fix(helm): support webapp serviceAccount annotations for IRSA (#3429)

Mirrors the existing `supervisor.serviceAccount` pattern onto webapp so
operators can annotate the SA (IRSA `eks.amazonaws.com/role-arn`,
Workload Identity, etc.) or bring their own SA. Without this,
`webapp.serviceAccount.annotations` isn't exposed and operators have to
patch the SA out-of-band.

```yaml
webapp:
  serviceAccount:
    create: true
    name: ""
    annotations:
      eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/trigger-webapp
```

Three pieces, same as supervisor:
- `webapp.serviceAccount.create` toggle on the SA block
- `webapp.serviceAccount.annotations` + `name` values
- `trigger-v4.webappServiceAccountName` helper, used by the SA, the
token-syncer RoleBinding subject, and the Deployment's
`serviceAccountName`

Role + RoleBinding are left unguarded (matching supervisor's shape where
`rbac.create` is a separate toggle from `serviceAccount.create`) -
BYO-SA users take on the responsibility of ensuring the SA they supply
has the permissions the RoleBinding grants.

Verified with `helm template` against default values, an IRSA annotation
override, and `create: false` with a custom name.

Author: nicktrn

.github/workflows/pr_checks.yml

@@ -6,6 +6,7 @@ on:
     paths-ignore:
       - "docs/**"
       - ".changeset/**"
+      - "hosting/**"
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

hosting/k8s/helm/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: trigger
 description: The official Trigger.dev Helm chart
 type: application
-version: 4.0.5
+version: 4.0.6
 appVersion: v4.0.4
 home: https://trigger.dev
 sources:

hosting/k8s/helm/templates/_helpers.tpl

@@ -521,13 +521,34 @@ http://{{ include "trigger-v4.fullname" . }}-supervisor:{{ .Values.supervisor.se
 {{- end }}
 
 {{/*
-Create the name of the supervisor service account to use
+Create the name of the supervisor service account to use.
+When create is false, name must be set explicitly - falling back to the namespace's
+default ServiceAccount would silently grant it the RoleBinding's permissions.
 */}}
 {{- define "trigger-v4.supervisorServiceAccountName" -}}
 {{- if .Values.supervisor.serviceAccount.create }}
 {{- default (printf "%s-supervisor" (include "trigger-v4.fullname" .)) .Values.supervisor.serviceAccount.name }}
 {{- else }}
-{{- default "default" .Values.supervisor.serviceAccount.name }}
+{{- if not .Values.supervisor.serviceAccount.name }}
+{{- fail "supervisor.serviceAccount.name must be set when supervisor.serviceAccount.create is false" }}
+{{- end }}
+{{- .Values.supervisor.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create the name of the webapp service account to use.
+When create is false, name must be set explicitly - falling back to the namespace's
+default ServiceAccount would silently grant it the token-syncer RoleBinding's permissions.
+*/}}
+{{- define "trigger-v4.webappServiceAccountName" -}}
+{{- if .Values.webapp.serviceAccount.create }}
+{{- default (printf "%s-webapp" (include "trigger-v4.fullname" .)) .Values.webapp.serviceAccount.name }}
+{{- else }}
+{{- if not .Values.webapp.serviceAccount.name }}
+{{- fail "webapp.serviceAccount.name must be set when webapp.serviceAccount.create is false" }}
+{{- end }}
+{{- .Values.webapp.serviceAccount.name }}
 {{- end }}
 {{- end }}
 

hosting/k8s/helm/templates/webapp.yaml

@@ -1,10 +1,16 @@
+{{- if .Values.webapp.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ include "trigger-v4.fullname" . }}-webapp
+  name: {{ include "trigger-v4.webappServiceAccountName" . }}
   labels:
     {{- $component := "webapp" }}
     {{- include "trigger-v4.componentLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "component" $component) | nindent 4 }}
+  {{- with .Values.webapp.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -27,7 +33,7 @@ metadata:
     {{- include "trigger-v4.componentLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "component" $component) | nindent 4 }}
 subjects:
   - kind: ServiceAccount
-    name: {{ include "trigger-v4.fullname" . }}-webapp
+    name: {{ include "trigger-v4.webappServiceAccountName" . }}
     namespace: {{ .Release.Namespace }}
 roleRef:
   kind: Role
@@ -56,7 +62,7 @@ spec:
       labels:
         {{- include "trigger-v4.componentSelectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "component" $component) | nindent 8 }}
     spec:
-      serviceAccountName: {{ include "trigger-v4.fullname" . }}-webapp
+      serviceAccountName: {{ include "trigger-v4.webappServiceAccountName" . }}
       {{- with .Values.global.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}

hosting/k8s/helm/values.yaml

@@ -208,6 +208,15 @@ webapp:
   runReplication:
     logLevel: "info" # one of: log, error, warn, info, debug
 
+  # ServiceAccount configuration
+  serviceAccount:
+    create: true
+    # Name of the ServiceAccount to use. Required when create is false - otherwise
+    # the token-syncer RoleBinding would bind to the namespace's "default" SA.
+    name: ""
+    # Annotations to add to the ServiceAccount (e.g. eks.amazonaws.com/role-arn for IRSA)
+    annotations: {}
+
   # Observability configuration (OTel)
   observability:
     tracing: