How to test Temporal Services using Signadot Sandboxes

Co-authored by Arjun Iyer and Nimesha Jinarajadasa.

Introduction

Welcome to the Temporal + Signadot Sandboxes tutorial! In this guide, you'll learn how to quickly test new versions of Temporal worker code—either in a pull request or during local development—by leveraging a Temporal setup running in a remote Kubernetes cluster. This setup enables you to:

• Rapidly iterate on worker code without redeploying the entire stack
• Use sandboxes to isolate and test changes alongside a stable baseline
• Observe workflow execution and routing in real time

Estimated time to complete: 10-15 minutes

What you'll accomplish:

• Deploy Temporal and Signadot in Kubernetes
• Run baseline client and worker services
• Submit and observe a money transfer workflow
• Deploy a sandboxed worker and route traffic to it
• Understand how context propagation and selective task execution work under the hood

Prerequisites

Before you begin, ensure you have the following prerequisites set up:

1) Docker Desktop with Kubernetes Enabled

• Download Docker Desktop and install it.
• In Docker Desktop settings, enable the Kubernetes option.
• Wait for the cluster to be ready (look for a green indicator).

2) kubectl Installed

• Install kubectl and ensure it is available in your PATH.
• Set your context to the Docker Desktop Kubernetes cluster:

• Alternative: You may use minikube or kind if you prefer.

3) Signadot Account and Operator

• Sign up for a free Signadot account.
• Install the Signadot Operator in your cluster by following the Signadot Operator installation guide.

4) Signadot CLI (Optional, but recommended for sandbox management)

• Install the Signadot CLI:

Project Setup

1. Clone the Project Repository

2. Deploy Temporal to Kubernetes

Step 1: Deploy Baseline Client and Worker

Deploy the Baseline Worker

Deploy the Baseline Client UI

Verify Deployments

You should see something like the following for the pods:

And this for the services:

Step 2: Submit a Money Transfer Workflow

Access the Client UI

• Open the client UI in your browser. If using a local cluster, port-forward:

Then visit: http://localhost:8080

Submit a Money Transfer

• Fill out the form and submit a transfer.
• You should see a confirmation and workflow ID.

Open the Temporal UI

• Port-forward the Temporal UI:

Then visit: http://localhost:8088

• Search for your workflow ID and inspect its execution.

Observe the Worker Logs

You should see something like this in the worker logs:

Step 3: Deploy a Signadot Sandbox Worker

Fork the Worker Deployment

• Use the same image as the baseline (no code changes needed):

• Create a sandbox spec (e.g., worker-sandbox.yaml is provided):

• Wait for the sandbox to be ready:

• Confirm a new worker pod is running in the temporal namespace.

Step 4: Route a Workflow to the Sandbox

Use the Chrome Extension

• Install the Signadot Chrome Extension
• Log in to the Signadot dashboard via the extension. This will enable the extension to show a list of available Sandboxes.
• In the client UI, select the sandbox you just created using the extension. This will enable requests to be routed to the new sandbox version of the worker.
• Submit a new money transfer.

Observe Execution

• Watch the Temporal UI and both worker logs:

• You may see the task initially picked up by a baseline worker, but it will eventually be processed by the sandbox worker (retries are visible in the Temporal UI).

Step 5: How It Works (Under the Hood)

Context Propagation

• The client uses the Temporal Python SDK's TracingInterceptor to propagate OpenTelemetry baggage (including the Signadot routing key) into the workflow submission task. This baggage is stored in the workflow's headers in Temporal's persistent storage.

Selective Task Execution

• On the worker side, the same TracingInterceptor is used to extract baggage.
• Custom interceptors (see temporal_worker/interceptors.py) check the routing key and consult the Signadot routeserver to determine if the worker should process the task.
• If the routing key matches the sandbox, the sandbox worker processes the task; otherwise, it is skipped and retried until the correct worker picks it up.
• There are interceptors for Workflow and Activity tasks

Summary

In this tutorial, you learned how to use Temporal and Signadot Sandboxes to rapidly test new worker code in an isolated Kubernetes environment. We demonstrated deploying baseline services, submitting and routing workflows, and leveraging sandboxes for safe, high-fidelity testing without disrupting the baseline environment. This approach enables faster iteration and more reliable integration testing for microservices.

‍

Ready to go further? Check out more tutorials and resources at https://www.signadot.com/docs/overview.