initial E/PD extension of the sidecar

Signed-off-by: roytman <roytman@il.ibm.com>

Author: roytman

cmd/pd-sidecar/main.go

@@ -32,22 +32,30 @@ import (
 )
 
 var (
-	// supportedConnectors defines all valid P/D connector types
-	supportedConnectors = []string{
-		proxy.ConnectorNIXLV2,
-		proxy.ConnectorSharedStorage,
-		proxy.ConnectorSGLang,
+	// supportedKVConnectors defines all valid KV (Prefiller-Decoder) connector types
+	supportedKVConnectors = []string{
+		proxy.KVConnectorNIXLV2,
+		proxy.KVConnectorSharedStorage,
+		proxy.KVConnectorSGLang,
+	}
+
+	// supportedECConnectors defines all valid EC (Encoder-Prefiller) connector types
+	supportedECConnectors = []string{
+		proxy.ECExampleConnector,
 	}
 )
 
 func main() {
 	port := flag.String("port", "8000", "the port the sidecar is listening on")
 	vLLMPort := flag.String("vllm-port", "8001", "the port vLLM is listening on")
 	vLLMDataParallelSize := flag.Int("data-parallel-size", 1, "the vLLM DATA-PARALLEL-SIZE value")
-	connector := flag.String("connector", proxy.ConnectorNIXLV2, "the P/D connector being used. Supported: "+strings.Join(supportedConnectors, ", "))
+	kvConnector := flag.String("kv-connector", proxy.KVConnectorNIXLV2, "the KV connector between Prefiller and Decoder. Supported: "+strings.Join(supportedKVConnectors, ", "))
+	ecConnector := flag.String("ec-connector", proxy.ECExampleConnector, "the EC connector between Encoder and Prefiller (optional, for EPD mode). Supported: "+strings.Join(supportedECConnectors, ", "))
 	prefillerUseTLS := flag.Bool("prefiller-use-tls", false, "whether to use TLS when sending requests to prefillers")
+	encoderUseTLS := flag.Bool("encoder-use-tls", false, "whether to use TLS when sending requests to encoders")
 	decoderUseTLS := flag.Bool("decoder-use-tls", false, "whether to use TLS when sending requests to the decoder")
 	prefillerInsecureSkipVerify := flag.Bool("prefiller-tls-insecure-skip-verify", false, "configures the proxy to skip TLS verification for requests to prefiller")
+	encoderInsecureSkipVerify := flag.Bool("encoder-tls-insecure-skip-verify", false, "configures the proxy to skip TLS verification for requests to encoder")
 	decoderInsecureSkipVerify := flag.Bool("decoder-tls-insecure-skip-verify", false, "configures the proxy to skip TLS verification for requests to decoder")
 	secureProxy := flag.Bool("secure-proxy", true, "Enables secure proxy. Defaults to true.")
 	certPath := flag.String(
@@ -72,19 +80,37 @@ func main() {
 
 	logger.Info("Proxy starting", "Built on", version.BuildRef, "From Git SHA", version.CommitSHA)
 
-	// Validate connector
+	// Validate KV connector (Prefiller-Decoder)
 	isValidConnector := false
-	for _, validConnector := range supportedConnectors {
-		if *connector == validConnector {
+	for _, validConnector := range supportedKVConnectors {
+		if *kvConnector == validConnector {
 			isValidConnector = true
 			break
 		}
 	}
 	if !isValidConnector {
-		logger.Info("Error: --connector must be one of: " + strings.Join(supportedConnectors, ", "))
+		logger.Info("Error: --kv-connector must be one of: " + strings.Join(supportedKVConnectors, ", "))
 		return
 	}
-	logger.Info("p/d connector validated", "connector", connector)
+	logger.Info("KV connector (prefiller-decoder) validated", "kvConnector", kvConnector)
+
+	// Validate EC connector (Encoder-Prefiller) if specified
+	if *ecConnector != "" {
+		isValidEncoderConnector := false
+		for _, validConnector := range supportedECConnectors {
+			if *ecConnector == validConnector {
+				isValidEncoderConnector = true
+				break
+			}
+		}
+		if !isValidEncoderConnector {
+			logger.Info("Error: --ec-connector must be one of: " + strings.Join(supportedECConnectors, ", "))
+			return
+		}
+		logger.Info("EC connector (encoder-prefiller) validated", "ecConnector", ecConnector)
+	} else {
+		logger.Info("EC connector (encoder-prefiller) not specified, encoder stage will be skipped")
+	}
 
 	// Determine namespace and pool name for SSRF protection
 	if *enableSSRFProtection {
@@ -127,9 +153,12 @@ func main() {
 	}
 
 	config := proxy.Config{
-		Connector:                   *connector,
+		KVConnector:                 *kvConnector,
+		ECConnector:                 *ecConnector,
 		PrefillerUseTLS:             *prefillerUseTLS,
+		EncoderUseTLS:               *encoderUseTLS,
 		PrefillerInsecureSkipVerify: *prefillerInsecureSkipVerify,
+		EncoderInsecureSkipVerify:   *encoderInsecureSkipVerify,
 		DecoderInsecureSkipVerify:   *decoderInsecureSkipVerify,
 		DataParallelSize:            *vLLMDataParallelSize,
 		EnablePrefillerSampling:     *enablePrefillerSampling,

pkg/sidecar/proxy/chat_completions.go

@@ -54,26 +54,68 @@ func (s *Server) chatCompletionsHandler(w http.ResponseWriter, r *http.Request)
 		}
 	}
 
-	if len(prefillHostPort) == 0 {
-		s.logger.V(4).Info("skip disaggregated prefill")
+	// SSRF Protection: Check if the prefill target is allowed (if provided)
+	if len(prefillHostPort) > 0 {
+		if !s.allowlistValidator.IsAllowed(prefillHostPort) {
+			s.logger.Error(nil, "SSRF protection: prefill target not in allowlist",
+				"target", prefillHostPort,
+				"clientIP", r.RemoteAddr,
+				"userAgent", r.Header.Get("User-Agent"),
+				"requestPath", r.URL.Path)
+			http.Error(w, "Forbidden: prefill target not allowed by SSRF protection", http.StatusForbidden)
+			return
+		}
+		s.logger.V(4).Info("SSRF protection: prefill target allowed", "target", prefillHostPort)
+	}
 
-		if !s.forwardDataParallel || !s.dataParallelHandler(w, r) {
-			s.decoderProxy.ServeHTTP(w, r)
+	// Check if encoder headers are present to determine if we should use EPD protocol
+	encoderHostPorts := r.Header.Values(common.EncoderHostsPortsHeader)
+	if len(encoderHostPorts) == 1 {
+		encoderHostPorts = strings.Split(encoderHostPorts[0], ",")
+	}
+
+	// SSRF Protection: Filter encoder targets to only allowed hosts
+	var allowedEncoders []string
+	if len(encoderHostPorts) > 0 {
+		allowedEncoders = make([]string, 0, len(encoderHostPorts))
+		for _, encoderHost := range encoderHostPorts {
+			encoderHost = strings.TrimSpace(encoderHost)
+			if s.allowlistValidator.IsAllowed(encoderHost) {
+				allowedEncoders = append(allowedEncoders, encoderHost)
+				s.logger.V(4).Info("SSRF protection: encoder target allowed", "target", encoderHost)
+			} else {
+				s.logger.Info("SSRF protection: encoder target not in allowlist, removing from list",
+					"target", encoderHost,
+					"clientIP", r.RemoteAddr,
+					"userAgent", r.Header.Get("User-Agent"),
+					"requestPath", r.URL.Path)
+			}
 		}
-		return
 	}
 
-	// SSRF Protection: Check if the prefill target is allowed
-	if !s.allowlistValidator.IsAllowed(prefillHostPort) {
-		s.logger.Error(nil, "SSRF protection: prefill target not in allowlist",
-			"target", prefillHostPort,
-			"clientIP", r.RemoteAddr,
-			"userAgent", r.Header.Get("User-Agent"),
-			"requestPath", r.URL.Path)
-		http.Error(w, "Forbidden: prefill target not allowed by SSRF protection", http.StatusForbidden)
+	// Determine which protocol to use
+	if len(allowedEncoders) > 0 && s.runEPDConnectorProtocol != nil {
+		// Use EPD protocol (Encoder-Prefiller-Decoder or Encoder-Decoder)
+		s.logger.V(4).Info("encoder headers detected, using EPD protocol",
+			"encoderCount", len(allowedEncoders),
+			"hasPrefiller", len(prefillHostPort) > 0)
+		s.runEPDConnectorProtocol(w, r, prefillHostPort, allowedEncoders)
 		return
 	}
 
-	s.logger.V(4).Info("SSRF protection: prefill target allowed", "target", prefillHostPort)
-	s.runConnectorProtocol(w, r, prefillHostPort)
+	// If all encoders were filtered out, log and fall through
+	if len(encoderHostPorts) > 0 && len(allowedEncoders) == 0 {
+		s.logger.Info("SSRF protection: all encoder targets filtered out, falling back to P/D or decoder-only")
+	}
+
+	// Use P/D protocol or decoder-only
+	if len(prefillHostPort) > 0 {
+		s.logger.V(4).Info("using P/D protocol")
+		s.runPDConnectorProtocol(w, r, prefillHostPort)
+	} else {
+		s.logger.V(4).Info("no prefiller or encoder, using decoder only")
+		if !s.forwardDataParallel || !s.dataParallelHandler(w, r) {
+			s.decoderProxy.ServeHTTP(w, r)
+		}
+	}
 }

pkg/sidecar/proxy/chat_completions_test.go

@@ -119,7 +119,7 @@ func TestServer_chatCompletionsHandler(t *testing.T) {
 				s.prefillSamplerFn = func(n int) int { return i % n }
 				// verify the hostPort value
 				var hostPort string
-				s.runConnectorProtocol = func(_ http.ResponseWriter, _ *http.Request, selectedHostPort string) { hostPort = selectedHostPort }
+				s.runPDConnectorProtocol = func(_ http.ResponseWriter, _ *http.Request, selectedHostPort string) { hostPort = selectedHostPort }
 				var passthrough bool
 				s.decoderProxy = http.HandlerFunc(func(_ http.ResponseWriter, _ *http.Request) {
 					passthrough = true