*: use a stable hash for client-side short-circuits

The previous approach here was to use go-spew, which, unfortunately, is
not a stable and germane encoding for objects. We are encoding objects
that we send to the Kubernetes API server, so features of go-spew like
printing the capacity of slices are not germane. This led to hashes of
otherwise identical (as far as the server was concerned) objects to be
determined as hashing differently.

Signed-off-by: Steve Kuznetsov <[email protected]>

Author: stevekuznetsov

.github/workflows/sanity.yaml

@@ -27,3 +27,4 @@ jobs:
       uses: "golangci/golangci-lint-action@v3"
       with:
         version: "v1.51.1"
+  

go.mod

@@ -5,7 +5,6 @@ go 1.20
 require (
 	github.com/blang/semver/v4 v4.0.0
 	github.com/coreos/go-semver v0.3.0
-	github.com/davecgh/go-spew v1.1.1
 	github.com/distribution/distribution v2.7.1+incompatible
 	github.com/evanphx/json-patch v5.6.0+incompatible
 	github.com/fsnotify/fsnotify v1.6.0
@@ -89,6 +88,7 @@ require (
 	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
 	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/docker/cli v23.0.1+incompatible // indirect
 	github.com/docker/distribution v2.8.2+incompatible // indirect
 	github.com/docker/docker v23.0.3+incompatible // indirect

pkg/controller/install/deployment.go

@@ -2,15 +2,13 @@ package install
 
 import (
 	"fmt"
-	"hash/fnv"
 	"time"
 
 	log "github.com/sirupsen/logrus"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	k8slabels "k8s.io/apimachinery/pkg/labels"
-	"k8s.io/apimachinery/pkg/util/rand"
 	"k8s.io/utils/pointer"
 
 	"github.com/operator-framework/api/pkg/operators/v1alpha1"
@@ -181,7 +179,10 @@ func (i *StrategyDeploymentInstaller) deploymentForSpec(name string, spec appsv1
 	// to 2 ReplicaSets per deployment it manages, saving memory.
 	dep.Spec.RevisionHistoryLimit = pointer.Int32(1)
 
-	hash = HashDeploymentSpec(dep.Spec)
+	hash, err = hashutil.DeepHashObject(&dep.Spec)
+	if err != nil {
+		return nil, "", err
+	}
 	dep.Labels[DeploymentSpecHashLabelKey] = hash
 
 	deployment = dep
@@ -327,11 +328,3 @@ func (i *StrategyDeploymentInstaller) cleanupOrphanedDeployments(deploymentSpecs
 
 	return nil
 }
-
-// HashDeploymentSpec calculates a hash given a copy of the deployment spec from a CSV, stripping any
-// operatorgroup annotations.
-func HashDeploymentSpec(spec appsv1.DeploymentSpec) string {
-	hasher := fnv.New32a()
-	hashutil.DeepHashObject(hasher, &spec)
-	return rand.SafeEncodeString(fmt.Sprint(hasher.Sum32()))
-}

pkg/controller/install/deployment_test.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"testing"
 
+	hashutil "github.com/operator-framework/operator-lifecycle-manager/pkg/lib/kubernetes/pkg/util/hash"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	appsv1 "k8s.io/api/apps/v1"
@@ -352,7 +353,11 @@ func TestInstallStrategyDeploymentCheckInstallErrors(t *testing.T) {
 			dep := testDeployment("olm-dep-1", namespace, &mockOwner)
 			dep.Spec.Template.SetAnnotations(map[string]string{"test": "annotation"})
 			dep.Spec.RevisionHistoryLimit = &revisionHistoryLimit
-			dep.SetLabels(labels.CloneAndAddLabel(dep.ObjectMeta.GetLabels(), DeploymentSpecHashLabelKey, HashDeploymentSpec(dep.Spec)))
+			hash, err := hashutil.DeepHashObject(&dep.Spec)
+			if err != nil {
+				t.Fatal(err)
+			}
+			dep.SetLabels(labels.CloneAndAddLabel(dep.ObjectMeta.GetLabels(), DeploymentSpecHashLabelKey, hash))
 			dep.Labels[OLMManagedLabelKey] = OLMManagedLabelValue
 			dep.Status.Conditions = append(dep.Status.Conditions, appsv1.DeploymentCondition{
 				Type:   appsv1.DeploymentAvailable,
@@ -374,7 +379,11 @@ func TestInstallStrategyDeploymentCheckInstallErrors(t *testing.T) {
 			deployment := testDeployment("olm-dep-1", namespace, &mockOwner)
 			deployment.Spec.Template.SetAnnotations(map[string]string{"test": "annotation"})
 			deployment.Spec.RevisionHistoryLimit = &revisionHistoryLimit
-			deployment.SetLabels(labels.CloneAndAddLabel(dep.ObjectMeta.GetLabels(), DeploymentSpecHashLabelKey, HashDeploymentSpec(deployment.Spec)))
+			hash, err = hashutil.DeepHashObject(&deployment.Spec)
+			if err != nil {
+				t.Fatal(err)
+			}
+			deployment.SetLabels(labels.CloneAndAddLabel(dep.ObjectMeta.GetLabels(), DeploymentSpecHashLabelKey, hash))
 			fakeClient.CreateOrUpdateDeploymentReturns(&deployment, tt.createDeploymentErr)
 			defer func() {
 				require.Equal(t, &deployment, fakeClient.CreateOrUpdateDeploymentArgsForCall(0))

pkg/controller/install/webhook.go

@@ -3,14 +3,12 @@ package install
 import (
 	"context"
 	"fmt"
-	"hash/fnv"
 
 	log "github.com/sirupsen/logrus"
 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
-	"k8s.io/apimachinery/pkg/util/rand"
 	"k8s.io/client-go/util/retry"
 
 	"github.com/operator-framework/api/pkg/operators/v1alpha1"
@@ -285,17 +283,14 @@ func addWebhookLabels(object metav1.Object, webhookDesc v1alpha1.WebhookDescript
 	if labels == nil {
 		labels = map[string]string{}
 	}
+	hash, err := hashutil.DeepHashObject(&webhookDesc)
+	if err != nil {
+		return err
+	}
 	labels[WebhookDescKey] = webhookDesc.GenerateName
-	labels[WebhookHashKey] = HashWebhookDesc(webhookDesc)
+	labels[WebhookHashKey] = hash
 	labels[OLMManagedLabelKey] = OLMManagedLabelValue
 	object.SetLabels(labels)
 
 	return nil
 }
-
-// HashWebhookDesc calculates a hash given a webhookDescription
-func HashWebhookDesc(webhookDesc v1alpha1.WebhookDescription) string {
-	hasher := fnv.New32a()
-	hashutil.DeepHashObject(hasher, &webhookDesc)
-	return rand.SafeEncodeString(fmt.Sprint(hasher.Sum32()))
-}

pkg/controller/operators/catalog/operator_test.go

@@ -999,15 +999,15 @@ func TestSyncCatalogSources(t *testing.T) {
 			},
 			expectedError: nil,
 			expectedObjs: []runtime.Object{
-				pod(*grpcCatalog),
+				pod(t, *grpcCatalog),
 			},
 		},
 		{
 			testName:      "CatalogSourceWithGrpcImage/EnsuresCorrectImage",
 			namespace:     "cool-namespace",
 			catalogSource: grpcCatalog,
 			k8sObjs: []runtime.Object{
-				pod(v1alpha1.CatalogSource{
+				pod(t, v1alpha1.CatalogSource{
 					ObjectMeta: metav1.ObjectMeta{
 						Name:      "cool-catalog",
 						Namespace: "cool-namespace",
@@ -1031,7 +1031,7 @@ func TestSyncCatalogSources(t *testing.T) {
 			},
 			expectedError: nil,
 			expectedObjs: []runtime.Object{
-				pod(*grpcCatalog),
+				pod(t, *grpcCatalog),
 			},
 		},
 		{
@@ -1110,7 +1110,7 @@ func TestSyncCatalogSources(t *testing.T) {
 				},
 			}),
 			k8sObjs: []runtime.Object{
-				pod(*grpcCatalog),
+				pod(t, *grpcCatalog),
 				service(grpcCatalog.GetName(), grpcCatalog.GetNamespace()),
 				serviceAccount(grpcCatalog.GetName(), grpcCatalog.GetNamespace(), "", objectReference("init secret")),
 			},
@@ -2119,14 +2119,17 @@ func toManifest(t *testing.T, obj runtime.Object) string {
 	return string(raw)
 }
 
-func pod(s v1alpha1.CatalogSource) *corev1.Pod {
+func pod(t *testing.T, s v1alpha1.CatalogSource) *corev1.Pod {
 	serviceAccount := &corev1.ServiceAccount{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: s.GetNamespace(),
 			Name:      s.GetName(),
 		},
 	}
-	pod := reconciler.Pod(&s, "registry-server", "central-opm", "central-util", s.Spec.Image, serviceAccount, s.GetLabels(), s.GetAnnotations(), 5, 10, 1001)
+	pod, err := reconciler.Pod(&s, "registry-server", "central-opm", "central-util", s.Spec.Image, serviceAccount, s.GetLabels(), s.GetAnnotations(), 5, 10, 1001)
+	if err != nil {
+		t.Fatal(err)
+	}
 	ownerutil.AddOwner(pod, &s, false, true)
 	return pod
 }

pkg/controller/operators/olm/apiservices.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 
+	hashutil "github.com/operator-framework/operator-lifecycle-manager/pkg/lib/kubernetes/pkg/util/hash"
 	log "github.com/sirupsen/logrus"
 	appsv1 "k8s.io/api/apps/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -414,7 +415,11 @@ func (a *Operator) areWebhooksAvailable(csv *v1alpha1.ClusterServiceVersion) (bo
 		// Create Webhook Label Selector
 		webhookLabels := ownerutil.OwnerLabel(csv, v1alpha1.ClusterServiceVersionKind)
 		webhookLabels[install.WebhookDescKey] = desc.GenerateName
-		webhookLabels[install.WebhookHashKey] = install.HashWebhookDesc(desc)
+		hash, err := hashutil.DeepHashObject(&desc)
+		if err != nil {
+			return false, err
+		}
+		webhookLabels[install.WebhookHashKey] = hash
 		webhookSelector := labels.SelectorFromSet(webhookLabels).String()
 
 		webhookCount := 0