From 7735b15de31d499587088a722796e92098bda184 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Pa=C3=B1eda?= <daniel.paneda@clickhouse.com>
Date: Tue, 28 Apr 2026 22:11:59 +0900
Subject: [PATCH] cmd/k8s-operator: truncate long label values in metrics
 resources (#18895)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* cmd/k8s-operator: truncate long label values in metrics resources

Kubernetes label values have a 63-character limit, but resource names
can be up to 253 characters. When a Service or Ingress with a long
name is exposed via Tailscale, the operator fails to reconcile because
it uses the parent resource name directly as label values on metrics
Services.

Truncate label values that may exceed the limit by keeping the first
54 characters and appending a SHA256-based hash suffix to preserve
uniqueness.

Fixes #18894

Signed-off-by: Daniel Pañeda <daniel.paneda@clickhouse.com>
Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>

* cmd/k8s-operator: move TruncateLabelValue to shared k8s-operator package

Move the label truncation helper to k8s-operator/utils.go so it can be
reused by other components that need to produce valid Kubernetes labels.

Signed-off-by: Daniel Pañeda <daniel.paneda@clickhouse.com>
Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>

* cmd/k8s-operator: truncate long domain label values in cert resources

Applies TruncateLabelValue to certResourceLabels in order to prevent API
server validation failures. This covers both the HA Ingress and kube-apiserver
proxy reconcilers, as both flow through certResourceLabels.

Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>

* cmd/k8s-operator: remove empty metrics_resources_test.go, use hyphens in test names to satisfy go vet

Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>

---------

Signed-off-by: Daniel Pañeda <daniel.paneda@clickhouse.com>
Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
Co-authored-by: chaosinthecrd <tom@tmlabs.co.uk>
---
 cmd/k8s-operator/ingress-for-pg.go    |  2 +-
 cmd/k8s-operator/metrics_resources.go | 11 ++--
 k8s-operator/utils.go                 | 16 ++++++
 k8s-operator/utils_test.go            | 78 +++++++++++++++++++++++++++
 4 files changed, 101 insertions(+), 6 deletions(-)
 create mode 100644 k8s-operator/utils_test.go

diff --git a/cmd/k8s-operator/ingress-for-pg.go b/cmd/k8s-operator/ingress-for-pg.go
index 37d0ed014..d6872f680 100644
--- a/cmd/k8s-operator/ingress-for-pg.go
+++ b/cmd/k8s-operator/ingress-for-pg.go
@@ -1081,7 +1081,7 @@ func certResourceLabels(pgName, domain string) map[string]string {
 	return map[string]string{
 		kubetypes.LabelManaged: "true",
 		labelProxyGroup:        pgName,
-		labelDomain:            domain,
+		labelDomain:            tsoperator.TruncateLabelValue(domain),
 	}
 }
 
diff --git a/cmd/k8s-operator/metrics_resources.go b/cmd/k8s-operator/metrics_resources.go
index c7c329a7e..4384f4cba 100644
--- a/cmd/k8s-operator/metrics_resources.go
+++ b/cmd/k8s-operator/metrics_resources.go
@@ -19,6 +19,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	kube "tailscale.com/k8s-operator"
 	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
 	"tailscale.com/kube/kubetypes"
 )
@@ -227,13 +228,13 @@ func metricsResourceLabels(opts *metricsOpts) map[string]string {
 		kubetypes.LabelManaged:   "true",
 		labelMetricsTarget:       opts.proxyStsName,
 		labelPromProxyType:       opts.proxyType,
-		labelPromProxyParentName: opts.proxyLabels[LabelParentName],
+		labelPromProxyParentName: kube.TruncateLabelValue(opts.proxyLabels[LabelParentName]),
 	}
 	// Include namespace label for proxies created for a namespaced type.
 	if isNamespacedProxyType(opts.proxyType) {
-		lbls[labelPromProxyParentNamespace] = opts.proxyLabels[LabelParentNamespace]
+		lbls[labelPromProxyParentNamespace] = kube.TruncateLabelValue(opts.proxyLabels[LabelParentNamespace])
 	}
-	lbls[labelPromJob] = promJobName(opts)
+	lbls[labelPromJob] = kube.TruncateLabelValue(promJobName(opts))
 	return lbls
 }
 
