Open scartledge opened 7 months ago
I am not sure I understand the issue correctly.
AFAIK, the weaknesses of SHA-1 are only related to being able to create collisions (if input A creates a hash value X, it might be possible to find another input B that results in the same hash value), which is why it is not suitable for cryptographic operations. But since it is (AFAIK) not possible to get the original input from the hash value, I think that there is no problem storing these hash values in env vars / annotations.
Are there any other weaknesses of SHA-1 that I am unaware of? Or did I maybe misunderstand the issue? @scartledge thanks for clarifying.
Describe the bug
SHA-1 hashing is used by the Reloader operator to store secret data on an environment variable or annotation of the owning resource. Given the weakness of SHA-1, a stronger hashing algorithm should be used, like SHA-2 or SHA-3 with a minimum digest of 256 bits.

To Reproduce
Use the Reloader operator for a secret on a deployment. Depending on the reload strategy, the SHA-1 hashed secret data will be stored on the owning resource in either an environment variable or annotation.

Expected behavior
Use a stronger hashing algorithm when storing secret data on the owning resource.

Screenshots
N/A

Environment

Additional context
None
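The expected behaviour above, as an added example that is not Reloader's own code: a deterministic SHA-256 digest over a Secret's data map, suitable for storing on the owning resource, plus the comparison that decides whether a reload is needed. The helper names secretDigest and needsReload and the sample Secret data are assumptions made for this illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// secretDigest returns a hex SHA-256 digest over a Secret's data map.
// Keys are sorted first so the digest is deterministic: Go map iteration
// order is randomised, and a digest that differed between two
// reconciliations of an unchanged Secret would cause spurious reloads.
// Keys and values are length-prefixed so ("ab","c") and ("a","bc")
// cannot produce the same input. (Hypothetical helper for this thread.)
func secretDigest(data map[string][]byte) string {
	keys := make([]string, 0, len(data))
	for k := range data {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	h := sha256.New()
	for _, k := range keys {
		fmt.Fprintf(h, "%d:%s", len(k), k)
		fmt.Fprintf(h, "%d:", len(data[k]))
		h.Write(data[k])
	}
	return hex.EncodeToString(h.Sum(nil))
}

// needsReload compares the digest stored on the owning resource (for
// example in an annotation) with the digest of the current Secret data.
func needsReload(storedDigest string, current map[string][]byte) bool {
	return storedDigest != secretDigest(current)
}

func main() {
	// Constructed sample Secret: unchanged data gives a stable digest.
	v1 := map[string][]byte{"password": []byte("hunter2"), "username": []byte("app")}
	annotation := secretDigest(v1)
	fmt.Println("stored digest:", annotation)
	fmt.Println("reload on identical data:", needsReload(annotation, v1))

	// A rotated password changes the digest and triggers a reload.
	v2 := map[string][]byte{"password": []byte("correct-horse"), "username": []byte("app")}
	fmt.Println("reload after rotation:", needsReload(annotation, v2))
}
```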