Skip to main content
The following instructions will help you deploy Trigger.dev to Kubernetes using our official Helm chart. Make sure to read the self-hosting overview first. As self-hosted deployments tend to have unique requirements and configurations, we don’t provide specific advice for securing your deployment, scaling up, or improving reliability. Should the burden ever get too much, we’d be happy to see you on Trigger.dev cloud where we deal with these concerns for you. Warning: This guide alone is unlikely to result in a production-ready deployment. Security, scaling, and reliability concerns are not fully addressed here.

Requirements

Prerequisites

  • Kubernetes cluster 1.19+
  • Helm 3.8+
  • Kubectl with cluster access

Resources

The following are minimum requirements for running the entire stack on Kubernetes: Cluster resources:
  • 6+ vCPU total
  • 12+ GB RAM total
  • Persistent volume support
Individual components:
  • Webapp: 1 vCPU, 2 GB RAM
  • Supervisor: 1 vCPU, 1 GB RAM
  • PostgreSQL: 1 vCPU, 2 GB RAM
  • Redis: 0.5 vCPU, 1 GB RAM
  • ClickHouse: 1 vCPU, 2 GB RAM
  • Object Storage: 0.5 vCPU, 1 GB RAM
  • Workers: Depending on concurrency and machine preset
These requirements scale based on your task concurrency and can be adjusted via the resources section in your values.yaml. For example:

Installation

Quick start

  1. Install with default values (for testing only):
  1. Access the webapp:
  1. Open the dashboard: http://localhost:3040
  2. Login with the magic link:

Configuration

Most values map directly to the environment variables documented in the webapp and supervisor environment variable overview. Naming convention:
  • Environment variables use UPPER_SNAKE_CASE
  • Helm values use camelCase
Example mapping:

Default values

The following commands will display the default values:

Custom values

The default values are insecure and are only suitable for testing. You will need to configure your own secrets as a bare minimum. Create a values-custom.yaml file to override the defaults. For example:
Deploy with your custom values:

Extra env

You can set extra environment variables on all services. For example:

Extra annotations

You can set extra annotations on all services. For example:

External services

You can disable the built-in services and use external services instead. The chart supports both direct configuration and existing Kubernetes secrets for secure credential management.

PostgreSQL

Direct configuration:
Using existing secrets (recommended):

Redis

Direct configuration:
Using existing secrets (recommended):

ClickHouse

Direct configuration:
Using existing secrets (recommended):

S3 Object Storage

Direct configuration:
Using existing secrets (recommended):

PostgreSQL SSL with custom CA certificates

When connecting to PostgreSQL instances that require custom CA certificates (such as AWS RDS with SSL verification), you can mount the CA certificate as a volume and configure the webapp to use it:
Benefits:
  • No plaintext credentials in values.yaml or Helm releases
  • Complete DATABASE_URL stored securely in Kubernetes secrets
  • Compatible with secret management tools (External Secrets Operator, etc.)
  • Follows Kubernetes security best practices

DNS performance

For production clusters we recommend deploying NodeLocal DNSCache. DNS queries — especially to managed Postgres or Redis endpoints — can be very slow under Kubernetes’ default resolver, and a node-local cache typically gives a large step change in latency and throughput across the cluster. The default ndots: 5 setting also forces every cluster search domain to be tried before resolving hostnames with fewer dots (the case for most external database hosts). Lowering ndots to 1 on the webapp and supervisor pods avoids those extra round-trips.

Task events

By default, task events (timeline, logs, spans) are stored in PostgreSQL. For production deployments we recommend storing them in ClickHouse instead, it scales to much higher volumes and avoids unbounded growth of the TaskEvent table. ClickHouse is already deployed by the chart, so no extra services are required. To enable, set EVENT_REPOSITORY_DEFAULT_STORE on the webapp via extraEnvVars:
This only affects new runs; existing runs continue to read from wherever their events were originally stored.

Realtime streams

Realtime streams power AI-agent token streaming and run streams. They default to v2, backed by the bundled s2 deployment — s2-lite, the open-source, self-hostable S2 server. The chart deploys it with a persistent volume, so no extra services are required. To fall back to the Redis-backed v1 streams, set the default version to v1:
To use a hosted S2 at s2.dev instead of the bundled s2-lite, disable the bundled deployment and point at your basin. Supply the access token via an existing secret:
To disable realtime streams v2 entirely and use v1, set s2.deploy: false with no external endpoint. See helm show values for all s2 options.

Worker token

When using the default bootstrap configuration, worker creation and authentication is handled automatically. The webapp generates a worker token and makes it available to the supervisor via a shared volume.

Bootstrap (default)

Manual

If you need to set up workers separately or use a custom token:
  1. Get the worker token from the webapp logs:
  1. Create a secret with the token:
  1. Configure the supervisor to use the secret:

Registry setup

See the Docker registry setup for conceptual information. The configuration is specified in your values.yaml:
The internal registry (registry.external: false) is experimental and requires proper TLS setup and additional cluster configuration. Use an external registry for production.

Object storage

See the Docker object storage setup for conceptual information. The defaults will use built-in MinIO, but you can use an external S3-compatible storage. The configuration is specified in your values.yaml:

Authentication

Authentication options are identical to the Docker-based installation. The configuration is specified in your values.yaml: GitHub OAuth:
Email authentication (Resend):
Restricting access:

Version locking

Trigger.dev 4.5.0 is the last version we officially support for running v3 (SDK v3) tasks. If you still have v3 tasks, pin to exactly 4.5.0 or migrate to v4. 4.5.1 and later reject v3 triggers and deploys with an upgrade message.
You can lock versions in two ways: Helm chart version (recommended):
Specific image tags:
The chart version’s appVersion field determines the default image tags. Newer image tags may be incompatible with older chart versions and vice versa.

Troubleshooting

Check logs:
Check pod status:
Start from scratch:
Common issues:
  • Magic links not working: Check webapp logs for email delivery errors
  • Deploy fails: Verify registry access and authentication
  • Pods stuck pending: Describe the pod and check the events
  • Worker token issues: Check webapp and supervisor logs for errors
See the Docker troubleshooting section for more information.

CLI usage

See the Docker CLI usage section, the commands are identical regardless of deployment method.

CI / GitHub Actions

When running the CLI in a CI environment, your login profiles won’t be available. Instead, you can use the TRIGGER_API_URL and TRIGGER_ACCESS_TOKEN environment variables to point at your self-hosted instance and authenticate. For more detailed instructions, see the GitHub Actions guide.

Telemetry

By default, the Trigger.dev webapp sends telemetry data to our servers. This data is used to improve the product and is not shared with third parties. To disable telemetry, set in your values.yaml: