github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #78552 from mtaufen/use-auth-header 

Windows startup scripts should use Authorization header for GCS requests
k3s-v1.15.3
Kubernetes Prow Robot 2019-06-01 12:12:41 -07:00 committed by GitHub
parent ed4c1ddd23 e2116ef572
commit b82d7cabf4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 32 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
cluster/gce/windows/common.psm1
View File

@ -131,16 +131,23 @@ function MustDownload-File {
param (
[parameter(Mandatory=$false)] [string]$Hash,
[parameter(Mandatory=$true)] [string]$OutFile,
[parameter(Mandatory=$true)] [System.Collections.Generic.List[String]]$URLs
[parameter(Mandatory=$true)] [System.Collections.Generic.List[String]]$URLs,
[parameter(Mandatory=$false)] [System.Collections.IDictionary]$Headers = @{}
)
While($true) {
ForEach($url in $URLs) {
# If the URL is for GCS and the node has dev storage scope, add the
# service account token to the request headers.
if (($url -match "^https://storage`.googleapis`.com.*") -and $(Check-StorageScope)) {
$Headers["Authorization"] = "Bearer $(Get-Credentials)"
}
# Attempt to download the file
Try {
# TODO(mtaufen): When we finally get a Windows version that has Powershell 6
# installed we can set `-MaximumRetryCount 6 -RetryIntervalSec 10` to make this even more robust.
Invoke-WebRequest $url -OutFile $OutFile -TimeoutSec 300
$result = Invoke-WebRequest $url -Headers $Headers -OutFile $OutFile -TimeoutSec 300
} Catch {
$message = $_.Exception.ToString()
Log-Output "Failed to download file from $url. Will retry. Error: $message"
@ -164,6 +171,29 @@ function MustDownload-File {
}
}
# Returns the default service account token for the VM, retrieved from
# the instance metadata.
function Get-Credentials {
While($true) {
$data = Get-InstanceMetadata -Key "service-accounts/default/token"
if ($data) {
return ($data | ConvertFrom-Json).access_token
}
Start-Sleep -Seconds 1
}
}
# Returns True if the VM has the dev storage scope, False otherwise.
function Check-StorageScope {
While($true) {
$data = Get-InstanceMetadata -Key "service-accounts/default/scopes"
if ($data) {
return ($data -match "auth/devstorage")
}
Start-Sleep -Seconds 1
}
}
# This compiles some C# code that can make syscalls, and pulls the
# result into our powershell environment so we can make syscalls from this script.
# We make syscalls directly, because whatever the powershell cmdlets do under the hood,