sanitizeLabelValue truncation can produce invalid label values ending with hyphen/underscore #1245

@mh21

Description

The sanitizeLabelValue function in api/v1alpha1/webhooks/author/webhook.go can produce invalid Kubernetes label values when truncating long usernames. After truncation to MaxLabelLength (63 characters), the resulting string may end with a hyphen, underscore, or dot, which violates the Kubernetes label value format.

Steps to Reproduce

  1. Create a Release using a service account with a long name, e.g., system:serviceaccount:hummingbird-tenant:hummingbird-dashboard-retrigger
  2. The webhook transforms this to: system_serviceaccount_hummingbird-tenant_hummingbird-dashboard-retrigger (71 chars)
  3. After truncation to 63 chars: system_serviceaccount_hummingbird-tenant_hummingbird-dashboard-
  4. This ends with a hyphen, which fails Kubernetes label validation

Error Message

Release.appstudio.redhat.com "..." is invalid: metadata.labels: Invalid value: 
"system_serviceaccount_hummingbird-tenant_hummingbird-dashboard-": a valid label 
must be an empty string or consist of alphanumeric characters, '-', '_' or '.', 
and must start and end with an alphanumeric character

Current Code

func (w *Webhook) sanitizeLabelValue(username string) string {
    author := strings.Replace(username, ":", "_", -1)
    author = strings.Replace(author, "@", ".", 1)

    if len(author) > metadata.MaxLabelLength {
        author = string(author)[0:metadata.MaxLabelLength]  // Bug: doesn't strip trailing invalid chars
    }

    return author
}

Suggested Fix

After truncation, strip any trailing characters that aren't alphanumeric:

func (w *Webhook) sanitizeLabelValue(username string) string {
    author := strings.Replace(username, ":", "_", -1)
    author = strings.Replace(author, "@", ".", 1)

    if len(author) > metadata.MaxLabelLength {
        author = author[0:metadata.MaxLabelLength]
    }

    // Strip trailing non-alphanumeric characters
    author = strings.TrimRight(author, "-_.")

    return author
}

Environment

  • Konflux cluster with release-service webhook enabled
  • Service account names that exceed 63 characters after colon-to-underscore replacement
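
Added example, not part of the original issue or the release-service code: a stand-alone Go program that reproduces the truncation from the steps above and checks both results against a regular expression mirroring the rule quoted in the error message. The names `maxLabelLength`, `isValidLabelValue`, `replaceAndTruncate` and `sanitize` are hypothetical, and `sanitize` goes slightly beyond the suggested fix by trimming the leading edge as well, since the rule also requires an alphanumeric first character.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// maxLabelLength stands in for metadata.MaxLabelLength (63, per the issue).
const maxLabelLength = 63

// labelValueRe mirrors the rule quoted in the error message: empty, or
// alphanumeric at both ends with '-', '_' or '.' allowed in between.
var labelValueRe = regexp.MustCompile(`^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$`)

func isValidLabelValue(v string) bool {
	return len(v) <= maxLabelLength && labelValueRe.MatchString(v)
}

// replaceAndTruncate reproduces the behaviour the issue reports:
// substitute ':' and '@', then cut at 63 bytes with no further cleanup.
func replaceAndTruncate(username string) string {
	author := strings.Replace(username, ":", "_", -1)
	author = strings.Replace(author, "@", ".", 1)
	if len(author) > maxLabelLength {
		author = author[:maxLabelLength]
	}
	return author
}

// sanitize trims '-', '_' and '.' from both ends after truncation.
// Characters outside the allowed set are not handled here (assumption:
// usernames only need the ':' and '@' substitutions shown in the issue).
func sanitize(username string) string {
	return strings.Trim(replaceAndTruncate(username), "-_.")
}

func main() {
	// Constructed inputs; the first is the service account from the issue.
	for _, u := range []string{
		"system:serviceaccount:hummingbird-tenant:hummingbird-dashboard-retrigger",
		"user@example.com",
		":leading-colon",
	} {
		before, after := replaceAndTruncate(u), sanitize(u)
		fmt.Printf("%q\n  truncate only: %q valid=%v\n  with trim:     %q valid=%v\n",
			u, before, isValidLabelValue(before), after, isValidLabelValue(after))
	}
}
```

Truncation is lossy, so two long usernames that share their first 63 characters after substitution map to the same label value.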
