Enable reverse proxy in server-requesting pod

[delavet]

Based on our discussion in #363, I have split PR #363 and am resubmitting this PR to introduce the first part of the changes: adding a reverse proxy for server-requesting pods.
I have re-conducted the reverse proxy overhead experiments, primarily updating the experimental parameter configurations and adding monitoring and analysis of pod resource usage. For details, please refer to the documentation below.

https://docs.google.com/document/d/1qX4KtcTJEfdatgVmtsveOMfjm883MG-HW-e7ddmlqkA/edit?usp=sharing

The part on dynamic port allocation in PR #363 can be considered for addition after Milestone 3.

[aavarghese]

There's a strange period at the end here...

[MikeSpreitzer]

Yes. Please change it to a regular period (character code 0x2E).

[rubambiza]

A few suggested changes for debugging and code readability. Not major blockers.

[rubambiza]

Perhaps we should include the requesting pod ip:port pair in the error for troubleshooting an environment with multiple requesters?

[MikeSpreitzer]

The error message should include both host:port pairs.

[rubambiza]

The type being proxy and having a field named proxy is a bit confusing. I'd like to suggest making the type more specific to what it does in FMA, though I don't have an appropriate name off the top of my head.

[MikeSpreitzer]

I agree. But I think that this is moot because it should be a TCP proxy rather than an HTTP proxy.

[MikeSpreitzer]

"start" or "run"?

[delavet]

IMO, “start” is used in error messages (describing the action of failing to start the server). “Run” as a function name indicates a blocking call—the server has started and continues running.
Both terms are semantically correct: the Run() function is invoked to start the server.

[MikeSpreitzer]

If the Run function really is blocking (and I mention this because Kubernetes code has a bad habit of using the wrong name) then saying "start" in the error message is, at best, risky code: it depends on Run only erring during the start phase --- and violations of this expectation are not checked (except by you, too late, when you are debugging). It would be correct to say "failed to run" in response to an error from Run.

[MikeSpreitzer]

New files should be born with the current year here.

[MikeSpreitzer]

This should be declared in a common place where the dual-pods controller can use it too.

[MikeSpreitzer]

Maybe these two timeouts should be configurable?

[MikeSpreitzer]

The level of pointer indirection here is just unhelpful complexity. It could be just

var instance proxy

[MikeSpreitzer]

This code is unnecessary complexity. Just delete it.

[MikeSpreitzer]

The proxy also implements GET /v1/proxy/init, and that should be documented too.

[MikeSpreitzer]

Since there is also a GET on the same path, the design should be modified to conform to REST. Define a schema for the resource at /v1/proxy/init (or maybe just /v1/proxy or /v1/proxy/config?), and define PUT and GET to write and read this resource. GET when uninitialized returns HTTP status 404.

[MikeSpreitzer]

HTTP is too specific. It forecloses things like HTTPS and HTTP 2 or 3. The proxy should be simply a TCP proxy.

[MikeSpreitzer]

I have some comments on the study in https://docs.google.com/document/d/1qX4KtcTJEfdatgVmtsveOMfjm883MG-HW-e7ddmlqkA

"20 req/sec" is cited as a concurrency level, but that is actually a rate. Please be accurate and give a short sharp statement of the behavior of the benchmarking client(s).

Does every request go on a new TCP connection? If not then there is an additional thing to measure, the added latency in TCP connection setup. The measurement would be something like time from (a) client sending request to open connection to (b) client receiving first token from first request.

When doing performance studies we usually pay attention to the distribution of the result. Stuff like average, median, and high percentiles (90, 95, 99, 99.9). Of course, for high percentiles you need enough cycles to get statistically significant results.

[delavet]

I have some comments on the study in https://docs.google.com/document/d/1qX4KtcTJEfdatgVmtsveOMfjm883MG-HW-e7ddmlqkA

"20 req/sec" is cited as a concurrency level, but that is actually a rate. Please be accurate and give a short sharp statement of the behavior of the benchmarking client(s).

Does every request go on a new TCP connection? If not then there is an additional thing to measure, the added latency in TCP connection setup. The measurement would be something like time from (a) client sending request to open connection to (b) client receiving first token from first request.

When doing performance studies we usually pay attention to the distribution of the result. Stuff like average, median, and high percentiles (90, 95, 99, 99.9). Of course, for high percentiles you need enough cycles to get statistically significant results.

Thanks! I’ve just refactored the proxy into a pure TCP proxy. I still need a bit more time to set up a new experiment and investigate these issues.

[aavarghese]

Can we add a new test case to our e2e suite here right after Multiple Instances Share One Launcher?

Claude generated test below:

# ---------------------------------------------------------------------------
# Reverse Proxy Initialization and Forwarding
# ---------------------------------------------------------------------------

intro_case Reverse Proxy Initialization and Forwarding

# Verify the proxy is initialized and pointing at launcher1's IP
kubectl port-forward pod/"$req3" 28091:8081 -n "$NS" &
PF_SPI_PID=$!
sleep 2

proxy_resp=$(curl -sf "http://localhost:28091/v1/proxy/init" 2>/dev/null || echo "")
kill "$PF_SPI_PID" 2>/dev/null || true
wait "$PF_SPI_PID" 2>/dev/null || true

if ! echo "$proxy_resp" | grep -q "proxying to"; then
    echo "ERROR: expected proxy to be initialized, got: '$proxy_resp'" >&2
    exit 1
fi
echo "Proxy is initialized: $proxy_resp"

launcher1_ip=$(kubectl get pod "$launcher1" -n "$NS" -o jsonpath='{.status.podIP}')
if ! echo "$proxy_resp" | grep -qF "$launcher1_ip"; then
    echo "ERROR: proxy target does not contain launcher IP $launcher1_ip: '$proxy_resp'" >&2
    exit 1
fi
echo "Proxy target matches launcher IP: $launcher1_ip"

# On OpenShift the launcher runs a real vLLM — verify traffic actually flows
# through the TCP proxy port (8082) to the launcher's vLLM /health endpoint.
if [ "$E2E_PLATFORM" = "openshift" ]; then
    kubectl port-forward pod/"$req3" 28092:8082 -n "$NS" &
    PF_PROXY_PID=$!
    sleep 2

    health_status=$(curl -s -o /dev/null -w "%{http_code}" \
        "http://localhost:28092/health" 2>/dev/null || echo "000")
    kill "$PF_PROXY_PID" 2>/dev/null || true
    wait "$PF_PROXY_PID" 2>/dev/null || true

    if [ "$health_status" != "200" ]; then
        echo "ERROR: vLLM /health via proxy port returned $health_status (expected 200)" >&2
        exit 1
    fi
    echo "Proxy forwarding verified: /health via proxy port → 200"
fi

cheer Successful reverse proxy initialization and forwarding