Allow sidecar server to reload TLS certificates by pierDipi · Pull Request #607 · llm-d/llm-d-inference-scheduler

pierDipi · 2026-02-10T11:21:10Z

Enables TLS certificates to be rotated without restarting sidecar and vLLM deployments.

pierDipi · 2026-02-13T08:34:28Z

/cc @shmuelk @elevran

shmuelk · 2026-02-19T12:04:29Z

/lgtm
/approve

pierDipi · 2026-02-23T07:18:28Z

@elevran @shmuelk can we merge this PR?

Copilot

Pull request overview

This PR moves TLS certificate handling into the sidecar proxy server and adds support for reloading TLS certificates from disk so sidecar/vLLM deployments can rotate certs without restarts.

Changes:

Add Config.CertPath and Config.SecureServing, and remove passing a *tls.Certificate into Server.Start().
Configure http.Server.TLSConfig to use GetCertificate, optionally backed by a cert reloader when CertPath is set.
Update sidecar main and proxy tests to use the new config-driven TLS setup.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
cmd/pd-sidecar/main.go	Moves TLS config inputs into `proxy.Config` and updates `Start()` call signature.
pkg/sidecar/proxy/proxy.go	Extends `Config` with TLS fields and updates `Start()`/data-parallel startup signatures.
pkg/sidecar/proxy/proxy_helpers.go	Implements TLS cert loading/self-signed fallback and hooks in cert reloading via `GetCertificate`.
pkg/sidecar/proxy/data_parallel.go	Updates data-parallel startup path to no longer pass a cert into `startHTTP()`.
pkg/sidecar/proxy/proxy_test.go	Updates tests to enable TLS via config rather than injecting a cert.
pkg/sidecar/proxy/data_parallel_test.go	Updates test call sites for the new `startDataParallel()` signature.
pkg/sidecar/proxy/connector_test.go	Updates `Start()` call sites for the new signature.
pkg/sidecar/proxy/connector_nixlv2_test.go	Updates `Start()` call sites for the new signature.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

pkg/sidecar/proxy/data_parallel.go

Copilot · 2026-02-23T07:23:51Z

pkg/sidecar/proxy/proxy_helpers.go

+			tempCert, err = tls.LoadX509KeyPair(s.config.CertPath+"/tls.crt", s.config.CertPath+"/tls.key")
+		} else {
+			tempCert, err = CreateSelfSignedTLSCertificate()
+		}
+		if err != nil {
+			return fmt.Errorf("failed to create TLS certificate: %w", err)
+		}


The error message "failed to create TLS certificate" is used for both loading a keypair from CertPath and generating a self-signed cert. It would be more actionable to distinguish these cases (e.g., include the cert/key filenames when LoadX509KeyPair fails, and a separate message for self-signed generation failure).

Suggested change

tempCert, err = tls.LoadX509KeyPair(s.config.CertPath+"/tls.crt", s.config.CertPath+"/tls.key")

} else {

tempCert, err = CreateSelfSignedTLSCertificate()

}

if err != nil {

return fmt.Errorf("failed to create TLS certificate: %w", err)

}

certFile := s.config.CertPath + "/tls.crt"

keyFile := s.config.CertPath + "/tls.key"

tempCert, err = tls.LoadX509KeyPair(certFile, keyFile)

if err != nil {

return fmt.Errorf("failed to load TLS key pair from cert %q and key %q: %w", certFile, keyFile, err)

}

} else {

tempCert, err = CreateSelfSignedTLSCertificate()

if err != nil {

return fmt.Errorf("failed to generate self-signed TLS certificate: %w", err)

}

}

I like Copilot's suggestion.

Suggested change

tempCert, err = tls.LoadX509KeyPair(s.config.CertPath+"/tls.crt", s.config.CertPath+"/tls.key")

} else {

tempCert, err = CreateSelfSignedTLSCertificate()

}

if err != nil {

return fmt.Errorf("failed to create TLS certificate: %w", err)

}

certFile := s.config.CertPath + "/tls.crt"

keyFile := s.config.CertPath + "/tls.key"

tempCert, err = tls.LoadX509KeyPair(certFile, keyFile)

if err != nil {

return fmt.Errorf("failed to load TLS key pair from cert %q and key %q: %w", certFile, keyFile, err)

}

} else {

tempCert, err = CreateSelfSignedTLSCertificate()

if err != nil {

return fmt.Errorf("failed to generate self-signed TLS certificate: %w", err)

}

}

I can do this improvement but the current logic follows the existing logic and the returned error contains the context of the failure

Copilot · 2026-02-23T07:23:52Z

pkg/sidecar/proxy/proxy_helpers.go

+		if s.config.CertPath != "" {
+			reloader, err := common.NewCertReloader(ctx, s.config.CertPath, cert)
+			if err != nil {
+				return fmt.Errorf("failed to start reloader: %w", err)
+			}


TLS certificate reloading via common.NewCertReloader is newly introduced but doesn’t appear to be covered by tests. Adding an integration/unit test that starts the server with CertPath pointing to a temp dir, rotates tls.crt/tls.key, and verifies a new TLS handshake presents the updated cert would help prevent regressions.

github-actions · 2026-03-02T07:27:10Z

🚨 Unsigned commits detected! Please sign your commits.

