github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-24 20:24:09 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #78552 from mtaufen/use-auth-header

Browse Source 
Windows startup scripts should use Authorization header for GCS requests
This commit is contained in:
Kubernetes Prow Robot 2019-06-01 12:12:41 -07:00 committed by GitHub
commit b82d7cabf4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 32 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
cluster/gce/windows/common.psm1
View File

@ -131,16 +131,23 @@ function MustDownload-File {
param ( param (
[parameter(Mandatory=$false)] [string]$Hash, [parameter(Mandatory=$false)] [string]$Hash,
[parameter(Mandatory=$true)] [string]$OutFile, [parameter(Mandatory=$true)] [string]$OutFile,
[parameter(Mandatory=$true)] [System.Collections.Generic.List[String]]$URLs [parameter(Mandatory=$true)] [System.Collections.Generic.List[String]]$URLs,
[parameter(Mandatory=$false)] [System.Collections.IDictionary]$Headers = @{}
) )
While($true) { While($true) {
ForEach($url in $URLs) { ForEach($url in $URLs) {
# If the URL is for GCS and the node has dev storage scope, add the
# service account token to the request headers.
if (($url -match "^https://storage`.googleapis`.com.*") -and $(Check-StorageScope)) {
$Headers["Authorization"] = "Bearer $(Get-Credentials)"
}
# Attempt to download the file # Attempt to download the file
Try { Try {
# TODO(mtaufen): When we finally get a Windows version that has Powershell 6 # TODO(mtaufen): When we finally get a Windows version that has Powershell 6
# installed we can set `-MaximumRetryCount 6 -RetryIntervalSec 10` to make this even more robust. # installed we can set `-MaximumRetryCount 6 -RetryIntervalSec 10` to make this even more robust.
Invoke-WebRequest $url -OutFile $OutFile -TimeoutSec 300 $result = Invoke-WebRequest $url -Headers $Headers -OutFile $OutFile -TimeoutSec 300
} Catch { } Catch {
$message = $_.Exception.ToString() $message = $_.Exception.ToString()
Log-Output "Failed to download file from $url. Will retry. Error: $message" Log-Output "Failed to download file from $url. Will retry. Error: $message"
@ -164,6 +171,29 @@ function MustDownload-File {
} }
} }
# Returns the default service account token for the VM, retrieved from
# the instance metadata.
function Get-Credentials {
While($true) {
$data = Get-InstanceMetadata -Key "service-accounts/default/token"
if ($data) {
return ($data | ConvertFrom-Json).access_token
}
Start-Sleep -Seconds 1
}
}
# Returns True if the VM has the dev storage scope, False otherwise.
function Check-StorageScope {
While($true) {
$data = Get-InstanceMetadata -Key "service-accounts/default/scopes"
if ($data) {
return ($data -match "auth/devstorage")
}
Start-Sleep -Seconds 1
}
}
# This compiles some C# code that can make syscalls, and pulls the # This compiles some C# code that can make syscalls, and pulls the
# result into our powershell environment so we can make syscalls from this script. # result into our powershell environment so we can make syscalls from this script.
# We make syscalls directly, because whatever the powershell cmdlets do under the hood, # We make syscalls directly, because whatever the powershell cmdlets do under the hood,