feat: Complete PII cleanup and fully automatic pipeline

🧹 PII Cleanup & Security:
- Remove all hardcoded domains (darknex.us, hndrx.co)
- Remove all hardcoded emails (admin@ references)
- Replace all personal info with environment variables
- Repository now 100% generic and reusable

🚀 Fully Automatic Pipeline:
- Pipeline now runs automatically develop → staging → production
- No manual intervention required for production promotions
- Auto-promotion triggers after successful tests
- All workflows use commit-specific image tags

🔧 Environment Variables:
- All manifests use ${VARIABLE_NAME} syntax
- All scripts source from .env file
- GitHub Actions use secrets for sensitive data
- Complete .env.example template provided

📚 Documentation:
- New comprehensive WORKFLOWS.md with pipeline details
- New PIPELINE_QUICK_REFERENCE.md for quick reference
- Updated all docs to use generic placeholders
- Added security/privacy section to README

🔐 Security Enhancements:
- Updated .gitignore for all sensitive files
- Created PII verification script (verify-pii-removal.sh)
- Created cleanup automation script (cleanup-pii.sh)
- Repository verified PII-free and production-ready

BREAKING: Repository now requires .env configuration
- Copy .env.example to .env and configure for your environment
- Set GitHub repository secrets for CI/CD workflows
- All deployments now use environment-specific configuration

manifests/knative-domain-config.yaml

@@ -4,13 +4,13 @@ metadata:
   name: config-domain
   namespace: knative-serving
 data:
-  dev.wa.darknex.us: |
+  dev.${BASE_DOMAIN}: |
     selector:
       environment: development
-  staging.wa.darknex.us: |
+  staging.${BASE_DOMAIN}: |
     selector:
       environment: staging
-  wa.darknex.us: |
+  ${BASE_DOMAIN}: |
     selector:
       environment: production
   autocreate-cluster-domain-claims: "true"

manifests/nginx-certificate.yaml

@@ -9,7 +9,7 @@ spec:
     name: letsencrypt-prod
     kind: ClusterIssuer
   dnsNames:
-  - "2048-dev.wa.darknex.us"
+  - "${DEV_DOMAIN}"
 
 ---
 apiVersion: cert-manager.io/v1
@@ -23,7 +23,7 @@ spec:
     name: letsencrypt-prod
     kind: ClusterIssuer
   dnsNames:
-  - "2048-staging.wa.darknex.us"
+  - "${STAGING_DOMAIN}"
 
 ---
 apiVersion: cert-manager.io/v1
@@ -37,4 +37,4 @@ spec:
     name: letsencrypt-prod
     kind: ClusterIssuer
   dnsNames:
-  - "2048.wa.darknex.us"
+  - "${PROD_DOMAIN}"

manifests/nginx-to-istio-proxy.yaml

@@ -10,15 +10,15 @@ metadata:
     cert-manager.io/cluster-issuer: "letsencrypt-prod"
     nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
     nginx.ingress.kubernetes.io/configuration-snippet: |
-      proxy_set_header Host game-2048-dev.game-2048-dev.dev.wa.darknex.us;
+      proxy_set_header Host ${DEV_CANONICAL_DOMAIN};
 spec:
   ingressClassName: nginx
   tls:
   - hosts:
-    - 2048-dev.wa.darknex.us
+    - ${DEV_DOMAIN}
     secretName: game-2048-dev-nginx-tls
   rules:
-  - host: 2048-dev.wa.darknex.us
+  - host: ${DEV_DOMAIN}
     http:
       paths:
       - path: /
@@ -41,15 +41,15 @@ metadata:
     cert-manager.io/cluster-issuer: "letsencrypt-prod"
     nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
     nginx.ingress.kubernetes.io/configuration-snippet: |
-      proxy_set_header Host game-2048-staging.game-2048-staging.staging.wa.darknex.us;
+      proxy_set_header Host ${STAGING_CANONICAL_DOMAIN};
 spec:
   ingressClassName: nginx
   tls:
   - hosts:
-    - 2048-staging.wa.darknex.us
+    - ${STAGING_DOMAIN}
     secretName: game-2048-staging-nginx-tls
   rules:
-  - host: 2048-staging.wa.darknex.us
+  - host: ${STAGING_DOMAIN}
     http:
       paths:
       - path: /
@@ -72,15 +72,15 @@ metadata:
     cert-manager.io/cluster-issuer: "letsencrypt-prod"
     nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
     nginx.ingress.kubernetes.io/configuration-snippet: |
-      proxy_set_header Host game-2048-prod.game-2048-prod.wa.darknex.us;
+      proxy_set_header Host ${PROD_CANONICAL_DOMAIN};
 spec:
   ingressClassName: nginx
   tls:
   - hosts:
-    - 2048.wa.darknex.us
+    - ${PROD_DOMAIN}
     secretName: game-2048-prod-nginx-tls
   rules:
-  - host: 2048.wa.darknex.us
+  - host: ${PROD_DOMAIN}
     http:
       paths:
       - path: /

manifests/prod/service.yml

@@ -15,7 +15,7 @@ spec:
         autoscaling.knative.dev/target: "100"
     spec:
       containers:
-      - image: ghcr.io/ghndrx/k8s-game-2048:latest
+      - image: ${CONTAINER_REGISTRY}/${GITHUB_REPOSITORY}:latest
         imagePullPolicy: Always
         ports:
         - containerPort: 80

manifests/ssl-certificate.yaml

@@ -5,7 +5,23 @@ metadata:
 spec:
   acme:
     server: https://acme-v02.api.letsencrypt.org/directory
-    email: admin@hndrx.co
+    email: ${CERT_EMAIL}
+    privateKeySecretRef:
+      name: letsencrypt-prod-private-key
+    solvers:
+    - http01:
+        ingress:
+          class: nginx
+
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: ${CERT_EMAIL}
     privateKeySecretRef:
       name: letsencrypt-prod
     solvers:

manifests/webhook/webhook-ingress.yaml

@@ -28,10 +28,10 @@ spec:
   ingressClassName: nginx
   tls:
   - hosts:
-    - webhook.wa.darknex.us
+    - ${WEBHOOK_DOMAIN}
     secretName: webhook-tls
   rules:
-  - host: webhook.wa.darknex.us
+  - host: ${WEBHOOK_DOMAIN}
     http:
       paths:
       - path: /