Merge pull request #101884 from avrittrohwer/gce-curl-cleanup

Gce curl cleanup
2025-11-03 19:58:17 +00:00 · 2021-05-12 20:42:24 -07:00
parent e6e6536c1f 0a5a697882
commit 2076dabc38
5 changed files with 68 additions and 54 deletions
--- a/cluster/common.sh
+++ b/cluster/common.sh
@@ -221,7 +221,7 @@ function get-kubeconfig-user-basicauth() {
 #   KUBE_PASSWORD
 function gen-kube-basicauth() {
    KUBE_USER='admin'
-    KUBE_PASSWORD=$(python -c 'import string,random; print("".join(random.SystemRandom().choice(string.ascii_letters + string.digits) for _ in range(16)))')
+    KUBE_PASSWORD=$(python3 -c 'import string,random; print("".join(random.SystemRandom().choice(string.ascii_letters + string.digits) for _ in range(16)))')
 }

 # Get the bearer token for the current-context in kubeconfig if one exists.
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -28,6 +28,9 @@ set -o pipefail
 ### Hardcoded constants
 METADATA_SERVER_IP="${METADATA_SERVER_IP:-169.254.169.254}"

+# Standard curl flags.
+CURL_FLAGS='--fail --silent --show-error --retry 5 --retry-delay 3 --connect-timeout 10 --retry-connrefused'
+
 function convert-manifest-params {
  # A helper function to convert the manifest args from a string to a list of
  # flag arguments.
@@ -2278,14 +2281,10 @@ function download-extra-addons {

  mkdir -p "${out_dir}"

+  # shellcheck disable=SC2206
  local curl_cmd=(
    "curl"
-    "--fail"
-    "--retry" "5"
-    "--retry-delay" "3"
-    "--silent"
-    "--show-error"
-    "--retry-connrefused"
+    ${CURL_FLAGS}
  )
  if [[ -n "${EXTRA_ADDONS_HEADER:-}" ]]; then
    curl_cmd+=("-H" "${EXTRA_ADDONS_HEADER}")
@@ -2307,14 +2306,10 @@ function get-metadata-value {
  local default="${2:-}"

  local status
-  curl \
-      --retry 5 \
-      --retry-delay 3 \
-      --retry-connrefused \
-      --fail \
-      --silent \
-      -H 'Metadata-Flavor: Google' \
-      "http://metadata/computeMetadata/v1/${1}" \
+  # shellcheck disable=SC2086
+  curl ${CURL_FLAGS} \
+    -H 'Metadata-Flavor: Google' \
+    "http://metadata/computeMetadata/v1/${1}" \
  || status="$?"
  status="${status:-0}"

@@ -3158,7 +3153,7 @@ function log-trap-pop {
 function log-error {
  local bootstep="$1"

-  log-proto "${bootstep}" "${LOG_STATUS_ERROR}" "error calling '${BASH_COMMAND}'"
+  log-proto "${bootstep}" "${LOG_STATUS_ERROR}" "encountered non-zero exit code"
 }

 # Wraps a command with bootstrap logging.
--- a/cluster/gce/gci/configure.sh
+++ b/cluster/gce/gci/configure.sh
@@ -33,6 +33,9 @@ DEFAULT_CRICTL_HASH='e4fb9822cb5f71ab8f85021c66170613aae972f4b32030e42868fb36a3b
 DEFAULT_MOUNTER_TAR_SHA='7956fd42523de6b3107ddc3ce0e75233d2fcb78436ff07a1389b6eaac91fb2b1b72a08f7a219eaf96ba1ca4da8d45271002e0d60e0644e796c665f99bb356516'
 ###

+# Standard curl flags.
+CURL_FLAGS='--fail --silent --show-error --retry 5 --retry-delay 3 --connect-timeout 10 --retry-connrefused'
+
 function set-broken-motd {
  cat > /etc/motd <<EOF
 Broken (or in progress) Kubernetes node setup! Check the cluster initialization status
@@ -59,14 +62,10 @@ function get-metadata-value {
  local default="${2:-}"

  local status
-  curl \
-      --retry 5 \
-      --retry-delay 3 \
-      --retry-connrefused \
-      --fail \
-      --silent \
-      -H 'Metadata-Flavor: Google' \
-      "http://metadata/computeMetadata/v1/${1}" \
+  # shellcheck disable=SC2086
+  curl ${CURL_FLAGS} \
+    -H 'Metadata-Flavor: Google' \
+    "http://metadata/computeMetadata/v1/${1}" \
  || status="$?"
  status="${status:-0}"

@@ -82,7 +81,8 @@ function download-kube-env {
  (
    umask 077
    local -r tmp_kube_env="/tmp/kube-env.yaml"
-    curl --fail --retry 5 --retry-delay 3 --retry-connrefused --silent --show-error \
+    # shellcheck disable=SC2086
+    retry-forever 10 curl ${CURL_FLAGS} \
      -H "X-Google-Metadata-Request: True" \
      -o "${tmp_kube_env}" \
      http://metadata.google.internal/computeMetadata/v1/instance/attributes/kube-env
@@ -104,16 +104,13 @@ function download-kubelet-config {
  (
    umask 077
    local -r tmp_kubelet_config="/tmp/kubelet-config.yaml"
-    if curl --fail --retry 5 --retry-delay 3 --retry-connrefused --silent --show-error \
-        -H "X-Google-Metadata-Request: True" \
-        -o "${tmp_kubelet_config}" \
-        http://metadata.google.internal/computeMetadata/v1/instance/attributes/kubelet-config; then
-      # only write to the final location if curl succeeds
-      mv "${tmp_kubelet_config}" "${dest}"
-    elif [[ "${REQUIRE_METADATA_KUBELET_CONFIG_FILE:-false}" == "true" ]]; then
-      echo "== Failed to download required Kubelet config file from metadata server =="
-      exit 1
-    fi
+    # shellcheck disable=SC2086
+    retry-forever 10 curl ${CURL_FLAGS} \
+      -H "X-Google-Metadata-Request: True" \
+      -o "${tmp_kubelet_config}" \
+      http://metadata.google.internal/computeMetadata/v1/instance/attributes/kubelet-config
+    # only write to the final location if curl succeeds
+    mv "${tmp_kubelet_config}" "${dest}"
  )
 }

@@ -122,7 +119,8 @@ function download-kube-master-certs {
  (
    umask 077
    local -r tmp_kube_master_certs="/tmp/kube-master-certs.yaml"
-    curl --fail --retry 5 --retry-delay 3 --retry-connrefused --silent --show-error \
+    # shellcheck disable=SC2086
+    retry-forever 10 curl ${CURL_FLAGS} \
      -H "X-Google-Metadata-Request: True" \
      -o "${tmp_kube_master_certs}" \
      http://metadata.google.internal/computeMetadata/v1/instance/attributes/kube-master-certs
@@ -152,12 +150,19 @@ function validate-hash {
 # Get default service account credentials of the VM.
 GCE_METADATA_INTERNAL="http://metadata.google.internal/computeMetadata/v1/instance"
 function get-credentials {
-  curl --fail --retry 5 --retry-delay 3 --retry-connrefused --silent --show-error "${GCE_METADATA_INTERNAL}/service-accounts/default/token" -H "Metadata-Flavor: Google" -s | python3 -c \
-    'import sys; import json; print(json.loads(sys.stdin.read())["access_token"])'
+  # shellcheck disable=SC2086
+  curl ${CURL_FLAGS} \
+    -H "Metadata-Flavor: Google" \
+    "${GCE_METADATA_INTERNAL}/service-accounts/default/token" \
+  | python3 -c 'import sys; import json; print(json.loads(sys.stdin.read())["access_token"])'
 }

 function valid-storage-scope {
-  curl --fail --retry 5 --retry-delay 3 --retry-connrefused --silent --show-error "${GCE_METADATA_INTERNAL}/service-accounts/default/scopes" -H "Metadata-Flavor: Google" -s | grep -E "auth/devstorage|auth/cloud-platform"
+  # shellcheck disable=SC2086
+  curl ${CURL_FLAGS} \
+    -H "Metadata-Flavor: Google" \
+    "${GCE_METADATA_INTERNAL}/service-accounts/default/scopes" \
+  | grep -E "auth/devstorage|auth/cloud-platform"
 }

