✨Remove the use of the cryptographically weak MD5 hash

Author: 12345lcr

hack/images/ci/conformance.sh

@@ -81,7 +81,12 @@ export TF_VAR_vsphere_network="sddc-cgw-network-3"
 
 # The cluster name is a combination of the build ID and the first seven
 # characters of a hash of the job ID.
-CLUSTER_NAME="prow-$(echo "${BUILD_ID:-1}-${PROW_JOB_ID:-$(date +%s)}" | { md5sum 2>/dev/null || md5; } | awk '{print $1}' | cut -c-7)"
+if command -v python3 >/dev/null 2>&1; then
+  SUFFIX=$(python3 -c "h = 2166136261; [h := ((h ^ b) * 16777619) & 0xffffffff for b in b\"${BUILD_ID:-1}-${PROW_JOB_ID:-$(date +%s)}\"]; print(f\"{h:08x}\")" | cut -c-7)
+else
+  SUFFIX=$(echo "${BUILD_ID:-1}-${PROW_JOB_ID:-$(date +%s)}" | { sha256sum 2>/dev/null || shasum -a 256; } | awk '{print $1}' | cut -c-7)
+fi
+CLUSTER_NAME="prow-${SUFFIX}"
 
 # Write information about the build out to disk.
 cat <<EOF >"${ARTIFACTS-}/build-info.json"

pkg/cloudprovider/vsphereparavirtual/vmservice/vmservice.go

@@ -18,7 +18,7 @@ package vmservice
 
 import (
 	"context"
-	"crypto/md5" // #nosec
+	"crypto/sha256"
 	"encoding/hex"
 	"fmt"
 	"reflect"
@@ -29,6 +29,7 @@ import (
 	v1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
 
 	vmop "k8s.io/cloud-provider-vsphere/pkg/cloudprovider/vsphereparavirtual/vmoperator"
 	vmoptypes "k8s.io/cloud-provider-vsphere/pkg/cloudprovider/vsphereparavirtual/vmoperator/types"
@@ -106,15 +107,50 @@ func NewVMService(vmClient vmop.Interface, ns string, ownerRef *metav1.OwnerRefe
 }
 
 func (s *vmService) hashString(str string) string {
-	// #nosec
-	hash := md5.New()
+	// SHA-256 is used as a FIPS-approved, well-distributed hash to derive a
+	// deterministic name suffix. The output is later truncated to
+	// MaxCheckSumLen; this is not a security-sensitive use.
+	hash := sha256.New()
 	if _, err := hash.Write([]byte(str)); err != nil {
 		log.Error(err, "create hash string failed")
 	}
 
 	return hex.EncodeToString(hash.Sum(nil))
 }
 
+// findLegacyVMService locates a VirtualMachineService that was created by an
+// older release using a different name-hashing scheme. It matches on the
+// identifying labels that the CPI has always stamped on every
+// VirtualMachineService, so the lookup is independent of how the name was
+// generated. Returns nil when no matching resource exists.
+//
+// Any List error (including a missing "list" RBAC permission) is logged and
+// treated as "no legacy resource found" so that the primary, name-based flow is
+// never blocked. In particular, a freshly created Service has no
+// VirtualMachineService yet and must still be able to proceed to Create.
+func (s *vmService) findLegacyVMService(ctx context.Context, service *v1.Service, clusterName string) *vmoptypes.VirtualMachineServiceInfo {
+	logger := log.WithValues("name", service.Name, "namespace", service.Namespace)
+
+	selector := labels.SelectorFromSet(labels.Set{
+		LabelClusterNameKey:      clusterName,
+		LabelServiceNameKey:      service.Name,
+		LabelServiceNameSpaceKey: service.Namespace,
+	}).String()
+
+	list, err := s.vmClient.VirtualMachineServices().List(ctx, s.namespace, vmoptypes.ListOptions{LabelSelector: selector})
+	if err != nil {
+		logger.Error(err, "failed to list VirtualMachineServices for legacy lookup; treating as not found")
+		return nil
+	}
+	if len(list) == 0 {
+		return nil
+	}
+	if len(list) > 1 {
+		logger.V(2).Info("multiple VirtualMachineServices matched the legacy label lookup; using the first", "count", len(list))
+	}
+	return list[0]
+}
+
 // GetVMServiceName returns VirtualMachineService name for a lb type of service
 func (s *vmService) GetVMServiceName(service *v1.Service, clusterName string) string {
 	suffix := s.hashString(service.Name + "." + service.Namespace)
@@ -133,9 +169,17 @@ func (s *vmService) Get(ctx context.Context, service *v1.Service, clusterName st
 	logger := log.WithValues("name", service.Name, "namespace", service.Namespace)
 	logger.V(2).Info("Attempting to get VirtualMachineService")
 
-	vmService, err := s.vmClient.VirtualMachineServices().Get(ctx, s.namespace, s.GetVMServiceName(service, clusterName))
+	name := s.GetVMServiceName(service, clusterName)
+	vmService, err := s.vmClient.VirtualMachineServices().Get(ctx, s.namespace, name)
 	if err != nil {
 		if apierrors.IsNotFound(err) {
+			// Fallback for resources created by an older release that used a
+			// different name-hashing scheme. Located via the always-present
+			// identifying labels rather than by recomputing the legacy name.
+			if legacy := s.findLegacyVMService(ctx, service, clusterName); legacy != nil {
+				logger.V(2).Info("VirtualMachineService not found by name; found legacy resource via labels", "legacyName", legacy.Name)
+				return legacy, nil
+			}
 			return nil, nil
 		}
 		logger.Error(ErrGetVMService, fmt.Sprintf("%v", err))
@@ -304,8 +348,27 @@ func (s *vmService) Delete(ctx context.Context, service *v1.Service, clusterName
 	logger := log.WithValues("name", service.Name, "namespace", service.Namespace)
 	logger.V(2).Info("Attempting to delete VirtualMachineService")
 
-	err := s.vmClient.VirtualMachineServices().Delete(ctx, s.namespace, s.GetVMServiceName(service, clusterName))
+	name := s.GetVMServiceName(service, clusterName)
+	err := s.vmClient.VirtualMachineServices().Delete(ctx, s.namespace, name)
 	if err != nil {
+		if apierrors.IsNotFound(err) {
+			// Fallback: a resource created by an older release lives under a
+			// different name. Locate it via the identifying labels and delete it.
+			legacy := s.findLegacyVMService(ctx, service, clusterName)
+			if legacy == nil {
+				return nil
+			}
+			logger.V(2).Info("VirtualMachineService not found by name; deleting legacy resource found via labels", "legacyName", legacy.Name)
+			if derr := s.vmClient.VirtualMachineServices().Delete(ctx, s.namespace, legacy.Name); derr != nil {
+				if apierrors.IsNotFound(derr) {
+					return nil
+				}
+				logger.Error(ErrDeleteVMService, fmt.Sprintf("failed to delete legacy VirtualMachineService: %v", derr))
+				return derr
+			}
+			logger.V(2).Info("Successfully deleted legacy VirtualMachineService")
+			return nil
+		}
 		logger.Error(ErrDeleteVMService, fmt.Sprintf("%v", err))
 		return err
 	}

pkg/cloudprovider/vsphereparavirtual/vmservice/vmservice_test.go

@@ -176,6 +176,62 @@ func TestGetVMService(t *testing.T) {
 	assert.NoError(t, err)
 }
 
+func TestGetVMService_LegacyFallback(t *testing.T) {
+	testK8sService, vms, _ := initTest(testServiceAnnotationPropagationEnabled)
+	k8sService := &v1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      testK8sServiceName,
+			Namespace: testK8sServiceNameSpace,
+		},
+	}
+
+	// Simulate a VirtualMachineService created by an older release: it lives
+	// under a name that does NOT match the current (SHA-256-based) scheme, but it
+	// carries the identifying labels that the CPI has always stamped on every
+	// VirtualMachineService.
+	legacyName := "legacy-" + testClustername + "-deadbeef"
+	ports, _ := findPorts(testK8sService)
+	legacyInfo := &vmoptypes.VirtualMachineServiceInfo{
+		Name:      legacyName,
+		Namespace: testClusterNameSpace,
+		Labels: map[string]string{
+			LabelClusterNameKey:      testClustername,
+			LabelServiceNameKey:      testK8sServiceName,
+			LabelServiceNameSpaceKey: testK8sServiceNameSpace,
+		},
+		Spec: vmoptypes.VirtualMachineServiceSpec{
+			Type:  vmoptypes.VirtualMachineServiceTypeLoadBalancer,
+			Ports: ports,
+			Selector: map[string]string{
+				ClusterSelectorKey: testClustername,
+				NodeSelectorKey:    NodeRole,
+			},
+		},
+	}
+	_, err := vms.(*vmService).vmClient.VirtualMachineServices().Create(context.Background(), legacyInfo)
+	assert.NoError(t, err)
+
+	// Sanity check: the legacy resource is not reachable by the current name.
+	currentName := vms.GetVMServiceName(k8sService, testClustername)
+	assert.NotEqual(t, legacyName, currentName)
+
+	// Get must fall back to the label-based lookup and find the legacy resource.
+	vmServiceObj, err := vms.Get(context.Background(), k8sService, testClustername)
+	assert.NoError(t, err)
+	assert.NotNil(t, vmServiceObj)
+	assert.Equal(t, legacyName, vmServiceObj.Name)
+
+	// Delete must likewise fall back and remove the legacy resource.
+	err = vms.Delete(context.Background(), k8sService, testClustername)
+	assert.NoError(t, err)
+
+	// Verify it is indeed deleted.
+	deletedObj, err := vms.(*vmService).vmClient.VirtualMachineServices().Get(context.Background(), testClusterNameSpace, legacyName)
+	assert.Error(t, err)
+	assert.True(t, apierrors.IsNotFound(err))
+	assert.Nil(t, deletedObj)
+}
+
 func TestCreateVMService(t *testing.T) {
 	testK8sService, vms, _ := initTest(testServiceAnnotationPropagationEnabled)
 	ports, _ := findPorts(testK8sService)