feat(charts): add tcp-check init container configuration

- Introduced a new init container configuration for TCP dependency checks in the network charts.
- Updated README and values.yaml to document the new initContainer.tcpCheck fields, including image repository, tag, pull policy, timeout, and resource limits.
- Ensured compatibility with helm-docs format for autogenerated documentation.

Author: roderik

charts/network/README.md

@@ -21,6 +21,7 @@ A Helm chart for a blockchain network on Kubernetes
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
+| extraInitContainers | list | `[]` | Additional init containers appended verbatim to each workload. |
 | global | object | `{"chainId":null,"networkNodes":{"faucetArtifactPrefix":"besu-faucet","genesisConfigMapName":"besu-genesis","podPrefix":"","serviceName":"","staticNodesConfigMapName":"besu-static-nodes"},"securityContexts":{"container":{},"pod":{}}}` | Global configuration shared across subcharts. |
 | global.chainId | int | `nil` | Chain ID applied when charts omit explicit overrides. |
 | global.networkNodes | object | `{"faucetArtifactPrefix":"besu-faucet","genesisConfigMapName":"besu-genesis","podPrefix":"","serviceName":"","staticNodesConfigMapName":"besu-static-nodes"}` | Defaults consumed by Besu network node workloads. |
@@ -32,3 +33,10 @@ A Helm chart for a blockchain network on Kubernetes
 | global.securityContexts | object | `{"container":{},"pod":{}}` | Shared pod- and container-level security contexts applied when subcharts omit explicit overrides. |
 | global.securityContexts.container | object | `{}` | Container security context inherited by subcharts when set. |
 | global.securityContexts.pod | object | `{}` | Pod security context inherited by subcharts when set. |
+| initContainer | object | `{"tcpCheck":{"dependencies":[],"enabled":false,"image":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/settlemint/btp-waitforit","tag":"v7.7.10"},"resources":{"limits":{"cpu":"100m","memory":"64Mi"},"requests":{"cpu":"10m","memory":"32Mi"}},"timeout":120}}` | Init container configuration shared by subcharts. |
+| initContainer.tcpCheck.dependencies | list | `[]` | TCP dependencies expressed as name/endpoint pairs (host:port). |
+| initContainer.tcpCheck.enabled | bool | `false` | Enable the TCP dependency check init container by default. |
+| initContainer.tcpCheck.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy for the tcp-check init container. |
+| initContainer.tcpCheck.image.repository | string | `"ghcr.io/settlemint/btp-waitforit"` | OCI image hosting the tcp-check utility. |
+| initContainer.tcpCheck.image.tag | string | `"v7.7.10"` | Image tag for the tcp-check utility. |
+| initContainer.tcpCheck.timeout | int | `120` | Timeout in seconds applied to each dependency probe. |

charts/network/charts/network-bootstrapper/README.md

@@ -22,13 +22,23 @@ A Helm chart for Kubernetes
 | artifacts.external.staticNodes | list | `[]` | Collection of enode URIs persisted to the `besu-static-nodes` ConfigMap when `source` equals `external`. |
 | artifacts.external.validators | list | `[]` | Validator node definitions providing the data expected by the nodes chart. Each entry must include `address`, `publicKey`, `privateKey`, and `enode`. |
 | artifacts.source | string | `"generated"` | Determines how Besu network artifacts are populated. Use `generated` to run the job or `external` to supply values manually. |
+| extraInitContainers | list | `[]` | Additional init containers appended verbatim to the job pod spec. |
 | fullnameOverride | string | `"bootstrapper"` | Override for the fully qualified resource name generated by helpers. |
 | global.chainId | int | `nil` | Chain ID applied when `settings.chainId` is unset. |
 | image.pullPolicy | string | `"IfNotPresent"` | Image pull policy controlling when Kubernetes fetches updated image layers. |
 | image.repository | string | `"ghcr.io/settlemint/network-bootstrapper"` | OCI registry path hosting the network bootstrapper image. |
 | image.tag | string | `""` | Image tag override; leave empty to inherit the chart appVersion. |
 | imagePullSecrets | list | `[]` | Image pull secrets enabling access to private registries. |
-| initContainers | list|string | `[]` | Init containers executed before the bootstrapper container starts. |
+| initContainer.tcpCheck.dependencies | list | `[]` | TCP dependencies expressed as name/endpoint pairs (host:port strings). |
+| initContainer.tcpCheck.enabled | bool | `false` | Enable a tcp-check init container before the bootstrapper job starts. |
+| initContainer.tcpCheck.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy for the tcp-check init container. |
+| initContainer.tcpCheck.image.repository | string | `"ghcr.io/settlemint/btp-waitforit"` | OCI image hosting the tcp-check utility. |
+| initContainer.tcpCheck.image.tag | string | `"v7.7.10"` | Image tag for the tcp-check utility. |
+| initContainer.tcpCheck.resources.limits.cpu | string | `"100m"` |  |
+| initContainer.tcpCheck.resources.limits.memory | string | `"64Mi"` |  |
+| initContainer.tcpCheck.resources.requests.cpu | string | `"10m"` |  |
+| initContainer.tcpCheck.resources.requests.memory | string | `"32Mi"` |  |
+| initContainer.tcpCheck.timeout | int | `120` | Timeout in seconds applied to each dependency probe. |
 | nameOverride | string | `""` | Override for the short release name used by name templates. |
 | nodeSelector | object | `{}` |  |
 | podAnnotations | object | `{}` |  |

charts/network/charts/network-bootstrapper/templates/_helpers.tpl

@@ -62,21 +62,81 @@ Create the name of the service account to use
 {{- end }}
 
 {{/*
-Render init container specifications provided via values.
-Accepts either a YAML string or a list of init container maps and indents output appropriately.
+Render a tcp-check init container when enabled.
 */}}
-{{- define "network-bootstrapper.renderInitContainers" -}}
-{{- $ctx := .context -}}
-{{- $containers := .containers -}}
-{{- $indent := .indent | default 2 -}}
-{{- if $containers -}}
-{{- if kindIs "string" $containers -}}
-{{ tpl $containers $ctx | nindent $indent }}
-{{- else -}}
-{{ tpl (toYaml $containers) $ctx | nindent $indent }}
-{{- end -}}
+{{- define "network-bootstrapper.tcpCheckInitContainer" -}}
+{{- $ctx := index . "context" -}}
+{{- $cfg := default (dict) (index . "config") -}}
+{{- $indent := index . "indent" | default 2 -}}
+{{- $enabled := default false (get $cfg "enabled") -}}
+{{- if $enabled -}}
+{{- $image := default (dict) (get $cfg "image") -}}
+{{- $repository := default "ghcr.io/settlemint/btp-waitforit" (get $image "repository") -}}
+{{- $tag := default "v7.7.10" (get $image "tag") -}}
+{{- $pullPolicy := default "IfNotPresent" (get $image "pullPolicy") -}}
+{{- $timeout := default 120 (get $cfg "timeout") -}}
+{{- $resources := get $cfg "resources" -}}
+{{- $dependencies := default (list) (get $cfg "dependencies") -}}
+{{- $count := len $dependencies -}}
+{{- $script := include "network-bootstrapper.tcpCheckScript" (dict "ctx" $ctx "timeout" $timeout "dependencies" $dependencies "count" $count) -}}
+{{- $container := dict "name" "tcp-check" "image" (printf "%s:%s" $repository $tag) "imagePullPolicy" $pullPolicy "command" (list "/bin/sh" "-ec") "args" (list $script) -}}
+{{- if $resources }}{{- $_ := set $container "resources" $resources }}{{- end -}}
+{{ toYaml (list $container) | nindent $indent }}
 {{- end -}}
+{{- end }}
+
+{{/*
+Produce the shell script executed by the tcp-check init container.
+*/}}
+{{- define "network-bootstrapper.tcpCheckScript" -}}
+set -euo pipefail
+INTERVAL=2
+TIMEOUT={{ index . "timeout" }}
+if [ {{ index . "count" }} -eq 0 ]; then
+  echo "No dependencies configured; skipping checks."
+  exit 0
+fi
+
+check() {
+  name="$1"
+  endpoint="$2"
+  host="${endpoint%:*}"
+  port="${endpoint##*:}"
+  echo "Waiting for ${name} (${endpoint})..."
+  elapsed=0
+  while true; do
+    if nc -z "$host" "$port" >/dev/null 2>&1; then
+      echo "${name} ready."
+      break
+    fi
+    sleep "${INTERVAL}"
+    elapsed=$((elapsed+INTERVAL))
+    if [ "$elapsed" -ge "$TIMEOUT" ]; then
+      echo "Timeout waiting for ${name} (${endpoint})."
+      exit 1
+    fi
+  done
+}
+
+{{- range $dependency := index . "dependencies" }}
+{{- $name := default "dependency" (get $dependency "name") }}
+{{- $endpointTemplate := default "" (get $dependency "endpoint") }}
+{{- $endpoint := tpl $endpointTemplate (index . "ctx") }}
+check {{ printf "%q" $name }} {{ printf "%q" $endpoint }}
+{{- end }}
+{{- end }}
+
+{{/*
+Render arbitrarily defined init containers without modification.
+*/}}
+{{- define "network-bootstrapper.extraInitContainers" -}}
+{{- $ctx := index . "context" -}}
+{{- $containers := default (list) (index . "containers") -}}
+{{- $indent := index . "indent" | default 2 -}}
+{{- if gt (len $containers) 0 -}}
+{{ tpl (toYaml $containers) $ctx | nindent $indent }}
 {{- end -}}
+{{- end }}
 
