
feat(deploy_tee): seismic-tee-bootstrap cohort orchestrator + CLI split#43

Merged: samlaf merged 1 commit into main from feat/tee-bootstrap-cli on Jun 29, 2026

Conversation

@samlaf samlaf (Contributor) commented Jun 29, 2026

Split the single seismic-tee CLI in two by audience, and add a cohort orchestrator for standing up / tearing down a multi-node TEE network.

Two CLIs, because "operate my own node" and "found a whole network" are different audiences and only the first is ever external:

- seismic-tee (operator-facing): `configure` — POST node TOML to tdx-init. Cloud-agnostic; never wraps Pulumi.
- seismic-tee-bootstrap (Seismic-internal): `up`/`down` (provision a cohort), `genesis` (ceremony), `manifest`. The CLI that is allowed to wrap Pulumi.

The node descriptor ({public_ip, fqdn}) is the seam between them: bootstrap produces it (provisioning), both consume it.

Cohort orchestrator (orchestrator.py) drives the existing single-node seismic_node program via the Pulumi Automation API (local-program workspace, so every stack stays manageable with the plain `pulumi` CLI afterward):

- One independent Pulumi stack per node — recycle/replace one without the others, rather than a single coupled cohort stack.
- Inherits shared settings from a Pulumi.<env>.yaml (default Pulumi.dev.yaml), overriding only the per-node names (resource_group/vm_name/dns_record_name -> <prefix>-<i>). The prefix derives from the config's env (Pulumi.dev.yaml -> dev-bootstrap-node), so there's no second source of truth and no dev/testnet naming mismatch.
- up: sequential (gentler on Azure quota); emits {public_ip, fqdn} descriptors to a gitignored descriptors/ dir.
- down: parallel; streams [stack]-prefixed output; fully cleans up each node (destroy resources, remove the stack incl. its generated Pulumi.<stack>.yaml, delete the descriptor).
- Passphrase: prompts on a TTY like `pulumi stack init` (empty = none), requires PULUMI_CONFIG_PASSPHRASE in non-interactive contexts.

Generated artifacts (per-node Pulumi.<stack>.yaml, descriptors/) are gitignored; the committed source of truth is the Pulumi.<env>.yaml templates plus this code.
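The two pieces of the orchestrator's policy that are easy to get subtly wrong are the per-node config derivation (one env template, names rewritten to `<prefix>-<i>`, nothing else touched) and the passphrase rule (prompt only on a TTY, otherwise insist on PULUMI_CONFIG_PASSPHRASE rather than silently falling back to an empty one). The following is an added illustration written for this page, not the PR's orchestrator.py: it mirrors the behaviour the description states, with Pulumi itself left out so it runs offline. The `seismic_node` config namespace, the concrete config keys in the sample template, the prompt wording and the node count are assumptions for the example.

```python
"""Added example: per-node stack config derivation and passphrase resolution
following the policy described in the PR text. Not the project's code."""
import getpass
import os
import re
import sys
from typing import Callable, Dict, Optional

# Constructed sample of the `config:` map of a Pulumi.<env>.yaml, as yaml.safe_load
# would return it. Embedded inline so the example runs without a file on disk;
# the keys are assumed, not taken from the real template.
SAMPLE_ENV_CONFIG: Dict[str, Dict[str, str]] = {
    "config": {
        "azure-native:location": "eastus",
        "seismic_node:resource_group": "dev-rg",
        "seismic_node:vm_name": "dev-vm",
        "seismic_node:dns_record_name": "dev",
        "seismic_node:vm_size": "Standard_DC2es_v5",
    }
}

# Only these keys are rewritten per node; every other setting is inherited as-is.
PER_NODE_KEYS = ("resource_group", "vm_name", "dns_record_name")

_ENV_FILE_RE = re.compile(r"^Pulumi\.(?P<env>[A-Za-z0-9_-]+)\.ya?ml$")


def env_from_config_path(path: str) -> str:
    """Pulumi.dev.yaml -> 'dev'. The file name is the only source of the env name,
    so the stack prefix cannot drift from the template that was actually loaded."""
    match = _ENV_FILE_RE.match(os.path.basename(path))
    if not match:
        raise ValueError(f"not a Pulumi.<env>.yaml file: {path}")
    return match.group("env")


def stack_prefix(env: str) -> str:
    """'dev' -> 'dev-bootstrap-node', as in the PR description."""
    return f"{env}-bootstrap-node"


def node_config(env_config: Dict[str, Dict[str, str]], env: str, i: int,
                project: str = "seismic_node") -> Dict[str, str]:
    """Copy the shared settings and override only the per-node names with <prefix>-<i>.
    The template dict is copied, never mutated, so later nodes see the original values."""
    cfg = dict(env_config.get("config", {}))
    name = f"{stack_prefix(env)}-{i}"
    for key in PER_NODE_KEYS:
        cfg[f"{project}:{key}"] = name
    return cfg


def cohort_configs(env_config: Dict[str, Dict[str, str]], env: str, n: int) -> Dict[str, Dict[str, str]]:
    """Stack name -> config for a cohort of n nodes (one independent stack per node)."""
    return {f"{stack_prefix(env)}-{i}": node_config(env_config, env, i) for i in range(n)}


def resolve_passphrase(environ: Dict[str, str], interactive: bool,
                       prompt: Callable[[str], str] = getpass.getpass) -> Optional[str]:
    """Passphrase policy from the PR text: an explicitly set PULUMI_CONFIG_PASSPHRASE
    always wins; on a TTY, prompt (empty answer = no passphrase, like `pulumi stack init`);
    in a non-interactive context, refuse rather than proceed with an unprotected config."""
    if "PULUMI_CONFIG_PASSPHRASE" in environ:
        return environ["PULUMI_CONFIG_PASSPHRASE"]
    if interactive:
        value = prompt("Enter your passphrase to protect config/secrets (empty = none): ")
        return value or None
    raise RuntimeError("PULUMI_CONFIG_PASSPHRASE must be set when not running on a TTY")


if __name__ == "__main__":
    env = env_from_config_path("Pulumi.dev.yaml")  # assumed template name
    for stack, cfg in cohort_configs(SAMPLE_ENV_CONFIG, env, 3).items():
        print(stack, cfg["seismic_node:vm_name"], cfg["azure-native:location"])
    try:
        resolve_passphrase(dict(os.environ), sys.stdin.isatty())
        print("passphrase resolved")
    except RuntimeError as err:
        print(f"refusing to continue: {err}")
```

Run on a terminal it prompts; piped into a script without the variable it exits via the RuntimeError branch, which is the failure mode the description wants in CI rather than a stack silently created with no passphrase.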

@samlaf samlaf merged commit b2fc2ac into main Jun 29, 2026
1 check passed
@samlaf samlaf deleted the feat/tee-bootstrap-cli branch June 29, 2026 16:13