Valid Semver 2.0 not compatible with kubernetes labels

[itay-grudev]

What happened?

Semver is allowed to have the following syntax: 1.2.3+45, where 45 is the build number. We are using this versioning approach, and when we tried to put that into the app.kubernetes.io/version label we got the following error:

a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyValue',  or 'my_value',  or '12345', regex used for validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?')

I think this is a slight oversight and I think the regex there should be extended to:

(([A-Za-z0-9][-A-Za-z0-9_+.]*)?[A-Za-z0-9])?
                         ^ plus sign added here

From what I understand adding support for a + character doesn't have any additional implications and should be safe.

What did you expect to happen?

I expected that a valid Semver is accepted as a label value.

How can we reproduce it (as minimally and precisely as possible)?

Add the following K8s label to any object:

metadata:
  labels:
    app.kubernetes.io/version: 1.2.3+45

Example:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: test
  labels:
    app.kubernetes.io/version: 1.2.3+45

Kubernetes version

Client Version: version.Info{Major:"1", Minor:"26", GitVersion:"v1.26.0", GitCommit:"b46a3f887ca979b1a5d14fd39cb1af43e7e5d12d", GitTreeState:"clean", BuildDate:"2022-12-09T16:23:44Z", GoVersion:"go1.19.4", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v4.5.7
Server Version: version.Info{Major:"1", Minor:"24+", GitVersion:"v1.24.8-eks-ffeb93d", GitCommit:"abb98ec0631dfe573ec5eae40dc48fd8f2017424", GitTreeState:"clean", BuildDate:"2022-11-29T18:45:03Z", GoVersion:"go1.18.8", Compiler:"gc", Platform:"linux/amd64"}

Cloud provider

AWS EKS

OS version

Bottlerocket OS 1.11.1 (aws-k8s-1.24)

[k8s-ci-robot]

@itay-grudev: This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[neolit123]

/sig architecture api-machinery

[sftim]

What version of SemVer are you using @itay-grudev?

[sftim]

If we relax the restriction on labels (see https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set), we might need to update lots of software in the ecosystem with the new definition of what characters are valid.

[sftim]

We could also perhaps define a new annotation (not label) such as app.kubernetes.io/semantic-version-1.0 and app.kubernetes.io/semantic-version-2.0, and encourage people to use these.

[itay-grudev]

What version of SemVer are you using @itay-grudev?

@sftim, AFAIK the +build_number was introduced in Semver 2.0, which is the version we are following.

[liggitt]

I think the odds of expanding the label value character set are low. @sftim's comment about there being many distributed components / software that would not understand/expect the expanded characters is accurate. As a simple example, label values read from the API today do not contain any characters that require URL-encoding, so a labelSelector query could be constructed directly using a validated label value. With the addition of a + character, that would no longer be true.

[sftim]

What do people think about the annotation idea?

[cici37]

/remove-sig api-machinery

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle rotten
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[itay-grudev]

@sftim I think using annotations instead is a good solution.

/remove-lifecycle rotten

[na-jakobs]

@itay-grudev @sftim This is needed to support the SemVer standard. Any news on this?

[sftim]

/uncc

I'm not tracking this work.

[na-jakobs]

Can the regex be updated to support the industry standard https://semver.org/spec/v2.0.0.html ?

Error: unable to upgrade <app>: pre-upgrade hooks failed: warning: Hook pre-upgrade
deployment/templates/imagepull-secrets.yaml failed: 1 error occurred:
	* Secret "ghcr.io" is invalid: [metadata.labels: Invalid value: "5.0.1-RC.1+GCP": a valid label
	must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and
	end with an alphanumeric character (e.g. 'MyValue',  or 'my_value',  or '12345', regex used for
	validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?'), metadata.labels: Invalid
	value: "deployment-5.0.1-RC.1+GCP": a valid label must be an empty string or consist of alphanumeric
	characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyValue', 
	or 'my_value',  or '12345', regex used for validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?')]

edit: the new annotation would be a nice way to implement this

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[itay-grudev]

/remove-lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale