k8s: gci: configure: add token to curl calls
Modify script to use curl to get metadata and Service Account token. When the SA doesn't have 'Storage Read' scope, it can only read public files.
parent
07da603b59
commit
708d7df561
@ -123,6 +123,12 @@ function validate-hash {
|
||||
fi
|
||||
}
|
||||
|
||||
# Get default service account credentials of the VM.
|
||||
function get-credentials {
|
||||
curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" -H "Metadata-Flavor: Google" -s | python -c \
|
||||
'import sys; import json; print(json.loads(sys.stdin.read())["access_token"])'
|
||||
}
|
||||
|
||||
# Retry a download until we get it. Takes a hash and a set of URLs.
|
||||
#
|
||||
# $1 is the sha1 of the URL. Can be "" if the sha1 is unknown.
|
||||
@ -136,7 +142,12 @@ function download-or-bust {
|
||||
for url in "${urls[@]}"; do
|
||||
local file="${url##*/}"
|
||||
rm -f "${file}"
|
||||
if ! curl -f --ipv4 -Lo "${file}" --connect-timeout 20 --max-time 300 --retry 6 --retry-delay 10 ${CURL_RETRY_CONNREFUSED} "${url}"; then
|
||||
# if the url belongs to GCS API we should use oauth2_token in the headers
|
||||
local curl_headers=""
|
||||
if [[ "$url" =~ ^https://storage.googleapis.com.* ]]; then
|
||||
curl_headers="Authorization: Bearer $(get-credentials)"
|
||||
fi
|
||||
if ! curl ${curl_headers:+-H "${curl_headers}"} -f --ipv4 -Lo "${file}" --connect-timeout 20 --max-time 300 --retry 6 --retry-delay 10 ${CURL_RETRY_CONNREFUSED} "${url}"; then
|
||||
echo "== Failed to download ${url}. Retrying. =="
|
||||
elif [[ -n "${hash}" ]] && ! validate-hash "${file}" "${hash}"; then
|
||||
echo "== Hash validation of ${url} failed. Retrying. =="
|
||||
|
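Review bot: The host check `[[ "$url" =~ ^https://storage.googleapis.com.* ]]` in download-or-bust is too loose to gate attaching the VM's service-account token: the unescaped dots match any character and nothing anchors the end of the host name, so a URL such as `https://storage.googleapis.com.example.invalid/x` (constructed example) also matches and would receive the `Authorization: Bearer` header. Escape the dots and require the path separator, e.g. `if [[ "${url}" =~ ^https://storage\.googleapis\.com/ ]]; then`. The authenticated call keeps `-L`, and older curl releases forward a custom `-H` Authorization header to a redirect target on another host, so it is worth confirming the behaviour of the curl shipped in the image. Separately, get-credentials runs `curl -s` without `-f` and its result is not checked, so a metadata-server error or a JSON parse failure appears to yield an empty token that is still sent as `Bearer `; returning non-zero and skipping the header in that case would keep public downloads working. The body of download-or-bust starts and ends outside the visible hunk.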