Provide environment information
Self-hosted trigger.dev on EKS using ArgoCD
Describe the bug
The current Helm chart for Trigger.dev v4 hardcodes the creation of ServiceAccounts for the webapp and supervisor components without providing a way to add annotations. This effectively blocks the use of IAM Roles for Service Accounts (IRSA) on AWS EKS, as the eks.amazonaws.com/role-arn annotation cannot be applied through values.yaml.
In templates/webapp/serviceaccount.yaml, the ServiceAccount is defined statically:
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "trigger-v4.fullname" . }}-webapp
labels:
{{- $component := "webapp" }}
{{- include "trigger-v4.componentLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "component" $component) | nindent 4 }}
Because there is no {{- with .Values.webapp.serviceAccount.annotations }} block, users cannot inject the IAM role required for the Webapp to interact with ECR or other AWS services.
And due to that I get the following error when trying to use ECR as an external registry
{"repositoryName":"trigger/proj_hctgrgyrebziolnltwsp","region":"us-east-2","getRepoError":{"name":"ValidationError","$fault":"client","$metadata":{"httpStatusCode":400,"requestId":"cf300249-44b8-40aa-b4f0-c1d2f9e8fe1c","attempts":1,"totalRetryDelay":0},"Type":"Sender","Code":"ValidationError","message":"1 validation error detected: Value null at 'roleArn' failed to satisfy constraint: Member must not be null"},"http":{"requestId":"wYZoL9MCOwGfgStfWbqM9","path":"/api/v1/deployments","host":"<>","method":"POST"},"timestamp":"2026-04-12T16:14:39.330Z","name":"webapp","message":"Failed to get ECR repository","level":"error"}
{"repositoryName":"trigger/proj_hctgrgyrebziolnltwsp","host":"<>,"ecrRepoError":"1 validation error detected: Value null at 'roleArn' failed to satisfy constraint: Member must not be null","http":{"requestId":"wYZoL9MCOwGfgStfWbqM9","path":"/api/v1/deployments","host":"<>","method":"POST"},"timestamp":"2026-04-12T16:14:39.330Z","name":"webapp","message":"Failed to ensure ECR repository exists","level":"error"}
{"environmentId":"cmnoeeqwr00051n1sdalh73j3","projectId":"cmnoeeqw600041n1sgyxpc4me","version":"20260412.3","triggeredById":"cmnoeedxy00001n1sya52rwkf","type":"MANAGED","cause":"1 validation error detected: Value null at 'roleArn' failed to satisfy constraint: Member must not be null","http":{"requestId":"wYZoL9MCOwGfgStfWbqM9","path":"/api/v1/deployments","host":"<>","method":"POST"},"timestamp":"2026-04-12T16:14:39.330Z","name":"webapp","message":"Failed to get deployment image ref","level":"error"}
Reproduction repo
To reproduce
Steps to Reproduce:
- Attempt to add the AWS IAM Role annotation to the webapp ServiceAccount via values.yaml:
webapp:
serviceAccount:
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/trigger-role
Actual Behavior: The annotation is ignored because the service account manifest in webapp.yaml template does not include an annotations helper or block.
Expected Behavior: The ServiceAccount should render with the provided annotations to allow the EKS OIDC provider to inject IAM credentials.
Additional information
No response
Provide environment information
Self-hosted trigger.dev on EKS using ArgoCD
Describe the bug
The current Helm chart for Trigger.dev v4 hardcodes the creation of ServiceAccounts for the webapp and supervisor components without providing a way to add annotations. This effectively blocks the use of IAM Roles for Service Accounts (IRSA) on AWS EKS, as the eks.amazonaws.com/role-arn annotation cannot be applied through values.yaml.
In
templates/webapp/serviceaccount.yaml, the ServiceAccount is defined statically:Because there is no {{- with .Values.webapp.serviceAccount.annotations }} block, users cannot inject the IAM role required for the Webapp to interact with ECR or other AWS services.
And due to that I get the following error when trying to use ECR as an external registry
{"repositoryName":"trigger/proj_hctgrgyrebziolnltwsp","region":"us-east-2","getRepoError":{"name":"ValidationError","$fault":"client","$metadata":{"httpStatusCode":400,"requestId":"cf300249-44b8-40aa-b4f0-c1d2f9e8fe1c","attempts":1,"totalRetryDelay":0},"Type":"Sender","Code":"ValidationError","message":"1 validation error detected: Value null at 'roleArn' failed to satisfy constraint: Member must not be null"},"http":{"requestId":"wYZoL9MCOwGfgStfWbqM9","path":"/api/v1/deployments","host":"<>","method":"POST"},"timestamp":"2026-04-12T16:14:39.330Z","name":"webapp","message":"Failed to get ECR repository","level":"error"}
{"repositoryName":"trigger/proj_hctgrgyrebziolnltwsp","host":"<>,"ecrRepoError":"1 validation error detected: Value null at 'roleArn' failed to satisfy constraint: Member must not be null","http":{"requestId":"wYZoL9MCOwGfgStfWbqM9","path":"/api/v1/deployments","host":"<>","method":"POST"},"timestamp":"2026-04-12T16:14:39.330Z","name":"webapp","message":"Failed to ensure ECR repository exists","level":"error"}
{"environmentId":"cmnoeeqwr00051n1sdalh73j3","projectId":"cmnoeeqw600041n1sgyxpc4me","version":"20260412.3","triggeredById":"cmnoeedxy00001n1sya52rwkf","type":"MANAGED","cause":"1 validation error detected: Value null at 'roleArn' failed to satisfy constraint: Member must not be null","http":{"requestId":"wYZoL9MCOwGfgStfWbqM9","path":"/api/v1/deployments","host":"<>","method":"POST"},"timestamp":"2026-04-12T16:14:39.330Z","name":"webapp","message":"Failed to get deployment image ref","level":"error"}
Reproduction repo
To reproduce
Steps to Reproduce:
Actual Behavior: The annotation is ignored because the service account manifest in webapp.yaml template does not include an annotations helper or block.
Expected Behavior: The ServiceAccount should render with the provided annotations to allow the EKS OIDC provider to inject IAM credentials.
Additional information
No response