jordan/stemedb
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
9c36a8e3b3
stemedb/scripts/provision-project-keys.sh
jordan 1e5ba8b946
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
Details
feat: wire auth bootstrap, cluster gateway, k8s deploy skill, and ops docs 
- Wire auth bootstrap (root API key, startup guard, auth-first router) in main.rs
- Add cluster gateway handlers with proper error handling
- Update Dockerfile with optimized multi-stage build and .dockerignore
- Add orchard9-deploy skill for CI/CD pipeline (Gitea/Woodpecker/Kaniko/Zot)
- Add k8s deployment roadmap and provision-project-keys script
- Document production infrastructure in CLAUDE.md
- Update three-node-cluster reference architecture
- Trim hosted.rs doc comments to stay under 800-line limit
2026-03-07 00:56:31 -07:00

55 lines
2.0 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
# provision-project-keys.sh — create per-project API keys and store in GCP Secret Manager
#
# Usage: STEMEDB_ADMIN_KEY=steme_live_... ./scripts/provision-project-keys.sh projects.txt
# projects.txt: one project slug per line (e.g. "my-app", "another-project")
#
# Requires: curl, jq, gcloud (authenticated)
set -euo pipefail
STEMEDB_URL="${STEMEDB_URL:-https://stemedb.threesix.ai}"
ADMIN_KEY="${STEMEDB_ADMIN_KEY:?Set STEMEDB_ADMIN_KEY to a root/admin API key}"
PROJECTS_FILE="${1:?Usage: $0 <projects-file>}"
GCP_PROJECT="${GCP_PROJECT:-orchard9}"
echo "Provisioning keys against: $STEMEDB_URL"
echo "GCP project for secrets: $GCP_PROJECT"
echo ""
while IFS= read -r project; do
[[ -z "$project" || "$project" =~ ^# ]] && continue
echo "→ Provisioning: $project"
response=$(curl -sf -X POST "$STEMEDB_URL/v1/admin/api-keys" \
-H "X-API-Key: $ADMIN_KEY" \
-H "Content-Type: application/json" \
-d "{\"environment\":\"live\",\"label\":\"project-$project\",\"role\":\"write_agent\"}") \
|| { echo " ERROR: API call failed for $project"; continue; }
key=$(echo "$response" | jq -r '.key')
if [[ -z "$key" || "$key" == "null" ]]; then
echo " ERROR: no key returned for $project"
continue
fi
secret_name="stemedb-key-$project"
if gcloud secrets describe "$secret_name" --project="$GCP_PROJECT" &>/dev/null; then
echo -n "$key" | gcloud secrets versions add "$secret_name" \
--project="$GCP_PROJECT" --data-file=-
echo " Updated existing secret: $secret_name"
else
echo -n "$key" | gcloud secrets create "$secret_name" \
--project="$GCP_PROJECT" \
--replication-policy=automatic \
--data-file=-
echo " Created new secret: $secret_name"
fi
done < "$PROJECTS_FILE"
echo ""
echo "Done. Projects retrieve their keys with:"
echo " gcloud secrets versions access latest --secret=stemedb-key-<project> --project=$GCP_PROJECT"
Reference in New Issue View Git Blame Copy Permalink