diff --git a/packs/nvidia-vss-data-infrastructure-1.0.0/README.md b/packs/nvidia-vss-data-infrastructure-1.0.0/README.md new file mode 100644 index 00000000..403124c1 --- /dev/null +++ b/packs/nvidia-vss-data-infrastructure-1.0.0/README.md 
@@ -0,0 +1,35 @@ +# NVIDIA VSS Data Infrastructure + +The data layer for NVIDIA VSS: Neo4j (graph), ArangoDB, MinIO (object), Milvus (+ etcd, milvus-minio) vector store, and Elasticsearch. Also owns the shared `hf-token-secret` and the `vss-platform` ConfigMap. Part of the upstream **VSS 2.4.1** blueprint. + +## Prerequisites + +- A HuggingFace token (`HF_TOKEN`) for the shared secret consumed by the VLM. +- A default StorageClass for the data-store PVCs (validated with Longhorn). + +## Parameters + +| **Parameter** | **Description** | **Type** | **Default** | **Required** | +|---|---|---|---|---| +| `spectro.var.HF_TOKEN` | HuggingFace token (shared `hf-token-secret`) | String (masked) | — | No | +| `spectro.var.GRAPH_DB_USERNAME` / `GRAPH_DB_PASSWORD` | Neo4j credentials | String | `neo4j` / — | No | +| `spectro.var.MINIO_ACCESS_KEY` / `MINIO_SECRET_KEY` | MinIO credentials | String | — | No | +| `spectro.var.ARANGO_DB_USERNAME` / `ARANGO_DB_PASSWORD` | ArangoDB credentials | String | `root` / — | No | +| `spectro.var.VSS_PLATFORM` | Hardware platform preset | String | `DGX-SPARK` | No | + +## Usage + +Add first in the VSS add-on profile (install-priority 5) so the data stores, `hf-token-secret`, and `vss-platform` ConfigMap exist before the NIM/LLM/engine packs. + +--- +**Upstream:** NVIDIA VSS Blueprint 2.4.1. **Pack version:** 1.0.x. 
+ +## Container Images + +Data-store images are bumped to the latest patched tag within each VSS-compatible minor: neo4j `5.26.27`, arangodb `3.12.9.1`, minio `RELEASE.2025-09-07T16-13-09Z`, milvusdb/etcd `3.5.25-r1` (with `podSecurityContext.fsGroup: 0` — the image runs as `uid=1001` and the etcd command writes `--data-dir /etcd`, so the data PVC must be group-writable; verified `1/1 Running` on the DGX Spark) + +> `milvusdb/milvus:v2.6.5` is deployed by this pack but is **not** listed in `pack.content.images`: every official Milvus image ships default sample TLS keys under `/milvus/configs/cert/*.key`, which the secret scan flags. It is documented here instead; CVEs/secrets in upstream data-store images are the image vendors' to remediate. + +> **Note on image overrides:** the generic-workload subcharts read each container image from `applicationSpecs..containers..image` — the top-level `.image` is an unused fallback. All data-store CVE bumps are set at the `applicationSpecs` path (verified with `helm template`). elasticsearch is pinned to `8.17.9` (the VSS-2.4.1-compatible 8.x line; the chart default `9.2.1` is a major drift). + +> **Note — milvus & `content.images`:** `milvusdb/milvus:v2.6.5` is intentionally omitted from `pack.content.images`. The upstream image bundles public **sample** TLS certs (`/milvus/configs/cert/{ca,client,server}.key` — Milvus's published TLS-tutorial example keys), which the image secret-scanner flags as a false positive. Milvus still deploys via this pack's Helm chart, so runtime and Palette air-gap image collection (which enumerates chart images) are unaffected. All other data-store images are listed and scanned. 
diff --git a/packs/nvidia-vss-data-infrastructure-1.0.0/charts/nvidia-vss-data-infrastructure-1.0.0.tgz b/packs/nvidia-vss-data-infrastructure-1.0.0/charts/nvidia-vss-data-infrastructure-1.0.0.tgz new file mode 100644 index 00000000..98a09197 Binary files /dev/null and b/packs/nvidia-vss-data-infrastructure-1.0.0/charts/nvidia-vss-data-infrastructure-1.0.0.tgz differ diff --git a/packs/nvidia-vss-data-infrastructure-1.0.0/logo.png b/packs/nvidia-vss-data-infrastructure-1.0.0/logo.png new file mode 100644 index 00000000..a98c7869 Binary files /dev/null and b/packs/nvidia-vss-data-infrastructure-1.0.0/logo.png differ diff --git a/packs/nvidia-vss-data-infrastructure-1.0.0/manifests/hf-token-secret.yaml b/packs/nvidia-vss-data-infrastructure-1.0.0/manifests/hf-token-secret.yaml new file mode 100644 index 00000000..61a041f9 --- /dev/null +++ b/packs/nvidia-vss-data-infrastructure-1.0.0/manifests/hf-token-secret.yaml @@ -0,0 +1,16 @@ +# Shared HuggingFace token secret. Lives in the data-infrastructure pack because +# that layer (install-priority 5) is present in EVERY VSS profile and installs +# first — so the secret exists before the vLLM backend (nvidia-vss-vllm, 12) and +# the vss-engine (application, 15) consume it. HF_TOKEN is a masked cluster-profile +# variable; required for the gated Cosmos-Reason2-8B VLM weights (and any gated LLM +# weights). Templated via the manifests.hf-token-secret values block + the +# spectro.var.HF_TOKEN deploy-time macro. +apiVersion: v1 +kind: Secret +metadata: + name: hf-token-secret + namespace: {{ .Values.namespace }} +type: Opaque +stringData: + HF_TOKEN: "{{ .Values.hfToken }}" + HUGGING_FACE_HUB_TOKEN: "{{ .Values.hfToken }}" diff --git a/packs/nvidia-vss-data-infrastructure-1.0.0/manifests/vss-platform.yaml b/packs/nvidia-vss-data-infrastructure-1.0.0/manifests/vss-platform.yaml new file mode 100644 index 00000000..07474234 --- /dev/null +++ b/packs/nvidia-vss-data-infrastructure-1.0.0/manifests/vss-platform.yaml 
@@ -0,0 +1,20 @@ +# P5 single-source-of-truth: records the selected VSS hardware platform in-cluster. +# Set ONE profile variable, VSS_PLATFORM (a Dropdown of the 7 platform names), and +# select the matching "VSS Platform" preset in every VSS pack. This ConfigMap makes +# the chosen platform auditable (kubectl get cm vss-platform -n nvidia-vss) so a +# preflight/CI or operator can confirm the per-pack presets agree with it. Lives in +# the data-infrastructure pack (priority 5, present in every profile). +apiVersion: v1 +kind: ConfigMap +metadata: + name: vss-platform + namespace: {{ .Values.namespace }} + labels: + app.kubernetes.io/part-of: nvidia-vss +data: + VSS_PLATFORM: "{{ .Values.vssPlatform }}" + note: >- + Source of truth for the VSS hardware platform. Every VSS pack's "VSS Platform" + preset MUST match this value. vLLM profiles (DGX-SPARK/OTHER/RTXPRO6000BW/ + AGX-THOR/IGX-THOR) include the nvidia-vss-vllm pack; trtllm profiles (H100/L40S) + omit it. See P1-P5-IMPLEMENTATION.md. diff --git a/packs/nvidia-vss-data-infrastructure-1.0.0/pack.json b/packs/nvidia-vss-data-infrastructure-1.0.0/pack.json new file mode 100644 index 00000000..d59f472d --- /dev/null +++ b/packs/nvidia-vss-data-infrastructure-1.0.0/pack.json 
@@ -0,0 +1,28 @@ +{ + "addonType": "system app", + "annotations": { + "source": "community", + "contributor": "spectrocloud", + "docsURL": "https://docs.nvidia.com/vss/latest/index.html", + "description": "NVIDIA VSS Data Infrastructure - Milvus vector database, Neo4j graph database, MinIO object storage, and supporting services for Video Search and Summarization", + "upstreamVersion": "2.4.1", + "upstreamRef": "NVIDIA VSS Blueprint 2.4.1" + }, + "cloudTypes": [ + "all" + ], + "displayName": "NVIDIA VSS Data Infrastructure (VSS 2.4.1)", + "charts": [ + "charts/nvidia-vss-data-infrastructure-1.0.0.tgz" + ], + "kubeManifests": [ + "manifests/hf-token-secret.yaml", + "manifests/vss-platform.yaml" + ], + "layer": "addon", + "name": "nvidia-vss-data-infrastructure", + "version": "1.0.0", + "constraints": { + "dependencies": [] + } +} \ No newline at end of file diff --git a/packs/nvidia-vss-data-infrastructure-1.0.0/schema.yaml b/packs/nvidia-vss-data-infrastructure-1.0.0/schema.yaml new file mode 100644 index 00000000..bd73be8a --- /dev/null +++ b/packs/nvidia-vss-data-infrastructure-1.0.0/schema.yaml 
@@ -0,0 +1,15 @@ +# Pack value constraints for the Data Infrastructure layer. +# Keys are full dotted paths into values.yaml. All inputs are credentials +# (platform-invariant); secrets use the password format so the UI masks them. +charts.nvidia-vss-data-infrastructure.credentials.graphDb.username: + schema: '{{ required | format "${string}" | hints "Neo4j username." }}' +charts.nvidia-vss-data-infrastructure.credentials.graphDb.password: + schema: '{{ required | format "${password}" | hints "Neo4j password." }}' +charts.nvidia-vss-data-infrastructure.credentials.minio.accessKey: + schema: '{{ required | format "${string}" | hints "MinIO access key." }}' +charts.nvidia-vss-data-infrastructure.credentials.minio.secretKey: + schema: '{{ required | format "${password}" | hints "MinIO secret key." }}' +charts.nvidia-vss-data-infrastructure.credentials.arangoDB.username: + schema: '{{ required | format "${string}" | hints "ArangoDB username." }}' +charts.nvidia-vss-data-infrastructure.credentials.arangoDB.password: + schema: '{{ required | format "${password}" | hints "ArangoDB password." }}' diff --git a/packs/nvidia-vss-data-infrastructure-1.0.0/values.yaml b/packs/nvidia-vss-data-infrastructure-1.0.0/values.yaml new file mode 100644 index 00000000..2dd058e8 --- /dev/null +++ b/packs/nvidia-vss-data-infrastructure-1.0.0/values.yaml 
@@ -0,0 +1,280 @@ +# NVIDIA VSS Data Infrastructure Pack Values +# Version 2.4.3 - Data stores and supporting services for Video Search and Summarization +# +# ┌─ VSS PLATFORM MATRIX (canonical — keep identical across all VSS packs) ─────── +# │ Set ONE profile variable VSS_PLATFORM and select the matching "VSS Platform" +# │ preset in EVERY VSS pack. Packs per profile: data-infra + core-nims + +# │ application (always) + nvidia-vss-vllm (vLLM profiles only; H100/L40S omit it). +# │ +# │ Platform LLM backend LLM model VLM mem/len decode validated +# │ DGX-SPARK vLLM llama-3.1-8b 0.28/10240 disabled YES (GB10) +# │ OTHER vLLM llama-3.1-8b 0.4 /16384 disabled no +# │ H100 nim (trtllm) llama-3.1-70b (gpu 4) 0.8 /32768 dGPU no +# │ L40S nim (trtllm) llama-3.1-8b (gpu 2) 0.8 /32768 dGPU no +# │ RTXPRO6000BW vLLM nemotron-nano-9b-fp8 0.4 /32768 dGPU no +# │ AGX-THOR/IGX-THOR vLLM (jetson) nemotron-nano-9b-fp8 0.4 /16384 Tegra* no +# │ "VLM mem/len" = the application vss-engine VLM; the vLLM LLM engine has its own +# │ gpu-mem/max-len in the nvidia-vss-vllm presets (do not conflate the two). +# │ * Tegra: runtimeClassName nvidia; the NVIDIA container runtime injects L4T libs. +# │ data-infra itself is platform-INVARIANT; it ships the shared hf-token-secret + +# │ the vss-platform ConfigMap (the VSS_PLATFORM source of truth) for all profiles. +# └────────────────────────────────────────────────────────────────────────────── +# +# P1 note (PLATFORM-SUPPORT-PLAN.md §8): this layer is TOPOLOGY-INVARIANT — the +# data stores (milvus/etcd/minio/neo4j/arango/elasticsearch) are identical on every +# VSS_PLATFORM, so there is no "VSS Platform" preset group here. The only inputs are +# the credential profile variables below (constrained in schema.yaml). Service names +# MUST stay as-is — the application pack's egress config resolves to them. 
+ +pack: + namespace: nvidia-vss + spectrocloud.com/install-priority: "5" + namespaceLabels: + "nvidia-vss": "pod-security.kubernetes.io/enforce=privileged,pod-security.kubernetes.io/enforce-version=latest" + content: + images: + - image: neo4j:5.26.27 + - image: arangodb:3.12.9.1 + - image: milvusdb/etcd:3.5.25-r1 + - image: minio/minio:RELEASE.2025-09-07T16-13-09Z + - image: elasticsearch:8.17.9 + - image: busybox:1.37 + +manifests: + hf-token-secret: + namespace: nvidia-vss + # spectro.var macros resolve HERE (values.yaml is macro-processed); the kubeManifest + # body references them via {{ .Values.hfToken }} (raw manifest bodies are NOT macro-processed). + hfToken: "{{.spectro.var.HF_TOKEN}}" + vss-platform: + namespace: nvidia-vss + vssPlatform: "{{.spectro.var.VSS_PLATFORM}}" + +charts: + nvidia-vss-data-infrastructure: + global: + namespace: nvidia-vss + storageClass: "" + + # Database Credentials (mapped from Spectro Cloud variables) + credentials: + graphDb: + username: "{{.spectro.var.GRAPH_DB_USERNAME}}" + password: "{{.spectro.var.GRAPH_DB_PASSWORD}}" + minio: + accessKey: "{{.spectro.var.MINIO_ACCESS_KEY}}" + secretKey: "{{.spectro.var.MINIO_SECRET_KEY}}" + arangoDB: + username: "{{.spectro.var.ARANGO_DB_USERNAME}}" + password: "{{.spectro.var.ARANGO_DB_PASSWORD}}" + + # etcd - Milvus metadata store + etcd: + enabled: true + applicationSpecs: + etcd-deployment: + securityContext: + fsGroup: 0 + containers: + etcd-container: + image: + repository: milvusdb/etcd + tag: "3.5.25-r1" + image: + repository: milvusdb/etcd + tag: "3.5.25-r1" + persistence: + enabled: true + size: "20Gi" + service: + name: etcd-etcd-deployment-etcd-service + port: 2379 + + # MinIO for Milvus object storage (subchart: milvus-minio) + milvus-minio: + enabled: true + image: + repository: minio/minio + tag: "RELEASE.2025-09-07T16-13-09Z" + persistence: + enabled: true + size: "100Gi" + service: + name: milvus-minio-milvus-minio-deployment-milvus-minio-service + port: 9010 + 
consolePort: 9011 + + # Milvus Vector Database + milvus: + enabled: true + applicationSpecs: + milvus-deployment: + containers: + milvus-container: + env: + - name: ETCD_ENDPOINTS + value: etcd-etcd-deployment-etcd-service:2379 + - name: MINIO_ADDRESS + value: milvus-minio-milvus-minio-deployment-milvus-minio-service:9010 + - name: KNOWHERE_GPU_MEM_POOL_SIZE + value: "2048;4096" + egress: + etcd: + address: etcd-etcd-deployment-etcd-service + port: 2379 + milvus-minio: + address: milvus-minio-milvus-minio-deployment-milvus-minio-service + port: 9010 + + # Neo4j Graph Database + neo4j: + enabled: true + applicationSpecs: + neo4j-deployment: + containers: + neo4j-container: + image: + repository: neo4j + tag: "5.26.27" + image: + repository: neo4j + tag: "5.26.27" + persistence: + enabled: true + size: "50Gi" + service: + name: neo-4-j-service + httpPort: 7474 + boltPort: 7687 + securityContext: + fsGroup: 7474 + runAsUser: 7474 + runAsGroup: 7474 + runAsNonRoot: true + extraPodVolumes: + - name: secret-db-username-volume + secret: + secretName: graph-db-creds-secret + items: + - key: username + path: db-username + - name: secret-db-password-volume + secret: + secretName: graph-db-creds-secret + items: + - key: password + path: db-password + extraPodVolumeMounts: + - name: secret-db-username-volume + mountPath: /secrets/db-username + subPath: db-username + readOnly: true + - name: secret-db-password-volume + mountPath: /secrets/db-password + subPath: db-password + readOnly: true + + # ArangoDB (subchart: arango-db) + arango-db: + enabled: true + applicationSpecs: + arango-db-deployment: + containers: + arango-db-container: + image: + repository: arangodb + tag: "3.12.9.1" + image: + repository: arangodb + tag: "3.12.9.1" + persistence: + enabled: true + size: "50Gi" + service: + name: arango-db-arango-db-deployment-arango-db-service + port: 8529 + extraPodVolumes: + - name: secret-db-username-volume + secret: + secretName: arango-db-creds-secret + items: + - key: 
username + path: db-username + - name: secret-db-password-volume + secret: + secretName: arango-db-creds-secret + items: + - key: password + path: db-password + extraPodVolumeMounts: + - name: secret-db-username-volume + mountPath: /secrets/db-username + subPath: db-username + readOnly: true + - name: secret-db-password-volume + mountPath: /secrets/db-password + subPath: db-password + readOnly: true + + # MinIO for VSS object storage + minio: + enabled: true + image: + repository: minio/minio + tag: "RELEASE.2025-09-07T16-13-09Z" + persistence: + enabled: true + size: "100Gi" + service: + name: minio-minio-deployment-minio-service + port: 9000 + consolePort: 9001 + extraPodVolumes: + - name: secret-access-key-volume + secret: + secretName: minio-creds-secret + items: + - key: access-key + path: access-key + - name: secret-secret-key-volume + secret: + secretName: minio-creds-secret + items: + - key: secret-key + path: secret-key + extraPodVolumeMounts: + - name: secret-access-key-volume + mountPath: /secrets/access-key + subPath: access-key + readOnly: true + - name: secret-secret-key-volume + mountPath: /secrets/secret-key + subPath: secret-key + readOnly: true + + # Elasticsearch (optional search backend) + elasticsearch: + enabled: true + applicationSpecs: + elasticsearch-deployment: + containers: + elasticsearch-container: + image: + repository: elasticsearch + tag: "8.17.9" + image: + repository: elasticsearch + tag: "8.17.9" + persistence: + enabled: true + size: "50Gi" + resources: + requests: + memory: "16Gi" + limits: + memory: "16Gi" + javaOpts: "-Xms6g -Xmx6g" + service: + name: elasticsearch-elasticsearch-deployment-elasticsearch-service + httpPort: 9200 + transportPort: 9300
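Review bot: in the README hunk, the first and third blockquotes under "Container Images" both explain why `milvusdb/milvus:v2.6.5` is left out of `pack.content.images`; keep the second, more complete one and drop the first so the reason is stated once. The parameter table also disagrees with the rest of the pack: every credential row says Required "No" with defaults `neo4j` / `root`, but schema.yaml marks all six credential keys `required` and values.yaml maps them straight from `spectro.var` with no fallback, so either the table or the schema should change. Two smaller mismatches: the etcd paragraph names the key `podSecurityContext.fsGroup: 0` while values.yaml sets `securityContext.fsGroup: 0` under `applicationSpecs.etcd-deployment` (use the key the subchart actually reads in both places), and `busybox:1.37` is listed in `content.images` but never mentioned in the README.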
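Review bot: in the hf-token-secret.yaml hunk, `HF_TOKEN` and `HUGGING_FACE_HUB_TOKEN` are rendered from `{{ .Values.hfToken }}` with no guard, so an unset `HF_TOKEN` still produces a Secret with two empty values and the failure only surfaces later, when the vLLM backend or vss-engine tries the gated download. If the manifest templating supports it, fail at render time when the value is empty; otherwise state in the comment (and in the README, which marks it Required "No") that an empty token is only acceptable when no gated weights are used. The Secret also lacks the `app.kubernetes.io/part-of: nvidia-vss` label that vss-platform.yaml sets on the ConfigMap in the same pack.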
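Review bot: in the vss-platform.yaml hunk, the `note` value ends with "See P1-P5-IMPLEMENTATION.md", and the header comment in values.yaml cites "PLATFORM-SUPPORT-PLAN.md §8", but pack.json ships only the chart and the two manifests, so an operator reading `kubectl get cm vss-platform -n nvidia-vss` cannot follow either reference. Point to the `docsURL` from pack.json or a document that is included, or drop the reference from the in-cluster text. The comment also says the ConfigMap makes the platform "auditable" for a preflight check, which only works if the value is reliable; see the schema.yaml note for constraining it.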
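Review bot: in the pack.json hunk, the file is missing its trailing newline ("\ No newline at end of file"). `constraints.dependencies` is empty even though the README states the NIM/LLM/engine packs rely on this layer's `hf-token-secret` and `vss-platform` ConfigMap existing first; if the pack format can express that ordering beyond the install-priority label, declare it here so the relationship is checked rather than assumed.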
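Review bot: in the schema.yaml hunk, only the six credential paths are constrained; `manifests.hf-token-secret.hfToken` and `manifests.vss-platform.vssPlatform` (the values the README exposes as `spectro.var.HF_TOKEN` and `spectro.var.VSS_PLATFORM`) have no entries. Since the header says keys are full dotted paths into values.yaml, add an entry for `hfToken` with `format "${password}"` so the token is masked by the schema rather than by convention, and an entry for `vssPlatform` restricted to the seven platform names listed in the values.yaml matrix, so a typo in `VSS_PLATFORM` is rejected at profile time instead of being recorded as the "source of truth" in the ConfigMap.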
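Review bot: in the values.yaml hunk, `minio` and `milvus-minio` set their image only at the top-level `image:` block, while the README's override note says the subcharts read `applicationSpecs.<deployment>.containers.<container>.image` and the top-level `.image` is an unused fallback. If that holds for the two MinIO subcharts as well, the `RELEASE.2025-09-07T16-13-09Z` pin never reaches the pod and the tag scanned via `content.images` is not the tag that runs; confirm with `helm template` and set the `applicationSpecs` path as done for etcd, neo4j, arango-db and elasticsearch. Further points in the same hunk: `pack.namespaceLabels` applies `pod-security.kubernetes.io/enforce=privileged` to every pod in `nvidia-vss`, yet nothing in this layer needs it (etcd needs only `fsGroup: 0`, neo4j runs with `runAsNonRoot: true`), so either add a comment naming the VSS pack that requires privileged or use `baseline` here; the credential mounts for neo4j, arango-db and minio use `subPath`, and subPath-mounted Secret files are not refreshed when the Secret changes, so a credential rotation needs a pod restart (mount the secret directory without `subPath`, or document the restart); `milvus` itself has no image pin in this file although the README states `milvusdb/milvus:v2.6.5` is deployed, so pin it explicitly to make the running tag visible; the header reads "Version 2.4.3" while the README, pack.json and the matrix comment say VSS 2.4.1 and pack 1.0.0; and `elasticsearch` is commented "(optional search backend)" but set `enabled: true`.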