Refactor filterCN to use a Set instead of map[string]bool

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
pull/11430/head
Brad Davidson 2024-11-17 23:49:57 +00:00 committed by Brad Davidson
parent 67fd5fa9e5
commit 95797c4a79
1 changed files with 11 additions and 24 deletions


@ -8,20 +8,17 @@ import (
controllerv1 "github.com/rancher/wrangler/v3/pkg/generated/controllers/core/v1" controllerv1 "github.com/rancher/wrangler/v3/pkg/generated/controllers/core/v1"
"github.com/sirupsen/logrus" "github.com/sirupsen/logrus"
v1 "k8s.io/api/core/v1" v1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/util/sets"
) )
func registerAddressHandlers(ctx context.Context, c *Cluster) { func registerAddressHandlers(ctx context.Context, c *Cluster) {
nodes := c.config.Runtime.Core.Core().V1().Node() nodes := c.config.Runtime.Core.Core().V1().Node()
a := &addressesHandler{ a := &addressesHandler{
nodeController: nodes, nodeController: nodes,
allowed: map[string]bool{}, allowed: sets.New(c.config.SANs...),
} }
for _, cn := range c.config.SANs { logrus.Infof("Starting dynamiclistener CN filter node controller with SANs: %v", c.config.SANs)
a.allowed[cn] = true
}
logrus.Infof("Starting dynamiclistener CN filter node controller")
nodes.OnChange(ctx, "server-cn-filter", a.sync) nodes.OnChange(ctx, "server-cn-filter", a.sync)
c.cnFilterFunc = a.filterCN c.cnFilterFunc = a.filterCN
} }
@ -30,40 +27,30 @@ type addressesHandler struct {
sync.RWMutex sync.RWMutex
nodeController controllerv1.NodeController nodeController controllerv1.NodeController
allowed map[string]bool allowed sets.Set[string]
} }
// filterCN filters a list of potential server CNs (hostnames or IPs), removing any which do not correspond to // filterCN filters a list of potential server CNs (hostnames or IPs), removing any which do not correspond to
// valid cluster servers (control-plane or etcd), or an address explicitly added via the tls-san option. // valid cluster servers (control-plane or etcd), or an address explicitly added via the tls-san option.
func (a *addressesHandler) filterCN(cns ...string) []string { func (a *addressesHandler) filterCN(cns ...string) []string {
if !a.nodeController.Informer().HasSynced() { if len(cns) == 0 || !a.nodeController.Informer().HasSynced() {
return cns return cns
} }
a.RLock() a.RLock()
defer a.RUnlock() defer a.RUnlock()
filteredCNs := make([]string, 0, len(cns)) return a.allowed.Intersection(sets.New(cns...)).UnsortedList()
for _, cn := range cns {
if a.allowed[cn] {
filteredCNs = append(filteredCNs, cn)
} else {
logrus.Debugf("CN filter controller rejecting certificate CN: %s", cn)
}
}
return filteredCNs
} }
// sync updates the allowed address list to include addresses for the node // sync updates the allowed address list to include addresses for the node
func (a *addressesHandler) sync(key string, node *v1.Node) (*v1.Node, error) { func (a *addressesHandler) sync(key string, node *v1.Node) (*v1.Node, error) {
if node != nil { if node != nil && (node.Labels[util.ControlPlaneRoleLabelKey] != "" || node.Labels[util.ETCDRoleLabelKey] != "") {
if node.Labels[util.ControlPlaneRoleLabelKey] != "" || node.Labels[util.ETCDRoleLabelKey] != "" { a.Lock()
a.Lock() defer a.Unlock()
defer a.Unlock()
for _, address := range node.Status.Addresses { for _, address := range node.Status.Addresses {
a.allowed[address.String()] = true a.allowed.Insert(address.String())
}
} }
} }
return node, nil return node, nil