mirror of https://github.com/k3s-io/k3s
Refactor filterCN to use a Set instead of map[string]bool
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>pull/11430/head
parent
67fd5fa9e5
commit
95797c4a79
@ -8,20 +8,17 @@ import (
|
||||||
controllerv1 "github.com/rancher/wrangler/v3/pkg/generated/controllers/core/v1"
|
controllerv1 "github.com/rancher/wrangler/v3/pkg/generated/controllers/core/v1"
|
||||||
"github.com/sirupsen/logrus"
|
"github.com/sirupsen/logrus"
|
||||||
v1 "k8s.io/api/core/v1"
|
v1 "k8s.io/api/core/v1"
|
||||||
|
"k8s.io/apimachinery/pkg/util/sets"
|
||||||
)
|
)
|
||||||
|
|
||||||
func registerAddressHandlers(ctx context.Context, c *Cluster) {
|
func registerAddressHandlers(ctx context.Context, c *Cluster) {
|
||||||
nodes := c.config.Runtime.Core.Core().V1().Node()
|
nodes := c.config.Runtime.Core.Core().V1().Node()
|
||||||
a := &addressesHandler{
|
a := &addressesHandler{
|
||||||
nodeController: nodes,
|
nodeController: nodes,
|
||||||
allowed: map[string]bool{},
|
allowed: sets.New(c.config.SANs...),
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, cn := range c.config.SANs {
|
logrus.Infof("Starting dynamiclistener CN filter node controller with SANs: %v", c.config.SANs)
|
||||||
a.allowed[cn] = true
|
|
||||||
}
|
|
||||||
|
|
||||||
logrus.Infof("Starting dynamiclistener CN filter node controller")
|
|
||||||
nodes.OnChange(ctx, "server-cn-filter", a.sync)
|
nodes.OnChange(ctx, "server-cn-filter", a.sync)
|
||||||
c.cnFilterFunc = a.filterCN
|
c.cnFilterFunc = a.filterCN
|
||||||
}
|
}
|
||||||
|
@ -30,40 +27,30 @@ type addressesHandler struct {
|
||||||
sync.RWMutex
|
sync.RWMutex
|
||||||
|
|
||||||
nodeController controllerv1.NodeController
|
nodeController controllerv1.NodeController
|
||||||
allowed map[string]bool
|
allowed sets.Set[string]
|
||||||
}
|
}
|
||||||
|
|
||||||
// filterCN filters a list of potential server CNs (hostnames or IPs), removing any which do not correspond to
|
// filterCN filters a list of potential server CNs (hostnames or IPs), removing any which do not correspond to
|
||||||
// valid cluster servers (control-plane or etcd), or an address explicitly added via the tls-san option.
|
// valid cluster servers (control-plane or etcd), or an address explicitly added via the tls-san option.
|
||||||
func (a *addressesHandler) filterCN(cns ...string) []string {
|
func (a *addressesHandler) filterCN(cns ...string) []string {
|
||||||
if !a.nodeController.Informer().HasSynced() {
|
if len(cns) == 0 || !a.nodeController.Informer().HasSynced() {
|
||||||
return cns
|
return cns
|
||||||
}
|
}
|
||||||
|
|
||||||
a.RLock()
|
a.RLock()
|
||||||
defer a.RUnlock()
|
defer a.RUnlock()
|
||||||
|
|
||||||
filteredCNs := make([]string, 0, len(cns))
|
return a.allowed.Intersection(sets.New(cns...)).UnsortedList()
|
||||||
for _, cn := range cns {
|
|
||||||
if a.allowed[cn] {
|
|
||||||
filteredCNs = append(filteredCNs, cn)
|
|
||||||
} else {
|
|
||||||
logrus.Debugf("CN filter controller rejecting certificate CN: %s", cn)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return filteredCNs
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// sync updates the allowed address list to include addresses for the node
|
// sync updates the allowed address list to include addresses for the node
|
||||||
func (a *addressesHandler) sync(key string, node *v1.Node) (*v1.Node, error) {
|
func (a *addressesHandler) sync(key string, node *v1.Node) (*v1.Node, error) {
|
||||||
if node != nil {
|
if node != nil && (node.Labels[util.ControlPlaneRoleLabelKey] != "" || node.Labels[util.ETCDRoleLabelKey] != "") {
|
||||||
if node.Labels[util.ControlPlaneRoleLabelKey] != "" || node.Labels[util.ETCDRoleLabelKey] != "" {
|
a.Lock()
|
||||||
a.Lock()
|
defer a.Unlock()
|
||||||
defer a.Unlock()
|
|
||||||
|
|
||||||
for _, address := range node.Status.Addresses {
|
for _, address := range node.Status.Addresses {
|
||||||
a.allowed[address.String()] = true
|
a.allowed.Insert(address.String())
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return node, nil
|
return node, nil
|
||||||
|
|
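Review bot: The new single-line body of filterCN ends with `UnsortedList()`, so the CNs it returns come back in map iteration order (different from call to call) and with duplicates collapsed, whereas the removed loop returned them in the caller's order; if the listener compares this list against the SANs already on its certificate, an order-only difference could register as a change (inferred, the caller is not in this hunk). `return sets.List(a.allowed.Intersection(sets.New(cns...)))` keeps the set-based form but yields a deterministic, sorted result. The rewrite also drops the `logrus.Debugf("CN filter controller rejecting certificate CN: %s", cn)` trace, which was the only record an operator had of why a requested SAN was filtered out of the server certificate; if the set form stays, the rejected names are available as `sets.New(cns...).Difference(a.allowed)` and could be logged at debug level in one line. The sync method in the same hunk continues past the last line shown, so its closing brace is not under review here.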