security: remove all REDACTED secrets from repo, add pre-commit guard

- Delete 26 secret manifests containing REDACTED placeholder values (15 cert-manager TLS + 11 app secrets across 8 namespaces) - REDACTED is valid base64 that decodes to non-UTF-8 bytes — ArgoCD applying these manifests corrupts live secrets in the cluster - Add .githooks/pre-commit that rejects any .yaml with REDACTED - Add README.md documenting secret management policy and manual creation commands for each service - n8n secret manifests already fixed in previous commits (618b1e8, db04fd2)
2026-04-14 20:02:51 +00:00
parent db04fd2cbc
commit f42cdee585
28 changed files with 81 additions and 481 deletions
@@ -1,21 +0,0 @@
-apiVersion: v1
-data:
-  tls.crt: REDACTED
-  tls.key: REDACTED
-kind: Secret
-metadata:
-  annotations:
-    cert-manager.io/alt-names: grafana.chemavx.xyz
-    cert-manager.io/certificate-name: grafana-tls
-    cert-manager.io/common-name: grafana.chemavx.xyz
-    cert-manager.io/ip-sans: ''
-    cert-manager.io/issuer-group: cert-manager.io
-    cert-manager.io/issuer-kind: ClusterIssuer
-    cert-manager.io/issuer-name: letsencrypt-prod
-    cert-manager.io/uri-sans: ''
-  labels:
-    controller.cert-manager.io/fao: 'true'
-  name: grafana-tls
-  namespace: monitoring
-type: kubernetes.io/tls
-
@@ -1,11 +0,0 @@
-apiVersion: v1
-data:
-  ca: REDACTED
-  cert: REDACTED
-  key: REDACTED
-kind: Secret
-metadata:
-  name: kube-prometheus-stack-admission
-  namespace: monitoring
-type: Opaque
-
@@ -1,21 +0,0 @@
-apiVersion: v1
-data:
-  admin-password: REDACTED
-  admin-user: REDACTED
-  ldap-toml: REDACTED
-kind: Secret
-metadata:
-  annotations:
-    meta.helm.sh/release-name: kube-prometheus-stack
-    meta.helm.sh/release-namespace: monitoring
-  labels:
-    app.kubernetes.io/component: admin-secret
-    app.kubernetes.io/instance: kube-prometheus-stack
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/version: 12.4.2
-    helm.sh/chart: grafana-11.5.0
-  name: kube-prometheus-stack-grafana
-  namespace: monitoring
-type: Opaque
-
@@ -1,19 +0,0 @@
-apiVersion: v1
-data:
-  prometheus.http-client-file.yaml: REDACTED
-kind: Secret
-metadata:
-  labels:
-    app.kubernetes.io/managed-by: prometheus-operator
-    managed-by: prometheus-operator
-  name: prometheus-kube-prometheus-stack-prometheus-thanos-prometheus-http-client-file
-  namespace: monitoring
-  ownerReferences:
-  - apiVersion: monitoring.coreos.com/v1
-    blockOwnerDeletion: true
-    controller: true
-    kind: Prometheus
-    name: kube-prometheus-stack-prometheus
-    uid: f0355616-4bfa-4409-8b5f-c1c815ee7a2a
-type: Opaque
-
@@ -1,19 +0,0 @@
-apiVersion: v1
-data:
-  0_monitoring_kube-prometheus-stack-admission_ca: REDACTED
-kind: Secret
-metadata:
-  labels:
-    app.kubernetes.io/managed-by: prometheus-operator
-    managed-by: prometheus-operator
-  name: prometheus-kube-prometheus-stack-prometheus-tls-assets-0
-  namespace: monitoring
-  ownerReferences:
-  - apiVersion: monitoring.coreos.com/v1
-    blockOwnerDeletion: true
-    controller: true
-    kind: Prometheus
