This repository contains a Temporal Server image with custom authentication via Google IAM and authorization via OpenFGA. The image is designed for use with the Charmed Temporal K8s Operator.
The main components that are handled in this repository are:
- Temporal Server - the main component of the Temporal architecture.
- TCTL - command line tool for interacting with the Temporal Server.
Since the repository contains two components, each of them is documented individually. Please refer to the Documentation Index for further reading.
To test the custom Temporal Server locally, we will be using microk8s as a local registry, which will allow us to deploy our charm using this custom image.
- Set up a Google Cloud project. You will then need to set up an OAuth 2.0 client ID. This will be used to acquire the credentials needed to set up authentication through the web UI and client libraries.
- Set up the charmed Temporal ecosystem.
- Enable authentication on the Temporal Web UI charm as follows:

  ```bash
  juju config temporal-ui-k8s \
    auth-enabled=true \
    auth-client-id="<google_client_id>" \
    auth-client-secret="<google_secret_id>"
  ```

- Enable the microk8s registry:

  ```bash
  microk8s enable registry
  ```

- Build the custom image in this repository and push it to the local microk8s registry:

  ```bash
  docker build . -t localhost:32000/temporal-auth
  docker images # make note of the image ID
  docker tag <IMAGE_ID> localhost:32000/temporal-auth
  docker push localhost:32000/temporal-auth
  ```

- Attach the image as a resource to the server charm by running the following:

  ```bash
  juju refresh temporal-k8s --resource temporal-server-image=localhost:32000/temporal-auth
  ```

You should now be able to run sample workflows using the Temporal Python and Go client libraries against the deployed Temporal server. Each library contains instructions on how to set the necessary configuration variables for Google IAM authentication.