From 95797c4a79de4ee712d9d17a62f0446471823a71 Mon Sep 17 00:00:00 2001
From: Brad Davidson
Date: Sun, 17 Nov 2024 23:49:57 +0000
Subject: [PATCH] Refactor filterCN to use a Set instead of map[string]bool
Signed-off-by: Brad Davidson
---
 pkg/cluster/address_controller.go | 35 ++++++++++---------------------
 1 file changed, 11 insertions(+), 24 deletions(-)
diff --git a/pkg/cluster/address_controller.go b/pkg/cluster/address_controller.go
index 780942d0d3..bb73a20dea 100644
--- a/pkg/cluster/address_controller.go
+++ b/pkg/cluster/address_controller.go
@@ -8,20 +8,17 @@ import (
 controllerv1 "github.com/rancher/wrangler/v3/pkg/generated/controllers/core/v1"
 "github.com/sirupsen/logrus"
 v1 "k8s.io/api/core/v1"
+ "k8s.io/apimachinery/pkg/util/sets"
 )
 func registerAddressHandlers(ctx context.Context, c *Cluster) {
 nodes := c.config.Runtime.Core.Core().V1().Node()
 a := &addressesHandler{
 nodeController: nodes,
- allowed: map[string]bool{},
+ allowed: sets.New(c.config.SANs...),
 }
- for _, cn := range c.config.SANs {
- a.allowed[cn] = true
- }
-
- logrus.Infof("Starting dynamiclistener CN filter node controller")
+ logrus.Infof("Starting dynamiclistener CN filter node controller with SANs: %v", c.config.SANs)
 nodes.OnChange(ctx, "server-cn-filter", a.sync)
 c.cnFilterFunc = a.filterCN
 }
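Review bot: The new startup log formats the SAN list with `%v`, which prints a string slice without quotes, so an empty entry or one containing spaces cannot be told apart from its neighbours in the one line that records what the CN filter is seeded with. `%q` quotes each element: `logrus.Infof("Starting dynamiclistener CN filter node controller with SANs: %q", c.config.SANs)`. Addresses that the node handler adds later are not logged in the visible code, so this line covers only the static part of the allow-list.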
@@ -30,40 +27,30 @@ type addressesHandler struct {
 sync.RWMutex
 nodeController controllerv1.NodeController
- allowed map[string]bool
+ allowed sets.Set[string]
 }
 // filterCN filters a list of potential server CNs (hostnames or IPs), removing any which do not correspond to
 // valid cluster servers (control-plane or etcd), or an address explicitly added via the tls-san option.
 func (a *addressesHandler) filterCN(cns ...string) []string {
- if !a.nodeController.Informer().HasSynced() {
+ if len(cns) == 0 || !a.nodeController.Informer().HasSynced() {
 return cns
 }
 a.RLock()
 defer a.RUnlock()
- filteredCNs := make([]string, 0, len(cns))
- for _, cn := range cns {
- if a.allowed[cn] {
- filteredCNs = append(filteredCNs, cn)
- } else {
- logrus.Debugf("CN filter controller rejecting certificate CN: %s", cn)
- }
- }
- return filteredCNs
+ return a.allowed.Intersection(sets.New(cns...)).UnsortedList()
 }
 // sync updates the allowed address list to include addresses for the node
 func (a *addressesHandler) sync(key string, node *v1.Node) (*v1.Node, error) {
- if node != nil {
- if node.Labels[util.ControlPlaneRoleLabelKey] != "" || node.Labels[util.ETCDRoleLabelKey] != "" {
- a.Lock()
- defer a.Unlock()
+ if node != nil && (node.Labels[util.ControlPlaneRoleLabelKey] != "" || node.Labels[util.ETCDRoleLabelKey] != "") {
+ a.Lock()
+ defer a.Unlock()
- for _, address := range node.Status.Addresses {
- a.allowed[address.String()] = true
- }
+ for _, address := range node.Status.Addresses {
+ a.allowed.Insert(address.String())
 }
 }
 return node, nil
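Review bot: filterCN no longer records which CNs it drops: the removed loop logged each rejection at debug level, while the new return line discards them silently, so nothing is left to show that an unexpected name was requested for the serving certificate. The same line returns the survivors in map-iteration order with duplicates collapsed, where the old loop kept the caller's order; if a caller treats the first entry specially (not visible in this hunk), the result becomes non-deterministic. Computing the difference once restores the log, `sets.List` gives a stable sorted order, and `%q` keeps unusual characters in a requested name visible in the log line.

```go
	defer a.RUnlock()

	requested := sets.New(cns...)
	if rejected := requested.Difference(a.allowed); rejected.Len() > 0 {
		logrus.Debugf("CN filter controller rejecting certificate CNs: %q", sets.List(rejected))
	}
	return sets.List(a.allowed.Intersection(requested))
```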