### ------- helpers --------------------------------------------------------- function _need --description "ensure a command exists" for c in $argv if not type -q $c echo (set_color red)"Error:"(set_color normal)" missing required command: $c" >&2 return 1 end end end function _banner --description "pretty section header" -a MSG set_color cyan echo echo "==> $MSG" set_color normal end # 32-char alphanumeric generator (fast, no shell-specials) function _rand_alnum32 if type -q openssl openssl rand -base64 48 2>/dev/null | tr -dc 'A-Za-z0-9' | head -c 32 else dd if=/dev/urandom bs=48 count=1 2>/dev/null | base64 | tr -dc 'A-Za-z0-9' | head -c 32 end end # Convert any string to a k8s-safe name (RFC-1123 label-ish) function _k8s_name --description "sanitize to RFC-1123 label" -a S set s (string lower -- $S) set s (string replace -ar -- '[^a-z0-9-]' '-' $s) set s (string replace -r -- '^-+' '' $s) set s (string replace -r -- '-+$' '' $s) echo $s end # Simple non-empty check function _require --description "require a non-empty value" -a WHAT VAL if test -z "$VAL" echo (set_color red)"Error:"(set_color normal)" $WHAT cannot be empty. Aborting." >&2 return 1 end end # List SCs in a stable way function _sc_list --description "list storageclasses as menu" kubectl get storageclass -o json | jq -r ' .items[] | {name: .metadata.name, provisioner: .provisioner, reclaim: (.reclaimPolicy // "Delete"), default: ( .metadata.annotations["storageclass.kubernetes.io/is-default-class"] == "true" or .metadata.annotations["storageclass.beta.kubernetes.io/is-default-class"] == "true") } | "\(.name)\t\(.provisioner)\t\(.reclaim)\t\((.default|tostring))" ' 2>/dev/null end # convert XMR -> piconero (atomic units) with Python (exact function _xmr_to_atomic -a AMT _need python3; or return 1 printf '%s' 'from decimal import Decimal, getcontext import sys getcontext().prec = 50 amt = Decimal(sys.argv[1]) atomic = int((amt * Decimal("1000000000000")).to_integral_value(rounding="ROUND_HALF_UP")) print(atomic) ' | python3 - "$AMT" end # Choose SC (menu -> stderr; selection -> stdout) function _choose_sc --description "interactive StorageClass picker" set lines (_sc_list) if test (count $lines) -eq 0 echo (set_color red)"Error:"(set_color normal)" No StorageClasses found." >&2 return 1 end echo "" >&2 echo "==> Available StorageClasses" >&2 echo " # | name | provisioner | reclaim | default" >&2 echo "----+----------------------+------------------------+---------+--------" >&2 set i 1 for l in $lines set name (echo $l | awk -F'\t' '{print $1}') set prov (echo $l | awk -F'\t' '{print $2}') set rec (echo $l | awk -F'\t' '{print $3}') set def (echo $l | awk -F'\t' '{print $4}') printf " %2d | %-20s | %-22s | %-7s | %s\n" $i $name $prov $rec $def >&2 set i (math $i + 1) end set prefer (printf "%s\n" $lines | awk -F'\t' '$3=="Retain"{print $1}' | head -n1) if test -z "$prefer" set prefer (printf "%s\n" $lines | awk -F'\t' '$4=="true"{print $1}' | head -n1) end if test -z "$prefer" set prefer (printf "%s\n" $lines | awk -F'\t' '{print $1}' | head -n1) end read -P "Pick StorageClass by number or name (blank = $prefer): " choice if test -z "$choice" echo "Using StorageClass: $prefer" >&2 echo $prefer return 0 end if string match -qr '^[0-9]+$' -- $choice set idx (math $choice) if test $idx -lt 1 -o $idx -gt (count $lines) echo (set_color red)"Error:"(set_color normal)" Choice out of range." >&2 return 1 end set sel (printf "%s\n" $lines[$idx] | awk -F'\t' '{print $1}') echo "Using StorageClass: $sel" >&2 echo $sel return 0 end set found (printf "%s\n" $lines | awk -F'\t' -v want="$choice" '$1==want{print $1}') if test -z "$found" echo (set_color red)"Error:"(set_color normal)" No StorageClass named '$choice'." >&2 return 1 end echo "Using StorageClass: $found" >&2 echo $found end # ---------- port-forward helpers (stderr logs) ---------- function _pf_start --description "start port-forward in bg: sets global PF_PID" -a NS SVC LOCAL REMOTE set -g PF_PID "" if test -z "$LOCAL"; set LOCAL 18083; end if test -z "$REMOTE"; set REMOTE 18083; end echo "Starting port-forward: svc/$SVC $LOCAL:$REMOTE (ns=$NS)…" >&2 kubectl -n $NS port-forward svc/$SVC $LOCAL:$REMOTE >/dev/null 2>&1 & set -g PF_PID $last_pid sleep 1 end function _pf_stop --description "stop port-forward if running" if test -n "$PF_PID" echo "Stopping port-forward (pid $PF_PID)…" >&2 kill $PF_PID 2>/dev/null; or true set -e PF_PID end end # Minimal JSON-RPC caller for wallet RPC function _rpc_call --description "call wallet JSON-RPC via localhost pf" -a RPCUSER RPCPASS METHOD PARAMS set url "http://127.0.0.1:18083/json_rpc" if test -z "$PARAMS" set payload (printf '{"jsonrpc":"2.0","id":"0","method":"%s"}' $METHOD) else set payload (printf '{"jsonrpc":"2.0","id":"0","method":"%s","params":%s}' $METHOD "$PARAMS") end curl -s --fail --digest -u "$RPCUSER:$RPCPASS" \ -H "Content-Type: application/json" \ -d "$payload" "$url" end # Probe a monerod and assert it looks like Monero mainnet (not test/stage), not "qubic". # Usage: _probe_monerod host:port function _probe_monerod -a ADDR if test -z "$ADDR" echo (set_color red)"Error:"(set_color normal)" _probe_monerod needs host:port" >&2 return 1 end if string match -qi '*qubic*' -- $ADDR echo (set_color red)"Refusing daemon '$ADDR' (contains 'qubic'). This is NOT a Monero node."