get-kube-binaries: use GCE token to fetch artifacts from GCS

Change-Id: Ibbb61470d6a6bcd70b33cc326d425e3c382317cf

cluster/get-kube-binaries.sh

@@ -143,13 +143,35 @@ function sha1sum_file() {
   fi
 }
 
+# Get default service account credentials of the VM.
+GCE_METADATA_INTERNAL="http://metadata.google.internal/computeMetadata/v1/instance"
+function get-credentials {
+  curl "${GCE_METADATA_INTERNAL}/service-accounts/default/token" -H "Metadata-Flavor: Google" -s | python -c \
+    'import sys; import json; print(json.loads(sys.stdin.read())["access_token"])'
+}
+
+function valid-storage-scope {
+  curl "${GCE_METADATA_INTERNAL}/service-accounts/default/scopes" -H "Metadata-Flavor: Google" -s | grep -q "auth/devstorage"
+}
+
 function download_tarball() {
   local -r download_path="$1"
   local -r file="$2"
+  local trace_on="off"
+  if [[ -o xtrace ]]; then 
+    trace_on="on"
+    set +x
+  fi
   url="${DOWNLOAD_URL_PREFIX}/${file}"
   mkdir -p "${download_path}"
   if [[ $(which curl) ]]; then
-    curl -fL --retry 3 --keepalive-time 2 "${url}" -o "${download_path}/${file}"
+    # if the url belongs to GCS API we should use oauth2_token in the headers
+    local curl_headers=""
+    if { [[ "${KUBERNETES_PROVIDER:-gce}" == "gce" ]] || [[ "${KUBERNETES_PROVIDER}" == "gke" ]] ; } &&
+       [[ "$url" =~ ^https://storage.googleapis.com.* ]] && valid-storage-scope ; then
+      curl_headers="Authorization: Bearer $(get-credentials)"
+    fi
+    curl ${curl_headers:+-H "${curl_headers}"} -fL --retry 3 --keepalive-time 2 "${url}" -o "${download_path}/${file}"
   elif [[ $(which wget) ]]; then
     wget "${url}" -O "${download_path}/${file}"
   else
@@ -164,6 +186,9 @@ function download_tarball() {
   echo "sha1sum(${file})=${sha1sum}"
   echo
   # TODO: add actual verification
+  if [[ "${trace_on}" == "on" ]]; then
+    set -x
+  fi
 }
 
 function extract_arch_tarball() {