 {{/*
 Resolve pod and container security contexts by layering chart values over global defaults.

charts/network/charts/network-bootstrapper/templates/job.yaml

@@ -35,9 +35,21 @@ spec:
       securityContext:
         {{- toYaml $podSecurityContext | nindent 8 }}
       {{- end }}
-      {{- with .Values.initContainers }}
+      {{- $globalValues := default (dict) .Values.global }}
+      {{- $initConfig := default (dict) .Values.initContainer }}
+      {{- $globalInitConfig := default (dict) (get $globalValues "initContainer") }}
+      {{- $globalTcpDefaults := default (dict) (get $globalInitConfig "tcpCheck") }}
+      {{- $chartTcpOverrides := default (dict) (get $initConfig "tcpCheck") }}
+      {{- $tcpCheckConfig := mergeOverwrite (deepCopy $globalTcpDefaults) $chartTcpOverrides }}
+      {{- $globalExtraInit := default (list) (get $globalValues "extraInitContainers") }}
+      {{- $chartExtraInit := default (list) .Values.extraInitContainers }}
+      {{- $extraInitContainers := concat $globalExtraInit $chartExtraInit }}
+      {{- $tcpEnabled := default false (get $tcpCheckConfig "enabled") }}
+      {{- $hasExtraInit := gt (len $extraInitContainers) 0 }}
+      {{- if or $tcpEnabled $hasExtraInit }}
       initContainers:
-{{- include "network-bootstrapper.renderInitContainers" (dict "context" $ "containers" . "indent" 8) }}
+{{- include "network-bootstrapper.tcpCheckInitContainer" (dict "context" . "config" $tcpCheckConfig "indent" 8) }}
+{{- include "network-bootstrapper.extraInitContainers" (dict "context" . "containers" $extraInitContainers "indent" 8) }}
       {{- end }}
       containers:
         - name: {{ .Chart.Name }}
@@ -55,7 +67,6 @@ spec:
             {{- $resolvedStaticDomain := default $clusterDomain .Values.settings.staticNodeDomain }}
             {{- $resolvedStaticPort := default $defaultStaticPort .Values.settings.staticNodePort }}
             {{- $resolvedStaticDiscovery := default $defaultStaticDiscovery .Values.settings.staticNodeDiscoveryPort }}
-            {{- $globalValues := default (dict) .Values.global }}
             {{- $settingsValues := default (dict) .Values.settings }}
             {{- $globalNodes := default (dict) (get $globalValues "networkNodes") }}
             {{- $localChainId := get $settingsValues "chainId" }}

charts/network/charts/network-bootstrapper/values.yaml

@@ -60,36 +60,32 @@ securityContext:
   # runAsNonRoot: true
   # runAsUser: 1000
 
-# -- (list|string) Init containers executed before the bootstrapper container starts.
-initContainers: []
-# - name: wait-for-genesis
-#   image: busybox:1.36
-#   imagePullPolicy: IfNotPresent
-#   command:
-#     - sh
-#     - -c
-#   args:
-#     - >-
-#       until nc -z ${STATIC_NODE_HOST:?} ${STATIC_NODE_PORT:?}; do echo "waiting for nodes"; sleep 2; done
-#   env:
-#     - name: STATIC_NODE_HOST
-#       value: besu-node-validator-0.besu-node-validator
-#     - name: STATIC_NODE_PORT
-#       value: "30303"
-#   envFrom:
-#     - secretRef:
-#         name: bootstrapper-env
-#   volumeMounts:
-#     - name: config
-#       mountPath: /config
-#   resources:
-#     requests:
-#       cpu: 50m
-#       memory: 64Mi
-#   securityContext: {}
-#   workingDir: /config
-#   stdin: false
-#   tty: false
+# Init container configuration shared across the bootstrapper job.
+initContainer:
+  tcpCheck:
+    # -- (bool) Enable a tcp-check init container before the bootstrapper job starts.
+    enabled: false
+    image:
+      # -- (string) OCI image hosting the tcp-check utility.
+      repository: ghcr.io/settlemint/btp-waitforit
+      # -- (string) Image tag for the tcp-check utility.
+      tag: v7.7.10
+      # -- (string) Image pull policy for the tcp-check init container.
+      pullPolicy: IfNotPresent
+    # -- (int) Timeout in seconds applied to each dependency probe.
+    timeout: 120
+    resources:
+      limits:
+        cpu: 100m
+        memory: 64Mi
+      requests:
+        cpu: 10m
+        memory: 32Mi
+    # -- (list) TCP dependencies expressed as name/endpoint pairs (host:port strings).
+    dependencies: []
+
+# -- (list) Additional init containers appended verbatim to the job pod spec.
+extraInitContainers: []
 
 # CPU and memory requests or limits for the bootstrapper container.
 resources:

charts/network/charts/network-nodes/README.md

@@ -60,6 +60,7 @@ A Helm chart for Kubernetes
 | config.ws.host | string | `"0.0.0.0"` | Network interface for the WebSocket listener. |
 | config.ws.maxActiveConnections | int | `2000` | Maximum concurrent WebSocket connections. |
 | config.ws.maxFrameSize | int | `2097152` | Maximum WebSocket frame size in bytes. |
+| extraInitContainers | list | `[]` | Additional init containers appended verbatim to both StatefulSets. |
 | fullnameOverride | string | `"besu-node"` | Override for the fully qualified release name used in resource naming. |
 | httpRoute.annotations | object | `{}` |  |
 | httpRoute.enabled | bool | `false` | Enable rendering of an HTTPRoute resource. |
@@ -78,9 +79,16 @@ A Helm chart for Kubernetes
 | ingress.enabled | bool | `false` | Enable creation of an Ingress resource. |
 | ingress.hosts | list | `[{"host":"chart-example.local","paths":[{"path":"/","pathType":"ImplementationSpecific"}]}]` | Hostname and path routing rules for the Ingress. |
 | ingress.tls | list | `[]` | TLS configuration for Ingress hosts. |
-| initContainers.rpc | list|string | `[]` | Additional init containers exclusively for RPC pods. |
-| initContainers.shared | list|string | `[]` | Init containers applied to both validator and RPC pods. |
-| initContainers.validator | list|string | `[]` | Additional init containers exclusively for validator pods. |
+| initContainer.tcpCheck.dependencies | list | `[]` | TCP dependencies expressed as name/endpoint pairs (host:port strings). |
+| initContainer.tcpCheck.enabled | bool | `false` | Enable a tcp-check init container before Besu pods start. |
+| initContainer.tcpCheck.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy for the tcp-check init container. |
+| initContainer.tcpCheck.image.repository | string | `"ghcr.io/settlemint/btp-waitforit"` | OCI image hosting the tcp-check utility. |
+| initContainer.tcpCheck.image.tag | string | `"v7.7.10"` | Image tag for the tcp-check utility. |
+| initContainer.tcpCheck.resources.limits.cpu | string | `"100m"` |  |
+| initContainer.tcpCheck.resources.limits.memory | string | `"64Mi"` |  |
+| initContainer.tcpCheck.resources.requests.cpu | string | `"10m"` |  |
+| initContainer.tcpCheck.resources.requests.memory | string | `"32Mi"` |  |
+| initContainer.tcpCheck.timeout | int | `120` | Timeout in seconds applied to each dependency probe. |
 | livenessProbe.failureThreshold | int | `3` | Consecutive failures required before the container is restarted. |
 | livenessProbe.httpGet.path | string | `"/readiness?minPeers=1&maxBlocksBehind=10000"` | HTTP path used for liveness probing. |
 | livenessProbe.httpGet.port | string|int | `"json-rpc"` | Target container port serving the liveness endpoint. |

charts/network/charts/network-nodes/templates/_helpers.tpl

@@ -111,21 +111,81 @@ Resolve the number of validator replicas, falling back to global overrides when
 {{- end }}
 
