fix: make possible mutate provider-id

We should allow changing the Provider ID string in CCM.
And add label key/value validation.

Signed-off-by: Serge Logvinov <[email protected]>

pkg/talos/instances.go

@@ -84,14 +84,14 @@ func (i *instances) InstanceMetadata(ctx context.Context, node *v1.Node) (*cloud
 
 		klog.V(5).Infof("instances.InstanceMetadata() resource: %+v", meta)
 
-		providerID := meta.ProviderID
-		if providerID == "" {
-			providerID = fmt.Sprintf("%s://%s/%s", ProviderName, meta.Platform, nodeIP)
+		if meta.ProviderID == "" {
+			meta.ProviderID = fmt.Sprintf("%s://%s/%s", ProviderName, meta.Platform, nodeIP)
 		}
 
 		// Fix for Azure, resource group name must be lower case.
+		// Since Talos 1.8 fixed it, we can remove this code in the future.
 		if meta.Platform == "azure" {
-			providerID, err = platform.AzureConvertResourceGroupNameToLower(providerID)
+			meta.ProviderID, err = platform.AzureConvertResourceGroupNameToLower(meta.ProviderID)
 			if err != nil {
 				return nil, fmt.Errorf("error converting resource group name to lower case: %w", err)
 			}
@@ -149,7 +149,7 @@ func (i *instances) InstanceMetadata(ctx context.Context, node *v1.Node) (*cloud
 		}
 
 		return &cloudprovider.InstanceMetadata{
-			ProviderID:    providerID,
+			ProviderID:    meta.ProviderID,
 			InstanceType:  meta.InstanceType,
 			NodeAddresses: addresses,
 			Zone:          meta.Zone,

pkg/transformer/transformer.go

@@ -11,6 +11,8 @@ import (
 
 	"github.com/siderolabs/talos-cloud-controller-manager/pkg/nodeselector"
 	"github.com/siderolabs/talos/pkg/machinery/resources/runtime"
+
+	"k8s.io/apimachinery/pkg/util/validation"
 )
 
 // NodeTerm represents expressions and fields to transform node metadata.
@@ -39,6 +41,8 @@ type NodeFeaturesFlagSpec struct {
 var prohibitedPlatformMetadataKeys = []string{"hostname", "platform"}
 
 // TransformNode transforms the node metadata based on the node transformation rules.
+//
+//nolint:gocyclo,cyclop
 func TransformNode(terms []NodeTerm, platformMetadata *runtime.PlatformMetadataSpec) (*NodeSpec, error) {
 	if len(terms) == 0 {
 		return nil, nil
@@ -65,6 +69,10 @@ func TransformNode(terms []NodeTerm, platformMetadata *runtime.PlatformMetadataS
 						return nil, fmt.Errorf("failed to transformer annotation '%q': %w", k, err)
 					}
 
+					if errs := validation.IsQualifiedName(k); len(errs) != 0 {
+						return nil, fmt.Errorf("invalid annotation name %q: %v", k, errs)
+					}
+
 					node.Annotations[k] = t
 				}
 			}
@@ -76,6 +84,14 @@ func TransformNode(terms []NodeTerm, platformMetadata *runtime.PlatformMetadataS
 						return nil, fmt.Errorf("failed to transformer label '%s': %w", k, err)
 					}
 
+					if errs := validation.IsQualifiedName(k); len(errs) != 0 {
+						return nil, fmt.Errorf("invalid label name %q: %v", k, errs)
+					}
+
+					if errs := validation.IsValidLabelValue(t); len(errs) != 0 {
+						return nil, fmt.Errorf("invalid label value %q: %v", t, errs)
+					}
+
 					node.Labels[k] = t
 				}
 			}

pkg/transformer/transformer_test.go

@@ -117,7 +117,7 @@ func TestMatch(t *testing.T) {
 				{
 					Name: "my-transformer",
 					Labels: map[string]string{
-						"label-template": "my-value-{{ .Spot }}-{{ .Zone }}",
+						"label-template": "my-value-{{ .Spot }}-{{ .Zone }}a",
 					},
 				},
 			},
@@ -128,7 +128,7 @@ func TestMatch(t *testing.T) {
 			expected: &transformer.NodeSpec{
 				Annotations: map[string]string{},
 				Labels: map[string]string{
-					"label-template": "my-value-false-",
+					"label-template": "my-value-false-a",
 				},
 			},
 		},
@@ -233,6 +233,22 @@ func TestMatch(t *testing.T) {
 				Zone:     "us-west1",
 			},
 		},
+		{
+			name: "Transform labels with bad label name",
+			terms: []transformer.NodeTerm{
+				{
+					Name: "my-transformer",
+					Labels: map[string]string{
+						"-template": "my-value",
+					},
+				},
+			},
+			metadata: runtime.PlatformMetadataSpec{
+				Platform: "test-platform",
+				Hostname: "test-hostname",
+			},
+			expectedError: fmt.Errorf("invalid label name \"-template\": [name part must consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')]"), //nolint:lll
+		},
 	} {
 		t.Run(tt.name, func(t *testing.T) {
 			node, err := transformer.TransformNode(tt.terms, &tt.metadata)