feat(helm): support external artifact sourcing

Author: roderik

README.md

@@ -6,6 +6,96 @@ Generate node identities, configure consensus, and emit a Besu genesis.
 
 The helm chart to run this on Kubernetes / OpenShift can be found [here](./charts/network-bootstrapper/README.md)
 
+### Deployment modes
+
+Two deployment paths are supported: fully auto-generated artefacts or supplying your own genesis/static peers while sourcing node keys from an external secret store such as Conjur.
+
+#### Auto-generated artefacts (bootstrapper job)
+
+```bash
+cat <<'EOF' > values-generated.yaml
+network-bootstrapper:
+  artifacts:
+    source: generated
+  settings:
+    validators: 4
+
+network-nodes:
+  global:
+    validatorReplicaCount: 4
+EOF
+
+helm upgrade --install besu-network ./charts/network \
+  --namespace besu \
+  --create-namespace \
+  --values values-generated.yaml
+```
+
+The bootstrapper Job generates the genesis file, static-nodes list, validator keys, and faucet account and publishes them as ConfigMaps/Secrets consumed by the Besu StatefulSets.
+
+#### External genesis/static peers with Conjur-managed keys
+
+Genesis and static peer data can be committed to version control while validator and faucet private keys are injected at deployment time. The chart expects the validator count in `artifacts.external.validators` to match `global.validatorReplicaCount`.
+
+Create a Summon manifest describing the Conjur variables and a templated values file that references the injected environment variables:
+
+```bash
+cat <<'EOF' > conjur.env.yml
+BESU_NODE_VALIDATOR_0_PRIVATE_KEY: !var production/besu/validator0/private-key
+BESU_NODE_VALIDATOR_1_PRIVATE_KEY: !var production/besu/validator1/private-key
+BESU_FAUCET_PRIVATE_KEY: !var production/besu/faucet/private-key
+EOF
+
+cat <<'EOF' > values-external.tpl.yaml
+network-bootstrapper:
+  artifacts:
+    source: external
+    external:
+      genesis:
+        config:
+          chainId: 12345
+        alloc:
+          "0xfund":
+            balance: "0x56bc75e2d63100000"
+        extraData: "0x"
+      staticNodes:
+        - enode://node1@validator-0.besu.svc.cluster.local:30303
+        - enode://node2@validator-1.besu.svc.cluster.local:30303
+      validators:
+        - address: "0x111"
+          publicKey: "0x222"
+          privateKey: "${BESU_NODE_VALIDATOR_0_PRIVATE_KEY}"
+          enode: enode://validator1@validator-0.besu.svc.cluster.local:30303
+        - address: "0x333"
+          publicKey: "0x444"
+          privateKey: "${BESU_NODE_VALIDATOR_1_PRIVATE_KEY}"
+          enode: enode://validator2@validator-1.besu.svc.cluster.local:30303
+      faucet:
+        address: "0xfaucet"
+        publicKey: "0xfaucetpub"
+        privateKey: "${BESU_FAUCET_PRIVATE_KEY}"
+
+  global:
+    validatorReplicaCount: 2
+
+network-nodes:
+  validatorReplicaCount:
+  global:
+    validatorReplicaCount: 2
+EOF
+
+summon -f conjur.env.yml envsubst < values-external.tpl.yaml > values-external.yaml
+
+helm upgrade --install besu-network ./charts/network \
+  --namespace besu \
+  --create-namespace \
+  --values values-external.yaml
+
+rm values-external.yaml
+```
+
+Summon resolves the secrets in memory, `envsubst` renders them into a transient values file, and Helm creates the ConfigMaps/Secrets required by the Besu nodes. The temporary file is removed once the release is installed.
+
 ## CLI usage
 
 ```

README.tpl

@@ -6,4 +6,94 @@ Generate node identities, configure consensus, and emit a Besu genesis.
 
 The helm chart to run this on Kubernetes / OpenShift can be found [here](./charts/network-bootstrapper/README.md)
 
+### Deployment modes
+
+Two deployment paths are supported: fully auto-generated artefacts or supplying your own genesis/static peers while sourcing node keys from an external secret store such as Conjur.
+
+#### Auto-generated artefacts (bootstrapper job)
+
+```bash
+cat <<'EOF' > values-generated.yaml
+network-bootstrapper:
+  artifacts:
+    source: generated
+  settings:
+    validators: 4
+
+network-nodes:
+  global:
+    validatorReplicaCount: 4
+EOF
+
+helm upgrade --install besu-network ./charts/network \
+  --namespace besu \
+  --create-namespace \
+  --values values-generated.yaml
+```
+
+The bootstrapper Job generates the genesis file, static-nodes list, validator keys, and faucet account and publishes them as ConfigMaps/Secrets consumed by the Besu StatefulSets.
+
+#### External genesis/static peers with Conjur-managed keys
+
+Genesis and static peer data can be committed to version control while validator and faucet private keys are injected at deployment time. The chart expects the validator count in `artifacts.external.validators` to match `global.validatorReplicaCount`.
+
+Create a Summon manifest describing the Conjur variables and a templated values file that references the injected environment variables:
+
+```bash
+cat <<'EOF' > conjur.env.yml
+BESU_NODE_VALIDATOR_0_PRIVATE_KEY: !var production/besu/validator0/private-key
+BESU_NODE_VALIDATOR_1_PRIVATE_KEY: !var production/besu/validator1/private-key
+BESU_FAUCET_PRIVATE_KEY: !var production/besu/faucet/private-key
+EOF
+
+cat <<'EOF' > values-external.tpl.yaml
+network-bootstrapper:
+  artifacts:
+    source: external
+    external:
+      genesis:
+        config:
+          chainId: 12345
+        alloc:
+          "0xfund":
+            balance: "0x56bc75e2d63100000"
+        extraData: "0x"
+      staticNodes:
+        - enode://node1@validator-0.besu.svc.cluster.local:30303
+        - enode://node2@validator-1.besu.svc.cluster.local:30303
+      validators:
+        - address: "0x111"
+          publicKey: "0x222"
+          privateKey: "${BESU_NODE_VALIDATOR_0_PRIVATE_KEY}"
+          enode: enode://validator1@validator-0.besu.svc.cluster.local:30303
+        - address: "0x333"
+          publicKey: "0x444"
+          privateKey: "${BESU_NODE_VALIDATOR_1_PRIVATE_KEY}"
+          enode: enode://validator2@validator-1.besu.svc.cluster.local:30303
+      faucet:
+        address: "0xfaucet"
+        publicKey: "0xfaucetpub"
+        privateKey: "${BESU_FAUCET_PRIVATE_KEY}"
+
+  global:
+    validatorReplicaCount: 2
+
+network-nodes:
+  validatorReplicaCount:
+  global:
+    validatorReplicaCount: 2
+EOF
+
+summon -f conjur.env.yml envsubst < values-external.tpl.yaml > values-external.yaml
+
+helm upgrade --install besu-network ./charts/network \
+  --namespace besu \
+  --create-namespace \
+  --values values-external.yaml
+
+rm values-external.yaml
+```
+
+Summon resolves the secrets in memory, `envsubst` renders them into a transient values file, and Helm creates the ConfigMaps/Secrets required by the Besu nodes. The temporary file is removed once the release is installed.
+
 ## CLI usage

charts/network/charts/network-bootstrapper/README.md

@@ -15,6 +15,13 @@ A Helm chart for Kubernetes
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` |  |
+| artifacts.external.faucet.address | string | `""` | Faucet account address stored in the `besu-faucet-address` ConfigMap when `source` equals `external`. |
+| artifacts.external.faucet.privateKey | string | `""` | Faucet private key stored in the `besu-faucet-private-key` Secret when `source` equals `external`. |
+| artifacts.external.faucet.publicKey | string | `""` | Faucet account public key stored in the `besu-faucet-pubkey` ConfigMap when `source` equals `external`. |
+| artifacts.external.genesis | object | `{}` | Besu genesis document rendered into the `besu-genesis` ConfigMap when `source` equals `external`. |
+| artifacts.external.staticNodes | list | `[]` | Collection of enode URIs persisted to the `besu-static-nodes` ConfigMap when `source` equals `external`. |
+| artifacts.external.validators | list | `[]` | Validator node definitions providing the data expected by the nodes chart. Each entry must include `address`, `publicKey`, `privateKey`, and `enode`. |
+| artifacts.source | string | `"generated"` | Determines how Besu network artifacts are populated. Use `generated` to run the job or `external` to supply values manually. |
 | fullnameOverride | string | `"bootstrapper"` | Override for the fully qualified resource name generated by helpers. |
 | image.pullPolicy | string | `"IfNotPresent"` | Image pull policy controlling when Kubernetes fetches updated image layers. |
 | image.repository | string | `"ghcr.io/settlemint/network-bootstrapper"` | OCI registry path hosting the network bootstrapper image. |

charts/network/charts/network-bootstrapper/templates/external-artifacts.yaml

@@ -0,0 +1,123 @@
+{{- $artifactSource := default "generated" .Values.artifacts.source -}}
+{{- if eq $artifactSource "external" }}
+{{- $root := . -}}
+{{- $external := .Values.artifacts.external | default (dict) -}}
+{{- $genesis := get $external "genesis" -}}
+{{- $staticNodes := get $external "staticNodes" -}}
+{{- $validators := get $external "validators" -}}
+{{- $faucet := get $external "faucet" -}}
+{{- $validatorCount := len $validators -}}
+{{- if not $genesis }}{{ fail "artifacts.external.genesis must be provided when artifacts.source is 'external'." }}{{- end }}
+{{- if not $staticNodes }}{{ fail "artifacts.external.staticNodes must include at least one enode when artifacts.source is 'external'." }}{{- end }}
+{{- if not $validators }}{{ fail "artifacts.external.validators must include at least one entry when artifacts.source is 'external'." }}{{- end }}
+{{- if not ($faucet.address) }}{{ fail "artifacts.external.faucet.address must be set when artifacts.source is 'external'." }}{{- end }}
+{{- if not ($faucet.publicKey) }}{{ fail "artifacts.external.faucet.publicKey must be set when artifacts.source is 'external'." }}{{- end }}
+{{- if not ($faucet.privateKey) }}{{ fail "artifacts.external.faucet.privateKey must be set when artifacts.source is 'external'." }}{{- end }}
+{{- $globalValues := default (dict) .Values.global -}}
+{{- $globalReplicaCount := -1 -}}
+{{- if and (kindIs "map" $globalValues) (hasKey $globalValues "network") -}}
+  {{- $networkGlobal := index $globalValues "network" -}}
+  {{- if and (kindIs "map" $networkGlobal) (hasKey $networkGlobal "validatorReplicaCount") -}}
+    {{- $globalReplicaCount = (index $networkGlobal "validatorReplicaCount" | int) -}}
+  {{- end -}}
+{{- end -}}
+{{- if and (eq $globalReplicaCount -1) (kindIs "map" $globalValues) (hasKey $globalValues "validatorReplicaCount") -}}
+  {{- $globalReplicaCount = (index $globalValues "validatorReplicaCount" | int) -}}
+{{- end -}}
+{{- if eq $globalReplicaCount -1 -}}
+  {{- fail (printf "artifacts.external.validators has %d entries. Set global.validatorReplicaCount (or global.network.validatorReplicaCount) to this value and align network-nodes.validatorReplicaCount." $validatorCount) -}}
+{{- end -}}
+{{- if ne $globalReplicaCount $validatorCount -}}
+  {{- fail (printf "artifacts.external.validators has %d entries but the configured validator replica count is %d. Update global.validatorReplicaCount (or global.network.validatorReplicaCount) and network-nodes.validatorReplicaCount to match." $validatorCount $globalReplicaCount) -}}
+{{- end -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: besu-genesis
+  labels:
+    {{- include "network-bootstrapper.labels" . | nindent 4 }}
+data:
+  genesis.json: |-
+{{ toPrettyJson $genesis | indent 4 }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: besu-static-nodes
+  labels:
+    {{- include "network-bootstrapper.labels" . | nindent 4 }}
+data:
+  static-nodes.json: |-
+{{ toPrettyJson $staticNodes | indent 4 }}
+{{- range $index, $validator := $validators }}
+{{- $requiredAddress := required (printf "artifacts.external.validators[%d].address must be set." $index) $validator.address }}
+{{- $requiredPublicKey := required (printf "artifacts.external.validators[%d].publicKey must be set." $index) $validator.publicKey }}
+{{- $requiredPrivateKey := required (printf "artifacts.external.validators[%d].privateKey must be set." $index) $validator.privateKey }}
+{{- $requiredEnode := required (printf "artifacts.external.validators[%d].enode must be set." $index) $validator.enode }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ printf "besu-node-validator-%d-address" $index }}
+  labels:
+    {{- include "network-bootstrapper.labels" $root | nindent 4 }}
+data:
+  address: {{ $requiredAddress | quote }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ printf "besu-node-validator-%d-enode" $index }}
+  labels:
+    {{- include "network-bootstrapper.labels" $root | nindent 4 }}
+data:
+  enode: {{ $requiredEnode | quote }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ printf "besu-node-validator-%d-pubkey" $index }}
+  labels:
+    {{- include "network-bootstrapper.labels" $root | nindent 4 }}
+data:
+  publicKey: {{ $requiredPublicKey | quote }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ printf "besu-node-validator-%d-private-key" $index }}
+  labels:
+    {{- include "network-bootstrapper.labels" $root | nindent 4 }}
+type: Opaque
+stringData:
+  privateKey: {{ $requiredPrivateKey | quote }}
+{{- end }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: besu-faucet-address
+  labels:
+    {{- include "network-bootstrapper.labels" . | nindent 4 }}
+data:
+  address: {{ $faucet.address | quote }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: besu-faucet-pubkey
+  labels:
+    {{- include "network-bootstrapper.labels" . | nindent 4 }}
+data:
+  publicKey: {{ $faucet.publicKey | quote }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: besu-faucet-private-key
+  labels:
+    {{- include "network-bootstrapper.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+  privateKey: {{ $faucet.privateKey | quote }}
+{{- end }}

charts/network/charts/network-bootstrapper/templates/job.yaml

@@ -1,3 +1,5 @@
+{{- $artifactSource := default "generated" .Values.artifacts.source -}}
+{{- if eq $artifactSource "generated" }}
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -106,3 +108,4 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+{{- end }}

charts/network/charts/network-bootstrapper/values.yaml

@@ -121,3 +121,22 @@ settings:
   evmStackSize:
   # -- (int) Maximum smart-contract bytecode size accepted by the EVM.
   contractSizeLimit:
+
+# Artifact sourcing controls for bootstrap data used by the nodes chart.
+artifacts:
+  # -- (string) Determines how Besu network artifacts are populated. Use `generated` to run the job or `external` to supply values manually.
+  source: generated
+  external:
+    # -- (object) Besu genesis document rendered into the `besu-genesis` ConfigMap when `source` equals `external`.
+    genesis: {}
+    # -- (list) Collection of enode URIs persisted to the `besu-static-nodes` ConfigMap when `source` equals `external`.
+    staticNodes: []
+    # -- (list) Validator node definitions providing the data expected by the nodes chart. Each entry must include `address`, `publicKey`, `privateKey`, and `enode`.
+    validators: []
+    faucet:
+      # -- (string) Faucet account address stored in the `besu-faucet-address` ConfigMap when `source` equals `external`.
+      address: ""
+      # -- (string) Faucet account public key stored in the `besu-faucet-pubkey` ConfigMap when `source` equals `external`.
+      publicKey: ""
+      # -- (string) Faucet private key stored in the `besu-faucet-private-key` Secret when `source` equals `external`.
+      privateKey: ""

charts/network/charts/network-nodes/README.md

@@ -135,6 +135,6 @@ A Helm chart for Kubernetes
 | serviceAccount.create | bool | `true` | Create a ServiceAccount resource automatically for the release. |
 | serviceAccount.name | string | `""` | Existing ServiceAccount name to reuse when creation is disabled. |
 | tolerations | list | `[]` | Tolerations allowing pods to run on nodes with matching taints. |
-| validatorReplicaCount | int | `4` | Number of validator node replicas participating in consensus. |
+| validatorReplicaCount | int | `nil` | Number of validator node replicas participating in consensus. Leave unset to derive from global.validatorReplicaCount. |
 | volumeMounts | list | `[]` | Additional volume mounts applied to Besu containers. |
 | volumes | list | `[]` | Extra volumes attached to Besu pods for custom configuration or secrets. |