chore: enable staging-public rpc

.github/workflows/deploy-staging-networks.yml

@@ -124,6 +124,11 @@ jobs:
           BOT_SWAPS_FOLLOW_CHAIN=PENDING
           BOT_SWAPS_TX_INTERVAL_SECONDS=350
 
+          RPC_INGRESS_ENABLED=true
+          RPC_INGRESS_HOST=staging.alpha-testnet.aztec-labs.com
+          RPC_INGRESS_STATIC_IP_NAME=staging-rc-1-ingress
+          RPC_INGRESS_SSL_CERT_NAME=staging-public-rpc-cert
+
           FLUSH_ENTRY_QUEUE=false
           EOF
           echo "NAMESPACE=$NAMESPACE" >> $GITHUB_ENV
@@ -236,6 +241,12 @@ jobs:
           BOT_TRANSFERS_REPLICAS=0
           BOT_SWAPS_REPLICAS=0
           FLUSH_ENTRY_QUEUE=false
+
+          # RPC_INGRESS_ENABLED=true
+          # RPC_INGRESS_HOST=rpc.testnet.aztec-labs.com
+          # RPC_INGRESS_STATIC_IP_NAME=testnet-rpc-ingress
+          # RPC_INGRESS_SSL_CERT_NAME=testnet-rpc-cert
+
           EOF
           echo "NAMESPACE=$NAMESPACE" >> $GITHUB_ENV
 

spartan/scripts/deploy_network.sh

@@ -75,6 +75,11 @@ BOT_SWAPS_TX_INTERVAL_SECONDS=${BOT_SWAPS_TX_INTERVAL_SECONDS:-60}
 BOT_TRANSFERS_FOLLOW_CHAIN=${BOT_TRANSFERS_FOLLOW_CHAIN:-NONE}
 BOT_SWAPS_FOLLOW_CHAIN=${BOT_SWAPS_FOLLOW_CHAIN:-NONE}
 
+RPC_INGRESS_ENABLED=${RPC_INGRESS_ENABLED:-false}
+RPC_INGRESS_HOST=${RPC_INGRESS_HOST:-}
+RPC_INGRESS_STATIC_IP_NAME=${RPC_INGRESS_STATIC_IP_NAME:-}
+RPC_INGRESS_SSL_CERT_NAME=${RPC_INGRESS_SSL_CERT_NAME:-}
+
 FLUSH_ENTRY_QUEUE=${FLUSH_ENTRY_QUEUE:-true}
 
 ########################
@@ -299,6 +304,11 @@ BOT_SWAPS_TX_INTERVAL_SECONDS = ${BOT_SWAPS_TX_INTERVAL_SECONDS}
 BOT_SWAPS_FOLLOW_CHAIN = "${BOT_SWAPS_FOLLOW_CHAIN}"
 BOT_TRANSFERS_PRIVATE_KEY = "${BOT_TRANSFERS_PRIVATE_KEY:-0xcafe01}"
 BOT_SWAPS_PRIVATE_KEY = "${BOT_SWAPS_PRIVATE_KEY:-0xcafe02}"
+
+RPC_INGRESS_ENABLED = ${RPC_INGRESS_ENABLED}
+RPC_INGRESS_HOST = "${RPC_INGRESS_HOST}"
+RPC_INGRESS_STATIC_IP_NAME = "${RPC_INGRESS_STATIC_IP_NAME}"
+RPC_INGRESS_SSL_CERT_NAME = "${RPC_INGRESS_SSL_CERT_NAME}"
 EOF
 
 tf_run "${DEPLOY_AZTEC_INFRA_DIR}" "${DESTROY_AZTEC_INFRA}" "${CREATE_AZTEC_INFRA}"

spartan/terraform/deploy-aztec-infra/main.tf

@@ -159,10 +159,21 @@ locals {
         "rpc.yaml",
         "rpc-resources-${var.RPC_RESOURCE_PROFILE}.yaml"
       ]
-      custom_settings = {
-        "nodeType"         = "rpc"
-        "node.env.NETWORK" = var.NETWORK
-      }
+      custom_settings = merge(
+        {
+          "nodeType"            = "rpc"
+          "node.env.NETWORK"    = var.NETWORK
+          "ingress.rpc.enabled" = var.RPC_INGRESS_ENABLED
+          "ingress.rpc.host"    = var.RPC_INGRESS_HOST
+        },
+        var.RPC_INGRESS_ENABLED ? {
+          "service.rpc.annotations.cloud\\.google\\.com/neg"                        = "{\"ingress\": true}"
+          "ingress.rpc.annotations.kubernetes\\.io/ingress\\.class"                 = "gce"
+          "ingress.rpc.annotations.kubernetes\\.io/ingress\\.global-static-ip-name" = var.RPC_INGRESS_STATIC_IP_NAME
+          "ingress.rpc.annotations.ingress\\.gcp\\.kubernetes\\.io/pre-shared-cert" = var.RPC_INGRESS_SSL_CERT_NAME
+          "ingress.rpc.annotations.kubernetes\\.io/ingress\\.allow-http"            = "false"
+        } : {}
+      )
       boot_node_host_path  = "node.env.BOOT_NODE_HOST"
       bootstrap_nodes_path = "node.env.BOOTSTRAP_NODES"
     }

spartan/terraform/deploy-aztec-infra/variables.tf

@@ -358,3 +358,28 @@ variable "BOT_SWAPS_PRIVATE_KEY" {
   default     = null
   nullable    = true
 }
+
+# RPC ingress configuration (GKE-specific)
+variable "RPC_INGRESS_ENABLED" {
+  description = "Enable GKE ingress for RPC nodes"
+  type        = bool
+  default     = false
+}
+
+variable "RPC_INGRESS_HOST" {
+  description = "Hostname for RPC ingress"
+  type        = string
+  default     = ""
+}
+
+variable "RPC_INGRESS_STATIC_IP_NAME" {
+  description = "Name of the GCP static IP resource for the ingress"
+  type        = string
+  default     = ""
+}
+
+variable "RPC_INGRESS_SSL_CERT_NAME" {
+  description = "Name of the GCP managed SSL certificate for the ingress"
+  type        = string
+  default     = ""
+}

spartan/terraform/gke-cluster/network-ingress.tf

@@ -0,0 +1,45 @@
+resource "google_compute_global_address" "staging_public_rpc_ip" {
+  name        = "staging-rc-1-ingress"
+  description = "Static IP for staging-public network RPC ingress"
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}
+
+resource "google_compute_managed_ssl_certificate" "staging_public_rpc_cert" {
+  name        = "staging-public-rpc-cert"
+  description = "Managed SSL certificate for staging-public RPC ingress"
+
+  managed {
+    domains = ["staging.alpha-testnet.aztec-labs.com"]
+  }
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}
+
+# TODO: enable these resources once testnet is migrated to use deploy_network.sh
+
+#resource "google_compute_global_address" "testnet_rpc_ip" {
+#  name        = "testnet-rpc-ingress"
+#  description = "Static IP for testnet RPC ingress"
+#
+#  lifecycle {
+#    prevent_destroy = true
+#  }
+#}
+#
+#resource "google_compute_managed_ssl_certificate" "testnet_rpc_cert" {
+#  name        = "testnet-rpc-cert"
+#  description = "Managed SSL certificate for testnet RPC ingress"
+#
+#  managed {
+#    domains = ["rpc.testnet.aztec-labs.com"]
+#  }
+#
+#  lifecycle {
+#    prevent_destroy = true
+#  }
+#}

spartan/terraform/gke-cluster/outputs.tf

@@ -6,3 +6,13 @@ output "region" {
   description = "Google cloud region"
   value       = var.region
 }
+
+output "staging_public_rpc_ip" {
+  value       = google_compute_global_address.staging_public_rpc_ip.address
+  description = "The static IP address for staging-public RPC ingress"
+}
+
+output "staging_public_rpc_cert_name" {
+  value       = google_compute_managed_ssl_certificate.staging_public_rpc_cert.name
+  description = "The name of the managed SSL certificate for staging-public RPC"
+}