- Public Kubernetes/OpenShift manifests, Helm values, and Tekton pipeline definitions.
- Passwords in YAML files are CRC/local demo credentials only (for example swim, admin, swim123) and sample Keycloak client secrets for the demo realm.
- Do not use these values in production.
| Forbidden | Configure instead |
|---|---|
| Quay.io or GitHub tokens | oc create secret in namespace swim-pipeline |
| Real TLS material (.pem, .key, .p12, .jks) | cert-manager in the cluster |
| keycloak-swim-role-spi.jar | Fetched at deploy time from GitHub Release into a cluster secret (not stored in git) |
| Personal kubeconfig | Local environment only |
| pull-secret.txt / Red Hat pull secret JSON | Download; repo root, .gitignore only; make crc-start |
| Production or regulatory passwords | Private overlays or Sealed Secrets (future) |
Run ./scripts/pre-push-security-check.sh before pushing.

For operational ANSP/INSP environments:
- Replace all demo passwords in overlays.
- Use Sealed Secrets or External Secrets Operator.
- Configure Argo CD sync policy (manual sync or approval) per your audit requirements.
- Never copy cluster secrets (oc get secret -o yaml) into git.
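The kind of check the pre-push script above is meant to perform, as an added example that is not the repository's own scripts/pre-push-security-check.sh: it flags files matching the "Forbidden" column of the table (TLS material, the SPI jar, pull secrets, kubeconfigs) and manifests that look like an exported cluster Secret, while letting CRC demo credentials through. Function names and the constructed sample files are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the repository's own pre-push-security-check.sh.
# Flags files from the "Forbidden" column before they leave the workstation.

# Path rules: TLS material, the Keycloak SPI jar, pull secrets and
# kubeconfigs must never be committed. Demo YAML passwords are allowed.
forbidden_path() {
  case "$1" in
    *.pem|*.key|*.p12|*.jks)             return 0 ;;
    *keycloak-swim-role-spi.jar)         return 0 ;;
    *pull-secret.txt|*pull-secret*.json) return 0 ;;
    *kubeconfig*|*/.kube/config)         return 0 ;;
    *)                                   return 1 ;;
  esac
}

# Content rule: a Secret exported with `oc get secret -o yaml` carries
# cluster-assigned metadata (uid, resourceVersion, creationTimestamp)
# that a manifest written by hand for an overlay never has.
looks_like_dumped_secret() {
  grep -q '^kind: Secret' "$1" 2>/dev/null &&
    grep -Eq '^[[:space:]]+(uid|resourceVersion|creationTimestamp):' "$1"
}

# Check every path given as an argument (for example the output of
# `git diff --cached --name-only`); return 1 if anything is forbidden.
check_files() {
  rc=0
  for f in "$@"; do
    if forbidden_path "$f"; then
      echo "FORBIDDEN path: $f"; rc=1
    elif looks_like_dumped_secret "$f"; then
      echo "FORBIDDEN content (exported cluster Secret): $f"; rc=1
    fi
  done
  return $rc
}

# Demo on constructed files (hypothetical, not real material): the .key
# and the exported Secret are flagged, the CRC demo credential file passes.
demo() {
  d=$(mktemp -d)
  : > "$d/tls.key"
  printf 'kind: Secret\nmetadata:\n  name: swim-db\n  uid: 0\n' > "$d/dumped.yaml"
  printf 'kind: Secret\nstringData:\n  password: swim123\n' > "$d/demo.yaml"
  check_files "$d/tls.key" "$d/dumped.yaml" "$d/demo.yaml"; s=$?
  rm -rf "$d"; return $s
}
```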
Open an issue on swim-developer/swim-gitops without attaching real secrets.