Update temporalmetricsdemo (apikey access only)

Author: deepika-awasthi

core/src/main/java/io/temporal/samples/temporalmetricsdemo/README.md

@@ -33,50 +33,25 @@ Prometheus :-
 
 ## 1) Create Service Account + API Key (Temporal Cloud)
 
-OpenMetrics auth reference:
-https://docs.temporal.io/production-deployment/cloud/metrics/openmetrics/api-reference#authentication
+1. Create a service account with **Metrics Read-Only** role
+   OpenMetrics auth reference:
+   https://docs.temporal.io/production-deployment/cloud/metrics/openmetrics/api-reference#authentication
 
-In Temporal Cloud UI:
-- **Settings → Service Accounts**
-- Create a service account with **Metrics Read-Only** role
-- Generate an **API key** ( copy this, it will be needed later)
----
-
-
-## 2) Create the `secrets/` folder + API key file
-
-From the repo root (same folder as `docker-compose.yml`), run:
-
-```
-cd temporalmetricsdemo
-mkdir -p secrets
-echo "put your CLOUD API KEY HERE" > secrets/temporal_cloud_api_key
-```
-now the folder will look like below and temporal_cloud_api_key will have the above api key that we generated in step 1
+    In Temporal Cloud UI:
+    - **Settings → Service Accounts**
+      - Create a service account with **Metrics Read-Only** role
+      - Generate an **API key** ( copy this, it will be needed later)
+    ---
+2. Add your namespace and assign namespace permission
 
-```
-temporalmetricsdemo/
-├── docker-compose.yml
-├── prometheus/
-├── grafana/
-├── secrets/
-│   └── temporal_cloud_api_key
-```
+![metrics read only service account](docs/images/img8.png)
 
-## 3) Configure TemporalConnection.java
 
-Edit `TemporalConnection.java` and set your defaults:
+** This approach is only for testing, for production either have 2 service account 1 for running workflows and 1 for metrics reading
+to have more control on API keys ** 
 
-```
-public static final String NAMESPACE = env("TEMPORAL_NAMESPACE", "<namespace>.<account-id>");
-public static final String ADDRESS   = env("TEMPORAL_ADDRESS", "<namespace>.<account-id>.tmprl.cloud:7233");
-public static final String CERT      = env("TEMPORAL_CERT", "/path/to/client.pem");
-public static final String KEY       = env("TEMPORAL_KEY",  "/path/to/client.key");
-public static final String TASK_QUEUE = env("TASK_QUEUE", "openmetrics-task-queue");
-public static final int WORKER_SECONDS = envInt("WORKER_SECONDS", 60);
-```
 
