feat(BOUN-1233): rework ic-boundary CLI, bump ic-gateway (#2451)

* Rework `ic-boundary` CLI: re-group & rename, move http client & server
CLI to `ic-bn-lib`
* `ic-boundary` now gets configured through env vars like `ic-gateway`
* Add & enable shedding (for now only the system one) for API BNs

misc:
* Bump the size limits of governance and ledger canisters because the
dependencies affect their sizes and throw over the limit

---------

Co-authored-by: IDX GitHub Automation <infra+github-automation@dfinity.org>

Author: blind-oracle

Cargo.Bazel.Fuzzing.json.lock

@@ -366,7 +366,7 @@ def external_crates_repository(name, cargo_lockfile, lockfile, sanitizers_enable
                 version = "^0.2.2",
             ),
             "clap": crate.spec(
-                version = "^4.5.18",
+                version = "^4.5.20",
                 features = [
                     "derive",
                     "string",
@@ -568,7 +568,7 @@ def external_crates_repository(name, cargo_lockfile, lockfile, sanitizers_enable
             ),
             "ic-bn-lib": crate.spec(
                 git = "https://github.com/dfinity/ic-bn-lib",
-                rev = "9abf1e385e4a32279de005d0019c17774e164828",
+                rev = "526d34d15cfbf369d8baf2dae9932aa18d570a1d",
             ),
             "ic-btc-interface": crate.spec(
                 version = "^0.2.2",
@@ -680,7 +680,7 @@ def external_crates_repository(name, cargo_lockfile, lockfile, sanitizers_enable
                 version = "^1.31.0",
             ),
             "instant-acme": crate.spec(
-                version = "^0.7.1",
+                version = "^0.7.2",
             ),
             "intmap": crate.spec(
                 version = "^1.1.0",

Cargo.Bazel.Fuzzing.toml.lock

@@ -25,8 +25,8 @@ WORKDIR /tmp
 
 # Download and verify ic-gateway
 RUN \
-    curl -L -O https://github.com/dfinity/ic-gateway/releases/download/v0.1.58/ic-gateway_0.1.58_amd64.deb && \
-    echo "d6939a8e4c473cf5af8f63e3ce577d7685ec2bb89428d925f8a55dc87d7a10c1  ic-gateway_0.1.58_amd64.deb" | sha256sum -c
+    curl -L -O https://github.com/dfinity/ic-gateway/releases/download/v0.1.59/ic-gateway_0.1.59_amd64.deb && \
+    echo "2d57c4a6e77f974ce4674ebc631ba5f2c7de0bb4bf05069c5bcffb21ec274ea2  ic-gateway_0.1.59_amd64.deb" | sha256sum -c
 
 #
 # Second build stage:
@@ -56,9 +56,9 @@ FROM image-${BUILD_TYPE}
 
 USER root:root
 
-COPY --from=download /tmp/ic-gateway_0.1.58_amd64.deb /tmp/ic-gateway_0.1.58_amd64.deb
-RUN dpkg -i --force-confold /tmp/ic-gateway_0.1.58_amd64.deb && \
-    rm /tmp/ic-gateway_0.1.58_amd64.deb
+COPY --from=download /tmp/ic-gateway_0.1.59_amd64.deb /tmp/ic-gateway_0.1.59_amd64.deb
+RUN dpkg -i --force-confold /tmp/ic-gateway_0.1.59_amd64.deb && \
+    rm /tmp/ic-gateway_0.1.59_amd64.deb
 
 RUN mkdir -p /boot/config \
              /boot/efi \

Cargo.Bazel.json.lock

@@ -1,34 +1,16 @@
 [Unit]
-Description=IC Boundary Reverse Proxy
+Description=IC-Boundary
 After=network-online.target
 Wants=network-online.target
 After=setup-ic-boundary.service
 BindsTo=setup-ic-boundary.service
 
 [Service]
-LogRateLimitIntervalSec=1ms
-LogRateLimitBurst=1000
 User=root
 Group=root
 Restart=always
 EnvironmentFile=/run/ic-node/etc/default/ic-boundary
-ExecStart=/bin/bash -c ' \
-    /opt/ic/bin/ic-boundary \
-        --local-store-path /var/opt/registry/store \
-        --nns-pub-key-pem /run/ic-node/etc/default/nns_public_key.pem \
-        --nns-urls "${NNS_URL}" \
-        --http-port 9000 \
-        --metrics-addr "[::]:9324" \
-        --log-stdout \
-        --log-failed-requests-only \
-        --nftables-system-replicas-path /run/ic-node/etc/nftables/system_replicas.ruleset \
-        --retry-update-call \
-        --rate-limit-per-second-per-subnet "1000" \
-        --http-client-count "2" \
-        ${CACHE_SIZE:+ --cache-size-bytes "${CACHE_SIZE}"} \
-        ${CACHE_ITEM_MAX_SIZE:+ --cache-max-item-size-bytes "${CACHE_ITEM_MAX_SIZE}"} \
-        ${CACHE_TTL:+ --cache-ttl-seconds "${CACHE_TTL}"} \
-'
+ExecStart=/opt/ic/bin/ic-boundary
 
 [Install]
 WantedBy=multi-user.target

Cargo.Bazel.toml.lock

@@ -50,10 +50,21 @@ function generate_config() {
 
     # Generate Configuration
     cat >"${ENV_FILE}" <<EOF
-NNS_URL=${NNS_URL}
-CACHE_SIZE=1073741824
-CACHE_ITEM_MAX_SIZE=10485760
-CACHE_TTL=1
+LISTEN_HTTP_PORT="9000"
+NETWORK_HTTP_CLIENT_COUNT="2"
+OBS_METRICS_ADDR="[::]:9324"
+OBS_LOG_STDOUT="true"
+OBS_LOG_FAILED_REQUESTS_ONLY="true"
+HTTP_CLIENT_TIMEOUT_CONNECT="3s"
+NFTABLES_SYSTEM_REPLICAS_PATH="/run/ic-node/etc/nftables/system_replicas.ruleset"
+RETRY_UPDATE_CALL="true"
+RATE_LIMIT_PER_SECOND_PER_SUBNET="1000"
+REGISTRY_NNS_URLS="${NNS_URL}"
+REGISTRY_NNS_PUB_KEY_PEM="/run/ic-node/etc/default/nns_public_key.pem"
+REGISTRY_LOCAL_STORE_PATH="/var/opt/registry/store"
+CACHE_SIZE="1GB"
+CACHE_MAX_ITEM_SIZE="10MB"
+CACHE_TTL="1s"
 EOF
 }
 

Cargo.lock

@@ -125,8 +125,8 @@ ENV="${ENV}"
 DOMAIN_APP="${DOMAINS_APP}"
 DOMAIN_SYSTEM="${DOMAINS_SYSTEM}"
 DOMAIN_API="${DOMAINS_API}"
-HTTP_SERVER_LISTEN_PLAIN="[::]:80"
-HTTP_SERVER_LISTEN_TLS="[::]:443"
+LISTEN_PLAIN="[::]:80"
+LISTEN_TLS="[::]:443"
 DNS_PROTOCOL="https"
 METRICS_LISTEN="[::]:9314"
 POLICY_PRE_ISOLATION_CANISTERS="${RUN_DIR}/pre_isolation_canisters.txt"