Add Retool Workflows to a legacy Kubernetes with Helm deployment
Learn how to add support for Retool Workflows to an existing self-hosted deployment.
Retool Workflows was available as an optional configuration in Legacy releases of Retool 3.20.15 and later. It is part of the standard configuration of Stable and Edge releases.
If you deployed a Legacy release and did not enable Retool Workflows, you can upgrade to a Stable or Edge release and configure it with support.
Requirements
Your self-hosted deployment must meet the following requirements for Retool Workflows.
VM configuration
Retool Workflows requires a Linux-based virtual machine that meets the following system requirements:
- Ubuntu 22.04 or later.
- 16GiB memory.
- 8x vCPUs.
- 60GiB storage.
curlandunzipsoftware packages installed.
Retool recommends you allocate more resources than the minimum requirements so that your instance can more easily scale.
Retool version
Workflows is available in all Stable and Edge releases of self-hosted Retool, and in Legacy releases 3.20.15 or later. If you are using an older version, upgrade to either a Stable or Edge release. Unless you need to make use of the latest changes and have the ability to regularly upgrade your deployment, Retool recommends you use Stable releases.
Temporal
Temporal is a distributed system used to schedule and run asynchronous tasks for Retool Workflows. A Self-hosted Retool instance uses a Temporal cluster to facilitate the execution of each workflow amongst a pool of self-hosted workers that make queries and execute code in your VPC. Temporal manages the queueing, scheduling, and orchestration of workflows to guarantee that each workflow block executes in the correct order of the control flow. It does not store any block results by default.
You can use a Retool-managed cluster on Temporal Cloud, which is recommended for most use cases. You can also use an existing self-managed cluster that is hosted on Temporal Cloud or in your own infrastructure. Alternatively, you can spin up a new self-hosted cluster alongside your Self-hosted Retool instance.
- Retool-managed cluster
- Self-managed cluster
- Local cluster
Recommended
You should use a Retool-managed cluster if:
- You are on a version greater than 3.6.14.
- Your organization is on the Enterprise plan.
- You don't have an existing cluster which you prefer to use.
- Your cluster only needs to be used for a Self-hosted Retool deployment.
- You don't want to manage the cluster directly.
- You have a single or multi-instance Retool deployment, where each instance requires its own namespace.
Retool admins can enable Retool-managed Temporal. To get started, navigate to the Retool Workflows page and click Enroll now. Once you update your configuration, return to the page and click Complete setup.
It can take a few minutes to initialize a namespace in Retool-managed Temporal.
Retool-managed Temporal clusters are hosted on Temporal Cloud. Your Self-hosted Retool deployment communicates with the cluster when building, deploying, and executing Retool Workflows. All orchestration data to Temporal is fully encrypted and uses the private encryption key set for your deployment.
If you want to create a new, self-hosted cluster on Temporal Cloud, sign up first. Once your account is provisioned, you can then deploy Self-hosted Retool.
Temporal Cloud supports 10+ AWS regions from which to select, 99.99% availability, and 99.99% guarantee against service errors.
You should use an existing self-managed cluster, hosted on Temporal Cloud or in your own infrastructure, if:
- You cannot use a Retool-managed cluster.
- You are on a version greater than 3.6.14.
- Your organization is on the Free, Team, or Business plan.
- You have an existing cluster and would prefer to use another namespace within it.
- You need a cluster for uses other than a Self-hosted Retool deployment.
- You want to manage the cluster directly.
- You have a multi-instance Retool deployment, where each instance would have its own namespace in a shared Self-hosted Temporal cluster.
Self-managed cluster considerations
Retool recommends using a separate datastore for the Workflows Queue in production. Consider using AWS Aurora Serverless V2 configured to an ACU (cpu) provision ranging from 0.5 to 8 ACU. 1 ACU can provide around 10 QPS. The Workflows Queue is write-heavy (around 100:1 write to read operations) and Aurora Serverless can scale to accommodate spikes in traffic without any extra configuration.
Environments
For test environments, Retool recommends using the same database for the Retool Database and Workflows Queue. Without any extra configuration, Retool Workflows can process approximately 5-10 QPS (roughly, 5-10 concurrent blocks executed per second).
Workflows at scale
You can scale Self-hosted Retool Workflow-related services to perform a high rate of concurrent blocks per second. If your deployment needs to process more than 10 workflows per second, you can use:
- A Retool-managed cluster.
- A self-managed cluster on Temporal Cloud.
- Apache Cassandra as the Temporal datastore.
If you anticipate running workflows at a higher scale, please reach out to us to work through a deployment strategy that is best for your use case.
You should spin up a new cluster alongside your Self-hosted Retool instance if:
- You cannot use a Retool-managed cluster.
- You are on a version greater than 3.6.14.
- Your organization is on the Free, Team, or Business plan.
- You don't have an existing cluster to use.
- You don't need a cluster for uses other than a Self-hosted Retool deployment.
- You want to test a Self-hosted Retool deployment with a local cluster first.
- You have a multi-instance Retool deployment, but each instance is in its own VPC and requires its own Self-hosted Temporal cluster.
Local cluster considerations
Retool recommends using a separate datastore for the Workflows Queue in production. Consider using AWS Aurora Serverless V2 configured to an ACU (cpu) provision ranging from 0.5 to 8 ACU. 1 ACU can provide around 10 QPS. The Workflows Queue is write-heavy (around 100:1 write to read operations) and Aurora Serverless can scale to accommodate spikes in traffic without any extra configuration.
Environments
For test environments, Retool recommends using the same database for the Retool Database and Workflows Queue. Without any extra configuration, Retool Workflows can process approximately 5-10 QPS (roughly, 5-10 concurrent blocks executed per second).
Workflows at scale
You can scale Self-hosted Retool Workflow-related services to perform a high rate of concurrent blocks per second. If your deployment needs to process more than 10 workflows per second, you can use:
- A Retool-managed cluster.
- A self-managed cluster on Temporal Cloud.
- Apache Cassandra as the Temporal datastore.
If you anticipate running workflows at a higher scale, please reach out to us to work through a deployment strategy that is best for your use case.
Once you’ve decided which Temporal deployment option is best for you, you'll need to modify and provision additional services to your existing deployment and provide sufficient resources to run those resources. Retool recommends providing the following resource specifications wherever you deploy your infrastructure (e.g. at the VM level if using docker compose or "node" level if using Kubernetes):
System architecture changes
Support for Retool Workflows requires provisioning additional containers and services:
| Container | Image | Repository | Services |
|---|---|---|---|
| workflows-worker | backend | tryretool/backend | WORKFLOW_TEMPORAL_WORKER |
| workflows-backend | backend | tryretool/backend | WORKFLOW_BACKENDDB_CONNECTORDB_SSH_CONNECTOR |
| code-executor | code-executor-service | tryretool/code-executor-service | No service type. |
The following diagrams illustrates how your deployment instance's architecture changes after you add support for Retool Workflows.
- Current architecture
- New architecture
* Only present if you are using the default PostgreSQL database for Retool Database.
1. Upgrade your deployment
Follow these instructions to update your Retool instance to a newer release version.
1. Back up your database
If you use a managed database service, your database provider may have a feature to take snapshots or otherwise back up your database. If you use the PostgreSQL subchart, run the following command to export data from the PostgreSQL pod to a .sql file.
kubectl exec -it <POSTGRES-POD-NAME> -- bash -c 'pg_dump hammerhead_production --no-acl --no-owner --clean -U postgres' > retool_db_dump.sql
2. Select a new version
Update the image.tag value in values.yaml to the Docker tag for the version of Retool to install, such as tryretool/backend:3.75.3-stable.
3. Upgrade instance and apply changes
Use helm to perform the upgrade and include the Helm chart version number. Retool requires version 6.1.1 or later.
helm upgrade -f values.yaml my-retool retool/retool --version 6.1.1
4. Verify instance
Run kubectl get pods to verify that the update has completed.
my-retool-7898474bbd-pr8n6 1/1 Running 1 (8h ago) 8h
my-retool-jobs-runner-74796ddd99-dd856 1/1 Running 0 8h
my-retool-postgresql-0 1/1 Running 0 8h
You should see additional services for workflows, such as workflows-worker, workflows-backend, and code-executor.
