feat: add support for gating rollouts behind successful workflow executions (#152)

<!--- Note to EXTERNAL Contributors -->
<!-- Thanks for opening a PR! 
If it is a significant code change, please **make sure there is an open
issue** for this.
We work best with you when we have accepted the idea first before you
code. -->

This PR adds support for custom inputs to the "gate" workflow, which was
originally part of the docs but I discovered was not implemented when I
tried to use it 😅.

<!--- For ALL Contributors 👇 -->

## What was changed
<!-- Describe what has changed in this PR -->
This PR includes a few changes:
1. Gated workflow input specification support both in-line and as a
ConfigMap
2. Moved CRDs to top level chart directory, which ensures they are
installed first per [helm
docs](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#method-1-let-helm-do-it-for-you)
3. Because of 2, TemporalConnection can now be added to the helm
templates/values definitions
4. Relevant docs updates

## Why?
<!-- Tell your future self why have you made these changes -->
Gated workflow success for our use case really depends on being able to
specify exactly the workflow inputs.

## Checklist
<!--- add/delete as needed --->

### Closes
<!-- add issue number here -->
Here is the [link to temporal community slack
thread](https://temporalio.slack.com/archives/C07MDJ6S3HP/p1759190414718889)
where I discussed with @Shivs11 and @carlydf .

### How was this tested:
<!--- Please describe how you tested your changes/how we can test them
-->
Already deployed in our staging cluster, using configMap with a huge
workflow input. This workflow must complete successfully or the new
workers will not roll out.

### Any docs updates needed?
<!--- update README if applicable or point out where to update
docs.temporal.io -->
Updated docs accordingly.

Author: kianjones9

api/v1alpha1/temporalworker_webhook.go

@@ -131,6 +131,27 @@ func validateRolloutStrategy(s RolloutStrategy) []*field.Error {
 		}
 	}
 
+	// Validate gate input fields
+	if s.Gate != nil {
+		gate := s.Gate
+		if gate.Input != nil && gate.InputFrom != nil {
+			allErrs = append(allErrs,
+				field.Invalid(field.NewPath("spec.rollout.gate"), "input & inputFrom",
+					"only one of input or inputFrom may be set"),
+			)
+		}
+		if gate.InputFrom != nil {
+			cm := gate.InputFrom.ConfigMapKeyRef
+			sec := gate.InputFrom.SecretKeyRef
+			if (cm == nil && sec == nil) || (cm != nil && sec != nil) {
+				allErrs = append(allErrs,
+					field.Invalid(field.NewPath("spec.rollout.gate.inputFrom"), gate.InputFrom,
+						"exactly one of configMapKeyRef or secretKeyRef must be set"),
+				)
+			}
+		}
+	}
+
 	return allErrs
 }
 

api/v1alpha1/worker_types.go

@@ -6,6 +6,7 @@ package v1alpha1
 
 import (
 	corev1 "k8s.io/api/core/v1"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -273,6 +274,25 @@ const (
 
 type GateWorkflowConfig struct {
 	WorkflowType string `json:"workflowType"`
+	// Input is an arbitrary JSON object passed as the first parameter to the gate workflow.
+	// For inputs with secrets use SecretKeyRef in InputFrom to omit from logs.
+	// +optional
+	Input *apiextensionsv1.JSON `json:"input,omitempty"`
+	// InputFrom references a key in a ConfigMap or Secret whose contents are passed
+	// as the first parameter to the gate workflow. The referenced value should be a JSON document.
+	// For inputs with secrets use SecretKeyRef to omit from logs.
+	// +optional
+	InputFrom *GateInputSource `json:"inputFrom,omitempty"`
+}
+
+// GateInputSource references a value from a ConfigMap or a Secret
+type GateInputSource struct {
+	// Select a key of a ConfigMap in the same namespace
+	// +optional
+	ConfigMapKeyRef *corev1.ConfigMapKeySelector `json:"configMapKeyRef,omitempty"`
+	// Select a key of a Secret in the same namespace
+	// +optional
+	SecretKeyRef *corev1.SecretKeySelector `json:"secretKeyRef,omitempty"`
 }
 
