Documentation
¶
Overview ¶
Package hash provides the spec hash computation and comparison for the Effectiveness Monitor. It computes a deterministic canonical hash of the target resource's spec to detect whether the remediation's changes are still in effect (no drift).
Business Requirements: - BR-EM-004: Spec hash comparison to detect configuration drift
Hash Algorithm (DD-EM-002):
- Uses pkg/shared/hash.CanonicalResourceFingerprint for cross-service consistency
- Both the RO (pre-remediation) and EM (post-remediation) use the same algorithm
- Deterministic, map-order independent, slice-order independent
- Returns "sha256:<lowercase-hex>" format
Pre/Post Comparison:
- When a pre-remediation hash is available (from DS audit trail), the Computer compares it with the post-remediation hash and sets the Match field
- Match=true means no spec change (possible drift-back or no-op remediation)
- Match=false means spec changed (expected for successful remediations)
- Match=nil means no pre-hash available (comparison not possible)
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type ComputeResult ¶
type ComputeResult struct {
// Hash is the post-remediation canonical hash ("sha256:<64-char-hex>").
Hash string
// PreHash is the pre-remediation hash from the DS audit trail.
// Empty string if not available.
PreHash string
// Match indicates whether pre and post hashes are identical.
// nil if no PreHash was provided (comparison not possible).
// true if hashes match (no spec change detected).
// false if hashes differ (spec changed, expected for successful remediations).
Match *bool
// Component is the full ComponentResult for audit reporting.
Component types.ComponentResult
}
ComputeResult contains the outcome of a hash computation and optional comparison.
type Computer ¶
type Computer interface {
// Compute calculates the canonical SHA-256 hash of the given spec map
// and optionally compares it with the pre-remediation hash.
Compute(input SpecHashInput) ComputeResult
}
Computer computes deterministic canonical hashes of Kubernetes resource specs and optionally compares them with pre-remediation hashes.
type DeferralResult ¶
type DeferralResult struct {
// ShouldDefer is true when hash computation must be postponed.
ShouldDefer bool
// RequeueAfter is the duration to wait before retrying. Zero when no deferral needed.
RequeueAfter time.Duration
}
DeferralResult contains the outcome of a hash deferral check (DD-EM-004).
func CheckHashDeferral ¶
func CheckHashDeferral(ea *eav1.EffectivenessAssessment) DeferralResult
CheckHashDeferral evaluates whether hash computation should be deferred for an EffectivenessAssessment based on the HashComputeDelay duration in EAConfig.
Business behavior (BR-EM-010.1, DD-EM-004, Issue #277):
- When HashComputeDelay is nil or zero: compute hash immediately (backward compatible)
- When creation + HashComputeDelay is in the past: compute hash immediately
- When creation + HashComputeDelay is in the future: defer and requeue after remaining duration
The RO sets HashComputeDelay for async-managed targets (GitOps, operator CRDs) so the EM captures the post-remediation spec after the external controller reconciles.
type SpecHashInput ¶
type SpecHashInput struct {
// Spec is the target resource's full obj.Object (for CanonicalResourceFingerprint).
// When FunctionalState is non-nil, it takes precedence over Spec.
Spec map[string]interface{}
// FunctionalState is the full K8s object (obj.Object) for CanonicalResourceFingerprint (#765).
// When set, the Computer uses CanonicalResourceFingerprint on the full object.
FunctionalState map[string]interface{}
// PreHash is the pre-remediation spec hash from the DS audit trail.
// Format: "sha256:<hex>". Empty string if not available.
// When provided, the Computer will compare pre and post hashes.
PreHash string
// ConfigMapHashes is a map of ConfigMap name -> content hash ("sha256:<hex>").
// Pre-computed by the caller using pkg/shared/hash.ConfigMapDataHash.
// When non-empty, the Computer produces a composite hash that incorporates
// both the fingerprint and the ConfigMap content hashes (#396, BR-EM-004).
// When nil or empty, the Computer falls back to fingerprint-only hash.
ConfigMapHashes map[string]string
}
SpecHashInput contains the data needed to compute a resource fingerprint.
Source Files