fix(controller): use '.' not '/' in mirrored-from label value#229
Merged
Conversation
Kubernetes label values cannot contain '/' (only label keys may use the 'prefix/name' form). The mirror_configmap / mirror_secret helpers built the value as '<kind>/<name>'.lower(), which K8s rejected with: ConfigMap "toolpolicy-<sandbox>-<ref>-profile" is invalid: metadata.labels: Invalid value: "toolpolicy/toolpolicy-...-profile" This blocked the entire ClawSandbox reconcile (no sandbox pod created, WebUI port-forward target absent), surfaced on launch-eve via 'azureclaw up' on a fresh sandbox. Switch separator to '.' (allowed in label values per the regex '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?') and add a doc comment on MIRROR_OWNER_LABEL to prevent regression. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
pallakatos
added a commit
that referenced
this pull request
May 12, 2026
Kubernetes label values cannot contain '/' (only label keys may use the 'prefix/name' form). The mirror_configmap / mirror_secret helpers built the value as '<kind>/<name>'.lower(), which K8s rejected with: ConfigMap "toolpolicy-<sandbox>-<ref>-profile" is invalid: metadata.labels: Invalid value: "toolpolicy/toolpolicy-...-profile" This blocked the entire ClawSandbox reconcile (no sandbox pod created, WebUI port-forward target absent), surfaced on launch-eve via 'azureclaw up' on a fresh sandbox. Switch separator to '.' (allowed in label values per the regex '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?') and add a doc comment on MIRROR_OWNER_LABEL to prevent regression. Co-authored-by: Pal Lakatos-Toth <pallakatos@github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
azureclaw upon a fresh sandbox failed with the controller stuck reconciling, no sandbox pod created, WebUI port-forward target absent. Controller log:Root cause
mirror_configmap/mirror_secretinreconciler/governance_mounts.rsbuilt theazureclaw.azure.com/mirrored-fromlabel value as<kind>/<name>. K8s allows/only in label keys (as a prefix), never in values.Fix
Switch separator to
.(allowed in label values). Doc-commentMIRROR_OWNER_LABELso this stays put.Test
cargo test --package azureclaw-controller governance_mounts— all 5 mount tests still pass. No test asserted the/format (no consumer parses this label value).CI gap
Same class as #226 / #227: no integration test runs the patch against a real or fake apiserver, so K8s validation rules never fire on builders. Tracked for post-launch (CRD/object schema validation in
npm test+ Rust integration test for ConfigMap mirror).Co-authored-by: Copilot 223556219+Copilot@users.noreply.github.com