🌱 Init Deploy temporal on k8s

.devcontainer/devcontainer.json

@@ -16,6 +16,14 @@
       ]
     }
   },
+  "appPort": [
+    "80:80",
+    "443:443",
+    "8080:8080",
+    "8443:8443",
+    "9080:9080",
+    "9443:9443"
+  ],
   "forwardPorts": [
     80,
     443,
@@ -24,15 +32,26 @@
     9080,
     9443
   ],
-
-	"portsAttributes": {
-		"80": { "label": "nginx-ingress-http" },
-		"443": { "label": "nginx-ingress-https" },
-		"8080": { "label": "kourier-knative-http" },
-		"8443": { "label": "kourier-knative-https" },
-		"9080": { "label": "nginx-gateway-fabric-http" },
-		"9443": { "label": "nginx-gateway-fabric-https" }
-	},
+  "portsAttributes": {
+    "80": {
+      "label": "nginx-ingress-http"
+    },
+    "443": {
+      "label": "nginx-ingress-https"
+    },
+    "8080": {
+      "label": "kourier-knative-http"
+    },
+    "8443": {
+      "label": "kourier-knative-https"
+    },
+    "9080": {
+      "label": "nginx-gateway-fabric-http"
+    },
+    "9443": {
+      "label": "nginx-gateway-fabric-https"
+    }
+  },
   "postStartCommand": "bash .devcontainer/scripts/postStartCommand.sh",
   "onCreateCommand": "bash  .devcontainer/scripts/onCreateCommand.sh"
 }

.github/.devcontainer/devcontainer.json

@@ -23,6 +23,7 @@
     "ghcr.io/devcontainers-contrib/features/fzf:1": {},
     "ghcr.io/devcontainers-contrib/features/vault-asdf:2": {},
     "ghcr.io/devcontainers/features/go:1": {},
-    "./features/grpcurl": {}
+    "./features/grpcurl": {},
+    "ghcr.io/devcontainers-contrib/features/temporal-cli:1": {}
   }
 }

README.md

@@ -30,6 +30,7 @@ It contains configurations and examples for the following components:
 - Discovery
   - [Sidecar Container Support v1.29 [beta]](discovery/sidecar-container-support-1.29-beta)
   - [Ephemeral Container - v1.25 [stable]](discovery/ephemeral-container-1.25-stable)
+  - [Temporal IO](discovery/temporal)
 
 ## Launch DevContainer
 

Taskfile.yml

@@ -28,6 +28,9 @@ includes:
   gateway:
     taskfile: ./gateway/tasks.yml
     dir: ./gateway
+  discovery:
+    taskfile: ./discovery/tasks.yml
+    dir: ./discovery
 
 tasks:
   default:

discovery/tasks.yml

@@ -0,0 +1,31 @@
+version: 3
+
+tasks:
+  temporal-install:
+    desc: Install Temporal IO.
+    cmds:
+      - helm repo add temporal https://go.temporal.io/helm-charts
+      - helm repo update temporal
+      - helm upgrade --install
+        --set server.replicaCount=1
+        --set cassandra.config.cluster_size=1
+        --set elasticsearch.replicas=1
+        --set prometheus.enabled=false
+        --set grafana.enabled=false
+        temporal temporal/temporal
+        --timeout 15m
+        --create-namespace
+        --namespace temporal-system
+        -f temporal/helm.values.yml
+        --version 0.50.0
+      - |
+        kubectl get secret temporal-gateway.127.0.0.1.nip.io-tls -n temporal-system -o jsonpath="{['data']['ca\.crt']}" | base64 --decode > /home/vscode/temporal-ing-ca.crt
+        cat <<EOF >> /home/vscode/.bashrc
+        export TEMPORAL_TLS_CA=/home/vscode/temporal-ing-ca.crt
+        export TEMPORAL_ADDRESS=temporal-gateway.127.0.0.1.nip.io:443
+        EOF
+        source /home/vscode/.bashrc
+
+  temporal-uninstall:
+    desc: Uninstall Temporal IO.
+    cmd: helm del -n temporal-system temporal

