temporal

Helm chart
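# NOTE(review): the listing was rendered without indentation and with gutter
# numbers between lines; the nesting below is reconstructed — confirm against
# the chart's values.yaml before relying on it.
nameOverride: ""
fullnameOverride: ""
# Chart debug mode
# (eg. disable helm hook delete policy)
debug: false
# NOTE(review): the image repositories in this values file sit under a
# "chainguard-private" path, so pulls presumably need a registry credential
# referenced here — confirm for your cluster.
imagePullSecrets: []
# Custom Service account management
serviceAccount:
  # Whether to create service account or not
  create: false
  # Name of the service account.
  # Uses `name` if set.
  # If `create: true` defaults to temporal.fullname, otherwise uses the namespace's default serviceAccount.
  # NOTE(review): with these defaults (`create: false`, no name) the pods share
  # the namespace's default ServiceAccount; a dedicated account keeps any RBAC
  # grants scoped to this release.
  name:
  # extraAnnotations would let users add additional annotations
  extraAnnotations:
additionalAnnotations: {}
additionalLabels: {}
# Array of extra K8s manifests to deploy
# NOTE(review): entries are deployed with the release; review them like any
# other manifest applied to the cluster.
extraObjects: []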
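# NOTE(review): the listing was rendered without indentation and with gutter
# numbers between lines; the nesting below is reconstructed (in particular the
# placement of `metrics` and `namespaces` under `server.config`) — confirm
# against the chart's values.yaml before relying on it.
server:
  enabled: true
  image:
    repository: chainreg.biz/chainguard-private/temporal-server-fips
    # The digest after '@' is what the runtime resolves, so the image is pinned
    # even though the tag part reads `latest`. Update the digest deliberately
    # when upgrading.
    tag: latest@sha256:ec983b9ea1adc8dc50768a0b57f2464acbce563871ec4d94bb3efad5c96f4de9
    pullPolicy: IfNotPresent
  # Global default settings (can be overridden per service)
  replicaCount: 1
  readinessProbe: {}
  metrics:
    # Annotate pods and services directly with the following Prometheus annotations.
    # prometheus.io/job
    # prometheus.io/port
    # prometheus.io/scheme
    # prometheus.io/scrape
    annotations:
      enabled: true
    # Enable Prometheus ServiceMonitor
    # Use this if you installed the Prometheus Operator (https://github.com/coreos/prometheus-operator).
    serviceMonitor:
      enabled: false
      interval: 30s
      # Set additional labels to all the ServiceMonitor resources
      additionalLabels: {}
      #  label1: value1
      #  label2: value2
      # Set Prometheus metric_relabel_configs via ServiceMonitor
      # Use metricRelabelings to adjust metric and label names as needed
      metricRelabelings: []
      # - action: replace
      #   sourceLabels:
      #     - exported_namespace
      #   targetLabel: temporal_namespace
      # - action: replace
      #   regex: service_errors_(.+)
      #   replacement: ${1}
      #   sourceLabels:
      #     - __name__
      #   targetLabel: temporal_error_kind
      # - action: replace
      #   regex: service_errors_.+
      #   replacement: temporal_service_errors
      #   sourceLabels:
      #     - __name__
      #   targetLabel: __name__
  deploymentLabels: {}
  deploymentAnnotations: {}
  deploymentStrategy: {}
  podAnnotations: {}
  podLabels: {}
  secretLabels: {}
  secretAnnotations: {}
  resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi
  nodeSelector: {}
  tolerations: []
  affinity: {}
  minReadySeconds: 0
  terminationGracePeriodSeconds: null
  additionalVolumes: []
  additionalVolumeMounts: []
  additionalEnv: []
  additionalEnvSecretName: ""
  additionalEnvConfigMapName: ""
  # for sidecar containers, add containers here with restartPolicy: Always
  additionalInitContainers: []
  # Pod-level security context: fixed UID and fsGroup 1000.
  # NOTE(review): `runAsNonRoot: true` is not set here, and every per-service
  # `containerSecurityContext` below defaults to {}. Hardened installs usually
  # override those with allowPrivilegeEscalation: false, capabilities.drop: [ALL],
  # readOnlyRootFilesystem: true and seccompProfile.type: RuntimeDefault — test
  # that the images run with them before enforcing.
  securityContext:
    fsGroup: 1000
    runAsUser: 1000
  config:
    # NOTE(review): the default includes debug; debug output is verbose and may
    # carry more request detail than is wanted in production logs.
    logLevel: "debug,info"
    # Define your TLS configuration here. See https://docs.temporal.io/references/configuration#tls
    # for configuration options. You must also use `server.additionalVolumeMounts` and `server.additionalVolumes`
    # to mount certificates (from Secret or ConfigMap etc) to the path you use below.
    # NOTE(review): no TLS block is active by default, so internode and frontend
    # traffic is presumably plaintext until this is configured. In the example,
    # `requireClientAuth: true` together with `clientCaFiles` is what makes the
    # server verify client certificates (mutual TLS).
    # tls:
    #   internode:
    #     server:
    #       certFile: /path/to/internode/cert/file
    #       keyFile: /path/to/internode/key/file
    #       requireClientAuth: true
    #       clientCaFiles:
    #         - /path/to/internode/serverCa
    #     client:
    #       serverName: dnsSanInInternodeCertificate
    #       rootCaFiles:
    #         - /path/to/internode/serverCa
    #   frontend:
    #     server:
    #       certFile: /path/to/frontend/cert/file
    #       keyFile: /path/to/frontend/key/file
    #       requireClientAuth: true
    #       clientCaFiles:
    #         - /path/to/internode/serverCa
    #         - /path/to/sdkClientPool1/ca
    #         - /path/to/sdkClientPool2/ca
    #     client:
    #       serverName: dnsSanInFrontendCertificate
    #       rootCaFiles:
    #         - /path/to/frontend/serverCa
    # Define your Authorizer and ClaimMapper configuration here. See https://docs.temporal.io/self-hosted-guide/security#authorization
    # NOTE(review): no authorizer is active by default in this file; check the
    # linked guide for what the server permits when none is set. The example
    # key source below uses http:// and has no port — point it at the HTTPS
    # JWKS endpoint of your identity provider.
    # authorization:
    #   jwtKeyProvider:
    #     keySourceURIs:
    #       - http://localhost:/jwks.json
    #     refreshInterval: 1m
    #   permissionsClaimName: permissions
    #   authorizer: default
    #   claimMapper: default
    persistence:
      defaultStore: default
      visibilityStore: visibility
      # Important: numHistoryShards cannot be changed after the initial deployment.
      numHistoryShards: 512
      # Persistence configuration follows the raw Temporal server config format.
      # Driver is determined by which top-level key is present (cassandra vs sql).
      # For SQL stores, you can use either connectAddr: "host:port" or separate host/port fields.
      # Helm-specific fields (existingSecret, secretKey) are stripped before rendering to server config.
      # NOTE(review): prefer `existingSecret` over an inline `password` — values
      # passed to Helm are stored with the release and often end up in version
      # control. The SQL and Cassandra examples show a `tls` block only for SQL;
      # enable transport encryption to the datastore wherever the driver supports it.
      datastores:
        default:
          # Example SQL configuration:
          # sql:
          #   createDatabase: false
          #   manageSchema: false
          #   pluginName: mysql8  # or postgres12, postgres12_pgx
          #   driverName: mysql8
          #   databaseName: temporal
          #   connectAddr: "mysql.example.com:3306"  # preferred format
          #   connectProtocol: "tcp"
          #   # OR use separate host/port:
          #   # host: mysql.example.com
          #   # port: 3306
          #   user: temporal_user
          #   password: ""  # optional, use existingSecret instead
          #   existingSecret: temporal-db-secret  # Helm-specific, stripped before rendering
          #   secretKey: password  # Helm-specific, default: password
          #   # Server v1.31+ alternative to password/existingSecret (SQL datastores
          #   # only). When set, no password Secret is created and no SQL_PASSWORD
          #   # env is wired; the server invokes the command per new connection.
          #   passwordCommand:
          #     command: my-token-helper
          #     args: []
          #     timeout: 30s
          #   maxConns: 20
          #   maxIdleConns: 20
          #   maxConnLifetime: "1h"
          #   connectAttributes:
          #     tx_isolation: "READ-COMMITTED"
          #   tls:
          #     enabled: true
          #     caFile: /path/to/ca.pem
          # Example Cassandra configuration:
          # cassandra:
          #   createDatabase: false
          #   manageSchema: false
          #   hosts: "host1,host2"
          #   port: 9042
          #   keyspace: temporal
          #   user: cassandra_user
          #   password: ""  # optional, use existingSecret instead
          #   existingSecret: temporal-cassandra-secret
          #   secretKey: password
          #   replicationFactor: 3
          #   consistency:
          #     default:
          #       consistency: "local_quorum"
          #       serialConsistency: "local_serial"
        visibility:
          # Example SQL configuration (same structure as default.sql):
          # sql:
          #   createDatabase: false
          #   manageSchema: false
          #   pluginName: mysql8
          #   driverName: mysql8
          #   databaseName: temporal_visibility
          #   connectAddr: "mysql.example.com:3306"
          #   connectProtocol: "tcp"
          #   user: temporal_user
          #   existingSecret: temporal-db-secret
          #   secretKey: password
          # Example Elasticsearch configuration:
          # NOTE(review): the example uses `scheme: http`; with a username and
          # password set, that sends the credentials unencrypted — use https
          # with the `tls` block and keep `enableHostVerification: true`. For
          # AWS request signing, prefer the `environment` or `aws-sdk-default`
          # provider over static keys written into values.
          # elasticsearch:
          #   version: v7
          #   url:
          #     scheme: http
          #     host: "elasticsearch:9200"
          #   username: ""
          #   password: ""
          #   existingSecret: temporal-es-secret
          #   secretKey: password
          #   logLevel: error
          #   indices:
          #     visibility: temporal_visibility_v1
          #   tls:
          #     enabled: true
          #     caFile: /path/to/ca.crt
          #     certFile: /path/to/client.crt
          #     keyFile: /path/to/client.key
          #     serverName: elasticsearch.internal
          #     enableHostVerification: true
          #   aws-request-signing:
          #     credentialProvider: environment  # static, environment, or aws-sdk-default
          #     region: us-east-1
          #     static:
          #       accessKeyID: ""
          #       secretAccessKey: ""
          #       token: ""
        # Additional stores can be added here and will pass through directly
        # archive:
        #   sql:
        #     pluginName: postgres12
        #     ...
    metrics:
      # Additional tags to be added to Prometheus metrics
      tags: {}
      # ... All other fields from https://github.com/temporalio/temporal/blob/main/common/metrics/config.go
      # excludeTags: {}
      # prefix: ""
      # etc.
      prometheus:
        timerType: histogram
        # NOTE(review): binds the metrics endpoint on all pod interfaces; if the
        # metrics are sensitive, limit who can reach port 9090 with a NetworkPolicy.
        listenAddress: "0.0.0.0:9090"
    namespaces:
      # Enable this to create namespaces
      create: false
      namespace:
        - name: default
          retention: 3d
  frontend:
    enabled: true
    service:
      # Evaluated as template
      annotations: {}
      type: ClusterIP
      port: 7233
      appProtocol: tcp
      membershipPort: 6933
      membershipAppProtocol: tcp
      httpPort: 7243
      httpAppProtocol: http
    # Defaults to a tcpSocket probe; uncomment below for a gRPC probe.
    # gRPC probes don't yet support TLS (kubernetes/enhancements#4939), so opt in only when TLS is off.
    readinessProbe: {}
    # readinessProbe:
    #   grpc:
    #     port: 7233
    #     service: temporal.api.workflowservice.v1.WorkflowService
    # NOTE(review): enabling this ingress publishes the frontend service beyond
    # the cluster; configure server TLS and authorization first. The annotation
    # example below turns ssl-redirect off — leave it on unless TLS terminates
    # elsewhere.
    ingress:
      enabled: false
      # className:
      annotations: {}
      #   kubernetes.io/ingress.class: traefik
      #   ingress.kubernetes.io/ssl-redirect: "false"
      #   traefik.frontend.rule.type: PathPrefix
      hosts:
        - "/"
        # - "domain.com/xyz"
        # - "domain.com"
      tls: []
      #  - secretName: chart-example-tls
      #    hosts:
      #      - chart-example.local
    metrics:
      annotations:
        enabled: true
      serviceMonitor: {}
      #  enabled: false
      prometheus: {}
      #  timerType: histogram
    deploymentLabels: {}
    deploymentAnnotations: {}
    deploymentStrategy: {}
    podAnnotations: {}
    podLabels: {}
    serviceLabels: {}
    resources: {}
    nodeSelector: {}
    tolerations: []
    affinity: {}
    additionalEnv: []
    containerSecurityContext: {}
    topologySpreadConstraints: []
    podDisruptionBudget: {}
  internal-frontend:
    # Enable this to create internal-frontend
    enabled: false
    service:
      # Evaluated as template
      annotations: {}
      type: ClusterIP
      port: 7236
      appProtocol: tcp
      membershipPort: 6936
      membershipAppProtocol: tcp
      httpPort: 7246
      httpAppProtocol: http
    # Defaults to a tcpSocket probe; uncomment below for a gRPC probe.
    # gRPC probes don't yet support TLS (kubernetes/enhancements#4939), so opt in only when TLS is off.
    readinessProbe: {}
    # readinessProbe:
    #   grpc:
    #     port: 7236
    #     service: temporal.api.workflowservice.v1.WorkflowService
    metrics:
      annotations:
        enabled: true
      serviceMonitor: {}
      #  enabled: false
      prometheus: {}
      #  timerType: histogram
    deploymentLabels: {}
    deploymentAnnotations: {}
    deploymentStrategy: {}
    podAnnotations: {}
    podLabels: {}
    serviceLabels: {}
    resources: {}
    nodeSelector: {}
    tolerations: []
    affinity: {}
    additionalEnv: []
    containerSecurityContext: {}
    topologySpreadConstraints: []
    podDisruptionBudget: {}
  history:
    enabled: true
    service:
      # type: ClusterIP
      port: 7234
      appProtocol: tcp
      membershipPort: 6934
      membershipAppProtocol: tcp
    readinessProbe: {}
    metrics:
      annotations:
        enabled: true
      serviceMonitor: {}
      #  enabled: false
      prometheus: {}
      #  timerType: histogram
    deploymentLabels: {}
    deploymentAnnotations: {}
    deploymentStrategy: {}
    podAnnotations: {}
    podLabels: {}
    serviceLabels: {}
    resources: {}
    nodeSelector: {}
    tolerations: []
    affinity: {}
    additionalEnv: []
    containerSecurityContext: {}
    topologySpreadConstraints: []
    podDisruptionBudget: {}
  matching:
    enabled: true
    service:
      # type: ClusterIP
      port: 7235
      appProtocol: tcp
      membershipPort: 6935
      membershipAppProtocol: tcp
    readinessProbe: {}
    metrics:
      annotations:
        enabled: true
      serviceMonitor: {}
      #  enabled: false
      prometheus: {}
      #  timerType: histogram
    deploymentLabels: {}
    deploymentAnnotations: {}
    deploymentStrategy: {}
    podAnnotations: {}
    podLabels: {}
    serviceLabels: {}
    resources: {}
    nodeSelector: {}
    tolerations: []
    affinity: {}
    additionalEnv: []
    containerSecurityContext: {}
    topologySpreadConstraints: []
    podDisruptionBudget: {}
  worker:
    enabled: true
    service:
      # type: ClusterIP
      port: 7239
      appProtocol: tcp
      membershipPort: 6939
      membershipAppProtocol: tcp
    readinessProbe: {}
    metrics:
      annotations:
        enabled: true
      serviceMonitor: {}
      #  enabled: false
      prometheus: {}
      #  timerType: histogram
    deploymentLabels: {}
    deploymentAnnotations: {}
    deploymentStrategy: {}
    podAnnotations: {}
    podLabels: {}
    serviceLabels: {}
    resources: {}
    nodeSelector: {}
    tolerations: []
    affinity: {}
    additionalEnv: []
    containerSecurityContext: {}
    topologySpreadConstraints: []
    podDisruptionBudget: {}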
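# NOTE(review): the listing was rendered without indentation; the nesting below
# is reconstructed — confirm against the chart's values.yaml.
# NOTE(review): the admin-tools deployment is enabled by default. It presumably
# carries operator CLIs that can reach the Temporal frontend, so restrict who
# may exec into the pod (RBAC) or set `enabled: false` where it is not needed.
admintools:
  enabled: true
  image:
    repository: chainreg.biz/chainguard-private/temporal-admin-tools-fips
    # The digest after '@' is what the runtime resolves, so the image is pinned
    # even though the tag part reads `latest`.
    tag: latest@sha256:9d8c09326641e8d803092b010b7ef4f1d3523b6ec516da06449ee08c6d1a3363
    pullPolicy: IfNotPresent
  service:
    type: ClusterIP
    # NOTE(review): 22 is the conventional SSH port; what, if anything, listens
    # on it inside the container is not shown here — verify before exposing
    # this Service any further.
    port: 22
    annotations: {}
  deploymentLabels: {}
  deploymentAnnotations: {}
  deploymentStrategy: {}
  podLabels: {}
  podAnnotations: {}
  nodeSelector: {}
  tolerations: []
  affinity: {}
  additionalVolumes: []
  additionalVolumeMounts: []
  additionalEnv: []
  additionalEnvSecretName: ""
  additionalEnvConfigMapName: ""
  # temporalAddress: "localhost:7233"
  # for sidecar containers, add containers here with restartPolicy: Always
  additionalInitContainers: []
  resources: {}
  # NOTE(review): both contexts are empty, so no runAsNonRoot, privilege
  # escalation or capability restrictions are requested by default.
  containerSecurityContext: {}
  securityContext: {}
  minReadySeconds: 0
  podDisruptionBudget: {}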
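# NOTE(review): the listing was rendered without indentation; the nesting below
# is reconstructed — confirm against the chart's values.yaml.
# NOTE(review): the Web UI is enabled by default and no authentication settings
# appear in these defaults. Configure the UI's auth options (see the environment
# variable reference linked at `additionalEnv`) before publishing the Service
# through NodePort, a load balancer or the ingress below.
web:
  # additionalInitContainers: []
  enabled: true
  replicaCount: 1
  image:
    repository: chainreg.biz/chainguard-private/temporal-ui-server-fips
    # The digest after '@' is what the runtime resolves, so the image is pinned
    # even though the tag part reads `latest`.
    tag: latest@sha256:293a521aafb20faf527c68d471cbea9a67e0efff5393b1281fe04c07a2cadec8
    pullPolicy: IfNotPresent
  service:
    # set type to NodePort if access to web needs access from outside the cluster
    # for more info see https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
    type: ClusterIP
    # The below clusterIP setting can be set to "None" to make the temporal-web service headless.
    # Note that this requires the web.service.type to be the default ClusterIP value.
    # clusterIP:
    port: 8080
    appProtocol: http
    annotations: {}
    # loadBalancerIP:
  # Override the address the UI uses to connect to the Temporal frontend.
  # Defaults to <fullname>-frontend.<namespace>.svc:<server.frontend.service.port>.
  # Useful when running a proxy sidecar that intercepts gRPC traffic.
  # temporalAddress: "localhost:7233"
  readinessProbe:
    initialDelaySeconds: 10
    httpGet:
      path: /healthz
      port: http
  ingress:
    enabled: false
    # className:
    annotations: {}
    #   kubernetes.io/ingress.class: traefik
    #   ingress.kubernetes.io/ssl-redirect: "false"
    #   traefik.frontend.rule.type: PathPrefix
    hosts:
      - "/"
      # - "domain.com/xyz"
      # - "domain.com"
    # NOTE(review): `tls` is empty by default, so an enabled ingress serves the
    # UI without a certificate unless one is added here or at the controller.
    tls: []
    #  - secretName: chart-example-tls
    #    hosts:
    #      - chart-example.local
  deploymentLabels: {}
  deploymentAnnotations: {}
  deploymentStrategy: {}
  podAnnotations: {}
  podLabels: {}
  resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi
  nodeSelector: {}
  tolerations: []
  affinity: {}
  additionalVolumes: []
  additionalVolumeMounts: []
  # Adjust Web UI config with environment variables:
  # https://docs.temporal.io/references/web-ui-environment-variables
  # NOTE(review): put secret-valued variables in the Secret named by
  # `additionalEnvSecretName` rather than inline in `additionalEnv`.
  additionalEnv: []
  additionalEnvSecretName: ""
  additionalEnvConfigMapName: ""
  containerSecurityContext: {}
  securityContext: {}
  topologySpreadConstraints: []
  minReadySeconds: 0
  podDisruptionBudget: {}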
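# NOTE(review): the listing was rendered without indentation; the nesting below
# is reconstructed — confirm against the chart's values.yaml.
schema:
  # Use Helm hooks to ensure schema setup completes before server pods start.
  # Set to false if using Flux, Rancher or Terraform.
  useHelmHooks: true
  backoffLimit: 100
  activeDeadlineSeconds: null
  ttlSecondsAfterFinished: 86400
  jobAnnotations: {}
  podAnnotations: {}
  podLabels: {}
  resources: {}
  # NOTE(review): the schema job presumably connects with the datastore
  # credentials; both contexts are empty, so no container hardening is
  # requested for it by default.
  containerSecurityContext: {}
  securityContext: {}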
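# NOTE(review): the listing was rendered without indentation; the nesting below
# is reconstructed — confirm against the chart's values.yaml.
shims:
  # Enable compatibility with Temporal 1.29 images. Set to false if using Temporal 1.30 or higher.
  dockerize: true
  # Enable compatibility with Temporal 1.29 images. Set to false if using Temporal 1.30 or higher.
  elasticsearchTool: true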
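# NOTE(review): the listing was rendered without indentation; the nesting below
# is reconstructed — confirm against the chart's values.yaml.
# Pod settings for the chart's test pods (presumably the `helm test` hook — confirm).
test:
  podAnnotations: {}
  podLabels: {}
  resources: {}
  nodeSelector: {}
  tolerations: []
  affinity: {}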