auth/cloud-platform is a superset of devstorage.

Also fix the curl in get-kube.sh
This commit is contained in:
Sen Lu 2019-09-17 11:07:37 -07:00
parent e7090e8f5e
commit e3fdebbe62
3 changed files with 21 additions and 4 deletions


@ -131,7 +131,7 @@ function get-credentials {
}
function valid-storage-scope {
curl --fail --retry 5 --retry-delay 3 ${CURL_RETRY_CONNREFUSED} --silent --show-error "${GCE_METADATA_INTERNAL}/service-accounts/default/scopes" -H "Metadata-Flavor: Google" -s | grep -q "auth/devstorage"
curl --fail --retry 5 --retry-delay 3 ${CURL_RETRY_CONNREFUSED} --silent --show-error "${GCE_METADATA_INTERNAL}/service-accounts/default/scopes" -H "Metadata-Flavor: Google" -s | grep -E "auth/devstorage|auth/cloud-platform"
}
# Retry a download until we get it. Takes a hash and a set of URLs.
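Review bot: The rewritten grep in valid-storage-scope dropped the `-q` that the replaced line had, so on success the function now writes the matching scopes line to stdout; because it is called as part of an `if` condition inside download_tarball, that line lands in the caller's stdout. `grep -qE "auth/devstorage|auth/cloud-platform"` keeps the exit status the condition relies on and stays quiet. The same `-q` was dropped in the two other valid-storage-scope hunks of this commit (the ones headed `@ -151,7 +151,7` and `@ -122,6 +122,17`), so the fix applies there as well. The trailing `-s` on the curl line repeats the `--silent` already given and can be removed when the line is touched.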


@ -151,7 +151,7 @@ function get-credentials {
}
function valid-storage-scope {
curl "${GCE_METADATA_INTERNAL}/service-accounts/default/scopes" -H "Metadata-Flavor: Google" -s | grep -q "auth/devstorage"
curl "${GCE_METADATA_INTERNAL}/service-accounts/default/scopes" -H "Metadata-Flavor: Google" -s | grep -E "auth/devstorage|auth/cloud-platform"
}
function download_tarball() {
@ -166,7 +166,7 @@ function download_tarball() {
mkdir -p "${download_path}"
if [[ $(which curl) ]]; then
# if the url belongs to GCS API we should use oauth2_token in the headers
local curl_headers=""
curl_headers=""
if { [[ "${KUBERNETES_PROVIDER:-gce}" == "gce" ]] || [[ "${KUBERNETES_PROVIDER}" == "gke" ]] ; } &&
[[ "$url" =~ ^https://storage.googleapis.com.* ]] && valid-storage-scope ; then
curl_headers="Authorization: Bearer $(get-credentials)"
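Review bot: Replacing `local curl_headers=""` with `curl_headers=""` inside download_tarball turns the variable into a script-global, so the header string (which later holds a bearer token) outlives the function call and is visible to everything that runs afterwards. Unless some caller is meant to read it after the function returns, the declaration should stay `local curl_headers=""`; since the initializer is a literal and not a command substitution, there is no exit-code masking to worry about. download_tarball's body begins and ends outside this hunk.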


@ -122,6 +122,17 @@ function create_cluster {
)
}
# Get default service account credentials of the VM.
GCE_METADATA_INTERNAL="http://metadata.google.internal/computeMetadata/v1/instance"
function get-credentials {
curl "${GCE_METADATA_INTERNAL}/service-accounts/default/token" -H "Metadata-Flavor: Google" -s | python -c \
'import sys; import json; print(json.loads(sys.stdin.read())["access_token"])'
}
function valid-storage-scope {
curl "${GCE_METADATA_INTERNAL}/service-accounts/default/scopes" -H "Metadata-Flavor: Google" -s | grep -E "auth/devstorage|auth/cloud-platform"
}
if [[ -n "${KUBERNETES_SKIP_DOWNLOAD-}" ]]; then
create_cluster
exit 0
@ -228,7 +239,13 @@ fi
if "${need_download}"; then
if [[ $(which curl) ]]; then
curl -fL --retry 5 --keepalive-time 2 "${kubernetes_tar_url}" -o "${file}"
# if the url belongs to GCS API we should use oauth2_token in the headers
curl_headers=""
if { [[ "${KUBERNETES_PROVIDER:-gce}" == "gce" ]] || [[ "${KUBERNETES_PROVIDER}" == "gke" ]] ; } &&
[[ "$kubernetes_tar_url" =~ ^https://storage.googleapis.com.* ]] && valid-storage-scope ; then
curl_headers="Authorization: Bearer $(get-credentials)"
fi
curl ${curl_headers:+-H "${curl_headers}"} -fL --retry 3 --keepalive-time 2 "${kubernetes_tar_url}" -o "${file}"
elif [[ $(which wget) ]]; then
wget "${kubernetes_tar_url}"
else
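Review bot: In the `@ -228,7 +239,13` hunk the access token returned by get-credentials is placed into curl's argument list via `-H "${curl_headers}"`, which exposes it in the process listing (`ps`, `/proc/<pid>/cmdline`) to any local user for the whole download and echoes it into the trace if the script is ever run under `set -x`. curl can read headers from a file (`-H @file`), so writing the header into a `mktemp` file (created mode 0600) and passing its name keeps the token off the command line; if get-kube.sh already installs an EXIT trap elsewhere, fold the cleanup into it rather than overwriting it. Separately, get-credentials in the `@ -122,6 +122,17` hunk pipes the metadata response into `json.loads` without `--fail`, so a non-2xx body would presumably surface as a Python traceback rather than a clear curl error; adding `-f` there makes the failure mode explicit.
```shell
    # if the url belongs to GCS API we should use oauth2_token in the headers
    curl_header_file=""
    if { [[ "${KUBERNETES_PROVIDER:-gce}" == "gce" ]] || [[ "${KUBERNETES_PROVIDER}" == "gke" ]] ; } &&
       [[ "$kubernetes_tar_url" =~ ^https://storage.googleapis.com.* ]] && valid-storage-scope ; then
      # keep the token out of argv: curl reads the header line from a 0600 temp file
      curl_header_file=$(mktemp)
      trap 'rm -f -- "${curl_header_file}"' EXIT
      printf 'Authorization: Bearer %s\n' "$(get-credentials)" > "${curl_header_file}"
    fi
    curl ${curl_header_file:+-H "@${curl_header_file}"} -fL --retry 3 --keepalive-time 2 "${kubernetes_tar_url}" -o "${file}"
    # … unchanged: wget fallback …
```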