Address code review feedback on docs and resource naming

- Truncate owned resource names to 47 chars (safe for Deployments; avoids
  per-resource-type special cases if Deployment is ever un-banned)
- Fix docs: replace "active Build ID" with "worker version with running workers"
  throughout; "active" is reserved for Ramping/Current versions
- Fix docs: owned-resource deletion is due to versioned Deployment sunset, not
  a separate "version delete" operation
- Fix docs: scaleTargetRef injection applies to any resource type with that field,
  not just HPA; clarify webhook rejects non-null values because controller owns them
- Fix docs: remove undocumented/untested BYO TLS path; cert-manager is required
- Fix docs: expand TWOR abbreviation to full name throughout; remove ⏳ autoscaling
  bullet from README and clarify TWOR is the path for metric/backlog-based autoscaling
- Add note on how to inspect the banned kinds list (BANNED_KINDS env var)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: carlydf

README.md

@@ -5,7 +5,7 @@
 
 > 🚀 **Public Preview**: This project is in [Public Preview](https://docs.temporal.io/evaluate/development-production-features/release-stages) and ready for production use cases*. Core functionality is complete with stable APIs.
 > 
-> *Dynamic auto-scaling based on workflow load is not yet implemented. Use cases must work with fixed worker replica counts.
+> *Autoscaling based on Temporal task queue depth is not yet built in. You can attach Horizontal Pod Autoscalers or KEDA ScaledObjects to each versioned Deployment via [`TemporalWorkerOwnedResource`](docs/owned-resources.md).
 
 **The Temporal Worker Controller makes it simple and safe to deploy Temporal workers on Kubernetes.**
 
@@ -105,8 +105,7 @@ helm install temporal-worker-controller \
 - ✅ **Deletion of resources** associated with drained Worker Deployment Versions
 - ✅ **Multiple rollout strategies**: `Manual`, `AllAtOnce`, and `Progressive` rollouts
 - ✅ **Gate workflows** - Test new versions with a [pre-deployment test](https://docs.temporal.io/production-deployment/worker-deployments/worker-versioning#adding-a-pre-deployment-test) before routing real traffic to them
-- ✅ **Per-version attached resources** - Attach HPAs, PodDisruptionBudgets, or any namespaced Kubernetes resource to each active worker version via [`TemporalWorkerOwnedResource`](docs/owned-resources.md)
-- ⏳ **Temporal-aware auto-scaling** - Scaling based on workflow task queue depth is not yet implemented
+- ✅ **Per-version attached resources** - Attach HPAs, KEDA ScaledObjects, PodDisruptionBudgets, or any namespaced Kubernetes resource to each worker version with running workers via [`TemporalWorkerOwnedResource`](docs/owned-resources.md) — this is also the recommended path for metric-based and backlog-based autoscaling
 
 
 ## 💡 Why Use This?

docs/owned-resources.md

@@ -1,44 +1,67 @@
 # TemporalWorkerOwnedResource
 
-`TemporalWorkerOwnedResource` (TWOR) lets you attach arbitrary Kubernetes resources — HPAs, PodDisruptionBudgets, custom CRDs — to each active versioned Deployment managed by a `TemporalWorkerDeployment`. The controller creates one copy of the resource per active Build ID, automatically wired to the correct versioned Deployment.
+`TemporalWorkerOwnedResource` lets you attach arbitrary Kubernetes resources — HPAs, PodDisruptionBudgets, KEDA ScaledObjects, custom CRDs — to each worker version that has running workers. The controller creates one copy of the resource per worker version with a running Deployment, automatically wired to the correct versioned Deployment.
 
 ## Why you need this
 
 The Temporal Worker Controller creates one Kubernetes `Deployment` per worker version (Build ID). If you attach an HPA directly to a single Deployment, it breaks as versions roll over — the old HPA still targets the old Deployment, the new Deployment has no HPA, and you have to manage cleanup yourself.
 
-`TemporalWorkerOwnedResource` solves this by treating the attached resource as a template. The controller renders one instance per active Build ID, injects the correct versioned Deployment name, and cleans up automatically when a version is deleted (via Kubernetes owner reference garbage collection).
+`TemporalWorkerOwnedResource` solves this by treating the attached resource as a template. The controller renders one instance per worker version with running workers, injects the correct versioned Deployment name, and cleans up automatically when the versioned Deployment is deleted (e.g., during the sunset process after traffic has drained).
+
+This is also the recommended mechanism for metric-based or backlog-based autoscaling: attach a KEDA `ScaledObject` (or a standard HPA with custom metrics) to your workers and the controller keeps one per running worker version, each pointing at the right Deployment.
 
