[sdk] trusted host is the same as index url #10743

Open
diegolovison opened this issue Apr 24, 2024 · 1 comment

@diegolovison

Environment

  • KFP version:
    kfp 2.7.0
  • KFP SDK version:
    NA
  • All dependencies version:
    NA

Steps to reproduce

Create a pipeline with @dsl.component(packages_to_install=['pandas'], pip_index_urls=['https://my-host.com:8433/foo/bar'])

Expected result

A pip command like: pip install --index-url https://my-host.com:8433/foo/bar --trusted-host my-host.com --no-cache-dir 'pandas'

Actual result

Traceback (most recent call last):
  File "/home/dlovison/miniconda3/envs/pipe-presentation/bin/pip", line 11, in <module>
    sys.exit(main())
             ^^^^^^
  File "/home/dlovison/miniconda3/envs/pipe-presentation/lib/python3.11/site-packages/pip/_internal/cli/main.py", line 79, in main
    return command.main(cmd_args)
           ^^^^^^^^^^^^^^^^^^^^^^
  File "/home/dlovison/miniconda3/envs/pipe-presentation/lib/python3.11/site-packages/pip/_internal/cli/base_command.py", line 101, in main
    return self._main(args)
           ^^^^^^^^^^^^^^^^
  File "/home/dlovison/miniconda3/envs/pipe-presentation/lib/python3.11/site-packages/pip/_internal/cli/base_command.py", line 236, in _main
    self.handle_pip_version_check(options)
  File "/home/dlovison/miniconda3/envs/pipe-presentation/lib/python3.11/site-packages/pip/_internal/cli/req_command.py", line 177, in handle_pip_version_check
    session = self._build_session(
              ^^^^^^^^^^^^^^^^^^^^
  File "/home/dlovison/miniconda3/envs/pipe-presentation/lib/python3.11/site-packages/pip/_internal/cli/req_command.py", line 122, in _build_session
    session = PipSession(
              ^^^^^^^^^^^
  File "/home/dlovison/miniconda3/envs/pipe-presentation/lib/python3.11/site-packages/pip/_internal/network/session.py", line 398, in __init__
    self.add_trusted_host(host, suppress_logging=True)
  File "/home/dlovison/miniconda3/envs/pipe-presentation/lib/python3.11/site-packages/pip/_internal/network/session.py", line 422, in add_trusted_host
    parsed_host, parsed_port = parse_netloc(host)
                               ^^^^^^^^^^^^^^^^^^
  File "/home/dlovison/miniconda3/envs/pipe-presentation/lib/python3.11/site-packages/pip/_internal/utils/misc.py", line 475, in parse_netloc
    parsed = urllib.parse.urlparse(url)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/dlovison/miniconda3/envs/pipe-presentation/lib/python3.11/urllib/parse.py", line 395, in urlparse
    splitresult = urlsplit(url, scheme, allow_fragments)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/dlovison/miniconda3/envs/pipe-presentation/lib/python3.11/urllib/parse.py", line 497, in urlsplit
    raise ValueError("Invalid IPv6 URL")
ValueError: Invalid IPv6 URL

Materials and Reference

NA


@jgarciao

jgarciao commented Jun 7, 2024

As we can see in the documentation for pip_index_url, in addition to configuring the indices, the compiler by default sets each index as a --trusted-host.

 --trusted-host <hostname>   Mark this host or host:port pair as trusted, even though it does not have valid or any HTTPS.

In my opinion, this is a bad practice that could lead to man-in-the-middle attacks.

One way to handle this could be to prevent the compiler from automatically setting trusted hosts and to add a new pip_trusted_hosts parameter to kfp.dsl.component.
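A sketch of the opt-in behaviour proposed in the comment above, added here as an example; it is not KFP's code and not from either poster. `pip_trusted_hosts` is the hypothetical parameter named in that comment, and `host_port` and `build_pip_args` are made-up helper names.

```python
from urllib.parse import urlsplit


def host_port(index_url):
    """Reduce an index URL to the host or host:port form --trusted-host takes."""
    parts = urlsplit(index_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an http(s) index URL: {index_url!r}")
    host = parts.hostname
    if ":" in host:  # IPv6 literal: restore the brackets urlsplit strips
        host = f"[{host}]"
    return f"{host}:{parts.port}" if parts.port else host


def build_pip_args(packages, pip_index_urls=(), pip_trusted_hosts=()):
    """Build the pip argv. pip_trusted_hosts is the hypothetical opt-in list."""
    allowed = set()
    for url in pip_index_urls:
        allowed.add(host_port(url))            # e.g. my-host.com:8433
        allowed.add(urlsplit(url).hostname)    # e.g. my-host.com
    args = ["pip", "install", "--no-cache-dir"]
    for i, url in enumerate(pip_index_urls):
        args += ["--index-url" if i == 0 else "--extra-index-url", url]
    for entry in pip_trusted_hosts:
        # Never pass a URL here, and never trust a host that is not an index.
        if "/" in entry or entry.lower() not in allowed:
            raise ValueError(f"refusing --trusted-host {entry!r}")
        args += ["--trusted-host", entry]
    return args + list(packages)


if __name__ == "__main__":
    url = "https://my-host.com:8433/foo/bar"  # index URL from the issue
    print(build_pip_args(["pandas"], [url]))                   # TLS verified
    print(build_pip_args(["pandas"], [url], ["my-host.com"]))  # explicit opt-in
```

With no opt-in list the index is fetched with normal certificate verification; listing `my-host.com:8433` instead of the bare host limits the exemption to that port.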
