Inject upstream vLLM version from SBOM into operator CSV #18459

Draft
pierDipi wants to merge 1 commit into red-hat-data-services:rhoai-3.4 from pierDipi:inject-vllm-version-3.4


pierDipi commented Mar 26, 2026

RHAIIS container images carry only the Red Hat product version label (e.g. 3.4-EA1), but customers, field teams, and the Dashboard need the upstream vLLM version to assess model compatibility, feature availability, and CVE exposure.

Add inject-vllm-versions.sh which extracts the upstream vLLM version from each RHAIIS image SBOM (via cosign) and injects it as a RELATED_IMAGE_RHAII[S]_VLLM_*_IMAGE_UPSTREAM_VERSION env var into the operator CSV. The script uses sed for surgical edits to avoid reformatting the YAML, and handles both the legacy RHAIIS and new RHAII env var naming conventions.

Update the process-operator-bundle GitHub Actions workflow to install cosign (built from source, pinned to commit SHA) and invoke the script after bundle processing.

The injected version (e.g. 0.13.0+rhai11) will be consumed downstream by the operator to populate params.env, which Model Serving uses to set opendatahub.io/runtime-version on LLMInferenceServiceConfig resources.

https://redhat.atlassian.net/browse/RHAISTRAT-1395

-> $ ./bundle/inject-vllm-versions.sh bundle/manifests/rhods-operator.clusterserviceversion.yaml
-> Inspecting SBOM for RELATED_IMAGE_RHAIIS_VLLM_CPU_IMAGE...
   RELATED_IMAGE_RHAIIS_VLLM_CPU_IMAGE_UPSTREAM_VERSION = 0.13.0+rhai11
-> Inspecting SBOM for RELATED_IMAGE_RHAIIS_VLLM_CUDA_IMAGE...
   RELATED_IMAGE_RHAIIS_VLLM_CUDA_IMAGE_UPSTREAM_VERSION = 0.13.0+rhai11
-> Inspecting SBOM for RELATED_IMAGE_RHAIIS_VLLM_ROCM_IMAGE...
   RELATED_IMAGE_RHAIIS_VLLM_ROCM_IMAGE_UPSTREAM_VERSION = 0.13.0+rhai11
-> Inspecting SBOM for RELATED_IMAGE_RHAIIS_VLLM_SPYRE_IMAGE...
   RELATED_IMAGE_RHAIIS_VLLM_SPYRE_IMAGE_UPSTREAM_VERSION = 0.11.0+rhai8

=== vLLM Version Injection Summary ===
  RELATED_IMAGE_RHAIIS_VLLM_CPU_IMAGE_UPSTREAM_VERSION = "0.13.0+rhai11"
  RELATED_IMAGE_RHAIIS_VLLM_CUDA_IMAGE_UPSTREAM_VERSION = "0.13.0+rhai11"
  RELATED_IMAGE_RHAIIS_VLLM_ROCM_IMAGE_UPSTREAM_VERSION = "0.13.0+rhai11"
  RELATED_IMAGE_RHAIIS_VLLM_SPYRE_IMAGE_UPSTREAM_VERSION = "0.11.0+rhai8"
=======================================
Done. Injected 4 version env var(s).

would produce this diff

diff --git a/bundle/manifests/rhods-operator.clusterserviceversion.yaml b/bundle/manifests/rhods-operator.clusterserviceversion.yaml
index 937d83f84..472c3122c 100644
--- a/bundle/manifests/rhods-operator.clusterserviceversion.yaml
+++ b/bundle/manifests/rhods-operator.clusterserviceversion.yaml
@@ -2099,12 +2099,20 @@ spec:
                   value: registry.redhat.io/openshift4/ose-prom-label-proxy-rhel9@sha256:2adfbbc4205be3d161063234991aae3f34ab6e0557207d9cfa4a498711a922b4
                 - name: RELATED_IMAGE_RHAIIS_VLLM_CPU_IMAGE
                   value: registry.redhat.io/rhaiis/vllm-cpu-rhel9@sha256:f05e773647dddd37ec6c2215cb14bec87e4ab5a7d37f2e110d16cd92355427d3
+                - name: RELATED_IMAGE_RHAIIS_VLLM_CPU_IMAGE_UPSTREAM_VERSION
+                  value: "0.13.0+rhai11"
                 - name: RELATED_IMAGE_RHAIIS_VLLM_CUDA_IMAGE
                   value: registry.redhat.io/rhaiis/vllm-cuda-rhel9@sha256:ec799bb5eeb7e25b4b25a8917ab5161da6b6f1ab830cbba61bba371cffb0c34d
+                - name: RELATED_IMAGE_RHAIIS_VLLM_CUDA_IMAGE_UPSTREAM_VERSION
+                  value: "0.13.0+rhai11"
                 - name: RELATED_IMAGE_RHAIIS_VLLM_ROCM_IMAGE
                   value: registry.redhat.io/rhaiis/vllm-rocm-rhel9@sha256:e345cf9453afae0d3c2afe2f7fb9be8fac772f46593b873e925d38ae2b3ee537
+                - name: RELATED_IMAGE_RHAIIS_VLLM_ROCM_IMAGE_UPSTREAM_VERSION
+                  value: "0.13.0+rhai11"
                 - name: RELATED_IMAGE_RHAIIS_VLLM_SPYRE_IMAGE
                   value: registry.redhat.io/rhaiis/vllm-spyre-rhel9@sha256:75f0ea05a92661a33b40efe2a662d976d53c767db18990b433d4a00dd6693aae
+                - name: RELATED_IMAGE_RHAIIS_VLLM_SPYRE_IMAGE_UPSTREAM_VERSION
+                  value: "0.11.0+rhai8"
                 - name: RELATED_IMAGE_ODH_PYTHON_312_IMAGE
                   value: registry.redhat.io/ubi9/python-312@sha256:e95978812895b9abb2bdc109b501078da2a47c8dbb9fa23758af40ed50ab6023
                 - name: RELATED_IMAGE_PERSES_IMAGE
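
Review bot: the four added `*_UPSTREAM_VERSION` entries reuse the RELATED_IMAGE_ prefix for a value that is a version string rather than a pullspec, so any consumer that collects RELATED_IMAGE_* env vars as image references (relatedImages generation, mirroring, digest-pinning checks) would see "0.13.0+rhai11" as an image. Consider a name outside that prefix, or confirm those consumers skip names ending in _UPSTREAM_VERSION. Separately, each version literal sits next to an image digest but nothing in the manifest ties the two together, so a later digest bump that skips the script would leave a stale version in place for CVE assessment; a CI check that fails when a vLLM image entry is not followed by a freshly generated version entry would cover that.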

RHAIIS container images carry only the Red Hat product version label
(e.g. 3.4-EA1), but customers, field teams, and the Dashboard need the
upstream vLLM version to assess model compatibility, feature availability,
and CVE exposure.

Add inject-vllm-versions.sh which extracts the upstream vLLM version
from each RHAIIS image SBOM (via cosign) and injects it as a
RELATED_IMAGE_RHAII[S]_VLLM_*_IMAGE_UPSTREAM_VERSION env var into the
operator CSV. The script uses sed for surgical edits to avoid
reformatting the YAML, and handles both the legacy RHAIIS and new RHAII
env var naming conventions.

Update the process-operator-bundle GitHub Actions workflow to install
cosign (built from source, pinned to commit SHA) and invoke the script
after bundle processing.

The injected version (e.g. 0.13.0+rhai11) will be consumed downstream by
the operator to populate params.env, which Model Serving uses to set
opendatahub.io/runtime-version on LLMInferenceServiceConfig resources.

Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>
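
An added example, not part of this PR or of inject-vllm-versions.sh: a lint that could run after injection to confirm every RELATED_IMAGE_RHAII[S]_VLLM_*_IMAGE entry is digest-pinned and immediately followed by a well-formed *_UPSTREAM_VERSION entry. The function names, the registry.example.com references, the placeholder digest and the version pattern (inferred from the two values shown in the description) are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the PR's inject-vllm-versions.sh: lint the env list of a CSV.
# Assumption: versions look like X.Y.Z with an optional "+rhaiN" suffix, as in the
# two values shown in the PR description.

# check_vllm_versions [CSV_FILE]  (reads stdin if no file); returns 1 on any finding
check_vllm_versions() {
  awk '
    function report(msg) { print "FINDING: " msg; bad++ }
    function pair(n, v,    d, want) {
      if (pending != "") {              # previous entry was a vLLM image
        want = pending "_UPSTREAM_VERSION"; pending = ""
        if (n == want) {
          if (v !~ /^[0-9]+[.][0-9]+[.][0-9]+([+]rhai[0-9]+)?$/)
            report(n " has malformed value: " v)
          return
        }
        report(want " is missing")
      }
      if (n ~ /^RELATED_IMAGE_RHAIIS?_VLLM_[A-Z0-9_]+_IMAGE$/) {
        d = v; sub(/^.*@sha256:/, "", d)   # d keeps only the digest, if any
        if (d == v || length(d) != 64 || d !~ /^[0-9a-f]+$/)
          report(n " is not pinned by sha256 digest")
        pending = n
      } else if (n ~ /_VLLM_.*_UPSTREAM_VERSION$/) {
        report(n " does not follow its image entry")
      }
    }
    $1 == "-" && $2 == "name:" { name = $3; next }
    $1 == "value:" && name != "" { v = $2; gsub(/"/, "", v); pair(name, v); name = "" }
    END { if (pending != "") report(pending "_UPSTREAM_VERSION is missing"); exit (bad > 0) }
  ' "$@"
}

# Constructed sample: the CUDA pair is valid; the ROCM image is tag-based and has no version.
sample_csv() {
  d=$(printf '%064d' 0)   # placeholder digest (64 hex characters)
  cat <<EOF
- name: RELATED_IMAGE_RHAIIS_VLLM_CUDA_IMAGE
  value: registry.example.com/vllm-cuda@sha256:$d
- name: RELATED_IMAGE_RHAIIS_VLLM_CUDA_IMAGE_UPSTREAM_VERSION
  value: "0.13.0+rhai11"
- name: RELATED_IMAGE_RHAII_VLLM_ROCM_IMAGE
  value: registry.example.com/vllm-rocm:latest
- name: RELATED_IMAGE_PERSES_IMAGE
  value: registry.example.com/perses@sha256:$d
EOF
}
```

Running `sample_csv | check_vllm_versions` reports the unpinned ROCM image and its missing version entry and returns 1, so the same call against the bundle manifest can gate a workflow step.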