From 7f49294b36e97afbe96ef56cd05ba5ba94969b51 Mon Sep 17 00:00:00 2001
From: Michal
Date: Mon, 27 Apr 2026 19:14:36 +0100
Subject: [PATCH] chore(fulldeploy): use kubernetes-deployment/scripts/pulumi.sh wrapper
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The pre-flight drift check now calls the bao-backed pulumi wrapper that landed with the litellm key persistence work, so deploys no longer need PULUMI_CONFIG_PASSPHRASE in .env or shell env. The passphrase is fetched from OpenBao at runtime by the wrapper and exec-passed to pulumi only — never touches the parent shell's state. Falls back to a clear warning if the wrapper isn't present (older clone of kubernetes-deployment) instead of pretending to skip the check silently.
---
 fulldeploy.sh | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/fulldeploy.sh b/fulldeploy.sh
index 10d1c3e..4caf072 100755
--- a/fulldeploy.sh
+++ b/fulldeploy.sh
@@ -29,25 +29,27 @@ echo " mcpctl Full Deploy"
 echo "========================================"
 # --- Pre-flight: Pulumi drift check ---
+# Uses the kubernetes-deployment/scripts/pulumi.sh wrapper which pulls
+# PULUMI_CONFIG_PASSPHRASE from OpenBao at runtime, so the passphrase
+# never needs to live in .env or shell history. Falls back to a warning
+# if the wrapper isn't present (older clone of kubernetes-deployment).
 echo ""
 echo ">>> Pre-flight: checking for Pulumi infra drift"
 echo ""
-if [ -d "$PULUMI_DIR" ]; then
- if [ -z "$PULUMI_CONFIG_PASSPHRASE" ]; then
- echo " WARNING: PULUMI_CONFIG_PASSPHRASE not set — skipping drift check."
- echo " Set it in .env or export it to enable."
- else
- preview_output=$(cd "$PULUMI_DIR" && pulumi preview --stack "$PULUMI_STACK" --non-interactive --diff 2>&1) || true
+if [ -d "$PULUMI_DIR" ] && [ -x "$PULUMI_DIR/scripts/pulumi.sh" ]; then
+ preview_output=$("$PULUMI_DIR/scripts/pulumi.sh" preview --stack "$PULUMI_STACK" --non-interactive --diff 2>&1) || true
 if echo "$preview_output" | grep -qE '^\s+[-+~]'; then
 echo "$preview_output"
 echo ""
 echo "ERROR: Pulumi detected infra changes that have not been applied."
- echo " Run: cd $PULUMI_DIR && pulumi up -s $PULUMI_STACK"
+ echo " Run: $PULUMI_DIR/scripts/pulumi.sh up -s $PULUMI_STACK"
 echo " Then re-run this script."
 exit 1
 fi
 echo " No drift — infra is in sync."
- fi # passphrase check
+elif [ -d "$PULUMI_DIR" ]; then
+ echo " WARNING: $PULUMI_DIR/scripts/pulumi.sh not found or not executable —"
+ echo " skipping drift check. Pull latest kubernetes-deployment."
 else
 echo " WARNING: Pulumi repo not found at $PULUMI_DIR — skipping drift check."
 fi
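Review bot: The `|| true` on the new `preview_output=$("$PULUMI_DIR/scripts/pulumi.sh" preview …)` line makes the pre-flight gate fail open: if the wrapper exits non-zero before pulumi produces a preview — for instance because the OpenBao lookup the commit message says it performs is unreachable or unauthenticated (the wrapper itself is not in this diff, so this is inferred) — its error text will normally not match `^\s+[-+~]`, so the script prints `No drift — infra is in sync.` and carries on deploying. The commit message says the change stops "pretending to skip the check silently", yet a wrapper failure is still reported as a clean check. The added `-x` test only proves the wrapper is present, not that it ran; capturing the exit status separately from the drift grep and aborting on non-zero closes the gap, as in the rewritten lines below. Pulumi's preview normally exits zero even when it lists pending changes, so a non-zero status here is a genuine failure rather than drift.
```shell
# … unchanged: wrapper presence check …
if ! preview_output=$("$PULUMI_DIR/scripts/pulumi.sh" preview --stack "$PULUMI_STACK" --non-interactive --diff 2>&1); then
  echo "$preview_output"
  echo ""
  echo "ERROR: Pulumi drift check could not run (wrapper exited non-zero); refusing to deploy."
  exit 1
fi
# … unchanged: grep for pending changes and drift handling …
```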