Problem using swagger generated api with Kubeflow behind IAP in GCP

[vmolina]

/kind bug

What steps did you take and what happened:
The swagger generated api does not use any authentication therefore it cannot be access from outside the kubeflow cluster when it is behind the IAP service In Google Cloud.

What did you expect to happen:
I set up the client authentication in a similar maner to that of kubeflow pipelines.

    config = openapi_client.Configuration()
    config.host = "https://kubeflowtest.endpoints.edo-dev-ds-datalake.cloud.goog/metadata"
    token = get_auth_token(client_id)
    config.api_key['authorization'] = token
    config.api_key_prefix['authorization'] = 'Bearer'
    client = openapi_client.ApiClient(config)
    MetadataApi = openapi_client.MetadataServiceApi(client)
    executions = MetadataApi.list_executions2()

Notice that get_auth_token is copy pasted from kfp._auth library.

The obtained response is
kubeflow.metadata.openapi_client.exceptions.ApiException: (401) Reason: Unauthorized HTTP response headers: HTTPHeaderDict({'Date': 'Tue, 29 Oct 2019 19:58:05 GMT', 'Content-Length': '36', 'Content-Type': 'text/html; charset=UTF-8', 'X-Goog-IAP-Generated-Response': 'true', 'Alt-Svc': 'clear'}) HTTP response body: Invalid IAP credentials: empty token

The problem is that int he swagger files
there is no mention to the authentication.

Adding security definitions as in https://github.com/kubeflow/pipelines/blob/master/backend/api/swagger/run.swagger.json
should work.

[jtfogarty]

/area engprod
/priority p2

[jtfogarty]

/platform gcp