Hi maintainers,
While following up on #658 and #659, I noticed that Grove has several generated-resource naming paths where user-controlled names can unexpectedly consume Kubernetes name or label budgets.
The immediate issue was a generated Secret name being copied into app.kubernetes.io/name, which is limited to 63 characters. The old -initc-sa-token-secret suffix left only 41 characters for the PodCliqueSet name when used as a label value.
Grove already has an effective pod-name budget:
- standalone PodClique:
len(pcsName) + len(pclqName) <= 45
- PodClique in PCSG:
len(pcsName) + len(pcsgName) + len(pclqName) <= 45
I think it would be useful to discuss practical naming guidance before deciding whether Grove should add more admission validation.
Questions:
- Which user-controlled name components should Grove document as part of a shared generated-resource budget?
- Should Grove publish soft planning targets, instead of only hard validation formulas?
- Which generated resources need a complete naming-pattern inventory and boundary tests?
- Should admission validation enforce only proven hard limits, while docs recommend softer headroom?
Areas to include:
- PodCliqueSet name
- PodCliqueScalingGroup template name
- PodClique template name
- generated PodClique, PodCliqueScalingGroup, Pod, PodGang, Service, Role, RoleBinding, ServiceAccount, Secret, ResourceClaim, and ComputeDomain names
- generated names copied into labels such as
app.kubernetes.io/name
Suggested starting point for discussion:
- Keep
PodCliqueSet names around 24 characters when possible.
- Keep standalone PodClique template names around 12 characters.
- Keep PCSG template names around 10-14 characters.
- Keep PodClique template names inside PCSG around 8-12 characters.
- Prefer generated Pod names to stay at or below 35 characters when possible.
- Keep Auto-MNNVL group names short because ComputeDomain / RCT naming includes the PCS name, replica index, and MNNVL group name.
- Complete a generated-resource naming inventory before adding new hard validation.
This seems related to the existing naming guide, which documents Grove's hierarchical pod/resource naming patterns but does not appear to cover this ResourceClaim pod-local name budget yet:
https://github.com/ai-dynamo/grove/blob/main/docs/user-guide/02_pod-and-resource-naming-conventions/02_naming-conventions.md
Related context:
Similar Kubernetes precedents:
Expected outcome: agree on documentation guidance, identify any hard limits worth validating, and add boundary tests for generated-resource naming where appropriate.
Hi maintainers,
While following up on #658 and #659, I noticed that Grove has several generated-resource naming paths where user-controlled names can unexpectedly consume Kubernetes name or label budgets.
The immediate issue was a generated Secret name being copied into
app.kubernetes.io/name, which is limited to 63 characters. The old-initc-sa-token-secretsuffix left only 41 characters for thePodCliqueSetname when used as a label value.Grove already has an effective pod-name budget:
len(pcsName) + len(pclqName) <= 45len(pcsName) + len(pcsgName) + len(pclqName) <= 45I think it would be useful to discuss practical naming guidance before deciding whether Grove should add more admission validation.
Questions:
Areas to include:
app.kubernetes.io/nameSuggested starting point for discussion:
PodCliqueSetnames around 24 characters when possible.This seems related to the existing naming guide, which documents Grove's hierarchical pod/resource naming patterns but does not appear to cover this ResourceClaim pod-local name budget yet:
https://github.com/ai-dynamo/grove/blob/main/docs/user-guide/02_pod-and-resource-naming-conventions/02_naming-conventions.md
Related context:
Similar Kubernetes precedents:
Expected outcome: agree on documentation guidance, identify any hard limits worth validating, and add boundary tests for generated-resource naming where appropriate.