jumpstarter-dev · bennyz · Apr 19, 2026 · Apr 19, 2026 · Apr 19, 2026 · Apr 19, 2026
diff --git a/.github/workflows/python-tests.yaml b/.github/workflows/python-tests.yaml
@@ -131,7 +131,7 @@ jobs:
               echo "::error::No coverage.xml files found"
               exit 1
             fi
-            uv run diff-cover $coverage_files --compare-branch=origin/${{ github.base_ref }} --fail-under=80
+            uv run diff-cover $coverage_files --compare-branch=origin/${{ github.base_ref }} --fail-under=80 --exclude '*_pb2.py' '*_pb2_grpc.py'
 
   # https://github.com/orgs/community/discussions/26822
   pytest:

diff --git a/controller/api/v1alpha1/lease_helpers.go b/controller/api/v1alpha1/lease_helpers.go
@@ -3,6 +3,7 @@ package v1alpha1
 import (
 	"context"
 	"fmt"
+	"strings"
 	"time"
 
 	cpb "github.com/jumpstarter-dev/jumpstarter-controller/internal/protocol/jumpstarter/client/v1"
@@ -16,6 +17,7 @@ import (
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/selection"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/validation"
 	"k8s.io/utils/ptr"
 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/log"
@@ -169,6 +171,26 @@ func ParseLabelSelector(selectorStr string) (*metav1.LabelSelector, error) {
 	}, nil
 }
 
+// ValidateLeaseTags validates user-defined lease tags against the given maxTags limit.
+func ValidateLeaseTags(tags map[string]string, maxTags int) error {
+	if len(tags) > maxTags {
+		return fmt.Errorf("too many tags: %d (maximum %d)", len(tags), maxTags)
+	}
+	for k, v := range tags {
+		if strings.HasPrefix(k, LeaseTagMetadataPrefix) || strings.HasPrefix(k, "jumpstarter.dev/") {
+			return fmt.Errorf("tag key %q must not use reserved prefix", k)
+		}
+		prefixedKey := LeaseTagMetadataPrefix + k
+		if errs := validation.IsQualifiedName(prefixedKey); len(errs) > 0 {
+			return fmt.Errorf("tag key %q is not a valid label key: %s", k, strings.Join(errs, "; "))
+		}
+		if errs := validation.IsValidLabelValue(v); len(errs) > 0 {
+			return fmt.Errorf("tag value for key %q is not a valid label value: %s", k, strings.Join(errs, "; "))
+		}
+	}
+	return nil
+}
+
 func LeaseFromProtobuf(
 	req *cpb.Lease,
 	key types.NamespacedName,
@@ -195,16 +217,38 @@ func LeaseFromProtobuf(
 		return nil, err
 	}
 
+	// Build ObjectMeta labels: start with selector matchLabels (excluding reserved prefix), then add prefixed user tags
+	metaLabels := make(map[string]string)
+	for k, v := range selector.MatchLabels {
+		if strings.HasPrefix(k, LeaseTagMetadataPrefix) {
+			continue
+		}
+		metaLabels[k] = v
+	}
+	for k, v := range req.Tags {
+		metaLabels[LeaseTagMetadataPrefix+k] = v
+	}
+
+	// Store user tags in spec (without prefix)
+	var specTags map[string]string
+	if len(req.Tags) > 0 {
+		specTags = make(map[string]string, len(req.Tags))
+		for k, v := range req.Tags {
+			specTags[k] = v
+		}
+	}
+
 	return &Lease{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: key.Namespace,
 			Name:      key.Name,
-			Labels:    selector.MatchLabels,
+			Labels:    metaLabels,
 		},
 		Spec: LeaseSpec{
 			ClientRef: clientRef,
 			Duration:  duration,
 			Selector:  *selector,
+			Tags:      specTags,
 			ExporterRef: func() *corev1.LocalObjectReference {
 				if req.ExporterName == nil || *req.ExporterName == "" {
 					return nil
@@ -238,6 +282,7 @@ func (l *Lease) ToProtobuf() *cpb.Lease {
 		Selector:   metav1.FormatLabelSelector(&l.Spec.Selector),
 		Client:     ptr.To(fmt.Sprintf("namespaces/%s/clients/%s", l.Namespace, l.Spec.ClientRef.Name)),
 		Conditions: conditions,
+		Tags:       l.Spec.Tags,
 	}
 	if l.Spec.ExporterRef != nil {
 		lease.ExporterName = ptr.To(l.Spec.ExporterRef.Name)

diff --git a/controller/api/v1alpha1/lease_helpers_test.go b/controller/api/v1alpha1/lease_helpers_test.go
@@ -17,6 +17,8 @@ limitations under the License.
 package v1alpha1
 
 import (
+	"fmt"
+	"strings"
 	"testing"
 	"time"
 
