2026-06-30 20:47:30 +02:00
|
|
|
#!/usr/bin/env bash
|
|
|
|
|
# Reproducible foundation deploy. Master passphrase = the single external secret.
|
|
|
|
|
set -euo pipefail
|
|
|
|
|
DIR="$(cd "$(dirname "$0")" && pwd)"
|
feat(bootstrap): vault init/unseal + capture to encrypted config (T05)
foundation-vault (hashicorp/vault:1.18, digest-pinned) with integrated raft
storage in foundation-vault-data (-> /vault/file, which the entrypoint chowns to
the vault user), IPC_LOCK for mlock, internal only (8200 unpublished). Init +
unseal reuse the olsitec-core pattern but over docker-exec/SSH (ADR-007): the
foundation-vault-init command inits 1-of-1 Shamir, unseals, and emits keys + root
token on stdout — marked secret and NOT streamed (logging:Stderr) so they never
reach the terminal/logs (D2). run.sh captures them into vaultCredentials:* (the
one bootstrap secret that cannot live in Vault, CONTRACT_002 §2.4) with an
idempotent guard that avoids churning the config. vault-unseal.sh is the
passphrase-gated reboot helper (ADR-004): reads keys from config, unseals over an
SSH stdin pipe. run.sh also now pins the Pulumi backend per-process
(PULUMI_BACKEND_URL) instead of a global `pulumi login`.
Live on cx33 Helsinki: initialized + unsealed (raft 1.18.5), keys captured to
encrypted config, idempotent re-up reuses stored keys, container-restart reseal
recovered by vault-unseal.sh. Acceptance T05 met.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-30 21:32:52 +02:00
|
|
|
# Pin the backend PER-PROCESS via env — NEVER `pulumi login` (that mutates the
|
|
|
|
|
# GLOBAL backend pointer in ~/.pulumi and would misdirect other projects' run.sh).
|
|
|
|
|
export PULUMI_BACKEND_URL="file://${DIR}/state"
|
2026-07-01 00:15:01 +02:00
|
|
|
export PULUMI_CONFIG_PASSPHRASE="${PULUMI_CONFIG_PASSPHRASE:-$(pass olsitec-foundation/PULUMI_CONFIG_PASSPHRASE)}"
|
2026-06-30 20:47:30 +02:00
|
|
|
export SSH_PRIVATE_KEY_PATH="${SSH_PRIVATE_KEY_PATH:-${HOME}/.ssh/foundation-test_ed25519}"
|
feat(bootstrap): vault init/unseal + capture to encrypted config (T05)
foundation-vault (hashicorp/vault:1.18, digest-pinned) with integrated raft
storage in foundation-vault-data (-> /vault/file, which the entrypoint chowns to
the vault user), IPC_LOCK for mlock, internal only (8200 unpublished). Init +
unseal reuse the olsitec-core pattern but over docker-exec/SSH (ADR-007): the
foundation-vault-init command inits 1-of-1 Shamir, unseals, and emits keys + root
token on stdout — marked secret and NOT streamed (logging:Stderr) so they never
reach the terminal/logs (D2). run.sh captures them into vaultCredentials:* (the
one bootstrap secret that cannot live in Vault, CONTRACT_002 §2.4) with an
idempotent guard that avoids churning the config. vault-unseal.sh is the
passphrase-gated reboot helper (ADR-004): reads keys from config, unseals over an
SSH stdin pipe. run.sh also now pins the Pulumi backend per-process
(PULUMI_BACKEND_URL) instead of a global `pulumi login`.
Live on cx33 Helsinki: initialized + unsealed (raft 1.18.5), keys captured to
encrypted config, idempotent re-up reuses stored keys, container-restart reseal
recovered by vault-unseal.sh. Acceptance T05 met.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-30 21:32:52 +02:00
|
|
|
cd "$DIR"
|
|
|
|
|
pulumi stack select foundation 2>/dev/null || pulumi stack init foundation
|
|
|
|
|
pulumi "$@"
|
|
|
|
|
|
|
|
|
|
# After a successful `up`, capture Vault's unseal keys + root token (emitted by the
|
|
|
|
|
# foundation-vault-init command as secret stack outputs) back into the
|
|
|
|
|
# passphrase-encrypted config (vaultCredentials:*). This is the proven
|
|
|
|
|
# olsitec-core/run.sh pattern and the ONE bootstrap secret that cannot live in
|
|
|
|
|
# Vault (CONTRACT_002 §2.4). Idempotent: only writes when the value actually
|
|
|
|
|
# changes, so Pulumi.foundation.yaml is not churned on every deploy.
|
|
|
|
|
if [ "${1:-}" = "up" ]; then
|
|
|
|
|
uk=$(pulumi stack output vaultUnsealKeys --show-secrets 2>/dev/null || true)
|
|
|
|
|
rt=$(pulumi stack output vaultRootToken --show-secrets 2>/dev/null || true)
|
|
|
|
|
if [ -n "$uk" ] && [ -n "$rt" ]; then
|
|
|
|
|
cur=$(pulumi config get vaultCredentials:unsealKeys 2>/dev/null || true)
|
|
|
|
|
if [ "$cur" != "$uk" ]; then
|
|
|
|
|
pulumi config set vaultCredentials:unsealKeys --secret "$uk"
|
|
|
|
|
pulumi config set vaultCredentials:rootToken --secret "$rt"
|
|
|
|
|
echo "run.sh: captured Vault unseal keys + root token into encrypted config"
|
|
|
|
|
fi
|
|
|
|
|
fi
|
2026-07-01 00:50:16 +02:00
|
|
|
# Publish the fresh stack export to RustFS so CI (pulumi-preview, backup-verify)
|
|
|
|
|
# has Pulumi state — bootstrap/state/ is gitignored (T14). Best-effort: the `up`
|
|
|
|
|
# already succeeded, so a publish hiccup must not fail the deploy.
|
|
|
|
|
"$DIR/state-publish.sh" || echo "run.sh: WARN state-publish failed (CI state not refreshed)"
|
feat(bootstrap): vault init/unseal + capture to encrypted config (T05)
foundation-vault (hashicorp/vault:1.18, digest-pinned) with integrated raft
storage in foundation-vault-data (-> /vault/file, which the entrypoint chowns to
the vault user), IPC_LOCK for mlock, internal only (8200 unpublished). Init +
unseal reuse the olsitec-core pattern but over docker-exec/SSH (ADR-007): the
foundation-vault-init command inits 1-of-1 Shamir, unseals, and emits keys + root
token on stdout — marked secret and NOT streamed (logging:Stderr) so they never
reach the terminal/logs (D2). run.sh captures them into vaultCredentials:* (the
one bootstrap secret that cannot live in Vault, CONTRACT_002 §2.4) with an
idempotent guard that avoids churning the config. vault-unseal.sh is the
passphrase-gated reboot helper (ADR-004): reads keys from config, unseals over an
SSH stdin pipe. run.sh also now pins the Pulumi backend per-process
(PULUMI_BACKEND_URL) instead of a global `pulumi login`.
Live on cx33 Helsinki: initialized + unsealed (raft 1.18.5), keys captured to
encrypted config, idempotent re-up reuses stored keys, container-restart reseal
recovered by vault-unseal.sh. Acceptance T05 met.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-30 21:32:52 +02:00
|
|
|
fi
|