security: remove all REDACTED secrets from repo, add pre-commit guard

- Delete 26 secret manifests containing REDACTED placeholder values (15 cert-manager TLS + 11 app secrets across 8 namespaces) - REDACTED is valid base64 that decodes to non-UTF-8 bytes — ArgoCD applying these manifests corrupts live secrets in the cluster - Add .githooks/pre-commit that rejects any .yaml with REDACTED - Add README.md documenting secret management policy and manual creation commands for each service - n8n secret manifests already fixed in previous commits (618b1e8, db04fd2)
2026-04-14 20:02:51 +00:00
parent db04fd2cbc
commit f42cdee585
28 changed files with 81 additions and 481 deletions
@@ -0,0 +1,17 @@
 #!/bin/bash
 # Reject commits that contain REDACTED in YAML files.
 # "REDACTED" is valid base64 — if ArgoCD applies it, it corrupts secrets.
 REDACTED_FILES=$(git diff --cached --name-only --diff-filter=ACM | grep '\.ya\?ml$' | xargs grep -l 'REDACTED' 2>/dev/null)
 if [ -n "$REDACTED_FILES" ]; then
  echo ""
  echo "ERROR: los siguientes archivos contienen 'REDACTED':"
  echo "$REDACTED_FILES" | sed 's/^/  /'
  echo ""
  echo "Los secrets con datos sensibles NO deben ir en este repo."
  echo "Elimina el campo 'data:' del manifest o borra el archivo."
  echo "Ver README.md para instrucciones de gestión de secrets."
  echo ""
  exit 1
 fi
@@ -0,0 +1,64 @@
 # k8s-manifests
 Manifests de Kubernetes gestionados por ArgoCD para el cluster chemavx.
 ## Regla crítica: secrets en git
 **Los secrets con datos sensibles NO se guardan en este repo.**
 Los archivos de secret en este repo sólo contienen metadata (name, namespace, labels, annotations). Los campos `data` / `stringData` se gestionan manualmente fuera de git.
 ### Por qué
 Un valor placeholder como `REDACTED` es base64 válido que decodifica a bytes no-UTF-8. Si ArgoCD aplica ese manifest, corrompe el secret en el cluster, lo que puede:
 - Romper certificados TLS (ERR_CERT_AUTHORITY_INVALID)
 - Impedir que pods arranquen (`grpc: error while marshaling: string field contains invalid UTF-8`)
 - Cifrar credenciales con una clave incorrecta
 ### Secrets TLS (cert-manager)
 Los secrets TLS los gestiona **cert-manager** automáticamente a partir del recurso `Certificate`. **No crear archivos secret-*-tls.yaml con datos**.
 ### Secrets de aplicación — crear manualmente antes del primer deploy
 | Namespace | Secret | Comando |
 |---|---|---|
 | `n8n` | `n8n-secret` | `kubectl create secret generic n8n-secret --from-literal=encryption-key='<valor-en-vaultwarden>' -n n8n` |
 | `authentik` | `authentik-secret` | Ver Vaultwarden → "authentik" |
 | `cloudflare-ddns` | `cloudflare-ddns-secret` | Ver Vaultwarden → "cloudflare-ddns" |
 | `vaultwarden` | `vaultwarden-secret` | Ver Vaultwarden → "vaultwarden" |
 | `openclaw` | `openclaw-token` | Ver Vaultwarden → "openclaw" |
 | `argocd` | `argocd-secret` | Gestionado por ArgoCD bootstrap |
 | `argocd` | `argocd-redis` | Gestionado por ArgoCD bootstrap |
 | `monitoring` | `kube-prometheus-stack-grafana` | Ver Vaultwarden → "grafana" |
 | `monitoring` | `kube-prometheus-stack-admission` | Generado por helm (webhook TLS) |
 ### ArgoCD ignoreDifferences para secrets
 Toda ArgoCD Application que gestione un namespace con secrets debe incluir `ignoreDifferences` para el campo `/data`:
 ```yaml
 spec:
  ignoreDifferences:
    - group: ""
      kind: Secret
      name: <nombre-del-secret>
      namespace: <namespace>
      jsonPointers:
        - /data
  syncPolicy:
    syncOptions:
      - RespectIgnoreDifferences=true
 ```
 Ver `n8n` ArgoCD Application como referencia.
 ## Pre-commit hook
 Este repo incluye un pre-commit hook que rechaza commits con `REDACTED` en archivos `.yaml`.
 Instalar con:
 ```bash
 cp .githooks/pre-commit .git/hooks/pre-commit
 chmod +x .git/hooks/pre-commit
 ```
@@ -1,9 +0,0 @@
 apiVersion: v1
 data:
  auth: REDACTED
 kind: Secret
 metadata:
  name: argocd-redis
  namespace: argocd
 type: Opaque
@@ -1,20 +0,0 @@
 apiVersion: v1
 data:
  admin.password: REDACTED
  admin.passwordMtime: REDACTED
  server.secretkey: REDACTED
  tls.crt: REDACTED
  tls.key: REDACTED
 kind: Secret
 metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: '{"apiVersion":"v1","kind":"Secret","metadata":{"annotations":{},"labels":{"app.kubernetes.io/name":"argocd-secret","app.kubernetes.io/part-of":"argocd"},"name":"argocd-secret","namespace":"argocd"},"type":"Opaque"}
      '
  labels:
    app.kubernetes.io/name: argocd-secret
    app.kubernetes.io/part-of: argocd
  name: argocd-secret
  namespace: argocd
 type: Opaque
@@ -1,21 +0,0 @@
 apiVersion: v1
 data:
  tls.crt: REDACTED
  tls.key: REDACTED
 kind: Secret
 metadata:
  annotations:
    cert-manager.io/alt-names: argocd.chemavx.xyz
    cert-manager.io/certificate-name: argocd-tls
    cert-manager.io/common-name: argocd.chemavx.xyz
    cert-manager.io/ip-sans: ''
    cert-manager.io/issuer-group: cert-manager.io
    cert-manager.io/issuer-kind: ClusterIssuer
    cert-manager.io/issuer-name: letsencrypt-prod
    cert-manager.io/uri-sans: ''
  labels:
    controller.cert-manager.io/fao: 'true'
  name: argocd-tls
  namespace: argocd
 type: kubernetes.io/tls
@@ -1,19 +0,0 @@
 apiVersion: v1
 data:
  insecure: REDACTED
  password: REDACTED
  type: REDACTED
  url: REDACTED
  username: REDACTED
 kind: Secret
 metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: '{"apiVersion":"v1","kind":"Secret","metadata":{"annotations":{},"labels":{"argocd.argoproj.io/secret-type":"repository"},"name":"gitea-k8s-manifests","namespace":"argocd"},"stringData":{"insecure":"true","password":"GitAdmin2026x","type":"git","url":"https://git.chemavx.xyz/chemavx/k8s-manifests","username":"chemavx"},"type":"Opaque"}
      '
  labels:
    argocd.argoproj.io/secret-type: repository
  name: gitea-k8s-manifests
  namespace: argocd
 type: Opaque
@@ -1,21 +0,0 @@
 apiVersion: v1
 data:
  tls.crt: REDACTED
  tls.key: REDACTED
 kind: Secret
 metadata:
  annotations:
    cert-manager.io/alt-names: auth.chemavx.xyz
    cert-manager.io/certificate-name: auth-tls
    cert-manager.io/common-name: auth.chemavx.xyz
    cert-manager.io/ip-sans: ''
    cert-manager.io/issuer-group: cert-manager.io
    cert-manager.io/issuer-kind: ClusterIssuer
    cert-manager.io/issuer-name: letsencrypt-prod
    cert-manager.io/uri-sans: ''
  labels:
    controller.cert-manager.io/fao: 'true'
  name: auth-tls
  namespace: authentik
 type: kubernetes.io/tls
@@ -1,15 +0,0 @@
 apiVersion: v1
 data:
  AUTHENTIK_POSTGRESQL__PASSWORD: REDACTED
  AUTHENTIK_SECRET_KEY: REDACTED
  POSTGRES_PASSWORD: REDACTED
 kind: Secret
 metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: '{"apiVersion":"v1","kind":"Secret","metadata":{"annotations":{},"name":"authentik-secrets","namespace":"authentik"},"stringData":{"AUTHENTIK_POSTGRESQL__PASSWORD":"authentik","AUTHENTIK_SECRET_KEY":"PLACEHOLDER_WILL_UPDATE","POSTGRES_PASSWORD":"authentik"},"type":"Opaque"}
      '
  name: authentik-secrets
  namespace: authentik
 type: Opaque
@@ -1,21 +0,0 @@
 apiVersion: v1
 data:
  tls.crt: REDACTED
  tls.key: REDACTED
 kind: Secret
 metadata:
  annotations:
    cert-manager.io/alt-names: authentik.chemavx.xyz
    cert-manager.io/certificate-name: authentik-tls
