Changes in response to code-review.

- Make k8sapi.CanI a variadic function (and use where applicable).
- Sort AgentEnv.Excluded before checking slices for equality.

Signed-off-by: Thomas Hallgren <[email protected]>

cmd/traffic/cmd/manager/cluster/info.go

@@ -296,17 +296,14 @@ func clusterDomainFromResolvConf(confFile, namespace string) (string, error) {
 }
 
 func (oi *info) watchNodeSubnets(ctx context.Context, mustSucceed bool) bool {
-	ok, err := k8sapi.CanI(ctx, &auth.ResourceAttributes{
-		Verb:     "list",
-		Resource: "nodes",
-	})
-	if err != nil || !ok {
-		return false
-	}
-	ok, err = k8sapi.CanI(ctx, &auth.ResourceAttributes{
-		Verb:     "watch",
-		Resource: "nodes",
-	})
+	ok, err := k8sapi.CanI(ctx,
+		&auth.ResourceAttributes{
+			Verb:     "list",
+			Resource: "nodes",
+		}, &auth.ResourceAttributes{
+			Verb:     "watch",
+			Resource: "nodes",
+		})
 	if err != nil || !ok {
 		return false
 	}

cmd/traffic/cmd/manager/config/config.go

@@ -6,6 +6,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"slices"
+	"sort"
 	"sync"
 
 	core "k8s.io/api/core/v1"
@@ -164,9 +165,12 @@ func (c *config) refreshFile(ctx context.Context, mapData map[string]string) {
 		}
 		if err != nil {
 			dlog.Errorf(ctx, "failed to unmarshal YAML from %s: %v", agentEnvConfigFileName, err)
-		} else if !ae.Equal(c.agentEnv) {
-			c.agentEnv = ae
-			dlog.Debugf(ctx, "Refreshed agent-env:\n%s", yml)
+		} else {
+			sort.Strings(ae.Excluded)
+			if !ae.Equal(c.agentEnv) {
+				c.agentEnv = ae
+				dlog.Debugf(ctx, "Refreshed agent-env:\n%s", yml)
+			}
 		}
 	} else if !c.agentEnv.Equal(ae) {
 		c.agentEnv = ae

pkg/k8sapi/cani.go

@@ -10,26 +10,29 @@ import (
 	"github.com/datawire/dlib/dlog"
 )
 
-func CanI(ctx context.Context, ra *auth.ResourceAttributes) (bool, error) {
+func CanI(ctx context.Context, ras ...*auth.ResourceAttributes) (bool, error) {
 	authHandler := GetK8sInterface(ctx).AuthorizationV1().SelfSubjectAccessReviews()
-	review := auth.SelfSubjectAccessReview{Spec: auth.SelfSubjectAccessReviewSpec{ResourceAttributes: ra}}
-	ar, err := authHandler.Create(ctx, &review, meta.CreateOptions{})
-	if err == nil && ar.Status.Allowed {
-		return true, nil
-	}
-	where := ""
-	if ra.Namespace != "" {
-		where = " in namespace " + ra.Namespace
-	}
-	if err != nil {
-		err = fmt.Errorf(`unable to do "can-i %s %s%s": %v`, ra.Verb, ra.Resource, where, err)
-		if ctx.Err() == nil {
-			dlog.Error(ctx, err)
+	for _, ra := range ras {
+		review := auth.SelfSubjectAccessReview{Spec: auth.SelfSubjectAccessReviewSpec{ResourceAttributes: ra}}
+		ar, err := authHandler.Create(ctx, &review, meta.CreateOptions{})
+		if err == nil && ar.Status.Allowed {
+			continue
+		}
+		where := ""
+		if ra.Namespace != "" {
+			where = " in namespace " + ra.Namespace
+		}
+		if err != nil {
+			err = fmt.Errorf(`unable to do "can-i %s %s%s": %v`, ra.Verb, ra.Resource, where, err)
+			if ctx.Err() == nil {
+				dlog.Error(ctx, err)
+			}
+		} else {
+			dlog.Infof(ctx, `"can-i %s %s%s" is not allowed`, ra.Verb, ra.Resource, where)
 		}
-	} else {
-		dlog.Infof(ctx, `"can-i %s %s%s" is not allowed`, ra.Verb, ra.Resource, where)
+		return false, err
 	}
-	return false, err
+	return true, nil
 }
 
 func CanWatch(ctx context.Context, group, resource, name, ns string) bool {