Bugfix: fix handle poolcoordinator certificates in case of restarting…

… yurt-controller-manager
openyurtio · Feb 5, 2023 · b906279 · b906279
1 parent a36f3be
commit b906279
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 22 deletions.
diff --git a/pkg/controller/poolcoordinator/cert/certificate.go b/pkg/controller/poolcoordinator/cert/certificate.go
@@ -98,13 +98,8 @@ func NewSignedCert(client client.Interface, cfg *CertConfig, key crypto.Signer,
 			return nil, errors.Wrapf(err, "init cert %s fail", cfg.CertName)
 		}
 
-		for _, ip := range ips {
-			cfg.IPs = append(cfg.IPs, ip)
-		}
-		for _, dnsName := range dnsNames {
-			cfg.DNSNames = append(cfg.DNSNames, dnsName)
-		}
-
+		cfg.IPs = append(cfg.IPs, ips...)
+		cfg.DNSNames = append(cfg.DNSNames, dnsNames...)
 	}
 
 	// prepare cert serial number

diff --git a/pkg/controller/poolcoordinator/cert/poolcoordinator_cert_manager.go b/pkg/controller/poolcoordinator/cert/poolcoordinator_cert_manager.go
@@ -21,7 +21,6 @@ import (
 	"crypto/x509"
 	"fmt"
 	"net"
-	"reflect"
 	"time"
 
 	"github.com/pkg/errors"
@@ -107,16 +106,6 @@ type CertConfig struct {
 	certInit certInitFunc
 }
 
-func (c *CertConfig) init(clientSet client.Interface, stopCh <-chan struct{}) (err error) {
-	if c.certInit != nil {
-		c.IPs, c.DNSNames, err = c.certInit(clientSet, stopCh)
-		if err != nil {
-			return errors.Wrapf(err, "fail to init cert %s", c.CertName)
-		}
-	}
-	return nil
-}
-
 var allSelfSignedCerts []CertConfig = []CertConfig{
 	{
 		CertName:     "apiserver-etcd-client",
@@ -296,13 +285,31 @@ func initPoolCoordinator(clientSet client.Interface, stopCh <-chan struct{}) err
 
 			// 1.3 check has dynamic attrs changed
 			if certConf.certInit != nil {
-				if err := certConf.init(clientSet, stopCh); err != nil {
+				// receive dynamic IP addresses
+				ips, _, err := certConf.certInit(clientSet, stopCh)
+				if err != nil {
 					// if cert init failed, skip this cert
-					klog.Errorf("fail to init cert when checking dynamic attrs: %v", err)
+					klog.Errorf("fail to init cert %s when checking dynamic attrs: %v", certConf.CertName, err)
 					continue
 				} else {
-					// check if dynamic IP address has changed
-					if !reflect.DeepEqual(certConf.IPs, cert.IPAddresses) {
+					// check if dynamic IP addresses arleady exist in cert
+					changed := false
+					for _, fromService := range ips {
+						contains := false
+						for _, fromSecret := range cert.IPAddresses {
+							// use Equal to compare IP address instead of deep equal
+							// deep equal does not work for IP address
+							if fromService.Equal(fromSecret) {
+								contains = true
+								break
+							}
+						}
+						if !contains {
+							changed = true
+							break
+						}
+					}
+					if changed {
 						klog.Infof("cert %s IP has changed", certConf.CertName)
 						selfSignedCerts = append(selfSignedCerts, certConf)
 						continue