
fix: fqdn to allow secret names bigger than 92 characters (#4955)

Signed-off-by: Gustavo Carvalho <gustavo@externalsecrets.com>
Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Gustavo Fernandes de Carvalho 11 months ago
parent
commit
c2d41d8965

+ 6 - 5
pkg/controllers/externalsecret/externalsecret_controller.go

@@ -62,7 +62,8 @@ import (
 )
 
 const (
-	fieldOwnerTemplate = "externalsecrets.external-secrets.io/%v"
+	fieldOwnerTemplate    = "externalsecrets.external-secrets.io/%v"
+	fieldOwnerTemplateSha = "externalsecrets.external-secrets.io/sha3/%x"
 
 	// condition messages for "SecretSynced" reason.
 	msgSynced       = "secret synced"
@@ -233,7 +234,7 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (result ct
 	// if the secret exists but does not have the "managed" label, add the label
 	// using a PATCH so it is visible in the cache, then requeue immediately
 	if secretPartial.UID != "" && secretPartial.Labels[esv1.LabelManaged] != esv1.LabelManagedValue {
-		fqdn := fmt.Sprintf(fieldOwnerTemplate, externalSecret.Name)
+		fqdn := fqdnFor(externalSecret.Name)
 		patch := client.MergeFrom(secretPartial.DeepCopy())
 		if secretPartial.Labels == nil {
 			secretPartial.Labels = make(map[string]string)
@@ -630,7 +631,7 @@ func (r *Reconciler) deleteOrphanedSecrets(ctx context.Context, externalSecret *
 
 // createSecret creates a new secret with the given mutation function.
 func (r *Reconciler) createSecret(ctx context.Context, mutationFunc func(secret *v1.Secret) error, es *esv1.ExternalSecret, secretName string) error {
-	fqdn := fmt.Sprintf(fieldOwnerTemplate, es.Name)
+	fqdn := fqdnFor(es.Name)
 
 	// define and mutate the new secret
 	newSecret := &v1.Secret{
@@ -658,7 +659,7 @@ func (r *Reconciler) createSecret(ctx context.Context, mutationFunc func(secret
 }
 
 func (r *Reconciler) updateSecret(ctx context.Context, existingSecret *v1.Secret, mutationFunc func(secret *v1.Secret) error, es *esv1.ExternalSecret, secretName string) error {
-	fqdn := fmt.Sprintf(fieldOwnerTemplate, es.Name)
+	fqdn := fqdnFor(es.Name)
 
 	// fail if the secret does not exist
 	// this should never happen because we check this before calling this function
@@ -754,7 +755,7 @@ func getManagedFieldKeys(
 	fieldOwner string,
 	process func(fields map[string]any) []string,
 ) ([]string, error) {
-	fqdn := fmt.Sprintf(fieldOwnerTemplate, fieldOwner)
+	fqdn := fqdnFor(fieldOwner)
 	var keys []string
 	for _, v := range secret.ObjectMeta.ManagedFields {
 		if v.Manager != fqdn {

+ 13 - 0
pkg/controllers/externalsecret/util.go

@@ -15,6 +15,9 @@ limitations under the License.
 package externalsecret
 
 import (
+	"crypto/sha3"
+	"fmt"
+
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
@@ -79,3 +82,13 @@ func filterOutCondition(conditions []esv1.ExternalSecretStatusCondition, condTyp
 	}
 	return newConditions
 }
+
+func fqdnFor(name string) string {
+	fqdn := fmt.Sprintf(fieldOwnerTemplate, name)
+	// If secret name is just too big, use the SHA3 hash of the secret name
+	// Done this way for backwards compatibility thus avoiding breaking changes
+	if len(fqdn) > 63 {
+		fqdn = fmt.Sprintf(fieldOwnerTemplateSha, sha3.Sum224([]byte(name)))
+	}
+	return fqdn
+}
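Review bot: fqdnFor switches to the hashed form when `len(fqdn) > 63`, i.e. the full "externalsecrets.external-secrets.io/<name>" string (36-byte prefix plus the name), while the copy of this logic in pkg/controllers/templating/parser.go (same commit, the getManagedFieldKeys hunk) tests `len(fieldOwner) > 63`, the bare name. For any ExternalSecret name between 28 and 63 characters the controller therefore writes managed fields under the sha3 manager string while the templating parser looks for the plain one, so its `v.Manager != fqdn` comparison never matches and it reports no owned keys for that secret. The two sites should measure the same quantity; the smallest change is `if len(fqdn) > 63 {` in parser.go, though sharing one helper instead of two copies of the constant and the check would stop them drifting again. Note also that the fallback string (41-byte prefix plus 56 hex bytes of a SHA3-224 digest) is 97 bytes, so if 63 is meant as a limit on the manager string the fallback does not satisfy it either, and if it is a name-length budget then the parser.go form looks like the intended one — worth stating in a doc comment such as `// fqdnFor returns the field-manager name for an ExternalSecret; names whose plain form would exceed 63 bytes are replaced by a SHA3-224 digest so that existing plain-form managers stay valid.` Using the stdlib crypto/sha3 package presumably also requires a go.mod Go version that ships it; that file is not in this diff.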

+ 7 - 0
pkg/controllers/templating/parser.go

@@ -16,6 +16,7 @@ package templating
 
 import (
 	"context"
+	"crypto/sha3"
 	"encoding/json"
 	"fmt"
 	"strings"
@@ -29,6 +30,7 @@ import (
 )
 
 const fieldOwnerTemplate = "externalsecrets.external-secrets.io/%v"
+const fieldOwnerTemplateSha = "externalsecrets.external-secrets.io/sha3/%x"
 
 var (
 	errTplCMMissingKey  = "error in configmap %s: missing key %s"
@@ -222,7 +224,12 @@ func getManagedFieldKeys(
 	fieldOwner string,
 	process func(fields map[string]any) []string,
 ) ([]string, error) {
+	// If secret name is just too big, use the SHA3 hash of the secret name
+	// Done this way for backwards compatibility thus avoiding breaking changes
 	fqdn := fmt.Sprintf(fieldOwnerTemplate, fieldOwner)
+	if len(fieldOwner) > 63 {
+		fqdn = fmt.Sprintf(fieldOwnerTemplateSha, sha3.Sum224([]byte(fieldOwner)))
+	}
 	var keys []string
 	for _, v := range secret.ObjectMeta.ManagedFields {
 		if v.Manager != fqdn {