Merge pull request #13594 from ihmccreery/tokens

Second attempt at GCE tokens behavior to new format

cluster/gce/configure-vm.sh

@@ -540,10 +540,11 @@ grains:
     - kubernetes-master
   cloud: gce
 EOF
-  if ! [[ -z "${PROJECT_ID:-}" ]] && ! [[ -z "${TOKEN_URL:-}" ]] && ! [[ -z "${NODE_NETWORK:-}" ]] ; then
+  if ! [[ -z "${PROJECT_ID:-}" ]] && ! [[ -z "${TOKEN_URL:-}" ]] && ! [[ -z "${TOKEN_BODY:-}" ]] && ! [[ -z "${NODE_NETWORK:-}" ]] ; then
     cat <<EOF >/etc/gce.conf
 [global]
 token-url = ${TOKEN_URL}
+token-body = ${TOKEN_BODY}
 project-id = ${PROJECT_ID}
 network-name = ${NODE_NETWORK}
 EOF

pkg/cloudprovider/providers/gce/gce.go

@@ -61,6 +61,7 @@ type GCECloud struct {
 type Config struct {
 	Global struct {
 		TokenURL    string `gcfg:"token-url"`
+		TokenBody   string `gcfg:"token-body"`
 		ProjectID   string `gcfg:"project-id"`
 		NetworkName string `gcfg:"network-name"`
 	}
@@ -159,7 +160,7 @@ func newGCECloud(config io.Reader) (*GCECloud, error) {
 			}
 		}
 		if cfg.Global.TokenURL != "" {
-			tokenSource = newAltTokenSource(cfg.Global.TokenURL)
+			tokenSource = newAltTokenSource(cfg.Global.TokenURL, cfg.Global.TokenBody)
 		}
 	}
 	client := oauth2.NewClient(oauth2.NoContext, tokenSource)

pkg/cloudprovider/providers/gce/token_source.go

@@ -19,6 +19,7 @@ package gce_cloud
 import (
 	"encoding/json"
 	"net/http"
+	"strings"
 	"time"
 
 	"k8s.io/kubernetes/pkg/util"
@@ -59,6 +60,7 @@ func init() {
 type altTokenSource struct {
 	oauthClient *http.Client
 	tokenURL    string
+	tokenBody   string
 	throttle    util.RateLimiter
 }
 
@@ -73,7 +75,7 @@ func (a *altTokenSource) Token() (*oauth2.Token, error) {
 }
 
 func (a *altTokenSource) token() (*oauth2.Token, error) {
-	req, err := http.NewRequest("GET", a.tokenURL, nil)
+	req, err := http.NewRequest("POST", a.tokenURL, strings.NewReader(a.tokenBody))
 	if err != nil {
 		return nil, err
 	}
@@ -86,23 +88,24 @@ func (a *altTokenSource) token() (*oauth2.Token, error) {
 		return nil, err
 	}
 	var tok struct {
-		AccessToken       string `json:"accessToken"`
+		AccessToken string    `json:"accessToken"`
-		ExpiryTimeSeconds int64  `json:"expiryTimeSeconds,string"`
+		ExpireTime  time.Time `json:"expireTime"`
 	}
 	if err := json.NewDecoder(res.Body).Decode(&tok); err != nil {
 		return nil, err
 	}
 	return &oauth2.Token{
 		AccessToken: tok.AccessToken,
-		Expiry:      time.Unix(tok.ExpiryTimeSeconds, 0),
+		Expiry:      tok.ExpireTime,
 	}, nil
 }
 
-func newAltTokenSource(tokenURL string) oauth2.TokenSource {
+func newAltTokenSource(tokenURL, tokenBody string) oauth2.TokenSource {
 	client := oauth2.NewClient(oauth2.NoContext, google.ComputeTokenSource(""))
 	a := &altTokenSource{
 		oauthClient: client,
 		tokenURL:    tokenURL,
+		tokenBody:   tokenBody,
 		throttle:    util.NewTokenBucketRateLimiter(tokenURLQPS, tokenURLBurst),
 	}
 	return oauth2.ReuseTokenSource(nil, a)