/kind bug
What steps did you take and what happened:
The swagger-generated API does not use any authentication; therefore, it cannot be accessed from outside the Kubeflow cluster when it is behind the IAP service in Google Cloud.
What did you expect to happen:
I set up the client authentication in a similar manner to that of Kubeflow Pipelines.
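```python
from kubeflow.metadata import openapi_client

# client_id must be defined before this point.
config = openapi_client.Configuration()
config.host = "https://kubeflowtest.endpoints.edo-dev-ds-datalake.cloud.goog/metadata"
# get_auth_token is copied from kfp._auth.
token = get_auth_token(client_id)
# Ask the generated client to send "authorization: Bearer <token>".
config.api_key['authorization'] = token
config.api_key_prefix['authorization'] = 'Bearer'
client = openapi_client.ApiClient(config)
MetadataApi = openapi_client.MetadataServiceApi(client)
executions = MetadataApi.list_executions2()
```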
Note that get_auth_token is copy-pasted from the kfp._auth library.
The obtained response is
```
kubeflow.metadata.openapi_client.exceptions.ApiException: (401)
Reason: Unauthorized
HTTP response headers: HTTPHeaderDict({'Date': 'Tue, 29 Oct 2019 19:58:05 GMT', 'Content-Length': '36', 'Content-Type': 'text/html; charset=UTF-8', 'X-Goog-IAP-Generated-Response': 'true', 'Alt-Svc': 'clear'})
HTTP response body: Invalid IAP credentials: empty token
```
The problem is that in the swagger files
there is no mention of authentication.
Adding security definitions as in https://github.com/kubeflow/pipelines/blob/master/backend/api/swagger/run.swagger.json
should work.
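
An added example, not part of the original issue or of the Kubeflow code: a check that lists the operations in a Swagger 2.0 document that have no usable security requirement, before and after a header `apiKey` definition is applied globally. The sample spec, its paths, and the scheme name `Bearer` are constructed assumptions; the header name `authorization` matches the `api_key` entry used in the client code above.

```python
import copy

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}

def unauthenticated_operations(spec):
    """Return sorted 'METHOD path' strings for operations with no usable security requirement."""
    defined = set(spec.get("securityDefinitions", {}))
    global_reqs = spec.get("security", [])
    missing = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # skip path-level keys such as "parameters"
            # An operation-level "security" overrides the global one; [] disables auth.
            reqs = op.get("security", global_reqs)
            # A requirement is usable only if it names schemes and all of them are defined.
            usable = [r for r in reqs if r and set(r) <= defined]
            # An empty requirement object {} makes authentication optional.
            if not usable or any(not r for r in reqs):
                missing.append(f"{method.upper()} {path}")
    return sorted(missing)

def with_bearer_header(spec, scheme="Bearer", header="authorization"):
    """Return a copy of spec with an apiKey-in-header scheme required globally."""
    fixed = copy.deepcopy(spec)
    fixed.setdefault("securityDefinitions", {})[scheme] = {
        "type": "apiKey", "name": header, "in": "header"}
    fixed["security"] = [{scheme: []}]
    return fixed

# Constructed sample spec (not the real metadata swagger file).
SAMPLE_SPEC = {
    "swagger": "2.0",
    "paths": {
        "/example/executions": {"get": {"operationId": "ListExecutions"}},
        # Explicit per-operation opt-out: stays unauthenticated after the fix.
        "/example/healthz": {"get": {"operationId": "Health", "security": []}},
    },
}

if __name__ == "__main__":
    print("before:", unauthenticated_operations(SAMPLE_SPEC))
    print("after: ", unauthenticated_operations(with_bearer_header(SAMPLE_SPEC)))
```

Running the check against the spec before regenerating the client shows which calls would go out without a credential; operations that set `"security": []` remain listed because they override the global requirement.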