fix: compute a safe label value for terraform plan resources (flux-iac#1714)

alexandermarston · web-flow · commit 36b02c534f87 · 2026-01-30T12:14:21.000Z
diff --git a/api/plan/plan.go b/api/plan/plan.go
@@ -12,14 +12,41 @@ import (
 )
 
 const (
-	TFPlanName                = "tfplan"
-	SavedPlanSecretAnnotation = "savedPlan"
+	// Kubernetes Label names associated with Terraform Plans
+	TFPlanNameLabel      = "infra.contrib.fluxcd.io/plan-name"
+	TFPlanWorkspaceLabel = "infra.contrib.fluxcd.io/plan-workspace"
+
+	// Kubernetes Annotation names associated with Terraform Plans
+	TFPlanFullNameAnnotation = "infra.contrib.fluxcd.io/plan-full-name"
+	TFPlanChunkAnnotation    = "infra.contrib.fluxcd.io/plan-chunk"
+	TFPlanHashAnnotation     = "infra.contrib.fluxcd.io/plan-hash"
+	TFPlanSavedAnnotation    = "savedPlan"
+
+	TFPlanName = "tfplan"
 
 	// resourceDataMaxSizeBytes defines the maximum size of data
 	// that can be stored in a Kubernetes Secret or ConfigMap
 	resourceDataMaxSizeBytes = 1 * 1024 * 1024 // 1MB
 )
 
+// SafeLabelValue returns a string that is safe to use as a Kubernetes label value.
+func SafeLabelValue(value string) string {
+	// Values that are equal to or less than 63 characters are already good
+	if len(value) <= 63 {
+		return value
+	}
+
+	// Create haash
+	checksum := sha256.Sum256([]byte(value))
+
+	// Build a prefix to append to end of truncated value
+	checksumPrefix := fmt.Sprintf("-%x", checksum[:8])
+
+	prefix := value[:63-len(checksumPrefix)]
+
+	return prefix + checksumPrefix
+}
+
 type Plan struct {
 	name      string
 	namespace string
@@ -57,20 +84,20 @@ func NewFromSecrets(name string, namespace string, uuid string, secrets []v1.Sec
 
 		// Grab the chunk index from the secret annotation
 		chunkIndex := 0
-		if idxStr, ok := secret.Annotations["infra.contrib.fluxcd.io/plan-chunk"]; ok && idxStr != "" {
+		if idxStr, ok := secret.Annotations[TFPlanChunkAnnotation]; ok && idxStr != "" {
 			var err error
 			chunkIndex, err = strconv.Atoi(idxStr)
 			if err != nil {
 				return nil, fmt.Errorf("invalid chunk index annotation found on secret %s: %s", secret.Name, err)
 			}
 		}
 
-		workspaceName, ok = secret.Labels["infra.contrib.fluxcd.io/plan-workspace"]
+		workspaceName, ok = secret.Labels[TFPlanWorkspaceLabel]
 		if !ok {
 			return nil, fmt.Errorf("missing plan workspace label on secret %s", secret.Name)
 		}
 
-		planID, ok = secret.Annotations[SavedPlanSecretAnnotation]
+		planID, ok = secret.Annotations[TFPlanSavedAnnotation]
 		if !ok {
 			return nil, fmt.Errorf("missing plan ID annotation on secret %s", secret.Name)
 		}
@@ -120,20 +147,20 @@ func NewFromConfigMaps(name string, namespace string, uuid string, configmaps []
 
 		// Grab the chunk index from the configmap annotation
 		chunkIndex := 0
-		if idxStr, ok := configmap.Annotations["infra.contrib.fluxcd.io/plan-chunk"]; ok && idxStr != "" {
+		if idxStr, ok := configmap.Annotations[TFPlanChunkAnnotation]; ok && idxStr != "" {
 			var err error
 			chunkIndex, err = strconv.Atoi(idxStr)
 			if err != nil {
 				return nil, fmt.Errorf("invalid chunk index annotation found on configmap %s: %s", configmap.Name, err)
 			}
 		}
 
-		workspaceName, ok = configmap.Labels["infra.contrib.fluxcd.io/plan-workspace"]
+		workspaceName, ok = configmap.Labels[TFPlanWorkspaceLabel]
 		if !ok {
 			return nil, fmt.Errorf("missing plan workspace label on configmap %s", configmap.Name)
 		}
 
-		planID, ok = configmap.Annotations[SavedPlanSecretAnnotation]
+		planID, ok = configmap.Annotations[TFPlanSavedAnnotation]
 		if !ok {
 			return nil, fmt.Errorf("missing plan ID annotation on secret %s", configmap.Name)
 		}
@@ -183,13 +210,14 @@ func (p *Plan) ToSecret(suffix string) ([]*v1.Secret, error) {
 				Name:      secretIdentifier,
 				Namespace: p.namespace,
 				Annotations: map[string]string{
-					"encoding":                          "gzip",
-					SavedPlanSecretAnnotation:           p.planID,
-					"infra.contrib.fluxcd.io/plan-hash": fmt.Sprintf("%x", sha256.Sum256(encoded)),
+					"encoding":               "gzip",
+					TFPlanFullNameAnnotation: p.name + suffix,
+					TFPlanSavedAnnotation:    p.planID,
+					TFPlanHashAnnotation:     fmt.Sprintf("%x", sha256.Sum256(p.bytes)),
 				},
 				Labels: map[string]string{
-					"infra.contrib.fluxcd.io/plan-name":      p.name + suffix,
-					"infra.contrib.fluxcd.io/plan-workspace": p.workspace,
+					TFPlanNameLabel:      SafeLabelValue(p.name + suffix),
+					TFPlanWorkspaceLabel: p.workspace,
 				},
 				OwnerReferences: []metav1.OwnerReference{
 					{
@@ -223,14 +251,15 @@ func (p *Plan) ToSecret(suffix string) ([]*v1.Secret, error) {
 				Name:      fmt.Sprintf("%s-%d", secretIdentifier, chunk),
 				Namespace: p.namespace,
 				Annotations: map[string]string{
-					"encoding":                           "gzip",
-					SavedPlanSecretAnnotation:            p.planID,
-					"infra.contrib.fluxcd.io/plan-chunk": fmt.Sprintf("%d", chunk),
-					"infra.contrib.fluxcd.io/plan-hash":  fmt.Sprintf("%x", sha256.Sum256(planData)),
+					"encoding":               "gzip",
+					TFPlanFullNameAnnotation: p.name + suffix,
+					TFPlanSavedAnnotation:    p.planID,
+					TFPlanChunkAnnotation:    fmt.Sprintf("%d", chunk),
+					TFPlanHashAnnotation:     fmt.Sprintf("%x", sha256.Sum256(planData)),
 				},
 				Labels: map[string]string{
-					"infra.contrib.fluxcd.io/plan-name":      p.name + suffix,
-					"infra.contrib.fluxcd.io/plan-workspace": p.workspace,
+					TFPlanNameLabel:      SafeLabelValue(p.name + suffix),
+					TFPlanWorkspaceLabel: p.workspace,
 				},
 				OwnerReferences: []metav1.OwnerReference{
 					{
@@ -268,12 +297,13 @@ func (p *Plan) ToConfigMap(suffix string) ([]*v1.ConfigMap, error) {
 				Name:      configMapIdentifier,
 				Namespace: p.namespace,
 				Annotations: map[string]string{
-					SavedPlanSecretAnnotation:           p.planID,
-					"infra.contrib.fluxcd.io/plan-hash": fmt.Sprintf("%x", sha256.Sum256(p.bytes)),
+					TFPlanFullNameAnnotation: p.name + suffix,
+					TFPlanSavedAnnotation:    p.planID,
+					TFPlanHashAnnotation:     fmt.Sprintf("%x", sha256.Sum256(p.bytes)),
 				},
 				Labels: map[string]string{
-					"infra.contrib.fluxcd.io/plan-name":      p.name + suffix,
-					"infra.contrib.fluxcd.io/plan-workspace": p.workspace,
+					TFPlanNameLabel:      SafeLabelValue(p.name + suffix),
+					TFPlanWorkspaceLabel: p.workspace,
 				},
 				OwnerReferences: []metav1.OwnerReference{
 					{
@@ -307,13 +337,14 @@ func (p *Plan) ToConfigMap(suffix string) ([]*v1.ConfigMap, error) {
 				Name:      fmt.Sprintf("%s-%d", configMapIdentifier, chunk),
 				Namespace: p.namespace,
 				Annotations: map[string]string{
-					SavedPlanSecretAnnotation:            p.planID,
-					"infra.contrib.fluxcd.io/plan-chunk": fmt.Sprintf("%d", chunk),
-					"infra.contrib.fluxcd.io/plan-hash":  fmt.Sprintf("%x", sha256.Sum256([]byte(planData))),
+					TFPlanFullNameAnnotation: p.name + suffix,
+					TFPlanSavedAnnotation:    p.planID,
+					TFPlanChunkAnnotation:    fmt.Sprintf("%d", chunk),
+					TFPlanHashAnnotation:     fmt.Sprintf("%x", sha256.Sum256([]byte(planData))),
 				},
 				Labels: map[string]string{
-					"infra.contrib.fluxcd.io/plan-name":      p.name + suffix,
-					"infra.contrib.fluxcd.io/plan-workspace": p.workspace,
+					TFPlanNameLabel:      SafeLabelValue(p.name + suffix),
+					TFPlanWorkspaceLabel: p.workspace,
 				},
 				OwnerReferences: []metav1.OwnerReference{
 					{
diff --git a/internal/informer/branch-planner/informer.go b/internal/informer/branch-planner/informer.go
@@ -284,8 +284,8 @@ func (i *Informer) getPlan(ctx context.Context, obj *infrav1.Terraform) (string,
 	configMaps := &v1.ConfigMapList{}
 
 	if err := i.client.List(ctx, configMaps, client.InNamespace(obj.GetNamespace()), client.MatchingLabels{
-		"infra.contrib.fluxcd.io/plan-name":      obj.GetName(),
-		"infra.contrib.fluxcd.io/plan-workspace": obj.WorkspaceName(),
+		plan.TFPlanNameLabel:      plan.SafeLabelValue(obj.GetName()),
+		plan.TFPlanWorkspaceLabel: obj.WorkspaceName(),
 	}); err != nil {
 		return "", fmt.Errorf("unable to list plan configmaps: %s", err)
 	}
diff --git a/internal/informer/branch-planner/informer_test.go b/internal/informer/branch-planner/informer_test.go
@@ -10,6 +10,7 @@ import (
 	gom "github.com/onsi/gomega"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
+	"github.com/flux-iac/tofu-controller/api/plan"
 	infrav1 "github.com/flux-iac/tofu-controller/api/v1alpha2"
 	"github.com/flux-iac/tofu-controller/internal/config"
 	"github.com/flux-iac/tofu-controller/internal/git/provider/providerfakes"
@@ -66,11 +67,11 @@ func TestInformer(t *testing.T) {
 			Name:      "tfplan-default-helloworld",
 			Namespace: ns.Name,
 			Labels: map[string]string{
-				"infra.contrib.fluxcd.io/plan-name":      "helloworld",
-				"infra.contrib.fluxcd.io/plan-workspace": "default",
+				plan.TFPlanNameLabel:      plan.SafeLabelValue("helloworld"),
+				plan.TFPlanWorkspaceLabel: "default",
 			},
 			Annotations: map[string]string{
-				"savedPlan": "plan-main-1",
+				plan.TFPlanSavedAnnotation: "plan-main-1",
 			},
 		},
 		Data: map[string]string{
diff --git a/runner/server.go b/runner/server.go
@@ -25,6 +25,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
+	"github.com/flux-iac/tofu-controller/api/plan"
 	infrav1 "github.com/flux-iac/tofu-controller/api/v1alpha2"
 	"github.com/flux-iac/tofu-controller/utils"
 )
@@ -527,8 +528,8 @@ func (r *TerraformRunnerServer) FinalizeSecrets(ctx context.Context, req *Finali
 	secrets := &v1.SecretList{}
 
 	if err := r.Client.List(ctx, secrets, client.InNamespace(req.Namespace), client.MatchingLabels{
-		"infra.contrib.fluxcd.io/plan-name":      req.Name,
-		"infra.contrib.fluxcd.io/plan-workspace": req.Workspace,
+		plan.TFPlanNameLabel:      plan.SafeLabelValue(req.Name),
+		plan.TFPlanWorkspaceLabel: req.Workspace,
 	}); err != nil {
 		log.Error(err, "unable to list existing plan secrets")
 		return nil, err
diff --git a/runner/server_load_tfplan.go b/runner/server_load_tfplan.go
@@ -44,8 +44,8 @@ func loadTFPlan(
 
 		// List relevant secrets
 		if err := kubeClient.List(ctx, secrets, client.InNamespace(req.Namespace), client.MatchingLabels{
-			"infra.contrib.fluxcd.io/plan-name":      req.Name,
-			"infra.contrib.fluxcd.io/plan-workspace": terraform.WorkspaceName(),
+			plan.TFPlanNameLabel:      plan.SafeLabelValue(req.Name),
+			plan.TFPlanWorkspaceLabel: terraform.WorkspaceName(),
 		}); err != nil {
 			log.Error(err, "unable to list existing plan secrets")
 			return nil, err
@@ -65,8 +65,8 @@ func loadTFPlan(
 				continue
 			}
 
-			if s.Annotations[plan.SavedPlanSecretAnnotation] != pendingPlanId {
-				return nil, fmt.Errorf("pending plan %s does not match secret %s (%s)", pendingPlanId, s.Name, s.Annotations[plan.SavedPlanSecretAnnotation])
+			if s.Annotations[plan.TFPlanSavedAnnotation] != pendingPlanId {
+				return nil, fmt.Errorf("pending plan %s does not match secret %s (%s)", pendingPlanId, s.Name, s.Annotations[plan.TFPlanSavedAnnotation])
 			}
 		}
 
diff --git a/runner/server_load_tfplan_test.go b/runner/server_load_tfplan_test.go
@@ -48,8 +48,8 @@ func TestLoadTFPlanWithForceTrue(t *testing.T) {
 			Namespace:   req.Namespace,
 			Annotations: map[string]string{SavedPlanSecretAnnotation: "plan-not-1"},
 			Labels: map[string]string{
-				"infra.contrib.fluxcd.io/plan-name":      req.Name,
-				"infra.contrib.fluxcd.io/plan-workspace": terraform.WorkspaceName(),
+				plan.TFPlanNameLabel:      plan.SafeLabelValue(req.Name),
+				plan.TFPlanWorkspaceLabel: terraform.WorkspaceName(),
 			},
 		},
 		Data: secretData,
@@ -105,8 +105,8 @@ func TestLoadTFPlanWithForceFalse(t *testing.T) {
 			Namespace:   req.Namespace,
 			Annotations: map[string]string{SavedPlanSecretAnnotation: "plan-not-1"},
 			Labels: map[string]string{
-				"infra.contrib.fluxcd.io/plan-name":      req.Name,
-				"infra.contrib.fluxcd.io/plan-workspace": terraform.WorkspaceName(),
+				plan.TFPlanNameLabel:      plan.SafeLabelValue(req.Name),
+				plan.TFPlanWorkspaceLabel: terraform.WorkspaceName(),
 			},
 		},
 		Data: secretData,
diff --git a/runner/server_save_tfplan.go b/runner/server_save_tfplan.go
@@ -98,14 +98,14 @@ func (r *TerraformRunnerServer) SaveTFPlan(ctx context.Context, req *SaveTFPlanR
 	return &SaveTFPlanReply{Message: "ok"}, nil
 }
 
-func (r *TerraformRunnerServer) writePlanAsSecret(ctx context.Context, name string, namespace string, log logr.Logger, planId string, plan *plan.Plan, suffix string, uuid string) error {
+func (r *TerraformRunnerServer) writePlanAsSecret(ctx context.Context, name string, namespace string, log logr.Logger, planId string, tfPlan *plan.Plan, suffix string, uuid string) error {
 	existingSecrets := &v1.SecretList{}
 
 	// Try to get any secrets by using the plan labels
 	// This covers "chunked" secrets as well as a single secret
 	if err := r.Client.List(ctx, existingSecrets, client.InNamespace(namespace), client.MatchingLabels{
-		"infra.contrib.fluxcd.io/plan-name":      name + suffix,
-		"infra.contrib.fluxcd.io/plan-workspace": r.terraform.WorkspaceName(),
+		plan.TFPlanNameLabel:      plan.SafeLabelValue(name + suffix),
+		plan.TFPlanWorkspaceLabel: r.terraform.WorkspaceName(),
 	}); err != nil {
 		log.Error(err, "unable to list existing plan secrets")
 		return err
@@ -129,7 +129,7 @@ func (r *TerraformRunnerServer) writePlanAsSecret(ctx context.Context, name stri
 		}
 	}
 
-	secrets, err := plan.ToSecret(suffix)
+	secrets, err := tfPlan.ToSecret(suffix)
 	if err != nil {
 		log.Error(err, "unable to generate plan secrets", "planId", planId)
 		return err
@@ -149,14 +149,14 @@ func (r *TerraformRunnerServer) writePlanAsSecret(ctx context.Context, name stri
 	return nil
 }
 
-func (r *TerraformRunnerServer) writePlanAsConfigMap(ctx context.Context, name string, namespace string, log logr.Logger, planId string, plan *plan.Plan, suffix string, uuid string) error {
+func (r *TerraformRunnerServer) writePlanAsConfigMap(ctx context.Context, name string, namespace string, log logr.Logger, planId string, tfPlan *plan.Plan, suffix string, uuid string) error {
 	existingConfigMaps := &v1.ConfigMapList{}
 
 	// Try to get any ConfigMaps by using the plan labels
 	// This covers "chunked" ConfigMaps as well as a single ConfigMap
 	if err := r.Client.List(ctx, existingConfigMaps, client.InNamespace(namespace), client.MatchingLabels{
-		"infra.contrib.fluxcd.io/plan-name":      name + suffix,
-		"infra.contrib.fluxcd.io/plan-workspace": r.terraform.WorkspaceName(),
+		plan.TFPlanNameLabel:      plan.SafeLabelValue(name + suffix),
+		plan.TFPlanWorkspaceLabel: r.terraform.WorkspaceName(),
 	}); err != nil {
 		log.Error(err, "unable to list existing plan ConfigMaps")
 		return err
@@ -180,7 +180,7 @@ func (r *TerraformRunnerServer) writePlanAsConfigMap(ctx context.Context, name s
 		}
 	}
 
-	configMaps, err := plan.ToConfigMap(suffix)
+	configMaps, err := tfPlan.ToConfigMap(suffix)
 	if err != nil {
 		log.Error(err, "unable to generate plan ConfigMaps", "planId", planId)
 		return err
diff --git a/tfctl/show_plan.go b/tfctl/show_plan.go
@@ -74,8 +74,8 @@ func readPlanFromConfigmap(ctx context.Context, kubeClient client.Client, resour
 
 	// List relevant configmaps
 	if err := kubeClient.List(ctx, configMaps, client.InNamespace(namespace), client.MatchingLabels{
-		"infra.contrib.fluxcd.io/plan-name":      resource,
-		"infra.contrib.fluxcd.io/plan-workspace": workspace,
+		plan.TFPlanNameLabel:      plan.SafeLabelValue(resource),
+		plan.TFPlanWorkspaceLabel: workspace,
 	}); err != nil {
 		return "", fmt.Errorf("unable to list existing plan configmaps: %s", err)
 	}
@@ -98,8 +98,8 @@ func readPlanFromSecret(ctx context.Context, kubeClient client.Client, resource
 
 	// List relevant secrets
 	if err := kubeClient.List(ctx, secrets, client.InNamespace(namespace), client.MatchingLabels{
-		"infra.contrib.fluxcd.io/plan-name":      resource,
-		"infra.contrib.fluxcd.io/plan-workspace": workspace,
+		plan.TFPlanNameLabel:      plan.SafeLabelValue(resource),
+		plan.TFPlanWorkspaceLabel: workspace,
 	}); err != nil {
 		return "", fmt.Errorf("unable to list existing plan secrets: %s", err)
 	}
diff --git a/tfctl/show_plan_test.go b/tfctl/show_plan_test.go
@@ -58,8 +58,8 @@ func TestShowPlan(t *testing.T) {
 							Name:      "tfplan-default-hello-world",
 							Namespace: "default",
 							Labels: map[string]string{
-								"infra.contrib.fluxcd.io/plan-name":      "hello-world",
-								"infra.contrib.fluxcd.io/plan-workspace": "default",
+								plan.TFPlanNameLabel:      "hello-world",
+								plan.TFPlanWorkspaceLabel: "default",
 							},
 						},
 						Data: map[string][]byte{

Original file line number	Diff line number	Diff line change
`@@ -44,8 +44,8 @@ func loadTFPlan(`
`44`	`44`
`45`	`45`	`// List relevant secrets`
`46`	`46`	`if err := kubeClient.List(ctx, secrets, client.InNamespace(req.Namespace), client.MatchingLabels{`
`47`		`- "infra.contrib.fluxcd.io/plan-name": req.Name,`
`48`		`- "infra.contrib.fluxcd.io/plan-workspace": terraform.WorkspaceName(),`
	`47`	`+ plan.TFPlanNameLabel: plan.SafeLabelValue(req.Name),`
	`48`	`+ plan.TFPlanWorkspaceLabel: terraform.WorkspaceName(),`
`49`	`49`	`}); err != nil {`
`50`	`50`	`log.Error(err, "unable to list existing plan secrets")`
`51`	`51`	`return nil, err`
`@@ -65,8 +65,8 @@ func loadTFPlan(`
`65`	`65`	`continue`
`66`	`66`	`}`
`67`	`67`
`68`		`- if s.Annotations[plan.SavedPlanSecretAnnotation] != pendingPlanId {`
`69`		`- return nil, fmt.Errorf("pending plan %s does not match secret %s (%s)", pendingPlanId, s.Name, s.Annotations[plan.SavedPlanSecretAnnotation])`
	`68`	`+ if s.Annotations[plan.TFPlanSavedAnnotation] != pendingPlanId {`
	`69`	`+ return nil, fmt.Errorf("pending plan %s does not match secret %s (%s)", pendingPlanId, s.Name, s.Annotations[plan.TFPlanSavedAnnotation])`
`70`	`70`	`}`
`71`	`71`	`}`
`72`	`72`