 ## How it works
 
 1. You create a `TemporalWorkerOwnedResource` that references a `TemporalWorkerDeployment` and contains the resource spec in `spec.object`.
 2. The validating webhook checks that you have permission to manage that resource type yourself (SubjectAccessReview), and that the resource kind isn't on the banned list.
-3. On each reconcile loop, the controller renders one copy of `spec.object` per active Build ID, injects fields (see below), and applies it via Server-Side Apply.
+3. On each reconcile loop, the controller renders one copy of `spec.object` per worker version with a running Deployment, injects fields (see below), and applies it via Server-Side Apply.
 4. Each copy is owned by the corresponding versioned `Deployment`, so it is garbage-collected automatically when that Deployment is deleted.
-5. `TWOR.status.versions` is updated with the applied/failed status for each Build ID.
+5. `TemporalWorkerOwnedResource.status.versions` is updated with the applied/failed status for each Build ID.
 
 ## Auto-injection
 
-The controller auto-injects two fields when you set them to `null` in `spec.object`. Setting them to `null` is the explicit signal that you want injection — if you omit the field entirely, nothing is injected; if you set a non-null value, the webhook rejects the object.
+The controller auto-injects two fields when you set them to `null` in `spec.object`. Setting them to `null` is the explicit signal that you want injection:
+- If you omit the field entirely, nothing is injected.
+- If you set a non-null value, the webhook rejects the object because the controller owns these fields.
 
 | Field | Injected value |
 |-------|---------------|
-| `spec.scaleTargetRef` (HPA) | `{apiVersion: apps/v1, kind: Deployment, name: <versioned-deployment-name>}` |
-| `spec.selector.matchLabels` (any) | `{temporal.io/build-id: <buildID>, temporal.io/deployment-name: <twdName>}` |
+| `spec.scaleTargetRef` (any resource with this field) | `{apiVersion: apps/v1, kind: Deployment, name: <versioned-deployment-name>}` |
+| `spec.selector.matchLabels` (any resource with this field) | `{temporal.io/build-id: <buildID>, temporal.io/deployment-name: <twdName>}` |
+
+The `scaleTargetRef` injection applies to any resource type that has a `scaleTargetRef` field — not just HPAs. KEDA `ScaledObjects` and other autoscaler CRDs use the same field and benefit from the same injection.
 
 ## Resource naming
 
-Each per-Build-ID copy is named `<twdName>-<tworName>-<buildID>`, cleaned for DNS and truncated to 253 characters. Use `kubectl get hpa` (or whatever kind you attached) after a reconcile to see the created resources.
+Each per-Build-ID copy is given a unique, DNS-safe name derived from the `(twdName, tworName, buildID)` triple. Names are capped at 47 characters to be safe for all Kubernetes resource types, including Deployment (which has pod-naming constraints that effectively limit deployment names to ~47 characters). The name always ends with an 8-character hash of the full triple, so uniqueness is guaranteed even when the human-readable prefix is truncated.
+
+Use `kubectl get <kind>` after a reconcile to see the created resources and their names.
+
+## Banned resource kinds
+
+Certain resource kinds are blocked by default to prevent misuse (e.g., using `TemporalWorkerOwnedResource` to spin up arbitrary workloads). The default banned list is:
+
+```
+Deployment, StatefulSet, Job, Pod, CronJob
+```
+
+The banned list is configured via `ownedResourceConfig.bannedKinds` in Helm values and is visible as the `BANNED_KINDS` environment variable on the controller pod:
+
+```bash
+kubectl get pod -n <controller-namespace> -l app.kubernetes.io/name=temporal-worker-controller \
+  -o jsonpath='{.items[0].spec.containers[0].env[?(@.name=="BANNED_KINDS")].value}'
+```
 
 ## RBAC
 
 ### What the webhook checks
 
-When you create or update a TWOR, the webhook performs SubjectAccessReviews to verify:
+When you create or update a `TemporalWorkerOwnedResource`, the webhook performs SubjectAccessReviews to verify:
 
 1. **You** (the requesting user) can create/update the embedded resource type in that namespace.
 2. **The controller's service account** can create/update the embedded resource type in that namespace.
 
-If either check fails, the TWOR is rejected. This prevents privilege escalation — you cannot use TWOR to create resources you don't already have permission to create yourself.
+If either check fails, the request is rejected. This prevents privilege escalation — you cannot use `TemporalWorkerOwnedResource` to create resources you don't already have permission to create yourself.
 
 ### What to configure in Helm
 
@@ -58,26 +81,13 @@ Add entries for any other resource types you want to attach (e.g., KEDA `ScaledO
 
 ### What to configure for your users
 
-Users who create TWORs also need RBAC permission to manage the embedded resource type directly. For example, to let a team create TWORs that embed HPAs, they need the standard `autoscaling` permissions in their namespace — there is nothing TWOR-specific to configure for this.
+Users who create `TemporalWorkerOwnedResources` also need RBAC permission to manage the embedded resource type directly. For example, to let a team create `TemporalWorkerOwnedResources` that embed HPAs, they need the standard `autoscaling` permissions in their namespace — there is nothing `TemporalWorkerOwnedResource`-specific to configure for this.
 
