combine the various places where hashing happens into one single package

On-behalf-of: @SAP [email protected]

Author: xrstf

internal/controller/apiresourceschema/controller.go

@@ -18,9 +18,6 @@ package apiresourceschema
 
 import (
 	"context"
-	"crypto/sha1"
-	"encoding/hex"
-	"encoding/json"
 	"fmt"
 	"reflect"
 	"strings"
@@ -29,6 +26,7 @@ import (
 	"go.uber.org/zap"
 
 	"github.com/kcp-dev/api-syncagent/internal/controllerutil/predicate"
+	"github.com/kcp-dev/api-syncagent/internal/crypto"
 	"github.com/kcp-dev/api-syncagent/internal/discovery"
 	"github.com/kcp-dev/api-syncagent/internal/projection"
 	syncagentv1alpha1 "github.com/kcp-dev/api-syncagent/sdk/apis/syncagent/v1alpha1"
@@ -255,15 +253,7 @@ func (r *Reconciler) applyProjection(apiGroup string, crd *apiextensionsv1.Custo
 // getAPIResourceSchemaName generates the name for the ARS in kcp. Note that
 // kcp requires, just like CRDs, that ARS are named following a specific pattern.
 func (r *Reconciler) getAPIResourceSchemaName(apiGroup string, crd *apiextensionsv1.CustomResourceDefinition) string {
-	hash := sha1.New()
-	if err := json.NewEncoder(hash).Encode(crd.Spec.Names); err != nil {
-		// This is not something that should ever happen at runtime and is also not
-		// something we can really gracefully handle, so crashing and restarting might
-		// be a good way to signal the service owner that something is up.
-		panic(fmt.Sprintf("Failed to hash PublishedResource source: %v", err))
-	}
-
-	checksum := hex.EncodeToString(hash.Sum(nil))
+	checksum := crypto.Hash(crd.Spec.Names)
 
 	// include a leading "v" to prevent SHA-1 hashes with digits to break the name
 	return fmt.Sprintf("v%s.%s.%s", checksum[:8], crd.Spec.Names.Plural, apiGroup)

internal/crypto/hash.go

@@ -0,0 +1,51 @@
+/*
+Copyright 2025 The KCP Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package crypto
+
+import (
+	"crypto/sha1"
+	"encoding/hex"
+	"encoding/json"
+	"fmt"
+)
+
+func Hash(data any) string {
+	hash := sha1.New()
+
+	var err error
+	switch asserted := data.(type) {
+	case string:
+		_, err = hash.Write([]byte(asserted))
+	case []byte:
+		_, err = hash.Write(asserted)
+	default:
+		err = json.NewEncoder(hash).Encode(data)
+	}
+
+	if err != nil {
+		// This is not something that should ever happen at runtime and is also not
+		// something we can really gracefully handle, so crashing and restarting might
+		// be a good way to signal the service owner that something is up.
+		panic(fmt.Sprintf("Failed to hash: %v", err))
+	}
+
+	return hex.EncodeToString(hash.Sum(nil))
+}
+
+func ShortHash(data any) string {
+	return Hash(data)[:20]
+}

internal/projection/naming.go

@@ -17,13 +17,12 @@ limitations under the License.
 package projection
 
 import (
-	"crypto/sha1"
-	"encoding/hex"
 	"fmt"
 	"strings"
 
 	"github.com/kcp-dev/logicalcluster/v3"
 
+	"github.com/kcp-dev/api-syncagent/internal/crypto"
 	syncagentv1alpha1 "github.com/kcp-dev/api-syncagent/sdk/apis/syncagent/v1alpha1"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -44,9 +43,9 @@ func GenerateLocalObjectName(pr *syncagentv1alpha1.PublishedResource, object met
 	replacer := strings.NewReplacer(
 		// order of elements is important here, "$fooHash" needs to be defined before "$foo"
 		syncagentv1alpha1.PlaceholderRemoteClusterName, clusterName.String(),
-		syncagentv1alpha1.PlaceholderRemoteNamespaceHash, shortSha1Hash(object.GetNamespace()),
+		syncagentv1alpha1.PlaceholderRemoteNamespaceHash, crypto.ShortHash(object.GetNamespace()),
 		syncagentv1alpha1.PlaceholderRemoteNamespace, object.GetNamespace(),
-		syncagentv1alpha1.PlaceholderRemoteNameHash, shortSha1Hash(object.GetName()),
+		syncagentv1alpha1.PlaceholderRemoteNameHash, crypto.ShortHash(object.GetName()),
 		syncagentv1alpha1.PlaceholderRemoteName, object.GetName(),
 	)
 
@@ -68,17 +67,3 @@ func GenerateLocalObjectName(pr *syncagentv1alpha1.PublishedResource, object met
 
 	return result
 }
-
-func shortSha1Hash(value string) string {
-	hash := sha1.New()
-	if _, err := hash.Write([]byte(value)); err != nil {
-		// This is not something that should ever happen at runtime and is also not
-		// something we can really gracefully handle, so crashing and restarting might
-		// be a good way to signal the service owner that something is up.
-		panic(fmt.Sprintf("Failed to hash string: %v", err))
-	}
-
-	encoded := hex.EncodeToString(hash.Sum(nil))
-
-	return encoded[:20]
-}

internal/sync/state_store.go

@@ -17,12 +17,10 @@ limitations under the License.
 package sync
 
 import (
-	"crypto/sha1"
-	"encoding/hex"
-	"encoding/json"
 	"fmt"
 	"strings"
 
+	"github.com/kcp-dev/api-syncagent/internal/crypto"
 	"github.com/kcp-dev/logicalcluster/v3"
 
 	corev1 "k8s.io/api/core/v1"
@@ -112,34 +110,24 @@ type kubernetesBackend struct {
 }
 
 func hashObject(obj *unstructured.Unstructured) string {
-	data := map[string]any{
+	return crypto.ShortHash(map[string]any{
 		"apiVersion": obj.GetAPIVersion(),
+		"kind":       obj.GetKind(),
 		"namespace":  obj.GetNamespace(),
 		"name":       obj.GetName(),
-	}
-
-	hash := sha1.New()
-
-	if err := json.NewEncoder(hash).Encode(data); err != nil {
-		// This is not something that should ever happen at runtime and is also not
-		// something we can really gracefully handle, so crashing and restarting might
-		// be a good way to signal the service owner that something is up.
-		panic(fmt.Sprintf("Failed to hash object key: %v", err))
-	}
-
-	return hex.EncodeToString(hash.Sum(nil))
+	})
 }
 
 func newKubernetesBackend(namespace string, primaryObject, stateCluster syncSide) *kubernetesBackend {
-	keyHash := hashObject(primaryObject.object)
+	shortKeyHash := hashObject(primaryObject.object)
 
 	secretLabels := newObjectKey(primaryObject.object, primaryObject.clusterName, primaryObject.workspacePath).Labels()
 	secretLabels[objectStateLabelName] = objectStateLabelValue
 
 	return &kubernetesBackend{
 		secretName: types.NamespacedName{
 			// trim hash down; 20 was chosen at random
-			Name:      fmt.Sprintf("obj-state-%s-%s", primaryObject.clusterName, keyHash[:20]),
+			Name:      fmt.Sprintf("obj-state-%s-%s", primaryObject.clusterName, shortKeyHash),
 			Namespace: namespace,
 		},
 		labels:       secretLabels,