#!/usr/bin/env bash
# Create the "AI Prod" 1Password vault and all required items with placeholder values.
# Run this once on a fresh setup, then edit each item in 1Password with real values.
#
# Usage:
#   bin/op-setup             # Create vault and all items
#   bin/op-setup --dry-run   # Print what would be created without doing it
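# Fail fast: stop on the first failing command, unset variable or failing
# pipeline stage rather than carrying on and creating only some of the items.
set -euo pipefail

# Vault that every item below is created in.
readonly VAULT="AI Prod"
# Set to "true" by --dry-run; run() then prints commands instead of executing them.
DRY_RUN=false

# Colors (ANSI escapes, interpreted by printf '%b' / echo -e)
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly BLUE='\033[0;34m'
readonly NC='\033[0m'

# Print usage to stderr and exit with status 2 (bad arguments).
usage() {
  printf 'Usage: %s [--dry-run]\n' "${0##*/}" >&2
  exit 2
}

# Only --dry-run is accepted. An unrecognised or extra argument (e.g. a
# mistyped flag) must not fall through to a live run that creates the vault
# and items in the real account.
if (( $# > 1 )); then
  usage
fi
case "${1:-}" in
  --dry-run)
    DRY_RUN=true
    printf '%b\n' "${YELLOW}Dry run mode — no changes will be made${NC}"
    ;;
  '')
    ;;
  *)
    usage
    ;;
esac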
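# ---------------------------------------------------------------------------
# Helpers
# ---------------------------------------------------------------------------

#######################################
# Execute a command, or only print it when DRY_RUN is true.
# Globals:   DRY_RUN, BLUE, NC (read)
# Arguments: the command and its arguments
# Outputs:   in dry-run mode, the shell-quoted command line on stdout
# Returns:   the command's exit status; 0 in dry-run mode
#######################################
run() {
  if [[ "$DRY_RUN" == true ]]; then
    # %q quotes each argument so a value containing spaces (e.g. the vault
    # name) reads back as the exact argv that would have been executed.
    # Field values passed to `op item create` are echoed here as well; that
    # is fine for the placeholders this script uses but would expose real
    # secrets if they were ever passed through run().
    printf ' %b[dry-run]%b' "$BLUE" "$NC"
    printf ' %q' "$@"
    printf '\n'
    return 0
  fi
  "$@"
}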
#######################################
# Report whether an item with the given title is already in $VAULT.
# Globals:   VAULT (read)
# Arguments: $1 - item title
# Returns:   exit status of `op item get` (0 when found). All output is
#            discarded, so a missing item and an op failure (e.g. not
#            signed in) are indistinguishable to the caller.
#######################################
item_exists() {
  local wanted=$1
  op item get "$wanted" --vault "$VAULT" >/dev/null 2>&1
}
#######################################
# Create a Login item in $VAULT unless one with that title already exists.
# Globals:   VAULT, GREEN, YELLOW, NC (read)
# Arguments: $1 - item title; remaining args are `op item create` field
#            assignments such as "name[password]=value"
# Outputs:   one status line per item on stdout
# Returns:   0 when skipped, otherwise the status of run()
#######################################
create_item() {
  local title=$1
  shift
  if item_exists "$title"; then
    printf '%b\n' " ${YELLOW}↩${NC} $title — already exists, skipping"
    return 0
  fi
  printf '%b\n' " ${GREEN}+${NC} Creating: $title"
  local -a cmd=(op item create --vault "$VAULT" --category "Login" --title "$title")
  run "${cmd[@]}" "$@"
}
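# ---------------------------------------------------------------------------
# Step 1: Ensure vault exists
# ---------------------------------------------------------------------------

printf '\n'
printf '%b\n' "${BLUE}=== 1Password Vault ===${NC}"
printf '\n'

# Without this check a missing `op` binary is indistinguishable from a
# missing vault below (both are silenced by the redirect), and a dry run
# would then print every vault and item as about to be created.
if ! command -v op >/dev/null 2>&1; then
  printf '%b\n' "${RED}error:${NC} 1Password CLI 'op' not found in PATH" >&2
  exit 1
fi

# `op vault get` also fails when the CLI is not signed in; in that case the
# create below fails as well and `set -e` (top of file) stops the script.
if op vault get "$VAULT" >/dev/null 2>&1; then
  printf '%b\n' "${GREEN}✓${NC} Vault '$VAULT' already exists"
else
  printf '%b\n' "${GREEN}+${NC} Creating vault: $VAULT"
  run op vault create "$VAULT"
fi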
# ---------------------------------------------------------------------------
# Step 2: Create items
# ---------------------------------------------------------------------------

printf '\n'
printf '%b\n' "${BLUE}=== Creating Items in '$VAULT' ===${NC}"
printf '\n'

# Each item is a title plus `op item create` field assignments of the form
# name[type]=value. [password] fields are stored concealed, [text] fields are
# not. Every value below is a placeholder to be replaced in 1Password.

# --- PostgreSQL ---
# Used by: gateway (DB connection), minio-init job (postgres metadata)
postgres_fields=(
  "password[password]=REPLACE_WITH_STRONG_PASSWORD"
)
create_item "PostgreSQL" "${postgres_fields[@]}"

# --- MinIO ---
# Used by: minio StatefulSet, flink-secrets, gateway-secrets (iceberg S3), sandbox-secrets
# access_key = MinIO root user (equivalent to AWS_ACCESS_KEY_ID)
# secret_key = MinIO root password (equivalent to AWS_SECRET_ACCESS_KEY)
minio_fields=(
  "access_key[text]=minio-admin"
  "secret_key[password]=REPLACE_WITH_STRONG_SECRET_KEY"
)
create_item "MinIO" "${minio_fields[@]}"

# --- Gateway ---
# Used by: gateway-secrets (LLM keys + jwt_secret + search keys)
# jwt_secret: used to sign user sessions — generate with: openssl rand -base64 48
# deepinfra_api_key: Deep Infra Console → API Keys (https://deepinfra.com)
# anthropic_api_key: Anthropic Console → API Keys (https://console.anthropic.com) — kept for potential future use
# tavily_api_key: Tavily Console → API Keys (https://app.tavily.com)
gateway_fields=(
  "deepinfra_api_key[password]=REPLACE_ME"
  "jwt_secret[password]=REPLACE_WITH_RANDOM_64_CHAR_SECRET"
  "anthropic_api_key[password]=sk-ant-REPLACE_ME"
  "tavily_api_key[password]=tvly-REPLACE_ME"
)
create_item "Gateway" "${gateway_fields[@]}"

# --- Telegram ---
# Used by: gateway-secrets (optional Telegram bot integration)
# bot_token: BotFather → /newbot (https://t.me/BotFather)
# Leave as placeholder if Telegram integration is not needed.
telegram_fields=(
  "bot_token[password]=REPLACE_ME_OR_LEAVE_EMPTY"
)
create_item "Telegram" "${telegram_fields[@]}"

# --- Ingestor ---
# Used by: ingestor-secrets (exchange API keys for CCXT market data)
# Keys with empty/placeholder values will cause the ingestor to skip that exchange.
# Binance: https://www.binance.com/en/my/settings/api-management
# Coinbase: https://portal.cdp.coinbase.com/
# Kraken: https://www.kraken.com/u/security/api
ingestor_fields=(
  "binance_api_key[text]=REPLACE_ME"
  "binance_api_secret[password]=REPLACE_ME"
  "coinbase_api_key[text]=REPLACE_ME"
  "coinbase_api_secret[password]=REPLACE_ME"
  "kraken_api_key[text]=REPLACE_ME"
  "kraken_api_secret[password]=REPLACE_ME"
)
create_item "Ingestor" "${ingestor_fields[@]}"
# ---------------------------------------------------------------------------
# Done
# ---------------------------------------------------------------------------

printf '\n'
if $DRY_RUN; then
  printf '%b\n' "${YELLOW}Dry run complete — no items were created.${NC}"
else
  printf '%b\n' "${GREEN}✓ Setup complete.${NC}"
  printf '\n'
  # Plain text from here on: the here-doc expands ${VAULT} exactly as the
  # individual echo calls did and contains no escape sequences to interpret.
  # NOTE: the `op inject` check in step 2 writes the resolved secret values
  # to the terminal; run it only where the scrollback is trusted.
  cat <<EOF
Next steps:
 1. Open 1Password and update each item in the '${VAULT}' vault with real values:
 • PostgreSQL → set a strong random password
 • MinIO → set a strong secret_key (access_key can stay as-is)
 • Gateway → add real API keys and a random jwt_secret
 • Ingestor → add real exchange API keys
 • Telegram → add bot token (or leave placeholder if unused)

 2. Verify op:// references resolve correctly:
 op inject -i deploy/k8s/prod/secrets/gateway-secrets.tpl.yaml | head -20

 3. Continue with cluster setup:
 bin/secret-update prod
EOF
fi
printf '\n'