feat: add pre-commit configuration (#9)
- add pre-commit-config - add yamllint config - add ci/validate-* custom scripts - verify no secrets added - verify clusters with kustomize and kubeconform - verify apps with kustomize and kubeconform Reviewed-on: #9
This commit was merged in pull request #9.
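--- /dev/null
+++ b/PATH-NOT-SHOWN-section-1
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+KUBE_VERSION="1.33.7"
+
+schema_args=(
+-schema-location "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/{{.NormalizedKubernetesVersion}}-standalone{{.StrictSuffix}}/{{.ResourceKind}}{{.KindSuffix}}.json"
+-schema-location "https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json"
+)
+
+while IFS= read -r -d "" k; do
+dir="$(dirname "$k")"
+echo "==> kubeconform: $dir" >&2
+
+kustomize build --enable-helm "$dir" \
+| kubeconform \
+-kubernetes-version "$KUBE_VERSION" \
+-summary \
+-output pretty \
+-verbose \
+-skip CustomResourceDefinition \
+"${schema_args[@]}"
+done < <(find apps/overlays -name kustomization.yaml -print0)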
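Review bot: Both `-schema-location` URLs in `schema_args` point at mutable branches (`master` and `main`) of third-party repositories, so the schema set — and with it the pass/fail result of this check — can change between two runs with no change in this repo, and any breaking or malicious upstream commit flows straight into CI. Pinning each URL to a commit SHA, or vendoring the schemas and pointing `-schema-location` at a local directory, keeps the validation reproducible; the same applies to the second validation script, which uses the identical array. Separately, `find apps/overlays -name kustomization.yaml` does not see `kustomization.yml` or `Kustomization`, both of which kustomize also accepts, so an overlay using one of those names is silently skipped; `find apps/overlays \( -name kustomization.yaml -o -name kustomization.yml -o -name Kustomization \) -print0` covers all three. Under `set -euo pipefail` the loop also stops at the first overlay whose `kustomize build | kubeconform` pipeline fails, which is fine for a gate but means later overlays are not reported in the same run — worth a one-line comment if that is intended.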
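--- /dev/null
+++ b/PATH-NOT-SHOWN-section-2
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+KUBE_VERSION="1.33.7"
+
+schema_args=(
+-schema-location "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/{{.NormalizedKubernetesVersion}}-standalone{{.StrictSuffix}}/{{.ResourceKind}}{{.KindSuffix}}.json"
+-schema-location "https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json"
+)
+
+while IFS= read -r -d "" k; do
+dir="$(dirname "$k")"
+echo "==> kubeconform: $dir" >&2
+
+kustomize build --enable-helm "$dir" \
+| kubeconform \
+-kubernetes-version "$KUBE_VERSION" \
+-summary \
+-output pretty \
+-verbose \
+-skip CustomResourceDefinition \
+"${schema_args[@]}"
+done < <(find clusters -name kustomization.yaml -print0)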
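Review bot: This script is byte-identical to the previous one except for the `find` root (`clusters` instead of `apps/overlays`), so every future change to the kubeconform flags, the pinned Kubernetes version or the schema URLs has to be made in two places and will drift. A single script that takes the root as an argument, `root="${1:?usage: ${0##*/} <dir>}"` and `done < <(find "$root" -name kustomization.yaml -print0)`, removes the duplication. The hard-coded `KUBE_VERSION="1.33.7"` is easier to keep aligned with the running clusters if CI can override it, `KUBE_VERSION="${KUBE_VERSION:-1.33.7}"`. A short header comment naming what the script validates and the tools it expects on PATH (`kustomize`, `kubeconform`, and presumably `helm` because of `--enable-helm`) would also help the next person who runs it locally.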
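--- /dev/null
+++ b/PATH-NOT-SHOWN-section-3
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Check staged files for plain Kubernetes Secrets
+ERRORS=0
+
+while IFS= read -r -d '' file; do
+# Skip if file doesn't exist (e.g., deleted files)
+[[ -f "$file" ]] || continue
+
+# Check if the file contains a plain Kubernetes Secret
+if grep -q "^kind: Secret" "$file"; then
+# Allow secure secret types
+if ! grep -q -E "^kind: (SealedSecret|ExternalSecret|VaultStaticSecret|VaultDynamicSecret)" "$file"; then
+echo "BLOCKED: $file contains a plain Kubernetes Secret" >&2
+echo " Use VaultStaticSecret or VaultDynamicSecret instead" >&2
+((ERRORS++))
+fi
+fi
+done < <(git diff --cached --name-only --diff-filter=ACM -z | grep -zE '\.(yaml|yml)$')
+
+exit $ERRORS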
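Review bot: `((ERRORS++))` on the line after the two `echo`s returns a non-zero status when `ERRORS` is 0 (post-increment evaluates to the old value), so under `set -e` the script exits as soon as it finds the first plain Secret; the commit is still blocked, but only the first offending file is reported and `exit $ERRORS` is never reached. The detection is also loose in both directions: `^kind: Secret` is a prefix match and flags `kind: SecretStore` or `kind: SecretProviderClass` as well, while the inner allow-list grep looks anywhere in the file, so a multi-document YAML containing one `ExternalSecret` document can carry a plain `Secret` document through unnoticed. Anchoring the kind match makes the allow-list unnecessary (none of the allowed kinds can match an anchored `Secret`), `ERRORS=$((ERRORS + 1))` is safe under `set -e`, and `exit $(( ERRORS > 0 ))` avoids the wrap-around that turns 256 blocked files into exit status 0. Note that the hook greps the working-tree file rather than the staged blob, so a partially staged file is judged by its unstaged content.

```shell
# … unchanged: shebang, set -euo pipefail, ERRORS=0, while/read header and the [[ -f "$file" ]] guard …
# Anchored match: only a bare "kind: Secret" counts, so SealedSecret/ExternalSecret/Vault*Secret/SecretStore never match.
if grep -qE '^kind:[[:space:]]*Secret[[:space:]]*$' "$file"; then
# … unchanged: the two BLOCKED echo lines …
ERRORS=$((ERRORS + 1))   # plain assignment: ((ERRORS++)) returns 1 when ERRORS is 0 and trips set -e
fi
# … unchanged: done < <(git diff --cached … | grep -zE '\.(yaml|yml)$') …

exit $(( ERRORS > 0 ))
```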