feat: add secrets scanning + hook + use operator for pihole WEBPASSWORD #263
Merged
Renovate bumped postgres 15->18 (#260). PG18 image refuses to start on data dir created by PG15, taking the infisical app down with it (ECONNREFUSED :5432). Revert tag to 15 and disable postgres major bumps in renovate for infisical (mirrors authentik), which require pg_upgrade.
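The Renovate rule the commit describes, written out as an added example rather than copied from the repository's config. The file names, the `postgres` package name and the `matchFileNames` scoping are assumptions about how the images are referenced in the charts; the effect is that minor and patch bumps still arrive while a major bump that would need `pg_upgrade` is left for a human:

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "packageRules": [
    {
      "description": "Postgres major upgrades need pg_upgrade on the data dir; do them by hand (assumed paths and image name)",
      "matchFileNames": ["charts/infisical/**", "charts/authentik/**"],
      "matchPackageNames": ["postgres"],
      "matchUpdateTypes": ["major"],
      "enabled": false
    }
  ]
}
```

Because `enabled: false` is scoped to `major`, Renovate keeps opening PRs for `15.x` patch releases; a reviewer only has to remember that the next `15 -> 16+` move requires a dump/restore or `pg_upgrade` before the new image will start.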
The pre-commit hook only auto-bumped chart versions. Extend it to catch problems locally before push, mirroring CI's lint + Infisical scan jobs.

Key changes:
- Infisical secret scan on staged diff (`git diff --cached | scan --pipe`); `git-changes --staged` scans commits, not the index, on CLI v0.43, so unusable
- yamllint on staged YAML (errors block, warnings pass, matches `make lint`)
- helm lint on charts with staged changes
- file hygiene: merge markers, whitespace errors, >1MiB files
- run fail-fast checks before the version-bump mutation
- rename scripts/pre-commit-chart-version.sh -> scripts/pre-commit.sh

Missing tools warn and skip rather than block. Bypass with --no-verify.
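A hook in the shape that commit describes, as an added example; it is not the repository's `scripts/pre-commit.sh`. Assumed: the Infisical CLI is on PATH as `infisical`, charts live under `charts/<name>/`, and the size limit is 1 MiB. The ordering is the point: the cheap, read-only checks (merge markers, oversize blobs, whitespace, secret scan, linters) all run and must pass before anything that would mutate the index, and a missing tool warns and skips instead of failing the commit.

```sh
#!/usr/bin/env sh
# Added example pre-commit hook (not the repo's scripts/pre-commit.sh).
# Assumptions: `infisical` CLI on PATH, charts under charts/<name>/, 1 MiB limit.
set -u

MAX_BYTES=$((1024 * 1024))

warn() { printf 'pre-commit: warning: %s\n' "$*" >&2; }
fail() { printf 'pre-commit: error: %s\n' "$*" >&2; }

# have_tool NAME DESC: true if NAME is on PATH; otherwise warn and return 1
# so the caller skips that check rather than blocking the commit.
have_tool() {
  command -v "$1" >/dev/null 2>&1 && return 0
  warn "$1 not installed, skipping $2"
  return 1
}

# check_merge_markers FILE...: reject files that still carry conflict markers.
check_merge_markers() {
  rc=0
  for f in "$@"; do
    [ -f "$f" ] || continue
    if grep -Eq '^(<{7}|={7}|>{7})( |$)' "$f"; then
      fail "merge conflict marker in $f"
      rc=1
    fi
  done
  return "$rc"
}

# check_large_files FILE...: reject anything above MAX_BYTES; a blob that is
# pushed once stays in history forever.
check_large_files() {
  rc=0
  for f in "$@"; do
    [ -f "$f" ] || continue
    size=$(wc -c < "$f" | tr -d ' ')
    if [ "$size" -gt "$MAX_BYTES" ]; then
      fail "$f is $size bytes (limit $MAX_BYTES)"
      rc=1
    fi
  done
  return "$rc"
}

# staged_files [REGEX]: added/copied/modified/renamed staged paths, optionally filtered.
staged_files() {
  git diff --cached --name-only --diff-filter=ACMR | grep -E "${1:-.}" || true
}

# chart_dirs FILE...: the unique charts/<name> directories the given paths touch.
chart_dirs() {
  printf '%s\n' "$@" | sed -n 's#^\(charts/[^/]*\)/.*#\1#p' | sort -u
}

# scan_staged_diff: the scanner only sees diff text, so path-based allowlists
# do not apply here; content allowlists in .infisical-scan.toml still do.
scan_staged_diff() {
  have_tool infisical "secret scan" || return 0
  git diff --cached | infisical scan --pipe
}

main() {
  files=$(staged_files)
  [ -n "$files" ] || exit 0
  # Fail-fast checks first; nothing below mutates the index until they pass.
  # shellcheck disable=SC2086
  check_merge_markers $files || exit 1
  # shellcheck disable=SC2086
  check_large_files $files || exit 1
  git diff --cached --check || exit 1     # whitespace errors, as git defines them
  scan_staged_diff || exit 1
  yaml=$(staged_files '\.ya?ml$')
  if [ -n "$yaml" ] && have_tool yamllint "YAML lint"; then
    # yamllint exits non-zero for errors only; warnings pass, matching `make lint`.
    # shellcheck disable=SC2086
    yamllint $yaml || exit 1
  fi
  if have_tool helm "chart lint"; then
    # shellcheck disable=SC2086
    for c in $(chart_dirs $files); do
      helm lint "$c" || exit 1
    done
  fi
  # The version-bump mutation would go here, after every check above has passed.
}

# Run the pipeline only when installed as the hook; sourcing the file just
# defines the functions.
case "${0##*/}" in
  pre-commit|pre-commit.sh) main "$@" ;;
esac
```

Two caveats worth knowing before copying this: the unquoted `$files` expansion splits on whitespace, so paths containing spaces need the `-z` form of `git diff --name-only` and a loop instead; and `scan_staged_diff` returns success when the CLI is absent, which is the "warn and skip" policy the commit chose, so CI must still run the real scan as the backstop.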
Self-host Infisical but still seal everything in git, so the platform's core job (serving secrets to the cluster) was unused. Add the Infisical Secrets Operator and wire pihole as a proof-of-concept consumer.

Key changes:
- charts/infisical-secrets-operator: wraps upstream secrets-operator v0.10.33, cluster-scoped, hostAPI -> self-hosted platform, Pi5 node affinity
- charts/pihole: InfisicalSecret CR (gated behind infisical.enabled=false) that materializes the existing pihole-secrets/WEBPASSWORD via the operator
- machine-identity credential template (the one secret still sealed in git; every InfisicalSecret references it via credentialsRef)
- Makefile: operator added to build-deps, update-deps, install-infra
- docs/runbooks/INFISICAL_OPERATOR.md: setup, enable, rollback, gotchas
- .yamllint: shared config so `make lint` + pre-commit hook agree, and the hook stops choking on Helm templates (ignored) / long values lines

Disabled by default; needs a machine identity + sealed creds before enabling.
Add the sealed Universal Auth credentials the operator uses to authenticate to the self-hosted platform (applied + verified unsealing in-cluster).

Pre-commit scan fixes surfaced while committing the sealed secret:
- .infisical-scan.toml: allowlist kubeseal ciphertext by content regex. The hook scans a piped diff (no file path), so the existing path allowlist for sealed-secrets/*-sealed.yaml didn't apply there.
- .yamllint: ignore charts/*/sealed-secrets/ (machine-generated ciphertext).
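The allowlist shape that commit refers to, as an added example rather than the repository's `.infisical-scan.toml`. The path entry covers file-based scans; the content regex is what makes the piped-diff scan pass, since the scanner sees no path there. The regex is an assumption: kubeseal ciphertext is base64 that, for the default 4096-bit controller key, begins with the two-byte length prefix `0x0200` and therefore with `Ag`; if your controller uses a different key size, drop that prefix and rely on the length threshold alone:

```toml
# Added example .infisical-scan.toml (not the repo's own file).
title = "homelab scan config"

[allowlist]
  description = "kubeseal output: RSA-wrapped session key + AES-GCM ciphertext, not a secret"
  # file-based scans: whole sealed manifests (assumed path layout)
  paths = ['''charts/.*/sealed-secrets/.*-sealed\.ya?ml$''']
  # piped-diff scans: match the ciphertext itself; `Ag` prefix assumed for 4096-bit keys
  regexes = ['''\bAg[A-Za-z0-9+/]{200,}={0,2}''']
```

The length floor matters: a regex that accepted any base64 run would also silence real findings such as a base64-encoded private key, so keep the threshold above anything a credential in your environment could plausibly be, and re-run the scan on the sealed file with the allowlist removed once, to confirm it was the only thing being suppressed.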
The Infisical Secrets Operator now sources pihole's WEBPASSWORD from the self-hosted platform; the SealedSecret is retired so there's one source of truth. Verified in-cluster: Secret pihole-secrets is owned by the InfisicalSecret and holds the correct value; all 4 pihole pods healthy.

Changes from bringing it up live:
- hostAPI -> in-cluster Service URL (infisical-infisical-standalone-infisical.default.svc:8080). The public ingress hostname only resolves via pihole's local DNS, which CoreDNS can't reach.
- secretsPath: / (secret lives at the prod env root) + a template filter so only WEBPASSWORD is materialized, not all 41 env secrets.
- enabled: true, projectSlug: homelab-nkcl
- remove charts/pihole/sealed-secrets/pihole-secrets-sealed.yaml

Bootstrap creds (charts/infisical-secrets-operator) stay sealed in git.
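The consumer resource described across the two operator commits above (the gated CR from the first, the in-cluster `hostAPI`, root `secretsPath` and single-key template from this one), written out as an added example; it is not the chart's own template. Assumed, because the page does not state them: the `pihole` namespace, the `/api` suffix on `hostAPI` (the operator expects the API base, not the bare host), the name and namespace of the sealed Universal Auth credential Secret, `envSlug: prod`, and the `template.data` / `includeAllSecrets` filter syntax. The second document is the shape of the bootstrap credential the CR points at, which is the one thing that stays sealed in git:

```yaml
# charts/pihole/templates/infisicalsecret.yaml (added example, not the chart's file)
{{- if .Values.infisical.enabled }}
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
  name: pihole-secrets
  namespace: pihole                     # assumed namespace
spec:
  # In-cluster Service URL: the public ingress name only resolves through
  # pihole's own DNS, which CoreDNS cannot reach. "/api" suffix assumed.
  hostAPI: http://infisical-infisical-standalone-infisical.default.svc:8080/api
  resyncInterval: 60
  authentication:
    universalAuth:
      secretsScope:
        projectSlug: homelab-nkcl
        envSlug: prod                   # assumed environment slug
        secretsPath: "/"                # secret lives at the env root
        recursive: false
      credentialsRef:
        secretName: infisical-universal-auth      # assumed name of the sealed creds
        secretNamespace: infisical-secrets-operator
  managedSecretReference:
    secretName: pihole-secrets          # same name the Deployment already mounts
    secretNamespace: pihole
    creationPolicy: Owner               # operator owns the Secret; deleting the CR removes it
    template:
      includeAllSecrets: false          # filter: materialize WEBPASSWORD, not all 41 env secrets
      data:
        WEBPASSWORD: "{{ `{{ .WEBPASSWORD.Value }}` }}"
{{- end }}
---
# Bootstrap credential the CR references; sealed with kubeseal before commit.
# Key names follow the operator's Universal Auth convention; values are placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: infisical-universal-auth
  namespace: infisical-secrets-operator
type: Opaque
stringData:
  clientId: <machine-identity-client-id>
  clientSecret: <machine-identity-client-secret>
```

Two checks after applying: `kubectl get secret pihole-secrets -n pihole -o jsonpath='{.metadata.ownerReferences[0].kind}'` should print `InfisicalSecret`, which is what "owned by the InfisicalSecret" above means in practice, and the Secret should carry exactly one key; if it carries all of the environment's keys the template filter is not being honoured by the operator version in use. Note the nested backticks in the `WEBPASSWORD` line: the outer `{{ }}` is Helm, the inner literal is what reaches the operator as its own template expression.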
`helm install` aborts on already-installed releases, so re-running install-infra/install-monitoring/deploy-all died on the first existing chart. Switch all to `helm upgrade --install`.