temporal

Helm chart
# Release-wide settings for the temporal chart: naming, pull secrets,
# service account and extra manifests.
nameOverride: ""
fullnameOverride: ""
# Chart debug mode
# (eg. disable helm hook delete policy)
debug: false
# NOTE(review): the image repositories in this file sit under
# cgr.dev/chainguard-private; presumably pulling them needs registry
# credentials referenced here - confirm against the registry's access setup.
imagePullSecrets: []
# Custom Service account management
serviceAccount:
  # Whether to create service account or not
  # With the default (false) and no `name`, pods use the namespace's default
  # serviceAccount (see below) and so share whatever RBAC is bound to it.
  create: false
  # Name of the service account.
  # Uses `name` if set.
  # If `create: true` defaults to temporal.fullname, otherwise uses the namespace's default serviceAccount.
  name:
  # extraAnnotations would let users add additional annotations
  extraAnnotations:
additionalAnnotations: {}
additionalLabels: {}
# Array of extra K8s manifests to deploy
# Entries are deployed with the release, so review them like any other manifest.
extraObjects: []
# Temporal server: image reference plus the defaults shared by the
# per-service sections (frontend, history, matching, worker).
server:
  enabled: true
  image:
    repository: cgr.dev/chainguard-private/temporal-server-fips
    # The tag value carries a sha256 digest. Presumably it is rendered as
    # repository:tag, in which case the digest decides what is pulled and
    # `latest` is informational - confirm in the templates. Overriding `tag`
    # with a bare tag gives up that pinning.
    tag: latest@sha256:4ea2ff93081c4637f1005ff8943223eba5e8e27cff618d8418fba09129237d72
    pullPolicy: IfNotPresent
  # Global default settings (can be overridden per service)
  replicaCount: 1
  readinessProbe: {}
  metrics:
    # Annotate pods and services directly with the following Prometheus annotations.
    #   prometheus.io/job
    #   prometheus.io/port
    #   prometheus.io/scheme
    #   prometheus.io/scrape
    annotations:
      enabled: true
    # Enable Prometheus ServiceMonitor
    # Use this if you installed the Prometheus Operator (https://github.com/coreos/prometheus-operator).
    serviceMonitor:
      enabled: false
      interval: 30s
      # Set additional labels to all the ServiceMonitor resources
      additionalLabels: {}
      #   label1: value1
      #   label2: value2
      # Set Prometheus metric_relabel_configs via ServiceMonitor
      # Use metricRelabelings to adjust metric and label names as needed
      metricRelabelings: []
      # - action: replace
      #   sourceLabels:
      #     - exported_namespace
      #   targetLabel: temporal_namespace
      # - action: replace
      #   regex: service_errors_(.+)
      #   replacement: ${1}
      #   sourceLabels:
      #     - __name__
      #   targetLabel: temporal_error_kind
      # - action: replace
      #   regex: service_errors_.+
      #   replacement: temporal_service_errors
      #   sourceLabels:
      #     - __name__
      #   targetLabel: __name__
  deploymentLabels: {}
  deploymentAnnotations: {}
  deploymentStrategy: {}
  podAnnotations: {}
  podLabels: {}
  secretLabels: {}
  secretAnnotations: {}
  resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  #   limits:
  #     cpu: 100m
  #     memory: 128Mi
  #   requests:
  #     cpu: 100m
  #     memory: 128Mi
  nodeSelector: {}
  tolerations: []
  affinity: {}
  minReadySeconds: 0
  terminationGracePeriodSeconds: null
  additionalVolumes: []
  additionalVolumeMounts: []
