hyperlane-xyz · paulbalaji · Jan 28, 2026 · Jan 7, 2026 · Jan 28, 2026 · Jan 28, 2026
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
@@ -1,10 +1,24 @@
-export const DockerImageRepos = {
-  AGENT: 'gcr.io/abacus-labs-dev/hyperlane-agent',
-  MONOREPO: 'gcr.io/abacus-labs-dev/hyperlane-monorepo',
-  WARP_MONITOR: 'gcr.io/abacus-labs-dev/hyperlane-warp-monitor',
-  REBALANCER: 'gcr.io/abacus-labs-dev/hyperlane-rebalancer',
+const GCR_REGISTRY = 'gcr.io/abacus-labs-dev';
+
+export const DockerImageNames = {
+  AGENT: 'hyperlane-agent',
+  MONOREPO: 'hyperlane-monorepo',
+  KEY_FUNDER: 'hyperlane-key-funder',
+  WARP_MONITOR: 'hyperlane-warp-monitor',
+  REBALANCER: 'hyperlane-rebalancer',
 } as const;
 
+type DockerImageReposType = {
+  [K in keyof typeof DockerImageNames]: `${typeof GCR_REGISTRY}/${(typeof DockerImageNames)[K]}`;
+};
+
+export const DockerImageRepos = Object.fromEntries(
+  Object.entries(DockerImageNames).map(([key, name]) => [
+    key,
+    `${GCR_REGISTRY}/${name}`,
+  ]),
+) as DockerImageReposType;
+
 interface AgentDockerTags {
   relayer: string;
   relayerRC: string;

@@ -36,7 +36,7 @@ export const keyFunderConfig: KeyFunderConfig<
   typeof mainnet3SupportedChainNames
 > = {
   docker: {
-    repo: DockerImageRepos.MONOREPO,
+    repo: DockerImageRepos.KEY_FUNDER,
     tag: mainnetDockerTags.keyFunder,
   },
   // We're currently using the same deployer/key funder key as mainnet2.

@@ -10,7 +10,7 @@ export const keyFunderConfig: KeyFunderConfig<
   typeof testnet4SupportedChainNames
 > = {
   docker: {
-    repo: DockerImageRepos.MONOREPO,
+    repo: DockerImageRepos.KEY_FUNDER,
     tag: testnetDockerTags.keyFunder,
   },
   // We're currently using the same deployer key as testnet2.

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: key-funder-config
+  labels:
+    {{- include "hyperlane.labels" . | nindent 4 }}
+data:
+  keyfunder.yaml: |
+{{ .Values.hyperlane.keyfunderConfig | indent 4 }}
@@ -10,7 +10,7 @@ spec:
   jobTemplate:
     spec:
       backoffLimit: 0
-      activeDeadlineSeconds: 14400 # 60 * 60 * 4 seconds = 4 hours
+      activeDeadlineSeconds: 14400
       template:
         metadata:
           labels:
@@ -21,52 +21,33 @@ spec:
           - name: key-funder
             image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
             imagePullPolicy: IfNotPresent
-            command:
-            - pnpm
-            - exec
-            - tsx
-            - ./typescript/infra/scripts/funding/fund-keys-from-deployer.ts
-            - -e
-            - {{ .Values.hyperlane.runEnv }}
-            - --context
-            - {{ .Values.hyperlane.contextFundingFrom }}
-{{- range $context, $roles := .Values.hyperlane.contextsAndRolesToFund }}
-            - --contexts-and-roles
-            - {{ $context }}={{ join "," $roles }}
-{{- end }}
-{{- range $chain, $balance := .Values.hyperlane.desiredBalancePerChain }}
-            - --desired-balance-per-chain
-            - {{ $chain }}={{ $balance }}
-{{- end }}
-{{- range $chain, $balance := .Values.hyperlane.desiredKathyBalancePerChain }}
-            - --desired-kathy-balance-per-chain
-            - {{ $chain }}={{ $balance }}
-{{- end }}
-{{- range $chain, $balance := .Values.hyperlane.desiredRebalancerBalancePerChain }}
-            - --desired-rebalancer-balance-per-chain
-            - {{ $chain }}={{ $balance }}
-{{- end }}
-{{- range $chain, $balance := .Values.hyperlane.igpClaimThresholdPerChain }}
-            - --igp-claim-threshold-per-chain
-            - {{ $chain }}={{ $balance }}
-{{- end }}
-{{- if .Values.hyperlane.chainsToSkip }}
-            - --chain-skip-override
-{{- range $index, $chain := .Values.hyperlane.chainsToSkip }}
-            - {{ $chain }}
-{{- end }}
-{{- end }}
             env:
+            - name: LOG_FORMAT
+              value: json
+            - name: LOG_LEVEL
+              value: info
+            - name: KEYFUNDER_CONFIG_FILE
+              value: /config/keyfunder.yaml
+            {{- if .Values.hyperlane.registryUri }}
+            - name: REGISTRY_URI
+              value: {{ .Values.hyperlane.registryUri }}
+            {{- end }}
+            {{- if .Values.hyperlane.skipIgpClaim }}
+            - name: SKIP_IGP_CLAIM
+              value: "true"
+            {{- end }}
+            {{- if .Values.hyperlane.prometheusPushGateway }}
             - name: PROMETHEUS_PUSH_GATEWAY
-              value: {{ .Values.infra.prometheusPushGateway }}
+              value: {{ .Values.hyperlane.prometheusPushGateway }}
+            {{- end }}
             envFrom:
             - secretRef:
                 name: key-funder-env-var-secret
             volumeMounts:
-            - name: key-funder-addresses-secret
-              mountPath: /addresses-secret
+            - name: config
+              mountPath: /config
+              readOnly: true
           volumes:
-          - name: key-funder-addresses-secret
-            secret:
-              secretName: key-funder-addresses-secret
-              defaultMode: 0400
+          - name: config
+            configMap:
+              name: key-funder-config
@@ -9,7 +9,6 @@ spec:
     name: {{ include "hyperlane.cluster-secret-store.name" . }}
     kind: ClusterSecretStore
   refreshInterval: "1h"
-  # The secret that will be created
   target:
     name: key-funder-env-var-secret
     template:
@@ -20,24 +19,14 @@ spec:
         annotations:
           update-on-redeploy: "{{ now }}"
       data:
-        GCP_SECRET_OVERRIDES_ENABLED: "true"
-        GCP_SECRET_OVERRIDE_HYPERLANE_{{ .Values.hyperlane.runEnv | upper }}_KEY_DEPLOYER: {{ print "'{{ .deployer_key | toString }}'" }}
-{{/*
-   * For each network, create an environment variable with the RPC endpoint.
-   * The templating of external-secrets will use the data section below to know how
-   * to replace the correct value in the created secret.
-   */}}
+        HYP_KEY: {{ print "'{{ $json := .funder_key | fromJson }}{{ $json.privateKey }}'" }}
         {{- range .Values.hyperlane.chains }}
-        GCP_SECRET_OVERRIDE_{{ $.Values.hyperlane.runEnv | upper }}_RPC_ENDPOINTS_{{ . | upper }}: {{ printf "'{{ .%s_rpcs | toString }}'" . }}
+        RPC_URL_{{ . | upper | replace "-" "_" }}: {{ printf "'{{ index (.%s_rpcs | fromJson) 0 }}'" . }}
         {{- end }}
   data:
-  - secretKey: deployer_key
+  - secretKey: funder_key
     remoteRef:
       key: {{ printf "hyperlane-%s-key-deployer" .Values.hyperlane.runEnv }}
-{{/*
-   * For each network, load the secret in GCP secret manager with the form: environment-rpc-endpoint-network,
-   * and associate it with the secret key networkname_rpc.
-   */}}
   {{- range .Values.hyperlane.chains }}
   - secretKey: {{ printf "%s_rpcs" . }}
     remoteRef:

@@ -1,18 +1,16 @@
 image:
-  repository: gcr.io/hyperlane-labs-dev/hyperlane-monorepo
-  tag:
+  repository: gcr.io/abacus-labs-dev/hyperlane-key-funder
+  tag: latest
 hyperlane:
-  runEnv: testnet2
-  # Used for fetching secrets
+  runEnv: testnet4
   chains: []
   chainsToSkip: []
-  contextFundingFrom: hyperlane
-  # key = context, value = array of roles to fund
-  contextsAndRolesToFund:
-    hyperlane:
-      - relayer
+  registryUri: ''
+  keyfunderConfig: ''
+  skipIgpClaim: false
+  prometheusPushGateway: ''
 cronjob:
-  schedule: '*/10 * * * *' # Every 10 minutes
+  schedule: '*/10 * * * *'
   successfulJobsHistoryLimit: 6
   failedJobsHistoryLimit: 10
 externalSecrets:

@@ -18,6 +18,7 @@
     "@hyperlane-xyz/core": "workspace:*",
     "@hyperlane-xyz/helloworld": "workspace:*",
     "@hyperlane-xyz/http-registry-server": "workspace:*",
+    "@hyperlane-xyz/keyfunder": "workspace:*",
     "@hyperlane-xyz/metrics": "workspace:*",
     "@hyperlane-xyz/rebalancer": "workspace:*",
     "@hyperlane-xyz/registry": "catalog:",

@@ -1,12 +1,22 @@
+import { confirm, input } from '@inquirer/prompts';
 import chalk from 'chalk';
+import { readFileSync } from 'fs';
+import { join } from 'path';
 
 import { Contexts } from '../../config/contexts.js';
 import { KeyFunderHelmManager } from '../../src/funding/key-funder.js';
-import { checkMonorepoImageExists } from '../../src/utils/gcloud.js';
+import { checkKeyfunderImageExists } from '../../src/utils/gcloud.js';
+import { validateRegistryCommit } from '../../src/utils/git.js';
 import { HelmCommand } from '../../src/utils/helm.js';
+import { getMonorepoRoot } from '../../src/utils/utils.js';
 import { assertCorrectKubeContext } from '../agent-utils.js';
 import { getConfigsBasedOnArgs } from '../core-utils.js';
 
+function readRegistryRc(): string {
+  const registryRcPath = join(getMonorepoRoot(), '.registryrc');
+  return readFileSync(registryRcPath, 'utf-8').trim();
+}
+
 async function main() {
   const { agentConfig, envConfig, environment } = await getConfigsBasedOnArgs();
   if (agentConfig.context != Contexts.Hyperlane)
@@ -17,22 +27,44 @@ async function main() {
   await assertCorrectKubeContext(envConfig);
 
   if (envConfig.keyFunderConfig?.docker.tag) {
-    const exists = await checkMonorepoImageExists(
-      envConfig.keyFunderConfig.docker.tag,
-    );
+    const tag = envConfig.keyFunderConfig.docker.tag;
+    const exists = await checkKeyfunderImageExists(tag);
     if (!exists) {
       console.log(
         chalk.red(
-          `Attempted to deploy key funder with image tag ${chalk.bold(
-            envConfig.keyFunderConfig.docker.tag,
-          )}, but it has not been published to GCR.`,
+          `Attempted to deploy key funder with image tag ${chalk.bold(tag)}, but it has not been published to GCR.`,
         ),
       );
       process.exit(1);
     }
   }
 
-  const manager = KeyFunderHelmManager.forEnvironment(environment);
+  const defaultRegistryCommit = readRegistryRc();
+  console.log(
+    chalk.gray(
+      `Using registry commit from .registryrc: ${defaultRegistryCommit}`,
+    ),
+  );
+
+  const shouldOverride = await confirm({
+    message: 'Do you want to override the registry version?',
+    default: false,
+  });
+
+  let registryCommit = defaultRegistryCommit;
+  if (shouldOverride) {
+    registryCommit = await input({
+      message:
+        'Enter the registry version to use (can be a commit, branch or tag):',
+    });
+  }
+
+  await validateRegistryCommit(registryCommit);
+
+  const manager = KeyFunderHelmManager.forEnvironment(
+    environment,
+    registryCommit,
+  );
   await manager.runHelmCommand(HelmCommand.InstallOrUpgrade);
 }