-    name: kube-prometheus-stack-prometheus
-    uid: f0355616-4bfa-4409-8b5f-c1c815ee7a2a
-type: Opaque
-
@@ -1,19 +0,0 @@
-apiVersion: v1
-data:
-  web-config.yaml: REDACTED
-kind: Secret
-metadata:
-  labels:
-    app.kubernetes.io/managed-by: prometheus-operator
-    managed-by: prometheus-operator
-  name: prometheus-kube-prometheus-stack-prometheus-web-config
-  namespace: monitoring
-  ownerReferences:
-  - apiVersion: monitoring.coreos.com/v1
-    blockOwnerDeletion: true
-    controller: true
-    kind: Prometheus
-    name: kube-prometheus-stack-prometheus
-    uid: f0355616-4bfa-4409-8b5f-c1c815ee7a2a
-type: Opaque
-
@@ -1,19 +0,0 @@
-apiVersion: v1
-data:
-  prometheus.yaml.gz: REDACTED
-kind: Secret
-metadata:
-  labels:
-    app.kubernetes.io/managed-by: prometheus-operator
-    managed-by: prometheus-operator
-  name: prometheus-kube-prometheus-stack-prometheus
-  namespace: monitoring
-  ownerReferences:
-  - apiVersion: monitoring.coreos.com/v1
-    blockOwnerDeletion: true
-    controller: true
-    kind: Prometheus
-    name: kube-prometheus-stack-prometheus
-    uid: f0355616-4bfa-4409-8b5f-c1c815ee7a2a
-type: Opaque
-
@@ -1,21 +0,0 @@
-apiVersion: v1
-data:
-  tls.crt: REDACTED
-  tls.key: REDACTED
-kind: Secret
-metadata:
-  annotations:
-    cert-manager.io/alt-names: prometheus.chemavx.xyz
-    cert-manager.io/certificate-name: prometheus-tls
-    cert-manager.io/common-name: prometheus.chemavx.xyz
-    cert-manager.io/ip-sans: ''
-    cert-manager.io/issuer-group: cert-manager.io
-    cert-manager.io/issuer-kind: ClusterIssuer
-    cert-manager.io/issuer-name: letsencrypt-prod
-    cert-manager.io/uri-sans: ''
-  labels:
-    controller.cert-manager.io/fao: 'true'
-  name: prometheus-tls
-  namespace: monitoring
-type: kubernetes.io/tls
-
@@ -1,21 +0,0 @@
-apiVersion: v1
-data:
-  tls.crt: REDACTED
-  tls.key: REDACTED
-kind: Secret
-metadata:
-  annotations:
-    cert-manager.io/alt-names: uptime.chemavx.xyz
-    cert-manager.io/certificate-name: uptime-kuma-redirect-tls
-    cert-manager.io/common-name: uptime.chemavx.xyz
-    cert-manager.io/ip-sans: ''
-    cert-manager.io/issuer-group: cert-manager.io
-    cert-manager.io/issuer-kind: ClusterIssuer
-    cert-manager.io/issuer-name: letsencrypt-prod
-    cert-manager.io/uri-sans: ''
-  labels:
-    controller.cert-manager.io/fao: 'true'
-  name: uptime-kuma-redirect-tls
-  namespace: monitoring
-type: kubernetes.io/tls
-
@@ -1,21 +0,0 @@
-apiVersion: v1
-data:
-  tls.crt: REDACTED
-  tls.key: REDACTED
-kind: Secret
-metadata:
-  annotations:
-    cert-manager.io/alt-names: home.chemavx.xyz,status.chemavx.xyz
-    cert-manager.io/certificate-name: uptime-kuma-tls
-    cert-manager.io/common-name: status.chemavx.xyz
-    cert-manager.io/ip-sans: ''
-    cert-manager.io/issuer-group: cert-manager.io
-    cert-manager.io/issuer-kind: ClusterIssuer
-    cert-manager.io/issuer-name: letsencrypt-prod
-    cert-manager.io/uri-sans: ''
-  labels:
-    controller.cert-manager.io/fao: 'true'
-  name: uptime-kuma-tls
-  namespace: monitoring
-type: kubernetes.io/tls
-