Kubeflow Notebooks: kfp.Client cannot authenticate. Error: JWT issuer is not configured

[ncbkr]

Summary

Working inside a Jupyter Notebook, I want to use Kubeflow Pipelines SDK to create and run pipelines. When creating the notebook, I selected the "Allow access to Kubeflow Pipelines" checkbox from the PodDefault configurations.

When trying to list experiments, the following exception is raised:

ApiException: (401)
Reason: Unauthorized
HTTP response headers: HTTPHeaderDict({'content-length': '28', 'content-type': 'text/plain', 'date': 'Mon, 07 Feb 2022 08:02:50 GMT', 'server': 'envoy', 'x-envoy-upstream-service-time': '23'})
HTTP response body: Jwt issuer is not configured

Reproduction

Create a new notebook server and select the "Allow access to Kubeflow Pipelines" checkbox from the PodDefault configurations. Connect to the notebook and run the following code.

import os

import kfp

# needed because automatic configuration does not work atm
def read_token_from_file(path=None):
    """Read a token found in some file."""
    token = None
    with open(path, "r") as f:
        token = f.read().strip()
    return token

client = kfp.Client(host='http://kubeflow-pipelines-api-server.kubeflow.svc.cluster.local:8888',
                   existing_token=read_token_from_file(path=os.getenv('KF_PIPELINES_SA_TOKEN_PATH')))
print(client.list_experiments())

Additional Info about Your Environment

running a plural managed cluster on AWS EKS with Kubeflow installed.

---

Message from the maintainers:

Impacted by this bug? Give it a 👍. We factor engagement into prioritization.

[ncbkr]

We deleted the RequestAuthentication resource from the kubeflow namespace. After that, authentication against the kf pipelines api server is working as expected.

kubectl delete RequestAuthentication --namespace kubeflow kubeflow-request-auth