Feat: Enable proxy-authorization in admin client

[fg91]

TL;DR

Part of an effort to integrate Flyte with GCP Identity Aware Proxy, see flyteorg/flyte#3965.

Allows the flyteidl admin client to sent a "proxy-authorization" header with every request to flyteadmin. Tokens for this header are created using an external command which is configured via the new proxyCommand config entry.

Same logic as was introduced in flytekit in flyteorg/flytekit#1787.

I replicated the existing logic in MaterializeCredentials and NewAuthInterceptor for the second token. The external command is called a single time per flytectl call.

Type

• Bug Fix
• Feature
• Plugin

Are all requirements met?

• Code completed
• Smoke tested
• Unit tests added
• Code documentation added
• Any pending items have an associated Issue

Complete description

See flyteorg/flyte#3965

Tracking Issue

Closes flyteorg/flyte#3965

Follow-up issue

NA

[codecov]

Codecov Report

Patch coverage: 73.01% and project coverage change: +2.46% 🎉

Comparison is base (7f62a15) 75.92% compared to head (4141f5e) 78.39%.
Report is 2 commits behind head on master.

❗ Current head 4141f5e differs from pull request most recent head 89ab23c. Consider uploading reports for the commit 89ab23c to get more accurate results

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #437      +/-   ##
==========================================
+ Coverage   75.92%   78.39%   +2.46%     
==========================================
  Files          18       18              
  Lines        1458     1296     -162     
==========================================
- Hits         1107     1016      -91     
+ Misses        294      217      -77     
- Partials       57       63       +6     

Flag	Coverage Δ
unittests	?

Flags with carried forward coverage won't be shown. Click here to find out more.

Files Changed	Coverage Δ
clients/go/admin/config.go	50.00% <ø> (ø)
clients/go/admin/client.go	84.68% <70.00%> (-2.54%)	⬇️
clients/go/admin/auth_interceptor.go	73.75% <71.73%> (+8.93%)	⬆️
clients/go/admin/pkce/auth_flow_orchestrator.go	51.02% <75.00%> (-13.98%)	⬇️
clients/go/admin/pkce/handle_app_call_back.go	94.11% <100.00%> (-0.76%)	⬇️

... and 13 files with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[fg91]

Adapted from MaterializeAuthCredentials.

[fg91]

Adapted from NewAuthInterceptor.

[fg91]

If using a proxy, we need to use the http client created in auth_interceptor.go to retrieve the token. So far, this client wasn't used.

[fg91]

The external command is called a single time per call of flytectl. After the call of the external command, the credentials future is initialized and can be reused for further grpc calls.

[wild-endeavor]

looks okay by me. tested with existing aws clusters as well - client credentials, pkce, device flow all continue to work

[eapolinario]

I moved this PR to the monorepo: flyteorg/flyte#4189.