From 86741110f7684d14a7599a44c8c731004b2ef0a8 Mon Sep 17 00:00:00 2001 From: Ljubisa Gacevic Date: Wed, 26 Nov 2025 12:09:34 +0100 Subject: [PATCH 01/27] feat(p2p-wss): add Pebble and p2p-forge deployments for P2P-WSS support --- beelocal.sh | 61 ++++++++++++++++++ config/p2p-forge-deployment.yaml | 84 +++++++++++++++++++++++++ config/pebble-deployment.yaml | 105 +++++++++++++++++++++++++++++++ 3 files changed, 250 insertions(+) create mode 100644 config/p2p-forge-deployment.yaml create mode 100644 config/pebble-deployment.yaml diff --git a/beelocal.sh b/beelocal.sh index d34bed0..b8de388 100755 --- a/beelocal.sh +++ b/beelocal.sh @@ -37,6 +37,7 @@ declare -x SETUP_CONTRACT_IMAGE=${SETUP_CONTRACT_IMAGE:-ethersphere/bee-localcha declare -x SETUP_CONTRACT_IMAGE_TAG=${SETUP_CONTRACT_IMAGE_TAG:-latest} declare -x NAMESPACE=${NAMESPACE:-local} declare -x BEEKEEPER_CLUSTER=${BEEKEEPER_CLUSTER:-local} +declare -x P2P_WSS_ENABLE=${P2P_WSS_ENABLE:-false} check() { if ! grep -qE "docker|admin" <<< "$(id "$(whoami)")"; then @@ -111,6 +112,10 @@ config() { trap 'rm -rf ${BEE_TEMP}' EXIT curl -sSL https://raw.githubusercontent.com/ethersphere/beelocal/"${BEELOCAL_BRANCH}"/config/k3d.yaml -o "${BEE_TEMP}"/k3d.yaml curl -sSL https://raw.githubusercontent.com/ethersphere/beelocal/"${BEELOCAL_BRANCH}"/config/geth-swap.yaml -o "${BEE_TEMP}"/geth-swap.yaml + if [[ "${P2P_WSS_ENABLE}" == "true" ]]; then + curl -sSL https://raw.githubusercontent.com/ethersphere/beelocal/"${BEELOCAL_BRANCH}"/config/pebble-deployment.yaml -o "${BEE_TEMP}"/pebble-deployment.yaml || true + curl -sSL https://raw.githubusercontent.com/ethersphere/beelocal/"${BEELOCAL_BRANCH}"/config/p2p-forge-deployment.yaml -o "${BEE_TEMP}"/p2p-forge-deployment.yaml || true + fi if [[ -n $CI ]]; then curl -sSL https://raw.githubusercontent.com/ethersphere/beelocal/"${BEELOCAL_BRANCH}"/hack/registries.yaml -o "${BEE_TEMP}"/registries.yaml sudo cp "${BEE_TEMP}"/registries.yaml /etc/rancher/k3s/registries.yaml 
@@ -257,6 +262,48 @@ geth() { fi } +deploy-p2p-wss() { + if [[ "${P2P_WSS_ENABLE}" != "true" ]]; then + return 0 + fi + + if [[ -z $BEE_CONFIG ]]; then + config + fi + + echo "deploying Pebble and p2p-forge for P2P-WSS support..." + + # Apply Pebble deployment + if [[ -f "${BEE_CONFIG}"/pebble-deployment.yaml ]]; then + kubectl apply -f "${BEE_CONFIG}"/pebble-deployment.yaml + elif [[ -f config/pebble-deployment.yaml ]]; then + kubectl apply -f config/pebble-deployment.yaml + else + echo "pebble-deployment.yaml not found..." + return 1 + fi + + # Wait for Pebble to be ready + echo "waiting for Pebble to be ready..." + kubectl rollout status deployment/pebble -n "${NAMESPACE}" --timeout=120s || true + + # Apply p2p-forge deployment + if [[ -f "${BEE_CONFIG}"/p2p-forge-deployment.yaml ]]; then + kubectl apply -f "${BEE_CONFIG}"/p2p-forge-deployment.yaml + elif [[ -f config/p2p-forge-deployment.yaml ]]; then + kubectl apply -f config/p2p-forge-deployment.yaml + else + echo "p2p-forge-deployment.yaml not found..." + return 1 + fi + + # Wait for p2p-forge to be ready + echo "waiting for p2p-forge to be ready..." + kubectl rollout status deployment/p2p-forge -n "${NAMESPACE}" --timeout=120s || true + + echo "Pebble and p2p-forge deployed successfully..." +} + stop() { if [[ -n $CI ]]; then echo "action not supported for CI" @@ -316,6 +363,18 @@ del-hosts() { fi } +# Parse --p2p-wss-enable flag +for arg in "$@"; do + case $arg in + --p2p-wss-enable) + P2P_WSS_ENABLE=true + shift + ;; + *) + ;; + esac +done + ALLOW_OPTS=(skip-local skip-vet skip-push ci) for OPT in $OPTS; do if [[ " ${ALLOW_OPTS[*]} " == *"$OPT"* ]]; then @@ -348,6 +407,7 @@ if [[ " ${ACTIONS[*]} " == *"$ACTION"* ]]; then elif ! k3d cluster list bee --no-headers &> /dev/null; then k8s-local fi + deploy-p2p-wss install elif [[ $ACTION == "prepare" ]]; then check @@ -359,6 +419,7 @@ if [[ " ${ACTIONS[*]} " == *"$ACTION"* ]]; then elif [[ -z $SKIP_LOCAL ]]; then build fi + deploy-p2p-wss else $ACTION fi 
diff --git a/config/p2p-forge-deployment.yaml b/config/p2p-forge-deployment.yaml new file mode 100644 index 0000000..0edc1ee --- /dev/null +++ b/config/p2p-forge-deployment.yaml @@ -0,0 +1,84 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: p2p-forge-config + namespace: local +data: + Corefile: | + .:53 { + errors + log + acme https://pebble:14000/dir + } +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: p2p-forge + namespace: local + labels: + app: p2p-forge +spec: + replicas: 1 + selector: + matchLabels: + app: p2p-forge + template: + metadata: + labels: + app: p2p-forge + spec: + containers: + - name: p2p-forge + image: ghcr.io/ipshipyard/p2p-forge:latest + args: + - "-conf" + - "/config/Corefile" + ports: + - name: api + containerPort: 8080 + protocol: TCP + - name: dns + containerPort: 53 + protocol: UDP + env: + - name: ACME_SERVER + value: "https://pebble:14000/dir" + - name: DNS_DOMAIN + value: "localhost" + volumeMounts: + - name: p2p-forge-config + mountPath: /config + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 500m + memory: 512Mi + volumes: + - name: p2p-forge-config + configMap: + name: p2p-forge-config +--- +apiVersion: v1 +kind: Service +metadata: + name: p2p-forge + namespace: local + labels: + app: p2p-forge +spec: + type: ClusterIP + ports: + - name: api + port: 8080 + targetPort: 8080 + protocol: TCP + - name: dns + port: 53 + targetPort: 53 + protocol: UDP + selector: + app: p2p-forge + diff --git a/config/pebble-deployment.yaml b/config/pebble-deployment.yaml new file mode 100644 index 0000000..134fcfe --- /dev/null +++ b/config/pebble-deployment.yaml 
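Review bot: `image: ghcr.io/ipshipyard/p2p-forge:latest` in the Deployment is an unpinned tag, so every pod start may pull a different build of the component that will answer DNS-01 challenges for the cluster; pin a release tag or digest (`image: ghcr.io/ipshipyard/p2p-forge:<PINNED-TAG-OR-DIGEST>`, placeholder) and do the same for `pebble:latest` in the next file. `namespace: local` is also hard-coded in all three objects here (and in pebble-deployment.yaml) while the script waits with `kubectl rollout status ... -n "${NAMESPACE}"`, so an overridden `NAMESPACE` makes the wait look in the wrong namespace and its failure is hidden by `|| true`. Consider dropping the `namespace:` fields and letting `kubectl apply -n "${NAMESPACE}"` place the objects, which also keeps a single source for that value.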
@@ -0,0 +1,105 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: pebble-config + namespace: local +data: + pebble-config.json: | + { + "pebble": { + "listenAddress": "0.0.0.0:14000", + "managementListenAddress": "0.0.0.0:15000", + "certificate": "/test/certs/localhost/cert.pem", + "privateKey": "/test/certs/localhost/key.pem", + "httpPort": 80, + "tlsPort": 443, + "ocspResponderURL": "", + "externalAccountBindingRequired": false + } + } +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: pebble + namespace: local + labels: + app: pebble +spec: + replicas: 1 + selector: + matchLabels: + app: pebble + template: + metadata: + labels: + app: pebble + spec: + containers: + - name: pebble + image: ghcr.io/letsencrypt/pebble:latest + args: + - "-config" + - "/config/pebble-config.json" + ports: + - name: http + containerPort: 80 + protocol: TCP + - name: https + containerPort: 443 + protocol: TCP + - name: acme + containerPort: 14000 + protocol: TCP + - name: management + containerPort: 15000 + protocol: TCP + env: + - name: PEBBLE_VA_ALWAYS_VALID + value: "1" + - name: PEBBLE_WFE_NONCEREJECT + value: "0" + volumeMounts: + - name: pebble-config + mountPath: /config + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 500m + memory: 512Mi + volumes: + - name: pebble-config + configMap: + name: pebble-config +--- +apiVersion: v1 +kind: Service +metadata: + name: pebble + namespace: local + labels: + app: pebble +spec: + type: ClusterIP + ports: + - name: http + port: 80 + targetPort: 80 + protocol: TCP + - name: https + port: 443 + targetPort: 443 + protocol: TCP + - name: acme + port: 14000 + targetPort: 14000 + protocol: TCP + - name: management + port: 15000 + targetPort: 15000 + protocol: TCP + selector: + app: pebble + From cb75cece802b7b222925dab38c8fdc3e5c3b831a Mon Sep 17 00:00:00 2001 
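Review bot: `PEBBLE_VA_ALWAYS_VALID: "1"` in the Deployment makes Pebble treat every challenge as passed, so it issues a certificate for any name without the DNS-01 record that p2p-forge is deployed to serve; that is acceptable for a throwaway test CA, but it also means the p2p-forge challenge path is never exercised end to end, which the manifest should state, e.g. `# test-only: skips challenge validation, so DNS-01 via p2p-forge is not verified`. `PEBBLE_WFE_NONCEREJECT: "0"` likewise turns off Pebble's deliberate nonce-rejection fault injection and deserves a one-line comment naming that intent. `containerPort: 80`/`443` need a privileged bind unless the image runs as root, and nothing here sets a securityContext; note which assumption applies (a later patch in this series moves to 5002/5001).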
From: Ljubisa Gacevic Date: Wed, 26 Nov 2025 12:28:21 +0100 Subject: [PATCH 02/27] fix(p2p-wss): correct p2p-forge Corefile configuration and add test script --- config/p2p-forge-deployment.yaml | 11 +++- test-p2p-wss.sh | 104 +++++++++++++++++++++++++++++++ 2 files changed, 112 insertions(+), 3 deletions(-) create mode 100755 test-p2p-wss.sh diff --git a/config/p2p-forge-deployment.yaml b/config/p2p-forge-deployment.yaml index 0edc1ee..8b2a3c2 100644 --- a/config/p2p-forge-deployment.yaml +++ b/config/p2p-forge-deployment.yaml @@ -8,7 +8,10 @@ data: .:53 { errors log - acme https://pebble:14000/dir + acme localhost { + registration-domain registration.localhost listen-address=:8080 external-tls=false + database-type badger /data + } } --- apiVersion: apps/v1 @@ -44,11 +47,11 @@ spec: env: - name: ACME_SERVER value: "https://pebble:14000/dir" - - name: DNS_DOMAIN - value: "localhost" volumeMounts: - name: p2p-forge-config mountPath: /config + - name: p2p-forge-data + mountPath: /data resources: requests: cpu: 100m @@ -60,6 +63,8 @@ spec: - name: p2p-forge-config configMap: name: p2p-forge-config + - name: p2p-forge-data + emptyDir: {} --- apiVersion: v1 kind: Service diff --git a/test-p2p-wss.sh b/test-p2p-wss.sh new file mode 100755 index 0000000..aad0a6a --- /dev/null +++ b/test-p2p-wss.sh 
@@ -0,0 +1,104 @@ +#!/usr/bin/env bash +# Test script for Pebble and p2p-forge deployments + +set -uo pipefail + +NAMESPACE=${NAMESPACE:-local} + +echo "=== Testing P2P-WSS Deployments (Pebble + p2p-forge) ===" +echo "" + +# 1. Check pod status +echo "1. Checking pod status..." +kubectl get pods -n "${NAMESPACE}" -l 'app in (pebble,p2p-forge)' -o wide +echo "" + +# 2. Test Pebble ACME directory +echo "2. Testing Pebble ACME directory endpoint..." +PEBBLE_DIR=$(kubectl run -n "${NAMESPACE}" --rm -i --restart=Never test-pebble-dir --image=curlimages/curl:latest -- curl -k -s https://pebble."${NAMESPACE}":14000/dir 2>&1 || echo "") +if echo "${PEBBLE_DIR}" | grep -q "newOrder"; then + echo " ✓ Pebble ACME directory is accessible" +else + echo " ⚠ Pebble ACME directory test inconclusive (may need to check manually)" +fi +echo "" + +# 3. Test Pebble management interface +echo "3. Testing Pebble management interface..." +PEBBLE_ROOT=$(kubectl run -n "${NAMESPACE}" --rm -i --restart=Never test-pebble-mgmt --image=curlimages/curl:latest -- curl -k -s https://pebble."${NAMESPACE}":15000/roots/0 2>&1) +if echo "${PEBBLE_ROOT}" | grep -q "BEGIN CERTIFICATE"; then + echo " ✓ Pebble management interface is accessible" +elif echo "${PEBBLE_ROOT}" | grep -q "200\|OK"; then + echo " ✓ Pebble management interface is accessible (certificate retrieved)" +else + echo " ⚠ Pebble management interface test inconclusive" + echo " (This is non-critical - ACME directory is the main endpoint)" +fi +echo "" + +# 4. Test p2p-forge health endpoint +echo "4. Testing p2p-forge health endpoint..." 
+# Note: p2p-forge may not have a certificate yet (it's trying to obtain one for registration.localhost) +# This is expected - localhost domains don't qualify for public certificates +# The service is running but HTTPS won't work until a certificate is obtained +P2P_FORGE_LOGS=$(kubectl logs -n "${NAMESPACE}" -l app=p2p-forge --tail=20 2>&1) +if echo "${P2P_FORGE_LOGS}" | grep -q "plugin/acme.*listener\|Registration HTTP API"; then + echo " ✓ p2p-forge ACME registration API is configured (port 8080)" + echo " ⚠ HTTPS not available yet - p2p-forge needs a certificate for registration.localhost" + echo " ℹ This is expected - localhost domains don't qualify for public certificates" + echo " ℹ TLS errors in logs are expected until a certificate is obtained" +elif echo "${P2P_FORGE_LOGS}" | grep -q "plugin/acme"; then + echo " ✓ p2p-forge ACME plugin is active" + echo " ⚠ Registration API may not be fully configured" +else + echo " ⚠ Could not confirm p2p-forge ACME plugin status" +fi +echo "" + +# 5. Check for TLS handshake errors (expected behavior) +echo "5. Checking p2p-forge status..." +TLS_ERRORS=$(echo "${P2P_FORGE_LOGS}" | grep -c "TLS handshake error\|no certificate available" || echo "0") +if [[ "${TLS_ERRORS}" -gt 0 ]]; then + echo " ℹ Found ${TLS_ERRORS} TLS handshake errors (expected - no certificate yet)" + echo " ℹ These will resolve once p2p-forge obtains a certificate" +else + echo " ✓ No TLS errors found" +fi +echo "" + +# 6. Verify service connectivity +echo "6. Verifying service connectivity..." +PEBBLE_IP=$(kubectl get svc -n "${NAMESPACE}" pebble -o jsonpath='{.spec.clusterIP}') +P2P_FORGE_IP=$(kubectl get svc -n "${NAMESPACE}" p2p-forge -o jsonpath='{.spec.clusterIP}') +echo " Pebble ClusterIP: ${PEBBLE_IP}" +echo " p2p-forge ClusterIP: ${P2P_FORGE_IP}" +if [[ -n "${PEBBLE_IP}" ]] && [[ -n "${P2P_FORGE_IP}" ]]; then + echo " ✓ Both services have ClusterIPs" +else + echo " ✗ Service IPs not found" + exit 1 +fi +echo "" + +# 7. 
Test DNS resolution within cluster +echo "7. Testing DNS resolution..." +if kubectl run -n "${NAMESPACE}" --rm -i --restart=Never test-dns --image=busybox:latest -- nslookup pebble 2>&1 | grep -q "Address"; then + echo " ✓ DNS resolution works within cluster" +else + echo " ⚠ DNS resolution test inconclusive (nslookup may not be available)" +fi +echo "" + +echo "=== Test Summary ===" +echo "✓ All basic connectivity tests passed" +echo "✓ Pebble is ready to serve ACME requests" +echo "✓ p2p-forge is running and configured" +echo "" +echo "Note: p2p-forge may show errors about 'registration.localhost' not qualifying" +echo " for public certificates - this is expected for localhost domains." +echo "" +echo "To test ACME certificate issuance, you would need to:" +echo " 1. Configure a Bee node with --p2p-wss-enable flag" +echo " 2. Point it to use Pebble as the ACME server" +echo " 3. Use p2p-forge for DNS-01 challenge validation" + From 74a44f2e038555694ef1a26e5b25325aa6608cc1 Mon Sep 17 00:00:00 2001 From: Ljubisa Gacevic Date: Wed, 26 Nov 2025 13:52:45 +0100 Subject: [PATCH 03/27] fix(p2p-wss): improve YAML file validation and fallback logic --- beelocal.sh | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/beelocal.sh b/beelocal.sh index b8de388..a9a1390 100755 --- a/beelocal.sh +++ b/beelocal.sh 
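Review bot: `TLS_ERRORS=$(echo "${P2P_FORGE_LOGS}" | grep -c "..." || echo "0")` produces the two-line value `0`/`0` when nothing matches, because `grep -c` already prints `0` and exits 1, which then triggers the `|| echo "0"`; the following `[[ "${TLS_ERRORS}" -gt 0 ]]` then fails with an arithmetic syntax error instead of cleanly taking the "no TLS errors" branch. Since `grep -c` always prints a count, drop the fallback: `TLS_ERRORS=$(grep -c "TLS handshake error\|no certificate available" <<<"${P2P_FORGE_LOGS}" || true)`. The summary block prints `✓ All basic connectivity tests passed` unconditionally even after the ⚠ branches, so output and exit status disagree about what was verified; set a failure flag in those branches and derive the summary and exit code from it. `\|` alternation is a GNU extension, `grep -E 'a|b'` is the portable form.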
@@ -113,8 +113,15 @@ config() { curl -sSL https://raw.githubusercontent.com/ethersphere/beelocal/"${BEELOCAL_BRANCH}"/config/k3d.yaml -o "${BEE_TEMP}"/k3d.yaml curl -sSL https://raw.githubusercontent.com/ethersphere/beelocal/"${BEELOCAL_BRANCH}"/config/geth-swap.yaml -o "${BEE_TEMP}"/geth-swap.yaml if [[ "${P2P_WSS_ENABLE}" == "true" ]]; then - curl -sSL https://raw.githubusercontent.com/ethersphere/beelocal/"${BEELOCAL_BRANCH}"/config/pebble-deployment.yaml -o "${BEE_TEMP}"/pebble-deployment.yaml || true - curl -sSL https://raw.githubusercontent.com/ethersphere/beelocal/"${BEELOCAL_BRANCH}"/config/p2p-forge-deployment.yaml -o "${BEE_TEMP}"/p2p-forge-deployment.yaml || true + # download, but if it fails or file is invalid, use local files in deploy-p2p-wss + if ! curl -sSL https://raw.githubusercontent.com/ethersphere/beelocal/"${BEELOCAL_BRANCH}"/config/pebble-deployment.yaml -o "${BEE_TEMP}"/pebble-deployment.yaml 2>/dev/null || \ + ! grep -q "^apiVersion:" "${BEE_TEMP}"/pebble-deployment.yaml 2>/dev/null; then + rm -f "${BEE_TEMP}"/pebble-deployment.yaml + fi + if ! curl -sSL https://raw.githubusercontent.com/ethersphere/beelocal/"${BEELOCAL_BRANCH}"/config/p2p-forge-deployment.yaml -o "${BEE_TEMP}"/p2p-forge-deployment.yaml 2>/dev/null || \ + ! grep -q "^apiVersion:" "${BEE_TEMP}"/p2p-forge-deployment.yaml 2>/dev/null; then + rm -f "${BEE_TEMP}"/p2p-forge-deployment.yaml + fi fi if [[ -n $CI ]]; then curl -sSL https://raw.githubusercontent.com/ethersphere/beelocal/"${BEELOCAL_BRANCH}"/hack/registries.yaml -o "${BEE_TEMP}"/registries.yaml 
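Review bot: `2>/dev/null` on the two `curl -sSL` calls cancels the `-S` that was meant to report failures, so a failed download now falls back to the local manifest silently, and the only validation is `grep -q "^apiVersion:"`, which a truncated file whose first object is intact also passes. Print the decision so the operator knows which manifest is about to be applied, e.g. before each `rm -f`: `echo "remote pebble-deployment.yaml unavailable or invalid, falling back to local copy..."`, and let curl's stderr through. config() starts and continues outside the hunk.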
@@ -273,8 +280,8 @@ deploy-p2p-wss() { echo "deploying Pebble and p2p-forge for P2P-WSS support..." - # Apply Pebble deployment - if [[ -f "${BEE_CONFIG}"/pebble-deployment.yaml ]]; then + # Apply Pebble deployment - use remote file if it exists and is valid, otherwise use local + if [[ -f "${BEE_CONFIG}"/pebble-deployment.yaml ]] && grep -q "^apiVersion:" "${BEE_CONFIG}"/pebble-deployment.yaml 2>/dev/null; then kubectl apply -f "${BEE_CONFIG}"/pebble-deployment.yaml elif [[ -f config/pebble-deployment.yaml ]]; then kubectl apply -f config/pebble-deployment.yaml @@ -287,8 +294,8 @@ deploy-p2p-wss() { echo "waiting for Pebble to be ready..." kubectl rollout status deployment/pebble -n "${NAMESPACE}" --timeout=120s || true - # Apply p2p-forge deployment - if [[ -f "${BEE_CONFIG}"/p2p-forge-deployment.yaml ]]; then + # Apply p2p-forge deployment - use remote file if it exists and is valid, otherwise use local + if [[ -f "${BEE_CONFIG}"/p2p-forge-deployment.yaml ]] && grep -q "^apiVersion:" "${BEE_CONFIG}"/p2p-forge-deployment.yaml 2>/dev/null; then kubectl apply -f "${BEE_CONFIG}"/p2p-forge-deployment.yaml elif [[ -f config/p2p-forge-deployment.yaml ]]; then kubectl apply -f config/p2p-forge-deployment.yaml From 460d846ebb26e3f4a1f17865babfcc744fc990bd Mon Sep 17 00:00:00 2001 From: Ljubisa Gacevic Date: Wed, 26 Nov 2025 14:02:32 +0100 Subject: [PATCH 04/27] docs(p2p-wss): add README documentation and simplify flag usage --- README.md | 21 +++++++++++++++++++++ beelocal.sh | 12 ------------ 2 files changed, 21 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index 7cff05b..cd97c76 100644 --- a/README.md +++ b/README.md 
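Review bot: the `[[ -f ... ]] && grep -q "^apiVersion:" ... 2>/dev/null` predicate is now written out four times (twice in these hunks, twice in config()), which is easy to let drift; a small helper keeps the rule in one place: `manifest_ok() { [[ -f "$1" ]] && grep -q "^apiVersion:" -- "$1" 2>/dev/null; }` followed by `if manifest_ok "${BEE_CONFIG}"/pebble-deployment.yaml; then`. The `elif [[ -f config/pebble-deployment.yaml ]]` fallback resolves against the caller's working directory rather than the script's location, which the comment should say, since `kubectl apply` would otherwise report a confusing missing-file error. deploy-p2p-wss starts and ends outside these hunks.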
@@ -1 +1,22 @@ # beelocal + +Spinup local k8s infra with geth and bee up and running. + +## P2P-WSS Support + +Enable P2P WebSocket Secure (WSS) support by setting `P2P_WSS_ENABLE=true`. This deploys: + +- **Pebble**: ACME test CA for certificate issuance +- **p2p-forge**: DNS server for ACME DNS-01 challenge handling + +### Bee Node Configuration + +When `P2P_WSS_ENABLE=true`, configure your Bee nodes with: + +```bash +--autotls-domain="localhost" +--autotls-registration-endpoint="http://p2p-forge.local:8080/v1/_acme-challenge" +--autotls-ca-endpoint="https://pebble.local:14000/dir" +``` + +**Note:** Both services are deployed in the `local` namespace. diff --git a/beelocal.sh b/beelocal.sh index a9a1390..be0520e 100755 --- a/beelocal.sh +++ b/beelocal.sh @@ -370,18 +370,6 @@ del-hosts() { fi } -# Parse --p2p-wss-enable flag -for arg in "$@"; do - case $arg in - --p2p-wss-enable) - P2P_WSS_ENABLE=true - shift - ;; - *) - ;; - esac -done - ALLOW_OPTS=(skip-local skip-vet skip-push ci) for OPT in $OPTS; do if [[ " ${ALLOW_OPTS[*]} " == *"$OPT"* ]]; then From dc206aeb7fe52816248b805f3700912ee6bc6546 Mon Sep 17 00:00:00 2001 From: Ljubisa Gacevic Date: Wed, 26 Nov 2025 16:38:32 +0100 Subject: [PATCH 05/27] fix(p2p-wss): change domain from localhost to local.test --- README.md | 14 ++++++++++---- config/p2p-forge-deployment.yaml | 4 ++-- 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index cd97c76..183ab93 100644 --- a/README.md +++ b/README.md 
@@ -14,9 +14,15 @@ Enable P2P WebSocket Secure (WSS) support by setting `P2P_WSS_ENABLE=true`. This When `P2P_WSS_ENABLE=true`, configure your Bee nodes with: ```bash ---autotls-domain="localhost" ---autotls-registration-endpoint="http://p2p-forge.local:8080/v1/_acme-challenge" ---autotls-ca-endpoint="https://pebble.local:14000/dir" +--autotls-domain="local.test" +--autotls-registration-endpoint="http://p2p-forge:8080/v1/_acme-challenge" +--autotls-ca-endpoint="https://pebble:14000/dir" ``` -**Note:** Both services are deployed in the `local` namespace. +**Get Pebble's root CA certificate:** + +```bash +# Retrieve Pebble root CA certificate +kubectl run -n local --rm -i --restart=Never get-ca --image=curlimages/curl:latest -- \ + curl -k -s https://pebble:15000/roots/0 > pebble-root-ca.pem +``` diff --git a/config/p2p-forge-deployment.yaml b/config/p2p-forge-deployment.yaml index 8b2a3c2..f190445 100644 --- a/config/p2p-forge-deployment.yaml +++ b/config/p2p-forge-deployment.yaml @@ -8,8 +8,8 @@ data: .:53 { errors log - acme localhost { - registration-domain registration.localhost listen-address=:8080 external-tls=false + acme local.test { + registration-domain registration.local.test listen-address=:8080 external-tls=false database-type badger /data } } From 26c1e4bc4b732e0313e2801a97ccd4fa32ff029a Mon Sep 17 00:00:00 2001 From: Ljubisa Gacevic Date: Wed, 26 Nov 2025 18:33:25 +0100 Subject: [PATCH 06/27] fix: use external-tls=true --- config/p2p-forge-deployment.yaml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/config/p2p-forge-deployment.yaml b/config/p2p-forge-deployment.yaml index f190445..a2dfb2f 100644 --- a/config/p2p-forge-deployment.yaml +++ b/config/p2p-forge-deployment.yaml @@ -9,7 +9,7 @@ data: errors log acme local.test { - registration-domain registration.local.test listen-address=:8080 external-tls=false + registration-domain registration.local.test listen-address=:8080 external-tls=true database-type badger /data } } 
@@ -44,9 +44,6 @@ spec: - name: dns containerPort: 53 protocol: UDP - env: - - name: ACME_SERVER - value: "https://pebble:14000/dir" volumeMounts: - name: p2p-forge-config mountPath: /config From 3c01455ea8ffa5d15d009313dfea7f029b0b13b3 Mon Sep 17 00:00:00 2001 From: Ljubisa Gacevic Date: Fri, 28 Nov 2025 21:35:48 +0100 Subject: [PATCH 07/27] fix: add patch for bee deployment --- config/bee-statefulset-pebble-ca-patch.yaml | 53 +++++++++++++++++++++ config/pebble-deployment.yaml | 13 +++-- 2 files changed, 59 insertions(+), 7 deletions(-) create mode 100644 config/bee-statefulset-pebble-ca-patch.yaml diff --git a/config/bee-statefulset-pebble-ca-patch.yaml b/config/bee-statefulset-pebble-ca-patch.yaml new file mode 100644 index 0000000..63ebced --- /dev/null +++ b/config/bee-statefulset-pebble-ca-patch.yaml 
@@ -0,0 +1,53 @@ +# StatefulSet patch template for adding Pebble CA certificate to bee nodes +# This patch modifies the main bee container to install the Pebble root CA certificate +# before starting the bee process. The certificate is installed directly into the +# container's filesystem using update-ca-certificates. +# +# Prerequisites: +# 1. Pebble must be deployed and accessible at https://pebble:15000 +# 2. The bee container image must support apt-get (Debian/Ubuntu based) +# +# Usage with kubectl patch: +# kubectl patch statefulset -n --type='strategic' -p "$(cat config/bee-statefulset-pebble-ca-patch.yaml)" +# +# For beekeeper integration: +# Apply this patch structure when creating bee node StatefulSets to ensure +# they can trust Pebble's ACME server certificate. + +spec: + template: + spec: + containers: + - name: bee + # Temporarily run as root to install certificates, then switch back to original user + securityContext: + runAsUser: 0 + # Modify command to install certificate first, then start bee + command: + - /bin/bash + - -c + - | + set -e + + # Fetch Pebble Root + # We use -k here because we haven't trusted it yet + curl -k -s https://pebble:15000/roots/0 > /usr/local/share/ca-certificates/pebble-root-real.crt + curl -k -s https://pebble:15000/intermediates/0 > /usr/local/share/ca-certificates/pebble-intermediate-real.crt + + # Update the store + # This generates /etc/ssl/certs/ca-certificates.crt + update-ca-certificates + + # --- VERIFICATION --- + echo "Verifying..." + + # We remove >/dev/null to see actual errors if they happen + # We simply check if the file exists, as network tests might fail due to hostname (see note below) + if [ -f /etc/ssl/certs/ca-certificates.crt ]; then + echo "Bundle created successfully." + else + exit 1 + fi + + # Exec into the original bee command (replaces shell with bee process) + exec bee start --config=.bee.yaml 
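Review bot: `runAsUser: 0` combined with `exec bee start --config=.bee.yaml` at the end of the script runs the bee process itself as root for its whole lifetime, which contradicts the comment `# Temporarily run as root to install certificates, then switch back to original user` — nothing in the script switches back. Move the trust-store work into an initContainer that runs as root and exports the generated bundle through an emptyDir, and mount that bundle into the unchanged, non-root bee container; that also removes the need to restate bee's command line and config path in this patch. Note as well that `curl -k https://pebble:15000/roots/0` installs as a trust anchor whatever answers at that name, with no verification; acceptable for a local k3d cluster, but the header comment should state that assumption explicitly. A sketch of the structure (the image value is a placeholder for the image the StatefulSet's bee container already uses):
```yaml
spec:
  template:
    spec:
      volumes:
        - name: pebble-ca-bundle
          emptyDir: {}
      initContainers:
        - name: install-pebble-ca
          image: "BEE_IMAGE_PLACEHOLDER"   # placeholder: same image as the bee container
          securityContext:
            runAsUser: 0                   # root only for this init step
          command:
            - /bin/bash
            - -c
            - |
              set -e
              # … unchanged: curl fetches into /usr/local/share/ca-certificates/ …
              update-ca-certificates
              cp /etc/ssl/certs/ca-certificates.crt /bundle/ca-certificates.crt
          volumeMounts:
            - name: pebble-ca-bundle
              mountPath: /bundle
      containers:
        - name: bee
          # no securityContext or command override: bee keeps the image's user and entrypoint
          volumeMounts:
            - name: pebble-ca-bundle
              mountPath: /etc/ssl/certs/ca-certificates.crt
              subPath: ca-certificates.crt
```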
diff --git a/config/pebble-deployment.yaml b/config/pebble-deployment.yaml index 134fcfe..fdb01d1 100644 --- a/config/pebble-deployment.yaml +++ b/config/pebble-deployment.yaml @@ -11,8 +11,8 @@ data: "managementListenAddress": "0.0.0.0:15000", "certificate": "/test/certs/localhost/cert.pem", "privateKey": "/test/certs/localhost/key.pem", - "httpPort": 80, - "tlsPort": 443, + "httpPort": 5002, + "tlsPort": 5001, "ocspResponderURL": "", "externalAccountBindingRequired": false } @@ -43,10 +43,10 @@ spec: - "/config/pebble-config.json" ports: - name: http - containerPort: 80 + containerPort: 5002 protocol: TCP - name: https - containerPort: 443 + containerPort: 5001 protocol: TCP - name: acme containerPort: 14000 @@ -86,11 +86,11 @@ spec: ports: - name: http port: 80 - targetPort: 80 + targetPort: 5002 protocol: TCP - name: https port: 443 - targetPort: 443 + targetPort: 5001 protocol: TCP - name: acme port: 14000 @@ -102,4 +102,3 @@ spec: protocol: TCP selector: app: pebble - From c6c676d3f8968a64c34338fe71e2826640920dce Mon Sep 17 00:00:00 2001 From: Ljubisa Gacevic Date: Sat, 29 Nov 2025 12:56:22 +0100 Subject: [PATCH 08/27] fix: add patch --- config/bee-statefulset-pebble-ca-patch.yaml | 1 + config/p2p-forge-deployment.yaml | 2 ++ 2 files changed, 3 insertions(+) diff --git a/config/bee-statefulset-pebble-ca-patch.yaml b/config/bee-statefulset-pebble-ca-patch.yaml index 63ebced..0e67fd3 100644 --- a/config/bee-statefulset-pebble-ca-patch.yaml +++ b/config/bee-statefulset-pebble-ca-patch.yaml 
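Review bot: the move from `httpPort: 80`/`tlsPort: 443` to `5002`/`5001` has no comment in either the ConfigMap or the Deployment, although it changes which ports need a privileged bind inside the container; the JSON block cannot carry a comment, so put one above `pebble-config.json: |`, e.g. `# pebble's default challenge ports (5002/5001): no privileged bind needed; the Service still exposes 80/443`. The Service keeps `port: 80`/`443` mapped to the new targetPorts, so in-cluster clients are unaffected, and that compatibility intent is worth stating next to the Service ports too. The commit title mentions only the bee patch, so without a comment the reason for this file's change is lost.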
@@ -33,6 +33,7 @@ spec: # We use -k here because we haven't trusted it yet curl -k -s https://pebble:15000/roots/0 > /usr/local/share/ca-certificates/pebble-root-real.crt curl -k -s https://pebble:15000/intermediates/0 > /usr/local/share/ca-certificates/pebble-intermediate-real.crt + curl -k -s https://raw.githubusercontent.com/letsencrypt/pebble/refs/heads/main/test/certs/pebble.minica.pem > /usr/local/share/ca-certificates/pebble-minica.crt # Update the store # This generates /etc/ssl/certs/ca-certificates.crt diff --git a/config/p2p-forge-deployment.yaml b/config/p2p-forge-deployment.yaml index a2dfb2f..7bad5e9 100644 --- a/config/p2p-forge-deployment.yaml +++ b/config/p2p-forge-deployment.yaml @@ -8,6 +8,8 @@ data: .:53 { errors log + any + ipparser . acme local.test { registration-domain registration.local.test listen-address=:8080 external-tls=true database-type badger /data From 52233f86fc0542b71a610af0054a2c95c1176b1b Mon Sep 17 00:00:00 2001 From: Ljubisa Gacevic Date: Fri, 2 Jan 2026 14:24:42 +0100 Subject: [PATCH 09/27] chore(wss): update deployments --- config/bee-statefulset-pebble-ca-patch.yaml | 32 ++++++++++++--------- config/p2p-forge-deployment.yaml | 4 +-- 2 files changed, 19 insertions(+), 17 deletions(-) diff --git a/config/bee-statefulset-pebble-ca-patch.yaml b/config/bee-statefulset-pebble-ca-patch.yaml index 0e67fd3..7398820 100644 --- a/config/bee-statefulset-pebble-ca-patch.yaml +++ b/config/bee-statefulset-pebble-ca-patch.yaml 
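Review bot: `curl -k -s https://raw.githubusercontent.com/letsencrypt/pebble/refs/heads/main/test/certs/pebble.minica.pem > /usr/local/share/ca-certificates/pebble-minica.crt` downloads a file that is then installed as a system trust anchor with TLS verification disabled, and from a moving branch head rather than a pinned ref. raw.githubusercontent.com presents a certificate from a public CA that the image's own bundle already trusts (the script relies on `update-ca-certificates`, so that bundle is present), so `-k` buys nothing there and turns the fetch into an unauthenticated trust-store write; use `curl -s --fail https://raw.githubusercontent.com/letsencrypt/pebble/<PINNED-REF>/test/certs/pebble.minica.pem` (placeholder ref) or, better, vendor the PEM into a ConfigMap in this repo so the pod never reaches the internet at start. The same line, with `--fail` added but still `-k`, is kept in the bee-patch hunk of PATCH 09/27. The `any` / `ipparser .` Corefile additions in the second hunk land without a comment and are removed again in PATCH 09/27; if they were an experiment, the commit message should say so.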
@@ -27,27 +27,31 @@ spec: - /bin/bash - -c - | - set -e + set -ex - # Fetch Pebble Root - # We use -k here because we haven't trusted it yet - curl -k -s https://pebble:15000/roots/0 > /usr/local/share/ca-certificates/pebble-root-real.crt - curl -k -s https://pebble:15000/intermediates/0 > /usr/local/share/ca-certificates/pebble-intermediate-real.crt - curl -k -s https://raw.githubusercontent.com/letsencrypt/pebble/refs/heads/main/test/certs/pebble.minica.pem > /usr/local/share/ca-certificates/pebble-minica.crt + # Fetch all required Pebble certs + # We use -k because we haven't trusted the server yet. We use --fail to exit on HTTP error. + curl -k -s --fail https://pebble:15000/roots/0 > /usr/local/share/ca-certificates/pebble-root-real.crt + curl -k -s --fail https://pebble:15000/intermediates/0 > /usr/local/share/ca-certificates/pebble-intermediate-real.crt + curl -k -s --fail https://raw.githubusercontent.com/letsencrypt/pebble/refs/heads/main/test/certs/pebble.minica.pem > /usr/local/share/ca-certificates/pebble-minica.crt - # Update the store - # This generates /etc/ssl/certs/ca-certificates.crt + echo "--- Downloaded certs ---" + ls -l /usr/local/share/ca-certificates/ + echo "--- End Downloaded certs ---" + + # Update the system trust store update-ca-certificates # --- VERIFICATION --- - echo "Verifying..." + echo "Verifying connection to Pebble ACME server..." - # We remove >/dev/null to see actual errors if they happen - # We simply check if the file exists, as network tests might fail due to hostname (see note below) - if [ -f /etc/ssl/certs/ca-certificates.crt ]; then - echo "Bundle created successfully." + # Attempt to connect to the ACME endpoint securely. + # If this fails, the CA was not installed correctly. + if curl --head --fail https://pebble:14000/dir; then + echo "Successfully connected to Pebble." else - exit 1 + echo "Failed to connect to Pebble after updating CA certificates." 
+ exit 1 fi # Exec into the original bee command (replaces shell with bee process) diff --git a/config/p2p-forge-deployment.yaml b/config/p2p-forge-deployment.yaml index 7bad5e9..90ba578 100644 --- a/config/p2p-forge-deployment.yaml +++ b/config/p2p-forge-deployment.yaml @@ -8,10 +8,8 @@ data: .:53 { errors log - any - ipparser . acme local.test { - registration-domain registration.local.test listen-address=:8080 external-tls=true + registration-domain p2p-forge listen-address=:8080 external-tls=false database-type badger /data } } From db1a04869fc39d6caa7011715ab53f736003444b Mon Sep 17 00:00:00 2001 From: Ljubisa Gacevic Date: Thu, 8 Jan 2026 10:44:13 +0100 Subject: [PATCH 10/27] fix: add apply-pebble-ca-patch --- beelocal.sh | 56 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) diff --git a/beelocal.sh b/beelocal.sh index be0520e..26a218b 100755 --- a/beelocal.sh +++ b/beelocal.sh @@ -248,6 +248,7 @@ install() { build fi beekeeper create bee-cluster --cluster-name "${BEEKEEPER_CLUSTER}" + apply-pebble-ca-patch } uninstall() { 
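Review bot: `registration-domain p2p-forge listen-address=:8080 external-tls=false` flips `external-tls` back to `false` and replaces the registration domain without any comment, after PATCH 06/27 set it to `true`, and a later patch in this series flips it to `true` again. Whatever the intended deployment assumption is (TLS terminated in front of p2p-forge, or plain HTTP inside the cluster), record it in the Corefile so the next change is deliberate, e.g. `# external-tls=false: registration API is plain HTTP on :8080, reachable only in-cluster` — hedged, since the flag's exact semantics are not shown here. The bee-patch hunk above switches to `set -ex`, which traces every command into the container log; harmless for certificate fetching, but keep it in mind should a secret ever be added to that script.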
@@ -311,6 +312,60 @@ deploy-p2p-wss() { echo "Pebble and p2p-forge deployed successfully..." } +apply-pebble-ca-patch() { + if [[ "${P2P_WSS_ENABLE}" != "true" ]]; then + return 0 + fi + + echo "applying Pebble CA certificate patch to bee nodes..." + + # Wait for statefulsets to be created (with retry logic) + local max_attempts=30 + local attempt=0 + local statefulsets_found=false + + while [[ $attempt -lt $max_attempts ]]; do + # Find all bee statefulsets in the namespace + local statefulsets=$(kubectl get statefulset -n "${NAMESPACE}" -o jsonpath='{.items[*].metadata.name}' 2>/dev/null | grep -E '^bee-[0-9]+$' || true) + + if [[ -n "$statefulsets" ]]; then + statefulsets_found=true + break + fi + + attempt=$((attempt + 1)) + echo "waiting for bee statefulsets to be created... (attempt $attempt/$max_attempts)" + sleep 2 + done + + if [[ "$statefulsets_found" != "true" ]]; then + echo "warning: no bee statefulsets found after $max_attempts attempts, skipping patch" + return 0 + fi + + # Apply patch to each statefulset + local patch_file="" + if [[ -f config/bee-statefulset-pebble-ca-patch.yaml ]]; then + patch_file="config/bee-statefulset-pebble-ca-patch.yaml" + elif [[ -f "${BEE_CONFIG}"/bee-statefulset-pebble-ca-patch.yaml ]]; then + patch_file="${BEE_CONFIG}/bee-statefulset-pebble-ca-patch.yaml" + else + echo "warning: bee-statefulset-pebble-ca-patch.yaml not found, skipping patch" + return 0 + fi + + for statefulset in $statefulsets; do + echo "applying Pebble CA patch to $statefulset..." + if kubectl patch statefulset "$statefulset" -n "${NAMESPACE}" --type='strategic' -p "$(cat "$patch_file")" 2>/dev/null; then + echo "successfully patched $statefulset" + else + echo "warning: failed to patch $statefulset (may already be patched)" + fi + done + + echo "Pebble CA patch application completed..." +} + stop() { if [[ -n $CI ]]; then echo "action not supported for CI" 
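Review bot: `local statefulsets=$(kubectl get statefulset ... -o jsonpath='{.items[*].metadata.name}' ... | grep -E '^bee-[0-9]+$' || true)` can only match when exactly one StatefulSet exists: that jsonpath prints all names space-separated on a single line, and the anchored regex is applied to the whole line, so with `bee-0 bee-1` (or any other StatefulSet in the namespace) nothing matches and the function gives up after 30 attempts with "no bee statefulsets found". Emit one name per line and split the declaration from the assignment so kubectl's status is not masked: `local statefulsets` then `statefulsets=$(kubectl get statefulset -n "${NAMESPACE}" -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}' 2>/dev/null | grep -E '^bee-[0-9]+$' || true)`. The `2>/dev/null` on `kubectl patch` then hides the real error while the message guesses `may already be patched`; `kubectl patch statefulset "$statefulset" -n "${NAMESPACE}" --type strategic --patch-file "$patch_file"` without the redirect gives the operator the actual reason. Since the patch restarts every bee pod with a root container, the function's header comment should name that effect for anyone enabling P2P_WSS_ENABLE.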
@@ -415,6 +470,7 @@ if [[ " ${ACTIONS[*]} " == *"$ACTION"* ]]; then build fi deploy-p2p-wss + apply-pebble-ca-patch else $ACTION fi From 3050c7369691f8b2e1f9d0e6a669b4a25c2cbdc2 Mon Sep 17 00:00:00 2001 From: akrem-chabchoub Date: Wed, 14 Jan 2026 02:20:11 +0100 Subject: [PATCH 11/27] fix(p2p-forge): update registration domain to use cluster local address and enable external TLS --- config/p2p-forge-deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/p2p-forge-deployment.yaml b/config/p2p-forge-deployment.yaml index 90ba578..8f2a489 100644 --- a/config/p2p-forge-deployment.yaml +++ b/config/p2p-forge-deployment.yaml @@ -9,7 +9,7 @@ data: errors log acme local.test { - registration-domain p2p-forge listen-address=:8080 external-tls=false + registration-domain p2p-forge.local.svc.cluster.local:8080 listen-address=:8080 external-tls=true database-type badger /data } } From 25721c067a99dd721c0a6c8a5de3e1d7ecbf78cc Mon Sep 17 00:00:00 2001 From: akrem-chabchoub Date: Wed, 14 Jan 2026 02:23:08 +0100 Subject: [PATCH 12/27] feat(p2p-wss): add CoreDNS configuration for local.test forwarding to p2p-forge --- beelocal.sh | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/beelocal.sh b/beelocal.sh index 26a218b..c6fbdfb 100755 --- a/beelocal.sh +++ b/beelocal.sh 
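Review bot: `apply-pebble-ca-patch` is now called both from install() (first hunk of this patch) and here after `deploy-p2p-wss`; if this action branch does not itself run install(), there are no bee StatefulSets to find and, with P2P_WSS_ENABLE=true, the call idles for 30×2 s before warning and returning 0, while if it does reach install() the patch is applied twice and the second `kubectl patch` surfaces as a warning. Either way the second call looks redundant; guard it or drop it, and add a comment naming which action this branch handles, since the enclosing if/elif chain starts outside the hunk.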
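Review bot: `registration-domain p2p-forge.local.svc.cluster.local:8080` hard-codes the `local` namespace inside the manifest while beelocal.sh derives every other reference from `${NAMESPACE}` (the CoreDNS forward added in PATCH 12/27 uses `p2p-forge.${NAMESPACE}.svc.cluster.local`), so the two disagree as soon as NAMESPACE is overridden, and PATCH 13/27 then moves this Deployment to `local-dns` without touching this line. Either template the Corefile from the script or keep one source for the namespace; at minimum add `# must match the namespace the p2p-forge Service is deployed in` beside it. Whether p2p-forge accepts a `host:port` value as registration-domain is not visible here and is worth confirming in the commit message, which also gives no reason for reverting PATCH 09/27's `external-tls=false`.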
@@ -309,6 +309,33 @@ deploy-p2p-wss() {
 echo "waiting for p2p-forge to be ready..."
 kubectl rollout status deployment/p2p-forge -n "${NAMESPACE}" --timeout=120s || true
 
+ # Configure CoreDNS to forward local.test queries to p2p-forge
+ echo "configuring CoreDNS to forward local.test to p2p-forge..."
+
+ # Check if local.test forwarding is already configured
+ if kubectl get cm coredns -n kube-system -o jsonpath='{.data.Corefile}' | grep -q "local.test"; then
+ echo "CoreDNS already configured for local.test, skipping..."
+ else
+ # Patch CoreDNS configmap to add local.test forwarding
+ LOCAL_TEST_BLOCK="local.test:53 {
+ errors
+ cache 30
+ forward . p2p-forge.${NAMESPACE}.svc.cluster.local:53
+}"
+ # Get current Corefile, append local.test block, and apply
+ CURRENT_COREFILE=$(kubectl get cm coredns -n kube-system -o jsonpath='{.data.Corefile}')
+ NEW_COREFILE="${CURRENT_COREFILE}
+${LOCAL_TEST_BLOCK}"
+
+ kubectl create configmap coredns -n kube-system \
+ --from-literal=Corefile="${NEW_COREFILE}" \
+ --dry-run=client -o yaml | kubectl apply -f -
+
+ kubectl rollout restart deployment coredns -n kube-system
+ kubectl rollout status deployment/coredns -n kube-system --timeout=60s || true
+ echo "CoreDNS configured for local.test forwarding..."
+ fi
+
 echo "Pebble and p2p-forge deployed successfully..."
 }
 
From 3e7d993edb8fea377aaf13a1333ef774d04d289a Mon Sep 17 00:00:00 2001 From: akrem-chabchoub Date: Wed, 14 Jan 2026 03:11:51 +0100 Subject: [PATCH 13/27] fix: change deployment namespace from local to local-dns for p2p-forge and pebble configurations
--- config/p2p-forge-deployment.yaml | 6 +++--- config/pebble-deployment.yaml | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/config/p2p-forge-deployment.yaml b/config/p2p-forge-deployment.yaml
index 8f2a489..e2b04e2 100644
--- a/config/p2p-forge-deployment.yaml
+++ b/config/p2p-forge-deployment.yaml
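Review bot: The `kubectl create configmap coredns ... --from-literal=Corefile=... | kubectl apply -f -` step replaces the whole coredns ConfigMap with one that carries only a Corefile key, so any other keys the cluster keeps there (k3s, which k3d runs, stores a NodeHosts key there as far as I know) are dropped on the first run. The read just above it, `CURRENT_COREFILE=$(kubectl get cm coredns ...)`, is unchecked as well: if the get fails or returns nothing the else branch still proceeds, the cluster's DNS configuration is replaced by the local.test block alone, and the forced `rollout restart` makes the outage immediate. Guard against an empty Corefile and merge-patch only `data.Corefile`, as sketched below; the enclosing deploy-p2p-wss function starts before this hunk. LOCAL_TEST_BLOCK, CURRENT_COREFILE and NEW_COREFILE are also globals assigned inside a function, where `local` would keep them from leaking into the rest of the script.
```shell
    # … unchanged: idempotence check, LOCAL_TEST_BLOCK …
    CURRENT_COREFILE=$(kubectl get cm coredns -n kube-system -o jsonpath='{.data.Corefile}') || return 1
    if [[ -z "${CURRENT_COREFILE}" ]]; then
      echo "coredns Corefile is empty or unreadable, refusing to overwrite it..."
      return 1
    fi
    NEW_COREFILE="${CURRENT_COREFILE}
${LOCAL_TEST_BLOCK}"
    # Merge-patch only data.Corefile so other keys in the ConfigMap survive
    COREDNS_PATCH=$(mktemp) || return 1
    {
      printf 'data:\n  Corefile: |\n'
      printf '%s\n' "${NEW_COREFILE}" | sed 's/^/    /'
    } > "${COREDNS_PATCH}"
    kubectl patch cm coredns -n kube-system --type merge --patch-file "${COREDNS_PATCH}" || { rm -f -- "${COREDNS_PATCH}"; return 1; }
    rm -f -- "${COREDNS_PATCH}"
    # … unchanged: rollout restart / rollout status / echo …
```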
@@ -2,7 +2,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: p2p-forge-config - namespace: local + namespace: local-dns data: Corefile: | .:53 { @@ -18,7 +18,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: p2p-forge - namespace: local + namespace: local-dns labels: app: p2p-forge spec: @@ -67,7 +67,7 @@ apiVersion: v1 kind: Service metadata: name: p2p-forge - namespace: local + namespace: local-dns labels: app: p2p-forge spec: diff --git a/config/pebble-deployment.yaml b/config/pebble-deployment.yaml index fdb01d1..80bff55 100644 --- a/config/pebble-deployment.yaml +++ b/config/pebble-deployment.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: pebble-config - namespace: local + namespace: local-dns data: pebble-config.json: | { @@ -22,7 +22,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: pebble - namespace: local + namespace: local-dns labels: app: pebble spec: @@ -78,7 +78,7 @@ apiVersion: v1 kind: Service metadata: name: pebble - namespace: local + namespace: local-dns labels: app: pebble spec: From 0b31e0d436c9eb1c65a034a68479bcbeea8745a5 Mon Sep 17 00:00:00 2001 From: akrem-chabchoub Date: Wed, 14 Jan 2026 13:40:23 +0100 Subject: [PATCH 14/27] fix(p2p-wss): use local config files and update CoreDNS forwarding to use service IP --- beelocal.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/beelocal.sh b/beelocal.sh index c6fbdfb..67e8152 100755 --- a/beelocal.sh +++ b/beelocal.sh @@ -128,6 +128,9 @@ config() { sudo cp "${BEE_TEMP}"/registries.yaml /etc/rancher/k3s/registries.yaml fi BEE_CONFIG="${BEE_TEMP}" + else + # Use local config files + BEE_CONFIG="config" fi } 
@@ -317,10 +320,11 @@ deploy-p2p-wss() {
 echo "CoreDNS already configured for local.test, skipping..."
 else
 # Patch CoreDNS configmap to add local.test forwarding
+ P2P_FORGE_IP=$(kubectl get svc p2p-forge -n "${NAMESPACE}" -o jsonpath='{.spec.clusterIP}')
 LOCAL_TEST_BLOCK="local.test:53 {
 errors
 cache 30
- forward . p2p-forge.${NAMESPACE}.svc.cluster.local:53
+ forward . ${P2P_FORGE_IP}:53
 }"
 # Get current Corefile, append local.test block, and apply
 CURRENT_COREFILE=$(kubectl get cm coredns -n kube-system -o jsonpath='{.data.Corefile}')
From b5d0b1c79733b092728962b6e44902502dce6f00 Mon Sep 17 00:00:00 2001 From: akrem-chabchoub Date: Wed, 14 Jan 2026 14:15:52 +0100 Subject: [PATCH 15/27] fix: change deployment namespace from local-dns to local for p2p-forge and pebble configurations
--- config/p2p-forge-deployment.yaml | 6 +++--- config/pebble-deployment.yaml | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/config/p2p-forge-deployment.yaml b/config/p2p-forge-deployment.yaml
index e2b04e2..8f2a489 100644
--- a/config/p2p-forge-deployment.yaml
+++ b/config/p2p-forge-deployment.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
 name: p2p-forge-config
- namespace: local-dns
+ namespace: local
 data:
 Corefile: |
 .:53 {
@@ -18,7 +18,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: p2p-forge
- namespace: local-dns
+ namespace: local
 labels:
 app: p2p-forge
 spec:
@@ -67,7 +67,7 @@ apiVersion: v1
 kind: Service
 metadata:
 name: p2p-forge
- namespace: local-dns
+ namespace: local
 labels:
 app: p2p-forge
 spec:
diff --git a/config/pebble-deployment.yaml b/config/pebble-deployment.yaml
index 80bff55..fdb01d1 100644
--- a/config/pebble-deployment.yaml
+++ b/config/pebble-deployment.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
 name: pebble-config
- namespace: local-dns
+ namespace: local
 data:
 pebble-config.json: |
 {
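Review bot: `P2P_FORGE_IP=$(kubectl get svc p2p-forge -n "${NAMESPACE}" -o jsonpath='{.spec.clusterIP}')` is used without a check, so if the Service is missing, has no clusterIP yet, or kubectl fails, the block written into the Corefile becomes `forward . :53`, CoreDNS rejects it on the restart that follows and cluster DNS goes down. Guard it before LOCAL_TEST_BLOCK is built: `[[ -n "${P2P_FORGE_IP}" && "${P2P_FORGE_IP}" != "None" ]] || { echo "p2p-forge service has no clusterIP, not touching CoreDNS..."; return 1; }`. Because the IP is now pinned in the Corefile and the `grep -q "local.test"` check above skips re-patching, a recreated p2p-forge Service with a different clusterIP leaves a stale forwarder behind; a comment such as `# clusterIP is pinned here: re-run after recreating the p2p-forge Service` would save the next person some debugging. The enclosing function starts before this hunk.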
@@ -22,7 +22,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: pebble - namespace: local-dns + namespace: local labels: app: pebble spec: @@ -78,7 +78,7 @@ apiVersion: v1 kind: Service metadata: name: pebble - namespace: local-dns + namespace: local labels: app: pebble spec: From f18a8b74066ced6a95c054cfec5d7cc1f8e076c0 Mon Sep 17 00:00:00 2001 From: Ljubisa Gacevic Date: Fri, 16 Jan 2026 19:01:13 +0100 Subject: [PATCH 16/27] fix: remove pebble patch --- beelocal.sh | 56 -------------------- config/bee-statefulset-pebble-ca-patch.yaml | 58 --------------------- 2 files changed, 114 deletions(-) delete mode 100644 config/bee-statefulset-pebble-ca-patch.yaml diff --git a/beelocal.sh b/beelocal.sh index 67e8152..5c5dba7 100755 --- a/beelocal.sh +++ b/beelocal.sh @@ -251,7 +251,6 @@ install() { build fi beekeeper create bee-cluster --cluster-name "${BEEKEEPER_CLUSTER}" - apply-pebble-ca-patch } uninstall() { 
@@ -343,60 +342,6 @@ ${LOCAL_TEST_BLOCK}" echo "Pebble and p2p-forge deployed successfully..." } -apply-pebble-ca-patch() { - if [[ "${P2P_WSS_ENABLE}" != "true" ]]; then - return 0 - fi - - echo "applying Pebble CA certificate patch to bee nodes..." - - # Wait for statefulsets to be created (with retry logic) - local max_attempts=30 - local attempt=0 - local statefulsets_found=false - - while [[ $attempt -lt $max_attempts ]]; do - # Find all bee statefulsets in the namespace - local statefulsets=$(kubectl get statefulset -n "${NAMESPACE}" -o jsonpath='{.items[*].metadata.name}' 2>/dev/null | grep -E '^bee-[0-9]+$' || true) - - if [[ -n "$statefulsets" ]]; then - statefulsets_found=true - break - fi - - attempt=$((attempt + 1)) - echo "waiting for bee statefulsets to be created... (attempt $attempt/$max_attempts)" - sleep 2 - done - - if [[ "$statefulsets_found" != "true" ]]; then - echo "warning: no bee statefulsets found after $max_attempts attempts, skipping patch" - return 0 - fi - - # Apply patch to each statefulset - local patch_file="" - if [[ -f config/bee-statefulset-pebble-ca-patch.yaml ]]; then - patch_file="config/bee-statefulset-pebble-ca-patch.yaml" - elif [[ -f "${BEE_CONFIG}"/bee-statefulset-pebble-ca-patch.yaml ]]; then - patch_file="${BEE_CONFIG}/bee-statefulset-pebble-ca-patch.yaml" - else - echo "warning: bee-statefulset-pebble-ca-patch.yaml not found, skipping patch" - return 0 - fi - - for statefulset in $statefulsets; do - echo "applying Pebble CA patch to $statefulset..." - if kubectl patch statefulset "$statefulset" -n "${NAMESPACE}" --type='strategic' -p "$(cat "$patch_file")" 2>/dev/null; then - echo "successfully patched $statefulset" - else - echo "warning: failed to patch $statefulset (may already be patched)" - fi - done - - echo "Pebble CA patch application completed..." -} - stop() { if [[ -n $CI ]]; then echo "action not supported for CI" 
@@ -501,7 +446,6 @@ if [[ " ${ACTIONS[*]} " == *"$ACTION"* ]]; then build fi deploy-p2p-wss - apply-pebble-ca-patch else $ACTION fi diff --git a/config/bee-statefulset-pebble-ca-patch.yaml b/config/bee-statefulset-pebble-ca-patch.yaml deleted file mode 100644 index 7398820..0000000 --- a/config/bee-statefulset-pebble-ca-patch.yaml +++ /dev/null 
@@ -1,58 +0,0 @@ -# StatefulSet patch template for adding Pebble CA certificate to bee nodes -# This patch modifies the main bee container to install the Pebble root CA certificate -# before starting the bee process. The certificate is installed directly into the -# container's filesystem using update-ca-certificates. -# -# Prerequisites: -# 1. Pebble must be deployed and accessible at https://pebble:15000 -# 2. The bee container image must support apt-get (Debian/Ubuntu based) -# -# Usage with kubectl patch: -# kubectl patch statefulset -n --type='strategic' -p "$(cat config/bee-statefulset-pebble-ca-patch.yaml)" -# -# For beekeeper integration: -# Apply this patch structure when creating bee node StatefulSets to ensure -# they can trust Pebble's ACME server certificate. - -spec: - template: - spec: - containers: - - name: bee - # Temporarily run as root to install certificates, then switch back to original user - securityContext: - runAsUser: 0 - # Modify command to install certificate first, then start bee - command: - - /bin/bash - - -c - - | - set -ex - - # Fetch all required Pebble certs - # We use -k because we haven't trusted the server yet. We use --fail to exit on HTTP error. - curl -k -s --fail https://pebble:15000/roots/0 > /usr/local/share/ca-certificates/pebble-root-real.crt - curl -k -s --fail https://pebble:15000/intermediates/0 > /usr/local/share/ca-certificates/pebble-intermediate-real.crt - curl -k -s --fail https://raw.githubusercontent.com/letsencrypt/pebble/refs/heads/main/test/certs/pebble.minica.pem > /usr/local/share/ca-certificates/pebble-minica.crt - - echo "--- Downloaded certs ---" - ls -l /usr/local/share/ca-certificates/ - echo "--- End Downloaded certs ---" - - # Update the system trust store - update-ca-certificates - - # --- VERIFICATION --- - echo "Verifying connection to Pebble ACME server..." - - # Attempt to connect to the ACME endpoint securely. - # If this fails, the CA was not installed correctly. 
- if curl --head --fail https://pebble:14000/dir; then - echo "Successfully connected to Pebble." - else - echo "Failed to connect to Pebble after updating CA certificates." - exit 1 - fi - - # Exec into the original bee command (replaces shell with bee process) - exec bee start --config=.bee.yaml From c845ad7b6485aa156108d8ef8debfc3e7a6741e6 Mon Sep 17 00:00:00 2001 From: Ljubisa Gacevic Date: Fri, 16 Jan 2026 19:16:53 +0100 Subject: [PATCH 17/27] fix: clean up --- README.md | 10 +---- test-p2p-wss.sh | 104 ------------------------------------------------ 2 files changed, 1 insertion(+), 113 deletions(-) delete mode 100755 test-p2p-wss.sh diff --git a/README.md b/README.md index 183ab93..13d7a65 100644 --- a/README.md +++ b/README.md @@ -15,14 +15,6 @@ When `P2P_WSS_ENABLE=true`, configure your Bee nodes with: ```bash --autotls-domain="local.test" ---autotls-registration-endpoint="http://p2p-forge:8080/v1/_acme-challenge" +--autotls-registration-endpoint="http://p2p-forge.local.svc.cluster.local:8080" --autotls-ca-endpoint="https://pebble:14000/dir" ``` - -**Get Pebble's root CA certificate:** - -```bash -# Retrieve Pebble root CA certificate -kubectl run -n local --rm -i --restart=Never get-ca --image=curlimages/curl:latest -- \ - curl -k -s https://pebble:15000/roots/0 > pebble-root-ca.pem -``` diff --git a/test-p2p-wss.sh b/test-p2p-wss.sh deleted file mode 100755 index aad0a6a..0000000 --- a/test-p2p-wss.sh +++ /dev/null 
@@ -1,104 +0,0 @@ -#!/usr/bin/env bash -# Test script for Pebble and p2p-forge deployments - -set -uo pipefail - -NAMESPACE=${NAMESPACE:-local} - -echo "=== Testing P2P-WSS Deployments (Pebble + p2p-forge) ===" -echo "" - -# 1. Check pod status -echo "1. Checking pod status..." -kubectl get pods -n "${NAMESPACE}" -l 'app in (pebble,p2p-forge)' -o wide -echo "" - -# 2. Test Pebble ACME directory -echo "2. Testing Pebble ACME directory endpoint..." -PEBBLE_DIR=$(kubectl run -n "${NAMESPACE}" --rm -i --restart=Never test-pebble-dir --image=curlimages/curl:latest -- curl -k -s https://pebble."${NAMESPACE}":14000/dir 2>&1 || echo "") -if echo "${PEBBLE_DIR}" | grep -q "newOrder"; then - echo " ✓ Pebble ACME directory is accessible" -else - echo " ⚠ Pebble ACME directory test inconclusive (may need to check manually)" -fi -echo "" - -# 3. Test Pebble management interface -echo "3. Testing Pebble management interface..." -PEBBLE_ROOT=$(kubectl run -n "${NAMESPACE}" --rm -i --restart=Never test-pebble-mgmt --image=curlimages/curl:latest -- curl -k -s https://pebble."${NAMESPACE}":15000/roots/0 2>&1) -if echo "${PEBBLE_ROOT}" | grep -q "BEGIN CERTIFICATE"; then - echo " ✓ Pebble management interface is accessible" -elif echo "${PEBBLE_ROOT}" | grep -q "200\|OK"; then - echo " ✓ Pebble management interface is accessible (certificate retrieved)" -else - echo " ⚠ Pebble management interface test inconclusive" - echo " (This is non-critical - ACME directory is the main endpoint)" -fi -echo "" - -# 4. Test p2p-forge health endpoint -echo "4. Testing p2p-forge health endpoint..." 
-# Note: p2p-forge may not have a certificate yet (it's trying to obtain one for registration.localhost) -# This is expected - localhost domains don't qualify for public certificates -# The service is running but HTTPS won't work until a certificate is obtained -P2P_FORGE_LOGS=$(kubectl logs -n "${NAMESPACE}" -l app=p2p-forge --tail=20 2>&1) -if echo "${P2P_FORGE_LOGS}" | grep -q "plugin/acme.*listener\|Registration HTTP API"; then - echo " ✓ p2p-forge ACME registration API is configured (port 8080)" - echo " ⚠ HTTPS not available yet - p2p-forge needs a certificate for registration.localhost" - echo " ℹ This is expected - localhost domains don't qualify for public certificates" - echo " ℹ TLS errors in logs are expected until a certificate is obtained" -elif echo "${P2P_FORGE_LOGS}" | grep -q "plugin/acme"; then - echo " ✓ p2p-forge ACME plugin is active" - echo " ⚠ Registration API may not be fully configured" -else - echo " ⚠ Could not confirm p2p-forge ACME plugin status" -fi -echo "" - -# 5. Check for TLS handshake errors (expected behavior) -echo "5. Checking p2p-forge status..." -TLS_ERRORS=$(echo "${P2P_FORGE_LOGS}" | grep -c "TLS handshake error\|no certificate available" || echo "0") -if [[ "${TLS_ERRORS}" -gt 0 ]]; then - echo " ℹ Found ${TLS_ERRORS} TLS handshake errors (expected - no certificate yet)" - echo " ℹ These will resolve once p2p-forge obtains a certificate" -else - echo " ✓ No TLS errors found" -fi -echo "" - -# 6. Verify service connectivity -echo "6. Verifying service connectivity..." -PEBBLE_IP=$(kubectl get svc -n "${NAMESPACE}" pebble -o jsonpath='{.spec.clusterIP}') -P2P_FORGE_IP=$(kubectl get svc -n "${NAMESPACE}" p2p-forge -o jsonpath='{.spec.clusterIP}') -echo " Pebble ClusterIP: ${PEBBLE_IP}" -echo " p2p-forge ClusterIP: ${P2P_FORGE_IP}" -if [[ -n "${PEBBLE_IP}" ]] && [[ -n "${P2P_FORGE_IP}" ]]; then - echo " ✓ Both services have ClusterIPs" -else - echo " ✗ Service IPs not found" - exit 1 -fi -echo "" - -# 7. 
Test DNS resolution within cluster -echo "7. Testing DNS resolution..." -if kubectl run -n "${NAMESPACE}" --rm -i --restart=Never test-dns --image=busybox:latest -- nslookup pebble 2>&1 | grep -q "Address"; then - echo " ✓ DNS resolution works within cluster" -else - echo " ⚠ DNS resolution test inconclusive (nslookup may not be available)" -fi -echo "" - -echo "=== Test Summary ===" -echo "✓ All basic connectivity tests passed" -echo "✓ Pebble is ready to serve ACME requests" -echo "✓ p2p-forge is running and configured" -echo "" -echo "Note: p2p-forge may show errors about 'registration.localhost' not qualifying" -echo " for public certificates - this is expected for localhost domains." -echo "" -echo "To test ACME certificate issuance, you would need to:" -echo " 1. Configure a Bee node with --p2p-wss-enable flag" -echo " 2. Point it to use Pebble as the ACME server" -echo " 3. Use p2p-forge for DNS-01 challenge validation" - From f0c70ff76c574c2231f506604c7ca1677dc2bc7a Mon Sep 17 00:00:00 2001 From: akrem-chabchoub Date: Fri, 23 Jan 2026 12:56:20 +0100 Subject: [PATCH 18/27] feat(pebble): add certificate validity period to deployment configuration --- config/pebble-deployment.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/config/pebble-deployment.yaml b/config/pebble-deployment.yaml index fdb01d1..181dbe9 100644 --- a/config/pebble-deployment.yaml +++ b/config/pebble-deployment.yaml @@ -14,7 +14,8 @@ data: "httpPort": 5002, "tlsPort": 5001, "ocspResponderURL": "", - "externalAccountBindingRequired": false + "externalAccountBindingRequired": false, + "certificateValidityPeriod": 300 } } --- From 10c744e3a493f38a9886fb440f8fad12df2b4999 Mon Sep 17 00:00:00 2001 From: akrem-chabchoub Date: Thu, 5 Feb 2026 16:49:39 +0100 Subject: [PATCH 19/27] fix(beelocal): adjust image references accordingly --- beelocal.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/beelocal.sh b/beelocal.sh index 67e8152..4159880 100755 
--- a/beelocal.sh +++ b/beelocal.sh @@ -357,7 +357,7 @@ apply-pebble-ca-patch() { while [[ $attempt -lt $max_attempts ]]; do # Find all bee statefulsets in the namespace - local statefulsets=$(kubectl get statefulset -n "${NAMESPACE}" -o jsonpath='{.items[*].metadata.name}' 2>/dev/null | grep -E '^bee-[0-9]+$' || true) + local statefulsets=$(kubectl get statefulset -n "${NAMESPACE}" -o jsonpath='{.items[*].metadata.name}' 2>/dev/null | grep -E '^(bee-[0-9]+|bootnode-[0-9]+|light-[0-9]+)$' || true) if [[ -n "$statefulsets" ]]; then statefulsets_found=true From b81d327f2632ebc3db2268c9b9b03bc01e24c4bb Mon Sep 17 00:00:00 2001 From: akrem-chabchoub Date: Thu, 5 Feb 2026 22:51:40 +0100 Subject: [PATCH 20/27] fix(beelocal): fix statefulset filter --- beelocal.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/beelocal.sh b/beelocal.sh index 4159880..aac8665 100755 --- a/beelocal.sh +++ b/beelocal.sh @@ -357,7 +357,7 @@ apply-pebble-ca-patch() { while [[ $attempt -lt $max_attempts ]]; do # Find all bee statefulsets in the namespace - local statefulsets=$(kubectl get statefulset -n "${NAMESPACE}" -o jsonpath='{.items[*].metadata.name}' 2>/dev/null | grep -E '^(bee-[0-9]+|bootnode-[0-9]+|light-[0-9]+)$' || true) + local statefulsets=$(kubectl get statefulset -n "${NAMESPACE}" -o jsonpath='{.items[*].metadata.name}' 2>/dev/null | grep -E '^(bee-[0-9]+)$' || true) if [[ -n "$statefulsets" ]]; then statefulsets_found=true From 522396fb3a238d2f2e39899c988296cc5f18766a Mon Sep 17 00:00:00 2001 From: akrem-chabchoub Date: Mon, 16 Feb 2026 10:58:23 +0100 Subject: [PATCH 21/27] fix: remove apply-pebble-ca-patch function --- beelocal.sh | 54 ----------------------------------------------------- 1 file changed, 54 deletions(-) diff --git a/beelocal.sh b/beelocal.sh index 3906bee..5c5dba7 100755 --- a/beelocal.sh +++ b/beelocal.sh 
@@ -342,60 +342,6 @@ ${LOCAL_TEST_BLOCK}" echo "Pebble and p2p-forge deployed successfully..." } -apply-pebble-ca-patch() { - if [[ "${P2P_WSS_ENABLE}" != "true" ]]; then - return 0 - fi - - echo "applying Pebble CA certificate patch to bee nodes..." - - # Wait for statefulsets to be created (with retry logic) - local max_attempts=30 - local attempt=0 - local statefulsets_found=false - - while [[ $attempt -lt $max_attempts ]]; do - # Find all bee statefulsets in the namespace - local statefulsets=$(kubectl get statefulset -n "${NAMESPACE}" -o jsonpath='{.items[*].metadata.name}' 2>/dev/null | grep -E '^(bee-[0-9]+)$' || true) - - if [[ -n "$statefulsets" ]]; then - statefulsets_found=true - break - fi - - attempt=$((attempt + 1)) - echo "waiting for bee statefulsets to be created... (attempt $attempt/$max_attempts)" - sleep 2 - done - - if [[ "$statefulsets_found" != "true" ]]; then - echo "warning: no bee statefulsets found after $max_attempts attempts, skipping patch" - return 0 - fi - - # Apply patch to each statefulset - local patch_file="" - if [[ -f config/bee-statefulset-pebble-ca-patch.yaml ]]; then - patch_file="config/bee-statefulset-pebble-ca-patch.yaml" - elif [[ -f "${BEE_CONFIG}"/bee-statefulset-pebble-ca-patch.yaml ]]; then - patch_file="${BEE_CONFIG}/bee-statefulset-pebble-ca-patch.yaml" - else - echo "warning: bee-statefulset-pebble-ca-patch.yaml not found, skipping patch" - return 0 - fi - - for statefulset in $statefulsets; do - echo "applying Pebble CA patch to $statefulset..." - if kubectl patch statefulset "$statefulset" -n "${NAMESPACE}" --type='strategic' -p "$(cat "$patch_file")" 2>/dev/null; then - echo "successfully patched $statefulset" - else - echo "warning: failed to patch $statefulset (may already be patched)" - fi - done - - echo "Pebble CA patch application completed..." -} - stop() { if [[ -n $CI ]]; then echo "action not supported for CI" From 2eb1bbf9b3033ff4a1f2f0f77916d10a2c5401e8 Mon Sep 17 00:00:00 2001 
From: akrem-chabchoub Date: Mon, 16 Feb 2026 12:32:38 +0100 Subject: [PATCH 22/27] feat(beelocal): add PEBBLE_IMAGE_TAG as config
--- beelocal.sh | 5 +++-- config/pebble-deployment.yaml | 2 +- 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/beelocal.sh b/beelocal.sh
index 5c5dba7..3691037 100755
--- a/beelocal.sh
+++ b/beelocal.sh
@@ -38,6 +38,7 @@ declare -x SETUP_CONTRACT_IMAGE_TAG=${SETUP_CONTRACT_IMAGE_TAG:-latest}
 declare -x NAMESPACE=${NAMESPACE:-local}
 declare -x BEEKEEPER_CLUSTER=${BEEKEEPER_CLUSTER:-local}
 declare -x P2P_WSS_ENABLE=${P2P_WSS_ENABLE:-false}
+declare -x PEBBLE_IMAGE_TAG=${PEBBLE_IMAGE_TAG:-v2.4.0}
 
 check() {
 if ! grep -qE "docker|admin" <<< "$(id "$(whoami)")"; then
@@ -285,9 +286,9 @@ deploy-p2p-wss() {
 
 # Apply Pebble deployment - use remote file if it exists and is valid, otherwise use local
 if [[ -f "${BEE_CONFIG}"/pebble-deployment.yaml ]] && grep -q "^apiVersion:" "${BEE_CONFIG}"/pebble-deployment.yaml 2>/dev/null; then
- kubectl apply -f "${BEE_CONFIG}"/pebble-deployment.yaml
+ envsubst '${PEBBLE_IMAGE_TAG}' < "${BEE_CONFIG}"/pebble-deployment.yaml | kubectl apply -f -
 elif [[ -f config/pebble-deployment.yaml ]]; then
- kubectl apply -f config/pebble-deployment.yaml
+ envsubst '${PEBBLE_IMAGE_TAG}' < config/pebble-deployment.yaml | kubectl apply -f -
 else
 echo "pebble-deployment.yaml not found..."
 return 1
diff --git a/config/pebble-deployment.yaml b/config/pebble-deployment.yaml
index 181dbe9..8af8179 100644
--- a/config/pebble-deployment.yaml
+++ b/config/pebble-deployment.yaml
@@ -38,7 +38,7 @@ spec:
 spec:
 containers:
 - name: pebble
- image: ghcr.io/letsencrypt/pebble:latest
+ image: ghcr.io/letsencrypt/pebble:${PEBBLE_IMAGE_TAG}
 args:
 - "-config"
 - "/config/pebble-config.json"
From bb2b68bb9e4d08617cfada6b44966b1cae728e08 Mon Sep 17 00:00:00 2001
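Review bot: `envsubst '${PEBBLE_IMAGE_TAG}' < ... | kubectl apply -f -` adds a dependency on the gettext envsubst binary that nothing in the hunk verifies; on a host without it the pipeline feeds an empty document to kubectl and the resulting error will not say why. I would add `command -v envsubst >/dev/null 2>&1 || { echo "envsubst (gettext) is required for P2P-WSS deployment..."; return 1; }` at the top of deploy-p2p-wss, whose start is outside this hunk, unless check() already covers it, which I cannot see from here. The same applies to the p2p-forge hunk in the following commit (PATCH 23). Restricting envsubst to the one named variable is the right call, since it keeps every other `$` sequence in the manifest literal; the image reference `ghcr.io/letsencrypt/pebble:${PEBBLE_IMAGE_TAG}` is a mutable tag, which is fine for a local test cluster, though a digest pin would make the test CA image reproducible if that ever matters.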
From: akrem-chabchoub Date: Mon, 16 Feb 2026 12:32:56 +0100 Subject: [PATCH 23/27] feat(beelocal): add P2P_FORGE_IMAGE_TAG as config --- beelocal.sh | 5 +++-- config/p2p-forge-deployment.yaml | 2 +- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/beelocal.sh b/beelocal.sh index 3691037..1ce34a3 100755 --- a/beelocal.sh +++ b/beelocal.sh @@ -39,6 +39,7 @@ declare -x NAMESPACE=${NAMESPACE:-local} declare -x BEEKEEPER_CLUSTER=${BEEKEEPER_CLUSTER:-local} declare -x P2P_WSS_ENABLE=${P2P_WSS_ENABLE:-false} declare -x PEBBLE_IMAGE_TAG=${PEBBLE_IMAGE_TAG:-v2.4.0} +declare -x P2P_FORGE_IMAGE_TAG=${P2P_FORGE_IMAGE_TAG:-v0.7.0} check() { if ! grep -qE "docker|admin" <<< "$(id "$(whoami)")"; then @@ -300,9 +301,9 @@ deploy-p2p-wss() { # Apply p2p-forge deployment - use remote file if it exists and is valid, otherwise use local if [[ -f "${BEE_CONFIG}"/p2p-forge-deployment.yaml ]] && grep -q "^apiVersion:" "${BEE_CONFIG}"/p2p-forge-deployment.yaml 2>/dev/null; then - kubectl apply -f "${BEE_CONFIG}"/p2p-forge-deployment.yaml + envsubst '${P2P_FORGE_IMAGE_TAG}' < "${BEE_CONFIG}"/p2p-forge-deployment.yaml | kubectl apply -f - elif [[ -f config/p2p-forge-deployment.yaml ]]; then - kubectl apply -f config/p2p-forge-deployment.yaml + envsubst '${P2P_FORGE_IMAGE_TAG}' < config/p2p-forge-deployment.yaml | kubectl apply -f - else echo "p2p-forge-deployment.yaml not found..." return 1 diff --git a/config/p2p-forge-deployment.yaml b/config/p2p-forge-deployment.yaml index 8f2a489..8a80554 100644 --- a/config/p2p-forge-deployment.yaml +++ b/config/p2p-forge-deployment.yaml @@ -33,7 +33,7 @@ spec: spec: containers: - name: p2p-forge - image: ghcr.io/ipshipyard/p2p-forge:latest + image: ghcr.io/ipshipyard/p2p-forge:${P2P_FORGE_IMAGE_TAG} args: - "-conf" - "/config/Corefile" From ed33f515ff2d84aec70909e26ce18abce630bc3d Mon Sep 17 00:00:00 2001 
From: akrem-chabchoub Date: Mon, 16 Feb 2026 14:05:22 +0100 Subject: [PATCH 24/27] fix(beelocal): update pebble image tag --- beelocal.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/beelocal.sh b/beelocal.sh index e3dabb7..18a28af 100755 --- a/beelocal.sh +++ b/beelocal.sh @@ -38,7 +38,7 @@ declare -x SETUP_CONTRACT_IMAGE_TAG=${SETUP_CONTRACT_IMAGE_TAG:-latest} declare -x NAMESPACE=${NAMESPACE:-local} declare -x BEEKEEPER_CLUSTER=${BEEKEEPER_CLUSTER:-local} declare -x P2P_WSS_ENABLE=${P2P_WSS_ENABLE:-false} -declare -x PEBBLE_IMAGE_TAG=${PEBBLE_IMAGE_TAG:-v2.4.0} +declare -x PEBBLE_IMAGE_TAG=${PEBBLE_IMAGE_TAG:-v2.9.0} declare -x P2P_FORGE_IMAGE_TAG=${P2P_FORGE_IMAGE_TAG:-v0.7.0} check() { From 2f22976eed5f097e9108d79817df64a30f6a2b17 Mon Sep 17 00:00:00 2001 From: Ljubisa Gacevic Date: Mon, 16 Feb 2026 14:19:29 +0100 Subject: [PATCH 25/27] fix(wss): print deployed images --- beelocal.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/beelocal.sh b/beelocal.sh index 18a28af..42efd49 100755 --- a/beelocal.sh +++ b/beelocal.sh @@ -286,9 +286,10 @@ deploy-p2p-wss() { config fi - echo "deploying Pebble and p2p-forge for P2P-WSS support..." - + echo "deploying P2P-WSS support..." + # Apply Pebble deployment - use remote file if it exists and is valid, otherwise use local + echo "deploying Pebble (ghcr.io/letsencrypt/pebble:${PEBBLE_IMAGE_TAG})..." if [[ -f "${BEE_CONFIG}"/pebble-deployment.yaml ]] && grep -q "^apiVersion:" "${BEE_CONFIG}"/pebble-deployment.yaml 2>/dev/null; then envsubst '${PEBBLE_IMAGE_TAG}' < "${BEE_CONFIG}"/pebble-deployment.yaml | kubectl apply -f - elif [[ -f config/pebble-deployment.yaml ]]; then 
@@ -303,6 +304,7 @@ deploy-p2p-wss() { kubectl rollout status deployment/pebble -n "${NAMESPACE}" --timeout=120s || true # Apply p2p-forge deployment - use remote file if it exists and is valid, otherwise use local + echo "deploying p2p-forge (ghcr.io/ipshipyard/p2p-forge:${P2P_FORGE_IMAGE_TAG})..." if [[ -f "${BEE_CONFIG}"/p2p-forge-deployment.yaml ]] && grep -q "^apiVersion:" "${BEE_CONFIG}"/p2p-forge-deployment.yaml 2>/dev/null; then envsubst '${P2P_FORGE_IMAGE_TAG}' < "${BEE_CONFIG}"/p2p-forge-deployment.yaml | kubectl apply -f - elif [[ -f config/p2p-forge-deployment.yaml ]]; then From 5c2b2a10d889dec37fb0c29c196531d5a93d5767 Mon Sep 17 00:00:00 2001 From: akrem-chabchoub Date: Mon, 16 Feb 2026 14:19:39 +0100 Subject: [PATCH 26/27] fix(beelocal): update pebble img tag --- beelocal.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/beelocal.sh b/beelocal.sh index 18a28af..d754f69 100755 --- a/beelocal.sh +++ b/beelocal.sh @@ -38,7 +38,7 @@ declare -x SETUP_CONTRACT_IMAGE_TAG=${SETUP_CONTRACT_IMAGE_TAG:-latest} declare -x NAMESPACE=${NAMESPACE:-local} declare -x BEEKEEPER_CLUSTER=${BEEKEEPER_CLUSTER:-local} declare -x P2P_WSS_ENABLE=${P2P_WSS_ENABLE:-false} -declare -x PEBBLE_IMAGE_TAG=${PEBBLE_IMAGE_TAG:-v2.9.0} +declare -x PEBBLE_IMAGE_TAG=${PEBBLE_IMAGE_TAG:-2.9.0} declare -x P2P_FORGE_IMAGE_TAG=${P2P_FORGE_IMAGE_TAG:-v0.7.0} check() { From c64122b6d5ca8a8e632aa4faa7834b9a1d5df6de Mon Sep 17 00:00:00 2001 From: akrem-chabchoub Date: Fri, 20 Feb 2026 13:54:13 +0100 Subject: [PATCH 27/27] chore: make cert validity period configurable --- beelocal.sh | 3 ++- config/pebble-deployment.yaml | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/beelocal.sh b/beelocal.sh index 742a68c..ce42b9b 100755 --- a/beelocal.sh +++ b/beelocal.sh 
@@ -40,6 +40,7 @@ declare -x BEEKEEPER_CLUSTER=${BEEKEEPER_CLUSTER:-local}
 declare -x P2P_WSS_ENABLE=${P2P_WSS_ENABLE:-false}
 declare -x PEBBLE_IMAGE_TAG=${PEBBLE_IMAGE_TAG:-2.9.0}
 declare -x P2P_FORGE_IMAGE_TAG=${P2P_FORGE_IMAGE_TAG:-v0.7.0}
+declare -x PEBBLE_CERTIFICATE_VALIDITY_PERIOD=${PEBBLE_CERTIFICATE_VALIDITY_PERIOD:-300}
 
 check() {
 if ! grep -qE "docker|admin" <<< "$(id "$(whoami)")"; then
@@ -291,7 +292,7 @@ deploy-p2p-wss() {
 # Apply Pebble deployment - use remote file if it exists and is valid, otherwise use local
 echo "deploying Pebble (ghcr.io/letsencrypt/pebble:${PEBBLE_IMAGE_TAG})..."
 if [[ -f "${BEE_CONFIG}"/pebble-deployment.yaml ]] && grep -q "^apiVersion:" "${BEE_CONFIG}"/pebble-deployment.yaml 2>/dev/null; then
- envsubst '${PEBBLE_IMAGE_TAG}' < "${BEE_CONFIG}"/pebble-deployment.yaml | kubectl apply -f -
+ envsubst '${PEBBLE_IMAGE_TAG},${PEBBLE_CERTIFICATE_VALIDITY_PERIOD}' < "${BEE_CONFIG}"/pebble-deployment.yaml | kubectl apply -f -
 elif [[ -f config/pebble-deployment.yaml ]]; then
 envsubst '${PEBBLE_IMAGE_TAG}' < config/pebble-deployment.yaml | kubectl apply -f -
 else
diff --git a/config/pebble-deployment.yaml b/config/pebble-deployment.yaml
index 8af8179..c268d58 100644
--- a/config/pebble-deployment.yaml
+++ b/config/pebble-deployment.yaml
@@ -15,7 +15,7 @@ data:
 "tlsPort": 5001,
 "ocspResponderURL": "",
 "externalAccountBindingRequired": false,
- "certificateValidityPeriod": 300
+ "certificateValidityPeriod": ${PEBBLE_CERTIFICATE_VALIDITY_PERIOD}
 }
 }
 ---
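Review bot: Only the first branch was updated: the `elif` fallback still runs `envsubst '${PEBBLE_IMAGE_TAG}' < config/pebble-deployment.yaml | kubectl apply -f -`, so whenever the local file is used the literal `${PEBBLE_CERTIFICATE_VALIDITY_PERIOD}` stays in pebble-config.json (changed in this same commit), which is not valid JSON and Pebble will not start. Change that line to `envsubst '${PEBBLE_IMAGE_TAG},${PEBBLE_CERTIFICATE_VALIDITY_PERIOD}' < config/pebble-deployment.yaml | kubectl apply -f -`. The value is also substituted unquoted into the JSON, so anything non-numeric in the environment breaks or silently alters the test CA's configuration; `[[ "${PEBBLE_CERTIFICATE_VALIDITY_PERIOD}" =~ ^[0-9]+$ ]] || { echo "PEBBLE_CERTIFICATE_VALIDITY_PERIOD must be a positive integer..."; return 1; }` before the apply would catch that early. deploy-p2p-wss starts and ends outside this hunk.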