fix: restore upstream blocks accidentally removed in earlier commits

Three blocks were dropped accidentally by overly-greedy StrReplace edits
in earlier commits. Restore them to match upstream main:

1. apps/supervisor/src/env.ts: KUBERNETES_POD_DNS_NDOTS_OVERRIDE_ENABLED
   and KUBERNETES_POD_DNS_NDOTS env vars (and their multi-line comment
   explaining the ndots-tuning rationale) — dropped in 171b09f
   (feat(supervisor): parameterize worker-pod and -container
   securityContext) when the surrounding KUBERNETES_WORKER_*
   parameterization was added.

2. apps/supervisor/src/workloadManager/kubernetes.ts: corresponding
   dnsConfig block in the worker pod spec that consumes the env vars —
   dropped in the same commit.

3. hosting/k8s/helm/values.yaml: webapp.serviceAccount block (create,
   name, annotations) — dropped in 7c5f3a5 (fix(helm): default worker
   Role to empty rules) when the worker.rbac block was edited; the
   StrReplace replacement string accidentally swallowed the unrelated
   webapp.serviceAccount block above it.

No functional change to our patches; pure restoration of upstream code.

Author: Conner Aldrich

apps/supervisor/src/env.ts

@@ -145,6 +145,16 @@ const Env = z
 
     KUBERNETES_MEMORY_OVERHEAD_GB: z.coerce.number().min(0).optional(), // Optional memory overhead to add to the limit in GB
     KUBERNETES_SCHEDULER_NAME: z.string().optional(), // Custom scheduler name for pods
+
+    // Pod DNS config — override the cluster default ndots to `KUBERNETES_POD_DNS_NDOTS`.
+    // Default k8s ndots is 5: any name with fewer than 5 dots (e.g. `api.example.com`, 2 dots) is first walked
+    // through every entry in the cluster search list (`<ns>.svc.cluster.local`, `svc.cluster.local`, `cluster.local`)
+    // before being tried as-is, turning one resolution into 4+ CoreDNS queries (×2 with A+AAAA).
+    // Overriding the default can be useful to cut CoreDNS query amplification for external domains.
+    // Note: before enabling, make sure no code path relies on search-list expansion for names with dots ≥ the value
+    // set here — those names will now hit their as-is form first and could resolve externally before falling back.
+    KUBERNETES_POD_DNS_NDOTS_OVERRIDE_ENABLED: BoolEnv.default(false),
+    KUBERNETES_POD_DNS_NDOTS: z.coerce.number().int().min(1).max(15).default(2),
     // Large machine affinity settings - large-* presets prefer a dedicated pool
     KUBERNETES_LARGE_MACHINE_AFFINITY_ENABLED: BoolEnv.default(false),
     KUBERNETES_LARGE_MACHINE_AFFINITY_POOL_LABEL_KEY: z
@@ -213,7 +223,9 @@ const Env = z
             if (!validEffects.includes(effect)) {
               ctx.addIssue({
                 code: z.ZodIssueCode.custom,
-                message: `Invalid toleration effect "${effect}" in "${entry}". Must be one of: ${validEffects.join(", ")}`,
+                message: `Invalid toleration effect "${effect}" in "${entry}". Must be one of: ${validEffects.join(
+                  ", "
+                )}`,
               });
               return z.NEVER;
             }

apps/supervisor/src/workloadManager/kubernetes.ts

@@ -335,6 +335,13 @@ export class KubernetesWorkloadManager implements WorkloadManager {
             },
           }
         : {}),
+      ...(env.KUBERNETES_POD_DNS_NDOTS_OVERRIDE_ENABLED
+        ? {
+            dnsConfig: {
+              options: [{ name: "ndots", value: `${env.KUBERNETES_POD_DNS_NDOTS}` }],
+            },
+          }
+        : {}),
     };
   }
 

hosting/k8s/helm/values.yaml

@@ -208,6 +208,15 @@ webapp:
   runReplication:
     logLevel: "info" # one of: log, error, warn, info, debug
 
+  # ServiceAccount configuration
+  serviceAccount:
+    create: true
+    # Name of the ServiceAccount to use. Required when create is false - otherwise
+    # the token-syncer RoleBinding would bind to the namespace's "default" SA.
+    name: ""
+    # Annotations to add to the ServiceAccount (e.g. eks.amazonaws.com/role-arn for IRSA)
+    annotations: {}
+
   # Observability configuration (OTel)
   observability:
     tracing: