feat: fine grained control with public ip addresses per service

.github/tests/mix-public.yaml

@@ -15,6 +15,7 @@ participants:
   - el_type: ethereumjs
     cl_type: grandine
 port_publisher:
+  nat_exit_ip: KURTOSIS_IP_ADDR_PLACEHOLDER
   el:
     enabled: true
     public_port_start: 40000

README.md

@@ -1063,48 +1063,78 @@ ethereum_genesis_generator_params:
   # The image to use for ethereum genesis generator
   image: ethpandaops/ethereum-genesis-generator:4.1.17
 
-# Global parameter to set the exit ip address of services and public ports
+# Configuration for public ports and NAT exit IP addresses
 port_publisher:
-  # if you have a service that you want to expose on a specific interface; set that IP here
-  # if you set it to auto it gets the public ip from ident.me and sets it
-  # Defaults to constants.PRIVATE_IP_ADDRESS_PLACEHOLDER
-  # The default value just means its the IP address of the container in which the service is running
+  # Global NAT exit IP address for all services (optional)
+  # If set, this will be used for all service groups (overrides individual nat_exit_ip settings)
+  # Set to "auto" to automatically detect public IP from ident.me
+  # Defaults to KURTOSIS_IP_ADDR_PLACEHOLDER (uses per-service settings)
   nat_exit_ip: KURTOSIS_IP_ADDR_PLACEHOLDER
+
   # Execution Layer public port exposed to your local machine
   # Disabled by default
   # Public port start defaults to 32000
   # You can't run multiple enclaves on the same port settings
   el:
     enabled: false
     public_port_start: 32000
+    # nat_exit_ip: IP address to expose for EL P2P networking (optional)
+    # Only used if global nat_exit_ip is not set
+    # Set to "auto" to automatically detect public IP from ident.me
+    # Defaults to KURTOSIS_IP_ADDR_PLACEHOLDER (container IP)
+    nat_exit_ip: KURTOSIS_IP_ADDR_PLACEHOLDER
+
   # Consensus Layer public port exposed to your local machine
   # Disabled by default
   # Public port start defaults to 33000
   # You can't run multiple enclaves on the same port settings
   cl:
     enabled: false
     public_port_start: 33000
+    # nat_exit_ip: IP address to expose for CL P2P networking (optional)
+    # Only used if global nat_exit_ip is not set
+    # Set to "auto" to automatically detect public IP from ident.me
+    # Defaults to KURTOSIS_IP_ADDR_PLACEHOLDER (container IP)
+    nat_exit_ip: KURTOSIS_IP_ADDR_PLACEHOLDER
+
   # Validator client public port exposed to your local machine
   # Disabled by default
   # Public port start defaults to 34000
   # You can't run multiple enclaves on the same port settings
   vc:
     enabled: false
     public_port_start: 34000
+    # nat_exit_ip: IP address to expose for VC networking (optional)
+    # Only used if global nat_exit_ip is not set
+    # Set to "auto" to automatically detect public IP from ident.me
+    # Defaults to KURTOSIS_IP_ADDR_PLACEHOLDER (container IP)
+    nat_exit_ip: KURTOSIS_IP_ADDR_PLACEHOLDER
+
   # remote signer public port exposed to your local machine
   # Disabled by default
   # Public port start defaults to 35000
   # You can't run multiple enclaves on the same port settings
   remote_signer:
     enabled: false
     public_port_start: 35000
