gce: use set type where order does not matter

justinsb · justinsb · commit 93e782bf958b · 2025-04-27T15:32:03.000-04:00
Starting small with FirewallRule Allowed and SourceRanges,
but this should be easier than explicitly handling values
where order does not matter.
diff --git a/pkg/model/gcemodel/api_loadbalancer.go b/pkg/model/gcemodel/api_loadbalancer.go
@@ -21,6 +21,7 @@ import (
 	"strconv"
 
 	"golang.org/x/exp/slices"
+	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/kops/pkg/apis/kops"
 	"k8s.io/kops/pkg/wellknownports"
 	"k8s.io/kops/pkg/wellknownservices"
@@ -101,9 +102,9 @@ func (b *APILoadBalancerBuilder) addFirewallRules(c *fi.CloudupModelBuilderConte
 		b.AddFirewallRulesTasks(c, "https-api", &gcetasks.FirewallRule{
 			Lifecycle:    b.Lifecycle,
 			Network:      network,
-			SourceRanges: b.Cluster.Spec.API.Access,
+			SourceRanges: sets.New(b.Cluster.Spec.API.Access...),
 			TargetTags:   []string{b.GCETagForRole(kops.InstanceGroupRoleControlPlane)},
-			Allowed:      []string{"tcp:" + strconv.Itoa(wellknownports.KubeAPIServer)},
+			Allowed:      sets.New("tcp:" + strconv.Itoa(wellknownports.KubeAPIServer)),
 		})
 
 		if b.NetworkingIsIPAlias() {
@@ -112,19 +113,19 @@ func (b *APILoadBalancerBuilder) addFirewallRules(c *fi.CloudupModelBuilderConte
 				Lifecycle:    b.Lifecycle,
 				Network:      network,
 				Family:       gcetasks.AddressFamilyIPv4, // ip alias is always ipv4
-				SourceRanges: []string{b.Cluster.Spec.Networking.PodCIDR},
+				SourceRanges: sets.New(b.Cluster.Spec.Networking.PodCIDR),
 				TargetTags:   []string{b.GCETagForRole(kops.InstanceGroupRoleControlPlane)},
-				Allowed:      []string{"tcp:" + strconv.Itoa(wellknownports.KubeAPIServer)},
+				Allowed:      sets.New("tcp:" + strconv.Itoa(wellknownports.KubeAPIServer)),
 			})
 		}
 
 		if b.Cluster.UsesNoneDNS() {
 			b.AddFirewallRulesTasks(c, "kops-controller", &gcetasks.FirewallRule{
 				Lifecycle:    b.Lifecycle,
 				Network:      network,
-				SourceRanges: b.Cluster.Spec.API.Access,
+				SourceRanges: sets.New(b.Cluster.Spec.API.Access...),
 				TargetTags:   []string{b.GCETagForRole(kops.InstanceGroupRoleControlPlane)},
-				Allowed:      []string{"tcp:" + strconv.Itoa(wellknownports.KopsControllerPort)},
+				Allowed:      sets.New("tcp:" + strconv.Itoa(wellknownports.KopsControllerPort)),
 			})
 		}
 	}
diff --git a/pkg/model/gcemodel/external_access.go b/pkg/model/gcemodel/external_access.go
@@ -19,6 +19,7 @@ package gcemodel
 import (
 	"strconv"
 
+	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/klog/v2"
 	"k8s.io/kops/pkg/apis/kops"
 	"k8s.io/kops/pkg/wellknownports"
@@ -58,21 +59,21 @@ func (b *ExternalAccessModelBuilder) Build(c *fi.CloudupModelBuilderContext) err
 		b.AddFirewallRulesTasks(c, "ssh-external-to-bastion", &gcetasks.FirewallRule{
 			Lifecycle:    b.Lifecycle,
 			TargetTags:   []string{b.GCETagForRole(kops.InstanceGroupRoleBastion)},
-			Allowed:      []string{"tcp:22"},
-			SourceRanges: b.Cluster.Spec.SSHAccess,
+			Allowed:      sets.New("tcp:22"),
+			SourceRanges: sets.New(b.Cluster.Spec.SSHAccess...),
 			Network:      network,
 		})
 		b.AddFirewallRulesTasks(c, "bastion-to-master-ssh", &gcetasks.FirewallRule{
 			Lifecycle:  b.Lifecycle,
 			TargetTags: []string{b.GCETagForRole(kops.InstanceGroupRoleControlPlane), b.GCETagForRole("Master")},
-			Allowed:    []string{"tcp:22"},
+			Allowed:    sets.New("tcp:22"),
 			SourceTags: []string{b.GCETagForRole(kops.InstanceGroupRoleBastion)},
 			Network:    network,
 		})
 		b.AddFirewallRulesTasks(c, "bastion-to-node-ssh", &gcetasks.FirewallRule{
 			Lifecycle:  b.Lifecycle,
 			TargetTags: []string{b.GCETagForRole(kops.InstanceGroupRoleNode)},
-			Allowed:    []string{"tcp:22"},
+			Allowed:    sets.New("tcp:22"),
 			SourceTags: []string{b.GCETagForRole(kops.InstanceGroupRoleBastion)},
 			Network:    network,
 		})
@@ -84,16 +85,16 @@ func (b *ExternalAccessModelBuilder) Build(c *fi.CloudupModelBuilderContext) err
 		b.AddFirewallRulesTasks(c, "ssh-external-to-master", &gcetasks.FirewallRule{
 			Lifecycle:    b.Lifecycle,
 			TargetTags:   []string{b.GCETagForRole(kops.InstanceGroupRoleControlPlane), b.GCETagForRole("Master")},
-			Allowed:      []string{"tcp:22"},
-			SourceRanges: b.Cluster.Spec.SSHAccess,
+			Allowed:      sets.New("tcp:22"),
+			SourceRanges: sets.New(b.Cluster.Spec.SSHAccess...),
 			Network:      network,
 		})
 
 		b.AddFirewallRulesTasks(c, "ssh-external-to-node", &gcetasks.FirewallRule{
 			Lifecycle:    b.Lifecycle,
 			TargetTags:   []string{b.GCETagForRole(kops.InstanceGroupRoleNode)},
-			Allowed:      []string{"tcp:22"},
-			SourceRanges: b.Cluster.Spec.SSHAccess,
+			Allowed:      sets.New("tcp:22"),
+			SourceRanges: sets.New(b.Cluster.Spec.SSHAccess...),
 			Network:      network,
 		})
 	}
@@ -113,11 +114,11 @@ func (b *ExternalAccessModelBuilder) Build(c *fi.CloudupModelBuilderContext) err
 		b.AddFirewallRulesTasks(c, "nodeport-external-to-node", &gcetasks.FirewallRule{
 			Lifecycle:  b.Lifecycle,
 			TargetTags: []string{b.GCETagForRole(kops.InstanceGroupRoleNode)},
-			Allowed: []string{
-				"tcp:" + nodePortRangeString,
-				"udp:" + nodePortRangeString,
-			},
-			SourceRanges: b.Cluster.Spec.NodePortAccess,
+			Allowed: sets.New(
+				"tcp:"+nodePortRangeString,
+				"udp:"+nodePortRangeString,
+			),
+			SourceRanges: sets.New(b.Cluster.Spec.NodePortAccess...),
 			Network:      network,
 		})
 	}
@@ -136,8 +137,8 @@ func (b *ExternalAccessModelBuilder) Build(c *fi.CloudupModelBuilderContext) err
 		b.AddFirewallRulesTasks(c, "kubernetes-master-https", &gcetasks.FirewallRule{
 			Lifecycle:    b.Lifecycle,
 			TargetTags:   []string{b.GCETagForRole(kops.InstanceGroupRoleControlPlane), b.GCETagForRole("Master")},
-			Allowed:      []string{"tcp:443"},
-			SourceRanges: b.Cluster.Spec.API.Access,
+			Allowed:      sets.New("tcp:443"),
+			SourceRanges: sets.New(b.Cluster.Spec.API.Access...),
 			Network:      network,
 		})
 
@@ -147,9 +148,9 @@ func (b *ExternalAccessModelBuilder) Build(c *fi.CloudupModelBuilderContext) err
 				Lifecycle:    b.Lifecycle,
 				Network:      network,
 				Family:       gcetasks.AddressFamilyIPv4, // ip alias is always ipv4
-				SourceRanges: []string{b.Cluster.Spec.Networking.PodCIDR},
+				SourceRanges: sets.New(b.Cluster.Spec.Networking.PodCIDR),
 				TargetTags:   []string{b.GCETagForRole(kops.InstanceGroupRoleControlPlane)},
-				Allowed:      []string{"tcp:" + strconv.Itoa(wellknownports.KubeAPIServer)},
+				Allowed:      sets.New("tcp:" + strconv.Itoa(wellknownports.KubeAPIServer)),
 			})
 		}
 	}
diff --git a/pkg/model/gcemodel/firewall.go b/pkg/model/gcemodel/firewall.go
@@ -21,6 +21,7 @@ import (
 	"net"
 	"strings"
 
+	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/klog/v2"
 	"k8s.io/kops/pkg/apis/kops"
 	"k8s.io/kops/pkg/apis/kops/model"
@@ -57,16 +58,16 @@ func (b *FirewallModelBuilder) Build(c *fi.CloudupModelBuilderContext) error {
 			Lifecycle: b.Lifecycle,
 			Network:   network,
 			Family:    gcetasks.AddressFamilyIPv4,
-			SourceRanges: []string{
+			SourceRanges: sets.New(
 				// IP ranges for load balancer health checks
 				// https://cloud.google.com/load-balancing/docs/health-checks
 				"35.191.0.0/16",
 				"130.211.0.0/22",
 				"209.85.204.0/22",
 				"209.85.152.0/22",
-			},
+			),
 			TargetTags: []string{b.GCETagForRole(kops.InstanceGroupRoleControlPlane)},
-			Allowed:    []string{"tcp"},
+			Allowed:    sets.New("tcp"),
 		})
 	}
 
@@ -82,7 +83,7 @@ func (b *FirewallModelBuilder) Build(c *fi.CloudupModelBuilderContext) error {
 			Network:    network,
 			SourceTags: []string{b.GCETagForRole(kops.InstanceGroupRoleNode)},
 			TargetTags: []string{b.GCETagForRole(kops.InstanceGroupRoleNode)},
-			Allowed:    allProtocols,
+			Allowed:    sets.New(allProtocols...),
 		}
 		c.AddTask(t)
 	}
@@ -99,7 +100,7 @@ func (b *FirewallModelBuilder) Build(c *fi.CloudupModelBuilderContext) error {
 			Network:    network,
 			SourceTags: []string{b.GCETagForRole(kops.InstanceGroupRoleControlPlane), b.GCETagForRole("Master")},
 			TargetTags: []string{b.GCETagForRole(kops.InstanceGroupRoleControlPlane), b.GCETagForRole("Master")},
-			Allowed:    allProtocols,
+			Allowed:    sets.New(allProtocols...),
 		}
 		c.AddTask(t)
 	}
@@ -116,7 +117,7 @@ func (b *FirewallModelBuilder) Build(c *fi.CloudupModelBuilderContext) error {
 			Network:    network,
 			SourceTags: []string{b.GCETagForRole(kops.InstanceGroupRoleControlPlane), b.GCETagForRole("Master")},
 			TargetTags: []string{b.GCETagForRole(kops.InstanceGroupRoleNode)},
-			Allowed:    allProtocols,
+			Allowed:    sets.New(allProtocols...),
 		}
 		c.AddTask(t)
 	}
@@ -133,25 +134,25 @@ func (b *FirewallModelBuilder) Build(c *fi.CloudupModelBuilderContext) error {
 			Network:    network,
 			SourceTags: []string{b.GCETagForRole(kops.InstanceGroupRoleNode)},
 			TargetTags: []string{b.GCETagForRole(kops.InstanceGroupRoleControlPlane), b.GCETagForRole("Master")},
-			Allowed: []string{
+			Allowed: sets.New(
 				fmt.Sprintf("tcp:%d", wellknownports.KubeAPIServer),
 				fmt.Sprintf("tcp:%d", wellknownports.KubeletAPI),
 				fmt.Sprintf("tcp:%d", wellknownports.KopsControllerPort),
-			},
+			),
 		}
 		if b.Cluster.UsesLegacyGossip() {
-			t.Allowed = append(t.Allowed, fmt.Sprintf("udp:%d", wellknownports.DNSControllerGossipMemberlist))
-			t.Allowed = append(t.Allowed, fmt.Sprintf("tcp:%d", wellknownports.DNSControllerGossipMemberlist))
-			t.Allowed = append(t.Allowed, fmt.Sprintf("udp:%d", wellknownports.ProtokubeGossipMemberlist))
-			t.Allowed = append(t.Allowed, fmt.Sprintf("tcp:%d", wellknownports.ProtokubeGossipMemberlist))
+			t.Allowed.Insert(fmt.Sprintf("udp:%d", wellknownports.DNSControllerGossipMemberlist))
+			t.Allowed.Insert(fmt.Sprintf("tcp:%d", wellknownports.DNSControllerGossipMemberlist))
+			t.Allowed.Insert(fmt.Sprintf("udp:%d", wellknownports.ProtokubeGossipMemberlist))
+			t.Allowed.Insert(fmt.Sprintf("tcp:%d", wellknownports.ProtokubeGossipMemberlist))
 		}
 		if b.NetworkingIsCalico() {
-			t.Allowed = append(t.Allowed, "ipip")
+			t.Allowed.Insert("ipip")
 		}
 		if b.NetworkingIsCilium() {
-			t.Allowed = append(t.Allowed, fmt.Sprintf("udp:%d", wellknownports.VxlanUDP))
+			t.Allowed.Insert(fmt.Sprintf("udp:%d", wellknownports.VxlanUDP))
 			if model.UseCiliumEtcd(b.Cluster) {
-				t.Allowed = append(t.Allowed, fmt.Sprintf("tcp:%d", wellknownports.EtcdCiliumClientPort))
+				t.Allowed.Insert(fmt.Sprintf("tcp:%d", wellknownports.EtcdCiliumClientPort))
 			}
 		}
 		c.AddTask(t)
@@ -174,9 +175,9 @@ func (b *FirewallModelBuilder) Build(c *fi.CloudupModelBuilderContext) error {
 			b.AddFirewallRulesTasks(c, "pod-cidrs-to-node", &gcetasks.FirewallRule{
 				Lifecycle:    b.Lifecycle,
 				Network:      network,
-				SourceRanges: []string{b.Cluster.Spec.Networking.PodCIDR},
+				SourceRanges: sets.New(b.Cluster.Spec.Networking.PodCIDR),
 				TargetTags:   []string{b.GCETagForRole(kops.InstanceGroupRoleNode)},
-				Allowed:      allProtocols,
+				Allowed:      sets.New(allProtocols...),
 			})
 		}
 	}
@@ -189,19 +190,19 @@ func (b *FirewallModelBuilder) Build(c *fi.CloudupModelBuilderContext) error {
 // Furthermore, an empty SourceRange with empty SourceTags is interpreted as allow-everything,
 // but we intend for it to block everything; so we can Disabled to achieve the desired blocking.
 func (b *GCEModelContext) AddFirewallRulesTasks(c *fi.CloudupModelBuilderContext, name string, rule *gcetasks.FirewallRule) {
-	var ipv4SourceRanges []string
-	var ipv6SourceRanges []string
-	for _, sourceRange := range rule.SourceRanges {
+	ipv4SourceRanges := sets.New[string]()
+	ipv6SourceRanges := sets.New[string]()
+	for sourceRange := range rule.SourceRanges {
 		_, cidr, err := net.ParseCIDR(sourceRange)
 		if err != nil {
 			klog.Fatalf("failed to parse invalid sourceRange %q", sourceRange)
 		}
 
 		// Split into ipv4s and ipv6s, but treat IPv4-mapped IPv6 addresses as IPv6
 		if cidr.IP.To4() != nil && !strings.Contains(sourceRange, ":") {
-			ipv4SourceRanges = append(ipv4SourceRanges, sourceRange)
+			ipv4SourceRanges.Insert(sourceRange)
 		} else {
-			ipv6SourceRanges = append(ipv6SourceRanges, sourceRange)
+			ipv6SourceRanges.Insert(sourceRange)
 		}
 	}
 
@@ -214,7 +215,7 @@ func (b *GCEModelContext) AddFirewallRulesTasks(c *fi.CloudupModelBuilderContext
 			// This is helpful because empty SourceRanges and SourceTags are interpreted as allow everything,
 			// but the intent is usually to block everything, which can be achieved with Disabled=true.
 			ipv4.Disabled = true
-			ipv4.SourceRanges = []string{"0.0.0.0/0"}
+			ipv4.SourceRanges = sets.New("0.0.0.0/0")
 		}
 	}
 	c.AddTask(&ipv4)
@@ -227,16 +228,16 @@ func (b *GCEModelContext) AddFirewallRulesTasks(c *fi.CloudupModelBuilderContext
 		if len(ipv6.SourceRanges) == 0 {
 			// We specify explicitly so the rule is in IPv6 mode
 			ipv6.Disabled = true
-			ipv6.SourceRanges = []string{"::/0"}
+			ipv6.SourceRanges = sets.New("::/0")
 		}
 	}
-	var ipv6Allowed []string
-	for _, allowed := range ipv6.Allowed {
+	ipv6Allowed := sets.New[string]()
+	for allowed := range ipv6.Allowed {
 		// Map icmp to icmpv6; easier than maintaining separate lists
 		if allowed == "icmp" {
 			allowed = "58" // 58 == the IANA protocol number for ICMPv6
 		}
-		ipv6Allowed = append(ipv6Allowed, allowed)
+		ipv6Allowed.Insert(allowed)
 	}
 	ipv6.Allowed = ipv6Allowed
 	c.AddTask(&ipv6)
diff --git a/upup/pkg/fi/changes.go b/upup/pkg/fi/changes.go
@@ -138,12 +138,11 @@ func equalFieldValues(a, e reflect.Value) bool {
 
 // equalMapValues performs a deep-equality check on a map, but using our custom comparison logic (equalFieldValues)
 func equalMapValues(a, e reflect.Value) bool {
-	if a.IsNil() != e.IsNil() {
+	aIsEmpty := a.IsNil() || a.Len() == 0
+	eIsEmpty := e.IsNil() || e.Len() == 0
+	if aIsEmpty != eIsEmpty {
 		return false
 	}
-	if a.IsNil() && e.IsNil() {
-		return true
-	}
 	if a.Len() != e.Len() {
 		return false
 	}
diff --git a/upup/pkg/fi/cloudup/gcetasks/firewallrule.go b/upup/pkg/fi/cloudup/gcetasks/firewallrule.go
@@ -22,6 +22,7 @@ import (
 	"strings"
 
 	compute "google.golang.org/api/compute/v1"
+	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/kops/upup/pkg/fi"
 	"k8s.io/kops/upup/pkg/fi/cloudup/gce"
 	"k8s.io/kops/upup/pkg/fi/cloudup/terraform"
@@ -42,9 +43,9 @@ type FirewallRule struct {
 
 	Network      *Network
 	SourceTags   []string
-	SourceRanges []string
+	SourceRanges sets.Set[string]
 	TargetTags   []string
-	Allowed      []string
+	Allowed      sets.Set[string]
 
 	// Disabled: Denotes whether the firewall rule is disabled. When set to
 	// true, the firewall rule is not enforced and the network behaves as if
@@ -75,11 +76,14 @@ func (e *FirewallRule) Find(c *fi.CloudupContext) (*FirewallRule, error) {
 	actual.Name = &r.Name
 	actual.Network = &Network{Name: fi.PtrTo(lastComponent(r.Network))}
 	actual.TargetTags = r.TargetTags
-	actual.SourceRanges = r.SourceRanges
+	actual.SourceRanges = sets.New(r.SourceRanges...)
 	actual.SourceTags = r.SourceTags
 	actual.Disabled = r.Disabled
 	for _, a := range r.Allowed {
-		actual.Allowed = append(actual.Allowed, serializeFirewallAllowed(a))
+		if actual.Allowed == nil {
+			actual.Allowed = sets.New[string]()
+		}
+		actual.Allowed.Insert(serializeFirewallAllowed(a))
 	}
 
 	// Ignore "system" fields
@@ -114,7 +118,7 @@ func (e *FirewallRule) Normalize(c *fi.CloudupContext) error {
 
 	// Make sure we've split the ipv4 / ipv6 addresses.
 	// A single firewall rule can't mix ipv4 and ipv6 addresses, so we split them into two rules.
-	for _, sourceRange := range e.SourceRanges {
+	for sourceRange := range e.SourceRanges {
 		_, cidr, err := net.ParseCIDR(sourceRange)
 		if err != nil {
 			return fmt.Errorf("sourceRange %q is not valid: %w", sourceRange, err)
@@ -182,7 +186,7 @@ func serializeFirewallAllowed(r *compute.FirewallAllowed) string {
 func (e *FirewallRule) mapToGCE(project string) (*compute.Firewall, error) {
 	var allowed []*compute.FirewallAllowed
 	if e.Allowed != nil {
-		for _, a := range e.Allowed {
+		for _, a := range sets.List(e.Allowed) {
 			p, err := parseFirewallAllowed(a)
 			if err != nil {
 				return nil, err
@@ -194,7 +198,7 @@ func (e *FirewallRule) mapToGCE(project string) (*compute.Firewall, error) {
 		Name:         *e.Name,
 		Network:      e.Network.URL(project),
 		SourceTags:   e.SourceTags,
-		SourceRanges: e.SourceRanges,
+		SourceRanges: sets.List(e.SourceRanges),
 		TargetTags:   e.TargetTags,
 		Allowed:      allowed,
 		Disabled:     e.Disabled,
diff --git a/upup/pkg/fi/topological_sort.go b/upup/pkg/fi/topological_sort.go
@@ -125,6 +125,18 @@ func getDependencies[T SubContext](tasks map[string]Task[T], v reflect.Value) []
 				return nil
 			}
 
+			// Ignore empty struct (struct{}) and other non-addressable types
+			if !v.CanAddr() {
+				typeName := v.Type().PkgPath() + "/" + v.Type().Name()
+				switch typeName {
+				case "k8s.io/apimachinery/pkg/util/sets/Empty":
+					// known
+				default:
+					klog.Warningf("skipping non-addressable type %v name=%q", v.Type(), typeName)
+				}
+				return nil
+			}
+
 			// TODO: Can we / should we use a type-switch statement
 			intf := v.Addr().Interface()
 			if hd, ok := intf.(HasDependencies[T]); ok {
