Allow sidecar server to reload TLS certificates

Enables TLS certificates to be rotated without restarting
sidecar and vLLM deployments.

Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>

Author: pierDipi

cmd/pd-sidecar/main.go

@@ -16,7 +16,6 @@ limitations under the License.
 package main
 
 import (
-	"crypto/tls"
 	"flag"
 	"net/url"
 	"os"
@@ -111,28 +110,15 @@ func main() {
 		return
 	}
 
-	var cert *tls.Certificate
-	if *secureProxy {
-		var tempCert tls.Certificate
-		if *certPath != "" {
-			tempCert, err = tls.LoadX509KeyPair(*certPath+"/tls.crt", *certPath+"/tls.key")
-		} else {
-			tempCert, err = proxy.CreateSelfSignedTLSCertificate()
-		}
-		if err != nil {
-			logger.Error(err, "failed to create TLS certificate")
-			return
-		}
-		cert = &tempCert
-	}
-
 	config := proxy.Config{
 		Connector:                   *connector,
 		PrefillerUseTLS:             *prefillerUseTLS,
 		PrefillerInsecureSkipVerify: *prefillerInsecureSkipVerify,
 		DecoderInsecureSkipVerify:   *decoderInsecureSkipVerify,
 		DataParallelSize:            *vLLMDataParallelSize,
 		EnablePrefillerSampling:     *enablePrefillerSampling,
+		SecureServing:               *secureProxy,
+		CertPath:                    *certPath,
 	}
 
 	// Create SSRF protection validator
@@ -144,7 +130,7 @@ func main() {
 
 	proxyServer := proxy.NewProxy(*port, targetURL, config)
 
-	if err := proxyServer.Start(ctx, cert, validator); err != nil {
+	if err := proxyServer.Start(ctx, validator); err != nil {
 		logger.Error(err, "failed to start proxy server")
 	}
 }

pkg/sidecar/proxy/connector_nixlv2_test.go

@@ -41,7 +41,7 @@ var _ = Describe("NIXL Connector (v2)", func() {
 			defer GinkgoRecover()
 
 			validator := &AllowlistValidator{enabled: false}
-			err := testInfo.proxy.Start(testInfo.ctx, nil, validator)
+			err := testInfo.proxy.Start(testInfo.ctx, validator)
 			Expect(err).ToNot(HaveOccurred())
 
 			testInfo.stoppedCh <- struct{}{}

pkg/sidecar/proxy/connector_test.go

@@ -59,7 +59,7 @@ var _ = Describe("Common Connector tests", func() {
 					defer GinkgoRecover()
 
 					validator := &AllowlistValidator{enabled: false}
-					err := testInfo.proxy.Start(testInfo.ctx, nil, validator)
+					err := testInfo.proxy.Start(testInfo.ctx, validator)
 					Expect(err).ToNot(HaveOccurred())
 
 					testInfo.stoppedCh <- struct{}{}
@@ -121,7 +121,7 @@ var _ = Describe("Common Connector tests", func() {
 					defer GinkgoRecover()
 
 					validator := &AllowlistValidator{enabled: false}
-					err := testInfo.proxy.Start(testInfo.ctx, nil, validator)
+					err := testInfo.proxy.Start(testInfo.ctx, validator)
 					Expect(err).ToNot(HaveOccurred())
 
 					testInfo.stoppedCh <- struct{}{}

pkg/sidecar/proxy/data_parallel.go

@@ -2,7 +2,6 @@ package proxy
 
 import (
 	"context"
-	"crypto/tls"
 	"net"
 	"net/http"
 	"net/url"
@@ -35,7 +34,7 @@ func (s *Server) dataParallelHandler(w http.ResponseWriter, r *http.Request) boo
 	return false
 }
 
-func (s *Server) startDataParallel(ctx context.Context, cert *tls.Certificate, grp *errgroup.Group) error {
+func (s *Server) startDataParallel(ctx context.Context, grp *errgroup.Group) error {
 	podIP := os.Getenv("POD_IP")
 	basePort, err := strconv.Atoi(s.port)
 	if err != nil {
@@ -79,7 +78,7 @@ func (s *Server) startDataParallel(ctx context.Context, cert *tls.Certificate, g
 			clone.handler = clone.createRoutes()
 			clone.setConnector()
 
-			return clone.startHTTP(ctx, cert)
+			return clone.startHTTP(ctx)
 		})
 	}
 	return nil

pkg/sidecar/proxy/data_parallel_test.go

@@ -62,7 +62,7 @@ var _ = Describe("Data Parallel support", func() {
 			theProxy.allowlistValidator, err = NewAllowlistValidator(false, DefaultPoolGroup, "", "")
 			Expect(err).ToNot(HaveOccurred())
 
-			err = theProxy.startDataParallel(ctx, nil, grp)
+			err = theProxy.startDataParallel(ctx, grp)
 			Expect(err).ToNot(HaveOccurred())
 
 			Expect(theProxy.dataParallelProxies).To(HaveLen(testDataParallelSize))

pkg/sidecar/proxy/proxy.go

@@ -93,6 +93,11 @@ type Config struct {
 	// EnablePrefillerSampling configures the proxy to randomly choose from the set
 	// of provided prefill hosts instead of always using the first one.
 	EnablePrefillerSampling bool
+
+	// CertPath is the path to TLS certificates for the sidecar server.
+	CertPath string
+	// SecureServing enables TLS for the sidecar server.
+	SecureServing bool
 }
 
 type protocolRunner func(http.ResponseWriter, *http.Request, string)
@@ -143,7 +148,7 @@ func NewProxy(port string, decodeURL *url.URL, config Config) *Server {
 }
 
