michal/mcpctl
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

chore(fulldeploy): use kubernetes-deployment/scripts/pulumi.sh wrapper
Some checks failed
CI/CD / lint (pull_request) Successful in 2m22s
Details
CI/CD / typecheck (pull_request) Successful in 2m57s
Details
CI/CD / test (pull_request) Failing after 4m36s
Details
CI/CD / smoke (pull_request) Has been skipped
Details
CI/CD / build (pull_request) Has been skipped
Details
CI/CD / publish (pull_request) Has been skipped
Details

Browse Source 
The pre-flight drift check now calls the bao-backed pulumi wrapper
that landed with the litellm key persistence work, so deploys no
longer need PULUMI_CONFIG_PASSPHRASE in .env or shell env. The
passphrase is fetched from OpenBao at runtime by the wrapper and
exec-passed to pulumi only — never touches the parent shell's
state.

Falls back to a clear warning if the wrapper isn't present (older
clone of kubernetes-deployment) instead of pretending to skip the
check silently.
This commit is contained in:
Michal
2026-04-27 19:14:36 +01:00
parent f5bdeea8e7
commit 7f49294b36
1 changed files with 10 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
fulldeploy.sh
View File

@@ -29,25 +29,27 @@ echo " mcpctl Full Deploy"
echo "========================================"
# --- Pre-flight: Pulumi drift check ---
# Uses the kubernetes-deployment/scripts/pulumi.sh wrapper which pulls
# PULUMI_CONFIG_PASSPHRASE from OpenBao at runtime, so the passphrase
# never needs to live in .env or shell history. Falls back to a warning
# if the wrapper isn't present (older clone of kubernetes-deployment).
echo ""
echo ">>> Pre-flight: checking for Pulumi infra drift"
echo ""
if [ -d "$PULUMI_DIR" ]; then
if [ -z "$PULUMI_CONFIG_PASSPHRASE" ]; then
echo " WARNING: PULUMI_CONFIG_PASSPHRASE not set — skipping drift check."
echo " Set it in .env or export it to enable."
else
preview_output=$(cd "$PULUMI_DIR" && pulumi preview --stack "$PULUMI_STACK" --non-interactive --diff 2>&1) || true
if [ -d "$PULUMI_DIR" ] && [ -x "$PULUMI_DIR/scripts/pulumi.sh" ]; then
preview_output=$("$PULUMI_DIR/scripts/pulumi.sh" preview --stack "$PULUMI_STACK" --non-interactive --diff 2>&1) || true
if echo "$preview_output" | grep -qE '^\s+[-+~]'; then
echo "$preview_output"
echo ""
echo "ERROR: Pulumi detected infra changes that have not been applied."
echo " Run: cd $PULUMI_DIR && pulumi up -s $PULUMI_STACK"
echo " Run: $PULUMI_DIR/scripts/pulumi.sh up -s $PULUMI_STACK"
echo " Then re-run this script."
exit 1
fi
echo " No drift — infra is in sync."
fi # passphrase check
elif [ -d "$PULUMI_DIR" ]; then
echo " WARNING: $PULUMI_DIR/scripts/pulumi.sh not found or not executable —"
echo " skipping drift check. Pull latest kubernetes-deployment."
else
echo " WARNING: Pulumi repo not found at $PULUMI_DIR — skipping drift check."
fi