abevz · abevz · Sep 19, 2025 · Sep 2, 2025 · Sep 2, 2025 · Sep 3, 2025
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -0,0 +1,38 @@
+name: Linting
+
+on:
+  pull_request:
+    branches:
+      - main
+      - 'feature/**'
+
+jobs:
+  shellcheck:
+    name: Shellcheck
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Install shellcheck
+        run: sudo apt-get update && sudo apt-get install -y shellcheck
+
+      - name: Run shellcheck
+        run: make lint-shell
+
+  tflint:
+    name: TFLint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Install tflint
+        run: |
+          TFLINT_VERSION=$(curl -s https://api.github.com/repos/terraform-linters/tflint/releases/latest | grep '"tag_name"' | cut -d'"' -f4 | sed 's/v//')
+          wget "https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/tflint_linux_amd64.zip"
+          unzip tflint_linux_amd64.zip
+          sudo mv tflint /usr/local/bin/
+
+      - name: Run tflint
+        run: cd terraform && tflint
diff --git a/.gitignore b/.gitignore
@@ -22,3 +22,18 @@ cpc.env
 secrets.sops.yaml
 terraform_state.json
 terraform/snippets/summary.txt
+
+# Gemini-generated files
+GEMINI.md
+TEST_COMPLIANCE_REPORT.md
+
+# Test environment files
+envs/test-clone.env
+envs/ubuntu-test.env
+
+# Log files
+kube-bench-full.log
+
+# Temp files
+tmp/
+next_step.md
diff --git a/.shellcheckrc b/.shellcheckrc
@@ -0,0 +1,2 @@
+# Ignore SC2086 (Double quote to prevent globbing and word splitting)
+disable=SC2086
diff --git a/.tflint.hcl b/.tflint.hcl
@@ -0,0 +1,3 @@
+config {
+  preset = "all"
+}
diff --git a/CPC_AUTO_README.md b/CPC_AUTO_README.md
@@ -0,0 +1,75 @@
+# CPC Auto Environment Loading
+
+## Overview
+CPC now supports automatic loading of environment variables into your shell session. This allows you to access secrets and configuration variables in your terminal without running `cpc load_secrets` manually.
+
+## Commands
+
+### `cpc auto`
+Loads all environment variables and outputs export commands for shell sourcing.
+
+```bash
+# View available variables
+./cpc auto
+
+# Load variables into current shell
+eval "$(./cpc auto 2>/dev/null | grep -E '^export ')"
+
+# Load variables into new shell
+zsh -c 'eval "$(./cpc auto 2>/dev/null | grep -E \"^export \")" && ./cpc ctx'
+```
+
+### `cpc-auto` script
+Simple wrapper script for loading environment variables.
+
+```bash
+# Load variables into current shell
+./cpc-auto
+
+# Use in new shell
+zsh -c './cpc-auto && ./cpc ctx'
+```
+
+## What gets loaded
+
+The auto-loading system loads variables from:
+
+1. **Global configuration** (`cpc.env`):
+   - Proxmox connection settings
+   - General project configuration
+
+2. **Workspace configuration** (`envs/{context}.env`):
+   - Kubernetes versions
+   - VM specifications
+   - DNS settings
+   - Template configurations
+
+3. **Secrets** (`terraform/secrets.sops.yaml`):
+   - Proxmox credentials
+   - SSH keys
+   - Cloud provider credentials
+   - Docker registry credentials
+
+## Usage Examples
+
+```bash
+# Load variables and run tofu
+./cpc-auto && tofu plan
+
+# Load variables and check cluster status
+./cpc-auto && ./cpc cluster-info
+
+# Use in scripts
+#!/bin/bash
+./cpc-auto
+echo "Using TEMPLATE_VM_ID: $TEMPLATE_VM_ID"
+echo "Using AWS_ACCESS_KEY_ID: $AWS_ACCESS_KEY_ID"
+```
+
+## Troubleshooting
+
+If you encounter AWS credential errors in tofu/OpenTofu, make sure to load the environment variables first:
+
+```bash
+./cpc-auto && tofu workspace select k8s133
+```
diff --git a/Makefile b/Makefile
@@ -1,14 +1,15 @@
 # CPC Project Makefile
 # Provides convenient commands for development, testing, and maintenance
 
