-
Notifications
You must be signed in to change notification settings - Fork 302
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix: Fix GCP Identity Aware Proxy integration errors occurring with grpcio>1.56.0 #2034
Conversation
Signed-off-by: Fabio Grätz <[email protected]>
Signed-off-by: Fabio Grätz <[email protected]>
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## master #2034 +/- ##
==========================================
+ Coverage 84.78% 85.83% +1.05%
==========================================
Files 251 306 +55
Lines 20145 22904 +2759
Branches 3470 3470
==========================================
+ Hits 17080 19660 +2580
- Misses 2470 2649 +179
Partials 595 595 ☔ View full report in Codecov by Sentry. |
Not sure if we want to refresh credentials on every call. Alternatively, could we consider checking the expiry of an existing token (from the claims?) and use that to determine if the credentials need to be refreshed? This is very reminiscent of this issue. Somewhat interesting that a GCP product does not return an appropriate As mentioned in the above PR, the Go client already maps HTTP errors to GRPC ones if a |
You are right, this is unreasonable. As this issue has been giving me headaches for a while, I was so happy yesterday that all of a sudden I had something working that my brain happily jumped to conclusions ^^
Since flytekit receives the token for the
Isn't it not only similar but exactly the same issue? Here, @yashykt also explained that "the value of content-type key received is text/html which is failing parsing".
Especially interesting that a GCP product does that even after flytekit, with this fix, explicitly says it accepts
Let's do that. |
OMG, now the proxy adds to the woes of grpc? |
Fixed in #2212 |
Why are the changes needed?
Flyte recently integrated with GCP Identity Aware Proxy, including a reference deployment using the GCE Ingress controller instead of the Nginx Ingress controller: flyteorg/flyte#3965
Around the same time as the respective flytekit PR was merged, a restriction on the
grpcio
version required byflytekit
was lifted.With the previously pinned versions of
grpcio
, namely versionsgrpcio>=1.50.0,!=1.55.0,<1.53.1,<2.0
, the integration with GCP Identity Aware Proxy worked. However, for newer versions ofgrpcio
, flytekit isn't able to make requests to flyteadmin through IAP anymore.This PR proposes a fix that enables flytekit to make requests through IAP also for newer
grpcio
versions.What changes were proposed in this pull request?
For these
grpcio
versions, requests through IAP currently work/don't work:For the versions which don't work, the warning/error message is:
When using a version for which the call to flyteadmin is ultimately successful, this warning (similar but not exactly the same) is shown:
E1208 16:37:04.492457000 4307731840 hpack_parser.cc:853] Error parsing metadata: error=invalid value key=content-type value=text/html; charset=UTF-8
A colleague of mine, @fellhorn, realized that when one makes an authenticated request to one of the flyteadmin grpc services through IAP, the content-type of the response is
application/grpc
...... whereas if one makes an unauthenticated request (e.g. incognito window), the content type of the response returned by IAP is
text/html
:This explains the warning:
E1208 16:37:04.492457000 4307731840 hpack_parser.cc:853] Error parsing metadata: error=invalid value key=content-type value=text/html; charset=UTF-8
Flytekit's
AuthUnaryInterceptor
first tries to make an unauthenticated request and if it receives a 401 error, tries again with auth metadata.For authentication with flyteadmin this makes a lot of sense as it might not be configured to use authentication. Generally, the philosophy appears to be that the client doesn't have to be configured correctly, flyteadmin will tell it how to authenticate.
I propose to not attach auth metadata for proxies like GCP Identity Aware Proxy lazily but instead always include it proactively. This solves the error with the wrong content-type.
Considering alternatives:
If flyteadmin is behind a proxy, unauthenticated requests (with the proxy, not flyte) cannot ever reach flyteadmin. This means that flyteadmin cannot tell the user how to authenticate as the requests never reach it and even if they did, flyteadmin is not aware of the proxy. This means the user has to actively configure proxy-authorization by including a
proxyCommand
in the flyte client config anyways. And if the user does so, I would argue that it is also acceptable to make use of the knowledge that requests without proxy-authorization are expected to fail anyways. Also it saves a request every time.The alternative would be to somehow handle the unexpected context type
text/html
on unauthenticated requests.Check all the applicable boxes