Allow custom HTTP headers on the OpenAI embedding client#5704
Open
gabrielcosi wants to merge 1 commit into
Open
Allow custom HTTP headers on the OpenAI embedding client#5704gabrielcosi wants to merge 1 commit into
gabrielcosi wants to merge 1 commit into
Conversation
Gateways in front of OpenAI-compatible embedding services often key behavior (routing, response-cache scoping) off a request header, but the optimizer's OpenAI client only sent Content-Type and Authorization. Add an optional spec.config.optimizer.embeddingHeaders map applied to every embedding request. Admission rejects non-openai providers, reserved names (Authorization, Content-Type), and invalid RFC 7230 header names via CEL, and bounds values through OpenAPI schema constraints; config load mirrors the checks for non-Kubernetes config sources. The client sets its protocol headers last so custom headers can never override them. Closes stacklok#5700
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #5704 +/- ##
=======================================
Coverage 70.61% 70.62%
=======================================
Files 667 667
Lines 67607 67638 +31
=======================================
+ Hits 47743 47767 +24
- Misses 16410 16413 +3
- Partials 3454 3458 +4 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Follow-up to #5633. The gateways this embedding path targets often key
behavior off a request header (request routing, scoping a response cache),
but the OpenAI client only sent
Content-TypeandAuthorization, so therewas no way to add one.
optimizer.embeddingHeadersmap that the OpenAI clientsends with every embedding request. An absent field keeps today's
behavior, and the TEI path is untouched.
openaiprovider andvalid, non-reserved RFC 7230 header names; OpenAPI constraints on the
value type bound length and forbid control characters.
GetAndValidateConfig(using the sharedhttpvalhelpers), so non-Kubernetes config sources fail at load instead of at
request time.
Content-Typeand
Authorizationlast, so custom headers can never override them.Closes #5700
Type of change
Test plan
task test)task lint-fix)Also ran the operator envtest suite (
task operator-test-integration):admission rejects reserved names, non-token names, empty/control-character/
overlong values, and the tei-plus-headers combination, and accepts uncommon
but valid token names (
x-key'name`x), matching the runtime check.API Compatibility
v1beta1API (adds one optional field toOptimizerConfig).Does this introduce a user-facing change?
Yes.
spec.config.optimizer.embeddingHeaderssends extra HTTP headers withevery request the optimizer makes to an OpenAI-compatible embedding service.
The field is optional and existing configurations are unchanged.
Special notes for reviewers
minLength/maxLength/patternon the newEmbeddingHeaderValuetype) rather than CEL: a CELrule iterating unbounded value strings exceeded the apiserver's cost
budget by a factor of 6, which envtest catches at CRD install. Schema
validation has no cost budget.
\x27,\x60) for the'and`token characters, since quote characters can't appear literallyinside the marker string.
Authorizationis rejected on purpose: the API key stays inOPENAI_API_KEY(see Add OpenAI-compatible embedding client to vmcp optimizer #5633), and header values are stored in plain textin the spec and generated ConfigMap.
Assisted by Claude Code. Design, code,
and tests were directed, reviewed, and manually verified by the author.