feat: add support for secondary visibility store (dual visibility)

charts/temporal/templates/_helpers.tpl

@@ -140,6 +140,7 @@ app.kubernetes.io/part-of: {{ $global.Chart.Name }}
 {{- $config := deepCopy . -}}
 {{- $defaultStore := $config.defaultStore -}}
 {{- $visibilityStore := $config.visibilityStore -}}
+{{- $secondaryVisibilityStore := $config.secondaryVisibilityStore | default "" -}}
 {{- $patchedDatastores := dict -}}
 {{- range $name, $ds := $config.datastores -}}
   {{- $dsCopy := deepCopy $ds -}}
@@ -151,6 +152,8 @@ app.kubernetes.io/part-of: {{ $global.Chart.Name }}
           {{- $_ := set $storeConfig "password" "__ENV_TEMPORAL_DEFAULT_STORE_PASSWORD__" -}}
         {{- else if eq $name $visibilityStore -}}
           {{- $_ := set $storeConfig "password" "__ENV_TEMPORAL_VISIBILITY_STORE_PASSWORD__" -}}
+        {{- else if eq $name $secondaryVisibilityStore -}}
+          {{- $_ := set $storeConfig "password" "__ENV_TEMPORAL_SECONDARY_VISIBILITY_STORE_PASSWORD__" -}}
         {{- else -}}
           {{- $_ := unset $storeConfig "password" -}}
         {{- end -}}
@@ -168,6 +171,10 @@ app.kubernetes.io/part-of: {{ $global.Chart.Name }}
 {{- $stores := dict -}}
 {{- $_ := set $stores "default" (include "temporal.persistence.getStoreByType" (list $ "default") | fromYaml) -}}
 {{- $_ := set $stores "visibility" (include "temporal.persistence.getStoreByType" (list $ "visibility") | fromYaml) -}}
+{{- $secondaryVisibility := include "temporal.persistence.getStoreByType" (list $ "secondaryVisibility") | fromYaml -}}
+{{- if $secondaryVisibility -}}
+{{- $_ := set $stores "secondaryVisibility" $secondaryVisibility -}}
+{{- end -}}
 {{- $stores | toYaml -}}
 {{- end -}}
 
@@ -214,7 +221,11 @@ app.kubernetes.io/part-of: {{ $global.Chart.Name }}
 {{- $root := index . 0 -}}
 {{- $type := index . 1 -}}
 {{- $storeName := get $root.Values.server.config.persistence (printf "%sStore" $type) -}}
+{{- if $storeName -}}
 {{- include "temporal.persistence.getStore" (list $root $storeName) -}}
+{{- else -}}
+{{- dict | toYaml -}}
+{{- end -}}
 {{- end -}}
 
 {{- define "temporal.persistence.schema" -}}

charts/temporal/templates/server-deployment.yaml

@@ -1,6 +1,7 @@
 {{- if $.Values.server.enabled }}
 {{- $defaultStore := include "temporal.persistence.getStoreByType" (list $ "default") | fromYaml -}}
 {{- $visibilityStore := include "temporal.persistence.getStoreByType" (list $ "visibility") | fromYaml -}}
+{{- $secondaryVisibilityStore := include "temporal.persistence.getStoreByType" (list $ "secondaryVisibility") | fromYaml -}}
 {{- range $service := (list "frontend" "internal-frontend" "history" "matching" "worker") }}
 {{- $serviceValues := index $.Values.server $service }}
 {{- if or (not (hasKey $serviceValues "enabled")) $serviceValues.enabled }}
@@ -66,6 +67,10 @@ spec:
               {{- include "temporal.password-env" (list $ $defaultStore) | nindent 14 }}
             - name: TEMPORAL_VISIBILITY_STORE_PASSWORD
               {{- include "temporal.password-env" (list $ $visibilityStore) | nindent 14 }}
+          {{- if $secondaryVisibilityStore }}
+            - name: TEMPORAL_SECONDARY_VISIBILITY_STORE_PASSWORD
+              {{- include "temporal.password-env" (list $ $secondaryVisibilityStore) | nindent 14 }}
+          {{- end }}
           {{- if (index $.Values.server "internal-frontend").enabled }}
             - name: USE_INTERNAL_FRONTEND
               value: "1"

charts/temporal/tests/server_configmap_test.yaml

@@ -134,6 +134,62 @@ tests:
       - matchRegex:
           path: data['config_template.yaml']
           pattern: 'password: \{\{ env "TEMPORAL_VISIBILITY_STORE_PASSWORD" \| quote \}\}'
+  - it: handles secondary visibility store for dual visibility
+    set:
+      server:
+        enabled: true
+        config:
+          persistence:
+            defaultStore: default
+            visibilityStore: visibility
+            secondaryVisibilityStore: secondary-visibility
+            numHistoryShards: 512
+            datastores:
+              default:
+                sql:
+                  pluginName: mysql8
+                  driverName: mysql8
+                  databaseName: temporal
+                  connectAddr: "mysql.example.com:3306"
+                  user: temporal_user
+                  password: "secret"
+              visibility:
+                elasticsearch:
+                  version: v8
+                  url:
+                    scheme: https
+                    host: "elasticsearch.example.com:9200"
+                  username: elastic
+                  password: "secret"
+                  indices:
+                    visibility: temporal_visibility_v1
+              secondary-visibility:
+                elasticsearch:
+                  version: v8
+                  url:
+                    scheme: https
+                    host: "elasticsearch.example.com:9200"
+                  username: elastic
+                  password: "secret2"
+                  indices:
+                    visibility: temporal_visibility_v1_secondary
+    template: templates/server-configmap.yaml
+    documentSelector:
+      path: metadata.name
+      value: RELEASE-NAME-temporal-config
+    asserts:
+      - matchRegex:
+          path: data['config_template.yaml']
+          pattern: 'secondaryVisibilityStore: secondary-visibility'
+      - matchRegex:
+          path: data['config_template.yaml']
+          pattern: 'secondary-visibility:'
+      - matchRegex:
+          path: data['config_template.yaml']
+          pattern: 'password: \{\{ env "TEMPORAL_SECONDARY_VISIBILITY_STORE_PASSWORD" \| quote \}\}'
+      - matchRegex:
+          path: data['config_template.yaml']
+          pattern: 'visibility: temporal_visibility_v1_secondary'
 
   - it: handles metrics config
     set:
@@ -175,4 +231,4 @@ tests:
           pattern: "withoutUnitSuffix: false"
       - matchRegex:
           path: data['config_template.yaml']
-          pattern: "prometheus:\\s+listenAddress: 0.0.0.0:9090"
+          pattern: "prometheus:\\s+listenAddress: 0.0.0.0:9090"

charts/temporal/tests/server_deployment_test.yaml

@@ -295,6 +295,7 @@ tests:
       - equal:
           path: spec.template.spec.containers[0].readinessProbe.tcpSocket.port
           value: rpc
+
   - it: additional environment variables are set on all services
     template: templates/server-deployment.yaml
     documentSelector:
@@ -315,6 +316,62 @@ tests:
       - equal:
           path: spec.template.spec.containers[0].envFrom[0].secretRef.name
           value: secret-env
-      - equal: 
+      - equal:
           path: spec.template.spec.containers[0].envFrom[1].configMapRef.name
           value: configmap-env
+
+  - it: injects secondary visibility store password env var when configured
+    template: templates/server-deployment.yaml
+    set:
+      server:
+        config:
+          persistence:
+            defaultStore: default
+            visibilityStore: visibility
+            secondaryVisibilityStore: secondary-visibility
+            datastores:
+              default:
+                sql:
+                  password: "secret"
+              visibility:
+                elasticsearch:
+                  password: "secret"
+              secondary-visibility:
+                elasticsearch:
+                  password: "secret2"
+    documentSelector:
+      path: metadata.name
+      value: RELEASE-NAME-temporal-frontend
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: TEMPORAL_SECONDARY_VISIBILITY_STORE_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: RELEASE-NAME-temporal-secondary-visibility-store
+                key: password
+
+  - it: does not inject secondary visibility env var when not configured
+    template: templates/server-deployment.yaml
+    set:
+      server:
+        config:
+          persistence:
+            defaultStore: default
+            visibilityStore: visibility
+            datastores:
+              default:
+                sql:
+                  password: "secret"
+              visibility:
+                elasticsearch:
+                  password: "secret"
+    documentSelector:
+      path: metadata.name
+      value: RELEASE-NAME-temporal-frontend
+    asserts:
+      - notContains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: TEMPORAL_SECONDARY_VISIBILITY_STORE_PASSWORD