vars: fix migration - secrets end up in public store

2024-11-26 17:01:42 +07:00
parent 72ef3006b4
commit 173436632d
2 changed files with 18 additions and 4 deletions
--- a/pkgs/clan-cli/clan_cli/vars/generate.py
+++ b/pkgs/clan-cli/clan_cli/vars/generate.py
@@ -274,9 +274,14 @@ def _migrate_file(
        old_value = machine.public_facts_store.get(service_name, fact_name)
    is_shared = machine.vars_generators[generator_name]["share"]
    is_deployed = machine.vars_generators[generator_name]["files"][var_name]["deploy"]
-    machine.public_vars_store.set(
-        generator_name, var_name, old_value, shared=is_shared, deployed=is_deployed
-    )
+    if is_secret:
+        machine.secret_vars_store.set(
+            generator_name, var_name, old_value, shared=is_shared, deployed=is_deployed
+        )
+    else:
+        machine.public_vars_store.set(
+            generator_name, var_name, old_value, shared=is_shared, deployed=is_deployed
+        )


 def _migrate_files(
--- a/pkgs/clan-cli/tests/test_vars.py
+++ b/pkgs/clan-cli/tests/test_vars.py
@@ -782,9 +782,13 @@ def test_migration(
    config["nixpkgs"]["hostPlatform"] = "x86_64-linux"
    my_service = config["clan"]["core"]["facts"]["services"]["my_service"]
    my_service["public"]["my_value"] = {}
-    my_service["generator"]["script"] = "echo -n hello > $facts/my_value"
+    my_service["secret"]["my_secret"] = {}
+    my_service["generator"]["script"] = (
+        "echo -n hello > $facts/my_value && echo -n hello > $secrets/my_secret"
+    )
    my_generator = config["clan"]["core"]["vars"]["generators"]["my_generator"]
    my_generator["files"]["my_value"]["secret"] = False
+    my_generator["files"]["my_secret"]["secret"] = True
    my_generator["migrateFact"] = "my_service"
    my_generator["script"] = "echo -n world > $out/my_value"
    flake.refresh()
@@ -795,8 +799,13 @@ def test_migration(
    in_repo_store = in_repo.FactStore(
        Machine(name="my_machine", flake=FlakeId(str(flake.path)))
    )
+    sops_store = sops.SecretStore(
+        Machine(name="my_machine", flake=FlakeId(str(flake.path)))
+    )
    assert in_repo_store.exists("my_generator", "my_value")
    assert in_repo_store.get("my_generator", "my_value").decode() == "hello"
+    assert sops_store.exists("my_generator", "my_secret")
+    assert sops_store.get("my_generator", "my_secret").decode() == "hello"


@pytest.mark.impure