    cert-manager.io/common-name: authentik.chemavx.xyz
    cert-manager.io/ip-sans: ''
    cert-manager.io/issuer-group: cert-manager.io
    cert-manager.io/issuer-kind: ClusterIssuer
    cert-manager.io/issuer-name: letsencrypt-prod
    cert-manager.io/uri-sans: ''
  labels:
    controller.cert-manager.io/fao: 'true'
  name: authentik-tls
  namespace: authentik
 type: kubernetes.io/tls
@@ -1,13 +0,0 @@
 apiVersion: v1
 data:
  CF_API_TOKEN: REDACTED
 kind: Secret
 metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: '{"apiVersion":"v1","kind":"Secret","metadata":{"annotations":{},"name":"cloudflare-ddns-secret","namespace":"cloudflare-ddns"},"stringData":{"CF_API_TOKEN":"SMDp7QpoGiM_5JVeq4IXCGCv5oKAWQK5MfsBt3n_"},"type":"Opaque"}
      '
  name: cloudflare-ddns-secret
  namespace: cloudflare-ddns
 type: Opaque
@@ -1,21 +0,0 @@
 apiVersion: v1
 data:
  tls.crt: REDACTED
  tls.key: REDACTED
 kind: Secret
 metadata:
  annotations:
    cert-manager.io/alt-names: '*.chemavx.xyz,chemavx.xyz'
    cert-manager.io/certificate-name: wildcard-chemavx-xyz
    cert-manager.io/common-name: chemavx.xyz
    cert-manager.io/ip-sans: ''
    cert-manager.io/issuer-group: ''
    cert-manager.io/issuer-kind: ClusterIssuer
    cert-manager.io/issuer-name: letsencrypt-prod
    cert-manager.io/uri-sans: ''
  labels:
    controller.cert-manager.io/fao: 'true'
  name: wildcard-chemavx-xyz-tls
  namespace: default
 type: kubernetes.io/tls
@@ -1,21 +0,0 @@
 apiVersion: v1
 data:
  tls.crt: REDACTED
  tls.key: REDACTED
 kind: Secret
 metadata:
  annotations:
    cert-manager.io/alt-names: git.chemavx.xyz
    cert-manager.io/certificate-name: gitea-tls
    cert-manager.io/common-name: git.chemavx.xyz
    cert-manager.io/ip-sans: ''
    cert-manager.io/issuer-group: cert-manager.io
    cert-manager.io/issuer-kind: ClusterIssuer
    cert-manager.io/issuer-name: letsencrypt-prod
    cert-manager.io/uri-sans: ''
  labels:
    controller.cert-manager.io/fao: 'true'
  name: gitea-tls
  namespace: gitea
 type: kubernetes.io/tls
@@ -1,21 +0,0 @@
 apiVersion: v1
 data:
  tls.crt: REDACTED
  tls.key: REDACTED
 kind: Secret
 metadata:
  annotations:
    cert-manager.io/alt-names: homarr.chemavx.xyz
    cert-manager.io/certificate-name: homarr-tls
    cert-manager.io/common-name: homarr.chemavx.xyz
    cert-manager.io/ip-sans: ''
    cert-manager.io/issuer-group: cert-manager.io
    cert-manager.io/issuer-kind: ClusterIssuer
    cert-manager.io/issuer-name: letsencrypt-prod
    cert-manager.io/uri-sans: ''
  labels:
    controller.cert-manager.io/fao: 'true'
  name: homarr-tls
  namespace: homarr
 type: kubernetes.io/tls
@@ -1,21 +0,0 @@
 apiVersion: v1
 data:
  tls.crt: REDACTED
  tls.key: REDACTED
 kind: Secret
 metadata:
  annotations:
    cert-manager.io/alt-names: home.chemavx.xyz
    cert-manager.io/certificate-name: home-tls
    cert-manager.io/common-name: home.chemavx.xyz
    cert-manager.io/ip-sans: ''
    cert-manager.io/issuer-group: cert-manager.io
    cert-manager.io/issuer-kind: ClusterIssuer
    cert-manager.io/issuer-name: letsencrypt-prod
    cert-manager.io/uri-sans: ''
  labels:
    controller.cert-manager.io/fao: 'true'
  name: home-tls
  namespace: homarr
 type: kubernetes.io/tls
@@ -1,21 +0,0 @@
 apiVersion: v1
 data:
  tls.crt: REDACTED
  tls.key: REDACTED
 kind: Secret
 metadata:
  annotations:
    cert-manager.io/alt-names: grafana.chemavx.xyz
    cert-manager.io/certificate-name: grafana-tls
    cert-manager.io/common-name: grafana.chemavx.xyz
