implement cli/infra update cicd
76
todo.md
Normal file
@@ -0,0 +1,76 @@
● Based on the infrastructure we built, here are the exact tasks to set up secrets in
Pulumi ESC:
1. Install Pulumi ESC CLI
curl -fsSL https://get.pulumi.com/esc/install.sh | sh
export PATH="$HOME/.pulumi/bin:$PATH"
2. Login to Pulumi
esc login
This will open a browser for authentication. You'll get a PULUMI_ACCESS_TOKEN - save
this for GitLab CI.
3. Create Production Environment
esc env init <your-org>/prod
Replace <your-org> with your Pulumi organization name.
4. Set All Required Secrets
# SSH Keys
esc env set <your-org>/prod SSH_PUBLIC_KEY "ssh-rsa AAAA..."
esc env set <your-org>/prod SSH_PRIVATE_KEY_PATH "/path/to/private/key"
# Hetzner
esc env set <your-org>/prod HETZNER_API_TOKEN "your-hetzner-token"
# Cloudflare R2 (for artifact storage)
esc env set <your-org>/prod R2_ACCESS_KEY_ID "your-r2-access-key"
esc env set <your-org>/prod R2_SECRET_ACCESS_KEY "your-r2-secret-key"
esc env set <your-org>/prod R2_ENDPOINT "account-id.r2.cloudflarestorage.com"
esc env set <your-org>/prod R2_ARTIFACTS_BUCKET "materia-artifacts"
# Cloudflare R2 Data Catalog (for Iceberg)
esc env set <your-org>/prod CLOUDFLARE_API_TOKEN "your-cf-api-token"
esc env set <your-org>/prod ICEBERG_REST_URI "https://api.cloudflare.com/client/v4/acco
unts/YOUR_ACCOUNT_ID/r2/buckets/YOUR_WAREHOUSE_BUCKET/iceberg"
esc env set <your-org>/prod R2_WAREHOUSE_NAME "materia"
5. Verify Secrets
esc env open <your-org>/prod --format shell
This shows all secrets as environment variables. You should see all the keys listed
above.
6. Test Locally
eval $(esc env open <your-org>/prod --format shell)
materia secrets list
materia secrets test
7. Configure GitLab CI
In your GitLab project settings → CI/CD → Variables, add:
- Key: PULUMI_ACCESS_TOKEN
- Value: (the token from step 2)
- Protected: Yes
- Masked: Yes
That's it! The CI/CD pipeline and materia CLI will automatically pull all other secrets
from ESC.
Where to Get Each Secret
- SSH Keys: Generate with ssh-keygen -t rsa -b 4096
- Hetzner API Token: https://console.hetzner.cloud/ → Project → Security → API Tokens
- R2 Credentials: Cloudflare Dashboard → R2 → Manage R2 API Tokens
- Cloudflare API Token: Cloudflare Dashboard → My Profile → API Tokens (needs R2
permissions)
- Iceberg REST URI: Format shown above - get account ID from Cloudflare dashboard URL
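Review bot: In step 4, SSH_PRIVATE_KEY_PATH is set to a local file path ("/path/to/private/key"), which a GitLab runner will not have, so the CI pipeline described in step 7 cannot use that value; either store the private key material itself as the secret or document that this entry is for local use only. The same step should mark the sensitive values (the SSH private key, HETZNER_API_TOKEN, R2_SECRET_ACCESS_KEY, CLOUDFLARE_API_TOKEN) with `esc env set ... --secret` so ESC stores them as secrets rather than plain configuration; as written, every value is stored unmarked. Two smaller points: the ICEBERG_REST_URI value is wrapped mid-word in the file ("/acco" / "unts/"), so copying the command yields a broken URL and it should be joined onto one line; and step 5 dumps all values in plaintext to the terminal with `esc env open --format shell`, so the verification step would be safer listing keys without revealing values (for example with `esc env get <your-org>/prod`, which redacts secret-marked values by default). Step 2 also implies reusing the interactive `esc login` credential for GitLab CI; a dedicated, separately revocable access token for the pipeline would be the better recommendation there.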