Split the GCE cloud provider into more managable chunks

Each major interface is now in its own file. Any package private
functions that are only referenced by a particular module was also moved
to the corresponding file. All common helper functions were moved to
gce_util.go.

This change is a pure movement of code; no semantic changes were made.

pkg/cloudprovider/providers/gce/BUILD

@@ -13,6 +13,23 @@ go_library(
     srcs = [
         "doc.go",
         "gce.go",
+        "gce_backendservice.go",
+        "gce_cert.go",
+        "gce_clusters.go",
+        "gce_disks.go",
+        "gce_firewall.go",
+        "gce_forwardingrule.go",
+        "gce_healthchecks.go",
+        "gce_instancegroup.go",
+        "gce_instances.go",
+        "gce_loadbalancer.go",
+        "gce_op.go",
+        "gce_routes.go",
+        "gce_staticip.go",
+        "gce_targetproxy.go",
+        "gce_urlmap.go",
+        "gce_util.go",
+        "gce_zones.go",
         "token_source.go",
     ],
     tags = ["automanaged"],

pkg/cloudprovider/providers/gce/gce_backendservice.go

@@ -0,0 +1,74 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package gce
+
+import (
+	"net/http"
+
+	compute "google.golang.org/api/compute/v1"
+)
+
+// BackendService Management
+
+// GetBackendService retrieves a backend by name.
+func (gce *GCECloud) GetBackendService(name string) (*compute.BackendService, error) {
+	return gce.service.BackendServices.Get(gce.projectID, name).Do()
+}
+
+// UpdateBackendService applies the given BackendService as an update to an existing service.
+func (gce *GCECloud) UpdateBackendService(bg *compute.BackendService) error {
+	op, err := gce.service.BackendServices.Update(gce.projectID, bg.Name, bg).Do()
+	if err != nil {
+		return err
+	}
+	return gce.waitForGlobalOp(op)
+}
+
+// DeleteBackendService deletes the given BackendService by name.
+func (gce *GCECloud) DeleteBackendService(name string) error {
+	op, err := gce.service.BackendServices.Delete(gce.projectID, name).Do()
+	if err != nil {
+		if isHTTPErrorCode(err, http.StatusNotFound) {
+			return nil
+		}
+		return err
+	}
+	return gce.waitForGlobalOp(op)
+}
+
+// CreateBackendService creates the given BackendService.
+func (gce *GCECloud) CreateBackendService(bg *compute.BackendService) error {
+	op, err := gce.service.BackendServices.Insert(gce.projectID, bg).Do()
+	if err != nil {
+		return err
+	}
+	return gce.waitForGlobalOp(op)
+}
+
+// ListBackendServices lists all backend services in the project.
+func (gce *GCECloud) ListBackendServices() (*compute.BackendServiceList, error) {
+	// TODO: use PageToken to list all not just the first 500
+	return gce.service.BackendServices.List(gce.projectID).Do()
+}
+
+// GetHealth returns the health of the BackendService identified by the given
+// name, in the given instanceGroup. The instanceGroupLink is the fully
+// qualified self link of an instance group.
+func (gce *GCECloud) GetHealth(name string, instanceGroupLink string) (*compute.BackendServiceGroupHealth, error) {
+	groupRef := &compute.ResourceGroupReference{Group: instanceGroupLink}
+	return gce.service.BackendServices.GetHealth(gce.projectID, name, groupRef).Do()
+}

pkg/cloudprovider/providers/gce/gce_cert.go

@@ -0,0 +1,60 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package gce
+
+import (
+	"net/http"
+
+	compute "google.golang.org/api/compute/v1"
+)
+
+// SSL Certificate management
+
+// GetSslCertificate returns the SslCertificate by name.
+func (gce *GCECloud) GetSslCertificate(name string) (*compute.SslCertificate, error) {
+	return gce.service.SslCertificates.Get(gce.projectID, name).Do()
+}
+
+// CreateSslCertificate creates and returns a SslCertificate.
+func (gce *GCECloud) CreateSslCertificate(sslCerts *compute.SslCertificate) (*compute.SslCertificate, error) {
+	op, err := gce.service.SslCertificates.Insert(gce.projectID, sslCerts).Do()
+	if err != nil {
+		return nil, err
+	}
+	if err = gce.waitForGlobalOp(op); err != nil {
+		return nil, err
+	}
+	return gce.GetSslCertificate(sslCerts.Name)
+}
+
+// DeleteSslCertificate deletes the SslCertificate by name.
+func (gce *GCECloud) DeleteSslCertificate(name string) error {
+	op, err := gce.service.SslCertificates.Delete(gce.projectID, name).Do()
+	if err != nil {
+		if isHTTPErrorCode(err, http.StatusNotFound) {
+			return nil
+		}
+		return err
+	}
+	return gce.waitForGlobalOp(op)
+}
+
+// ListSslCertificates lists all SslCertificates in the project.
+func (gce *GCECloud) ListSslCertificates() (*compute.SslCertificateList, error) {
+	// TODO: use PageToken to list all not just the first 500
+	return gce.service.SslCertificates.List(gce.projectID).Do()
+}

pkg/cloudprovider/providers/gce/gce_clusters.go

@@ -0,0 +1,49 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package gce
+
+func (gce *GCECloud) ListClusters() ([]string, error) {
+	allClusters := []string{}
+
+	for _, zone := range gce.managedZones {
+		clusters, err := gce.listClustersInZone(zone)
+		if err != nil {
+			return nil, err
+		}
+		// TODO: Scoping?  Do we need to qualify the cluster name?
+		allClusters = append(allClusters, clusters...)
+	}
+
+	return allClusters, nil
+}
+
+func (gce *GCECloud) Master(clusterName string) (string, error) {
+	return "k8s-" + clusterName + "-master.internal", nil
+}
+
+func (gce *GCECloud) listClustersInZone(zone string) ([]string, error) {
+	// TODO: use PageToken to list all not just the first 500
+	list, err := gce.containerService.Projects.Zones.Clusters.List(gce.projectID, zone).Do()
+	if err != nil {
+		return nil, err
+	}
+	result := []string{}
+	for _, cluster := range list.Clusters {
+		result = append(result, cluster.Name)
+	}
+	return result, nil
+}

pkg/cloudprovider/providers/gce/gce_disks.go

@@ -0,0 +1,425 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package gce
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"path"
+	"strings"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/kubernetes/pkg/cloudprovider"
+	"k8s.io/kubernetes/pkg/volume"
+
+	"github.com/golang/glog"
+	compute "google.golang.org/api/compute/v1"
+	"google.golang.org/api/googleapi"
+)
+
+type DiskType string
+
+const (
+	DiskTypeSSD      = "pd-ssd"
+	DiskTypeStandard = "pd-standard"
+
+	diskTypeDefault     = DiskTypeStandard
+	diskTypeUriTemplate = "https://www.googleapis.com/compute/v1/projects/%s/zones/%s/diskTypes/%s"
+)
+
+// Disks is interface for manipulation with GCE PDs.
+type Disks interface {
+	// AttachDisk attaches given disk to the node with the specified NodeName.
+	// Current instance is used when instanceID is empty string.
+	AttachDisk(diskName string, nodeName types.NodeName, readOnly bool) error
+
+	// DetachDisk detaches given disk to the node with the specified NodeName.
+	// Current instance is used when nodeName is empty string.
+	DetachDisk(devicePath string, nodeName types.NodeName) error
+
+	// DiskIsAttached checks if a disk is attached to the node with the specified NodeName.
+	DiskIsAttached(diskName string, nodeName types.NodeName) (bool, error)
+
+	// DisksAreAttached is a batch function to check if a list of disks are attached
+	// to the node with the specified NodeName.
+	DisksAreAttached(diskNames []string, nodeName types.NodeName) (map[string]bool, error)
+
+	// CreateDisk creates a new PD with given properties. Tags are serialized
+	// as JSON into Description field.
+	CreateDisk(name string, diskType string, zone string, sizeGb int64, tags map[string]string) error
+
+	// DeleteDisk deletes PD.
+	DeleteDisk(diskToDelete string) error
+
+	// GetAutoLabelsForPD returns labels to apply to PersistentVolume
+	// representing this PD, namely failure domain and zone.
+	// zone can be provided to specify the zone for the PD,
+	// if empty all managed zones will be searched.
+	GetAutoLabelsForPD(name string, zone string) (map[string]string, error)
+}
+
+// GCECloud implements Disks.
+var _ Disks = (*GCECloud)(nil)
+
+type gceDisk struct {
+	Zone string
+	Name string
+	Kind string
+}
+
+func (gce *GCECloud) AttachDisk(diskName string, nodeName types.NodeName, readOnly bool) error {
+	instanceName := mapNodeNameToInstanceName(nodeName)
+	instance, err := gce.getInstanceByName(instanceName)
+	if err != nil {
+		return fmt.Errorf("error getting instance %q", instanceName)
+	}
+	disk, err := gce.getDiskByName(diskName, instance.Zone)
+	if err != nil {
+		return err
+	}
+	readWrite := "READ_WRITE"
+	if readOnly {
+		readWrite = "READ_ONLY"
+	}
+	attachedDisk := gce.convertDiskToAttachedDisk(disk, readWrite)
+
+	attachOp, err := gce.service.Instances.AttachDisk(gce.projectID, disk.Zone, instance.Name, attachedDisk).Do()
+	if err != nil {
+		return err
+	}
+
+	return gce.waitForZoneOp(attachOp, disk.Zone)
+}
+
+func (gce *GCECloud) DetachDisk(devicePath string, nodeName types.NodeName) error {
+	instanceName := mapNodeNameToInstanceName(nodeName)
+	inst, err := gce.getInstanceByName(instanceName)
+	if err != nil {
+		if err == cloudprovider.InstanceNotFound {
+			// If instance no longer exists, safe to assume volume is not attached.
+			glog.Warningf(
+				"Instance %q does not exist. DetachDisk will assume PD %q is not attached to it.",
+				instanceName,
+				devicePath)
+			return nil
+		}
+
+		return fmt.Errorf("error getting instance %q", instanceName)
+	}
+
+	detachOp, err := gce.service.Instances.DetachDisk(gce.projectID, inst.Zone, inst.Name, devicePath).Do()
+	if err != nil {
+		return err
+	}
+
+	return gce.waitForZoneOp(detachOp, inst.Zone)
+}
+
+func (gce *GCECloud) DiskIsAttached(diskName string, nodeName types.NodeName) (bool, error) {
+	instanceName := mapNodeNameToInstanceName(nodeName)
+	instance, err := gce.getInstanceByName(instanceName)
+	if err != nil {
+		if err == cloudprovider.InstanceNotFound {
+			// If instance no longer exists, safe to assume volume is not attached.
+			glog.Warningf(
+				"Instance %q does not exist. DiskIsAttached will assume PD %q is not attached to it.",
+				instanceName,
+				diskName)
+			return false, nil
+		}
+
+		return false, err
+	}
+
+	for _, disk := range instance.Disks {
+		if disk.DeviceName == diskName {
+			// Disk is still attached to node
+			return true, nil
+		}
+	}
+
+	return false, nil
+}
+
+func (gce *GCECloud) DisksAreAttached(diskNames []string, nodeName types.NodeName) (map[string]bool, error) {
+	attached := make(map[string]bool)
+	for _, diskName := range diskNames {
+		attached[diskName] = false
+	}
+	instanceName := mapNodeNameToInstanceName(nodeName)
+	instance, err := gce.getInstanceByName(instanceName)
+	if err != nil {
+		if err == cloudprovider.InstanceNotFound {
+			// If instance no longer exists, safe to assume volume is not attached.
+			glog.Warningf(
+				"Instance %q does not exist. DisksAreAttached will assume PD %v are not attached to it.",
+				instanceName,
+				diskNames)
+			return attached, nil
+		}
+
+		return attached, err
+	}
+
+	for _, instanceDisk := range instance.Disks {
+		for _, diskName := range diskNames {
+			if instanceDisk.DeviceName == diskName {
+				// Disk is still attached to node
+				attached[diskName] = true
+			}
+		}
+	}
+
+	return attached, nil
+}
+
+// CreateDisk creates a new Persistent Disk, with the specified name &
+// size, in the specified zone. It stores specified tags encoded in
+// JSON in Description field.
+func (gce *GCECloud) CreateDisk(name string, diskType string, zone string, sizeGb int64, tags map[string]string) error {
+	// Do not allow creation of PDs in zones that are not managed. Such PDs
+	// then cannot be deleted by DeleteDisk.
+	isManaged := false
+	for _, managedZone := range gce.managedZones {
+		if zone == managedZone {
+			isManaged = true
+			break
+		}
+	}
+	if !isManaged {
+		return fmt.Errorf("kubernetes does not manage zone %q", zone)
+	}
+
+	tagsStr, err := gce.encodeDiskTags(tags)
+	if err != nil {
+		return err
+	}
+
+	switch diskType {
+	case DiskTypeSSD, DiskTypeStandard:
+		// noop
+	case "":
+		diskType = diskTypeDefault
+	default:
+		return fmt.Errorf("invalid GCE disk type %q", diskType)
+	}
+	diskTypeUri := fmt.Sprintf(diskTypeUriTemplate, gce.projectID, zone, diskType)
+
+	diskToCreate := &compute.Disk{
+		Name:        name,
+		SizeGb:      sizeGb,
+		Description: tagsStr,
+		Type:        diskTypeUri,
+	}
+
+	createOp, err := gce.service.Disks.Insert(gce.projectID, zone, diskToCreate).Do()
+	if err != nil {
+		return err
+	}
+
+	err = gce.waitForZoneOp(createOp, zone)
+	if isGCEError(err, "alreadyExists") {
+		glog.Warningf("GCE PD %q already exists, reusing", name)
+		return nil
+	}
+	return err
+}
+
+func (gce *GCECloud) DeleteDisk(diskToDelete string) error {
+	err := gce.doDeleteDisk(diskToDelete)
+	if isGCEError(err, "resourceInUseByAnotherResource") {
+		return volume.NewDeletedVolumeInUseError(err.Error())
+	}
+
+	if err == cloudprovider.DiskNotFound {
+		return nil
+	}
+	return err
+}
+
+// Builds the labels that should be automatically added to a PersistentVolume backed by a GCE PD
+// Specifically, this builds FailureDomain (zone) and Region labels.
+// The PersistentVolumeLabel admission controller calls this and adds the labels when a PV is created.
+// If zone is specified, the volume will only be found in the specified zone,
+// otherwise all managed zones will be searched.
+func (gce *GCECloud) GetAutoLabelsForPD(name string, zone string) (map[string]string, error) {
+	var disk *gceDisk
+	var err error
+	if zone == "" {
+		// We would like as far as possible to avoid this case,
+		// because GCE doesn't guarantee that volumes are uniquely named per region,
+		// just per zone.  However, creation of GCE PDs was originally done only
+		// by name, so we have to continue to support that.
+		// However, wherever possible the zone should be passed (and it is passed
+		// for most cases that we can control, e.g. dynamic volume provisioning)
+		disk, err = gce.getDiskByNameUnknownZone(name)
+		if err != nil {
+			return nil, err
+		}
+		zone = disk.Zone
+	} else {
+		// We could assume the disks exists; we have all the information we need
+		// However it is more consistent to ensure the disk exists,
+		// and in future we may gather addition information (e.g. disk type, IOPS etc)
+		disk, err = gce.getDiskByName(name, zone)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	region, err := GetGCERegion(zone)
+	if err != nil {
+		return nil, err
+	}
+
+	if zone == "" || region == "" {
+		// Unexpected, but sanity-check
+		return nil, fmt.Errorf("PD did not have zone/region information: %q", disk.Name)
+	}
+
+	labels := make(map[string]string)
+	labels[metav1.LabelZoneFailureDomain] = zone
+	labels[metav1.LabelZoneRegion] = region
+
+	return labels, nil
+}
+
+// Returns a gceDisk for the disk, if it is found in the specified zone.
+// If not found, returns (nil, nil)
+func (gce *GCECloud) findDiskByName(diskName string, zone string) (*gceDisk, error) {
+	disk, err := gce.service.Disks.Get(gce.projectID, zone, diskName).Do()
+	if err == nil {
+		d := &gceDisk{
+			Zone: lastComponent(disk.Zone),
+			Name: disk.Name,
+			Kind: disk.Kind,
+		}
+		return d, nil
+	}
+	if !isHTTPErrorCode(err, http.StatusNotFound) {
+		return nil, err
+	}
+	return nil, nil
+}
+
+// Like findDiskByName, but returns an error if the disk is not found
+func (gce *GCECloud) getDiskByName(diskName string, zone string) (*gceDisk, error) {
+	disk, err := gce.findDiskByName(diskName, zone)
+	if disk == nil && err == nil {
+		return nil, fmt.Errorf("GCE persistent disk not found: diskName=%q zone=%q", diskName, zone)
+	}
+	return disk, err
+}
+
+// Scans all managed zones to return the GCE PD
+// Prefer getDiskByName, if the zone can be established
+// Return cloudprovider.DiskNotFound if the given disk cannot be found in any zone
+func (gce *GCECloud) getDiskByNameUnknownZone(diskName string) (*gceDisk, error) {
+	// Note: this is the gotcha right now with GCE PD support:
+	// disk names are not unique per-region.
+	// (I can create two volumes with name "myvol" in e.g. us-central1-b & us-central1-f)
+	// For now, this is simply undefined behvaiour.
+	//
+	// In future, we will have to require users to qualify their disk
+	// "us-central1-a/mydisk".  We could do this for them as part of
+	// admission control, but that might be a little weird (values changing
+	// on create)
+
+	var found *gceDisk
+	for _, zone := range gce.managedZones {
+		disk, err := gce.findDiskByName(diskName, zone)
+		if err != nil {
+			return nil, err
+		}
+		// findDiskByName returns (nil,nil) if the disk doesn't exist, so we can't
+		// assume that a disk was found unless disk is non-nil.
+		if disk == nil {
+			continue
+		}
+		if found != nil {
+			return nil, fmt.Errorf("GCE persistent disk name was found in multiple zones: %q", diskName)
+		}
+		found = disk
+	}
+	if found != nil {
+		return found, nil
+	}
+	glog.Warningf("GCE persistent disk %q not found in managed zones (%s)",
+		diskName, strings.Join(gce.managedZones, ","))
+
+	return nil, cloudprovider.DiskNotFound
+}
+
+// encodeDiskTags encodes requested volume tags into JSON string, as GCE does
+// not support tags on GCE PDs and we use Description field as fallback.
+func (gce *GCECloud) encodeDiskTags(tags map[string]string) (string, error) {
+	if len(tags) == 0 {
+		// No tags -> empty JSON
+		return "", nil
+	}
+
+	enc, err := json.Marshal(tags)
+	if err != nil {
+		return "", err
+	}
+	return string(enc), nil
+}
+
+func (gce *GCECloud) doDeleteDisk(diskToDelete string) error {
+	disk, err := gce.getDiskByNameUnknownZone(diskToDelete)
+	if err != nil {
+		return err
+	}
+
+	deleteOp, err := gce.service.Disks.Delete(gce.projectID, disk.Zone, disk.Name).Do()
+	if err != nil {
+		return err
+	}
+
+	return gce.waitForZoneOp(deleteOp, disk.Zone)
+}
+
+// Converts a Disk resource to an AttachedDisk resource.
+func (gce *GCECloud) convertDiskToAttachedDisk(disk *gceDisk, readWrite string) *compute.AttachedDisk {
+	return &compute.AttachedDisk{
+		DeviceName: disk.Name,
+		Kind:       disk.Kind,
+		Mode:       readWrite,
+		Source: "https://" + path.Join(
+			"www.googleapis.com/compute/v1/projects/",
+			gce.projectID, "zones", disk.Zone, "disks", disk.Name),
+		Type: "PERSISTENT",
+	}
+}
+
+// isGCEError returns true if given error is a googleapi.Error with given
+// reason (e.g. "resourceInUseByAnotherResource")
+func isGCEError(err error, reason string) bool {
+	apiErr, ok := err.(*googleapi.Error)
+	if !ok {
+		return false
+	}
+
+	for _, e := range apiErr.Errors {
+		if e.Reason == reason {
+			return true
+		}
+	}
+	return false
+}

pkg/cloudprovider/providers/gce/gce_firewall.go

@@ -0,0 +1,90 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package gce
+
+import (
+	"k8s.io/kubernetes/pkg/api/v1"
+	netsets "k8s.io/kubernetes/pkg/util/net/sets"
+
+	compute "google.golang.org/api/compute/v1"
+)
+
+// Firewall management: These methods are just passthrough to the existing
+// internal firewall creation methods used to manage TCPLoadBalancer.
+
+// GetFirewall returns the Firewall by name.
+func (gce *GCECloud) GetFirewall(name string) (*compute.Firewall, error) {
+	return gce.service.Firewalls.Get(gce.projectID, name).Do()
+}
+
+// CreateFirewall creates the given firewall rule.
+func (gce *GCECloud) CreateFirewall(name, desc string, sourceRanges netsets.IPNet, ports []int64, hostNames []string) error {
+	region, err := GetGCERegion(gce.localZone)
+	if err != nil {
+		return err
+	}
+	// TODO: This completely breaks modularity in the cloudprovider but the methods
+	// shared with the TCPLoadBalancer take v1.ServicePorts.
+	svcPorts := []v1.ServicePort{}
+	// TODO: Currently the only consumer of this method is the GCE L7
+	// loadbalancer controller, which never needs a protocol other than TCP.
+	// We should pipe through a mapping of port:protocol and default to TCP
+	// if UDP ports are required. This means the method signature will change
+	// forcing downstream clients to refactor interfaces.
+	for _, p := range ports {
+		svcPorts = append(svcPorts, v1.ServicePort{Port: int32(p), Protocol: v1.ProtocolTCP})
+	}
+	hosts, err := gce.getInstancesByNames(hostNames)
+	if err != nil {
+		return err
+	}
+	return gce.createFirewall(name, region, desc, sourceRanges, svcPorts, hosts)
+}
+
+// DeleteFirewall deletes the given firewall rule.
+func (gce *GCECloud) DeleteFirewall(name string) error {
+	region, err := GetGCERegion(gce.localZone)
+	if err != nil {
+		return err
+	}
+	return gce.deleteFirewall(name, region)
+}
+
+// UpdateFirewall applies the given firewall rule as an update to an existing
+// firewall rule with the same name.
+func (gce *GCECloud) UpdateFirewall(name, desc string, sourceRanges netsets.IPNet, ports []int64, hostNames []string) error {
+	region, err := GetGCERegion(gce.localZone)
+	if err != nil {
+		return err
+	}
+	// TODO: This completely breaks modularity in the cloudprovider but the methods
+	// shared with the TCPLoadBalancer take v1.ServicePorts.
+	svcPorts := []v1.ServicePort{}
+	// TODO: Currently the only consumer of this method is the GCE L7
+	// loadbalancer controller, which never needs a protocol other than TCP.
+	// We should pipe through a mapping of port:protocol and default to TCP
+	// if UDP ports are required. This means the method signature will change,
+	// forcing downstream clients to refactor interfaces.
+	for _, p := range ports {
+		svcPorts = append(svcPorts, v1.ServicePort{Port: int32(p), Protocol: v1.ProtocolTCP})
+	}
+	hosts, err := gce.getInstancesByNames(hostNames)
+	if err != nil {
+		return err
+	}
+	return gce.updateFirewall(name, region, desc, sourceRanges, svcPorts, hosts)
+}