@@ -331,5 +333,183 @@ var _ = Describe("LeaseFromProtobuf", func() {
 			Expect(lease.Spec.ExporterRef).NotTo(BeNil())
 			Expect(lease.Spec.ExporterRef.Name).To(Equal(exporterName))
 		})
+
+		It("should store tags in spec and prefix them in ObjectMeta labels", func() {
+			pbLease := &cpb.Lease{
+				Selector: "board=rpi4",
+				Duration: durationpb.New(time.Hour),
+				Tags: map[string]string{
+					"team":   "devops",
+					"ci-job": "12345",
+				},
+			}
+			key := types.NamespacedName{Name: "test-lease", Namespace: "default"}
+			clientRef := corev1.LocalObjectReference{Name: "test-client"}
+
+			lease, err := LeaseFromProtobuf(pbLease, key, clientRef)
+
+			Expect(err).NotTo(HaveOccurred())
+			// Tags in spec (unprefixed)
+			Expect(lease.Spec.Tags).To(HaveKeyWithValue("team", "devops"))
+			Expect(lease.Spec.Tags).To(HaveKeyWithValue("ci-job", "12345"))
+			// Tags in ObjectMeta.Labels (prefixed)
+			Expect(lease.Labels).To(HaveKeyWithValue("metadata.jumpstarter.dev/team", "devops"))
+			Expect(lease.Labels).To(HaveKeyWithValue("metadata.jumpstarter.dev/ci-job", "12345"))
+			// Selector matchLabels still present
+			Expect(lease.Labels).To(HaveKeyWithValue("board", "rpi4"))
+		})
+
+		It("should handle lease with no tags", func() {
+			pbLease := &cpb.Lease{
+				Selector: "board=rpi4",
+				Duration: durationpb.New(time.Hour),
+			}
+			key := types.NamespacedName{Name: "test-lease", Namespace: "default"}
+			clientRef := corev1.LocalObjectReference{Name: "test-client"}
+
+			lease, err := LeaseFromProtobuf(pbLease, key, clientRef)
+
+			Expect(err).NotTo(HaveOccurred())
+			Expect(lease.Spec.Tags).To(BeNil())
+			// Only selector matchLabels in ObjectMeta
+			Expect(lease.Labels).To(HaveKeyWithValue("board", "rpi4"))
+		})
+	})
+})
+
+var _ = Describe("ValidateLeaseTags", func() {
+	It("should accept empty tags", func() {
+		Expect(ValidateLeaseTags(nil, 10)).To(Succeed())
+		Expect(ValidateLeaseTags(map[string]string{}, 10)).To(Succeed())
+	})
+
+	It("should accept valid tags", func() {
+		tags := map[string]string{
+			"team":   "devops",
+			"ci-job": "12345",
+			"env":    "staging",
+		}
+		Expect(ValidateLeaseTags(tags, 10)).To(Succeed())
+	})
+
+	It("should reject more than 10 tags", func() {
+		tags := make(map[string]string)
+		for i := 0; i < 11; i++ {
+			tags[fmt.Sprintf("key%d", i)] = "value"
+		}
+		err := ValidateLeaseTags(tags, 10)
+		Expect(err).To(HaveOccurred())
+		Expect(err.Error()).To(ContainSubstring("too many tags"))
+	})
+
+	It("should reject tag key longer than 63 chars", func() {
+		tags := map[string]string{
+			strings.Repeat("a", 64): "value",
+		}
+		err := ValidateLeaseTags(tags, 10)
+		Expect(err).To(HaveOccurred())
+		Expect(err.Error()).To(ContainSubstring("tag key"))
+		Expect(err.Error()).To(ContainSubstring("not a valid label key"))
+	})
+
+	It("should reject tag value longer than 63 chars", func() {
+		tags := map[string]string{
+			"key": strings.Repeat("v", 64),
+		}
+		err := ValidateLeaseTags(tags, 10)
+		Expect(err).To(HaveOccurred())
+		Expect(err.Error()).To(ContainSubstring("tag value"))
+		Expect(err.Error()).To(ContainSubstring("not a valid label value"))
+	})
+
+	It("should reject invalid label key characters", func() {
+		tags := map[string]string{
+			"invalid key!": "value",
+		}
+		err := ValidateLeaseTags(tags, 10)
+		Expect(err).To(HaveOccurred())
+		Expect(err.Error()).To(ContainSubstring("not a valid label key"))
+	})
+
+	It("should reject invalid label value characters", func() {
+		tags := map[string]string{
+			"key": "invalid value!",
+		}
+		err := ValidateLeaseTags(tags, 10)
+		Expect(err).To(HaveOccurred())
+		Expect(err.Error()).To(ContainSubstring("not a valid label value"))
+	})
+
+	It("should reject reserved prefix jumpstarter.dev/", func() {
+		tags := map[string]string{
+			"jumpstarter.dev/custom": "value",
+		}
+		err := ValidateLeaseTags(tags, 10)
+		Expect(err).To(HaveOccurred())
+		Expect(err.Error()).To(ContainSubstring("reserved prefix"))
+	})
+
+	It("should reject reserved prefix metadata.jumpstarter.dev/", func() {
+		tags := map[string]string{
+			"metadata.jumpstarter.dev/team": "value",
+		}
+		err := ValidateLeaseTags(tags, 10)
+		Expect(err).To(HaveOccurred())
+		Expect(err.Error()).To(ContainSubstring("reserved prefix"))
+	})
+
+	It("should accept exactly 10 tags", func() {
+		tags := make(map[string]string)
+		for i := 0; i < 10; i++ {
+			tags[fmt.Sprintf("key%d", i)] = "value"
+		}
+		Expect(ValidateLeaseTags(tags, 10)).To(Succeed())
+	})
+
+	It("should accept key and value of exactly 63 chars", func() {
+		tags := map[string]string{
+			strings.Repeat("k", 63): strings.Repeat("v", 63),
+		}
+		Expect(ValidateLeaseTags(tags, 10)).To(Succeed())
+	})
+})
+
+var _ = Describe("Lease.ToProtobuf", func() {
+	It("should include tags in protobuf output", func() {
+		lease := &Lease{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "test-lease",
+				Namespace: "default",
+			},
+			Spec: LeaseSpec{
+				ClientRef: corev1.LocalObjectReference{Name: "test-client"},
+				Duration:  &metav1.Duration{Duration: time.Hour},
+				Selector:  metav1.LabelSelector{MatchLabels: map[string]string{"board": "rpi4"}},
+				Tags:      map[string]string{"team": "devops", "ci-job": "12345"},
+			},
+		}
+
+		pb := lease.ToProtobuf()
+
+		Expect(pb.Tags).To(HaveKeyWithValue("team", "devops"))
+		Expect(pb.Tags).To(HaveKeyWithValue("ci-job", "12345"))
+	})
+
+	It("should handle nil tags", func() {
+		lease := &Lease{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "test-lease",
+				Namespace: "default",
+			},
+			Spec: LeaseSpec{
+				ClientRef: corev1.LocalObjectReference{Name: "test-client"},
+				Duration:  &metav1.Duration{Duration: time.Hour},
+				Selector:  metav1.LabelSelector{MatchLabels: map[string]string{"board": "rpi4"}},
+			},
+		}
+
+		pb := lease.ToProtobuf()
+
+		Expect(pb.Tags).To(BeEmpty())
 	})
 })
diff --git a/controller/api/v1alpha1/lease_types.go b/controller/api/v1alpha1/lease_types.go
@@ -35,6 +35,10 @@ type LeaseSpec struct {
 	Selector metav1.LabelSelector `json:"selector"`
 	// Optionally pin this lease to a specific exporter name.
 	ExporterRef *corev1.LocalObjectReference `json:"exporterRef,omitempty"`
+	// User-defined tags for the lease. Immutable after creation.
+	// Maximum 10 entries. Keys and values must conform to Kubernetes label rules.
+	// +kubebuilder:validation:MaxProperties=10
+	Tags map[string]string `json:"tags,omitempty"`
-	// User-defined tags for the lease. Immutable after creation.
-	// Maximum 10 entries. Keys and values must conform to Kubernetes label rules.
-	// +kubebuilder:validation:MaxProperties=10
-	Tags map[string]string `json:"tags,omitempty"`
+	// User-defined tags for the lease. Immutable after creation.
+	// Maximum 10 entries. Keys and values must conform to Kubernetes label rules.
+	// +kubebuilder:validation:MaxProperties=10
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="lease tags are immutable"
+	Tags map[string]string `json:"tags,omitempty"`
-	// User-defined tags for the lease. Immutable after creation.
-	// Maximum 10 entries. Keys and values must conform to Kubernetes label rules.
-	// +kubebuilder:validation:MaxProperties=10
-	Tags map[string]string `json:"tags,omitempty"`
+	// User-defined tags for the lease. Immutable after creation.
+	// Maximum 10 entries. Keys and values must conform to Kubernetes label rules.
+	// +kubebuilder:validation:MaxProperties=10
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="lease tags are immutable"
+	Tags map[string]string `json:"tags,omitempty"`
 	// The release flag requests the controller to end the lease now
 	Release bool `json:"release,omitempty"`
 	// Requested start time. If omitted, lease starts when exporter is acquired.
@@ -70,8 +74,9 @@ const (
 type LeaseLabel string
 