 # Retry a download until we get it. Takes a hash and a set of URLs.
@@ -455,8 +460,11 @@ function install-docker {
  release=$(lsb_release -cs)

  # Add the Docker apt-repository
-  curl -fsSL "https://download.docker.com/${HOST_PLATFORM}/$(. /etc/os-release; echo "$ID")/gpg" \
-    | apt-key add -
+  # shellcheck disable=SC2086
+  curl ${CURL_FLAGS} \
+    --location \
+    "https://download.docker.com/${HOST_PLATFORM}/$(. /etc/os-release; echo "$ID")/gpg" \
+  | apt-key add -
  add-apt-repository \
    "deb [arch=${HOST_ARCH}] https://download.docker.com/${HOST_PLATFORM}/$(. /etc/os-release; echo "$ID") \
    $release stable"
@@ -491,8 +499,11 @@ function install-containerd-ubuntu {
  release=$(lsb_release -cs)

  # Add the Docker apt-repository (as we install containerd from there)
-  curl -fsSL "https://download.docker.com/${HOST_PLATFORM}/$(. /etc/os-release; echo "$ID")/gpg" \
-    | apt-key add -
+  # shellcheck disable=SC2086
+  curl ${CURL_FLAGS} \
+    --location \
+    "https://download.docker.com/${HOST_PLATFORM}/$(. /etc/os-release; echo "$ID")/gpg" \
+  | apt-key add -
  add-apt-repository \
    "deb [arch=${HOST_ARCH}] https://download.docker.com/${HOST_PLATFORM}/$(. /etc/os-release; echo "$ID") \
    $release stable"
@@ -511,8 +522,13 @@ function install-containerd-ubuntu {
      exit 2
    fi
    # containerd versions have slightly different url(s), so try both
-    ( curl -fsSL "https://github.com/containerd/containerd/releases/download/${UBUNTU_INSTALL_CONTAINERD_VERSION}/containerd-${UBUNTU_INSTALL_CONTAINERD_VERSION:1}-${HOST_PLATFORM}-${HOST_ARCH}.tar.gz" || \
-      curl -fsSL "https://github.com/containerd/containerd/releases/download/${UBUNTU_INSTALL_CONTAINERD_VERSION}/containerd-${UBUNTU_INSTALL_CONTAINERD_VERSION:1}.${HOST_PLATFORM}-${HOST_ARCH}.tar.gz" ) \
+    # shellcheck disable=SC2086
+    ( curl ${CURL_FLAGS} \
+        --location \
+        "https://github.com/containerd/containerd/releases/download/${UBUNTU_INSTALL_CONTAINERD_VERSION}/containerd-${UBUNTU_INSTALL_CONTAINERD_VERSION:1}-${HOST_PLATFORM}-${HOST_ARCH}.tar.gz" \
+      || curl ${CURL_FLAGS} \
+        --location \
+        "https://github.com/containerd/containerd/releases/download/${UBUNTU_INSTALL_CONTAINERD_VERSION}/containerd-${UBUNTU_INSTALL_CONTAINERD_VERSION:1}.${HOST_PLATFORM}-${HOST_ARCH}.tar.gz" ) \
    | tar --overwrite -xzv -C /usr/
  fi
  if [[ -n "${UBUNTU_INSTALL_RUNC_VERSION:-}" ]]; then
@@ -521,7 +537,11 @@ function install-containerd-ubuntu {
      echo "Unable to automatically install runc in non-amd64. Bailing out..."
      exit 2
    fi
-    curl -fsSL "https://github.com/opencontainers/runc/releases/download/${UBUNTU_INSTALL_RUNC_VERSION}/runc.${HOST_ARCH}" --output /usr/sbin/runc && chmod 755 /usr/sbin/runc
+    # shellcheck disable=SC2086
+    curl ${CURL_FLAGS} \
+      --location \
+      "https://github.com/opencontainers/runc/releases/download/${UBUNTU_INSTALL_RUNC_VERSION}/runc.${HOST_ARCH}" --output /usr/sbin/runc \
+    && chmod 755 /usr/sbin/runc
  fi
  sudo systemctl start containerd
 }
@@ -755,7 +775,7 @@ function log-trap-pop {
 function log-error {
  local bootstep="$1"

