fix(mapper): prevent index out of bounds in ToEndpointName with multi-dot suffix

[carterpewpew]

What does it do ?

Adds bounds checks in AffixNameMapper.ToEndpointName to prevent two index-out-of-bounds panics when a multi-dot txt-suffix (e.g. .foo.bar) is configured and DNS names have fewer labels than the suffix expects.

Motivation

ToEndpointName is called on every TXT record during Records() in both the TXT and DynamoDB registries. When using a multi-dot suffix, DNS names with fewer labels than the suffix cause slice index panics that crash the controller:

1. parts[:1+dc] panics when len(parts) <= dc
2. parts[1+dc] panics when len(parts) == 1+dc

This generalizes the single-label fix from #4885, which only guarded the zero-dot case via strings.Contains. The !strings.Contains check is replaced with proper length checks that cover all short-label cases.

More

• Yes, this PR title follows Conventional Commits
• Yes, I added unit tests
• Yes, I updated end user documentation accordingly

[k8s-ci-robot]

Hi @carterpewpew. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Tip

We noticed you've done this a few times! Consider joining the org to skip this step and gain /lgtm and other bot rights. We recommend asking approvers on your previous PRs to sponsor you.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[u-kai]

/ok-to-test

[coveralls]

Coverage Report for CI Build 26103801569

Coverage increased (+0.006%) to 80.629%

Details

• Coverage increased (+0.006%) from the base build.
• Patch coverage: No coverable lines changed in this PR.
• No coverage regressions found.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

No coverage regressions found.

---

Coverage Stats

Relevant Lines:	21424
Covered Lines:	17274
Line Coverage:	80.63%
Coverage Strength:	1449.61 hits per line

---

💛 - Coveralls

[u-kai]

Thank you for the PR!

Just to confirm my understanding: after this fix, stale TXT records created under a previous --txt-suffix with fewer dots will no longer panic — ToEndpointName returns ("", "") for them instead.

Not panicking is clearly better.
But I'm wondering if there are any negative consequences from that silent ("", "") return.
Wdyt??

[carterpewpew]

Thank you for the PR!

Just to confirm my understanding: after this fix, stale TXT records created under a previous --txt-suffix with fewer dots will no longer panic — ToEndpointName returns ("", "") for them instead.

Not panicking is clearly better. But I'm wondering if there are any negative consequences from that silent ("", "") return. Wdyt??

Thanks @u-kai for taking a look at this PR, as I see it there are no real negative consequences here. ("", "") is already what the mapper returns for any record it can't parse (e.g. no affix match), so the callers already handle this path. The empty key just won't match any real endpoint, meaning the stale TXT record is effectively ignored. In the DynamoDB registry it actually gets picked up by the cleanup loop. I am happy to add a debug log for these cases in a follow-up if that'd be useful for operator visibility.

[ivankatliarchuk]

I knows it was there before, could you change the case to Go convention. Should be dnsName

[carterpewpew]

Addressed, renamed to parts (took inspiration from your code suggestion 😄).

[ivankatliarchuk]

There is no direct test case for the full path with trailing labels - e.g., a-example.foo.bar.com with suffix .foo.bar should return ("example.com", "A"). The TestToEndpointNameNewTXT round-trip test for "suffix with multiple dots" covers a 3-dot suffix case indirectly, but adding an explicit assertion for trailing labels with a 2-dot suffix would close the gap and document the expected behavior.

[carterpewpew]

You're right, that was an oversight on my part. Added an explicit test for a-example.foo.bar.com with suffix .foo.bar expecting ("example.com", "A").

[ivankatliarchuk]

I could be wrong here. The early-exit guard calling dropAffixExtractType(lowerDNSName) when there are too few labels is fine, but it's misleading - the name can't possibly match the suffix at that point, so it always returns ("", ""). Being explicit is cleaner. Also, domainWithSuffix can be inlined:

if a.isSuffix() {
      dc := strings.Count(a.suffix, ".")
      parts := strings.SplitN(lowerDNSName, ".", 2+dc)
      if len(parts) <= dc {
          log.Debugf("skipping TXT record %q: too few labels for suffix %q", dns, a.suffix)
          return "", ""
      }
      r, rType := a.dropAffixExtractType(strings.Join(parts[:1+dc], "."))
      if len(parts) <= 1+dc {
          return r, rType
      }
      return r + "." + parts[1+dc], rType
  }

^ Same algorithm, no slightly misleading fallthrough call, no intermediate variable. The parts name is also more conventional than DNSName in Go.

[carterpewpew]

I have addressed this as well in the latest commit

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from ivankatliarchuk. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[carterpewpew]

Thank you @ivankatliarchuk for the insights and suggestions, I have addressed all of them, PTAL