security: remove all REDACTED secrets from repo, add pre-commit guard
- Delete 26 secret manifests containing REDACTED placeholder values (15 cert-manager TLS + 11 app secrets across 8 namespaces) - REDACTED is valid base64 that decodes to non-UTF-8 bytes — ArgoCD applying these manifests corrupts live secrets in the cluster - Add .githooks/pre-commit that rejects any .yaml with REDACTED - Add README.md documenting secret management policy and manual creation commands for each service - n8n secret manifests already fixed in previous commits (618b1e8,db04fd2)
This commit is contained in:
@@ -1,21 +0,0 @@
|
||||
apiVersion: v1
|
||||
data:
|
||||
tls.crt: REDACTED
|
||||
tls.key: REDACTED
|
||||
kind: Secret
|
||||
metadata:
|
||||
annotations:
|
||||
cert-manager.io/alt-names: auth.chemavx.xyz
|
||||
cert-manager.io/certificate-name: auth-tls
|
||||
cert-manager.io/common-name: auth.chemavx.xyz
|
||||
cert-manager.io/ip-sans: ''
|
||||
cert-manager.io/issuer-group: cert-manager.io
|
||||
cert-manager.io/issuer-kind: ClusterIssuer
|
||||
cert-manager.io/issuer-name: letsencrypt-prod
|
||||
cert-manager.io/uri-sans: ''
|
||||
labels:
|
||||
controller.cert-manager.io/fao: 'true'
|
||||
name: auth-tls
|
||||
namespace: authentik
|
||||
type: kubernetes.io/tls
|
||||
|
||||
@@ -1,15 +0,0 @@
|
||||
apiVersion: v1
|
||||
data:
|
||||
AUTHENTIK_POSTGRESQL__PASSWORD: REDACTED
|
||||
AUTHENTIK_SECRET_KEY: REDACTED
|
||||
POSTGRES_PASSWORD: REDACTED
|
||||
kind: Secret
|
||||
metadata:
|
||||
annotations:
|
||||
kubectl.kubernetes.io/last-applied-configuration: '{"apiVersion":"v1","kind":"Secret","metadata":{"annotations":{},"name":"authentik-secrets","namespace":"authentik"},"stringData":{"AUTHENTIK_POSTGRESQL__PASSWORD":"authentik","AUTHENTIK_SECRET_KEY":"PLACEHOLDER_WILL_UPDATE","POSTGRES_PASSWORD":"authentik"},"type":"Opaque"}
|
||||
|
||||
'
|
||||
name: authentik-secrets
|
||||
namespace: authentik
|
||||
type: Opaque
|
||||
|
||||
@@ -1,21 +0,0 @@
|
||||
apiVersion: v1
|
||||
data:
|
||||
tls.crt: REDACTED
|
||||
tls.key: REDACTED
|
||||
kind: Secret
|
||||
metadata:
|
||||
annotations:
|
||||
cert-manager.io/alt-names: authentik.chemavx.xyz
|
||||
cert-manager.io/certificate-name: authentik-tls
|
||||
cert-manager.io/common-name: authentik.chemavx.xyz
|
||||
cert-manager.io/ip-sans: ''
|
||||
cert-manager.io/issuer-group: cert-manager.io
|
||||
cert-manager.io/issuer-kind: ClusterIssuer
|
||||
cert-manager.io/issuer-name: letsencrypt-prod
|
||||
cert-manager.io/uri-sans: ''
|
||||
labels:
|
||||
controller.cert-manager.io/fao: 'true'
|
||||
name: authentik-tls
|
||||
namespace: authentik
|
||||
type: kubernetes.io/tls
|
||||
|
||||
Reference in New Issue
Block a user