-  log-proto "${bootstep}" "${LOG_STATUS_ERROR}" "error calling '${BASH_COMMAND}'"
+  log-proto "${bootstep}" "${LOG_STATUS_ERROR}" "encountered non-zero exit code"
 }

 # Wraps a command with bootstrap logging.
@@ -855,14 +875,14 @@ KUBE_HOME="/home/kubernetes"
 KUBE_BIN="${KUBE_HOME}/bin"

 # download and source kube-env
-log-wrap 'DownloadKubeEnv' retry-forever 30 download-kube-env
+log-wrap 'DownloadKubeEnv' download-kube-env
 log-wrap 'SourceKubeEnv' source "${KUBE_HOME}/kube-env"

-log-wrap 'DownloadKubeletConfig' retry-forever 10 download-kubelet-config "${KUBE_HOME}/kubelet-config.yaml"
+log-wrap 'DownloadKubeletConfig' download-kubelet-config "${KUBE_HOME}/kubelet-config.yaml"

 # master certs
 if [[ "${KUBERNETES_MASTER:-}" == "true" ]]; then
-  log-wrap 'DownloadKubeMasterCerts' retry-forever 10 download-kube-master-certs
+  log-wrap 'DownloadKubeMasterCerts' download-kube-master-certs
 fi

 # ensure chosen container runtime is present
--- a/cluster/gce/gci/master.yaml
+++ b/cluster/gce/gci/master.yaml
@@ -9,7 +9,6 @@ users:
 - name: kube-bootstrap-logs-forwarder
  gecos: User the kube-bootstrap-logs-forwarder.service runs as.
  system: true
-  sudo: false

 write_files:
  - path: /etc/systemd/system/kube-bootstrap-logs-forwarder.service
@@ -46,7 +45,7 @@ write_files:
      ExecStartPre=/bin/mkdir -p /home/kubernetes/bin
      ExecStartPre=/bin/mount --bind /home/kubernetes/bin /home/kubernetes/bin
      ExecStartPre=/bin/mount -o remount,exec /home/kubernetes/bin
-      ExecStartPre=/usr/bin/curl --fail --retry 600 --retry-delay 3 --retry-connrefused --silent --show-error -H "X-Google-Metadata-Request: True" -o /home/kubernetes/bin/configure.sh http://metadata.google.internal/computeMetadata/v1/instance/attributes/configure-sh
+      ExecStartPre=/usr/bin/curl --fail --retry 600 --retry-delay 3 --retry-connrefused --connect-timeout 10 --silent --show-error -H "X-Google-Metadata-Request: True" -o /home/kubernetes/bin/configure.sh http://metadata.google.internal/computeMetadata/v1/instance/attributes/configure-sh
      ExecStartPre=/bin/chmod 544 /home/kubernetes/bin/configure.sh
      ExecStart=/home/kubernetes/bin/configure.sh

@@ -65,7 +64,7 @@ write_files:
      [Service]
      Type=oneshot
      RemainAfterExit=yes
-      ExecStartPre=/usr/bin/curl --fail --retry 5 --retry-delay 3 --retry-connrefused --silent --show-error -H "X-Google-Metadata-Request: True" -o /home/kubernetes/bin/kube-master-internal-route.sh http://metadata.google.internal/computeMetadata/v1/instance/attributes/kube-master-internal-route
+      ExecStartPre=/usr/bin/curl --fail --retry 5 --retry-delay 3 --retry-connrefused --connect-timeout 10 --silent --show-error -H "X-Google-Metadata-Request: True" -o /home/kubernetes/bin/kube-master-internal-route.sh http://metadata.google.internal/computeMetadata/v1/instance/attributes/kube-master-internal-route
      ExecStartPre=/bin/chmod 544 /home/kubernetes/bin/kube-master-internal-route.sh
      ExecStart=/home/kubernetes/bin/kube-master-internal-route.sh

--- a/cluster/gce/util.sh
+++ b/cluster/gce/util.sh
@@ -1911,7 +1911,7 @@ function update-or-verify-gcloud() {
  else
    local version
    version=$(gcloud version --format=json)
-    python -c"
+    python3 -c"
 import json,sys
 from distutils import version