Add nvidia-vss-data-infrastructure 1.0.0 (NVIDIA VSS Blueprint 2.4.1)

[blik616287]

nvidia-vss-data-infrastructure — upstream VSS 2.4.1, pack 1.0.0

The VSS data layer (Neo4j/ArangoDB/MinIO/Milvus/etcd/Elasticsearch) + hf-token-secret + vss-platform ConfigMap.

Versioning: chart/pack version: 1.0.0 (our packaging) · appVersion: 2.4.1 (upstream NVIDIA VSS Blueprint). Images pinned in values.yaml pack.content.images.

Tested on NVIDIA GB10 / DGX Spark (arm64 SBSA)

Deployed via Palette add-on cluster profile vss-dgx-spark-2.4 on edge cluster edge-gx10 (node edge-2436016cbfdf11d3b5eb30c5993e9cd0, single GB10, device-plugin time-slicing = 4 slices). Full stack green:

    NAME                                                     READY  STATUS   AGE
    arango-db-arango-db-deployment-7bb7bf487c-2nsdd          1/1    Running  3h31m
    elasticsearch-elasticsearch-deployment-6574595875-tvc66  1/1    Running  3h31m
    etcd-etcd-deployment-678d465556-gtgjx                    1/1    Running  3h31m
    llm-vllm-75747fff86-w4g4l                                2/2    Running  3h5m
    milvus-milvus-deployment-858fbc46c7-dwjj5                1/1    Running  3h31m
    milvus-minio-milvus-minio-deployment-559fff5f74-47xgq    1/1    Running  3h31m
    minio-minio-deployment-646d9975d5-4fb6n                  1/1    Running  3h31m
    nemo-embedding-embedding-deployment-975db54d4-xwz8w      1/1    Running  3h6m
    neo4j-neo4j-deployment-97fd6f4f5-27d5s                   1/1    Running  3h31m
    vss-vss-deployment-6bb9d89d6b-hrbhc                      1/1    Running  66m

• vss-engine GET /health/ready → 200
• Cosmos-Reason2-8B VLM loaded on GPU; vLLM LLM (llm-nim-svc) ready; embedding NIM ready.

Cluster profile composition (install-priority order) — secrets masked

profile JSON (masked)

{
  "profileName": "vss-dgx-spark-2.4",
  "type": "add-on",
  "cloudType": "all",
  "packs": [
    {
      "name": "nvidia-vss-data-infrastructure",
      "version": "1.0.0",
      "layer": "addon",
      "appVersion": "2.4.1",
      "installPriority": 5
    },
    {
      "name": "nvidia-vss-core-nims",
      "version": "1.0.0",
      "layer": "addon",
      "appVersion": "2.4.1",
      "installPriority": 10
    },
    {
      "name": "nvidia-vss-vllm",
      "version": "1.0.0",
      "layer": "addon",
      "appVersion": "2.4.1",
      "installPriority": 12
    },
    {
      "name": "nvidia-vss-application",
      "version": "1.0.0",
      "layer": "addon",
      "appVersion": "2.4.1",
      "installPriority": 15
    }
  ],
  "variables": [
    {
      "name": "VSS_PLATFORM",
      "sensitive": false,
      "default": "DGX-SPARK"
    },
    {
      "name": "NGC_API_KEY",
      "sensitive": true,
      "default": null
    },
    {
      "name": "HF_TOKEN",
      "sensitive": true,
      "default": null
    },
    {
      "name": "GRAPH_DB_USERNAME",
      "sensitive": false,
      "default": "neo4j"
    },
    {
      "name": "GRAPH_DB_PASSWORD",
      "sensitive": true,
      "default": "<masked>"
    },
    {
      "name": "MINIO_ACCESS_KEY",
      "sensitive": false,
      "default": "vssminio"
    },
    {
      "name": "MINIO_SECRET_KEY",
      "sensitive": true,
      "default": "<masked>"
    },
    {
      "name": "ARANGO_DB_USERNAME",
      "sensitive": false,
      "default": "root"
    },
    {
      "name": "ARANGO_DB_PASSWORD",
      "sensitive": true,
      "default": "<masked>"
    }
  ]
}

Validated end-to-end: this pack deploys and reaches Ready as part of the VSS 2.4.1 stack on DGX Spark. Pack values use {{.spectro.var.*}} macros (NGC_API_KEY / HF_TOKEN / DB creds) supplied as masked profile variables — no secrets in the pack.

[bulwark-spectrocloud]

✅ Combined scan completed successfully.

⚠️ Secret Scan Results:

• Found 3 secret(s) in 1 image(s)

Image 1: milvusdb/milvus:v2.6.5

• Secrets detected: 3
• Fingerprints:
  • AsymmetricPrivateKey:/milvus/configs/cert/ca.key:2
  • AsymmetricPrivateKey:/milvus/configs/cert/client.key:2
  • AsymmetricPrivateKey:/milvus/configs/cert/server.key:2

Please review the findings above and address any issues before merging.

[bulwark-spectrocloud]

✅ CVE scan completed successfully.

Scan Summary:

• Total images scanned: 7
• Clean images: 1
• Images with CVEs: 6
• Total CVEs found: 4272

🔴 Critical CVEs: 74
🟠 High CVEs: 546
🟡 Medium CVEs: 1478
🟢 Low CVEs: 2174

Images with CVEs:

• arangodb:3.12.6: 228 CVEs (Critical: 7, High: 33, Medium: 22, Low: 166)
  Critical CVEs: CVE-2025-68121, CVE-2026-27143, CVE-2026-31789, CVE-2026-4800
• elasticsearch:8.17.3: 160 CVEs (Critical: 15, High: 29, Medium: 22, Low: 94)
  Critical CVEs: CVE-2018-13410, CVE-2019-1010022, CVE-2021-33574, CVE-2021-46848, CVE-2025-66516, CVE-2026-42579, CVE-2026-42581, CVE-2026-42584
• milvusdb/etcd:3.5.23-r2: 413 CVEs (Critical: 14, High: 48, Medium: 50, Low: 301)
  Critical CVEs: CVE-2021-46848, CVE-2025-68121, CVE-2026-27143, CVE-2026-31789, CVE-2026-33845, CVE-2026-42010, CVE-2026-42496, CVE-2026-8376
• milvusdb/milvus:v2.6.5: 335 CVEs (Critical: 17, High: 42, Medium: 36, Low: 240)
  Critical CVEs: CVE-2021-46848, CVE-2024-3596, CVE-2024-37371, CVE-2025-68121, CVE-2026-27143, CVE-2026-31789, CVE-2026-33845, CVE-2026-42010, CVE-2026-42496, CVE-2026-8376
• minio/minio:RELEASE.2025-01-20T14-49-07Z: 232 CVEs (Critical: 4, High: 21, Medium: 23, Low: 184)
  Critical CVEs: CVE-2025-68121, CVE-2026-27143
• neo4j:5.26.16: 2904 CVEs (Critical: 17, High: 373, Medium: 1325, Low: 1189)
  Critical CVEs: CVE-2019-1010022, CVE-2019-8457, CVE-2023-45853, CVE-2026-23112, CVE-2026-2332, CVE-2026-33845, CVE-2026-42010, CVE-2026-42496, CVE-2026-42581, CVE-2026-42584, CVE-2026-8376

⚠️ Please review the CVE findings above and address critical/high severity issues before merging.

[bulwark-spectrocloud]

✅ CVE scan completed successfully.

