Merge pull request #5 from disentangle-network/feature/nebula-mesh

Add nebula-pq DaemonSet and ConfigMap templates

Author: disentangle-network

.github/workflows/integration-test.yml

@@ -29,11 +29,18 @@ jobs:
           node_image: kindest/node:${{ matrix.k8s-version }}
           cluster_name: disentangle-test
 
-      - name: Build test image (or use existing)
+      - name: Pull and load real image into kind
         run: |
-          # For CI, we use a mock/stub image since we can't build the full Rust binary
-          # In production CI, this would build from the protocol repo
-          echo "Using chart default image (pull from registry)"
+          # Read appVersion from Chart.yaml to stay in sync with the chart.
+          # Pull the platform-specific image then re-tag to strip the multi-arch
+          # manifest index, which kind's containerd import cannot handle.
+          APP_VERSION=$(grep '^appVersion:' helm/disentangle/Chart.yaml | sed 's/appVersion: *"\(.*\)"/\1/')
+          IMAGE="ghcr.io/disentangle-network/disentangle-node:${APP_VERSION}"
+          echo "Pulling ${IMAGE} (linux/amd64)"
+          docker pull --platform linux/amd64 "${IMAGE}"
+          IMGID=$(docker images --no-trunc -q "${IMAGE}" | head -1)
+          docker tag "${IMGID}" "${IMAGE}"
+          kind load docker-image "${IMAGE}" --name disentangle-test
 
       - name: Install chart
         run: |

helm/disentangle/Chart.yaml

@@ -3,7 +3,7 @@ name: disentangle
 description: Helm chart for Disentangle Protocol network deployment
 type: application
 version: 0.1.0
-appVersion: "0.3.1"
+appVersion: "v0.4.0"
 license: Apache-2.0
 keywords:
   - blockchain

helm/disentangle/templates/nebula-configmap.yaml

@@ -0,0 +1,46 @@
+{{- if .Values.nebula.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "disentangle.fullname" . }}-nebula-config
+  labels:
+    {{- include "disentangle.labels" . | nindent 4 }}
+    app.kubernetes.io/component: nebula
+data:
+  config.yaml: |
+    pki:
+      ca: /etc/nebula/certs/ca.crt
+      cert: /etc/nebula/certs/host.crt
+      key: /etc/nebula/certs/host.key
+      curve: PQ
+
+    {{- if eq .Values.nebula.mode "lighthouse" }}
+    lighthouse:
+      am_lighthouse: true
+    {{- else }}
+    lighthouse:
+      am_lighthouse: false
+      hosts:
+        - "{{ .Values.nebula.lighthouseAddr }}"
+    {{- end }}
+
+    listen:
+      host: 0.0.0.0
+      port: {{ .Values.nebula.port }}
+
+    punchy:
+      punch: true
+
+    tun:
+      disabled: false
+      dev: nebula1
+
+    firewall:
+      outbound:
+        {{- toYaml .Values.nebula.firewall.outbound | nindent 8 }}
+      inbound:
+        {{- toYaml .Values.nebula.firewall.inbound | nindent 8 }}
+
+    logging:
+      level: info
+{{- end }}

helm/disentangle/templates/nebula-daemonset.yaml

@@ -0,0 +1,57 @@
+{{- if .Values.nebula.enabled }}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ include "disentangle.fullname" . }}-nebula
+  labels:
+    {{- include "disentangle.labels" . | nindent 4 }}
+    app.kubernetes.io/component: nebula
+spec:
+  selector:
+    matchLabels:
+      {{- include "disentangle.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: nebula
+  template:
+    metadata:
+      labels:
+        {{- include "disentangle.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/component: nebula
+    spec:
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+      containers:
+        - name: nebula
+          image: "{{ .Values.nebula.image.repository }}:{{ .Values.nebula.image.tag }}"
+          imagePullPolicy: {{ .Values.nebula.image.pullPolicy }}
+          securityContext:
+            capabilities:
+              add: ["NET_ADMIN"]
+          ports:
+            - containerPort: {{ .Values.nebula.port }}
+              protocol: UDP
+              name: nebula
+          volumeMounts:
+            - name: nebula-config
+              mountPath: /etc/nebula
+              readOnly: true
+            - name: nebula-certs
+              mountPath: /etc/nebula/certs
+              readOnly: true
+            - name: tun
+              mountPath: /dev/net/tun
+          command:
+            - nebula
+            - -config
+            - /etc/nebula/config.yaml
+      volumes:
+        - name: nebula-config
+          configMap:
+            name: {{ include "disentangle.fullname" . }}-nebula-config
+        - name: nebula-certs
+          secret:
+            secretName: {{ .Values.nebula.certSecretName }}
+        - name: tun
+          hostPath:
+            path: /dev/net/tun
+            type: CharDevice
+{{- end }}

