From 70e7fbd8c1192ce970300b9c0ebff527625a0a29 Mon Sep 17 00:00:00 2001
From: Kirby Chin <37311900+kabicin@users.noreply.github.com>
Date: Wed, 11 Feb 2026 09:58:38 -0500
Subject: [PATCH 1/4] Add HashData function for secrets
---
 ...ntime-component.clusterserviceversion.yaml | 2 +-
 go.mod | 2 ++
 go.sum | 4 +++
 utils/hash.go | 33 +++++++++++++++++++
 utils/hash_test.go | 22 +++++++++++++
 utils/utils.go | 12 +++---
 6 files changed, 67 insertions(+), 8 deletions(-)
 create mode 100644 utils/hash.go
 create mode 100644 utils/hash_test.go
diff --git a/bundle/manifests/runtime-component.clusterserviceversion.yaml b/bundle/manifests/runtime-component.clusterserviceversion.yaml
index e75f09e8..dba1871c 100644
--- a/bundle/manifests/runtime-component.clusterserviceversion.yaml
+++ b/bundle/manifests/runtime-component.clusterserviceversion.yaml
@@ -71,7 +71,7 @@ metadata:
 categories: Application Runtime
 certified: "true"
 containerImage: icr.io/appcafe/runtime-component-operator:daily
- createdAt: "2025-12-08T16:01:38Z"
+ createdAt: "2026-02-06T16:39:18Z"
 description: Deploys any runtime component with dynamic and auto-tuning configuration
 features.operators.openshift.io/disconnected: "true"
 features.operators.openshift.io/fips-compliant: "true"
diff --git a/go.mod b/go.mod
index 013529a3..6c464171 100644
--- a/go.mod
+++ b/go.mod
@@ -40,6 +40,7 @@ require (
 github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect
 github.com/josharian/intern v1.0.0 // indirect
 github.com/json-iterator/go v1.1.12 // indirect
+ github.com/klauspost/cpuid/v2 v2.0.12 // indirect
 github.com/mailru/easyjson v0.9.0 // indirect
 github.com/moby/spdystream v0.5.0 // indirect
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
@@ -53,6 +54,7 @@ require ( github.com/prometheus/procfs v0.16.1 // indirect github.com/spf13/pflag v1.0.6 // indirect github.com/x448/float16 v0.8.4 // indirect + github.com/zeebo/blake3 v0.2.4 // indirect go.uber.org/multierr v1.11.0 // indirect go.yaml.in/yaml/v2 v2.4.2 // indirect golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac // indirect diff --git a/go.sum b/go.sum index ca5c8833..6d5e9dc4 100644 --- a/go.sum +++ b/go.sum @@ -62,6 +62,8 @@ github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo= github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ= +github.com/klauspost/cpuid/v2 v2.0.12 h1:p9dKCg8i4gmOxtv35DvrYoWqYzQrvEVdjQ762Y0OqZE= +github.com/klauspost/cpuid/v2 v2.0.12/go.mod h1:g2LTdtYhdyuGPqyWyv7qRAmj1WBqxuObKfj5c0PQa7c= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= @@ -121,6 +123,8 @@ github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/zeebo/blake3 v0.2.4 h1:KYQPkhpRtcqh0ssGYcKLG1JYvddkEA8QwCM/yBqhaZI= +github.com/zeebo/blake3 v0.2.4/go.mod h1:7eeQ6d2iXWRGF6npfaxl2CU+xy2Fjo2gxeyZGCRUjcE= go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= 
diff --git a/utils/hash.go b/utils/hash.go
new file mode 100644
index 00000000..f77acb7c
--- /dev/null
+++ b/utils/hash.go
@@ -0,0 +1,33 @@
+package utils
+
+import (
+ "encoding/hex"
+ "sort"
+
+ "github.com/zeebo/blake3"
+)
+
+func HashData(data map[string][]byte) string {
+ hasher := blake3.New()
+ hasher.Write(serializeSecretData(data))
+ hash := hasher.Sum(nil)
+ return hex.EncodeToString(hash)
+}
+
+func serializeSecretData(data map[string][]byte) []byte {
+ // sort data keys
+ dataKeys := []string{}
+ for k := range data {
+ dataKeys = append(dataKeys, k)
+ }
+ sort.Strings(dataKeys)
+ // load dataBuffer delimited by a null character for every key-value pair \0\0
+ dataBuffer := []byte{}
+ for _, k := range dataKeys {
+ dataBuffer = append(dataBuffer, []byte(k)...)
+ dataBuffer = append(dataBuffer, '\000')
+ dataBuffer = append(dataBuffer, data[k]...)
+ dataBuffer = append(dataBuffer, '\000')
+ }
+ return dataBuffer
+}
diff --git a/utils/hash_test.go b/utils/hash_test.go
new file mode 100644
index 00000000..a3f63263
--- /dev/null
+++ b/utils/hash_test.go
@@ -0,0 +1,22 @@
+package utils
+
+import (
+ "testing"
+
+ logf "sigs.k8s.io/controller-runtime/pkg/log"
+ "sigs.k8s.io/controller-runtime/pkg/log/zap"
+)
+
+func TestHashData(t *testing.T) {
+ logger := zap.New()
+ logf.SetLogger(logger)
+
+ data := map[string][]byte{}
+ data["xyz"] = []byte("contentforxyz")
+ data["abc"] = []byte("1Ag@aZ821Sd1asd1231nkgrniekghis168adf")
+ testGHFD := []Test{
+ {"Serialize sample data", []byte("abc\0001Ag@aZ821Sd1asd1231nkgrniekghis168adf\000xyz\000contentforxyz\000"), serializeSecretData(data)},
+ {"Get hash from serialized data", "2d0b4d0adc4124bdfb959cb8b584473b5392cf2287b69a11663b288c90cfa010", HashData(data)},
+ }
+ verifyTests(testGHFD, t)
+}
diff --git a/utils/utils.go b/utils/utils.go
index 3d016372..098845d3 100644
--- a/utils/utils.go
+++ b/utils/utils.go
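Review bot: serializeSecretData is not injective, so two different Secret contents can yield the same HashData digest and a change between them would go unnoticed by whatever compares the digest: a Secret's Data values are arbitrary bytes and may contain NUL, so `{"a": "b\x00c\x00d"}` and `{"a": "b", "c": "d"}` both serialize to `a\0b\0c\0d\0`. Length-prefixing each key and value removes the ambiguity; a rewrite is below (it needs `encoding/binary` in the import block and changes the expected bytes and digest in hash_test.go). The exported HashData also lacks its doc comment; suggest `// HashData returns the hex-encoded BLAKE3-256 digest of a canonical, key-sorted serialization of data.`. The digest is unkeyed and, per the utils.go hunk further down, ends up in a pod annotation readable by anyone who can read the pod, so for low-entropy secret values it can be compared against guesses offline; a keyed BLAKE3 with a per-operator key would avoid that while keeping change detection intact.
```go
// … unchanged: HashData …

// serializeSecretData returns a canonical encoding of data: keys sorted, each key
// and value written as an 8-byte big-endian length followed by its bytes, so an
// entry containing NUL cannot collide with a different set of entries.
func serializeSecretData(data map[string][]byte) []byte {
	dataKeys := make([]string, 0, len(data))
	for k := range data {
		dataKeys = append(dataKeys, k)
	}
	sort.Strings(dataKeys)
	var dataBuffer []byte
	var lenBuf [8]byte
	for _, k := range dataKeys {
		binary.BigEndian.PutUint64(lenBuf[:], uint64(len(k)))
		dataBuffer = append(dataBuffer, lenBuf[:]...)
		dataBuffer = append(dataBuffer, k...)
		binary.BigEndian.PutUint64(lenBuf[:], uint64(len(data[k])))
		dataBuffer = append(dataBuffer, lenBuf[:]...)
		dataBuffer = append(dataBuffer, data[k]...)
	}
	return dataBuffer
}
```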
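Review bot: TestHashData configures a zap logger through logf.SetLogger that neither HashData nor serializeSecretData uses, which pulls controller-runtime into a pure-function test; dropping `logger := zap.New()` and `logf.SetLogger(logger)` together with the two sigs.k8s.io imports leaves the test dependent on `testing` alone. The hard-coded digest is the right kind of pin for a canonicalization function; consider adding one more case asserting that the same entries inserted in the opposite key order produce the same digest, since key-order independence is the property the sort in serializeSecretData exists to guarantee. `Test` and `verifyTests` are defined outside this hunk.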
@@ -1752,27 +1752,25 @@ func AddOCPCertAnnotation(ba common.BaseComponent, svc *corev1.Service) {
 }
 
 func CustomizePodWithSVCCertificate(pts *corev1.PodTemplateSpec, ba common.BaseComponent, client client.Client) error {
-
 if ba.GetManageTLS() == nil || *ba.GetManageTLS() || ba.GetService().GetCertificateSecretRef() != nil {
 obj := ba.(metav1.Object)
 secretName := ba.GetStatus().GetReferences()[common.StatusReferenceCertSecretName]
 if secretName != "" {
- return addSecretResourceVersionAsEnvVar(pts, obj, client, secretName, "SERVICE_CERT")
+ return addSecretHashAsAnnotation(pts, obj, client, secretName, ba.GetGroupName())
 } else {
 return errors.New("Service certifcate secret name must not be empty")
 }
 }
 return nil
 }
-func addSecretResourceVersionAsEnvVar(pts *corev1.PodTemplateSpec, object metav1.Object, client client.Client, secretName string, envNamePrefix string) error {
+
+func addSecretHashAsAnnotation(pts *corev1.PodTemplateSpec, object metav1.Object, client client.Client, secretName string, groupName string) error {
 secret := &corev1.Secret{}
 err := client.Get(context.Background(), types.NamespacedName{Name: secretName, Namespace: object.GetNamespace()}, secret)
 if err != nil {
 return fmt.Errorf("Secret %q was not found in namespace %q, %w", secretName, object.GetNamespace(), err)
 }
- pts.Spec.Containers[0].Env = append(pts.Spec.Containers[0].Env, corev1.EnvVar{
- Name: envNamePrefix + "_SECRET_RESOURCE_VERSION",
- Value: secret.ResourceVersion})
+ pts.ObjectMeta.Annotations[groupName+"/secret-"+secretName] = HashData(secret.Data)
 return nil
 }
 
@@ -1856,7 +1854,7 @@ func GetIssuerResourceVersion(client client.Client, certificate *certmanagerv1.C
 if err != nil {
 return "", err
 } else {
- return issuer.ResourceVersion + "," + caSecret.ResourceVersion, nil
+ return issuer.ResourceVersion + "," + HashData(caSecret.Data), nil
 }
 } else {
 return issuer.ResourceVersion, nil
From 9d1f6697ef77b0f0e60754b546f5203d882035aa Mon Sep 17 00:00:00 2001
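Review bot: the annotation key `groupName+"/secret-"+secretName` built in addSecretHashAsAnnotation can be rejected by the API server: the name segment after the slash is limited to 63 characters while a Secret name may be up to 253, so any secretName longer than 56 characters produces an invalid pod template and the reconcile fails at update time. If long names are possible for the certificate secret recorded in status, use a fixed key such as `groupName+"/service-cert-secret-hash"` (the hunk records only one such secret per template) or a bounded derivation of secretName. If the template's annotations are carried over between reconciles rather than rebuilt, a renamed secret also leaves the previous `secret-<old-name>` entry behind, since the function only ever adds keys; that is inferred from the function alone and worth confirming against the caller.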
From: Kirby Chin <37311900+kabicin@users.noreply.github.com>
Date: Fri, 13 Feb 2026 12:06:49 -0500
Subject: [PATCH 2/4] Add annotations map nil check
---
 utils/utils.go | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/utils/utils.go b/utils/utils.go
index 098845d3..1e3b9d5b 100644
--- a/utils/utils.go
+++ b/utils/utils.go
@@ -1770,6 +1770,9 @@ func addSecretHashAsAnnotation(pts *corev1.PodTemplateSpec, object metav1.Object
 if err != nil {
 return fmt.Errorf("Secret %q was not found in namespace %q, %w", secretName, object.GetNamespace(), err)
 }
+ if pts.ObjectMeta.Annotations == nil {
+ pts.ObjectMeta.Annotations = make(map[string]string)
+ }
 pts.ObjectMeta.Annotations[groupName+"/secret-"+secretName] = HashData(secret.Data)
 return nil
 }
From f2fd732b09a22d538d38044f6a7fff3779892b54 Mon Sep 17 00:00:00 2001
From: Kirby Chin <37311900+kabicin@users.noreply.github.com>
Date: Tue, 17 Feb 2026 15:03:14 -0500
Subject: [PATCH 3/4] Update hash algorithm
---
 go.mod | 3 ++-
 go.sum | 6 ++++++
 utils/hash.go | 8 +++++---
 3 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/go.mod b/go.mod
index 6c464171..1c55159c 100644
--- a/go.mod
+++ b/go.mod
@@ -9,6 +9,7 @@ require (
 github.com/openshift/library-go v0.0.0-20250818065802-cf8518058622
 github.com/pkg/errors v0.9.1
 github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.78.2
+ github.com/zeebo/blake3 v0.2.4
 go.uber.org/zap v1.27.0
 k8s.io/api v0.33.3
 k8s.io/apimachinery v0.33.3
@@ -54,7 +55,6 @@ require (
 github.com/prometheus/procfs v0.16.1 // indirect
 github.com/spf13/pflag v1.0.6 // indirect
 github.com/x448/float16 v0.8.4 // indirect
- github.com/zeebo/blake3 v0.2.4 // indirect
 go.uber.org/multierr v1.11.0 // indirect
 go.yaml.in/yaml/v2 v2.4.2 // indirect
 golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac // indirect
@@ -74,6 +74,7 @@ require ( k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect k8s.io/utils v0.0.0-20241210054802-24370beab758 // indirect knative.dev/networking v0.0.0-20250716125000-edb1a4a0c863 // indirect + lukechampine.com/blake3 v1.4.1 sigs.k8s.io/gateway-api v1.1.0 // indirect sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect sigs.k8s.io/randfill v1.0.0 // indirect diff --git a/go.sum b/go.sum index 6d5e9dc4..38148f62 100644 --- a/go.sum +++ b/go.sum @@ -123,8 +123,12 @@ github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/zeebo/assert v1.1.0 h1:hU1L1vLTHsnO8x8c9KAR5GmM5QscxHg5RNU5z5qbUWY= +github.com/zeebo/assert v1.1.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0= github.com/zeebo/blake3 v0.2.4 h1:KYQPkhpRtcqh0ssGYcKLG1JYvddkEA8QwCM/yBqhaZI= github.com/zeebo/blake3 v0.2.4/go.mod h1:7eeQ6d2iXWRGF6npfaxl2CU+xy2Fjo2gxeyZGCRUjcE= +github.com/zeebo/pcg v1.0.1 h1:lyqfGeWiv4ahac6ttHs+I5hwtH/+1mrhlCtVNQM2kHo= +github.com/zeebo/pcg v1.0.1/go.mod h1:09F0S9iiKrwn9rlI5yjLkmrug154/YRW6KnnXVDM/l4= go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= 
@@ -216,6 +220,8 @@ knative.dev/pkg v0.0.0-20250817152444-53ed1d53d232 h1:DqXSNueFZ28EAoU4wrPu8nsFBN
 knative.dev/pkg v0.0.0-20250817152444-53ed1d53d232/go.mod h1:ZIbXYkQ/A4WeXhPyeZ9OtEuW4RTkpxeYNByJeC0h6Zs=
 knative.dev/serving v0.46.1 h1:nkbZMcu5r1c+hZhOSW3MIh/7mJp/WLQ4j89PHknDXyU=
 knative.dev/serving v0.46.1/go.mod h1:NHcCSU65kUFC8rmvxoa+v3HEqWsahTBWsobGvqp3Dd0=
+lukechampine.com/blake3 v1.4.1 h1:I3Smz7gso8w4/TunLKec6K2fn+kyKtDxr/xcQEN84Wg=
+lukechampine.com/blake3 v1.4.1/go.mod h1:QFosUxmjB8mnrWFSNwKmvxHpfY72bmD2tQ0kBMM3kwo=
 sigs.k8s.io/controller-runtime v0.19.7 h1:DLABZfMr20A+AwCZOHhcbcu+TqBXnJZaVBri9K3EO48=
 sigs.k8s.io/controller-runtime v0.19.7/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4=
 sigs.k8s.io/gateway-api v1.1.0 h1:DsLDXCi6jR+Xz8/xd0Z1PYl2Pn0TyaFMOPPZIj4inDM=
diff --git a/utils/hash.go b/utils/hash.go
index f77acb7c..e8b9ed57 100644
--- a/utils/hash.go
+++ b/utils/hash.go
@@ -1,15 +1,17 @@
 package utils
 
 import (
+ "bytes"
 "encoding/hex"
+ "io"
 "sort"
 
- "github.com/zeebo/blake3"
+ "lukechampine.com/blake3"
 )
 
 func HashData(data map[string][]byte) string {
- hasher := blake3.New()
- hasher.Write(serializeSecretData(data))
+ hasher := blake3.New(32, nil)
+ io.Copy(hasher, bytes.NewReader(serializeSecretData(data)))
 hash := hasher.Sum(nil)
 return hex.EncodeToString(hash)
 }
From 3608e7b30edcca99a0db7a6abaec6e8dde749c43 Mon Sep 17 00:00:00 2001
From: Kirby Chin <37311900+kabicin@users.noreply.github.com>
Date: Thu, 19 Feb 2026 11:11:20 -0500
Subject: [PATCH 4/4] go mod tidy
---
 go.mod | 1 -
 go.sum | 6 ------
 2 files changed, 7 deletions(-)
diff --git a/go.mod b/go.mod
index 1c55159c..1c03cd14 100644
--- a/go.mod
+++ b/go.mod
@@ -9,7 +9,6 @@ require (
 github.com/openshift/library-go v0.0.0-20250818065802-cf8518058622
 github.com/pkg/errors v0.9.1
 github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.78.2
- github.com/zeebo/blake3 v0.2.4
 go.uber.org/zap v1.27.0
 k8s.io/api v0.33.3
 k8s.io/apimachinery v0.33.3
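Review bot: `io.Copy(hasher, bytes.NewReader(serializeSecretData(data)))` in the hash.go hunk discards io.Copy's (n, err) result, which errcheck will flag, and it only round-trips an in-memory slice through a Reader; `hasher.Write(serializeSecretData(data))` (a hash.Hash's Write never returns an error by contract) or `sum := blake3.Sum256(serializeSecretData(data)); return hex.EncodeToString(sum[:])` gives the same digest without the new `bytes` and `io` imports. The second argument of blake3.New is the key, so `nil` makes the digest unkeyed; since the value is written into a pod annotation readable by anyone who can read the pod, a low-entropy secret could be checked against guesses offline, and a per-operator 32-byte key here would close that while keeping change detection intact. The subject says the algorithm changed, but only the implementation did—the output is still BLAKE3 with a 32-byte digest, as the unchanged expected value in hash_test.go shows—so a doc comment such as `// HashData returns the hex-encoded 32-byte BLAKE3 digest of a canonical (key-sorted, NUL-delimited) serialization of data.` would make the contract explicit.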
diff --git a/go.sum b/go.sum index 38148f62..7f7dd884 100644 --- a/go.sum +++ b/go.sum @@ -123,12 +123,6 @@ github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/zeebo/assert v1.1.0 h1:hU1L1vLTHsnO8x8c9KAR5GmM5QscxHg5RNU5z5qbUWY= -github.com/zeebo/assert v1.1.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0= -github.com/zeebo/blake3 v0.2.4 h1:KYQPkhpRtcqh0ssGYcKLG1JYvddkEA8QwCM/yBqhaZI= -github.com/zeebo/blake3 v0.2.4/go.mod h1:7eeQ6d2iXWRGF6npfaxl2CU+xy2Fjo2gxeyZGCRUjcE= -github.com/zeebo/pcg v1.0.1 h1:lyqfGeWiv4ahac6ttHs+I5hwtH/+1mrhlCtVNQM2kHo= -github.com/zeebo/pcg v1.0.1/go.mod h1:09F0S9iiKrwn9rlI5yjLkmrug154/YRW6KnnXVDM/l4= go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=