f42cdee585
- Delete 26 secret manifests containing REDACTED placeholder values (15 cert-manager TLS + 11 app secrets across 8 namespaces)
- REDACTED is valid base64 that decodes to non-UTF-8 bytes — ArgoCD applying these manifests corrupts live secrets in the cluster
- Add .githooks/pre-commit that rejects any .yaml with REDACTED
- Add README.md documenting secret management policy and manual creation commands for each service
- n8n secret manifests already fixed in previous commits (618b1e8, db04fd2)
18 lines
647 B
Bash
Executable File
#!/bin/bash
# Reject commits that contain REDACTED in YAML files.
# "REDACTED" is valid base64 — if ArgoCD applies it, it corrupts secrets.

REDACTED_FILES=$(git diff --cached --name-only --diff-filter=ACM | grep '\.ya\?ml$' | xargs grep -l 'REDACTED' 2>/dev/null)

if [ -n "$REDACTED_FILES" ]; then
    echo ""
    echo "ERROR: los siguientes archivos contienen 'REDACTED':"
    echo "$REDACTED_FILES" | sed 's/^/ /'
    echo ""
    echo "Los secrets con datos sensibles NO deben ir en este repo."
    echo "Elimina el campo 'data:' del manifest o borra el archivo."
    echo "Ver README.md para instrucciones de gestión de secrets."
    echo ""
    exit 1
fi
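The failure the commit message describes can be checked directly. The following is an added example, not part of the repository: it decodes the placeholder to show the bytes a Secret would end up holding, and lists which keys under data: carry it. The function names and the sample manifest are assumptions made for illustration.

```shell
#!/bin/bash
# Added example, not part of the repository; the sample manifest is constructed.

# Hex of the bytes a base64 string decodes to; returns 1 if it does not decode.
b64_hex() {
    local hex
    hex=$(set -o pipefail
          printf '%s' "$1" | base64 -d 2>/dev/null | od -An -v -tx1 | tr -d ' \n') || return 1
    printf '%s\n' "$hex"
}

# Read a manifest on stdin and print "key<TAB>hex" for every entry under a
# top-level data: mapping whose value is the placeholder (default REDACTED).
# Returns 1 when at least one such entry exists, so a hook can reject on it.
flag_placeholders() {
    local word="${1:-REDACTED}" hex keys key
    hex=$(b64_hex "$word") || return 0   # placeholder does not decode: out of scope here
    keys=$(awk -v word="$word" '
        /^ *#/        { next }                              # skip comment lines
        /^[^ ]/       { in_data = ($0 ~ /^data: *$/); next } # any top-level key
        in_data && NF >= 2 {
            key = $1; sub(/:$/, "", key)
            val = $2; gsub(/"/, "", val)
            if (val == word) print key
        }')
    [ -z "$keys" ] && return 0
    for key in $keys; do printf '%s\t%s\n' "$key" "$hex"; done
    return 1
}

# Constructed sample: one real base64 value, one placeholder.
sample_manifest() {
    cat <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: example-app
data:
  username: YWRtaW4=
  password: REDACTED
EOF
}

# Prints: password<TAB>4440c0093103 (0xc0 can never appear in valid UTF-8).
sample_manifest | flag_placeholders || true
```

Because the function reads from stdin, a hook can feed it the staged blob with git show ":$file" instead of the working-tree copy.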