2. Configure deployment
- Retool-managed cluster
- Self-hosted cluster
- Local cluster
Allow your deployment to connect to Temporal
Open up egress to the public internet on ports 443 and 7233 to allow outbound-only connections to Temporal Cloud from your deployment. This is so services can enqueue work to, and poll work out, of Temporal.
Temporal Cloud does not have a static IP range to allow list. If more specificity is required, egress is required on ports on the following domains:
| Port | Domains |
|---|---|
| 443 | *.retool.com, *.tryretool.com, *.temporal.io |
| 7233 | *.tmprl.cloud |
Kubernetes pods are non-isolated for egress by default thereby allowing all outbound connections. If the Retool backend or workers cannot connect to Temporal Cloud, check your egress NetworkPolicy for any issues.
Configure Helm for Temporal cluster
Update the values.yaml configuration file to specify whether to use a Retool-managed cluster or a self-managed one.
| Variable | Description |
|---|---|
.Values.workflows.enabled | Whether to enable workers and workflow backend pods. Set to true. |
.Values.codeExecutor.enabled | Whether to enable code executor pods. Set to true. |
.Values.retool-temporal-services-helm.enabled | Whether to use a local Retool-deployed Temporal cluster. Set to false. |
.Values.workflows.temporal.enabled | Whether to use a self-managed Temporal cluster. Set to false. |
Follow the steps for configuring either a Temporal Cloud cluster or a self-hosted cluster in your VPC.
Temporal Cloud
Allow your deployment to connect to Temporal
Open up egress to the public internet on ports 443 and 7233 to allow outbound-only connections to Temporal Cloud from your deployment. This is so services can enqueue work to, and poll work out, of Temporal.
Temporal Cloud does not have a static IP range to allow list. If more specificity is required, egress is required on ports on the following domains:
| Port | Domains |
|---|---|
| 443 | *.retool.com, *.tryretool.com, *.temporal.io |
| 7233 | *.tmprl.cloud |
Kubernetes pods are non-isolated for egress by default thereby allowing all outbound connections. If Retool backend or workers cannot connect to Temporal Cloud, check your egress NetworkPolicy for any issues.
Configure Helm for Temporal cluster
Update the values.yaml configuration file to specify whether to use a Retool-managed cluster or a self-managed one. You must also configure mTLS.
| Variable | Description |
|---|---|
.Values.workflows.enabled | Whether to enable workers and workflow backend pods. Set to true. |
.Values.codeExecutor.enabled | Whether to enable code executor pods. Set to true. |
.Values.retool-temporal-services-helm.enabled | Whether to use a local Retool-deployed Temporal cluster. Set to false. |
.Values.workflows.temporal.enabled | Whether to use a self-managed Temporal cluster. Set to true. |
.Values.workflows.temporal.* | The configuration for your Temporal cluster. |
Self-hosted
Configure Helm for Temporal cluster
Update the following variables in values.yaml to configure the Temporal cluster. You can optionally use mTLS to secure traffic between services within your VPC.
| Variable | Description |
|---|---|
.Values.workflows.enabled | Whether to enable workers and workflow backend pods. Set to true. |
.Values.codeExecutor.enabled | Whether to enable code executor pods. Set to true. |
.Values.retool-temporal-services-helm.enabled | Whether to use a local Retool-deployed Temporal cluster. Set to false. |
.Values.workflows.temporal.enabled | Whether to use a self-managed Temporal cluster. Set to true. |
.Values.workflows.temporal.* | The configuration for your Temporal cluster. |
Configure Helm for Temporal cluster
Update the following variables in values.yaml to configure the Temporal cluster. You can optionally use mTLS to secure traffic between services within your VPC.
| Variable | Description |
|---|---|
.Values.workflows.enabled | Whether to enable workers and workflow backend pods. Set to true. |
.Values.codeExecutor.enabled | Whether to enable code executor pods. Set to true. |
.Values.retool-temporal-services-helm.enabled | Whether to use a local Retool-deployed Temporal cluster. Set to true. |
.Values.retool-temporal-services-helm.persistence | Add PostgreSQL or AWS Aurora credentials to both default and visibility. |
.Values.workflows.temporal.enabled | Whether to use a self-managed Temporal cluster. Set to false. |