fix: escape the shadowpod creator label

When a token of a service account is used as identity for a virtual
node, the creation of a shadowpod fails due to the
`liqo.io/creator-user` which contains a string like the following, when
the token of a SA is used:
"system:serviceaccount:liqo-tenant-cl01:user01". This PR make sure
that the string is escaped before being written in the label field.

Author: claudiolor

pkg/utils/getters/k8sGetters.go

@@ -41,6 +41,7 @@ import (
 	offloadingv1beta1 "github.com/liqotech/liqo/apis/offloading/v1beta1"
 	"github.com/liqotech/liqo/pkg/consts"
 	liqolabels "github.com/liqotech/liqo/pkg/utils/labels"
+	"github.com/liqotech/liqo/pkg/utils/resource"
 	vkforge "github.com/liqotech/liqo/pkg/vkMachinery/forge"
 )
 
@@ -463,7 +464,7 @@ func GetKubeconfigSecretFromIdentity(ctx context.Context, cl client.Client, iden
 // ListShadowPodsByCreator returns the list of ShadowPods created by the given user.
 func ListShadowPodsByCreator(ctx context.Context, cl client.Client, creator string) (*offloadingv1beta1.ShadowPodList, error) {
 	list := new(offloadingv1beta1.ShadowPodList)
-	if err := cl.List(ctx, list, client.MatchingLabels{consts.CreatorLabelKey: creator}); err != nil {
+	if err := cl.List(ctx, list, client.MatchingLabels{consts.CreatorLabelKey: resource.EscapeLabel(creator)}); err != nil {
 		return nil, err
 	}
 	return list, nil
@@ -479,7 +480,7 @@ func GetQuotaByUser(ctx context.Context, cl client.Client,
 	}
 
 	for i := range quotas.Items {
-		if quotas.Items[i].Spec.User == user {
+		if resource.EscapeLabel(quotas.Items[i].Spec.User) == user {
 			return &quotas.Items[i], nil
 		}
 	}

pkg/utils/resource/labels.go

@@ -16,13 +16,15 @@ package resource
 
 import (
 	"maps"
+	"regexp"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 var (
 	// globalLabels stores the global labels that should be added to all resources.
-	globalLabels = make(map[string]string)
+	globalLabels     = make(map[string]string)
+	regexLabelEscape = regexp.MustCompile(`[^\w\-\.]`)
 )
 
 // SetGlobalLabels sets the global labels that should be added to all resources.
@@ -47,3 +49,8 @@ func AddGlobalLabels(obj metav1.Object) {
 	}
 	maps.Copy(obj.GetLabels(), globalLabels)
 }
+
+// EscapeLabel escapes a label value so that it is compliant.
+func EscapeLabel(val string) string {
+	return regexLabelEscape.ReplaceAllString(val, "-")
+}

pkg/webhooks/shadowpod/webhook.go

@@ -33,6 +33,7 @@ import (
 	"github.com/liqotech/liqo/pkg/consts"
 	"github.com/liqotech/liqo/pkg/utils/getters"
 	pod "github.com/liqotech/liqo/pkg/utils/pod"
+	"github.com/liqotech/liqo/pkg/utils/resource"
 	"github.com/liqotech/liqo/pkg/virtualKubelet/forge"
 )
 
@@ -296,7 +297,7 @@ func (spm *Mutator) HandleCreate(req *admission.Request) admission.Response {
 	if sp.Labels == nil {
 		sp.Labels = map[string]string{}
 	}
-	sp.Labels[consts.CreatorLabelKey] = creatorName
+	sp.Labels[consts.CreatorLabelKey] = resource.EscapeLabel(creatorName)
 
 	marshaledShadowPod, err := json.Marshal(sp)
 	if err != nil {
@@ -333,14 +334,14 @@ func (spm *Mutator) HandleUpdate(req *admission.Request) admission.Response {
 		return admission.Denied(err.Error())
 	}
 
-	if oldCreatorName != creatorName {
+	if oldCreatorName != resource.EscapeLabel(creatorName) {
 		return admission.Denied("creator name cannot be modified")
 	}
 
 	if sp.Labels == nil {
 		sp.Labels = map[string]string{}
 	}
-	sp.Labels[consts.CreatorLabelKey] = creatorName
+	sp.Labels[consts.CreatorLabelKey] = resource.EscapeLabel(creatorName)
 
 	marshaledShadowPod, err := json.Marshal(sp)
 	if err != nil {