From e7199201f54a94fdf6de225ad128c07c27910ccb Mon Sep 17 00:00:00 2001
From: nicktrn <55853254+nicktrn@users.noreply.github.com>
Date: Thu, 23 Apr 2026 09:05:20 +0100
Subject: [PATCH 1/4] fix(helm): support webapp serviceAccount annotations for IRSA

---
 hosting/k8s/helm/templates/_helpers.tpl | 11 +++++++++++
 hosting/k8s/helm/templates/webapp.yaml | 12 +++++++++---
 hosting/k8s/helm/values.yaml | 7 +++++++
 3 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/hosting/k8s/helm/templates/_helpers.tpl b/hosting/k8s/helm/templates/_helpers.tpl
index cb148678c92..abb1101d1c5 100644
--- a/hosting/k8s/helm/templates/_helpers.tpl
+++ b/hosting/k8s/helm/templates/_helpers.tpl
@@ -531,6 +531,17 @@ Create the name of the supervisor service account to use
 {{- end }}
 {{- end }}
 
+{{/*
+Create the name of the webapp service account to use
+*/}}
+{{- define "trigger-v4.webappServiceAccountName" -}}
+{{- if .Values.webapp.serviceAccount.create }}
+{{- default (printf "%s-webapp" (include "trigger-v4.fullname" .)) .Values.webapp.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.webapp.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
 {{/*
 Create the name of the supervisor role to use
 */}}
diff --git a/hosting/k8s/helm/templates/webapp.yaml b/hosting/k8s/helm/templates/webapp.yaml
index 0dd1bddbc41..721e5e60705 100644
--- a/hosting/k8s/helm/templates/webapp.yaml
+++ b/hosting/k8s/helm/templates/webapp.yaml
@@ -1,10 +1,16 @@
+{{- if .Values.webapp.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ include "trigger-v4.fullname" . }}-webapp
+  name: {{ include "trigger-v4.webappServiceAccountName" . }}
   labels:
     {{- $component := "webapp" }}
     {{- include "trigger-v4.componentLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "component" $component) | nindent 4 }}
+  {{- with .Values.webapp.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -27,7 +33,7 @@ metadata:
     {{- include "trigger-v4.componentLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "component" $component) | nindent 4 }}
 subjects:
   - kind: ServiceAccount
-    name: {{ include "trigger-v4.fullname" . }}-webapp
+    name: {{ include "trigger-v4.webappServiceAccountName" . }}
     namespace: {{ .Release.Namespace }}
 roleRef:
   kind: Role
@@ -56,7 +62,7 @@ spec:
       labels:
         {{- include "trigger-v4.componentSelectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "component" $component) | nindent 8 }}
     spec:
-      serviceAccountName: {{ include "trigger-v4.fullname" . }}-webapp
+      serviceAccountName: {{ include "trigger-v4.webappServiceAccountName" . }}
       {{- with .Values.global.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
diff --git a/hosting/k8s/helm/values.yaml b/hosting/k8s/helm/values.yaml
index 262ffa4b8ed..74556a08460 100644
--- a/hosting/k8s/helm/values.yaml
+++ b/hosting/k8s/helm/values.yaml
@@ -208,6 +208,13 @@ webapp:
   runReplication:
     logLevel: "info" # one of: log, error, warn, info, debug
 
+  # ServiceAccount configuration
+  serviceAccount:
+    create: true
+    name: ""
+    # Annotations to add to the ServiceAccount (e.g. eks.amazonaws.com/role-arn for IRSA)
+    annotations: {}
+
   # Observability configuration (OTel)
   observability:
     tracing:
From b9d79e5e8772b93b31c4c6016be82ae19eaa4269 Mon Sep 17 00:00:00 2001
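Review bot: The `annotations` value is only rendered inside the `{{- if .Values.webapp.serviceAccount.create }}` guard in webapp.yaml, so with `create: false` an IRSA role-arn placed here is silently dropped and the pre-existing ServiceAccount referenced by `name` must carry it itself; the values.yaml comment should say so. Suggested wording for the comment above `annotations:`: `# Annotations to add to the ServiceAccount (e.g. eks.amazonaws.com/role-arn for IRSA). Only applied when create is true; a pre-existing ServiceAccount must carry its own annotations.` The RoleBinding hunk in the same file binds the Role to whatever name the helper returns, so a pre-existing ServiceAccount supplied via `name` receives those permissions on install — worth a sentence next to `name` as well, since an operator pointing the chart at a shared ServiceAccount is widening what that account can read. An empty `{}` is falsy for `with`, so the default correctly emits no `annotations:` key.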
From: nicktrn <55853254+nicktrn@users.noreply.github.com>
Date: Thu, 23 Apr 2026 09:05:29 +0100
Subject: [PATCH 2/4] chore(helm): bump chart version to 4.0.6

---
 hosting/k8s/helm/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hosting/k8s/helm/Chart.yaml b/hosting/k8s/helm/Chart.yaml
index 155dc1bf771..ac8e81b9f4b 100644
--- a/hosting/k8s/helm/Chart.yaml
+++ b/hosting/k8s/helm/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: trigger
 description: The official Trigger.dev Helm chart
 type: application
-version: 4.0.5
+version: 4.0.6
 appVersion: v4.0.4
 home: https://trigger.dev
 sources:
From 4aec03f27e00ceb2bd80d991471ed68b41b3d38b Mon Sep 17 00:00:00 2001
From: nicktrn <55853254+nicktrn@users.noreply.github.com>
Date: Thu, 23 Apr 2026 09:18:15 +0100
Subject: [PATCH 3/4] ci: skip pr checks for hosting-only changes

---
 .github/workflows/pr_checks.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/pr_checks.yml b/.github/workflows/pr_checks.yml
index dab18223e35..12da89db3b2 100644
--- a/.github/workflows/pr_checks.yml
+++ b/.github/workflows/pr_checks.yml
@@ -6,6 +6,7 @@ on:
     paths-ignore:
       - "docs/**"
       - ".changeset/**"
+      - "hosting/**"
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
From f4a5d2a3c795851499fb01834154735319a3f0c3 Mon Sep 17 00:00:00 2001
From: nicktrn <55853254+nicktrn@users.noreply.github.com>
Date: Thu, 23 Apr 2026 09:20:38 +0100
Subject: [PATCH 4/4] fix(helm): fail rendering when serviceAccount.create is false and name is empty

Previously the name helpers fell back to "default", causing the token-syncer RoleBinding to bind secret permissions to the namespace's default ServiceAccount - silently elevating any workload using it.
Applied to both webapp and supervisor helpers.

---
 hosting/k8s/helm/templates/_helpers.tpl | 18 ++++++++++++++----
 hosting/k8s/helm/values.yaml | 2 ++
 2 files changed, 16 insertions(+), 4 deletions(-)

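Review bot: Adding `"hosting/**"` to `paths-ignore` means a pull request that touches only the chart — including the RBAC and ServiceAccount templates changed in this same series — triggers none of this workflow's jobs. If any job in pr_checks lints or renders the Helm chart (the jobs are outside this hunk, so this is inferred), that coverage is lost for exactly the files where a wrong RoleBinding subject goes unnoticed; a chart-specific workflow scoped to `hosting/k8s/helm/**` would keep it. If any of these jobs are configured as required status checks, a PR matching only ignored paths also leaves them in a pending state instead of passing, which is usually handled with a separate workflow or a job-level `if:` rather than `paths-ignore`. The enclosing `on:` block starts outside the hunk.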
diff --git a/hosting/k8s/helm/templates/_helpers.tpl b/hosting/k8s/helm/templates/_helpers.tpl
index abb1101d1c5..09901518086 100644
--- a/hosting/k8s/helm/templates/_helpers.tpl
+++ b/hosting/k8s/helm/templates/_helpers.tpl
@@ -521,24 +521,34 @@ http://{{ include "trigger-v4.fullname" . }}-supervisor:{{ .Values.supervisor.se
 {{- end }}
 
 {{/*
-Create the name of the supervisor service account to use
+Create the name of the supervisor service account to use.
+When create is false, name must be set explicitly - falling back to the namespace's
+default ServiceAccount would silently grant it the RoleBinding's permissions.
 */}}
 {{- define "trigger-v4.supervisorServiceAccountName" -}}
 {{- if .Values.supervisor.serviceAccount.create }}
 {{- default (printf "%s-supervisor" (include "trigger-v4.fullname" .)) .Values.supervisor.serviceAccount.name }}
 {{- else }}
-{{- default "default" .Values.supervisor.serviceAccount.name }}
+{{- if not .Values.supervisor.serviceAccount.name }}
+{{- fail "supervisor.serviceAccount.name must be set when supervisor.serviceAccount.create is false" }}
+{{- end }}
+{{- .Values.supervisor.serviceAccount.name }}
 {{- end }}
 {{- end }}
 
 {{/*
-Create the name of the webapp service account to use
+Create the name of the webapp service account to use.
+When create is false, name must be set explicitly - falling back to the namespace's
+default ServiceAccount would silently grant it the token-syncer RoleBinding's permissions.
 */}}
 {{- define "trigger-v4.webappServiceAccountName" -}}
 {{- if .Values.webapp.serviceAccount.create }}
 {{- default (printf "%s-webapp" (include "trigger-v4.fullname" .)) .Values.webapp.serviceAccount.name }}
 {{- else }}
-{{- default "default" .Values.webapp.serviceAccount.name }}
+{{- if not .Values.webapp.serviceAccount.name }}
+{{- fail "webapp.serviceAccount.name must be set when webapp.serviceAccount.create is false" }}
+{{- end }}
+{{- .Values.webapp.serviceAccount.name }}
 {{- end }}
 {{- end }}
 
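Review bot: The `if not` / `fail` / `end` guard added to each `else` branch is three lines doing what Helm's `required` function does in one expression, and `required` also rejects an empty string, so the behavior is unchanged: `{{- required "supervisor.serviceAccount.name must be set when supervisor.serviceAccount.create is false" .Values.supervisor.serviceAccount.name }}`, and the same form for the webapp helper. The guard does not cover the other way of reaching the namespace's default ServiceAccount, `create: true` with `name: default`, which still renders a ServiceAccount manifest named `default` and a RoleBinding targeting it; whether install rejects that collision depends on Helm's handling of the pre-existing object, which the hunk does not show, so a one-line template comment or a second `fail` on that combination would make the intent explicit. The closing `{{- end }}` lines of both helpers are inside the hunk; the surrounding helpers are not.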
diff --git a/hosting/k8s/helm/values.yaml b/hosting/k8s/helm/values.yaml
index 74556a08460..3ed254397e7 100644
--- a/hosting/k8s/helm/values.yaml
+++ b/hosting/k8s/helm/values.yaml
@@ -211,6 +211,8 @@ webapp:
   # ServiceAccount configuration
   serviceAccount:
     create: true
+    # Name of the ServiceAccount to use. Required when create is false - otherwise
+    # the token-syncer RoleBinding would bind to the namespace's "default" SA.
     name: ""
     # Annotations to add to the ServiceAccount (e.g. eks.amazonaws.com/role-arn for IRSA)
     annotations: {}
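Review bot: The new comment on `name` is added only under `webapp.serviceAccount`, while the same `fail` guard was added to the supervisor helper in this commit; `supervisor.serviceAccount.name`, which `trigger-v4.supervisorServiceAccountName` reads, should carry the matching comment so the render-time failure is not a surprise to operators reading values.yaml. Suggested text for that key: `# Name of the ServiceAccount to use. Required when create is false - otherwise the supervisor RoleBinding would bind to the namespace's "default" SA.` The supervisor values block is outside this hunk, so its current wording cannot be confirmed here.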