ytt
Please support bcrypt cryptography
Hello, I would appreciate it if YTT could support bcrypt in the same way as it does SHA256. Maybe using something like https://godoc.org/golang.org/x/crypto/bcrypt
Thanks!
Hey @dben, ytt has a goal to produce configuration deterministically (one example is no access to random data). bcrypt ultimately needs a salt (in addition to password and cost factor) as an input. https://godoc.org/golang.org/x/crypto/bcrypt internally uses crypto/rand to get x number of random bytes. Even if we expose a bcrypt function that explicitly takes a salt argument, one would have to provide it via a data value (similar to password content) or hard code it, and of course hard coding of salt would not be great. I'm curious how you are planning to use bcrypt in your configuration, to understand if we can do something about it.
Closing this for now since bcrypt requires access to randomness unless salt is provided explicitly. At that point you might as well provide bcrypted password. Feel free to reopen if more info arises.
Came up again: https://kubernetes.slack.com/archives/CH8KCCKA5/p1658338062768589
Providing the salt to make things consistent seems like a doable workaround, since the password would already need to be stored securely and the salt could be generated prior to the ytt call.
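Both options discussed above (a pre-hashed password passed as a data value, or a salt supplied by the caller) leave the cost and salt readable in the resulting hash string, so they can be checked before rendering. The following is an added example, not part of the thread and not ytt code: `Lint` and `re` are hypothetical names, and the sample values are constructed strings in bcrypt format, not real hashes.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// A bcrypt hash string is "$2b$<2-digit cost>$<22-char salt><31-char digest>";
// cost and salt sit in the clear, in bcrypt's own base64 alphabet.
var re = regexp.MustCompile(`^\$2[aby]\$(0[4-9]|[12][0-9]|3[01])\$([./A-Za-z0-9]{22})[./A-Za-z0-9]{31}$`)

// Lint flags malformed hashes, costs below minCost, and any salt shared by
// several entries, which is how a hard-coded salt shows up in the output.
func Lint(hashes map[string]string, minCost int) []string {
	var out []string
	bySalt := map[string][]string{}
	for name, h := range hashes {
		m := re.FindStringSubmatch(h)
		if m == nil {
			out = append(out, name+": not a bcrypt hash string")
			continue
		}
		if cost, _ := strconv.Atoi(m[1]); cost < minCost { // m[1] is two digits
			out = append(out, fmt.Sprintf("%s: cost %d below %d", name, cost, minCost))
		}
		bySalt[m[2]] = append(bySalt[m[2]], name)
	}
	for _, names := range bySalt {
		if sort.Strings(names); len(names) > 1 {
			out = append(out, "salt reused: "+strings.Join(names, ", "))
		}
	}
	sort.Strings(out) // map iteration order is random; keep the report stable
	return out
}

func main() {
	// Constructed strings in bcrypt format, not hashes of real passwords.
	salt := "abcdefghijklmnopqrstuv"
	fmt.Println(Lint(map[string]string{
		"admin": "$2b$12$" + salt + strings.Repeat("A", 31),
		"ci":    "$2b$08$" + salt + strings.Repeat("B", 31),
		"old":   "not-hashed-placeholder",
	}, 10))
}
```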
Re-opened because we're seriously entertaining this. Exploring the viability of the "workaround" suggested, here.
Another +1 on this!
Any update to this?