refactor: checksum for configmap and secret data

2026-01-27 10:19:29 +00:00 · 2022-09-09 18:55:21 +02:00
parent 65519d4f22
commit df8ca7c1d1
15 changed files with 56 additions and 30 deletions
--- a/internal/kubeadm/types.go
+++ b/internal/kubeadm/types.go
@@ -22,13 +22,13 @@ func (c *Configuration) Checksum() string {
 	kubeconfig, _ := json.Marshal(c.Kubeconfig)
 	parameters, _ := json.Marshal(c.Parameters)

-	data := map[string]string{
-		"InitConfiguration": string(initConfiguration),
-		"Kubeconfig":        string(kubeconfig),
-		"Parameters":        string(parameters),
+	data := map[string][]byte{
+		"InitConfiguration": initConfiguration,
+		"Kubeconfig":        kubeconfig,
+		"Parameters":        parameters,
 	}

-	return utilities.CalculateConfigMapChecksum(data)
+	return utilities.CalculateMapChecksum(data)
 }

 type Parameters struct {
--- a/internal/resources/api_server_certificate.go
+++ b/internal/resources/api_server_certificate.go
@@ -133,7 +133,7 @@ func (r *APIServerCertificate) mutate(ctx context.Context, tenantControlPlane *k
 		if annotations == nil {
 			annotations = map[string]string{}
 		}
-		annotations[constants.Checksum] = utilities.CalculateConfigMapChecksum(r.resource.StringData)
+		annotations[constants.Checksum] = utilities.CalculateMapChecksum(r.resource.Data)
 		r.resource.SetAnnotations(annotations)

 		r.resource.SetLabels(utilities.MergeMaps(
--- a/internal/resources/api_server_kubelet_client_certificate.go
+++ b/internal/resources/api_server_kubelet_client_certificate.go
@@ -142,7 +142,7 @@ func (r *APIServerKubeletClientCertificate) mutate(ctx context.Context, tenantCo
 		if annotations == nil {
 			annotations = map[string]string{}
 		}
-		annotations[constants.Checksum] = utilities.CalculateConfigMapChecksum(r.resource.StringData)
+		annotations[constants.Checksum] = utilities.CalculateMapChecksum(r.resource.Data)
 		r.resource.SetAnnotations(annotations)

 		return ctrl.SetControllerReference(tenantControlPlane, r.resource, r.Client.Scheme())
--- a/internal/resources/ca_certificate.go
+++ b/internal/resources/ca_certificate.go
@@ -128,7 +128,7 @@ func (r *CACertificate) mutate(ctx context.Context, tenantControlPlane *kamajiv1
 		if annotations == nil {
 			annotations = map[string]string{}
 		}
-		annotations[constants.Checksum] = utilities.CalculateConfigMapChecksum(r.resource.StringData)
+		annotations[constants.Checksum] = utilities.CalculateMapChecksum(r.resource.Data)
 		r.resource.SetAnnotations(annotations)

 		return ctrl.SetControllerReference(tenantControlPlane, r.resource, r.Client.Scheme())
--- a/internal/resources/datastore/datastore_certificate.go
+++ b/internal/resources/datastore/datastore_certificate.go
@@ -89,7 +89,7 @@ func (r *Certificate) mutate(ctx context.Context, tenantControlPlane *kamajiv1al

 		r.resource.Data["ca.crt"] = ca

-		if r.resource.GetAnnotations()[constants.Checksum] == utilities.CalculateConfigMapChecksum(r.resource.StringData) {
+		if r.resource.GetAnnotations()[constants.Checksum] == utilities.CalculateMapChecksum(r.resource.Data) {
 			if r.DataStore.Spec.Driver == kamajiv1alpha1.EtcdDriver {
 				if isValid, _ := crypto.IsValidCertificateKeyPairBytes(r.resource.Data["server.crt"], r.resource.Data["server.key"]); isValid {
 					return nil
@@ -145,7 +145,7 @@ func (r *Certificate) mutate(ctx context.Context, tenantControlPlane *kamajiv1al
 		if annotations == nil {
 			annotations = map[string]string{}
 		}
-		annotations[constants.Checksum] = utilities.CalculateConfigMapChecksum(r.resource.StringData)
+		annotations[constants.Checksum] = utilities.CalculateMapChecksum(r.resource.Data)
 		r.resource.SetAnnotations(annotations)

 		r.resource.SetLabels(utilities.MergeMaps(
--- a/internal/resources/datastore/datastore_storage_config.go
+++ b/internal/resources/datastore/datastore_storage_config.go
@@ -80,7 +80,7 @@ func (r *Config) mutate(_ context.Context, tenantControlPlane *kamajiv1alpha1.Te

 		savedHash, ok := r.resource.GetAnnotations()[constants.Checksum]
 		switch {
-		case ok && savedHash == utilities.CalculateConfigMapChecksum(r.resource.StringData):
+		case ok && savedHash == utilities.CalculateMapChecksum(r.resource.Data):
 			password = r.resource.Data["DB_PASSWORD"]
 		default:
 			password = []byte(uuid.New().String())
@@ -98,7 +98,7 @@ func (r *Config) mutate(_ context.Context, tenantControlPlane *kamajiv1alpha1.Te
 			annotations = map[string]string{}
 		}

-		annotations[constants.Checksum] = utilities.CalculateConfigMapChecksum(r.resource.StringData)
+		annotations[constants.Checksum] = utilities.CalculateMapChecksum(r.resource.Data)
 		r.resource.SetAnnotations(annotations)

 		r.resource.SetLabels(utilities.MergeMaps(
--- a/internal/resources/front-proxy-client-certificate.go
+++ b/internal/resources/front-proxy-client-certificate.go
@@ -141,7 +141,7 @@ func (r *FrontProxyClientCertificate) mutate(ctx context.Context, tenantControlP
 		if annotations == nil {
 			annotations = map[string]string{}
 		}
-		annotations[constants.Checksum] = utilities.CalculateConfigMapChecksum(r.resource.StringData)
+		annotations[constants.Checksum] = utilities.CalculateMapChecksum(r.resource.Data)
 		r.resource.SetAnnotations(annotations)

 		return ctrl.SetControllerReference(tenantControlPlane, r.resource, r.Client.Scheme())
--- a/internal/resources/front_proxy_ca_certificate.go
+++ b/internal/resources/front_proxy_ca_certificate.go
@@ -127,7 +127,7 @@ func (r *FrontProxyCACertificate) mutate(ctx context.Context, tenantControlPlane
 		if annotations == nil {
 			annotations = map[string]string{}
 		}
-		annotations[constants.Checksum] = utilities.CalculateConfigMapChecksum(r.resource.StringData)
+		annotations[constants.Checksum] = utilities.CalculateMapChecksum(r.resource.Data)
 		r.resource.SetAnnotations(annotations)

 		return ctrl.SetControllerReference(tenantControlPlane, r.resource, r.Client.Scheme())
--- a/internal/resources/konnectivity/certificate_resource.go
+++ b/internal/resources/konnectivity/certificate_resource.go
@@ -97,7 +97,7 @@ func (r *CertificateResource) mutate(ctx context.Context, tenantControlPlane *ka
 	return func() error {
 		logger := log.FromContext(ctx, "resource", r.GetName())

-		if checksum := tenantControlPlane.Status.Addons.Konnectivity.Certificate.Checksum; len(checksum) > 0 && checksum == utilities.CalculateConfigMapChecksum(r.resource.StringData) {
+		if checksum := tenantControlPlane.Status.Addons.Konnectivity.Certificate.Checksum; len(checksum) > 0 && checksum == utilities.CalculateMapChecksum(r.resource.Data) {
 			isValid, err := crypto.IsValidCertificateKeyPairBytes(r.resource.Data[corev1.TLSCertKey], r.resource.Data[corev1.TLSPrivateKeyKey])
 			if err != nil {
 				logger.Info(fmt.Sprintf("%s certificate-private_key pair is not valid: %s", konnectivityCertAndKeyBaseName, err.Error()))
@@ -146,7 +146,7 @@ func (r *CertificateResource) mutate(ctx context.Context, tenantControlPlane *ka
 		if annotations == nil {
 			annotations = map[string]string{}
 		}
-		annotations[constants.Checksum] = utilities.CalculateConfigMapChecksum(r.resource.StringData)
+		annotations[constants.Checksum] = utilities.CalculateMapChecksum(r.resource.Data)
 		r.resource.SetAnnotations(annotations)

 		return ctrl.SetControllerReference(tenantControlPlane, r.resource, r.Client.Scheme())
--- a/internal/resources/konnectivity/egress_selector_configuration_resource.go
+++ b/internal/resources/konnectivity/egress_selector_configuration_resource.go
@@ -121,7 +121,7 @@ func (r *EgressSelectorConfigurationResource) mutate(_ context.Context, tenantCo
 		if annotations == nil {
 			annotations = map[string]string{}
 		}
-		annotations[constants.Checksum] = utilities.MD5Checksum(yamlConfiguration)
+		annotations[constants.Checksum] = utilities.CalculateMapChecksum(r.resource.Data)

