
feat(supervisor): parameterize worker pod annotations, securityContext, SA, envFrom#3758

Closed
ConProgramming wants to merge 6 commits into
triggerdotdev:mainfrom
GovSignals:upstream-pr/supervisor-worker-pod-params

Conversation

@ConProgramming

Summary

Parameterizes worker pod metadata, securityContext, ServiceAccount, and envFrom-Secret via five new optional env vars on the supervisor process, plus matching Helm values. Lets operators configure compliance-required pod settings (annotations, runAsNonRoot, capabilities.drop, seccompProfile, etc.) without patching the supervisor image.

Discovered while rebasing our trigger.dev fork for a FedRAMP environment — Red Hat OpenShift's restricted SCC + pod-security admission policy reject worker pods that don't carry these settings.

Changes

  • New env vars on supervisor: KUBERNETES_WORKER_POD_ANNOTATIONS, _POD_SECURITY_CONTEXT, _CONTAINER_SECURITY_CONTEXT, _SERVICE_ACCOUNT, _ENV_FROM_SECRET (all optional, JSON-encoded for structured ones)
  • envUtil.ts helper for JSON parsing + Zod validation, with tests
  • workloadManager/kubernetes.ts applies parsed values to V1Pod spec
  • Helm chart: supervisor.yaml emits the env vars when corresponding values are set; new supervisor.config.kubernetes.workerPod* keys in values.yaml

Test plan

  • Unit tests for envUtil JSON parsing (success, malformed JSON, schema mismatch)
  • Helm template renders correctly with values set + unset
  • Manually verified against a real OpenShift cluster: worker pods now schedule with the expected securityContext applied

Notes

  • Defaults preserve current behavior — no behavior change for anyone not setting the new values.
  • This is PR 1 of 5 from a fork rebase; the others (helm extras, DEPLOY_IMAGE_OVERRIDE warning, s3.useIam, entrypoint migrate subcommand) are separate.

Made with Cursor

ConProgramming and others added 6 commits March 25, 2026 18:53
Merge upstream main into our main
…t, SA, envFrom

The Kubernetes workload manager now reads five new env vars from the
supervisor process and applies them to every spawned worker pod:

  - KUBERNETES_WORKER_POD_ANNOTATIONS            (JSON, Record<string,string>)
  - KUBERNETES_WORKER_POD_SECURITY_CONTEXT       (JSON, V1PodSecurityContext)
  - KUBERNETES_WORKER_CONTAINER_SECURITY_CONTEXT (JSON, V1SecurityContext)
  - KUBERNETES_WORKER_SERVICE_ACCOUNT            (string, SA name)
  - KUBERNETES_WORKER_ENV_FROM_SECRET            (string, Secret name)

All five are optional. When unset, behavior matches today.

Lets compliance-sensitive deployments (Red Hat OpenShift, FedRAMP/IL5
environments, restricted PSA namespaces) configure worker pods through
the Helm chart instead of patching the supervisor image. Also unblocks
operators who need worker pods to:

  - Carry custom annotations (e.g. service mesh sidecar opt-out, audit tags)
  - Run under specific UIDs / capabilities / seccomp profiles
  - Use a non-default ServiceAccount (e.g. for IRSA / Workload Identity)
  - Inherit a batch of env vars from a Secret via envFrom

Includes envUtil helper + tests for JSON parsing of the structured envs.

The supervisor.yaml Helm template emits these env vars from values when set;
schema added under supervisor.config.kubernetes.* in values.yaml.

Co-authored-by: Cursor <cursoragent@cursor.com>
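A TypeScript sketch of the envUtil-style helper and the pod-spec application described in both the PR summary and the commit message above. This is an added example, not the PR's or trigger.dev's code: it substitutes plain-object checks for the Zod schemas the PR uses, and `Pod`, `parseJsonEnv`, `applyWorkerPodEnv` and `basePod` are assumed names.

```typescript
// Added example, not the PR's own code: an envUtil-style helper for the five optional
// supervisor env vars. Plain-object checks stand in for the PR's Zod schemas.
type Env = Record<string, string | undefined>;
type Obj = Record<string, unknown>;
export interface Pod {
  metadata: { name: string; annotations?: Record<string, string> };
  spec: {
    serviceAccountName?: string;
    securityContext?: Obj;
    containers: { name: string; securityContext?: Obj; envFrom?: { secretRef: { name: string } }[] }[];
  };
}
export const isObj = (v: unknown): v is Obj =>
  typeof v === "object" && v !== null && !Array.isArray(v);
export const isStringMap = (v: unknown): v is Record<string, string> =>
  isObj(v) && Object.values(v).every((x) => typeof x === "string");

// Undefined when the var is unset; throws on malformed JSON or a schema mismatch so a bad
// operator value fails the supervisor at startup instead of silently dropping the setting.
export function parseJsonEnv<T>(env: Env, name: string, check: (v: unknown) => v is T): T | undefined {
  const raw = env[name];
  if (raw === undefined || raw.trim() === "") return undefined;
  let parsed: unknown;
  try {
    parsed = JSON.parse(raw);
  } catch (err) {
    throw new Error(`${name}: malformed JSON (${(err as Error).message})`);
  }
  if (!check(parsed)) throw new Error(`${name}: value does not match the expected schema`);
  return parsed;
}

// Each branch is skipped when its var is absent, so an unconfigured supervisor builds the same pod as before.
export function applyWorkerPodEnv(pod: Pod, env: Env): Pod {
  const annotations = parseJsonEnv(env, "KUBERNETES_WORKER_POD_ANNOTATIONS", isStringMap);
  const podSec = parseJsonEnv(env, "KUBERNETES_WORKER_POD_SECURITY_CONTEXT", isObj);
  const ctrSec = parseJsonEnv(env, "KUBERNETES_WORKER_CONTAINER_SECURITY_CONTEXT", isObj);
  const sa = env.KUBERNETES_WORKER_SERVICE_ACCOUNT;
  const secret = env.KUBERNETES_WORKER_ENV_FROM_SECRET;
  if (annotations) pod.metadata.annotations = { ...pod.metadata.annotations, ...annotations };
  if (podSec) pod.spec.securityContext = podSec;
  if (sa) pod.spec.serviceAccountName = sa;
  for (const c of pod.spec.containers) {
    if (ctrSec) c.securityContext = ctrSec;
    if (secret) c.envFrom = [...(c.envFrom ?? []), { secretRef: { name: secret } }];
  }
  return pod;
}
// Constructed sample: a bare worker pod with one container, the starting point for every call.
export function basePod(): Pod {
  return { metadata: { name: "worker" }, spec: { containers: [{ name: "run" }] } };
}
```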
@changeset-bot

changeset-bot Bot commented May 26, 2026

⚠️ No Changeset found

Latest commit: 450049c

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@github-actions

Hi @ConProgramming, thanks for your interest in contributing!

This project requires that pull request authors are vouched, and you are not in the list of vouched users.

This PR will be closed automatically. See https://github.com/triggerdotdev/trigger.dev/blob/main/CONTRIBUTING.md for more details.

@github-actions github-actions Bot closed this May 26, 2026
@coderabbitai

coderabbitai Bot commented May 26, 2026


Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: b74276ca-07a6-4567-ae82-46f42f14f22d

📥 Commits

Reviewing files that changed from the base of the PR and between 37eeaa3 and 450049c.

📒 Files selected for processing (6)
  • apps/supervisor/src/env.ts
  • apps/supervisor/src/envUtil.test.ts
  • apps/supervisor/src/envUtil.ts
  • apps/supervisor/src/workloadManager/kubernetes.ts
  • hosting/k8s/helm/templates/supervisor.yaml
  • hosting/k8s/helm/values.yaml

Walkthrough

This PR extends Kubernetes worker pod configuration by introducing reusable JSON environment variable parsing schemas, adding new supervisor environment variables for worker service accounts, pod annotations, and security contexts, integrating these configurations into the KubernetesWorkloadManager to conditionally apply settings to pod specs, and exposing the new options through Helm chart values and templates.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes
