refactor(controller): update modelconfig REST API

[supreme-gg-gg]

• Refactor modelconfig HTTP API to raw CRD passthrough rather than hand rolled DTOs
• Update UI types and model pages that read these fields

[Copilot]

Pull request overview

Updates the ModelConfig HTTP REST handlers/types to align the API payloads/responses with newer ModelConfig CRD fields and supported providers.

Changes:

• Extend ModelConfig list/get/update responses to include apiKeyPassthrough, defaultHeaders, and additional provider params (VertexAI + Bedrock).
• Update create/update request handling to accept tls, defaultHeaders, secret references, and Bedrock params.
• Adjust secret-creation/update logic to prefer explicit secret references over inline API keys.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File	Description
go/core/internal/httpserver/handlers/modelconfig.go	Adds Bedrock/VertexAI param flattening; surfaces new CRD fields in responses; extends create/update to accept TLS/default headers/secret refs.
go/api/httpapi/types.go	Updates REST API request/response structs with new fields (TLS/default headers/secret refs/Bedrock params; response adds apiKeyPassthrough).

Comments suppressed due to low confidence (2)

go/core/internal/httpserver/handlers/modelconfig.go:491

• shouldUpdateSecret can be true while modelConfig.Spec.APIKeySecretKey is empty (e.g., existing ModelConfigs without a secret key, or Bedrock where the key is optional). This will call createOrUpdateSecretWithOwnerReference with a map containing an empty data key, which Kubernetes will reject. Before updating, ensure a non-empty secret key is set (and set APIKeySecret/APIKeySecretKey defaults when using inline apiKey), or return a 400.

	// Update inline API key secret only when not using an explicit secret ref
	shouldUpdateSecret := req.APIKeySecret == "" && req.APIKey != nil && *req.APIKey != "" && modelConfig.Spec.Provider != v1alpha2.ModelProviderOllama
	if shouldUpdateSecret {
		log.V(1).Info("Updating API key secret")

		err := createOrUpdateSecretWithOwnerReference(
			r.Context(),
			h.KubeClient,
			map[string]string{modelConfig.Spec.APIKeySecretKey: *req.APIKey},
			modelConfig,

go/core/internal/httpserver/handlers/modelconfig.go:274

• The inline apiKey fallback will also run for the Bedrock provider, creating/updating a Secret entry like BEDROCK_API_KEY. Bedrock auth in the translator expects AWS credential keys (e.g., AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY or AWS_BEARER_TOKEN_BEDROCK), so an inline API key flow here will create a non-functional (and potentially misleading) ModelConfig. Consider disallowing inline apiKey for Bedrock (require apiKeySecret), or add explicit Bedrock credential fields.

	} else if providerTypeEnum != v1alpha2.ModelProviderOllama && req.APIKey != "" {
		secretName := modelConfigRef.Name
		secretKey := fmt.Sprintf("%s_API_KEY", strings.ToUpper(req.Provider.Type))
		modelConfigSpec.APIKeySecret = secretName
		modelConfigSpec.APIKeySecretKey = secretKey
	}

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.