Add retries to calls to the k8s api

[murphpdx]

Summary

Wraps the k8s API clients (CoreV1Api, BatchV1Api, AuthorizationV1Api) in a retry Proxy that handles transient apiserver failures:

• Retries on HTTP 408/429/500/502/503/504 and network errors (ECONNREFUSED, ECONNRESET, ETIMEDOUT, ENETUNREACH, EAI_AGAIN, ENOTFOUND) with exponential backoff + jitter, capped at 4 attempts total. Honors Retry-After on 429 (capped at 30s).
• Makes create/delete helpers idempotent: createPod, createJob, createDockerSecret, and createSecretForEnvs handle 409 by reading back the existing resource; deletePod and deleteSecret swallow 404. Covers the lost-response-after-success case the retry wrapper can itself produce.

Why

Under load we see intermittent ECONNRESET / 503 against the kube apiserver during prepareJob, which currently fail the entire workflow. With this change those fail-fast on transient errors become short retry loops. No change to success-path behavior.

Test plan

• Unit tests: 34 new tests in tests/k8s-retry-test.ts for isRetryableError (status codes, network codes via cause chain, precedence, edge inputs) and retryAfterDelay (header formats, 30s cap, fallbacks). npx jest tests/k8s-retry-test.ts passes.
• Existing constants-test.ts and k8s-utils-test.ts still pass.
• npm run build clean; npx tsc --noEmit clean.
• Cluster test: deploy to a test runner and run workflow.

Known limitations

The createPod 409 handler returns the existing pod unconditionally. In ARC, the pod name is derived from the ephemeral runner pod name, so a stale pod with a mismatched spec is unlikely — 409 is almost always the lost-response case. If the operational signal shows otherwise, we'll add an ownership-label check as a follow-up.

[Copilot]

Pull request overview

Adds a generic retry layer in front of the Kubernetes client APIs (CoreV1Api, BatchV1Api, AuthorizationV1Api) to absorb transient apiserver/network failures, plus idempotency handling on the affected create/delete helpers so a retry that lands after a successful first call doesn't surface as a hard error.

Changes:

• New withRetryClient Proxy that retries on a fixed allow-list of HTTP statuses (408/429/500/502/503/504) and network error codes via the cause chain, with exponential backoff + jitter and Retry-After honored (capped at 30s) for 429.
• createJobPod, createContainerStepPod, createDockerSecret, and createSecretForEnvs now treat 409 as success (reading back the existing object where applicable); deletePod and deleteSecret swallow 404.
• New unit tests for isRetryableError and retryAfterDelay covering status codes, cause-chain traversal, and Retry-After parsing edge cases.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.

File	Description
packages/k8s/src/k8s/index.ts	Adds retry constants, isRetryableError / retryAfterDelay / describeError helpers, the withRetryClient Proxy, and 409/404 handling on the four create + two delete helpers.
packages/k8s/tests/k8s-retry-test.ts	New Jest suite exercising isRetryableError (status codes, network codes, cause chain, edge inputs) and retryAfterDelay (header casing, missing/invalid/zero/negative values, 30s cap).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[murphpdx]

Fixed, the code no longer swallows the 409. replaceNamespacedSecret/patch is not a viable fallback here, because the secret is created with immutable = true (line 824). The code comment at 794–795 calls this out. So read-back-and-compare was the correct of the two options offered. If a mismatch is found an error is thrown.