Add nvidia-vss-vllm 1.0.0 (NVIDIA VSS Blueprint 2.4.1)

[blik616287]

nvidia-vss-vllm — upstream VSS 2.4.1, pack 1.0.0

The VSS bounded raw vLLM LLM backend (llm-nim-svc) for sm_121/SBSA platforms.

Versioning: chart/pack version: 1.0.0 (our packaging) · appVersion: 2.4.1 (upstream NVIDIA VSS Blueprint). Images pinned in values.yaml pack.content.images.

Tested on NVIDIA GB10 / DGX Spark (arm64 SBSA)

Deployed via Palette add-on cluster profile vss-dgx-spark-2.4 on edge cluster edge-gx10 (node edge-2436016cbfdf11d3b5eb30c5993e9cd0, single GB10, device-plugin time-slicing = 4 slices). Full stack green:

    NAME                                                     READY  STATUS   AGE
    arango-db-arango-db-deployment-7bb7bf487c-2nsdd          1/1    Running  3h31m
    elasticsearch-elasticsearch-deployment-6574595875-tvc66  1/1    Running  3h31m
    etcd-etcd-deployment-678d465556-gtgjx                    1/1    Running  3h31m
    llm-vllm-75747fff86-w4g4l                                2/2    Running  3h5m
    milvus-milvus-deployment-858fbc46c7-dwjj5                1/1    Running  3h31m
    milvus-minio-milvus-minio-deployment-559fff5f74-47xgq    1/1    Running  3h31m
    minio-minio-deployment-646d9975d5-4fb6n                  1/1    Running  3h31m
    nemo-embedding-embedding-deployment-975db54d4-xwz8w      1/1    Running  3h6m
    neo4j-neo4j-deployment-97fd6f4f5-27d5s                   1/1    Running  3h31m
    vss-vss-deployment-6bb9d89d6b-hrbhc                      1/1    Running  66m

• vss-engine GET /health/ready → 200
• Cosmos-Reason2-8B VLM loaded on GPU; vLLM LLM (llm-nim-svc) ready; embedding NIM ready.

Cluster profile composition (install-priority order) — secrets masked

profile JSON (masked)

{
  "profileName": "vss-dgx-spark-2.4",
  "type": "add-on",
  "cloudType": "all",
  "packs": [
    {
      "name": "nvidia-vss-data-infrastructure",
      "version": "1.0.0",
      "layer": "addon",
      "appVersion": "2.4.1",
      "installPriority": 5
    },
    {
      "name": "nvidia-vss-core-nims",
      "version": "1.0.0",
      "layer": "addon",
      "appVersion": "2.4.1",
      "installPriority": 10
    },
    {
      "name": "nvidia-vss-vllm",
      "version": "1.0.0",
      "layer": "addon",
      "appVersion": "2.4.1",
      "installPriority": 12
    },
    {
      "name": "nvidia-vss-application",
      "version": "1.0.0",
      "layer": "addon",
      "appVersion": "2.4.1",
      "installPriority": 15
    }
  ],
  "variables": [
    {
      "name": "VSS_PLATFORM",
      "sensitive": false,
      "default": "DGX-SPARK"
    },
    {
      "name": "NGC_API_KEY",
      "sensitive": true,
      "default": null
    },
    {
      "name": "HF_TOKEN",
      "sensitive": true,
      "default": null
    },
    {
      "name": "GRAPH_DB_USERNAME",
      "sensitive": false,
      "default": "neo4j"
    },
    {
      "name": "GRAPH_DB_PASSWORD",
      "sensitive": true,
      "default": "<masked>"
    },
    {
      "name": "MINIO_ACCESS_KEY",
      "sensitive": false,
      "default": "vssminio"
    },
    {
      "name": "MINIO_SECRET_KEY",
      "sensitive": true,
      "default": "<masked>"
    },
    {
      "name": "ARANGO_DB_USERNAME",
      "sensitive": false,
      "default": "root"
    },
    {
      "name": "ARANGO_DB_PASSWORD",
      "sensitive": true,
      "default": "<masked>"
    }
  ]
}

Validated end-to-end: this pack deploys and reaches Ready as part of the VSS 2.4.1 stack on DGX Spark. Pack values use {{.spectro.var.*}} macros (NGC_API_KEY / HF_TOKEN / DB creds) supplied as masked profile variables — no secrets in the pack.