 // RolloutStrategy defines strategy to apply during next rollout

docs/architecture.md

@@ -71,6 +71,28 @@ Here is an example of a progressive cut-over strategy gated on the success of th
       workflowType: "HelloWorld"
 ```
 
+### Gate Input Flow
+
+When `spec.rollout.gate` is configured, the controller starts one test workflow per task queue in the Target Version. If gate input is provided, it is passed as the first workflow argument:
+
+```yaml
+rollout:
+  gate:
+    workflowType: "RolloutGate"
+    # Inline JSON object
+    input:
+      thresholds:
+        errorRate: 0.01
+        p95LatencyMs: 250
+    # Or reference ConfigMap/Secret (JSON document)
+    # inputFrom:
+    #   configMapKeyRef:
+    #     name: my-gate-input
+    #     key: payload.json
+```
+
+Input resolution happens in the controller before invoking the workflow. The payload must be a JSON object and is not logged, except for size and a short preview for debugging.
+
 ## Deployment Flow Diagram
 
 ```mermaid

docs/concepts.md

@@ -95,7 +95,15 @@ Configuration that tells the controller how to connect to the same Temporal clus
 Defines how new versions are promoted:
 - **strategy**: Manual, AllAtOnce, or Progressive
 - **steps**: For Progressive strategy, defines ramp percentages and pause durations
-- **gate**: Optional workflow that must succeed on all task queues in the target Worker Deployment Version before promotion continues
+- **gate**: Optional workflow that must succeed on all task queues in the target Worker Deployment Version before promotion continues. Gate can receive an input payload:
+  - `workflowType`: The workflow name/type to execute for validation
+  - `input`: Inline JSON object passed as the first workflow argument
+  - `inputFrom`: Reference to a `ConfigMap` or `Secret` key whose contents are JSON; passed as the first workflow argument
+
+Notes on gate inputs:
+- Exactly one of `input` or `inputFrom` may be set.
+- The value must be a JSON object (not a string containing JSON).
+- Large/sensitive payloads should use `inputFrom.secretKeyRef` or split into smaller documents.
 
