Update vllm-cpu image for FIPS compatibility

[threcc]

Description

Updates the vllm-cpu image used by llmd tests to a version compatible with FIPS security standards.

The previous image defaulted to weak SHA-1 based ciphers for TLS 1.2. This caused handshake failures (SYSCALL error) on FIPS-enabled clusters where Envoy enforces a strict security policy (SECLEVEL=2).

Tests

Validated successfully across all tests using this image on:
✅ FIPS-enabled clusters
✅ Standard (non-FIPS) clusters

Summary by CodeRabbit

• Chores
  • Updated VLLM CPU container image to a new version.
  • Added SSL cipher and KV cache configuration for VLLM CPU deployments.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[github-actions]

The following are automatically added/executed:

• PR size label.
• Run pre-commit
• Run tox
• Add PR author as the PR assignee
• Build image based on the PR

Available user actions:

• To mark a PR as WIP, add /wip in a comment. To remove it from the PR comment /wip cancel to the PR.
• To block merging of a PR, add /hold in a comment. To un-block merging of PR comment /hold cancel.
• To mark a PR as approved, add /lgtm in a comment. To remove, add /lgtm cancel.
  lgtm label removed on each new commit push.
• To mark PR as verified comment /verified to the PR, to un-verify comment /verified cancel to the PR.
  verified label removed on each new commit push.
• To Cherry-pick a merged PR /cherry-pick <target_branch_name> to the PR. If <target_branch_name> is valid,
  and the current PR is merged, a cherry-picked PR would be created and linked to the current PR.
• To build and push image to quay, add /build-push-pr-image in a comment. This would create an image with tag
  pr-<pr_number> to quay repository. This image tag, however would be deleted on PR merge or close action.

Supported labels

{'/hold', '/wip', '/verified', '/lgtm', '/build-push-pr-image', '/cherry-pick'}

[coderabbitai]

📝 Walkthrough

Walkthrough

The changes update a VLLM CPU container image reference from a SHA256 digest-based URL to a tag-based URL and configure additional FIPS-compatible environment variables when the VLLM CPU container image is used in the LLM service creation function.

Changes

Cohort / File(s)	Summary
Container image reference update utilities/constants.py	Updated ContainerImages.VLLM.CPU from digest-based image (sha256:f084b3c2...) to tag-based image (66196731a)
VLLM CPU environment configuration utilities/llmd_utils.py	Added import of ContainerImages and conditional logic in create_llmisvc to append FIPS-compatible environment variables (VLLM_ADDITIONAL_ARGS and VLLM_CPU_KVCACHE_SPACE) when using the VLLM CPU container image

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: updating the vllm-cpu container image to be FIPS-compatible, which is reflected in the constants update and environment variables configuration.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[mwaykole]

/lgtm

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In `@utilities/constants.py`:
- Around line 444-445: Update the VLLM CPU image constant to pin the image by
digest: replace the current VLLM.CPU value "quay.io/pierdipi/vllm-cpu:66196731a"
with the digest-pinned form
"quay.io/pierdipi/vllm-cpu:66196731a@sha256:<digest>" where <digest> is the
manifest sha256 you obtain from Quay or a registry tool (e.g., `skopeo inspect`
or Quay API); ensure you edit the class VLLM and its CPU attribute so the string
uses the `@sha256`:<digest> suffix for reproducible image references.

In `@utilities/llmd_utils.py`:
- Around line 250-257: The FIPS-related env vars for the vLLM CPU image are only
added when container_env is None, causing them to be omitted when callers
provide a custom container_env; update the logic in llmd_utils.py so the check
for container_image == ContainerImages.VLLM_CPU runs regardless of container_env
being None, and then merge the FIPS env entries ("VLLM_ADDITIONAL_ARGS" and
"VLLM_CPU_KVCACHE_SPACE") into the existing container_env (create a list when
container_env is None) while avoiding clobbering any user-specified variables
(e.g., by appending entries only if names are not already present or by
overriding intentionally documented keys).

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7fd9561 and ad2819e.

📒 Files selected for processing (2)

• utilities/constants.py
• utilities/llmd_utils.py

🧰 Additional context used

🧬 Code graph analysis (1)

utilities/llmd_utils.py (2)

utilities/constants.py (1)

• ContainerImages (441-462)

utilities/llmd_constants.py (1)

• ContainerImages (40-43)

🔇 Additional comments (1)

utilities/llmd_utils.py (1)

21-26: LGTM: centralized container image constant usage.

Nice to see the shared alias pulled in to avoid string comparisons.

_{✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.}

[fege]

/lgtm

[github-actions]

Status of building tag latest: success.
Status of pushing tag latest to image registry: success.