For instructions on how to set up GPG/SSH signing and verify your commits, please see GitHub Documentation.

Enables TLS certificates to be rotated without restarting sidecar and vLLM deployments. Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>

Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>

pierDipi · 2026-03-02T07:47:37Z

/cc @shmuelk @elevran @nirrozenbaum

shmuelk · 2026-03-02T08:05:14Z

pkg/sidecar/proxy/proxy_helpers.go

+			tempCert, err = tls.LoadX509KeyPair(s.config.CertPath+"/tls.crt", s.config.CertPath+"/tls.key")
+		} else {
+			tempCert, err = CreateSelfSignedTLSCertificate()
+		}
+		if err != nil {
+			return fmt.Errorf("failed to create TLS certificate: %w", err)
+		}


I like Copilot's suggestion.

Suggested change

tempCert, err = tls.LoadX509KeyPair(s.config.CertPath+"/tls.crt", s.config.CertPath+"/tls.key")

} else {

tempCert, err = CreateSelfSignedTLSCertificate()

}

if err != nil {

return fmt.Errorf("failed to create TLS certificate: %w", err)

}

certFile := s.config.CertPath + "/tls.crt"

keyFile := s.config.CertPath + "/tls.key"

tempCert, err = tls.LoadX509KeyPair(certFile, keyFile)

if err != nil {

return fmt.Errorf("failed to load TLS key pair from cert %q and key %q: %w", certFile, keyFile, err)

}

} else {

tempCert, err = CreateSelfSignedTLSCertificate()

if err != nil {

return fmt.Errorf("failed to generate self-signed TLS certificate: %w", err)

}

}

Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>

elevran · 2026-03-03T08:51:00Z

@shmuelk - can you please clear the Requested changes via the GH UI once this is good to merge from your point of view?

elevran · 2026-03-03T16:26:55Z

@pierDipi will cherry-pick into 0.6.0-RC2 if it's ready in time.

* Allow sidecar server to reload TLS certificates Enables TLS certificates to be rotated without restarting sidecar and vLLM deployments. Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com> * Pass certPath to reloader Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com> * Improvements Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com> --------- Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>

github-project-automation bot added this to llm-d-inference-scheduler Feb 10, 2026

github-actions bot requested review from nilig and nirrozenbaum February 10, 2026 11:21

github-actions bot requested review from elevran and shmuelk February 13, 2026 08:34

github-actions bot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 19, 2026

github-actions bot previously approved these changes Feb 19, 2026

View reviewed changes

github-project-automation bot moved this to In review in llm-d-inference-scheduler Feb 19, 2026

Copilot AI review requested due to automatic review settings February 23, 2026 07:20

pierDipi dismissed github-actions[bot]’s stale review via b1747a6 February 23, 2026 07:20

Copilot started reviewing on behalf of pierDipi February 23, 2026 07:20 View session

Copilot AI reviewed Feb 23, 2026

View reviewed changes

pierDipi force-pushed the sidecar-auto-reload-certs branch from 6262305 to 1d5dbfa Compare March 2, 2026 07:27

pierDipi force-pushed the sidecar-auto-reload-certs branch from 1d5dbfa to cd2c0ea Compare March 2, 2026 07:29

pierDipi added 2 commits March 2, 2026 08:31

Allow sidecar server to reload TLS certificates

6f9cc74

Enables TLS certificates to be rotated without restarting sidecar and vLLM deployments. Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>

Pass certPath to reloader

3a6c935

Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>

pierDipi force-pushed the sidecar-auto-reload-certs branch from cd2c0ea to 3a6c935 Compare March 2, 2026 07:31

shmuelk requested changes Mar 2, 2026

View reviewed changes

Improvements

2f0b129

Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>

pierDipi requested a review from shmuelk March 3, 2026 08:20

elevran added this to the v0.6 milestone Mar 3, 2026

shmuelk approved these changes Mar 4, 2026

View reviewed changes

elevran merged commit c910eeb into llm-d:main Mar 4, 2026
8 checks passed

github-project-automation bot moved this from In review to Done in llm-d-inference-scheduler Mar 4, 2026

pierDipi deleted the sidecar-auto-reload-certs branch March 4, 2026 12:49

Conversation

pierDipi commented Feb 10, 2026

Uh oh!

pierDipi commented Feb 13, 2026

Uh oh!

shmuelk commented Feb 19, 2026

Uh oh!

pierDipi commented Feb 23, 2026

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

Uh oh!

Copilot AI Feb 23, 2026

Choose a reason for hiding this comment

Uh oh!

shmuelk Mar 2, 2026

Choose a reason for hiding this comment

Uh oh!

pierDipi Mar 3, 2026

Choose a reason for hiding this comment

Uh oh!

Copilot AI Feb 23, 2026

Choose a reason for hiding this comment

Uh oh!

github-actions bot commented Mar 2, 2026

Uh oh!

pierDipi commented Mar 2, 2026

Uh oh!

shmuelk Mar 2, 2026

Choose a reason for hiding this comment

Uh oh!

elevran commented Mar 3, 2026

Uh oh!

elevran commented Mar 3, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants