Description
What happened?
When using the connectors Helm chart, .Values.deployment.annotations will be included in the rendered deployment labels. Because labels and annotations have different validation rules, this can lead to manifests that get rejected by the Kubernetes API.
Specific example:
❯ cat myvalues.yaml
deployment:
  annotations:
    "vault.security.banzaicloud.io/mutate-probes": "true"
    "vault.security.banzaicloud.io/vault-addr": "https://vault.mycompany.com"
    "vault.security.banzaicloud.io/vault-env-daemon": "true"
produces (abbreviated for clarity)
❯ helm template connectors/ -f myvalues.yaml
---
# Source: connectors/templates/entry-point.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  creationTimestamp: null
  labels:
    app.kubernetes.io/component: connectors
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: connectors
    helm.sh/chart: connectors-0.1.14
    vault.security.banzaicloud.io/mutate-probes: "true"
    vault.security.banzaicloud.io/vault-addr: https://vault.mycompany.com
    vault.security.banzaicloud.io/vault-env-daemon: "true"
  name: release-name-connectors
spec:
which will lead to
The Deployment "release-name-connectors" is invalid: metadata.labels: Invalid value: "https://vault.mycompany.com": a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyValue', or 'my_value', or '12345', regex used for validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?')
What did you expect to happen?
Annotations and labels should be handled separately. Given that there is no field currently for labels on deployments, I would expect the template to use the commonLabels on deployments and deployments.annotations as annotations.
How can we reproduce it (as minimally and precisely as possible)?. Please include values file.
deployment:
  annotations:
    "vault.security.banzaicloud.io/mutate-probes": "true"
    "vault.security.banzaicloud.io/vault-addr": "https://vault.mycompany.com"
    "vault.security.banzaicloud.io/vault-env-daemon": "true"
Anything else we need to know?
Assuming that the issue was here, I did a quick scan and want to conjecture that the issue is on line 97 (at least today):
Labels: helmette.Merge(FullLabels(dot), values.Deployment.Annotations),
I'm not prepared to spend any more time to test or provide a PR, but it might be a good place to start if anyone else looks at this.
Which are the affected charts?
Connectors
Chart Version(s)
Cloud provider
JIRA Link: K8S-599
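The failure reported above can be caught before a manifest reaches the API server. The following is an added example, not code from the chart or its authors: it checks label values against the pattern quoted in the error message plus the 63-character label value limit, using data copied from this issue. The names InvalidLabelValues and mergeMaps are hypothetical, and label keys are not validated here.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// Label-value pattern quoted in the API server error in this issue, anchored.
var labelValueRe = regexp.MustCompile(`^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$`)

// InvalidLabelValues returns, sorted, the keys whose values fail label validation.
func InvalidLabelValues(labels map[string]string) []string {
	bad := []string{}
	for k, v := range labels {
		if len(v) > 63 || !labelValueRe.MatchString(v) {
			bad = append(bad, k)
		}
	}
	sort.Strings(bad)
	return bad
}

// mergeMaps is a hypothetical stand-in for the merge in the quoted source line.
func mergeMaps(ms ...map[string]string) map[string]string {
	out := map[string]string{}
	for _, m := range ms {
		for k, v := range m {
			out[k] = v
		}
	}
	return out
}

// Subset of the chart labels and the annotations from the values file in this issue.
var chartLabels = map[string]string{
	"app.kubernetes.io/name":       "connectors",
	"app.kubernetes.io/managed-by": "Helm",
	"helm.sh/chart":                "connectors-0.1.14",
}

var userAnnotations = map[string]string{
	"vault.security.banzaicloud.io/mutate-probes":    "true",
	"vault.security.banzaicloud.io/vault-addr":       "https://vault.mycompany.com",
	"vault.security.banzaicloud.io/vault-env-daemon": "true",
}

func main() {
	merged := mergeMaps(chartLabels, userAnnotations)
	fmt.Println(InvalidLabelValues(merged), InvalidLabelValues(chartLabels))
}
```

Annotation values are not subject to this pattern, so the same three entries are accepted when rendered under metadata.annotations.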