flyte 2.0.0b32__py3-none-any.whl

flyte/remote/_app.py

@@ -0,0 +1,57 @@
+from __future__ import annotations
+
+from flyteidl2.app import app_definition_pb2, app_payload_pb2
+
+from flyte._initialize import ensure_client, get_client, get_init_config
+from flyte.syncify import syncify
+
+from ._common import ToJSONMixin
+
+
+class App(ToJSONMixin):
+    pb2: app_definition_pb2.App
+
+    def __init__(self, pb2: app_definition_pb2.App):
+        self.pb2 = pb2
+
+    @property
+    def name(self) -> str:
+        return self.pb2.metadata.id.name
+
+    @property
+    def revision(self) -> int:
+        return self.pb2.metadata.revision
+
+    @property
+    def endpoint(self) -> str:
+        return self.pb2.status.ingress.public_url
+
+    @classmethod
+    @syncify
+    async def get(
+        cls,
+        name: str,
+        project: str | None = None,
+        domain: str | None = None,
+    ) -> App:
+        """
+        Get an app by name.
+
+        :param name: The name of the app.
+        :param project: The project of the app.
+        :param domain: The domain of the app.
+        :return: The app remote object.
+        """
+        ensure_client()
+        cfg = get_init_config()
+        resp = await get_client().app_service.Get(
+            request=app_payload_pb2.GetRequest(
+                app_id=app_definition_pb2.Identifier(
+                    org=cfg.org,
+                    project=project or cfg.project,
+                    domain=domain or cfg.domain,
+                    name=name,
+                ),
+            )
+        )
+        return cls(pb2=resp.app)

flyte/remote/_client/_protocols.py

@@ -0,0 +1,189 @@
+from typing import AsyncIterator, Protocol
+
+from flyteidl.admin import project_attributes_pb2, project_pb2, version_pb2
+from flyteidl.service import dataproxy_pb2, identity_pb2
+from flyteidl2.app import app_payload_pb2
+from flyteidl2.secret import payload_pb2
+from flyteidl2.task import task_service_pb2
+from flyteidl2.trigger import trigger_service_pb2
+from flyteidl2.workflow import run_logs_service_pb2, run_service_pb2
+from grpc.aio import UnaryStreamCall
+from grpc.aio._typing import RequestType
+
+
+class MetadataServiceProtocol(Protocol):
+    async def GetVersion(self, request: version_pb2.GetVersionRequest) -> version_pb2.GetVersionResponse: ...
+
+
+class ProjectDomainService(Protocol):
+    async def RegisterProject(
+        self, request: project_pb2.ProjectRegisterRequest
+    ) -> project_pb2.ProjectRegisterResponse: ...
+
+    async def UpdateProject(self, request: project_pb2.Project) -> project_pb2.ProjectUpdateResponse: ...
+
+    async def GetProject(self, request: project_pb2.ProjectGetRequest) -> project_pb2.Project: ...
+
+    async def ListProjects(self, request: project_pb2.ProjectListRequest) -> project_pb2.Projects: ...
+
+    async def GetDomains(self, request: project_pb2.GetDomainRequest) -> project_pb2.GetDomainsResponse: ...
+
+    async def UpdateProjectDomainAttributes(
+        self, request: project_attributes_pb2.ProjectAttributesUpdateRequest
+    ) -> project_pb2.ProjectUpdateResponse: ...
+
+    async def GetProjectDomainAttributes(
+        self, request: project_attributes_pb2.ProjectAttributesGetRequest
+    ) -> project_attributes_pb2.ProjectAttributes: ...
+
+    async def DeleteProjectDomainAttributes(
+        self, request: project_attributes_pb2.ProjectAttributesDeleteRequest
+    ) -> project_attributes_pb2.ProjectAttributesDeleteResponse: ...
+
+    async def UpdateProjectAttributes(
+        self, request: project_attributes_pb2.ProjectAttributesUpdateRequest
+    ) -> project_attributes_pb2.ProjectAttributesUpdateResponse: ...
