feat: support provider v0.12.0 — Gateway API migration + cert-manager automation (#66)

* docs: add Gateway API migration implementation plan (#65)

Step-by-step plan for adding v0.12.0 Gateway API support to
provider-console-api. Covers new install flow, dedicated migration
endpoint, cert-manager + DNS-01 (Cloudflare/CloudDNS) automation,
helm values backup, and manual verification checklist.

* config: bump provider defaults to v0.12.0 and add Gateway API/cert-manager pins (#65)

* config: clarify version-prefix difference between GATEWAY_API_CRD_REF and NGINX_GATEWAY_FABRIC_VERSION (#65)

* model: add CertManagerInput for cert-manager DNS-01 config (#65)

* model: use Pydantic v2 ConfigDict + field_validator and reject malformed clouddns SA (#65)

* model: require cert_manager block on ProviderBuildInput, default acme_email from provider.config.email (#65)

* fix: handle empty loc on root validators and avoid in-place dict mutation (#65)

* service: add GatewayApiService for NGF + akash-gateway install (#65)

* service: ensure akash-default-tls temp key cleanup runs on failure (#65)

* service: add CertManagerService with DNS-01 cloudflare/clouddns + wait-for-Ready (#65)

* fix(certmgr): drop cloudflare solver email, suppress streaming on redact, harden ClusterIssuer + Certificate (#65)

* service: drop ingress-nginx install from ProviderService and clean up NGF values file (#65)

* service: drop redundant NGF values cleanup entry, ~/provider/ already covers it (#65)

* service: wire Gateway API + cert-manager into build-provider task flow (#65)

* service: add MigrationService for v0.11.x to v0.12.0 Gateway API migration (#65)

* fix(migrate): catch InvalidVersion, refresh price script, drop dead __init__, use 404 for missing provider (#65)

* api: add POST /provider/migrate-gateway-api endpoint with 14-task orchestrator (#65)

* service: close SSH client and log errors in migrate_gateway_api (#65)

* fix: heartbeat during cert wait + validate domain in migrate endpoint (#65)

- Add periodic heartbeat to certificate readiness wait to prevent operator
  seeing timeout/hang appearance for 600s wait window (Fix C1)
- Validate domain is non-empty string in migrate_gateway_api endpoint
  before attempting ACME challenge creation (Fix I3)

* service: enable nginx-gateway-fabric snippets in NGF values (#65)

Adds nginxGateway.snippets.enable=true to the values file written by
install_nginx_gateway_fabric, which is shared by both the new-provider
build flow and the v0.11.x to v0.12.0 migration flow. Providers stood
up or migrated through the console now get NGF with snippets support
enabled by default.

* chore: ignore docs/ directory

Keeps local design notes and planning docs (e.g. superpowers specs)
out of the repo.

* fix: preserve exception chains and tighten keyfile lookup (#65)

Address reviewer nits across the migration code path:
- provider_build: use dict.get for control_machine keyfile; suppress
  chaining on the ValidationError/KeyError/Exception handlers via
  `raise ... from None`.
- cert_manager_service, gateway_api_service: chain ApplicationError
  with `from e` and use `{e!s}` formatting so the original traceback
  survives.
- migration_service: explicitly suppress the InvalidVersion context
  with `raise ... from None`.

* chore: bump AKASH_VERSION to v2.0.1 and node helm chart to 15.0.0

* fix: preserve traceback and exception chain in migration error handler

Author: devalpatel67

.gitignore

@@ -16,4 +16,6 @@ __pycache__/
 bin/
 lib/
 Projects/
-pyvenv.cfg
+pyvenv.cfg
+
+docs/*

application/api/provider_build.py

@@ -10,6 +10,7 @@
 from application.exception.application_error import ApplicationError
 from application.model.provider_build_input import ProviderBuildInput
 from application.model.machine_input import ControlMachineInput
+from application.model.cert_manager_input import CertManagerInput
 from application.service.akash_cluster_service import AkashClusterService
 from application.service.provider_service import ProviderService
 from application.utils.ssh_utils import get_ssh_client
@@ -52,7 +53,7 @@ def process_provider_build_input(data: Dict) -> ProviderBuildInput:
                     "message": "The provided configuration is invalid.",
                     "error_code": "VAL_005",
                     "details": [
-                        {"field": error["loc"][0], "message": error["msg"]}
+                        {"field": error["loc"][0] if error["loc"] else "__root__", "message": error["msg"]}
                         for error in e.errors()
                     ],
                 },
@@ -134,7 +135,7 @@ async def build_provider(
                     "message": "Invalid provider build input",
                     "error_code": "VAL_006",
                     "details": [
-                        {"field": error["loc"][0], "message": error["msg"]}
+                        {"field": error["loc"][0] if error["loc"] else "__root__", "message": error["msg"]}
                         for error in ve.errors()
                     ],
                 },
@@ -476,6 +477,100 @@ async def upgrade_provider(
         )
 