 ## Webhook TLS
 
-The TWOR validating webhook requires TLS. The recommended approach is to install [cert-manager](https://cert-manager.io/docs/installation/) before deploying the controller — the Helm chart handles everything else automatically (`certmanager.enabled: true` is the default).
-
-If cert-manager is not available in your cluster, set `certmanager.enabled: false` and provide:
-1. A `kubernetes.io/tls` Secret named `webhook-server-cert` in the controller namespace, containing `tls.crt` and `tls.key` for the webhook server. The certificate must have DNS SANs:
-   - `<release-name>-webhook-service.<namespace>.svc`
-   - `<release-name>-webhook-service.<namespace>.svc.cluster.local`
-2. The base64-encoded CA certificate that signed `tls.crt`, passed as `certmanager.caBundle` in Helm values.
-
-```bash
-helm install temporal-worker-controller oci://docker.io/temporalio/temporal-worker-controller \
-  --namespace temporal-system \
-  --set certmanager.enabled=false \
-  --set certmanager.caBundle="$(base64 -w0 ca.crt)"
-```
+The `TemporalWorkerOwnedResource` validating webhook requires TLS. Install [cert-manager](https://cert-manager.io/docs/installation/) before deploying the controller — the Helm chart handles everything else automatically (`certmanager.enabled: true` is the default).
 
-## Example: HPA per Build ID
+## Example: HPA per worker version
 
 ```yaml
 apiVersion: temporal.io/v1alpha1
@@ -90,7 +100,8 @@ spec:
   workerRef:
     name: my-worker
 
-  # The resource template. The controller creates one copy per active Build ID.
+  # The resource template. The controller creates one copy per worker version
+  # with a running Deployment.
   object:
     apiVersion: autoscaling/v2
     kind: HorizontalPodAutoscaler
@@ -111,7 +122,7 @@ spec:
 
 See [examples/twor-hpa.yaml](../examples/twor-hpa.yaml) for an example pre-configured for the helloworld demo.
 
-## Example: PodDisruptionBudget per Build ID
+## Example: PodDisruptionBudget per worker version
 
 ```yaml
 apiVersion: temporal.io/v1alpha1
@@ -135,11 +146,12 @@ spec:
 ## Checking status
 
 ```bash
-# See all TWORs and which TWD they reference
-kubectl get twor -n my-namespace
+# See all TemporalWorkerOwnedResources and which TWD they reference
+kubectl get temporalworkerownedresource -n my-namespace
 
 # See per-Build-ID apply status
-kubectl get twor my-worker-hpa -n my-namespace -o jsonpath='{.status.versions}' | jq .
+kubectl get temporalworkerownedresource my-worker-hpa -n my-namespace \
+  -o jsonpath='{.status.versions}' | jq .
 
 # See the created HPAs
 kubectl get hpa -n my-namespace

internal/demo/README.md

@@ -123,29 +123,29 @@ kubectl get twd
 
 ### Testing TemporalWorkerOwnedResource (per-version HPA)
 
-`TemporalWorkerOwnedResource` (TWOR) lets you attach Kubernetes resources — HPAs, PodDisruptionBudgets, etc. — to each active versioned Deployment. The controller creates one copy per active Build ID and wires it to the correct Deployment automatically.
+`TemporalWorkerOwnedResource` lets you attach Kubernetes resources — HPAs, PodDisruptionBudgets, etc. — to each worker version with running workers. The controller creates one copy per worker version with a running Deployment and wires it to the correct Deployment automatically.
 
-The TWOR validating webhook enforces that you have permission to create the embedded resource type yourself, and it requires TLS (provided by cert-manager, installed in step 3 above).
+The `TemporalWorkerOwnedResource` validating webhook enforces that you have permission to create the embedded resource type yourself, and it requires TLS (provided by cert-manager, installed in step 3 above).
 
 After deploying the helloworld worker (step 5), apply the example HPA:
 
 ```bash
 kubectl apply -f examples/twor-hpa.yaml
 ```
 
-Watch the controller create an HPA for each active Build ID:
+Watch the controller create an HPA for each worker version with running workers:
 
 ```bash
-# See TWOR status (Applied: true once the controller reconciles)
-kubectl get twor
+# See TemporalWorkerOwnedResource status (Applied: true once the controller reconciles)
+kubectl get temporalworkerownedresource
 