    cert-manager.io/ip-sans: ''
    cert-manager.io/issuer-group: cert-manager.io
    cert-manager.io/issuer-kind: ClusterIssuer
    cert-manager.io/issuer-name: letsencrypt-prod
    cert-manager.io/uri-sans: ''
  labels:
    controller.cert-manager.io/fao: 'true'
  name: grafana-tls
  namespace: monitoring
 type: kubernetes.io/tls
@@ -1,11 +0,0 @@
 apiVersion: v1
 data:
  ca: REDACTED
  cert: REDACTED
  key: REDACTED
 kind: Secret
 metadata:
  name: kube-prometheus-stack-admission
  namespace: monitoring
 type: Opaque
@@ -1,21 +0,0 @@
 apiVersion: v1
 data:
  admin-password: REDACTED
  admin-user: REDACTED
  ldap-toml: REDACTED
 kind: Secret
 metadata:
  annotations:
    meta.helm.sh/release-name: kube-prometheus-stack
    meta.helm.sh/release-namespace: monitoring
  labels:
    app.kubernetes.io/component: admin-secret
    app.kubernetes.io/instance: kube-prometheus-stack
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: grafana
    app.kubernetes.io/version: 12.4.2
    helm.sh/chart: grafana-11.5.0
  name: kube-prometheus-stack-grafana
  namespace: monitoring
 type: Opaque
@@ -1,19 +0,0 @@
 apiVersion: v1
 data:
  prometheus.http-client-file.yaml: REDACTED
 kind: Secret
 metadata:
  labels:
    app.kubernetes.io/managed-by: prometheus-operator
    managed-by: prometheus-operator
  name: prometheus-kube-prometheus-stack-prometheus-thanos-prometheus-http-client-file
  namespace: monitoring
  ownerReferences:
  - apiVersion: monitoring.coreos.com/v1
    blockOwnerDeletion: true
    controller: true
    kind: Prometheus
    name: kube-prometheus-stack-prometheus
    uid: f0355616-4bfa-4409-8b5f-c1c815ee7a2a
 type: Opaque
@@ -1,19 +0,0 @@
 apiVersion: v1
 data:
  0_monitoring_kube-prometheus-stack-admission_ca: REDACTED
 kind: Secret
 metadata:
  labels:
    app.kubernetes.io/managed-by: prometheus-operator
    managed-by: prometheus-operator
  name: prometheus-kube-prometheus-stack-prometheus-tls-assets-0
  namespace: monitoring
  ownerReferences:
  - apiVersion: monitoring.coreos.com/v1
    blockOwnerDeletion: true
    controller: true
    kind: Prometheus
    name: kube-prometheus-stack-prometheus
    uid: f0355616-4bfa-4409-8b5f-c1c815ee7a2a
 type: Opaque
@@ -1,19 +0,0 @@
 apiVersion: v1
 data:
  web-config.yaml: REDACTED
 kind: Secret
 metadata:
  labels:
    app.kubernetes.io/managed-by: prometheus-operator
    managed-by: prometheus-operator
  name: prometheus-kube-prometheus-stack-prometheus-web-config
  namespace: monitoring
  ownerReferences:
  - apiVersion: monitoring.coreos.com/v1
    blockOwnerDeletion: true
    controller: true
    kind: Prometheus
    name: kube-prometheus-stack-prometheus
    uid: f0355616-4bfa-4409-8b5f-c1c815ee7a2a
 type: Opaque
@@ -1,19 +0,0 @@
 apiVersion: v1
 data:
  prometheus.yaml.gz: REDACTED
 kind: Secret
 metadata:
  labels:
    app.kubernetes.io/managed-by: prometheus-operator
    managed-by: prometheus-operator
  name: prometheus-kube-prometheus-stack-prometheus
  namespace: monitoring
  ownerReferences:
  - apiVersion: monitoring.coreos.com/v1
    blockOwnerDeletion: true
    controller: true
    kind: Prometheus
    name: kube-prometheus-stack-prometheus
    uid: f0355616-4bfa-4409-8b5f-c1c815ee7a2a
 type: Opaque
@@ -1,21 +0,0 @@
 apiVersion: v1
 data:
  tls.crt: REDACTED
  tls.key: REDACTED
 kind: Secret
 metadata:
  annotations:
    cert-manager.io/alt-names: prometheus.chemavx.xyz
    cert-manager.io/certificate-name: prometheus-tls
