Skip to main content

Temporal Nexus - self-hosted configuration

SUPPORT, STABILITY, and DEPENDENCY INFO

Temporal Nexus is available in Public Preview for both Temporal Cloud and self-hosted deployments.

This section covers enabling Temporal Nexus in your self-hosted Temporal Service.

Enable Nexus

Enable Nexus in your self-hosted Temporal Service by updating the server's static configuration file and enabling Nexus through dynamic config, then setting the public callback URL and allowed callback addresses. Nexus is only supported in single cluster setups at this time. For additional information on operating Nexus workloads in your self-hosted cluster, see Nexus Architecture.

note

Replace $PUBLIC_URL with a URL value that's accessible to external callers or internally within the cluster. Currently, external Nexus calls are considered experimental so it should be safe to use the address of an internal load balancer for the Frontend Service.

To enable Nexus in your deployment:

  1. Ensure that the server's static configuration file enables the HTTP API.

    services:
    frontend:
    rpc:
    # NOTE: keep other fields as they were
    httpPort: 7243

    clusterMetadata:
    # NOTE: keep other fields as they were
    clusterInformation:
    active:
    # NOTE: keep other fields as they were
    httpAddress: $PUBLIC_URL:7243
  2. Enable Nexus through dynamic config, set the public callback URL, and set the allowed callback addresses.

    system.enableNexus:
    - value: true
    component.nexusoperations.callback.endpoint.template:
    # The URL must be publicly accessible if the callback is meant to be called by external services.
    # When using Nexus for cross namespace calls, the URL's host is irrelevant as the address is resolved using
    # membership. The URL is a Go template that interpolates the `NamepaceName` and `NamespaceID` variables.
    - value: https://$PUBLIC_URL:7243/namespaces/{{.NamespaceName}}/nexus/callback
    component.callbacks.allowedAddresses:
    # This list is a security mechanism for limiting which callback URLs are accepted by the server.
    # Attackers may leverage the callback mechanism to force the server to call arbitrary URLs.
    # The config below is only recommended for development, tune this to your requirements.
    - value:
    - Pattern: "*"
    AllowInsecure: true