feat: add pre-commit configuration (#9)

- add pre-commit-config
- add yamllint config
- add ci/validate-* custom scripts
  - verify no secrets added
  - verify clusters with kustomize and kubeconform
  - verify apps with kustomize and kubeconform

Reviewed-on: #9
This commit was merged in pull request #9.
This commit is contained in:
2026-03-02 00:09:21 +11:00
parent ebb47348fe
commit 72a892eb14
5 changed files with 150 additions and 0 deletions
@@ -0,0 +1,22 @@
#!/usr/bin/env bash
set -euo pipefail
# Check staged files for plain Kubernetes Secrets
ERRORS=0
while IFS= read -r -d '' file; do
# Skip if file doesn't exist (e.g., deleted files)
[[ -f "$file" ]] || continue
# Check if the file contains a plain Kubernetes Secret
if grep -q "^kind: Secret" "$file"; then
# Allow secure secret types
if ! grep -q -E "^kind: (SealedSecret|ExternalSecret|VaultStaticSecret|VaultDynamicSecret)" "$file"; then
echo "BLOCKED: $file contains a plain Kubernetes Secret" >&2
echo " Use VaultStaticSecret or VaultDynamicSecret instead" >&2
((ERRORS++))
fi
fi
done < <(git diff --cached --name-only --diff-filter=ACM -z | grep -zE '\.(yaml|yml)$')
exit $ERRORS
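Review bot: The detection on the `grep -q "^kind: Secret"` line is both too broad and bypassable: it also matches longer kinds such as `kind: SecretStore`, yet misses a plain Secret written as `kind: "Secret"` or `kind:  Secret` (extra whitespace), and a multi-document file that pairs a plain Secret with one of the allowed kinds passes the second grep, since that grep only checks whether an allowed kind appears somewhere in the file. Anchoring the pattern, e.g. `^kind:[[:space:]]*[\"']?Secret[\"']?[[:space:]]*$`, closes the bypass and the false positive at once and makes the allow-list grep on the next line unnecessary, because SealedSecret and the other allowed kinds can no longer match. Separately, `((ERRORS++))` returns status 1 when ERRORS is 0, so under `set -euo pipefail` the script aborts after reporting only the first offending file; `ERRORS=$((ERRORS + 1))` avoids that, and the final `exit $ERRORS` should become a zero test, since an exit code wraps modulo 256. The hook also greps the working-tree file rather than the staged blob, so a partially staged file is checked against content that is not what gets committed; reading `git show ":$file"` (paths from `git diff --name-only` are repository-relative, so this resolves from any cwd) inspects the index instead and makes the `[[ -f "$file" ]]` skip moot. The hint echoed on the `Use VaultStaticSecret or VaultDynamicSecret instead` line should also name SealedSecret and ExternalSecret, which the script accepts.
```shell
# … unchanged: shebang, set -euo pipefail, ERRORS=0 …
# Matches only a bare "kind: Secret" (optionally quoted, tolerant of surrounding
# whitespace/CR); SealedSecret, ExternalSecret, SecretStore etc. do not match.
plain_secret_re="^kind:[[:space:]]*[\"']?Secret[\"']?[[:space:]]*\$"
while IFS= read -r -d '' file; do
  # Inspect the staged blob, not the working tree, so partial staging cannot hide a Secret.
  # Process substitution instead of a pipe: grep -q exiting early must not trip pipefail.
  if grep -q -E "$plain_secret_re" < <(git show ":$file"); then
    echo "BLOCKED: $file contains a plain Kubernetes Secret" >&2
    echo "  Use SealedSecret, ExternalSecret, VaultStaticSecret or VaultDynamicSecret instead" >&2
    ERRORS=$((ERRORS + 1))   # plain assignment: ((ERRORS++)) would exit under set -e when ERRORS is 0
  fi
done < <(git diff --cached --name-only --diff-filter=ACM -z | grep -zE '\.(yaml|yml)$')
[[ "$ERRORS" -eq 0 ]] || exit 1   # never exit with the raw count: 256 findings would wrap to 0
```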