d0b3c26223
Adds three policy files under policy/ plus a pre-commit hook that
runs conftest against all staged YAML manifests (excluding chart
templates).
Policies:
  no_ingress.rego
    Deny Ingress resources — cluster uses Gateway API only.
  gateway_api.rego
    HTTPRoute/TLSRoute: require explicit group/kind on parentRefs and
    group/kind/weight on backendRefs (PR #162, #165).
    Gateway: require explicit group on certificateRefs (PR #153).
    All fields are defaulted by the controller; omitting them causes
    permanent ArgoCD OutOfSync.
  resource_normalization.rego
    CPU integer: deny unquoted integer cpu values (PR #163).
    CPU milliCPU: deny values like 1000m/2000m that normalise to "1"/"2" (PR #164).
    Memory Mi→Gi: deny 1024Mi/2048Mi etc. that normalise to 1Gi/2Gi (PR #163).
    clusterIP null: deny Service with explicit null clusterIP (PR #166).
Also fixes all existing violations found by the new policies across
puppet deployments and reposync cronjobs (resource normalization).
kanidm/tlsroute.yaml and puppet/service_puppetdb.yaml are excluded
from this commit as they are addressed in PRs #165 and #166.
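As an added illustration that is not the commit's own policy/resource_normalization.rego, the four resource normalisation checks the message describes can be written for conftest like this (Rego v1 syntax; it assumes the usual Deployment-style pod template, CronJob and Service document shapes):

```rego
package main

import rego.v1

# Added example (not the commit's own policy/ files): the four resource
# normalisation checks the commit message describes, in conftest form.

# Containers of Deployment/StatefulSet/DaemonSet templates and of CronJobs.
containers contains c if { c := input.spec.template.spec.containers[_] }
containers contains c if { c := input.spec.jobTemplate.spec.template.spec.containers[_] }

resource_kinds := {"requests", "limits"}

# 1. cpu written as a YAML number (e.g. 1) is stored by the API server as the string "1".
deny contains msg if {
    some c in containers
    some k in resource_kinds
    cpu := c.resources[k].cpu
    is_number(cpu)
    msg := sprintf("%s/%s: %s.cpu %v must be a quoted string", [input.kind, c.name, k, cpu])
}

# 2. Whole cores written in milliCPU ("1000m", "2000m") are normalised to "1", "2".
deny contains msg if {
    some c in containers
    some k in resource_kinds
    cpu := c.resources[k].cpu
    is_string(cpu)
    regex.match(`^[1-9][0-9]*000m$`, cpu)
    msg := sprintf("%s/%s: %s.cpu %q normalises to %q", [input.kind, c.name, k, cpu, trim_suffix(cpu, "000m")])
}

# 3. Memory in Mi that is a whole number of Gi (1024Mi, 2048Mi, ...) is normalised to Gi.
deny contains msg if {
    some c in containers
    some k in resource_kinds
    mem := c.resources[k].memory
    is_string(mem)
    regex.match(`^[0-9]+Mi$`, mem)
    mib := to_number(trim_suffix(mem, "Mi"))
    mib % 1024 == 0
    msg := sprintf("%s/%s: %s.memory %q normalises to %vGi", [input.kind, c.name, k, mem, mib / 1024])
}

# 4. An explicit `clusterIP: null` is dropped on admission and an address is allocated,
#    so the live object never matches the manifest.
deny contains msg if {
    input.kind == "Service"
    input.spec.clusterIP == null
    msg := sprintf("Service/%s: remove explicit `clusterIP: null`", [input.metadata.name])
}
```

Dropped into policy/ it is picked up by the `conftest test --policy policy/` hook below, which fails the commit on the first flagged manifest.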
50 lines
1.4 KiB
YAML
repos:
  # General file checks
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.5.0
    hooks:
      - id: check-executables-have-shebangs
      - id: check-json
      - id: check-added-large-files
        args: ['--maxkb=500']
      - id: check-merge-conflict
      - id: check-shebang-scripts-are-executable
      - id: check-symlinks
      - id: check-toml
      - id: check-yaml
        args: [--allow-multiple-documents]
      - id: detect-aws-credentials
        args: [--allow-missing-credentials]
      - id: detect-private-key
      - id: end-of-file-fixer
      - id: forbid-new-submodules
      - id: pretty-format-json
      - id: trailing-whitespace

  # YAML linting
  - repo: https://github.com/adrienverge/yamllint.git
    rev: v1.37.1
    hooks:
      - id: yamllint
        args:
          [
            "-d {extends: relaxed, rules: {line-length: disable}, ignore: chart}",
            "-s",
          ]

  # Kubernetes manifest validation
  - repo: local
    hooks:
      - id: no_plain_secrets
        name: prevent plain kubernetes secrets
        entry: ci/validate-no-secrets.sh
        language: system
        pass_filenames: false
      - id: conftest_policies
        name: OPA policy checks (conftest)
        entry: conftest test --policy policy/
        language: system
        types: [yaml]
        exclude: ".*/charts/.*|.*/templates/.*|\\.woodpecker/.*"
        pass_filenames: true