 const (
-	LeaseLabelEnded      LeaseLabel = "jumpstarter.dev/lease-ended"
-	LeaseLabelEndedValue string     = "true"
+	LeaseLabelEnded        LeaseLabel = "jumpstarter.dev/lease-ended"
+	LeaseLabelEndedValue   string     = "true"
+	LeaseTagMetadataPrefix string     = "metadata.jumpstarter.dev/"
 )
 
 // +kubebuilder:object:root=true

diff --git a/controller/api/v1alpha1/zz_generated.deepcopy.go b/controller/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/controller/cmd/main.go b/controller/cmd/main.go
@@ -219,7 +219,7 @@ func main() {
 		os.Exit(1)
 	}
 
-	authenticator, prefix, router, option, provisioning, err := config.LoadConfiguration(
+	authenticator, prefix, router, option, provisioning, leasePolicy, err := config.LoadConfiguration(
 		context.Background(),
 		mgr.GetAPIReader(),
 		mgr.GetScheme(),
@@ -283,6 +283,7 @@ func main() {
 		}),
 		Router:        router,
 		ServerOptions: option,
+		LeasePolicy:   leasePolicy,
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create service", "service", "Controller")
 		os.Exit(1)

diff --git a/...elm/jumpstarter/charts/jumpstarter-controller/templates/crds/jumpstarter.dev_clients.yaml b/...elm/jumpstarter/charts/jumpstarter-controller/templates/crds/jumpstarter.dev_clients.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.3
+    controller-gen.kubebuilder.io/version: v0.18.0
   name: clients.jumpstarter.dev
 spec:
   group: jumpstarter.dev

diff --git a/.../charts/jumpstarter-controller/templates/crds/jumpstarter.dev_exporteraccesspolicies.yaml b/.../charts/jumpstarter-controller/templates/crds/jumpstarter.dev_exporteraccesspolicies.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.3
+    controller-gen.kubebuilder.io/version: v0.18.0
   name: exporteraccesspolicies.jumpstarter.dev
 spec:
   group: jumpstarter.dev

diff --git a/...m/jumpstarter/charts/jumpstarter-controller/templates/crds/jumpstarter.dev_exporters.yaml b/...m/jumpstarter/charts/jumpstarter-controller/templates/crds/jumpstarter.dev_exporters.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.3
+    controller-gen.kubebuilder.io/version: v0.18.0
   name: exporters.jumpstarter.dev
 spec:
   group: jumpstarter.dev