Add TemporalWorkerOwnedResource docs, HPA example, and cert-manager setup

- docs/owned-resources.md: full TWOR reference (auto-injection, RBAC, webhook TLS, examples)
- examples/twor-hpa.yaml: ready-to-apply HPA example for the helloworld demo
- helm/webhook.yaml + values.yaml: add certmanager.caBundle for BYO TLS without cert-manager
- internal/demo/README.md: add cert-manager install step and TWOR demo walkthrough
- README.md + docs/README.md: add cert-manager prerequisite, TWOR feature bullet, and doc link

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: carlydf

README.md

@@ -78,6 +78,7 @@ When you update the image, the controller automatically:
 - Helm [v3.0+](https://github.com/helm/helm/releases) if deploying via our Helm chart
 - [Temporal Server](https://docs.temporal.io/) (Cloud or self-hosted [v1.29.1](https://github.com/temporalio/temporal/releases/tag/v1.29.1))
 - Basic familiarity with Temporal [Workers](https://docs.temporal.io/workers), [Workflows](https://docs.temporal.io/workflows), and [Worker Versioning](https://docs.temporal.io/production-deployment/worker-deployments/worker-versioning)
+- **[cert-manager](https://cert-manager.io/docs/installation/)** *(required for `TemporalWorkerOwnedResource`)* — the controller installs a validating webhook for TWOR objects that requires TLS. cert-manager handles certificate provisioning automatically. If cert-manager is not available in your cluster, see [Webhook TLS without cert-manager](docs/owned-resources.md#webhook-tls) for the manual setup.
 
 ### 🔧 Installation
 
@@ -104,7 +105,8 @@ helm install temporal-worker-controller \
 - ✅ **Deletion of resources** associated with drained Worker Deployment Versions
 - ✅ **Multiple rollout strategies**: `Manual`, `AllAtOnce`, and `Progressive` rollouts
 - ✅ **Gate workflows** - Test new versions with a [pre-deployment test](https://docs.temporal.io/production-deployment/worker-deployments/worker-versioning#adding-a-pre-deployment-test) before routing real traffic to them
-- ⏳ **Load-based auto-scaling** - Not yet implemented (use fixed replica counts)
+- ✅ **Per-version attached resources** - Attach HPAs, PodDisruptionBudgets, or any namespaced Kubernetes resource to each active worker version via [`TemporalWorkerOwnedResource`](docs/owned-resources.md)
+- ⏳ **Temporal-aware auto-scaling** - Scaling based on workflow task queue depth is not yet implemented
 
 
 ## 💡 Why Use This?
@@ -137,6 +139,7 @@ The Temporal Worker Controller eliminates this operational overhead by automatin
 | [Configuration](docs/configuration.md) | Complete configuration reference |
 | [Concepts](docs/concepts.md) | Key concepts and terminology |
 | [Limits](docs/limits.md) | Technical constraints and limitations |
+| [TemporalWorkerOwnedResource](docs/owned-resources.md) | Attach HPAs, PDBs, and other resources to each versioned Deployment |
 
 ## 🔧 Worker Configuration
 

docs/README.md

@@ -30,6 +30,9 @@ Technical constraints and limitations of the Temporal Worker Controller system,
 ### [Ownership](ownership.md)
 How the controller gets permission to manage a Worker Deployment, how a human client can take or give back control.
 
+### [TemporalWorkerOwnedResource](owned-resources.md)
+How to attach HPAs, PodDisruptionBudgets, and other Kubernetes resources to each active versioned Deployment. Covers the auto-injection model, RBAC setup, webhook TLS, and examples.
+
 ---
 
