feat(slinky-slurm): add cluster chart and EKS/Kind leaves

[faganihajizada]

Summary

Wires the Slinky slurm cluster chart into AICR as an opt-in component (platform-slurm-cluster mixin) and ships the first two leaf recipes that consume both the Slinky operator and cluster:

• h100-eks-ubuntu-training-slurm
• h100-kind-training-slurm

Changes

Component (recipes/components/slinky-slurm/values.yaml):

• Overrides the chart's native slinky keys for nodesets / loginsets so user values merge with chart defaults (avoids the nodeset.logfile typed-merge failure observed with custom sub-keys).
• Production-leaning defaults: priority/multifactor scheduler tuning via extraConfMap (strings explicitly quoted to dodge YAML 1.1 coercion), cgroup + gres config files, ClusterIP restapi.
• Accounting (slurmdbd) and DCGM job-mapping are disabled by default — accounting needs an external MariaDB AICR does not bundle; DCGM needs dcgm-exporter on workers. Both opt in via valuesFile / --set. accounting.storageConfig is kept as an inert documented example (chart wraps the entire Accounting CR in if accounting.enabled).

Mixin (recipes/mixins/platform-slurm-cluster.yaml): opt-in slinky-slurm cluster with deps on slinky-slurm-operator + slinky-slurm-operator-crds.

Health check (recipes/checks/slinky-slurm/health-check.yaml): asserts Slinky CRs (Controller, LoginSet, NodeSet, RestApi at slinky.slurm.net/v1beta1 under the slinky-slurm release name) AND underlying workload readiness (Deployment / StatefulSet availableReplicas > 0) before the generic pod-health step. Standardized on availableReplicas across all sub-checks.

Registry: adds slinky-slurm with nodeScheduling:

• system tier: nodeSelectorPaths + tolerationPaths for controller.podSpec.*, restapi.podSpec.*, loginsets.slinky.podSpec.*
• accelerated tier: nodeSelectorPaths + tolerationPaths for nodesets.slinky.podSpec.*

Both --system-node-* and --accelerated-node-* CLI flags now steer the correct pods.

Leaves:

• Both leaves intentionally have no validation: block — inherit the full set from their *-training parents (mirrors *-kubeflow leaves).

KWOK (kwok/scripts/validate-scheduling.sh): extracts the platform criterion so *-slurm overlays resolve to the slinky bundle they ship. Flag is intentionally scoped to slurm only — a full matrix run revealed the harness's sequential CRD cleanup is broken for NFD / KAI / run.ai (orphans block pre-flight on the second recipe onward), so widening to kubeflow/dynamo is deferred to a follow-up.

Tests:

• pkg/recipe/deployment_order_guard_test.go: 2 new cases asserting cert-manager → slinky-slurm-operator-crds → slinky-slurm-operator → slinky-slurm.
• pkg/recipe/components_test.go: new targeted test verifies registry node-scheduling paths line up with the actual slinky map-keys in components/slinky-slurm/values.yaml (prevents silent drift on key renames).

Docs: docs/integrator/recipe-development.md documents the two-mixin opt-in pattern; docs/user/container-images.md regenerated via make bom-docs.

Verified against upstream chart v1.1.0

All component values cross-checked against SlinkyProject/slurm-operator helm/slurm v1.1.0 and main. Notably:

• accounting.storageConfig.passwordKeyRef matches chart defaults (name: mariadb-password, key: password).
• All extraConfMap values quoted as strings — chart serializes the map as map[string]string and bare YAML 1.1 no would coerce to bool.

Test plan

• make test — full unit suite (includes deployment-order guard and components_test).
• make lint — go/yaml/license/agents-sync/docs-sidebar.
• make qualify — end-to-end pre-PR pass.
• aicr recipe + aicr bundle smoke for both leaves.
• make check-health against live Kind cluster for both slinky-slurm-operator and slinky-slurm.
• aicr validate against deployed Kind cluster.
• KWOK scheduling validation for h100-kind-training-slurm and h100-eks-ubuntu-training-slurm.
• CI: kwok-recipes, chainsaw, lint, build.

Notes for reviewers

• The slurm-only KWOK guard is deliberate — widening to other platforms is blocked on harness CRD-cleanup fixes, not on the resolver behavior itself.
• The slinky map-key alignment between registry and values is enforced by the new components_test to catch future renames at unit-test time rather than via opaque scheduling failures.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Introduces an opt-in slinky-slurm cluster component and a platform-slurm-cluster mixin that composes it atop the always-applied platform-slurm operator. Adds Helm values for the slinky-slurm chart, registry entries, documentation updates (platform->mixin resolution), two recipe overlays (EKS and Kind H100 training with platform: slurm), a Chainsaw/Kyverno health check for the cluster, unit and ordering tests, and a conditional --platform slurm forward in validate-scheduling.sh.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• NVIDIA/aicr#878: Overlaps with container-images/BOM adjustments related to Slurm component image listings.
• NVIDIA/aicr#866: Related to adding slurm platform plumbing that the validate-scheduling.sh change forwards to aicr recipe.

Suggested labels

enhancement, area/tests, size/L

Suggested reviewers

• mchmarny
• lockwobr
• njhensley

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title clearly and specifically summarizes the main changes: adding a Slinky Slurm cluster chart as an opt-in component and introducing two new leaf recipes for EKS and Kind.
Description check	✅ Passed	The PR description is comprehensive and directly related to the changeset, detailing all major changes including component values, mixin, health checks, registry updates, leaves, KWOK modifications, tests, and documentation updates.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/user/container-images.md`:
- Line 198: Replace the mutable image reference
`docker.io/library/alpine:latest` with a pinned tag or digest in the
slinky-slurm values (e.g., set the image to something like
`docker.io/library/alpine:3.18.4` or a sha256 digest) and then regenerate the
BOM/docs; locate the `docker.io/library/alpine:latest` string in the values
source for slinky-slurm, update it to the chosen immutable tag/digest, and run
the doc/BOM generation step so the docs reflect the pinned image.

In `@recipes/components/slinky-slurm/values.yaml`:
- Around line 59-60: The comment points out a mismatch between the documented
Secret name and the value used by accounting.storageConfig.passwordKeyRef;
update either the comment or the passwordKeyRef so both reference the same
Secret/key (e.g., make passwordKeyRef.secretName = "mariadb-password" and key =
"password" or change the comment to require Secret named "mariadb"), and apply
the same fix for the duplicate occurrence referenced around the other block
(accounting.storageConfig.passwordKeyRef at the later section) so the guidance
and defaults align and the accounting opt-in will not break.

In `@recipes/registry.yaml`:
- Around line 601-610: Add node selector path mappings for the system tier so
the --system-node-selector override is applied: in the same mapping that defines
system.tolerationPaths, add a system.nodeSelectorPaths array with entries
mirroring the toleration ones (e.g. controller.podSpec.nodeSelector,
restapi.podSpec.nodeSelector, loginsets.slinky.podSpec.nodeSelector) so
controller/restapi/loginset pods are steered by the system-node-selector
override.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: e72860d5-3271-4166-a452-b585d2891df9

📥 Commits

Reviewing files that changed from the base of the PR and between 66f8e7b and cda91eb.

📒 Files selected for processing (13)

• docs/integrator/recipe-development.md
• docs/user/component-catalog.md
• docs/user/container-images.md
• kwok/scripts/validate-scheduling.sh
• pkg/recipe/components_test.go
• pkg/recipe/deployment_order_guard_test.go
• recipes/checks/slinky-slurm-operator/health-check.yaml
• recipes/checks/slinky-slurm/health-check.yaml
• recipes/components/slinky-slurm/values.yaml
• recipes/mixins/platform-slurm-cluster.yaml
• recipes/overlays/h100-eks-ubuntu-training-slurm.yaml
• recipes/overlays/h100-kind-training-slurm.yaml
• recipes/registry.yaml

[github-actions]

🌿 Preview your docs: https://nvidia-preview-feat-slinky-slurm-cluster-leaves.docs.buildwithfern.com/aicr

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@kwok/scripts/validate-scheduling.sh`:
- Around line 331-334: The script currently ignores non-empty platform values
that aren't "slurm", causing silent behavior; update the logic around the
platform variable and recipe_args so the script fails fast: if platform is
non-empty and not equal to "slurm" then emit a clear error message (including
the invalid $platform value) to stderr and exit non-zero, otherwise when
platform == "slurm" append --platform "$platform" to recipe_args as before
(modify the existing if block for platform or add an explicit else branch that
calls echo >&2 and exit 1). Ensure you reference the same variable name
"platform" and the array "recipe_args" so the change is localized.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: d0dc40d1-8f40-4107-b26c-7dfa73f3f5e6

📥 Commits

Reviewing files that changed from the base of the PR and between a3c854f and 27cadab.

📒 Files selected for processing (13)

• docs/integrator/recipe-development.md
• docs/user/component-catalog.md
• docs/user/container-images.md
• kwok/scripts/validate-scheduling.sh
• pkg/recipe/components_test.go
• pkg/recipe/deployment_order_guard_test.go
• recipes/checks/slinky-slurm-operator/health-check.yaml
• recipes/checks/slinky-slurm/health-check.yaml
• recipes/components/slinky-slurm/values.yaml
• recipes/mixins/platform-slurm-cluster.yaml
• recipes/overlays/h100-eks-ubuntu-training-slurm.yaml
• recipes/overlays/h100-kind-training-slurm.yaml
• recipes/registry.yaml

[mchmarny]

Solid wiring overall — the mixin split (platform-slurm always-on operator vs opt-in platform-slurm-cluster) is the right shape, and the new TestComponentRegistry_SlinkySlurm_NodeSchedulingPaths cross-check between registry paths and values.yaml map-keys is exactly the kind of guard this codebase needs more of. Deployment-order test additions also look correct.

One blocker and a few non-blocking nits:

• CI (blocker): both Tier 2: h100-kind-training-slurm and Tier 2: h100-eks-ubuntu-training-slurm KWOK lanes were cancelled at ~15min (every other lane finished in 5–7min), which is what failed KWOK Test Summary. Since those are the very recipes this PR adds, please confirm whether it's a runner timeout vs. OCI pull stall vs. resolver/bundle slowdown, and get the lanes green before merge.
• Defaults posture (non-blocking): PriorityFlags: NO_NORMAL_ALL + raw priority weights + MaxTime: UNLIMITED are real site-policy choices baked into the shipped default. Reasonable for a research cluster; worth at least re-labeling these as "chosen policy" rather than generic "production-leaning defaults", or moving the multifactor / unlimited bits behind an opt-in valuesFile.
• Health-check release-name pinning (non-blocking): the slinky-slurm/health-check.yaml resource names assume the localformat release name — fine for make check-health, but flux/argocd deployers will silently break this. The file flags it; just don't let "needs a parameterized variant" stay a comment forever.
• KWOK platform allowlist (non-blocking): the platform == "slurm" allowlist will bit-rot the next time someone adds a leaf with a non-allowlisted criteria.platform — consider a log line so the next author gets a hint.
• Comment trim regression (nit): the slinky-slurm-operator/health-check.yaml rewrite drops the non-obvious "chainsaw error passes vacuously on empty namespace" rationale.

Also, the branch is behind main — please rebase before re-pushing.