feat(supervisor): optional ndots override for runner pods

[myftija]

Adds KUBERNETES_POD_DNS_NDOTS_OVERRIDE_ENABLED flag (off by default) that overrides the cluster default and sets dnsConfig.options.ndots on runner pods (defaulting to 2, configurable via KUBERNETES_POD_DNS_NDOTS).

Kubernetes defaults pods to ndots: 5, so any name with fewer than 5 dots, including typical external domains like api.example.com, is first walked through every entry in the cluster search list (<ns>.svc.cluster.local, svc.cluster.local, cluster.local) before being tried as-is, turning one resolution into 4+ CoreDNS queries (×2 with A+AAAA).

Using a lower ndots value reduces DNS query amplification in the cluster.local zone.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 7a9bb61

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Walkthrough

This pull request introduces a new DNS configuration feature for the supervisor. It adds documentation describing a pod DNS ndots override capability, introduces two new environment variables to control this feature with validation and bounds checking, and implements conditional logic to apply DNS configuration settings to Kubernetes pod specifications when the override is enabled. The feature allows customization of how DNS query resolution behaves for names containing fewer dots by affecting cluster search-list expansion.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	The PR description lacks several required sections from the template: issue reference, testing steps, and checklist items are missing or incomplete.	Add the issue number (Closes #XXXX), describe testing steps, complete the checklist items, and optionally add a changelog section and screenshots.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'feat(supervisor): optional ndots override for runner pods' clearly and concisely summarizes the main change—adding an optional DNS ndots configuration override feature for runner pods.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ndots-overrides

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 2 additional findings.

[coderabbitai]

🧹 Nitpick comments (1)

apps/supervisor/src/env.ts (1)

132-133: Optional: warn when KUBERNETES_POD_DNS_NDOTS is set without enabling the override.

If an operator sets KUBERNETES_POD_DNS_NDOTS but forgets KUBERNETES_POD_DNS_NDOTS_OVERRIDE_ENABLED=true, the value is silently ignored (the dnsConfig block is not emitted in kubernetes.ts at Line 324). Consider adding a superRefine check that raises an issue (or at least a startup log warning) when KUBERNETES_POD_DNS_NDOTS has been explicitly provided while the flag is off — this would mirror the existing COMPUTE_SNAPSHOTS_ENABLED cross-validation at Lines 261-274. Low priority; purely a UX/footgun prevention nit.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/supervisor/src/env.ts` around lines 132 - 133, Add a cross-field
validation to the env schema using zod's .superRefine so that when
KUBERNETES_POD_DNS_NDOTS_OVERRIDE_ENABLED is false but KUBERNETES_POD_DNS_NDOTS
was explicitly provided (i.e., differs from its default) an issue is raised (or
at minimum a startup warning logged); mirror the pattern used for
COMPUTE_SNAPSHOTS_ENABLED cross-validation (the same file's existing check) and
reference the KUBERNETES_POD_DNS_NDOTS_OVERRIDE_ENABLED and
KUBERNETES_POD_DNS_NDOTS symbols when implementing the check.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@apps/supervisor/src/env.ts`:
- Around line 132-133: Add a cross-field validation to the env schema using
zod's .superRefine so that when KUBERNETES_POD_DNS_NDOTS_OVERRIDE_ENABLED is
false but KUBERNETES_POD_DNS_NDOTS was explicitly provided (i.e., differs from
its default) an issue is raised (or at minimum a startup warning logged); mirror
the pattern used for COMPUTE_SNAPSHOTS_ENABLED cross-validation (the same file's
existing check) and reference the KUBERNETES_POD_DNS_NDOTS_OVERRIDE_ENABLED and
KUBERNETES_POD_DNS_NDOTS symbols when implementing the check.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 2ec86861-d032-462f-a7d7-cfa3b0cd56aa

📥 Commits

Reviewing files that changed from the base of the PR and between 3446be7 and 7a9bb61.

📒 Files selected for processing (3)

• .server-changes/supervisor-pod-dns-ndots.md
• apps/supervisor/src/env.ts
• apps/supervisor/src/workloadManager/kubernetes.ts

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (28)

• GitHub Check: units / internal / 🧪 Unit Tests: Internal (6, 8)
• GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (1, 8)
• GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (4, 8)
• GitHub Check: units / internal / 🧪 Unit Tests: Internal (1, 8)
• GitHub Check: units / internal / 🧪 Unit Tests: Internal (7, 8)
• GitHub Check: units / internal / 🧪 Unit Tests: Internal (5, 8)
• GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (2, 8)
• GitHub Check: units / internal / 🧪 Unit Tests: Internal (2, 8)
• GitHub Check: units / internal / 🧪 Unit Tests: Internal (3, 8)
• GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (5, 8)
• GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (7, 8)
• GitHub Check: units / internal / 🧪 Unit Tests: Internal (8, 8)
• GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (8, 8)
• GitHub Check: units / internal / 🧪 Unit Tests: Internal (4, 8)
• GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (6, 8)
• GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (3, 8)
• GitHub Check: units / packages / 🧪 Unit Tests: Packages (1, 1)
• GitHub Check: e2e / 🧪 CLI v3 tests (ubuntu-latest - npm)
• GitHub Check: e2e / 🧪 CLI v3 tests (windows-latest - pnpm)
• GitHub Check: sdk-compat / Deno Runtime
• GitHub Check: sdk-compat / Bun Runtime
• GitHub Check: e2e / 🧪 CLI v3 tests (windows-latest - npm)
• GitHub Check: sdk-compat / Cloudflare Workers
• GitHub Check: sdk-compat / Node.js 20.20 (ubuntu-latest)
• GitHub Check: typecheck / typecheck
• GitHub Check: sdk-compat / Node.js 22.12 (ubuntu-latest)
• GitHub Check: e2e / 🧪 CLI v3 tests (ubuntu-latest - pnpm)
• GitHub Check: Analyze (javascript-typescript)

🧰 Additional context used

📓 Path-based instructions (7)

**/*.{ts,tsx}

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

**/*.{ts,tsx}: Use types over interfaces for TypeScript
Avoid using enums; prefer string unions or const objects instead

Files:

• apps/supervisor/src/workloadManager/kubernetes.ts
• apps/supervisor/src/env.ts

**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

Use function declarations instead of default exports

Add crumbs as you write code using // @Crumbs comments or `// `#region` `@crumbs blocks. These are temporary debug instrumentation and must be stripped using agentcrumbs strip before merge.

Files:

• apps/supervisor/src/workloadManager/kubernetes.ts
• apps/supervisor/src/env.ts

**/*.ts

📄 CodeRabbit inference engine (.cursor/rules/otel-metrics.mdc)

**/*.ts: When creating or editing OTEL metrics (counters, histograms, gauges), ensure metric attributes have low cardinality by using only enums, booleans, bounded error codes, or bounded shard IDs
Do not use high-cardinality attributes in OTEL metrics such as UUIDs/IDs (envId, userId, runId, projectId, organizationId), unbounded integers (itemCount, batchSize, retryCount), timestamps (createdAt, startTime), or free-form strings (errorMessage, taskName, queueName)
When exporting OTEL metrics via OTLP to Prometheus, be aware that the exporter automatically adds unit suffixes to metric names (e.g., 'my_duration_ms' becomes 'my_duration_ms_milliseconds', 'my_counter' becomes 'my_counter_total'). Account for these transformations when writing Grafana dashboards or Prometheus queries

Files:

• apps/supervisor/src/workloadManager/kubernetes.ts
• apps/supervisor/src/env.ts

**/*.{js,ts,jsx,tsx,json,md,yaml,yml}

📄 CodeRabbit inference engine (AGENTS.md)

Format code using Prettier before committing

Files:

• apps/supervisor/src/workloadManager/kubernetes.ts
• apps/supervisor/src/env.ts

apps/supervisor/src/workloadManager/**/*.{js,ts}

📄 CodeRabbit inference engine (apps/supervisor/CLAUDE.md)

Container orchestration abstraction (Docker or Kubernetes) should be implemented in src/workloadManager/

Files:

• apps/supervisor/src/workloadManager/kubernetes.ts

**/*.ts{,x}

📄 CodeRabbit inference engine (CLAUDE.md)

Always import from @trigger.dev/sdk when writing Trigger.dev tasks. Never use @trigger.dev/sdk/v3 or deprecated client.defineJob.

Files:

• apps/supervisor/src/workloadManager/kubernetes.ts
• apps/supervisor/src/env.ts

apps/supervisor/src/env.ts

📄 CodeRabbit inference engine (apps/supervisor/CLAUDE.md)

Environment configuration should be defined in src/env.ts

Files:

• apps/supervisor/src/env.ts

🧠 Learnings (5)

📚 Learning: 2026-03-02T12:42:47.652Z

Learnt from: CR
Repo: triggerdotdev/trigger.dev PR: 0
File: apps/supervisor/CLAUDE.md:0-0
Timestamp: 2026-03-02T12:42:47.652Z
Learning: Applies to apps/supervisor/src/workloadManager/**/*.{js,ts} : Container orchestration abstraction (Docker or Kubernetes) should be implemented in `src/workloadManager/`

Applied to files:

• apps/supervisor/src/workloadManager/kubernetes.ts

📚 Learning: 2026-03-27T11:45:41.240Z

Learnt from: nicktrn
Repo: triggerdotdev/trigger.dev PR: 3114
File: apps/supervisor/src/workloadServer/index.ts:832-840
Timestamp: 2026-03-27T11:45:41.240Z
Learning: In `apps/supervisor/src/workloadManager/compute.ts` and the supervisor restore flow, `TRIGGER_METADATA_URL` does not need to be re-injected on VM restore because it is baked into the instance environment at creation time and the environment is preserved through snapshot/restore. The Kubernetes restore path follows the same pattern. Do not flag the absence of `TRIGGER_METADATA_URL` re-injection on restore as a bug.

Applied to files:

• apps/supervisor/src/workloadManager/kubernetes.ts

📚 Learning: 2026-03-22T13:26:12.060Z

Learnt from: ericallam
Repo: triggerdotdev/trigger.dev PR: 3244
File: apps/webapp/app/components/code/TextEditor.tsx:81-86
Timestamp: 2026-03-22T13:26:12.060Z
Learning: In the triggerdotdev/trigger.dev codebase, do not flag `navigator.clipboard.writeText(...)` calls for `missing-await`/`unhandled-promise` issues. These clipboard writes are intentionally invoked without `await` and without `catch` handlers across the project; keep that behavior consistent when reviewing TypeScript/TSX files (e.g., usages like in `apps/webapp/app/components/code/TextEditor.tsx`).

Applied to files:

• apps/supervisor/src/workloadManager/kubernetes.ts
• apps/supervisor/src/env.ts

📚 Learning: 2026-03-22T19:24:14.403Z

Learnt from: matt-aitken
Repo: triggerdotdev/trigger.dev PR: 3187
File: apps/webapp/app/v3/services/alerts/deliverErrorGroupAlert.server.ts:200-204
Timestamp: 2026-03-22T19:24:14.403Z
Learning: In the triggerdotdev/trigger.dev codebase, webhook URLs are not expected to contain embedded credentials/secrets (e.g., fields like `ProjectAlertWebhookProperties` should only hold credential-free webhook endpoints). During code review, if you see logging or inclusion of raw webhook URLs in error messages, do not automatically treat it as a credential-leak/secrets-in-logs issue by default—first verify the URL does not contain embedded credentials (for example, no username/password in the URL, no obvious secret/token query params or fragments). If the URL is credential-free per this project’s conventions, allow the logging.

Applied to files:

• apps/supervisor/src/workloadManager/kubernetes.ts
• apps/supervisor/src/env.ts

📚 Learning: 2026-03-02T12:42:47.652Z

Learnt from: CR
Repo: triggerdotdev/trigger.dev PR: 0
File: apps/supervisor/CLAUDE.md:0-0
Timestamp: 2026-03-02T12:42:47.652Z
Learning: Applies to apps/supervisor/src/env.ts : Environment configuration should be defined in `src/env.ts`

Applied to files:

• apps/supervisor/src/env.ts

🔇 Additional comments (4)

apps/supervisor/src/env.ts (2)

125-133: LGTM — sensible defaults and bounds for the ndots override.

• min(1).max(15) aligns with glibc's RES_MAXNDOTS=15, and excluding 0 is a reasonable guardrail (ndots:0 disables the search list entirely).
• Default 2 preserves cross-namespace service resolution: a name like svc.ns (1 dot) still goes through the search list and matches svc.ns.svc.cluster.local.
• The override is opt-in via KUBERNETES_POD_DNS_NDOTS_OVERRIDE_ENABLED (default false), so the change is backward compatible.
• Doc comment accurately describes the behavioral tradeoffs and pairs well with .server-changes/supervisor-pod-dns-ndots.md.

---

202-204: Cosmetic reformat — no semantic change.

The resulting error message string is identical to the previous join(", ") form.

apps/supervisor/src/workloadManager/kubernetes.ts (1)

324-330: LGTM — correct conditional dnsConfig injection.

• Shape matches k8s.V1PodSpec.dnsConfig with options: V1PodDNSConfigOption[] (the value field is a string, and the template literal ${env.KUBERNETES_POD_DNS_NDOTS} produces one).
• dnsPolicy is intentionally left unset, so it stays ClusterFirst; per Kubernetes semantics, dnsConfig.options merges with the base resolv.conf and same-name options are overridden, so the pod-level ndots correctly takes precedence over the cluster default.
• Conditional spread keeps the generated spec unchanged when the flag is off — zero behavioral impact for existing deployments.

.server-changes/supervisor-pod-dns-ndots.md (1)

1-9: LGTM — docs accurately describe the feature.

Flag name, default value (2), configurability via KUBERNETES_POD_DNS_NDOTS, and the search-list-expansion rationale all match the implementation in env.ts and kubernetes.ts. The callout about code paths relying on search-list expansion for longer names is a useful operator warning.