fix(admin): clamp seed-fallback targets to maxNodes

Codex P2 on 501b017: when every discovery RPC fails (or the caller
context cancels, or refreshMembership returns an unexpected type),
currentTargets / refreshMembership returned the raw f.seeds list,
bypassing the maxNodes bound that membersFrom otherwise enforces. With
an oversized --nodes list (or under outage conditions where the
fallback path actually fires), /api/cluster/overview could spawn one
RPC per seed entry — exactly when the system is already degraded.

Add fanout.seedTargets() that returns a deduplicated copy of f.seeds
clamped to f.maxNodes, and replace all three raw-seed-return sites
with it. Regression test feeds 9 seeds (1 duplicate) with maxNodes=5
and asserts the result is 5 distinct entries.

Author: bootjp

cmd/elastickv-admin/main.go

@@ -313,7 +313,7 @@ type fanout struct {
 	// "skip seed entries" check. Seeds are immutable after construction so
 	// rebuilding the map on every cache-full eviction (under f.mu) is pure
 	// waste — Gemini flagged the per-call allocation.
-	seedSet         map[string]struct{}
+	seedSet map[string]struct{}
 	// maxNodes bounds both the per-overview discovery list and the gRPC
 	// client cache. Configurable via --maxDiscoveredNodes; values ≤0 fall
 	// back to defaultMaxDiscoveredNodes so the bound is never disabled.
@@ -669,7 +669,7 @@ func (f *fanout) currentTargets(ctx context.Context) []string {
 			return addrs
 		}
 		log.Printf("elastickv-admin: membership refresh returned unexpected type %T; falling back to seeds", r.Val)
-		return append([]string(nil), f.seeds...)
+		return f.seedTargets()
 	case <-ctx.Done():
 		// Caller bailed. Give them whatever targets we can assemble without
 		// blocking: the last cached membership if we have one, else seeds.
@@ -680,10 +680,40 @@ func (f *fanout) currentTargets(ctx context.Context) []string {
 		if f.members != nil {
 			return append([]string(nil), f.members.addrs...)
 		}
-		return append([]string(nil), f.seeds...)
+		return f.seedTargets()
 	}
 }
 
+// seedTargets returns a deduplicated copy of f.seeds clamped to f.maxNodes.
+// Callers use it on seed-fallback paths (discovery error, ctx cancel,
+// unexpected refresh result, no cached members yet) so a misconfigured huge
+// --nodes list never bypasses the fan-out bound that membersFrom otherwise
+// enforces. Codex P2 on 501b0173: previously these paths returned the raw
+// f.seeds, which under outages or oversized seed lists could spawn more
+// concurrent RPCs than configured.
+func (f *fanout) seedTargets() []string {
+	cap := f.maxNodes
+	if cap <= 0 {
+		cap = defaultMaxDiscoveredNodes
+	}
+	if len(f.seeds) < cap {
+		cap = len(f.seeds)
+	}
+	out := make([]string, 0, cap)
+	seen := make(map[string]struct{}, cap)
+	for _, s := range f.seeds {
+		if _, dup := seen[s]; dup {
+			continue
+		}
+		if len(out) >= f.maxNodes && f.maxNodes > 0 {
+			break
+		}
+		seen[s] = struct{}{}
+		out = append(out, s)
+	}
+	return out
+}
+
 // refreshMembership performs the actual discovery RPC. It honours the caller's
 // context for overall cancellation but derives a short per-seed timeout from
 // discoveryRPCTimeout so a slow first seed does not stall the whole request.
@@ -713,7 +743,7 @@ func (f *fanout) refreshMembership(ctx context.Context) []string {
 	}
 
 	log.Printf("elastickv-admin: all seeds unreachable for membership refresh; falling back to static seed list")
-	return append([]string(nil), f.seeds...)
+	return f.seedTargets()
 }
 
 // membersFrom extracts a deduplicated address list from a cluster overview

cmd/elastickv-admin/main_test.go

@@ -276,6 +276,33 @@ func TestMembersFromCapsAtMaxDiscoveredNodes(t *testing.T) {
 	}
 }
 
+// TestFanoutSeedTargetsClampsToMaxNodes asserts that the seed-fallback path
+// clamps to f.maxNodes and deduplicates so an oversized --nodes list cannot
+// bypass the per-overview fan-out bound enforced in membersFrom. Codex P2 on
+// 501b0173: previously these paths returned the raw seeds list, letting an
+// outage spawn more concurrent RPCs than configured.
+func TestFanoutSeedTargetsClampsToMaxNodes(t *testing.T) {
+	t.Parallel()
+	const cap_ = 5
+	seeds := []string{
+		"a:1", "b:1", "c:1", "d:1", "e:1", "f:1", "g:1", "h:1",
+		"a:1", // duplicate — must be deduplicated, not counted twice
+	}
+	f := newFanout(seeds, "", time.Second, insecure.NewCredentials(), cap_)
+	defer f.Close()
+
+	got := f.seedTargets()
+	if len(got) != cap_ {
+		t.Fatalf("len = %d, want %d (clamped to maxNodes)", len(got), cap_)
+	}
+	seen := map[string]struct{}{}
+	for _, s := range got {
+		if _, dup := seen[s]; dup {
+			t.Fatalf("seedTargets returned duplicates: %v", got)
+		}
+		seen[s] = struct{}{}
+	}
+}
 
 // TestFanoutClientForDeduplicatesConcurrentDials asserts that N goroutines
 // asking for the same fresh address run only one grpc.NewClient call between