+    # nat_exit_ip: IP address to expose for remote signer networking (optional)
+    # Only used if global nat_exit_ip is not set
+    # Set to "auto" to automatically detect public IP from ident.me
+    # Defaults to KURTOSIS_IP_ADDR_PLACEHOLDER (container IP)
+    nat_exit_ip: KURTOSIS_IP_ADDR_PLACEHOLDER
+
   # Additional services public port exposed to your local machine
   # Disabled by default
   # Public port start defaults to 36000
   # You can't run multiple enclaves on the same port settings
   additional_services:
     enabled: false
     public_port_start: 36000
+    # nat_exit_ip: IP address to expose for additional services (optional)
+    # Only used if global nat_exit_ip is not set
+    # Set to "auto" to automatically detect public IP from ident.me
+    # Defaults to KURTOSIS_IP_ADDR_PLACEHOLDER (container IP)
+    nat_exit_ip: KURTOSIS_IP_ADDR_PLACEHOLDER
 
   # MEV public port exposed to your local machine
   # Disabled by default
@@ -1113,6 +1143,11 @@ port_publisher:
   mev:
     enabled: false
     public_port_start: 37000
+    # nat_exit_ip: IP address to expose for MEV services (optional)
+    # Only used if global nat_exit_ip is not set
+    # Set to "auto" to automatically detect public IP from ident.me
+    # Defaults to KURTOSIS_IP_ADDR_PLACEHOLDER (container IP)
+    nat_exit_ip: KURTOSIS_IP_ADDR_PLACEHOLDER
 
   # Other public port exposed to your local machine (like ethereum metrics exporter, snooper)
   # Disabled by default
@@ -1121,10 +1156,70 @@ port_publisher:
   other:
     enabled: false
     public_port_start: 38000
+    # nat_exit_ip: IP address to expose for other services (optional)
+    # Only used if global nat_exit_ip is not set
+    # Set to "auto" to automatically detect public IP from ident.me
+    # Defaults to KURTOSIS_IP_ADDR_PLACEHOLDER (container IP)
+    nat_exit_ip: KURTOSIS_IP_ADDR_PLACEHOLDER
 ```
 
 #### Example configurations
 
+<details>
+    <summary>Port Publisher Configuration Examples</summary>
+
+**Global NAT Exit IP (Backward Compatible)**
+```yaml
+port_publisher:
+  nat_exit_ip: "auto"  # All services use auto-detected public IP
+  el:
+    enabled: true
+    public_port_start: 32000
+  cl:
+    enabled: true
+    public_port_start: 33000
+  additional_services:
+    enabled: true
+    public_port_start: 36000
+```
+
+**Per-Service NAT Exit IP (Granular Control)**
+```yaml
+port_publisher:
+  nat_exit_ip: KURTOSIS_IP_ADDR_PLACEHOLDER  # Not set globally
+  el:
+    enabled: true
+    public_port_start: 32000
+    nat_exit_ip: "auto"  # Only EL uses public IP
+  cl:
+    enabled: true
+    public_port_start: 33000
+    nat_exit_ip: KURTOSIS_IP_ADDR_PLACEHOLDER  # CL uses container IP
+  additional_services:
+    enabled: true
+    public_port_start: 36000
+    nat_exit_ip: "192.168.1.100"  # Custom IP for additional services
+```
+
+**Mixed Configuration**
+```yaml
+port_publisher:
+  nat_exit_ip: KURTOSIS_IP_ADDR_PLACEHOLDER  # Not set globally
+  el:
+    enabled: true
+    public_port_start: 32000
+    nat_exit_ip: "auto"  # Auto-detect for EL
+  cl:
+    enabled: true
+    public_port_start: 33000
+    nat_exit_ip: "auto"  # Auto-detect for CL
+  additional_services:
+    enabled: true