 # See the per-Build-ID HPAs
 kubectl get hpa
 ```
 
-You should see one HPA per active worker version, with `scaleTargetRef` automatically pointing at the correct versioned Deployment.
+You should see one HPA per worker version with running workers, with `scaleTargetRef` automatically pointing at the correct versioned Deployment.
 
-When you deploy a new worker version (e.g., step 8), the controller creates a new HPA for the new Build ID and keeps the old one until that version is deleted.
+When you deploy a new worker version (e.g., step 8), the controller creates a new HPA for the new Build ID and keeps the old one until that versioned Deployment is deleted during the sunset process.
 
 See [docs/owned-resources.md](../../docs/owned-resources.md) for full documentation.
 

internal/k8s/ownedresources.go

@@ -39,10 +39,12 @@ func OwnedResourceFieldManager(twor *temporaliov1alpha1.TemporalWorkerOwnedResou
 
 const (
 	// ownedResourceMaxNameLen is the maximum length of a generated owned resource name.
-	// 253 is the RFC 1123 DNS subdomain limit used by most Kubernetes resource types
-	// (HPA, PDB, and most CRDs). Resources with stricter limits (e.g. 63-char DNS
-	// labels) are rare for the autoscaler/policy use cases TWOR targets.
-	ownedResourceMaxNameLen = 253
+	// 47 is chosen to be safe for Deployment resources: a pod name is composed of
+	// "{deployment-name}-{rs-hash}-{pod-hash}" where the hashes add ~17 characters,
+	// and pod names must be ≤63 characters. Using 47 as the limit ensures that the
+	// generated names work even if the user un-bans Deployment as an owned resource
+	// kind, avoiding special-casing per resource type.
+	ownedResourceMaxNameLen = 47
 
 	// ownedResourceHashLen is the number of hex characters used for the uniqueness suffix.
 	// 8 hex chars = 4 bytes = 32 bits, giving negligible collision probability

internal/k8s/ownedresources_test.go

@@ -25,7 +25,7 @@ func expectedOwnedResourceName(twdName, tworName, buildID string) string {
 	h := sha256.Sum256([]byte(twdName + tworName + buildID))
 	hashSuffix := hex.EncodeToString(h[:4])
 	raw := CleanStringForDNS(twdName + "-" + tworName + "-" + buildID)
-	prefix := strings.TrimRight(TruncateString(raw, 253-9), "-")
+	prefix := strings.TrimRight(TruncateString(raw, 47-9), "-")
 	return prefix + "-" + hashSuffix
 }
 
@@ -34,14 +34,14 @@ func TestComputeOwnedResourceName(t *testing.T) {
 		got := ComputeOwnedResourceName("my-worker", "my-hpa", "image-abc123")
 		// Should start with the human-readable prefix
 		assert.True(t, strings.HasPrefix(got, "my-worker-my-hpa-image-abc123-"), "got: %q", got)
-		// Should be ≤ 253 chars
-		assert.LessOrEqual(t, len(got), 253)
+		// Should be ≤ 47 chars
+		assert.LessOrEqual(t, len(got), 47)
 	})
 
 	t.Run("special chars are cleaned for DNS", func(t *testing.T) {
 		got := ComputeOwnedResourceName("my_worker", "my/hpa", "image:latest")
 		assert.True(t, strings.HasPrefix(got, "my-worker-my-hpa-image-latest-"), "got: %q", got)
-		assert.LessOrEqual(t, len(got), 253)
+		assert.LessOrEqual(t, len(got), 47)
 	})
 
 	t.Run("deterministic — same inputs always produce same name", func(t *testing.T) {
@@ -57,7 +57,7 @@ func TestComputeOwnedResourceName(t *testing.T) {
 		assert.NotEqual(t, name1, name2)
 	})
 
-	t.Run("very long names are still ≤ 253 chars and distinct per buildID", func(t *testing.T) {
+	t.Run("very long names are still ≤ 47 chars and distinct per buildID", func(t *testing.T) {
 		longTWD := strings.Repeat("w", 63)
 		longTWOR := strings.Repeat("r", 253) // maximum k8s object name
 		buildID1 := "build-" + strings.Repeat("a", 57)
@@ -66,8 +66,8 @@ func TestComputeOwnedResourceName(t *testing.T) {
 		n1 := ComputeOwnedResourceName(longTWD, longTWOR, buildID1)
 		n2 := ComputeOwnedResourceName(longTWD, longTWOR, buildID2)
 
-		assert.LessOrEqual(t, len(n1), 253, "name1 length: %d", len(n1))
-		assert.LessOrEqual(t, len(n2), 253, "name2 length: %d", len(n2))
+		assert.LessOrEqual(t, len(n1), 47, "name1 length: %d", len(n1))
+		assert.LessOrEqual(t, len(n2), 47, "name2 length: %d", len(n2))
 		assert.NotEqual(t, n1, n2, "names must differ even when prefix is fully truncated")
 	})