fix(chart/supervisor): branch TRIGGER_API_URL + OTEL endpoint on nginx.tls.enabled

When nginx.tls.enabled, the webapp Service routes through the nginx-tls
sidecar's external TLS port (with oauth2-proxy auth_request on /). The
supervisor can't traverse that auth chain with plain HTTP — runtime
result is

  400 The plain HTTP request was sent to HTTPS port

Point the supervisor at <fullname>-webapp-internal:<nginx.internalPort>
(TLS, no oauth2-proxy, app-token auth via TRIGGER_WORKER_TOKEN) when
nginx.tls.enabled — mirrors flat-era trigger-dev chart behavior and
the existing register-tasks job template's same conditional.

Caller responsibility: chart consumers who enable nginx.tls.enabled
must also render a <fullname>-webapp-internal Service that exposes
nginx.internalPort and selects webapp pods (e.g. via an umbrella
template alongside the upstream subchart, as GovSignals does).

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: ConProgramming

hosting/k8s/helm/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: trigger
 description: The official Trigger.dev Helm chart
 type: application
-version: 4.5.0-rc.4-plt663.5
+version: 4.5.0-rc.4-plt663.6
 appVersion: v4.5.0-rc.4
 home: https://trigger.dev
 sources:

hosting/k8s/helm/templates/supervisor.yaml

@@ -136,7 +136,12 @@ spec:
           env:
             # Core configuration
             - name: TRIGGER_API_URL
+              {{- if and .Values.nginx.enabled .Values.nginx.tls.enabled }}
+              # Use internal TLS service (bypasses oauth2-proxy, still encrypted)
+              value: "https://{{ include "trigger-v4.fullname" . }}-webapp-internal.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.nginx.internalPort | default 3031 }}"
+              {{- else }}
               value: "http://{{ include "trigger-v4.fullname" . }}-webapp:{{ .Values.webapp.service.port }}"
+              {{- end }}
             - name: TRIGGER_WORKER_TOKEN
               {{- if .Values.webapp.bootstrap.enabled }}
               valueFrom:
@@ -253,7 +258,11 @@ spec:
               value: {{ .Values.supervisor.config.debug | quote }}
             # OTEL
             - name: OTEL_EXPORTER_OTLP_ENDPOINT
+              {{- if and .Values.nginx.enabled .Values.nginx.tls.enabled }}
+              value: "https://{{ include "trigger-v4.fullname" . }}-webapp-internal.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.nginx.internalPort | default 3031 }}/otel"
+              {{- else }}
               value: "http://{{ include "trigger-v4.fullname" . }}-webapp.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.webapp.service.port }}/otel"
+              {{- end }}
             {{- with .Values.supervisor.extraEnvVars }}
             {{- tpl (toYaml .) $ | nindent 12 }}
             {{- end }}

hosting/k8s/helm/values.yaml

@@ -914,6 +914,22 @@ registry:
       #     - registry.local
 
 # Shared persistent volumes
+# Optional nginx sidecar configuration. Default empty — chart consumers
+# that ship an in-pod nginx (e.g. for TLS termination + auth proxy) wire
+# this via extraContainers/extraVolumes; this block exists so other
+# templates can safely reference `.Values.nginx.*` with chart defaults.
+nginx:
+  # When true (and `nginx.tls.enabled: true`), templates like supervisor
+  # route to `<fullname>-webapp-internal:<nginx.internalPort>` over TLS
+  # instead of the public webapp Service. The chart consumer is
+  # responsible for actually rendering the in-pod sidecar + the
+  # `<fullname>-webapp-internal` Service (see `extraContainers` /
+  # `extraVolumes` on `webapp`).
+  enabled: false
+  tls:
+    enabled: false
+  internalPort: 3031
+
 persistence:
   # This is used for the worker token file
   shared: