Overview
Package hash provides a canonical hashing utility for Kubernetes resource specs.
DD-EM-002: Both the Remediation Orchestrator and Effectiveness Monitor use CanonicalResourceFingerprint to compute deterministic, order-independent SHA-256 hashes of resource functional state. This enables cross-process pre/post remediation comparison without being affected by Go's non-deterministic map iteration or Kubernetes API server slice reordering.
Guarantees:
- Idempotent: same logical content always produces the same hash
- Map-order independent: key iteration order does not affect output
- Slice-order independent: element reordering does not affect output
- Cross-process portable: separate binaries produce identical hashes
- Format: "sha256:<64-lowercase-hex>" (71 characters total)
Package hash -- ConfigMap-aware composite hashing for #396 (BR-EM-004).
ExtractConfigMapRefs walks a Kubernetes resource's unstructured .spec to find all ConfigMap references (volumes, projected volumes, envFrom, env valueFrom) across containers, initContainers, and ephemeralContainers. Kind-aware: resolves the pod template path based on the resource Kind.
ConfigMapDataHash computes a deterministic SHA-256 of a ConfigMap's .data and .binaryData fields, suitable for inclusion in a composite spec hash.
CompositeSpecHash combines a spec hash with sorted per-ConfigMap hashes into a single digest. It is the identity function when no ConfigMap hashes are provided: the spec hash is returned unchanged.
Index
- func CanonicalResourceFingerprint(obj map[string]interface{}) (string, error)
- func CompositeResourceFingerprint(fingerprint string, configMapHashes map[string]string) (string, error)
- func CompositeSpecHash(specHash string, configMapHashes map[string]string) (string, error) (deprecated)
- func ConfigMapDataHash(data map[string]string, binaryData map[string][]byte) (string, error)
- func ExtractConfigMapRefs(spec map[string]interface{}, kind string) []string
Functions
func CanonicalResourceFingerprint (added in v1.3.0)
CanonicalResourceFingerprint computes a deterministic SHA-256 hash of a Kubernetes resource's functional state (DD-EM-002 v2.0, #765).
It strips non-functional top-level keys (apiVersion, kind, metadata, status) and hashes the remaining map. For a Deployment this is {spec: {...}}, for a ConfigMap it's {data: {...}, binaryData: {...}}, for a ClusterRole it's {rules: [...], aggregationRule: {...}}.
Normalization guarantees:
- Map-order independent
- Slice-order independent
- Idempotent
- Format: "sha256:<64-lowercase-hex>" (71 characters)
func CompositeResourceFingerprint (added in v1.3.0)
func CompositeResourceFingerprint(fingerprint string, configMapHashes map[string]string) (string, error)
CompositeResourceFingerprint combines a resource fingerprint with per-ConfigMap content hashes into a single composite digest (#765, DD-EM-002 v2.0).
ConfigMap names are sorted before concatenation to ensure order independence. Identity: if configMapHashes is nil or empty, returns fingerprint unchanged.
Note: Secrets are excluded from cascading per project policy (Vault-managed, rotational, not functional configuration state).
func CompositeSpecHash (deprecated, added in v1.2.0)
CompositeSpecHash combines a spec hash with per-ConfigMap content hashes into a single composite digest. ConfigMap names are sorted before concatenation to ensure order independence.
Identity: if configMapHashes is nil or empty, returns specHash unchanged. This preserves backward compatibility for resources with no ConfigMap refs.
Deprecated: Use CompositeResourceFingerprint for new code (#765).
func ConfigMapDataHash (added in v1.2.0)
ConfigMapDataHash computes a deterministic SHA-256 hash of a ConfigMap's content. String data keys are serialized as "key=value"; binary data keys are serialized as "key=base64(<bytes>)". All keys are sorted before hashing. Returns "sha256:<64-lowercase-hex>" (71 chars total).
func ExtractConfigMapRefs (added in v1.2.0)
ExtractConfigMapRefs returns a deduplicated, sorted list of ConfigMap names referenced by the given resource spec. The kind parameter determines how to locate the pod template within the spec:
- Deployment, StatefulSet, DaemonSet, ReplicaSet, Job: spec.template.spec
- Pod: spec directly
- CronJob: spec.jobTemplate.spec.template.spec
- All other kinds: returns nil (no pod template)
Never panics on malformed input; uses defensive type assertions throughout.