[Feature Request] Allow disabling default worker service

[mxk]

Is your feature request related to a problem? Please describe.

We are deploying a central Temporal server with JWT-based authorization. The chart is currently deploying a default worker service pod that has no way of generating or providing an API key to the server, so the pod is constantly failing with Request unauthorized error.

Describe the solution you'd like

We would like to disable the default worker service so that only application-specific workers with proper authorization are registered with the server (similar to how we can disable the web UI with web.enabled value).

[adamko147]

Hi @mxk,
I've encountered the same scenario and solved by enabling internal-fronted service and deploying own frontend with JWT auth enabled. with internal-fronted, internal temporal components do not need to generate/use JWT while the clients connecting to frontend do need to use JWT.
We have own helm charts, although there is an open issue (#560) to enable internal-frontend in temporal charts. Would that work for you?

[mxk]

I don't think that's related to disabling the default worker service, but I was able to work around the original issue by adding replicaCount: '0' to the worker config. Helm still creates a deployment for it, which is not ideal, but at least there are no running pods.

[alexku7]

Sorry for a stupid question

Is the default worker required?

Can we simply disable it without any impact on the cluster?

According to the documentation here it does something in the cluster and has some job to do..Am I wrong ?

[robholland]

It's not valid to disable the internal worker, it's required for proper operation of the cluster. If you are using JWT for authentication from your workers you should use the internal frontend system to ensure the worker can get un-authenticated access. Please track #602 for some work in fixing up this area.