https://bmorton.github.io/temporal-operator/installation/Recent content in Installation on temporal-operatorHugoen-ushttps://bmorton.github.io/temporal-operator/installation/verifying-releases/Mon, 01 Jan 0001 00:00:00 +0000https://bmorton.github.io/temporal-operator/installation/verifying-releases/<h1 id="verifying-releases"> Verifying releases <a class="anchor" href="#verifying-releases">#</a> </h1> <p>Every <code>temporal-operator</code> release is built with <a href="https://goreleaser.com">GoReleaser</a>, its container images and checksums are signed with <a href="https://docs.sigstore.dev/">Cosign</a> (keyless, via GitHub OIDC), and a <a href="https://slsa.dev/">SLSA Level 3</a> provenance attestation is published with the GitHub Release.</p> <h2 id="verify-the-container-image-signature"> Verify the container image signature <a class="anchor" href="#verify-the-container-image-signature">#</a> </h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>cosign verify ghcr.io/bmorton/temporal-operator:v0.1.0 <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --certificate-identity-regexp<span style="color:#f92672">=</span><span style="color:#e6db74">&#39;^https://github.com/bmorton/temporal-operator/.github/workflows/release.yml@.*$&#39;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --certificate-oidc-issuer<span style="color:#f92672">=</span>https://token.actions.githubusercontent.com </span></span></code></pre></div><p>For a quick check that accepts any signing identity from this repo&rsquo;s workflows:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>cosign verify ghcr.io/bmorton/temporal-operator:v0.1.0 <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --certificate-identity-regexp<span style="color:#f92672">=</span><span style="color:#e6db74">&#39;.*&#39;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --certificate-oidc-issuer<span style="color:#f92672">=</span>https://token.actions.githubusercontent.com </span></span></code></pre></div><h2 id="verify-the-checksums-signature"> Verify the checksums signature <a class="anchor" href="#verify-the-checksums-signature">#</a> </h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>cosign verify-blob <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --signature checksums.txt.sig <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --certificate-identity-regexp<span style="color:#f92672">=</span><span style="color:#e6db74">&#39;.*&#39;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --certificate-oidc-issuer<span style="color:#f92672">=</span>https://token.actions.githubusercontent.com <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> checksums.txt </span></span></code></pre></div><h2 id="verify-slsa-provenance"> Verify SLSA provenance <a class="anchor" href="#verify-slsa-provenance">#</a> </h2> <p>Download <code>multiple.intoto.jsonl</code> from the GitHub Release, then use the <a href="https://github.com/slsa-framework/slsa-verifier">slsa-verifier</a>:</p>https://bmorton.github.io/temporal-operator/installation/azure/Mon, 01 Jan 0001 00:00:00 +0000https://bmorton.github.io/temporal-operator/installation/azure/<h1 id="running-on-azure"> Running on Azure <a class="anchor" href="#running-on-azure">#</a> </h1> <p>This guide covers running the Temporal operator on Azure: AKS, Azure Database for PostgreSQL Flexible Server, Application Gateway ingress, and passwordless Microsoft Entra authentication.</p> <h2 id="aks-prerequisites"> AKS prerequisites <a class="anchor" href="#aks-prerequisites">#</a> </h2> <ul> <li>An AKS cluster (<code>az aks create ...</code>).</li> <li>The operator installed (see the <a href="./_index.md">installation guide</a>).</li> </ul> <h2 id="persistence-flexible-server"> Persistence: Flexible Server <a class="anchor" href="#persistence-flexible-server">#</a> </h2> <p>Azure Database for PostgreSQL Flexible Server is the recommended SQL backend.</p> <ul> <li>Create the <code>temporal</code> and <code>temporal_visibility</code> databases up front — the operator runs <code>setup-schema</code> but does not create databases.</li> <li>Raise <code>max_connections</code> (~200) to avoid pool exhaustion on smaller SKUs.</li> <li>TLS is required; set <code>tls.enabled: true</code> on each store. Azure chains to a public root, so no CA secret is needed.</li> </ul> <p>Example: <a href="https://github.com/bmorton/temporal-operator/tree/main/examples/cluster-azure-postgres-flexible"><code>examples/cluster-azure-postgres-flexible</code></a>.</p>