fix comments

Author: jwtty

pkg/utils/azure.go

@@ -0,0 +1,51 @@
+/*
+Copyright 2025 The KubeFleet Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package utils
+
+import (
+	"slices"
+
+	authenticationv1 "k8s.io/api/authentication/v1"
+)
+
+// This file contains constants and utility functions related to Azure-specific logic.
+// We define these in a separate file to avoid potential merge conflicts from the KubeFleet repository when backporting changes.
+const (
+	// ReconcileLabelKey is the label key added to resources that should be reconciled.
+	// The value indicates the reason the resource should be reconciled.
+	ReconcileLabelKey = "fleet.azure.com/reconcile"
+	// ReconcileLabelValue is the label value paired with ReconcileLabelKey,
+	// indicating the resource is managed and should be reconciled.
+	ReconcileLabelValue = "managed"
+
+	// AKSServiceUserName is the username whose deployment requests should be mutated.
+	AKSServiceUserName = "aksService"
+	// SystemMastersGroup is the Kubernetes group representing cluster administrators.
+	SystemMastersGroup = "system:masters"
+)
+
+// IsAKSService reports whether the user is the aksService user with
+// system:masters group membership.
+func IsAKSService(userInfo authenticationv1.UserInfo) bool {
+	return userInfo.Username == AKSServiceUserName && slices.Contains(userInfo.Groups, SystemMastersGroup)
+}
+
+// HasReconcileLabel reports whether the given labels contain the fleet reconcile
+// label key with a non-empty value.
+func HasReconcileLabel(labels map[string]string) bool {
+	return labels[ReconcileLabelKey] != ""
+}

pkg/utils/common.go

@@ -60,13 +60,6 @@ const (
 	MutatingPathFmt            = "/mutate-%s-%s-%s"
 	lessGroupsStringFormat     = "groups: %v"
 	moreGroupsStringFormat     = "groups: [%s, %s, %s,......]"
-
-	// ReconcileLabelKey is the label key added to resources that should be reconciled.
-	// The value indicates the reason the resource should be reconciled.
-	ReconcileLabelKey = "fleet.azure.com/reconcile"
-	// ReconcileLabelValue is the label value paired with ReconcileLabelKey,
-	// indicating the resource is managed and should be reconciled.
-	ReconcileLabelValue = "managed"
 )
 
 const (
@@ -511,12 +504,6 @@ func IsReservedNamespace(namespace string) bool {
 	return strings.HasPrefix(namespace, fleetPrefix) || strings.HasPrefix(namespace, kubePrefix)
 }
 
-// HasReconcileLabel reports whether the given labels contain the fleet reconcile
-// label key with a non-empty value.
-func HasReconcileLabel(labels map[string]string) bool {
-	return labels[ReconcileLabelKey] != ""
-}
-
 // IsFleetMemberNamespace indicates if an argued namespace is a fleet member namespace.
 func IsFleetMemberNamespace(namespace string) bool {
 	return strings.HasPrefix(namespace, fleetMemberNamespacePrefix)

…eployment/deployment_mutating_webhook.go …g/webhook/deployment/mutating_webhook.gopkg/webhook/deployment/deployment_mutating_webhook.go renamed to pkg/webhook/deployment/mutating_webhook.go pkg/webhook/deployment/deployment_mutating_webhook.go renamed to pkg/webhook/deployment/mutating_webhook.go

@@ -58,7 +58,7 @@ func (m *deploymentMutator) Handle(_ context.Context, req admission.Request) adm
 
 	// Only mutate when the request was made by the aksService user with
 	// system:masters group membership.
-	if !isAKSService(req.UserInfo) {
+	if !utils.IsAKSService(req.UserInfo) {
 		return admission.Allowed("user is not aksService, no mutation needed")
 	}
 

…ment/deployment_mutating_webhook_test.go …hook/deployment/mutating_webhook_test.gopkg/webhook/deployment/deployment_mutating_webhook_test.go renamed to pkg/webhook/deployment/mutating_webhook_test.go pkg/webhook/deployment/deployment_mutating_webhook_test.go renamed to pkg/webhook/deployment/mutating_webhook_test.go

@@ -58,18 +58,18 @@ func TestHandle(t *testing.T) {
 	decoder := admission.NewDecoder(scheme)
 
 	aksServiceUser := authenticationv1.UserInfo{
-		Username: AKSServiceUserName,
-		Groups:   []string{SystemMastersGroup},
+		Username: utils.AKSServiceUserName,
+		Groups:   []string{utils.SystemMastersGroup},
 	}
 
 	aksServiceUserNoMasters := authenticationv1.UserInfo{
-		Username: AKSServiceUserName,
+		Username: utils.AKSServiceUserName,
 		Groups:   []string{"system:authenticated"},
 	}
 
 	regularUser := authenticationv1.UserInfo{
 		Username: "regular-user",
-		Groups:   []string{SystemMastersGroup, "system:authenticated"},
+		Groups:   []string{utils.SystemMastersGroup, "system:authenticated"},
 	}
 
 	// Deployment with no existing labels.

…loyment/deployment_validating_webhook.go …webhook/deployment/validating_webhook.gopkg/webhook/deployment/deployment_validating_webhook.go renamed to pkg/webhook/deployment/validating_webhook.go pkg/webhook/deployment/deployment_validating_webhook.go renamed to pkg/webhook/deployment/validating_webhook.go

@@ -25,11 +25,9 @@ import (
 	"context"
 	"fmt"
 	"net/http"
-	"slices"
 
 	admissionv1 "k8s.io/api/admission/v1"
 	appsv1 "k8s.io/api/apps/v1"
-	authenticationv1 "k8s.io/api/authentication/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/klog/v2"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
@@ -41,12 +39,6 @@ import (
 
 const (
 	deniedReconcileLabelFmt = "the %s label is reserved for aksService and cannot be set by user %q"
-
-	// AKSServiceUserName is the username whose deployment requests should be mutated.
-	AKSServiceUserName = "aksService"
-
-	// SystemMastersGroup is the Kubernetes group representing cluster administrators.
-	SystemMastersGroup = "system:masters"
 )
 
 // ValidationPath is the webhook service path for validating Deployment resources.
@@ -91,7 +83,7 @@ func (v *deploymentValidator) Handle(_ context.Context, req admission.Request) a
 
 	// The reconcile label is present — only aksService with system:masters is
 	// allowed to set it.
-	if isAKSService(req.UserInfo) {
+	if utils.IsAKSService(req.UserInfo) {
 		klog.V(2).InfoS("aksService user allowed to set reconcile label",
 			"namespacedName", namespacedName)
 		return admission.Allowed("aksService user is allowed to set the reconcile label")
@@ -101,9 +93,3 @@ func (v *deploymentValidator) Handle(_ context.Context, req admission.Request) a
 		"user", req.UserInfo.Username, "groups", req.UserInfo.Groups, "namespacedName", namespacedName)
 	return admission.Denied(fmt.Sprintf(deniedReconcileLabelFmt, utils.ReconcileLabelKey, req.UserInfo.Username))
 }
-
-// isAKSService reports whether the user is the aksService user with
-// system:masters group membership.
-func isAKSService(userInfo authenticationv1.UserInfo) bool {
-	return userInfo.Username == AKSServiceUserName && slices.Contains(userInfo.Groups, SystemMastersGroup)
-}

…nt/deployment_validating_webhook_test.go …ok/deployment/validating_webhook_test.gopkg/webhook/deployment/deployment_validating_webhook_test.go renamed to pkg/webhook/deployment/validating_webhook_test.go pkg/webhook/deployment/deployment_validating_webhook_test.go renamed to pkg/webhook/deployment/validating_webhook_test.go

@@ -51,12 +51,12 @@ func TestValidatingHandle(t *testing.T) {
 	decoder := admission.NewDecoder(scheme)
 
 	aksServiceUser := authenticationv1.UserInfo{
-		Username: AKSServiceUserName,
-		Groups:   []string{SystemMastersGroup},
+		Username: utils.AKSServiceUserName,
+		Groups:   []string{utils.SystemMastersGroup},
 	}
 
 	aksServiceUserNoMasters := authenticationv1.UserInfo{
-		Username: AKSServiceUserName,
+		Username: utils.AKSServiceUserName,
 		Groups:   []string{"system:authenticated"},
 	}
 
@@ -67,7 +67,7 @@ func TestValidatingHandle(t *testing.T) {
 
 	regularUserWithMasters := authenticationv1.UserInfo{
 		Username: "regular-user",
-		Groups:   []string{SystemMastersGroup, "system:authenticated"},
+		Groups:   []string{utils.SystemMastersGroup, "system:authenticated"},
 	}
 
 	// Deployment without the reconcile label.
@@ -357,51 +357,51 @@ func TestIsAKSService(t *testing.T) {
 	}{
 		"aksService with system:masters": {
 			userInfo: authenticationv1.UserInfo{
-				Username: AKSServiceUserName,
-				Groups:   []string{SystemMastersGroup},
+				Username: utils.AKSServiceUserName,
+				Groups:   []string{utils.SystemMastersGroup},
 			},
 			want: true,
 		},
 		"aksService with system:masters and other groups": {
 			userInfo: authenticationv1.UserInfo{
-				Username: AKSServiceUserName,
-				Groups:   []string{"system:authenticated", SystemMastersGroup, "custom-group"},
+				Username: utils.AKSServiceUserName,
+				Groups:   []string{"system:authenticated", utils.SystemMastersGroup, "custom-group"},
 			},
 			want: true,
 		},
 		"aksService without system:masters": {
 			userInfo: authenticationv1.UserInfo{
-				Username: AKSServiceUserName,
+				Username: utils.AKSServiceUserName,
 				Groups:   []string{"system:authenticated"},
 			},
 			want: false,
 		},
 		"aksService with empty groups": {
 			userInfo: authenticationv1.UserInfo{
-				Username: AKSServiceUserName,
+				Username: utils.AKSServiceUserName,
 				Groups:   []string{},
 			},
 			want: false,
 		},
 		"regular user with system:masters": {
 			userInfo: authenticationv1.UserInfo{
 				Username: "regular-user",
-				Groups:   []string{SystemMastersGroup},
+				Groups:   []string{utils.SystemMastersGroup},
 			},
 			want: false,
 		},
 		"empty username with system:masters": {
 			userInfo: authenticationv1.UserInfo{
 				Username: "",
-				Groups:   []string{SystemMastersGroup},
+				Groups:   []string{utils.SystemMastersGroup},
 			},
 			want: false,
 		},
 	}
 
 	for testName, tc := range testCases {
 		t.Run(testName, func(t *testing.T) {
-			got := isAKSService(tc.userInfo)
+			got := utils.IsAKSService(tc.userInfo)
 			if got != tc.want {
 				t.Errorf("isAKSService(%+v) = %v, want %v", tc.userInfo, got, tc.want)
 			}