chore(fulldeploy): use kubernetes-deployment/scripts/pulumi.sh wrapper
Some checks failed
CI/CD / lint (pull_request) Successful in 2m22s
CI/CD / typecheck (pull_request) Successful in 2m57s
CI/CD / test (pull_request) Failing after 4m36s
CI/CD / smoke (pull_request) Has been skipped
CI/CD / build (pull_request) Has been skipped
CI/CD / publish (pull_request) Has been skipped
Some checks failed
CI/CD / lint (pull_request) Successful in 2m22s
CI/CD / typecheck (pull_request) Successful in 2m57s
CI/CD / test (pull_request) Failing after 4m36s
CI/CD / smoke (pull_request) Has been skipped
CI/CD / build (pull_request) Has been skipped
CI/CD / publish (pull_request) Has been skipped
The pre-flight drift check now calls the bao-backed pulumi wrapper that landed with the litellm key persistence work, so deploys no longer need PULUMI_CONFIG_PASSPHRASE in .env or shell env. The passphrase is fetched from OpenBao at runtime by the wrapper and exec-passed to pulumi only — never touches the parent shell's state. Falls back to a clear warning if the wrapper isn't present (older clone of kubernetes-deployment) instead of pretending to skip the check silently.
This commit is contained in:
Michal
@@ -29,25 +29,27 @@ echo " mcpctl Full Deploy"
|
|||||||
echo "========================================"
|
echo "========================================"
|
||||||
|
|
||||||
# --- Pre-flight: Pulumi drift check ---
|
# --- Pre-flight: Pulumi drift check ---
|
||||||
|
# Uses the kubernetes-deployment/scripts/pulumi.sh wrapper which pulls
|
||||||
|
# PULUMI_CONFIG_PASSPHRASE from OpenBao at runtime, so the passphrase
|
||||||
|
# never needs to live in .env or shell history. Falls back to a warning
|
||||||
|
# if the wrapper isn't present (older clone of kubernetes-deployment).
|
||||||
echo ""
|
echo ""
|
||||||
echo ">>> Pre-flight: checking for Pulumi infra drift"
|
echo ">>> Pre-flight: checking for Pulumi infra drift"
|
||||||
echo ""
|
echo ""
|
||||||
if [ -d "$PULUMI_DIR" ]; then
|
if [ -d "$PULUMI_DIR" ] && [ -x "$PULUMI_DIR/scripts/pulumi.sh" ]; then
|
||||||
if [ -z "$PULUMI_CONFIG_PASSPHRASE" ]; then
|
preview_output=$("$PULUMI_DIR/scripts/pulumi.sh" preview --stack "$PULUMI_STACK" --non-interactive --diff 2>&1) || true
|
||||||
echo " WARNING: PULUMI_CONFIG_PASSPHRASE not set — skipping drift check."
|
|
||||||
echo " Set it in .env or export it to enable."
|
|
||||||
else
|
|
||||||
preview_output=$(cd "$PULUMI_DIR" && pulumi preview --stack "$PULUMI_STACK" --non-interactive --diff 2>&1) || true
|
|
||||||
if echo "$preview_output" | grep -qE '^\s+[-+~]'; then
|
if echo "$preview_output" | grep -qE '^\s+[-+~]'; then
|
||||||
echo "$preview_output"
|
echo "$preview_output"
|
||||||
echo ""
|
echo ""
|
||||||
echo "ERROR: Pulumi detected infra changes that have not been applied."
|
echo "ERROR: Pulumi detected infra changes that have not been applied."
|
||||||
echo " Run: cd $PULUMI_DIR && pulumi up -s $PULUMI_STACK"
|
echo " Run: $PULUMI_DIR/scripts/pulumi.sh up -s $PULUMI_STACK"
|
||||||
echo " Then re-run this script."
|
echo " Then re-run this script."
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
echo " No drift — infra is in sync."
|
echo " No drift — infra is in sync."
|
||||||
fi # passphrase check
|
elif [ -d "$PULUMI_DIR" ]; then
|
||||||
|
echo " WARNING: $PULUMI_DIR/scripts/pulumi.sh not found or not executable —"
|
||||||
|
echo " skipping drift check. Pull latest kubernetes-deployment."
|
||||||
else
|
else
|
||||||
echo " WARNING: Pulumi repo not found at $PULUMI_DIR — skipping drift check."
|
echo " WARNING: Pulumi repo not found at $PULUMI_DIR — skipping drift check."
|
||||||
fi
|
fi
|
||||||
|
|||||||
Reference in New Issue
Block a user