[TECH DEBT] Support TLS configuration for Non-OpenAI LLM Providers

[inFocus7]

📋 Prerequisites

• I have searched the existing issues to avoid creating a duplicate
• By submitting this issue, you agree to follow our Code of Conduct

📝 Feature Summary

Add support for ModelConfig TLS configuration for non-openai agent

❓ Problem Statement / Motivation

Currently a ModelConfig's TLS config is only applied for openai providers' clients. We are missing this support for other clients (e.g. Anthropic, Gemini, Ollama).

💡 Proposed Solution

• Investigate the other providers' clients to implement support for attaching the ca certs.
• Add TLS configuration support for the missing providers' clients, where possible.
• Add tests to validate support.
• Ensure backwards compatibility (i.e. use existing configuration if no TLS config is set).

🔄 Alternatives Considered

No response

🎯 Affected Service(s)

None

📚 Additional Context

The config already exists on the kubernetes/go side (crd + translation), it is set on the BaseLLM, which means we just need to pass it down to other providers and configure their clients with the settings.

base

The original implementation PR was #1059, which includes extensive tests, so expanding on tests is hopefully not too difficult.

🙋 Are you willing to contribute?

• I am willing to submit a PR for this feature

[inFocus7]

Investigation

Adding some notes I took down from my investigation into adding SSL configuration for the non-openai clients. They are a bit harder (or not possible at the moment) because we use google/adk-python for configuring them; for OpenAI support, it was a bit more straightforward as we defined it in our codebase.

LLMs

LiteLLM

The underlying litellm accepts a client and ssl_verify (latter for logging) as a kwarg, meaning we may be able to pass a secure client as a kwargs?

Unsure how the default LiteLLM client is configured so that we keep defaults and simply append SSL to it.

GeminiLLM

The underlying GenAI client has a http_options argument that can be used to pass in ssl settings. http_options.(async_)client_args={'verify': False} can likely be used for insecure. I BELIEVE you could also pass in an ssl_context (ssl.create_default_context(...)) as the 'verify' value for setting custom certs.

http_options are not fully exposed through google/adk-python, so we cannot use it.

Note: For the attaching ssl certs, it MAY be possible to set env variables SSL_CERT_FILE/SSL_CERT_DIR as a workaround, but this won't support insecure.

ClaudeLLM

The underlying AnthropixVertex has a http_client argument to configure a custom httpx client.

It is not exposed by google/adk-python though, so we cannot use it. (+ haven't seen if it's possible to append to a default client)

Questions

What was the original reasoning for implementing the openai llm sdk(?) ourselves, as opposed to using a library? Should we implement our own for the other LLMs, or continue using the google/adk ones?