helm/disentangle/values.yaml

@@ -90,6 +90,35 @@ securityContext:
   runAsNonRoot: true
   runAsUser: 1000
 
+# Nebula-PQ overlay mesh
+nebula:
+  enabled: false
+  image:
+    repository: ghcr.io/disentangle-network/nebula-pq
+    tag: "latest"
+    pullPolicy: IfNotPresent
+  # Mode: "lighthouse" or "node"
+  mode: "node"
+  # Overlay network CIDR (e.g., 10.42.0.0/16)
+  overlayCidr: "10.42.0.0/16"
+  # Lighthouse address (ip:port) - required for mode=node
+  lighthouseAddr: ""
+  # Port for nebula UDP traffic
+  port: 4242
+  # Certificate secret name (created by launch mesh add, SOPS-encrypted)
+  certSecretName: "nebula-certs"
+  # Firewall rules
+  firewall:
+    outbound:
+      - port: any
+        proto: any
+        host: any
+    inbound:
+      - port: any
+        proto: any
+        groups:
+          - disentangle
+
 # Node scheduling
 nodeSelector: {}
 tolerations: []

tests/golden/custom-resources.yaml

@@ -8,7 +8,7 @@ metadata:
     helm.sh/chart: disentangle-0.1.0
     app.kubernetes.io/name: disentangle
     app.kubernetes.io/instance: golden-test
-    app.kubernetes.io/version: "0.3.1"
+    app.kubernetes.io/version: "v0.4.0"
     app.kubernetes.io/managed-by: Helm
 spec:
   minAvailable: 6
@@ -26,7 +26,7 @@ metadata:
     helm.sh/chart: disentangle-0.1.0
     app.kubernetes.io/name: disentangle
     app.kubernetes.io/instance: golden-test
-    app.kubernetes.io/version: "0.3.1"
+    app.kubernetes.io/version: "v0.4.0"
     app.kubernetes.io/managed-by: Helm
 ---
 # Source: disentangle/templates/configmap.yaml
@@ -38,7 +38,7 @@ metadata:
     helm.sh/chart: disentangle-0.1.0
     app.kubernetes.io/name: disentangle
     app.kubernetes.io/instance: golden-test
-    app.kubernetes.io/version: "0.3.1"
+    app.kubernetes.io/version: "v0.4.0"
     app.kubernetes.io/managed-by: Helm
 data:
   cluster-config.yaml: |
@@ -67,7 +67,7 @@ metadata:
     helm.sh/chart: disentangle-0.1.0
     app.kubernetes.io/name: disentangle
     app.kubernetes.io/instance: golden-test
-    app.kubernetes.io/version: "0.3.1"
+    app.kubernetes.io/version: "v0.4.0"
     app.kubernetes.io/managed-by: Helm
 spec:
   type: ClusterIP
@@ -94,7 +94,7 @@ metadata:
     helm.sh/chart: disentangle-0.1.0
     app.kubernetes.io/name: disentangle
     app.kubernetes.io/instance: golden-test
-    app.kubernetes.io/version: "0.3.1"
+    app.kubernetes.io/version: "v0.4.0"
     app.kubernetes.io/managed-by: Helm
 spec:
   type: ClusterIP
@@ -116,7 +116,7 @@ metadata:
     helm.sh/chart: disentangle-0.1.0
     app.kubernetes.io/name: disentangle
     app.kubernetes.io/instance: golden-test
-    app.kubernetes.io/version: "0.3.1"
+    app.kubernetes.io/version: "v0.4.0"
     app.kubernetes.io/managed-by: Helm
 spec:
   serviceName: golden-test-disentangle-headless
@@ -138,7 +138,7 @@ spec:
           type: RuntimeDefault
       containers:
       - name: disentangle-node
-        image: ghcr.io/disentangle-network/disentangle-node:0.3.1
+        image: ghcr.io/disentangle-network/disentangle-node:v0.4.0
         imagePullPolicy: IfNotPresent
         securityContext:
           allowPrivilegeEscalation: false
@@ -220,7 +220,7 @@ metadata:
     helm.sh/chart: disentangle-0.1.0
     app.kubernetes.io/name: disentangle
     app.kubernetes.io/instance: golden-test
-    app.kubernetes.io/version: "0.3.1"
+    app.kubernetes.io/version: "v0.4.0"
     app.kubernetes.io/managed-by: Helm
   annotations:
     "helm.sh/hook": test
@@ -284,7 +284,7 @@ metadata:
     helm.sh/chart: disentangle-0.1.0
     app.kubernetes.io/name: disentangle
     app.kubernetes.io/instance: golden-test
-    app.kubernetes.io/version: "0.3.1"
+    app.kubernetes.io/version: "v0.4.0"
     app.kubernetes.io/managed-by: Helm
   annotations:
     "helm.sh/hook": test
@@ -357,7 +357,7 @@ metadata:
     helm.sh/chart: disentangle-0.1.0
     app.kubernetes.io/name: disentangle
     app.kubernetes.io/instance: golden-test
-    app.kubernetes.io/version: "0.3.1"
+    app.kubernetes.io/version: "v0.4.0"
     app.kubernetes.io/managed-by: Helm
   annotations:
     "helm.sh/hook": test

tests/golden/default.yaml

@@ -8,7 +8,7 @@ metadata:
     helm.sh/chart: disentangle-0.1.0
     app.kubernetes.io/name: disentangle
     app.kubernetes.io/instance: golden-test
-    app.kubernetes.io/version: "0.3.1"
+    app.kubernetes.io/version: "v0.4.0"
     app.kubernetes.io/managed-by: Helm
 spec:
   minAvailable: 3
@@ -26,7 +26,7 @@ metadata:
     helm.sh/chart: disentangle-0.1.0
     app.kubernetes.io/name: disentangle
     app.kubernetes.io/instance: golden-test
-    app.kubernetes.io/version: "0.3.1"
+    app.kubernetes.io/version: "v0.4.0"
     app.kubernetes.io/managed-by: Helm
 ---
 # Source: disentangle/templates/configmap.yaml
@@ -38,7 +38,7 @@ metadata:
     helm.sh/chart: disentangle-0.1.0
     app.kubernetes.io/name: disentangle
     app.kubernetes.io/instance: golden-test
-    app.kubernetes.io/version: "0.3.1"
+    app.kubernetes.io/version: "v0.4.0"
     app.kubernetes.io/managed-by: Helm
 data:
   cluster-config.yaml: |
@@ -67,7 +67,7 @@ metadata:
     helm.sh/chart: disentangle-0.1.0
     app.kubernetes.io/name: disentangle
     app.kubernetes.io/instance: golden-test
-    app.kubernetes.io/version: "0.3.1"
+    app.kubernetes.io/version: "v0.4.0"
     app.kubernetes.io/managed-by: Helm
 spec:
   type: ClusterIP
@@ -94,7 +94,7 @@ metadata:
     helm.sh/chart: disentangle-0.1.0
     app.kubernetes.io/name: disentangle
     app.kubernetes.io/instance: golden-test
-    app.kubernetes.io/version: "0.3.1"
+    app.kubernetes.io/version: "v0.4.0"
     app.kubernetes.io/managed-by: Helm
 spec:
   type: ClusterIP
@@ -116,7 +116,7 @@ metadata:
     helm.sh/chart: disentangle-0.1.0
     app.kubernetes.io/name: disentangle
     app.kubernetes.io/instance: golden-test
-    app.kubernetes.io/version: "0.3.1"
+    app.kubernetes.io/version: "v0.4.0"
     app.kubernetes.io/managed-by: Helm
 spec:
   serviceName: golden-test-disentangle-headless
@@ -138,7 +138,7 @@ spec:
           type: RuntimeDefault
       containers:
       - name: disentangle-node
-        image: ghcr.io/disentangle-network/disentangle-node:0.3.1
+        image: ghcr.io/disentangle-network/disentangle-node:v0.4.0
         imagePullPolicy: IfNotPresent
         securityContext:
           allowPrivilegeEscalation: false
@@ -220,7 +220,7 @@ metadata:
     helm.sh/chart: disentangle-0.1.0
     app.kubernetes.io/name: disentangle
     app.kubernetes.io/instance: golden-test
-    app.kubernetes.io/version: "0.3.1"
+    app.kubernetes.io/version: "v0.4.0"
     app.kubernetes.io/managed-by: Helm
   annotations:
     "helm.sh/hook": test
@@ -284,7 +284,7 @@ metadata:
     helm.sh/chart: disentangle-0.1.0
     app.kubernetes.io/name: disentangle
     app.kubernetes.io/instance: golden-test
-    app.kubernetes.io/version: "0.3.1"
+    app.kubernetes.io/version: "v0.4.0"
     app.kubernetes.io/managed-by: Helm
   annotations:
     "helm.sh/hook": test
@@ -357,7 +357,7 @@ metadata:
     helm.sh/chart: disentangle-0.1.0
     app.kubernetes.io/name: disentangle
     app.kubernetes.io/instance: golden-test
-    app.kubernetes.io/version: "0.3.1"
+    app.kubernetes.io/version: "v0.4.0"
     app.kubernetes.io/managed-by: Helm
   annotations:
     "helm.sh/hook": test