stakater / Reloader

A Kubernetes controller to watch changes in ConfigMap and Secrets and do rolling upgrades on Pods with their associated Deployment, StatefulSet, DaemonSet and DeploymentConfig – [✩Star] if you're using it!
https://docs.stakater.com/reloader/
Apache License 2.0
7.2k stars 474 forks

[BUG] SHA-1 hashing should not be used for secret data on owning resource #594

Open scartledge opened 7 months ago

scartledge commented 7 months ago

Describe the bug
SHA-1 hashing is used by the Reloader operator to store secret data on an environment variable or annotation of the owning resource. Given the weakness of SHA-1, a stronger hashing algorithm should be used, such as SHA-2 or SHA-3, with a minimum digest of 256 bits.

To Reproduce
Use the Reloader operator for a secret on a deployment. Depending on the reload strategy, the SHA-1 hashed secret data will be stored on the owning resource in either an environment variable or annotation.

Expected behavior
Use a stronger hashing algorithm when storing secret data on the owning resource.

Screenshots
N/A

Environment

Additional context
None

IdanAdar commented 7 months ago

Related PR https://github.com/stakater/Reloader/pull/527

paketb0te commented 2 months ago

I am not sure I understand the issue correctly.

AFAIK, the weaknesses of SHA-1 are only related to being able to create collisions (if input A creates a hash value X, it might be possible to find another input B that results in the same hash value), which is why it is not suitable for cryptographic operations. But since it is (AFAIK) not possible to get the original input from the hash value, I think that there is no problem storing these hash values in env vars / annotations.

Are there any other weaknesses of SHA-1 that I am unaware of? Or did I maybe misunderstand the issue? @scartledge thanks for clarifying.
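The mechanism the thread is debating, as an added example that is not Reloader's own code: a controller fingerprints a Secret's data, records the digest on the owning workload (annotation or env var), and triggers a rollout when the recomputed digest differs. The digest construction below (sorted keys, length-prefixed fields, SHA-256 beside SHA-1 for comparison) is this example's own assumption about how such a fingerprint can be built, not a description of Reloader's implementation; the Secret contents are constructed sample data.

```go
package main

import (
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"hash"
	"sort"
)

// SecretData mirrors the data map of a Kubernetes Secret
// (constructed sample values, not read from any cluster).
type SecretData map[string][]byte

// digestWith hashes a Secret's data deterministically. Keys are sorted so the
// digest does not depend on Go's randomised map iteration order, and every key
// and value is length-prefixed so that "a"+"bc" and "ab"+"c" cannot produce the
// same byte stream by concatenation alone. Assumption of this example, not
// Reloader's scheme.
func digestWith(newHash func() hash.Hash, data SecretData) string {
	keys := make([]string, 0, len(data))
	for k := range data {
		keys = append(keys, k)
	}
	sort.Strings(keys)

	h := newHash()
	for _, k := range keys {
		fmt.Fprintf(h, "%d:%s", len(k), k)
		fmt.Fprintf(h, "%d:", len(data[k]))
		h.Write(data[k])
	}
	return hex.EncodeToString(h.Sum(nil))
}

// DigestSHA256 produces the 256-bit fingerprint the issue asks for.
func DigestSHA256(data SecretData) string { return digestWith(sha256.New, data) }

// DigestSHA1 produces the 160-bit fingerprint the issue reports as too weak.
func DigestSHA1(data SecretData) string { return digestWith(sha1.New, data) }

// Changed reports whether the Secret's current data differs from the
// fingerprint previously recorded on the owning resource.
func Changed(recorded string, current SecretData) bool {
	return recorded != DigestSHA256(current)
}

func main() {
	// Constructed sample Secret before and after a credential rotation.
	v1 := SecretData{"username": []byte("svc-account"), "password": []byte("hunter2")}
	v2 := SecretData{"username": []byte("svc-account"), "password": []byte("hunter3")}

	recorded := DigestSHA256(v1)
	fmt.Println("annotation value (sha256):", recorded, "hex length:", len(recorded))
	fmt.Println("sha1 hex length for comparison:", len(DigestSHA1(v1)))
	fmt.Println("rotated secret triggers reload:", Changed(recorded, v2)) // true
	fmt.Println("unchanged secret, no reload:   ", Changed(recorded, v1)) // false
}
```

Whichever hash function is chosen, the value written to the workload is derived solely from the Secret's contents; switching from SHA-1 to SHA-256 changes the digest's length and collision resistance, which is the point the issue raises, while the question of what a published fingerprint of secret material discloses is the one the thread is still discussing.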