Gridness · Gridness · Sep 14, 2025 · Sep 14, 2025 · Sep 14, 2025
diff --git a/.pre-commit-hooks.yaml b/.pre-commit-hooks.yaml
@@ -1,9 +1,10 @@
 - id: kubeseal-secrets
   name: Kubeseal secrets files
-  entry: ./kubeseal-secrets.sh
-  language: script
+  entry: python3 ./kubeseal-secrets.py
+  language: system
   args:
     - '*secret*'
   description: |
     Finds secret files matching the pattern and creates sealed secrets using kubeseal.
   stages: [commit]
+  pass_filenames: false
diff --git a/kubeseal-secrets.py b/kubeseal-secrets.py
@@ -0,0 +1,24 @@
+#!/usr/bin/env python3
+
+import subprocess
+import sys
+from pathlib import Path
+
+def seal_secrets(pattern="*secret*"):
+    secrets = list(Path(".").rglob(pattern))
+    for file in secrets:
+        sealed_file = file.with_suffix(file.suffix + ".sealed.yaml")
+        if not sealed_file.exists():
+            with open(file, "rb") as f:
+                result = subprocess.run(
+                    ["kubeseal", "--format", "yaml"],
+                    input=f.read(),
+                    capture_output=True,
+                    check=True
+                )
+            sealed_file.write_bytes(result.stdout)
+            print(f"Sealed secret created: {sealed_file}")
+
+if __name__ == "__main__":
+    pattern = sys.argv[1] if len(sys.argv) > 1 else "*secret*"
+    seal_secrets(pattern)
diff --git a/kubeseal-secrets.sh b/kubeseal-secrets.sh