Updated repo structure and kubeseal-secrets hook

.pre-commit-hooks.yaml

@@ -1,10 +1,12 @@
 - id: kubeseal-secrets
   name: Kubeseal secrets files
-  entry: python3 ./kubeseal-secrets.py
-  language: python
-  args:
-    - "*secret*"
   description: |
     Finds secret files matching the pattern and creates sealed secrets using kubeseal.
+  entry: python3 ./hooks/kubeseal-secrets/kubeseal-secrets.py
+  language: python
+  args:
+    - --controller-name=sealed-secrets
+    - --controller-namespace=sealed-secrets
+  pass_filenames: true
+  files: "*secret*.(yaml|yml)$"
   stages: [commit]
-  pass_filenames: false

README.md

@@ -14,11 +14,11 @@ Integrate the Kubeseal Hook in Your Project
 ```yaml
 repos:
   - repo: https://github.com/Gridness/k8s-hooks
-    rev: 2.0  # or a specific tag/commit
+    rev: 2.0          # or a specific tag/commit
     hooks:
-      - id: kubeseal-secrets # or any other script you wanna run
-        args: # Specify args for the hook
-          - '*secret*'
+      - id: hook-id   # id of the hook
+        args: [""]    # list of args of the chosen hook
+        files: [""]   # list of files the hook gonna run over (if supported)
 ```
 2. Install pre-commit hooks:
 ```bash
@@ -27,11 +27,10 @@ pre-commit install
 3. On each commit, the hook do it's job
 
 # Requirements
-- [kubeseal](https://github.com/bitnami-labs/sealed-secrets) CLI must be installed and available in your PATH
 - [pre-commit](https://pre-commit.com/) framework installed in your local environment
 
 # Contributing
 Contributions to add new hooks, improve existing ones, or fix issues are welcome! Please open issues or pull requests.
 
 # License
-This repository is licensed under the MIT License
+This repository is licensed under the MIT License. See LICENSE file for details

hooks/kubeseal-secrets/README.md

@@ -0,0 +1,19 @@
+# Kubeseal Secrets Hook
+This pre-commit hook scans your Git repository for secret files matching a configurable pattern and creates sealed secrets using `kubeseal`. It ensures that all secrets are encrypted before being committed, enhancing security and compliance.
+
+You can specify regex pattern by which the script will look for secrets files in your repo directory in the hook `args` section of your pre-commit config
+# Usage
+```yaml
+repos:
+  - repo: https://github.com/Gridness/k8s-hooks
+    rev: 3.0  # or a specific tag/commit
+    hooks:
+      - id: kubeseal-secrets
+        args: # you can ommit these values if you want to use the default ones listed below
+          - "--controller-name sealed-secrets"
+          - "--controller-namespace sealed-secrets"
+        files: ["*secret*.yaml"] # regex pattern of your secrets manifests filenames
+```
+# Requirements
+- [sealed-secrets](https://artifacthub.io/packages/helm/bitnami-labs/sealed-secrets) controller must be deployed in your Kubernetes cluster
+- [kubeseal](https://github.com/bitnami-labs/sealed-secrets) CLI must be installed on the machine you are working with secrets and running this hook

hooks/kubeseal-secrets/kubeseal-secrets.py

@@ -0,0 +1,49 @@
+#!/usr/bin/env python3
+
+import argparse
+import subprocess
+import sys
+from pathlib import Path
+
+def seal_secrets(files, controller_name, controller_namespace):
+    for file_path in files:
+        file = Path(file_path)
+        if not file.exists():
+            print(f"Warning: File {file} does not exist, skipping")
+            continue
+
+        sealed_file = file.with_suffix(file.suffix + ".sealed.yaml")
+        if sealed_file.exists():
+            print(f"Sealed file already exists: {sealed_file}, skipping")
+            continue
+
+        kubeseal_cmd = [
+            "kubeseal",
+            "--format", "yaml",
+            "--controller-name", controller_name,
+            "--controller-namespace", controller_namespace,
+        ]
+
+        try:
+            with Path(file).open("rb") as f:
+                result = subprocess.run(
+                    kubeseal_cmd,
+                    input=f.read(),
+                    capture_output=True,
+                    check=True,
+                    text=False,
+                )
+            sealed_file.write_bytes(result.stdout)
+            print(f"✅ Sealed secret created: {sealed_file}")
+        except subprocess.CalledProcessError as e:
+            print(f"❌ Error sealing {file}: {e.stderr.decode()}")
+            sys.exit(1)
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(description="Seal Kubernetes secrets using kubeseal")
+    parser.add_argument("--controller-name", required=True, help="Name of the sealed secrets controller")
+    parser.add_argument("--controller-namespace", required=True, help="Namespace of the sealed secrets controller")
+    parser.add_argument("files", nargs="+", help="Secret files to process")
+
+    args = parser.parse_args()
+    seal_secrets(args.files, args.controller_name, args.controller_namespace)