feat(deploy_tee): seismic-tee-bootstrap cohort orchestrator + CLI split #43
Merged
Split the single seismic-tee CLI in two by audience, and add a cohort orchestrator for standing up / tearing down a multi-node TEE network.

Two CLIs, because "operate my own node" and "found a whole network" are different audiences and only the first is ever external:

- seismic-tee (operator-facing): `configure` — POST node TOML to tdx-init. Cloud-agnostic; never wraps Pulumi.
- seismic-tee-bootstrap (Seismic-internal): `up`/`down` (provision a cohort), `genesis` (ceremony), `manifest`. The CLI that is allowed to wrap Pulumi.

The node descriptor ({public_ip, fqdn}) is the seam between them: bootstrap produces it (provisioning), both consume it.

Cohort orchestrator (orchestrator.py) drives the existing single-node seismic_node program via the Pulumi Automation API (local-program workspace, so every stack stays manageable with the plain `pulumi` CLI afterward):

- One independent Pulumi stack per node — recycle/replace one without the others, rather than a single coupled cohort stack.
- Inherits shared settings from a Pulumi.<env>.yaml (default Pulumi.dev.yaml), overriding only the per-node names (resource_group/vm_name/dns_record_name -> <prefix>-<i>). The prefix derives from the config's env (Pulumi.dev.yaml -> dev-bootstrap-node), so there's no second source of truth and no dev/testnet naming mismatch.
- up: sequential (gentler on Azure quota); emits {public_ip, fqdn} descriptors to a gitignored descriptors/ dir.
- down: parallel; streams [stack]-prefixed output; fully cleans up each node (destroy resources, remove the stack incl. its generated Pulumi.<stack>.yaml, delete the descriptor).
- Passphrase: prompts on a TTY like `pulumi stack init` (empty = none), requires PULUMI_CONFIG_PASSPHRASE in non-interactive contexts.

Generated artifacts (per-node Pulumi.<stack>.yaml, descriptors/) are gitignored; the committed source of truth is the Pulumi.<env>.yaml templates plus this code.
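The per-node naming, config inheritance and passphrase rules described in the PR body, as an added illustration of the `up` path (example code, not the orchestrator.py from this PR). It assumes the single-node program's Pulumi project is named `seismic_node`, that the shared `config:` map of Pulumi.<env>.yaml has already been parsed into a dict of plain string values, and that the stack exports outputs named `public_ip` and `fqdn`; the Pulumi Automation API import is deferred so the pure naming/passphrase helpers run without a Pulumi install.

```python
import json
import os
import sys
from pathlib import Path

PROJECT = "seismic_node"  # assumed Pulumi project name of the single-node program
PER_NODE_KEYS = ("resource_group", "vm_name", "dns_record_name")


def derive_prefix(env: str) -> str:
    """Pulumi.<env>.yaml -> <env>-bootstrap-node; the env name is the only source of truth."""
    return f"{env}-bootstrap-node"


def node_config(env_cfg: dict, env: str, i: int) -> dict:
    """Shared Pulumi.<env>.yaml settings plus the three per-node name overrides (<prefix>-<i>)."""
    cfg = dict(env_cfg)  # shared settings are inherited untouched
    name = f"{derive_prefix(env)}-{i}"
    for key in PER_NODE_KEYS:
        cfg[f"{PROJECT}:{key}"] = name
    return cfg


def resolve_passphrase(interactive: bool, environ: dict) -> str:
    """TTY: prompt like `pulumi stack init` (empty = none); otherwise the env var is mandatory."""
    if "PULUMI_CONFIG_PASSPHRASE" in environ:
        return environ["PULUMI_CONFIG_PASSPHRASE"]
    if not interactive:
        raise RuntimeError("PULUMI_CONFIG_PASSPHRASE is required in non-interactive contexts")
    import getpass
    return getpass.getpass("Stack passphrase (empty for none): ")


def up_cohort(env: str, env_cfg: dict, count: int, work_dir: str, out_dir: str = "descriptors") -> list:
    """Sequentially bring up <count> independent stacks; write one {public_ip, fqdn} descriptor each."""
    from pulumi import automation as auto  # deferred: only needed when actually provisioning
    os.environ["PULUMI_CONFIG_PASSPHRASE"] = resolve_passphrase(sys.stdin.isatty(), os.environ)
    Path(out_dir).mkdir(exist_ok=True)  # gitignored descriptors/ directory
    descriptors = []
    for i in range(count):  # sequential on purpose: gentler on Azure quota
        name = f"{derive_prefix(env)}-{i}"
        # local-program workspace, so `pulumi stack select <name>` works on it afterwards
        stack = auto.create_or_select_stack(stack_name=name, work_dir=work_dir)
        stack.set_all_config({k: auto.ConfigValue(value=v) for k, v in node_config(env_cfg, env, i).items()})
        outs = stack.up(on_output=lambda line, n=name: print(f"[{n}] {line}")).outputs
        desc = {"public_ip": outs["public_ip"].value, "fqdn": outs["fqdn"].value}  # assumed output names
        Path(out_dir, f"{name}.json").write_text(json.dumps(desc))
        descriptors.append(desc)
    return descriptors
```

The `down` half is the mirror image per stack (`stack.destroy()`, then `stack.workspace.remove_stack(name)` and deleting the descriptor file) and is omitted here for length.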