feat(telemetry): add custom headers for OTLP exports (metrics, tracing, access logs)

[codefromthecrypt]

What type of PR is this?
feat(telemetry): add new feature

What this PR does / why we need it:
Adds support for custom headers on all OTLP/gRPC exports (metrics, tracing, and access logs), enabling authentication with collectors like Elastic Cloud, Datadog, or cloud providers that require API keys or bearer tokens.

This uses Envoy's GrpcService.initial_metadata to send headers as gRPC metadata.

Release Notes: Yes

Notes:
This PR includes an example showing authenticated OTLP exports for all three signals. The example uses otel-tui, but could use anything else.

Changes

• Metrics: Added Headers field to ProxyOpenTelemetrySink in telemetry.metrics.sinks[].openTelemetry
• Tracing: Added Headers field to TracingProvider in telemetry.tracing.provider
• Access Logs: Added Headers field to OpenTelemetryAccessLog in telemetry.accessLog.settings[].sinks[].openTelemetry

All three use the same pattern: a list of HTTPHeader objects with name and value fields.

FAQ

Why not use SecretObjectReference for sensitive headers?

For EnvoyProxy config that supports file-based standalone mode, Kubernetes secrets are not available. Plain text headers are needed regardless.

For example, Honeycomb requires non-secret headers like x-honeycomb-dataset. Secret support can be added in a follow-up for Kubernetes mode.

[codecov]

Codecov Report

❌ Patch coverage is 92.00000% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 72.81%. Comparing base (dd2861f) to head (c3d6f0a).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
internal/gatewayapi/listener.go	66.66%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #7674      +/-   ##
==========================================
+ Coverage   72.77%   72.81%   +0.03%     
==========================================
  Files         235      236       +1     
  Lines       35165    35190      +25     
==========================================
+ Hits        25592    25623      +31     
+ Misses       7756     7750       -6     
  Partials     1817     1817              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[codefromthecrypt]

ok made a revision also to PR desc to hopefully answer questions in comments. I will revisit this again monday if there is more feedback.

[codefromthecrypt]

pulling into draft while I remove the port dodging things for things we can't control yet.

[codefromthecrypt]

also I just realized we never added this for tracing either, so will add that to the PR

[codefromthecrypt]

These problems are too much to do in this PR, and I can over time try to clean these up also

[codefromthecrypt]

@mathetake @anuraaga you might like this sneaky trick to verify the headers/metadata received by otel. propagate them into fake span attrs

[codefromthecrypt]

ok I updated this as I noticed the same thing was missing everywhere, in logs metrics and tracing. fixed so that the tests are coherent and we don't need to go back and clean this up multiple times. There's been a history of fragmentation and not following up later, so doing otel holistically for one thing is a good thing.

[codefromthecrypt]

if this lasts until 2026 I will close it as unplanned/unwanted. I won't be attending to perpetual rebasing. I want to make things better, but this has been a low-light. Not only were things left half-finished, but finishing them has been beyond arduous

[codefromthecrypt]

re ran soup to nuts and the example works fine

[zirain]

/retest

[codefromthecrypt]

does anyone have access to merge this considering there are 2 approvals?

[arkodg]

LGTM thanks