feat(helm): add webapp.extraContainers + webapp.extraInitContainers

ConProgramming · cursoragent · ConProgramming · commit 5ac922807fe9 · 2026-05-05T15:39:08.000-04:00
Mirrors the pattern already established for `webapp.extraEnvVars`,
`webapp.extraVolumes`, and `webapp.extraVolumeMounts`. Lets consumers
inject sidecars (in-pod TLS like nginx/envoy, log shippers, audit
agents, etc.) and extra init containers without forking the chart.

Both default to empty list — no behavior change for existing users.

Use case driving this: GovSignals' FedStart deployments need an
in-pod nginx TLS sidecar so supervisor / register-tasks can talk to
the webapp over TLS without going through the cluster-edge oauth2-proxy.
The umbrella umbrella-style patterns we'd otherwise need (kustomize
post-render, fork the webapp template) are all worse.

Co-authored-by: Cursor &lt;cursoragent@cursor.com&gt;
diff --git a/hosting/k8s/helm/templates/webapp.yaml b/hosting/k8s/helm/templates/webapp.yaml
@@ -82,6 +82,9 @@ spec:
           volumeMounts:
             - name: shared
               mountPath: /home/node/shared
+        {{- with .Values.webapp.extraInitContainers }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
       containers:
         - name: token-syncer
           image: {{ include "trigger-v4.webapp.tokenSyncer.image" . }}
@@ -404,6 +407,9 @@ spec:
             {{- with .Values.webapp.extraVolumeMounts }}
             {{- toYaml . | nindent 12 }}
             {{- end }}
+        {{- with .Values.webapp.extraContainers }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
       volumes:
         - name: shared
           {{- if .Values.persistence.shared.enabled }}
diff --git a/hosting/k8s/helm/values.yaml b/hosting/k8s/helm/values.yaml
@@ -172,6 +172,29 @@ webapp:
     #   mountPath: /etc/ssl/certs
     #   readOnly: true
 
+  # Extra containers added to the webapp pod (sidecars). Useful for
+  # in-pod TLS (nginx, envoy), log shippers, audit agents, etc.
+  extraContainers:
+    []
+    # - name: nginx-tls
+    #   image: nginx:alpine
+    #   ports:
+    #     - name: https-internal
+    #       containerPort: 3031
+    #   volumeMounts:
+    #     - name: nginx-config
+    #       mountPath: /etc/nginx/conf.d
+    #     - name: nginx-tls-certs
+    #       mountPath: /etc/nginx/tls
+
+  # Extra init containers added to the webapp pod, scheduled after the
+  # built-in `volume-permissions` init.
+  extraInitContainers:
+    []
+    # - name: wait-for-secrets
+    #   image: busybox
+    #   command: [...]
+
   # ServiceMonitor for Prometheus monitoring
   serviceMonitor:
     enabled: false