+    public_port_start: 36000
+    # Uses default KURTOSIS_IP_ADDR_PLACEHOLDER for additional services
+```
+</details>
+
 <details>
     <summary>Verkle configuration example</summary>
 

network_params.yaml

@@ -227,3 +227,6 @@ port_publisher:
   mev:
     enabled: false
     public_port_start: 37000
+  other:
+    enabled: false
+    public_port_start: 38000

src/blobscan/blobscan_launcher.star

@@ -10,6 +10,22 @@ SECRET_KEY = "supersecure"
 WEB_HTTP_PORT_NUMBER = 3000
 API_HTTP_PORT_NUMBER = 3001
 
+
+def get_blobscan_api_host(blobscan_config, port_publisher):
+    if port_publisher.additional_services_enabled:
+        return port_publisher.additional_services_nat_exit_ip
+    return blobscan_config.ip_address
+
+
+def get_blobscan_api_port(blobscan_config, port_publisher):
+    if port_publisher.additional_services_enabled:
+        public_ports = shared_utils.get_public_ports_for_component(
+            "additional_services", port_publisher, 0
+        )
+        return public_ports[1]  # Second port for the API (first is web)
+    return blobscan_config.ports[constants.HTTP_PORT_ID].number
+
+
 WEB_PORTS = {
     constants.HTTP_PORT_ID: shared_utils.new_port_spec(
         WEB_HTTP_PORT_NUMBER,
@@ -116,7 +132,8 @@ def launch_blobscan(
     blobscan_config = plan.add_service(API_SERVICE_NAME, api_config)
 
     blobscan_api_url = "http://{0}:{1}".format(
-        blobscan_config.ip_address, blobscan_config.ports[constants.HTTP_PORT_ID].number
+        get_blobscan_api_host(blobscan_config, port_publisher),
+        get_blobscan_api_port(blobscan_config, port_publisher),
     )
 
     web_config = get_web_config(

src/blockscout/blockscout_launcher.star

@@ -9,6 +9,23 @@ SERVICE_NAME_FRONTEND = "blockscout-frontend"
 HTTP_PORT_NUMBER = 4000
 HTTP_PORT_NUMBER_VERIF = 8050
 HTTP_PORT_NUMBER_FRONTEND = 3000
+
+
+def get_api_host(blockscout_service, port_publisher):
+    if port_publisher.additional_services_enabled:
+        return port_publisher.additional_services_nat_exit_ip
+    return blockscout_service.ip_address
+
+
+def get_api_port(blockscout_service, port_publisher):
+    if port_publisher.additional_services_enabled:
+        public_ports = shared_utils.get_public_ports_for_component(
+            "additional_services", port_publisher, 0
+        )
+        return public_ports[0]  # First port for the API
+    return blockscout_service.ports["http"].number
+
+
 BLOCKSCOUT_MIN_CPU = 100
 BLOCKSCOUT_MAX_CPU = 1000
 BLOCKSCOUT_MIN_MEMORY = 1024
@@ -110,6 +127,7 @@ def launch_blockscout(
         network_params,
         global_node_selectors,
         blockscout_service,
+        port_publisher,
     )
     plan.add_service(SERVICE_NAME_FRONTEND, config_frontend)
     return blockscout_url
@@ -223,6 +241,7 @@ def get_config_frontend(
     network_params,
     node_selectors,
     blockscout_service,
+    port_publisher,
 ):
     return ServiceConfig(
         image=shared_utils.docker_cache_image_calc(
@@ -238,9 +257,9 @@ def get_config_frontend(
             "NEXT_PUBLIC_NETWORK_NAME": "Kurtosis",
             "NEXT_PUBLIC_NETWORK_ID": network_params.network_id,
             "NEXT_PUBLIC_NETWORK_RPC_URL": el_client_rpc_url,
-            "NEXT_PUBLIC_API_HOST": blockscout_service.ip_address
+            "NEXT_PUBLIC_API_HOST": get_api_host(blockscout_service, port_publisher)
             + ":"
-            + str(blockscout_service.ports["http"].number),
+            + str(get_api_port(blockscout_service, port_publisher)),
             "NEXT_PUBLIC_AD_BANNER_PROVIDER": "none",
             "NEXT_PUBLIC_AD_TEXT_PROVIDER": "none",
             "NEXT_PUBLIC_IS_TESTNET": "true",

src/cl/grandine/grandine_launcher.star

@@ -195,7 +195,7 @@ def get_beacon_config(
         "--eth1-rpc-urls=" + EXECUTION_ENGINE_ENDPOINT,
         # ENR
         "--disable-enr-auto-update",
-        "--enr-address=" + port_publisher.nat_exit_ip,
+        "--enr-address=" + port_publisher.cl_nat_exit_ip,
         "--enr-udp-port={0}".format(discovery_port_udp),
         "--enr-tcp-port={0}".format(discovery_port_tcp),
         # QUIC

src/cl/lighthouse/lighthouse_launcher.star

@@ -194,7 +194,7 @@ def get_beacon_config(
         "--suggested-fee-recipient=" + constants.VALIDATING_REWARDS_ACCOUNT,
         # ENR
         "--disable-enr-auto-update",
-        "--enr-address=" + port_publisher.nat_exit_ip,
+        "--enr-address=" + port_publisher.cl_nat_exit_ip,
         "--enr-tcp-port={0}".format(discovery_port_tcp),
         "--enr-udp-port={0}".format(discovery_port_udp),
         # QUIC

src/cl/lodestar/lodestar_launcher.star

@@ -172,7 +172,7 @@ def get_beacon_config(
         "--nat=true",
         "--jwt-secret=" + constants.JWT_MOUNT_PATH_ON_CONTAINER,
         # ENR
-        "--enr.ip=" + port_publisher.nat_exit_ip,
+        "--enr.ip=" + port_publisher.cl_nat_exit_ip,
         "--enr.tcp={0}".format(discovery_port_tcp),
         "--enr.udp={0}".format(discovery_port_udp),
         # QUIC

src/cl/nimbus/nimbus_launcher.star

@@ -204,7 +204,7 @@ def get_beacon_config(
         ),
         "--data-dir=" + BEACON_DATA_DIRPATH_ON_SERVICE_CONTAINER,
         "--web3-url=" + EXECUTION_ENGINE_ENDPOINT,
-        "--nat=extip:" + port_publisher.nat_exit_ip,
+        "--nat=extip:" + port_publisher.cl_nat_exit_ip,
         "--enr-auto-update=false",
         "--history={0}".format("archive" if constants.ARCHIVE_MODE else "prune"),
         "--rest",

src/cl/prysm/prysm_launcher.star

@@ -188,7 +188,7 @@ def get_beacon_config(
         "--http-host=0.0.0.0",
         "--http-cors-domain=*",
         "--http-port={0}".format(BEACON_HTTP_PORT_NUM),
-        "--p2p-host-ip=" + port_publisher.nat_exit_ip,
+        "--p2p-host-ip=" + port_publisher.cl_nat_exit_ip,
         "--p2p-tcp-port={0}".format(discovery_port_tcp),
         "--p2p-udp-port={0}".format(discovery_port_udp),
         "--p2p-quic-port={0}".format(discovery_port_quic),

src/cl/teku/teku_launcher.star

@@ -182,7 +182,7 @@ def get_beacon_config(
         ),
         "--p2p-enabled=true",
         "--p2p-peer-lower-bound={0}".format(MIN_PEERS),
-        "--p2p-advertised-ip=" + port_publisher.nat_exit_ip,
+        "--p2p-advertised-ip=" + port_publisher.cl_nat_exit_ip,
         "--p2p-discovery-site-local-addresses-enabled=true",
         "--p2p-port={0}".format(discovery_port_tcp),
         "--rest-api-enabled=true",

src/el/besu/besu_launcher.star

@@ -145,7 +145,7 @@ def get_config(
         "--rpc-ws-port={0}".format(WS_PORT_NUM),
         "--rpc-ws-api=ADMIN,CLIQUE,ETH,NET,DEBUG,TXPOOL,ENGINE,TRACE,WEB3",
         "--p2p-enabled=true",
-        "--p2p-host=" + port_publisher.nat_exit_ip,
+        "--p2p-host=" + port_publisher.el_nat_exit_ip,
         "--p2p-port={0}".format(discovery_port_tcp),
         "--engine-rpc-enabled=true",
         "--engine-jwt-secret=" + constants.JWT_MOUNT_PATH_ON_CONTAINER,

src/el/erigon/erigon_launcher.star

@@ -147,7 +147,7 @@ def get_config(
         "--http.vhosts=*",
         "--ws",
         "--allow-insecure-unlock",
-        "--nat=extip:" + port_publisher.nat_exit_ip,
+        "--nat=extip:" + port_publisher.el_nat_exit_ip,
         "--http",
         "--http.addr=0.0.0.0",
         "--http.corsdomain=*",

src/el/ethereumjs/ethereumjs_launcher.star

@@ -157,7 +157,7 @@ def get_config(
         "--wsEnginePort={0}".format(WS_PORT_ENGINE_NUM),
         "--wsEngineAddr=0.0.0.0",
         "--jwt-secret=" + constants.JWT_MOUNT_PATH_ON_CONTAINER,
-        "--extIP={0}".format(port_publisher.nat_exit_ip),
+        "--extIP={0}".format(port_publisher.el_nat_exit_ip),
         "--sync=full",
         "--isSingleNode=true",
         "--logLevel={0}".format(log_level),

src/el/geth/geth_launcher.star

@@ -189,7 +189,7 @@ def get_config(
         "--ws.api=admin,engine,net,eth,web3,debug,txpool",
         "--ws.origins=*",
         "--allow-insecure-unlock",
-        "--nat=extip:" + port_publisher.nat_exit_ip,
+        "--nat=extip:" + port_publisher.el_nat_exit_ip,
         "--authrpc.port={0}".format(ENGINE_RPC_PORT_NUM),
         "--authrpc.addr=0.0.0.0",
         "--authrpc.vhosts=*",

src/el/nethermind/nethermind_launcher.star

@@ -136,7 +136,7 @@ def get_config(
         "--JsonRpc.WebSocketsPort={0}".format(WS_PORT_NUM),
         "--JsonRpc.EngineHost=0.0.0.0",
         "--JsonRpc.EnginePort={0}".format(ENGINE_RPC_PORT_NUM),
-        "--Network.ExternalIp={0}".format(port_publisher.nat_exit_ip),
+        "--Network.ExternalIp={0}".format(port_publisher.el_nat_exit_ip),
         "--Network.DiscoveryPort={0}".format(discovery_port_tcp),
         "--Network.P2PPort={0}".format(discovery_port_tcp),
         "--JsonRpc.JwtSecretFile=" + constants.JWT_MOUNT_PATH_ON_CONTAINER,

src/el/nimbus-eth1/nimbus_launcher.star

@@ -140,7 +140,7 @@ def get_config(
         "--metrics",
         "--metrics-address=0.0.0.0",
         "--metrics-port={0}".format(METRICS_PORT_NUM),
-        "--nat=extip:{0}".format(port_publisher.nat_exit_ip),
+        "--nat=extip:{0}".format(port_publisher.el_nat_exit_ip),
         "--tcp-port={0}".format(discovery_port_tcp),
         "--udp-port={0}".format(discovery_port_udp),
     ]

src/el/reth/reth_launcher.star

@@ -184,7 +184,7 @@ def get_config(
             "--ws.port={0}".format(WS_PORT_NUM),
             "--ws.api=net,eth",
             "--ws.origins=*",
-            "--nat=extip:" + port_publisher.nat_exit_ip,
+            "--nat=extip:" + port_publisher.el_nat_exit_ip,
             "--authrpc.port={0}".format(ENGINE_RPC_PORT_NUM),
             "--authrpc.jwtsecret=" + constants.JWT_MOUNT_PATH_ON_CONTAINER,
             "--authrpc.addr=0.0.0.0",