fix(sdk): validate labels in SetLabel to prevent retry loops

[rajanarahul93]

/kind bug

What this PR does / Why we need it:
This PR adds early validation to the SDK sidecar SetLabel RPC to prevent invalid Kubernetes labels from being enqueued and retried indefinitely.

Previously, SetLabel accepted any key/value pair and queued it for synchronization. When the label was invalid (for example, containing spaces), the Kubernetes API server rejected the update. Because the failure was deterministic, the SDK worker queue retried forever, resulting in a retry loop and blocking subsequent label updates.

This change validates label keys and values up front using Kubernetes validation rules and returns a clear InvalidArgument gRPC error to the client, avoiding unnecessary retries and improving debuggability.

Which issue(s) this PR fixes:
Closes #4385

Special notes for your reviewer:
This PR intentionally limits its scope to SetLabel, as described in the linked issue.
A similar validation pattern may also apply to SetAnnotation, but that is left out here to keep the fix minimal and focused.

[lacroixthomas]

/gcbrun

[lacroixthomas]

Hi @rajanarahul93,
Thanks for the contribution !

I've put a minor change, but will need confirmation first

[lacroixthomas]

Even though that seems totally valid, I wonder if we should not use errors.Errorf instead, to be consistent with the rest of the code ? 🤔 @markmandel

[markmandel]

You know - I'm not against it. But it does mean this method could return a 4xx rather than a 5xx like in most (all?) other cases.

I'm almost wondering if we should create a ticket to go back and make our grpc errors proper gRPC errors. The only thing I can think it might break is manual REST implementations that expect a 500 response in some way. WDYT?

[agones-bot]

Build Succeeded 🥳

Build Id: ef21dadb-64dc-41b3-b0df-79a0ff209b94

The following development artifacts have been built, and will exist for the next 30 days:

• image: us-docker.pkg.dev/agones-images/ci/agones-controller:1.55.0-dev-cf25183
• image: us-docker.pkg.dev/agones-images/ci/agones-extensions:1.55.0-dev-cf25183
• image: us-docker.pkg.dev/agones-images/ci/agones-sdk:1.55.0-dev-cf25183-linux
• image: us-docker.pkg.dev/agones-images/ci/agones-ping:1.55.0-dev-cf25183
• image: us-docker.pkg.dev/agones-images/ci/agones-allocator:1.55.0-dev-cf25183
• image: us-docker.pkg.dev/agones-images/ci/agones-processor:1.55.0-dev-cf25183
• Linux C++ SDK (build): agonessdk-1.55.0-dev-cf25183-linux-arch_64.tar.gz
• SDK Server: agonessdk-server-1.55.0-dev-cf25183.zip

A preview of the website (the last 30 builds are retained):

• https://cf25183-dot-preview-dot-agones-images.appspot.com/

To install this version:

git fetch https://github.com/googleforgames/agones.git pull/4386/head:pr_4386 && git checkout pr_4386
helm install agones ./install/helm/agones --namespace agones-system --set agones.image.registry=us-docker.pkg.dev/agones-images/ci --set agones.image.tag=1.55.0-dev-cf25183

[rajanarahul93]

Good question, thanks for raising it!

I used status.Errorf(codes.InvalidArgument, ...) intentionally here so that the SDK returns a proper gRPC InvalidArgument error, which is translated by the grpc-gateway into an HTTP 400 response for REST clients.

Using errors.Errorf would result in a generic gRPC error (codes.Unknown), which would map to an HTTP 500 and wouldn’t reflect a client-side validation failure.

Happy to adjust if there’s a preferred pattern for returning gRPC status errors elsewhere in the SDK.

[lacroixthomas]

Hey ! @rajanarahul93
I don't see any issues to return the status code from gRPC, it would indeed give more feedback for the user, would make things clearer
I was checking the sdks (./sdks/*) and they seems to be all fine as well they already returns the error as expected (from what I see, nothing to change / no breaking changes)

I don't know what you think about it @markmandel but I'm fine with it, LGTM, but if you're also good with it, I'll create some issues to ensure the other functions from the sdkServers also returns gRPC status code to be consistent (and also give more context / proper status code for the user)

/gcbrun

[markmandel]

Hey ! @rajanarahul93
I don't see any issues to return the status code from gRPC, it would indeed give more feedback for the user, would make things clearer
I was checking the sdks (./sdks/*) and they seems to be all fine as well they already returns the error as expected (from what I see, nothing to change / no breaking changes)

That's a fair point. I should go look, but I'm willing to bet that most SDK methods don't even return errors ever? Or if they do, it's very rare. Pretty much everything goes straight into a worker queue. So this shouldn't be a big breaking change really.

