Skip to content

Support scraping metrics from target running with TLS #1190

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Jul 22, 2025
Merged

Support scraping metrics from target running with TLS #1190

merged 5 commits into from
Jul 22, 2025

Conversation

pierDipi
Copy link
Contributor

vLLM server can run with TLS and metrics scraping doesn't work currently in that case.

Support setting --model-server-metrics-scheme=http|https and --model-server-metrics-https-insecure-skip-verify=false|true.

The change is backward compatible.

Fixes #1189

@netlify Netlify
Copy link

netlify bot commented Jul 18, 2025
edited
Loading

Deploy Preview for gateway-api-inference-extension ready!

Name Link
🔨 Latest commit d26fb0d
🔍 Latest deploy log https://app.netlify.com/projects/gateway-api-inference-extension/deploys/687fcfc701594e00087c0dac
😎 Deploy Preview https://deploy-preview-1190--gateway-api-inference-extension.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Jul 18, 2025
@k8s-ci-robot
Copy link
Contributor

Welcome @pierDipi!

It looks like this is your first PR to kubernetes-sigs/gateway-api-inference-extension 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/gateway-api-inference-extension has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jul 18, 2025
@k8s-ci-robot
Copy link
Contributor

Hi @pierDipi. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Jul 18, 2025
@pierDipi
Copy link
Contributor Author

/cc @nirrozenbaum @ahg-g @kfswain

@nirrozenbaum
Copy link
Contributor

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jul 18, 2025
@pierDipi pierDipi force-pushed the https-scraping branch 2 times, most recently from 84a7c4d to 5d5825c Compare July 18, 2025 10:48
@pierDipi
Support scraping metrics from target running with TLS
bb8696c 
vLLM server can run with TLS and metrics scraping doesn't
work currently in that case.

Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>
kfswain
kfswain reviewed Jul 18, 2025
View reviewed changes
cmd/epp/runner/runner.go
modelServerMetricsPort = flag.Int("model-server-metrics-port", 0, "Port to scrape metrics from pods. "+
"Default value will be set to InferencePool.Spec.TargetPortNumber if not set.")
modelServerMetricsPath = flag.String("model-server-metrics-path", "/metrics", "Path to scrape metrics from pods")
modelServerMetricsPath = flag.String("model-server-metrics-path", "/metrics", "Path to scrape metrics from pods")
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great! Do you mind adding these flags (with the same defaults) to the helm chart? Example:

gateway-api-inference-extension/config/charts/inferencepool/templates/epp-deployment.yaml

Line 41 in 6cf8f31

- "--enable-pprof={{ .Values.inferenceExtension.enablePprof }}"

Thanks!

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the feedback Kellen, done!

@kfswain
Copy link
Collaborator

kfswain commented Jul 18, 2025

Looks great! Just adding a request to update helm also. Thanks!

@pierDipi
Add '--model-server-metrics-*' flags to Helm values and EPP template
5110a95 
Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>
@pierDipi pierDipi requested a review from kfswain July 21, 2025 07:39
@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 22, 2025
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 22, 2025
elevran
elevran reviewed Jul 22, 2025
View reviewed changes
Copy link
Contributor

@elevran elevran left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code wise - LGTM.
Not clear how the CA for the metrics endpoint certificate is added to the HTTPS client configuration in GIE.

cmd/epp/runner/runner.go
metricsHttpClient = &http.Client{
Transport: &http.Transport{
TLSClientConfig: &tls.Config{
InsecureSkipVerify: *modelServerMetricsHttpsInsecureSkipVerify,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

how is the CA added to the TLS context? Is it intended to be added to the default certificate roots in the image?
Without adding the CA to the allowed list - won't you be forced to always use insecure-skip-verify set to true?

Copy link
Contributor

@ahg-g ahg-g Jul 22, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree, we should actually remove the flag for now and set this to true

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@elevran agreed that this is suboptimal. Unfortunately this seems to be blocking downstream & is being pushed to be included in a v0.5.1 patch. WE will move forward with this, but would like @pierDipi to create an issue to track CA validation to help prevent MITM vulnerabilites.

Copy link
Contributor Author

@pierDipi pierDipi Jul 23, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In Go, we can inject the default loaded CA certs file and dirs paths via env variables https://go.dev/src/crypto/x509/root_unix.go or use well-known files/directories https://go.dev/src/crypto/x509/root_linux.go:

	// certFileEnv is the environment variable which identifies where to locate
	// the SSL certificate file. If set this overrides the system default.
	certFileEnv = "SSL_CERT_FILE"

	// certDirEnv is the environment variable which identifies which directory
	// to check for SSL certificate files. If set this overrides the system default.
	// It is a colon separated list of directories.
	// See https://www.openssl.org/docs/man1.0.2/man1/c_rehash.html.
	certDirEnv = "SSL_CERT_DIR"
// Possible certificate files; stop after finding one.
var certFiles = []string{
	"/etc/ssl/certs/ca-certificates.crt",                // Debian/Ubuntu/Gentoo etc.
	"/etc/pki/tls/certs/ca-bundle.crt",                  // Fedora/RHEL 6
	"/etc/ssl/ca-bundle.pem",                            // OpenSUSE
	"/etc/pki/tls/cacert.pem",                           // OpenELEC
	"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7
	"/etc/ssl/cert.pem",                                 // Alpine Linux
}

// Possible directories with certificate files; all will be read.
var certDirectories = []string{
	"/etc/ssl/certs",     // SLES10/SLES11, https://golang.org/issue/12139
	"/etc/pki/tls/certs", // Fedora/RHEL
}

func init() {
	if goos.IsAndroid == 1 {
		certDirectories = append(certDirectories,
			"/system/etc/security/cacerts",    // Android system roots
			"/data/misc/keychain/certs-added", // User trusted CA folder
		)
	}
}

do we still want to add the explicit CA path flags or we can leverage built-in/standard methods to inject custom CA bundles?

Copy link
Contributor

@elevran elevran Jul 23, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@pierDipi as far as I can tell, this configures Go for directory locations where CA files are located.
I think the question is which component is responsible for adding the relevant CA(s) to the EPP Pods. Without orchestrating that, we would need to skip verification on the client (EPP) side since there's no assurance the CA signing the vLLM certs is known to the EPP.
It's a process/deployment concern, not a technical limitation per-se.
Agree it's better handled in a separate issue/PR and we use insecure-skip-verify=true for now to get the encryption enabled.

ahg-g
ahg-g reviewed Jul 22, 2025
View reviewed changes
ahg-g
ahg-g reviewed Jul 22, 2025
View reviewed changes
@kfswain @ahg-g
Update config/charts/inferencepool/values.yaml
54dcf0d 
Co-authored-by: Abdullah Gharaibeh <40361897+ahg-g@users.noreply.github.com>
@kfswain @ahg-g
Update cmd/epp/runner/runner.go
d26fb0d 
Co-authored-by: Abdullah Gharaibeh <40361897+ahg-g@users.noreply.github.com>
@kfswain
Copy link
Collaborator

kfswain commented Jul 22, 2025

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 22, 2025
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kfswain, pierDipi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 22, 2025
@k8s-ci-robot k8s-ci-robot merged commit 7f5ccbf into kubernetes-sigs:main Jul 22, 2025
9 checks passed
kfswain added a commit that referenced this pull request Jul 22, 2025
@pierDipi @kfswain @ahg-g
Support scraping metrics from target running with TLS (#1190)
b4cf5e2 
* Support scraping metrics from target running with TLS

vLLM server can run with TLS and metrics scraping doesn't
work currently in that case.

Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>

* Add '--model-server-metrics-*' flags to Helm values and EPP template

Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>

* Update config/charts/inferencepool/values.yaml

Co-authored-by: Abdullah Gharaibeh <40361897+ahg-g@users.noreply.github.com>

* Update cmd/epp/runner/runner.go

Co-authored-by: Abdullah Gharaibeh <40361897+ahg-g@users.noreply.github.com>

---------

Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>
Co-authored-by: Kellen Swain <kfswain@google.com>
Co-authored-by: Abdullah Gharaibeh <40361897+ahg-g@users.noreply.github.com>
@elevran elevran mentioned this pull request Jul 24, 2025
Closed
11 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ahg-g ahg-g ahg-g left review comments

@danehans danehans Awaiting requested review from danehans

@robscott robscott Awaiting requested review from robscott

@nirrozenbaum nirrozenbaum Awaiting requested review from nirrozenbaum

@kfswain kfswain Awaiting requested review from kfswain

+1 more reviewer

@elevran elevran elevran left review comments

Reviewers whose approvals may not affect merge requirements
Assignees

@kfswain kfswain

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Support scraping metrics from target running with TLS
6 participants
@pierDipi @k8s-ci-robot @nirrozenbaum @kfswain @elevran @ahg-g