-.PHONY: help test test-unit test-integration lint lint-shell lint-ansible clean setup dev-setup
+.PHONY: help test test-unit test-integration lint lint-shell lint-ansible clean setup dev-setup security
 
 # Default target
 help:
 	@echo "CPC Project Makefile"
 	@echo "==================="
 	@echo ""
 	@echo "Available targets:"
+	@echo "  security       - Run security checks for secrets"
 	@echo "  test           - Run all tests"
 	@echo "  test-unit      - Run unit tests only"
 	@echo "  test-integration - Run integration tests only"
@@ -34,17 +35,25 @@ test-integration:
 	python -m pytest tests/integration/ -v --tb=short
 
 # Linting targets
-lint: lint-shell lint-ansible
+lint: lint-shell lint-tf lint-ansible
 
 lint-shell:
 	@echo "Running shell linting..."
-	shellcheck cpc modules/*.sh
-	bashate cpc modules/*.sh
+	find . -name "*.sh" -not -path "./.git/*" -print0 | xargs -0 shellcheck
+
+lint-tf:
+	@echo "Running Terraform linting..."
+	cd terraform && tflint
 
 lint-ansible:
 	@echo "Running Ansible linting..."
 	ansible-lint ansible/playbooks/
 
+# Security targets
+security:
+	@echo "Running security checks..."
+	./scripts/security_check.sh
+
 # Cleanup
 clean:
 	@echo "Cleaning up..."

diff --git a/README.md b/README.md
@@ -11,6 +11,7 @@
 
 ## 📋 Table of Contents
 
+- [🔒 Security & Secrets](#-security--secrets)
 - [🎯 Overview](#-overview)
 - [✨ Key Features](#-key-features)
 - [🚀 Quick Start](#-quick-start)
@@ -26,6 +27,29 @@
 
 ---
 
+## 🔒 Security & Secrets
+
+**⚠️ IMPORTANT**: This project handles sensitive information including API keys, passwords, and tokens. Always follow security best practices:
+
+### 🚨 Never Commit Secrets
+- **DO NOT** commit files containing real secrets to version control
+- Use `secrets.sops.yaml` (encrypted with SOPS) for sensitive data
+- Temporary files like `secrets_temp.yaml` are **automatically ignored**
+- Always run `gitleaks detect` before pushing to check for exposed secrets
+
+### 🔐 Secret Management
+- Use [SOPS](https://github.com/getsops/sops) for encrypting secrets
+- Store encrypted secrets in `secrets.sops.yaml`
+- Decrypt only when needed: `sops decrypt secrets.sops.yaml`
+- Never store decrypted secrets in the repository
+
+### 🛡️ Security Tools
+- Run `gitleaks detect` regularly to scan for exposed secrets
+- Use `.gitignore` to prevent accidental commits of sensitive files
+- Rotate compromised credentials immediately
+
+---
+
 ## 🎯 Overview
 
 **CPC (Cluster Provisioning Control)** is a comprehensive, production-ready solution for deploying and managing Kubernetes clusters on Proxmox Virtual Environment. Built with infrastructure as code principles, it provides:

diff --git a/RELEASE_PREPARATION.md b/RELEASE_PREPARATION.md
diff --git a/ansible/addons/addon_discovery.sh b/ansible/addons/addon_discovery.sh
@@ -83,7 +83,7 @@ addon_display_interactive_menu() {
     for addon in "${addons_in_cat[@]}"; do
       local description
       description=$(addon_get_description "$addon")
-      printf "  %2d) %-30s - %s\n" $choice_num "$addon" "$description" >&2
+      printf "  %2d) %-30s - %s\n" "$choice_num" "$addon" "$description" >&2
       choice_to_addon[$choice_num]="$addon"
       ((choice_num++))
     done
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		# Ignore SC2086 (Double quote to prevent globbing and word splitting)
		disable=SC2086
Comment thread abevz marked this conversation as resolved.