+
+    async def GetProjectAttributes(
+        self, request: project_attributes_pb2.ProjectAttributesGetRequest
+    ) -> project_attributes_pb2.ProjectAttributes: ...
+
+    async def DeleteProjectAttributes(
+        self, request: project_attributes_pb2.ProjectAttributesDeleteRequest
+    ) -> project_attributes_pb2.ProjectAttributesDeleteResponse: ...
+
+
+class TaskService(Protocol):
+    async def DeployTask(self, request: task_service_pb2.DeployTaskRequest) -> task_service_pb2.DeployTaskResponse: ...
+
+    async def GetTaskDetails(
+        self, request: task_service_pb2.GetTaskDetailsRequest
+    ) -> task_service_pb2.GetTaskDetailsResponse: ...
+
+    async def ListTasks(self, request: task_service_pb2.ListTasksRequest) -> task_service_pb2.ListTasksResponse: ...
+
+
+class AppService(Protocol):
+    async def Create(self, request: app_payload_pb2.CreateRequest) -> app_payload_pb2.CreateResponse: ...
+
+    async def Get(self, request: app_payload_pb2.GetRequest) -> app_payload_pb2.GetResponse: ...
+
+    async def Update(self, request: app_payload_pb2.UpdateRequest) -> app_payload_pb2.UpdateResponse: ...
+
+    async def UpdateStatus(
+        self, request: app_payload_pb2.UpdateStatusRequest
+    ) -> app_payload_pb2.UpdateStatusResponse: ...
+
+    async def Delete(self, request: app_payload_pb2.DeleteRequest) -> app_payload_pb2.DeleteResponse: ...
+
+    async def List(self, request: app_payload_pb2.ListRequest) -> app_payload_pb2.ListResponse: ...
+
+    async def Watch(self, request: app_payload_pb2.WatchRequest) -> app_payload_pb2.WatchResponse: ...
+
+    async def Lease(self, request: app_payload_pb2.LeaseRequest) -> app_payload_pb2.LeaseResponse: ...
+
+
+class RunService(Protocol):
+    async def CreateRun(self, request: run_service_pb2.CreateRunRequest) -> run_service_pb2.CreateRunResponse: ...
+
+    async def AbortRun(self, request: run_service_pb2.AbortRunRequest) -> run_service_pb2.AbortRunResponse: ...
+
+    async def GetRunDetails(
+        self, request: run_service_pb2.GetRunDetailsRequest
+    ) -> run_service_pb2.GetRunDetailsResponse: ...
+
+    async def WatchRunDetails(
+        self, request: run_service_pb2.WatchRunDetailsRequest
+    ) -> AsyncIterator[run_service_pb2.WatchRunDetailsResponse]: ...
+
+    async def GetActionDetails(
+        self, request: run_service_pb2.GetActionDetailsRequest
+    ) -> run_service_pb2.GetActionDetailsResponse: ...
+
+    async def WatchActionDetails(
+        self, request: run_service_pb2.WatchActionDetailsRequest
+    ) -> AsyncIterator[run_service_pb2.WatchActionDetailsResponse]: ...
+
+    async def GetActionData(
+        self, request: run_service_pb2.GetActionDataRequest
+    ) -> run_service_pb2.GetActionDataResponse: ...
+
+    async def ListRuns(self, request: run_service_pb2.ListRunsRequest) -> run_service_pb2.ListRunsResponse: ...
+
+    async def WatchRuns(
+        self, request: run_service_pb2.WatchRunsRequest
+    ) -> AsyncIterator[run_service_pb2.WatchRunsResponse]: ...
+
+    async def ListActions(self, request: run_service_pb2.ListActionsRequest) -> run_service_pb2.ListActionsResponse: ...
+
+    async def WatchActions(
+        self, request: run_service_pb2.WatchActionsRequest
+    ) -> AsyncIterator[run_service_pb2.WatchActionsResponse]: ...
