fix: limit the trigger name to a maximum of 63 characters for mutate existing rules (#9162) (#9195)

* fix: limit the trigger name to a maximum of 63 characters for mutate existing rules



* fix chainsaw test



---------

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Co-authored-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

pkg/background/common/labels.go

@@ -43,7 +43,7 @@ func MutateLabelsSet(policyKey string, trigger Object) pkglabels.Set {
 	}
 	isNil := trigger == nil || (reflect.ValueOf(trigger).Kind() == reflect.Ptr && reflect.ValueOf(trigger).IsNil())
 	if !isNil {
-		set[kyvernov1beta1.URMutateTriggerNameLabel] = trigger.GetName()
+		set[kyvernov1beta1.URMutateTriggerNameLabel] = trimByLength(trigger.GetName(), 63)
 		set[kyvernov1beta1.URMutateTriggerNSLabel] = trigger.GetNamespace()
 		set[kyvernov1beta1.URMutateTriggerKindLabel] = trigger.GetKind()
 		if trigger.GetAPIVersion() != "" {
@@ -102,3 +102,10 @@ func TriggerInfo(labels map[string]string, obj unstructured.Unstructured) {
 func TagSource(labels map[string]string, obj Object) {
 	labels[GenerateTypeCloneSourceLabel] = ""
 }
+
+func trimByLength(value string, character int) string {
+	if len(value) > character {
+		return value[0:character]
+	}
+	return value
+}

test/conformance/chainsaw/mutate/clusterpolicy/cornercases/trigger-name-exceeds-63-characters/README.md

@@ -0,0 +1,11 @@
+## Description
+
+This test ensures that mutation is applied when the trigger name exceeds 63 characters.
+
+## Expected Behavior
+
+If the target resource is mutated, the test passes. If it is not mutated, the test fails.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/9134

test/conformance/chainsaw/mutate/clusterpolicy/cornercases/trigger-name-exceeds-63-characters/chainsaw-test.yaml

@@ -0,0 +1,32 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: trigger-name-exceeds-63-characters
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: secret.yaml
+    - assert:
+        file: secret-assert.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: configmap.yaml
+    - assert:
+        file: configmap-assert.yaml
+  - name: step-03
+    try:
+    - apply:
+        file: policy.yaml
+    - assert:
+        file: policy-assert.yaml
+  - name: step-04
+    try:
+    - apply:
+        file: update-secret.yaml
+  - name: step-05
+    try:
+    - assert:
+        file: patched-configmap.yaml

test/conformance/chainsaw/mutate/clusterpolicy/cornercases/trigger-name-exceeds-63-characters/configmap-assert.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cm-1
+  namespace: default

test/conformance/chainsaw/mutate/clusterpolicy/cornercases/trigger-name-exceeds-63-characters/configmap.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cm-1
+  namespace: default
+data:
+  fookey: fakeval

test/conformance/chainsaw/mutate/clusterpolicy/cornercases/trigger-name-exceeds-63-characters/patched-configmap.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cm-1
+  namespace: default
+  labels: 
+    foo: bar
+data:
+  fookey: fakeval

test/conformance/chainsaw/mutate/clusterpolicy/cornercases/trigger-name-exceeds-63-characters/policy-assert.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: trigger-deployment-restarts
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/chainsaw/mutate/clusterpolicy/cornercases/trigger-name-exceeds-63-characters/policy.yaml

@@ -0,0 +1,30 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: trigger-deployment-restarts
+spec:
+  mutateExistingOnPolicyUpdate: false
+  rules:
+    - name: trigger-deployment-restarts
+      match:
+        any:
+          - resources:
+              kinds:
+                - Secret
+              names:
+                - my-secret-123456789-123456789-123456789-123456789-123456789-123456789-123456789-123456789-123456789-123456789-123456789
+              namespaces:
+                - default
+              operations:
+                - CREATE
+                - UPDATE
+      mutate:
+        targets:
+          - apiVersion: v1
+            kind: ConfigMap
+            namespace: default
+            name: cm-1
+        patchStrategicMerge:
+          metadata:
+            labels:
+              foo: bar

test/conformance/chainsaw/mutate/clusterpolicy/cornercases/trigger-name-exceeds-63-characters/secret-assert.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: my-secret-123456789-123456789-123456789-123456789-123456789-123456789-123456789-123456789-123456789-123456789-123456789
+  namespace: default

test/conformance/chainsaw/mutate/clusterpolicy/cornercases/trigger-name-exceeds-63-characters/secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: my-secret-123456789-123456789-123456789-123456789-123456789-123456789-123456789-123456789-123456789-123456789-123456789
+  namespace: default
+type: Opaque
+stringData:
+  my_key: "my_value"

test/conformance/chainsaw/mutate/clusterpolicy/cornercases/trigger-name-exceeds-63-characters/update-secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: my-secret-123456789-123456789-123456789-123456789-123456789-123456789-123456789-123456789-123456789-123456789-123456789
+  namespace: default
+type: Opaque
+stringData:
+  my_key: "my_value"