Inject service-account.json into test container

hack/jenkins/dockerized-e2e-runner.sh

@@ -29,14 +29,13 @@ mkdir -p "${HOST_ARTIFACTS_DIR}"
 : ${JENKINS_GCE_SSH_PRIVATE_KEY_FILE:='/var/lib/jenkins/gce_keys/google_compute_engine'}
 : ${JENKINS_GCE_SSH_PUBLIC_KEY_FILE:='/var/lib/jenkins/gce_keys/google_compute_engine.pub'}
 
-env -u HOME -u PATH -u PWD -u WORKSPACE >${WORKSPACE}/env.list
-
-# Add all uncommented lines for metadata.google.internal in /etc/hosts to the
-# test container.
-readonly METADATA_SERVER_ADD_HOST_ARGS=($(
-  grep '^[0-9a-fA-F\.:]\+ \+metadata\.google\.internal' /etc/hosts |\
-  cut -f1 -d' ' |\
-  xargs -r printf -- '--add-host="metadata.google.internal:%s"\n'))
+env \
+  -u HOME \
+  -u KUBEKINS_SERVICE_ACCOUNT_FILE \
+  -u PATH \
+  -u PWD \
+  -u WORKSPACE \
+  >${WORKSPACE}/env.list
 
 docker_extra_args=()
 if [[ "${JENKINS_ENABLE_DOCKER_IN_DOCKER:-}" =~ ^[yY]$ ]]; then
@@ -56,10 +55,11 @@ docker run --rm=true -i \
   ${JENKINS_AWS_SSH_PRIVATE_KEY_FILE:+-v "${JENKINS_AWS_SSH_PRIVATE_KEY_FILE}:/workspace/.ssh/kube_aws_rsa:ro"} \
   ${JENKINS_AWS_SSH_PUBLIC_KEY_FILE:+-v "${JENKINS_AWS_SSH_PUBLIC_KEY_FILE}:/workspace/.ssh/kube_aws_rsa.pub:ro"} \
   ${JENKINS_AWS_CREDENTIALS_FILE:+-v "${JENKINS_AWS_CREDENTIALS_FILE}:/workspace/.aws/credentials:ro"} \
+  ${KUBEKINS_SERVICE_ACCOUNT_FILE:+-v "${KUBEKINS_SERVICE_ACCOUNT_FILE}:/service-account.json:ro"} \
   --env-file "${WORKSPACE}/env.list" \
   -e "HOME=/workspace" \
   -e "WORKSPACE=/workspace" \
+  ${KUBEKINS_SERVICE_ACCOUNT_FILE:+-e "KUBEKINS_SERVICE_ACCOUNT_FILE=/service-account.json"} \
   "${docker_extra_args[@]:+${docker_extra_args[@]}}" \
-  "${METADATA_SERVER_ADD_HOST_ARGS[@]:+${METADATA_SERVER_ADD_HOST_ARGS[@]}}" \
   gcr.io/google_containers/kubekins-test:go1.6.2-docker1.9.1-rev3 \
   bash -c "bash <(curl -fsS --retry 3 --keepalive-time 2 'https://raw.githubusercontent.com/kubernetes/kubernetes/master/hack/jenkins/e2e-runner.sh')"

hack/jenkins/e2e-runner.sh

@@ -190,13 +190,6 @@ if running_in_docker; then
     fi
 fi
 
-if [[ -f "${KUBEKINS_SERVICE_ACCOUNT_FILE:-}" ]]; then
-  echo 'Activating service account...'  # No harm in doing this multiple times.
-  gcloud auth activate-service-account --key-file="${KUBEKINS_SERVICE_ACCOUNT_FILE}"
-elif [[ -n "${KUBEKINS_SERVICE_ACCOUNT_FILE:-}" ]]; then
-  echo "ERROR: cannot access service account file at: ${KUBEKINS_SERVICE_ACCOUNT_FILE}"
-fi
-
 # Install gcloud from a custom path if provided. Used to test GKE with gcloud
 # at HEAD, release candidate.
 # TODO: figure out how to avoid installing the cloud sdk twice if run inside Docker.
@@ -230,6 +223,16 @@ if [[ -n "${JENKINS_GCI_IMAGE_FAMILY:-}" ]]; then
   fi
 fi
 
+if [[ -f "${KUBEKINS_SERVICE_ACCOUNT_FILE:-}" ]]; then
+  echo 'Activating service account...'  # No harm in doing this multiple times.
+  gcloud auth activate-service-account --key-file="${KUBEKINS_SERVICE_ACCOUNT_FILE}"
+  export GCE_SERVICE_ACCOUNT=$(gcloud auth list 2> /dev/null | grep active | cut -f3 -d' ')
+  unset KUBEKINS_SERVICE_ACCOUNT_FILE
+elif [[ -n "${KUBEKINS_SERVICE_ACCOUNT_FILE:-}" ]]; then
+  echo "ERROR: cannot access service account file at: ${KUBEKINS_SERVICE_ACCOUNT_FILE}"
+fi
+
+
 function e2e_test() {
     local -r ginkgo_test_args="${1}"
     # Check to make sure the cluster is up before running tests, and fail if it's not.