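#!/usr/bin/env bash
# Refuses to apply a secrets YAML if any CHANGE_ME values present.
#
# Background: `k8s/secrets.yaml` and `k8s/infra-secrets.yaml` are TEMPLATES
# containing `CHANGE_ME` placeholders. A naive `kubectl apply -f secrets.yaml`
# will overwrite real production secrets (AES_KEY, JWT_SECRET, RAZORPAY_*, etc.)
# with the literal string `CHANGE_ME` and crashloop dependent pods.
#
# This script guards against that mistake by refusing to apply any YAML
# that still contains a `CHANGE_ME` token — either as plain text (e.g. under
# `stringData:`) or as the base64 encoding of the bare placeholder, which is
# how it would appear if a template carries it under a Secret's `data:` map.
#
# What this tripwire does NOT do (keep the README guidance in mind):
#   * Matching is exact and case-sensitive; `change_me` / `changeme` pass.
#   * A base64 value that merely *contains* CHANGE_ME next to other text is
#     not detected; only the exact encoded placeholder is.
#   * It does not check which cluster kubectl is pointed at. The current
#     context is printed to stderr right before applying so that a
#     wrong-cluster apply is at least visible in the terminal / CI log.
#   * Applying a whole file may still change or drop keys that are managed by
#     other means (kubectl apply's merge semantics) — that is why the README
#     recommends `kubectl patch` for single-key updates.
#
# Usage:
# ./k8s/scripts/safe-secret-apply.sh k8s/secrets.local.yaml
#
# Exit status: 1 on usage error or refusal; otherwise kubectl's own status.
set -euo pipefail

# Print a refusal to stderr and stop. Never print file contents here — the
# file holds secrets and stderr may be captured by CI logs.
refuse() {
  printf 'REFUSED: %s\n' "$*" >&2
  exit 1
}

if [[ -z "${1:-}" ]]; then
  echo "usage: $0 <secrets-yaml>" >&2
  exit 1
fi
file=$1

if [[ ! -f "$file" ]]; then
  refuse "$file does not exist."
fi
if [[ ! -r "$file" ]]; then
  refuse "$file is not readable."
fi

# base64 of the bare placeholder (`printf %s CHANGE_ME | base64`), so a
# template that keeps it under `data:` instead of `stringData:` is caught too.
# Computed at runtime rather than hard-coded so a reader can verify it.
encoded_placeholder=$(printf '%s' "CHANGE_ME" | base64)

# -F: fixed strings, not regexes. --: the filename may start with '-'.
# grep exits 0 on match, 1 on no match, >=2 on error. Inside `if`, set -e
# does not fire, so a bare `if grep -q ...` treats an error (I/O failure,
# unreadable file) exactly like "no match" and falls through to apply.
# Capture the status and fail closed on anything other than a clean 1.
rc=0
grep -q -F -e "CHANGE_ME" -e "$encoded_placeholder" -- "$file" || rc=$?
case "$rc" in
  0)
    echo "REFUSED: $file contains CHANGE_ME placeholders." >&2
    echo "Use 'kubectl patch secret ... --type=merge' to update individual keys;" >&2
    echo "do not apply the whole file." >&2
    echo "See k8s/README.md section 'Secret operations — DO NOT naive-apply'." >&2
    exit 1
    ;;
  1)
    # No placeholder found: safe to continue.
    ;;
  *)
    refuse "could not scan $file for placeholders (grep exit status $rc)."
    ;;
esac

# Make the target cluster visible before writing to it. Applying the right
# file to the wrong context is the other classic way to clobber production.
# Non-blocking on purpose: CI runs must not be stalled by a prompt.
ctx=$(kubectl config current-context 2>/dev/null || echo "<unknown>")
printf 'Applying %s to kubectl context %s\n' "$file" "$ctx" >&2
kubectl apply -f "$file"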