get-kube-binaries: use GCE token to fetch artifacts from GCS

Change-Id: Ibbb61470d6a6bcd70b33cc326d425e3c382317cf
Javier Pérez Hernández 2019-02-20 15:44:48 -08:00
parent 4f29960cb2
commit da05effe4b


@ -143,13 +143,35 @@ function sha1sum_file() {
fi
}
# Get default service account credentials of the VM.
GCE_METADATA_INTERNAL="http://metadata.google.internal/computeMetadata/v1/instance"
function get-credentials {
curl "${GCE_METADATA_INTERNAL}/service-accounts/default/token" -H "Metadata-Flavor: Google" -s | python -c \
'import sys; import json; print(json.loads(sys.stdin.read())["access_token"])'
}
function valid-storage-scope {
curl "${GCE_METADATA_INTERNAL}/service-accounts/default/scopes" -H "Metadata-Flavor: Google" -s | grep -q "auth/devstorage"
}
function download_tarball() {
local -r download_path="$1"
local -r file="$2"
local trace_on="off"
if [[ -o xtrace ]]; then
trace_on="on"
set +x
fi
url="${DOWNLOAD_URL_PREFIX}/${file}"
mkdir -p "${download_path}"
if [[ $(which curl) ]]; then
curl -fL --retry 3 --keepalive-time 2 "${url}" -o "${download_path}/${file}"
# if the url belongs to GCS API we should use oauth2_token in the headers
local curl_headers=""
if { [[ "${KUBERNETES_PROVIDER:-gce}" == "gce" ]] || [[ "${KUBERNETES_PROVIDER}" == "gke" ]] ; } &&
[[ "$url" =~ ^https://storage.googleapis.com.* ]] && valid-storage-scope ; then
curl_headers="Authorization: Bearer $(get-credentials)"
fi
curl ${curl_headers:+-H "${curl_headers}"} -fL --retry 3 --keepalive-time 2 "${url}" -o "${download_path}/${file}"
elif [[ $(which wget) ]]; then
wget "${url}" -O "${download_path}/${file}"
else
@ -164,6 +186,9 @@ function download_tarball() {
echo "sha1sum(${file})=${sha1sum}"
echo
# TODO: add actual verification
if [[ "${trace_on}" == "on" ]]; then
set -x
fi
}
function extract_arch_tarball() {
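Review bot: The host test `[[ "$url" =~ ^https://storage.googleapis.com.* ]]` in download_tarball leaves the dots unescaped and does not anchor the end of the hostname, so the `Authorization: Bearer` header carrying the VM's default service-account token is also attached when DOWNLOAD_URL_PREFIX resolves to any host whose name merely begins with that string. Ending the pattern at the path separator closes that gap: `[[ "${url}" =~ ^https://storage\.googleapis\.com/ ]]`. Separately, the `set +x` guard keeps the token out of the xtrace output, but the token is still passed on curl's argument list and is therefore readable from the process table while the download runs; where the installed curl supports it, reading the header from a file or stdin (`-H @file`) avoids that. The body of download_tarball continues between the two hunks and is not fully visible here.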