Scan Summary:

• Total images scanned: 6
• Clean images: 1
• Images with CVEs: 5
• Total CVEs found: 1502

🔴 Critical CVEs: 41
🟠 High CVEs: 163
🟡 Medium CVEs: 322
🟢 Low CVEs: 976

Images with CVEs:

• arangodb:3.12.9.1: 125 CVEs (Critical: 2, High: 13, Medium: 10, Low: 100)
  Critical CVEs: CVE-2026-41176, CVE-2026-41179
• elasticsearch:8.17.9: 292 CVEs (Critical: 15, High: 32, Medium: 19, Low: 226)
  Critical CVEs: CVE-2025-66516, CVE-2026-31789, CVE-2026-33845, CVE-2026-42010, CVE-2026-42496, CVE-2026-42579, CVE-2026-42581, CVE-2026-42584, CVE-2026-8376
• milvusdb/etcd:3.5.25-r1: 381 CVEs (Critical: 14, High: 48, Medium: 50, Low: 269)
  Critical CVEs: CVE-2021-46848, CVE-2025-68121, CVE-2026-27143, CVE-2026-31789, CVE-2026-33845, CVE-2026-42010, CVE-2026-42496, CVE-2026-8376
• minio/minio:RELEASE.2025-09-07T16-13-09Z: 198 CVEs (Critical: 4, High: 22, Medium: 21, Low: 151)
  Critical CVEs: CVE-2025-68121, CVE-2026-27143
• neo4j:5.26.27: 506 CVEs (Critical: 6, High: 48, Medium: 222, Low: 230)
  Critical CVEs: CVE-2019-1010022, CVE-2026-42496, CVE-2026-8376

⚠️ Please review the CVE findings above and address critical/high severity issues before merging.

[bulwark-spectrocloud]

✅ CVE scan completed successfully.

Scan Summary:

• Total images scanned: 6
• Clean images: 1
• Images with CVEs: 5
• Total CVEs found: 1534

🔴 Critical CVEs: 41
🟠 High CVEs: 163
🟡 Medium CVEs: 321
🟢 Low CVEs: 1009

Images with CVEs:

• arangodb:3.12.9.1: 125 CVEs (Critical: 2, High: 13, Medium: 10, Low: 100)
  Critical CVEs: CVE-2026-41176, CVE-2026-41179
• elasticsearch:8.17.9: 292 CVEs (Critical: 15, High: 32, Medium: 18, Low: 227)
  Critical CVEs: CVE-2025-66516, CVE-2026-31789, CVE-2026-33845, CVE-2026-42010, CVE-2026-42496, CVE-2026-42579, CVE-2026-42581, CVE-2026-42584, CVE-2026-8376
• milvusdb/etcd:3.5.23-r2: 413 CVEs (Critical: 14, High: 48, Medium: 50, Low: 301)
  Critical CVEs: CVE-2021-46848, CVE-2025-68121, CVE-2026-27143, CVE-2026-31789, CVE-2026-33845, CVE-2026-42010, CVE-2026-42496, CVE-2026-8376
• minio/minio:RELEASE.2025-09-07T16-13-09Z: 198 CVEs (Critical: 4, High: 22, Medium: 21, Low: 151)
  Critical CVEs: CVE-2025-68121, CVE-2026-27143
• neo4j:5.26.27: 506 CVEs (Critical: 6, High: 48, Medium: 222, Low: 230)
  Critical CVEs: CVE-2019-1010022, CVE-2026-42496, CVE-2026-8376

⚠️ Please review the CVE findings above and address critical/high severity issues before merging.

[bulwark-spectrocloud]

✅ CVE scan completed successfully.

Scan Summary:

• Total images scanned: 6
• Clean images: 1
• Images with CVEs: 5
• Total CVEs found: 1502

🔴 Critical CVEs: 41
🟠 High CVEs: 163
🟡 Medium CVEs: 322
🟢 Low CVEs: 976

Images with CVEs:

