Merge pull request #1131 from nebius/dev

Release 1.21.1

Author: itechdima

.github/workflows/e2e_test.yml

@@ -2,7 +2,8 @@ name: E2E test soperator
 
 on:
   schedule:
-    - cron: '0 */2 * * *'
+    # Every hour
+    - cron: '0 */1 * * *'
   workflow_dispatch:
     inputs:
       terraform_repo:
@@ -51,7 +52,7 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+        uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
         with:
           egress-policy: audit
 

.github/workflows/github_release.yml

@@ -95,7 +95,7 @@ jobs:
                 {
                     "key": "docs",
                     "title": "## 📔Docs",
-                    "labels": ["doc", "docs"]
+                    "labels": ["doc", "docs", "documentation"]
                 },
                 {
                     "key": "other",

.github/workflows/gpubench_only.yml

@@ -17,7 +17,7 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+        uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
         with:
           egress-policy: audit
 

.github/workflows/one_job.yml

@@ -5,6 +5,8 @@ on:
     branches:
       - main
       - dev
+    tags:
+      - 'build**'  # Trigger on tags starting with "build"
     paths-ignore:
       - 'docs/**'
       - 'CODEOWNERS'
@@ -40,7 +42,7 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+        uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
         with:
           egress-policy: audit
 
@@ -98,7 +100,7 @@ jobs:
             runner: ARM64
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+        uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
         with:
           egress-policy: audit
 

VERSION

@@ -1 +1 @@
-1.21.0
+1.21.1

api/v1/slurmcluster_types.go

@@ -85,7 +85,7 @@ type SlurmClusterSpec struct {
 	// SlurmConfig represents the Slurm configuration in slurm.conf. Not all options are supported.
 	//
 	// +kubebuilder:validation:Optional
-	// +kubebuilder:default={defMemPerNode: 1228800, defCpuPerGPU: 16, completeWait: 5, debugFlags: "Cgroup,CPU_Bind,Gres,JobComp,Priority,Script,SelectType,Steps,TraceJobs", epilog: "", prolog: "", taskPluginParam: "Autobind=Cores", maxJobCount: 10000, minJobAge: 86400}
+	// +kubebuilder:default={defMemPerNode: 1048576, defCpuPerGPU: 4, completeWait: 5, epilog: "", prolog: "", taskPluginParam: "Autobind=Cores", maxJobCount: 10000, minJobAge: 86400, messageTimeout: 60}
 	SlurmConfig SlurmConfig `json:"slurmConfig,omitempty"`
 
 	// CustomSlurmConfig represents the raw Slurm configuration from slurm.conf.
@@ -105,7 +105,7 @@ type SlurmClusterSpec struct {
 	// PlugStackConfig represents the Plugin stack configurations in `plugstack.conf`.
 	//
 	// +kubebuilder:validation:Optional
-	// +kubebuilder:default={ pyxis: { required: true, containerImageSave: "/var/cache/enroot-container-images/" }, ncclDebug: { required: false, enabled: false, logLevel: "INFO", outputToFile: true, outputToStdOut: false, outputDirectory: "/opt/soperator-outputs/nccl_logs" } }
+	// +kubebuilder:default={ pyxis: { required: true, containerImageSave: "/var/cache/enroot-container-images/" }, ncclDebug: { required: false, enabled: false, logLevel: "INFO", outputToFile: true, outputToStdOut: false, outputDirectory: "/opt/soperator-outputs/%h/nccl_logs" } }
 	PlugStackConfig PlugStackConfig `json:"plugStackConfig,omitempty"`
 
 	// SlurmTopologyConfigMapRefName is the name of the slurm topology config.
@@ -141,24 +141,18 @@ type SlurmConfig struct {
 	// Default real memory size available per allocated node in mebibytes.
 	//
 	// +kubebuilder:validation:Optional
-	// +kubebuilder:default=1228800
+	// +kubebuilder:default=1048576
 	DefMemPerNode *int32 `json:"defMemPerNode,omitempty"`
 	// Default count of CPUs allocated per allocated GPU
 	//
 	// +kubebuilder:validation:Optional
-	// +kubebuilder:default=16
+	// +kubebuilder:default=4
 	DefCpuPerGPU *int32 `json:"defCpuPerGPU,omitempty"`
 	// The time to wait, in seconds, when any job is in the COMPLETING state before any additional jobs are scheduled.
 	//
 	// +kubebuilder:validation:Optional
 	// +kubebuilder:default=5
 	CompleteWait *int32 `json:"completeWait,omitempty"`
-	// Defines specific subsystems which should provide more detailed event logging.
-	//
-	// +kubebuilder:validation:Optional
-	// +kubebuilder:default="Priority,Script,SelectType,Steps"
-	// +kubebuilder:validation:Pattern="^((Accrue|Agent|AuditRPCs|Backfill|BackfillMap|BurstBuffer|Cgroup|ConMgr|CPU_Bind|CpuFrequency|Data|DBD_Agent|Dependency|Elasticsearch|Energy|Federation|FrontEnd|Gres|Hetjob|Gang|GLOB_SILENCE|JobAccountGather|JobComp|JobContainer|License|Network|NetworkRaw|NodeFeatures|NO_CONF_HASH|Power|Priority|Profile|Protocol|Reservation|Route|Script|SelectType|Steps|Switch|TLS|TraceJobs|Triggers)(,)?)+$"
-	DebugFlags *string `json:"debugFlags,omitempty"`
 	// Defines specific file to run the epilog when job ends. Default value is no epilog
 	//
 	// +kubebuilder:validation:Optional
@@ -197,7 +191,7 @@ type SlurmConfig struct {
 	TopologyPlugin string `json:"topologyPlugin,omitempty"`
 	// TopologyParam is list of comma-separated options identifying network topology options.
 	//
-	// +kubebuilder:validation:Optional
+	// +kubebuilder:default=topology/tree
 	TopologyParam string `json:"topologyParam,omitempty"`
 }
 
@@ -221,7 +215,7 @@ type PlugStackConfig struct {
 	// NcclDebug represents the 'NCCL Debug' SPANK plugin configuration.
 	//
 	// +kubebuilder:validation:Optional
-	// +kubebuilder:default={ required: false, enabled: false, logLevel: "INFO", outputToFile: true, outputToStdOut: false, outputDirectory: "/opt/soperator-outputs/nccl_logs" }
+	// +kubebuilder:default={ required: false, enabled: false, logLevel: "INFO", outputToFile: true, outputToStdOut: false, outputDirectory: "/opt/soperator-outputs/%h/nccl_logs" }
 	NcclDebug PluginConfigNcclDebug `json:"ncclDebug,omitempty"`
 
 	// PluginConfigCustom represents a configuration of custom SPANK plugins.
@@ -277,7 +271,7 @@ type PluginConfigNcclDebug struct {
 
 	// OutputToFile defines whether to additionally redirect `NCCL_DEBUG` outputs to the output file.
 	// Output filename will have the following format:
-	//  <WORKER_NAME>.<JOB_ID>.<STEP_ID>.out
+	//  <JOB_ID>.<STEP_ID>.out
 	//
 	// +kubebuilder:validation:Optional
 	// +kubebuilder:default=true
@@ -298,7 +292,7 @@ type PluginConfigNcclDebug struct {
 	// If the path does not exist, it will be created by the plugin.
 	//
 	// +kubebuilder:validation:Optional
-	// +kubebuilder:default="/opt/soperator-outputs/nccl_logs"
+	// +kubebuilder:default="/opt/soperator-outputs/%h/nccl_logs"
 	OutputDirectory string `json:"outputDirectory,omitempty"`
 }
 
@@ -720,10 +714,35 @@ type ExternalDB struct {
 	//
 	// +kubebuilder:validation:Optional
 	User string `json:"user"`
-	// SecretRef defines the reference to the secret with the password key for the external database
+	// PasswordSecretKeyRef defines the reference to the secret with the password key for the external database.
+	// Either this or tls.clientCertSecretName must be provided as client credentials.
 	//
 	// +kubebuilder:validation:Optional
 	PasswordSecretKeyRef PasswordSecretKeyRef `json:"passwordSecretKeyRef"`
+	// TLS provides the configuration required to establish TLS connection with the external MariaDB.
+	//
+	// +kubebuilder:validation:Optional
+	TLS ExternalDBTLSConfig `json:"tls,omitempty"`
+	// StorageParameters defines the list of additional parameters to set in slurmdbd.conf's StorageParameters.
+	// Some values here may be overridden by TLS configuration
+	//
+	// +kubebuilder:validation:Optional
+	StorageParameters map[string]string `json:"storageParameters,omitempty"`
+}
+
+type ExternalDBTLSConfig struct {
+	// ServerCASecretRef defines the reference to a Secret containing the MariaDB server CA certificates.
+	// The secret should contain a 'ca.crt' key.
+	// If set, it overrides SSL_CA value in storageParameters
+	//
+	// +kubebuilder:validation:Optional
+	ServerCASecretRef string `json:"serverCASecretRef,omitempty"`
+	// ClientCertSecretName defines the reference to a Kubernetes TLS Secret (with tls.crt and tls.key files).
+	// Either this or passwordSecretKeyRef must be provided as client credentials.
+	// If set, it overrides SSL_CERT and SSL_KEY values in storageParameters
+	//
+	// +kubebuilder:validation:Optional
+	ClientCertSecretRef string `json:"clientCertSecretRef,omitempty"`
 }
 
 type PasswordSecretKeyRef struct {

api/v1/zz_generated.deepcopy.go

@@ -1292,7 +1292,7 @@ spec:
                   ncclDebug:
                     enabled: false
                     logLevel: INFO
-                    outputDirectory: /opt/soperator-outputs/nccl_logs
+                    outputDirectory: /opt/soperator-outputs/%h/nccl_logs
                     outputToFile: true
                     outputToStdOut: false
                     required: false
@@ -1336,7 +1336,7 @@ spec:
                     default:
                       enabled: false
                       logLevel: INFO
-                      outputDirectory: /opt/soperator-outputs/nccl_logs
+                      outputDirectory: /opt/soperator-outputs/%h/nccl_logs
                       outputToFile: true
                       outputToStdOut: false
                       required: false
@@ -1357,7 +1357,7 @@ spec:
                         - TRACE
                         type: string
                       outputDirectory:
-                        default: /opt/soperator-outputs/nccl_logs
+                        default: /opt/soperator-outputs/%h/nccl_logs
                         description: |-
                           OutputDirectory defines a directory path where OutputToFile has to be created.
 
@@ -1371,7 +1371,7 @@ spec:
                         description: |-
                           OutputToFile defines whether to additionally redirect `NCCL_DEBUG` outputs to the output file.
                           Output filename will have the following format:
-                           <WORKER_NAME>.<JOB_ID>.<STEP_ID>.out
+                           <JOB_ID>.<STEP_ID>.out
                         type: boolean
                       outputToStdOut:
                         default: false
@@ -3183,11 +3183,11 @@ spec:
               slurmConfig:
                 default:
                   completeWait: 5
-                  debugFlags: Cgroup,CPU_Bind,Gres,JobComp,Priority,Script,SelectType,Steps,TraceJobs
-                  defCpuPerGPU: 16
-                  defMemPerNode: 1228800
+                  defCpuPerGPU: 4
+                  defMemPerNode: 1048576
                   epilog: ""
                   maxJobCount: 10000
+                  messageTimeout: 60
                   minJobAge: 86400
                   prolog: ""
                   taskPluginParam: Autobind=Cores
@@ -3200,19 +3200,13 @@ spec:
                       the COMPLETING state before any additional jobs are scheduled.
                     format: int32
                     type: integer
-                  debugFlags:
-                    default: Priority,Script,SelectType,Steps
-                    description: Defines specific subsystems which should provide
-                      more detailed event logging.
-                    pattern: ^((Accrue|Agent|AuditRPCs|Backfill|BackfillMap|BurstBuffer|Cgroup|ConMgr|CPU_Bind|CpuFrequency|Data|DBD_Agent|Dependency|Elasticsearch|Energy|Federation|FrontEnd|Gres|Hetjob|Gang|GLOB_SILENCE|JobAccountGather|JobComp|JobContainer|License|Network|NetworkRaw|NodeFeatures|NO_CONF_HASH|Power|Priority|Profile|Protocol|Reservation|Route|Script|SelectType|Steps|Switch|TLS|TraceJobs|Triggers)(,)?)+$
-                    type: string
                   defCpuPerGPU:
-                    default: 16
+                    default: 4
                     description: Default count of CPUs allocated per allocated GPU
                     format: int32
                     type: integer
                   defMemPerNode:
-                    default: 1228800
+                    default: 1048576
                     description: Default real memory size available per allocated
                       node in mebibytes.
                     format: int32
@@ -3250,6 +3244,7 @@ spec:
                     description: Additional parameters for the task plugin
                     type: string
                   topologyParam:
+                    default: topology/tree
                     description: TopologyParam is list of comma-separated options
                       identifying network topology options.
                     type: string
@@ -4723,8 +4718,9 @@ spec:
                               database
                             type: string
                           passwordSecretKeyRef:
-                            description: SecretRef defines the reference to the secret
-                              with the password key for the external database
+                            description: |-
+                              PasswordSecretKeyRef defines the reference to the secret with the password key for the external database.
+                              Either this or tls.clientCertSecretName must be provided as client credentials.
                             properties:
                               key:
                                 description: Key defines the key of password in the
@@ -4741,6 +4737,30 @@ spec:
                               database
                             format: int32
                             type: integer
+                          storageParameters:
+                            additionalProperties:
+                              type: string
+                            description: |-
+                              StorageParameters defines the list of additional parameters to set in slurmdbd.conf's StorageParameters.
+                              Some values here may be overridden by TLS configuration
+                            type: object
+                          tls:
+                            description: TLS provides the configuration required to
+                              establish TLS connection with the external MariaDB.
+                            properties:
+                              clientCertSecretRef:
+                                description: |-
+                                  ClientCertSecretName defines the reference to a Kubernetes TLS Secret (with tls.crt and tls.key files).
+                                  Either this or passwordSecretKeyRef must be provided as client credentials.
+                                  If set, it overrides SSL_CERT and SSL_KEY values in storageParameters
+                                type: string
+                              serverCASecretRef:
+                                description: |-
+                                  ServerCASecretRef defines the reference to a Secret containing the MariaDB server CA certificates.
+                                  The secret should contain a 'ca.crt' key.
+                                  If set, it overrides SSL_CA value in storageParameters
+                                type: string
+                            type: object
                           user:
                             description: Key defines the key of username and password
                               in the secret

config/crd/bases/slurm.nebius.ai_slurmclusters.yaml

@@ -3,4 +3,4 @@ resources:
 images:
   - name: controller
     newName: cr.eu-north1.nebius.cloud/soperator/slurm-operator
-    newTag: 1.21.0
+    newTag: 1.21.1

config/manager/kustomization.yaml

@@ -87,7 +87,7 @@ spec:
             value: "false"
           - name: SLURM_OPERATOR_WATCH_NAMESPACES
             value: "*"
-        image: controller:1.21.0
+        image: controller:1.21.1
         imagePullPolicy: Always
         name: manager
         securityContext: