Describe the bug
SHA-1 hashing is used by the Reloader operator to store secret data on an environment variable or annotation of the owning resource. Given the weakness of SHA-1, a stronger hashing algorithm should be used like SHA-2 and SHA-3 with a minimal digest of 256 bits.
To Reproduce
Use the Reloader operator for a secret on a deployment. Depending on the reload strategy, the SHA-1 hashed secret data will be stored on the owning resource in either an environment variable or annotation.
Expected behavior
Use a stronger hashing algorithm when storing secret data on the owning resource.
Screenshots
N/A
Environment
Operator Version: v1.0.56
Kubernetes/OpenShift Version: 1.27
Additional context
None
AFAIK, the weaknesses of SHA-1 are only related to being able to create collisions (if input A creates a hash value X, it might be possible to find another input B that results in the same hash value), which is why it is not suitable for cryptographic operations.
But since it is (AFAIK) not possible to get the original input from the hash value, I think that there is no problem storing these hash values in env vars / annotations.
Are there any other weaknesses of SHA-1 that I am unaware of?
Or did I maybe misunderstand the issue? @scartledge thanks for clarifying.
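The change-detection use discussed in the issue and the reply above, as an added example that is not Reloader's own code: a digest of a secret's data is stored on the workload and compared with a fresh digest to decide whether to reload, shown with SHA-1 beside SHA-256. The function names, the length-prefixed serialization and the sample secret are assumptions made for illustration.

```go
package main

import (
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// canonicalize (hypothetical helper) serializes the data map in sorted key
// order with length prefixes, so equal maps always give equal bytes.
func canonicalize(data map[string][]byte) []byte {
	keys := make([]string, 0, len(data))
	for k := range data {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	for _, k := range keys {
		fmt.Fprintf(&b, "%d:%s=%d:", len(k), k, len(data[k]))
		b.Write(data[k])
	}
	return []byte(b.String())
}

// digestSHA1 uses the algorithm the issue reports (160-bit digest).
func digestSHA1(data map[string][]byte) string {
	sum := sha1.Sum(canonicalize(data))
	return hex.EncodeToString(sum[:])
}

// digestSHA256 uses a SHA-2 digest of 256 bits, as the issue requests.
func digestSHA256(data map[string][]byte) string {
	sum := sha256.Sum256(canonicalize(data))
	return hex.EncodeToString(sum[:])
}

// needsReload compares the value stored on the workload with a fresh digest.
func needsReload(stored string, data map[string][]byte) bool {
	return stored != digestSHA256(data)
}

func main() {
	// Constructed sample secret, not real data.
	secret := map[string][]byte{"username": []byte("app"), "password": []byte("constructed-1")}
	stored := digestSHA256(secret)
	secret["password"] = []byte("constructed-2") // simulated rotation
	fmt.Println(digestSHA1(secret), stored, needsReload(stored, secret))
}
```

In this scheme a stored 40-character SHA-1 value can never equal a 64-character SHA-256 value, so changing the algorithm reports every watched workload as changed once.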