 ### Sunset Configuration
 Defines how Drained versions are cleaned up:

docs/configuration.md

@@ -184,8 +184,29 @@ rollout:
       pauseDuration: 5m
   gate:
     workflowType: "HealthCheck"
+    # Optionally provide input to the gate workflow:
+    # 1) Inline arbitrary JSON:
+    # input:
+    #   thresholds:
+    #     errorRate: 0.01
+    #     p95LatencyMs: 250
+    # 2) Or reference a key from a ConfigMap or Secret containing JSON:
+    # inputFrom:
+    #   configMapKeyRef:
+    #     name: gate-input
+    #     key: payload.json
+    # inputFrom:
+    #   secretKeyRef:
+    #     name: gate-input
+    #     key: payload.json
 ```
 
+Gate workflow input details:
+- Exactly one of `input` or `inputFrom` may be set.
+- `input` accepts any JSON object and is passed as the first parameter to the gate workflow.
+- `inputFrom` reads a JSON document from the specified `ConfigMap` or `Secret` key.
+- The target workflow should declare a single argument matching the JSON shape (e.g., a struct or `json.RawMessage`).
+
 ## Advanced Configuration
 
 ### Environment-Specific Configurations

docs/migration-guide.md

@@ -545,6 +545,21 @@ spec:
         pauseDuration: 30m
     gate:
       workflowType: "HealthCheck"  # Validate new version before proceeding
+      # Optional gate input examples
+      # Inline JSON object:
+      # input:
+      #   thresholds:
+      #     errorRate: 0.01
+      #     p95LatencyMs: 250
+      # Or load from a ConfigMap/Secret key containing JSON:
+      # inputFrom:
+      #   configMapKeyRef:
+      #     name: order-processor-gate-input
+      #     key: payload.json
+      # inputFrom:
+      #   secretKeyRef:
+      #     name: gate-input
+      #     key: payload.json
 ---
 # Staging - Fast rollout for testing
 apiVersion: temporal.io/v1alpha1

helm/temporal-worker-controller/crds/temporal.io_temporalworkerdeployments.yaml

@@ -63,6 +63,36 @@ spec:
                 properties:
                   gate:
                     properties:
+                      input:
+                        type: object
+                        x-kubernetes-preserve-unknown-fields: true
+                      inputFrom:
+                        properties:
+                          configMapKeyRef:
+                            properties:
+                              key:
+                                type: string
+                              name:
+                                type: string
+                              optional:
+                                type: boolean
+                            required:
+                            - key
+                            - name
+                            type: object
+                          secretKeyRef:
+                            properties:
+                              key:
+                                type: string
+                              name:
+                                type: string
+                              optional:
+                                type: boolean
+                            required:
+                            - key
+                            - name
+                            type: object
+                        type: object
                       workflowType:
                         type: string
                     required:

internal/controller/execplan.go

@@ -6,6 +6,7 @@ package controller
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"time"
 
@@ -68,7 +69,47 @@ func (r *TemporalWorkerDeploymentReconciler) executePlan(ctx context.Context, l
 	deploymentHandler := temporalClient.WorkerDeploymentClient().GetHandle(p.WorkerDeploymentName)
 
 	for _, wf := range p.startTestWorkflows {
-		if _, err := temporalClient.ExecuteWorkflow(ctx, sdkclient.StartWorkflowOptions{
+		// Log workflow start details
+		if len(wf.input) > 0 {
+			if wf.isInputSecret {
+				// Don't log the actual input if it came from a Secret
+				l.Info("starting gate workflow",
+					"workflowType", wf.workflowType,
+					"taskQueue", wf.taskQueue,
+					"buildID", wf.buildID,
+					"inputBytes", len(wf.input),
+					"inputSource", "SecretRef (contents hidden)",
+				)
+			} else {
+				// For non-secret sources, parse JSON and extract keys
+				var inputKeys []string
+				if len(wf.input) > 0 {
+					var jsonData map[string]interface{}
+					if err := json.Unmarshal(wf.input, &jsonData); err == nil {
+						for key := range jsonData {