 
+@router.post("/provider/migrate-gateway-api", include_in_schema=False)
+async def migrate_gateway_api(
+    background_tasks: BackgroundTasks,
+    machine_input: Dict,
+    wallet_address: str = Depends(verify_token),
+) -> Dict:
+    try:
+        control_machine = machine_input["control_machine"]
+        keyfile_value = control_machine.get("keyfile")
+        if keyfile_value:
+            control_machine["keyfile"] = decode_keyfile_to_uploadfile(keyfile_value)
+        control_machine_input = ControlMachineInput(**control_machine)
+
+        cert_manager_input = CertManagerInput(**machine_input["cert_manager"])
+        domain = machine_input["domain"]
+        if not isinstance(domain, str) or not domain.strip():
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail={
+                    "status": "error",
+                    "error": {
+                        "message": "domain is required and must be a non-empty string",
+                        "error_code": "VAL_010",
+                    },
+                },
+            )
+        if not cert_manager_input.acme_email:
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail={
+                    "status": "error",
+                    "error": {
+                        "message": "cert_manager.acme_email is required for migration",
+                        "error_code": "VAL_007",
+                    },
+                },
+            )
+
+        action_id = str(uuid4())
+        akash_cluster_service = AkashClusterService()
+        background_tasks.add_task(
+            akash_cluster_service.migrate_gateway_api,
+            action_id,
+            control_machine_input,
+            cert_manager_input,
+            domain,
+            wallet_address,
+        )
+        return {
+            "message": "Gateway API migration started successfully",
+            "action_id": action_id,
+        }
+    except HTTPException:
+        raise
+    except ValidationError as ve:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail={
+                "status": "error",
+                "error": {
+                    "message": "Invalid migration input",
+                    "error_code": "VAL_008",
+                    "details": [
+                        {"field": err["loc"][0] if err["loc"] else "__root__", "message": err["msg"]}
+                        for err in ve.errors()
+                    ],
+                },
+            },
+        ) from None
+    except KeyError as ke:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail={
+                "status": "error",
+                "error": {
+                    "message": f"Missing required field: {ke}",
+                    "error_code": "VAL_009",
+                },
+            },
+        ) from None
+    except Exception as e:
+        log.exception("Error starting Gateway API migration")
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail={
+                "status": "error",
+                "error": {
+                    "message": f"An error occurred while starting migration: {e}",
+                    "error_code": "PRV_009",
+                },
+            },
+        ) from e
+
+
 @router.post("/restart-provider", include_in_schema=False)
 async def restart_provider(
     data: Dict,

application/config/config.py

@@ -25,24 +25,32 @@ class Config:
         "https://raw.githubusercontent.com/akash-network/provider-configs/main/devices/pcie/gpus.json",
     )
     KEYRING_BACKEND = environ.get("KEYRING_BACKEND", "file")
-    AKASH_VERSION = environ.get("AKASH_VERSION", "v1.0.0")
+    AKASH_VERSION = environ.get("AKASH_VERSION", "v2.0.1")
     AKASH_NODE_HELM_CHART_VERSION = environ.get(
-        "AKASH_NODE_HELM_CHART_VERSION", "14.0.0"
+        "AKASH_NODE_HELM_CHART_VERSION", "15.0.0"
     )
-    INGRESS_NGINX_VERSION = environ.get("INGRESS_NGINX_VERSION", "4.11.3")
-    PROVIDER_SERVICES_VERSION = environ.get("PROVIDER_SERVICES_VERSION", "v0.10.1")
+    PROVIDER_SERVICES_VERSION = environ.get("PROVIDER_SERVICES_VERSION", "v0.12.0")
     PROVIDER_SERVICES_HELM_CHART_VERSION = environ.get(
-        "PROVIDER_SERVICES_HELM_CHART_VERSION", "14.0.3"
+        "PROVIDER_SERVICES_HELM_CHART_VERSION", "16.0.0"
     )
-    PROVIDER_HOSTNAME_OPERATOR_VERSION = environ.get("PROVIDER_HOSTNAME_OPERATOR_VERSION", "v0.10.0")
-    PROVIDER_INVENTORY_OPERATOR_VERSION = environ.get("PROVIDER_INVENTORY_OPERATOR_VERSION", "v0.10.0")
+    PROVIDER_HOSTNAME_OPERATOR_VERSION = environ.get("PROVIDER_HOSTNAME_OPERATOR_VERSION", "v0.12.0")
+    PROVIDER_INVENTORY_OPERATOR_VERSION = environ.get("PROVIDER_INVENTORY_OPERATOR_VERSION", "v0.12.0")
     PROVIDER_PRICE_SCRIPT_URL = environ.get(
         "PROVIDER_PRICE_SCRIPT_URL",
         "https://raw.githubusercontent.com/akash-network/helm-charts/main/charts/akash-provider/scripts/price_script_generic.sh",
     )
     NVIDIA_DEVICE_PLUGIN_VERSION = environ.get("NVIDIA_DEVICE_PLUGIN_VERSION", "0.14.5")
     ROOK_CEPH_VERSION = environ.get("ROOK_CEPH_VERSION", "1.15.3")
 
