fix(chart/supervisor): branch TRIGGER_API_URL + OTEL endpoint on nginx.tls.enabled

ConProgramming · cursoragent · ConProgramming · commit 0c2165478b05 · 2026-06-02T22:40:10.000-04:00
When nginx.tls.enabled, the webapp Service routes through the nginx-tls
sidecar's external TLS port (with oauth2-proxy auth_request on /). The
supervisor can't traverse that auth chain with plain HTTP — runtime
result is

  400 The plain HTTP request was sent to HTTPS port

Point the supervisor at &lt;fullname&gt;-webapp-internal:&lt;nginx.internalPort&gt;
(TLS, no oauth2-proxy, app-token auth via TRIGGER_WORKER_TOKEN) when
nginx.tls.enabled — mirrors flat-era trigger-dev chart behavior and
the existing register-tasks job template's same conditional.

Caller responsibility: chart consumers who enable nginx.tls.enabled
must also render a &lt;fullname&gt;-webapp-internal Service that exposes
nginx.internalPort and selects webapp pods (e.g. via an umbrella
template alongside the upstream subchart, as GovSignals does).

Co-authored-by: Cursor &lt;cursoragent@cursor.com&gt;
diff --git a/hosting/k8s/helm/Chart.yaml b/hosting/k8s/helm/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: trigger
 description: The official Trigger.dev Helm chart
 type: application
-version: 4.5.0-rc.4-plt663.5
+version: 4.5.0-rc.4-plt663.6
 appVersion: v4.5.0-rc.4
 home: https://trigger.dev
 sources:
diff --git a/hosting/k8s/helm/templates/supervisor.yaml b/hosting/k8s/helm/templates/supervisor.yaml
@@ -136,7 +136,12 @@ spec:
           env:
             # Core configuration
             - name: TRIGGER_API_URL
+              {{- if and (dig "nginx" "enabled" false .Values) (dig "nginx" "tls" "enabled" false .Values) }}
+              # Use internal TLS service (bypasses oauth2-proxy, still encrypted)
+              value: "https://{{ include "trigger-v4.fullname" . }}-webapp-internal.{{ .Release.Namespace }}.svc.cluster.local:{{ dig "nginx" "internalPort" 3031 .Values }}"
+              {{- else }}
               value: "http://{{ include "trigger-v4.fullname" . }}-webapp:{{ .Values.webapp.service.port }}"
+              {{- end }}
             - name: TRIGGER_WORKER_TOKEN
               {{- if .Values.webapp.bootstrap.enabled }}
               valueFrom:
@@ -253,7 +258,11 @@ spec:
               value: {{ .Values.supervisor.config.debug | quote }}
             # OTEL
             - name: OTEL_EXPORTER_OTLP_ENDPOINT
+              {{- if and (dig "nginx" "enabled" false .Values) (dig "nginx" "tls" "enabled" false .Values) }}
+              value: "https://{{ include "trigger-v4.fullname" . }}-webapp-internal.{{ .Release.Namespace }}.svc.cluster.local:{{ dig "nginx" "internalPort" 3031 .Values }}/otel"
+              {{- else }}
               value: "http://{{ include "trigger-v4.fullname" . }}-webapp.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.webapp.service.port }}/otel"
+              {{- end }}
             {{- with .Values.supervisor.extraEnvVars }}
             {{- tpl (toYaml .) $ | nindent 12 }}
             {{- end }}
