From 7e1198f1457126e082f06c3642f6f5757dc47a72 Mon Sep 17 00:00:00 2001
From: akrem-chabchoub
Date: Mon, 2 Mar 2026 12:20:43 +0100
Subject: [PATCH 1/4] feat(config): add UDP service for p2p-forge and ingress routes for pebble
---
 config/k3d.yaml | 3 ++
 config/p2p-forge-deployment.yaml | 19 +++++++-
 config/pebble-p2p-forge-ingressroute.yaml | 57 +++++++++++++++++++++++
 3 files changed, 78 insertions(+), 1 deletion(-)
 create mode 100644 config/pebble-p2p-forge-ingressroute.yaml
diff --git a/config/k3d.yaml b/config/k3d.yaml
index aa6f4a5..bb8e3e7 100644
--- a/config/k3d.yaml
+++ b/config/k3d.yaml
@@ -9,6 +9,9 @@ ports:
 - port: 80:80
 nodeFilters:
 - loadbalancer
+ - port: 30533:30533/udp
+ nodeFilters:
+ - server:0
 registries:
 create:
 proxy:
diff --git a/config/p2p-forge-deployment.yaml b/config/p2p-forge-deployment.yaml
index 8a80554..62db0c6 100644
--- a/config/p2p-forge-deployment.yaml
+++ b/config/p2p-forge-deployment.yaml
@@ -83,4 +83,21 @@ spec:
 protocol: UDP
 selector:
 app: p2p-forge
-
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: p2p-forge-dns
+ namespace: local
+ labels:
+ app: p2p-forge
+spec:
+ type: NodePort
+ ports:
+ - name: dns
+ port: 53
+ targetPort: 53
+ nodePort: 30533
+ protocol: UDP
+ selector:
+ app: p2p-forge
diff --git a/config/pebble-p2p-forge-ingressroute.yaml b/config/pebble-p2p-forge-ingressroute.yaml
new file mode 100644
index 0000000..8304eb9
--- /dev/null
+++ b/config/pebble-p2p-forge-ingressroute.yaml
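Review bot: The added mapping `- port: 30533:30533/udp` in config/k3d.yaml names no host address, so by Docker's default the DNS NodePort is published on every interface of the machine rather than on loopback only. For a local test cluster the host side can be pinned with `- port: 127.0.0.1:30533:30533/udp`. The same applies to the `31635:31635` and `31500:31500` mappings that patch 4/4 adds to this list. At this point in the series the Corefile server block is still `.:53` (visible as a removed line in patch 3/4), so the listener accepts queries for every zone. The `ports:` list starts above the hunk.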
@@ -0,0 +1,57 @@
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: ServersTransport
+metadata:
+ name: pebble-transport
+ namespace: ${NAMESPACE}
+spec:
+ insecureSkipVerify: true
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: pebble-http
+ namespace: ${NAMESPACE}
+spec:
+ entryPoints:
+ - web
+ routes:
+ - match: Host(`pebble.localhost`)
+ kind: Rule
+ services:
+ - name: pebble
+ port: 14000
+ scheme: https
+ serversTransport: pebble-transport
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: pebble-https
+ namespace: ${NAMESPACE}
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`pebble.localhost`)
+ kind: Rule
+ services:
+ - name: pebble
+ port: 14000
+ scheme: https
+ serversTransport: pebble-transport
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: p2p-forge
+ namespace: ${NAMESPACE}
+spec:
+ entryPoints:
+ - web
+ routes:
+ - match: Host(`p2p-forge.localhost`)
+ kind: Rule
+ services:
+ - name: p2p-forge
+ port: 8080
From 100ae50e4ba22c03c5df897bdfb8a8a62ca354ec Mon Sep 17 00:00:00 2001
From: Akrem Chabchoub <121046693+akrem-chabchoub@users.noreply.github.com>
Date: Thu, 5 Mar 2026 00:28:12 +0100
Subject: [PATCH 2/4] fix: delete unnecessary changes
---
 config/pebble-p2p-forge-ingressroute.yaml | 57 -----------------------
 1 file changed, 57 deletions(-)
 delete mode 100644 config/pebble-p2p-forge-ingressroute.yaml
diff --git a/config/pebble-p2p-forge-ingressroute.yaml b/config/pebble-p2p-forge-ingressroute.yaml
deleted file mode 100644
index 8304eb9..0000000
--- a/config/pebble-p2p-forge-ingressroute.yaml
+++ /dev/null
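Review bot: `insecureSkipVerify: true` on `pebble-transport` switches off certificate verification for Traefik's upstream connection, and both `pebble-http` and `pebble-https` reference that transport. Pebble signs with its own test CA, so verification can stay on by handing that CA to the transport through `rootCAsSecrets` (with `serverName` set to the name on Pebble's certificate) instead of skipping the check. `pebble-http` also publishes the ACME endpoint on the plain `web` entry point. Patch 2/4 deletes this file, so the point only matters if the routes are reintroduced.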
@@ -1,57 +0,0 @@
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: ServersTransport
-metadata:
- name: pebble-transport
- namespace: ${NAMESPACE}
-spec:
- insecureSkipVerify: true
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
- name: pebble-http
- namespace: ${NAMESPACE}
-spec:
- entryPoints:
- - web
- routes:
- - match: Host(`pebble.localhost`)
- kind: Rule
- services:
- - name: pebble
- port: 14000
- scheme: https
- serversTransport: pebble-transport
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
- name: pebble-https
- namespace: ${NAMESPACE}
-spec:
- entryPoints:
- - websecure
- routes:
- - match: Host(`pebble.localhost`)
- kind: Rule
- services:
- - name: pebble
- port: 14000
- scheme: https
- serversTransport: pebble-transport
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
- name: p2p-forge
- namespace: ${NAMESPACE}
-spec:
- entryPoints:
- - web
- routes:
- - match: Host(`p2p-forge.localhost`)
- kind: Rule
- services:
- - name: p2p-forge
- port: 8080
From e0c27ad317c5732ad1edba2ac756e6dfa257d029 Mon Sep 17 00:00:00 2001
From: Akrem Chabchoub <121046693+akrem-chabchoub@users.noreply.github.com>
Date: Thu, 5 Mar 2026 00:31:43 +0100
Subject: [PATCH 3/4] feat: update p2p-forge configuration with DNS settings
---
 config/p2p-forge-deployment.yaml | 47 ++++++++++++++++++--------------
 1 file changed, 27 insertions(+), 20 deletions(-)
diff --git a/config/p2p-forge-deployment.yaml b/config/p2p-forge-deployment.yaml
index 62db0c6..9dbc111 100644
--- a/config/p2p-forge-deployment.yaml
+++ b/config/p2p-forge-deployment.yaml
@@ -5,14 +5,27 @@ metadata:
 namespace: local
 data:
 Corefile: |
- .:53 {
+ local.test:53 {
 errors
 log
+ ipparser local.test
 acme local.test {
 registration-domain p2p-forge.local.svc.cluster.local:8080 listen-address=:8080 external-tls=true
 database-type badger /data
 }
 }
+ local.test: |
+ $TTL 300
+ $ORIGIN local.test.
+ @ 86400 IN SOA ns.local.test. admin.local.test. (
+ 2025010101 ; serial
+ 86400 ; refresh
+ 2400 ; retry
+ 604800 ; expire
+ 86400 ; minimum
+ )
+ local.test. 86400 IN NS ns.local.test.
+ ns.local.test. 86400 IN A 127.0.0.1
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -47,6 +60,8 @@ spec:
 volumeMounts:
 - name: p2p-forge-config
 mountPath: /config
+ - name: p2p-forge-zones
+ mountPath: /p2p-forge/zones
 - name: p2p-forge-data
 mountPath: /data
 resources:
@@ -60,6 +75,15 @@ spec:
 - name: p2p-forge-config
 configMap:
 name: p2p-forge-config
+ items:
+ - key: Corefile
+ path: Corefile
+ - name: p2p-forge-zones
+ configMap:
+ name: p2p-forge-config
+ items:
+ - key: local.test
+ path: local.test
 - name: p2p-forge-data
 emptyDir: {}
 ---
@@ -71,7 +95,7 @@ metadata:
 labels:
 app: p2p-forge
 spec:
- type: ClusterIP
+ type: NodePort
 ports:
 - name: api
 port: 8080
@@ -81,23 +105,6 @@ spec:
 port: 53
 targetPort: 53
 protocol: UDP
- selector:
- app: p2p-forge
----
-apiVersion: v1
-kind: Service
-metadata:
- name: p2p-forge-dns
- namespace: local
- labels:
- app: p2p-forge
-spec:
- type: NodePort
- ports:
- - name: dns
- port: 53
- targetPort: 53
- nodePort: 30533
- protocol: UDP
+ nodePort: 30053
 selector:
 app: p2p-forge
From 79e247f51e57a61a29dbc3def43097d8f7c8a270 Mon Sep 17 00:00:00 2001
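Review bot: The `local.test` zone data added to the ConfigMap is mounted at `/p2p-forge/zones` by the later hunks, but the `local.test:53` server block shown in the first hunk has no directive that loads it; the block holds only `errors`, `log`, `ipparser` and `acme`. If the SOA/NS/A records are meant to be served, the block would need something like `file /p2p-forge/zones/local.test` ahead of `acme`. If the Corefile is instead generated elsewhere (beelocal.sh references a `LOCAL_TEST_BLOCK` variable in patch 4/4), a comment above `Corefile:` saying so would prevent the two copies drifting apart. A comment on the zone noting that `ns.local.test.` points at `127.0.0.1` for host-side testing only would also help.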
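Review bot: `nodePort: 30053` in the last hunk does not match the host mapping in config/k3d.yaml, which patch 1/4 set to `30533:30533/udp` and which is still `30533` in the context lines of patch 4/4, so DNS on the new NodePort would not be reachable from the host. Either keep `nodePort: 30533` here or change the k3d mapping in the same commit. The preceding hunk also switches the whole Service to `type: NodePort`, and the `api` port (8080) carries no `nodePort`, so Kubernetes assigns it one from the NodePort range and the registration API becomes reachable on the node as well. Keeping this Service `ClusterIP` and leaving the UDP exposure in the separate `p2p-forge-dns` Service that this hunk removes would avoid that.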
From: akrem-chabchoub
Date: Thu, 5 Mar 2026 02:28:36 +0100
Subject: [PATCH 4/4] feat(beelocal): add WSS exposure for bee-autotls and update service configurations
---
 beelocal.sh | 24 +++++++++++++++++++++++-
 config/bee-autotls-wss-expose.yaml | 21 +++++++++++++++++++++
 config/k3d.yaml | 6 ++++++
 config/pebble-deployment.yaml | 3 ++-
 4 files changed, 52 insertions(+), 2 deletions(-)
 create mode 100644 config/bee-autotls-wss-expose.yaml
diff --git a/beelocal.sh b/beelocal.sh
index ce42b9b..917bdcb 100755
--- a/beelocal.sh
+++ b/beelocal.sh
@@ -38,6 +38,7 @@ declare -x SETUP_CONTRACT_IMAGE_TAG=${SETUP_CONTRACT_IMAGE_TAG:-latest}
 declare -x NAMESPACE=${NAMESPACE:-local}
 declare -x BEEKEEPER_CLUSTER=${BEEKEEPER_CLUSTER:-local}
 declare -x P2P_WSS_ENABLE=${P2P_WSS_ENABLE:-false}
+declare -x BEE_AUTOTLS_FIRST_NODE_INSTANCE=${BEE_AUTOTLS_FIRST_NODE_INSTANCE:-bee-autotls-0}
 declare -x PEBBLE_IMAGE_TAG=${PEBBLE_IMAGE_TAG:-2.9.0}
 declare -x P2P_FORGE_IMAGE_TAG=${P2P_FORGE_IMAGE_TAG:-v0.7.0}
 declare -x PEBBLE_CERTIFICATE_VALIDITY_PERIOD=${PEBBLE_CERTIFICATE_VALIDITY_PERIOD:-300}
@@ -350,6 +351,25 @@ ${LOCAL_TEST_BLOCK}"
 echo "Pebble and p2p-forge deployed successfully..."
 }
+deploy-bee-autotls-wss-expose() {
+ if [[ "${P2P_WSS_ENABLE}" != "true" ]]; then
+ return 0
+ fi
+ echo "exposing bee-autotls-0 WSS for TLS verification from host..."
+ if [[ -z $BEE_CONFIG ]]; then
+ config
+ fi
+ if [[ -f "${BEE_CONFIG}"/bee-autotls-wss-expose.yaml ]] && grep -q "^apiVersion:" "${BEE_CONFIG}"/bee-autotls-wss-expose.yaml 2>/dev/null; then
+ envsubst '${NAMESPACE},${BEE_AUTOTLS_FIRST_NODE_INSTANCE}' < "${BEE_CONFIG}"/bee-autotls-wss-expose.yaml | kubectl apply -f -
+ elif [[ -f config/bee-autotls-wss-expose.yaml ]]; then
+ envsubst '${NAMESPACE},${BEE_AUTOTLS_FIRST_NODE_INSTANCE}' < config/bee-autotls-wss-expose.yaml | kubectl apply -f -
+ else
+ echo "bee-autotls-wss-expose.yaml not found, skipping..."
+ return 0
+ fi
+ echo "bee-autotls-0 WSS exposed on NodePort 31635..."
+}
+
 stop() {
 if [[ -n $CI ]]; then
 echo "action not supported for CI"
@@ -431,7 +451,7 @@ for OPT in $OPTS; do
 fi
 done
-ACTIONS=(build check destroy geth install k8s-local uninstall start stop run prepare add-hosts del-hosts)
+ACTIONS=(build check destroy geth install k8s-local uninstall start stop run prepare add-hosts del-hosts deploy-p2p-wss deploy-bee-autotls-wss-expose)
 if [[ " ${ACTIONS[*]} " == *"$ACTION"* ]]; then
 if [[ $ACTION == "run" ]]; then
 check
@@ -443,6 +463,7 @@ if [[ " ${ACTIONS[*]} " == *"$ACTION"* ]]; then
 fi
 deploy-p2p-wss
 install
+ deploy-bee-autotls-wss-expose
 elif [[ $ACTION == "prepare" ]]; then
 check
 add-hosts
@@ -454,6 +475,7 @@ if [[ " ${ACTIONS[*]} " == *"$ACTION"* ]]; then
 build
 fi
 deploy-p2p-wss
+ deploy-bee-autotls-wss-expose
 else
 $ACTION
 fi
diff --git a/config/bee-autotls-wss-expose.yaml b/config/bee-autotls-wss-expose.yaml
new file mode 100644
index 0000000..5547ce4
--- /dev/null
+++ b/config/bee-autotls-wss-expose.yaml
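Review bot: The closing `echo "bee-autotls-0 WSS exposed on NodePort 31635..."` in `deploy-bee-autotls-wss-expose` is printed even when `kubectl apply` fails, because neither pipeline's status is checked; whether the script runs under `set -e` or `pipefail` is not visible in this hunk. Ending each pipeline with `| kubectl apply -f - || return 1` would surface the failure to the `run` and `prepare` callers. Both messages also hard-code `bee-autotls-0` although the Service is built from `BEE_AUTOTLS_FIRST_NODE_INSTANCE`; `echo "${BEE_AUTOTLS_FIRST_NODE_INSTANCE} WSS exposed on NodePort 31635..."` keeps them accurate. The `elif` branch reads `config/bee-autotls-wss-expose.yaml` relative to the current directory, so which manifest gets applied depends on where the script is started.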
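Review bot: The two names added to `ACTIONS` are still checked by the context line `if [[ " ${ACTIONS[*]} " == *"$ACTION"* ]]; then`, which is a substring match, so any fragment of a listed name passes and falls through to the bare `$ACTION` call visible in the last hunk of this file. Anchoring the pattern on the separators, `if [[ " ${ACTIONS[*]} " == *" $ACTION "* ]]; then`, accepts only whole action names. `deploy-bee-autotls-wss-expose` returns early unless `P2P_WSS_ENABLE` is `true`, so a one-line comment above `ACTIONS` saying that this action does nothing without the flag would spare users a silent no-op.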
@@ -0,0 +1,21 @@
+# Exposes the first autotls node's WSS port (1635) as NodePort 31635
+# so beekeeper can verify TLS from the host when forge-tls-host-address is set.
+# BEE_AUTOTLS_FIRST_NODE_INSTANCE must match the first node's instance label (e.g. bee-autotls-0).
+apiVersion: v1
+kind: Service
+metadata:
+ name: ${BEE_AUTOTLS_FIRST_NODE_INSTANCE}-wss
+ namespace: ${NAMESPACE}
+ labels:
+ app: bee-autotls-wss-expose
+spec:
+ type: NodePort
+ ports:
+ - name: wss
+ port: 1635
+ targetPort: 1635
+ protocol: TCP
+ nodePort: 31635
+ selector:
+ app.kubernetes.io/name: bee
+ app.kubernetes.io/instance: ${BEE_AUTOTLS_FIRST_NODE_INSTANCE}
diff --git a/config/k3d.yaml b/config/k3d.yaml
index bb8e3e7..449fa44 100644
--- a/config/k3d.yaml
+++ b/config/k3d.yaml
@@ -12,6 +12,12 @@ ports:
 - port: 30533:30533/udp
 nodeFilters:
 - server:0
+ - port: 31635:31635
+ nodeFilters:
+ - server:0
+ - port: 31500:31500
+ nodeFilters:
+ - server:0
 registries:
 create:
 proxy:
diff --git a/config/pebble-deployment.yaml b/config/pebble-deployment.yaml
index c268d58..b3c3c7f 100644
--- a/config/pebble-deployment.yaml
+++ b/config/pebble-deployment.yaml
@@ -83,7 +83,7 @@ metadata:
 labels:
 app: pebble
 spec:
- type: ClusterIP
+ type: NodePort
 ports:
 - name: http
 port: 80
@@ -101,5 +101,6 @@ spec:
 port: 15000
 targetPort: 15000
 protocol: TCP
+ nodePort: 31500
 selector:
 app: pebble
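Review bot: Changing the `pebble` Service to `type: NodePort` exposes every port in its list on the node, not only 15000: `http` (80) and any other entry without a `nodePort` gets one assigned from the NodePort range. Port 15000 is, by Pebble's defaults, its management interface, which hands out the test CA material, and with the `31500:31500` mapping added to config/k3d.yaml in this patch it becomes reachable from the host's network. Leaving this Service as `ClusterIP` and adding a separate NodePort Service for 15000 only, the way bee-autotls-wss-expose.yaml does for 1635, limits the exposure to the one port that is needed. A comment next to `nodePort: 31500` naming the matching k3d mapping would document the coupling; the Service's port list starts above the second hunk.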