From 9c6e04fa3f5181ce311bd12c925531e7cd4b4e42 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
Date: Thu, 14 Nov 2024 13:17:50 +0100
Subject: [PATCH] vars: introduce ensure_machine_has_access method for sops

this should help avoiding overriding existing shared secrets by not
triggering vars regeneration if a machine has no access.

wip
---
 pkgs/clan-cli/clan_cli/vars/generate.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/pkgs/clan-cli/clan_cli/vars/generate.py b/pkgs/clan-cli/clan_cli/vars/generate.py
index e20de0c7a..a0a7c5965 100644
--- a/pkgs/clan-cli/clan_cli/vars/generate.py
+++ b/pkgs/clan-cli/clan_cli/vars/generate.py
@@ -297,6 +297,10 @@ def _check_can_migrate(
             if machine.secret_vars_store.exists(
                 generator_name, fname, vars_generator["share"]
             ):
+                if vars_generator["deploy"]:
+                    machine.secret_vars_store.ensure_machine_has_access(
+                        generator_name, fname, vars_generator["share"]
+                    )
                 return False
         else:
             if machine.public_vars_store.exists(