+							inputKeys = append(inputKeys, key)
+						}
+					}
+				}
+
+				// Log the input keys for non-secret sources (inline or ConfigMap)
+				l.Info("starting gate workflow",
+					"workflowType", wf.workflowType,
+					"taskQueue", wf.taskQueue,
+					"buildID", wf.buildID,
+					"inputBytes", len(wf.input),
+					"inputKeys", inputKeys,
+				)
+			}
+		} else {
+			l.Info("starting gate workflow",
+				"workflowType", wf.workflowType,
+				"taskQueue", wf.taskQueue,
+				"buildID", wf.buildID,
+				"inputBytes", 0,
+			)
+		}
+		opts := sdkclient.StartWorkflowOptions{
 			ID:                       wf.workflowID,
 			TaskQueue:                wf.taskQueue,
 			WorkflowExecutionTimeout: time.Hour,
@@ -80,7 +121,14 @@ func (r *TemporalWorkerDeploymentReconciler) executePlan(ctx context.Context, l
 					BuildId:        wf.buildID,
 				},
 			},
-		}, wf.workflowType); err != nil {
+		}
+		var err error
+		if len(wf.input) > 0 {
+			_, err = temporalClient.ExecuteWorkflow(ctx, opts, wf.workflowType, json.RawMessage(wf.input))
+		} else {
+			_, err = temporalClient.ExecuteWorkflow(ctx, opts, wf.workflowType)
+		}
+		if err != nil {
 			return fmt.Errorf("unable to start test workflow execution: %w", err)
 		}
 	}

internal/controller/genplan.go

@@ -15,6 +15,7 @@ import (
 	"github.com/temporalio/temporal-worker-controller/internal/temporal"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
 )
 
 // plan holds the actions to execute during reconciliation
@@ -41,10 +42,12 @@ type plan struct {
 
 // startWorkflowConfig defines a workflow to be started
 type startWorkflowConfig struct {
-	workflowType string
-	workflowID   string
-	buildID      string
-	taskQueue    string
+	workflowType  string
+	workflowID    string
+	buildID       string
+	taskQueue     string
+	input         []byte
+	isInputSecret bool // indicates if input should be treated as sensitive
 }
 
 // generatePlan creates a plan for the controller to execute
@@ -86,6 +89,39 @@ func (r *TemporalWorkerDeploymentReconciler) generatePlan(
 		rolloutStrategy.Strategy = temporaliov1alpha1.UpdateManual
 	}
 
+	// Resolve gate input if gate is configured
+	var gateInput []byte
+	var isGateInputSecret bool
+	if rolloutStrategy.Gate != nil {
+		// Fetch ConfigMap or Secret data if needed
+		var configMapData map[string]string
+		var configMapBinaryData map[string][]byte
+		var secretData map[string][]byte
+
+		if rolloutStrategy.Gate.InputFrom != nil {
+			if cmRef := rolloutStrategy.Gate.InputFrom.ConfigMapKeyRef; cmRef != nil {
+				cm := &corev1.ConfigMap{}
+				if err := r.Client.Get(ctx, types.NamespacedName{Namespace: w.Namespace, Name: cmRef.Name}, cm); err != nil {
+					return nil, fmt.Errorf("failed to get ConfigMap %s/%s: %w", w.Namespace, cmRef.Name, err)
+				}
+				configMapData = cm.Data
+				configMapBinaryData = cm.BinaryData
+			}
+			if secRef := rolloutStrategy.Gate.InputFrom.SecretKeyRef; secRef != nil {
+				sec := &corev1.Secret{}
+				if err := r.Client.Get(ctx, types.NamespacedName{Namespace: w.Namespace, Name: secRef.Name}, sec); err != nil {
+					return nil, fmt.Errorf("failed to get Secret %s/%s: %w", w.Namespace, secRef.Name, err)
+				}
+				secretData = sec.Data
+			}
+		}
+
+		gateInput, isGateInputSecret, err = planner.ResolveGateInput(rolloutStrategy.Gate, w.Namespace, configMapData, configMapBinaryData, secretData)
+		if err != nil {
+			return nil, fmt.Errorf("unable to resolve gate input: %w", err)
+		}
+	}
+
 	// Generate the plan using the planner package
 	plannerConfig := &planner.Config{
 		RolloutStrategy: rolloutStrategy,
@@ -101,6 +137,8 @@ func (r *TemporalWorkerDeploymentReconciler) generatePlan(
 		plannerConfig,
 		workerDeploymentName,
 		r.MaxDeploymentVersionsIneligibleForDeletion,
+		gateInput,
+		isGateInputSecret,
 	)
 	if err != nil {
 		return nil, fmt.Errorf("error generating plan: %w", err)
@@ -119,10 +157,12 @@ func (r *TemporalWorkerDeploymentReconciler) generatePlan(
 	// Convert test workflows
 	for _, wf := range planResult.TestWorkflows {
 		plan.startTestWorkflows = append(plan.startTestWorkflows, startWorkflowConfig{
-			workflowType: wf.WorkflowType,
-			workflowID:   wf.WorkflowID,
-			buildID:      wf.BuildID,
-			taskQueue:    wf.TaskQueue,
+			workflowType:  wf.WorkflowType,
+			workflowID:    wf.WorkflowID,
+			buildID:       wf.BuildID,
+			taskQueue:     wf.TaskQueue,
+			input:         []byte(wf.GateInput),
+			isInputSecret: wf.IsInputSecret,
 		})
 	}