- add pre-commit-config - add yamllint config - add ci/validate-* custom scripts - verify no secrets added - verify clusters with kustomize and kubeconform - verify apps with kustomize and kubeconform Reviewed-on: #9
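#!/usr/bin/env bash
#
# Pre-commit guard: refuse to commit plain Kubernetes Secret manifests.
#
# Every staged *.yaml / *.yml file is scanned and the commit is blocked when
# one of them holds a top-level `kind: Secret` document. Secret-like CRDs that
# do not embed the secret material (SealedSecret, ExternalSecret,
# VaultStaticSecret, VaultDynamicSecret, SecretStore, ...) have a different
# `kind:` value and are therefore not matched.
#
# Usage: run from a pre-commit hook in the repository; takes no arguments.
# Exit:  0 when no plain Secret is staged, 1 otherwise (details on stderr).

set -euo pipefail

# Matches a top-level `kind: Secret` line exactly. Optional quoting, trailing
# whitespace/CR and a trailing `# comment` are tolerated, but prefixes such as
# `kind: SecretStore` or `kind: SecretProviderClass` are not. Only a column-0
# `kind:` is considered: every document of a multi-document file is covered
# (a `kind: SealedSecret` doc cannot mask a later plain `kind: Secret` doc),
# while nested references like Flux `valuesFrom: - kind: Secret` are ignored.
readonly PLAIN_SECRET_RE="^kind:[[:space:]]*[\"']?Secret[\"']?[[:space:]]*(#.*)?\$"

#######################################
# Report whether the manifest text on stdin contains a plain Kubernetes Secret.
# Globals:   PLAIN_SECRET_RE (read)
# Arguments: none (manifest on stdin)
# Returns:   0 if a top-level `kind: Secret` line is present, 1 otherwise
#######################################
has_plain_secret() {
  grep -q -E -- "$PLAIN_SECRET_RE"
}

#######################################
# Scan every staged YAML file and report the ones that must not be committed.
# Globals:   PLAIN_SECRET_RE (read, via has_plain_secret)
# Outputs:   "BLOCKED: ..." lines on stderr for each offending file
# Returns:   0 when nothing is blocked, 1 when at least one file is blocked
#######################################
main() {
  local file content errors=0

  # Added/copied/modified/renamed staged files ending in .yaml/.yml,
  # NUL-delimited so unusual filenames cannot break the loop.
  while IFS= read -r -d '' file; do
    # Inspect the staged blob (what will actually be committed), not the
    # working-tree copy, which can differ after `git add -p`. `:0:` pins
    # index stage 0 so a path cannot be mis-parsed as a stage spec. Under
    # `set -e` a failed read aborts the hook instead of silently passing.
    content=$(git show ":0:$file")

    if has_plain_secret <<<"$content"; then
      echo "BLOCKED: $file contains a plain Kubernetes Secret" >&2
      echo " Use VaultStaticSecret or VaultDynamicSecret instead" >&2
      # Plain arithmetic assignment: `((errors++))` returns status 1 on the
      # first increment and would end the script under `set -e`, so only
      # the first offender would ever be reported.
      errors=$((errors + 1))
    fi
  done < <(git diff --cached --name-only --diff-filter=ACMR -z | grep -zE '\.(yaml|yml)$')

  # Always fail with 1: `exit $count` wraps to 0 after 256 findings.
  if (( errors > 0 )); then
    return 1
  fi
  return 0
}

main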