deemanone/beanflows
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
55bb84f0fa6673409801142680184211b39f196d
beanflows/todo.md
Deeman 55bb84f0fa implement cli/infra update cicd
2025-10-12 21:00:41 +02:00

77 lines
2.4 KiB
Markdown
Raw Blame History

● Based on the infrastructure we built, here are the exact tasks to set up secrets in
Pulumi ESC:
1. Install Pulumi ESC CLI
curl -fsSL https://get.pulumi.com/esc/install.sh | sh
export PATH="$HOME/.pulumi/bin:$PATH"
2. Login to Pulumi
esc login
This will open a browser for authentication. You'll get a PULUMI_ACCESS_TOKEN - save
this for GitLab CI.
3. Create Production Environment
esc env init <your-org>/prod
Replace <your-org> with your Pulumi organization name.
4. Set All Required Secrets
# SSH Keys
esc env set <your-org>/prod SSH_PUBLIC_KEY "ssh-rsa AAAA..."
esc env set <your-org>/prod SSH_PRIVATE_KEY_PATH "/path/to/private/key"
# Hetzner
esc env set <your-org>/prod HETZNER_API_TOKEN "your-hetzner-token"
# Cloudflare R2 (for artifact storage)
esc env set <your-org>/prod R2_ACCESS_KEY_ID "your-r2-access-key"
esc env set <your-org>/prod R2_SECRET_ACCESS_KEY "your-r2-secret-key"
esc env set <your-org>/prod R2_ENDPOINT "account-id.r2.cloudflarestorage.com"
esc env set <your-org>/prod R2_ARTIFACTS_BUCKET "materia-artifacts"
# Cloudflare R2 Data Catalog (for Iceberg)
esc env set <your-org>/prod CLOUDFLARE_API_TOKEN "your-cf-api-token"
esc env set <your-org>/prod ICEBERG_REST_URI "https://api.cloudflare.com/client/v4/acco
unts/YOUR_ACCOUNT_ID/r2/buckets/YOUR_WAREHOUSE_BUCKET/iceberg"
esc env set <your-org>/prod R2_WAREHOUSE_NAME "materia"
5. Verify Secrets
esc env open <your-org>/prod --format shell
This shows all secrets as environment variables. You should see all the keys listed
above.
6. Test Locally
eval $(esc env open <your-org>/prod --format shell)
materia secrets list
materia secrets test
7. Configure GitLab CI
In your GitLab project settings → CI/CD → Variables, add:
- Key: PULUMI_ACCESS_TOKEN
- Value: (the token from step 2)
- Protected: Yes
- Masked: Yes
That's it! The CI/CD pipeline and materia CLI will automatically pull all other secrets
from ESC.
Where to Get Each Secret
- SSH Keys: Generate with ssh-keygen -t rsa -b 4096
- Hetzner API Token: https://console.hetzner.cloud/ → Project → Security → API Tokens
- R2 Credentials: Cloudflare Dashboard → R2 → Manage R2 API Tokens
- Cloudflare API Token: Cloudflare Dashboard → My Profile → API Tokens (needs R2
permissions)
- Iceberg REST URI: Format shown above - get account ID from Cloudflare dashboard URL
Reference in New Issue View Git Blame Copy Permalink