Merge pull request #78552 from mtaufen/use-auth-header
Windows startup scripts should use Authorization header for GCS requests
commit
b82d7cabf4
@ -131,16 +131,23 @@ function MustDownload-File {
|
|||||||
param (
|
param (
|
||||||
[parameter(Mandatory=$false)] [string]$Hash,
|
[parameter(Mandatory=$false)] [string]$Hash,
|
||||||
[parameter(Mandatory=$true)] [string]$OutFile,
|
[parameter(Mandatory=$true)] [string]$OutFile,
|
||||||
[parameter(Mandatory=$true)] [System.Collections.Generic.List[String]]$URLs
|
[parameter(Mandatory=$true)] [System.Collections.Generic.List[String]]$URLs,
|
||||||
|
[parameter(Mandatory=$false)] [System.Collections.IDictionary]$Headers = @{}
|
||||||
)
|
)
|
||||||
|
|
||||||
While($true) {
|
While($true) {
|
||||||
ForEach($url in $URLs) {
|
ForEach($url in $URLs) {
|
||||||
|
# If the URL is for GCS and the node has dev storage scope, add the
|
||||||
|
# service account token to the request headers.
|
||||||
|
if (($url -match "^https://storage`.googleapis`.com.*") -and $(Check-StorageScope)) {
|
||||||
|
$Headers["Authorization"] = "Bearer $(Get-Credentials)"
|
||||||
|
}
|
||||||
|
|
||||||
# Attempt to download the file
|
# Attempt to download the file
|
||||||
Try {
|
Try {
|
||||||
# TODO(mtaufen): When we finally get a Windows version that has Powershell 6
|
# TODO(mtaufen): When we finally get a Windows version that has Powershell 6
|
||||||
# installed we can set `-MaximumRetryCount 6 -RetryIntervalSec 10` to make this even more robust.
|
# installed we can set `-MaximumRetryCount 6 -RetryIntervalSec 10` to make this even more robust.
|
||||||
Invoke-WebRequest $url -OutFile $OutFile -TimeoutSec 300
|
$result = Invoke-WebRequest $url -Headers $Headers -OutFile $OutFile -TimeoutSec 300
|
||||||
} Catch {
|
} Catch {
|
||||||
$message = $_.Exception.ToString()
|
$message = $_.Exception.ToString()
|
||||||
Log-Output "Failed to download file from $url. Will retry. Error: $message"
|
Log-Output "Failed to download file from $url. Will retry. Error: $message"
|
||||||
@ -164,6 +171,29 @@ function MustDownload-File {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Returns the default service account token for the VM, retrieved from
|
||||||
|
# the instance metadata.
|
||||||
|
function Get-Credentials {
|
||||||
|
While($true) {
|
||||||
|
$data = Get-InstanceMetadata -Key "service-accounts/default/token"
|
||||||
|
if ($data) {
|
||||||
|
return ($data | ConvertFrom-Json).access_token
|
||||||
|
}
|
||||||
|
Start-Sleep -Seconds 1
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# Returns True if the VM has the dev storage scope, False otherwise.
|
||||||
|
function Check-StorageScope {
|
||||||
|
While($true) {
|
||||||
|
$data = Get-InstanceMetadata -Key "service-accounts/default/scopes"
|
||||||
|
if ($data) {
|
||||||
|
return ($data -match "auth/devstorage")
|
||||||
|
}
|
||||||
|
Start-Sleep -Seconds 1
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
# This compiles some C# code that can make syscalls, and pulls the
|
# This compiles some C# code that can make syscalls, and pulls the
|
||||||
# result into our powershell environment so we can make syscalls from this script.
|
# result into our powershell environment so we can make syscalls from this script.
|
||||||
# We make syscalls directly, because whatever the powershell cmdlets do under the hood,
|
# We make syscalls directly, because whatever the powershell cmdlets do under the hood,
|
||||||
|
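Review bot: The Authorization header is written into the shared `$Headers` dictionary inside the `ForEach($url in $URLs)` loop and never cleared, so once a GCS URL has been tried the service account token is also sent with every later non-GCS URL in the list and on each retry pass. Build a per-request copy of the headers and add the token only to that copy; this also avoids mutating a dictionary the caller passed in. The host test is looser than it reads: inside a double-quoted PowerShell string the backtick is consumed by the string parser, so the regex receives unescaped dots, and with no `/` after `com` it matches any URL whose host only begins with that name; a single-quoted pattern such as `'^https://storage\.googleapis\.com/'` pins the host. The body of MustDownload-File continues outside the hunk, so the placement below is relative to the visible lines.

```powershell
ForEach($url in $URLs) {
  # Per-request copy so a token added for one URL is never reused for the next.
  $requestHeaders = @{}
  ForEach($key in $Headers.Keys) { $requestHeaders[$key] = $Headers[$key] }
  if (($url -match '^https://storage\.googleapis\.com/') -and $(Check-StorageScope)) {
    $requestHeaders["Authorization"] = "Bearer $(Get-Credentials)"
  }
  # … unchanged: Try { and the TODO(mtaufen) comment …
    $result = Invoke-WebRequest $url -Headers $requestHeaders -OutFile $OutFile -TimeoutSec 300
  # … unchanged: Catch block and retry handling …
```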