[GCP] Pin PyOpenSSL version for gcloud service account bug

[romilbhardwaj]

gsutil has issues when using a service account. googleapis/google-api-python-client#2554

Repro [needs double checking]:

Deploy API server with GCP enabled and using service account auth:

NAMESPACE=skypilot
kubectl create secret generic gcp-credentials \
  -n $NAMESPACE \
  --from-file=gcp-cred.json=<SERVICE ACCOUNT JSON HERE>

NAMESPACE=skypilot
RELEASE_NAME=skypilot
WEB_USERNAME=skypilot
WEB_PASSWORD=skypilot
AUTH_STRING=$(htpasswd -nb $WEB_USERNAME $WEB_PASSWORD)
helm upgrade --install $RELEASE_NAME skypilot/skypilot-nightly --devel \
  --namespace $NAMESPACE \
  --create-namespace \
  --set ingress.authCredentials=$AUTH_STRING \
  --set apiService.image=berkeleyskypilot/skypilot-nightly:1.0.0.dev20250326 \
  --set gcpCredentials.enabled=true \
  --set gcpCredentials.projectId=<INSERT PROJECT ID HERE> \
  --set-file apiService.config=config.yaml

Define task YAML:

resources:
  cloud: gcp

file_mounts:
  /data:
    name: romil-test
    source: /tmp/mydir

run: |
  ls -l /data

Try sky launch task.yaml. Fails during bucket upload with:

ERROR: module 'OpenSSL.crypto' has no attribute 'sign'

Looks like a known issue: googleapis/google-api-python-client#2554

I fixed by downgrading to pyOpenSSL==24.2.1 on my API server deployment.

Need someone to take over this PR and:

• Reproduce this reliably. I ran into this on an API server deployment setup from scratch on a GKE cluster but wasn't able to reproduce on my mac.
• Validate the fix.

[cg505]

See also #4719 and https://skypilot-org.slack.com/archives/C03J2KQQZSS/p1741280255286309

[zpoint]

I need to manually install a specific version of pyopenssl on the Buildkite Docker image to avoid this issue.

[cg505]

I kind of think we should just merge this but we should include a constraint >= 23.2.0. Thoughts @aylei @Michaelvll ?

[romilbhardwaj]

Ran into this again