input and
+// gate.inputFrom are mutually exclusive (gate.input is an unstructured JSON field
+// invisible to CEL). All other rollout constraints are enforced by the CRD CEL rules.
 func validateRolloutStrategy(s RolloutStrategy) []*field.Error {
 	var allErrs []*field.Error
 
 	if s.Strategy == UpdateProgressive {
-		rolloutSteps := s.Steps
-		if len(rolloutSteps) == 0 {
-			allErrs = append(allErrs,
-				field.Invalid(field.NewPath("spec.rollout.steps"), rolloutSteps, "steps are required for Progressive rollout"),
-			)
-		}
 		var lastRamp int
-		for i, s := range rolloutSteps {
-			// Check duration >= 30s
-			if s.PauseDuration.Duration < 30*time.Second {
+		for i, step := range s.Steps {
+			if step.RampPercentage <= lastRamp {
 				allErrs = append(allErrs,
-					field.Invalid(field.NewPath(fmt.Sprintf("spec.rollout.steps[%d].pauseDuration", i)), s.PauseDuration.Duration.String(), "pause duration must be at least 30s"),
+					field.Invalid(field.NewPath(fmt.Sprintf("spec.rollout.steps[%d].rampPercentage", i)), step.RampPercentage, "rampPercentage must increase between each step"),
 				)
 			}
-
-			// Check ramp value greater than last
-			if s.RampPercentage <= lastRamp {
-				allErrs = append(allErrs,
-					field.Invalid(field.NewPath(fmt.Sprintf("spec.rollout.steps[%d].rampPercentage", i)), s.RampPercentage, "rampPercentage must increase between each step"),
-				)
-			}
-			lastRamp = s.RampPercentage
+			lastRamp = step.RampPercentage
 		}
 	}
 
-	// Validate gate input fields
-	if s.Gate != nil {
-		gate := s.Gate
-		if gate.Input != nil && gate.InputFrom != nil {
-			allErrs = append(allErrs,
-				field.Invalid(field.NewPath("spec.rollout.gate"), "input & inputFrom",
-					"only one of input or inputFrom may be set"),
-			)
-		}
-		if gate.InputFrom != nil {
-			cm := gate.InputFrom.ConfigMapKeyRef
-			sec := gate.InputFrom.SecretKeyRef
-			if (cm == nil && sec == nil) || (cm != nil && sec != nil) {
-				allErrs = append(allErrs,
-					field.Invalid(field.NewPath("spec.rollout.gate.inputFrom"), gate.InputFrom,
-						"exactly one of configMapKeyRef or secretKeyRef must be set"),
-				)
-			}
-		}
+	if s.Gate != nil && s.Gate.Input != nil && s.Gate.InputFrom != nil {
+		allErrs = append(allErrs,
+			field.Invalid(field.NewPath("spec.rollout.gate"), "input & inputFrom",
+				"only one of input or inputFrom may be set"),
+		)
 	}
 
 	return allErrs

api/v1alpha1/temporalworker_webhook_test.go

@@ -27,10 +27,6 @@ func TestTemporalWorkerDeployment_ValidateCreate(t *testing.T) {
 		"valid temporal worker deployment": {
 			obj: testhelpers.MakeTWDWithName("valid-worker", ""),
 		},
-		"temporal worker deployment with name too long": {
-			obj:      testhelpers.MakeTWDWithName("this-is-a-very-long-temporal-worker-deployment-name-that-exceeds-the-maximum-allowed-length-of-sixty-three-characters", ""),
-			errorMsg: "cannot be more than 63 characters",
-		},
 		"invalid object type": {
 			obj: &corev1.Pod{
 				ObjectMeta: metav1.ObjectMeta{
@@ -39,14 +35,6 @@ func TestTemporalWorkerDeployment_ValidateCreate(t *testing.T) {
 			},
 			errorMsg: "expected a TemporalWorkerDeployment",
 		},
-		"missing rollout steps": {
-			obj: testhelpers.ModifyObj(testhelpers.MakeTWDWithName("prog-rollout-missing-steps", ""), func(obj *temporaliov1alpha1.TemporalWorkerDeployment) *temporaliov1alpha1.TemporalWorkerDeployment {
-				obj.Spec.RolloutStrategy.Strategy = temporaliov1alpha1.UpdateProgressive
-				obj.Spec.RolloutStrategy.Steps = nil
-				return obj
-			}),
-			errorMsg: "spec.rollout.steps: Invalid value: null: steps are required for Progressive rollout",
-		},
 		"ramp value for step <= previous step": {
 			obj: testhelpers.ModifyObj(testhelpers.MakeTWDWithName("prog-rollout-decreasing-ramps", ""), func(obj *temporaliov1alpha1.TemporalWorkerDeployment) *temporaliov1alpha1.TemporalWorkerDeployment {
 				obj.Spec.RolloutStrategy.Strategy = temporaliov1alpha1.UpdateProgressive
@@ -62,18 +50,6 @@ func TestTemporalWorkerDeployment_ValidateCreate(t *testing.T) {
 			}),
 			errorMsg: "[spec.rollout.steps[2].rampPercentage: Invalid value: 9: rampPercentage must increase between each step, spec.rollout.steps[4].rampPercentage: Invalid value: 50: rampPercentage must increase between each step]",
 		},
-		"pause duration < 30s": {
-			obj: testhelpers.ModifyObj(testhelpers.MakeTWDWithName("prog-rollout-decreasing-ramps", ""), func(obj *temporaliov1alpha1.TemporalWorkerDeployment) *temporaliov1alpha1.TemporalWorkerDeployment {
-				obj.Spec.RolloutStrategy.Strategy = temporaliov1alpha1.UpdateProgressive
-				obj.Spec.RolloutStrategy.Steps = []temporaliov1alpha1.RolloutStep{
-					{10, metav1.Duration{Duration: time.Minute}},
-					{25, metav1.Duration{Duration: 10 * time.Second}},
-					{50, metav1.Duration{Duration: time.Minute}},
-				}
-				return obj
-			}),
-			errorMsg: `spec.rollout.steps[1].pauseDuration: Invalid value: "10s": pause duration must be at least 30s`,
-		},
 	}
 
 	for name, tc := range tests {
@@ -110,11 +86,6 @@ func TestTemporalWorkerDeployment_ValidateUpdate(t *testing.T) {
 			oldObj: nil,
 			newObj: testhelpers.MakeTWDWithName("valid-worker", ""),
 		},
-		"update with name too long": {
-			oldObj:   nil,
-			newObj:   testhelpers.MakeTWDWithName("this-is-a-very-long-temporal-worker-deployment-name-that-exceeds-the-maximum-allowed-length-of-sixty-three-characters", ""),
-			errorMsg: "cannot be more than 63 characters",
-		},
 	}
 
