langflow icon indicating copy to clipboard operation
langflow copied to clipboard

feat: Add support for custom CA bundle to openAI API

Open schuellerf opened this issue 11 months ago • 5 comments

For a local self signed deployment (e.g. vLLM) this is handy to get the custom CA bundle into the workflow easy.

Implemented for OpenAIModelComponent and OpenAIEmbeddingsComponent, which effectively also adds this feature to the OpenAI Agent component.

As the API of e.g. vLLM is compatible with OpenAI, I thought it might be ok to just patch this in here.

Looking forward to feedback if this PR is ok.

schuellerf avatar May 13 '25 14:05 schuellerf

Hey @schuellerf

I feel like this is a safe change. Not having it blocks you from achieving something in Langflow?

ogabrielluiz avatar May 13 '25 19:05 ogabrielluiz

@ogabrielluiz yes, it blocks me from connecting to the inferencing servers from our internal IT 😅

schuellerf avatar May 13 '25 19:05 schuellerf

I'm not sure how to get the CI green - should I be updating the starter projects?

schuellerf avatar May 14 '25 18:05 schuellerf

@ogabrielluiz please give me some hints how I can get this PR green & merged 🙏

schuellerf avatar May 20 '25 08:05 schuellerf

Note: I just found out, that setting then environment variable SSL_CERT_FILE serves the same purpose (with a file, not the content…), so strictly speaking this PR is not really needed, but might still be helpful for container setups where it could be harder to explain to users how to get your certificate in…

schuellerf avatar May 27 '25 11:05 schuellerf

@schuellerf, Thanks for writing this bug and associated PR as we are also interested in this feature. We have a self hosted inference endpoint, OpenAI compatible, that is using a private CA.

I do not think the LANGFLOW_SSL_CERT_FILE env variable does what we want. The documentation is a little vague, but it appears to for specifying the SSL cert to be presented by the Langflow's internal HTTP server.

I tried manually getting the certificates into the OS keystore location and running update-ca-certificates, but that didn't help.

troy256 avatar Jun 02 '25 19:06 troy256

@troy256 I was talking about literally SSL_CERT_FILE from the python internals. https://peps.python.org/pep-0476/#trust-database Which works for me

schuellerf avatar Jun 03 '25 07:06 schuellerf

Walkthrough

This update adds support for custom Certificate Authority (CA) bundles across various OpenAI-related components and starter project configurations. New multiline input fields allow users to provide custom CA certificates for self-signed deployments. The components now create and use custom SSL contexts and HTTP clients when a custom CA bundle is provided, ensuring secure communication with OpenAI endpoints.

Changes

File(s) Change Summary
src/backend/base/langflow/components/embeddings/openai.py, src/backend/base/langflow/components/languagemodels/openai_chat_model.py Added custom_ca_bundle multiline input; updated logic to create SSL context and pass custom HTTP clients to OpenAI classes when provided. Enhanced model dropdowns with combobox and real-time refresh.
src/backend/base/langflow/initial_setup/starter_projects/Basic Prompt Chaining.json, Basic Prompting.json, Blog Writer.json, Document Q&A.json, Financial Report Parser.json, Hybrid Search RAG.json, Image Sentiment Analysis.json, Instagram Copywriter.json, Market Research.json, Meeting Summary.json, Memory Chatbot.json, Research Agent.json, SEO Keyword Generator.json, Text Sentiment Analysis.json, Twitter Thread Generator.json, Vector Store RAG.json, Youtube Analysis.json Added custom_ca_bundle multiline input to OpenAI model component(s); updated build_model to create SSL context and pass custom HTTP clients to ChatOpenAI when provided. Updated input metadata and schema.
src/backend/base/langflow/initial_setup/starter_projects/Financial Agent.json, Gmail Agent.json, Invoice Summarizer.json, News Aggregator.json, Pokédex Agent.json, Price Deal Finder.json, SaaS Pricing.json, Search agent.json, Sequential Tasks Agents.json, Simple Agent.json, Social Media Agent.json, Travel Planning Agents.json Added custom_ca_bundle multiline input to Agent component(s) with advanced, dynamic, and traceable metadata. No logic changes, only input schema extension.
src/backend/base/langflow/initial_setup/starter_projects/Vector Store RAG.json Both OpenAI Embeddings and Model components updated: added custom_ca_bundle input, SSL context logic, and enhanced model dropdowns.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Component
    participant OpenAI API

    User->>Component: Provide custom_ca_bundle (optional)
    Component->>Component: If custom_ca_bundle provided, create SSL context
    Component->>Component: Instantiate httpx.Client/AsyncClient with SSL context
    Component->>OpenAI API: Make secure API request using custom HTTP client
    OpenAI API-->>Component: Respond over secure connection
    Component-->>User: Return result

Suggested labels

size:L

✨ Finishing Touches
  • [ ] 📝 Generate Docstrings

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Explain this complex logic.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
    • @coderabbitai explain this code block.
    • @coderabbitai modularize this function.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read src/utils.ts and explain its main purpose.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
    • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai generate docstrings to generate docstrings for this PR.
  • @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
  • @coderabbitai resolve resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai help to get help.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

coderabbitai[bot] avatar Jun 03 '25 11:06 coderabbitai[bot]

Note: I just found out, that setting then environment variable SSL_CERT_FILE serves the same purpose (with a file, not the content…), so strictly speaking this PR is not really needed, but might still be helpful for container setups where it could be harder to explain to users how to get your certificate in…

It would be harder but putting a certificate in a flow would be a bit weird too. Maybe we should add documentation for this instead?

If it works then we should avoid adding complexity to the component.

ogabrielluiz avatar Jun 03 '25 12:06 ogabrielluiz

I agree, from what I learned from the certificates, that adding code to the component for this is an overkill. I'll close this and create a documentation PR if I find a good place where this belongs to.

schuellerf avatar Oct 28 '25 15:10 schuellerf