  # NOTE(review): values listed in additionalEnv end up in the pod spec in
  # clear text; presumably additionalEnvSecretName loads variables from an
  # existing Secret instead - confirm, and use it for anything sensitive.
  additionalEnv: []
  additionalEnvSecretName: ""
  additionalEnvConfigMapName: ""
  # for sidecar containers, add containers here with restartPolicy: Always
  additionalInitContainers: []
  # publicClientHostPort: "temporal-frontend.example.svc:7233"
  # Pod-level security context: UID 1000 and fsGroup 1000. Nothing here sets
  # runAsNonRoot, and the per-service containerSecurityContext values in this
  # file default to {}, so container hardening (allowPrivilegeEscalation: false,
  # readOnlyRootFilesystem, dropped capabilities, seccompProfile) has to be
  # supplied by the operator.
  securityContext:
    fsGroup: 1000
    runAsUser: 1000
  # Server configuration: logging, TLS, authorization, persistence, metrics
  # and namespace bootstrap.
  config:
    # NOTE(review): the default includes `debug`; confirm what the server logs
    # at that level before using it where logs are widely readable.
    logLevel: "debug,info"
    # Define your TLS configuration here. See https://docs.temporal.io/references/configuration#tls
    # for configuration options. You must also use `server.additionalVolumeMounts` and `server.additionalVolumes`
    # to mount certificates (from Secret or ConfigMap etc) to the path you use below.
    # The block is commented out, so these defaults set no TLS for internode
    # or frontend traffic; enabling it is an explicit operator step. In the
    # sample, `requireClientAuth: true` together with `clientCaFiles` asks for
    # client certificates (mutual TLS).
    # tls:
    #   internode:
    #     server:
    #       certFile: /path/to/internode/cert/file
    #       keyFile: /path/to/internode/key/file
    #       requireClientAuth: true
    #       clientCaFiles:
    #         - /path/to/internode/serverCa
    #     client:
    #       serverName: dnsSanInInternodeCertificate
    #       rootCaFiles:
    #         - /path/to/internode/serverCa
    #   frontend:
    #     server:
    #       certFile: /path/to/frontend/cert/file
    #       keyFile: /path/to/frontend/key/file
    #       requireClientAuth: true
    #       clientCaFiles:
    #         - /path/to/internode/serverCa
    #         - /path/to/sdkClientPool1/ca
    #         - /path/to/sdkClientPool2/ca
    #     client:
    #       serverName: dnsSanInFrontendCertificate
    #       rootCaFiles:
    #         - /path/to/frontend/serverCa
    # Define your Authorizer and ClaimMapper configuration here. See https://docs.temporal.io/self-hosted-guide/security#authorization
    # Also commented out: these defaults configure no authorizer or claim
    # mapper. The sample key source below is a placeholder (plain http, no
    # port); signing keys should be fetched from an endpoint you trust, over
    # HTTPS.
    # authorization:
    #   jwtKeyProvider:
    #     keySourceURIs:
    #       - http://localhost:/jwks.json
    #     refreshInterval: 1m
    #   permissionsClaimName: permissions
    #   authorizer: default
    #   claimMapper: default
    persistence:
      defaultStore: default
      visibilityStore: visibility
      # Important: numHistoryShards cannot be changed after the initial deployment.
      numHistoryShards: 512
      # Persistence configuration follows the raw Temporal server config format.
      # Driver is determined by which top-level key is present (cassandra vs sql).
      # For SQL stores, you can use either connectAddr: "host:port" or separate host/port fields.
      # Helm-specific fields (existingSecret, secretKey) are stripped before rendering to server config.
      # In the samples below prefer `existingSecret` over an inline `password`,
      # so the credential is not kept in values files.
      datastores:
        default:
