feat: genesis ceremony controller orchestration

Add group-level genesis ceremony support to SeiNodeGroup and per-node
genesis configuration to SeiNode/ValidatorSpec. The node controller
builds the full Init plan upfront (no deferred steps) and the group
controller coordinates assembly, peer collection, and static peer
injection.

New CRD types: GenesisCeremonyConfig, GenesisCeremonyNodeConfig,
GenesisS3Destination, GenesisS3Source. New group status fields:
AssemblyPlan, GenesisHash, GenesisS3URI.

Depends on seictl genesis ceremony client types (sei-protocol/seictl#40).

Author: bdchatham

api/v1alpha1/seinodegroup_types.go

@@ -26,6 +26,12 @@ type SeiNodeGroupSpec struct {
 	// +kubebuilder:default=Delete
 	DeletionPolicy DeletionPolicy `json:"deletionPolicy,omitempty"`
 
+	// Genesis configures genesis ceremony orchestration for this group.
+	// When set, the controller generates GenesisCeremonyNodeConfig for each
+	// child SeiNode and coordinates assembly of the final genesis.json.
+	// +optional
+	Genesis *GenesisCeremonyConfig `json:"genesis,omitempty"`
+
 	// Networking controls how the group is exposed to traffic.
 	// Networking resources are shared across all replicas.
 	// +optional
@@ -37,6 +43,56 @@ type SeiNodeGroupSpec struct {
 	Monitoring *MonitoringConfig `json:"monitoring,omitempty"`
 }
 
+// GenesisCeremonyConfig configures genesis ceremony orchestration for a node group.
+type GenesisCeremonyConfig struct {
+	// ChainID for the new network.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=64
+	// +kubebuilder:validation:Pattern=`^[a-z0-9][a-z0-9-]*[a-z0-9]$`
+	ChainID string `json:"chainId"`
+
+	// StakingAmount is the amount each validator self-delegates in its gentx.
+	// +optional
+	// +kubebuilder:default="10000000usei"
+	StakingAmount string `json:"stakingAmount,omitempty"`
+
+	// AccountBalance is the initial balance for each validator's genesis account.
+	// +optional
+	// +kubebuilder:default="1000000000000000000000usei,1000000000000000000000uusdc,1000000000000000000000uatom"
+	AccountBalance string `json:"accountBalance,omitempty"`
+
+	// Accounts adds non-validator genesis accounts (e.g. for load test funding).
+	// +optional
+	Accounts []GenesisAccount `json:"accounts,omitempty"`
+
+	// Overrides is a flat map of dotted key paths merged on top of sei-config's
+	// GenesisDefaults(). Applied BEFORE gentx generation.
+	// +optional
+	Overrides map[string]string `json:"overrides,omitempty"`
+
+	// GenesisS3 configures where genesis artifacts are stored.
+	// When omitted, inferred: bucket = "sei-genesis-artifacts",
+	// prefix = "<chainId>/<group-name>/", region from PlatformConfig.
+	// +optional
+	GenesisS3 *GenesisS3Destination `json:"genesisS3,omitempty"`
+
+	// MaxCeremonyDuration is the maximum time from group creation to genesis
+	// assembly completion. Default: "15m".
+	// +optional
+	MaxCeremonyDuration *metav1.Duration `json:"maxCeremonyDuration,omitempty"`
+}
+
+// GenesisAccount represents a non-validator genesis account to fund.
+type GenesisAccount struct {
+	// Address is the bech32-encoded account address.
+	// +kubebuilder:validation:MinLength=1
+	Address string `json:"address"`
+
+	// Balance is the initial balance in coin notation (e.g. "1000000usei").
+	// +kubebuilder:validation:MinLength=1
+	Balance string `json:"balance"`
+}
+
 // SeiNodeTemplate wraps a SeiNodeSpec for use in the group template.
 type SeiNodeTemplate struct {
 	// Metadata allows setting labels and annotations on child SeiNodes.
@@ -65,16 +121,17 @@ type SeiNodeTemplateMeta struct {
 // ---------------------------------------------------------------------------
 
