security: remove all REDACTED secrets from repo, add pre-commit guard

- Delete 26 secret manifests containing REDACTED placeholder values (15 cert-manager TLS + 11 app secrets across 8 namespaces) - REDACTED is valid base64 that decodes to non-UTF-8 bytes — ArgoCD applying these manifests corrupts live secrets in the cluster - Add .githooks/pre-commit that rejects any .yaml with REDACTED - Add README.md documenting secret management policy and manual creation commands for each service - n8n secret manifests already fixed in previous commits (618b1e8, db04fd2)
2026-04-14 20:02:51 +00:00
parent db04fd2cbc
commit f42cdee585
28 changed files with 81 additions and 481 deletions
@@ -0,0 +1,17 @@
+#!/bin/bash
+# Reject commits that contain REDACTED in YAML files.
+# "REDACTED" is valid base64 — if ArgoCD applies it, it corrupts secrets.
+
+REDACTED_FILES=$(git diff --cached --name-only --diff-filter=ACM | grep '\.ya\?ml$' | xargs grep -l 'REDACTED' 2>/dev/null)
+
+if [ -n "$REDACTED_FILES" ]; then
+  echo ""
+  echo "ERROR: los siguientes archivos contienen 'REDACTED':"
+  echo "$REDACTED_FILES" | sed 's/^/  /'
+  echo ""
+  echo "Los secrets con datos sensibles NO deben ir en este repo."
+  echo "Elimina el campo 'data:' del manifest o borra el archivo."
+  echo "Ver README.md para instrucciones de gestión de secrets."
+  echo ""
+  exit 1
+fi