Added setup_ksops role #648

Conversation

@nsilla nsilla commented Apr 16, 2025

SUMMARY

This change adds the role setup_ksops, which installs and sets up the ksops kustomize plugin in the OpenShift GitOps operator.

With this plugin, the data in the gitops repositories may be encrypted, thus allowing secrets (bmh credentials, pull-secret) to be uploaded to shared repositories.

ISSUE TYPE
  • Enhanced Feature
Tests
  • TestBos2Sno: abi-sno -

Test-Hints: no-check

Summary by CodeRabbit

  • New Features
    • Added documentation and automation for integrating the KSOPS Kustomize plugin with OpenShift GitOps.
    • Introduced support for managing SOPS age keys and configuring ArgoCD to use KSOPS for secret management.
    • Provided setup instructions and example usage for easier deployment.

@nsilla nsilla requested a review from a team as a code owner April 16, 2025 13:47
coderabbitai bot commented Apr 16, 2025

Walkthrough

This update introduces a new Ansible role, setup_ksops, for configuring KSOPS integration with the OpenShift GitOps Operator. The changes include a README file detailing setup instructions and required variables, specifically the SOPS age key. Additionally, a main Ansible task file is added, which ensures the age key is provided, creates a Kubernetes secret with the key, and patches the ArgoCD custom resource to enable KSOPS and SOPS integration by configuring environment variables, volumes, an init container, and volume mounts.

Changes

File(s)                              | Change Summary
roles/acm/setup_ksops/README.md      | Added documentation explaining the setup process, required variables, usage instructions, and an example for the setup_ksops role.
roles/acm/setup_ksops/tasks/main.yml | Introduced Ansible tasks to assert the SOPS age key, create a Kubernetes secret, and patch ArgoCD for KSOPS/SOPS integration.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Ansible
    participant OpenShift Cluster
    participant ArgoCD

    User->>Ansible: Run setup_ksops role with sk_age_key
    Ansible->>OpenShift Cluster: Create sops-age secret in openshift-gitops namespace
    Ansible->>OpenShift Cluster: Patch ArgoCD CR (openshift-gitops)
    OpenShift Cluster->>ArgoCD: Update deployment with new env, volumes, init container
    ArgoCD->>ArgoCD: Mount ksops binary and SOPS age key, enable KSOPS plugin

Poem

In the garden where secrets softly grow,
A rabbit hops with keys in tow.
With KSOPS and SOPS now side by side,
Age-encrypted secrets no longer hide.
Ansible whispers, ArgoCD listens in,
Secure GitOps journeys now begin!
🐇🔑🌱


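The walkthrough above describes the shape of the ArgoCD patch (env vars, volumes, an init container and volume mounts). The following is an added example, not code from this PR or from the project: a Python check that takes an ArgoCD CR as a dict (as `oc get argocd openshift-gitops -o json` would give it) and verifies the KSOPS wiring, in particular that the age key reaches the repo server through a Secret-backed mount and is never inlined into the CR. The sample CR, the mount paths and the image tag are assumptions modelled on the upstream KSOPS ArgoCD pattern, not the role's actual task file.

```python
"""Check that an ArgoCD CR is wired for KSOPS as the setup_ksops role is described:
ksops delivered by an init container through a shared volume, and the age key
mounted from a Secret rather than inlined into the CR."""
import copy
import re

# Constructed sample of the patched spec.repo section. Field names follow the
# argocd-operator ArgoCD CRD; paths and the image tag are assumptions.
SAMPLE_ARGOCD = {
    "apiVersion": "argoproj.io/v1alpha1",
    "kind": "ArgoCD",
    "metadata": {"name": "openshift-gitops", "namespace": "openshift-gitops"},
    "spec": {
        "kustomizeBuildOptions": "--enable-alpha-plugins --enable-exec",
        "repo": {
            "env": [
                {"name": "XDG_CONFIG_HOME", "value": "/.config"},
                {"name": "SOPS_AGE_KEY_FILE", "value": "/.config/sops/age/keys.txt"},
            ],
            "volumes": [
                {"name": "custom-tools", "emptyDir": {}},
                {"name": "sops-age", "secret": {"secretName": "sops-age"}},
            ],
            "initContainers": [{
                "name": "install-ksops",
                "image": "viaductoss/ksops:<pinned-version>",  # placeholder tag
                "command": ["/bin/sh", "-c"],
                "args": ["mv ksops /custom-tools/ && mv $GOPATH/bin/kustomize /custom-tools/"],
                "volumeMounts": [{"name": "custom-tools", "mountPath": "/custom-tools"}],
            }],
            "volumeMounts": [
                {"name": "custom-tools", "subPath": "kustomize",
                 "mountPath": "/usr/local/bin/kustomize"},
                {"name": "custom-tools", "subPath": "ksops",
                 "mountPath": "/.config/kustomize/plugin/viaduct.ai/v1/ksops/ksops"},
                {"name": "sops-age", "subPath": "keys.txt",
                 "mountPath": "/.config/sops/age/keys.txt"},
            ],
        },
    },
}

INLINE_KEY_RE = re.compile(r"AGE-SECRET-KEY-1")

def check_ksops_wiring(argocd):
    """Return a list of problems; an empty list means the wiring is as expected."""
    problems = []
    spec = argocd.get("spec", {})
    repo = spec.get("repo", {})
    env = {e.get("name"): e for e in repo.get("env", [])}
    volumes = {v["name"]: v for v in repo.get("volumes", [])}
    mounts = {m["mountPath"]: m for m in repo.get("volumeMounts", [])}
    # ksops is an exec plugin, so kustomize must be told to allow it.
    for flag in ("--enable-alpha-plugins", "--enable-exec"):
        if flag not in spec.get("kustomizeBuildOptions", ""):
            problems.append(f"kustomizeBuildOptions lacks {flag}")
    # The key must reach sops as a file mounted from a Secret volume.
    key_env = env.get("SOPS_AGE_KEY_FILE")
    if key_env is None:
        problems.append("SOPS_AGE_KEY_FILE env var missing")
    else:
        mount = mounts.get(key_env.get("value"))
        if mount is None:
            problems.append(f"nothing is mounted at {key_env.get('value')}")
        elif "secret" not in volumes.get(mount["name"], {}):
            problems.append(f"key mount '{mount['name']}' is not backed by a Secret")
    # Key material inlined into the CR is readable by anyone who can read the CR.
    for e in repo.get("env", []):
        if INLINE_KEY_RE.search(str(e.get("value", ""))):
            problems.append(f"env {e.get('name')} carries a literal age secret key")
    # The ksops binary must come from a volume that an init container populates.
    init_vols = {m["name"] for ic in repo.get("initContainers", [])
                 for m in ic.get("volumeMounts", [])}
    ksops = next((m for p, m in mounts.items() if p.endswith("/ksops")), None)
    if ksops is None:
        problems.append("no volumeMount delivers the ksops plugin binary")
    elif ksops["name"] not in init_vols:
        problems.append(f"volume '{ksops['name']}' is not filled by an init container")
    return problems

def inline_key_variant(argocd):
    """Constructed anti-pattern: key pasted into env, Secret volume dropped."""
    bad = copy.deepcopy(argocd)
    repo = bad["spec"]["repo"]
    repo["env"] = [{"name": "SOPS_AGE_KEY", "value": "AGE-SECRET-KEY-1<placeholder>"}]
    repo["volumes"] = [v for v in repo["volumes"] if "secret" not in v]
    repo["volumeMounts"] = [m for m in repo["volumeMounts"] if m["name"] != "sops-age"]
    return bad

if __name__ == "__main__":
    print("patched CR:", check_ksops_wiring(SAMPLE_ARGOCD) or "ok")
    print("inlined key:", check_ksops_wiring(inline_key_variant(SAMPLE_ARGOCD)))
```

Feeding the live CR into `check_ksops_wiring` after the role has run gives a cheap post-deployment assertion that the patch landed as intended.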

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (1)
roles/acm/setup_ksops/README.md (1)

13-13: Specify the language for fenced code blocks.

For better readability and markdown linting compliance, add a language specifier (e.g., text, yaml, or bash) to your fenced code blocks.

Also applies to: 21-21

🧰 Tools
🪛 markdownlint-cli2 (0.17.2)

13-13: Fenced code blocks should have a language specified
null

(MD040, fenced-code-language)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b92aca6 and 080d08b.

📒 Files selected for processing (2)
  • roles/acm/setup_ksops/README.md (1 hunks)
  • roles/acm/setup_ksops/tasks/main.yml (1 hunks)
🧰 Additional context used
🪛 Gitleaks (8.21.2)
roles/acm/setup_ksops/README.md

16-16: Discovered a potential Age encryption tool secret key, risking data decryption and unauthorized access to sensitive information.

(age-secret-key)


29-29: Discovered a potential Age encryption tool secret key, risking data decryption and unauthorized access to sensitive information.

(age-secret-key)


15-15: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)


28-28: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

🪛 markdownlint-cli2 (0.17.2)
roles/acm/setup_ksops/README.md

13-13: Fenced code blocks should have a language specified
null

(MD040, fenced-code-language)


21-21: Fenced code blocks should have a language specified
null

(MD040, fenced-code-language)

🪛 YAMLlint (1.35.1)
roles/acm/setup_ksops/tasks/main.yml

[warning] 30-30: wrong indentation: expected 12 but found 11

(indentation)


[warning] 35-35: wrong indentation: expected 12 but found 11

(indentation)


[warning] 41-41: wrong indentation: expected 12 but found 11

(indentation)


[warning] 45-45: wrong indentation: expected 15 but found 13

(indentation)


[warning] 50-50: wrong indentation: expected 12 but found 11

(indentation)


[error] 58-58: no new line character at the end of file

(new-line-at-end-of-file)

🪛 GitHub Actions: Pull Request
roles/acm/setup_ksops/tasks/main.yml

[error] 30-50: YAML indentation errors: Wrong indentation at lines 30, 35, 41, 45, 50; No new line character at end of file.

Comment on lines +15 to +16
# public key: age1j24rsa89nhv86dstnl696pfhxlngktjl5gcvya6y6ykg8t5jkqgsv0ua36
AGE-SECRET-KEY-16NSYF9LSS3QZKLXFEYS5K36FPQC62QLZPNA02H7YWV0SFFVXF2PQNRZPNQ
Copy link
Contributor


🛠️ Refactor suggestion

⚠️ Potential issue

Do not include real or plausible secret keys in documentation.

The README contains what appears to be a real or plausible age secret key and public key. Even for demonstration, this poses a security risk and may encourage unsafe practices. Replace these with clearly fake or redacted values (e.g., AGE-SECRET-KEY-XXXX...).

Also applies to: 28-29

🧰 Tools
🪛 Gitleaks (8.21.2)

16-16: Discovered a potential Age encryption tool secret key, risking data decryption and unauthorized access to sensitive information.

(age-secret-key)


15-15: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)
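The Gitleaks hits above fire on the shape of the string alone, which is why the public key line is also reported as a generic API key. As an added example (not part of this PR or of the bot's review), the following Python scanner validates each candidate with the bech32 checksum that age uses, so a well-formed identity (to be treated as leaked and rotated) is distinguished from a recipient (public, not secret) and from a redacted placeholder. All keys in the sample are constructed from fixed byte patterns, not generated by age-keygen, and the regex shapes are assumptions about the age formats.

```python
"""Scan text such as a README for age keys and validate them with the bech32
checksum, so a real (leaked) identity is told apart from a redacted placeholder."""
import re

# bech32 (BIP-173) primitives; age encodes identities and recipients with it.
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GEN = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]

def polymod(values):
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= GEN[i]
    return chk

def hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]

def to_5bit(raw):
    """Regroup bytes into zero-padded 5-bit values, as bech32 expects."""
    acc, bits, out = 0, 0, []
    for b in raw:
        acc, bits = (acc << 8) | b, bits + 8
        while bits >= 5:
            bits -= 5
            out.append((acc >> bits) & 31)
    if bits:
        out.append((acc << (5 - bits)) & 31)
    return out

def bech32_encode(hrp, data5):
    pm = polymod(hrp_expand(hrp) + data5 + [0] * 6) ^ 1
    checksum = [(pm >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(CHARSET[d] for d in data5 + checksum)

def bech32_decode(s):
    """Return (hrp, 5-bit payload) or None when format or checksum is wrong."""
    if s.lower() != s and s.upper() != s:  # mixed case is invalid
        return None
    s = s.lower()
    pos = s.rfind("1")
    if pos < 1 or pos + 7 > len(s) or any(c not in CHARSET for c in s[pos + 1:]):
        return None
    hrp, data = s[:pos], [CHARSET.index(c) for c in s[pos + 1:]]
    return (hrp, data[:-6]) if polymod(hrp_expand(hrp) + data) == 1 else None

# Shape of age-keygen output (what secret scanners key on): prefix, separator
# '1', then 52 payload + 6 checksum characters from the bech32 alphabet.
SECRET_RE = re.compile(r"AGE-SECRET-KEY-1[QPZRY9X8GF2TVDW0S3JN54KHCE6MUA7L]{58}")
RECIPIENT_RE = re.compile(r"\bage1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{58}\b")

def classify(token):
    """'secret': well-formed identity, treat as leaked and rotate it;
    'recipient': a public key, not a secret; 'malformed': checksum fails."""
    decoded = bech32_decode(token)
    if decoded is None or len(decoded[1]) != 52:  # 32 bytes -> 52 groups
        return "malformed"
    return {"age-secret-key-": "secret", "age": "recipient"}.get(decoded[0], "malformed")

def scan(text):
    """Return (line number, class, redacted prefix) tuples; never echo the key."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in list(SECRET_RE.finditer(line)) + list(RECIPIENT_RE.finditer(line)):
            findings.append((n, classify(m.group()), m.group()[:20] + "..."))
    return findings

# Constructed sample README: keys built from fixed byte patterns, not age-keygen.
FAKE_SECRET = bech32_encode("age-secret-key-", to_5bit(bytes(range(32)))).upper()
FAKE_RECIPIENT = bech32_encode("age", to_5bit(bytes(range(32, 64))))
CORRUPT_SECRET = FAKE_SECRET[:-1] + ("Q" if FAKE_SECRET[-1] != "Q" else "P")
SAMPLE_README = "\n".join([
    "# created: <redacted>",
    f"# public key: {FAKE_RECIPIENT}",  # line 2: public, safe to publish
    FAKE_SECRET,                         # line 3: valid identity -> a leak
    "sk_age_key: |",
    "  AGE-SECRET-KEY-XXXX...",          # line 5: redacted, does not even match
    f"  {CORRUPT_SECRET}",               # line 6: one char off, checksum fails
])

if __name__ == "__main__":
    for n, kind, shown in scan(SAMPLE_README):
        print(f"line {n}: {kind} {shown}")
```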

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

♻️ Duplicate comments (2)
roles/acm/setup_ksops/README.md (2)

13-17: ⚠️ Potential issue

Do not include real or plausible secret keys in documentation.

The example age key and public key appear real or plausible. Even for demonstration, this poses a security risk and may encourage unsafe practices. Replace these with clearly fake or redacted values (e.g., AGE-SECRET-KEY-XXXX... and age1xxxx...).

Apply this diff to redact the sensitive values:

-# created: 2025-04-16T11:28:48Z
-# public key: age1j24rsa89nhv86dstnl696pfhxlngktjl5gcvya6y6ykg8t5jkqgsv0ua36
-AGE-SECRET-KEY-16NSYF9LSS3QZKLXFEYS5K36FPQC62QLZPNA02H7YWV0SFFVXF2PQNRZPNQ
+# created: <redacted>
+# public key: age1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+AGE-SECRET-KEY-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
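Review bot: Redacting in a follow-up commit does not retract the identity that is already visible in this thread and in the reviewed commits, so the key at lines 15-16 should be treated as compromised: generate a fresh pair with age-keygen, re-encrypt anything that was encrypted to the old recipient, and only then publish the redacted README. The placeholders proposed here are fine as documentation of the expected shape.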

21-30: ⚠️ Potential issue

Redact secret keys and public keys in usage examples.

The usage example repeats the inclusion of a plausible secret key and public key. Replace these with clearly fake or redacted values to avoid encouraging unsafe practices.

Apply this diff to redact the sensitive values:

-    sk_age_key: |
-      # created: 2025-04-16T11:28:48Z
-      # public key: age1j24rsa89nhv86dstnl696pfhxlngktjl5gcvya6y6ykg8t5jkqgsv0ua36
-      AGE-SECRET-KEY-16NSYF9LSS3QZKLXFEYS5K36FPQC62QLZPNA02H7YWV0SFFVXF2PQNRZPNQ
+    sk_age_key: |
+      # created: <redacted>
+      # public key: age1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+      AGE-SECRET-KEY-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
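Review bot: Beyond redacting the value, the usage example still shows `sk_age_key` as a plaintext block scalar inside a playbook, which is exactly what the README's own variable description says to vault-encrypt when the file lives in version control; the example would teach the intended habit if it showed an `!vault` tagged value (or a lookup from a file kept outside the repository) instead of an inline key.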
🧹 Nitpick comments (1)
roles/acm/setup_ksops/README.md (1)

13-100: Add language specifiers to fenced code blocks for better readability.

Several fenced code blocks are missing language specifiers (e.g., bash, yaml). Adding these improves syntax highlighting and readability.

Apply this diff to add language specifiers:

-```
+# Example key (no highlighting needed)
+```
...
-```
+# Usage example (YAML)
+```yaml
...
-```
+# Bash commands
+```bash
...
-```
+# Bash commands
+```bash
...
-```
+# Bash commands
+```bash
...
-```
+# Bash commands
+```bash
...
-```
+# YAML for SOPS rules
+```yaml
...
-```
+# Bash commands
+```bash
...
-```
+# YAML for KSOPS generator
+```yaml
...
-```
+# YAML for kustomization
+```yaml
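Review bot: The added `+# Example key ...` and `+# Bash commands` lines sit outside the fences, so Markdown renders them as level-1 headings, not comments; drop them and put the language directly on the fence. The first replacement also re-adds a bare ``` with no language, so that block would still trip MD040 (a key file is better tagged `text` than left bare).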
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 080d08b and 44667a9.

📒 Files selected for processing (2)
  • roles/acm/setup_ksops/README.md (1 hunks)
  • roles/acm/setup_ksops/tasks/main.yml (1 hunks)
✅ Files skipped from review due to trivial changes (1)
  • roles/acm/setup_ksops/tasks/main.yml
🔇 Additional comments (1)
roles/acm/setup_ksops/README.md (1)

1-102: Documentation is clear and comprehensive.

Aside from the above issues, the documentation is well-structured, accurate, and provides clear instructions for users.

dcibot commented Apr 16, 2025

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

♻️ Duplicate comments (2)
roles/acm/setup_ksops/README.md (2)

13-17: ⚠️ Potential issue

Remove real or plausible age keys from docs
Even example keys can be treated as real credentials—replace them with clearly placeholder values to avoid encouraging insecure practices.

- # public key: age1j24rsa89nhv86dstnl696pfhxlngktjl5gcvya6y6ykg8t5jkqgsv0ua36
- AGE-SECRET-KEY-16NSYF9LSS3QZKLXFEYS5K36FPQC62QLZPNA02H7YWV0SFFVXF2PQNRZPNQ
+ # public key: age1...
+ AGE-SECRET-KEY-XXXX...
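Review bot: Whichever placeholder is chosen, the role's own guard should not accept it: per the walkthrough the task file only asserts that `sk_age_key` is provided, so a copied `AGE-SECRET-KEY-XXXX...` would be written into the `sops-age` Secret and only fail later inside the repo server. Extending the assert to require the `AGE-SECRET-KEY-1` prefix (and to reject the documented placeholder text) makes the Ansible step fail fast with a clear message.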

27-30: ⚠️ Potential issue

Sanitize example snippet in usage block
The usage example reprints the same real key—switch to placeholder text and prompt users to supply their own.

-      # public key: age1j24rsa89nhv86dstnl696pfhxlngktjl5gcvya6y6ykg8t5jkqgsv0ua36
-      AGE-SECRET-KEY-16NSYF9LSS3QZKLXFEYS5K36FPQC62QLZPNA02H7YWV0SFFVXF2PQNRZPNQ
+      # public key: age1...
+      AGE-SECRET-KEY-XXXX...
🧹 Nitpick comments (2)
roles/acm/setup_ksops/README.md (2)

9-10: Fix typo in description
Correct the misspelling of “recommeneded” to “recommended” for clarity and professionalism.

- | sk_age_key       |         | yes      | A literal age generated (age-keygen) key. If kept in a version control service, it's recommeneded to vault-encrypt it.
+ | sk_age_key       |         | yes      | A literal age generated (age-keygen) key. If kept in a version control service, it's recommended to vault-encrypt it.

13-17: Specify fenced code block languages for linting
To satisfy MD040 and improve readability, label each triple-backtick fence with an appropriate language (e.g., yaml, bash, shell, or text). For example:

- ```
+ ```bash
- ```
+ ```yaml
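Review bot: These four lines are illustrative rather than an applicable hunk (no `@@` header, and the two fences they touch are not adjacent), which is fine, but the pairing is misleading for the first block: the lines 13-17 block is an age-keygen key file, not shell, so `text` fits it better than `bash`; `yaml` for the usage block at 21-30 is right.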

Also applies to: 21-30, 36-47, 52-55, 59-62, 65-71, 75-78, 81-88, 95-100

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 44667a9 and bce6217.

📒 Files selected for processing (2)
  • roles/acm/setup_ksops/README.md (1 hunks)
  • roles/acm/setup_ksops/tasks/main.yml (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • roles/acm/setup_ksops/tasks/main.yml
⏰ Context from checks skipped due to timeout of 90000ms (3)
  • GitHub Check: Sanity Check (stable-2.17)
  • GitHub Check: Ansible-lint Check
  • GitHub Check: Sanity Check (stable-2.9)

dcibot commented Apr 17, 2025

@nsilla nsilla changed the title Aded setup_ksops role Added setup_ksops role Apr 17, 2025
AGE-SECRET-KEY-16NSYF9LSS3QZKLXFEYS5K36FPQC62QLZPNA02H7YWV0SFFVXF2PQNRZPNQ
```

## How to encrypt the gitops data
Contributor

Are any of these steps required in the automation? Or are these commands expected to be always launched manually?

Contributor Author

That's a good question.
At first I thought of, at least, automating the steps of creating the key pair in case it didn't exist in advance.
I ended up disregarding this option since the gitops repository secrets must have been encrypted before running the jobs; after all, the whole idea is to be able to keep such secrets in the repository without exposing them.
This means that, ideally, even the key pair should have been generated before the gitops repository is created.
So, in the end, I don't really see the point of automating these operations, so I opted for documenting them.

Contributor

In that case, I would probably document the role to clearly expose what's automated and what's not automated, and, with regard to what's not automated, expose the steps to follow (done), as well as the server where you have to run these commands and the expected result after executing them all (this is somehow missing).

@nsilla nsilla requested a review from ramperher April 22, 2025 08:27
@ramperher

@nsilla , is the testing finished?

dcibot commented Apr 23, 2025

from change #648:

  • no check (not a code change)

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

♻️ Duplicate comments (1)
roles/acm/setup_ksops/README.md (1)

13-17: ⚠️ Potential issue

Do not include real secret keys in documentation
The README currently includes actual-looking SOPS age private and public keys, which pose a security risk and may encourage unsafe practices. Replace these with clearly placeholder values (e.g., AGE-SECRET-KEY-XXXX...).

--- a/roles/acm/setup_ksops/README.md
+++ b/roles/acm/setup_ksops/README.md
@@ -13,5 +13,5 @@

-# created: 2025-04-16T11:28:48Z
-# public key: age1j24rsa89nhv86dstnl696pfhxlngktjl5gcvya6y6ykg8t5jkqgsv0ua36
-AGE-SECRET-KEY-16NSYF9LSS3QZKLXFEYS5K36FPQC62QLZPNA02H7YWV0SFFVXF2PQNRZPNQ

  • created: 2025-XX-XXTXX:XX:XXZ

  • public key: age1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

  • AGE-SECRET-KEY-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
@@ -26,5 +26,5 @@
sk_age_key: |
-     # created: 2025-04-16T11:28:48Z
-     # public key: age1j24rsa89nhv86dstnl696pfhxlngktjl5gcvya6y6ykg8t5jkqgsv0ua36
-     AGE-SECRET-KEY-16NSYF9LSS3QZKLXFEYS5K36FPQC62QLZPNA02H7YWV0SFFVXF2PQNRZPNQ
+     # created: 2025-XX-XXTXX:XX:XXZ
+     # public key: age1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+     AGE-SECRET-KEY-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
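Review bot: The placeholder strings in these two hunks are shorter than the ones proposed for the same lines in the earlier duplicate comment, so the two suggestions would yield different READMEs; pick one form and use it in both places. The `# created:` line is only a comment emitted by age-keygen, so the earlier `<redacted>` is enough there and avoids inventing a `2025-XX-XXTXX:XX:XXZ` timestamp shape.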



Also applies to: 26-30


</blockquote></details>

</blockquote></details>

<details>
<summary>🧹 Nitpick comments (2)</summary><blockquote>

<details>
<summary>roles/acm/setup_ksops/README.md (2)</summary><blockquote>

9-9: Fix typo in table description
The word “recommeneded” is misspelled. It should be “recommended”:

- | sk_age_key       |         | yes      | A literal age generated (age-keygen) key. If kept in a version control service, it's recommeneded to vault-encrypt it.
+ | sk_age_key       |         | yes      | A literal age-generated (age-keygen) key. If kept in a version control service, it's recommended to vault-encrypt it.
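Review bot: The replacement line silently changes "age generated" to "age-generated" on top of fixing "recommeneded"; the comment only claims the typo fix, so either mention the hyphenation or leave that phrase as it was so the diff matches its description.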

13-101: Specify languages for fenced code blocks
Markdownlint (MD040) flags that all fenced code blocks should declare a language for proper syntax highlighting and lint compliance. Please add appropriate language identifiers (bash, yaml, etc.) to each block, for example:

- ```
+ ```bash
- ``` 
+ ```yaml

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between bce6217 and 65c2ab7.

📒 Files selected for processing (2)
  • roles/acm/setup_ksops/README.md (1 hunks)
  • roles/acm/setup_ksops/tasks/main.yml (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • roles/acm/setup_ksops/tasks/main.yml

⏰ Context from checks skipped due to timeout of 90000ms (2)
  • GitHub Check: Sanity Check (stable-2.9)
  • GitHub Check: Sanity Check (stable-2.17)

@ramperher ramperher mentioned this pull request Apr 24, 2025