(set_color normal) >&2 return 1 end # Try up to 3 short attempts for t in (seq 1 3) set ok 0 set raw (curl -s --max-time 7 "http://$ADDR/get_info" 2>/dev/null) if test -n "$raw" set mstatus (echo $raw | jq -r '.status // "OK"') set testnet (echo $raw | jq -r '.testnet // false') set stagenet (echo $raw | jq -r '.stagenet // false') set height (echo $raw | jq -r '.height // .target_height // 0') if test "$mstatus" = "OK" set ok 1 end end if test $ok -eq 0 set raw (curl -s --max-time 7 -H 'Content-Type: application/json' \ -d '{"jsonrpc":"2.0","id":"0","method":"get_info"}' "http://$ADDR/json_rpc" \ | jq -r '.result? | @json' 2>/dev/null) if test -n "$raw" set mstatus (echo $raw | jq -r '.status // "OK"') set testnet (echo $raw | jq -r '.testnet // false') set stagenet (echo $raw | jq -r '.stagenet // false') set height (echo $raw | jq -r '.height // .target_height // 0') if test "$mstatus" = "OK" set ok 1 end end end if test $ok -eq 1 if test "$testnet" = "true" -o "$stagenet" = "true" echo (set_color red)"Refusing non-mainnet daemon (testnet=$testnet stagenet=$stagenet) at $ADDR."(set_color normal) >&2 return 1 end echo "Daemon OK: Monero mainnet, height=$height" return 0 end sleep 1 end echo (set_color red)"Could not speak Monero /get_info to $ADDR. Not a monerod (or blocked)."(set_color normal) >&2 echo "Tip: run your own monerod or set WALLETSVC_SKIP_DAEMON_CHECK=1 to bypass." >&2 return 1 end # Wait for wallet RPC to accept connections (digest auth get_version) function walletsvc_wait_ready -a NS SVC SECS if test -z "$NS"; set NS crypto; end if test -z "$SVC"; set SVC wallet-rpc; end if test -z "$SECS"; set SECS 60; end set RPCUSER (kubectl -n $NS get secret {$SVC}-rpc-auth -o jsonpath='{.data.username}' | base64 -d 2>/dev/null) set RPCPASS (kubectl -n $NS get secret {$SVC}-rpc-auth -o jsonpath='{.data.password}' | base64 -d 2>/dev/null) if test -z "$RPCUSER" -o -z "$RPCPASS" echo (set_color red)"Error:"(set_color normal)" missing RPC creds in secret {$SVC}-rpc-auth" >&2 return 1 end _pf_start $NS $SVC 18083 18083 set tries (math "ceil($SECS/2)") for i in (seq 1 $tries) set code (curl -s -o /dev/null -w "%{http_code}" --digest -u "$RPCUSER:$RPCPASS" \ -H 'Content-Type: application/json' \ -d '{"jsonrpc":"2.0","id":"0","method":"get_version"}' \ http://127.0.0.1:18083/json_rpc) if test "$code" = "200" _pf_stop return 0 end sleep 2 end _pf_stop echo (set_color red)"RPC not ready after $SECS seconds."(set_color normal) >&2 return 1 end ### ------- main workflow --------------------------------------------------- function walletsvc_bootstrap --description "Interactive setup of monero-wallet-rpc with PVC+secrets; creates default wallet and prints recovery info" _need kubectl jq curl awk; or return 1 _banner "Monero wallet RPC bootstrap" # --- Namespace read -P "Namespace [crypto]: " ns_raw if test -z "$ns_raw"; set ns_raw crypto; end set ns (_k8s_name $ns_raw) _require "Namespace" $ns; or return 1 echo "Ensuring namespace '$ns' exists…" if kubectl get ns $ns >/dev/null 2>&1 echo "Namespace $ns already exists." else kubectl create ns $ns; or return 1 echo "Created namespace $ns." end # --- StorageClass kubectl get storageclass echo "TIP: Prefer a class with reclaimPolicy=Retain so a PVC delete won't delete the PV." set sc (_choose_sc); or return 1 # --- Unified name (prefix wallet-monero-) read -P "Wallet name (no spaces, e.g. 'brad', base will be wallet-monero-brad): " wallet_raw _require "Wallet name" $wallet_raw; or return 1 if string match -rq '\s' -- $wallet_raw echo (set_color red)"Error:"(set_color normal)" Wallet name cannot contain spaces." >&2 return 1 end set base (_k8s_name $wallet_raw) set base (string replace -r '^wallet-monero-' '' -- $base) set name "wallet-monero-$base" # Bind all k8s object names to the unified base set pvc_name $name set app_name $name set svc_name $name set rpc_secret_name "$app_name-rpc-auth" set wpass_secret_name "$app_name-wallet-pass" # --- Detect existing resources (all of them) set exists_any 0 set found_list for r in "deploy/$app_name" "svc/$svc_name" "netpol/{$app_name}-ingress" if kubectl -n $ns get $r >/dev/null 2>&1 set -a found_list $r set exists_any 1 end end if kubectl -n $ns get pvc $pvc_name >/dev/null 2>&1 set -a found_list "pvc/$pvc_name" set exists_any 1 end if kubectl -n $ns get secret $rpc_secret_name >/dev/null 2>&1 set -a found_list "secret/$rpc_secret_name" set exists_any 1 end if kubectl -n $ns get secret $wpass_secret_name >/dev/null 2>&1 set -a found_list "secret/$wpass_secret_name" set exists_any 1 end if test $exists_any -eq 1 _banner "Existing resources detected for $name" for r in $found_list echo " - $ns/$r" end read -P "Remove EVERYTHING (deploy/svc/netpol/PVC/SECRETS) and recreate? (y/N): " wipe if string match -qi 'y*' -- $wipe kubectl -n $ns delete deploy $app_name --ignore-not-found --wait=true >/dev/null 2>&1; or true kubectl -n $ns delete svc $svc_name --ignore-not-found --wait=true >/dev/null 2>&1; or true kubectl -n $ns delete netpol {$app_name}-ingress --ignore-not-found --wait=true >/dev/null 2>&1; or true kubectl -n $ns delete pvc $pvc_name --ignore-not-found --wait=true >/dev/null 2>&1; or true kubectl -n $ns delete secret $rpc_secret_name --ignore-not-found >/dev/null 2>&1; or true kubectl -n $ns delete secret $wpass_secret_name --ignore-not-found >/dev/null 2>&1; or true echo "Cleaned up all previous resources." else echo "Reusing existing resources; they will be applied in-place." end end # --- Node scheduling (worker-only by default) read -P "Schedule only on worker nodes? (y/N) [y]: " pin_workers if test -z "$pin_workers"; set pin_workers y; end set use_pin 0 if string match -qi 'y*' -- $pin_workers set use_pin 1 read -P "Worker label key [node-role.kubernetes.io/worker]: " node_label_key if test -z "$node_label_key"; set node_label_key node-role.kubernetes.io/worker; end read -P "Worker label value [true]: " node_label_val if test -z "$node_label_val"; set node_label_val true; end end # --- Daemon (auto-use local monerod) echo echo "Monero daemon: using your cluster-local monerod