From 1c62d285a11c33196bcd4ff8741143955023aea4 Mon Sep 17 00:00:00 2001 From: Sen Lu Date: Tue, 17 Sep 2019 11:07:37 -0700 Subject: [PATCH] auth/cloud-platform is a superset of devstorage. Also fix the curl in get-kube.sh --- cluster/gce/gci/configure.sh | 2 +- cluster/get-kube-binaries.sh | 19 ++++++++++++++++++- cluster/get-kube.sh | 19 ++++++++++++++++++- 3 files changed, 37 insertions(+), 3 deletions(-) diff --git a/cluster/gce/gci/configure.sh b/cluster/gce/gci/configure.sh index 5c3002e480bf..d7bae9dfb959 100644 --- a/cluster/gce/gci/configure.sh +++ b/cluster/gce/gci/configure.sh @@ -131,7 +131,7 @@ function get-credentials { } function valid-storage-scope { - curl "${GCE_METADATA_INTERNAL}/service-accounts/default/scopes" -H "Metadata-Flavor: Google" -s | grep -q "auth/devstorage" + curl --fail --retry 5 --retry-delay 3 ${CURL_RETRY_CONNREFUSED} --silent --show-error "${GCE_METADATA_INTERNAL}/service-accounts/default/scopes" -H "Metadata-Flavor: Google" -s | grep -E "auth/devstorage|auth/cloud-platform" } # Retry a download until we get it. Takes a hash and a set of URLs. diff --git a/cluster/get-kube-binaries.sh b/cluster/get-kube-binaries.sh index 4d2e769946b3..1e3e1f6619cf 100755 --- a/cluster/get-kube-binaries.sh +++ b/cluster/get-kube-binaries.sh @@ -143,13 +143,30 @@ function sha1sum_file() { fi } +# Get default service account credentials of the VM. +GCE_METADATA_INTERNAL="http://metadata.google.internal/computeMetadata/v1/instance" +function get-credentials { + curl "${GCE_METADATA_INTERNAL}/service-accounts/default/token" -H "Metadata-Flavor: Google" -s | python -c \ + 'import sys; import json; print(json.loads(sys.stdin.read())["access_token"])' +} + +function valid-storage-scope { + curl "${GCE_METADATA_INTERNAL}/service-accounts/default/scopes" -H "Metadata-Flavor: Google" -s | grep -E "auth/devstorage|auth/cloud-platform" +} + function download_tarball() { local -r download_path="$1" local -r file="$2" url="${DOWNLOAD_URL_PREFIX}/${file}" mkdir -p "${download_path}" if [[ $(which curl) ]]; then - curl -fL --retry 3 --keepalive-time 2 "${url}" -o "${download_path}/${file}" + # if the url belongs to GCS API we should use oauth2_token in the headers + curl_headers="" + if { [[ "${KUBERNETES_PROVIDER:-gce}" == "gce" ]] || [[ "${KUBERNETES_PROVIDER}" == "gke" ]] ; } && + [[ "$url" =~ ^https://storage.googleapis.com.* ]] && valid-storage-scope ; then + curl_headers="Authorization: Bearer $(get-credentials)" + fi + curl ${curl_headers:+-H "${curl_headers}"} -fL --retry 3 --keepalive-time 2 "${url}" -o "${download_path}/${file}" elif [[ $(which wget) ]]; then wget "${url}" -O "${download_path}/${file}" else diff --git a/cluster/get-kube.sh b/cluster/get-kube.sh index ac1fd9765812..510ef378c12a 100755 --- a/cluster/get-kube.sh +++ b/cluster/get-kube.sh @@ -122,6 +122,17 @@ function create_cluster { ) } +# Get default service account credentials of the VM. +GCE_METADATA_INTERNAL="http://metadata.google.internal/computeMetadata/v1/instance" +function get-credentials { + curl "${GCE_METADATA_INTERNAL}/service-accounts/default/token" -H "Metadata-Flavor: Google" -s | python -c \ + 'import sys; import json; print(json.loads(sys.stdin.read())["access_token"])' +} + +function valid-storage-scope { + curl "${GCE_METADATA_INTERNAL}/service-accounts/default/scopes" -H "Metadata-Flavor: Google" -s | grep -E "auth/devstorage|auth/cloud-platform" +} + if [[ -n "${KUBERNETES_SKIP_DOWNLOAD-}" ]]; then create_cluster exit 0 @@ -228,7 +239,13 @@ fi if "${need_download}"; then if [[ $(which curl) ]]; then - curl -fL --retry 5 --keepalive-time 2 "${kubernetes_tar_url}" -o "${file}" + # if the url belongs to GCS API we should use oauth2_token in the headers + curl_headers="" + if { [[ "${KUBERNETES_PROVIDER:-gce}" == "gce" ]] || [[ "${KUBERNETES_PROVIDER}" == "gke" ]] ; } && + [[ "$kubernetes_tar_url" =~ ^https://storage.googleapis.com.* ]] && valid-storage-scope ; then + curl_headers="Authorization: Bearer $(get-credentials)" + fi + curl ${curl_headers:+-H "${curl_headers}"} -fL --retry 3 --keepalive-time 2 "${kubernetes_tar_url}" -o "${file}" elif [[ $(which wget) ]]; then wget "${kubernetes_tar_url}" else