+    # Gateway API + cert-manager (v0.12.0 Gateway API migration)
+    CERT_MANAGER_VERSION = environ.get("CERT_MANAGER_VERSION", "v1.19.1")
+    GATEWAY_API_CRD_REF = environ.get("GATEWAY_API_CRD_REF", "v2.5.1")  # git tag ref for kubectl kustomize ?ref= — v-prefix required
+    NGINX_GATEWAY_FABRIC_VERSION = environ.get("NGINX_GATEWAY_FABRIC_VERSION", "2.5.1")  # helm --version, no v-prefix
+    AKASH_GATEWAY_HELM_CHART_VERSION = environ.get("AKASH_GATEWAY_HELM_CHART_VERSION", "1.0.0")
+    CERT_READY_TIMEOUT_SECONDS = int(environ.get("CERT_READY_TIMEOUT_SECONDS", "600"))
+    LETSENCRYPT_PROD_SERVER = "https://acme-v02.api.letsencrypt.org/directory"
+    LETSENCRYPT_STAGING_SERVER = "https://acme-staging-v02.api.letsencrypt.org/directory"
+
     # Authentication
     HOST_NAME = environ.get("HOST_NAME")
     SECURITY_HOST = environ.get("SECURITY_HOST")

application/model/cert_manager_input.py

@@ -0,0 +1,59 @@
+from base64 import b64decode
+from typing import Literal, Optional
+
+from pydantic import BaseModel, ConfigDict, EmailStr, SecretStr, field_validator, model_validator
+
+
+class CloudflareConfig(BaseModel):
+    model_config = ConfigDict(extra="forbid")
+
+    api_token: SecretStr
+
+
+class CloudDnsConfig(BaseModel):
+    model_config = ConfigDict(extra="forbid")
+
+    project: str
+    service_account_json: SecretStr  # raw JSON or base64-encoded JSON
+
+    @field_validator("service_account_json", mode="before")
+    @classmethod
+    def _normalize_b64(cls, v):
+        if not isinstance(v, str):
+            return v
+        raw = v.strip()
+        if raw.startswith("{"):
+            return raw
+        try:
+            decoded = b64decode(raw).decode()
+        except Exception as exc:
+            raise ValueError(
+                "service_account_json must be raw JSON (starting with '{') "
+                "or base64-encoded JSON"
+            ) from exc
+        if not decoded.startswith("{"):
+            raise ValueError(
+                "service_account_json must be raw JSON (starting with '{') "
+                "or base64-encoded JSON"
+            )
+        return decoded
+
+
+class CertManagerInput(BaseModel):
+    model_config = ConfigDict(extra="forbid")
+
+    acme_email: Optional[EmailStr] = None
+    use_staging: bool = False
+    dns_provider: Literal["cloudflare", "clouddns"]
+    cloudflare: Optional[CloudflareConfig] = None
+    clouddns: Optional[CloudDnsConfig] = None
+
+    @model_validator(mode="after")
+    def _exactly_one_provider_block(self):
+        if self.dns_provider == "cloudflare":
+            if self.cloudflare is None or self.clouddns is not None:
+                raise ValueError("dns_provider=cloudflare requires `cloudflare` block and no `clouddns` block")
+        else:
+            if self.clouddns is None or self.cloudflare is not None:
+                raise ValueError("dns_provider=clouddns requires `clouddns` block and no `cloudflare` block")
+        return self

application/model/provider_build_input.py

@@ -1,10 +1,11 @@
 from pydantic import BaseModel, model_validator, field_validator
 from typing import List, Optional, Literal
-from typing import Optional
 from fastapi import UploadFile
 from base64 import b64decode
 import io
 
+from application.model.cert_manager_input import CertManagerInput
+
 
 class Node(BaseModel):
     hostname: str
@@ -93,3 +94,24 @@ class ProviderBuildInput(BaseModel):
     wallet: Wallet
     nodes: List[Node]
     provider: Provider
+    cert_manager: CertManagerInput
+
+    @model_validator(mode="before")
+    @classmethod
+    def _default_acme_email_from_provider_email(cls, data):
+        if isinstance(data, dict):
+            cm = data.get("cert_manager")
+            if isinstance(cm, dict) and not cm.get("acme_email"):
+                provider = data.get("provider") or {}
+                config = provider.get("config") or {}
+                email = config.get("email")
+                if email:
+                    cm = {**cm, "acme_email": email}
+                    data = {**data, "cert_manager": cm}
+        return data
+
+    @model_validator(mode="after")
+    def _require_acme_email(self):
+        if self.cert_manager.acme_email is None:
+            raise ValueError("cert_manager.acme_email is required (or set provider.config.email)")
+        return self