use both addresses and addressetrefs

linode · Nov 27, 2024 · cb2ce9d · cb2ce9d
1 parent 0c44edf
commit cb2ce9d
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 17 deletions.
diff --git a/api/v1alpha2/linodefirewall_types.go b/api/v1alpha2/linodefirewall_types.go
@@ -70,8 +70,8 @@ type FirewallRule struct {
 	// +kubebuilder:validation:Enum=TCP;UDP;ICMP;IPENCAP
 	Protocol  linodego.NetworkProtocol `json:"protocol"`
 	Addresses *NetworkAddresses        `json:"addresses"`
-	// AddressSetRefs is a list of references to AddressSets
-	// If Addresses is present, AddressSetRefs will be ignored
+	// AddressSetRefs is a list of references to AddressSets as an alternative to
+	// using Addresses but can be used in conjunction with it
 	AddressSetRefs []*corev1.ObjectReference `json:"addressSetRefs,omitempty"`
 }
 

diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_linodefirewalls.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_linodefirewalls.yaml
@@ -85,8 +85,8 @@ spec:
                       type: string
                     addressSetRefs:
                       description: |-
-                        AddressSetRefs is a list of references to AddressSets
-                        If Addresses is present, AddressSetRefs will be ignored
+                        AddressSetRefs is a list of references to AddressSets as an alternative to
+                        using Addresses but can be used in conjunction with it
                       items:
                         description: ObjectReference contains enough information to
                           let you inspect or modify the referred object.
@@ -183,8 +183,8 @@ spec:
                       type: string
                     addressSetRefs:
                       description: |-
-                        AddressSetRefs is a list of references to AddressSets
-                        If Addresses is present, AddressSetRefs will be ignored
+                        AddressSetRefs is a list of references to AddressSets as an alternative to
+                        using Addresses but can be used in conjunction with it
                       items:
                         description: ObjectReference contains enough information to
                           let you inspect or modify the referred object.

diff --git a/internal/controller/linodefirewall_controller_helpers.go b/internal/controller/linodefirewall_controller_helpers.go
@@ -188,7 +188,8 @@ func processOutboundRule(ctx context.Context, k8sClient clients.K8sClient, log l
 	var ruleIPv6s []string
 	if rule.Addresses != nil {
 		ruleIPv4s, ruleIPv6s = processAddresses(rule.Addresses)
-	} else if rule.AddressSetRefs != nil {
+	}
+	if rule.AddressSetRefs != nil {
 		ruleIPv4s, ruleIPv6s = processAddressSetRefs(ctx, k8sClient, rule.AddressSetRefs, log)
 	}
 	ruleLabel := formatRuleLabel(outboundPolicy, rule.Label)
@@ -202,9 +203,9 @@ func processOutboundRule(ctx context.Context, k8sClient clients.K8sClient, log l
 
 // processAddresses extracts and transforms IPv4 and IPv6 addresses
 func processAddresses(addresses *infrav1alpha2.NetworkAddresses) (ipv4s, ipv6s []string) {
-	// Initialize empty slices for consistent return type
-	ipv4s = make([]string, 0)
-	ipv6s = make([]string, 0)
+	// Declare "sets". Empty structs occupy 0 memory
+	ipv4Set := make(map[string]struct{})
+	ipv6Set := make(map[string]struct{})
 
 	// Early return if addresses is nil
 	if addresses == nil {
@@ -214,25 +215,32 @@ func processAddresses(addresses *infrav1alpha2.NetworkAddresses) (ipv4s, ipv6s [
 	// Process IPv4 addresses
 	if addresses.IPv4 != nil {
 		for _, ip := range *addresses.IPv4 {
-			ipv4s = append(ipv4s, transformToCIDR(ip))
+			ipv4Set[transformToCIDR(ip)] = struct{}{}
 		}
 	}
 
 	// Process IPv6 addresses
 	if addresses.IPv6 != nil {
 		for _, ip := range *addresses.IPv6 {
-			ipv6s = append(ipv6s, transformToCIDR(ip))
+			ipv6Set[transformToCIDR(ip)] = struct{}{}
 		}
 	}
 
+	for ipv4 := range ipv4Set {
+		ipv4s = append(ipv4s, ipv4)
+	}
+	for ipv6 := range ipv6Set {
+		ipv6s = append(ipv6s, ipv6)
+	}
+
 	return ipv4s, ipv6s
 }
 
 // processAddressSetRefs extracts and transforms IPv4 and IPv6 addresses from the reference AddressSet(s)
 func processAddressSetRefs(ctx context.Context, k8sClient clients.K8sClient, addressSetRefs []*corev1.ObjectReference, log logr.Logger) (ipv4s, ipv6s []string) {
-	// Initialize empty slices for consistent return type
-	ipv4s = make([]string, 0)
-	ipv6s = make([]string, 0)
+	// Declare "sets". Empty structs occupy 0 memory
+	ipv4Set := make(map[string]struct{})
+	ipv6Set := make(map[string]struct{})
 
 	for _, addrSetRef := range addressSetRefs {
 		addrSet := &infrav1alpha2.AddressSet{}
@@ -243,17 +251,23 @@ func processAddressSetRefs(ctx context.Context, k8sClient clients.K8sClient, add
 		// Process IPv4 addresses
 		if addrSet.Spec.IPv4 != nil {
 			for _, ip := range *addrSet.Spec.IPv4 {
-				ipv4s = append(ipv4s, transformToCIDR(ip))
+				ipv4Set[transformToCIDR(ip)] = struct{}{}
 			}
 		}
 
 		// Process IPv6 addresses
 		if addrSet.Spec.IPv6 != nil {
 			for _, ip := range *addrSet.Spec.IPv6 {
-				ipv6s = append(ipv6s, transformToCIDR(ip))
+				ipv6Set[transformToCIDR(ip)] = struct{}{}
 			}
 		}
 	}
+	for ipv4 := range ipv4Set {
+		ipv4s = append(ipv4s, ipv4)
+	}
+	for ipv6 := range ipv6Set {
+		ipv6s = append(ipv6s, ipv6)
+	}
 
 	return ipv4s, ipv6s
 }