 		return ctrl.SetControllerReference(tenantControlPlane, r.resource, r.Client.Scheme())
 	}
--- a/internal/resources/konnectivity/kubeconfig_resource.go
+++ b/internal/resources/konnectivity/kubeconfig_resource.go
@@ -167,7 +167,7 @@ func (r *KubeconfigResource) mutate(ctx context.Context, tenantControlPlane *kam
 		if annotations == nil {
 			annotations = map[string]string{}
 		}
-		annotations[constants.Checksum] = utilities.CalculateConfigMapChecksum(r.resource.StringData)
+		annotations[constants.Checksum] = utilities.CalculateMapChecksum(r.resource.Data)
 		r.resource.SetLabels(utilities.MergeMaps(
 			utilities.KamajiLabels(),
 			map[string]string{
--- a/internal/resources/kubeadm_config.go
+++ b/internal/resources/kubeadm_config.go
@@ -109,20 +109,17 @@ func (r *KubeadmConfigResource) mutate(ctx context.Context, tenantControlPlane *
 		if err != nil {
 			return err
 		}
-		data, err := kubeadm.GetKubeadmInitConfigurationMap(*config)
-		if err != nil {
+		if r.resource.Data, err = kubeadm.GetKubeadmInitConfigurationMap(*config); err != nil {
 			logger.Error(err, "cannot retrieve kubeadm init configuration")

 			return err
 		}

-		r.resource.Data = data
-
 		annotations := r.resource.GetAnnotations()
 		if annotations == nil {
 			annotations = map[string]string{}
 		}
-		annotations[constants.Checksum] = utilities.CalculateConfigMapChecksum(data)
+		annotations[constants.Checksum] = utilities.CalculateMapChecksum(r.resource.Data)
 		r.resource.SetAnnotations(annotations)

 		if err := ctrl.SetControllerReference(tenantControlPlane, r.resource, r.Client.Scheme()); err != nil {
--- a/internal/resources/kubeconfig.go
+++ b/internal/resources/kubeconfig.go
@@ -111,10 +111,10 @@ func (r *KubeconfigResource) CreateOrUpdate(ctx context.Context, tenantControlPl
 }

 func (r *KubeconfigResource) checksum(apiServerCertificatesSecret *corev1.Secret, kubeadmChecksum string) string {
-	return utilities.CalculateConfigMapChecksum(map[string]string{
-		"ca-cert-checksum": string(apiServerCertificatesSecret.Data[kubeadmconstants.CACertName]),
-		"ca-key-checksum":  string(apiServerCertificatesSecret.Data[kubeadmconstants.CAKeyName]),
-		"kubeadmconfig":    kubeadmChecksum,
+	return utilities.CalculateMapChecksum(map[string][]byte{
+		"ca-cert-checksum": apiServerCertificatesSecret.Data[kubeadmconstants.CACertName],
+		"ca-key-checksum":  apiServerCertificatesSecret.Data[kubeadmconstants.CAKeyName],
+		"kubeadmconfig":    []byte(kubeadmChecksum),
 	})
 }

--- a/internal/resources/sa_certificate.go
+++ b/internal/resources/sa_certificate.go
@@ -126,7 +126,7 @@ func (r *SACertificate) mutate(ctx context.Context, tenantControlPlane *kamajiv1
 		if annotations == nil {
 			annotations = map[string]string{}
 		}
-		annotations[constants.Checksum] = utilities.CalculateConfigMapChecksum(r.resource.StringData)
+		annotations[constants.Checksum] = utilities.CalculateMapChecksum(r.resource.Data)
 		r.resource.SetAnnotations(annotations)

 		return ctrl.SetControllerReference(tenantControlPlane, r.resource, r.Client.Scheme())
--- a/internal/utilities/checksum.go
+++ b/internal/utilities/checksum.go
@@ -9,8 +9,20 @@ import (
 	"sort"
 )

-// CalculateConfigMapChecksum orders the map according to its key, and calculating the overall md5 of the values.
-func CalculateConfigMapChecksum(data map[string]string) string {
+// CalculateMapChecksum orders the map according to its key, and calculating the overall md5 of the values.
+// It's expected to work with ConfigMap (map[string]string) and Secrets (map[string][]byte).
+func CalculateMapChecksum(data any) string {
+	switch t := data.(type) {
+	case map[string]string:
+		return calculateMapStringString(t)
+	case map[string][]byte:
+		return calculateMapStringByte(t)
+	default:
+		return ""
+	}
+}
+
+func calculateMapStringString(data map[string]string) string {
 	keys := make([]string, 0, len(data))
 	for key := range data {
 		keys = append(keys, key)
@@ -27,6 +39,23 @@ func CalculateConfigMapChecksum(data map[string]string) string {
 	return MD5Checksum([]byte(checksum))
 }

+func calculateMapStringByte(data map[string][]byte) string {
+	keys := make([]string, 0, len(data))
+	for key := range data {
+		keys = append(keys, key)
+	}
+
+	sort.Strings(keys)
+
+	var checksum string
+
+	for _, key := range keys {
+		checksum += string(data[key])
+	}
+
+	return MD5Checksum([]byte(checksum))
+}
+
 func MD5Checksum(value []byte) string {
 	hash := md5.Sum(value)