+
+
+class DataProxyService(Protocol):
+    async def CreateUploadLocation(
+        self, request: dataproxy_pb2.CreateUploadLocationRequest
+    ) -> dataproxy_pb2.CreateUploadLocationResponse: ...
+
+    async def CreateDownloadLocation(
+        self, request: dataproxy_pb2.CreateDownloadLocationRequest
+    ) -> dataproxy_pb2.CreateDownloadLocationResponse: ...
+
+    async def CreateDownloadLink(
+        self, request: dataproxy_pb2.CreateDownloadLinkRequest
+    ) -> dataproxy_pb2.CreateDownloadLinkResponse: ...
+
+    async def GetData(self, request: dataproxy_pb2.GetDataRequest) -> dataproxy_pb2.GetDataResponse: ...
+
+
+class RunLogsService(Protocol):
+    def TailLogs(
+        self, request: run_logs_service_pb2.TailLogsRequest
+    ) -> UnaryStreamCall[RequestType, run_logs_service_pb2.TailLogsResponse]: ...
+
+
+class SecretService(Protocol):
+    async def CreateSecret(self, request: payload_pb2.CreateSecretRequest) -> payload_pb2.CreateSecretResponse: ...
+
+    async def UpdateSecret(self, request: payload_pb2.UpdateSecretRequest) -> payload_pb2.UpdateSecretResponse: ...
+
+    async def GetSecret(self, request: payload_pb2.GetSecretRequest) -> payload_pb2.GetSecretResponse: ...
+
+    async def ListSecrets(self, request: payload_pb2.ListSecretsRequest) -> payload_pb2.ListSecretsResponse: ...
+
+    async def DeleteSecret(self, request: payload_pb2.DeleteSecretRequest) -> payload_pb2.DeleteSecretResponse: ...
+
+
+class IdentityService(Protocol):
+    async def UserInfo(self, request: identity_pb2.UserInfoRequest) -> identity_pb2.UserInfoResponse: ...
+
+
+class TriggerService(Protocol):
+    async def DeployTrigger(
+        self, request: trigger_service_pb2.DeployTriggerRequest
+    ) -> trigger_service_pb2.DeployTriggerResponse: ...
+
+    async def GetTriggerDetails(
+        self, request: trigger_service_pb2.GetTriggerDetailsRequest
+    ) -> trigger_service_pb2.GetTriggerDetailsResponse: ...
+
+    async def GetTriggerRevisionDetails(
+        self, request: trigger_service_pb2.GetTriggerRevisionDetailsRequest
+    ) -> trigger_service_pb2.GetTriggerRevisionDetailsResponse: ...
+
+    async def ListTriggers(
+        self, request: trigger_service_pb2.ListTriggersRequest
+    ) -> trigger_service_pb2.ListTriggersResponse: ...
+
+    async def GetTriggerRevisionHistory(
+        self, request: trigger_service_pb2.GetTriggerRevisionHistoryRequest
+    ) -> trigger_service_pb2.GetTriggerRevisionHistoryResponse: ...
+
+    async def UpdateTriggers(
+        self, request: trigger_service_pb2.UpdateTriggersRequest
+    ) -> trigger_service_pb2.UpdateTriggersResponse: ...
+
+    async def DeleteTriggers(
+        self, request: trigger_service_pb2.DeleteTriggersRequest
+    ) -> trigger_service_pb2.DeleteTriggersResponse: ...

