
Commit 446d859

committed
Simplify comment
1 parent dac89c3 commit 446d859

1 file changed

+8
-10
lines changed

vault/cache_key.go

Lines changed: 8 additions & 10 deletions
@@ -139,16 +139,10 @@ func ComputeClientCacheKeyFromMeta(ctx context.Context, client ctrlclient.Client
139139

140140
// ComputeClientCacheKey for use in a ClientCache. It is derived by combining instances of
141141
// VaultAuth, VaultConnection, and a CredentialProvider UID.
142-
//
143-
// When isStandalone is false (normal VSO operation with K8s resources):
144-
// - Uses K8s resource UIDs and generations from authObj, connObj, and providerUID
145-
// - Validates that all UIDs are exactly 36 characters
146-
// - Checks for duplicate UIDs
147-
//
148-
// When isStandalone is true (standalone mode without K8s resources):
149-
// - Uses content-based hashes of authObj.Spec and connObj.Spec instead of UIDs
150-
// - Allows empty UIDs from objects not fetched from K8s API
151-
// - Generation is always 1 since objects aren't K8s resources
142+
// All of these elements are summed together into a SHA256 checksum,
143+
// and prefixed with the VaultAuth method. The chances of a collision are extremely remote,
144+
// since the inputs into the hash should always be unique. For example, we use the UUID
145+
// from three different sources as inputs.
152146
//
153147
// The resulting key will resemble something like: kubernetes-2a8108711ae49ac0faa724, where the prefix
154148
// is the VaultAuth.Spec.Method, and the remainder is the concatenation of the
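Review bot: The replacement text loses the two validation facts the old comment documented for the non-standalone path, namely that every UID must be exactly 36 characters and that duplicate UIDs are rejected; the remaining "if any of the inputs do not conform in any way" sentence in the next hunk is too vague to tell a reader what is actually checked, so I would keep a one-line mention of those checks near the new paragraph. Also, "All of these elements are summed together into a SHA256 checksum" is misleading, since a hash is computed over the concatenated inputs rather than a sum; suggest "are concatenated and hashed into a SHA256 checksum".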
@@ -160,6 +154,10 @@ func ComputeClientCacheKeyFromMeta(ctx context.Context, client ctrlclient.Client
160154
//
161155
// If the computed cache-key exceeds 63 characters, the limit imposed for Kubernetes resource names,
162156
// or if any of the inputs do not conform in any way, an error will be returned.
157+
//
158+
// Cache key generation is simpler when isStandalone is true (indicating a client without access to k8s resources):
159+
// - Uses content-based hashes of authObj.Spec and connObj.Spec instead of UIDs
160+
// - Generation is always 1 since objects aren't actual k8s resources
163161
func computeClientCacheKey(authObj *secretsv1beta1.VaultAuth, connObj *secretsv1beta1.VaultConnection, providerUID types.UID, isStandalone bool) (ClientCacheKey, error) {
164162
var errs error
165163
method := authObj.Spec.Method
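Review bot: The new standalone paragraph contradicts the collision argument given earlier in the same comment. That argument rests on "the UUID from three different sources" being unique inputs, but in standalone mode the first bullet says UIDs are replaced by content hashes of authObj.Spec and connObj.Spec, so two clients with identical specs would produce the same key; the comment should say that the uniqueness guarantee is weaker in this mode. The removed line "Allows empty UIDs from objects not fetched from K8s API" is also worth restoring, because it documents a relaxed validation path that a reader of the UID checks would otherwise not expect.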