guard: ignore + git-crypt kubeconfig files so they can't leak to the public mirror
ci/woodpecker/push/default Pipeline was successful

A GitGuardian audit of the infra repo showed the recent alerts were test
fixtures (false positives), but surfaced a real historical leak: a
cluster-admin kubeconfig was once committed as stacks/f1-stream/.../.config
(now expired, reachable only via a GitHub PR ref). The .gitignore already had
a `config` rule for kubeconfigs but missed the dotfile form `.config` — which
is exactly how that file slipped onto the public mirror.

Close the gap in two layers:
- .gitignore: also ignore `.config`, `kubeconfig`, `*.kubeconfig`,
  `admin.conf`, `.kube/` so they're never staged by accident.
- .gitattributes: route `.config`, `kubeconfig`, `*.kubeconfig`, `admin.conf`
  through git-crypt so a force-add or rename still lands as ciphertext (never
  plaintext) on the public GitHub mirror.

No tracked files match these names today, so there is zero retroactive impact
— purely forward-looking prevention.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Viktor Barzin 2026-07-02 07:14:58 +00:00
parent dab307f9f8
commit 5d5d9752cb
2 changed files with 17 additions and 1 deletions

.gitattributes

@ -4,3 +4,12 @@
*.tfvars filter=git-crypt diff=git-crypt
secrets/** filter=git-crypt diff=git-crypt
stacks/**/secrets/** filter=git-crypt diff=git-crypt
# Kubeconfigs / cluster credentials — encrypt at rest so a force-added or renamed
# commit can't push plaintext to the public GitHub mirror. Belt-and-suspenders to
# the .gitignore rules above; `.config` is explicit because that is exactly the
# name an admin kubeconfig once leaked under (GitGuardian, 2026-07-02).
.config filter=git-crypt diff=git-crypt
kubeconfig filter=git-crypt diff=git-crypt
*.kubeconfig filter=git-crypt diff=git-crypt
admin.conf filter=git-crypt diff=git-crypt
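Review bot: the "never plaintext on the mirror" guarantee in the comment holds only in a working copy where git-crypt has been initialised or unlocked; in a fresh clone that has not run `git-crypt unlock`, `filter.git-crypt.clean` is undefined, Git treats the filter as a no-op, and a force-added `.config` is staged as plaintext. Worth stating that assumption in the comment, and worth a one-off sanity check that the new rules resolve, e.g. `git check-attr filter -- <path>/.config` (substitute the real path) should print `filter: git-crypt`. Two smaller points: gitattributes patterns do not recurse into a matching directory, so a directory literally named `.config` (common for tool configuration) gets the attribute on the path itself but not on the files inside it; and git-crypt only encrypts content staged after the rule exists, so this does nothing for the historical leak the message describes, which the PR ref still exposes until the key is confirmed rotated.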

.gitignore

@ -71,8 +71,15 @@ stacks/*/cloudflare_provider.tf
stacks/*/tiers.tf
stacks/*/terragrunt_rendered.json
# Kubernetes config (sensitive)
# Kubernetes config / cluster credentials (sensitive) — never commit in plaintext.
# `config` alone missed the dotfile form: an admin kubeconfig once leaked to the
# public mirror as `.config` (GitGuardian, 2026-07-02). Cover the common names.
config
.config
kubeconfig
*.kubeconfig
admin.conf
.kube/
# Node.js (not part of infra)
node_modules/
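Review bot: the unanchored `config` and `.config` entries match any file or directory with that name at any depth, so a tool's `.config/` directory or an application's `config/` folder anywhere under `stacks/` is now ignored wholesale along with the kubeconfigs; if only the kubeconfig locations are meant, anchor the patterns (e.g. `stacks/*/.config`), otherwise say in the comment that the breadth is intentional. `git check-ignore -v -- <path>` on the offending name shows which rule wins, and `git ls-files | grep -E '(^|/)\.?config$'` confirms the claim that no tracked file already matches, since an ignored name that is already tracked stays tracked. Note also that `.kube/` covers the directory only, and that none of these rules block `git add -f`, which is exactly why the .gitattributes layer in this commit is the one that matters for the mirror.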