From 4bb2b034b3af6e8135b51d54d93eebed42f37b1f Mon Sep 17 00:00:00 2001 From: Alex Gherghisan Date: Tue, 16 Sep 2025 09:47:26 +0000 Subject: [PATCH] chore: enable staging-public rpc --- .github/workflows/deploy-staging-networks.yml | 11 +++++ spartan/scripts/deploy_network.sh | 10 +++++ spartan/terraform/deploy-aztec-infra/main.tf | 19 ++++++-- .../terraform/deploy-aztec-infra/variables.tf | 25 +++++++++++ .../terraform/gke-cluster/network-ingress.tf | 45 +++++++++++++++++++ spartan/terraform/gke-cluster/outputs.tf | 10 +++++ 6 files changed, 116 insertions(+), 4 deletions(-) create mode 100644 spartan/terraform/gke-cluster/network-ingress.tf diff --git a/.github/workflows/deploy-staging-networks.yml b/.github/workflows/deploy-staging-networks.yml index aa94ac9cb312..c0e69d7decc5 100644 --- a/.github/workflows/deploy-staging-networks.yml +++ b/.github/workflows/deploy-staging-networks.yml @@ -124,6 +124,11 @@ jobs: BOT_SWAPS_FOLLOW_CHAIN=PENDING BOT_SWAPS_TX_INTERVAL_SECONDS=350 + RPC_INGRESS_ENABLED=true + RPC_INGRESS_HOST=staging.alpha-testnet.aztec-labs.com + RPC_INGRESS_STATIC_IP_NAME=staging-rc-1-ingress + RPC_INGRESS_SSL_CERT_NAME=staging-public-rpc-cert + FLUSH_ENTRY_QUEUE=false EOF echo "NAMESPACE=$NAMESPACE" >> $GITHUB_ENV @@ -236,6 +241,12 @@ jobs: BOT_TRANSFERS_REPLICAS=0 BOT_SWAPS_REPLICAS=0 FLUSH_ENTRY_QUEUE=false + + # RPC_INGRESS_ENABLED=true + # RPC_INGRESS_HOST=rpc.testnet.aztec-labs.com + # RPC_INGRESS_STATIC_IP_NAME=testnet-rpc-ingress + # RPC_INGRESS_SSL_CERT_NAME=testnet-rpc-cert + EOF echo "NAMESPACE=$NAMESPACE" >> $GITHUB_ENV diff --git a/spartan/scripts/deploy_network.sh b/spartan/scripts/deploy_network.sh index 80315113a8e0..127e4a7eccb1 100755 --- a/spartan/scripts/deploy_network.sh +++ b/spartan/scripts/deploy_network.sh 
@@ -75,6 +75,11 @@ BOT_SWAPS_TX_INTERVAL_SECONDS=${BOT_SWAPS_TX_INTERVAL_SECONDS:-60} BOT_TRANSFERS_FOLLOW_CHAIN=${BOT_TRANSFERS_FOLLOW_CHAIN:-NONE} BOT_SWAPS_FOLLOW_CHAIN=${BOT_SWAPS_FOLLOW_CHAIN:-NONE} +RPC_INGRESS_ENABLED=${RPC_INGRESS_ENABLED:-false} +RPC_INGRESS_HOST=${RPC_INGRESS_HOST:-} +RPC_INGRESS_STATIC_IP_NAME=${RPC_INGRESS_STATIC_IP_NAME:-} +RPC_INGRESS_SSL_CERT_NAME=${RPC_INGRESS_SSL_CERT_NAME:-} + FLUSH_ENTRY_QUEUE=${FLUSH_ENTRY_QUEUE:-true} ######################## @@ -299,6 +304,11 @@ BOT_SWAPS_TX_INTERVAL_SECONDS = ${BOT_SWAPS_TX_INTERVAL_SECONDS} BOT_SWAPS_FOLLOW_CHAIN = "${BOT_SWAPS_FOLLOW_CHAIN}" BOT_TRANSFERS_PRIVATE_KEY = "${BOT_TRANSFERS_PRIVATE_KEY:-0xcafe01}" BOT_SWAPS_PRIVATE_KEY = "${BOT_SWAPS_PRIVATE_KEY:-0xcafe02}" + +RPC_INGRESS_ENABLED = ${RPC_INGRESS_ENABLED} +RPC_INGRESS_HOST = "${RPC_INGRESS_HOST}" +RPC_INGRESS_STATIC_IP_NAME = "${RPC_INGRESS_STATIC_IP_NAME}" +RPC_INGRESS_SSL_CERT_NAME = "${RPC_INGRESS_SSL_CERT_NAME}" EOF tf_run "${DEPLOY_AZTEC_INFRA_DIR}" "${DESTROY_AZTEC_INFRA}" "${CREATE_AZTEC_INFRA}" diff --git a/spartan/terraform/deploy-aztec-infra/main.tf b/spartan/terraform/deploy-aztec-infra/main.tf index 83b83d357aca..7f40e1139277 100644 --- a/spartan/terraform/deploy-aztec-infra/main.tf +++ b/spartan/terraform/deploy-aztec-infra/main.tf 
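Review bot: In the second hunk (`@@ -299,6 +304,11 @@`), the three name/host values are written into the tfvars heredoc without any check that they are non-empty when `RPC_INGRESS_ENABLED` is true. The first hunk defaults them to empty strings, and so do the new variables in `deploy-aztec-infra/variables.tf`. A caller that sets only `RPC_INGRESS_ENABLED=true` would therefore render an ingress with empty `global-static-ip-name` and `pre-shared-cert` annotations; how GKE treats those is not visible in this diff, so failing early is safer. A guard per variable before the heredoc would do, for example `[ "$RPC_INGRESS_ENABLED" != "true" ] || : "${RPC_INGRESS_SSL_CERT_NAME:?required when RPC_INGRESS_ENABLED=true}"`. `RPC_INGRESS_ENABLED` is also interpolated unquoted as an HCL bool, so any value other than `true` or `false` only fails later, inside Terraform.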
@@ -159,10 +159,21 @@ locals { "rpc.yaml", "rpc-resources-${var.RPC_RESOURCE_PROFILE}.yaml" ] - custom_settings = { - "nodeType" = "rpc" - "node.env.NETWORK" = var.NETWORK - } + custom_settings = merge( + { + "nodeType" = "rpc" + "node.env.NETWORK" = var.NETWORK + "ingress.rpc.enabled" = var.RPC_INGRESS_ENABLED + "ingress.rpc.host" = var.RPC_INGRESS_HOST + }, + var.RPC_INGRESS_ENABLED ? { + "service.rpc.annotations.cloud\\.google\\.com/neg" = "{\"ingress\": true}" + "ingress.rpc.annotations.kubernetes\\.io/ingress\\.class" = "gce" + "ingress.rpc.annotations.kubernetes\\.io/ingress\\.global-static-ip-name" = var.RPC_INGRESS_STATIC_IP_NAME + "ingress.rpc.annotations.ingress\\.gcp\\.kubernetes\\.io/pre-shared-cert" = var.RPC_INGRESS_SSL_CERT_NAME + "ingress.rpc.annotations.kubernetes\\.io/ingress\\.allow-http" = "false" + } : {} + ) boot_node_host_path = "node.env.BOOT_NODE_HOST" bootstrap_nodes_path = "node.env.BOOTSTRAP_NODES" } diff --git a/spartan/terraform/deploy-aztec-infra/variables.tf b/spartan/terraform/deploy-aztec-infra/variables.tf index 48b66978c41e..d158341ba4e5 100644 --- a/spartan/terraform/deploy-aztec-infra/variables.tf +++ b/spartan/terraform/deploy-aztec-infra/variables.tf @@ -358,3 +358,28 @@ variable "BOT_SWAPS_PRIVATE_KEY" { default = null nullable = true } + +# RPC ingress configuration (GKE-specific) +variable "RPC_INGRESS_ENABLED" { + description = "Enable GKE ingress for RPC nodes" + type = bool + default = false +} + +variable "RPC_INGRESS_HOST" { + description = "Hostname for RPC ingress" + type = string + default = "" +} + +variable "RPC_INGRESS_STATIC_IP_NAME" { + description = "Name of the GCP static IP resource for the ingress" + type = string + default = "" +} + +variable "RPC_INGRESS_SSL_CERT_NAME" { + description = "Name of the GCP managed SSL certificate for the ingress" + type = string + default = "" +} 
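Review bot: The enabled branch of `custom_settings` in `main.tf` publishes the RPC service through an external GCE load balancer, and the only hardening among the five annotations is `ingress.allow-http = "false"`. Nothing here attaches a BackendConfig to the service (the `cloud.google.com/backend-config` annotation), so no Cloud Armor security policy or request limiting sits in front of the endpoint, unless the chart or another layer adds it outside this hunk. If that is acceptable for staging, record it next to the map, e.g. `# public endpoint: TLS only, no Cloud Armor policy attached yet`. Otherwise add the backend-config annotation alongside the NEG one. The surrounding `locals` block starts and ends outside the hunk.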
diff --git a/spartan/terraform/gke-cluster/network-ingress.tf b/spartan/terraform/gke-cluster/network-ingress.tf new file mode 100644 index 000000000000..d0e879e561fa --- /dev/null +++ b/spartan/terraform/gke-cluster/network-ingress.tf @@ -0,0 +1,45 @@ +resource "google_compute_global_address" "staging_public_rpc_ip" { + name = "staging-rc-1-ingress" + description = "Static IP for staging-public network RPC ingress" + + lifecycle { + prevent_destroy = true + } +} + +resource "google_compute_managed_ssl_certificate" "staging_public_rpc_cert" { + name = "staging-public-rpc-cert" + description = "Managed SSL certificate for staging-public RPC ingress" + + managed { + domains = ["staging.alpha-testnet.aztec-labs.com"] + } + + lifecycle { + prevent_destroy = true + } +} + +# TODO: enable these resources once testnet is migrated to use deploy_network.sh + +#resource "google_compute_global_address" "testnet_rpc_ip" { +# name = "testnet-rpc-ingress" +# description = "Static IP for testnet RPC ingress" +# +# lifecycle { +# prevent_destroy = true +# } +#} +# +#resource "google_compute_managed_ssl_certificate" "testnet_rpc_cert" { +# name = "testnet-rpc-cert" +# description = "Managed SSL certificate for testnet RPC ingress" +# +# managed { +# domains = ["rpc.testnet.aztec-labs.com"] +# } +# +# lifecycle { +# prevent_destroy = true +# } +#} diff --git a/spartan/terraform/gke-cluster/outputs.tf b/spartan/terraform/gke-cluster/outputs.tf index 5a027b234440..59de5f460e05 100644 --- a/spartan/terraform/gke-cluster/outputs.tf +++ b/spartan/terraform/gke-cluster/outputs.tf 
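Review bot: The global address is named `staging-rc-1-ingress`, while its resource label, its description and the certificate all say staging-public. Both names are also repeated as literals in the workflow's `RPC_INGRESS_STATIC_IP_NAME` and `RPC_INGRESS_SSL_CERT_NAME`. The ingress annotations look these resources up by name only, so a rename on either side would not show up as a Terraform error; it would presumably surface only when the ingress is reconciled. A comment on each `name` would make the coupling visible, e.g. `# must match RPC_INGRESS_STATIC_IP_NAME in deploy-staging-networks.yml`, and the `rc-1` naming deserves either an alignment or a short explanation.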
@@ -6,3 +6,13 @@ output "region" { description = "Google cloud region" value = var.region } + +output "staging_public_rpc_ip" { + value = google_compute_global_address.staging_public_rpc_ip.address + description = "The static IP address for staging-public RPC ingress" +} + +output "staging_public_rpc_cert_name" { + value = google_compute_managed_ssl_certificate.staging_public_rpc_cert.name + description = "The name of the managed SSL certificate for staging-public RPC" +}
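Review bot: `staging_public_rpc_ip` exports `.address`, but the consumer added in this commit, the `ingress.global-static-ip-name` annotation, takes the resource name, so this output cannot feed `RPC_INGRESS_STATIC_IP_NAME`. The certificate gets a name output and the address does not, which leaves the workflow literal as the only source for the IP name. Consider adding a matching output with `value = google_compute_global_address.staging_public_rpc_ip.name` and keeping the address output for the DNS record.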