diff --git a/.github/workflows/precommit.yaml b/.github/workflows/precommit.yaml
new file mode 100644
index 0000000..e51883a
--- /dev/null
+++ b/.github/workflows/precommit.yaml
@@ -0,0 +1,31 @@
+name: Run pre-commit checks
+
+on:
+ push:
+ pull_request:
+
+jobs:
+ run-linters:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out code
+ uses: actions/checkout@v4
+
+ - name: Setup Python
+ uses: actions/setup-python@v5
+ with:
+ python-version: "3.12"
+
+ - name: Configure caching
+ uses: actions/cache@v4
+ with:
+ path: ~/.cache/pre-commit
+ key: precommit-${{ runner.os }}-${{ hashFiles('.pre-commit-config.yaml') }}
+
+ - name: Install pre-commit
+ run: |
+ pip install pre-commit
+
+ - name: Run linters
+ run: |
+ pre-commit run --all-files
diff --git a/.gitignore b/.gitignore
index edcb8da..66c4ca0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 /rendered
 /data/tokens
 /.env
+data/secrets/
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..c8ecf1a
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,26 @@
+repos:
+ - repo: https://github.com/Lucas-C/pre-commit-hooks
+ rev: v1.5.4
+ hooks:
+ - id: remove-tabs
+ exclude: '^scripts/.*\.sh'
+
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.5.0
+ hooks:
+ - id: trailing-whitespace
+ - id: check-merge-conflict
+ - id: end-of-file-fixer
+ - id: check-added-large-files
+ - id: check-case-conflict
+ - id: check-json
+ - id: check-symlinks
+ - id: detect-private-key
+
+ - repo: https://github.com/adrienverge/yamllint.git
+ rev: v1.32.0
+ hooks:
+ - id: yamllint
+ files: \.(yaml|yml)$
+ types: [file, yaml]
+ entry: yamllint --strict
diff --git a/.yamllint.yaml b/.yamllint.yaml
new file mode 100644
index 0000000..8bb476b
--- /dev/null
+++ b/.yamllint.yaml
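Review bot: The workflow declares no `permissions:` block, so the job runs with whatever default GITHUB_TOKEN scope the repository grants rather than the read-only scope a lint job needs; adding `permissions:` / `  contents: read` at the top level (above `jobs:`) keeps a misbehaving hook or dependency from using the token to write to the repository. The third-party actions are pinned by mutable tag (`actions/checkout@v4`, `actions/setup-python@v5`, `actions/cache@v4`) and `pip install pre-commit` is unpinned, so a moved tag or a new release silently changes what executes; pinning actions to a commit SHA and pre-commit to an explicit version would make the run reproducible. With both `push` and `pull_request` triggers and no branch filter, pull requests opened from branches in this repository will be linted twice, which is probably harmless but worth confirming is intended.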
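Review bot: The new `data/secrets/` entry is unanchored while every existing entry (`/rendered`, `/data/tokens`, `/.env`) is rooted with a leading `/`, so it also ignores any `data/secrets/` directory nested deeper in the tree; `/data/secrets/` keeps the pattern consistent with its neighbours and limited to the intended path. An ignore rule only stops new files from being staged, so if anything under that path was already committed it stays tracked and in history and has to be removed from the index separately; that is worth checking before relying on this entry plus the new `detect-private-key` hook as the safeguard.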
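Review bot: The yamllint hook overrides `entry` with `yamllint --strict` to pass a flag, whereas the documented override point for extra flags is `args: [--strict]`; overriding `entry` appears to work but couples the config to the upstream hook's command line and is the less conventional form. The `files: \.(yaml|yml)$` regex duplicates what `types: [file, yaml]` already selects (and the upstream hook already declares the yaml type itself, as far as I can tell), so one of the two can be dropped. All three `rev` values are mutable tags; that is common practice for pre-commit, but since these hooks now run in CI on every push, pinning them to commit SHAs is the tighter choice if the project wants it.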
@@ -0,0 +1,11 @@
+---
+extends: default
+rules:
+ line-length: disable
+ document-start: disable
+ indentation:
+ indent-sequences: whatever
+ hyphens:
+ max-spaces-after: 4
+ truthy:
+ check-keys: false
diff --git a/config/backup-job.jsonnet b/config/backup-job.jsonnet
index 3347dc9..e3e62b0 100644
--- a/config/backup-job.jsonnet
+++ b/config/backup-job.jsonnet
@@ -2,37 +2,37 @@
 resources: [
 // Enable "kubernetes/backup" as a kubernetes auth endpoint
 {
- path: '/v1/sys/auth/kubernetes/backup',
- 'if-not-exists': true,
+ path: "/v1/sys/auth/kubernetes/backup",
+ "if-not-exists": true,
 payload: {
- type: 'kubernetes',
+ type: "kubernetes",
 },
 },
 // https://developer.hashicorp.com/vault/api-docs/auth/kubernetes#configure-method
 {
- path: '/v1/auth/kubernetes/backup/config',
+ path: "/v1/auth/kubernetes/backup/config",
 payload: {
- kubernetes_host: 'https://kubernetes.default.svc',
+ kubernetes_host: "https://kubernetes.default.svc",
 },
 },
 // https://developer.hashicorp.com/vault/api-docs/auth/kubernetes#create-update-role
 {
- path: '/v1/auth/kubernetes/backup/role/nerc-vault-backup',
+ path: "/v1/auth/kubernetes/backup/role/nerc-vault-backup",
 payload: {
- bound_service_account_names: ['backup-job'],
- bound_service_account_namespaces: ['vault'],
+ bound_service_account_names: ["backup-job"],
+ bound_service_account_namespaces: ["vault"],
 token_policies: [
- 'nerc-vault-backup',
+ "nerc-vault-backup",
 ],
 },
 },
 {
- path: '/v1/sys/policy/nerc-vault-backup',
+ path: "/v1/sys/policy/nerc-vault-backup",
 payload: {
- policy: importstr 'policies/nerc-vault-backup.hcl',
+ policy: importstr "policies/nerc-vault-backup.hcl",
 },
 },
 ],
diff --git a/config/global/oidc.jsonnet b/config/global/oidc.jsonnet
index 72b1641..d8ec8e3 100644
--- a/config/global/oidc.jsonnet
+++ b/config/global/oidc.jsonnet
@@ -5,7 +5,7 @@
 "if-not-exists": true,
 payload: {
 type: "oidc",
- description: "OIDC authentication via Dex on nerc-ocp-infra",
+ description: "OIDC authentication via Dex on nerc-ocp-infra",
 config: {
 listing_visibility: "unauth",
 },
diff --git a/config/global/policies.jsonnet b/config/global/policies.jsonnet
index 6446fe3..f27fabc 100644
--- a/config/global/policies.jsonnet
+++ b/config/global/policies.jsonnet
@@ -1,33 +1,33 @@
 {
 resources: [
 {
- path: '/v1/sys/policy/admin',
+ path: "/v1/sys/policy/admin",
 payload: {
- policy: importstr 'policies/admin.hcl',
+ policy: importstr "policies/admin.hcl",
 },
 },
 {
- path: '/v1/sys/policy/default',
+ path: "/v1/sys/policy/default",
 payload: {
- policy: importstr 'policies/default.hcl',
+ policy: importstr "policies/default.hcl",
 },
 },
 {
- path: '/v1/sys/policy/nerc-common-reader',
+ path: "/v1/sys/policy/nerc-common-reader",
 payload: {
- policy: importstr 'policies/nerc-common-reader.hcl',
+ policy: importstr "policies/nerc-common-reader.hcl",
 },
 },
 {
- path: '/v1/sys/policy/nerc-all-reader',
+ path: "/v1/sys/policy/nerc-all-reader",
 payload: {
- policy: importstr 'policies/nerc-all-reader.hcl',
+ policy: importstr "policies/nerc-all-reader.hcl",
 },
 },
 {
- path: '/v1/sys/policy/nerc-all-writer',
+ path: "/v1/sys/policy/nerc-all-writer",
 payload: {
- policy: importstr 'policies/nerc-all-writer.hcl',
+ policy: importstr "policies/nerc-all-writer.hcl",
 },
 },
 ],
diff --git a/lib/policies/default.hcl b/lib/policies/default.hcl
index 7ccd80a..4d86b23 100644
--- a/lib/policies/default.hcl
+++ b/lib/policies/default.hcl
@@ -88,5 +88,5 @@ path "sys/control-group/request" {
 # Allow a token to make requests to the Authorization Endpoint for OIDC providers.
 path "identity/oidc/provider/+/authorize" {
- capabilities = ["read", "update"]
+ capabilities = ["read", "update"]
 }