Temporal

the temporal https //temporal io/ integration gives resolve ai read only access to your workflows, activities, task queues, and schedules during alert investigations how it works resolve runs read only temporal cli https //docs temporal io/cli commands against your temporal frontend over grpc, and only read operations are permitted resolve runs these commands from the resolve satellite https //docs resolve ai/resolve satellite in your environment, so the satellite is required in every case below — what differs is how it authenticates to temporal temporal cloud (api key) — the satellite connects to your temporal cloud namespace using an api key over tls mtls (client certificate) — the satellite presents a client certificate over tls works for temporal cloud or self hosted self hosted (no auth) — the satellite connects to your in network temporal frontend over plaintext grpc resolve can list and describe workflows, task queues, schedules, and namespaces show workflow event history count workflows matching a query get a running workflow's stack trace write operations (such as terminate , cancel , signal , reset , and delete ) are currently not supported if you wish to allow resolve ai to take write actions on temporal, please contact help\@resolve ai mailto\ help\@resolve ai connect temporal the satellite connects to temporal cloud over tls using an api key you add to the temporal connection prerequisites a resolve satellite https //docs resolve ai/resolve satellite ( v1 1 35+ ) installed in your environment, with network egress to your temporal cloud endpoint (for example tmprl cloud 7233 ) a temporal cloud api key create one in the temporal cloud ui or cli — see temporal cloud api keys https //docs temporal io/cloud/api keys the key only needs read access to the namespaces you want resolve to investigate your temporal cloud grpc endpoint , e g \<namespace> \<account> tmprl cloud 7233 the namespaces you want resolve to access (temporal cloud namespaces are formatted \<namespace> \<account> ) temporal cloud connections are enabled per organization contact help\@resolve ai mailto\ help\@resolve ai to turn this on for your org add the integration to your satellite configuration integrations yaml integrations temporalintegration type temporal create true connection address \<temporal cloud grpc endpoint> # e g \<namespace> \<account> tmprl cloud 7233 namespaces \ \<namespace> \<account> # the first entry is the default namespace apikey \<temporal cloud api key> # enables tls + api key authentication field required description address yes your temporal cloud grpc endpoint namespaces yes (min 1) namespaces resolve may target ( \<namespace> \<account> ) first is default apikey yes temporal cloud api key enables tls and api key authentication the api key is stored encrypted and is only used to authenticate read only queries tls is enabled automatically when an api key is present apply the updated configuration and restart the resolve satellite to pick up the new integration for a self hosted temporal frontend, resolve connects through the satellite running in your environment prerequisites the resolve satellite https //docs resolve ai/resolve satellite installed in the cluster (or network) that can reach your temporal frontend the temporal frontend grpc address , resolvable from inside the satellite (for example temporal frontend temporal svc cluster local 7233 ) the namespaces you want resolve to access no api key is required for self hosted; the satellite manages the connection add the integration to your satellite configuration integrations yaml integrations temporalintegration type temporal create true connection address \<temporal frontend grpc address> # e g temporal frontend temporal svc cluster local 7233 namespaces \ \<namespace> # the first entry is the default namespace \# \<another namespace> # add more namespaces as needed field required description address yes temporal frontend grpc address, resolvable from inside the satellite's kubernetes cluster namespaces yes (min 1) namespaces resolve may target the first entry is treated as the default apply the updated configuration and restart the resolve satellite to pick up the new integration for a temporal frontend that requires mutual tls, the satellite presents a client certificate over tls this works for both temporal cloud (certificate auth) and self hosted temporal do not also set an apikey — api key and mtls auth are mutually exclusive prerequisites a resolve satellite https //docs resolve ai/resolve satellite ( v1 1 36+ ) installed in your environment, with network egress to your temporal endpoint a client certificate and private key (pem) issued from a certificate authority your temporal frontend trusts this pair is the credential; no api key is used the server ca certificate (pem) if your temporal serves a certificate from a private/custom ca your temporal grpc endpoint and the namespaces you want resolve to access mtls temporal connections are enabled per organization contact help\@resolve ai mailto\ help\@resolve ai to turn this on for your org provide the client cert/key (and optional ca) to the satellite, then point the connection at them with remoteconfigkey mounting the files from a secret is recommended so the private key stays on the satellite; inline pem ( httpagentclientcert / httpagentclientkey / httpagentcertificate ) is also supported integrations yaml integrations temporalintegration type temporal create true connection address \<temporal grpc endpoint> # e g \<namespace> \<account> tmprl cloud 7233 namespaces \ \<namespace> # the first entry is the default namespace remoteconfigkey temporalintegration # selects the client cert config below tlsservername \<server name> # optional sni override, if the cert name differs from the address host \# client certificate the satellite presents to temporal over mtls mount these from a \# secret (recommended); the private key never leaves the satellite httpagentclientcertpath /etc/secrets/temporal/client crt httpagentclientkeypath /etc/secrets/temporal/client key httpagentcertificatepath /etc/secrets/temporal/ca crt # server ca, only if temporal uses a private ca field required description address yes your temporal grpc endpoint namespaces yes (min 1) namespaces resolve may target the first entry is treated as the default remoteconfigkey yes selects the satellite client cert config ( httpagentclient ) to present over mtls tlsservername no tls server name (sni) override, when the temporal certificate name differs from the address host the client key is mounted on the satellite and never sent to resolve tls is enabled automatically when a client certificate is present apply the updated configuration and restart the resolve satellite to pick up the new integration verify the connection resolve runs a two step health check liveness – confirms the temporal cli is available on the satellite connectivity – confirms the satellite can reach temporal (cloud or self hosted) for the first configured namespace, using whichever auth is configured (api key or client certificate) once both pass, the integration shows as healthy in the resolve ui troubleshooting symptom likely cause resolution authentication / connectivity fails (cloud) invalid or expired api key, wrong endpoint, or no egress verify the temporal cloud api key, that address is your namespace's grpc endpoint, and that the satellite has egress to the temporal cloud endpoint mtls handshake fails wrong/expired client cert or key, or temporal does not trust the issuing ca verify the client cert/key and that temporal trusts the issuing ca; set tlsservername if the certificate name differs from the address host health check fails at the connectivity step satellite cannot reach the temporal frontend verify address is correct and that network policies allow grpc traffic from the satellite "namespace not allowed" error a namespace was requested that isn't in your config add the namespace to the namespaces list "only read only commands allowed" a write operation was attempted expected — the integration is read only by design