fix: truncate proposal name in label values to 63 chars

[tremes]

The operator uses proposal.Name directly as a Kubernetes label value (agentic.openshift.io/proposal) when creating result CRs, RBAC resources, sandbox pods, and SandboxClaim CRs. Kubernetes label values are limited to 63 characters, so names exceeding this limit cause resource creation failures.

Apply truncateK8sName() to proposalName in all four label-setting locations as defense in depth.

Assisted-by: Claude Code:claude-opus-4-6

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 80198b3a-c05f-45fa-b1a4-f4b7f6ea35d8

📥 Commits

Reviewing files that changed from the base of the PR and between 2bfc16f and 5243949.

📒 Files selected for processing (8)

• controller/proposal/bare_pod_manager.go
• controller/proposal/bare_pod_manager_test.go
• controller/proposal/rbac.go
• controller/proposal/rbac_test.go
• controller/proposal/results.go
• controller/proposal/results_test.go
• controller/proposal/sandbox.go
• controller/proposal/sandbox_test.go

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• openshift/lightspeed-agentic-sandbox (manual)

---

📝 Walkthrough

Summary by CodeRabbit

Release Notes

• Bug Fixes
  • Proposal names exceeding system naming limits are now automatically truncated to meet Kubernetes naming requirements, ensuring consistent behavior and preventing potential issues across resource creation and management operations.

Walkthrough

truncateK8sName is updated to strip trailing -, ., and _ characters (previously only -) after the 63-character cut. The LabelProposal label value is switched from the raw proposal name to truncateK8sName(proposalName) in rbacLabels, BarePodManager.Claim, resultLabels, and SandboxManager.buildClaim. Tests are added for each site.

Changes

LabelProposal truncation

Layer / File(s)	Summary
truncateK8sName helper: strip trailing -._ controller/proposal/rbac.go, controller/proposal/rbac_test.go	truncateK8sName now trims trailing -, ., _ after the 63-char cut. rbacLabels applies it to LabelProposal. Test table gains dot, underscore, and mixed-suffix cases; TestRBACLabels_TruncatesLongProposalName asserts the exact 63-char value.
Apply truncation to BarePodManager, resultLabels, buildClaim controller/proposal/bare_pod_manager.go, controller/proposal/bare_pod_manager_test.go, controller/proposal/results.go, controller/proposal/results_test.go, controller/proposal/sandbox.go, controller/proposal/sandbox_test.go	Each remaining construction site switches LabelProposal to truncateK8sName(proposalName). Each has a corresponding test asserting the label is ≤ 63 characters with the expected truncated value.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 14.29% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: truncating proposal names in label values to 63 characters, which is the core fix across all four locations.
Description check	✅ Passed	The description clearly explains the problem (63-character Kubernetes label limit), the solution (apply truncateK8sName to all four label-setting locations), and the rationale (defense in depth).
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign blublinsky for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[harche]

This is really about the truncateK8sName helper a few lines up (around line 216) rather than this line exactly, but it's the same concern this PR is fixing so I'll flag it here.

The helper does strings.TrimRight(name[:63], "-"), which only strips a trailing -. Since a Proposal is namespaced, its metadata.name is a DNS-1123 subdomain, so it can also contain ., and a few of the derived names mix in _. A label value has to start and end with an alphanumeric, so if the 63 byte cut happens to land right after a . or _, we'd still produce an invalid label value and hit the exact failure this PR is trying to prevent.

Could we widen the cutset to cover all of them?

name = strings.TrimRight(name[:63], "-._")

Because TrimRight takes a cutset, this cleans up any trailing run of those characters, which is the full set that's legal in the middle of a name but not at the boundary.

It might also be worth adding a truncation test case that ends on one of these, something like strings.Repeat("a", 62) + ".bb", since the current Repeat("a", 80) inputs never exercise a trailing non alphanumeric, so the new behavior would otherwise ship without coverage.

[openshift-ci]

@tremes: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.