flyte/remote/_client/auth/__init__.py

@@ -0,0 +1,12 @@
+from flyte.remote._client.auth._channel import create_channel
+from flyte.remote._client.auth._client_config import AuthType, ClientConfig
+from flyte.remote._client.auth.errors import AccessTokenNotFoundError, AuthenticationError, AuthenticationPending
+
+__all__ = [
+    "AccessTokenNotFoundError",
+    "AuthType",
+    "AuthenticationError",
+    "AuthenticationPending",
+    "ClientConfig",
+    "create_channel",
+]

flyte/remote/_client/auth/_auth_utils.py

@@ -0,0 +1,14 @@
+from __future__ import annotations
+
+import base64
+from typing import Literal
+
+
+def decode_api_key(encoded_str: str) -> tuple[str, str, str, str | Literal["None"]]:
+    """Decode encoded base64 string into app credentials. endpoint, client_id, client_secret, org"""
+    endpoint, client_id, client_secret, org = base64.b64decode(encoded_str.encode("utf-8")).decode("utf-8").split(":")
+    # For consistency, let's make sure org is always a non-empty string
+    if not org:
+        org = "None"
+
+    return endpoint, client_id, client_secret, org

flyte/remote/_client/auth/_authenticators/base.py

@@ -0,0 +1,403 @@
+import asyncio
+import dataclasses
+import ssl
+import typing
+from abc import abstractmethod
+from http import HTTPStatus
+
+import httpx
+from grpc.aio import Metadata
+
+from flyte.remote._client.auth._client_config import ClientConfig, ClientConfigStore
+from flyte.remote._client.auth._keyring import Credentials, KeyringStore
+
+
+@dataclasses.dataclass
+class GrpcAuthMetadata:
+    creds_id: str
+    pairs: Metadata
+
+
+class Authenticator(object):
+    """
+    Base authenticator for all authentication flows
+    """
+
+    def __init__(
+        self,
+        endpoint: str,
+        *,
+        cfg_store: typing.Optional[ClientConfigStore] = None,
+        client_config: typing.Optional[ClientConfig] = None,
+        credentials: typing.Optional[Credentials] = None,
+        http_session: typing.Optional[httpx.AsyncClient] = None,
+        http_proxy_url: typing.Optional[str] = None,
+        verify: bool = True,
+        ca_cert_path: typing.Optional[str] = None,
+        default_header_key: str = "authorization",
+        **kwargs,
+    ):
+        """
+        Initialize the base authenticator.
+
+        :param endpoint: The endpoint URL for authentication
+        :param cfg_store: Optional client configuration store for retrieving remote configuration
+        :param client_config: Optional client configuration containing authentication settings
+        :param credentials: Optional credentials to use for authentication
+        :param http_session: Optional HTTP session to use for requests
+        :param http_proxy_url: Optional HTTP proxy URL
+        :param verify: Whether to verify SSL certificates
+        :param ca_cert_path: Optional path to CA certificate file
+        :param kwargs: Additional keyword arguments passed to get_async_session, which may include:
+            - auth: Authentication implementation to use
+            - params: Query parameters to include in request URLs
+            - headers: HTTP headers to include in requests
+            - cookies: Cookies to include in requests
+            - cert: SSL client certificate (path or tuple)
+            - http1: Whether to enable HTTP/1.1 support
+            - http2: Whether to enable HTTP/2 support
+            - proxies: Proxy configuration mapping
+            - mounts: Mounted transports for specific URL patterns
+            - timeout: Request timeout configuration
+            - follow_redirects: Whether to follow redirects
+            - limits: Connection pool limits
+            - max_redirects: Maximum number of redirects to follow
+            - event_hooks: Event hooks for request/response lifecycle
+            - base_url: Base URL to join with relative URLs
+            - transport: Transport implementation to use
+            - app: ASGI application to handle requests
+        """
+        self._endpoint = endpoint
+        self._creds = credentials or KeyringStore.retrieve(endpoint)
+        self._http_proxy_url = http_proxy_url
+        self._verify = verify
+        self._ca_cert_path = ca_cert_path
+        self._client_config = client_config
+        self._cfg_store = cfg_store
+        # Will be populated by _ensure_remote_config
+        self._resolved_config: ClientConfig | None = None
+        # Lock for coroutine safety
+        self._async_lock = asyncio.Lock()
+        self._http_session = http_session or get_async_session(**kwargs)
+        # Id for tracking credential refresh state
+        self._creds_id = self._creds.id if self._creds else None
+        self._default_header_key = default_header_key
+
+    async def _resolve_config(self) -> ClientConfig:
+        """
+        Resolves and merges client configuration with remote configuration.