[bulwark-spectrocloud]

✅ CVE scan completed successfully.

Scan Summary:

• Total images scanned: 3
• Clean images: 2
• Images with CVEs: 1
• Total CVEs found: 137

🔴 Critical CVEs: 3
🟠 High CVEs: 21
🟡 Medium CVEs: 18
🟢 Low CVEs: 95

Images with CVEs:

• nginx:1.27-alpine: 137 CVEs (Critical: 3, High: 21, Medium: 18, Low: 95)
  Critical CVEs: CVE-2025-48174, CVE-2026-31789

⚠️ Please review the CVE findings above and address critical/high severity issues before merging.

[bulwark-spectrocloud]

✅ Combined scan completed successfully.

⚠️ Secret Scan Results:

• Found 1 secret(s) in 1 image(s)

Image 1: nvcr.io/nvidia/vllm:26.05.post1-py3

• Secrets detected: 1
• Fingerprints:
  • JWT:/root/.cache/pip/http-v2/8/0/6/3/6/806366e41f528c7b7fbd8d56ea0250ba9ebcf4270a1af519a9bb79da.body:76

Please review the findings above and address any issues before merging.

[bulwark-spectrocloud]

✅ CVE scan completed successfully.

Scan Summary:

• Total images scanned: 3
• Clean images: 2
• Images with CVEs: 1
• Total CVEs found: 47

🔴 Critical CVEs: 0
🟠 High CVEs: 4
🟡 Medium CVEs: 5
🟢 Low CVEs: 38

Images with CVEs:

• nginx:1.30.2-alpine: 47 CVEs (Critical: 0, High: 4, Medium: 5, Low: 38)

⚠️ Please review the CVE findings above and address critical/high severity issues before merging.

[bulwark-spectrocloud]

✅ CVE scan completed successfully.

Scan Summary:

• Total images scanned: 3
• Clean images: 2
• Images with CVEs: 1
• Total CVEs found: 47

🔴 Critical CVEs: 0
🟠 High CVEs: 4
🟡 Medium CVEs: 5
🟢 Low CVEs: 38

Images with CVEs:

• nginx:1.30.2-alpine: 47 CVEs (Critical: 0, High: 4, Medium: 5, Low: 38)

⚠️ Please review the CVE findings above and address critical/high severity issues before merging.

[bulwark-spectrocloud]

✅ CVE scan completed successfully.

Scan Summary:

• Total images scanned: 3
• Clean images: 2
• Images with CVEs: 1
• Total CVEs found: 47

🔴 Critical CVEs: 0
🟠 High CVEs: 4
🟡 Medium CVEs: 5
🟢 Low CVEs: 38

Images with CVEs:

• nginx:1.30.2-alpine: 47 CVEs (Critical: 0, High: 4, Medium: 5, Low: 38)

⚠️ Please review the CVE findings above and address critical/high severity issues before merging.

[blik616287]

Requesting maintainer dismissal of stale CHANGES_REQUESTED review (review #4481628420).

The bulwark secret scan flagged a JWT in nvcr.io/nvidia/vllm:26.05.post1-py3 (a pip HTTP cache body file — not a real credential). This was addressed in commit 8eea834 by reverting to nvcr.io/nvidia/vllm:25.12.post1-py3, which has no secret findings. The branch was subsequently updated with main (commit 15354f1).

All bulwark scans on the current head are clean (0 secrets), and @vishwanaths has approved the current head. Could a maintainer please dismiss the stale review so this PR can proceed?