Add support for benchmarking TLS endpoints#319
Conversation
Enable the benchmark and probe commands to target HTTPS endpoints, including those serving self-signed certificates via a new --insecure flag that skips TLS certificate verification on the SSL context used by worker connections. Also fix HttpResponseProtocol.eof_received() to return False so asyncio closes the transport itself; returning True is a no-op on SSL transports (which don't support TCP half-close) and was leaving pending body futures unresolved on connection teardown.
|
MLCommons CLA bot: |
There was a problem hiding this comment.
Pull request overview
This PR enables HTTPS/TLS targeting for the endpoint client used by the benchmark and probe commands, including an opt-in --insecure flag for connecting to endpoints with self-signed/untrusted certificates. It also fixes HttpResponseProtocol.eof_received() to return False so asyncio reliably closes the transport (including SSL transports) and resolves pending body futures on teardown.
Changes:
- Add
insecure(--insecure) toHTTPClientConfigand propagate it into worker TLSssl.SSLContextconfiguration (skip hostname/cert verification when enabled). - Ensure HTTPS connections are actually established by passing an SSL context into the worker connection pool when the endpoint scheme is
https. - Fix
HttpResponseProtocol.eof_received()to returnFalseand update the unit test expectation accordingly; update benchmark config templates andprobeCLI to expose--insecure.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| tests/unit/endpoint_client/test_http.py | Updates unit test to assert eof_received() returns False for correct asyncio transport closure behavior. |
| src/inference_endpoint/endpoint_client/worker.py | Creates and configures an SSL context for https:// endpoints; applies insecure by disabling verification. |
| src/inference_endpoint/endpoint_client/http.py | Changes eof_received() to return False and documents why this is required (especially for SSL transports). |
| src/inference_endpoint/endpoint_client/config.py | Adds insecure config/CLI flag to control TLS certificate verification. |
| src/inference_endpoint/config/templates/online_template_full.yaml | Adds settings.client.insecure to the full online benchmark template. |
| src/inference_endpoint/config/templates/offline_template_full.yaml | Adds settings.client.insecure to the full offline benchmark template. |
| src/inference_endpoint/config/templates/concurrency_template_full.yaml | Adds settings.client.insecure to the full concurrency benchmark template. |
| src/inference_endpoint/commands/probe.py | Adds --insecure to probe CLI and forwards it into HTTPClientConfig. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces an "insecure" configuration option across the inference endpoint client, CLI, and configuration templates to allow skipping TLS certificate verification. Additionally, it updates the eof_received method in the HTTP protocol implementation to return False, ensuring proper transport closure for SSL connections that do not support TCP half-close. I have no feedback to provide as there were no review comments to evaluate.
Enable the benchmark and probe commands to target HTTPS endpoints, including those serving self-signed certificates via a new --insecure flag that skips TLS certificate verification on the SSL context used by worker connections.
Also fix HttpResponseProtocol.eof_received() to return False so asyncio closes the transport itself; returning True is a no-op on SSL transports (which don't support TCP half-close) and was leaving pending body futures unresolved on connection teardown.
What does this PR do?
Type of change
Related issues
Testing
Checklist