From b2580c0ca95cbbda46001311a05e9a4880c5d3bf Mon Sep 17 00:00:00 2001
From: Ivan <61116326+Gridness@users.noreply.github.com>
Date: Sun, 14 Sep 2025 21:46:12 +0300
Subject: [PATCH 1/2] Update and rename kubeseal-secrets.sh to kubeseal-secrets.py
---
 kubeseal-secrets.py | 24 ++++++++++++++++++++++++
 kubeseal-secrets.sh | 14 --------------
 2 files changed, 24 insertions(+), 14 deletions(-)
 create mode 100644 kubeseal-secrets.py
 delete mode 100644 kubeseal-secrets.sh
diff --git a/kubeseal-secrets.py b/kubeseal-secrets.py
new file mode 100644
index 0000000..584cfd1
--- /dev/null
+++ b/kubeseal-secrets.py
@@ -0,0 +1,24 @@
+#!/usr/bin/env python3
+
+import subprocess
+import sys
+from pathlib import Path
+
+def seal_secrets(pattern="*secret*"):
+ secrets = list(Path(".").rglob(pattern))
+ for file in secrets:
+ sealed_file = file.with_suffix(file.suffix + ".sealed.yaml")
+ if not sealed_file.exists():
+ with open(file, "rb") as f:
+ result = subprocess.run(
+ ["kubeseal", "--format", "yaml"],
+ input=f.read(),
+ capture_output=True,
+ check=True
+ )
+ sealed_file.write_bytes(result.stdout)
+ print(f"Sealed secret created: {sealed_file}")
+
+if __name__ == "__main__":
+ pattern = sys.argv[1] if len(sys.argv) > 1 else "*secret*"
+ seal_secrets(pattern)
diff --git a/kubeseal-secrets.sh b/kubeseal-secrets.sh
deleted file mode 100644
index 65fa83a..0000000
--- a/kubeseal-secrets.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/bin/bash
-
-set -e
-
-pattern="${1:-*secret*}"
-
-secrets=$(find . -type f -name "$pattern")
-for file in $secrets; do
- sealed_file=${file}.sealed.yaml
- if [ ! -f $sealed_file ]; then
- kubeseal --format yaml < "$file" > "$sealed_file"
- echo "Sealed secret created: $sealed_file"
- fi
-done
From 5714bda186a2573036df032c3762bad8c1136199 Mon Sep 17 00:00:00 2001
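Review bot: `Path(".").rglob(pattern)` in `seal_secrets` returns directories as well as files, so a directory whose name matches (for example one called `secrets`) reaches `open(file, "rb")` and aborts the hook with an exception; the removed shell script limited the search with `find -type f`. The same loop also picks up its own earlier output, because a generated `x.sealed.yaml` still matches the default `*secret*` whenever the source name did, and that file is then piped to kubeseal again. A guard at the top of the loop covers both: `if not file.is_file() or file.name.endswith(".sealed.yaml"): continue`. Separately, `capture_output=True` together with `check=True` keeps kubeseal's stderr inside the exception object, so a failed seal shows only a traceback; passing `stdout=subprocess.PIPE` instead would let the error text reach the terminal.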
From: Ivan <61116326+Gridness@users.noreply.github.com>
Date: Sun, 14 Sep 2025 21:48:10 +0300
Subject: [PATCH 2/2] Update .pre-commit-hooks.yaml Kubeseal secrets hook - Made `pass_filenames` false since they are passed via arg regex pattern - Made it work with python instead of bash
---
 .pre-commit-hooks.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.pre-commit-hooks.yaml b/.pre-commit-hooks.yaml
index 90014ba..72d4a16 100644
--- a/.pre-commit-hooks.yaml
+++ b/.pre-commit-hooks.yaml
@@ -1,9 +1,10 @@
 - id: kubeseal-secrets
 name: Kubeseal secrets files
- entry: ./kubeseal-secrets.sh
- language: script
+ entry: python3 ./kubeseal-secrets.py
+ language: system
 args:
 - '*secret*'
 description: |
 Finds secret files matching the pattern and creates sealed secrets using kubeseal.
 stages: [commit]
+ pass_filenames: false
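Review bot: With `language: system` the entry is executed as written from the root of the repository that consumes the hook, so `python3 ./kubeseal-secrets.py` looks for the script in the user's checkout and not in this hook repository; `language: script` is the hook type that resolves the entry relative to the hook repo. If that reading of pre-commit's hook types is right, the hook only works where a file of that name happens to exist in the working tree, and it then runs whatever that file contains. Keeping `language: script` with `entry: kubeseal-secrets.py` preserves the old resolution; the new file already starts with `#!/usr/bin/env python3`, but the first patch creates it with mode 100644, so its executable bit would need to be set.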