chore(recipes): bump 6 components to upstream latest (phase 1)

[yuanchen8911]

Summary

Bump 6 Helm components in recipes/registry.yaml and overlay/mixin pins to upstream latest. No values schema changes. Pure recipe-pin diff (7 files; example recipes refreshed; orphan-manifest reference in aks-training cleaned up).

Motivation / Context

Phase 1 of the version refresh campaign tracked in #698. Low-risk minor/patch bumps batched together; major bumps (network-operator, gpu-operator) follow in subsequent phases.

Component	Current	New
aws-ebs-csi-driver	2.55.0	2.59.0
cert-manager	v1.17.2	v1.20.2
kube-prometheus-stack	82.8.0	84.4.0
kueue	0.17.0	0.17.1
nodewright-operator (skyhook)	v0.14.0	v0.15.1
nvsentinel	v1.1.0	v1.3.0

Excluded from this PR (deferred to follow-ups):

• kgateway / kgateway-crds (v2.0.0 → v2.2.3) — v2.2.3 silently drops the inferenceExtension.enabled value. AICR uses kgateway specifically for the CNCF AI Conformance "Advanced Ingress for AI/ML Inference" requirement, so the silent feature regression would break inference bundles. Migration requires a values + RBAC rework.
• aws-efa (v0.5.3 → v0.5.26) — 23 minor bumps; requires both image.tag cleanup and a securityContext cleanup (chart now defaults to privileged: true, conflicting with our hardened allowPrivilegeEscalation: false). Deferred for proper EKS / security review.
• kai-scheduler (v0.13.0 → v0.14.1) — repo transferred from NVIDIA/ to kai-scheduler/ org; chart publishing moved to ghcr.io/kai-scheduler/kai-scheduler. Migration + bump belongs in a small standalone follow-up.
• kubeflow-trainer (2.1.0 → 2.2.0) — coupled to a Go change in validators/performance/trainer_lifecycle.go. Belong together in a follow-up to keep this PR pure config / no Go changes.

Example recipes: examples/recipes/{kind,eks-training,aks-training,eks-gb200-ubuntu-training-with-validation}.yaml refreshed to match the bumped registry defaults (cert-manager, nodewright-operator, kube-prometheus-stack, nvsentinel). Matches the convention from prior bump PRs (#283, #336, #450).

Orphan-manifest fix in aks-training.yaml (supersedes #716): also removes a stale manifestFiles: reference to components/nvsentinel/manifests/allow-intra-namespace.yaml that has been broken since #415. The workaround source file was deleted in #309. aicr bundle examples/recipes/aks-training.yaml was failing on main; this fix restores it.

Fixes: aks-training example bundling failure on main
Related: #698, supersedes #716

Type of Change

• Bug fix (non-breaking change that fixes an issue)
• Build/CI/tooling

Component(s) Affected

• Recipe engine / data (pkg/recipe)

Implementation Notes

• All bumps are minor or patch within the same major version.
• cert-manager spans 3 minors (1.17 → 1.20); spot-checked changelog — no breaking API changes affecting our values surface.
• kube-prometheus-stack 82.8 → 84.4: chart-level bumps; values used in this repo unaffected.
• All 6 chart versions verified pullable via helm pull.
• kgateway feature regression discovered via post-bump rendered-output diff; reverted before merge.
• Rebased onto post-fix(ci): trigger H100 GPU tests on shared recipe changes #717 / post-fix(recipes): use Helm manifest-only pattern for gke-nccl-tcpxo #718 main; the gke-nccl-tcpxo registry fix that previously rode along in this PR is now upstream via fix(recipes): use Helm manifest-only pattern for gke-nccl-tcpxo #718, so this PR is back to pure pin bumps + example refresh.

Testing

make tidy    # no-op (clean)
make lint    # 0 issues
make test    # all packages pass
go test -count=1 ./pkg/recipe/...    # ok
helm pull oci://...                  # verified all 6 bumped charts pullable
aicr bundle -r examples/recipes/aks-training.yaml -o /tmp/bundle  # succeeds

End-to-end on real EKS H100 clusters (post-rebase):

• Deployed and tested inference performance on aicr2 (eks/h100/inference/ubuntu/dynamo): bundle 20/20 components healthy, aicr validate --phase performance passed — throughput 38,771 tok/s, TTFT p99 133 ms.
• Deployed and tested pytorch-mnist on aicr1 (eks/h100/training/ubuntu/kubeflow): bundle 16/16 components healthy, demo TrainJob from demos/cuj1-eks.md ran end-to-end on 1× H100 (accuracy 0.74). The pytorch job requires the fix in fix(recipes): drop hook-succeeded from torch-distributed runtime #719 (pre-existing main bug, unrelated to this PR — surfaced when exercising the kubeflow path).

Risk Assessment

• Low — All bumps are minor/patch within the same major; no values schema changes; isolated to recipe pins.

Rollout notes: No migration steps. Bundles regenerated from this branch will pull the new chart versions; existing installations are unaffected until re-bundled.

Checklist

• Tests pass locally (make test with -race)
• Linter passes (make lint)
• I did not skip/disable tests to make CI green
• I added/updated tests for new functionality (N/A — version bumps only)
• I updated docs if user-facing behavior changed (N/A — pins only)
• Changes follow existing patterns in the codebase
• Commits are cryptographically signed (git commit -S)

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

This pull request updates Helm chart versions across multiple YAML recipe files and adjusts Go module dependencies. The changes include version bumps for 15 Helm components across four recipe configuration files (platform-inference, base overlay, EKS overlay, and registry), and two modifications to the Go module: promoting golang.org/x/term v0.42.0 from an indirect to a direct dependency, and updating github.com/go-openapi/strfmt from v0.26.1 to v0.26.2.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Title check	✅ Passed	The title "chore(recipes): bump 6 components to upstream latest (phase 1)" is partially related to the changeset—it refers to component bumping, which is the main type of change, but understates the scope (the PR actually bumps multiple components and includes vendor/go.mod fixes beyond the 6 mentioned).
Description check	✅ Passed	The PR description comprehensively documents version bumps across multiple Helm components, test results, and risk assessment aligned with the changeset.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Line 20: You modified go.mod to pin golang.org/x/term v0.42.0 but did not
include the resulting module metadata and vendored files; run the repository's
make tidy (which runs go mod tidy and go mod vendor) to regenerate go.sum and
vendor/, verify the changes, and commit go.mod, go.sum, and the vendor/
directory together so module metadata and vendored dependencies remain
reproducible.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 8e229029-dfe9-494c-ab4e-800520ab21ef

📥 Commits

Reviewing files that changed from the base of the PR and between 1969a93 and a27aca5.

📒 Files selected for processing (6)

• go.mod
• recipes/components/aws-efa/values.yaml
• recipes/mixins/platform-inference.yaml
• recipes/overlays/base.yaml
• recipes/overlays/eks.yaml
• recipes/registry.yaml

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@recipes/overlays/base.yaml`:
- Line 64: Replace the unavailable version string "v0.15.1" for the
nodewright-operator Helm chart with a published release (e.g., "v0.14.0");
locate the YAML key "version: v0.15.1" in the overlay that references the
nodewright-operator / skyhook-operator chart and update that value to an
available tag such as v0.14.0, then save and re-run your Helm/CI checks to
confirm the chart resolves.

In `@recipes/registry.yaml`:
- Line 146: The kube-prometheus-stack entry uses a non-existent version
(defaultVersion: 84.4.0) and the nvsentinel chart points to the wrong repo;
update the kube-prometheus-stack defaultVersion to 84.3.0 (or the intended
available release) and change the nvsentinel defaultRepository to the correct
OCI registry URL (oci://ghcr.io/nvidia/nvsentinel) in recipes/registry.yaml by
editing the kube-prometheus-stack defaultVersion key and the nvsentinel
defaultRepository key accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 95d71aa7-3a52-4d6b-a8df-1383329f6b3b

📥 Commits

Reviewing files that changed from the base of the PR and between a27aca5 and c6e2d8f.

⛔ Files ignored due to path filters (6)

• go.sum is excluded by !**/*.sum
• vendor/github.com/go-openapi/strfmt/.gitignore is excluded by !vendor/**
• vendor/github.com/go-openapi/strfmt/CONTRIBUTORS.md is excluded by !vendor/**
• vendor/github.com/go-openapi/strfmt/README.md is excluded by !vendor/**
• vendor/github.com/go-openapi/strfmt/duration.go is excluded by !vendor/**
• vendor/modules.txt is excluded by !vendor/**

📒 Files selected for processing (5)

• go.mod
• recipes/mixins/platform-inference.yaml
• recipes/overlays/base.yaml
• recipes/overlays/eks.yaml
• recipes/registry.yaml