fix: reconcile selector and sandbox label drift for sandbox-owned Services

[rayowang]

Fixes #560

Summary

This change makes reconcileService repair critical drift on Services that are already owned by the Sandbox.

Previously, the controller repaired unowned Services during adoption, but skipped reconciliation for already-owned Services. As a result, an owned Service could keep a stale selector or lose the sandbox label indefinitely.

With this change, owned Services now reconcile:

• metadata.labels[agents.x-k8s.io/sandbox-name-hash]
• spec.selector

Unrelated labels are preserved, and the Service is only updated when drift is detected.

[netlify]

✅ Deploy Preview for agent-sandbox canceled.

Name	Link
🔨 Latest commit	bf25040
🔍 Latest deploy log	https://app.netlify.com/projects/agent-sandbox/deploys/69d79de51485a50008f5b664

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: rayowang
Once this PR has been reviewed and has the lgtm label, please assign barney-s for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-ci-robot]

Hi @rayowang. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Tip

We noticed you've done this a few times! Consider joining the org to skip this step and gain /lgtm and other bot rights. We recommend asking approvers on your previous PRs to sponsor you.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[codebot-robot]

Overall, this is a clean and solid fix that addresses the service drift issue nicely. The PR successfully implements the drift reconciliation for metadata.labels and spec.selector on already-owned Services, preserving unrelated user labels as intended.

I've left a few minor, non-blocking suggestions detailing some improvements that may be helpful for long-term maintainability:

• Go Standards: Consider swapping reflect.DeepEqual with the newer standard library feature maps.Equal for better performance.
• Observability: Include namespace context in the new logging statement.
• Controller best practices: A suggestion to evaluate .Patch instead of .Update to mitigate potential OptimisticLockErrors on highly-contested resources.
• Testing: Recommendations to include ClusterIP: "None" and a purely nil test fixture to bulletproof the test suite and improve robustness against fake client behavior.
• Behavior clarification: A quick confirmation regarding strict selector overwriting vs merging.

Great job explicitly handling map initializations to avoid panics. None of these block the PR.

(This review was generated by Overseer)