AI 资讯
The .gitleaks-baseline.json That Suppressed Live Production Secrets
Originally published at woitzik.dev A previous article here covered setting up gitleaks for homelab secret scanning - the setup, the pre-commit hook, getting CI to fail on new commits that contain secrets. The setup was correct. The tool was running. The CI was green. And it had been quietly suppressing a live production credential for months. This is the follow-on story: not about getting gitleaks running, but about the specific way a baseline file breaks the guarantees you think you have once it's in place. View the complete homelab infrastructure source on GitHub 🐙 What a Baseline File Does (and Is Supposed to Do) When gitleaks first runs on an existing repo, it finds every secret-shaped string in the full git history - including secrets that were introduced years ago, rotated long since, and are completely inert. Flagging those in CI creates noise that causes developers to tune out gitleaks entirely, which is worse than not having it. The baseline workflow is the standard answer: run gitleaks on the current state, export all findings to a JSON file, commit that file to the repo, and tell gitleaks to suppress any finding that already appears in the baseline. Future commits that introduce new secrets still fail; old known-inert findings don't. # Generate baseline from current HEAD gitleaks detect --report-format json --report-path .gitleaks-baseline.json # Tell gitleaks to use it gitleaks detect --baseline-path .gitleaks-baseline.json The assumption embedded in this workflow: findings that appear in the baseline are inert. They were there before the baseline was generated; they've been there; they're known. The Assumption That Broke It The baseline was generated at a point when the repo contained Garage's rpc_secret and admin_token committed in a YAML file. Those were real production values - the cluster was live, using those exact secrets - but the baseline suppression treated them as "known, reviewed, not a problem." The commit that introduced them had happened
开发者
The Helm Chart Is a Platform Contract — Not a Template
Early in building our cloud infrastructure, we had a problem nobody talks about — because it happens so slowly you almost don't notice it. We had eight separate Helm charts. One for services that needed KEDA scaling. One for standard HPA. One for backends that exposed HTTP. One for workers that didn't. One for Azure Functions. One for frontends. Eight charts, all living in the same repository, all drifting apart from each other. The charts started as copies of each other. Over time each one picked up its own fixes, its own conventions, its own slightly-different take on security contexts and ServiceAccount annotations and rolling update strategy. Nobody made a decision to diverge. It just happened. Every time we fixed something in one chart — say, wiring up Azure Workload Identity to every ServiceAccount — we had to remember to propagate that fix to seven others. Sometimes we did. Sometimes we didn't. We'd find out when something broke in an unexpected way six weeks later. Helm chart drift is more dangerous than dependency drift. At least with a dependency, you know what version you're on. With eight loosely related charts, you just don't know what you don't know. This is the story of how we replaced all eight with a single versioned chart, published to an OCI registry, and consumed by 70+ services through ArgoCD multi-source Applications — and what that structure forced us to think clearly about. The Two-Questions Framework The first thing we had to do was figure out why we had eight charts in the first place. What was actually different between services that justified a different chart? We landed on two questions: Does it expose HTTP? — This determines whether it needs an ingress, a Service, liveness/readiness probes on an HTTP path. What drives its scaling? — Standard CPU/memory HPA, or event-driven scaling via KEDA (Azure Service Bus, Event Hubs)? That's it. Everything else — security contexts, Workload Identity, pod anti-affinity, rolling update strategy, how s
AI 资讯
Argo CD 3.5 Tightens Supply Chain Security with Internal mTLS and Source Integrity
The Argo CD project released a v3.5 release candidate in June 2026. This version adds mutual TLS enforcement for internal components. It also includes Git commit signature verification for supply chain security and native ApplicationSet management in the UI. The release also graduates two significant features: impersonation and Source Hydrator, from alpha to beta. By Claudio Masolo
AI 资讯
GitOps Policy Drift: Why Reconciliation Doesn't Stop Day-2 Failure
GitOps policy drift is what happens when a control plane keeps a policy perfectly reconciled long after the reason for that policy has stopped being true. Every commit is applied. Every pull request is merged cleanly. Every dashboard reads green. And the rule being enforced no longer reflects anything anyone would choose to enforce today — it just hasn't been told to stop. That gap is the subject of this post. Not configuration drift — the thing GitOps was built to kill — but a second, quieter failure mode that lives one layer above it: the policy is right by every technical measure and wrong by every practical one, and nothing in the reconciliation loop is capable of telling the difference. The Promise GitOps Actually Kept GitOps earned its place in the infrastructure as code architecture stack by solving a real and expensive problem: state drift. Before declarative reconciliation, infrastructure diverged from its source of truth constantly — a console change here, an emergency hotfix there, a manual override nobody logged. The git repository said one thing. Production said another. Reconciling the two was a forensic exercise. GitOps closed that gap with a simple, durable mechanism: a controller that continuously compares declared state to actual state and corrects the difference without waiting for a human to notice. That's not a small win. It's the reason platform teams can run infrastructure at a scale that would have been operationally unmanageable a decade ago, and it's why GitOps controllers sit at the center of nearly every modern infrastructure as code architecture built since. This post isn't an argument against that mechanism. It's an argument that the mechanism's success created a blind spot nobody designed for. What GitOps Never Promised to Solve Here's the boundary GitOps was never built to cross: reconciliation proves that declared state and actual state match. It says nothing about whether the declared state should still exist in its current form. A
AI 资讯
You're Not Doing GitOps (You're Doing CI/CD With Extra Steps)
The Uncomfortable Truth Here's a test: when your deployment fails in production, what happens to your main branch? If the answer is "the broken code is already merged" — congratulations, you're doing CI/CD with a Git trigger. That's not GitOps. It's a pipeline that happens to watch a branch. I've spent years building platform engineering systems at enterprise scale — identity management frameworks, infrastructure-as-code pipelines, AI agent platforms that manage operational code. And I keep seeing the same mistake: teams adopt "GitOps" by adding a deployment step after merge, then wonder why they get drift. True GitOps has one non-negotiable rule: main always equals production. If a deployment fails, main doesn't change. Period. This isn't just my opinion — it's the logical extension of OpenGitOps principles : declarative desired state, versioned in Git, automatically reconciled. The enforcement mechanism I'm describing is how you make those principles real rather than aspirational. The Anti-Pattern Everyone Runs The most common "GitOps" setup I see in enterprise teams looks like this: Developer opens PR CI runs tests Reviewer approves PR merges to main Deployment triggers from main ❌ Deployment fails main now contains code that isn't in production This is merge-then-deploy . It's standard CI/CD with extra steps. The moment you merge before confirming a successful deployment, you've broken the core GitOps contract: Git as the single source of truth for what's actually running. The result? Drift. Stale state in main . A branch that lies about what's deployed. Every subsequent PR is now based on a broken foundation. The Enforcement Pattern: Deploy Before Merge The fix isn't philosophical — it's mechanical. GitHub's Merge Queue gives you exactly the right primitive: Developer opens PR CI runs tests (standard checks) Reviewer approves → PR enters the merge queue Merge queue trigger runs a dry-run deployment against the target environment If dry-run passes → queue trigge