fix: clean up Temporal server-side versioning data on TWD deletion

[anujagrawal380]

• Add a finalizer to TemporalWorkerDeployment to run Temporal server-side cleanup before K8s deletion
• Add a finalizer to TemporalConnection to prevent it from being deleted while any TWD still references it
• On TWD deletion, set current version to unversioned, clear ramping version, and delete registered versions

Problem

When a TemporalWorkerDeployment CRD is deleted (e.g., switching back to plain Deployments), the Temporal server retains the build ID routing configuration. The matching service continues routing new tasks to the deleted build ID's physical queue, while unversioned workers poll a different physical queue. Tasks sit in Scheduled state indefinitely with no errors.

A secondary race condition exists: Helm deletes both the TemporalConnection and TWD in the same upgrade. Without the connection, the controller cannot talk to Temporal to clean up. This is solved by adding a finalizer to the TemporalConnection that blocks its deletion until all referencing TWDs are gone.

Changes

internal/controller/worker_controller.go:

TWD finalizer (temporal.io/worker-deployment-cleanup):

• Added to all TWD resources during normal reconciliation
• On deletion, triggers handleDeletion() which:
  1. Sets the current version to unversioned (BuildID: "") -- the critical step that unblocks task dispatch
  2. Clears any ramping version
  3. Deletes all registered versions with SkipDrainage: true
  4. Attempts to delete the deployment record itself
  5. Removes the connection finalizer if no other TWDs reference it
  6. Removes its own finalizer, allowing K8s to complete deletion

TemporalConnection finalizer (temporal.io/connection-in-use):

• Added to the TemporalConnection during normal TWD reconciliation via ensureConnectionFinalizer()
• Prevents the connection from being deleted while any TWD still references it
• Removed by removeConnectionFinalizerIfUnused() during TWD deletion, after checking no other TWDs in the same namespace reference the connection
• Guarantees the connection is always available during TWD cleanup -- no race condition with Helm deleting both resources simultaneously

RBAC updates:

• Added update;patch verbs for temporalconnections (was get;list;watch)
• Added update verb for temporalconnections/finalizers

Deletion flow

Helm upgrade (TWD disabled)
  |
  v
Helm deletes TWD CRD + TemporalConnection CRD simultaneously
  |
  +--> TemporalConnection: has finalizer, K8s sets DeletionTimestamp but blocks deletion
  |
  +--> TWD: has finalizer, K8s sets DeletionTimestamp, triggers Reconcile
         |
         v
       handleDeletion() runs:
         1. Fetches TemporalConnection (guaranteed to exist via finalizer)
         2. Connects to Temporal server
         3. Sets current version to unversioned
         4. Deletes versions
         5. Removes connection finalizer (no other TWDs reference it)
         6. Removes TWD finalizer
         |
         v
       TWD deleted by K8s
         |
         v
       TemporalConnection: no more finalizers, deleted by K8s

Issue #55
Closes #166

[CLAassistant]

All committers have signed the CLA.

[anujagrawal380]

PTAL @carlydf

[jaypipes]

@anujagrawal380 awesome contribution, thank you so much for this PR! I couple really minor comments below, but overall excellent work.

[anujagrawal380]

@anujagrawal380 awesome contribution, thank you so much for this PR! I couple really minor comments below, but overall excellent work.

Thanks, resolved both the comments!

[jaypipes]

rock on :) nice work on this @anujagrawal380!

[carlydf]

we need integration tests for this before merging to main / including it in a release

[anujagrawal380]

we need integration tests for this before merging to main / including it in a release

@carlydf Added the integration tests. PTAL

[carlydf]

Hi @anujagrawal380 , could you fix the linters! Would love to include this in our next release

[anujagrawal380]

Hi @anujagrawal380 , could you fix the linters! Would love to include this in our next release

@carlydf @jaypipes Added few more minor improvements here: 9fd0c74 . PTAL!

[jaypipes]

yeah, I agree with @carlydf's concern about the deleteCleanupTimeout. I think that should be removed.

[carlydf]

@anujagrawal380 we hope to include this change in our release early next week, without the timeout addition. Hopefully you can respond to the feedback when you get back on Monday! To allow the tests to pass in a reasonable amount of time, you can override the pollerTTL to make pollers "die" faster on the server side.
Example

If we don't get a response by Tuesday, we will pick your commits into a separate PR (so you will still be attributed), remove the timeout, make the tests pass and merge it. Hopefully we can come to an agreement about the timeout behavior though!

[anujagrawal380]

@anujagrawal380 we hope to include this change in our release early next week, without the timeout addition. Hopefully you can respond to the feedback when you get back on Monday! To allow the tests to pass in a reasonable amount of time, you can override the pollerTTL to make pollers "die" faster on the server side. Example

If we don't get a response by Tuesday, we will pick your commits into a separate PR (so you will still be attributed), remove the timeout, make the tests pass and merge it. Hopefully we can come to an agreement about the timeout behavior though!

Thanks @carlydf @jaypipes for the thorough review. Made the changes as suggested. Please let me know if any more changes are required!

[jaypipes]

excellent work on this @anujagrawal380 thank you so much! :)

[carlydf]

thank you!

[Shivs11]

ty!

[anujagrawal380]

@carlydf Can we please rerun tests again here?

[anujagrawal380]

@carlydf Sorry, lint failed. Please again!

[carlydf]

@carlydf Sorry, lint failed. Please again!

@anujagrawal380, this test failed in https://github.com/temporalio/temporal-worker-controller/actions/runs/25011104275/job/73248144790. I'm re-running to see if it was just flaky and maybe will pass the second time. At the same time, ideally we would not have a flaky test since that will cause issues for future PRs. Could you take a look at the failure please?

    --- FAIL: TestIntegration/deletion-sets-current-to-unversioned (5.61s)

[anujagrawal380]

@carlydf Sorry, lint failed. Please again!

@anujagrawal380, this test failed in https://github.com/temporalio/temporal-worker-controller/actions/runs/25011104275/job/73248144790. I'm re-running to see if it was just flaky and maybe will pass the second time. At the same time, ideally we would not have a flaky test since that will cause issues for future PRs. Could you take a look at the failure please?

    --- FAIL: TestIntegration/deletion-sets-current-to-unversioned (5.61s)

@carlydf Added a commit, please rerun once more!

[carlydf]

@carlydf Sorry, lint failed. Please again!

@anujagrawal380, this test failed in https://github.com/temporalio/temporal-worker-controller/actions/runs/25011104275/job/73248144790. I'm re-running to see if it was just flaky and maybe will pass the second time. At the same time, ideally we would not have a flaky test since that will cause issues for future PRs. Could you take a look at the failure please?

    --- FAIL: TestIntegration/deletion-sets-current-to-unversioned (5.61s)

@carlydf Added a commit, please rerun once more!

@anujagrawal380 it failed again. Have not looked at why. Is this passing locally? To run locally you can do:

KUBEBUILDER_ASSETS=/Users/cdf/Desktop/temporal-worker-controller/bin/k8s/1.27.1-darwin-arm64 go test -tags test_dep ./internal/tests/internal
   -run "TestIntegration/deletion-sets-current-to-unversioned" -timeout 600s 

but replace the KUBEBUILDER_ASSETS env var with the correct path for your system. To generate those assets and find out the right path, you can run make test-integration and then Ctrl+C the test after the KUBEBUILDER_ASSETS line is printed.

 % make test-integration
test -s /Users/cdf/Desktop/temporal-worker-controller/bin/controller-gen && /Users/cdf/Desktop/temporal-worker-controller/bin/controller-gen --version | grep -q v0.19.0 || \
        GOBIN=/Users/cdf/Desktop/temporal-worker-controller/bin go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.19.0
GOWORK=off GO111MODULE=on /Users/cdf/Desktop/temporal-worker-controller/bin/controller-gen rbac:roleName=manager-role crd:allowDangerousTypes=true,maxDescLen=0,generateEmbeddedObjectMeta=true paths=./api/... paths=./internal/... paths=./cmd/... \
    output:crd:artifacts:config=helm/temporal-worker-controller-crds/templates
python3 hack/sync-rbac-rules.py
Synced RBAC rules from config/rbac/role.yaml → helm/temporal-worker-controller/templates/rbac.yaml
GOWORK=off GO111MODULE=on /Users/cdf/Desktop/temporal-worker-controller/bin/controller-gen object:headerFile="hack/boilerplate.go.txt" paths=./api/... paths=./internal/... paths=./cmd/...
test -s /Users/cdf/Desktop/temporal-worker-controller/bin/setup-envtest || GOBIN=/Users/cdf/Desktop/temporal-worker-controller/bin go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest
Running integration tests...
KUBEBUILDER_ASSETS="/Users/cdf/Desktop/temporal-worker-controller/bin/k8s/1.27.1-darwin-arm64" go test -v -tags test_dep ./internal/tests/internal -run TestIntegration
^Cmake: *** [test-integration] Interrupt: 2