prod deployment

2026-04-01 18:34:08 -04:00
parent ca44e68f64
commit eab581f8cb
62 changed files with 1922 additions and 286 deletions
--- a/bin/op-setup
+++ b/bin/op-setup
@@ -0,0 +1,153 @@
+#!/usr/bin/env bash
+# Create the "AI Prod" 1Password vault and all required items with placeholder values.
+# Run this once on a fresh setup, then edit each item in 1Password with real values.
+#
+# Usage:
+#   bin/op-setup              # Create vault and all items
+#   bin/op-setup --dry-run    # Print what would be created without doing it
+
+set -e
+
+VAULT="AI Prod"
+DRY_RUN=false
+
+# Colors
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m'
+
+if [[ "${1:-}" == "--dry-run" ]]; then
+    DRY_RUN=true
+    echo -e "${YELLOW}Dry run mode — no changes will be made${NC}"
+fi
+
+# ---------------------------------------------------------------------------
+# Helpers
+# ---------------------------------------------------------------------------
+
+run() {
+    if $DRY_RUN; then
+        echo -e "  ${BLUE}[dry-run]${NC} $*"
+    else
+        "$@"
+    fi
+}
+
+item_exists() {
+    local title="$1"
+    op item get "$title" --vault "$VAULT" &>/dev/null
+}
+
+create_item() {
+    local title="$1"
+    shift
+    if item_exists "$title"; then
+        echo -e "  ${YELLOW}↩${NC}  $title — already exists, skipping"
+    else
+        echo -e "  ${GREEN}+${NC}  Creating: $title"
+        run op item create \
+            --vault "$VAULT" \
+            --category "Login" \
+            --title "$title" \
+            "$@"
+    fi
+}
+
+# ---------------------------------------------------------------------------
+# Step 1: Ensure vault exists
+# ---------------------------------------------------------------------------
+
+echo ""
+echo -e "${BLUE}=== 1Password Vault ===${NC}"
+echo ""
+
+if op vault get "$VAULT" &>/dev/null; then
+    echo -e "${GREEN}✓${NC} Vault '$VAULT' already exists"
+else
+    echo -e "${GREEN}+${NC} Creating vault: $VAULT"
+    run op vault create "$VAULT"
+fi
+
+# ---------------------------------------------------------------------------
+# Step 2: Create items
+# ---------------------------------------------------------------------------
+
+echo ""
+echo -e "${BLUE}=== Creating Items in '$VAULT' ===${NC}"
+echo ""
+
+# --- PostgreSQL ---
+# Used by: gateway (DB connection), minio-init job (postgres metadata)
+create_item "PostgreSQL" \
+    "password[password]=REPLACE_WITH_STRONG_PASSWORD"
+
+# --- MinIO ---
+# Used by: minio StatefulSet, flink-secrets, gateway-secrets (iceberg S3), sandbox-secrets
+# access_key = MinIO root user (equivalent to AWS_ACCESS_KEY_ID)
+# secret_key = MinIO root password (equivalent to AWS_SECRET_ACCESS_KEY)
+create_item "MinIO" \
+    "access_key[text]=minio-admin" \
+    "secret_key[password]=REPLACE_WITH_STRONG_SECRET_KEY"
+
+# --- Gateway ---
+# Used by: ai-secrets (anthropic_api_key), gateway-secrets (all LLM keys + jwt_secret)
+# jwt_secret: used to sign user sessions — generate with: openssl rand -base64 48
+# anthropic_api_key: Anthropic Console → API Keys (https://console.anthropic.com)
+# openai_api_key: OpenAI Platform → API Keys (https://platform.openai.com)
+# google_api_key: Google AI Studio (https://aistudio.google.com)
+# openrouter_api_key: OpenRouter (https://openrouter.ai)
+create_item "Gateway" \
+    "anthropic_api_key[password]=sk-ant-REPLACE_ME" \
+    "jwt_secret[password]=REPLACE_WITH_RANDOM_64_CHAR_SECRET" \
+    "openai_api_key[password]=sk-REPLACE_ME" \
+    "google_api_key[password]=REPLACE_ME" \
+    "openrouter_api_key[password]=sk-or-REPLACE_ME"
+
+# --- Telegram ---
+# Used by: gateway-secrets (optional Telegram bot integration)
+# bot_token: BotFather → /newbot (https://t.me/BotFather)
+# Leave as placeholder if Telegram integration is not needed.
+create_item "Telegram" \
+    "bot_token[password]=REPLACE_ME_OR_LEAVE_EMPTY"
+
+# --- Ingestor ---
+# Used by: ingestor-secrets (exchange API keys for CCXT market data)
+# Keys with empty/placeholder values will cause the ingestor to skip that exchange.
+# Binance: https://www.binance.com/en/my/settings/api-management
+# Coinbase: https://portal.cdp.coinbase.com/
+# Kraken: https://www.kraken.com/u/security/api
+create_item "Ingestor" \
+    "binance_api_key[text]=REPLACE_ME" \
+    "binance_api_secret[password]=REPLACE_ME" \
+    "coinbase_api_key[text]=REPLACE_ME" \
+    "coinbase_api_secret[password]=REPLACE_ME" \
+    "kraken_api_key[text]=REPLACE_ME" \
+    "kraken_api_secret[password]=REPLACE_ME"
+
+# ---------------------------------------------------------------------------
+# Done
+# ---------------------------------------------------------------------------
+
+echo ""
+if $DRY_RUN; then
+    echo -e "${YELLOW}Dry run complete — no items were created.${NC}"
+else
+    echo -e "${GREEN}✓ Setup complete.${NC}"
+    echo ""
+    echo -e "Next steps:"
+    echo -e "  1. Open 1Password and update each item in the '${VAULT}' vault with real values:"
+    echo -e "     • PostgreSQL  → set a strong random password"
+    echo -e "     • MinIO       → set a strong secret_key (access_key can stay as-is)"
+    echo -e "     • Gateway     → add real API keys and a random jwt_secret"
+    echo -e "     • Ingestor    → add real exchange API keys"
+    echo -e "     • Telegram    → add bot token (or leave placeholder if unused)"
+    echo ""
+    echo -e "  2. Verify op:// references resolve correctly:"
+    echo -e "     op inject -i deploy/k8s/prod/secrets/gateway-secrets.tpl.yaml | head -20"
+    echo ""
+    echo -e "  3. Continue with cluster setup:"
+    echo -e "     bin/secret-update prod"
+fi
+echo ""