feat: add pre-commit configuration (#9)

- add pre-commit-config
- add yamllint config
- add ci/validate-* custom scripts
  - verify no secrets added
  - verify clusters with kustomize and kubeconform
  - verify apps with kustomize and kubeconform

Reviewed-on: #9
This commit was merged in pull request #9.
2026-03-02 00:09:21 +11:00
parent ebb47348fe
commit 72a892eb14
5 changed files with 150 additions and 0 deletions
+23
@@ -0,0 +1,23 @@
#!/usr/bin/env bash
set -euo pipefail
KUBE_VERSION="1.33.7"
schema_args=(
-schema-location "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/{{.NormalizedKubernetesVersion}}-standalone{{.StrictSuffix}}/{{.ResourceKind}}{{.KindSuffix}}.json"
-schema-location "https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json"
)
while IFS= read -r -d "" k; do
dir="$(dirname "$k")"
echo "==> kubeconform: $dir" >&2
kustomize build --enable-helm "$dir" \
| kubeconform \
-kubernetes-version "$KUBE_VERSION" \
-summary \
-output pretty \
-verbose \
-skip CustomResourceDefinition \
"${schema_args[@]}"
done < <(find apps/overlays -name kustomization.yaml -print0)
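Review bot: The validator can fail open: `find` runs in a process substitution, so if `apps/overlays` is missing or `find` errors, the `while` loop body never runs and the script exits 0 with nothing validated. A guard before the loop such as `[[ -d apps/overlays ]] || { printf 'missing apps/overlays\n' >&2; exit 1; }` closes that gap, and a counter incremented per overlay with a non-zero exit when it stays 0 would also catch an empty result set. Separately, `set -e` on the `kustomize | kubeconform` pipeline stops at the first failing overlay, so a developer sees one failure per commit attempt; collecting a failure count and exiting with it after the loop reports everything in one pass. The schema locations point at the `master`/`main` branches of third-party repositories, so a hook run depends on a moving remote; kubeconform's `-cache` flag or a pinned ref would make runs reproducible and tolerant of being offline. The same three points apply to the clusters script in the next file section.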
+23
@@ -0,0 +1,23 @@
#!/usr/bin/env bash
set -euo pipefail
KUBE_VERSION="1.33.7"
schema_args=(
-schema-location "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/{{.NormalizedKubernetesVersion}}-standalone{{.StrictSuffix}}/{{.ResourceKind}}{{.KindSuffix}}.json"
-schema-location "https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json"
)
while IFS= read -r -d "" k; do
dir="$(dirname "$k")"
echo "==> kubeconform: $dir" >&2
kustomize build --enable-helm "$dir" \
| kubeconform \
-kubernetes-version "$KUBE_VERSION" \
-summary \
-output pretty \
-verbose \
-skip CustomResourceDefinition \
"${schema_args[@]}"
done < <(find clusters -name kustomization.yaml -print0)
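Review bot: This script is a byte-for-byte copy of the apps validator except for the `find` root on the last line, so `KUBE_VERSION` and the two schema locations now live in two places and will drift the first time one is bumped. A single script taking the root as its first argument, e.g. `root=${1:?usage: ${0##*/} <dir>}` and `done < <(find "$root" -name kustomization.yaml -print0)`, lets the pre-commit config invoke it once per tree. Note also that `--enable-helm` presumably fetches charts over the network whenever a kustomization declares `helmCharts`, which makes commit time depend on remote availability; if that is intended, a one-line comment above `kustomize build` saying so would spare the next reader a surprise.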
+22
@@ -0,0 +1,22 @@
#!/usr/bin/env bash
set -euo pipefail
# Check staged files for plain Kubernetes Secrets
ERRORS=0
while IFS= read -r -d '' file; do
# Skip if file doesn't exist (e.g., deleted files)
[[ -f "$file" ]] || continue
# Check if the file contains a plain Kubernetes Secret
if grep -q "^kind: Secret" "$file"; then
# Allow secure secret types
if ! grep -q -E "^kind: (SealedSecret|ExternalSecret|VaultStaticSecret|VaultDynamicSecret)" "$file"; then
echo "BLOCKED: $file contains a plain Kubernetes Secret" >&2
echo " Use VaultStaticSecret or VaultDynamicSecret instead" >&2
((ERRORS++))
fi
fi
done < <(git diff --cached --name-only --diff-filter=ACM -z | grep -zE '\.(yaml|yml)$')
exit $ERRORS
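Review bot: `((ERRORS++))` on the line after the two error messages returns exit status 1 when ERRORS is 0, so under `set -euo pipefail` the first blocked file aborts the script right after printing its message; the commit is still rejected, but every other offending file goes unreported until the next attempt, and `ERRORS=$((ERRORS + 1))` avoids that. The kind check has two holes: a file that also contains an allowed kind such as `ExternalSecret` passes even when a plain `kind: Secret` document sits in the same multi-document file, because the inner `grep` clears the whole file, while a file holding only `kind: SecretStore` or `kind: SecretProviderClass` is blocked since `^kind: Secret` is not anchored at the end. Matching the exact value with `grep -qE '^kind:[[:space:]]*Secret[[:space:]]*$'` and dropping the allow-list removes both. The loop also greps the working-tree file although the file list comes from `git diff --cached`, so a partially staged file is judged on content that is not being committed; reading the index blob with `git show ":$file"` tests what is actually staged. The regex remains a line-level heuristic (a quoted `kind: "Secret"` or other spacing will not match), so this hook is best treated as a complement to a dedicated secrets scanner rather than the only gate.
```shell
# … unchanged: shebang and set -euo pipefail …
ERRORS=0
while IFS= read -r -d '' file; do
  # Inspect the staged blob, not the working-tree copy, so partially staged
  # files are judged on what is actually being committed. A here-string keeps
  # this out of a pipeline, so pipefail cannot mask a match.
  if grep -qE '^kind:[[:space:]]*Secret[[:space:]]*$' <<<"$(git show ":$file")"; then
    echo "BLOCKED: $file contains a plain Kubernetes Secret" >&2
    echo " Use VaultStaticSecret or VaultDynamicSecret instead" >&2
    ERRORS=$((ERRORS + 1))   # ((ERRORS++)) returns 1 when ERRORS is 0 and trips set -e
  fi
done < <(git diff --cached --name-only --diff-filter=ACM -z | grep -zE '\.(yaml|yml)$')
# Exit 1 on any finding; a raw count would wrap to 0 at 256 blocked files.
(( ERRORS == 0 )) || exit 1
```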