 // SeiNodeGroupPhase represents the high-level lifecycle state.
-// +kubebuilder:validation:Enum=Pending;Initializing;Ready;Degraded;Failed;Terminating
+// +kubebuilder:validation:Enum=Pending;GenesisCeremony;Initializing;Ready;Degraded;Failed;Terminating
 type SeiNodeGroupPhase string
 
 const (
-	GroupPhasePending      SeiNodeGroupPhase = "Pending"
-	GroupPhaseInitializing SeiNodeGroupPhase = "Initializing"
-	GroupPhaseReady        SeiNodeGroupPhase = "Ready"
-	GroupPhaseDegraded     SeiNodeGroupPhase = "Degraded"
-	GroupPhaseFailed       SeiNodeGroupPhase = "Failed"
-	GroupPhaseTerminating  SeiNodeGroupPhase = "Terminating"
+	GroupPhasePending        SeiNodeGroupPhase = "Pending"
+	GroupPhaseGenesisCeremony SeiNodeGroupPhase = "GenesisCeremony"
+	GroupPhaseInitializing   SeiNodeGroupPhase = "Initializing"
+	GroupPhaseReady          SeiNodeGroupPhase = "Ready"
+	GroupPhaseDegraded       SeiNodeGroupPhase = "Degraded"
+	GroupPhaseFailed         SeiNodeGroupPhase = "Failed"
+	GroupPhaseTerminating    SeiNodeGroupPhase = "Terminating"
 )
 
 // SeiNodeGroupStatus defines the observed state of a SeiNodeGroup.
@@ -98,6 +155,18 @@ type SeiNodeGroupStatus struct {
 	// +optional
 	Nodes []GroupNodeStatus `json:"nodes,omitempty"`
 
+	// AssemblyPlan tracks the genesis assembly task on index 0's sidecar.
+	// +optional
+	AssemblyPlan *TaskPlan `json:"assemblyPlan,omitempty"`
+
+	// GenesisHash is the SHA-256 hex digest of the assembled genesis.json.
+	// +optional
+	GenesisHash string `json:"genesisHash,omitempty"`
+
+	// GenesisS3URI is the S3 URI of the uploaded genesis.
+	// +optional
+	GenesisS3URI string `json:"genesisS3URI,omitempty"`
+
 	// NetworkingStatus reports the observed state of networking resources.
 	// +optional
 	NetworkingStatus *NetworkingStatus `json:"networkingStatus,omitempty"`
@@ -131,11 +200,12 @@ type NetworkingStatus struct {
 
 // Status condition types for SeiNodeGroup.
 const (
-	ConditionNodesReady           = "NodesReady"
-	ConditionExternalServiceReady = "ExternalServiceReady"
-	ConditionRouteReady           = "RouteReady"
-	ConditionIsolationReady       = "IsolationReady"
-	ConditionServiceMonitorReady  = "ServiceMonitorReady"
+	ConditionNodesReady              = "NodesReady"
+	ConditionExternalServiceReady    = "ExternalServiceReady"
+	ConditionRouteReady              = "RouteReady"
+	ConditionIsolationReady          = "IsolationReady"
+	ConditionServiceMonitorReady     = "ServiceMonitorReady"
+	ConditionGenesisCeremonyComplete = "GenesisCeremonyComplete"
 )
 
 // +kubebuilder:object:root=true

api/v1alpha1/validator_types.go

@@ -11,4 +11,54 @@ type ValidatorSpec struct {
 	// When absent the node block-syncs from genesis.
 	// +optional
 	Snapshot *SnapshotSource `json:"snapshot,omitempty"`
+
+	// GenesisCeremony indicates this validator participates in a group genesis
+	// ceremony. Set by the SeiNodeGroup controller — not intended for direct use.
+	// +optional
+	GenesisCeremony *GenesisCeremonyNodeConfig `json:"genesisCeremony,omitempty"`
+}
+
+// GenesisCeremonyNodeConfig holds per-node genesis ceremony parameters.
+// Populated by the SeiNodeGroup controller when genesis is configured.
+type GenesisCeremonyNodeConfig struct {
+	// ChainID of the genesis network.
+	// +kubebuilder:validation:MinLength=1
+	ChainID string `json:"chainId"`
+
+	// StakingAmount is the self-delegation amount for this validator's gentx.
+	// +kubebuilder:validation:MinLength=1
+	StakingAmount string `json:"stakingAmount"`
+
+	// AccountBalance is the initial coin balance to fund this validator's
+	// genesis account. The node's own address is discovered during identity
+	// generation — no cross-node coordination needed.
+	// +kubebuilder:validation:MinLength=1
+	AccountBalance string `json:"accountBalance"`
+
+	// GenesisParams is a JSON string of genesis parameter overrides merged
+	// on top of sei-config's GenesisDefaults(). Applied before gentx generation.
+	// +optional
+	GenesisParams string `json:"genesisParams,omitempty"`
+
+	// Index is the node's ordinal within the group (0-based).
+	// +kubebuilder:validation:Minimum=0
+	Index int32 `json:"index"`
+
+	// ArtifactS3 is the S3 location where this node uploads its genesis artifacts.
+	ArtifactS3 GenesisS3Destination `json:"artifactS3"`
+}
+
+// GenesisS3Destination configures where genesis artifacts are stored in S3.
+type GenesisS3Destination struct {
+	// Bucket is the S3 bucket name.
+	// +kubebuilder:validation:MinLength=1
+	Bucket string `json:"bucket"`
+
+	// Prefix is an optional key prefix within the bucket.
+	// +optional
+	Prefix string `json:"prefix,omitempty"`
+
+	// Region is the AWS region for S3 access.
+	// +kubebuilder:validation:MinLength=1
+	Region string `json:"region"`
 }

internal/controller/node/controller.go

@@ -137,11 +137,16 @@ func (r *SeiNodeReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ct
 }
 
