OpenShift follow-up for NVBugs 6218358 (26.05)

[kheiss-uwzoo]

Summary

• Backport of OpenShift follow-up for NVBug 6218358 #2166 to 26.05: expands Helm README OpenShift guidance per QA RC9 validation (NVBugs 6218358 comment Update README.md #6).
• Adds the full #openshift-deployment section (not yet on 26.05) plus RC9 follow-up items: prebuilt ffmpeg image on restricted-v2, openshift-restricted.yaml profile, internal registry pull secrets, optional NIM LD_LIBRARY_PATH overrides, and Omni caption manual smoke-test request shape.
• Cross-links from deployment-options.md and prerequisites-support-matrix.md (blob/26.05/... URLs).

NVBugs

6218358 — OpenShift Helm chart SCC/PodSecurity documentation follow-up (comment #6).

PR scope check

• Base: 26.05
• Commits: 2 — OpenShift follow-up docs + page-role cross-link alignment
• Files changed: nemo_retriever/helm/README.md, docs/docs/extraction/deployment-options.md, docs/docs/extraction/prerequisites-support-matrix.md
• Red flags: none (docs only; no .cursor/, link-audit artifacts, chart/code changes)

26.05 doc rules (pre-merge)

Check	Result
Allowed paths only (NRL product docs)	pass
No nimOperator / nvcr.io leakage off matrix + helm	pass
No 12B VL mentions	pass
Branch-pinned links use blob/26.05/...	pass
Caption smoke-test: one line in Image captioning; detail in helm README	pass
Chart defaults unchanged	pass

Test plan

• helm lint nemo_retriever/helm (docs only)
• Review #openshift-deployment anchors in Helm README on 26.05
• Confirm no chart defaults changed

[greptile-apps]

Greptile Summary

This documentation-only backport expands the Helm README with a full #openshift-deployment section covering SCC/PSA overrides, a prebuilt-ffmpeg image workflow, OpenShift internal registry pull-secret patterns, optional NIM LD_LIBRARY_PATH overrides, and an Omni caption smoke-test request shape. Cross-links from deployment-options.md and prerequisites-support-matrix.md are added and correctly branch-pinned to blob/26.05/....

• Helm README gains ~300 lines of OpenShift guidance including a sample openshift-restricted.yaml, vectordb/otel patch commands, and two worked helm install examples validated on OpenShift 4.20.
• prerequisites-support-matrix.md adds an OpenShift callout in the ffmpeg prerequisites and a cross-link to the Omni caption smoke-test section.
• deployment-options.md adds a one-line OpenShift restricted-v2 note pointing readers to the new Helm README section.

Confidence Score: 5/5

Safe to merge — all changes are documentation only with no chart defaults or code modified.

The PR touches only Markdown files. All new anchors are verified present, branch-pinned cross-links point to blob/26.05/..., and the security posture guidance (no-anyuid, restricted-v2 baseline) is technically sound. The minor image-name discrepancy between the Dockerfile snippet and the Quick Start default is worth clarifying but does not block the docs from being correct and useful.

The nrl-service vs nemo-retriever-service naming in nemo_retriever/helm/README.md is worth a second look to confirm both names refer to the same image or to align the Quick Start default accordingly.

Important Files Changed

Filename	Overview
nemo_retriever/helm/README.md	Adds a comprehensive ~300-line OpenShift deployment section with SCC/PSA override guidance, ffmpeg prebuilt image instructions, pull-secret examples, and smoke-test commands; one image-name inconsistency (nrl-service vs nemo-retriever-service) between the new subsection and the existing Quick Start default.
docs/docs/extraction/deployment-options.md	Adds a two-sentence OpenShift restricted-v2 callout with a branch-pinned cross-link into the Helm README; no issues found.
docs/docs/extraction/prerequisites-support-matrix.md	Adds OpenShift prebuilt-image note to ffmpeg prerequisites and a smoke-test cross-link under Image captioning (26.05); all anchors verified present and branch-pinned URLs correct.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[helm install on OpenShift] --> B{restricted-v2 SCC?}
    B -- No --> C[Stock install with generic K8s defaults]
    B -- Yes --> D[Apply openshift-restricted.yaml overrides]
    D --> E{Audio/video needed?}
    E -- No --> F[Leave installFfmpeg=false]
    E -- Yes --> G[Build custom image with ffmpeg baked in]
    G --> H{Image source?}
    H -- NGC/private registry --> I[Set service.image.repository + tag]
    H -- OpenShift internal registry --> J[Add SA pull secret to imagePullSecrets]
    D --> K{Optional NIMs crashing?}
    K -- Yes --> L[Add LD_LIBRARY_PATH via nimOperator.*.env]
    K -- No --> M[NIMs healthy]
    D --> N{vectordb enabled?}
    N -- Yes --> O[oc patch Deployment to add securityContext]
    N -- No --> P[Skip - disabled in values]

Loading

Prompt To Fix All With AI

Fix the following 1 code review issue. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 1
nemo_retriever/helm/README.md:1041
**`nrl-service` vs `nemo-retriever-service` base image mismatch**

The Dockerfile base image `nvcr.io/nvstaging/nim/nrl-service:<BASE_TAG>` uses a different NGC repository name than the chart's own Quick Start default (`nvcr.io/nvstaging/nim/nemo-retriever-service:043020205-001`). The same discrepancy appears in the example install `--set` flags on lines 1169 and 1196. A user extending the chart's default service image to bake in `ffmpeg` would take the `nrl-service` path from these docs but may have pulled `nemo-retriever-service` as their base, resulting in a mismatched or unexpected base layer. If `nrl-service` is the current canonical repository for 26.05 (and the Quick Start snippet is stale), the Quick Start section should be updated; if `nemo-retriever-service` is still correct, the Dockerfile `FROM` line and example `--set` flags here need adjusting.

_{Reviews (3): Last reviewed commit: "docs(helm): fix audit findings for OpenS..." | Re-trigger Greptile}

[greptile-apps]

Missing blank line between the horizontal rule closing the OpenShift section and the ## Air-gapped deployment heading. While most Markdown parsers handle this, MkDocs (and strict CommonMark renderers) expect a blank line after a --- thematic break before the next block element to guarantee it is not parsed as a setext heading underline for any preceding content.

Suggested change

	---
	## Air-gapped deployment { #air-gapped-deployment }
	---
	## Air-gapped deployment { #air-gapped-deployment }

Prompt To Fix With AI

This is a comment left during a code review.
Path: nemo_retriever/helm/README.md
Line: 1246-1247

Comment:
Missing blank line between the horizontal rule closing the OpenShift section and the `## Air-gapped deployment` heading. While most Markdown parsers handle this, MkDocs (and strict CommonMark renderers) expect a blank line after a `---` thematic break before the next block element to guarantee it is not parsed as a setext heading underline for any preceding content.

```suggestion
---

## Air-gapped deployment { #air-gapped-deployment }
```

How can I resolve this? If you propose a fix, please make it concise.

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!