feat(supervisor): parameterize worker-pod annotations via KUBERNETES_WORKER_POD_ANNOTATIONS

GovSignals Bot · ConProgramming · commit a3cd53100504 · 2026-04-29T16:19:51.000-04:00
Replaces the hardcoded Rubix `com.palantir.rubix.service/pod-cert` annotation
with a JSON-shaped env var so the same supervisor image can run in environments
that need different per-pod annotations (Rubix in FedStart, none/empty in
GameWarden).

Default is `{}` so behavior matches upstream when the env is unset.
diff --git a/apps/supervisor/src/env.ts b/apps/supervisor/src/env.ts
@@ -94,6 +94,31 @@ const Env = z
     KUBERNETES_WORKER_NODETYPE_LABEL: z.string().default("v4-worker"),
     KUBERNETES_WORKER_SERVICE_ACCOUNT: z.string().optional(), // Service account for worker pods
     KUBERNETES_WORKER_AUTOMOUNT_SERVICE_ACCOUNT_TOKEN: BoolEnv.default(false), // Whether to mount SA token
+    KUBERNETES_WORKER_POD_ANNOTATIONS: z
+      .string()
+      .default("{}")
+      .transform((v, ctx) => {
+        try {
+          const parsed = JSON.parse(v);
+          if (
+            typeof parsed !== "object" ||
+            parsed === null ||
+            Array.isArray(parsed) ||
+            Object.values(parsed).some((value) => typeof value !== "string")
+          ) {
+            throw new Error("expected JSON object of string values");
+          }
+          return parsed as Record<string, string>;
+        } catch (err) {
+          ctx.addIssue({
+            code: z.ZodIssueCode.custom,
+            message: `Invalid KUBERNETES_WORKER_POD_ANNOTATIONS: ${
+              err instanceof Error ? err.message : String(err)
+            }`,
+          });
+          return z.NEVER;
+        }
+      }), // Extra annotations to apply to every worker pod (e.g. for service mesh / cert injection)
     KUBERNETES_IMAGE_PULL_SECRETS: z.string().optional(), // csv
     KUBERNETES_EPHEMERAL_STORAGE_SIZE_LIMIT: z.string().default("10Gi"),
     KUBERNETES_EPHEMERAL_STORAGE_SIZE_REQUEST: z.string().default("2Gi"),
diff --git a/apps/supervisor/src/workloadManager/kubernetes.ts b/apps/supervisor/src/workloadManager/kubernetes.ts
@@ -118,7 +118,7 @@ export class KubernetesWorkloadManager implements WorkloadManager {
               "app.kubernetes.io/component": "create",
             },
             annotations: {
-              "com.palantir.rubix.service/pod-cert": "{}",
+              ...env.KUBERNETES_WORKER_POD_ANNOTATIONS,
             },
           },
           spec: {
