diff --git a/clustertool/pkg/sops/checkencrypt.go b/clustertool/pkg/sops/checkencrypt.go index 2ee9f0700fc..0a65d6b8472 100644 --- a/clustertool/pkg/sops/checkencrypt.go +++ b/clustertool/pkg/sops/checkencrypt.go @@ -1,11 +1,13 @@ package sops import ( + "bufio" "bytes" "fmt" "os" "path/filepath" "regexp" + "strings" "github.com/rs/zerolog/log" "github.com/truecharts/public/clustertool/pkg/helper" @@ -179,6 +181,7 @@ func CheckFilesAndReportEncryption(tryEncrypt bool, checkStaged bool) error { log.Fatal().Msg("Exiting due to unencrypted files after encryption attempt") os.Exit(1) } + shamCheck() } } @@ -190,6 +193,33 @@ func CheckFilesAndReportEncryption(tryEncrypt bool, checkStaged bool) error { return nil } +// shamCheck checks if clusterenv contains the phrase "shamir_threshold" indicating it is indeed encrypted +func shamCheck() { + log.Debug().Msg("Checking if clusterenv contains shamir_threshold to ensure encryption...") + file, err := os.Open(helper.ClusterEnvFile) + if err != nil { + log.Error().Err(err).Msgf("error opening file: %w", err) + } + defer file.Close() + + scanner := bufio.NewScanner(file) + for scanner.Scan() { + if strings.Contains(scanner.Text(), "shamir_threshold") { + log.Debug().Msg("clusterenv contains shamir_threshold, continuing...") + return + } else { + log.Error().Msg("clusterenv is NOT encrypted and encryption-check failed!\n DO NOT UPLOAD!") + os.Exit(1) + } + } + + if err := scanner.Err(); err != nil { + log.Error().Err(err).Msgf("error reading file: %w", err) + } + + return +} + // filesToCheck returns a list of files to check for encryption based on the logic in .sops.yaml. func filesToCheck(config SopsConfig) ([]EncrFileData, error) { log.Debug().Msg("Starting filesToCheck")