 *Note: This documentation structure is designed to grow with the project.*

docs/owned-resources.md

@@ -0,0 +1,146 @@
+# TemporalWorkerOwnedResource
+
+`TemporalWorkerOwnedResource` (TWOR) lets you attach arbitrary Kubernetes resources — HPAs, PodDisruptionBudgets, custom CRDs — to each active versioned Deployment managed by a `TemporalWorkerDeployment`. The controller creates one copy of the resource per active Build ID, automatically wired to the correct versioned Deployment.
+
+## Why you need this
+
+The Temporal Worker Controller creates one Kubernetes `Deployment` per worker version (Build ID). If you attach an HPA directly to a single Deployment, it breaks as versions roll over — the old HPA still targets the old Deployment, the new Deployment has no HPA, and you have to manage cleanup yourself.
+
+`TemporalWorkerOwnedResource` solves this by treating the attached resource as a template. The controller renders one instance per active Build ID, injects the correct versioned Deployment name, and cleans up automatically when a version is deleted (via Kubernetes owner reference garbage collection).
+
+## How it works
+
+1. You create a `TemporalWorkerOwnedResource` that references a `TemporalWorkerDeployment` and contains the resource spec in `spec.object`.
+2. The validating webhook checks that you have permission to manage that resource type yourself (SubjectAccessReview), and that the resource kind isn't on the banned list.
+3. On each reconcile loop, the controller renders one copy of `spec.object` per active Build ID, injects fields (see below), and applies it via Server-Side Apply.
+4. Each copy is owned by the corresponding versioned `Deployment`, so it is garbage-collected automatically when that Deployment is deleted.
+5. `TWOR.status.versions` is updated with the applied/failed status for each Build ID.
+
+## Auto-injection
+
+The controller auto-injects two fields when you set them to `null` in `spec.object`. Setting them to `null` is the explicit signal that you want injection — if you omit the field entirely, nothing is injected; if you set a non-null value, the webhook rejects the object.
+
+| Field | Injected value |
+|-------|---------------|
+| `spec.scaleTargetRef` (HPA) | `{apiVersion: apps/v1, kind: Deployment, name: <versioned-deployment-name>}` |
+| `spec.selector.matchLabels` (any) | `{temporal.io/build-id: <buildID>, temporal.io/deployment-name: <twdName>}` |
+
+## Resource naming
+
+Each per-Build-ID copy is named `<twdName>-<tworName>-<buildID>`, cleaned for DNS and truncated to 253 characters. Use `kubectl get hpa` (or whatever kind you attached) after a reconcile to see the created resources.
+
+## RBAC
+
+### What the webhook checks
+
+When you create or update a TWOR, the webhook performs SubjectAccessReviews to verify:
+
+1. **You** (the requesting user) can create/update the embedded resource type in that namespace.
+2. **The controller's service account** can create/update the embedded resource type in that namespace.
+
+If either check fails, the TWOR is rejected. This prevents privilege escalation — you cannot use TWOR to create resources you don't already have permission to create yourself.
+
+### What to configure in Helm
+
+`ownedResourceConfig.rbac.rules` controls what resource types the controller's ClusterRole permits it to manage. The defaults cover HPAs and PodDisruptionBudgets:
+
+```yaml
+ownedResourceConfig:
+  rbac:
+    rules:
+      - apiGroups: ["autoscaling"]
+        resources: ["horizontalpodautoscalers"]
+      - apiGroups: ["policy"]
+        resources: ["poddisruptionbudgets"]
+```
+
+Add entries for any other resource types you want to attach (e.g., KEDA `ScaledObjects`). For development clusters you can set `rbac.wildcard: true` to grant access to all resource types, but this is not recommended for production.
+
+### What to configure for your users
+
+Users who create TWORs also need RBAC permission to manage the embedded resource type directly. For example, to let a team create TWORs that embed HPAs, they need the standard `autoscaling` permissions in their namespace — there is nothing TWOR-specific to configure for this.
+
+## Webhook TLS
+
+The TWOR validating webhook requires TLS. The recommended approach is to install [cert-manager](https://cert-manager.io/docs/installation/) before deploying the controller — the Helm chart handles everything else automatically (`certmanager.enabled: true` is the default).
+
+If cert-manager is not available in your cluster, set `certmanager.enabled: false` and provide:
+1. A `kubernetes.io/tls` Secret named `webhook-server-cert` in the controller namespace, containing `tls.crt` and `tls.key` for the webhook server. The certificate must have DNS SANs:
+   - `<release-name>-webhook-service.<namespace>.svc`
+   - `<release-name>-webhook-service.<namespace>.svc.cluster.local`
+2. The base64-encoded CA certificate that signed `tls.crt`, passed as `certmanager.caBundle` in Helm values.
+
+```bash
+helm install temporal-worker-controller oci://docker.io/temporalio/temporal-worker-controller \
+  --namespace temporal-system \
+  --set certmanager.enabled=false \
+  --set certmanager.caBundle="$(base64 -w0 ca.crt)"
+```
+
+## Example: HPA per Build ID
+
+```yaml
+apiVersion: temporal.io/v1alpha1
+kind: TemporalWorkerOwnedResource
+metadata:
+  name: my-worker-hpa
+  namespace: my-namespace
+spec:
+  # Reference the TemporalWorkerDeployment to attach to.
+  workerRef:
+    name: my-worker
+
+  # The resource template. The controller creates one copy per active Build ID.
+  object:
+    apiVersion: autoscaling/v2
+    kind: HorizontalPodAutoscaler
+    spec:
+      # null tells the controller to auto-inject the versioned Deployment reference.
+      # Do not set this to a real value — the webhook will reject it.
+      scaleTargetRef: null
+      minReplicas: 2
+      maxReplicas: 10
+      metrics:
+        - type: Resource
+          resource:
+            name: cpu
+            target:
+              type: Utilization
+              averageUtilization: 70
+```
+
+See [examples/twor-hpa.yaml](../examples/twor-hpa.yaml) for an example pre-configured for the helloworld demo.
+
+## Example: PodDisruptionBudget per Build ID
+
+```yaml
+apiVersion: temporal.io/v1alpha1
+kind: TemporalWorkerOwnedResource
+metadata:
+  name: my-worker-pdb
+  namespace: my-namespace
+spec:
+  workerRef:
+    name: my-worker
+  object:
+    apiVersion: policy/v1
+    kind: PodDisruptionBudget
+    spec:
+      minAvailable: 1
+      # null tells the controller to auto-inject {temporal.io/build-id, temporal.io/deployment-name}.
+      selector:
+        matchLabels: null
+```
+
+## Checking status
+
+```bash
+# See all TWORs and which TWD they reference
+kubectl get twor -n my-namespace
+
+# See per-Build-ID apply status
+kubectl get twor my-worker-hpa -n my-namespace -o jsonpath='{.status.versions}' | jq .
+
+# See the created HPAs
+kubectl get hpa -n my-namespace
+```

