Overview ¶
Package resources contains builders for the Kubernetes objects the operator manages (Jobs, Deployments, Services, ConfigMaps, etc.).
Index ¶
- Constants
- Variables
- func ApplyAzureSchemaWorkloadIdentity(podMeta *metav1.ObjectMeta, podSpec *corev1.PodSpec, ...)
- func ApplyAzureServerWorkloadIdentity(podMeta *metav1.ObjectMeta, podSpec *corev1.PodSpec, ...)
- func AzurePasswordCommand() string
- func AzureServiceAccountName(cluster *temporalv1alpha1.TemporalCluster) string
- func AzureTokenInitContainer(cluster *temporalv1alpha1.TemporalCluster) corev1.Container
- func AzureTokenRefresherSidecar(cluster *temporalv1alpha1.TemporalCluster) corev1.Container
- func AzureWorkloadIdentityEnabled(cluster *temporalv1alpha1.TemporalCluster) bool
- func BuildAzureServiceAccount(cluster *temporalv1alpha1.TemporalCluster) *corev1.ServiceAccount
- func BuildClientCertificate(clusterClient *temporalv1alpha1.TemporalClusterClient, ...) *certmanagerv1.Certificate
- func BuildConfigSecret(cluster *temporalv1alpha1.TemporalCluster, rendered string) *corev1.Secret
- func BuildDeployment(cluster *temporalv1alpha1.TemporalCluster, svc ServiceInfo, ...) (*appsv1.Deployment, error)
- func BuildDevServerDeployment(dev *temporalv1alpha1.TemporalDevServer, image string) *appsv1.Deployment
- func BuildDevServerPVC(dev *temporalv1alpha1.TemporalDevServer) *corev1.PersistentVolumeClaim
- func BuildDevServerService(dev *temporalv1alpha1.TemporalDevServer) *corev1.Service
- func BuildDynamicConfigMap(cluster *temporalv1alpha1.TemporalCluster, rendered string) *corev1.ConfigMap
- func BuildFrontendCertificate(cluster *temporalv1alpha1.TemporalCluster) *certmanagerv1.Certificate
- func BuildFrontendService(cluster *temporalv1alpha1.TemporalCluster, frontend ServiceInfo) *corev1.Service
- func BuildHeadlessService(cluster *temporalv1alpha1.TemporalCluster, svc ServiceInfo) *corev1.Service
- func BuildInspectorJob(params InspectorJobParams) *batchv1.Job
- func BuildInternodeCertificate(cluster *temporalv1alpha1.TemporalCluster) *certmanagerv1.Certificate
- func BuildPodDisruptionBudget(cluster *temporalv1alpha1.TemporalCluster, svc ServiceInfo) *policyv1.PodDisruptionBudget
- func BuildSchemaJob(p SchemaJobParams) (*batchv1.Job, error)
- func BuildServiceMonitor(cluster *temporalv1alpha1.TemporalCluster) *unstructured.Unstructured
- func BuildUIClientCertificate(cluster *temporalv1alpha1.TemporalCluster) *certmanagerv1.Certificate
- func BuildUIDeployment(cluster *temporalv1alpha1.TemporalCluster) *appsv1.Deployment
- func BuildUIIngress(cluster *temporalv1alpha1.TemporalCluster) *networkingv1.Ingress
- func BuildUIService(cluster *temporalv1alpha1.TemporalCluster) *corev1.Service
- func ClientSecretName(clusterClient *temporalv1alpha1.TemporalClusterClient) string
- func ConfigHash(content string) string
- func ConfigSecretName(clusterName string) string
- func DeploymentName(clusterName, component string) string
- func DevServerFrontendEndpoint(dev *temporalv1alpha1.TemporalDevServer) string
- func DevServerFrontendServiceName(name string) string
- func DevServerImage(dev *temporalv1alpha1.TemporalDevServer) (string, error)
- func DevServerPVCName(name string) string
- func DevServerServerVersion(dev *temporalv1alpha1.TemporalDevServer) string
- func DevServerUIEndpoint(dev *temporalv1alpha1.TemporalDevServer) string
- func DynamicConfigMapName(clusterName string) string
- func FrontendCertName(clusterName string) string
- func FrontendServiceName(clusterName string) string
- func HeadlessServiceName(clusterName, component string) string
- func InspectorJobName(clusterName string, store SchemaStore) string
- func InternodeCertName(clusterName string) string
- func MTLSEnabled(cluster *temporalv1alpha1.TemporalCluster) bool
- func PDBName(clusterName, component string) string
- func SchemaJobName(clusterName string, store SchemaStore, action SchemaAction) string
- func SelectorLabels(cluster *temporalv1alpha1.TemporalCluster, component string) map[string]string
- func ServiceMonitorName(clusterName string) string
- func StandardLabels(cluster *temporalv1alpha1.TemporalCluster, component string) map[string]string
- func UIClientCertName(clusterName string) string
- func UIName(clusterName string) string
- type InspectorJobParams
- type MTLSMounts
- type SchemaAction
- type SchemaJobParams
- type SchemaStore
- type ServiceInfo
Constants ¶
// Azure Workload Identity token plumbing shared by the ApplyAzure*WorkloadIdentity
// helpers: a token container writes an Entra token to a shared volume and
// AzurePasswordCommand reads that file as the datastore password.
const (
	// AzureTokenVolumeName is the name of the shared emptyDir volume for Azure tokens.
	AzureTokenVolumeName = "azure-token"
	// AzureTokenMountPath is the mount path for the Azure token volume.
	AzureTokenMountPath = "/azure"
	// AzureTokenFile is the full path to the token file.
	// NOTE(review): the refresher sidecar rewrites this file periodically;
	// confirm the emptyDir is memory-backed (medium: Memory) so the
	// credential is not persisted on node disk.
	AzureTokenFile = "/azure/pgpass"
	// DefaultAzureCLIImage is the default azure-cli image for token containers.
	// NOTE(review): this is a mutable tag rather than an immutable digest;
	// pinning by digest (image@sha256:<digest>) would make the token
	// container's supply chain reproducible.
	DefaultAzureCLIImage = "mcr.microsoft.com/azure-cli:2.87.0"
	// DefaultAzureScope is the default Entra token scope for Azure Database for PostgreSQL.
	DefaultAzureScope = "https://ossrdbms-aad.database.windows.net/.default"
	// AzureWILabel is the Azure Workload Identity pod label.
	AzureWILabel = "azure.workload.identity/use"
	// AzureWILabelValue is the value for the Azure Workload Identity pod label.
	AzureWILabelValue = "true"
)
// Mount paths for the cert-manager-issued mTLS certificate Secrets inside
// Temporal service pods.
const (
	// InternodeCertMountPath is where the internode cert is mounted in every pod.
	InternodeCertMountPath = "/etc/temporal/certs/internode"
	// FrontendCertMountPath is where the frontend cert is mounted in frontend pods.
	FrontendCertMountPath = "/etc/temporal/certs/frontend"
)
Certificate / secret naming.
// File names used both as the key inside the config Secret / ConfigMap and as
// the mount name in the pod.
const (
	// ConfigFileName is the rendered server config file key/mount name.
	ConfigFileName = "config.yaml"
	// DynamicConfigFileName is the dynamic config file key/mount name.
	DynamicConfigFileName = "dynamic_config.yaml"
)
// Dev server ports (Temporal CLI start-dev defaults).
const (
	// DevServerFrontendPort is the gRPC frontend port of `temporal server start-dev`.
	DevServerFrontendPort int32 = 7233
	// DevServerUIPort is the Web UI port of `temporal server start-dev`.
	DevServerUIPort int32 = 8233
)
Dev server ports (Temporal CLI start-dev defaults).
// Label keys shared across all managed resources.
const (
	LabelName      = "app.kubernetes.io/name"
	LabelInstance  = "app.kubernetes.io/instance"
	LabelComponent = "app.kubernetes.io/component"
	LabelManagedBy = "app.kubernetes.io/managed-by"
	LabelCluster   = "temporal.bmor10.com/cluster"
	// LabelVersion is part of StandardLabels but deliberately absent from
	// SelectorLabels so selectors stay stable across upgrades.
	LabelVersion = "temporal.bmor10.com/version"
	// ConfigHashAnnotation stamps the rendered-config hash onto pods so config
	// changes trigger a rollout.
	ConfigHashAnnotation = "temporal.bmor10.com/config-hash"
	// CertHashAnnotation stamps the mTLS cert hash onto pods so certificate
	// rotation triggers a rollout.
	CertHashAnnotation = "temporal.bmor10.com/cert-hash"
)
Label keys shared across all managed resources.
// Service component names. These are the values of ServiceInfo.Name and the
// component argument of the naming/label helpers.
const (
	ServiceFrontend = "frontend"
	// ServiceInternalFrontend is only deployed when enabled (see EnabledServices).
	ServiceInternalFrontend = "internal-frontend"
	ServiceHistory          = "history"
	ServiceMatching         = "matching"
	ServiceWorker           = "worker"
)
Service component names.
// PostgresSchemaDir is the on-image schema directory for the postgres12 plugin
// (used as the BuildSchemaJob SchemaVersionDir for SQL postgres stores).
const PostgresSchemaDir = "v12"
PostgresSchemaDir is the on-image schema directory for the postgres12 plugin (used as the BuildSchemaJob SchemaVersionDir for SQL postgres stores).
Variables ¶
// ServiceMonitorGVK is the GroupVersionKind of the Prometheus Operator
// ServiceMonitor resource. BuildServiceMonitor emits the object as
// unstructured.Unstructured with this GVK so the operator has no hard
// dependency on the prometheus-operator API.
var ServiceMonitorGVK = schema.GroupVersionKind{
	Group:   "monitoring.coreos.com",
	Version: "v1",
	Kind:    "ServiceMonitor",
}
ServiceMonitorGVK is the GroupVersionKind of the Prometheus Operator ServiceMonitor resource.
Functions ¶
func ApplyAzureSchemaWorkloadIdentity ¶ added in v0.9.0
func ApplyAzureSchemaWorkloadIdentity(podMeta *metav1.ObjectMeta, podSpec *corev1.PodSpec, cluster *temporalv1alpha1.TemporalCluster, mainContainerName string)
ApplyAzureSchemaWorkloadIdentity applies Azure Workload Identity configuration to a schema Job pod. It sets the ServiceAccount, adds the Workload Identity pod label, adds the token volume, mounts the volume on the main container, and appends the token init container. This function is idempotent.
func ApplyAzureServerWorkloadIdentity ¶ added in v0.9.0
func ApplyAzureServerWorkloadIdentity(podMeta *metav1.ObjectMeta, podSpec *corev1.PodSpec, cluster *temporalv1alpha1.TemporalCluster, mainContainerName string)
ApplyAzureServerWorkloadIdentity applies Azure Workload Identity configuration to a server pod. It sets the ServiceAccount, adds the Workload Identity pod label, adds the token volume, mounts the volume on the main container, appends the token refresher sidecar, and adds an init container that fetches the token once before the server starts. This function is idempotent.
func AzurePasswordCommand ¶ added in v0.9.0
func AzurePasswordCommand() string
AzurePasswordCommand returns the passwordCommand shell snippet that waits for the token file and reads it. It is a snippet (not a full "sh -c '...'" string) because both consumers wrap it: the schema Job embeds it in "$(...)" and the Temporal server config renders it as command "sh" with args ["-c", <snippet>].
func AzureServiceAccountName ¶ added in v0.9.0
func AzureServiceAccountName(cluster *temporalv1alpha1.TemporalCluster) string
AzureServiceAccountName returns the ServiceAccount name to use for Azure Workload Identity.