pkg/cloudprovider/providers/gce/gce_forwardingrule.go

@@ -0,0 +1,79 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package gce
+
+import (
+	"net/http"
+
+	compute "google.golang.org/api/compute/v1"
+)
+
+// GlobalForwardingRule management
+
+// CreateGlobalForwardingRule creates and returns a
+// GlobalForwardingRule that points to the given TargetHttp(s)Proxy.
+// targetProxyLink is the SelfLink of a TargetHttp(s)Proxy.
+func (gce *GCECloud) CreateGlobalForwardingRule(targetProxyLink, ip, name, portRange string) (*compute.ForwardingRule, error) {
+	rule := &compute.ForwardingRule{
+		Name:       name,
+		IPAddress:  ip,
+		Target:     targetProxyLink,
+		PortRange:  portRange,
+		IPProtocol: "TCP",
+	}
+	op, err := gce.service.GlobalForwardingRules.Insert(gce.projectID, rule).Do()
+	if err != nil {
+		return nil, err
+	}
+	if err = gce.waitForGlobalOp(op); err != nil {
+		return nil, err
+	}
+	return gce.GetGlobalForwardingRule(name)
+}
+
+// SetProxyForGlobalForwardingRule links the given TargetHttp(s)Proxy with the given GlobalForwardingRule.
+// targetProxyLink is the SelfLink of a TargetHttp(s)Proxy.
+func (gce *GCECloud) SetProxyForGlobalForwardingRule(fw *compute.ForwardingRule, targetProxyLink string) error {
+	op, err := gce.service.GlobalForwardingRules.SetTarget(gce.projectID, fw.Name, &compute.TargetReference{Target: targetProxyLink}).Do()
+	if err != nil {
+		return err
+	}
+	return gce.waitForGlobalOp(op)
+}
+
+// DeleteGlobalForwardingRule deletes the GlobalForwardingRule by name.
+func (gce *GCECloud) DeleteGlobalForwardingRule(name string) error {
+	op, err := gce.service.GlobalForwardingRules.Delete(gce.projectID, name).Do()
+	if err != nil {
+		if isHTTPErrorCode(err, http.StatusNotFound) {
+			return nil
+		}
+		return err
+	}
+	return gce.waitForGlobalOp(op)
+}
+
+// GetGlobalForwardingRule returns the GlobalForwardingRule by name.
+func (gce *GCECloud) GetGlobalForwardingRule(name string) (*compute.ForwardingRule, error) {
+	return gce.service.GlobalForwardingRules.Get(gce.projectID, name).Do()
+}
+
+// ListGlobalForwardingRules lists all GlobalForwardingRules in the project.
+func (gce *GCECloud) ListGlobalForwardingRules() (*compute.ForwardingRuleList, error) {
+	// TODO: use PageToken to list all not just the first 500
+	return gce.service.GlobalForwardingRules.List(gce.projectID).Do()
+}

pkg/cloudprovider/providers/gce/gce_healthchecks.go

@@ -0,0 +1,66 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package gce
+
+import (
+	"net/http"
+
+	compute "google.golang.org/api/compute/v1"
+)
+
+// Health Checks
+
+// GetHttpHealthCheck returns the given HttpHealthCheck by name.
+func (gce *GCECloud) GetHttpHealthCheck(name string) (*compute.HttpHealthCheck, error) {
+	return gce.service.HttpHealthChecks.Get(gce.projectID, name).Do()
+}
+
+// UpdateHttpHealthCheck applies the given HttpHealthCheck as an update.
+func (gce *GCECloud) UpdateHttpHealthCheck(hc *compute.HttpHealthCheck) error {
+	op, err := gce.service.HttpHealthChecks.Update(gce.projectID, hc.Name, hc).Do()
+	if err != nil {
+		return err
+	}
+	return gce.waitForGlobalOp(op)
+}
+
+// DeleteHttpHealthCheck deletes the given HttpHealthCheck by name.
+func (gce *GCECloud) DeleteHttpHealthCheck(name string) error {
+	op, err := gce.service.HttpHealthChecks.Delete(gce.projectID, name).Do()
+	if err != nil {
+		if isHTTPErrorCode(err, http.StatusNotFound) {
+			return nil
+		}
+		return err
+	}
+	return gce.waitForGlobalOp(op)
+}
+
+// CreateHttpHealthCheck creates the given HttpHealthCheck.
+func (gce *GCECloud) CreateHttpHealthCheck(hc *compute.HttpHealthCheck) error {
+	op, err := gce.service.HttpHealthChecks.Insert(gce.projectID, hc).Do()
+	if err != nil {
+		return err
+	}
+	return gce.waitForGlobalOp(op)
+}
+
+// ListHttpHealthCheck lists all HttpHealthChecks in the project.
+func (gce *GCECloud) ListHttpHealthChecks() (*compute.HttpHealthCheckList, error) {
+	// TODO: use PageToken to list all not just the first 500
+	return gce.service.HttpHealthChecks.List(gce.projectID).Do()
+}

pkg/cloudprovider/providers/gce/gce_instancegroup.go

@@ -0,0 +1,148 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package gce
+
+import (
+	"fmt"
+	"net/http"
+	"strings"
+
+	"github.com/golang/glog"
+	compute "google.golang.org/api/compute/v1"
+)
+
+// InstanceGroup Management
+
+// CreateInstanceGroup creates an instance group with the given instances. It is the callers responsibility to add named ports.
+func (gce *GCECloud) CreateInstanceGroup(name string, zone string) (*compute.InstanceGroup, error) {
+	op, err := gce.service.InstanceGroups.Insert(
+		gce.projectID, zone, &compute.InstanceGroup{Name: name}).Do()
+	if err != nil {
+		return nil, err
+	}
+	if err = gce.waitForZoneOp(op, zone); err != nil {
+		return nil, err
+	}
+	return gce.GetInstanceGroup(name, zone)
+}
+
+// DeleteInstanceGroup deletes an instance group.
+func (gce *GCECloud) DeleteInstanceGroup(name string, zone string) error {
+	op, err := gce.service.InstanceGroups.Delete(
+		gce.projectID, zone, name).Do()
+	if err != nil {
+		return err
+	}
+	return gce.waitForZoneOp(op, zone)
+}
+
+// ListInstanceGroups lists all InstanceGroups in the project and zone.
+func (gce *GCECloud) ListInstanceGroups(zone string) (*compute.InstanceGroupList, error) {
+	// TODO: use PageToken to list all not just the first 500
+	return gce.service.InstanceGroups.List(gce.projectID, zone).Do()
+}
+
+// ListInstancesInInstanceGroup lists all the instances in a given instance group and state.
+func (gce *GCECloud) ListInstancesInInstanceGroup(name string, zone string, state string) (*compute.InstanceGroupsListInstances, error) {
+	// TODO: use PageToken to list all not just the first 500
+	return gce.service.InstanceGroups.ListInstances(
+		gce.projectID, zone, name,
+		&compute.InstanceGroupsListInstancesRequest{InstanceState: state}).Do()
+}
+
+// AddInstancesToInstanceGroup adds the given instances to the given instance group.
+func (gce *GCECloud) AddInstancesToInstanceGroup(name string, zone string, instanceNames []string) error {
+	if len(instanceNames) == 0 {
+		return nil
+	}
+	// Adding the same instance twice will result in a 4xx error
+	instances := []*compute.InstanceReference{}
+	for _, ins := range instanceNames {
+		instances = append(instances, &compute.InstanceReference{Instance: makeHostURL(gce.projectID, zone, ins)})
+	}
+	op, err := gce.service.InstanceGroups.AddInstances(
+		gce.projectID, zone, name,
+		&compute.InstanceGroupsAddInstancesRequest{
+			Instances: instances,
+		}).Do()
+
+	if err != nil {
+		return err
+	}
+	return gce.waitForZoneOp(op, zone)
+}
+
+// RemoveInstancesFromInstanceGroup removes the given instances from the instance group.
+func (gce *GCECloud) RemoveInstancesFromInstanceGroup(name string, zone string, instanceNames []string) error {
+	if len(instanceNames) == 0 {
+		return nil
+	}
+	instances := []*compute.InstanceReference{}
+	for _, ins := range instanceNames {
+		instanceLink := makeHostURL(gce.projectID, zone, ins)
+		instances = append(instances, &compute.InstanceReference{Instance: instanceLink})
+	}
+	op, err := gce.service.InstanceGroups.RemoveInstances(
+		gce.projectID, zone, name,
+		&compute.InstanceGroupsRemoveInstancesRequest{
+			Instances: instances,
+		}).Do()
+
+	if err != nil {
+		if isHTTPErrorCode(err, http.StatusNotFound) {
+			return nil
+		}
+		return err
+	}
+	return gce.waitForZoneOp(op, zone)
+}
+
+// AddPortToInstanceGroup adds a port to the given instance group.
+func (gce *GCECloud) AddPortToInstanceGroup(ig *compute.InstanceGroup, port int64) (*compute.NamedPort, error) {
+	for _, np := range ig.NamedPorts {
+		if np.Port == port {
+			glog.V(3).Infof("Instance group %v already has named port %+v", ig.Name, np)
+			return np, nil
+		}
+	}
+	glog.Infof("Adding port %v to instance group %v with %d ports", port, ig.Name, len(ig.NamedPorts))
+	namedPort := compute.NamedPort{Name: fmt.Sprintf("port%v", port), Port: port}
+	ig.NamedPorts = append(ig.NamedPorts, &namedPort)
+
+	// setNamedPorts is a zonal endpoint, meaning we invoke it by re-creating a URL like:
+	// {project}/zones/{zone}/instanceGroups/{instanceGroup}/setNamedPorts, so the "zone"
+	// parameter given to SetNamedPorts must not be the entire zone URL.
+	zoneURLParts := strings.Split(ig.Zone, "/")
+	zone := zoneURLParts[len(zoneURLParts)-1]
+
+	op, err := gce.service.InstanceGroups.SetNamedPorts(
+		gce.projectID, zone, ig.Name,
+		&compute.InstanceGroupsSetNamedPortsRequest{
+			NamedPorts: ig.NamedPorts}).Do()
+	if err != nil {
+		return nil, err
+	}
+	if err = gce.waitForZoneOp(op, zone); err != nil {
+		return nil, err
+	}
+	return &namedPort, nil
+}
+
+// GetInstanceGroup returns an instance group by name.
+func (gce *GCECloud) GetInstanceGroup(name string, zone string) (*compute.InstanceGroup, error) {
+	return gce.service.InstanceGroups.Get(gce.projectID, zone, name).Do()
+}

pkg/cloudprovider/providers/gce/gce_instances.go

@@ -0,0 +1,351 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package gce
+
+import (
+	"fmt"
+	"net/http"
+	"strconv"
+	"strings"
+	"time"
+
+	"cloud.google.com/go/compute/metadata"
+	"github.com/golang/glog"
+	compute "google.golang.org/api/compute/v1"
+
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/apimachinery/pkg/util/wait"
+	"k8s.io/kubernetes/pkg/api/v1"
+	"k8s.io/kubernetes/pkg/cloudprovider"
+)
+
+// NodeAddresses is an implementation of Instances.NodeAddresses.
+func (gce *GCECloud) NodeAddresses(_ types.NodeName) ([]v1.NodeAddress, error) {
+	internalIP, err := metadata.Get("instance/network-interfaces/0/ip")
+	if err != nil {
+		return nil, fmt.Errorf("couldn't get internal IP: %v", err)
+	}
+	externalIP, err := metadata.Get("instance/network-interfaces/0/access-configs/0/external-ip")
+	if err != nil {
+		return nil, fmt.Errorf("couldn't get external IP: %v", err)
+	}
+	return []v1.NodeAddress{
+		{Type: v1.NodeInternalIP, Address: internalIP},
+		{Type: v1.NodeExternalIP, Address: externalIP},
+	}, nil
+}
+
+// ExternalID returns the cloud provider ID of the node with the specified NodeName (deprecated).
+func (gce *GCECloud) ExternalID(nodeName types.NodeName) (string, error) {
+	instanceName := mapNodeNameToInstanceName(nodeName)
+	if gce.useMetadataServer {
+		// Use metadata, if possible, to fetch ID. See issue #12000
+		if gce.isCurrentInstance(instanceName) {
+			externalInstanceID, err := getCurrentExternalIDViaMetadata()
+			if err == nil {
+				return externalInstanceID, nil
+			}
+		}
+	}
+
+	// Fallback to GCE API call if metadata server fails to retrieve ID
+	inst, err := gce.getInstanceByName(instanceName)
+	if err != nil {
+		return "", err
+	}
+	return strconv.FormatUint(inst.ID, 10), nil
+}
+
+// InstanceID returns the cloud provider ID of the node with the specified NodeName.
+func (gce *GCECloud) InstanceID(nodeName types.NodeName) (string, error) {
+	instanceName := mapNodeNameToInstanceName(nodeName)
+	if gce.useMetadataServer {
+		// Use metadata, if possible, to fetch ID. See issue #12000
+		if gce.isCurrentInstance(instanceName) {
+			projectID, zone, err := getProjectAndZone()
+			if err == nil {
+				return projectID + "/" + zone + "/" + canonicalizeInstanceName(instanceName), nil
+			}
+		}
+	}
+	instance, err := gce.getInstanceByName(instanceName)
+	if err != nil {
+		return "", err
+	}
+	return gce.projectID + "/" + instance.Zone + "/" + instance.Name, nil
+}
+
+// InstanceType returns the type of the specified node with the specified NodeName.
+func (gce *GCECloud) InstanceType(nodeName types.NodeName) (string, error) {
+	instanceName := mapNodeNameToInstanceName(nodeName)
+	if gce.useMetadataServer {
+		// Use metadata, if possible, to fetch ID. See issue #12000
+		if gce.isCurrentInstance(instanceName) {
+			mType, err := getCurrentMachineTypeViaMetadata()
+			if err == nil {
+				return mType, nil
+			}
+		}
+	}
+	instance, err := gce.getInstanceByName(instanceName)
+	if err != nil {
+		return "", err
+	}
+	return instance.Type, nil
+}
+
+func (gce *GCECloud) AddSSHKeyToAllInstances(user string, keyData []byte) error {
+	return wait.Poll(2*time.Second, 30*time.Second, func() (bool, error) {
+		project, err := gce.service.Projects.Get(gce.projectID).Do()
+		if err != nil {
+			glog.Errorf("Could not get project: %v", err)
+			return false, nil
+		}
+		keyString := fmt.Sprintf("%s:%s %s@%s", user, strings.TrimSpace(string(keyData)), user, user)
+		found := false
+		for _, item := range project.CommonInstanceMetadata.Items {
+			if item.Key == "sshKeys" {
+				if strings.Contains(*item.Value, keyString) {
+					// We've already added the key
+					glog.Info("SSHKey already in project metadata")
+					return true, nil
+				}
+				value := *item.Value + "\n" + keyString
+				item.Value = &value
+				found = true
+				break
+			}
+		}
+		if !found {
+			// This is super unlikely, so log.
+			glog.Infof("Failed to find sshKeys metadata, creating a new item")
+			project.CommonInstanceMetadata.Items = append(project.CommonInstanceMetadata.Items,
+				&compute.MetadataItems{
+					Key:   "sshKeys",
+					Value: &keyString,
+				})
+		}
+		op, err := gce.service.Projects.SetCommonInstanceMetadata(gce.projectID, project.CommonInstanceMetadata).Do()
+		if err != nil {
+			glog.Errorf("Could not Set Metadata: %v", err)
+			return false, nil
+		}
+		if err := gce.waitForGlobalOp(op); err != nil {
+			glog.Errorf("Could not Set Metadata: %v", err)
+			return false, nil
+		}
+		glog.Infof("Successfully added sshKey to project metadata")
+		return true, nil
+	})
+}
+
+// GetAllZones returns all the zones in which nodes are running
+func (gce *GCECloud) GetAllZones() (sets.String, error) {
+	// Fast-path for non-multizone
+	if len(gce.managedZones) == 1 {
+		return sets.NewString(gce.managedZones...), nil
+	}
+
+	// TODO: Caching, but this is currently only called when we are creating a volume,
+	// which is a relatively infrequent operation, and this is only # zones API calls
+	zones := sets.NewString()
+
+	// TODO: Parallelize, although O(zones) so not too bad (N <= 3 typically)
+	for _, zone := range gce.managedZones {
+		// We only retrieve one page in each zone - we only care about existence
+		listCall := gce.service.Instances.List(gce.projectID, zone)
+
+		// No filter: We assume that a zone is either used or unused
+		// We could only consider running nodes (like we do in List above),
+		// but probably if instances are starting we still want to consider them.
+		// I think we should wait until we have a reason to make the
+		// call one way or the other; we generally can't guarantee correct
+		// volume spreading if the set of zones is changing
+		// (and volume spreading is currently only a heuristic).
+		// Long term we want to replace GetAllZones (which primarily supports volume
+		// spreading) with a scheduler policy that is able to see the global state of
+		// volumes and the health of zones.
+
+		// Just a minimal set of fields - we only care about existence
+		listCall = listCall.Fields("items(name)")
+
+		res, err := listCall.Do()
+		if err != nil {
+			return nil, err
+		}
+		if len(res.Items) != 0 {
+			zones.Insert(zone)
+		}
+	}
+
+	return zones, nil
+}
+
+// Implementation of Instances.CurrentNodeName
+func (gce *GCECloud) CurrentNodeName(hostname string) (types.NodeName, error) {
+	return types.NodeName(hostname), nil
+}
+
+// Gets the named instances, returning cloudprovider.InstanceNotFound if any instance is not found
+func (gce *GCECloud) getInstancesByNames(names []string) ([]*gceInstance, error) {
+	instances := make(map[string]*gceInstance)
+	remaining := len(names)
+
+	nodeInstancePrefix := gce.nodeInstancePrefix
+	for _, name := range names {
+		name = canonicalizeInstanceName(name)
+		if !strings.HasPrefix(name, gce.nodeInstancePrefix) {
+			glog.Warningf("instance '%s' does not conform to prefix '%s', removing filter", name, gce.nodeInstancePrefix)
+			nodeInstancePrefix = ""
+		}
+		instances[name] = nil
+	}
+
+	for _, zone := range gce.managedZones {
+		if remaining == 0 {
+			break
+		}
+
+		pageToken := ""
+		page := 0
+		for ; page == 0 || (pageToken != "" && page < maxPages); page++ {
+			listCall := gce.service.Instances.List(gce.projectID, zone)
+
+			if nodeInstancePrefix != "" {
+				// Add the filter for hosts
+				listCall = listCall.Filter("name eq " + nodeInstancePrefix + ".*")
+			}
+
+			// TODO(zmerlynn): Internal bug 29524655
+			// listCall = listCall.Fields("items(name,id,disks,machineType)")
+			if pageToken != "" {
+				listCall.PageToken(pageToken)
+			}
+
+			res, err := listCall.Do()
+			if err != nil {
+				return nil, err
+			}
+			pageToken = res.NextPageToken
+			for _, i := range res.Items {
+				name := i.Name
+				if _, ok := instances[name]; !ok {
+					continue
+				}
+
+				instance := &gceInstance{
+					Zone:  zone,
+					Name:  name,
+					ID:    i.Id,
+					Disks: i.Disks,
+					Type:  lastComponent(i.MachineType),
+				}
+				instances[name] = instance
+				remaining--
+			}
+		}
+		if page >= maxPages {
+			glog.Errorf("getInstancesByNames exceeded maxPages=%d for Instances.List: truncating.", maxPages)
+		}
+	}
+
+	instanceArray := make([]*gceInstance, len(names))
+	for i, name := range names {
+		name = canonicalizeInstanceName(name)
+		instance := instances[name]
+		if instance == nil {
+			glog.Errorf("Failed to retrieve instance: %q", name)
+			return nil, cloudprovider.InstanceNotFound
+		}
+		instanceArray[i] = instances[name]
+	}
+
+	return instanceArray, nil
+}
+
+// Gets the named instance, returning cloudprovider.InstanceNotFound if the instance is not found
+func (gce *GCECloud) getInstanceByName(name string) (*gceInstance, error) {
+	// Avoid changing behaviour when not managing multiple zones
+	for _, zone := range gce.managedZones {
+		name = canonicalizeInstanceName(name)
+		res, err := gce.service.Instances.Get(gce.projectID, zone, name).Do()
+		if err != nil {
+			glog.Errorf("getInstanceByName: failed to get instance %s; err: %v", name, err)
+
+			if isHTTPErrorCode(err, http.StatusNotFound) {
+				continue
+			}
+			return nil, err
+		}
+		return &gceInstance{
+			Zone:  lastComponent(res.Zone),
+			Name:  res.Name,
+			ID:    res.Id,
+			Disks: res.Disks,
+			Type:  lastComponent(res.MachineType),
+		}, nil
+	}
+
+	return nil, cloudprovider.InstanceNotFound
+}
+
+func getInstanceIDViaMetadata() (string, error) {
+	result, err := metadata.Get("instance/hostname")
+	if err != nil {
+		return "", err
+	}
+	parts := strings.Split(result, ".")
+	if len(parts) == 0 {
+		return "", fmt.Errorf("unexpected response: %s", result)
+	}
+	return parts[0], nil
+}
+
+func getCurrentExternalIDViaMetadata() (string, error) {
+	externalID, err := metadata.Get("instance/id")
+	if err != nil {
+		return "", fmt.Errorf("couldn't get external ID: %v", err)
+	}
+	return externalID, nil
+}
+
+func getCurrentMachineTypeViaMetadata() (string, error) {
+	mType, err := metadata.Get("instance/machine-type")
+	if err != nil {
+		return "", fmt.Errorf("couldn't get machine type: %v", err)
+	}
+	parts := strings.Split(mType, "/")
+	if len(parts) != 4 {
+		return "", fmt.Errorf("unexpected response for machine type: %s", mType)
+	}
+
+	return parts[3], nil
+}
+
+// isCurrentInstance uses metadata server to check if specified
+// instanceID matches current machine's instanceID
+func (gce *GCECloud) isCurrentInstance(instanceID string) bool {
+	currentInstanceID, err := getInstanceIDViaMetadata()
+	if err != nil {
+		// Log and swallow error
+		glog.Errorf("Failed to fetch instanceID via Metadata: %v", err)
+		return false
+	}
+
+	return currentInstanceID == canonicalizeInstanceName(instanceID)
+}

pkg/cloudprovider/providers/gce/gce_op.go

@@ -0,0 +1,105 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package gce
+
+import (
+	"fmt"
+	"time"
+
+	"k8s.io/apimachinery/pkg/util/wait"
+
+	"github.com/golang/glog"
+	compute "google.golang.org/api/compute/v1"
+	"google.golang.org/api/googleapi"
+)
+
+func (gce *GCECloud) waitForOp(op *compute.Operation, getOperation func(operationName string) (*compute.Operation, error)) error {
+	if op == nil {
+		return fmt.Errorf("operation must not be nil")
+	}
+
+	if opIsDone(op) {
+		return getErrorFromOp(op)
+	}
+
+	opStart := time.Now()
+	opName := op.Name
+	return wait.Poll(operationPollInterval, operationPollTimeoutDuration, func() (bool, error) {
+		start := time.Now()
+		gce.operationPollRateLimiter.Accept()
+		duration := time.Now().Sub(start)
+		if duration > 5*time.Second {
+			glog.Infof("pollOperation: throttled %v for %v", duration, opName)
+		}
+		pollOp, err := getOperation(opName)
+		if err != nil {
+			glog.Warningf("GCE poll operation %s failed: pollOp: [%v] err: [%v] getErrorFromOp: [%v]",
+				opName, pollOp, err, getErrorFromOp(pollOp))
+		}
+		done := opIsDone(pollOp)
+		if done {
+			duration := time.Now().Sub(opStart)
+			if duration > 1*time.Minute {
+				// Log the JSON. It's cleaner than the %v structure.
+				enc, err := pollOp.MarshalJSON()
+				if err != nil {
+					glog.Warningf("waitForOperation: long operation (%v): %v (failed to encode to JSON: %v)",
+						duration, pollOp, err)
+				} else {
+					glog.Infof("waitForOperation: long operation (%v): %v",
+						duration, string(enc))
+				}
+			}
+		}
+		return done, getErrorFromOp(pollOp)
+	})
+}
+
+func opIsDone(op *compute.Operation) bool {
+	return op != nil && op.Status == "DONE"
+}
+
+func getErrorFromOp(op *compute.Operation) error {
+	if op != nil && op.Error != nil && len(op.Error.Errors) > 0 {
+		err := &googleapi.Error{
+			Code:    int(op.HttpErrorStatusCode),
+			Message: op.Error.Errors[0].Message,
+		}
+		glog.Errorf("GCE operation failed: %v", err)
+		return err
+	}
+
+	return nil
+}
+
+func (gce *GCECloud) waitForGlobalOp(op *compute.Operation) error {
+	return gce.waitForOp(op, func(operationName string) (*compute.Operation, error) {
+		return gce.service.GlobalOperations.Get(gce.projectID, operationName).Do()
+	})
+}
+
+func (gce *GCECloud) waitForRegionOp(op *compute.Operation, region string) error {
+	return gce.waitForOp(op, func(operationName string) (*compute.Operation, error) {
+		return gce.service.RegionOperations.Get(gce.projectID, region, operationName).Do()
+	})
+}
+
+func (gce *GCECloud) waitForZoneOp(op *compute.Operation, zone string) error {
+	return gce.waitForOp(op, func(operationName string) (*compute.Operation, error) {
+		return gce.service.ZoneOperations.Get(gce.projectID, zone, operationName).Do()
+	})
+}

pkg/cloudprovider/providers/gce/gce_routes.go

@@ -0,0 +1,115 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package gce
+
+import (
+	"fmt"
+	"net/http"
+	"path"
+	"strings"
+
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/kubernetes/pkg/cloudprovider"
+
+	"github.com/golang/glog"
+	compute "google.golang.org/api/compute/v1"
+)
+
+func (gce *GCECloud) ListRoutes(clusterName string) ([]*cloudprovider.Route, error) {
+	var routes []*cloudprovider.Route
+	pageToken := ""
+	page := 0
+	for ; page == 0 || (pageToken != "" && page < maxPages); page++ {
+		listCall := gce.service.Routes.List(gce.projectID)
+
+		prefix := truncateClusterName(clusterName)
+		listCall = listCall.Filter("name eq " + prefix + "-.*")
+		if pageToken != "" {
+			listCall = listCall.PageToken(pageToken)
+		}
+		res, err := listCall.Do()
+		if err != nil {
+			glog.Errorf("Error getting routes from GCE: %v", err)
+			return nil, err
+		}
+		pageToken = res.NextPageToken
+		for _, r := range res.Items {
+			if r.Network != gce.networkURL {
+				continue
+			}
+			// Not managed if route description != "k8s-node-route"
+			if r.Description != k8sNodeRouteTag {
+				continue
+			}
+			// Not managed if route name doesn't start with <clusterName>
+			if !strings.HasPrefix(r.Name, prefix) {
+				continue
+			}
+
+			target := path.Base(r.NextHopInstance)
+			// TODO: Should we lastComponent(target) this?
+			targetNodeName := types.NodeName(target) // NodeName == Instance Name on GCE
+			routes = append(routes, &cloudprovider.Route{Name: r.Name, TargetNode: targetNodeName, DestinationCIDR: r.DestRange})
+		}
+	}
+	if page >= maxPages {
+		glog.Errorf("ListRoutes exceeded maxPages=%d for Routes.List; truncating.", maxPages)
+	}
+	return routes, nil
+}
+
+func (gce *GCECloud) CreateRoute(clusterName string, nameHint string, route *cloudprovider.Route) error {
+	routeName := truncateClusterName(clusterName) + "-" + nameHint
+
+	instanceName := mapNodeNameToInstanceName(route.TargetNode)
+	targetInstance, err := gce.getInstanceByName(instanceName)
+	if err != nil {
+		return err
+	}
+	insertOp, err := gce.service.Routes.Insert(gce.projectID, &compute.Route{
+		Name:            routeName,
+		DestRange:       route.DestinationCIDR,
+		NextHopInstance: fmt.Sprintf("zones/%s/instances/%s", targetInstance.Zone, targetInstance.Name),
+		Network:         gce.networkURL,
+		Priority:        1000,
+		Description:     k8sNodeRouteTag,
+	}).Do()
+	if err != nil {
+		if isHTTPErrorCode(err, http.StatusConflict) {
+			glog.Info("Route %v already exists.")
+			return nil
+		} else {
+			return err
+		}
+	}
+	return gce.waitForGlobalOp(insertOp)
+}
+
+func (gce *GCECloud) DeleteRoute(clusterName string, route *cloudprovider.Route) error {
+	deleteOp, err := gce.service.Routes.Delete(gce.projectID, route.Name).Do()
+	if err != nil {
+		return err
+	}
+	return gce.waitForGlobalOp(deleteOp)
+}
+
+func truncateClusterName(clusterName string) string {
+	if len(clusterName) > 26 {
+		return clusterName[:26]
+	}
+	return clusterName
+}

pkg/cloudprovider/providers/gce/gce_staticip.go

@@ -0,0 +1,51 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package gce
+
+import compute "google.golang.org/api/compute/v1"
+
+// Global static IP management
+
+// ReserveGlobalStaticIP creates a global static IP.
+// Caller is allocated a random IP if they do not specify an ipAddress. If an
+// ipAddress is specified, it must belong to the current project, eg: an
+// ephemeral IP associated with a global forwarding rule.
+func (gce *GCECloud) ReserveGlobalStaticIP(name, ipAddress string) (address *compute.Address, err error) {
+	op, err := gce.service.GlobalAddresses.Insert(gce.projectID, &compute.Address{Name: name, Address: ipAddress}).Do()
+	if err != nil {
+		return nil, err
+	}
+	if err := gce.waitForGlobalOp(op); err != nil {
+		return nil, err
+	}
+	// We have to get the address to know which IP was allocated for us.
+	return gce.service.GlobalAddresses.Get(gce.projectID, name).Do()
+}
+
+// DeleteGlobalStaticIP deletes a global static IP by name.
+func (gce *GCECloud) DeleteGlobalStaticIP(name string) error {
+	op, err := gce.service.GlobalAddresses.Delete(gce.projectID, name).Do()
+	if err != nil {
+		return err
+	}
+	return gce.waitForGlobalOp(op)
+}
+
+// GetGlobalStaticIP returns the global static IP by name.
+func (gce *GCECloud) GetGlobalStaticIP(name string) (address *compute.Address, err error) {
+	return gce.service.GlobalAddresses.Get(gce.projectID, name).Do()
+}

pkg/cloudprovider/providers/gce/gce_targetproxy.go

@@ -0,0 +1,133 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package gce
+
+import (
+	"net/http"
+
+	compute "google.golang.org/api/compute/v1"
+)
+
+// TargetHttpProxy management
+
+// GetTargetHttpProxy returns the UrlMap by name.
+func (gce *GCECloud) GetTargetHttpProxy(name string) (*compute.TargetHttpProxy, error) {
+	return gce.service.TargetHttpProxies.Get(gce.projectID, name).Do()
+}
+
+// CreateTargetHttpProxy creates and returns a TargetHttpProxy with the given UrlMap.
+func (gce *GCECloud) CreateTargetHttpProxy(urlMap *compute.UrlMap, name string) (*compute.TargetHttpProxy, error) {
+	proxy := &compute.TargetHttpProxy{
+		Name:   name,
+		UrlMap: urlMap.SelfLink,
+	}
+	op, err := gce.service.TargetHttpProxies.Insert(gce.projectID, proxy).Do()
+	if err != nil {
+		return nil, err
+	}
+	if err = gce.waitForGlobalOp(op); err != nil {
+		return nil, err
+	}
+	return gce.GetTargetHttpProxy(name)
+}
+
+// SetUrlMapForTargetHttpProxy sets the given UrlMap for the given TargetHttpProxy.
+func (gce *GCECloud) SetUrlMapForTargetHttpProxy(proxy *compute.TargetHttpProxy, urlMap *compute.UrlMap) error {
+	op, err := gce.service.TargetHttpProxies.SetUrlMap(gce.projectID, proxy.Name, &compute.UrlMapReference{UrlMap: urlMap.SelfLink}).Do()
+	if err != nil {
+		return err
+	}
+	return gce.waitForGlobalOp(op)
+}
+
+// DeleteTargetHttpProxy deletes the TargetHttpProxy by name.
+func (gce *GCECloud) DeleteTargetHttpProxy(name string) error {
+	op, err := gce.service.TargetHttpProxies.Delete(gce.projectID, name).Do()
+	if err != nil {
+		if isHTTPErrorCode(err, http.StatusNotFound) {
+			return nil
+		}
+		return err
+	}
+	return gce.waitForGlobalOp(op)
+}
+
+// ListTargetHttpProxies lists all TargetHttpProxies in the project.
+func (gce *GCECloud) ListTargetHttpProxies() (*compute.TargetHttpProxyList, error) {
+	// TODO: use PageToken to list all not just the first 500
+	return gce.service.TargetHttpProxies.List(gce.projectID).Do()
+}
+
+// TargetHttpsProxy management
+
+// GetTargetHttpsProxy returns the UrlMap by name.
+func (gce *GCECloud) GetTargetHttpsProxy(name string) (*compute.TargetHttpsProxy, error) {
+	return gce.service.TargetHttpsProxies.Get(gce.projectID, name).Do()
+}
+
+// CreateTargetHttpsProxy creates and returns a TargetHttpsProxy with the given UrlMap and SslCertificate.
+func (gce *GCECloud) CreateTargetHttpsProxy(urlMap *compute.UrlMap, sslCert *compute.SslCertificate, name string) (*compute.TargetHttpsProxy, error) {
+	proxy := &compute.TargetHttpsProxy{
+		Name:            name,
+		UrlMap:          urlMap.SelfLink,
+		SslCertificates: []string{sslCert.SelfLink},
+	}
+	op, err := gce.service.TargetHttpsProxies.Insert(gce.projectID, proxy).Do()
+	if err != nil {
+		return nil, err
+	}
+	if err = gce.waitForGlobalOp(op); err != nil {
+		return nil, err
+	}
+	return gce.GetTargetHttpsProxy(name)
+}
+
+// SetUrlMapForTargetHttpsProxy sets the given UrlMap for the given TargetHttpsProxy.
+func (gce *GCECloud) SetUrlMapForTargetHttpsProxy(proxy *compute.TargetHttpsProxy, urlMap *compute.UrlMap) error {
+	op, err := gce.service.TargetHttpsProxies.SetUrlMap(gce.projectID, proxy.Name, &compute.UrlMapReference{UrlMap: urlMap.SelfLink}).Do()
+	if err != nil {
+		return err
+	}
+	return gce.waitForGlobalOp(op)
+}
+
+// SetSslCertificateForTargetHttpsProxy sets the given SslCertificate for the given TargetHttpsProxy.
+func (gce *GCECloud) SetSslCertificateForTargetHttpsProxy(proxy *compute.TargetHttpsProxy, sslCert *compute.SslCertificate) error {
+	op, err := gce.service.TargetHttpsProxies.SetSslCertificates(gce.projectID, proxy.Name, &compute.TargetHttpsProxiesSetSslCertificatesRequest{SslCertificates: []string{sslCert.SelfLink}}).Do()
+	if err != nil {
+		return err
+	}
+	return gce.waitForGlobalOp(op)
+}
+
+// DeleteTargetHttpsProxy deletes the TargetHttpsProxy by name.
+func (gce *GCECloud) DeleteTargetHttpsProxy(name string) error {
+	op, err := gce.service.TargetHttpsProxies.Delete(gce.projectID, name).Do()
+	if err != nil {
+		if isHTTPErrorCode(err, http.StatusNotFound) {
+			return nil
+		}
+		return err
+	}
+	return gce.waitForGlobalOp(op)
+}
+
+// ListTargetHttpsProxies lists all TargetHttpsProxies in the project.
+func (gce *GCECloud) ListTargetHttpsProxies() (*compute.TargetHttpsProxyList, error) {
+	// TODO: use PageToken to list all not just the first 500
+	return gce.service.TargetHttpsProxies.List(gce.projectID).Do()
+}

pkg/cloudprovider/providers/gce/gce_urlmap.go

@@ -0,0 +1,76 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package gce
+
+import (
+	"net/http"
+
+	compute "google.golang.org/api/compute/v1"
+)
+
+// UrlMap management
+
+// GetUrlMap returns the UrlMap by name.
+func (gce *GCECloud) GetUrlMap(name string) (*compute.UrlMap, error) {
+	return gce.service.UrlMaps.Get(gce.projectID, name).Do()
+}
+
+// CreateUrlMap creates an url map, using the given backend service as the default service.
+func (gce *GCECloud) CreateUrlMap(backend *compute.BackendService, name string) (*compute.UrlMap, error) {
+	urlMap := &compute.UrlMap{
+		Name:           name,
+		DefaultService: backend.SelfLink,
+	}
+	op, err := gce.service.UrlMaps.Insert(gce.projectID, urlMap).Do()
+	if err != nil {
+		return nil, err
+	}
+	if err = gce.waitForGlobalOp(op); err != nil {
+		return nil, err
+	}
+	return gce.GetUrlMap(name)
+}
+
+// UpdateUrlMap applies the given UrlMap as an update, and returns the new UrlMap.
+func (gce *GCECloud) UpdateUrlMap(urlMap *compute.UrlMap) (*compute.UrlMap, error) {
+	op, err := gce.service.UrlMaps.Update(gce.projectID, urlMap.Name, urlMap).Do()
+	if err != nil {
+		return nil, err
+	}
+	if err = gce.waitForGlobalOp(op); err != nil {
+		return nil, err
+	}
+	return gce.service.UrlMaps.Get(gce.projectID, urlMap.Name).Do()
+}
+
+// DeleteUrlMap deletes a url map by name.
+func (gce *GCECloud) DeleteUrlMap(name string) error {
+	op, err := gce.service.UrlMaps.Delete(gce.projectID, name).Do()
+	if err != nil {
+		if isHTTPErrorCode(err, http.StatusNotFound) {
+			return nil
+		}
+		return err
+	}
+	return gce.waitForGlobalOp(op)
+}
+
+// ListUrlMaps lists all UrlMaps in the project.
+func (gce *GCECloud) ListUrlMaps() (*compute.UrlMapList, error) {
+	// TODO: use PageToken to list all not just the first 500
+	return gce.service.UrlMaps.List(gce.projectID).Do()
+}

pkg/cloudprovider/providers/gce/gce_util.go

@@ -0,0 +1,102 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package gce
+
+import (
+	"fmt"
+	"strings"
+
+	"k8s.io/apimachinery/pkg/types"
+
+	"cloud.google.com/go/compute/metadata"
+	compute "google.golang.org/api/compute/v1"
+	"google.golang.org/api/googleapi"
+)
+
+type gceInstance struct {
+	Zone  string
+	Name  string
+	ID    uint64
+	Disks []*compute.AttachedDisk
+	Type  string
+}
+
+func getProjectAndZone() (string, string, error) {
+	result, err := metadata.Get("instance/zone")
+	if err != nil {
+		return "", "", err
+	}
+	parts := strings.Split(result, "/")
+	if len(parts) != 4 {
+		return "", "", fmt.Errorf("unexpected response: %s", result)
+	}
+	zone := parts[3]
+	projectID, err := metadata.ProjectID()
+	if err != nil {
+		return "", "", err
+	}
+	return projectID, zone, nil
+}
+
+// Take a GCE instance 'hostname' and break it down to something that can be fed
+// to the GCE API client library.  Basically this means reducing 'kubernetes-
+// node-2.c.my-proj.internal' to 'kubernetes-node-2' if necessary.
+func canonicalizeInstanceName(name string) string {
+	ix := strings.Index(name, ".")
+	if ix != -1 {
+		name = name[:ix]
+	}
+	return name
+}
+
+// Returns the last component of a URL, i.e. anything after the last slash
+// If there is no slash, returns the whole string
+func lastComponent(s string) string {
+	lastSlash := strings.LastIndex(s, "/")
+	if lastSlash != -1 {
+		s = s[lastSlash+1:]
+	}
+	return s
+}
+
+// mapNodeNameToInstanceName maps a k8s NodeName to a GCE Instance Name
+// This is a simple string cast.
+func mapNodeNameToInstanceName(nodeName types.NodeName) string {
+	return string(nodeName)
+}
+
+// mapInstanceToNodeName maps a GCE Instance to a k8s NodeName
+func mapInstanceToNodeName(instance *compute.Instance) types.NodeName {
+	return types.NodeName(instance.Name)
+}
+
+// GetGCERegion returns region of the gce zone. Zone names
+// are of the form: ${region-name}-${ix}.
+// For example, "us-central1-b" has a region of "us-central1".
+// So we look for the last '-' and trim to just before that.
+func GetGCERegion(zone string) (string, error) {
+	ix := strings.LastIndex(zone, "-")
+	if ix == -1 {
+		return "", fmt.Errorf("unexpected zone: %s", zone)
+	}
+	return zone[:ix], nil
+}
+
+func isHTTPErrorCode(err error, code int) bool {
+	apiErr, ok := err.(*googleapi.Error)
+	return ok && apiErr.Code == code
+}

pkg/cloudprovider/providers/gce/gce_zones.go

@@ -0,0 +1,26 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package gce
+
+import "k8s.io/kubernetes/pkg/cloudprovider"
+
+func (gce *GCECloud) GetZone() (cloudprovider.Zone, error) {
+	return cloudprovider.Zone{
+		FailureDomain: gce.localZone,
+		Region:        gce.region,
+	}, nil
+}