(Totally on mobile and haven't looked at the code at all 🙂)

[lacroixthomas]

From what I've seen, they only returns go errors (even for invalidArguments - which is why I think we can create issues to improve the other ones as well), but the SDKs either returns it directly or wrap the errors (depending of the language - most of them don't return any errors indeed), I can only see benefit from it, and in term of breaking changes, I only see improvements of the error handling, for the SetLabels from this PR, it was previously returning no errors at all

(No pressure at all, was only going through some PR reviews 😄)

[agones-bot]

Build Succeeded 🥳

Build Id: 47e2143e-7dd3-4282-9bca-3b8da6456159

The following development artifacts have been built, and will exist for the next 30 days:

• image: us-docker.pkg.dev/agones-images/ci/agones-controller:1.55.0-dev-d8ede0b
• image: us-docker.pkg.dev/agones-images/ci/agones-extensions:1.55.0-dev-d8ede0b
• image: us-docker.pkg.dev/agones-images/ci/agones-sdk:1.55.0-dev-d8ede0b-linux
• image: us-docker.pkg.dev/agones-images/ci/agones-ping:1.55.0-dev-d8ede0b
• image: us-docker.pkg.dev/agones-images/ci/agones-allocator:1.55.0-dev-d8ede0b
• image: us-docker.pkg.dev/agones-images/ci/agones-processor:1.55.0-dev-d8ede0b
• Linux C++ SDK (build): agonessdk-1.55.0-dev-d8ede0b-linux-arch_64.tar.gz
• SDK Server: agonessdk-server-1.55.0-dev-d8ede0b.zip

A preview of the website (the last 30 builds are retained):

• https://d8ede0b-dot-preview-dot-agones-images.appspot.com/

To install this version:

git fetch https://github.com/googleforgames/agones.git pull/4386/head:pr_4386 && git checkout pr_4386
helm install agones ./install/helm/agones --namespace agones-system --set agones.image.registry=us-docker.pkg.dev/agones-images/ci --set agones.image.tag=1.55.0-dev-d8ede0b

[rajanarahul93]

Thanks a lot for the review and the discussion!

Glad to hear this approach makes sense and improves the user-facing error handling.
I’m happy to keep this PR scoped to SetLabel for now, and it sounds great to track consistency improvements for other SDK server methods separately.

Let me know if you’d like me to do anything else here.

[markmandel]

whoops, never submitted this pending review.

[markmandel]

You know - I'm not against it. But it does mean this method could return a 4xx rather than a 5xx like in most (all?) other cases.

I'm almost wondering if we should create a ticket to go back and make our grpc errors proper gRPC errors. The only thing I can think it might break is manual REST implementations that expect a 500 response in some way. WDYT?

[markmandel]

Let's get this merged! Shall we also do SetAnnotation() at some point? If someone could make an issue for it, that would be ace.

/gcbrun

[agones-bot]

Build Failed 😭

Build Id: 0fdbb16c-b47c-4589-8437-791600a3155d

Status: FAILURE

• Cloud Build view
• Cloud Build log download

To get permission to view the Cloud Build view, join the agones-discuss Google Group.

[markmandel]

/gcbrun

[agones-bot]

Build Succeeded 🥳

Build Id: 067e4ff2-7025-491b-95bd-e749e7077f1f

The following development artifacts have been built, and will exist for the next 30 days:

• image: us-docker.pkg.dev/agones-images/ci/agones-controller:1.55.0-dev-77e2729
• image: us-docker.pkg.dev/agones-images/ci/agones-extensions:1.55.0-dev-77e2729
• image: us-docker.pkg.dev/agones-images/ci/agones-sdk:1.55.0-dev-77e2729-linux
• image: us-docker.pkg.dev/agones-images/ci/agones-ping:1.55.0-dev-77e2729
• image: us-docker.pkg.dev/agones-images/ci/agones-allocator:1.55.0-dev-77e2729
• image: us-docker.pkg.dev/agones-images/ci/agones-processor:1.55.0-dev-77e2729
• Linux C++ SDK (build): agonessdk-1.55.0-dev-77e2729-linux-arch_64.tar.gz
• SDK Server: agonessdk-server-1.55.0-dev-77e2729.zip

A preview of the website (the last 30 builds are retained):

• https://77e2729-dot-preview-dot-agones-images.appspot.com/

To install this version:

git fetch https://github.com/googleforgames/agones.git pull/4386/head:pr_4386 && git checkout pr_4386
helm install agones ./install/helm/agones --namespace agones-system --set agones.image.registry=us-docker.pkg.dev/agones-images/ci --set agones.image.tag=1.55.0-dev-77e2729