gce: use set type where order does not matter

Starting small with FirewallRule Allowed field,
but this should be easier than explicitly handling values
where order does not matter.

Author: justinsb

pkg/model/gcemodel/api_loadbalancer.go

@@ -21,6 +21,7 @@ import (
 	"strconv"
 
 	"golang.org/x/exp/slices"
+	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/kops/pkg/apis/kops"
 	"k8s.io/kops/pkg/wellknownports"
 	"k8s.io/kops/pkg/wellknownservices"
@@ -103,7 +104,7 @@ func (b *APILoadBalancerBuilder) addFirewallRules(c *fi.CloudupModelBuilderConte
 			Network:      network,
 			SourceRanges: b.Cluster.Spec.API.Access,
 			TargetTags:   []string{b.GCETagForRole(kops.InstanceGroupRoleControlPlane)},
-			Allowed:      []string{"tcp:" + strconv.Itoa(wellknownports.KubeAPIServer)},
+			Allowed:      sets.New("tcp:" + strconv.Itoa(wellknownports.KubeAPIServer)),
 		})
 
 		if b.NetworkingIsIPAlias() {
@@ -114,7 +115,7 @@ func (b *APILoadBalancerBuilder) addFirewallRules(c *fi.CloudupModelBuilderConte
 				Family:       gcetasks.AddressFamilyIPv4, // ip alias is always ipv4
 				SourceRanges: []string{b.Cluster.Spec.Networking.PodCIDR},
 				TargetTags:   []string{b.GCETagForRole(kops.InstanceGroupRoleControlPlane)},
-				Allowed:      []string{"tcp:" + strconv.Itoa(wellknownports.KubeAPIServer)},
+				Allowed:      sets.New("tcp:" + strconv.Itoa(wellknownports.KubeAPIServer)),
 			})
 		}
 
@@ -124,7 +125,7 @@ func (b *APILoadBalancerBuilder) addFirewallRules(c *fi.CloudupModelBuilderConte
 				Network:      network,
 				SourceRanges: b.Cluster.Spec.API.Access,
 				TargetTags:   []string{b.GCETagForRole(kops.InstanceGroupRoleControlPlane)},
-				Allowed:      []string{"tcp:" + strconv.Itoa(wellknownports.KopsControllerPort)},
+				Allowed:      sets.New("tcp:" + strconv.Itoa(wellknownports.KopsControllerPort)),
 			})
 		}
 	}

pkg/model/gcemodel/external_access.go

@@ -19,6 +19,7 @@ package gcemodel
 import (
 	"strconv"
 
+	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/klog/v2"
 	"k8s.io/kops/pkg/apis/kops"
 	"k8s.io/kops/pkg/wellknownports"
@@ -58,21 +59,21 @@ func (b *ExternalAccessModelBuilder) Build(c *fi.CloudupModelBuilderContext) err
 		b.AddFirewallRulesTasks(c, "ssh-external-to-bastion", &gcetasks.FirewallRule{
 			Lifecycle:    b.Lifecycle,
 			TargetTags:   []string{b.GCETagForRole(kops.InstanceGroupRoleBastion)},
-			Allowed:      []string{"tcp:22"},
+			Allowed:      sets.New("tcp:22"),
 			SourceRanges: b.Cluster.Spec.SSHAccess,
 			Network:      network,
 		})
 		b.AddFirewallRulesTasks(c, "bastion-to-master-ssh", &gcetasks.FirewallRule{
 			Lifecycle:  b.Lifecycle,
 			TargetTags: []string{b.GCETagForRole(kops.InstanceGroupRoleControlPlane), b.GCETagForRole("Master")},
-			Allowed:    []string{"tcp:22"},
+			Allowed:    sets.New("tcp:22"),
 			SourceTags: []string{b.GCETagForRole(kops.InstanceGroupRoleBastion)},
 			Network:    network,
 		})
 		b.AddFirewallRulesTasks(c, "bastion-to-node-ssh", &gcetasks.FirewallRule{
 			Lifecycle:  b.Lifecycle,
 			TargetTags: []string{b.GCETagForRole(kops.InstanceGroupRoleNode)},
-			Allowed:    []string{"tcp:22"},
+			Allowed:    sets.New("tcp:22"),
 			SourceTags: []string{b.GCETagForRole(kops.InstanceGroupRoleBastion)},
 			Network:    network,
 		})
@@ -84,15 +85,15 @@ func (b *ExternalAccessModelBuilder) Build(c *fi.CloudupModelBuilderContext) err
 		b.AddFirewallRulesTasks(c, "ssh-external-to-master", &gcetasks.FirewallRule{
 			Lifecycle:    b.Lifecycle,
 			TargetTags:   []string{b.GCETagForRole(kops.InstanceGroupRoleControlPlane), b.GCETagForRole("Master")},
-			Allowed:      []string{"tcp:22"},
+			Allowed:      sets.New("tcp:22"),
 			SourceRanges: b.Cluster.Spec.SSHAccess,
 			Network:      network,
 		})
 
 		b.AddFirewallRulesTasks(c, "ssh-external-to-node", &gcetasks.FirewallRule{
 			Lifecycle:    b.Lifecycle,
 			TargetTags:   []string{b.GCETagForRole(kops.InstanceGroupRoleNode)},
-			Allowed:      []string{"tcp:22"},
+			Allowed:      sets.New("tcp:22"),
 			SourceRanges: b.Cluster.Spec.SSHAccess,
 			Network:      network,
 		})
@@ -113,10 +114,10 @@ func (b *ExternalAccessModelBuilder) Build(c *fi.CloudupModelBuilderContext) err
 		b.AddFirewallRulesTasks(c, "nodeport-external-to-node", &gcetasks.FirewallRule{
 			Lifecycle:  b.Lifecycle,
 			TargetTags: []string{b.GCETagForRole(kops.InstanceGroupRoleNode)},
-			Allowed: []string{
-				"tcp:" + nodePortRangeString,
-				"udp:" + nodePortRangeString,
-			},
+			Allowed: sets.New(
+				"tcp:"+nodePortRangeString,
+				"udp:"+nodePortRangeString,
+			),
 			SourceRanges: b.Cluster.Spec.NodePortAccess,
 			Network:      network,
 		})
@@ -136,7 +137,7 @@ func (b *ExternalAccessModelBuilder) Build(c *fi.CloudupModelBuilderContext) err
 		b.AddFirewallRulesTasks(c, "kubernetes-master-https", &gcetasks.FirewallRule{
 			Lifecycle:    b.Lifecycle,
 			TargetTags:   []string{b.GCETagForRole(kops.InstanceGroupRoleControlPlane), b.GCETagForRole("Master")},
-			Allowed:      []string{"tcp:443"},
+			Allowed:      sets.New("tcp:443"),
 			SourceRanges: b.Cluster.Spec.API.Access,
 			Network:      network,
 		})
@@ -149,7 +150,7 @@ func (b *ExternalAccessModelBuilder) Build(c *fi.CloudupModelBuilderContext) err
 				Family:       gcetasks.AddressFamilyIPv4, // ip alias is always ipv4
 				SourceRanges: []string{b.Cluster.Spec.Networking.PodCIDR},
 				TargetTags:   []string{b.GCETagForRole(kops.InstanceGroupRoleControlPlane)},
-				Allowed:      []string{"tcp:" + strconv.Itoa(wellknownports.KubeAPIServer)},
+				Allowed:      sets.New("tcp:" + strconv.Itoa(wellknownports.KubeAPIServer)),
 			})
 		}
 	}

pkg/model/gcemodel/firewall.go

@@ -21,6 +21,7 @@ import (
 	"net"
 	"strings"
 
+	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/klog/v2"
 	"k8s.io/kops/pkg/apis/kops"
 	"k8s.io/kops/pkg/apis/kops/model"
@@ -66,7 +67,7 @@ func (b *FirewallModelBuilder) Build(c *fi.CloudupModelBuilderContext) error {
 				"209.85.152.0/22",
 			},
 			TargetTags: []string{b.GCETagForRole(kops.InstanceGroupRoleControlPlane)},
-			Allowed:    []string{"tcp"},
+			Allowed:    sets.New("tcp"),
 		})
 	}
 
@@ -82,7 +83,7 @@ func (b *FirewallModelBuilder) Build(c *fi.CloudupModelBuilderContext) error {
 			Network:    network,
 			SourceTags: []string{b.GCETagForRole(kops.InstanceGroupRoleNode)},
 			TargetTags: []string{b.GCETagForRole(kops.InstanceGroupRoleNode)},
-			Allowed:    allProtocols,
+			Allowed:    sets.New(allProtocols...),
 		}
 		c.AddTask(t)
 	}
@@ -99,7 +100,7 @@ func (b *FirewallModelBuilder) Build(c *fi.CloudupModelBuilderContext) error {
 			Network:    network,
 			SourceTags: []string{b.GCETagForRole(kops.InstanceGroupRoleControlPlane), b.GCETagForRole("Master")},
 			TargetTags: []string{b.GCETagForRole(kops.InstanceGroupRoleControlPlane), b.GCETagForRole("Master")},
-			Allowed:    allProtocols,
+			Allowed:    sets.New(allProtocols...),
 		}
 		c.AddTask(t)
 	}
@@ -116,7 +117,7 @@ func (b *FirewallModelBuilder) Build(c *fi.CloudupModelBuilderContext) error {
 			Network:    network,
 			SourceTags: []string{b.GCETagForRole(kops.InstanceGroupRoleControlPlane), b.GCETagForRole("Master")},
 			TargetTags: []string{b.GCETagForRole(kops.InstanceGroupRoleNode)},
-			Allowed:    allProtocols,
+			Allowed:    sets.New(allProtocols...),
 		}
 		c.AddTask(t)
 	}
@@ -133,25 +134,25 @@ func (b *FirewallModelBuilder) Build(c *fi.CloudupModelBuilderContext) error {
 			Network:    network,
 			SourceTags: []string{b.GCETagForRole(kops.InstanceGroupRoleNode)},
 			TargetTags: []string{b.GCETagForRole(kops.InstanceGroupRoleControlPlane), b.GCETagForRole("Master")},
-			Allowed: []string{
+			Allowed: sets.New(
 				fmt.Sprintf("tcp:%d", wellknownports.KubeAPIServer),
 				fmt.Sprintf("tcp:%d", wellknownports.KubeletAPI),
 				fmt.Sprintf("tcp:%d", wellknownports.KopsControllerPort),
-			},
+			),
 		}
 		if b.Cluster.UsesLegacyGossip() {
-			t.Allowed = append(t.Allowed, fmt.Sprintf("udp:%d", wellknownports.DNSControllerGossipMemberlist))
-			t.Allowed = append(t.Allowed, fmt.Sprintf("tcp:%d", wellknownports.DNSControllerGossipMemberlist))
-			t.Allowed = append(t.Allowed, fmt.Sprintf("udp:%d", wellknownports.ProtokubeGossipMemberlist))
-			t.Allowed = append(t.Allowed, fmt.Sprintf("tcp:%d", wellknownports.ProtokubeGossipMemberlist))
+			t.Allowed.Insert(fmt.Sprintf("udp:%d", wellknownports.DNSControllerGossipMemberlist))
+			t.Allowed.Insert(fmt.Sprintf("tcp:%d", wellknownports.DNSControllerGossipMemberlist))
+			t.Allowed.Insert(fmt.Sprintf("udp:%d", wellknownports.ProtokubeGossipMemberlist))
+			t.Allowed.Insert(fmt.Sprintf("tcp:%d", wellknownports.ProtokubeGossipMemberlist))
 		}
 		if b.NetworkingIsCalico() {
-			t.Allowed = append(t.Allowed, "ipip")
+			t.Allowed.Insert("ipip")
 		}
 		if b.NetworkingIsCilium() {
-			t.Allowed = append(t.Allowed, fmt.Sprintf("udp:%d", wellknownports.VxlanUDP))
+			t.Allowed.Insert(fmt.Sprintf("udp:%d", wellknownports.VxlanUDP))
 			if model.UseCiliumEtcd(b.Cluster) {
-				t.Allowed = append(t.Allowed, fmt.Sprintf("tcp:%d", wellknownports.EtcdCiliumClientPort))
+				t.Allowed.Insert(fmt.Sprintf("tcp:%d", wellknownports.EtcdCiliumClientPort))
 			}
 		}
 		c.AddTask(t)
@@ -176,7 +177,7 @@ func (b *FirewallModelBuilder) Build(c *fi.CloudupModelBuilderContext) error {
 				Network:      network,
 				SourceRanges: []string{b.Cluster.Spec.Networking.PodCIDR},
 				TargetTags:   []string{b.GCETagForRole(kops.InstanceGroupRoleNode)},
-				Allowed:      allProtocols,
+				Allowed:      sets.New(allProtocols...),
 			})
 		}
 	}
@@ -230,13 +231,13 @@ func (b *GCEModelContext) AddFirewallRulesTasks(c *fi.CloudupModelBuilderContext
 			ipv6.SourceRanges = []string{"::/0"}
 		}
 	}
-	var ipv6Allowed []string
-	for _, allowed := range ipv6.Allowed {
+	ipv6Allowed := sets.New[string]()
+	for allowed := range ipv6.Allowed {
 		// Map icmp to icmpv6; easier than maintaining separate lists
 		if allowed == "icmp" {
 			allowed = "58" // 58 == the IANA protocol number for ICMPv6
 		}
-		ipv6Allowed = append(ipv6Allowed, allowed)
+		ipv6Allowed.Insert(allowed)
 	}
 	ipv6.Allowed = ipv6Allowed
 	c.AddTask(&ipv6)

upup/pkg/fi/cloudup/gcetasks/firewallrule.go

@@ -22,6 +22,7 @@ import (
 	"strings"
 
 	compute "google.golang.org/api/compute/v1"
+	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/kops/upup/pkg/fi"
 	"k8s.io/kops/upup/pkg/fi/cloudup/gce"
 	"k8s.io/kops/upup/pkg/fi/cloudup/terraform"
@@ -44,7 +45,7 @@ type FirewallRule struct {
 	SourceTags   []string
 	SourceRanges []string
 	TargetTags   []string
-	Allowed      []string
+	Allowed      sets.Set[string]
 
 	// Disabled: Denotes whether the firewall rule is disabled. When set to
 	// true, the firewall rule is not enforced and the network behaves as if
@@ -79,7 +80,10 @@ func (e *FirewallRule) Find(c *fi.CloudupContext) (*FirewallRule, error) {
 	actual.SourceTags = r.SourceTags
 	actual.Disabled = r.Disabled
 	for _, a := range r.Allowed {
-		actual.Allowed = append(actual.Allowed, serializeFirewallAllowed(a))
+		if actual.Allowed == nil {
+			actual.Allowed = sets.New[string]()
+		}
+		actual.Allowed.Insert(serializeFirewallAllowed(a))
 	}
 
 	// Ignore "system" fields
@@ -182,7 +186,7 @@ func serializeFirewallAllowed(r *compute.FirewallAllowed) string {
 func (e *FirewallRule) mapToGCE(project string) (*compute.Firewall, error) {
 	var allowed []*compute.FirewallAllowed
 	if e.Allowed != nil {
-		for _, a := range e.Allowed {
+		for a := range e.Allowed {
 			p, err := parseFirewallAllowed(a)
 			if err != nil {
 				return nil, err

upup/pkg/fi/topological_sort.go

@@ -125,6 +125,18 @@ func getDependencies[T SubContext](tasks map[string]Task[T], v reflect.Value) []
 				return nil
 			}
 
+			// Ignore empty struct (struct{}) and other non-addressable types
+			if !v.CanAddr() {
+				typeName := v.Type().PkgPath() + "/" + v.Type().Name()
+				switch typeName {
+				case "k8s.io/apimachinery/pkg/util/sets/Empty":
+					// known
+				default:
+					klog.Warningf("skipping non-addressable type %v name=%q", v.Type(), typeName)
+				}
+				return nil
+			}
+
 			// TODO: Can we / should we use a type-switch statement
 			intf := v.Addr().Interface()
 			if hd, ok := intf.(HasDependencies[T]); ok {