by default." if test "$ns" = "crypto" set daemon_addr monerod:18081 else set daemon_addr monerod.crypto.svc.cluster.local:18081 end echo "Daemon address (for the Deployment): $daemon_addr" read -P "Override daemon address for this deployment? (host:port, blank to keep): " daemon_override if test -n "$daemon_override" set daemon_addr $daemon_override end if test -z "$WALLETSVC_SKIP_DAEMON_CHECK" _banner "Probing daemon via temporary port-forward" set PF_LOCAL 28081 _pf_start crypto monerod $PF_LOCAL 18081 if not _probe_monerod 127.0.0.1:$PF_LOCAL _pf_stop return 1 end _pf_stop else echo "Skipping daemon probe due to WALLETSVC_SKIP_DAEMON_CHECK=1" end # Use your private image by default (in Zot) read -P "Container image for wallet RPC [registry.bstein.dev/infra/monero-wallet-rpc:0.18.4.1]: " image if test -z "$image"; set image registry.bstein.dev/infra/monero-wallet-rpc:0.18.4.1; end _require "Container image" $image; or return 1 # --- Secrets (defaults: RPC user=wallet name, passwords auto if missing) set existing_rpc_user (kubectl -n $ns get secret $rpc_secret_name -o jsonpath='{.data.username}' 2>/dev/null | base64 -d 2>/dev/null) set existing_rpc_pass (kubectl -n $ns get secret $rpc_secret_name -o jsonpath='{.data.password}' 2>/dev/null | base64 -d 2>/dev/null) set existing_wpass (kubectl -n $ns get secret $wpass_secret_name -o jsonpath='{.data.password}' 2>/dev/null | base64 -d 2>/dev/null) set rpc_user_default $base if test -n "$existing_rpc_user" set rpc_user_default $existing_rpc_user end read -P "RPC username [$rpc_user_default]: " rpc_user if test -z "$rpc_user"; set rpc_user $rpc_user_default; end _require "RPC username" $rpc_user; or return 1 read -s -P "RPC password [leave blank to keep current or auto-generate if none]: " rpc_pass echo if test -z "$rpc_pass" if test -n "$existing_rpc_pass" set rpc_pass $existing_rpc_pass else set rpc_pass (_rand_alnum32) end end read -P "Wallet filename (no path) [main]: " wallet_file_raw if test -z "$wallet_file_raw"; set wallet_file_raw main; end set wallet_file (_k8s_name $wallet_file_raw) _require "Wallet filename" $wallet_file; or return 1 read -s -P "Wallet password [leave blank to keep current or auto-generate if none]: " wallet_pass echo if test -z "$wallet_pass" if test -n "$existing_wpass" set wallet_pass $existing_wpass else set wallet_pass (_rand_alnum32) end end _banner "Summary" echo " Namespace: $ns" echo " StorageClass: $sc" echo " Base name: $name" echo " PVC: $pvc_name" echo " App/Deployment: $app_name" echo " Service: $svc_name" echo " Daemon address: $daemon_addr" echo " Image: $image" echo " RPC user: $rpc_user" echo " Wallet file: /data/$wallet_file" if test $use_pin -eq 1 echo " NodeSelector: $node_label_key=$node_label_val" end read -P "Proceed? [y/N]: " proceed if not string match -qi 'y*' -- $proceed echo (set_color yellow)"Aborted by user at confirmation step."(set_color normal) return 1 end _banner "Applying secrets" kubectl -n $ns create secret generic $rpc_secret_name \ --from-literal=username="$rpc_user" \ --from-literal=password="$rpc_pass" \ --dry-run=client -o yaml | kubectl -n $ns apply -f -; or return 1 kubectl -n $ns create secret generic $wpass_secret_name \ --from-literal=password="$wallet_pass" \ --dry-run=client -o yaml | kubectl -n $ns apply -f -; or return 1 set ts (date -Is) kubectl -n $ns annotate secret $rpc_secret_name walletsvc.titan/update-ts="$ts" --overwrite >/dev/null 2>&1 kubectl -n $ns annotate secret $wpass_secret_name walletsvc.titan/update-ts="$ts" --overwrite >/dev/null 2>&1 echo "RPC creds: user='$rpc_user' pass='$rpc_pass'" echo "Wallet pass: $wallet_pass" _banner "Applying PVC" if kubectl -n $ns get pvc $pvc_name >/dev/null 2>&1 echo "PVC $ns/$pvc_name exists; keeping as-is." else set pvcfile (mktemp -t {$pvc_name}-pvc.XXXX.yaml) begin echo "apiVersion: v1" echo "kind: PersistentVolumeClaim" echo "metadata:" echo " name: $pvc_name" echo " namespace: $ns" echo "spec:" echo " accessModes: [\"ReadWriteOnce\"]" echo " storageClassName: $sc" echo " resources:" echo " requests:" echo " storage: 5Gi" end > $pvcfile echo "--- PVC manifest ($pvcfile) ---" cat $pvcfile kubectl apply -f $pvcfile; or return 1 end _banner "Applying Deployment" set dply (mktemp -t {$app_name}-deploy.XXXX.yaml) begin echo "apiVersion: apps/v1" echo "kind: Deployment" echo "metadata:" echo " name: $app_name" echo " namespace: $ns" echo " labels: { app: $app_name }" echo "spec:" echo " replicas: 1" echo " strategy:" echo " type: Recreate" echo " selector:" echo " matchLabels: { app: $app_name }" echo " template:" echo " metadata:" echo " labels: { app: $app_name }" echo " spec:" if test $use_pin -eq 1 echo " nodeSelector:" echo " $node_label_key: \"$node_label_val\"" end echo " securityContext:" echo " fsGroup: 1000" echo " fsGroupChangePolicy: OnRootMismatch" echo " initContainers:" echo " - name: volume-permissions" echo " image: busybox:1.36" echo " command: [\"/bin/sh\",\"-lc\",\"chown :1000 /data && chmod 0770 /data\"]" echo " securityContext:" echo " runAsUser: 0" echo " volumeMounts:" echo " - name: data" echo " mountPath: /data" echo " containers:" echo " - name: wallet-rpc" echo " image: $image" echo " imagePullPolicy: Always" echo " command: [\"/bin/sh\",\"-lc\"]" echo " args:" echo " - |" echo " RPCU=\$(cat /run/monero-secrets/rpc-user);" echo " RPCP=\$(cat /run/monero-secrets/rpc-pass);" echo " exec /usr/local/bin/monero-wallet-rpc \\" echo " --wallet-dir /data \\" echo " --daemon-address $daemon_addr \\" echo " --rpc-bind-ip 0.0.0.0 --rpc-bind-port 18083 \\" echo " --rpc-login \"\${RPCU}:\${RPCP}\" \\" echo " --confirm-external-bind" echo " ports:" echo " - containerPort: 18083" echo " volumeMounts:" echo " - name: data" echo " mountPath: /data" echo " - name: rpc-auth" echo " mountPath: /run/monero-secrets" echo " readOnly: true" echo " resources:" echo " requests: { cpu: \"100m\", memory: \"128Mi\" }" echo " limits: { cpu: \"1\", memory: \"512Mi\" }" echo " volumes:" echo " - name: data" echo " persistentVolumeClaim: { claimName: $pvc_name }" echo " - name: rpc-auth" echo " secret:" echo " secretName: $rpc_secret_name" echo " items:" echo " - key: username" echo " path: rpc-user" echo " - key: password" echo " path: rpc-pass" end > $dply echo "--- Deployment manifest ($dply) ---" head -n 70 $dply echo "..." kubectl apply -f $dply; or return 1 _banner "Applying Service" set svc (mktemp -t {$app_name}-svc.XXXX.yaml) begin echo "apiVersion: v1" echo "kind: Service" echo "metadata:" echo " name: $svc_name" echo " namespace: $ns" echo " labels: { app: $app_name }" echo "spec:" echo " type: ClusterIP" echo " selector: { app: $app_name }" echo " ports:" echo " - name: rpc" echo " port: 18083" echo " targetPort: 18083" end > $svc echo "--- Service manifest ($svc) ---" cat $svc kubectl apply -f $svc; or return 1 _banner "Applying NetworkPolicy (same-namespace-only)" set np (mktemp -t {$app_name}-netpol.XXXX.yaml) begin echo "apiVersion: networking.k8s.io/v1" echo "kind: NetworkPolicy" echo "metadata:" printf " name: %s-ingress\n" $app_name echo " namespace: $ns" echo "spec:" echo " podSelector: { matchLabels: { app: $app_name } }" echo " policyTypes: [\"Ingress\"]" echo " ingress:" echo " - from:" echo " - namespaceSelector:" echo " matchLabels:" echo " kubernetes.io/metadata.name: $ns" echo " ports:" echo " - port: 18083" echo " protocol: TCP" end > $np echo "--- NetworkPolicy manifest ($np) ---" cat $np kubectl apply -f $np; or return 1 _banner "Ensuring pod picks up latest secrets" kubectl -n $ns rollout restart deploy/$app_name >/dev/null 2>&1; or true _banner "Waiting for rollout" if not kubectl -n $ns rollout status deploy/$app_name --timeout=180s echo (set_color red)"Rollout did not finish in time. Recent events:"(set_color normal) >&2 kubectl -n $ns get events --sort-by=.lastTimestamp | tail -n 40 echo (set_color yellow)"Hint:"(set_color normal)" if you see Multi-Attach for the PVC, delete any older pod." return 1 end _banner "Waiting for wallet RPC readiness" walletsvc_wait_ready $ns $svc_name 60; or return 1 _banner "Creating/opening wallet via JSON-RPC" if not walletsvc_check_write $ns $app_name >/dev/null echo (set_color red)"PVC is not writable; aborting."(set_color normal) return 1 end # Always attempt create; if it exists, open it. if not walletsvc_create_wallet $ns $svc_name $wallet_file $wallet_pass echo (set_color yellow)"create_wallet returned non-zero; attempting open anyway…"(set_color normal) end if not walletsvc_open $ns $svc_name $wallet_file $wallet_pass echo (set_color red)"Failed to open wallet $wallet_file. If this wallet already exists, the on-disk password may differ from the Secret. Use walletsvc_open with the correct password or walletsvc_change_wallet_password."(set_color normal) return 1 end # --- Gather summary data (address, seed if enabled) set PRIMARY (walletsvc_primary_address $ns $svc_name 2>/dev/null) set NEWADDR (walletsvc_new_address $ns $svc_name "bootstrap-deposit" 0 2>/dev/null | awk '/New address:/{print $3}' ) set SEEDRAW (walletsvc_show_seed $ns $svc_name 2>&1) set SEED (echo $SEEDRAW | awk '/Mnemonic seed:/,0{if($0!~/Mnemonic seed:/)print}' ) _banner "Done" echo "Namespace: $ns" echo "Base name: $name" echo "Service (in-cluster): $svc_name:18083" echo "PVC: $pvc_name via StorageClass '$sc'" echo "RPC auth: user='$rpc_user'" echo "RPC pass: $rpc_pass" echo "Wallet pass: $wallet_pass" echo "Wallet file: /data/$wallet_file" echo "Primary address (acct 0):" echo " $PRIMARY" if test -n "$NEWADDR" echo "Fresh deposit subaddress (acct 0):" echo " $NEWADDR" end if string match -qi '*Mnemonic seed:*' -- $SEEDRAW echo (set_color yellow)"Mnemonic seed (WRITE THIS DOWN, OFFLINE):"(set_color normal) echo $SEED else echo "Mnemonic seed not retrievable via RPC (image may disable it)." echo "If needed and supported by your image: walletsvc_show_seed $ns $svc_name" end echo echo "Access locally: walletsvc_portforward $ns $svc_name # then http://127.0.0.1:18083/json_rpc" echo "Quick overview: walletsvc_overview $ns $svc_name" end ### ------- utilities ------------------------------------------------------- function walletsvc_portforward --description "port-forward RPC to localhost:18083" -a NS SVC if test -z "$NS"; set NS crypto; end if test -z "$SVC"; set SVC wallet-rpc; end echo "Forwarding $NS/$SVC → http://127.0.0.1:18083 (Ctrl+C to stop)…" kubectl -n $NS port-forward svc/$SVC 18083:18083 end function walletsvc_status --description "show pod/service status" -a NS APP if test -z "$NS"; set NS crypto; end if test -z "$APP"; set APP wallet-rpc; end kubectl -n $NS get deploy,po,svc,netpol -l app=$APP -o wide end function walletsvc_stop --description "stop the RPC but keep PVC + secrets" -a NS APP SVC if test -z "$NS"; set NS crypto; end if test -z "$APP"; set APP wallet-rpc; end if test -z "$SVC"; set SVC $APP; end kubectl -n $NS delete deploy $APP --ignore-not-found kubectl -n $NS delete svc $SVC --ignore-not-found echo "Stopped $NS/$APP. PVC and secrets retained." end function walletsvc_purge --description "IRREVERSIBLY delete PVC + secrets (keys on disk!)" -a NS APP PVC SVC if test -z "$NS"; set NS crypto; end if test -z "$APP"; set APP wallet-rpc; end if test -z "$PVC"; set PVC wallet-data; end if test -z "$SVC"; set SVC $APP; end echo "Type to confirm: PURGE $NS $PVC" read CONFIRM if test "$CONFIRM" != "PURGE $NS $PVC" echo "Aborted." return 1 end kubectl -n $NS delete deploy $APP --ignore-not-found kubectl -n $NS delete svc $SVC --ignore-not-found kubectl -n $NS delete pvc $PVC --ignore-not-found --wait=true kubectl -n $NS delete secret $APP-wallet-pass --ignore-not-found kubectl -n $NS delete secret $APP-rpc-auth --ignore-not-found echo "Purged. Ensure you have the mnemonic backed up if you ever need to restore." end function walletsvc_show_seed --description "Try to fetch mnemonic via RPC query_key (wallet must be open)" -a NS SVC RPCUSER RPCPASS _need jq curl; or return 1 if test -z "$NS"; set NS crypto; end if test -z "$SVC"; set SVC wallet-rpc; end if test -z "$RPCUSER" set RPCUSER (kubectl -n $NS get secret {$SVC}-rpc-auth -o jsonpath='{.data.username}' | base64 -d) end if test -z "$RPCPASS" set RPCPASS (kubectl -n $NS get secret {$SVC}-rpc-auth -o jsonpath='{.data.password}' | base64 -d) end _pf_start $NS $SVC 18083 18083 set res (_rpc_call $RPCUSER $RPCPASS query_key '{"key_type":"mnemonic"}') _pf_stop set err (echo $res | jq -r '.error.message // empty') if test -n "$err" echo "query_key error: $err" echo "Some images disable returning mnemonics via RPC. Consider backing up offline." return 1 end echo "Mnemonic seed:" echo $res | jq -r '.result.key' end # ---------- core JSON-RPC wrapper (raw JSON to stdout) ---------- function walletsvc_rpc_call --description "RPC call with secrets (auto port-forward)" -a NS SVC METHOD PARAMS_JSON if test -z "$NS"; set NS crypto; end if test -z "$SVC"; set SVC wallet-rpc; end if test -z "$METHOD" echo "Usage: walletsvc_rpc_call [ns] [svc] [params_json]" >&2 return 1 end set RPCUSER (kubectl -n $NS get secret {$SVC}-rpc-auth -o jsonpath='{.data.username}' | base64 -d) set RPCPASS (kubectl -n $NS get secret {$SVC}-rpc-auth -o jsonpath='{.data.password}' | base64 -d) _pf_start $NS $SVC 18083 18083 if test -n "$PARAMS_JSON" set payload (printf '{"jsonrpc":"2.0","id":"0","method":"%s","params":%s}' $METHOD "$PARAMS_JSON") else set payload (printf '{"jsonrpc":"2.0","id":"0","method":"%s"}' $METHOD) end set tmp (mktemp) set code (curl -s --digest -u "$RPCUSER:$RPCPASS" \ -H 'Content-Type: application/json' \ -o $tmp -w "%{http_code}" \ -d "$payload" "http://127.0.0.1:18083/json_rpc") set rc $status _pf_stop set body (cat $tmp); rm -f $tmp if test $rc -ne 0 echo "RPC transport error ($METHOD): curl exit $rc" >&2 echo $body return $rc end if test "$code" != "200" echo "RPC HTTP $code ($METHOD)" >&2 echo $body return 1 end echo $body return 0 end function walletsvc_rpc_test --description "get_version using secrets" -a NS SVC walletsvc_rpc_call $NS $SVC get_version | jq . end # Rotate RPC username/password (updates Secret & restarts Deploy) function walletsvc_set_rpc_credentials --description "rotate RPC Basic creds" -a NS APP _need kubectl; or return 1 if test -z "$NS"; set NS crypto; end if test -z "$APP"; set APP wallet-rpc; end set SNAME {$APP}-rpc-auth read -P "New RPC username [leave blank to keep current]: " NEWUSER if test -z "$NEWUSER" set NEWUSER (kubectl -n $NS get secret $SNAME -o jsonpath='{.data.username}' | base64 -d) end read -s -P "New RPC password [blank = auto-generate 32 alnum]: " NEWPASS echo if test -z "$NEWPASS"; set NEWPASS (_rand_alnum32); end echo "Updating secret $NS/$SNAME and restarting $APP…" kubectl -n $NS create secret generic $SNAME \ --from-literal=username="$NEWUSER" \ --from-literal=password="$NEWPASS" \ --dry-run=client -o yaml | kubectl -n $NS apply -f -; or return 1 kubectl -n $NS annotate secret $SNAME walletsvc.titan/update-ts=(date -Is) --overwrite >/dev/null 2>&1 kubectl -n $NS rollout restart deploy/$APP kubectl -n $NS rollout status deploy/$APP --timeout=180s; or return 1 echo "New RPC creds:" echo " user: $NEWUSER" echo " pass: $NEWPASS" end # Change wallet file password via RPC function walletsvc_change_wallet_password --description "change password of a wallet file via RPC" -a NS SVC if test -z "$NS"; set NS crypto; end if test -z "$SVC"; set SVC wallet-rpc; end read -P "Wallet filename (under /data): " WFILE if test -z "$WFILE" echo "Wallet filename required." >&2 return 1 end read -s -P "Current wallet password: " OLD echo read -s -P "New wallet password [blank = auto-generate 32 alnum]: " NEW echo if test -z "$NEW"; set NEW (_rand_alnum32); end set res (walletsvc_rpc_call $NS $SVC open_wallet (printf '{"filename":"%s","password":"%s"}' $WFILE $OLD)) walletsvc_rpc_call $NS $SVC change_wallet_password (printf '{"old_password":"%s","new_password":"%s"}' $OLD $NEW) echo "New wallet password: $NEW" end # --- logs from the deployment (quick tail) --- function walletsvc_logs -a NS APP LINES if test -z "$NS"; set NS crypto; end if test -z "$APP"; set APP wallet-rpc; end if test -z "$LINES"; set LINES 200; end kubectl -n $NS logs deploy/$APP --tail=$LINES end # --- list files in /data inside the pod --- function walletsvc_wallet_ls -a NS APP if test -z "$NS"; set NS crypto; end if test -z "$APP"; set APP wallet-rpc; end echo "Listing /data in $NS/$APP…" >&2 kubectl -n $NS exec deploy/$APP -- sh -lc 'ls -la /data || true' end # --- create a wallet (uses Secret password if PASS omitted) --- function walletsvc_create_wallet -a NS SVC FILE PASS LANG if test -z "$NS"; set NS crypto; end if test -z "$SVC"; set SVC wallet-rpc; end if test -z "$FILE" echo "Usage: walletsvc_create_wallet [ns] [svc] [pass] [language]" >&2 return 1 end if test -z "$PASS" set PASS (kubectl -n $NS get secret {$SVC}-wallet-pass -o jsonpath='{.data.password}' | base64 -d 2>/dev/null) end if test -z "$LANG"; set LANG English; end set payload (printf '{"filename":"%s","password":"%s","language":"%s"}' $FILE $PASS $LANG) set res (walletsvc_rpc_call $NS $SVC create_wallet $payload) set rc $status if test $rc -ne 0 echo (set_color red)"create_wallet RPC transport failed (rc=$rc)."