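#!/usr/bin/env bash
# state-publish.sh — publish the latest Pulumi stack export to RustFS so CI has
# stack state (T14). `bootstrap/state/` is gitignored, so a CI checkout has NO
# Pulumi deployment to `preview` against; this pushes a fresh `pulumi stack export`
# to a dedicated RustFS object after every `up` (invoked by run.sh; also runnable
# standalone to re-publish without a deploy).
#
# WHAT TRAVELS: only the resource DEPLOYMENT (stack export). Config + secrets stay
# in the committed Pulumi.foundation.yaml (passphrase-encrypted) that CI gets from
# the git checkout; secrets inside the export itself are likewise passphrase-
# encrypted (`secure:` ciphertext), so the object carries NO plaintext secret.
# NOTE(review): only values marked secret are ciphertext — ordinary resource
# inputs/outputs (hosts, users, resource IDs) are plaintext in the export, so
# read access to the bucket reveals the deployment's shape.
#
# WHERE: rfs/foundation-ci-state/foundation-stack.json (internal RustFS; the bucket
# is declared in components/rustfs.ts BUCKET_SETUP and created here belt-and-suspenders).
# The push runs ON the VM via a throwaway `mc` container on foundation-net (ADR-007),
# exactly like backup.sh — RustFS 9000 is NOT published off-host. RustFS root creds
# are read on the VM from the running container and never transit the wire.
#
# ENV (all optional):
#   PULUMI_CONFIG_PASSPHRASE  passphrase for the file backend; falls back to
#                             `pass olsitec-foundation/PULUMI_CONFIG_PASSPHRASE`.
#   SSH_PRIVATE_KEY_PATH      key for the VM; default ~/.ssh/foundation-test_ed25519.
#   SSH_KNOWN_HOSTS_FILE      known_hosts that pins the VM's host key; default
#                             ~/.ssh/foundation_known_hosts. First contact is
#                             trust-on-first-use (`accept-new`); a changed key then
#                             fails the run instead of streaming the export to
#                             whoever answers on vm.host:vm.sshPort. Set it to
#                             /dev/null to get the old unpinned behaviour explicitly.

set -euo pipefail

die() { printf 'state-publish: %s\n' "$*" >&2; exit 1; }

# Single-quote VALUE for the remote POSIX `sh` command line. The values come from
# committed files, but a stray quote or newline would be parsed by the remote
# shell as code, so refuse loudly rather than quote around it.
rq() {
  case "$1" in
    *\'*|*$'\n'*) die "refusing to pass value with quote/newline to the remote shell: $1" ;;
  esac
  printf "'%s'" "$1"
}

ROOT="$(cd "$(dirname "$0")/.." && pwd)"
DIR="$ROOT/bootstrap"
export PULUMI_BACKEND_URL="file://${DIR}/state"
# `pass` is only consulted when the passphrase is not already in the environment.
export PULUMI_CONFIG_PASSPHRASE="${PULUMI_CONFIG_PASSPHRASE:-$(pass olsitec-foundation/PULUMI_CONFIG_PASSPHRASE)}"
KEY="${SSH_PRIVATE_KEY_PATH:-${HOME}/.ssh/foundation-test_ed25519}"
KNOWN_HOSTS="${SSH_KNOWN_HOSTS_FILE:-${HOME}/.ssh/foundation_known_hosts}"
MC_IMAGE="$(grep '^IMAGE_MC=' "$ROOT/VERSIONS" | cut -d= -f2-)" || die "IMAGE_MC= not found in $ROOT/VERSIONS"
[[ -n "$MC_IMAGE" ]] || die "IMAGE_MC= is empty in $ROOT/VERSIONS"
[[ -r "$KEY" ]] || die "SSH key not readable: $KEY"
readonly BUCKET=foundation-ci-state
readonly OBJECT=foundation-stack.json

cd "$DIR"
pulumi stack select foundation >/dev/null

HOST=$(pulumi config get foundation:vm.host)
PORT=$(pulumi config get foundation:vm.sshPort)
SUSER=$(pulumi config get foundation:vm.user)
[[ -n "$HOST" && -n "$SUSER" && "$PORT" =~ ^[0-9]+$ ]] \
  || die "foundation:vm.host / vm.user / vm.sshPort missing or malformed in stack config"

# One array, expanded as "${SSH_CMD[@]}", so the key path, port and host survive
# spaces and are never re-split. Host key pinning: see SSH_KNOWN_HOSTS_FILE above.
SSH_CMD=(ssh -o StrictHostKeyChecking=accept-new -o "UserKnownHostsFile=$KNOWN_HOSTS"
         -o ConnectTimeout=15 -i "$KEY" -p "$PORT" "$SUSER@$HOST")

echo "state-publish: exporting stack -> rfs/$BUCKET/$OBJECT"

# Stage the export in a private scratch dir on the VM (mktemp: 0700, unguessable
# name) instead of the fixed, world-visible /tmp/ci-stack.json: nothing else on the
# host can pre-create, replace or read it, and only this dir — not all of /tmp — is
# mounted into the mc container below.
WORK=$("${SSH_CMD[@]}" 'mktemp -d /tmp/ci-stack.XXXXXX')
[[ "$WORK" == /tmp/ci-stack.* ]] || die "unexpected mktemp output from VM: $WORK"
# Fallback cleanup if anything below fails; cleared once the remote step has
# removed the dir itself (best-effort, so a dead link does not mask the real error).
trap '"${SSH_CMD[@]}" "rm -rf $(rq "$WORK")" >/dev/null 2>&1 || true' EXIT

pulumi stack export | "${SSH_CMD[@]}" "cat > $(rq "$WORK/ci-stack.json")"

# Push from the VM through a throwaway mc container (RAK/RSK read on the VM, not sent).
"${SSH_CMD[@]}" "MC_IMAGE=$(rq "$MC_IMAGE") BUCKET=$(rq "$BUCKET") OBJECT=$(rq "$OBJECT") WORK=$(rq "$WORK") sh -s" <<'REMOTE'
set -eu
trap 'rm -rf "$WORK"' EXIT
env_of() { docker inspect foundation-rustfs --format '{{range .Config.Env}}{{println .}}{{end}}' | sed -n "s/^$1=//p"; }
RAK=$(env_of RUSTFS_ACCESS_KEY)
RSK=$(env_of RUSTFS_SECRET_KEY)
[ -n "$RAK" ] && [ -n "$RSK" ] \
  || { printf 'state-publish: RUSTFS_ACCESS_KEY/RUSTFS_SECRET_KEY not in foundation-rustfs env\n' >&2; exit 1; }
# Refuse to publish an empty file — a failed export upstream must not replace the
# last good state object.
[ -s "$WORK/ci-stack.json" ] \
  || { printf 'state-publish: export is empty, not publishing\n' >&2; exit 1; }
# `-e NAME` without a value copies NAME from this shell's environment into the
# container, so the root creds never appear in the `docker run` argv (/proc, ps).
export RAK RSK BUCKET OBJECT
docker run --rm --network foundation-net --entrypoint sh -v "$WORK:/w:ro" \
  -e RAK -e RSK -e BUCKET -e OBJECT "$MC_IMAGE" -c '
set -e
mc alias set rfs http://foundation-rustfs:9000 "$RAK" "$RSK" >/dev/null
mc mb --ignore-existing "rfs/$BUCKET" >/dev/null
mc cp /w/ci-stack.json "rfs/$BUCKET/$OBJECT" >/dev/null
'
REMOTE
trap - EXIT

echo "state-publish: published rfs/$BUCKET/$OBJECT"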