discovery/temporal/README.md

@@ -0,0 +1,89 @@
+# [Temporal IO][temporal.io]
+
+## Késako ?
+
+Temporal is a distributed, scalable, durable, and highly available orchestration engine designed to execute asynchronous long-running business logic in a resilient way.
+
+![Temporal Components](../images/temporal-components.png)
+
+## Install
+
+```bash
+task discovery:temporal-install
+```
+
+> ⚠️ Installation can take several minutes
+
+Visit UI :  <http://temporal-ui.127.0.0.1.nip.io>
+
+## Connect To Temporal **Frontend Service**
+
+### Via Temporal CLI
+
+> ℹ️ After installing the Helm Temporal chart, I automatically configure the CLI to consider the Frontend Service address and the Ingress certificate:
+>
+> ```bash
+> kubectl get secret temporal-gateway.127.0.0.1.nip.io-tls -n temporal-system -o jsonpath="{['data']['ca\.crt']}" | base64 --decode > /home/vscode/temporal-ing-ca.crt
+> cat <<EOF >> /home/vscode/.bashrc
+> export TEMPORAL_TLS_CA=/home/vscode/temporal-ing-ca.crt
+> export TEMPORAL_ADDRESS=temporal-gateway.127.0.0.1.nip.io:443
+> EOF
+> source /home/vscode/.bashrc
+>```
+
+```bash
+## Get Health of Temporal Cluster
+temporal operator cluster health
+# SERVING
+
+## Create namespace Team 1
+temporal operator namespace create --retention 5d --namespace team-temporal
+# Namespace team-temporal successfully registered.
+
+## Create namespace Team 2
+temporal operator namespace create --retention 5d --namespace team-cadence
+# Namespace team-cadence successfully registered.
+```
+
+### Via Temporal SDK Java
+
+```java
+import io.grpc.Grpc;
+import io.grpc.ManagedChannel;
+import io.grpc.TlsChannelCredentials;
+import io.grpc.netty.shaded.io.netty.handler.ssl.util.InsecureTrustManagerFactory;
+import io.temporal.serviceclient.WorkflowServiceStubs;
+import io.temporal.serviceclient.WorkflowServiceStubsOptions;
+
+// https://github.com/grpc/grpc-java/issues/10523
+ManagedChannel managedChannel = Grpc.newChannelBuilder("temporal-gateway.127.0.0.1.nip.io:443",
+        TlsChannelCredentials.newBuilder()
+                .trustManager(InsecureTrustManagerFactory.INSTANCE.getTrustManagers()[0])
+                .build()
+        ).build();
+WorkflowServiceStubs service = WorkflowServiceStubs.newServiceStubs(
+        WorkflowServiceStubsOptions.newBuilder()
+                .setChannel(managedChannel)
+                .build()
+        );
+```
+
+> ℹ️ You can see that I'm using an `InsecureTrustManagerFactory`. The simple reason that the ingress certificate is self-signed, and to avoid getting the [*Empty issuer DN not allowed in X509Certificates* error][cert-manager-certificate-validity], I decide to bypass the SSL verification.
+>
+> ⚠️ **However, this configuration is exclusively reserved for Tests. For production use, you should consider using [mTLS][temporal-mtls-cloud]**
+
+## Uninstall
+
+```bash
+task discovery:temporal-uninstall
+```
+
+## Resources
+
+- [Temporal Helm Chart][temporal-helm-chart-gh]
+
+<!-- Links -->
+[temporal.io]: https://temporal.io/
+[temporal-helm-chart-gh]: https://github.com/temporalio/helm-charts
+[cert-manager-certificate-validity]: https://cert-manager.io/docs/configuration/selfsigned/#certificate-validity
+[temporal-mtls-cloud]: https://learn.temporal.io/getting_started/java/run_workers_with_cloud_java/

discovery/temporal/helm.values.yml

@@ -0,0 +1,30 @@
+server:
+  config:
+    namespaces:
+      create: true
+  frontend:
+    ingress:
+      enabled: true
+      className: nginx
+      # Grpc Reguired TLS connection on Ingress-nginx
+      # https://github.com/kubernetes/ingress-nginx/issues/3897
+      tls:
+      - secretName: temporal-gateway.127.0.0.1.nip.io-tls
+        hosts:
+        - temporal-gateway.127.0.0.1.nip.io
+      hosts:
+        - temporal-gateway.127.0.0.1.nip.io
+      annotations:
+        nginx.ingress.kubernetes.io/backend-protocol: GRPC # Enable support of HTTP/2, for GRPC Client
+        nginx.org/grpc-services: temporal-frontend
+        nginx.ingress.kubernetes.io/proxy-body-size: 50m
+        nginx.ingress.kubernetes.io/proxy-connect-timeout: "60"
+        nginx.ingress.kubernetes.io/proxy-read-timeout: "60"
+        nginx.ingress.kubernetes.io/proxy-send-timeout: "60"
+        cert-manager.io/cluster-issuer: selfsigned-cluster-issuer
+web:
+  ingress:
+    enabled: true
+    className: nginx
+    hosts:
+      - temporal-ui.127.0.0.1.nip.io