- Bun workspaces (packages/* + bootstrap); Pulumi nodejs runtime under
packagemanager: bun (no npm fallback needed).
- bootstrap/config.ts: typed FoundationConfig per CONTRACT_001; loadConfig()
fails closed, aggregating all missing+malformed keys in one error. Reads flat
dotted keys; image digests excluded (they live in VERSIONS, D5).
- bootstrap/Pulumi.foundation.yaml: non-secret placeholders only (RFC-5737 vm.host,
.invalid offsite); no encryptionsalt/secrets committed (D2). pulumi preview = 0
resources under the passphrase provider via gitignored file:// state backend.
- Stage-1 vendoring: packages/pulumi-{docker,vault} as @olsitec/* (source-only,
logic unchanged). vault's 5 type-only imports from modules/olsitec re-homed
verbatim into pulumi-vault/olsitec-types.ts to keep the egg self-contained.
Realizes PLAN-002 §10 T02; ADR-005 / 000_TOPOLOGY.md §5 Stage-1.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
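The commit message says `loadConfig()` fails closed and aggregates all missing and malformed keys into one error. The block below is an added illustration of that pattern, not the project's `bootstrap/config.ts`; the three dotted keys (`vm.host`, `vm.sshPort`, `offsite.endpoint`) and their parsers are assumptions, and CONTRACT_001 defines the real FoundationConfig.

```typescript
// Added example (not bootstrap/config.ts); the three keys are hypothetical, CONTRACT_001 is authoritative.
export type FoundationConfig = {
  "vm.host": string;
  "vm.sshPort": number;
  "offsite.endpoint": string;
};

// One parser per flat dotted key; each throws with a reason on malformed input.
type Parsers = { [K in keyof FoundationConfig]: (raw: string) => FoundationConfig[K] };
const parsers: Parsers = {
  "vm.host": (raw) => {
    if (!/^[A-Za-z0-9.-]+$/.test(raw)) throw new Error("not a hostname or IPv4 literal");
    return raw;
  },
  "vm.sshPort": (raw) => {
    const n = Number(raw);
    if (!Number.isInteger(n) || n < 1 || n > 65535) throw new Error("not a TCP port");
    return n;
  },
  "offsite.endpoint": (raw) => {
    if (!raw.startsWith("https://")) throw new Error("must be an https:// URL");
    return raw;
  },
};
// Carries every problem found, so one run reports the whole list instead of the first hit.
export class ConfigError extends Error {
  readonly problems: string[];
  constructor(problems: string[]) {
    super(`invalid configuration, ${problems.length} problem(s):\n  ${problems.join("\n  ")}`);
    this.problems = problems;
  }
}

// Fail closed: check every key, collect every problem, and return a config only when none remain.
export function loadConfig(raw: Record<string, string | undefined>): FoundationConfig {
  const problems: string[] = [];
  const out: Record<string, unknown> = {};
  for (const key of Object.keys(parsers) as (keyof FoundationConfig)[]) {
    const value = raw[key];
    if (value === undefined || value === "") { problems.push(`${key}: missing`); continue; }
    try {
      out[key] = parsers[key](value);
    } catch (e) {
      problems.push(`${key}: malformed (${(e as Error).message})`);
    }
  }
  if (problems.length > 0) throw new ConfigError(problems);
  return out as unknown as FoundationConfig;
}
```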
52 lines
2.9 KiB
Markdown
# VENDORED — `@olsitec/pulumi-vault`

**Source (absolute path):** `/Users/andiolsi/work/olsicloud4/pulumi/modules/vault/`

**Copy date:** 2026-06-30

**Stage:** Stage-1 vendoring per [`documentation/000_TOPOLOGY.md` §5](../../documentation/000_TOPOLOGY.md).

## What this is

A verbatim copy of the olsicloud4 `modules/vault` Pulumi module — the Vault init/unseal
capture (`VaultInitialization`) and the secret-engine/AppRole bootstrap
(`VaultBootstrap`, `VaultExternalSecretsClusterAppRole`, `VaultProject`) plus the admin
policy (`policy.ts`). Core of the foundation secret layer (ADR-004, PLAN-002 §4). At
day-zero `bootstrap/` consumes it locally through the Bun workspace, not from a registry.

## What was copied

`index.ts`, `policy.ts`, `package.json`, `tsconfig.json`, `.editorconfig`, `.gitignore`.

**Not copied:** `node_modules/`, `package-lock.json` (lockfiles), `.git/`.

## Changes made vs. the source

- `package.json` `name`: `vault` → `@olsitec/pulumi-vault`; added `version` (`0.0.0`,
  pre-publish placeholder) and `main`/`types` (`index.ts`) for Bun-workspace resolution.
- **Type-only re-home (no logic change):** the upstream `index.ts` imports five
  *purely type-level* declarations from its sibling module `../../modules/olsitec`
  (`OlsitecProjectFeatureFlags`, `OlsitecCredentialTypes`, `GitProjectCredentials`,
  `OciRegistryCredentials`, `MinioBackupProjectCredentials`). That sibling transitively
  pulls in `modules/minio`, `modules/gitlab`, and `modules/kubernetes`, none of which
  belong in the foundation egg and none of which are vendored. To keep this package
  self-contained, those five type declarations were copied **verbatim** into a new local
  file `olsitec-types.ts`, and the one import line in `index.ts` was re-pointed from
  `../../modules/olsitec` to `./olsitec-types`. This is the **only** edit to `index.ts`;
  no runtime/behavioural logic changed.
- `tsconfig.json` `files`: added `policy.ts` and `olsitec-types.ts` so the package
  type-checks standalone (`tsc --noEmit`).

> **Note (out of scope for T02):** `VaultProject` and `VaultBootstrap` still reference
> minio/garage/cockroach/mongo credential shapes inherited from the Layer-1 olsitec module.
> The foundation egg only needs `VaultInitialization` (init/unseal capture) + `VaultBootstrap`.
> Trimming the unused Layer-1 surface is a deliberate later refactor (000_TOPOLOGY.md §5.1
> "refactor for Layer 0"), NOT part of Stage-1 vendoring — Stage 1 preserves the source as-is.

## Lifecycle (000_TOPOLOGY.md §5)

- **Stage 1 — VENDOR (this commit):** copied here; consumed locally via Bun workspace.
- **Stage 2 — PUBLISH (later task):** CI publishes `@olsitec/pulumi-vault@<semver>` to the
  foundation Forgejo npm registry once it exists.
- **Stage 3 — CONSUME (steady state):** downstream switches imports to the published package;
  the old module is frozen then removed.

Do not refactor the vendored logic here beyond the type-only re-home documented above.