(set_color normal) >&2 return $rc end set err (echo $res | jq -r '.error.message // empty') if test -n "$err" if string match -q "*already exists*" -- $err echo "Wallet $FILE already exists." return 0 end echo "create_wallet error: $err" >&2 return 1 end echo "Created wallet: $FILE" end # --- improved opener: closes first, checks files, hints if password mismatch --- function walletsvc_open -a NS SVC FILE PASS if test -z "$NS"; set NS crypto; end if test -z "$SVC"; set SVC wallet-rpc; end if test -z "$FILE" echo "Usage: walletsvc_open [ns] [svc] [password]" >&2 return 1 end if test -z "$PASS" set PASS (kubectl -n $NS get secret {$SVC}-wallet-pass -o jsonpath='{.data.password}' | base64 -d 2>/dev/null) end if test -z "$PASS" read -s -P "Wallet password for $FILE: " PASS; echo end walletsvc_rpc_call $NS $SVC close_wallet >/dev/null 2>&1; or true set res (walletsvc_rpc_call $NS $SVC open_wallet (printf '{"filename":"%s","password":"%s"}' $FILE $PASS)) set rc $status if test $rc -ne 0 echo (set_color red)"open_wallet RPC transport failed (rc=$rc)."(set_color normal) >&2 return $rc end set exists (kubectl -n $NS exec deploy/$SVC -- sh -lc (printf 'test -e /data/%s -o -e /data/%s.keys && echo yes || echo no' $FILE $FILE) 2>/dev/null) if test "$exists" = "no" echo "No wallet files at /data/$FILE{,.keys}. If this should be a new wallet, run:" >&2 echo " walletsvc_create_wallet $NS $SVC $FILE" >&2 return 1 end set tmp (mktemp) walletsvc_rpc_call $NS $SVC open_wallet (printf '{"filename":"%s","password":"%s"}' $FILE $PASS) > $tmp set rc $status set res (cat $tmp); rm -f $tmp if test $rc -ne 0 echo "open_wallet transport/HTTP error (rc=$rc)" >&2 echo $res | jq . >&2 return $rc end set err (echo $res | jq -r '.error.message // empty' 2>/dev/null) if test -n "$err" echo "open_wallet error: $err" >&2 if string match -q "*password*" -- (string lower -- $err) echo "Hint: Secret {$SVC}-wallet-pass may not match the files on disk. Try supplying the pass explicitly." >&2 end return 1 end echo $res | jq . end function walletsvc_check_write -a NS APP if test -z "$NS"; set NS crypto; end if test -z "$APP"; set APP wallet-rpc; end kubectl -n $NS exec deploy/$APP -- sh -lc 'echo test-$(date +%s) > /data/.write-test && ls -l /data/.write-test && rm -f /data/.write-test' end # --- ensure wallet is open (create if missing) --- function walletsvc_ensure_open -a NS SVC FILE if test -z "$NS"; set NS crypto; end if test -z "$SVC"; set SVC wallet-rpc; end if test -z "$FILE"; set FILE main; end set exists (kubectl -n $NS exec deploy/$SVC -- sh -lc (printf 'if [ -e "/data/%s" ] || [ -e "/data/%s.keys" ]; then echo yes; else echo no; fi' $FILE $FILE) 2>/dev/null) if test "$exists" = "no" echo "No /data/$FILE found. Creating…" >&2 walletsvc_create_wallet $NS $SVC $FILE; or return 1 end walletsvc_open $NS $SVC $FILE; or return 1 end # --- quick primary address print (account 0) function walletsvc_primary_address -a NS SVC if test -z "$NS"; set NS crypto; end if test -z "$SVC"; set SVC wallet-rpc; end _pf_start $NS $SVC 18083 18083 set resp (curl -s --fail --digest \ -u (kubectl -n $NS get secret {$SVC}-rpc-auth -o jsonpath='{.data.username}' | base64 -d):(kubectl -n $NS get secret {$SVC}-rpc-auth -o jsonpath='{.data.password}' | base64 -d) \ -H 'Content-Type: application/json' \ -d '{"jsonrpc":"2.0","id":"0","method":"get_address","params":{"account_index":0}}' \ http://127.0.0.1:18083/json_rpc) _pf_stop echo $resp | jq -r '.result.address' end # --- show unlocked balance quickly function walletsvc_unlocked -a NS SVC _need python3; or return 1 if test -z "$NS"; set NS crypto; end if test -z "$SVC"; set SVC wallet-rpc; end set res (walletsvc_rpc_call $NS $SVC get_balance '{"account_index":0}') set bal (echo $res | jq -r '.result.balance // 0') set unl (echo $res | jq -r '.result.unlocked_balance // 0') # Convert piconero -> XMR using Python (fish-safe) set balx (python3 -c 'from decimal import Decimal; import sys; print(Decimal(sys.argv[1]) / Decimal("1e12"))' -- $bal) set unlx (python3 -c 'from decimal import Decimal; import sys; print(Decimal(sys.argv[1]) / Decimal("1e12"))' -- $unl) echo "balance=$balx XMR unlocked=$unlx XMR" end # --- wait until unlocked balance >= threshold (XMR), timeout seconds function walletsvc_wait_unlocked -a NS SVC XMR_MIN TIMEOUT _need python3; or return 1 if test -z "$NS"; set NS crypto; end if test -z "$SVC"; set SVC wallet-rpc; end if test -z "$XMR_MIN"; set XMR_MIN 0; end if test -z "$TIMEOUT"; set TIMEOUT 300; end set start (date +%s) while true set res (walletsvc_rpc_call $NS $SVC get_balance '{"account_index":0}') set unl (echo $res | jq -r '.result.unlocked_balance // 0') set unlx (python3 -c 'from decimal import Decimal; import sys; print(Decimal(sys.argv[1]) / Decimal("1e12"))' -- $unl) set ge (python3 -c 'from decimal import Decimal; import sys; print(1 if Decimal(sys.argv[1]) >= Decimal(sys.argv[2]) else 0)' -- $unlx $XMR_MIN) if test $ge -eq 1 echo "Unlocked: $unlx XMR (≥ $XMR_MIN)" return 0 end if test (math (date +%s) - $start) -ge $TIMEOUT echo "Timed out waiting for unlocked balance ≥ $XMR_MIN XMR (current $unlx XMR)." return 1 end sleep 6 end end # ---------- friendly overview ---------- function walletsvc_overview -a NS SVC ACCOUNT if test -z "$NS"; set NS crypto; end if test -z "$SVC"; set SVC wallet-rpc; end if test -z "$ACCOUNT"; set ACCOUNT 0; end set RPCUSER (kubectl -n $NS get secret {$SVC}-rpc-auth -o jsonpath='{.data.username}' | base64 -d) set RPCPASS (kubectl -n $NS get secret {$SVC}-rpc-auth -o jsonpath='{.data.password}' | base64 -d) _pf_start $NS $SVC 18083 18083 echo "== Wallet RPC overview (ns=$NS svc=$SVC acct=$ACCOUNT)" set