    cert-manager.io/common-name: prometheus.chemavx.xyz
    cert-manager.io/ip-sans: ''
    cert-manager.io/issuer-group: cert-manager.io
    cert-manager.io/issuer-kind: ClusterIssuer
    cert-manager.io/issuer-name: letsencrypt-prod
    cert-manager.io/uri-sans: ''
  labels:
    controller.cert-manager.io/fao: 'true'
  name: prometheus-tls
  namespace: monitoring
 type: kubernetes.io/tls
@@ -1,21 +0,0 @@
 apiVersion: v1
 data:
  tls.crt: REDACTED
  tls.key: REDACTED
 kind: Secret
 metadata:
  annotations:
    cert-manager.io/alt-names: uptime.chemavx.xyz
    cert-manager.io/certificate-name: uptime-kuma-redirect-tls
    cert-manager.io/common-name: uptime.chemavx.xyz
    cert-manager.io/ip-sans: ''
    cert-manager.io/issuer-group: cert-manager.io
    cert-manager.io/issuer-kind: ClusterIssuer
    cert-manager.io/issuer-name: letsencrypt-prod
    cert-manager.io/uri-sans: ''
  labels:
    controller.cert-manager.io/fao: 'true'
  name: uptime-kuma-redirect-tls
  namespace: monitoring
 type: kubernetes.io/tls
@@ -1,21 +0,0 @@
 apiVersion: v1
 data:
  tls.crt: REDACTED
  tls.key: REDACTED
 kind: Secret
 metadata:
  annotations:
    cert-manager.io/alt-names: home.chemavx.xyz,status.chemavx.xyz
    cert-manager.io/certificate-name: uptime-kuma-tls
    cert-manager.io/common-name: status.chemavx.xyz
    cert-manager.io/ip-sans: ''
    cert-manager.io/issuer-group: cert-manager.io
    cert-manager.io/issuer-kind: ClusterIssuer
    cert-manager.io/issuer-name: letsencrypt-prod
    cert-manager.io/uri-sans: ''
  labels:
    controller.cert-manager.io/fao: 'true'
  name: uptime-kuma-tls
  namespace: monitoring
 type: kubernetes.io/tls
@@ -1,21 +0,0 @@
 apiVersion: v1
 data:
  tls.crt: REDACTED
  tls.key: REDACTED
 kind: Secret
 metadata:
  annotations:
    cert-manager.io/alt-names: openclaw.chemavx.xyz
    cert-manager.io/certificate-name: openclaw-tls
    cert-manager.io/common-name: openclaw.chemavx.xyz
    cert-manager.io/ip-sans: ''
    cert-manager.io/issuer-group: cert-manager.io
    cert-manager.io/issuer-kind: ClusterIssuer
    cert-manager.io/issuer-name: letsencrypt-prod
    cert-manager.io/uri-sans: ''
  labels:
    controller.cert-manager.io/fao: 'true'
  name: openclaw-tls
  namespace: openclaw
 type: kubernetes.io/tls
@@ -1,9 +0,0 @@
 apiVersion: v1
 data:
  OPENCLAW_TOKEN: REDACTED
 kind: Secret
 metadata:
  name: openclaw-token
  namespace: openclaw
 type: Opaque
@@ -1,15 +0,0 @@
 apiVersion: v1
 data:
  ADMIN_TOKEN: REDACTED
  DOMAIN: REDACTED
  SIGNUPS_ALLOWED: REDACTED
 kind: Secret
 metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: '{"apiVersion":"v1","kind":"Secret","metadata":{"annotations":{},"name":"vaultwarden-secret","namespace":"vaultwarden"},"stringData":{"DOMAIN":"https://vaultwarden.chemavx.xyz","SIGNUPS_ALLOWED":"false"},"type":"Opaque"}
      '
  name: vaultwarden-secret
  namespace: vaultwarden
 type: Opaque
@@ -1,21 +0,0 @@
 apiVersion: v1
 data:
  tls.crt: REDACTED
  tls.key: REDACTED
 kind: Secret
 metadata:
  annotations:
    cert-manager.io/alt-names: vaultwarden.chemavx.xyz
    cert-manager.io/certificate-name: vaultwarden-tls
    cert-manager.io/common-name: vaultwarden.chemavx.xyz
    cert-manager.io/ip-sans: ''
    cert-manager.io/issuer-group: cert-manager.io
    cert-manager.io/issuer-kind: ClusterIssuer
    cert-manager.io/issuer-name: letsencrypt-prod
    cert-manager.io/uri-sans: ''
  labels:
    controller.cert-manager.io/fao: 'true'
  name: vaultwarden-tls
  namespace: vaultwarden
 type: kubernetes.io/tls