          # Example SQL configuration:
          # sql:
          #   createDatabase: false
          #   manageSchema: false
          #   pluginName: mysql8 # or postgres12, postgres12_pgx
          #   driverName: mysql8
          #   databaseName: temporal
          #   connectAddr: "mysql.example.com:3306" # preferred format
          #   connectProtocol: "tcp"
          #   # OR use separate host/port:
          #   # host: mysql.example.com
          #   # port: 3306
          #   user: temporal_user
          #   password: "" # optional, use existingSecret instead
          #   existingSecret: temporal-db-secret # Helm-specific, stripped before rendering
          #   secretKey: password # Helm-specific, default: password
          #   # Server v1.31+ alternative to password/existingSecret (SQL datastores
          #   # only). When set, no password Secret is created and no SQL_PASSWORD
          #   # env is wired; the server invokes the command per new connection.
          #   # NOTE(review): the command is run by the server, so the helper
          #   # binary presumably has to exist in the server image - confirm,
          #   # and treat it as part of the trusted image contents.
          #   passwordCommand:
          #     command: my-token-helper
          #     args: []
          #     timeout: 30s
          #   maxConns: 20
          #   maxIdleConns: 20
          #   maxConnLifetime: "1h"
          #   connectAttributes:
          #     tx_isolation: "READ-COMMITTED"
          #   tls:
          #     enabled: true
          #     caFile: /path/to/ca.pem
          # Example Cassandra configuration:
          # cassandra:
          #   createDatabase: false
          #   manageSchema: false
          #   hosts: "host1,host2"
          #   port: 9042
          #   keyspace: temporal
          #   user: cassandra_user
          #   password: "" # optional, use existingSecret instead
          #   existingSecret: temporal-cassandra-secret
          #   secretKey: password
          #   replicationFactor: 3
          #   consistency:
          #     default:
          #       consistency: "local_quorum"
          #       serialConsistency: "local_serial"
        visibility:
          # Example SQL configuration (same structure as default.sql):
          # sql:
          #   createDatabase: false
          #   manageSchema: false
          #   pluginName: mysql8
          #   driverName: mysql8
          #   databaseName: temporal_visibility
          #   connectAddr: "mysql.example.com:3306"
          #   connectProtocol: "tcp"
          #   user: temporal_user
          #   existingSecret: temporal-db-secret
          #   secretKey: password
          # Example Elasticsearch configuration:
          # The sample uses `scheme: http`; with a username/password set that
          # sends the credentials unencrypted, so pair real credentials with
          # https and the tls block. For AWS request signing, the `static`
          # keys put long-lived credentials in values; the sample's
          # `environment` provider (or aws-sdk-default) avoids that.
          # elasticsearch:
          #   version: v7
          #   url:
          #     scheme: http
          #     host: "elasticsearch:9200"
          #   username: ""
          #   password: ""
          #   existingSecret: temporal-es-secret
          #   secretKey: password
          #   logLevel: error
          #   indices:
          #     visibility: temporal_visibility_v1
          #   tls:
          #     enabled: true
          #     caFile: /path/to/ca.crt
          #     certFile: /path/to/client.crt
          #     keyFile: /path/to/client.key
          #     serverName: elasticsearch.internal
          #     enableHostVerification: true
          #   aws-request-signing:
          #     credentialProvider: environment # static, environment, or aws-sdk-default
          #     region: us-east-1
          #     static:
          #       accessKeyID: ""
          #       secretAccessKey: ""
          #       token: ""
        # Additional stores can be added here and will pass through directly
        # archive:
        #   sql:
        #     pluginName: postgres12
        #     ...
    metrics:
      # Additional tags to be added to Prometheus metrics
      tags: {}
      # ... All other fields from https://github.com/temporalio/temporal/blob/main/common/metrics/config.go
      # excludeTags: {}
      # prefix: ""
      # etc.
      prometheus:
        timerType: histogram
        # 0.0.0.0 binds the metrics listener on every interface of the pod.
        # Nothing in this file puts authentication in front of it, so limit
        # who can reach port 9090 (for example with a NetworkPolicy).
        listenAddress: "0.0.0.0:9090"
    namespaces:
      # Enable this to create namespaces
      create: false
      namespace:
        - name: default
          retention: 3d
  # Frontend service: the client-facing gRPC (7233) and HTTP (7243) endpoint,
  # with per-service overrides of the server-level defaults.
  frontend:
    enabled: true
    service:
      # Evaluated as template
      annotations: {}
      # ClusterIP keeps the service reachable only from inside the cluster.
      type: ClusterIP
      port: 7233
      appProtocol: tcp
      membershipPort: 6933
      membershipAppProtocol: tcp
      httpPort: 7243
      httpAppProtocol: http
    # Defaults to a tcpSocket probe; uncomment below for a gRPC probe.
    # gRPC probes don't yet support TLS (kubernetes/enhancements#4939), so opt in only when TLS is off.
    readinessProbe: {}
    # readinessProbe:
    #   grpc:
    #     port: 7233
    #     service: temporal.api.workflowservice.v1.WorkflowService
    # Ingress is off by default. NOTE(review): with `tls: []` presumably no
    # TLS section is rendered when it is enabled - confirm, and set
    # server.config.tls and authorization before exposing the frontend. The
    # sample `ssl-redirect: "false"` annotation turns HTTPS redirection off on
    # controllers that honour it.
    ingress:
      enabled: false
      # className:
      annotations: {}
      #   kubernetes.io/ingress.class: traefik
      #   ingress.kubernetes.io/ssl-redirect: "false"
      #   traefik.frontend.rule.type: PathPrefix
      hosts:
        - "/"
        # - "domain.com/xyz"
        # - "domain.com"
      tls: []
      #   - secretName: chart-example-tls
      #     hosts:
      #       - chart-example.local
    metrics:
      annotations:
        enabled: true
      serviceMonitor: {}
      #   enabled: false
      prometheus: {}
      #   timerType: histogram
    deploymentLabels: {}
    deploymentAnnotations: {}
    deploymentStrategy: {}
    podAnnotations: {}
    podLabels: {}
    serviceLabels: {}
    resources: {}
    nodeSelector: {}
    tolerations: []
    affinity: {}
    additionalEnv: []
    # Empty by default: no container-level hardening is applied unless set here.
    containerSecurityContext: {}
    topologySpreadConstraints: []
    podDisruptionBudget: {}
  # Internal frontend service (gRPC 7236, HTTP 7246); not deployed unless
  # enabled.
  internal-frontend:
    # Enable this to create internal-frontend
    enabled: false
    service:
      # Evaluated as template
      annotations: {}
      # ClusterIP keeps the service reachable only from inside the cluster.
      type: ClusterIP
      port: 7236
      appProtocol: tcp
      membershipPort: 6936
      membershipAppProtocol: tcp
      httpPort: 7246
      httpAppProtocol: http
    # Defaults to a tcpSocket probe; uncomment below for a gRPC probe.
    # gRPC probes don't yet support TLS (kubernetes/enhancements#4939), so opt in only when TLS is off.
    readinessProbe: {}
    # readinessProbe:
    #   grpc:
    #     port: 7236
    #     service: temporal.api.workflowservice.v1.WorkflowService
    metrics:
      annotations:
        enabled: true
      serviceMonitor: {}
      #   enabled: false
      prometheus: {}
      #   timerType: histogram
    deploymentLabels: {}
    deploymentAnnotations: {}
    deploymentStrategy: {}
    podAnnotations: {}
    podLabels: {}
    serviceLabels: {}
    resources: {}
    nodeSelector: {}
    tolerations: []
    affinity: {}
    additionalEnv: []
    # Empty by default: no container-level hardening is applied unless set here.
    containerSecurityContext: {}
    topologySpreadConstraints: []
    podDisruptionBudget: {}
  # History service (port 7234, membership 6934): per-service overrides of
  # the server-level defaults.
  history:
    enabled: true
    service:
      # type: ClusterIP
      port: 7234
      appProtocol: tcp
      membershipPort: 6934
      membershipAppProtocol: tcp
    readinessProbe: {}
    metrics:
      annotations:
        enabled: true
      serviceMonitor: {}
      #   enabled: false
      prometheus: {}
      #   timerType: histogram
    deploymentLabels: {}
    deploymentAnnotations: {}
    deploymentStrategy: {}
    podAnnotations: {}
    podLabels: {}
    serviceLabels: {}
    resources: {}
    nodeSelector: {}
    tolerations: []
    affinity: {}
    additionalEnv: []
    # Empty by default: no container-level hardening is applied unless set here.
    containerSecurityContext: {}
    topologySpreadConstraints: []
    podDisruptionBudget: {}
  # Matching service (port 7235, membership 6935): per-service overrides of
  # the server-level defaults.
  matching:
    enabled: true
    service:
      # type: ClusterIP
      port: 7235
      appProtocol: tcp
      membershipPort: 6935
      membershipAppProtocol: tcp
    readinessProbe: {}
    metrics:
      annotations:
        enabled: true
      serviceMonitor: {}
      #   enabled: false
      prometheus: {}
      #   timerType: histogram
    deploymentLabels: {}
    deploymentAnnotations: {}
    deploymentStrategy: {}
    podAnnotations: {}
    podLabels: {}
    serviceLabels: {}
    resources: {}
    nodeSelector: {}
    tolerations: []
    affinity: {}
    additionalEnv: []
    # Empty by default: no container-level hardening is applied unless set here.
    containerSecurityContext: {}
    topologySpreadConstraints: []
    podDisruptionBudget: {}
  # Worker service (port 7239, membership 6939): per-service overrides of
  # the server-level defaults.
  worker:
    enabled: true
    service:
      # type: ClusterIP
      port: 7239
      appProtocol: tcp
      membershipPort: 6939
      membershipAppProtocol: tcp
    readinessProbe: {}
    metrics:
      annotations:
        enabled: true
      serviceMonitor: {}
      #   enabled: false
      prometheus: {}
      #   timerType: histogram
    deploymentLabels: {}
    deploymentAnnotations: {}
    deploymentStrategy: {}
    podAnnotations: {}
    podLabels: {}
    serviceLabels: {}
    resources: {}
    nodeSelector: {}
    tolerations: []
    affinity: {}
    additionalEnv: []
    # Empty by default: no container-level hardening is applied unless set here.
    containerSecurityContext: {}
    topologySpreadConstraints: []
    podDisruptionBudget: {}
# Admin tools deployment, enabled by default.
# NOTE(review): this pod carries Temporal administration tooling; confirm
# who may exec into it and disable it where it is not needed.
admintools:
  enabled: true
  image:
    repository: cgr.dev/chainguard-private/temporal-admin-tools-fips
    # The tag value carries a sha256 digest. Presumably it is rendered as
    # repository:tag, in which case the digest decides what is pulled and
    # `latest` is informational - confirm in the templates.
    tag: latest@sha256:9d8c09326641e8d803092b010b7ef4f1d3523b6ec516da06449ee08c6d1a3363
    pullPolicy: IfNotPresent
  service:
    type: ClusterIP
    # NOTE(review): port 22 is conventionally SSH; what listens on it is not
    # visible from this file - confirm before exposing the service further.
    port: 22
    annotations: {}
  deploymentLabels: {}
  deploymentAnnotations: {}
  deploymentStrategy: {}
  podLabels: {}
  podAnnotations: {}
  nodeSelector: {}
  tolerations: []
  affinity: {}
  additionalVolumes: []
  additionalVolumeMounts: []
  additionalEnv: []
  additionalEnvSecretName: ""
  additionalEnvConfigMapName: ""
  # temporalAddress: "localhost:7233"
  # for sidecar containers, add containers here with restartPolicy: Always
  additionalInitContainers: []
  resources: {}
  # Both contexts below are empty, whereas server.securityContext sets
  # runAsUser/fsGroup 1000. Presumably the image's own user applies here -
  # confirm it is non-root, or set runAsNonRoot and a container context.
  containerSecurityContext: {}
  securityContext: {}
  minReadySeconds: 0
  podDisruptionBudget: {}
# Temporal Web UI deployment, enabled by default on port 8080.
# NOTE(review): no UI authentication settings appear in these defaults
# (additionalEnv is empty); presumably they are supplied through the
# environment variables documented at the link further down. Configure them
# before switching the service to NodePort or enabling the ingress.
web:
  # additionalInitContainers: []
  enabled: true
  replicaCount: 1
  image:
    repository: cgr.dev/chainguard-private/temporal-ui-server-fips
    # The tag value carries a sha256 digest. Presumably it is rendered as
    # repository:tag, in which case the digest decides what is pulled and
    # `latest` is informational - confirm in the templates.
    tag: latest@sha256:5c3ace80397a5a47a4a731ec2a4e9c2d5d7111da241c8bc64d523f7d90ba7231
    pullPolicy: IfNotPresent
  service:
    # set type to NodePort if access to web needs access from outside the cluster
    # for more info see https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
    type: ClusterIP
    # The below clusterIP setting can be set to "None" to make the temporal-web service headless.
    # Note that this requires the web.service.type to be the default ClusterIP value.
    # clusterIP:
    port: 8080
    appProtocol: http
    annotations: {}
    # loadBalancerIP:
  # Override the address the UI uses to connect to the Temporal frontend.
  # Defaults to <fullname>-frontend.<namespace>.svc:<server.frontend.service.port>.
  # Useful when running a proxy sidecar that intercepts gRPC traffic.
  # temporalAddress: "localhost:7233"
  readinessProbe:
    initialDelaySeconds: 10
    httpGet:
      path: /healthz
      port: http
  # Ingress is off by default. NOTE(review): with `tls: []` presumably no TLS
  # section is rendered when it is enabled - confirm, and add a TLS entry so
  # the UI is not served over plain HTTP. The sample `ssl-redirect: "false"`
  # annotation turns HTTPS redirection off on controllers that honour it.
  ingress:
    enabled: false
    # className:
    annotations: {}
    #   kubernetes.io/ingress.class: traefik
    #   ingress.kubernetes.io/ssl-redirect: "false"
    #   traefik.frontend.rule.type: PathPrefix
    hosts:
      - "/"
      # - "domain.com/xyz"
      # - "domain.com"
    tls: []
    #   - secretName: chart-example-tls
    #     hosts:
    #       - chart-example.local
  deploymentLabels: {}
  deploymentAnnotations: {}
  deploymentStrategy: {}
  podAnnotations: {}
  podLabels: {}
  resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  #   limits:
  #     cpu: 100m
  #     memory: 128Mi
  #   requests:
  #     cpu: 100m
  #     memory: 128Mi
  nodeSelector: {}
  tolerations: []
  affinity: {}
  additionalVolumes: []
  additionalVolumeMounts: []
  # Adjust Web UI config with environment variables:
  # https://docs.temporal.io/references/web-ui-environment-variables
  additionalEnv: []
  additionalEnvSecretName: ""
  additionalEnvConfigMapName: ""
  # Both contexts are empty by default: no user or container hardening is
  # applied to the UI pod unless set here.
  containerSecurityContext: {}
  securityContext: {}
  topologySpreadConstraints: []
  minReadySeconds: 0
  podDisruptionBudget: {}
# Schema setup job settings.
schema:
  # Use Helm hooks to ensure schema setup completes before server pods start.
  # Set to false if using Flux, Rancher or Terraform.
  useHelmHooks: true
  backoffLimit: 100
  activeDeadlineSeconds: null
  # 86400 seconds is 24 hours. NOTE(review): presumably passed to the Job's
  # ttlSecondsAfterFinished, which would keep the finished job and its logs
  # around for that long - confirm in the templates.
  ttlSecondsAfterFinished: 86400
  jobAnnotations: {}
  podAnnotations: {}
  podLabels: {}
  resources: {}
  # Both contexts are empty by default: no user or container hardening is
  # applied to the schema job unless set here.
  containerSecurityContext: {}
  securityContext: {}
# Compatibility shims for older Temporal images; both are on by default.
# NOTE(review): the image tags in this file are `latest@sha256:...`, so the
# Temporal version is not visible here - check it before deciding whether
# these should stay enabled.
shims:
  # Enable compatibility with Temporal 1.29 images. Set to false if using Temporal 1.30 or higher.
  dockerize: true
  # Enable compatibility with Temporal 1.29 images. Set to false if using Temporal 1.30 or higher.
  elasticsearchTool: true
# Pod metadata, resources and scheduling for the chart's test pod
# (presumably the one run by `helm test` - confirm in the templates).
test:
  podAnnotations: {}
  podLabels: {}
  resources: {}
  nodeSelector: {}
  tolerations: []
  affinity: {}