resp (curl -s --fail --digest -u "$RPCUSER:$RPCPASS" \ -H 'Content-Type: application/json' \ -d '{"jsonrpc":"2.0","id":"0","method":"get_version"}' \ http://127.0.0.1:18083/json_rpc) echo $resp | jq -r '"-- Version:\n version=\(.result.version) release=\(.result.release)"' set resp (curl -s --fail --digest -u "$RPCUSER:$RPCPASS" \ -H 'Content-Type: application/json' \ -d '{"jsonrpc":"2.0","id":"0","method":"get_height"}' \ http://127.0.0.1:18083/json_rpc) set err (echo $resp | jq -r '.error.message // empty') echo "-- Height:" if test -n "$err" echo " ERROR: $err" echo " (Tip: open your wallet: walletsvc_open $NS $SVC main)" else echo $resp | jq -r '" wallet_height=\(.result.height)"' end set resp (curl -s --fail --digest -u "$RPCUSER:$RPCPASS" \ -H 'Content-Type: application/json' \ -d '{"jsonrpc":"2.0","id":"0","method":"get_accounts"}' \ http://127.0.0.1:18083/json_rpc) set err (echo $resp | jq -r '.error.message // empty') echo "-- Accounts:" if test -n "$err" echo " ERROR: $err" else echo $resp | jq -r '.result.subaddress_accounts[] | " [\(.account_index)] \(.label) total=\(.balance/1000000000000) XMR unlocked=\(.unlocked_balance/1000000000000) XMR"' end set BODY (printf '{"account_index":%s}' $ACCOUNT) set resp (curl -s --fail --digest -u "$RPCUSER:$RPCPASS" \ -H 'Content-Type: application/json' \ -d (printf '{"jsonrpc":"2.0","id":"0","method":"get_balance","params":%s}' "$BODY") \ http://127.0.0.1:18083/json_rpc) set err (echo $resp | jq -r '.error.message // empty') echo "-- Account balance:" if test -n "$err" echo " ERROR: $err" else echo $resp | jq -r '" balance=\(.result.balance/1000000000000) XMR unlocked=\(.result.unlocked_balance/1000000000000) XMR"' end set resp (curl -s --fail --digest -u "$RPCUSER:$RPCPASS" \ -H 'Content-Type: application/json' \ -d (printf '{"jsonrpc":"2.0","id":"0","method":"get_address","params":{"account_index":%s}}' $ACCOUNT) \ http://127.0.0.1:18083/json_rpc) set err (echo $resp | jq -r '.error.message // empty') echo "-- Primary address (account base):" if test -n "$err" echo " ERROR: $err" else echo $resp | jq -r '.result.address' end echo "-- First 5 subaddresses:" if test -n "$err" echo " (skipped due to error above)" else echo $resp | jq -r '.result.addresses[:5][] | " [\(.address_index)] \(.address) label=\(.label) used=\(.used)"' end set BODY (printf '{"account_index":%s,"in":true}' $ACCOUNT) set in (curl -s --fail --digest -u "$RPCUSER:$RPCPASS" \ -H 'Content-Type: application/json' \ -d (printf '{"jsonrpc":"2.0","id":"0","method":"get_transfers","params":%s}' "$BODY") \ http://127.0.0.1:18083/json_rpc) echo "-- Recent transfers (incoming, last 5):" echo $in | jq -r '.result.in // [] | (.[-5:] // [])[] | " + \(.amount/1000000000000) XMR conf=\(.confirmations) tx=\(.txid)"' set BODY (printf '{"account_index":%s,"out":true}' $ACCOUNT) set out (curl -s --fail --digest -u "$RPCUSER:$RPCPASS" \ -H 'Content-Type: application/json' \ -d (printf '{"jsonrpc":"2.0","id":"0","method":"get_transfers","params":%s}' "$BODY") \ http://127.0.0.1:18083/json_rpc) echo "-- Recent transfers (outgoing, last 5):" echo $out | jq -r '.result.out // [] | (.[-5:] // [])[] | " - \(.amount/1000000000000) XMR conf=\(.confirmations) tx=\(.txid)"' set BODY (printf '{"account_index":%s,"pool":true}' $ACCOUNT) set pool (curl -s --fail --digest -u "$RPCUSER:$RPCPASS" \ -H 'Content-Type: application/json' \ -d (printf '{"jsonrpc":"2.0","id":"0","method":"get_transfers","params":%s}' "$BODY") \ http://127.0.0.1:18083/json_rpc) echo "-- Mempool (unconfirmed incoming):" echo $pool | jq -r '.result.pool // [] | .[] | " ~ \(.amount/1000000000000) XMR tx=\(.txid)"' _pf_stop end # ---------- list addresses ---------- function walletsvc_list_addresses -a NS SVC ACCOUNT if test -z "$NS"; set NS crypto; end if test -z "$SVC"; set SVC wallet-rpc; end if test -z "$ACCOUNT"; set ACCOUNT 0; end set RPCUSER (kubectl -n $NS get secret {$SVC}-rpc-auth -o jsonpath='{.data.username}' | base64 -d) set RPCPASS (kubectl -n $NS get secret {$SVC}-rpc-auth -o jsonpath='{.data.password}' | base64 -d) _pf_start $NS $SVC 18083 18083 set BODY (printf '{"account_index":%s}' $ACCOUNT) set resp (curl -s --fail --digest -u "$RPCUSER:$RPCPASS" \ -H 'Content-Type: application/json' \ -d (printf '{"jsonrpc":"2.0","id":"0","method":"get_address","params":%s}' "$BODY") \ http://127.0.0.1:18083/json_rpc) _pf_stop set err (echo $resp | jq -r '.error.message // empty') if test -n "$err" echo "ERROR: $err" >&2 return 1 end echo $resp | jq -r '.result.addresses[] | "[\(.address_index)] \(.address) label=\(.label) used=\(.used)"' end # ---------- new subaddress ---------- function walletsvc_new_address -a NS SVC LABEL ACCOUNT if test -z "$NS"; set NS crypto; end if test -z "$SVC"; set SVC wallet-rpc; end if test -z "$ACCOUNT"; set ACCOUNT 0; end if test -z "$LABEL"; set LABEL (printf "deposit-%s" (date +%Y%m%d-%H%M%S)); end set RPCUSER (kubectl -n $NS get secret {$SVC}-rpc-auth -o jsonpath='{.data.username}' | base64 -d) set RPCPASS (kubectl -n $NS get secret {$SVC}-rpc-auth -o jsonpath='{.data.password}' | base64 -d) _pf_start $NS $SVC 18083 18083 set BODY (printf '{"account_index":%s,"label":"%s"}' $ACCOUNT $LABEL) set resp (curl -s --fail --digest -u "$RPCUSER:$RPCPASS" \ -H 'Content-Type: application/json' \ -d (printf '{"jsonrpc":"2.0","id":"0","method":"create_address","params":%s}' "$BODY") \ http://127.0.0.1:18083/json_rpc) _pf_stop set err (echo $resp | jq -r '.error.message // empty') if test -n "$err" echo "ERROR: $err" >&2 return 1 end echo $resp | jq -r --arg L "$LABEL" '"New address: \(.result.address) [index=\(.result.address_index)] label=" + $L' end # --- send a specific amount XMR to a single address (optionally