+
+        This method fetches the remote configuration from the cfg_store and merges it with
+        the local client_config, prioritizing local settings over remote ones.
+
+        This method is thread-safe and coroutine-safe, ensuring the remote config is fetched
+        only once regardless of concurrent access from multiple threads or coroutines.
+
+        :return: A merged ClientConfig object containing resolved configuration settings
+        """
+        # First check without locks for performance
+        if self._resolved_config is not None:
+            return self._resolved_config
+
+        if self._cfg_store is None:
+            raise ValueError("ClientConfigStore is not set. Cannot resolve configuration.")
+
+        remote_config = await self._cfg_store.get_client_config()
+        self._resolved_config = (
+            remote_config.with_override(self._client_config) if self._client_config else remote_config
+        )
+
+        return self._resolved_config
+
+    def get_credentials(self) -> typing.Optional[Credentials]:
+        """
+        Get the current credentials.
+
+        :return: The current credentials or None if not set
+        """
+        return self._creds
+
+    def _set_credentials(self, creds: Credentials):
+        """
+        Set the credentials.
+
+        :param creds: The credentials to set
+        """
+        self._creds = creds
+
+    async def get_grpc_call_auth_metadata(self) -> typing.Optional[GrpcAuthMetadata]:
+        """
+        Fetch the authentication metadata for gRPC calls.
+
+        :return: A tuple of (header_key, header_value) or None if no credentials are available
+        """
+        creds = self.get_credentials()
+        if creds:
+            header_key = self._default_header_key
+            if self._resolved_config is not None:
+                # We only resolve the config during authentication flow, to avoid unnecessary network calls
+                # and usually the header_key is consistent.
+                header_key = self._resolved_config.header_key
+            return GrpcAuthMetadata(
+                creds_id=creds.id,
+                pairs=Metadata((header_key, f"Bearer {creds.access_token}")),
+            )
+        return None
+
+    async def refresh_credentials(self, creds_id: str | None = None):
+        """
+        Refresh the credentials asynchronously with thread and asyncio safety.
+
+        This method implements a thread-safe and coroutine-safe credential refresh mechanism.
+        It uses a timestamp-based approach to prevent redundant credential refreshes when
+        multiple threads or coroutines attempt to refresh credentials simultaneously.
+
+        The caller should capture the current _creds_timestamp before attempting to use credentials.
+        If credential usage fails, the caller can pass that timestamp to this method.
+        If the timestamp matches the current value, a refresh is needed; otherwise,
+        another thread has already refreshed the credentials.
+
+        :param creds_id: The id of credentials when they were last accessed by the caller.
+                               If None, force a refresh regardless of id.
+        :raises: May raise authentication-related exceptions if the refresh fails
+        """
+        # If creds_id is None, force refresh
+        # If creds_id matches current value, credentials need refresh
+        # If creds_id doesn't match, another thread already refreshed credentials
+        if creds_id and creds_id != self._creds_id:
+            # Credentials have been refreshed by another thread/coroutine since caller read them
+            return
+
+        # Use the async lock to ensure coroutine safety
+        async with self._async_lock:
+            # Double-check pattern to avoid unnecessary work
+            if creds_id and creds_id != self._creds_id:
+                # Another thread/coroutine refreshed credentials while we were waiting for the lock
+                return
+
+            # Perform the actual credential refresh
+            try:
+                self._creds = await self._do_refresh_credentials()
+                KeyringStore.store(self._creds)
+            except Exception:
+                KeyringStore.delete(self._endpoint)
+                raise
+
+            # Update the timestamp to indicate credentials have been refreshed
+            self._creds_id = self._creds.id
+
+    @abstractmethod
+    async def _do_refresh_credentials(self) -> Credentials:
+        """
+        Perform the actual credential refresh operation.
+
+        This method must be implemented by subclasses to handle the specific authentication flow.
+        It should update the internal credentials object (_creds) with a new access token.
