fix tollkeeper refresh flow from cursor review

paulbalaji · paulbalaji · commit e87ab461949c · 2026-04-22T15:34:20.000+01:00
- Pod refresh: Deployment pods get new random suffixes on delete, so the
  name-based poll in refreshK8sResources times out. Restart via
  `kubectl rollout restart` + `rollout status` instead.
- includesChain: `-o jsonpath='{.data}'` renders a Go map (`map[K:V ...]`)
  and throws in JSON.parse. Query the specific RPC_URL_&lt;CHAIN&gt; key
  directly so jsonpath returns just its base64 value.
diff --git a/typescript/infra/src/tollkeeper/helm.ts b/typescript/infra/src/tollkeeper/helm.ts
@@ -29,14 +29,11 @@ export class TollkeeperHelmManager extends HelmManager {
     );
   }
 
-  // Tollkeeper is a Deployment (chart labels pods with `app=<release>`), so the
-  // base StatefulSet-only pod discovery returns nothing. Filter on ReplicaSet
-  // ownership to get Deployment-managed pods.
+  // Pod restarts go through `kubectl rollout restart` (see restartDeployment)
+  // rather than the shared pod-delete flow: Deployment pods get new names on
+  // delete, which breaks the name-based wait in refreshK8sResources.
   async getManagedK8sPods(): Promise<string[]> {
-    const [output] = await execCmd(
-      `kubectl get pods --selector=app=${this.helmReleaseName} -o jsonpath='{range .items[?(@.metadata.ownerReferences[0].kind=="ReplicaSet")]}{.metadata.name}{"\\n"}{end}' -n ${this.namespace}`,
-    );
-    return output.split('\n').filter(Boolean);
+    return [];
   }
 
   // The tollkeeper chart doesn't use the standard `app.kubernetes.io/instance`
@@ -52,13 +49,29 @@ export class TollkeeperHelmManager extends HelmManager {
     const secrets = await this.getExistingK8sSecrets();
     if (secrets.length === 0) return false;
 
+    // Query the specific RPC_URL_<CHAIN> key. `-o jsonpath='{.data}'` would
+    // render the map in Go format (`map[K:V ...]`), not JSON — parsing fails.
+    // Targeting the key directly returns its base64 value if present, else
+    // empty string.
+    const needle = `${RPC_ENV_PREFIX}${chain.toUpperCase().replaceAll('-', '_')}`;
     const [output] = await execCmd(
-      `kubectl get secret ${secrets[0]} -n ${this.namespace} --ignore-not-found -o jsonpath='{.data}'`,
+      `kubectl get secret ${secrets[0]} -n ${this.namespace} --ignore-not-found -o jsonpath='{.data.${needle}}'`,
     );
+    return output.trim().length > 0;
+  }
 
-    const needle = `${RPC_ENV_PREFIX}${chain.toUpperCase().replaceAll('-', '_')}`;
-    const keys = Object.keys(JSON.parse(output || '{}'));
-    return keys.includes(needle);
+  // Deployment-aware restart: rolls pods without name-based polling.
+  async restartDeployment(): Promise<void> {
+    console.log(
+      `🔄 Restarting deployment ${this.helmReleaseName} in ${this.namespace}...`,
+    );
+    await execCmd(
+      `kubectl rollout restart deployment/${this.helmReleaseName} -n ${this.namespace}`,
+    );
+    await execCmd(
+      `kubectl rollout status deployment/${this.helmReleaseName} -n ${this.namespace} --timeout=180s`,
+    );
+    console.log(`✅  ${this.helmReleaseName} rollout complete`);
   }
 
   static async getManagersForChain(
diff --git a/typescript/infra/src/utils/rpcUrls.ts b/typescript/infra/src/utils/rpcUrls.ts
@@ -297,15 +297,22 @@ async function refreshDependentK8sResourcesInteractive(
   const tollkeeperManagers = await selectTollkeeper(environment, chain);
   const cronjobManagers = await selectCronJobs(environment);
 
-  // Services get both secret and pod refresh
+  // StatefulSet-backed services: both secret and pod refresh through the
+  // shared (name-based) flow.
   const serviceManagers = [
     ...coreManagers,
     ...warpManagers,
     ...rebalancerManagers,
+  ];
+  // Tollkeeper gets secret refresh through the shared flow, but pod refresh
+  // via `kubectl rollout restart` — its Deployment pods get new names on
+  // delete, which would break name-based polling in refreshK8sResources.
+  // CronJobs only get secret refresh (pods pick up new secrets on next run).
+  const allManagersForSecrets = [
+    ...serviceManagers,
     ...tollkeeperManagers,
+    ...cronjobManagers,
   ];
-  // CronJobs only get secret refresh (they pick up new secrets on next scheduled run)
-  const allManagersForSecrets = [...serviceManagers, ...cronjobManagers];
 
   if (allManagersForSecrets.length > 0) {
     await refreshK8sResources(
@@ -321,6 +328,9 @@ async function refreshDependentK8sResourcesInteractive(
       environment,
     );
   }
+  for (const manager of tollkeeperManagers) {
+    await manager.restartDeployment();
+  }
 }
 
 async function selectCoreInfrastructure(
