AgentSkillsCN

namespace-management

当用户希望了解“Temporal 命名空间”、“创建命名空间”、“命名空间保留时间”、“多租户 Temporal”、“命名空间配置”、“命名空间隔离”,或需要关于 Temporal 命名空间的组织与管理的指导时,应使用此技能。

SKILL.md
--- frontmatter
name: namespace-management
description: This skill should be used when the user asks about "temporal namespace", "create namespace", "namespace retention", "multi-tenant temporal", "namespace configuration", "namespace isolation", or needs guidance on organizing and managing Temporal namespaces.
version: 1.0.0

Namespace Management

Guidance for creating, configuring, and managing Temporal namespaces.

Namespace Concepts

Namespaces provide logical isolation for workflows:

AspectIsolation Level
Workflow IDsPer namespace (can reuse IDs)
Task queuesPer namespace
Search attributesPer namespace
RetentionConfigurable per namespace
SecurityIndependent authorization
Nexus EndpointsCross-namespace routing (endpoint → target NS + TQ)

Creating Namespaces

Using CLI

bash
# Basic creation
temporal operator namespace create --namespace orders

# With retention period
temporal operator namespace create \
  --namespace orders \
  --retention 168h

# With description
temporal operator namespace create \
  --namespace orders \
  --retention 168h \
  --description "Order processing workflows"

Using timelord-cli

bash
timelord namespace create orders --retention 168h --description "Order processing"

Using SDK

go
import (
    "go.temporal.io/api/operatorservice/v1"
    "go.temporal.io/sdk/client"
)

func createNamespace(c client.Client) error {
    ctx := context.Background()

    _, err := c.OperatorService().CreateNamespace(ctx, &operatorservice.CreateNamespaceRequest{
        Namespace: "orders",
        WorkflowExecutionRetentionPeriod: &durationpb.Duration{
            Seconds: 604800, // 7 days
        },
        Description: "Order processing workflows",
    })
    return err
}

Namespace Configuration

Retention Period

How long completed workflow history is retained:

EnvironmentRecommended Retention
Development1-3 days
Staging3-7 days
Production7-30 days
CompliancePer requirements

Update retention:

bash
temporal operator namespace update \
  --namespace orders \
  --retention 336h  # 14 days

Search Attributes

Custom searchable fields per namespace:

bash
# Add search attribute
temporal operator search-attribute create \
  --namespace orders \
  --name CustomerId \
  --type Keyword

temporal operator search-attribute create \
  --namespace orders \
  --name OrderTotal \
  --type Double

temporal operator search-attribute create \
  --namespace orders \
  --name OrderDate \
  --type Datetime

Available types:

TypeDescriptionExample
KeywordExact match stringCustomerID, Status
TextFull-text searchDescription
IntInteger valuesCount, Attempts
DoubleFloating pointAmount, Price
BoolBooleanIsActive, IsPriority
DatetimeTimestampsCreatedAt, DueDate
KeywordListMultiple keywordsTags, Categories

Archival

Configure workflow archival:

bash
# Enable archival
temporal operator namespace update \
  --namespace orders \
  --history-archival-state enabled \
  --history-archival-uri "s3://bucket/archival"

Multi-Tenancy Patterns

Namespace Per Team

code
├── team-a-dev
├── team-a-staging
├── team-a-prod
├── team-b-dev
├── team-b-staging
└── team-b-prod

Benefits:

  • Clear ownership
  • Independent configuration
  • Separate quotas

Namespace Per Environment

code
├── development
├── staging
├── production
└── production-canary

Benefits:

  • Consistent naming
  • Environment isolation
  • Simplified promotion

Namespace Per Service

code
├── orders
├── payments
├── inventory
├── shipping
└── notifications

Benefits:

  • Service isolation
  • Independent scaling
  • Clear boundaries

Connecting Services with Nexus

When using namespace-per-service, Nexus endpoints connect them:

code
orders ──nexus: payments-ep──> payments
orders ──nexus: inventory-ep──> inventory
shipping ──nexus: inventory-ep──> inventory

Each endpoint routes to the handler namespace's task queue. Teams own their handler services independently.