payment_id) # Usage: walletsvc_send [ns] [svc] [payment_id_hex] function walletsvc_send -a NS SVC TO AMT_XMR PID _need jq curl python3; or return 1 if test -z "$NS"; set NS crypto; end if test -z "$SVC"; set SVC wallet-rpc; end if test -z "$TO" -o -z "$AMT_XMR" echo "Usage: walletsvc_send [ns] [svc] [payment_id_hex]" >&2 return 1 end # Convert amount to atomic units set ATOMIC (_xmr_to_atomic $AMT_XMR) if test -z "$ATOMIC" echo "Failed to convert amount '$AMT_XMR' to piconero." >&2 return 1 end # Build JSON set body_base (printf '{"destinations":[{"amount":%s,"address":"%s"}],"account_index":0,"priority":1,"get_tx_key":true,"do_not_relay":false}' $ATOMIC $TO) if test -n "$PID" set body (string replace '}' ',"payment_id":"'$PID'"}' -- $body_base) else set body $body_base end set res (walletsvc_rpc_call $NS $SVC transfer $body) set err (echo $res | jq -r '.error.message // empty') if test -n "$err" echo "ERROR: $err" >&2 return 1 end set fee (echo $res | jq -r '.result.fee // 0') set tx (echo $res | jq -r '.result.tx_hash // (.result.tx_hash_list[0] // "")') # piconero -> XMR without heredoc set fee_xmr (python3 -c 'from decimal import Decimal; import sys; print(Decimal(sys.argv[1]) / Decimal("1e12"))' -- $fee) echo "Sent transaction:" echo " tx: $tx" echo " fee: $fee_xmr XMR ($fee piconero)" end # --- sweep all unlocked funds to an address (account 0) # Usage: walletsvc_sweep_all [ns] [svc] function walletsvc_sweep_all -a NS SVC TO _need jq curl; or return 1 if test -z "$NS"; set NS crypto; end if test -z "$SVC"; set SVC wallet-rpc; end if test -z "$TO" echo "Usage: walletsvc_sweep_all [ns] [svc] " >&2 return 1 end set body (printf '{"address":"%s","account_index":0,"priority":1,"do_not_relay":false,"get_tx_keys":true}' $TO) set res (walletsvc_rpc_call $NS $SVC sweep_all $body) set err (echo $res | jq -r '.error.message // empty') if test -n "$err" echo "ERROR: $err" >&2 return 1 end echo "Sweep transactions:" echo $res | jq -r '.result.tx_hash_list[]? | " tx: " + .' end # Optional: non-sensitive cluster snapshot to help tune manifests. function cluster_probe set OUT cluster-snapshot.txt printf "# Cluster snapshot %s\n" (date -Is) > $OUT printf "\n## kubectl version\n" >> $OUT kubectl version --short >> $OUT 2>&1 printf "\n## Nodes\n" >> $OUT kubectl get nodes -o wide >> $OUT printf "\n### Node resources\n" >> $OUT kubectl describe nodes | egrep -i 'Name:|Roles:|Capacity:|Allocatable:|cpu|memory|ephemeral' >> $OUT printf "\n## Namespaces\n" >> $OUT kubectl get ns >> $OUT printf "\n## StorageClasses (summary)\n" >> $OUT kubectl get storageclass >> $OUT printf "\n## StorageClasses (yaml)\n" >> $OUT kubectl get storageclass -o yaml >> $OUT printf "\n## PV/PVC\n" >> $OUT kubectl get pv >> $OUT 2>/dev/null kubectl get pvc -A >> $OUT 2>/dev/null printf "\n## Ingress / Services\n" >> $OUT kubectl get ingressclass >> $OUT 2>/dev/null kubectl get ingress -A >> $OUT 2>/dev/null kubectl get svc -A | egrep -i 'NAMESPACE|LoadBalancer|EXTERNAL-IP|traefik|ingress' >> $OUT printf "\n## kube-system pods (CNI hint)\n" >> $OUT kubectl -n kube-system get pods -o wide >> $OUT 2>/dev/null printf "\n## Default limits/quotas\n" >> $OUT kubectl -n default get limitrange,resourcequota >> $OUT 2>/dev/null printf "\n## Tools present on your machine\n" >> $OUT for t in kubectl helm jq curl awk envsubst fish if type -q $t printf "%s: OK\n" $t >> $OUT else printf "%s: MISSING\n" $t >> $OUT end end echo "Wrote $OUT — paste the contents here." end # --- one-line command reference (keep in sync) --- function walletsvc_help echo "walletsvc_bootstrap # interactive deploy + secrets + PVC + first wallet (multiwallet RPC), idempotent" echo "walletsvc_status [ns] [app] # show deploy, pods, service, netpol (default ns=crypto)" echo "walletsvc_portforward [ns] [svc] # port-forward RPC to localhost:18083 (CTRL+C to stop)" echo "walletsvc_logs [ns] [app] [N] # tail N (default 200) lines of RPC pod logs" echo "walletsvc_wallet_ls [ns] [app] # list files under /data in the RPC pod (check wallet files)" echo "walletsvc_rpc_test [ns] [svc] # JSON-RPC get_version (sanity check)" echo "walletsvc_rpc_call [ns] [svc] [params_json] # raw JSON (stdout) with digest auth" echo "walletsvc_open [ns] [svc] [pass] # close_wallet (ignore) -> open_wallet" echo "walletsvc_create_wallet [ns] [svc] [pass] [lang]# create wallet (defaults: pass from Secret, lang=English)" echo "walletsvc_ensure_open [ns] [svc] [file] # create if missing, then open (uses Secret pass)" echo "walletsvc_overview [ns] [svc] [acct=0] # version, height, balances, a few addresses, recent transfers" echo "walletsvc_list_addresses [ns] [svc] [acct=0] # list all subaddresses for account" echo "walletsvc_new_address [ns] [svc] [label] [acct=0] # create labeled subaddress" echo "walletsvc_set_rpc_credentials [ns] [app] # rotate RPC basic auth (secret + rollout)" echo "walletsvc_change_wallet_password [ns] [svc] # change wallet file password via RPC" echo "walletsvc_stop [ns] [app] [svc] # delete deployment+service only" echo "walletsvc_purge [ns] [app] [pvc] [svc] # delete deploy+svc+PVC+secrets (danger!)" end function walletsvc_help_detailed echo "Commands (defaults: ns=crypto, svc/app=wallet-rpc)" echo echo "walletsvc_bootstrap" echo " Interactive deploy: creates/updates secrets, PVC, Deployment (fsGroup+init perms), Service, NetPolicy." echo " Idempotent: if deploy/svc/netpol already exist, you can clean them up (PVC+secrets kept) and continue." echo " Uses your in-cluster monerod by default (monerod:18081 in ns=crypto)." echo " Probes it via a temporary port-forward so it works from your workstation." echo " Set WALLETSVC_SKIP_DAEMON_CHECK=1 to bypass the daemon probe (not recommended)." end