+
+        Implementations typically use the resolved configuration from _resolve_config() to
+        determine authentication endpoints, scopes, audience, and other parameters needed for
+        the specific authentication flow.
+
+        :raises: May raise authentication-related exceptions if the refresh fails
+        """
+        ...
+
+
+class AsyncAuthenticatedClient(httpx.AsyncClient):
+    """
+    An httpx.AsyncClient that automatically adds authentication headers to requests.
+    This class extends httpx.AsyncClient which is inherently async for network operations.
+    """
+
+    def __init__(self, authenticator: Authenticator, **kwargs):
+        """
+        Initialize the authenticated client.
+
+        :param authenticator: The authenticator to use for authentication
+        :param kwargs: Additional arguments passed to the httpx.AsyncClient constructor
+        """
+        super().__init__(**kwargs)
+        self.auth_adapter = AsyncAuthenticationHTTPAdapter(authenticator)
+        self.authenticator = authenticator
+
+    async def send(self, request: httpx.Request, **kwargs) -> httpx.Response:
+        """
+        Sends the request with added authentication headers.
+        Must be async because it performs network IO operations and may need to refresh credentials.
+        If the response returns a 401 status code, refreshes the credentials and retries the request.
+
+        :param request: The request object to send.
+        :param kwargs: Additional keyword arguments passed to the parent httpx.AsyncClient.send method, which may
+        include:
+            - auth: Authentication implementation to use for this request
+            - follow_redirects: Whether to follow redirects for this request
+            - timeout: Request timeout configuration for this request
+        :return: The response object.
+        """
+
+        creds_id = await self.auth_adapter.add_auth_header(request)
+        response = await super().send(request, **kwargs)
+
+        if response.status_code == HTTPStatus.UNAUTHORIZED:
+            await self.authenticator.refresh_credentials(creds_id=creds_id)
+            await self.auth_adapter.add_auth_header(request)
+            response = await super().send(request, **kwargs)
+
+        return response
+
+
+class AsyncAuthenticationHTTPAdapter:
+    """
+    A custom async HTTP adapter that adds authentication headers to requests of an httpx.AsyncClient.
+    This is the async equivalent of AuthenticationHTTPAdapter for requests.
+    """
+
+    def __init__(self, authenticator: Authenticator):
+        """
+        Initialize the authentication HTTP adapter.
+
+        :param authenticator: The authenticator to use for authentication
+        """
+        self.authenticator = authenticator
+
+    async def add_auth_header(self, request: httpx.Request) -> typing.Optional[str]:
+        """
+        Adds authentication headers to the request.
+        Must be async because it may call refresh_credentials which performs IO operations.
+
+        :param request: The request object to add headers to.
+        :return: The credentials ID (creds_id) used for tracking credential refresh state
+        """
+        if self.authenticator.get_credentials() is None:
+            await self.authenticator.refresh_credentials()
+
+        metadata = await self.authenticator.get_grpc_call_auth_metadata()
+        if metadata is None:
+            return None
+        for key, value in metadata.pairs.keys():
+            request.headers[key] = value
+        return metadata.creds_id
+
+
+def upgrade_async_session_to_proxy_authenticated(
+    http_session: httpx.AsyncClient, proxy_authenticator: typing.Optional[Authenticator] = None, **kwargs
+) -> httpx.AsyncClient:
+    """
+    Given an httpx.AsyncClient, it returns a new session that uses AsyncAuthenticationHTTPAdapter
+    to perform authentication with a proxy in front of Flyte
+
+    :param http_session: httpx.AsyncClient Precreated session
+    :param proxy_authenticator: Optional authenticator for proxy authentication
+    :param kwargs: Additional arguments passed to AsyncAuthenticatedClient, which may include:
+        - auth: Authentication implementation to use
+        - params: Query parameters to include in request URLs
+        - headers: HTTP headers to include in requests
+        - cookies: Cookies to include in requests
+        - verify: SSL verification mode (True/False/path to certificate)
+        - cert: SSL client certificate (path or tuple)
+        - http1: Whether to enable HTTP/1.1 support
+        - http2: Whether to enable HTTP/2 support
+        - proxies: Proxy configuration mapping
+        - mounts: Mounted transports for specific URL patterns
+        - timeout: Request timeout configuration
+        - follow_redirects: Whether to follow redirects
+        - limits: Connection pool limits
+        - max_redirects: Maximum number of redirects to follow
+        - event_hooks: Event hooks for request/response lifecycle
+        - base_url: Base URL to join with relative URLs
+        - transport: Transport implementation to use
+        - app: ASGI application to handle requests
+    :return: httpx.AsyncClient with authentication
+    """
+    if proxy_authenticator:
+        return AsyncAuthenticatedClient(proxy_authenticator, **kwargs)
+    else:
+        return http_session
+
+
+def get_async_session(
+    proxy_authenticator: Authenticator | None = None,
+    ca_cert_path: str | None = None,
+    verify: bool | None = None,
+    **kwargs,
+) -> httpx.AsyncClient:
+    """
+    Returns a new httpx.AsyncClient with proxy authentication if proxy_authenticator is provided.
