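#!/usr/bin/env bash
# state-publish.sh — publish the latest Pulumi stack export to RustFS so CI has
# stack state (T14). `bootstrap/state/` is gitignored, so a CI checkout has NO
# Pulumi deployment to `preview` against; this pushes a fresh `pulumi stack export`
# to a dedicated RustFS object after every `up` (invoked by run.sh; also runnable
# standalone to re-publish without a deploy).
#
# WHAT TRAVELS: only the resource DEPLOYMENT (stack export). Config + secrets stay
# in the committed Pulumi.foundation.yaml (passphrase-encrypted) that CI gets from
# the git checkout; secrets inside the export itself are likewise passphrase-
# encrypted (`secure:` ciphertext), so the object carries NO plaintext secret.
#
# WHERE: rfs/foundation-ci-state/foundation-stack.json (internal RustFS; the bucket
# is declared in components/rustfs.ts BUCKET_SETUP and created here belt-and-suspenders).
# The push runs ON the VM via a throwaway `mc` container on foundation-net (ADR-007),
# exactly like backup.sh — RustFS 9000 is NOT published off-host. RustFS root creds
# are read on the VM from the running container and never transit the wire.
#
# Inputs (env, all optional):
#   PULUMI_CONFIG_PASSPHRASE  stack passphrase; falls back to the local `pass` store.
#   SSH_PRIVATE_KEY_PATH      SSH key for the VM; defaults to ~/.ssh/foundation-test_ed25519.
# Exit status: non-zero on any failed step (set -e / pipefail). The staged copy of
# the export on the VM is removed on both the success and the failure path.
set -euo pipefail

ROOT="$(cd "$(dirname "$0")/.." && pwd)"
DIR="$ROOT/bootstrap"
export PULUMI_BACKEND_URL="file://${DIR}/state"
# Prefer a passphrase the caller already holds; otherwise read it from `pass`.
export PULUMI_CONFIG_PASSPHRASE="${PULUMI_CONFIG_PASSPHRASE:-$(pass olsitec-foundation/PULUMI_CONFIG_PASSPHRASE)}"
KEY="${SSH_PRIVATE_KEY_PATH:-${HOME}/.ssh/foundation-test_ed25519}"
MC_IMAGE="$(grep '^IMAGE_MC=' "$ROOT/VERSIONS" | cut -d= -f2-)"
# An `IMAGE_MC=` line with an empty value would otherwise reach `docker run` as "".
: "${MC_IMAGE:?IMAGE_MC not set in $ROOT/VERSIONS}"
readonly BUCKET=foundation-ci-state
readonly OBJECT=foundation-stack.json
# Staging path on the VM: written 0600 below and removed by the remote EXIT trap.
readonly STAGE=/tmp/ci-stack.json

cd "$DIR"
pulumi stack select foundation >/dev/null
HOST=$(pulumi config get foundation:vm.host)
PORT=$(pulumi config get foundation:vm.sshPort)
SUSER=$(pulumi config get foundation:vm.user)
# `pulumi config get` fails for a missing key, but a key set to "" succeeds with
# empty output; an empty host/port/user would produce a nonsensical ssh target.
: "${HOST:?foundation:vm.host is empty}"
: "${PORT:?foundation:vm.sshPort is empty}"
: "${SUSER:?foundation:vm.user is empty}"

# ssh invocation kept as an array so KEY/PORT/HOST each stay a single argument.
# Host-key checking is disabled here, mirroring backup.sh: the export is delivered
# to whatever answers at HOST:PORT. Pinning the VM's key in a known_hosts file
# (UserKnownHostsFile=<pinned file> with StrictHostKeyChecking=yes) would close that.
SSHX=(ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
  -o ConnectTimeout=15 -i "$KEY" -p "$PORT" "$SUSER@$HOST")

echo "state-publish: exporting stack -> rfs/$BUCKET/$OBJECT"
# Stage the export on the VM with owner-only permissions. A stale copy from an
# earlier run is removed first so its old mode cannot survive the truncate.
pulumi stack export \
  | "${SSHX[@]}" "umask 077 && rm -f '$STAGE' && cat > '$STAGE'"

# Push from the VM through a throwaway mc container (RAK/RSK read on the VM, not sent).
# MC_IMAGE/BUCKET/OBJECT/STAGE all originate in this repo (VERSIONS + the constants
# above), so wrapping them in single quotes for the remote shell is safe. Only the
# staged file is bind-mounted, read-only — not the whole host /tmp.
"${SSHX[@]}" "MC_IMAGE='$MC_IMAGE' BUCKET='$BUCKET' OBJECT='$OBJECT' STAGE='$STAGE' sh -s" <<'REMOTE'
set -eu
# Drop the staged export on every exit path, not only after a successful push.
trap 'rm -f "$STAGE"' EXIT
RAK=$(docker inspect foundation-rustfs --format '{{range .Config.Env}}{{println .}}{{end}}' | sed -n 's/^RUSTFS_ACCESS_KEY=//p')
RSK=$(docker inspect foundation-rustfs --format '{{range .Config.Env}}{{println .}}{{end}}' | sed -n 's/^RUSTFS_SECRET_KEY=//p')
# Fail loudly instead of letting `mc alias set` run with empty credentials.
if [ -z "$RAK" ] || [ -z "$RSK" ]; then
  echo "state-publish: RUSTFS_ACCESS_KEY/RUSTFS_SECRET_KEY not found on foundation-rustfs" >&2
  exit 1
fi
# NOTE(review): the staged file is 0600 and owned by the SSH user; this assumes the
# mc container can read the bind mount (it did with the previous world-readable
# /tmp mount) — confirm if MC_IMAGE is switched to an image running as a non-root user.
docker run --rm --network foundation-net --entrypoint sh \
  -v "$STAGE:/w/ci-stack.json:ro" \
  -e RAK="$RAK" -e RSK="$RSK" -e BUCKET="$BUCKET" -e OBJECT="$OBJECT" "$MC_IMAGE" -c '
set -e
mc alias set rfs http://foundation-rustfs:9000 "$RAK" "$RSK" >/dev/null
mc mb --ignore-existing "rfs/$BUCKET" >/dev/null
mc cp /w/ci-stack.json "rfs/$BUCKET/$OBJECT" >/dev/null
'
REMOTE
echo "state-publish: published rfs/$BUCKET/$OBJECT"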