Addresses review comments

Author: vsantwana

flink-kubernetes-operator/src/main/java/org/apache/flink/kubernetes/operator/observer/JobStatusObserver.java

@@ -29,6 +29,7 @@
 import org.apache.flink.kubernetes.operator.reconciler.ReconciliationUtils;
 import org.apache.flink.kubernetes.operator.utils.EventRecorder;
 import org.apache.flink.kubernetes.operator.utils.ExceptionUtils;
+import org.apache.flink.kubernetes.operator.utils.K8sAnnotationsSanitizer;
 import org.apache.flink.runtime.client.JobStatusMessage;
 import org.apache.flink.runtime.rest.messages.JobExceptionsInfoWithHistory;
 
@@ -40,6 +41,7 @@
 import java.util.HashMap;
 import java.util.Map;
 import java.util.concurrent.TimeoutException;
+import java.util.regex.Pattern;
 
 import static org.apache.flink.kubernetes.operator.utils.FlinkResourceExceptionUtils.updateFlinkResourceException;
 
@@ -49,6 +51,8 @@ public class JobStatusObserver<R extends AbstractFlinkResource<?, ?>> {
     private static final Logger LOG = LoggerFactory.getLogger(JobStatusObserver.class);
 
     public static final String JOB_NOT_FOUND_ERR = "Job Not Found";
+    private static final Pattern VALID_K8S_ANNOTATION_KEY_PATTERN =
+            Pattern.compile("^[a-zA-Z0-9./-]{1,63}$");
 
     protected final EventRecorder eventRecorder;
 
@@ -85,11 +89,9 @@ public boolean observe(FlinkResourceContext<R> ctx) {
                 var newJobStatus = newJobStatusOpt.get();
                 updateJobStatus(ctx, newJobStatus);
                 ReconciliationUtils.checkAndUpdateStableSpec(resource.getStatus());
-                // now check if the job is in a terminal state. This might not be need as we have
-                // already
-                // verified that the REST API server is available
-                // now check if the job is NOT in a terminal state
-                if (!newJobStatus.getJobState().isGloballyTerminalState()) {
+                // see if the JM server is up, try to get the exceptions
+                // in case the new
+                if (!previousJobStatus.isGloballyTerminalState()) {
                     observeJobManagerExceptions(ctx);
                 }
                 return true;
@@ -124,9 +126,7 @@ protected void observeJobManagerExceptions(FlinkResourceContext<R> ctx) {
             //  but the JobExceptionsMessageParameters does not expose the parameters and nor does
             // it have setters.
             var history =
-                    ctx.getFlinkService()
-                            .getJobExceptions(
-                                    resource, jobId, ctx.getDeployConfig(resource.getSpec()));
+                    ctx.getFlinkService().getJobExceptions(resource, jobId, ctx.getObserveConfig());
 
             if (history == null || history.getExceptionHistory() == null) {
                 return;
@@ -241,7 +241,7 @@ private void emitJobManagerExceptionEvent(
                 EventRecorder.Component.JobManagerDeployment,
                 "jobmanager-exception-" + keyMessage.hashCode(),
                 ctx.getKubernetesClient(),
-                annotations);
+                K8sAnnotationsSanitizer.sanitizeAnnotations(annotations));
     }
 
     /**

flink-kubernetes-operator/src/main/java/org/apache/flink/kubernetes/operator/service/AbstractFlinkService.java

@@ -851,9 +851,9 @@ public RestClusterClient<String> getClusterClient(Configuration conf) throws Exc
 
     @Override
     public JobExceptionsInfoWithHistory getJobExceptions(
-            AbstractFlinkResource resource, JobID jobId, Configuration deployConfig) {
+            AbstractFlinkResource resource, JobID jobId, Configuration observeConfig) {
         JobExceptionsHeaders jobExceptionsHeaders = JobExceptionsHeaders.getInstance();
-        int port = deployConfig.getInteger(RestOptions.PORT);
+        int port = observeConfig.getInteger(RestOptions.PORT);
         String host =
                 ObjectUtils.firstNonNull(
                         operatorConfig.getFlinkServiceHostOverride(),
@@ -862,7 +862,7 @@ public JobExceptionsInfoWithHistory getJobExceptions(
                                 resource.getMetadata().getNamespace()));
         JobExceptionsMessageParameters params = new JobExceptionsMessageParameters();
         params.jobPathParameter.resolve(jobId);
-        try (var restClient = getRestClient(deployConfig)) {
+        try (var restClient = getRestClient(observeConfig)) {
             return restClient
                     .sendRequest(
                             host,

flink-kubernetes-operator/src/main/java/org/apache/flink/kubernetes/operator/service/FlinkResourceContextFactory.java

@@ -39,8 +39,7 @@
 
 import io.javaoperatorsdk.operator.api.reconciler.Context;
 import io.javaoperatorsdk.operator.processing.event.ResourceID;
-import lombok.Getter;
-import lombok.Setter;
+import lombok.Data;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -55,8 +54,7 @@ public class FlinkResourceContextFactory {
     private static final Logger LOG = LoggerFactory.getLogger(FlinkResourceContextFactory.class);
 
     /** The cache entry for the last recorded exception timestamp for a JobID. */
-    @Getter
-    @Setter
+    @Data
     public static final class ExceptionCacheEntry {
         private String jobId;
         private long lastTimestamp;

flink-kubernetes-operator/src/main/java/org/apache/flink/kubernetes/operator/service/FlinkService.java

@@ -130,7 +130,7 @@ Map<String, String> getMetrics(Configuration conf, String jobId, List<String> me
     RestClusterClient<String> getClusterClient(Configuration conf) throws Exception;
 
     JobExceptionsInfoWithHistory getJobExceptions(
-            AbstractFlinkResource resource, JobID jobId, Configuration deployConfig)
+            AbstractFlinkResource resource, JobID jobId, Configuration observeConfig)
             throws Exception;
 
     /** Result of a cancel operation. */

flink-kubernetes-operator/src/main/java/org/apache/flink/kubernetes/operator/utils/K8sAnnotationsSanitizer.java

@@ -0,0 +1,131 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.flink.kubernetes.operator.utils;
+
+import org.apache.flink.annotation.VisibleForTesting;
+
+import java.util.HashMap;
+import java.util.Map;
+import java.util.regex.Pattern;
+
+/**
+ * Utility class for sanitizing Kubernetes annotations as per k8s rules. See <a
+ * href="https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/#syntax-and-character-set">Kubernetes
+ * Annotations Syntax and Character Set</a>
+ */
+public class K8sAnnotationsSanitizer {
+
+    private static final int MAX_PREFIX_LENGTH = 253;
+    private static final int MAX_NAME_LENGTH = 63;
+
+    // Name: starts and ends with alphanumeric, allows alphanum, '-', '_', '.' in middle
+    private static final Pattern NAME_PATTERN =
+            Pattern.compile("^[a-zA-Z0-9]([a-zA-Z0-9_.-]*[a-zA-Z0-9])?$");
+
+    // DNS label: alphanumeric, may have hyphens inside, length ≤ 63
+    private static final Pattern DNS_LABEL_PATTERN =
+            Pattern.compile("^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$");
+
+    /**
+     * Sanitizes the input annotations by validating keys and cleaning values. Only includes entries
+     * with valid keys and non-null values.
+     */
+    public static Map<String, String> sanitizeAnnotations(Map<String, String> annotations) {
+        Map<String, String> sanitized = new HashMap<>();
+        if (annotations == null) {
+            return sanitized;
+        }
+
+        for (Map.Entry<String, String> entry : annotations.entrySet()) {
+            String key = entry.getKey();
+            String value = entry.getValue();
+
+            if (isValidAnnotationKey(key)) {
+                String sanitizedValue = sanitizeAnnotationValue(value);
+                if (sanitizedValue != null) {
+                    sanitized.put(key, sanitizedValue);
+                }
+            }
+        }
+        return sanitized;
+    }
+
+    /** Validates the annotation key according to Kubernetes rules: Optional prefix + "/" + name. */
+    @VisibleForTesting
+    static boolean isValidAnnotationKey(String key) {
+        if (key == null || key.isEmpty()) {
+            return false;
+        }
+
+        String[] parts = key.split("/", 2);
+        if (parts.length == 2) {
+            return isValidPrefix(parts[0]) && isValidName(parts[1]);
+        } else {
+            return isValidName(parts[0]);
+        }
+    }
+
+    /**
+     * Validates the prefix as a DNS subdomain: series of DNS labels separated by dots, total length
+     * ≤ 253.
+     */
+    private static boolean isValidPrefix(String prefix) {
+        if (prefix.length() > MAX_PREFIX_LENGTH) {
+            return false;
+        }
+        if (prefix.endsWith(".")) {
+            return false; // no trailing dot allowed
+        }
+        String[] labels = prefix.split("\\.");
+        for (String label : labels) {
+            if (label.isEmpty() || label.length() > 63) {
+                return false;
+            }
+            if (!DNS_LABEL_PATTERN.matcher(label).matches()) {
+                return false;
+            }
+        }
+        return true;
+    }
+
+    /** Validates the name part of the key. */
+    private static boolean isValidName(String name) {
+        return name != null
+                && name.length() <= MAX_NAME_LENGTH
+                && NAME_PATTERN.matcher(name).matches();
+    }
+
+    /**
+     * Sanitizes the annotation value by trimming and removing control characters, replacing
+     * newlines and tabs with spaces. No length limit.
+     */
+    @VisibleForTesting
+    static String sanitizeAnnotationValue(String value) {
+        if (value == null) {
+            return null;
+        }
+
+        // Trim whitespace, remove control chars except \r \n \t, replace those with space
+        String sanitized =
+                value.trim()
+                        .replaceAll("[\\p{Cntrl}&&[^\r\n\t]]", "")
+                        .replaceAll("[\\r\\n\\t]+", " ");
+
+        return sanitized;
+    }
+}

flink-kubernetes-operator/src/test/java/org/apache/flink/kubernetes/operator/TestingFlinkService.java

@@ -315,7 +315,7 @@ public Optional<JobStatusMessage> getJobStatus(Configuration conf, JobID jobID)
 
     @Override
     public JobExceptionsInfoWithHistory getJobExceptions(
-            AbstractFlinkResource resource, JobID jobId, Configuration deployConfig) {
+            AbstractFlinkResource resource, JobID jobId, Configuration observeConfig) {
         return jobExceptionsMap.getOrDefault(jobId, null);
     }
 

flink-kubernetes-operator/src/test/java/org/apache/flink/kubernetes/operator/utils/K8sAnnotationsSanitizerTest.java

@@ -0,0 +1,123 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.flink.kubernetes.operator.utils;
+
+import org.junit.jupiter.api.Test;
+
+import java.util.Map;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/** Tests for {@link K8sAnnotationsSanitizer}. */
+public class K8sAnnotationsSanitizerTest {
+
+    @Test
+    public void testValidKeysWithoutPrefix() {
+        assertThat(K8sAnnotationsSanitizer.isValidAnnotationKey("foo")).isTrue();
+        assertThat(K8sAnnotationsSanitizer.isValidAnnotationKey("foo-bar")).isTrue();
+        assertThat(K8sAnnotationsSanitizer.isValidAnnotationKey("foo.bar")).isTrue();
+        assertThat(K8sAnnotationsSanitizer.isValidAnnotationKey("foo_bar")).isTrue();
+        assertThat(K8sAnnotationsSanitizer.isValidAnnotationKey("f")).isTrue();
+        assertThat(K8sAnnotationsSanitizer.isValidAnnotationKey("f1")).isTrue();
+        assertThat(K8sAnnotationsSanitizer.isValidAnnotationKey("1f")).isTrue();
+    }
+
+    @Test
+    public void testInvalidKeysWithoutPrefix() {
+        assertThat(K8sAnnotationsSanitizer.isValidAnnotationKey("")).isFalse();
+        assertThat(K8sAnnotationsSanitizer.isValidAnnotationKey(null)).isFalse();
+        assertThat(K8sAnnotationsSanitizer.isValidAnnotationKey("-foo")).isFalse();
+        assertThat(K8sAnnotationsSanitizer.isValidAnnotationKey("foo-")).isFalse();
+        assertThat(K8sAnnotationsSanitizer.isValidAnnotationKey(".foo")).isFalse();
+        assertThat(K8sAnnotationsSanitizer.isValidAnnotationKey("foo.")).isFalse();
+        assertThat(K8sAnnotationsSanitizer.isValidAnnotationKey("_foo")).isFalse();
+        assertThat(K8sAnnotationsSanitizer.isValidAnnotationKey("foo_")).isFalse();
+        assertThat(K8sAnnotationsSanitizer.isValidAnnotationKey("foo@bar")).isFalse();
+        assertThat(K8sAnnotationsSanitizer.isValidAnnotationKey("foo/bar/baz"))
+                .isFalse(); // multiple slashes invalid
+    }
+
+    @Test
+    public void testValidKeysWithPrefix() {
+        assertThat(K8sAnnotationsSanitizer.isValidAnnotationKey("example.com/foo")).isTrue();
+        assertThat(K8sAnnotationsSanitizer.isValidAnnotationKey("a.b.c/foo-bar")).isTrue();
+        assertThat(K8sAnnotationsSanitizer.isValidAnnotationKey("abc/foo_bar")).isTrue();
+        assertThat(K8sAnnotationsSanitizer.isValidAnnotationKey("abc/foo.bar")).isTrue();
+        assertThat(K8sAnnotationsSanitizer.isValidAnnotationKey("a/foo")).isTrue();
+    }
+
+    @Test
+    public void testInvalidPrefix() {
+        String longPrefix = "a".repeat(254);
+        assertThat(K8sAnnotationsSanitizer.isValidAnnotationKey(longPrefix + "/foo")).isFalse();
+
+        String longLabel = "a".repeat(64);
+        assertThat(K8sAnnotationsSanitizer.isValidAnnotationKey(longLabel + ".com/foo")).isFalse();
+
+        assertThat(K8sAnnotationsSanitizer.isValidAnnotationKey("ex_ample.com/foo")).isFalse();
+        assertThat(K8sAnnotationsSanitizer.isValidAnnotationKey("-example.com/foo")).isFalse();
+        assertThat(K8sAnnotationsSanitizer.isValidAnnotationKey("example-.com/foo")).isFalse();
+
+        assertThat(K8sAnnotationsSanitizer.isValidAnnotationKey(".example.com/foo")).isFalse();
+        assertThat(K8sAnnotationsSanitizer.isValidAnnotationKey("example..com/foo")).isFalse();
+        assertThat(K8sAnnotationsSanitizer.isValidAnnotationKey("example.com./foo")).isFalse();
+    }
+
+    @Test
+    public void testInvalidNameWithPrefix() {
+        assertThat(K8sAnnotationsSanitizer.isValidAnnotationKey("example.com/-foo")).isFalse();
+        assertThat(K8sAnnotationsSanitizer.isValidAnnotationKey("example.com/foo-")).isFalse();
+        assertThat(K8sAnnotationsSanitizer.isValidAnnotationKey("example.com/.foo")).isFalse();
+        assertThat(K8sAnnotationsSanitizer.isValidAnnotationKey("example.com/foo.")).isFalse();
+        assertThat(K8sAnnotationsSanitizer.isValidAnnotationKey("example.com/foo@bar")).isFalse();
+        assertThat(K8sAnnotationsSanitizer.isValidAnnotationKey("example.com/")).isFalse();
+    }
+
+    @Test
+    public void testSanitizeAnnotationValue() {
+        assertThat(K8sAnnotationsSanitizer.sanitizeAnnotationValue(null)).isNull();
+
+        assertThat(K8sAnnotationsSanitizer.sanitizeAnnotationValue("  value  ")).isEqualTo("value");
+
+        String rawValue = "line1\nline2\r\nline3\tend\u0007"; // \u0007 is bell (control char)
+        String expected = "line1 line2 line3 end";
+        assertThat(K8sAnnotationsSanitizer.sanitizeAnnotationValue(rawValue)).isEqualTo(expected);
+
+        String unicode = "café résumé – test";
+        assertThat(K8sAnnotationsSanitizer.sanitizeAnnotationValue(unicode)).isEqualTo(unicode);
+    }
+
+    @Test
+    public void testSanitizeAnnotations() {
+        Map<String, String> input =
+                Map.of(
+                        "valid-key", " some value ",
+                        "example.com/valid-name", "value\nwith\nnewlines",
+                        "invalid key", "value",
+                        "prefix_with_underscore/foo", "value",
+                        "validprefix/foo-", "value",
+                        "example.com/invalid_name@", "value");
+
+        Map<String, String> sanitized = K8sAnnotationsSanitizer.sanitizeAnnotations(input);
+
+        assertThat(sanitized).hasSize(2).containsKeys("valid-key", "example.com/valid-name");
+
+        assertThat(sanitized.get("valid-key")).isEqualTo("some value");
+        assertThat(sanitized.get("example.com/valid-name")).isEqualTo("value with newlines");
+    }
+}