 {{/*
-Render init container specifications provided via values.
-Accepts either a YAML string or a list of init container maps and indents output appropriately.
+Render a tcp-check init container when enabled.
 */}}
-{{- define "nodes.renderInitContainers" -}}
-{{- $ctx := .context -}}
-{{- $containers := .containers -}}
-{{- $indent := .indent | default 2 -}}
-{{- if $containers -}}
-{{- if kindIs "string" $containers -}}
-{{ tpl $containers $ctx | nindent $indent }}
-{{- else -}}
-{{ tpl (toYaml $containers) $ctx | nindent $indent }}
-{{- end -}}
+{{- define "nodes.tcpCheckInitContainer" -}}
+{{- $ctx := index . "context" -}}
+{{- $cfg := default (dict) (index . "config") -}}
+{{- $indent := index . "indent" | default 2 -}}
+{{- $enabled := default false (get $cfg "enabled") -}}
+{{- if $enabled -}}
+{{- $image := default (dict) (get $cfg "image") -}}
+{{- $repository := default "ghcr.io/settlemint/btp-waitforit" (get $image "repository") -}}
+{{- $tag := default "v7.7.10" (get $image "tag") -}}
+{{- $pullPolicy := default "IfNotPresent" (get $image "pullPolicy") -}}
+{{- $timeout := default 120 (get $cfg "timeout") -}}
+{{- $resources := get $cfg "resources" -}}
+{{- $dependencies := default (list) (get $cfg "dependencies") -}}
+{{- $count := len $dependencies -}}
+{{- $script := include "nodes.tcpCheckScript" (dict "ctx" $ctx "timeout" $timeout "dependencies" $dependencies "count" $count) -}}
+{{- $container := dict "name" "tcp-check" "image" (printf "%s:%s" $repository $tag) "imagePullPolicy" $pullPolicy "command" (list "/bin/sh" "-ec") "args" (list $script) -}}
+{{- if $resources }}{{- $_ := set $container "resources" $resources }}{{- end -}}
+{{ toYaml (list $container) | nindent $indent }}
 {{- end -}}
+{{- end }}
+
+{{/*
+Produce the shell script executed by the tcp-check init container.
+*/}}
+{{- define "nodes.tcpCheckScript" -}}
+set -euo pipefail
+INTERVAL=2
+TIMEOUT={{ index . "timeout" }}
+if [ {{ index . "count" }} -eq 0 ]; then
+  echo "No dependencies configured; skipping checks."
+  exit 0
+fi
+
+check() {
+  name="$1"
+  endpoint="$2"
+  host="${endpoint%:*}"
+  port="${endpoint##*:}"
+  echo "Waiting for ${name} (${endpoint})..."
+  elapsed=0
+  while true; do
+    if nc -z "$host" "$port" >/dev/null 2>&1; then
+      echo "${name} ready."
+      break
+    fi
+    sleep "${INTERVAL}"
+    elapsed=$((elapsed+INTERVAL))
+    if [ "$elapsed" -ge "$TIMEOUT" ]; then
+      echo "Timeout waiting for ${name} (${endpoint})."
+      exit 1
+    fi
+  done
+}
+
+{{- range $dependency := index . "dependencies" }}
+{{- $name := default "dependency" (get $dependency "name") }}
+{{- $endpointTemplate := default "" (get $dependency "endpoint") }}
+{{- $endpoint := tpl $endpointTemplate (index . "ctx") }}
+check {{ printf "%q" $name }} {{ printf "%q" $endpoint }}
+{{- end }}
+{{- end }}
+
+{{/*
+Render arbitrarily defined init containers without modification.
+*/}}
+{{- define "nodes.extraInitContainers" -}}
+{{- $ctx := index . "context" -}}
+{{- $containers := default (list) (index . "containers") -}}
+{{- $indent := index . "indent" | default 2 -}}
+{{- if gt (len $containers) 0 -}}
+{{ tpl (toYaml $containers) $ctx | nindent $indent }}
 {{- end -}}
+{{- end }}
 
 {{/*
 Resolve pod and container security contexts using global defaults plus chart overrides.