spectrocloud · blik616287 · Jun 11, 2026 · Jun 12, 2026 · Jun 15, 2026
diff --git a/packs/nvidia-vss-data-infrastructure-1.0.0/README.md b/packs/nvidia-vss-data-infrastructure-1.0.0/README.md
@@ -0,0 +1,35 @@
+# NVIDIA VSS Data Infrastructure
+
+The data layer for NVIDIA VSS: Neo4j (graph), ArangoDB, MinIO (object), Milvus (+ etcd, milvus-minio) vector store, and Elasticsearch. Also owns the shared `hf-token-secret` and the `vss-platform` ConfigMap. Part of the upstream **VSS 2.4.1** blueprint.
+
+## Prerequisites
+
+- A HuggingFace token (`HF_TOKEN`) for the shared secret consumed by the VLM.
+- A default StorageClass for the data-store PVCs (validated with Longhorn).
+
+## Parameters
+
+| **Parameter** | **Description** | **Type** | **Default** | **Required** |
+|---|---|---|---|---|
+| `spectro.var.HF_TOKEN` | HuggingFace token (shared `hf-token-secret`) | String (masked) | — | No |
+| `spectro.var.GRAPH_DB_USERNAME` / `GRAPH_DB_PASSWORD` | Neo4j credentials | String | `neo4j` / — | No |
+| `spectro.var.MINIO_ACCESS_KEY` / `MINIO_SECRET_KEY` | MinIO credentials | String | — | No |
+| `spectro.var.ARANGO_DB_USERNAME` / `ARANGO_DB_PASSWORD` | ArangoDB credentials | String | `root` / — | No |
+| `spectro.var.VSS_PLATFORM` | Hardware platform preset | String | `DGX-SPARK` | No |
+
+## Usage
+
+Add first in the VSS add-on profile (install-priority 5) so the data stores, `hf-token-secret`, and `vss-platform` ConfigMap exist before the NIM/LLM/engine packs.
+
+---
+**Upstream:** NVIDIA VSS Blueprint 2.4.1. **Pack version:** 1.0.x.
+
+## Container Images
+
+Data-store images are bumped to the latest patched tag within each VSS-compatible minor: neo4j `5.26.27`, arangodb `3.12.9.1`, minio `RELEASE.2025-09-07T16-13-09Z`, milvusdb/etcd `3.5.25-r1` (with `podSecurityContext.fsGroup: 0` — the image runs as `uid=1001` and the etcd command writes `--data-dir /etcd`, so the data PVC must be group-writable; verified `1/1 Running` on the DGX Spark)
+
+> `milvusdb/milvus:v2.6.5` is deployed by this pack but is **not** listed in `pack.content.images`: every official Milvus image ships default sample TLS keys under `/milvus/configs/cert/*.key`, which the secret scan flags. It is documented here instead; CVEs/secrets in upstream data-store images are the image vendors' to remediate.
+
+> **Note on image overrides:** the generic-workload subcharts read each container image from `applicationSpecs.<workload>.containers.<container>.image` — the top-level `<subchart>.image` is an unused fallback. All data-store CVE bumps are set at the `applicationSpecs` path (verified with `helm template`). elasticsearch is pinned to `8.17.9` (the VSS-2.4.1-compatible 8.x line; the chart default `9.2.1` is a major drift).
+
+> **Note — milvus & `content.images`:** `milvusdb/milvus:v2.6.5` is intentionally omitted from `pack.content.images`. The upstream image bundles public **sample** TLS certs (`/milvus/configs/cert/{ca,client,server}.key` — Milvus's published TLS-tutorial example keys), which the image secret-scanner flags as a false positive. Milvus still deploys via this pack's Helm chart, so runtime and Palette air-gap image collection (which enumerates chart images) are unaffected. All other data-store images are listed and scanned.
diff --git a/packs/nvidia-vss-data-infrastructure-1.0.0/charts/nvidia-vss-data-infrastructure-1.0.0.tgz b/packs/nvidia-vss-data-infrastructure-1.0.0/charts/nvidia-vss-data-infrastructure-1.0.0.tgz
diff --git a/packs/nvidia-vss-data-infrastructure-1.0.0/logo.png b/packs/nvidia-vss-data-infrastructure-1.0.0/logo.png
diff --git a/packs/nvidia-vss-data-infrastructure-1.0.0/manifests/hf-token-secret.yaml b/packs/nvidia-vss-data-infrastructure-1.0.0/manifests/hf-token-secret.yaml
@@ -0,0 +1,16 @@
+# Shared HuggingFace token secret. Lives in the data-infrastructure pack because
+# that layer (install-priority 5) is present in EVERY VSS profile and installs
+# first — so the secret exists before the vLLM backend (nvidia-vss-vllm, 12) and
+# the vss-engine (application, 15) consume it. HF_TOKEN is a masked cluster-profile
+# variable; required for the gated Cosmos-Reason2-8B VLM weights (and any gated LLM
+# weights). Templated via the manifests.hf-token-secret values block + the
+# spectro.var.HF_TOKEN deploy-time macro.
