Loosen file name validation for kubernetes service bindings (#4525)

tomkennedy513 · web-flow · commit c4a118b5711b · 2025-08-21T11:18:02.000+02:00
- The ServiceBinding spec has been updated to explicitly mention that underscores are valid in credential keys (https://github.com/servicebinding/spec/blob/main/README.md#workload-projection). Updating the implementation to match the change in the spec Signed-off-by: Tom Kennedy <kennedy513@gmail.com>
diff --git a/lib/cloud_controller/diego/service_binding_files_builder.rb b/lib/cloud_controller/diego/service_binding_files_builder.rb
@@ -37,7 +37,7 @@ def build_service_binding_k8s
         @service_bindings.select(&:create_succeeded?).each do |service_binding|
           sb_hash = ServiceBindingPresenter.new(service_binding, include_instance: true).to_hash
           name = sb_hash[:name]
-          raise IncompatibleBindings.new("Invalid binding name: '#{name}'. Name must match #{binding_naming_convention.inspect}") unless valid_name?(name)
+          raise IncompatibleBindings.new("Invalid binding name: '#{name}'. Name must match #{binding_naming_convention.inspect}") unless valid_binding_name?(name)
           raise IncompatibleBindings.new("Duplicate binding name: #{name}") if names.add?(name).nil?
 
           # add the credentials first
@@ -72,13 +72,17 @@ def binding_naming_convention
         /^[a-z0-9\-.]{1,253}$/
       end
 
+      def file_naming_convention
+        /^[a-z0-9\-._]{1,253}$/
+      end
+
       # - adds a Diego::Bbs::Models::File object to the service_binding_files hash
       # - binding name is used as the directory name, key is used as the file name
       # - returns the bytesize of the path and content
       # - skips (and returns 0) if the value is nil or an empty array or hash
       # - serializes the value to JSON if it is a non-string object
       def add_file(service_binding_files, name, key, value)
-        raise IncompatibleBindings.new("Invalid file name: #{key}") unless valid_name?(key)
+        raise IncompatibleBindings.new("Invalid file name: #{key}") unless valid_file_name?(key)
 
         path = "#{name}/#{key}"
         content = if value.nil?
@@ -95,10 +99,14 @@ def add_file(service_binding_files, name, key, value)
         path.bytesize + content.bytesize
       end
 
-      def valid_name?(name)
+      def valid_binding_name?(name)
         name.match?(binding_naming_convention)
       end
 
+      def valid_file_name?(name)
+        name.match?(file_naming_convention)
+      end
+
       def transform_vcap_services_attribute(name)
         if %w[binding_guid binding_name instance_guid instance_name syslog_drain_url volume_mounts].include?(name)
           name.tr('_', '-')
diff --git a/spec/unit/lib/cloud_controller/diego/service_binding_files_builder_spec.rb b/spec/unit/lib/cloud_controller/diego/service_binding_files_builder_spec.rb
@@ -274,6 +274,14 @@ module VCAP::CloudController::Diego
               expect { service_binding_files }.to raise_error(ServiceBindingFilesBuilder::IncompatibleBindings, 'Invalid file name: ../secret')
             end
           end
+
+          context 'when credential keys contain underscores' do
+            let(:credentials) { { some_secret: 'hidden' } }
+
+            it 'does not return an error' do
+              expect { service_binding_files }.not_to raise_error
+            end
+          end
         end
       end
 