@@ -250,11 +251,11 @@ func promJobName(opts *metricsOpts) string {
 func metricsSvcSelector(proxyLabels map[string]string, proxyType string) map[string]string {
 	sel := map[string]string{
 		labelPromProxyType:       proxyType,
-		labelPromProxyParentName: proxyLabels[LabelParentName],
+		labelPromProxyParentName: kube.TruncateLabelValue(proxyLabels[LabelParentName]),
 	}
 	// Include namespace label for proxies created for a namespaced type.
 	if isNamespacedProxyType(proxyType) {
-		sel[labelPromProxyParentNamespace] = proxyLabels[LabelParentNamespace]
+		sel[labelPromProxyParentNamespace] = kube.TruncateLabelValue(proxyLabels[LabelParentNamespace])
 	}
 	return sel
 }
diff --git a/k8s-operator/utils.go b/k8s-operator/utils.go
index 043a9d7b5..d83d98e0c 100644
--- a/k8s-operator/utils.go
+++ b/k8s-operator/utils.go
@@ -7,6 +7,8 @@
 package kube
 
 import (
+	"crypto/sha256"
+	"encoding/hex"
 	"fmt"
 
 	"tailscale.com/tailcfg"
@@ -50,3 +52,17 @@ func CapVerFromFileName(name string) (tailcfg.CapabilityVersion, error) {
 	_, err := fmt.Sscanf(name, "cap-%d.hujson", &cap)
 	return cap, err
 }
+
+// TruncateLabelValue truncates a Kubernetes label value to fit within the
+// 63-character limit. If the value exceeds the limit, it is truncated and a
+// short hash suffix is appended to preserve uniqueness.
+func TruncateLabelValue(val string) string {
+	const maxLen = 63
+	if len(val) <= maxLen {
+		return val
+	}
+	hash := sha256.Sum256([]byte(val))
+	suffix := hex.EncodeToString(hash[:4]) // 8 hex chars
+	truncated := val[:maxLen-len(suffix)-1]
+	return truncated + "-" + suffix
+}
diff --git a/k8s-operator/utils_test.go b/k8s-operator/utils_test.go
new file mode 100644
index 000000000..7a30df6b4
--- /dev/null
+++ b/k8s-operator/utils_test.go
@@ -0,0 +1,78 @@
+// Copyright (c) Tailscale Inc & contributors
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !plan9
+
+package kube
+
+import (
+	"strings"
+	"testing"
+)
+
+func TestTruncateLabelValue(t *testing.T) {
+	tests := []struct {
+		name  string
+		input string
+		want  string // empty means expect input unchanged
+	}{
+		{
+			name:  "short-value-unchanged",
+			input: "my-service",
+		},
+		{
+			name:  "exactly-63-chars-unchanged",
+			input: strings.Repeat("a", 63),
+		},
+		{
+			name:  "64-chars-gets-truncated",
+			input: strings.Repeat("a", 64),
+		},
+		{
+			name:  "very-long-value-gets-truncated",
+			input: "tailscale-nginx-clickhouse-o11y-server-https-with-extra-long-suffix-that-exceeds-limit",
+		},
+		{
+			name:  "253-chars-max-k8s-resource-name",
+			input: strings.Repeat("x", 253),
+		},
+		{
+			name:  "empty-string-unchanged",
+			input: "",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := TruncateLabelValue(tt.input)
+			if len(got) > 63 {
+				t.Errorf("TruncateLabelValue(%q) = %q (len %d), exceeds 63 chars", tt.input, got, len(got))
+			}
+			if len(tt.input) <= 63 && got != tt.input {
+				t.Errorf("TruncateLabelValue(%q) = %q, want unchanged input", tt.input, got)
+			}
+			if len(tt.input) > 63 && got == tt.input {
+				t.Errorf("TruncateLabelValue(%q) was not truncated", tt.input)
+			}
+		})
+	}
+}
+
+func TestTruncateLabelValueDeterministic(t *testing.T) {
+	input := strings.Repeat("a", 100)
+	first := TruncateLabelValue(input)
+	for i := 0; i < 10; i++ {
+		got := TruncateLabelValue(input)
+		if got != first {
+			t.Fatalf("non-deterministic: got %q, want %q", got, first)
+		}
+	}
+}
+
+func TestTruncateLabelValueUniqueness(t *testing.T) {
+	// Two inputs sharing a long prefix but differing at the end should produce different outputs.
+	a := strings.Repeat("a", 100) + "-one"
+	b := strings.Repeat("a", 100) + "-two"
+	if TruncateLabelValue(a) == TruncateLabelValue(b) {
+		t.Errorf("collision: %q and %q produce the same truncated label", a, b)
+	}
+}