+apiVersion: v1
+kind: Secret
+metadata:
+  name: hf-token-secret
+  namespace: {{ .Values.namespace }}
+type: Opaque
+stringData:
+  HF_TOKEN: "{{ .Values.hfToken }}"
+  HUGGING_FACE_HUB_TOKEN: "{{ .Values.hfToken }}"
diff --git a/packs/nvidia-vss-data-infrastructure-1.0.0/manifests/vss-platform.yaml b/packs/nvidia-vss-data-infrastructure-1.0.0/manifests/vss-platform.yaml
@@ -0,0 +1,20 @@
+# P5 single-source-of-truth: records the selected VSS hardware platform in-cluster.
+# Set ONE profile variable, VSS_PLATFORM (a Dropdown of the 7 platform names), and
+# select the matching "VSS Platform" preset in every VSS pack. This ConfigMap makes
+# the chosen platform auditable (kubectl get cm vss-platform -n nvidia-vss) so a
+# preflight/CI or operator can confirm the per-pack presets agree with it. Lives in
+# the data-infrastructure pack (priority 5, present in every profile).
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: vss-platform
+  namespace: {{ .Values.namespace }}
+  labels:
+    app.kubernetes.io/part-of: nvidia-vss
+data:
+  VSS_PLATFORM: "{{ .Values.vssPlatform }}"
+  note: >-
+    Source of truth for the VSS hardware platform. Every VSS pack's "VSS Platform"
+    preset MUST match this value. vLLM profiles (DGX-SPARK/OTHER/RTXPRO6000BW/
+    AGX-THOR/IGX-THOR) include the nvidia-vss-vllm pack; trtllm profiles (H100/L40S)
+    omit it. See P1-P5-IMPLEMENTATION.md.
diff --git a/packs/nvidia-vss-data-infrastructure-1.0.0/pack.json b/packs/nvidia-vss-data-infrastructure-1.0.0/pack.json
@@ -0,0 +1,28 @@
+{
+  "addonType": "system app",
+  "annotations": {
+    "source": "community",
+    "contributor": "spectrocloud",
+    "docsURL": "https://docs.nvidia.com/vss/latest/index.html",
+    "description": "NVIDIA VSS Data Infrastructure - Milvus vector database, Neo4j graph database, MinIO object storage, and supporting services for Video Search and Summarization",
+    "upstreamVersion": "2.4.1",
+    "upstreamRef": "NVIDIA VSS Blueprint 2.4.1"
+  },
+  "cloudTypes": [
+    "all"
+  ],
+  "displayName": "NVIDIA VSS Data Infrastructure (VSS 2.4.1)",
+  "charts": [
+    "charts/nvidia-vss-data-infrastructure-1.0.0.tgz"
+  ],
+  "kubeManifests": [
+    "manifests/hf-token-secret.yaml",
+    "manifests/vss-platform.yaml"
+  ],
+  "layer": "addon",
+  "name": "nvidia-vss-data-infrastructure",
+  "version": "1.0.0",
+  "constraints": {
+    "dependencies": []
+  }
+}
diff --git a/packs/nvidia-vss-data-infrastructure-1.0.0/schema.yaml b/packs/nvidia-vss-data-infrastructure-1.0.0/schema.yaml
@@ -0,0 +1,15 @@
+# Pack value constraints for the Data Infrastructure layer.
+# Keys are full dotted paths into values.yaml. All inputs are credentials
+# (platform-invariant); secrets use the password format so the UI masks them.
+charts.nvidia-vss-data-infrastructure.credentials.graphDb.username:
+  schema: '{{ required | format "${string}" | hints "Neo4j username." }}'
+charts.nvidia-vss-data-infrastructure.credentials.graphDb.password:
+  schema: '{{ required | format "${password}" | hints "Neo4j password." }}'
+charts.nvidia-vss-data-infrastructure.credentials.minio.accessKey:
+  schema: '{{ required | format "${string}" | hints "MinIO access key." }}'
+charts.nvidia-vss-data-infrastructure.credentials.minio.secretKey:
+  schema: '{{ required | format "${password}" | hints "MinIO secret key." }}'
+charts.nvidia-vss-data-infrastructure.credentials.arangoDB.username:
+  schema: '{{ required | format "${string}" | hints "ArangoDB username." }}'
+charts.nvidia-vss-data-infrastructure.credentials.arangoDB.password:
+  schema: '{{ required | format "${password}" | hints "ArangoDB password." }}'