v1.7.0

This release corresponds to Helm chart version 0.26.0. For details on versioning and how chart/app versions relate, see docs/release.md.

What's Changed

🚀 Generally Available: This project is Generally Available and ready for production use cases. Core functionality is complete with stable APIs.

---

Warning

💥 Breaking changes and migration required for existing users

v1.7.0 renames the two primary CRDs: TemporalWorkerDeployment → WorkerDeployment and TemporalConnection → Connection. Existing resources are not reconciled until migrated. A zero-downtime migration path is available — see docs/migration-crd-rename.md.

---

• CRD rename: TemporalWorkerDeployment → WorkerDeployment, TemporalConnection → Connection (#294): The Temporal prefix was redundant given the temporal.io API group. This is the last breaking change before GA. The deprecated CRD kinds remain installed with migration-guard finalizers and status conditions to guide migration.
• Cluster UID in CONTROLLER_IDENTITY (#309): Completes the two-release migration started in v1.6.0. The controller identity now includes the cluster namespace UID ({identity}/{namespaceUID}), preventing cross-cluster conflicts when two controllers share the same base identity. Existing Worker Deployments are reclaimed transparently on upgrade.
• Fix CEL rule to actually block deprecated resource create (#313): Follow-up to CRD migration PR
• Downgrade guide for CRD rename migration (#312): Follow-up to CRD migration PR

Full Changelog: v1.6.0...v1.7.0

v1.6.0

This release corresponds to Helm chart version 0.25.0. For details on versioning and how chart/app versions relate, see docs/release.md.

What's Changed

Upgrade Note

One-time pod rollout after upgrade. The build ID hash algorithm was updated to use json.Marshal instead of spew for pod spec serialization, so it now ignores zero-value fields introduced by future Kubernetes API versions (#290). On first reconcile after upgrading the controller, each TemporalWorkerDeployment will be assigned a new build ID and undergo a normal safe rollout. No manual intervention is required.

---

Bug Fixes

• Rate-limit back-off for DescribeWorkerDeployment (#291): When the Temporal server returns ResourceExhausted (namespace read RPS limit hit), the reconciler now backs off for 30 seconds instead of tight-looping. The condition is surfaced as ConditionProgressing=False with reason TemporalStateFetchFailed and a Rate limited message.

• Credential rotation: API key now read live on every RPC call (#301): The API key credential closure now reads the value from the K8s Secret on every outgoing Temporal RPC, so a rotated key takes effect immediately without requiring a controller restart or a permission-denied error cycle.

• Credential rotation: SDK client evicted on auth errors (#300): PermissionDenied and Unauthenticated errors from Temporal SDK calls now evict the cached client from the pool, so the next reconcile re-reads credentials and re-dials. Previously, a rotated API key or revoked mTLS cert caused a permanent stuck-retry loop.

• Events RBAC fix (#292): The events RBAC marker used the wrong API group (events.k8s.io instead of the core "" group), causing Server rejected event (will not retry!) log errors in cluster-wide deployments. Fixed, and Helm ClusterRole generation is now automated from Go markers to prevent future drift.

---

New Features

• Server-side versioning cleanup on TWD deletion (#240): When a TemporalWorkerDeployment is deleted (e.g., switching back to plain Deployments), the controller now resets Temporal's routing state before completing deletion. Without this, tasks could become permanently stuck in Scheduled state. A finalizer on TemporalConnection also prevents a race condition where Helm deletes both resources simultaneously and the controller loses its connection before cleanup completes.

• CRD-level spec validation via CEL rules (#293): Key TemporalWorkerDeployment spec constraints are now enforced by the API server at apply time via x-kubernetes-validations, regardless of whether the webhook is enabled. Validated rules include: name ≤ 63 chars, progressive strategy requires steps, max 20 steps, pauseDuration ≥ 30s per step, and gate.inputFrom requires exactly one source. Two constraints that cannot be expressed in CEL (strictly increasing rampPercentage, mutually exclusive gate.input/gate.inputFrom) fall back to reconciler-level validation with a Warning event and InvalidSpec condition.

• Accept Opaque secrets for mTLS auth (#276): The controller now accepts both kubernetes.io/tls and Opaque secret types for MutualTLSSecretRef. This unblocks setups that bundle tls.crt, tls.key, and ca.crt into a single Opaque secret (e.g., cert-manager outputs with a custom CA).

---

Deprecations

• authProxy.enabled Helm value deprecated (#304): The authProxy.enabled option is deprecated. Use metrics.disableAuth instead. The metrics port now only binds to 127.0.0.1 when the auth proxy is explicitly enabled.

---

Infrastructure

• Preparation for cluster-scoped controller identity (#308): The manager identity claim logic now recognizes the upcoming cluster-UID-prefixed identity format, enabling clean reclaim after rollback from v1.7.0 (which will include full cluster UID support).

• Removed go.work and binaries from source control (#305): go.work, go.work.sum, and checked-in binary files removed; go vet moved to the linters workflow.

---

Dependency Updates

• github.com/aws/aws-sdk-go-v2: eventstream 1.7.4→1.7.8, lambda 1.88.0→1.88.5
• go.opentelemetry.io/otel/sdk: 1.40.0→1.43.0
• github.com/go-jose/go-jose/v4: 4.1.3→4.1.4
• github.com/jackc/pgx/v5: 5.7.2→5.9.2

New Contributors

• @ConnorGraham made their first contribution in #276
• @taonic made their first contribution in #271
• @jaypipes made their first contribution in #288
• @anujagrawal380 made their first contribution in #240

Full Changelog: v1.5.2...v1.6.0

v1.5.2

This release corresponds to Helm chart version 0.24.1. For details on versioning and how chart/app versions relate, see docs/release.md.

What's Changed

• Revert cert-manager version constraint to ">=v1.0.0" from 0.23.0 wrongly added by CI by @carlydf in #252
• Skip automatic helm chart bump for patch releases by @Shivs11 in #254
• Bump Go to 1.25.8 to fix stdlib CVEs by @Shivs11 in #253
• Fix greedy sed in release.yml and restore cert-manager constraint by @Shivs11 in #255
• Add extra field when doing SubjectAccessReview by @jinjiaKarl in #265

New Contributors

• @jinjiaKarl made their first contribution in #265

Full Changelog: v1.5.0...v1.5.2

v1.5.1

This release corresponds to Helm chart version 0.24.0. For details on versioning and how chart/app versions relate, see docs/release.md.

What's Changed

• Bump Go to 1.25.8 to fix stdlib CVEs (PR #253)

Full Changelog: v1.5.0...v1.5.1

v1.5.0

This release corresponds to Helm chart version 0.23.0. For details on versioning and how chart/app versions relate, see docs/release.md.

Highlights

This release introduces WorkerResourceTemplate, enabling per-version autoscaling in Public Preview!

See docs/worker-resource-templates.md and our metrics-based autoscaling demo for more information on how to set it up.

This release is available in controller and CRD Helm charts v0.23.0.

What's Changed

• Enable Controller-managed versioned scaling resources with WorkerResourceTemplate by @carlydf in #217
• Fix demo readme and grafana dashboard for autoscaling demo by @carlydf in #251

Full Changelog: v1.4.0...v1.5.0

v1.4.0

This release corresponds to Helm chart version 0.22.0. For details on versioning and how chart/app versions relate, see docs/release.md.

Highlights

Upgrade Note

This release separates CRDs into a dedicated Helm chart.

Action required: Ensure your CRDs are upgraded—either by installing the new CRD chart or updating them manually. If not, your cluster may run with incompatible or outdated CRDs.

See docs/crd-management.md for details.

Other improvements within the controller code include:

• Using ManagerIdentity to coordinate handoff between worker controller and other clients modifying the same Worker Deployment resource. See docs/ownership.md for more details.
• Omit DescribeVersion calls for drained versions to avoid hitting RPS limits
• Add Ready and Progressing conditions to TemporalWorkerDeployment for consumption by CD tools

What's Changed

• fix: append custom CA to system cert pool instead of replacing it by @Shivs11 in #227
• Add manual branch image publish workflow by @Shivs11 in #224
• fix: lowercase CleanStringForDNS output for RFC 1123 compliance by @aarontsharp in #228
• Separate CRDs Helm chart for upgradeable CRD lifecycle by @carlydf in #208
• Use ManagerIdentity API instead of LastModifierIdentity + ignore-last-modifier metadata hack by @carlydf in #220
• Revert "Use ManagerIdentity API instead of LastModifierIdentity + ignore-last-modifier metadata hack (#220)" by @carlydf in #233
• omit DescribeVersion API calls for drained versions by @Shivs11 in #229
• Bug fix: Do not call CheckHealth when authenticating with API keys by @Shivs11 in #232
• Reapply "Use ManagerIdentity API instead of LastModifierIdentity + ignore-last-modifier metadata hack (#220)" (#233) by @carlydf in #234
• Lower reconcile-loop log to debug level by @carlydf in #238
• Add unit tests for clientpool auth code paths by @carlydf in #236
• update the helm.yml workflow to now publish helm charts from feature branches without bumping up the chart version by @Shivs11 in #242
• feat: replace domain conditions with standard Ready/Progressing conditions by @carlydf in #235
• fix: retry on conflict in test helper to fix flaky integration test by @Shivs11 in #244
• docs: add Helm ownership labeling step to CRD migration guide by @Shivs11 in #245
• Bump google.golang.org/grpc from 1.75.1 to 1.79.3 by @dependabot[bot] in #243
• bump helm chart version to 0.20.0 by @Shivs11 in #248
• Bump chart version to 0.21.0 with appVersion 1.4.0 by @Shivs11 in #250

New Contributors

• @aarontsharp made their first contribution in #228

Full Changelog: v1.3.0...v1.4.0

v1.3.1

This release corresponds to Helm chart version 0.20.0. For details on versioning and how chart/app versions relate, see docs/release.md.

Contains bug fixes:

• fix: append custom CA to system cert pool instead of replacing it (#227)
  • Previous PR broke TLS auth, this fixes it
• omit DescribeVersion API calls for drained versions (#229)
  • Excessive DescribeVersion calls were exceeding server rate limits, and not needed
• Bug fix: Do not call CheckHealth when authenticating with API keys (#232)
  • Fixes a regression specific to API Key Auth that was introduced in #203

Full Changelog: v1.3.0...v1.3.1

v1.2.4

Warning

This release is unstable and should not be used in production.

Helm chart versions <0.20.0 were built using manifests from the main branch at release time instead of the release branch. As a result, deployed manifests may not match the expected code version.

Required action:
Upgrade to v1.3.1 (Helm Chart 0.20.0). This is the first version with corrected manifests and a tested upgrade path from affected releases.

Recommended next step:
After upgrading to v1.3.1, continue upgrading to the latest GA release (v1.7.0) for production use.
For production environments, upgrade one minor version at a time after 0.20.0.
See docs/release.md for full details on versioning and upgrade paths.

---

Contains bug fixes:

• Helm chart bug Fix: Make sure image has nonRoot (#195)
• fix: append custom CA to system cert pool instead of replacing it (#227)
  • Previous PR broke TLS auth, this fixes it
• omit DescribeVersion API calls for drained versions (#229)
  • Excessive DescribeVersion calls were exceeding server rate limits, and not needed

Full Changelog: v1.2.3...v1.2.4

v1.2.3

Warning

This release is unstable and should not be used in production.

Helm chart versions <0.20.0 were built using manifests from the main branch at release time instead of the release branch. As a result, deployed manifests may not match the expected code version.

Required action:
Upgrade to v1.3.1 (Helm Chart 0.20.0). This is the first version with corrected manifests and a tested upgrade path from affected releases.

Recommended next step:
After upgrading to v1.3.1, continue upgrading to the latest GA release (v1.7.0) for production use.
For production environments, upgrade one minor version at a time after 0.20.0.
See docs/release.md for full details on versioning and upgrade paths.

---

Warning

This release is unstable and should not be used in production.
PR #212 introduced a bug in TLS certificate handling.
The issue is fixed in #227.

Recommended action: Skip this version and upgrade to the release containing the fix.

---

Full Changelog: v1.2.2...v1.2.3

v1.2.2

Warning

This release is unstable and should not be used in production.

Helm chart versions <0.20.0 were built using manifests from the main branch at release time instead of the release branch. As a result, deployed manifests may not match the expected code version.

Required action:
Upgrade to v1.3.1 (Helm Chart 0.20.0). This is the first version with corrected manifests and a tested upgrade path from affected releases.

Recommended next step:
After upgrading to v1.3.1, continue upgrading to the latest GA release (v1.7.0) for production use.
For production environments, upgrade one minor version at a time after 0.20.0.
See docs/release.md for full details on versioning and upgrade paths.

---

Warning

This release is unstable and should not be used in production.
PR #212 introduced a bug in TLS certificate handling.
The issue is fixed in #227.

Recommended action: Skip this version and upgrade to the release containing the fix.

---

• Cherry picked commit: #195
  Full Changelog: v1.2.1...v1.2.2