func AzureTokenInitContainer ¶ added in v0.9.0
func AzureTokenInitContainer(cluster *temporalv1alpha1.TemporalCluster) corev1.Container
AzureTokenInitContainer returns the initContainer that obtains an Azure token once.
func AzureTokenRefresherSidecar ¶ added in v0.9.0
func AzureTokenRefresherSidecar(cluster *temporalv1alpha1.TemporalCluster) corev1.Container
AzureTokenRefresherSidecar returns the sidecar that refreshes the Azure token periodically.
func AzureWorkloadIdentityEnabled ¶ added in v0.9.0
func AzureWorkloadIdentityEnabled(cluster *temporalv1alpha1.TemporalCluster) bool
AzureWorkloadIdentityEnabled returns true when Azure Workload Identity is configured.
func BuildAzureServiceAccount ¶ added in v0.9.0
func BuildAzureServiceAccount(cluster *temporalv1alpha1.TemporalCluster) *corev1.ServiceAccount
BuildAzureServiceAccount builds the ServiceAccount for Azure Workload Identity.
func BuildClientCertificate ¶
func BuildClientCertificate(clusterClient *temporalv1alpha1.TemporalClusterClient, cluster *temporalv1alpha1.TemporalCluster) *certmanagerv1.Certificate
BuildClientCertificate builds a cert-manager Certificate for a TemporalClusterClient, signed by the cluster's mTLS issuer. The resulting Secret carries tls.crt, tls.key, and ca.crt for an application worker.
func BuildConfigSecret ¶
func BuildConfigSecret(cluster *temporalv1alpha1.TemporalCluster, rendered string) *corev1.Secret
BuildConfigSecret builds the Secret containing the rendered server config.
func BuildDeployment ¶
func BuildDeployment(cluster *temporalv1alpha1.TemporalCluster, svc ServiceInfo, configHash, version string, mtls *MTLSMounts) (*appsv1.Deployment, error)
BuildDeployment builds the Deployment for a single Temporal service. The version argument overrides the server image tag (used for per-service rollout during upgrades); when it is empty, the cluster's spec version is used.
func BuildDevServerDeployment ¶ added in v0.6.0
func BuildDevServerDeployment(dev *temporalv1alpha1.TemporalDevServer, image string) *appsv1.Deployment
BuildDevServerDeployment builds the single-replica Deployment that runs `temporal server start-dev`.
func BuildDevServerPVC ¶ added in v0.6.0
func BuildDevServerPVC(dev *temporalv1alpha1.TemporalDevServer) *corev1.PersistentVolumeClaim
BuildDevServerPVC builds the PVC for a persistent dev server. Returns nil when the dev server uses ephemeral storage.
func BuildDevServerService ¶ added in v0.6.0
func BuildDevServerService(dev *temporalv1alpha1.TemporalDevServer) *corev1.Service
BuildDevServerService builds the Service exposing the frontend and UI ports.
func BuildDynamicConfigMap ¶
func BuildDynamicConfigMap(cluster *temporalv1alpha1.TemporalCluster, rendered string) *corev1.ConfigMap
BuildDynamicConfigMap builds the ConfigMap containing dynamic config. When the rendered content is empty, an empty document is written so the mount always exists.
func BuildFrontendCertificate ¶
func BuildFrontendCertificate(cluster *temporalv1alpha1.TemporalCluster) *certmanagerv1.Certificate
BuildFrontendCertificate builds the frontend server Certificate, covering the frontend client Service DNS plus any user-supplied DNS names.
func BuildFrontendService ¶
func BuildFrontendService(cluster *temporalv1alpha1.TemporalCluster, frontend ServiceInfo) *corev1.Service
BuildFrontendService builds the regular ClusterIP Service that clients use to reach the frontend gRPC (and HTTP) endpoints.
func BuildHeadlessService ¶
func BuildHeadlessService(cluster *temporalv1alpha1.TemporalCluster, svc ServiceInfo) *corev1.Service
BuildHeadlessService builds the headless Service used for Ringpop membership.
func BuildInspectorJob ¶ added in v0.9.0
func BuildInspectorJob(params InspectorJobParams) *batchv1.Job
BuildInspectorJob builds a batch/v1 Job that runs the operator's "inspect" subcommand to probe a SQL store and read its schema version. The Job uses Azure Workload Identity for passwordless authentication, with the token wiring applied via ApplyAzureSchemaWorkloadIdentity. The caller is responsible for setting the controller owner reference on the returned Job.
func BuildInternodeCertificate ¶
func BuildInternodeCertificate(cluster *temporalv1alpha1.TemporalCluster) *certmanagerv1.Certificate
BuildInternodeCertificate builds the shared internode mTLS Certificate covering every service's membership DNS names. It is used by all services for both server and client auth within the cluster.
func BuildPodDisruptionBudget ¶
func BuildPodDisruptionBudget(cluster *temporalv1alpha1.TemporalCluster, svc ServiceInfo) *policyv1.PodDisruptionBudget
BuildPodDisruptionBudget builds a PDB allowing at most one unavailable pod for the given service.
func BuildSchemaJob ¶
func BuildSchemaJob(p SchemaJobParams) (*batchv1.Job, error)
BuildSchemaJob builds a batch/v1 Job that runs temporal-sql-tool for the given store and action. The caller is responsible for setting the controller owner reference on the returned Job.
func BuildServiceMonitor ¶
func BuildServiceMonitor(cluster *temporalv1alpha1.TemporalCluster) *unstructured.Unstructured
BuildServiceMonitor builds a Prometheus Operator ServiceMonitor (as an unstructured object to avoid a hard dependency on the prometheus-operator API) that scrapes the metrics port of every Temporal service in the cluster.
func BuildUIClientCertificate ¶
func BuildUIClientCertificate(cluster *temporalv1alpha1.TemporalCluster) *certmanagerv1.Certificate
BuildUIClientCertificate builds the client Certificate the UI uses to connect to the frontend when mTLS is enabled.
func BuildUIDeployment ¶
func BuildUIDeployment(cluster *temporalv1alpha1.TemporalCluster) *appsv1.Deployment
BuildUIDeployment builds the temporal-ui Deployment.
func BuildUIIngress ¶
func BuildUIIngress(cluster *temporalv1alpha1.TemporalCluster) *networkingv1.Ingress
BuildUIIngress builds an Ingress for the UI when configured. It returns nil when ingress is not enabled.
func BuildUIService ¶
func BuildUIService(cluster *temporalv1alpha1.TemporalCluster) *corev1.Service
BuildUIService builds the ClusterIP Service for the UI.
func ClientSecretName ¶
func ClientSecretName(clusterClient *temporalv1alpha1.TemporalClusterClient) string
ClientSecretName returns the Secret name for a client's credentials.
func ConfigHash ¶
ConfigHash returns a stable short hash of the rendered config content, used to trigger pod rollouts when the config changes.
func ConfigSecretName ¶
ConfigSecretName returns the name of the Secret holding the rendered server config. The config is stored in a Secret (not a ConfigMap) because it embeds datastore credentials.
func DeploymentName ¶
DeploymentName returns the Deployment name for a service.
func DevServerFrontendEndpoint ¶ added in v0.6.0
func DevServerFrontendEndpoint(dev *temporalv1alpha1.TemporalDevServer) string
DevServerFrontendEndpoint returns the in-cluster gRPC frontend endpoint.
func DevServerFrontendServiceName ¶ added in v0.6.0
DevServerFrontendServiceName returns the Service name for a dev server.
func DevServerImage ¶ added in v0.6.0
func DevServerImage(dev *temporalv1alpha1.TemporalDevServer) (string, error)
DevServerImage returns the container image for a dev server. When Image is set it is used verbatim; otherwise the Temporal server Version (or the latest supported version when empty) is mapped to the matching temporalio/temporal CLI image. It returns an error when the server version is unsupported.
func DevServerPVCName ¶ added in v0.6.0
DevServerPVCName returns the PVC name for a persistent dev server.
func DevServerServerVersion ¶ added in v0.8.0
func DevServerServerVersion(dev *temporalv1alpha1.TemporalDevServer) string
DevServerServerVersion returns the Temporal server version reported in status: the explicit Version, the latest supported version when Version is empty, or an empty string when a raw Image override is used.
func DevServerUIEndpoint ¶ added in v0.6.0
func DevServerUIEndpoint(dev *temporalv1alpha1.TemporalDevServer) string
DevServerUIEndpoint returns the in-cluster Web UI endpoint.
func DynamicConfigMapName ¶
DynamicConfigMapName returns the name of the ConfigMap holding dynamic config.
func FrontendCertName ¶
FrontendCertName returns the frontend server Certificate (and its secret) name.
func FrontendServiceName ¶
FrontendServiceName returns the name of the cluster's frontend client Service.
func HeadlessServiceName ¶
HeadlessServiceName returns the name of a service's headless membership Service.
func InspectorJobName ¶ added in v0.9.0
func InspectorJobName(clusterName string, store SchemaStore) string
InspectorJobName returns the deterministic name for an inspector Job.
func InternodeCertName ¶
InternodeCertName returns the internode Certificate (and its secret) name.
func MTLSEnabled ¶ added in v0.4.0
func MTLSEnabled(cluster *temporalv1alpha1.TemporalCluster) bool
MTLSEnabled reports whether the cluster requests cert-manager-issued mTLS.
func SchemaJobName ¶
func SchemaJobName(clusterName string, store SchemaStore, action SchemaAction) string
SchemaJobName returns the deterministic name for a schema Job.
func SelectorLabels ¶
func SelectorLabels(cluster *temporalv1alpha1.TemporalCluster, component string) map[string]string
SelectorLabels returns the stable selector labels for a cluster component. These never include the version so that selectors remain stable across upgrades.
func ServiceMonitorName ¶
ServiceMonitorName returns the cluster's ServiceMonitor name.
func StandardLabels ¶
func StandardLabels(cluster *temporalv1alpha1.TemporalCluster, component string) map[string]string
StandardLabels returns the full label set for a cluster component, including the managed-by and version labels.
func UIClientCertName ¶
UIClientCertName returns the UI client Certificate/secret name.
Types ¶
type InspectorJobParams ¶ added in v0.9.0
// InspectorJobParams describes the parameters for building an inspector Job
// (see BuildInspectorJob). Only SQL stores are inspected.
type InspectorJobParams struct {
	// Cluster is the owning TemporalCluster.
	Cluster *temporalv1alpha1.TemporalCluster
	// Store identifies which logical store to inspect.
	Store SchemaStore
	// SQLSpec is the SQL datastore spec for the target store.
	SQLSpec *temporalv1alpha1.SQLDatastoreSpec
	// OperatorImage is the operator image to use for the inspect container;
	// the Job runs the operator's "inspect" subcommand from it.
	OperatorImage string
}
InspectorJobParams describes the parameters for building an inspector Job.
type MTLSMounts ¶
// MTLSMounts describes the cert secrets to mount when mTLS is enabled.
// BuildDeployment consumes it when wiring certificate volumes into a service
// pod.
type MTLSMounts struct {
	// Enabled reports whether certificate volumes should be mounted at all.
	// NOTE(review): presumably mirrors MTLSEnabled(cluster); confirm at the caller.
	Enabled bool
	// InternodeSecret is the name of the Secret holding the internode
	// certificate, presumably mounted at InternodeCertMountPath in every pod
	// (and presumably InternodeCertName(cluster.Name)) — verify against the caller.
	InternodeSecret string
	// FrontendSecret is the name of the Secret holding the frontend server
	// certificate, presumably mounted at FrontendCertMountPath in frontend pods
	// (and presumably FrontendCertName(cluster.Name)) — verify against the caller.
	FrontendSecret string
	// CertHash, when set, is stamped on the pod template to trigger a rolling
	// restart on certificate rotation.
	CertHash string
}
MTLSMounts describes the cert secrets to mount when mTLS is enabled.
type SchemaAction ¶
// SchemaAction identifies the schema operation a Job performs.
type SchemaAction string
SchemaAction identifies the schema operation a Job performs.
// SchemaAction values accepted by BuildSchemaJob and SchemaJobName.
const (
	// ActionSetup creates the schema_version bookkeeping (setup-schema -v 0.0).
	ActionSetup SchemaAction = "setup"
	// ActionUpdate applies versioned migrations (update-schema -d <dir>).
	ActionUpdate SchemaAction = "update"
)
type SchemaJobParams ¶
// SchemaJobParams describes a single schema Job to build (see BuildSchemaJob).
type SchemaJobParams struct {
	// Cluster is the owning TemporalCluster.
	Cluster *temporalv1alpha1.TemporalCluster
	// SQLSpec is the resolved SQL datastore spec for the target store. Set for
	// SQL-backed stores.
	SQLSpec *temporalv1alpha1.SQLDatastoreSpec
	// CassandraSpec is the resolved Cassandra datastore spec. Set for
	// Cassandra-backed stores.
	// NOTE(review): presumably exactly one of SQLSpec/CassandraSpec is set per
	// Job — confirm how BuildSchemaJob treats both-nil or both-set.
	CassandraSpec *temporalv1alpha1.CassandraDatastoreSpec
	// Store and Action select the operation.
	Store  SchemaStore
	Action SchemaAction
	// SchemaVersionDir is the on-image schema version directory, e.g. "v12".
	SchemaVersionDir string
	// PasswordCommand, when set, is a shell command whose stdout is exported as
	// SQL_PASSWORD before the schema tool runs (passwordless / token auth).
	// NOTE(review): the value is embedded in the Job's shell command line
	// (AzurePasswordCommand is wrapped in "$(...)"), so it must originate from
	// the operator rather than from user-controlled CR fields — confirm at the
	// call site.
	PasswordCommand string
	// PodTemplate overrides the Job pod template (ServiceAccount, labels, token
	// initContainer, volumes). Nil leaves the generated pod unchanged.
	PodTemplate *temporalv1alpha1.PodTemplateOverride
}
SchemaJobParams describes a single schema Job to build.
type SchemaStore ¶
// SchemaStore identifies which logical store a schema Job targets.
type SchemaStore string
SchemaStore identifies which logical store a schema Job targets.
// SchemaStore values accepted by BuildSchemaJob, BuildInspectorJob and the
// Job naming helpers.
const (
	// StoreDefault is the default (history/execution) store.
	StoreDefault SchemaStore = "default"
	// StoreVisibility is the visibility store.
	StoreVisibility SchemaStore = "visibility"
)
type ServiceInfo ¶
// ServiceInfo describes a single Temporal service to be deployed. Instances
// are produced by EnabledServices and consumed by the Build* helpers that take
// a svc/frontend argument.
type ServiceInfo struct {
	// Name is the component name (e.g. "frontend").
	Name string
	// Spec is the per-service configuration from the CR; may be nil.
	Spec *temporalv1alpha1.ServiceSpec
	// Ports holds the resolved ports for the service.
	Ports temporal.ServicePort
	// HasHTTP reports whether the service exposes an HTTP port.
	HasHTTP bool
}
ServiceInfo describes a single Temporal service to be deployed.
func EnabledServices ¶
func EnabledServices(cluster *temporalv1alpha1.TemporalCluster) []ServiceInfo
EnabledServices returns the services that should be deployed for a cluster, including internal-frontend only when enabled.