 	for name, tc := range tests {

api/v1alpha1/temporalworkerdeployment_cel_validation_test.go

@@ -0,0 +1,122 @@
+// Unless explicitly stated otherwise all files in this repository are licensed under the MIT License.
+//
+// This product includes software developed at Datadog (https://www.datadoghq.com/). Copyright 2024 Datadog, Inc.
+
+package v1alpha1
+
+// Integration tests for CRD-level CEL validation rules on TemporalWorkerDeployment.
+//
+// These tests hit a real kube-apiserver (via envtest) so they verify that the
+// x-kubernetes-validations blocks in the generated CRD manifest are syntactically
+// valid and semantically correct. The webhook Go code is NOT involved here — we are
+// testing what the API server enforces regardless of whether the webhook is enabled.
+
+import (
+	"strings"
+	"time"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+var _ = Describe("TemporalWorkerDeployment CRD CEL validation", func() {
+	var ns string
+
+	BeforeEach(func() {
+		ns = makeTestNamespace("twd-cel")
+	})
+
+	// baseTWD returns a minimal valid TWD in the given namespace.
+	baseTWD := func(name string) *TemporalWorkerDeployment {
+		return &TemporalWorkerDeployment{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: ns,
+			},
+			Spec: TemporalWorkerDeploymentSpec{
+				Template: corev1.PodTemplateSpec{
+					Spec: corev1.PodSpec{
+						Containers: []corev1.Container{{Name: "worker", Image: "worker:latest"}},
+					},
+				},
+				RolloutStrategy: RolloutStrategy{Strategy: UpdateAllAtOnce},
+				WorkerOptions: WorkerOptions{
+					TemporalConnectionRef: TemporalConnectionReference{Name: "my-connection"},
+					TemporalNamespace:     "default",
+				},
+			},
+		}
+	}
+
+	It("accepts a valid TWD", func() {
+		Expect(k8sClient.Create(ctx, baseTWD("valid-worker"))).To(Succeed())
+	})
+
+	It("rejects name longer than 63 characters", func() {
+		twd := baseTWD(strings.Repeat("a", 64))
+		err := k8sClient.Create(ctx, twd)
+		Expect(err).To(HaveOccurred())
+		Expect(err.Error()).To(ContainSubstring("name cannot be more than 63 characters"))
+	})
+
+	It("rejects Progressive strategy with no steps", func() {
+		twd := baseTWD("prog-no-steps")
+		twd.Spec.RolloutStrategy = RolloutStrategy{Strategy: UpdateProgressive}
+		err := k8sClient.Create(ctx, twd)
+		Expect(err).To(HaveOccurred())
+		Expect(err.Error()).To(ContainSubstring("steps are required for Progressive rollout"))
+	})
+
+	It("rejects more than 20 Progressive steps", func() {
+		steps := make([]RolloutStep, 21)
+		for i := range steps {
+			steps[i] = RolloutStep{
+				RampPercentage: i + 1,
+				PauseDuration:  metav1.Duration{Duration: time.Minute},
+			}
+		}
+		twd := baseTWD("prog-too-many-steps")
+		twd.Spec.RolloutStrategy = RolloutStrategy{Strategy: UpdateProgressive, Steps: steps}
+		err := k8sClient.Create(ctx, twd)
+		Expect(err).To(HaveOccurred())
+		Expect(err.Error()).To(ContainSubstring("Too many"))
+	})
+
+	It("rejects a Progressive step with pauseDuration less than 30s", func() {
+		twd := baseTWD("short-pause")
+		twd.Spec.RolloutStrategy = RolloutStrategy{
+			Strategy: UpdateProgressive,
+			Steps: []RolloutStep{
+				{RampPercentage: 50, PauseDuration: metav1.Duration{Duration: 10 * time.Second}},
+			},
+		}
+		err := k8sClient.Create(ctx, twd)
+		Expect(err).To(HaveOccurred())
+		Expect(err.Error()).To(ContainSubstring("pause duration must be at least 30s"))
+	})
+
+	It("rejects gate.inputFrom with both configMapKeyRef and secretKeyRef set", func() {
+		twd := baseTWD("bad-gate-inputfrom")
+		twd.Spec.RolloutStrategy = RolloutStrategy{
+			Strategy: UpdateAllAtOnce,
+			Gate: &GateWorkflowConfig{
+				WorkflowType: "my-gate",
+				InputFrom: &GateInputSource{
+					ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
+						LocalObjectReference: corev1.LocalObjectReference{Name: "my-cm"},
+						Key:                  "key",
+					},
+					SecretKeyRef: &corev1.SecretKeySelector{
+						LocalObjectReference: corev1.LocalObjectReference{Name: "my-secret"},
+						Key:                  "key",
+					},
+				},
+			},
+		}
+		err := k8sClient.Create(ctx, twd)
+		Expect(err).To(HaveOccurred())
+		Expect(err.Error()).To(ContainSubstring("exactly one of configMapKeyRef or secretKeyRef must be set"))
+	})
+})