diff --git a/pkg/controller/poolcoordinator/cert/certificate.go b/pkg/controller/poolcoordinator/cert/certificate.go
index f8c0b4f091e..0105cf1ff18 100644
--- a/pkg/controller/poolcoordinator/cert/certificate.go
+++ b/pkg/controller/poolcoordinator/cert/certificate.go
@@ -98,13 +98,8 @@ func NewSignedCert(client client.Interface, cfg *CertConfig, key crypto.Signer,
 			return nil, errors.Wrapf(err, "init cert %s fail", cfg.CertName)
 		}
-		for _, ip := range ips {
-			cfg.IPs = append(cfg.IPs, ip)
-		}
-		for _, dnsName := range dnsNames {
-			cfg.DNSNames = append(cfg.DNSNames, dnsName)
-		}
-
+		cfg.IPs = append(cfg.IPs, ips...)
+		cfg.DNSNames = append(cfg.DNSNames, dnsNames...)
 	}
 	// prepare cert serial number
diff --git a/pkg/controller/poolcoordinator/cert/poolcoordinator_cert_manager.go b/pkg/controller/poolcoordinator/cert/poolcoordinator_cert_manager.go
index 605580df8c2..79e12dbcec8 100644
--- a/pkg/controller/poolcoordinator/cert/poolcoordinator_cert_manager.go
+++ b/pkg/controller/poolcoordinator/cert/poolcoordinator_cert_manager.go
@@ -21,7 +21,6 @@ import (
 	"crypto/x509"
 	"fmt"
 	"net"
-	"reflect"
 	"time"
 	"github.com/pkg/errors"
@@ -107,16 +106,6 @@ type CertConfig struct {
 	certInit certInitFunc
 }
-func (c *CertConfig) init(clientSet client.Interface, stopCh <-chan struct{}) (err error) {
-	if c.certInit != nil {
-		c.IPs, c.DNSNames, err = c.certInit(clientSet, stopCh)
-		if err != nil {
-			return errors.Wrapf(err, "fail to init cert %s", c.CertName)
-		}
-	}
-	return nil
-}
-
 var allSelfSignedCerts []CertConfig = []CertConfig{
 	{
 		CertName: "apiserver-etcd-client",
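Review bot: The two added lines still append into `cfg.IPs` and `cfg.DNSNames` on the caller's *CertConfig, so if the same config is handed to NewSignedCert more than once (a renewal, for instance) every call appends the dynamic SANs again and the issued certificate accumulates duplicate entries; the variadic form preserves that behaviour rather than removing it. If the remainder of the function only needs the merged lists locally, appending into local copies of the two slices instead of the cfg fields would keep the shared config unchanged between calls. I cannot see how cfg is used after this point, and NewSignedCert continues outside the hunk, so this is worth confirming rather than a certain defect.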
@@ -296,13 +285,31 @@ func initPoolCoordinator(clientSet client.Interface, stopCh <-chan struct{}) err
 		// 1.3 check has dynamic attrs changed
 		if certConf.certInit != nil {
-			if err := certConf.init(clientSet, stopCh); err != nil {
+			// receive dynamic IP addresses
+			ips, _, err := certConf.certInit(clientSet, stopCh)
+			if err != nil {
 				// if cert init failed, skip this cert
-				klog.Errorf("fail to init cert when checking dynamic attrs: %v", err)
+				klog.Errorf("fail to init cert %s when checking dynamic attrs: %v", certConf.CertName, err)
 				continue
 			} else {
-				// check if dynamic IP address has changed
-				if !reflect.DeepEqual(certConf.IPs, cert.IPAddresses) {
+				// check if dynamic IP addresses arleady exist in cert
+				changed := false
+				for _, fromService := range ips {
+					contains := false
+					for _, fromSecret := range cert.IPAddresses {
+						// use Equal to compare IP address instead of deep equal
+						// deep equal does not work for IP address
+						if fromService.Equal(fromSecret) {
+							contains = true
+							break
+						}
+					}
+					if !contains {
+						changed = true
+						break
+					}
+				}
+				if changed {
 					klog.Infof("cert %s IP has changed", certConf.CertName)
 					selfSignedCerts = append(selfSignedCerts, certConf)
 					continue
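Review bot: The new containment loop is a one-way subset test, not the equality check it replaces: it only verifies that every address returned by certInit is already in `cert.IPAddresses`, so an address that disappears from the service but is still in the stored certificate never sets `changed`, and that stale SAN remains valid until something else triggers a regeneration. If one-way is intended, the comment and the `IP has changed` log line should say so (and `arleady` should read `already`); otherwise compare both directions, which also lets the nested loops move into a small helper and drops the `else` after `continue`. Discarding the DNS names with `_` is a separate silent change from the removed `certConf.init`, which stored them on certConf; it appears NewSignedCert recomputes them from `certInit` itself, but a comment saying that would help the next reader. initPoolCoordinator's body begins and continues outside the hunk.
```go
			// check if the dynamic IP addresses differ from those already in the cert
			if !sameIPSet(ips, cert.IPAddresses) {
				// … unchanged: log, append to selfSignedCerts, continue …

// sameIPSet reports whether a and b hold the same addresses, ignoring order.
// net.IP.Equal is used so an IPv4 address and its IPv6-mapped form compare equal.
func sameIPSet(a, b []net.IP) bool {
	contains := func(set []net.IP, ip net.IP) bool {
		for _, candidate := range set {
			if candidate.Equal(ip) {
				return true
			}
		}
		return false
	}
	for _, ip := range a {
		if !contains(b, ip) {
			return false
		}
	}
	for _, ip := range b {
		if !contains(a, ip) {
			return false
		}
	}
	return true
}
```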