michal/mcpctl
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

chore: fulldeploy uses bao-backed pulumi wrapper for drift check #68

Merged
michal merged 1 commits from chore/fulldeploy-pulumi-wrapper into main 2026-04-27 20:21:33 +00:00
Conversation 0 Commits 1 Files Changed 1 +10 -8
michal commented 2026-04-27 18:14:45 +00:00
Owner
Copy Link

Summary

Pre-flight drift check in fulldeploy.sh now calls
$PULUMI_DIR/scripts/pulumi.sh instead of pulumi directly, so the
passphrase comes from OpenBao at runtime and never needs to live in
.env or shell env. Falls back to a clear warning if the wrapper
isn't present (older clone of kubernetes-deployment).

Companion to kubernetes-deployment@d4dae77 which anchors the wrapper
to its own project root so it works regardless of caller cwd.

Test plan

  • bash fulldeploy.sh from a shell with no PULUMI_CONFIG_PASSPHRASE
    set succeeds — drift check uses the wrapper, smoke 141/141 green.
## Summary Pre-flight drift check in `fulldeploy.sh` now calls `$PULUMI_DIR/scripts/pulumi.sh` instead of `pulumi` directly, so the passphrase comes from OpenBao at runtime and never needs to live in `.env` or shell env. Falls back to a clear warning if the wrapper isn't present (older clone of kubernetes-deployment). Companion to `kubernetes-deployment@d4dae77` which anchors the wrapper to its own project root so it works regardless of caller cwd. ## Test plan - [x] `bash fulldeploy.sh` from a shell with no `PULUMI_CONFIG_PASSPHRASE` set succeeds — drift check uses the wrapper, smoke 141/141 green.
michal added 1 commit 2026-04-27 18:14:46 +00:00
chore(fulldeploy): use kubernetes-deployment/scripts/pulumi.sh wrapper
Some checks failed
CI/CD / lint (pull_request) Successful in 2m22s
Details
CI/CD / typecheck (pull_request) Successful in 2m57s
Details
CI/CD / test (pull_request) Failing after 4m36s
Details
CI/CD / smoke (pull_request) Has been skipped
Details
CI/CD / build (pull_request) Has been skipped
Details
CI/CD / publish (pull_request) Has been skipped
Details
7f49294b36 
The pre-flight drift check now calls the bao-backed pulumi wrapper
that landed with the litellm key persistence work, so deploys no
longer need PULUMI_CONFIG_PASSPHRASE in .env or shell env. The
passphrase is fetched from OpenBao at runtime by the wrapper and
exec-passed to pulumi only — never touches the parent shell's
state.

Falls back to a clear warning if the wrapper isn't present (older
clone of kubernetes-deployment) instead of pretending to skip the
check silently.
michal merged commit c0b4dc89f3 into main 2026-04-27 20:21:33 +00:00
michal deleted branch chore/fulldeploy-pulumi-wrapper 2026-04-27 20:21:34 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
michal
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: michal/mcpctl#68
Delete Branch "chore/fulldeploy-pulumi-wrapper"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?