Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Revise proxy configuration, add integration testing #325

Merged
merged 32 commits into from
Mar 21, 2024

Conversation

jhamon
Copy link
Collaborator

@jhamon jhamon commented Mar 19, 2024

Problem

We want to expose proxy configuration fields as top-level config params and move away from users passing an OpenApiConfiguration instance with openapi_config (as was done in 2.x versions of the sdk). Passing these objects is not something we documented or had shown as a named configuration param, but is something people assumed would work as a hangover from the way things were done in the old client.

Currently OpenApi generated code is part of our implementation, but we may want to swap out something else in the future so it doesn't make sense to use this OpenApiConfiguration object as part of our public interface. And since the openapi config object also needs to be configured with api key and host, it competes with these other config params in a way that is pretty confusing.

Solution

  • Add new configuration parameters for proxy_url, proxy_headers, ssl_ca_certs, and ssl_verify.
  • Document the use of these properties in the README and doc strings
  • Emit a warning message when users are passing openapi_config encouraging them to use the new properties.
  • Implement integration tests that run with mitmproxy docker image. For now these are only run in local development.

Usage

from pinecone import Pinecone
import urllib3 import make_headers

pc = Pinecone(
    api_key="YOUR_API_KEY",
    proxy_url='https://your-proxy.com',
    proxy_headers=make_headers(proxy_basic_auth='username:password'),
    ssl_ca_certs='path/to/cert-bundle.pem'
)

This will work, but should emit a deprecation warning:

from pinecone import Pinecone
from pinecone.core.client.configuration import OpenApiConfiguration
import urllib3 import make_headers

config = OpenApiConfiguration()
config.ssl_ca_certs = 'path/to/cert-bundle.pem'
config.proxy_headers = make_headers(proxy_basic_auth='username:password')
config.proxy_url = 'https://your-proxy.com'

pc = Pinecone(
    api_key="YOUR_API_KEY",
    openapi_config=config
) # emits deprecation notice

Future work

We will need to figure out how to deploy the mitmproxy elsewhere (cloud run?) before running tests in CI because Github Actions seems to have a lot of issues with running these docker containers and debugging the errors has proven quite difficult. While GHA can run docker containers, mounting a volume with the required certs causes the container to crash. I'm guessing this is some kind of file permissions issue, but don't have much visibility for debugging.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update
  • Infrastructure change (CI configs, etc)
  • Non-code change (docs, etc)
  • None of the above: (explain here)

Test Plan

Run new tests locally with PINECONE_API_KEY='foo' PINECONE_INDEX_NAME='bar' poetry run pytest tests/integration/proxy_config/ -s -v

Copy link

gitguardian bot commented Mar 20, 2024

⚠️ GitGuardian has uncovered 2 secrets following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secrets in your pull request
GitGuardian id GitGuardian status Secret Commit Filename
10042887 Triggered RSA Private Key b9517f2 tests/integration/proxy_config/.mitm/proxy1/mitmproxy-ca.pem View secret
10042888 Triggered RSA Private Key b9517f2 tests/integration/proxy_config/.mitm/proxy2/mitmproxy-ca.pem View secret
🛠 Guidelines to remediate hardcoded secrets
  1. Understand the implications of revoking this secret by investigating where it is used in your code.
  2. Replace and store your secrets safely. Learn here the best practices.
  3. Revoke and rotate these secrets.
  4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider


🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.

Our GitHub checks need improvements? Share your feedbacks!

@jhamon jhamon changed the title Proxy configuration and intiegration testing Proxy configuration and integration testing Mar 21, 2024
@jhamon jhamon changed the title Proxy configuration and integration testing Revise proxy configuration, add integration testing Mar 21, 2024
@@ -158,3 +158,19 @@ jobs:
index_name: '${{ needs.dependency-matrix-setup.outputs.index_name }}'
PINECONE_API_KEY: '${{ secrets.PINECONE_API_KEY }}'
urllib3_version: '${{ matrix.urllib3_version }}'

deps-cleanup:
Copy link
Collaborator Author

@jhamon jhamon Mar 21, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not really related to the config changes, but keeps us from getting failures due to 20 index per-project limit.

@@ -3,6 +3,54 @@ name: "Integration Tests"
workflow_call: {}

jobs:
# setup-index:
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Leaving this commented code in as I have plans to bring back CI integration tests in a future PR.

@@ -0,0 +1,20 @@
-----BEGIN CERTIFICATE-----
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All of these cert / key things are generated by mitmproxy.

@jhamon jhamon marked this pull request as ready for review March 21, 2024 16:57
Copy link
Contributor

@austin-denoble austin-denoble left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for putting so much effort into this, I think what you've learned working on the implementation here will help us across the board. Overall this all looks good to me, thanks for adding test coverage generally. 🚢

### Proxy configuration

If your network setup requires you to interact with Pinecone via a proxy, you will need
to pass additional configuration using optional keyword parameters. These optional parameters are forwarded to `urllib3`, which is the underlying library currently used by the Pinecone client to make HTTP requests. You may find it helpful to refer to the [urllib3 documentation on working with proxies](https://urllib3.readthedocs.io/en/stable/advanced-usage.html#http-and-https-proxies) while troubleshooting these settings.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice docs-touch referring folks out to urllib3 👍

Comment on lines +68 to +69
# the kwarg will take precedence.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I may be reading this incorrectly, but it doesn't look like we're doing anything with kwargs here or in build?

Is the comment meant to be referencing overriding openapi_config with config?

Copy link
Collaborator Author

@jhamon jhamon Mar 21, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The config object is built using kwarg values (specifically PineconeConfig.build called from the Pinecone constructor). Sorry it's not more clear. Things get confusing when trying to manage and merge these different sources of configuration, which is a big reason I want to deprecate passing openapi_config.

}
}

def docker_command(proxy):
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice work getting all of this set up, thank you.

@jhamon jhamon merged commit 6fa0447 into main Mar 21, 2024
125 checks passed
@jhamon jhamon deleted the jhamon/ssl-config-params branch March 21, 2024 19:56
mcpaddy added a commit to mcpaddy/pinecone-python-client that referenced this pull request May 22, 2024
* 'main' of github.com:pinecone-io/pinecone-python-client:
  [skip ci] Bump version to v4.1.0
  Bump tqdm from 4.66.1 to 4.66.3 (pinecone-io#344)
  Bump idna from 3.4 to 3.7 (pinecone-io#345)
  Bump jinja2 from 3.1.3 to 3.1.4 (pinecone-io#343)
  Add better error messages for mistaken `from_texts` and `from_documents` (pinecone-io#342)
  Support proxy_url and ssl_ca_certs options for gRPC (pinecone-io#341)
  Remove serverless public preview warnings (pinecone-io#340)
  [skip ci] Bump version to v4.0.0
  Improve upsert throughput by 3x (pinecone-io#334)
  Remove `merge` workflow and update `build-and-publish-docs` workflow to be manually runnable (pinecone-io#335)
  [skip ci] Bump version to v3.2.2
  [Fix] openapi_config deprecation warning incorrectly shown (pinecone-io#327)
  Add grpc unit test run, expand testing of VectorFactory (pinecone-io#326)
  [skip ci] Bump version to v3.2.1
  Allow clients to tag requests with a source_tag (pinecone-io#324)
  [skip ci] Bump version to v3.2.0
  Revise proxy configuration, add integration testing (pinecone-io#325)
  [Fix] Configuring SSL proxy via openapi_config object (pinecone-io#321)
  Update README.md (pinecone-io#323)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants