bug: If the OpenAI key is invalid, the weather agent logs it, exposing it to anyone with K8s log read access

[esnible]

Describe the bug

If Kagenti is configured with an invalid API OpenAI API key, following the instructions to deploy and use the weather service cause Kubernetes logs to contain the invalid API key value.

This is a bad practice; the Authorization header should never be logged.

Steps To Reproduce

Have an invalid value for the OpenAI key and install Kagenti and follow the weather example. (In my case, I had my valid OpenAI API key, but it had a trailing newline.)

Expected Behavior

The Authorization header should never be logged, the API key should not be visible when doing oc -n team1 logs deployment/weather-service.

Additional Context

While troubleshooting #632 , I did echo $OPENAI_API_KEY | base64 then to put my OpenAI API key into a running Kagenti instance. Note that this is wrong, the correct way to get the needed base64 encoding of an API key is to use echo -n $OPENAI_API_KEY | base64

I created the weather service and attempted to interact with it.

The interactions failed with Error: Failed to process weather request. Connection error. in the Kagenti UI, but my personal OpenAI secret key appeared in the log.

[esnible]

FYI the weather agent still logs "Illegal header value b'Bearer '".
This happens when the Kagenti admin doesn't customize deployments/envs/.secret_values.yaml charts.kagenti.values.secrets.openaiApiKey but leaves it blank.

• A PR for this bug should have the weather agent log, and possibly return to the UI, "Warning: weather agent has no API key (not set during Kagenti installation in charts.kagenti.values.secrets.openaiApiKey"