Mirror secret label value contains invalid '/' character (blocks #304/#310 apply) #315

New issue

Closed

opened 2026-04-28 04:53:43 +00:00 by forgejo_admin · 0 comments

forgejo_admin commented

2026-04-28 04:53:43 +00:00

Contributor

Type

Bug

Lineage

Discovered scope from operator-side make tofu-apply attempt (2026-04-26 by Ava). PR #310 introduced a mirror-of label on the new mirror secret with value basketball-api/admin-app-db-url. Tofu validate passed (syntax-OK) but k8s API rejects on apply because label values can't contain /. Bug landed unblocked because no apply was attempted between merge and now.

Repo

forgejo_admin/pal-e-platform

What Broke

tofu apply on module.database.kubernetes_secret_v1.admin_app_db_url_westside_admin fails with:

Error: metadata.0.labels ("basketball-api/admin-app-db-url") a valid label must be
an empty string or consist of alphanumeric characters, '-', '_' or '.', and must
start and end with an alphanumeric character (e.g. 'MyValue', or 'my_value', or '12345',
regex used for validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?')

Source: terraform/modules/database/main.tf line 309 — "mirror-of" = "basketball-api/admin-app-db-url". The / separator is structurally invalid for k8s label VALUES (it's only valid in the prefix of label KEYS like app.kubernetes.io/managed-by).

Repro Steps

cd ~/pal-e-platform/terraform && tofu apply (or make tofu-apply)
Apply tries to create kubernetes_secret_v1.admin_app_db_url_westside_admin
Errors with metadata.0.labels validation error citing / in basketball-api/admin-app-db-url

Expected Behavior

Apply succeeds, both secrets land (basketball-api/admin-app-db-url + westside-admin/admin-app-db-url with the mirror label).

Environment

pal-e-platform terraform/modules/database/main.tf line 309
k8s API label validation regex: (([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?
Tofu provider: kubernetes (passes validate, fails on apply)

User Story

story:admin-row-crud — As the operator running the apply that creates westside-admin's DATABASE_URL secret mirror, I need the label value to be k8s-valid so the apply doesn't fail.

Architecture

arch:postgres

Context

The label was meant to document provenance (which source secret this mirrors). Using / as a separator is intuitive but invalid in label values. Replace with . (matches the convention used in label KEYS) or remove the label entirely (the mirror-of semantic is also captured by the local.admin_app_database_url reference shared between source and mirror).

This is the second post-merge runtime gap discovered during apply (the first was salt master being down for 12 days). Worth a follow-up convention: any new k8s resource PR should include a successful tofu plan -lock=false against real state OR an explicit "apply not yet attempted" flag in the PR body so reviewers know runtime hasn't been exercised.

File Targets

terraform/modules/database/main.tf line 309 — change basketball-api/admin-app-db-url to basketball-api.admin-app-db-url

Acceptance Criteria

tofu apply succeeds on the mirror secret resource
Label mirror-of present on the resulting secret with k8s-valid value
No regression: source secret in basketball-api ns unchanged

Test Expectations

cd terraform && tofu apply proceeds past the mirror secret resource
kubectl get secret admin-app-db-url -n westside-admin --show-labels shows the new label

Constraints

Don't restructure the resource — minimum diff
Don't introduce a new label key

Checklist

Reviewed via /review-ticket
Label value fixed
Local apply re-attempted
PR opened with Closes #THIS
Merged via standard hook

Caused by: PR #310 (mirror secret addition, merged unblocked)
Blocks: pal-e-platform PR #304 apply (Job + source secret) — they're in the same plan run
Memory: feedback_verification_before_completion (PR #310's tests didn't exercise apply against k8s)

### Type Bug ### Lineage Discovered scope from operator-side `make tofu-apply` attempt (2026-04-26 by Ava). PR #310 introduced a `mirror-of` label on the new mirror secret with value `basketball-api/admin-app-db-url`. Tofu validate passed (syntax-OK) but k8s API rejects on apply because label values can't contain `/`. Bug landed unblocked because no apply was attempted between merge and now. ### Repo forgejo_admin/pal-e-platform ### What Broke `tofu apply` on `module.database.kubernetes_secret_v1.admin_app_db_url_westside_admin` fails with: ``` Error: metadata.0.labels ("basketball-api/admin-app-db-url") a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyValue', or 'my_value', or '12345', regex used for validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?') ``` Source: `terraform/modules/database/main.tf` line 309 — `"mirror-of" = "basketball-api/admin-app-db-url"`. The `/` separator is structurally invalid for k8s label VALUES (it's only valid in the prefix of label KEYS like `app.kubernetes.io/managed-by`). ### Repro Steps 1. `cd ~/pal-e-platform/terraform && tofu apply` (or `make tofu-apply`) 2. Apply tries to create `kubernetes_secret_v1.admin_app_db_url_westside_admin` 3. Errors with `metadata.0.labels` validation error citing `/` in `basketball-api/admin-app-db-url` ### Expected Behavior Apply succeeds, both secrets land (basketball-api/admin-app-db-url + westside-admin/admin-app-db-url with the mirror label). ### Environment - pal-e-platform `terraform/modules/database/main.tf` line 309 - k8s API label validation regex: `(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?` - Tofu provider: `kubernetes` (passes validate, fails on apply) ### User Story story:admin-row-crud — As the operator running the apply that creates westside-admin's DATABASE_URL secret mirror, I need the label value to be k8s-valid so the apply doesn't fail. ### Architecture arch:postgres ### Context The label was meant to document provenance (which source secret this mirrors). Using `/` as a separator is intuitive but invalid in label values. Replace with `.` (matches the convention used in label KEYS) or remove the label entirely (the `mirror-of` semantic is also captured by the `local.admin_app_database_url` reference shared between source and mirror). This is the second post-merge runtime gap discovered during apply (the first was salt master being down for 12 days). Worth a follow-up convention: any new k8s resource PR should include a successful `tofu plan -lock=false` against real state OR an explicit "apply not yet attempted" flag in the PR body so reviewers know runtime hasn't been exercised. ### File Targets - `terraform/modules/database/main.tf` line 309 — change `basketball-api/admin-app-db-url` to `basketball-api.admin-app-db-url` ### Acceptance Criteria - [ ] `tofu apply` succeeds on the mirror secret resource - [ ] Label `mirror-of` present on the resulting secret with k8s-valid value - [ ] No regression: source secret in basketball-api ns unchanged ### Test Expectations - `cd terraform && tofu apply` proceeds past the mirror secret resource - `kubectl get secret admin-app-db-url -n westside-admin --show-labels` shows the new label ### Constraints - Don't restructure the resource — minimum diff - Don't introduce a new label key ### Checklist - [ ] Reviewed via /review-ticket - [ ] Label value fixed - [ ] Local apply re-attempted - [ ] PR opened with `Closes #THIS` - [ ] Merged via standard hook ### Related - Caused by: PR #310 (mirror secret addition, merged unblocked) - Blocks: pal-e-platform PR #304 apply (Job + source secret) — they're in the same plan run - Memory: `feedback_verification_before_completion` (PR #310's tests didn't exercise apply against k8s)