beanflows/todo.md
2025-10-12 21:00:41 +02:00


Based on the infrastructure we built, here are the exact tasks to set up secrets in Pulumi ESC:

  1. Install Pulumi ESC CLI

```sh
curl -fsSL https://get.pulumi.com/esc/install.sh | sh
export PATH="$HOME/.pulumi/bin:$PATH"
```

  2. Log in to Pulumi

```sh
esc login
```

This opens a browser for authentication. You'll get a PULUMI_ACCESS_TOKEN; save it for GitLab CI (step 7).

  3. Create Production Environment

```sh
esc env init <org>/prod
```

Replace `<org>` with your Pulumi organization name (the same `<org>/prod` name is used in every command below).

  4. Set All Required Secrets

Values go under the `environmentVariables.` path so that `esc env open --format shell` exports them; credentials are written with `--secret` so ESC stores them encrypted and redacts them in the console and in `esc env get` output. Public keys, paths, endpoints and bucket names are plain values.

SSH Keys

```sh
esc env set <org>/prod environmentVariables.SSH_PUBLIC_KEY "ssh-rsa AAAA..."
esc env set <org>/prod environmentVariables.SSH_PRIVATE_KEY_PATH "/path/to/private/key"
```

Hetzner

```sh
esc env set <org>/prod environmentVariables.HETZNER_API_TOKEN "your-hetzner-token" --secret
```

Cloudflare R2 (for artifact storage)

```sh
esc env set <org>/prod environmentVariables.R2_ACCESS_KEY_ID "your-r2-access-key" --secret
esc env set <org>/prod environmentVariables.R2_SECRET_ACCESS_KEY "your-r2-secret-key" --secret
esc env set <org>/prod environmentVariables.R2_ENDPOINT "account-id.r2.cloudflarestorage.com"
esc env set <org>/prod environmentVariables.R2_ARTIFACTS_BUCKET "materia-artifacts"
```

Cloudflare R2 Data Catalog (for Iceberg)

```sh
esc env set <org>/prod environmentVariables.CLOUDFLARE_API_TOKEN "your-cf-api-token" --secret
esc env set <org>/prod environmentVariables.ICEBERG_REST_URI "https://api.cloudflare.com/client/v4/accounts/YOUR_ACCOUNT_ID/r2/buckets/YOUR_WAREHOUSE_BUCKET/iceberg"
esc env set <org>/prod environmentVariables.R2_WAREHOUSE_NAME "materia"
```

  5. Verify Secrets

```sh
esc env open <org>/prod --format shell
```

This prints every variable as an `export` line, with secret values in the clear, so run it in a private terminal and not in CI logs. You should see all the keys listed above.

  6. Test Locally

```sh
eval "$(esc env open <org>/prod --format shell)"
materia secrets list
materia secrets test
```

  7. Configure GitLab CI

In your GitLab project settings → CI/CD → Variables, add:

  • Key: PULUMI_ACCESS_TOKEN
  • Value: (the token from step 2)
  • Protected: Yes
  • Masked: Yes

That's it! The CI/CD pipeline and the materia CLI authenticate to ESC with that one token and pull all other secrets from the `<org>/prod` environment at run time, so nothing else needs to be stored in GitLab.
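The manual check in step 5 ("you should see all the keys listed above") is easy to get wrong after a long list of `esc env set` commands, especially when a value was set but still holds one of the `your-...` placeholders. The following POSIX sh function is an added example, not part of the original todo or of the materia project: it reads the shell-format output of `esc env open` from a file or from stdin (`-`), reports each required variable that is missing or still a placeholder, and returns non-zero so the check can gate a CI job. The variable list is taken from the steps above; the `<org>` name and the script file name are assumptions.

```sh
#!/bin/sh
# Added example: verify that an ESC environment exports every variable the
# materia pipeline needs, without writing the secrets to disk.
# Usage after sourcing this file (org name is an assumption):
#   esc env open <org>/prod --format shell | check_required_vars -

REQUIRED_VARS="SSH_PUBLIC_KEY SSH_PRIVATE_KEY_PATH HETZNER_API_TOKEN \
R2_ACCESS_KEY_ID R2_SECRET_ACCESS_KEY R2_ENDPOINT R2_ARTIFACTS_BUCKET \
CLOUDFLARE_API_TOKEN ICEBERG_REST_URI R2_WAREHOUSE_NAME"

# check_required_vars FILE
#   FILE is a file of `export NAME=value` lines, or "-" for stdin.
#   Prints "MISSING     NAME" for a required variable with no export line and
#   "PLACEHOLDER NAME" for one whose value still looks like a template value
#   from the setup notes. Returns 0 when everything is present, 1 otherwise.
check_required_vars() {
    content=$(cat "$1")          # "-" reads stdin, so nothing is written to disk
    rc=0
    for name in $REQUIRED_VARS; do
        line=$(printf '%s\n' "$content" | grep -E "^export ${name}=" | head -n 1)
        if [ -z "$line" ]; then
            echo "MISSING     $name"
            rc=1
            continue
        fi
        # Strip "export NAME=" and one layer of surrounding quotes.
        value=${line#export ${name}=}
        value=${value#\"}; value=${value%\"}
        value=${value#\'}; value=${value%\'}
        case "$value" in
            ""|your-*|account-id*|*YOUR_ACCOUNT_ID*|*YOUR_WAREHOUSE_BUCKET*|*...*|*/path/to/*)
                echo "PLACEHOLDER $name"
                rc=1 ;;
        esac
    done
    return $rc
}
```

Piping `esc env open` straight into the function keeps the decrypted values out of temp files and shell history; in a GitLab job, run it before `materia secrets test` so a half-configured environment fails fast with the names of the offending keys rather than with an opaque API error.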

Where to Get Each Secret

  • SSH Keys: Generate with ssh-keygen -t rsa -b 4096
  • Hetzner API Token: https://console.hetzner.cloud/ → Project → Security → API Tokens
  • R2 Credentials: Cloudflare Dashboard → R2 → Manage R2 API Tokens
  • Cloudflare API Token: Cloudflare Dashboard → My Profile → API Tokens (needs R2 permissions)
  • Iceberg REST URI: Format shown above - get account ID from Cloudflare dashboard URL