 // reconcilePending creates all plans up front and selects the starting phase.
+// The Init plan is always built here — for genesis ceremony nodes the S3
+// source is deterministic and discover-peers is unconditionally included.
+// Plan execution order is the single source of truth for orchestration.
 func (r *SeiNodeReconciler) reconcilePending(ctx context.Context, node *seiv1alpha1.SeiNode, planner NodePlanner) (ctrl.Result, error) {
 	patch := client.MergeFrom(node.DeepCopy())
 
 	node.Status.PreInitPlan = buildPreInitPlan(node, planner)
-	if needsPreInit(node) {
+	if isGenesisCeremonyNode(node) {
+		node.Status.InitPlan = buildGenesisInitPlan()
+	} else if needsPreInit(node) {
 		node.Status.InitPlan = buildPostBootstrapInitPlan(node)
 	} else {
 		node.Status.InitPlan = planner.BuildPlan(node)

internal/controller/node/job.go

@@ -23,7 +23,14 @@ func preInitJobName(node *seiv1alpha1.SeiNode) string {
 
 func generatePreInitJob(node *seiv1alpha1.SeiNode, platform PlatformConfig) *batchv1.Job {
 	labels := preInitLabelsForNode(node)
-	snap := snapshotSourceFor(node)
+
+	var podSpec corev1.PodSpec
+	if isGenesisCeremonyNode(node) {
+		podSpec = buildGenesisPreInitPodSpec(node, platform)
+	} else {
+		snap := snapshotSourceFor(node)
+		podSpec = buildPreInitPodSpec(node, snap, platform)
+	}
 
 	return &batchv1.Job{
 		ObjectMeta: metav1.ObjectMeta{
@@ -41,7 +48,7 @@ func generatePreInitJob(node *seiv1alpha1.SeiNode, platform PlatformConfig) *bat
 						"karpenter.sh/do-not-disrupt": "true",
 					},
 				},
-				Spec: buildPreInitPodSpec(node, snap, platform),
+				Spec: podSpec,
 			},
 		},
 	}
@@ -72,8 +79,15 @@ func generatePreInitService(node *seiv1alpha1.SeiNode) *corev1.Service {
 
 // preInitSidecarURL returns the in-cluster DNS URL for the pre-init Job's sidecar.
 func preInitSidecarURL(node *seiv1alpha1.SeiNode) string {
+	return PreInitSidecarURL(node.Name, node.Namespace, sidecarPort(node))
+}
+
+// PreInitSidecarURL builds the in-cluster DNS URL for a pre-init Job's sidecar
+// given the node name, namespace, and port. Exported for use by the group controller.
+func PreInitSidecarURL(nodeName, namespace string, port int32) string {
+	jobName := fmt.Sprintf("%s-pre-init", nodeName)
 	return fmt.Sprintf("http://%s.%s.%s.svc.cluster.local:%d",
-		preInitPodHostname, preInitJobName(node), node.Namespace, sidecarPort(node))
+		preInitPodHostname, jobName, namespace, port)
 }
 
 // preInitWaitCommand returns a shell command that waits for the sidecar
@@ -99,6 +113,78 @@ func preInitWaitCommand(port int32, haltHeight int64) (command []string, args []
 	return []string{"/bin/bash", "-c"}, []string{script}
 }
 