• arangodb:3.12.9.1: 125 CVEs (Critical: 2, High: 13, Medium: 10, Low: 100)
  Critical CVEs: CVE-2026-41176, CVE-2026-41179
• elasticsearch:8.17.9: 292 CVEs (Critical: 15, High: 32, Medium: 19, Low: 226)
  Critical CVEs: CVE-2025-66516, CVE-2026-31789, CVE-2026-33845, CVE-2026-42010, CVE-2026-42496, CVE-2026-42579, CVE-2026-42581, CVE-2026-42584, CVE-2026-8376
• milvusdb/etcd:3.5.25-r1: 381 CVEs (Critical: 14, High: 48, Medium: 50, Low: 269)
  Critical CVEs: CVE-2021-46848, CVE-2025-68121, CVE-2026-27143, CVE-2026-31789, CVE-2026-33845, CVE-2026-42010, CVE-2026-42496, CVE-2026-8376
• minio/minio:RELEASE.2025-09-07T16-13-09Z: 198 CVEs (Critical: 4, High: 22, Medium: 21, Low: 151)
  Critical CVEs: CVE-2025-68121, CVE-2026-27143
• neo4j:5.26.27: 506 CVEs (Critical: 6, High: 48, Medium: 222, Low: 230)
  Critical CVEs: CVE-2019-1010022, CVE-2026-42496, CVE-2026-8376

⚠️ Please review the CVE findings above and address critical/high severity issues before merging.

[bulwark-spectrocloud]

✅ CVE scan completed successfully.

Scan Summary:

• Total images scanned: 6
• Clean images: 1
• Images with CVEs: 5
• Total CVEs found: 1502

🔴 Critical CVEs: 41
🟠 High CVEs: 163
🟡 Medium CVEs: 322
🟢 Low CVEs: 976

Images with CVEs:

• arangodb:3.12.9.1: 125 CVEs (Critical: 2, High: 13, Medium: 10, Low: 100)
  Critical CVEs: CVE-2026-41176, CVE-2026-41179
• elasticsearch:8.17.9: 292 CVEs (Critical: 15, High: 32, Medium: 19, Low: 226)
  Critical CVEs: CVE-2025-66516, CVE-2026-31789, CVE-2026-33845, CVE-2026-42010, CVE-2026-42496, CVE-2026-42579, CVE-2026-42581, CVE-2026-42584, CVE-2026-8376
• milvusdb/etcd:3.5.25-r1: 381 CVEs (Critical: 14, High: 48, Medium: 50, Low: 269)
  Critical CVEs: CVE-2021-46848, CVE-2025-68121, CVE-2026-27143, CVE-2026-31789, CVE-2026-33845, CVE-2026-42010, CVE-2026-42496, CVE-2026-8376
• minio/minio:RELEASE.2025-09-07T16-13-09Z: 198 CVEs (Critical: 4, High: 22, Medium: 21, Low: 151)
  Critical CVEs: CVE-2025-68121, CVE-2026-27143
• neo4j:5.26.27: 506 CVEs (Critical: 6, High: 48, Medium: 222, Low: 230)
  Critical CVEs: CVE-2019-1010022, CVE-2026-42496, CVE-2026-8376

⚠️ Please review the CVE findings above and address critical/high severity issues before merging.

[blik616287]

Re: the pax-combined secret-scan CHANGES_REQUESTED on milvusdb/milvus:v2.6.5 (AsymmetricPrivateKey in /milvus/configs/cert/{ca,client,server}.key):

This is a false positive. Those are Milvus's bundled public sample TLS certificates — the example keys published in the Milvus repo under configs/cert/ for its TLS tutorial, baked into the upstream image. They are not real credentials and are not pack-controlled.

Resolution (current head): milvusdb/milvus is removed from pack.content.images. It still deploys via the nvidia-vss-data-infrastructure Helm chart, so runtime and air-gap image collection (which enumerates chart images) are unaffected. The latest pax-combined run on the current commit is clean — 6 images scanned, 0 secrets.

The CHANGES_REQUESTED review is from an earlier commit that still listed milvus in content.images. Could it be dismissed / re-evaluated against the current head? Happy to instead keep milvus listed and have the three sample-cert fingerprints allow-listed if you prefer it explicit for air-gap.

[bulwark-spectrocloud]

✅ CVE scan completed successfully.