 // Start the HTTP reverse proxy.
-func (s *Server) Start(ctx context.Context, cert *tls.Certificate, allowlistValidator *AllowlistValidator) error {
+func (s *Server) Start(ctx context.Context, allowlistValidator *AllowlistValidator) error {
 	s.logger = log.FromContext(ctx).WithName("proxy server on port " + s.port)
 
 	s.allowlistValidator = allowlistValidator
@@ -152,12 +157,12 @@ func (s *Server) Start(ctx context.Context, cert *tls.Certificate, allowlistVali
 	s.handler = s.createRoutes()
 
 	grp, ctx := errgroup.WithContext(ctx)
-	if err := s.startDataParallel(ctx, cert, grp); err != nil {
+	if err := s.startDataParallel(ctx, grp); err != nil {
 		return err
 	}
 
 	grp.Go(func() error {
-		return s.startHTTP(ctx, cert)
+		return s.startHTTP(ctx)
 	})
 
 	return grp.Wait()

pkg/sidecar/proxy/proxy_helpers.go

@@ -4,16 +4,19 @@ import (
 	"context"
 	"crypto/tls"
 	"errors"
+	"fmt"
 	"net"
 	"net/http"
 	"net/http/httputil"
 	"net/url"
 	"syscall"
 	"time"
+
+	"sigs.k8s.io/gateway-api-inference-extension/pkg/common"
 )
 
 // startHTTP starts the HTTP reverse proxy.
-func (s *Server) startHTTP(ctx context.Context, cert *tls.Certificate) error {
+func (s *Server) startHTTP(ctx context.Context) error {
 	// Start SSRF protection validator
 	if err := s.allowlistValidator.Start(ctx); err != nil {
 		s.logger.Error(err, "Failed to start allowlist validator")
@@ -35,11 +38,36 @@ func (s *Server) startHTTP(ctx context.Context, cert *tls.Certificate) error {
 		MaxHeaderBytes:    1 << 20,           // 1 MB for headers is sufficient
 	}
 
-	// Create TLS certificates
+	var cert *tls.Certificate
+	if s.config.SecureServing {
+		var tempCert tls.Certificate
+		if s.config.CertPath != "" {
+			tempCert, err = tls.LoadX509KeyPair(s.config.CertPath+"/tls.crt", s.config.CertPath+"/tls.key")
+		} else {
+			tempCert, err = CreateSelfSignedTLSCertificate()
+		}
+		if err != nil {
+			return fmt.Errorf("failed to create TLS certificate: %w", err)
+		}
+		cert = &tempCert
+	}
+
 	if cert != nil {
+		getCertificate := func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
+			return cert, nil
+		}
+		if s.config.CertPath != "" {
+			reloader, err := common.NewCertReloader(ctx, "", cert)
+			if err != nil {
+				return fmt.Errorf("failed to start reloader: %w", err)
+			}
+			getCertificate = func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
+				return reloader.Get(), nil
+			}
+		}
+
 		server.TLSConfig = &tls.Config{
-			Certificates: []tls.Certificate{*cert},
-			MinVersion:   tls.VersionTLS12,
+			MinVersion: tls.VersionTLS12,
 			CipherSuites: []uint16{
 				tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 				tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
@@ -48,6 +76,7 @@ func (s *Server) startHTTP(ctx context.Context, cert *tls.Certificate) error {
 				tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
 				tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
 			},
+			GetCertificate: getCertificate,
 		}
 		s.logger.Info("server TLS configured")
 	}

pkg/sidecar/proxy/proxy_test.go

@@ -53,12 +53,6 @@ var _ = Describe("Reverse Proxy", func() {
 			func(path string, secureProxy bool) {
 
 				ctx := newTestContext()
-				var cert *tls.Certificate
-				if secureProxy {
-					tempCert, err := CreateSelfSignedTLSCertificate()
-					Expect(err).ToNot(HaveOccurred())
-					cert = &tempCert
-				}
 
 				ackHandlerFn := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 					w.WriteHeader(200)
@@ -70,7 +64,9 @@ var _ = Describe("Reverse Proxy", func() {
 				targetURL, err := url.Parse(decodeBackend.URL)
 				Expect(err).ToNot(HaveOccurred())
 
-				cfg := Config{}
+				cfg := Config{
+					SecureServing: secureProxy,
+				}
 				proxy := NewProxy("0", targetURL, cfg) // port 0 to automatically choose one that's available.
 
 				ctx, cancelFn := context.WithCancel(ctx)
@@ -80,7 +76,7 @@ var _ = Describe("Reverse Proxy", func() {
 					defer GinkgoRecover()
 
 					validator := &AllowlistValidator{enabled: false}
-					err := proxy.Start(ctx, cert, validator)
+					err := proxy.Start(ctx, validator)
 					Expect(err).ToNot(HaveOccurred())
 					stoppedCh <- struct{}{}
 				}()
@@ -180,7 +176,7 @@ var _ = Describe("Reverse Proxy", func() {
 					defer GinkgoRecover()
 
 					validator := &AllowlistValidator{enabled: false}
-					err := proxy.Start(ctx, nil, validator)
+					err := proxy.Start(ctx, validator)
 					Expect(err).ToNot(HaveOccurred())
 					stoppedCh <- struct{}{}
 				}()
@@ -254,7 +250,7 @@ var _ = Describe("Reverse Proxy", func() {
 					defer GinkgoRecover()
 
 					validator := &AllowlistValidator{enabled: false}
-					err := proxy.Start(ctx, nil, validator)
+					err := proxy.Start(ctx, validator)
 					Expect(err).ToNot(HaveOccurred())
 					stoppedCh <- struct{}{}
 				}()