foundation/bootstrap/components
Andreas Niemann 82c34c9a42 fix(network): ignore ipamConfigs drift so up --refresh can't recreate the net
Close the known gap. Docker auto-assigns the subnet's first host (.1) as the
bridge gateway — a field we never declared — so `pulumi up --refresh` surfaced
it as a spurious foundation-net ipamConfigs drift. `gateway` is a ForceNew
input, so reconciling it (whether by declaring it OR by applying the refreshed
diff) REPLACES the network and disconnects every container. (Verified: adding
the gateway turned a clean plan into a network + 6-container + commands
replacement.)

The IPAM is immutable by design (subnet fixed by CONTRACT_003), so ignore
drift on it: ignoreChanges:["ipamConfigs"]. Plain `up` stays clean (44
unchanged) and `up --refresh` no longer wants to recreate the network/containers.

Residual, NON-destructive: `preview --refresh` still shows pessimistic
"~triggers" replaces on the vault-init + credential-writer commands, because a
refreshed container.id resolves to [unknown] in the preview (a Pulumi
preview artifact). At real apply the id is known + unchanged; worst case the
commands re-run idempotently. Documented for CI (T14).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-30 23:36:50 +02:00
credentials.ts fix(forgejo): generate + set SECRET_KEY (was empty under INSTALL_LOCK) 2026-06-30 23:30:35 +02:00
dns.ts feat(bootstrap): real olsitec.net config + DNS records (steps 1+2) 2026-06-30 20:47:30 +02:00
forgejo.ts fix(forgejo): generate + set SECRET_KEY (was empty under INSTALL_LOCK) 2026-06-30 23:30:35 +02:00
network.ts fix(network): ignore ipamConfigs drift so up --refresh can't recreate the net 2026-06-30 23:36:50 +02:00
postgres.ts feat(bootstrap): postgres data-plane + remote helper (T03) 2026-06-30 21:10:34 +02:00
proxy.ts feat(bootstrap): caddy public ingress + DNS-01 TLS (T07) 2026-06-30 21:54:12 +02:00
runner.ts feat(bootstrap): forgejo actions runner (T10) 2026-06-30 22:38:37 +02:00
rustfs.ts feat(bootstrap): rustfs S3 data-plane + buckets/service account (T04) 2026-06-30 21:19:53 +02:00
vault.ts feat(bootstrap): vault init/unseal + capture to encrypted config (T05) 2026-06-30 21:32:52 +02:00