feat: add pre-commit configuration (#9)
- add pre-commit-config - add yamllint config - add ci/validate-* custom scripts - verify no secrets added - verify clusters with kustomize and kubeconform - verify apps with kustomize and kubeconform Reviewed-on: #9
This commit was merged in pull request #9.
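--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Check staged files for plain Kubernetes Secrets
+ERRORS=0
+
+while IFS= read -r -d '' file; do
+# Skip if file doesn't exist (e.g., deleted files)
+[[ -f "$file" ]] || continue
+
+# Check if the file contains a plain Kubernetes Secret
+if grep -q "^kind: Secret" "$file"; then
+# Allow secure secret types
+if ! grep -q -E "^kind: (SealedSecret|ExternalSecret|VaultStaticSecret|VaultDynamicSecret)" "$file"; then
+echo "BLOCKED: $file contains a plain Kubernetes Secret" >&2
+echo " Use VaultStaticSecret or VaultDynamicSecret instead" >&2
+((ERRORS++))
+fi
+fi
+done < <(git diff --cached --name-only --diff-filter=ACM -z | grep -zE '\.(yaml|yml)$')
+
+exit $ERRORS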
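Review bot: `((ERRORS++))` returns a non-zero status when ERRORS is 0, so under `set -euo pipefail` the hook aborts right after reporting the first offending file instead of listing all of them; `ERRORS=$((ERRORS + 1))` avoids that (the commit is still blocked today because the abort itself exits 1, but the report is incomplete). The allow-list on the inner `if` also opens a gap for multi-document YAML: a file holding both a `kind: Secret` and a `kind: SealedSecret` document is not reported, and `^kind: Secret` without an end anchor also matches longer kinds such as `kind: SecretProviderClass`; a single `grep -qE '^kind:[[:space:]]+Secret[[:space:]]*$' "$file"` covers both cases and the allow-list can be dropped, since the secure kinds never match that pattern. The content check greps the working-tree file rather than the staged blob, so a partially staged file is judged on content that is not what is being committed; piping `git show ":$file"` into grep inspects the staged version. Lastly, `exit $ERRORS` wraps at 256 offending files, so exiting with `$(( ERRORS > 0 ))` is safer.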