foundation/bootstrap/run.sh

36 lines
2 KiB
Bash
Raw Permalink Normal View History

#!/usr/bin/env bash
# Reproducible foundation deploy. Master passphrase = the single external secret.
set -euo pipefail
DIR="$(cd "$(dirname "$0")" && pwd)"
# Pin the backend PER-PROCESS via env — NEVER `pulumi login` (that mutates the
# GLOBAL backend pointer in ~/.pulumi and would misdirect other projects' run.sh).
export PULUMI_BACKEND_URL="file://${DIR}/state"
export PULUMI_CONFIG_PASSPHRASE="${PULUMI_CONFIG_PASSPHRASE:-$(pass olsitec-foundation/PULUMI_CONFIG_PASSPHRASE)}"
export SSH_PRIVATE_KEY_PATH="${SSH_PRIVATE_KEY_PATH:-${HOME}/.ssh/foundation-test_ed25519}"
cd "$DIR"
pulumi stack select foundation 2>/dev/null || pulumi stack init foundation
pulumi "$@"
# After a successful `up`, capture Vault's unseal keys + root token (emitted by the
# foundation-vault-init command as secret stack outputs) back into the
# passphrase-encrypted config (vaultCredentials:*). This is the proven
# olsitec-core/run.sh pattern and the ONE bootstrap secret that cannot live in
# Vault (CONTRACT_002 §2.4). Idempotent: only writes when the value actually
# changes, so Pulumi.foundation.yaml is not churned on every deploy.
if [ "${1:-}" = "up" ]; then
uk=$(pulumi stack output vaultUnsealKeys --show-secrets 2>/dev/null || true)
rt=$(pulumi stack output vaultRootToken --show-secrets 2>/dev/null || true)
if [ -n "$uk" ] && [ -n "$rt" ]; then
cur=$(pulumi config get vaultCredentials:unsealKeys 2>/dev/null || true)
if [ "$cur" != "$uk" ]; then
pulumi config set vaultCredentials:unsealKeys --secret "$uk"
pulumi config set vaultCredentials:rootToken --secret "$rt"
echo "run.sh: captured Vault unseal keys + root token into encrypted config"
fi
fi
feat(ci): state-dependent pulumi-preview + backup-verify pipelines (T14) Completes T14: the two CI pipelines that need Pulumi stack state, which bootstrap/state/ is gitignored from. Solves the blocker by publishing a fresh `pulumi stack export` to RustFS after every `up`, then having CI pull + import it. - state-publish.sh: ships the stack export to rfs/foundation-ci-state/ foundation-stack.json via a throwaway mc container on foundation-net (ADR-007), exactly like backup.sh. Secrets inside the export stay passphrase-encrypted; config travels in the committed (encrypted) Pulumi.foundation.yaml. run.sh invokes it best-effort after `up`. - rustfs.ts + Pulumi.foundation.yaml: declare the foundation-ci-state bucket (created belt-and-suspenders by state-publish on first run). - pulumi-preview.yml (push/PR): read-only drift/PR check. Pulls + imports state, materializes the operator key from the SSH_PRIVATE_KEY secret (the provider + index.ts read it), `pulumi preview` — never `up`. A diff is informational so the job fails only on a program/preview error. - backup-verify.yml (weekly + dispatch): reuses backup.sh/restore.sh unchanged to produce a bundle and restore-verify it from offsite (CONTRACT_004 §4.6). Imports real state so the bundle's pulumi-state.json is real, not an empty deployment. Repo-scoped Actions secrets set via the admin API: PULUMI_CONFIG_PASSPHRASE, SSH_PRIVATE_KEY, RUSTFS_ACCESS_KEY, RUSTFS_SECRET_KEY. Both pipelines validated end-to-end in a foundation-ci container on the VM (preview exit 0; backup-verify RESTORE VERIFY PASS from offsite). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-01 00:50:16 +02:00
# Publish the fresh stack export to RustFS so CI (pulumi-preview, backup-verify)
# has Pulumi state — bootstrap/state/ is gitignored (T14). Best-effort: the `up`
# already succeeded, so a publish hiccup must not fail the deploy.
"$DIR/state-publish.sh" || echo "run.sh: WARN state-publish failed (CI state not refreshed)"
fi