
Commit d823874

authored
[JIRA: SAPBTPCFS-28335] fips and update libs (#592)
1 parent e2ca500 commit d823874


10 files changed

+227
-105
lines changed


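--- a/Dockerfile
+++ b/Dockerfile
@@ -17,8 +17,10 @@ COPY internal/ internal/
 COPY client/ client/
 
 ARG TARGETOS TARGETARCH
+ARG GOFIPS140
+
 # Build
-RUN CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH GO111MODULE=on go build -a -o manager main.go
+RUN CGO_ENABLED=0 GOFIPS140=v1.0.0 GOOS=$TARGETOS GOARCH=$TARGETARCH GO111MODULE=on go build -a -o manager main.go
 
 
 FROM alpine:3.23
@@ -27,4 +29,6 @@ WORKDIR /
 COPY --from=builder /workspace/manager .
 USER 65534:65534
 
+ENV GODEBUG="fips140=on"
+
 ENTRYPOINT ["/manager"]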
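Review bot: `ARG GOFIPS140` is declared but never takes effect, because the `RUN` line sets `GOFIPS140=v1.0.0` inline and that assignment wins over any `--build-arg`; either drop the ARG or give it the default and reference it, `ARG GOFIPS140=v1.0.0` with `GOFIPS140=$GOFIPS140` in the build command. The builder stage's base image is outside this hunk, so confirm its Go toolchain is 1.24 or newer, since an older toolchain would most likely ignore the variable and silently produce a non-FIPS binary. `ENV GODEBUG="fips140=on"` turns the module on but still lets non-approved algorithms run, and it can be overridden by the container environment at deploy time; `fips140=only` is the stricter setting if the goal is to reject them.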

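--- a/api/v1/serviceinstance_types.go
+++ b/api/v1/serviceinstance_types.go
@@ -17,7 +17,7 @@ limitations under the License.
 package v1
 
 import (
-"crypto/md5"
+"crypto/sha256"
 "encoding/hex"
 "encoding/json"
 
@@ -228,6 +228,6 @@ func (si *ServiceInstance) GetSpecHash() string {
 spec.Shared = ptr.To(false)
 specBytes, _ := json.Marshal(spec)
 s := string(specBytes)
-hash := md5.Sum([]byte(s))
+hash := sha256.Sum256([]byte(s))
 return hex.EncodeToString(hash[:])
 }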
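Review bot: The digest length returned by GetSpecHash is now load-bearing and undocumented: it grows from 32 to 64 hex characters, and the controller change in this commit keys its migration on `len(serviceInstance.Status.HashedSpec) == 32`. A comment at the hash line such as `// SHA-256, 64 hex chars; a 32-char stored value is a legacy MD5 hash and is migrated by the controller` would keep the two in step. The new line can also hash the bytes directly, `hash := sha256.Sum256(specBytes)`, which drops the string round trip. The discarded `json.Marshal` error on the context line above means a marshal failure would hash empty input and hide spec changes; the function starts outside the hunk, so only part of it is visible here.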

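--- a/api/v1/serviceinstance_types_test.go
+++ b/api/v1/serviceinstance_types_test.go
@@ -1,7 +1,7 @@
 package v1
 
 import (
-"crypto/md5"
+"crypto/sha256"
 "encoding/hex"
 "encoding/json"
 
@@ -139,7 +139,7 @@ var _ = Describe("Service Instance Type Test", func() {
 spec := instance.Spec
 spec.Shared = ptr.To(false)
 specBytes, _ := json.Marshal(spec)
-hash := md5.Sum(specBytes)
+hash := sha256.Sum256(specBytes)
 expectedHash := hex.EncodeToString(hash[:])
 
 // Get actual hash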

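--- a/controllers/serviceinstance_controller.go
+++ b/controllers/serviceinstance_controller.go
@@ -95,6 +95,16 @@ func (r *ServiceInstanceReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 }
 }
 
+// If stored hash is MD5 (32 chars) and we're now using SHA256 (64 chars),
+// perform one-time migration by updating the stored hash without triggering update
+if len(serviceInstance.Status.HashedSpec) == 32 {
+// This is likely an MD5->SHA256 migration, update the stored hash silently
+// to prevent unnecessary service updates during FIPS migration
+log.Info(fmt.Sprintf("updated hashing for instance '%s' (id=%s)", serviceInstance.Name, serviceInstance.Status.InstanceID))
+updateHashedSpecValue(serviceInstance)
+return ctrl.Result{}, utils.UpdateStatus(ctx, r.Client, serviceInstance)
+}
+
 if len(serviceInstance.Status.OperationURL) > 0 {
 // ongoing operation - poll status from SM
 return r.poll(ctx, serviceInstance)
@@ -137,7 +147,6 @@ func (r *ServiceInstanceReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 return r.createInstance(ctx, smClient, serviceInstance)
 }
 
-// Update
 if updateRequired(serviceInstance) {
 return r.updateInstance(ctx, smClient, serviceInstance)
 }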
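Review bot: The new branch at `if len(serviceInstance.Status.HashedSpec) == 32` re-baselines the stored hash without comparing it to anything, so a spec edit that is pending when the first post-upgrade reconcile runs appears to be recorded as already applied and never sent to SM; this is inferred, since `updateHashedSpecValue` and `updateRequired` are defined outside the hunk and Reconcile itself starts and ends outside it. If that trade-off is intended, state it in the comment, e.g. `// NOTE: a spec change made while the stored hash was still MD5 is not pushed to SM unless ForceReconcile is set`. The branch also sits ahead of the `OperationURL` check and returns an empty `ctrl.Result{}`, so confirm that the status write re-triggers reconciliation for an instance with an operation in flight. The log line would read better with structured fields and a tense that matches what has happened, `log.Info("migrating stored spec hash to SHA-256", "name", serviceInstance.Name, "instanceID", serviceInstance.Status.InstanceID)`.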

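--- a/controllers/serviceinstance_controller_test.go
+++ b/controllers/serviceinstance_controller_test.go
@@ -628,6 +628,40 @@ var _ = Describe("ServiceInstance controller", func() {
 Expect(err.Error()).To(ContainSubstring("modifying spec.userInfo is not allowed"))
 })
 })
+
+When("hash spec is md5", func() {
+When("updateRequired returned true", func() {
+BeforeEach(func() {
+serviceInstance.Status.HashedSpec = "6dbc872739e7571d1bbf5d7b82537fa0"
+serviceInstance.Status.ForceReconcile = true
+Expect(k8sClient.Status().Update(ctx, serviceInstance)).Should(Succeed())
+fakeClient.UpdateInstanceReturns(nil, "", nil)
+})
+
+It("instance should be updated", func() {
+newExternalName := "my-new-external-name" + uuid.New().String()
+serviceInstance.Spec.ExternalName = newExternalName
+serviceInstance = updateInstance(ctx, serviceInstance)
+Expect(serviceInstance.Spec.ExternalName).To(Equal(newExternalName))
+Expect(fakeClient.UpdateInstanceCallCount()).To(Equal(1))
+})
+})
+
+When("updateRequired returned false", func() {
+BeforeEach(func() {
+serviceInstance.Status.HashedSpec = "6dbc872739e7571d1bbf5d7b82537fa0"
+Expect(k8sClient.Status().Update(ctx, serviceInstance)).Should(Succeed())
+fakeClient.UpdateInstanceReturns(nil, "", nil)
+})
+It("should not update the instance in SM", func() {
+newExternalName := "my-new-external-name" + uuid.New().String()
+serviceInstance.Spec.ExternalName = newExternalName
+serviceInstance = updateInstance(ctx, serviceInstance)
+Expect(serviceInstance.Spec.ExternalName).To(Equal(newExternalName))
+Expect(fakeClient.UpdateInstanceCallCount()).To(Equal(0))
+})
+})
+})
 })
 
 Describe("Delete", func() {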
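Review bot: Neither new case asserts that the migration actually happened; both only count SM update calls, so a regression that leaves the 32-character value in `Status.HashedSpec` would still pass. Adding `Expect(serviceInstance.Status.HashedSpec).To(HaveLen(64))` after `updateInstance` in each `It` would pin that, assuming the `updateInstance` helper (defined outside this hunk) returns the object after reconciliation. The "updateRequired returned false" case also encodes that a changed `Spec.ExternalName` produces zero update calls, which deserves a comment stating that this is the intended migration trade-off rather than an accident of the fixture.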

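--- a/go.mod
+++ b/go.mod
@@ -10,14 +10,14 @@ require (
 github.com/kelseyhightower/envconfig v1.4.0
 github.com/lithammer/dedent v1.1.0
 github.com/onsi/ginkgo v1.16.5
-github.com/onsi/gomega v1.38.0
+github.com/onsi/gomega v1.38.3
 github.com/pkg/errors v0.9.1
-golang.org/x/oauth2 v0.30.0
-k8s.io/api v0.33.0
-k8s.io/apimachinery v0.33.0
-k8s.io/client-go v0.33.0
-k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738
-sigs.k8s.io/controller-runtime v0.21.0
+golang.org/x/oauth2 v0.34.0
+k8s.io/api v0.35.0
+k8s.io/apimachinery v0.35.0
+k8s.io/client-go v0.35.0
+k8s.io/utils v0.0.0-20251222233032-718f0e51e6d2
+sigs.k8s.io/controller-runtime v0.22.4
 sigs.k8s.io/yaml v1.6.0
 )
 
@@ -26,19 +26,18 @@ require (
 github.com/Masterminds/goutils v1.1.1 // indirect
 github.com/Masterminds/semver/v3 v3.4.0 // indirect
 github.com/beorn7/perks v1.0.1 // indirect
-github.com/blang/semver/v4 v4.0.0 // indirect
 github.com/cespare/xxhash/v2 v2.3.0 // indirect
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
-github.com/emicklei/go-restful/v3 v3.11.0 // indirect
-github.com/fsnotify/fsnotify v1.7.0 // indirect
-github.com/fxamacker/cbor/v2 v2.7.0 // indirect
+github.com/emicklei/go-restful/v3 v3.12.2 // indirect
+github.com/fsnotify/fsnotify v1.9.0 // indirect
+github.com/fxamacker/cbor/v2 v2.9.0 // indirect
 github.com/go-logr/zapr v1.3.0 // indirect
 github.com/go-openapi/jsonpointer v0.21.0 // indirect
 github.com/go-openapi/jsonreference v0.20.2 // indirect
 github.com/go-openapi/swag v0.23.0 // indirect
 github.com/gogo/protobuf v1.3.2 // indirect
 github.com/google/btree v1.1.3 // indirect
-github.com/google/gnostic-models v0.6.9 // indirect
+github.com/google/gnostic-models v0.7.0 // indirect
 github.com/google/go-cmp v0.7.0 // indirect
 github.com/huandu/xstrings v1.5.0 // indirect
 github.com/josharian/intern v1.0.0 // indirect
@@ -47,37 +46,39 @@ require (
 github.com/mitchellh/copystructure v1.2.0 // indirect
 github.com/mitchellh/reflectwalk v1.0.2 // indirect
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-github.com/modern-go/reflect2 v1.0.2 // indirect
+github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 github.com/nxadm/tail v1.4.8 // indirect
+github.com/pmezard/go-difflib v1.0.0 // indirect
 github.com/prometheus/client_golang v1.22.0 // indirect
 github.com/prometheus/client_model v0.6.1 // indirect
 github.com/prometheus/common v0.62.0 // indirect
 github.com/prometheus/procfs v0.15.1 // indirect
 github.com/shopspring/decimal v1.4.0 // indirect
 github.com/spf13/cast v1.7.0 // indirect
-github.com/spf13/pflag v1.0.5 // indirect
+github.com/spf13/pflag v1.0.9 // indirect
 github.com/x448/float16 v0.8.4 // indirect
 go.uber.org/multierr v1.11.0 // indirect
 go.uber.org/zap v1.27.0 // indirect
-go.yaml.in/yaml/v2 v2.4.2 // indirect
-golang.org/x/crypto v0.45.0 // indirect
+go.yaml.in/yaml/v2 v2.4.3 // indirect
+go.yaml.in/yaml/v3 v3.0.4 // indirect
+golang.org/x/crypto v0.46.0 // indirect
 golang.org/x/net v0.47.0 // indirect
-golang.org/x/sync v0.18.0 // indirect
-golang.org/x/sys v0.38.0 // indirect
-golang.org/x/term v0.37.0 // indirect
-golang.org/x/text v0.31.0 // indirect
+golang.org/x/sync v0.19.0 // indirect
+golang.org/x/sys v0.39.0 // indirect
+golang.org/x/term v0.38.0 // indirect
+golang.org/x/text v0.32.0 // indirect
 golang.org/x/time v0.9.0 // indirect
 gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 google.golang.org/protobuf v1.36.11 // indirect
-gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
+gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
-k8s.io/apiextensions-apiserver v0.33.0 // indirect
+k8s.io/apiextensions-apiserver v0.34.1 // indirect
 k8s.io/klog/v2 v2.130.1 // indirect
-k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect
-sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 sigs.k8s.io/randfill v1.0.0 // indirect
-sigs.k8s.io/structured-merge-diff/v4 v4.6.0 // indirect
+sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
 )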
