chemavx/k8s-manifests
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: remove all REDACTED secrets from repo, add pre-commit guard

Browse Source 
- Delete 26 secret manifests containing REDACTED placeholder values
  (15 cert-manager TLS + 11 app secrets across 8 namespaces)
- REDACTED is valid base64 that decodes to non-UTF-8 bytes — ArgoCD
  applying these manifests corrupts live secrets in the cluster
- Add .githooks/pre-commit that rejects any .yaml with REDACTED
- Add README.md documenting secret management policy and manual
  creation commands for each service
- n8n secret manifests already fixed in previous commits (618b1e8, db04fd2)
This commit is contained in:
chemavx
2026-04-14 20:02:51 +00:00
parent db04fd2cbc
commit f42cdee585
28 changed files with 81 additions and 481 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+64
View File
@@ -0,0 +1,64 @@
# k8s-manifests
Manifests de Kubernetes gestionados por ArgoCD para el cluster chemavx.
## Regla crítica: secrets en git
**Los secrets con datos sensibles NO se guardan en este repo.**
Los archivos de secret en este repo sólo contienen metadata (name, namespace, labels, annotations). Los campos `data` / `stringData` se gestionan manualmente fuera de git.
### Por qué
Un valor placeholder como `REDACTED` es base64 válido que decodifica a bytes no-UTF-8. Si ArgoCD aplica ese manifest, corrompe el secret en el cluster, lo que puede:
- Romper certificados TLS (ERR_CERT_AUTHORITY_INVALID)
- Impedir que pods arranquen (`grpc: error while marshaling: string field contains invalid UTF-8`)
- Cifrar credenciales con una clave incorrecta
### Secrets TLS (cert-manager)
Los secrets TLS los gestiona **cert-manager** automáticamente a partir del recurso `Certificate`. **No crear archivos secret-*-tls.yaml con datos**.
### Secrets de aplicación — crear manualmente antes del primer deploy
| Namespace | Secret | Comando |
|---|---|---|
| `n8n` | `n8n-secret` | `kubectl create secret generic n8n-secret --from-literal=encryption-key='<valor-en-vaultwarden>' -n n8n` |
| `authentik` | `authentik-secret` | Ver Vaultwarden → "authentik" |
| `cloudflare-ddns` | `cloudflare-ddns-secret` | Ver Vaultwarden → "cloudflare-ddns" |
| `vaultwarden` | `vaultwarden-secret` | Ver Vaultwarden → "vaultwarden" |
| `openclaw` | `openclaw-token` | Ver Vaultwarden → "openclaw" |
| `argocd` | `argocd-secret` | Gestionado por ArgoCD bootstrap |
| `argocd` | `argocd-redis` | Gestionado por ArgoCD bootstrap |
| `monitoring` | `kube-prometheus-stack-grafana` | Ver Vaultwarden → "grafana" |
| `monitoring` | `kube-prometheus-stack-admission` | Generado por helm (webhook TLS) |
### ArgoCD ignoreDifferences para secrets
Toda ArgoCD Application que gestione un namespace con secrets debe incluir `ignoreDifferences` para el campo `/data`:
```yaml
spec:
ignoreDifferences:
- group: ""
kind: Secret
name: <nombre-del-secret>
namespace: <namespace>
jsonPointers:
- /data
syncPolicy:
syncOptions:
- RespectIgnoreDifferences=true
```
Ver `n8n` ArgoCD Application como referencia.
## Pre-commit hook
Este repo incluye un pre-commit hook que rechaza commits con `REDACTED` en archivos `.yaml`.
Instalar con:
```bash
cp .githooks/pre-commit .git/hooks/pre-commit
chmod +x .git/hooks/pre-commit
```