-## 4) 4) Update Prometheus scrape config
+## 2) Update Prometheus scrape config
 
 prometheus/config.yml
 Update it to use your namespace
@@ -86,35 +61,29 @@ Update it to use your namespace
 ```
 
 
-## 5) Start Prometheus + Grafana
+## 3) Start Prometheus + Grafana
 
 docker compose up -d
 docker compose ps
 
+## 4) Ran the sample and view the cloud metrics
 
-## 6) View Grafana dashboard
-
-http://localhost:3001/
-
-- Username: admin
-- Password: admin
-
-You should see the Temporal Cloud OpenMetrics dashboard.
+Terminal 1 
+**export below env variables in the respective terminal for running WorkerMain**
 
-## 7) Verify metrics in Prometheus
+export TEMPORAL_API_KEY=<api_created_above>
+export TEMPORAL_NAMESPACE="<namespace>.<account-id>"
+export TEMPORAL_ADDRESS="<region>.<cloud-provider>.api.temporal.io:7233" (regional endpoint for API auth) 
 
-Prometheus: http://localhost:9093/
+- `./gradlew -q execute -PmainClass=io.temporal.samples.temporalmetricsdemo.WorkerMain`
 
-Go to:
-Status → Targets (make sure the scrape target is UP)
-Graph tab (search for Temporal metrics and run a query)
+Terminal 2 
 
-## 8) Ran the sample and view the cloud metrics 
+**export env variables again for running Starter**
 
-- `./gradlew -q execute -PmainClass=io.temporal.samples.temporalmetricsdemo.WorkerMain`
 - `METRICS_PORT=9465 ./gradlew -q execute -PmainClass=io.temporal.samples.temporalmetricsdemo.Starter`
 
-starter logs 
+starter logs
 ```
 ➜  samples-java git:(deepika/openmetrics-demo) ✗ METRICS_PORT=9465 ./gradlew -q execute -PmainClass=io.temporal.samples.temporalmetricsdemo.Starter
 Worker metrics exposed at http://0.0.0.0:9465/metrics
@@ -138,5 +107,23 @@ Scenario=cancel ended: WorkflowFailedException - Workflow execution {workflowId=
 
 ```
 there will be some failures in the worker logs as we are intentionally failing workflows for the data generation purpose.
-give few seconds to see the data in both the dashboard and try to run couple of workflows so the rate 
-queries show properly. 
+give few seconds to see the data in both the dashboard and try to run couple of workflows so the rate
+queries show properly.
+
+## 5) View Grafana dashboard
+
+http://localhost:3001/
+
+- Username: admin
+- Password: admin
+
+You should see the Temporal Cloud OpenMetrics dashboard.
+
+## 6) Verify metrics in Prometheus
+
+Prometheus: http://localhost:9093/
+
+Go to:
+Status → Targets (make sure the scrape target is UP)
+Graph tab (search for Temporal metrics and run a query)
+

core/src/main/java/io/temporal/samples/temporalmetricsdemo/TemporalConnection.java

@@ -5,98 +5,86 @@
 import com.uber.m3.tally.Scope;
 import com.uber.m3.tally.StatsReporter;
 import com.uber.m3.util.Duration;
-import io.grpc.netty.shaded.io.grpc.netty.GrpcSslContexts;
-import io.grpc.netty.shaded.io.netty.handler.ssl.SslContext;
-import io.grpc.netty.shaded.io.netty.handler.ssl.SslContextBuilder;
 import io.micrometer.prometheus.PrometheusConfig;
 import io.micrometer.prometheus.PrometheusMeterRegistry;
 import io.temporal.client.WorkflowClient;
 import io.temporal.client.WorkflowClientOptions;
 import io.temporal.common.reporter.MicrometerClientStatsReporter;
 import io.temporal.serviceclient.WorkflowServiceStubs;
 import io.temporal.serviceclient.WorkflowServiceStubsOptions;
-import java.io.FileInputStream;
-import java.io.InputStream;
 import java.io.OutputStream;
 import java.net.InetSocketAddress;
 import java.nio.charset.StandardCharsets;
 
 public final class TemporalConnection {
   private TemporalConnection() {}
 
-  // Read from environment (docker-compose env_file: .env)
-  public static final String NAMESPACE = env("TEMPORAL_NAMESPACE", "<namespace>.<account-id>");
-  public static final String ADDRESS =
-      env("TEMPORAL_ADDRESS", "<namespace>.<account-id>.tmprl.cloud:7233");
-  public static final String CERT =
-      env("TEMPORAL_CERT", "path/to/client.pem");
-  public static final String KEY =
-      env("TEMPORAL_KEY", "path/to/client.key");
+  // Required: MUST be set in env. No defaults.
+  public static final String NAMESPACE = envRequired("TEMPORAL_NAMESPACE");
+  public static final String ADDRESS = envRequired("TEMPORAL_ADDRESS");
   public static final String TASK_QUEUE = env("TASK_QUEUE", "openmetrics-task-queue");
+
   private static final int METRICS_PORT = envInt("METRICS_PORT", 9464);
   private static final int METRICS_REPORT_SECONDS = envInt("METRICS_REPORT_SECONDS", 10);
 
   private static volatile WorkflowClient CLIENT;
-  private static volatile WorkflowServiceStubs SERVICE;
-
-  private static volatile boolean METRICS_STARTED = false;
-  private static volatile PrometheusMeterRegistry PROM_REGISTRY;
+  private static volatile PrometheusMeterRegistry PROM;
+  private static volatile boolean METRICS_STARTED;
 
   public static WorkflowClient client() {
     if (CLIENT != null) return CLIENT;
     synchronized (TemporalConnection.class) {
       if (CLIENT != null) return CLIENT;
 
-      SERVICE = serviceStubs();
+      String apiKey = envRequired("TEMPORAL_API_KEY");
+
+      // Validation
+      validate();
+      System.out.println("TemporalConnection: ADDRESS=" + ADDRESS);
+      System.out.println("TemporalConnection: NAMESPACE=" + NAMESPACE);
+
+      Scope scope = metricsScope();
+
+      WorkflowServiceStubs service =
+          WorkflowServiceStubs.newServiceStubs(
+              WorkflowServiceStubsOptions.newBuilder()
+                  .setTarget(ADDRESS)
+                  .setEnableHttps(true)
+                  .addApiKey(() -> apiKey)
+                  .setMetricsScope(scope)
+                  .build());
+
       CLIENT =
           WorkflowClient.newInstance(
-              SERVICE, WorkflowClientOptions.newBuilder().setNamespace(NAMESPACE).build());
+              service, WorkflowClientOptions.newBuilder().setNamespace(NAMESPACE).build());
+
       return CLIENT;
     }
   }
 
-  // create service stubs used by worker + starter
-  private static WorkflowServiceStubs serviceStubs() {
-    try (InputStream clientCert = new FileInputStream(CERT);
-        InputStream clientKey = new FileInputStream(KEY)) {
-
-      SslContext sslContext =
-          GrpcSslContexts.configure(SslContextBuilder.forClient().keyManager(clientCert, clientKey))
-              .build();
-
-      Scope metricsScope = metricsScope(); // ✅ tally scope that writes into Prometheus registry
-
-      WorkflowServiceStubsOptions options =
-          WorkflowServiceStubsOptions.newBuilder()
-              .setTarget(ADDRESS)
-              .setSslContext(sslContext)
-              .setMetricsScope(metricsScope) // ✅ Temporal SDK emits metrics here
-              .build();
-
-      return WorkflowServiceStubs.newServiceStubs(options);
-    } catch (Exception e) {
-      throw new RuntimeException("Failed to create Temporal TLS connection", e);
+  private static void validate() {
+    if (NAMESPACE.isBlank()) {
+      throw new IllegalStateException("TEMPORAL_NAMESPACE must be set (non-blank).");
+    }
+    if (ADDRESS.isBlank()) {
+      throw new IllegalStateException("TEMPORAL_ADDRESS must be set (non-blank).");
     }
   }
 
   private static Scope metricsScope() {
     synchronized (TemporalConnection.class) {
-      if (PROM_REGISTRY == null) {
-        PROM_REGISTRY = new PrometheusMeterRegistry(PrometheusConfig.DEFAULT);
-      }
-
-      StatsReporter reporter = new MicrometerClientStatsReporter(PROM_REGISTRY);
+      if (PROM == null) PROM = new PrometheusMeterRegistry(PrometheusConfig.DEFAULT);
 
+      StatsReporter reporter = new MicrometerClientStatsReporter(PROM);
       Scope scope =
           new RootScopeBuilder()
               .reporter(reporter)
               .reportEvery(Duration.ofSeconds(METRICS_REPORT_SECONDS));
 
       if (!METRICS_STARTED) {
         METRICS_STARTED = true;
-        startMetricsHttpServer(PROM_REGISTRY);
+        startMetricsHttpServer(PROM);
       }
-
       return scope;
     }
   }
@@ -116,17 +104,24 @@ private static void startMetricsHttpServer(PrometheusMeterRegistry registry) {
               os.write(body);
             }
           });
-      server.setExecutor(null);
       server.start();
-      System.out.println("Worker metrics exposed at http://0.0.0.0:" + METRICS_PORT + "/metrics");
+      System.out.println("Worker metrics at http://0.0.0.0:" + METRICS_PORT + "/metrics");
     } catch (Exception e) {
       throw new RuntimeException("Failed to start /metrics endpoint", e);
     }
   }
 
   private static String env(String key, String def) {
     String v = System.getenv(key);
-    return (v == null || v.isBlank()) ? def : v;
+    return (v == null || v.isBlank()) ? def : v.trim();
+  }
+
+  private static String envRequired(String key) {
+    String v = System.getenv(key);
+    if (v == null || v.isBlank()) {
+      throw new IllegalStateException("Missing required env var: " + key);
+    }
+    return v.trim();
   }
 
   private static int envInt(String key, int def) {