Co-authored by Arjun Iyer and Nimesha Jinarajadasa. Read this on Signadot
Introduction
Welcome to the Temporal + Signadot Sandboxes tutorial! In this guide, you'll learn how to quickly test new versions of Temporal worker code—either in a pull request or during local development—by leveraging a Temporal setup running in a remote Kubernetes cluster. This setup enables you to:
- Rapidly iterate on worker code without redeploying the entire stack
- Use sandboxes to isolate and test changes alongside a stable baseline
- Observe workflow execution and routing in real time
Estimated time to complete: 10-15 minutes
What you'll accomplish:
- Deploy Temporal and Signadot in Kubernetes
- Run baseline client and worker services
- Submit and observe a money transfer workflow
- Deploy a sandboxed worker and route traffic to it
- Understand how context propagation and selective task execution work under the hood
Prerequisites
Before you begin, ensure you have the following prerequisites set up:
1) Docker Desktop with Kubernetes Enabled
- Download Docker Desktop and install it.
- In Docker Desktop settings, enable the Kubernetes option.
- Wait for the cluster to be ready (look for a green indicator).
2) kubectl Installed
- Install kubectl and ensure it is available in your PATH.
- Set your context to the Docker Desktop Kubernetes cluster:
kubectl config use-context docker-desktop
kubectl get nodes
3) Signadot Account and Operator
- Sign up for a free Signadot account.
- Install the Signadot Operator in your cluster by following the Signadot Operator installation guide.
4) Signadot CLI (Optional, but recommended for sandbox management)
Project Setup
1) Clone the Project Repository
git clone https://github.com/signadot/examples.git
cd examples/temporal-tutorial
2) Deploy Temporal to Kubernetes
kubectl create namespace temporal
kubectl apply -f k8s/temporal/ -n temporal
Step 1: Deploy Baseline Client and Worker
Deploy the Baseline Worker
cd temporal_worker
./build.sh
kubectl apply -f ../k8s/worker-deployment.yaml -n temporal
Deploy the Baseline Client UI
cd ../py_client
./build.sh
kubectl apply -f ../k8s/temporal-py-client-ui-deployment.yaml -n temporal
Verify Deployments
kubectl get pods -n temporal
kubectl get svc -n temporal
You should see something like the following for the pods:
And this for the services:
Step 2: Submit a Money Transfer Workflow
Access the Client UI
- Open the client UI in your browser. If using a local cluster, port-forward:
kubectl port-forward svc/temporal-py-client-ui 8080:8080 -n temporal
Then visit: http://localhost:8080
Submit a Money Transfer
- Fill out the form and submit a transfer.
- You should see a confirmation and workflow ID.
Open the Temporal UI
- Port-forward the Temporal UI:
kubectl port-forward svc/temporal-ui 8088:8080 -n temporal
Then visit: http://localhost:8088
- Search for your workflow ID and inspect its execution.
Observe the Worker Logs
kubectl logs -f <worker pod> -n temporal
You should see something like this in the worker logs:
Step 3: Deploy a Signadot Sandbox Worker
Fork the Worker Deployment
- Use the same image as the baseline (no code changes needed):
- Create a sandbox spec (e.g., worker-sandbox.yaml is provided):
signadot sandbox apply -f sandbox/worker-sandbox.yaml --set cluster=<your-cluster> (this is the name of the cluster created in the signadot dashboard)
- Wait for the sandbox to be ready:
signadot sandbox list
# or check the Signadot dashboard
- Confirm a new worker pod is running in the temporal namespace.
Step 4: Route a Workflow to the Sandbox
Use the Chrome Extension
- Install the Signadot Chrome Extension
- Log in to the Signadot dashboard via the extension. This will enable the extension to show a list of available Sandboxes.
- In the client UI, select the sandbox you just created using the extension. This will enable requests to be routed to the new sandbox version of the worker.
- Submit a new money transfer.
Observe Execution
- Watch the Temporal UI and both worker logs:
kubectl logs -f <baseline worker pod> -n temporal
(In another terminal window)
kubectl logs -f <sandbox-worker-pod> -n temporal
- You may see the task initially picked up by a baseline worker, but it will eventually be processed by the sandbox worker (retries are visible in the Temporal UI).
Step 5: How It Works (Under the Hood)
Context Propagation
- The client uses the Temporal Python SDK's TracingInterceptor to propagate OpenTelemetry baggage (including the Signadot routing key) into the workflow submission task. This baggage is stored in the workflow's headers in Temporal's persistent storage.
Selective Task Execution
- On the worker side, the same TracingInterceptor is used to extract baggage.
- Custom interceptors (see temporal_worker/interceptors.py) check the routing key and consult the Signadot routeserver to determine if the worker should process the task.
- If the routing key matches the sandbox, the sandbox worker processes the task; otherwise, it is skipped and retried until the correct worker picks it up.
- There are interceptors for Workflow and Activity tasks
# Example: SelectiveTaskInterceptor (temporal_worker/interceptors.py)
class SelectiveTaskInterceptor(Interceptor):
def intercept_workflow(self, input: ExecuteWorkflowInput, next):
routing_key = ... # extract from baggage
if self.routes_client.should_process(routing_key):
return next(input)
else:
# Skip processing
raise ApplicationError("Not for this worker")
Summary
In this tutorial, you learned how to use Temporal and Signadot Sandboxes to rapidly test new worker code in an isolated Kubernetes environment. We demonstrated deploying baseline services, submitting and routing workflows, and leveraging sandboxes for safe, high-fidelity testing without disrupting the baseline environment. This approach enables faster iteration and more reliable integration testing for microservices.
Ready to go further? Check out more tutorials and resources at https://www.signadot.com/docs/overview.
Top comments (0)