guard: ignore + git-crypt kubeconfig files so they can't leak to the public mirror
All checks were successful
ci/woodpecker/push/default Pipeline was successful
A GitGuardian audit of the infra repo showed the recent alerts were test fixtures (false positives), but surfaced a real historical leak: a cluster-admin kubeconfig was once committed as stacks/f1-stream/.../.config (now expired, reachable only via a GitHub PR ref). The .gitignore already had a `config` rule for kubeconfigs but missed the dotfile form `.config` — which is exactly how that file slipped onto the public mirror.

Close the gap in two layers:

- .gitignore: also ignore `.config`, `kubeconfig`, `*.kubeconfig`, `admin.conf`, `.kube/` so they're never staged by accident.
- .gitattributes: route `.config`, `kubeconfig`, `*.kubeconfig`, `admin.conf` through git-crypt so a force-add or rename still lands as ciphertext (never plaintext) on the public GitHub mirror.

No tracked files match these names today, so there is zero retroactive impact — purely forward-looking prevention.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
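The two layers described in the commit message can be dry-run without touching the real repo or installing git-crypt: git's own matchers (`git check-ignore` for layer 1, `git check-attr` for layer 2) answer "would this path be refused by `git add`?" and "which filter would apply if it were force-added?" for paths that do not even exist yet. The script below is an added example, not part of the commit; the scratch repo path, the copied rule set and the sample paths (the historical leak name, a renamed kubeconfig, a `.kube/config`, a plain Terraform file) are all constructed here. It goes one step past the message by showing that `.kube/config` is caught by .gitignore but has no git-crypt attribute, so a force-add of that path would still land as plaintext.

```shell
#!/bin/sh
# Added example, not part of the commit: dry-run the two-layer rule set in a
# throwaway repo using git's own matchers (git check-ignore / git check-attr).
# Only git is needed; git-crypt need not be installed because check-attr reads
# .gitattributes without invoking the filter driver.
set -eu

# Build a scratch repo (hypothetical mktemp path) carrying the same rule lines
# the commit adds, then print the repo path.
make_scratch_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  cat >"$dir/.gitignore" <<'EOF'
config
.config
kubeconfig
*.kubeconfig
admin.conf
.kube/
EOF
  cat >"$dir/.gitattributes" <<'EOF'
.config filter=git-crypt diff=git-crypt
kubeconfig filter=git-crypt diff=git-crypt
*.kubeconfig filter=git-crypt diff=git-crypt
admin.conf filter=git-crypt diff=git-crypt
EOF
  printf '%s' "$dir"
}

# Layer 1: would "git add <path>" (without -f) refuse the file?
# Prints "ignored" or "not-ignored". The path does not have to exist.
ignore_status() {
  if git -C "$1" check-ignore -q -- "$2"; then echo ignored; else echo not-ignored; fi
}

# Layer 2: which clean/smudge filter would run if the file were force-added?
# Prints the filter name (git-crypt) or "unspecified" when no attribute matches.
filter_for() {
  git -C "$1" check-attr filter -- "$2" | awk '{ print $NF }'
}

# Print one line per candidate path: path, ignore verdict, filter verdict.
audit() {
  repo=$1; shift
  for p in "$@"; do
    printf '%-32s %-12s %s\n' "$p" "$(ignore_status "$repo" "$p")" "$(filter_for "$repo" "$p")"
  done
}

# Demo over constructed sample paths: the historical leak name, a renamed
# kubeconfig, a ~/.kube style path, and an ordinary Terraform file.
repo=$(make_scratch_repo)
audit "$repo" stacks/f1-stream/.config prod.kubeconfig .kube/config stacks/f1-stream/main.tf
rm -rf "$repo"
```

Run it from any directory; the last column is the one to watch when auditing the real repo, since `.gitignore` only protects against accidental staging while the `filter` attribute is what decides whether a deliberately added file reaches the mirror as ciphertext.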
parent dab307f9f8
commit 5d5d9752cb
2 changed files with 17 additions and 1 deletions
9
.gitattributes
vendored
|
|
@ -4,3 +4,12 @@
|
|||
*.tfvars filter=git-crypt diff=git-crypt
|
||||
secrets/** filter=git-crypt diff=git-crypt
|
||||
stacks/**/secrets/** filter=git-crypt diff=git-crypt
|
||||
|
||||
# Kubeconfigs / cluster credentials — encrypt at rest so a force-added or renamed
|
||||
# commit can't push plaintext to the public GitHub mirror. Belt-and-suspenders to
|
||||
# the .gitignore rules above; `.config` is explicit because that is exactly the
|
||||
# name an admin kubeconfig once leaked under (GitGuardian, 2026-07-02).
|
||||
.config filter=git-crypt diff=git-crypt
|
||||
kubeconfig filter=git-crypt diff=git-crypt
|
||||
*.kubeconfig filter=git-crypt diff=git-crypt
|
||||
admin.conf filter=git-crypt diff=git-crypt
|
||||
|
|
|
|||
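Review bot: the encryption guarantee in the comment ("a force-added or renamed commit can't push plaintext") on the `.config` / `kubeconfig` / `*.kubeconfig` / `admin.conf` lines only holds in a clone where `git-crypt init` or `git-crypt unlock` has registered the `filter.git-crypt` clean/smudge driver in `.git/config`; in a fresh clone that has not been unlocked the attribute names a driver git does not know, so the file is staged as plaintext. Worth saying so in the comment, since the .gitignore layer is then the only one that applies. Separately, this list is narrower than the .gitignore side: `config` and `.kube/` are ignored there but not routed here, so a force-added `.kube/config` would reach the mirror unencrypted; consider adding `.kube/** filter=git-crypt diff=git-crypt`. After applying, `git check-attr filter -- stacks/f1-stream/.config` should print `git-crypt`.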
9
.gitignore
vendored
|
|
@ -71,8 +71,15 @@ stacks/*/cloudflare_provider.tf
|
|||
stacks/*/tiers.tf
|
||||
stacks/*/terragrunt_rendered.json
|
||||
|
||||
# Kubernetes config (sensitive)
|
||||
# Kubernetes config / cluster credentials (sensitive) — never commit in plaintext.
|
||||
# `config` alone missed the dotfile form: an admin kubeconfig once leaked to the
|
||||
# public mirror as `.config` (GitGuardian, 2026-07-02). Cover the common names.
|
||||
config
|
||||
.config
|
||||
kubeconfig
|
||||
*.kubeconfig
|
||||
admin.conf
|
||||
.kube/
|
||||
|
||||
# Node.js (not part of infra)
|
||||
node_modules/
|
||||
|
|
|
|||
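Review bot: `config`, `.config` and `kubeconfig` are unanchored, so they ignore any file by that name anywhere in the tree, not only kubeconfigs; that is a reasonable trade for an infra repo, but it also silently hides a legitimate tool dotfile named `.config` or `config` added later, and the workaround for that is `git add -f`, the exact path the comment warns about. The comment should state plainly that .gitignore does not stop `git add -f` or a rename of an already tracked file, so readers do not treat this hunk as sufficient on its own. Also, the historical `.config` described in the commit message is still reachable via the GitHub PR ref; this hunk is prevention only, so confirming the credential is revoked and requesting removal of the dangling ref belong in a separate follow-up.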