Scan Summary:

• Total images scanned: 6
• Clean images: 1
• Images with CVEs: 5
• Total CVEs found: 1502

🔴 Critical CVEs: 41
🟠 High CVEs: 164
🟡 Medium CVEs: 324
🟢 Low CVEs: 973

Images with CVEs:

• arangodb:3.12.9.1: 125 CVEs (Critical: 2, High: 13, Medium: 10, Low: 100)
  Critical CVEs: CVE-2026-41176, CVE-2026-41179
• elasticsearch:8.17.9: 292 CVEs (Critical: 15, High: 33, Medium: 19, Low: 225)
  Critical CVEs: CVE-2025-66516, CVE-2026-31789, CVE-2026-33845, CVE-2026-42010, CVE-2026-42496, CVE-2026-42579, CVE-2026-42581, CVE-2026-42584, CVE-2026-8376
• milvusdb/etcd:3.5.25-r1: 381 CVEs (Critical: 14, High: 48, Medium: 50, Low: 269)
  Critical CVEs: CVE-2021-46848, CVE-2025-68121, CVE-2026-27143, CVE-2026-31789, CVE-2026-33845, CVE-2026-42010, CVE-2026-42496, CVE-2026-8376
• minio/minio:RELEASE.2025-09-07T16-13-09Z: 198 CVEs (Critical: 4, High: 22, Medium: 21, Low: 151)
  Critical CVEs: CVE-2025-68121, CVE-2026-27143
• neo4j:5.26.27: 506 CVEs (Critical: 6, High: 48, Medium: 224, Low: 228)
  Critical CVEs: CVE-2019-1010022, CVE-2026-42496, CVE-2026-8376

⚠️ Please review the CVE findings above and address critical/high severity issues before merging.

[blik616287]

Requesting maintainer dismissal of stale CHANGES_REQUESTED review (review #4481321629).

The bulwark secret scan flagged AsymmetricPrivateKey fingerprints in milvusdb/milvus:v2.6.5 — those are Milvus's bundled public sample TLS certs baked into the upstream image (false positive, not pack-controlled secrets). This was addressed in commit 1bbcd76 by removing milvusdb/milvus from pack.content.images; the image still deploys via the Helm chart and is enumerable for air-gap via chart image discovery.

The branch has now been updated with the latest main (commit 6f87ec9). The most recent bulwark scan on the current head is clean — 0 secrets found. Could a maintainer please dismiss the stale review so this PR can proceed?

[bulwark-spectrocloud]

✅ CVE scan completed successfully.

Scan Summary:

• Total images scanned: 6
• Clean images: 1
• Images with CVEs: 5
• Total CVEs found: 1517

🔴 Critical CVEs: 41
🟠 High CVEs: 166
🟡 Medium CVEs: 323
🟢 Low CVEs: 987

Images with CVEs:

• arangodb:3.12.9.1: 125 CVEs (Critical: 2, High: 14, Medium: 10, Low: 99)
  Critical CVEs: CVE-2026-41176, CVE-2026-41179
• elasticsearch:8.17.9: 297 CVEs (Critical: 15, High: 32, Medium: 18, Low: 232)
  Critical CVEs: CVE-2025-66516, CVE-2026-31789, CVE-2026-33845, CVE-2026-42010, CVE-2026-42496, CVE-2026-42579, CVE-2026-42581, CVE-2026-42584, CVE-2026-8376
• milvusdb/etcd:3.5.25-r1: 385 CVEs (Critical: 14, High: 48, Medium: 50, Low: 273)
  Critical CVEs: CVE-2021-46848, CVE-2025-68121, CVE-2026-27143, CVE-2026-31789, CVE-2026-33845, CVE-2026-42010, CVE-2026-42496, CVE-2026-8376
• minio/minio:RELEASE.2025-09-07T16-13-09Z: 198 CVEs (Critical: 4, High: 22, Medium: 21, Low: 151)
  Critical CVEs: CVE-2025-68121, CVE-2026-27143
• neo4j:5.26.27: 512 CVEs (Critical: 6, High: 50, Medium: 224, Low: 232)
  Critical CVEs: CVE-2019-1010022, CVE-2026-42496, CVE-2026-8376

⚠️ Please review the CVE findings above and address critical/high severity issues before merging.