examples/twor-hpa.yaml

@@ -0,0 +1,49 @@
+# TemporalWorkerOwnedResource — HPA example
+#
+# This example attaches a HorizontalPodAutoscaler to each active versioned Deployment
+# of the "helloworld" TemporalWorkerDeployment (from the local demo).
+#
+# Prerequisites:
+#   - The helloworld demo is running (skaffold run --profile helloworld-worker)
+#   - The controller was installed with cert-manager (certmanager.enabled: true, the default)
+#   - You have permission to create HPAs in this namespace
+#
+# Apply:
+#   kubectl apply -f examples/twor-hpa.yaml
+#
+# Verify:
+#   kubectl get twor              # shows Applied status per Build ID
+#   kubectl get hpa               # shows one HPA per active Build ID
+#
+# See docs/owned-resources.md for full documentation.
+apiVersion: temporal.io/v1alpha1
+kind: TemporalWorkerOwnedResource
+metadata:
+  name: helloworld-hpa
+  # Deploy into the same namespace as the helloworld TemporalWorkerDeployment.
+  # The default Skaffold setup does not set a namespace, so resources land in "default".
+  namespace: default
+spec:
+  # Must match the name of the TemporalWorkerDeployment.
+  workerRef:
+    name: helloworld
+
+  # The resource template. The controller creates one copy per active Build ID,
+  # naming each one "<twdName>-<tworName>-<buildID>".
+  object:
+    apiVersion: autoscaling/v2
+    kind: HorizontalPodAutoscaler
+    spec:
+      # Setting scaleTargetRef to null tells the controller to auto-inject the
+      # correct versioned Deployment reference for each Build ID. Do not set this
+      # to a real value — the webhook will reject it.
+      scaleTargetRef: null
+      minReplicas: 1
+      maxReplicas: 3
+      metrics:
+        - type: Resource
+          resource:
+            name: cpu
+            target:
+              type: Utilization
+              averageUtilization: 70

helm/temporal-worker-controller/templates/webhook.yaml

@@ -34,6 +34,9 @@ webhooks:
   - name: vtemporalworkerownedresource.kb.io
     admissionReviewVersions: ["v1"]
     clientConfig:
+      {{- if and (not .Values.certmanager.enabled) .Values.certmanager.caBundle }}
+      caBundle: {{ .Values.certmanager.caBundle }}
+      {{- end }}
       service:
         name: {{ .Release.Name }}-webhook-service
         namespace: {{ .Release.Namespace }}
@@ -64,6 +67,9 @@ webhooks:
   - name: vtemporalworkerdeployment.kb.io
     admissionReviewVersions: ["v1"]
     clientConfig:
+      {{- if and (not .Values.certmanager.enabled) .Values.certmanager.caBundle }}
+      caBundle: {{ .Values.certmanager.caBundle }}
+      {{- end }}
       service:
         name: {{ .Release.Name }}-webhook-service
         namespace: {{ .Release.Namespace }}

helm/temporal-worker-controller/values.yaml

@@ -130,10 +130,16 @@ certmanager:
   # enabled controls creation of the cert-manager Issuer and Certificate used for
   # webhook TLS. cert-manager must be installed in the cluster.
   # See https://cert-manager.io/docs/installation/
-  # Set to false only if you are providing your own TLS certificate in a Secret
-  # named "webhook-server-cert" in the controller namespace.
+  # Set to false only if you are providing your own TLS certificate (see caBundle below).
   enabled: true
 
+  # caBundle is only used when enabled: false (i.e. you are managing webhook TLS yourself).
+  # Set this to the base64-encoded PEM CA certificate that signed the TLS certificate in
+  # the "webhook-server-cert" Secret. The Kubernetes API server uses this to verify the
+  # webhook server's TLS certificate.
+  # Leave empty when enabled: true — cert-manager injects the CA bundle automatically.
+  caBundle: ""
+
 # Not yet supported
 prometheus:
   enabled: false

internal/demo/README.md

@@ -10,6 +10,7 @@ This guide will help you set up and run the Temporal Worker Controller locally u
 - [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/)
 - Temporal Cloud account with API key or mTLS certificates
 - Understanding of [Worker Versioning concepts](https://docs.temporal.io/production-deployment/worker-deployments/worker-versioning) (Pinned and Auto-Upgrade versioning behaviors)
+- **[cert-manager](https://cert-manager.io/docs/installation/)** — required for the `TemporalWorkerOwnedResource` validating webhook (TLS). Install it once into your Minikube cluster before deploying the controller (see step 3 below).
 
 > **Note**: This demo specifically showcases **Pinned** workflow behavior. All workflows in the demo will remain on the worker version where they started, demonstrating how the controller safely manages multiple worker versions simultaneously during deployments.
 
@@ -63,6 +64,13 @@ This guide will help you set up and run the Temporal Worker Controller locally u
    - Note: Do not set both mTLS and API key for the same connection. If both present, the TemporalConnection Custom Resource
    Instance will not get installed in the k8s environment.
 
+3. Install cert-manager into Minikube (required for the TWOR validating webhook):
+   ```bash
+   kubectl apply -f https://github.com/cert-manager/cert-manager/releases/latest/download/cert-manager.yaml
+   # Wait for cert-manager pods to be ready before continuing
+   kubectl wait --for=condition=Available deployment --all -n cert-manager --timeout=120s
+   ```
+
 4. Build and deploy the Controller image to the local k8s cluster:
    ```bash
    skaffold run --profile worker-controller
@@ -113,6 +121,34 @@ kubectl logs -n temporal-system deployments/temporal-worker-controller-manager -
 kubectl get twd
 ```
 
+### Testing TemporalWorkerOwnedResource (per-version HPA)
+
+`TemporalWorkerOwnedResource` (TWOR) lets you attach Kubernetes resources — HPAs, PodDisruptionBudgets, etc. — to each active versioned Deployment. The controller creates one copy per active Build ID and wires it to the correct Deployment automatically.
+
+The TWOR validating webhook enforces that you have permission to create the embedded resource type yourself, and it requires TLS (provided by cert-manager, installed in step 3 above).
+
+After deploying the helloworld worker (step 5), apply the example HPA:
+
+```bash
+kubectl apply -f examples/twor-hpa.yaml
+```
+
+Watch the controller create an HPA for each active Build ID:
+
+```bash
+# See TWOR status (Applied: true once the controller reconciles)
+kubectl get twor
+
+# See the per-Build-ID HPAs
+kubectl get hpa
+```
+
+You should see one HPA per active worker version, with `scaleTargetRef` automatically pointing at the correct versioned Deployment.
+
+When you deploy a new worker version (e.g., step 8), the controller creates a new HPA for the new Build ID and keeps the old one until that version is deleted.
+
+See [docs/owned-resources.md](../../docs/owned-resources.md) for full documentation.
+
 ### Cleanup
 
 To clean up the demo: