diff --git a/cluster/gce/configure-vm.sh b/cluster/gce/configure-vm.sh
index 6e41453649f..c199a6643c5 100644
--- a/cluster/gce/configure-vm.sh
+++ b/cluster/gce/configure-vm.sh
@@ -540,10 +540,11 @@ grains:
 - kubernetes-master
 cloud: gce
 EOF
- if ! [[ -z "${PROJECT_ID:-}" ]] && ! [[ -z "${TOKEN_URL:-}" ]] && ! [[ -z "${NODE_NETWORK:-}" ]] ; then
+ if ! [[ -z "${PROJECT_ID:-}" ]] && ! [[ -z "${TOKEN_URL:-}" ]] && ! [[ -z "${TOKEN_BODY:-}" ]] && ! [[ -z "${NODE_NETWORK:-}" ]] ; then
 cat </etc/gce.conf
 [global]
 token-url = ${TOKEN_URL}
+token-body = ${TOKEN_BODY}
 project-id = ${PROJECT_ID}
 network-name = ${NODE_NETWORK}
 EOF
diff --git a/pkg/cloudprovider/providers/gce/gce.go b/pkg/cloudprovider/providers/gce/gce.go
index fbe172ab23f..3829956b98e 100644
--- a/pkg/cloudprovider/providers/gce/gce.go
+++ b/pkg/cloudprovider/providers/gce/gce.go
@@ -61,6 +61,7 @@ type GCECloud struct {
 type Config struct {
 Global struct {
 TokenURL string `gcfg:"token-url"`
+ TokenBody string `gcfg:"token-body"`
 ProjectID string `gcfg:"project-id"`
 NetworkName string `gcfg:"network-name"`
 }
@@ -159,7 +160,7 @@ func newGCECloud(config io.Reader) (*GCECloud, error) {
 }
 }
 if cfg.Global.TokenURL != "" {
- tokenSource = newAltTokenSource(cfg.Global.TokenURL)
+ tokenSource = newAltTokenSource(cfg.Global.TokenURL, cfg.Global.TokenBody)
 }
 }
 client := oauth2.NewClient(oauth2.NoContext, tokenSource)
diff --git a/pkg/cloudprovider/providers/gce/token_source.go b/pkg/cloudprovider/providers/gce/token_source.go
index 4bf33246ca0..e5e327d03c8 100644
--- a/pkg/cloudprovider/providers/gce/token_source.go
+++ b/pkg/cloudprovider/providers/gce/token_source.go
@@ -19,6 +19,7 @@ package gce_cloud
 import (
 "encoding/json"
 "net/http"
+ "strings"
 "time"
 
 "k8s.io/kubernetes/pkg/util"
@@ -59,6 +60,7 @@ func init() {
 type altTokenSource struct {
 oauthClient *http.Client
 tokenURL string
+ tokenBody string
 throttle util.RateLimiter
 }
 
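Review bot: `token-body = ${TOKEN_BODY}` writes the raw value into /etc/gce.conf unquoted, and the new guard only checks that TOKEN_BODY is non-empty. gcfg uses git-config style syntax, where `#` and `;` start a comment and a value cannot span lines, so a TOKEN_BODY containing those characters or a newline would be silently truncated or make newGCECloud fail to parse the file. Consider rejecting multi-line values in the guard, e.g. adding `&& [[ "${TOKEN_BODY}" != *$'\n'* ]]`, or emitting the value double-quoted with gcfg escaping applied. The heredoc that produces the file starts inside the hunk but the enclosing if block continues past it.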
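Review bot: `newAltTokenSource(cfg.Global.TokenURL, cfg.Global.TokenBody)` in newGCECloud passes TokenBody through unchecked, so a gce.conf that sets token-url but omits token-body now sends a POST with an empty body to the token endpoint instead of failing at startup; the shell guard in configure-vm.sh requires both, but a hand-written config would not be caught. A check before the call, such as `if cfg.Global.TokenBody == "" { return nil, fmt.Errorf("token-body is required when token-url is set") }` (assuming fmt is already imported in gce.go), surfaces the misconfiguration early and with a clear message. newGCECloud starts outside the hunk, so any existing validation of TokenURL is not visible here.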
@@ -73,7 +75,7 @@ func (a *altTokenSource) Token() (*oauth2.Token, error) {
 }
 
 func (a *altTokenSource) token() (*oauth2.Token, error) {
- req, err := http.NewRequest("GET", a.tokenURL, nil)
+ req, err := http.NewRequest("POST", a.tokenURL, strings.NewReader(a.tokenBody))
 if err != nil {
 return nil, err
 }
@@ -86,23 +88,24 @@ func (a *altTokenSource) token() (*oauth2.Token, error) {
 return nil, err
 }
 var tok struct {
- AccessToken string `json:"accessToken"`
- ExpiryTimeSeconds int64 `json:"expiryTimeSeconds,string"`
+ AccessToken string `json:"accessToken"`
+ ExpireTime time.Time `json:"expireTime"`
 }
 if err := json.NewDecoder(res.Body).Decode(&tok); err != nil {
 return nil, err
 }
 return &oauth2.Token{
 AccessToken: tok.AccessToken,
- Expiry: time.Unix(tok.ExpiryTimeSeconds, 0),
+ Expiry: tok.ExpireTime,
 }, nil
 }
 
-func newAltTokenSource(tokenURL string) oauth2.TokenSource {
+func newAltTokenSource(tokenURL, tokenBody string) oauth2.TokenSource {
 client := oauth2.NewClient(oauth2.NoContext, google.ComputeTokenSource(""))
 a := &altTokenSource{
 oauthClient: client,
 tokenURL: tokenURL,
+ tokenBody: tokenBody,
 throttle: util.NewTokenBucketRateLimiter(tokenURLQPS, tokenURLBurst),
 }
 return oauth2.ReuseTokenSource(nil, a)
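Review bot: The POST built with `http.NewRequest("POST", a.tokenURL, strings.NewReader(a.tokenBody))` sets no Content-Type header, so the token endpoint receives the body with no declared media type. The body's format is not visible here because it comes straight from configuration; if the endpoint expects JSON, add `req.Header.Set("Content-Type", "application/json")` after the error check so the request is unambiguous and does not depend on server-side sniffing. The body of token() continues past the hunk, so headers may already be set further down.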
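Review bot: `Expiry: tok.ExpireTime` means a response that omits or nulls `expireTime` produces a zero Expiry, which oauth2.Token treats as never expiring, so the `oauth2.ReuseTokenSource(nil, a)` wrapper in newAltTokenSource would then serve that access token for the lifetime of the process; the replaced `time.Unix(tok.ExpiryTimeSeconds, 0)` at least yielded an already-expired 1970 timestamp that forced a refetch. Guard after the decode with `if tok.AccessToken == "" || tok.ExpireTime.IsZero() { return nil, errors.New("token endpoint returned an incomplete response") }`, which needs "errors" added to the import block. Note that decoding into time.Time requires the endpoint to return expireTime in RFC 3339 form; anything else already fails at Decode, which is the desired behaviour. token() starts outside this hunk.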