feat(helm): add supervisor.extraVolumes/extraVolumeMounts

GovSignals Bot · ConProgramming · commit fd84546d1cd2 · 2026-04-29T16:14:23.000-04:00
Mirrors the existing webapp.extraVolumes / webapp.extraVolumeMounts pattern.
Required for compliance environments that need to mount a custom CA bundle
ConfigMap into the supervisor pod (e.g. Palantir Rubix or GameWarden CAs)
and point NODE_EXTRA_CA_CERTS at it.

Both extras render unconditionally — they no longer depend on the legacy
bootstrap-disabled volume block — so any consumer can opt in.
diff --git a/hosting/k8s/helm/templates/supervisor.yaml b/hosting/k8s/helm/templates/supervisor.yaml
@@ -245,24 +245,34 @@ spec:
             {{- with .Values.supervisor.extraEnvVars }}
             {{- toYaml . | nindent 12 }}
             {{- end }}
-          {{- if not .Values.webapp.bootstrap.enabled }}
+          {{- if or (not .Values.webapp.bootstrap.enabled) .Values.supervisor.extraVolumeMounts }}
           volumeMounts:
+            {{- if not .Values.webapp.bootstrap.enabled }}
             - name: shared
               mountPath: /home/node/shared
+            {{- end }}
+            {{- with .Values.supervisor.extraVolumeMounts }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
           {{- end }}
           {{- with .Values.supervisor.securityContext }}
           securityContext:
             {{- toYaml . | nindent 12 }}
           {{- end }}
-      {{- if not .Values.webapp.bootstrap.enabled }}
+      {{- if or (not .Values.webapp.bootstrap.enabled) .Values.supervisor.extraVolumes }}
       volumes:
+        {{- if not .Values.webapp.bootstrap.enabled }}
         - name: shared
           {{- if .Values.persistence.shared.enabled }}
           persistentVolumeClaim:
             claimName: {{ include "trigger-v4.fullname" . }}-shared
           {{- else }}
           emptyDir: {}
           {{- end }}
+        {{- end }}
+        {{- with .Values.supervisor.extraVolumes }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
       {{- end }}
       {{- with .Values.supervisor.nodeSelector }}
       nodeSelector:
diff --git a/hosting/k8s/helm/values.yaml b/hosting/k8s/helm/values.yaml
@@ -338,6 +338,20 @@ supervisor:
     # - name: CUSTOM_VAR
     #   value: "custom-value"
 
+  # Extra volumes added to the Supervisor pod (e.g. CA bundle ConfigMap)
+  extraVolumes:
+    []
+    # - name: ca-bundle
+    #   configMap:
+    #     name: my-ca-bundle
+
+  # Extra volume mounts added to the Supervisor container
+  extraVolumeMounts:
+    []
+    # - name: ca-bundle
+    #   mountPath: /etc/ssl/custom-ca
+    #   readOnly: true
+
   # ServiceMonitor for Prometheus monitoring
   serviceMonitor:
     enabled: false
