Skip to content

fix(helm): support webapp serviceAccount annotations for IRSA #3429

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
nicktrn merged 4 commits into from
Apr 23, 2026
Merged

fix(helm): support webapp serviceAccount annotations for IRSA #3429

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
e719920
fix(helm): support webapp serviceAccount annotations for IRSA
nicktrn Apr 23, 2026
b9d79e5
chore(helm): bump chart version to 4.0.6
nicktrn Apr 23, 2026
4aec03f
ci: skip pr checks for hosting-only changes
nicktrn Apr 23, 2026
f4a5d2a
fix(helm): fail rendering when serviceAccount.create is false and nam…
nicktrn Apr 23, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .github/workflows/pr_checks.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ on:
paths-ignore:
- "docs/**"
- ".changeset/**"
- "hosting/**"

concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
Expand Down
2 changes: 1 addition & 1 deletion hosting/k8s/helm/Chart.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ apiVersion: v2
name: trigger
description: The official Trigger.dev Helm chart
type: application
version: 4.0.5
version: 4.0.6
appVersion: v4.0.4
home: https://trigger.dev
sources:
Expand Down
25 changes: 23 additions & 2 deletions hosting/k8s/helm/templates/_helpers.tpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -521,13 +521,34 @@ http://{{ include "trigger-v4.fullname" . }}-supervisor:{{ .Values.supervisor.se
{{- end }}

{{/*
Create the name of the supervisor service account to use
Create the name of the supervisor service account to use.
When create is false, name must be set explicitly - falling back to the namespace's
default ServiceAccount would silently grant it the RoleBinding's permissions.
*/}}
{{- define "trigger-v4.supervisorServiceAccountName" -}}
{{- if .Values.supervisor.serviceAccount.create }}
{{- default (printf "%s-supervisor" (include "trigger-v4.fullname" .)) .Values.supervisor.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.supervisor.serviceAccount.name }}
{{- if not .Values.supervisor.serviceAccount.name }}
{{- fail "supervisor.serviceAccount.name must be set when supervisor.serviceAccount.create is false" }}
{{- end }}
Comment thread
nicktrn marked this conversation as resolved.
{{- .Values.supervisor.serviceAccount.name }}
{{- end }}
{{- end }}

{{/*
Create the name of the webapp service account to use.
When create is false, name must be set explicitly - falling back to the namespace's
default ServiceAccount would silently grant it the token-syncer RoleBinding's permissions.
*/}}
{{- define "trigger-v4.webappServiceAccountName" -}}
{{- if .Values.webapp.serviceAccount.create }}
{{- default (printf "%s-webapp" (include "trigger-v4.fullname" .)) .Values.webapp.serviceAccount.name }}
{{- else }}
{{- if not .Values.webapp.serviceAccount.name }}
{{- fail "webapp.serviceAccount.name must be set when webapp.serviceAccount.create is false" }}
{{- end }}
{{- .Values.webapp.serviceAccount.name }}
{{- end }}
{{- end }}

Expand Down
12 changes: 9 additions & 3 deletions hosting/k8s/helm/templates/webapp.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,10 +1,16 @@
{{- if .Values.webapp.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "trigger-v4.fullname" . }}-webapp
name: {{ include "trigger-v4.webappServiceAccountName" . }}
labels:
{{- $component := "webapp" }}
{{- include "trigger-v4.componentLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "component" $component) | nindent 4 }}
{{- with .Values.webapp.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
Expand All @@ -27,7 +33,7 @@ metadata:
{{- include "trigger-v4.componentLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "component" $component) | nindent 4 }}
subjects:
- kind: ServiceAccount
name: {{ include "trigger-v4.fullname" . }}-webapp
name: {{ include "trigger-v4.webappServiceAccountName" . }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: Role
Expand Down Expand Up @@ -56,7 +62,7 @@ spec:
labels:
{{- include "trigger-v4.componentSelectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "component" $component) | nindent 8 }}
spec:
serviceAccountName: {{ include "trigger-v4.fullname" . }}-webapp
serviceAccountName: {{ include "trigger-v4.webappServiceAccountName" . }}
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
Expand Down
9 changes: 9 additions & 0 deletions hosting/k8s/helm/values.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -208,6 +208,15 @@ webapp:
runReplication:
logLevel: "info" # one of: log, error, warn, info, debug

# ServiceAccount configuration
serviceAccount:
create: true
# Name of the ServiceAccount to use. Required when create is false - otherwise
# the token-syncer RoleBinding would bind to the namespace's "default" SA.
name: ""
# Annotations to add to the ServiceAccount (e.g. eks.amazonaws.com/role-arn for IRSA)
annotations: {}
Comment thread
nicktrn marked this conversation as resolved.

# Observability configuration (OTel)
observability:
tracing:
Expand Down
Loading