+// buildGenesisPreInitPodSpec constructs a PodSpec for the genesis ceremony PreInit Job.
+// Unlike the snapshot PreInit, the main container runs "sleep infinity" as a keepalive
+// (the sidecar does the real work), and an init container copies the seid binary from
+// the node image to the PVC so sidecar tasks can invoke it.
+func buildGenesisPreInitPodSpec(node *seiv1alpha1.SeiNode, platform PlatformConfig) corev1.PodSpec {
+	serviceName := preInitJobName(node)
+
+	dataVolume := corev1.Volume{
+		Name: "data",
+		VolumeSource: corev1.VolumeSource{
+			PersistentVolumeClaim: &corev1.PersistentVolumeClaimVolumeSource{
+				ClaimName: nodeDataPVCClaimName(node),
+			},
+		},
+	}
+
+	port := sidecarPort(node)
+	sidecarContainer := corev1.Container{
+		Name:          "sei-sidecar",
+		Image:         sidecarImage(node),
+		Command:       []string{"seictl", "serve"},
+		RestartPolicy: ptr.To(corev1.ContainerRestartPolicyAlways),
+		Env: []corev1.EnvVar{
+			{Name: "SEI_CHAIN_ID", Value: node.Spec.ChainID},
+			{Name: "SEI_SIDECAR_PORT", Value: fmt.Sprintf("%d", port)},
+			{Name: "SEI_HOME", Value: dataDir},
+		},
+		Ports: []corev1.ContainerPort{
+			{Name: "sidecar", ContainerPort: port, Protocol: corev1.ProtocolTCP},
+		},
+		VolumeMounts: []corev1.VolumeMount{
+			{Name: "data", MountPath: dataDir},
+		},
+	}
+	if node.Spec.Sidecar != nil && node.Spec.Sidecar.Resources != nil {
+		sidecarContainer.Resources = *node.Spec.Sidecar.Resources
+	}
+
+	copySeid := corev1.Container{
+		Name:    "copy-seid",
+		Image:   node.Spec.Image,
+		Command: []string{"sh", "-c", fmt.Sprintf("mkdir -p %s/bin && cp $(which seid) %s/bin/seid", dataDir, dataDir)},
+		VolumeMounts: []corev1.VolumeMount{
+			{Name: "data", MountPath: dataDir},
+		},
+	}
+
+	keepalive := corev1.Container{
+		Name:    "keepalive",
+		Image:   node.Spec.Image,
+		Command: []string{"sleep", "infinity"},
+		VolumeMounts: []corev1.VolumeMount{
+			{Name: "data", MountPath: dataDir},
+		},
+	}
+
+	return corev1.PodSpec{
+		Hostname:                      preInitPodHostname,
+		Subdomain:                     serviceName,
+		ServiceAccountName:            platform.ServiceAccount,
+		ShareProcessNamespace:         ptr.To(true),
+		RestartPolicy:                 corev1.RestartPolicyNever,
+		TerminationGracePeriodSeconds: ptr.To(int64(5)),
+		Tolerations: []corev1.Toleration{
+			{Key: platform.TolerationKey, Value: platform.TolerationVal, Effect: corev1.TaintEffectNoSchedule},
+		},
+		Volumes:        []corev1.Volume{dataVolume},
+		InitContainers: []corev1.Container{copySeid, sidecarContainer},
+		Containers:     []corev1.Container{keepalive},
+	}
+}
+
 func buildPreInitPodSpec(node *seiv1alpha1.SeiNode, snap *seiv1alpha1.SnapshotSource, platform PlatformConfig) corev1.PodSpec {
 	serviceName := preInitJobName(node)
 

internal/controller/node/planner.go

@@ -80,11 +80,19 @@ func peersFor(node *seiv1alpha1.SeiNode) []seiv1alpha1.PeerSource {
 
 // needsPreInit returns true when the node requires a PreInitPlan Job.
 func needsPreInit(node *seiv1alpha1.SeiNode) bool {
+	if isGenesisCeremonyNode(node) {
+		return true
+	}
 	snap := snapshotSourceFor(node)
 	return snap != nil && snap.BootstrapImage != "" &&
 		snap.S3 != nil && snap.S3.TargetHeight > 0
 }
 
+// isGenesisCeremonyNode returns true when the node participates in a group genesis ceremony.
+func isGenesisCeremonyNode(node *seiv1alpha1.SeiNode) bool {
+	return node.Spec.Validator != nil && node.Spec.Validator.GenesisCeremony != nil
+}
+
 // snapshotGeneration extracts the SnapshotGenerationConfig from the populated
 // mode sub-spec. Returns nil when the mode doesn't support it.
 func snapshotGeneration(node *seiv1alpha1.SeiNode) *seiv1alpha1.SnapshotGenerationConfig {
@@ -197,6 +205,12 @@ func buildSharedTask(
 		return sidecar.MarkReadyTask{}, nil
 	case taskAwaitCondition:
 		return awaitConditionTask(node)
+	case taskGenerateIdentity:
+		return generateIdentityTaskBuilder(node), nil
+	case taskGenerateGentx:
+		return generateGentxTaskBuilder(node), nil
+	case taskUploadGenesisArtifacts:
+		return uploadGenesisArtifactsTaskBuilder(node), nil
 	default:
 		return nil, fmt.Errorf("buildSharedTask: unhandled task type %q", taskType)
 	}