Namespace Naming

Conventions

Pattern: {team}-{service}-{environment}

code
orders-processing-prod
payments-api-staging
inventory-sync-dev

Rules:

  • Use lowercase
  • Use hyphens as separators
  • Keep names descriptive but concise
  • Include environment suffix

Examples

ServiceDevStagingProd
Ordersorders-devorders-stagingorders-prod
Paymentspayments-devpayments-stagingpayments-prod
Sharedshared-devshared-stagingshared-prod

Access Control

Per-Namespace Authorization

Configure authorization per namespace:

yaml
# Namespace-specific permissions
namespaces:
  orders-prod:
    allowed_principals:
      - team-orders@example.com
      - platform-team@example.com
    permissions:
      - READ
      - WRITE
      - ADMIN
  orders-staging:
    allowed_principals:
      - team-orders@example.com
    permissions:
      - READ
      - WRITE

Certificate-Based Access

Map certificates to namespaces:

go
type ClaimMapper struct{}

func (c *ClaimMapper) GetClaims(authInfo *authorization.AuthInfo) (*authorization.Claims, error) {
    // Extract namespace from certificate CN
    cn := authInfo.TLSSubject.CommonName
    // CN format: service.namespace.example.com

    namespace := extractNamespace(cn)

    return &authorization.Claims{
        Namespaces: map[string]authorization.NamespaceClaims{
            namespace: {
                Permissions: []authorization.Permission{
                    authorization.PermissionRead,
                    authorization.PermissionWrite,
                },
            },
        },
    }, nil
}

Nexus Endpoint Management

Nexus endpoints route cross-namespace calls to handler task queues.

CLI Commands

bash
# Create endpoint
temporal operator nexus endpoint create \
  --name payments-endpoint \
  --target-namespace payments-ns \
  --target-task-queue payments-tq

# List endpoints
temporal operator nexus endpoint list

# Describe endpoint
temporal operator nexus endpoint describe --name payments-endpoint

# Update endpoint
temporal operator nexus endpoint update \
  --name payments-endpoint \
  --target-task-queue new-payments-tq

# Delete endpoint
temporal operator nexus endpoint delete --name payments-endpoint

Endpoint Naming

Follow the namespace naming pattern: {service}-{target}-ep

CallerHandlerEndpoint Name
orderspaymentspayments-ep
ordersinventoryinventory-ep
shippingnotificationsnotifications-ep

Topology

code
┌──────────────┐   payments-ep    ┌──────────────┐
│  orders-ns   │────────────────>│ payments-ns  │
│              │   inventory-ep   ┌──────────────┐
│              │────────────────>│ inventory-ns │
└──────────────┘                 └──────────────┘

Operations

List Namespaces

bash
# CLI
temporal operator namespace list

# timelord
timelord namespace list --json

Describe Namespace

bash
# CLI
temporal operator namespace describe --namespace orders

# timelord
timelord namespace describe orders --json

Update Namespace

bash
temporal operator namespace update \
  --namespace orders \
  --retention 336h \
  --description "Updated description"

Delete Namespace

bash
# Requires force flag - destructive!
temporal operator namespace delete --namespace orders-test

Migration Between Namespaces

Workflow Migration Strategy

  1. Stop new workflows in source namespace
  2. Wait for completion of running workflows
  3. Start new workflows in target namespace
  4. Verify functionality in target
  5. Archive/delete source namespace

Data Migration

Export and replay approach:

bash
# Export histories
temporal workflow list --namespace source-ns --query "ExecutionStatus='Completed'" | \
  while read wf; do
    temporal workflow show --namespace source-ns --workflow-id $wf --output json > histories/$wf.json
  done

# Replay in target (for verification)
# Run replay tests against new namespace

Monitoring

Namespace Metrics

promql
# Workflows per namespace
sum by (namespace) (temporal_workflow_active_count)

# Task queue depth per namespace
sum by (namespace, task_queue) (temporal_task_queue_depth)

# Failures per namespace
rate(temporal_workflow_failed_total[5m]) by (namespace)

Alerts

yaml
groups:
  - name: namespace-alerts
    rules:
      - alert: NamespaceHighFailureRate
        expr: rate(temporal_workflow_failed_total[5m]) > 0.1
        for: 5m
        labels:
          severity: warning
        annotations:
          summary: "High failure rate in namespace {{ $labels.namespace }}"

Best Practices

Configuration

  • Set appropriate retention (not too long, not too short)
  • Define search attributes upfront
  • Document namespace purpose
  • Configure archival for compliance

Organization

  • Use consistent naming conventions
  • Document namespace ownership
  • Plan namespace structure before creation
  • Separate environments clearly

Security

  • Apply least-privilege access
  • Use namespace-level authorization
  • Audit namespace access
  • Rotate credentials regularly

Operations

  • Monitor each namespace independently
  • Set up alerts per namespace
  • Plan capacity per namespace
  • Document runbooks per namespace

Additional Resources

Reference Files

For detailed namespace patterns, consult:

  • references/namespace-patterns.md - Advanced organization patterns
  • references/migration-procedures.md - Namespace migration guides