+
+    This function creates a new httpx.AsyncClient and optionally configures it with proxy authentication
+    if a proxy authenticator is provided.
+
+    :param proxy_authenticator: Optional authenticator for proxy authentication
+    :param ca_cert_path: Optional path to CA certificate file for SSL verification
+    :param verify: Optional SSL verification mode (True/False/path to certificate)
+    :param kwargs: Additional keyword arguments passed to httpx.AsyncClient constructor and AsyncAuthenticatedClient,
+     which may include:
+        - auth: Authentication implementation to use
+        - params: Query parameters to include in request URLs
+        - headers: HTTP headers to include in requests
+        - cookies: Cookies to include in requests
+        - cert: SSL client certificate (path or tuple)
+        - http1: Whether to enable HTTP/1.1 support
+        - http2: Whether to enable HTTP/2 support
+        - proxies: Proxy configuration mapping
+        - mounts: Mounted transports for specific URL patterns
+        - timeout: Request timeout configuration
+        - follow_redirects: Whether to follow redirects
+        - limits: Connection pool limits
+        - max_redirects: Maximum number of redirects to follow
+        - event_hooks: Event hooks for request/response lifecycle
+        - base_url: Base URL to join with relative URLs
+        - transport: Transport implementation to use
+        - app: ASGI application to handle requests
+        - proxy_env: Environment variables for proxy command
+        - proxy_timeout: Timeout for proxy command execution
+        - header_key: Header key to use for authentication
+        - endpoint: The endpoint URL for authentication
+        - client_id: Client ID for authentication
+        - client_secret: Client secret for authentication
+        - scopes: List of scopes to request during authentication
+        - audience: Audience for the token
+        - http_proxy_url: HTTP proxy URL
+    :return: An httpx.AsyncClient instance, optionally configured with proxy authentication
+    """
+
+    # Extract known httpx.AsyncClient parameters from kwargs
+    client_kwargs = {
+        k: v
+        for k, v in kwargs.items()
+        if k
+        in [
+            "auth",
+            "params",
+            "headers",
+            "cookies",
+            "verify",
+            "cert",
+            "http1",
+            "http2",
+            "proxies",
+            "mounts",
+            "timeout",
+            "follow_redirects",
+            "limits",
+            "max_redirects",
+            "event_hooks",
+            "base_url",
+            "transport",
+            "app",
+        ]
+    }
+
+    if ca_cert_path:
+        context = ssl.create_default_context(capath=ca_cert_path)
+        verify = True if context is not None else False
+
+    if verify is not None:
+        client_kwargs["verify"] = verify
+
+    http_session = httpx.AsyncClient(**client_kwargs)
+    if proxy_authenticator:
+        http_session = upgrade_async_session_to_proxy_authenticated(
+            http_session, proxy_authenticator=proxy_authenticator, **kwargs
+        )
+    return http_session