feat(supervisor): KUBERNETES_WORKER_ENV_FROM_SECRET — envFrom secret on every worker pod

ConProgramming · cursoragent · ConProgramming · commit 1767835e83a5 · 2026-05-05T10:52:21.000-04:00
Adds a single env var on the supervisor that names a Kubernetes Secret to
mount via `envFrom` on every worker pod the supervisor schedules. All
key/value pairs in the secret become env vars on the worker container —
resolved by the kubelet at pod creation, so the supervisor never reads
the secret values and needs no extra RBAC.

Use case: keep task-time secrets (DB URLs, API keys, etc.) in Kubernetes
Secrets owned by ops, instead of syncing them through trigger.dev's
webapp + database. Single source of truth in K8s; the secret never
leaves the K8s plane on its way to a task pod.

When the env var is unset (default) the worker pod spec is unchanged —
upstream behavior preserved.

Configured downstream via:

  supervisor:
    extraEnvVars:
      - name: KUBERNETES_WORKER_ENV_FROM_SECRET
        value: "trigger-task-secrets"

Renders as:

  spec.containers[0].envFrom = [{ secretRef: { name: "trigger-task-secrets" } }]

Co-authored-by: Cursor &lt;cursoragent@cursor.com&gt;
diff --git a/apps/supervisor/src/env.ts b/apps/supervisor/src/env.ts
@@ -116,6 +116,13 @@ const Env = z
       "KUBERNETES_WORKER_CONTAINER_SECURITY_CONTEXT",
       { valueValidator: JsonAny }
     ),
+    // Name of a Kubernetes Secret to envFrom-mount into every worker pod's
+    // container. Pulls every key/value pair in the secret as env vars on
+    // the worker. Resolved by the kubelet at pod creation time; the
+    // supervisor never reads the secret values, so this needs no extra
+    // RBAC. Use case: keep task-time secrets (DB URLs, API keys) in
+    // Kubernetes rather than syncing them through the trigger.dev webapp.
+    KUBERNETES_WORKER_ENV_FROM_SECRET: z.string().optional(),
     KUBERNETES_IMAGE_PULL_SECRETS: z.string().optional(), // csv
     KUBERNETES_EPHEMERAL_STORAGE_SIZE_LIMIT: z.string().default("10Gi"),
     KUBERNETES_EPHEMERAL_STORAGE_SIZE_REQUEST: z.string().default("2Gi"),
diff --git a/apps/supervisor/src/workloadManager/kubernetes.ts b/apps/supervisor/src/workloadManager/kubernetes.ts
@@ -139,6 +139,13 @@ export class KubernetesWorkloadManager implements WorkloadManager {
                 ...(Object.keys(env.KUBERNETES_WORKER_CONTAINER_SECURITY_CONTEXT).length > 0
                   ? { securityContext: env.KUBERNETES_WORKER_CONTAINER_SECURITY_CONTEXT }
                   : {}),
+                ...(env.KUBERNETES_WORKER_ENV_FROM_SECRET
+                  ? {
+                      envFrom: [
+                        { secretRef: { name: env.KUBERNETES_WORKER_ENV_FROM_SECRET } },
+                      ],
+                    }
+                  : {}),
                 env: [
                   {
                     name: "TRIGGER_DEQUEUED_AT_MS",
