From a5d013502cd333af6faa62eb5ed9a09b01068c4b Mon Sep 17 00:00:00 2001 From: ChristianZaccaria Date: Fri, 3 Jul 2026 11:06:08 +0100 Subject: [PATCH] docs(openshift): simplify install steps and add Helm README entries for OpenShift overrides Signed-off-by: ChristianZaccaria --- deploy/helm/openshell/README.md | 2 ++ deploy/helm/openshell/README.md.gotmpl | 2 ++ docs/kubernetes/openshift.mdx | 12 +++--------- 3 files changed, 7 insertions(+), 9 deletions(-) diff --git a/deploy/helm/openshell/README.md b/deploy/helm/openshell/README.md index f3a86f884..6bc459567 100644 --- a/deploy/helm/openshell/README.md +++ b/deploy/helm/openshell/README.md @@ -25,6 +25,8 @@ helm install openshell oci://ghcr.io/nvidia/openshell/helm-chart --version -The OpenShift install path is experimental. It currently requires running sandbox pods under the `privileged` SCC and installing the gateway with TLS and the PKI init job disabled. Use only for evaluation on a private network. +The OpenShift install path is experimental. It currently requires running sandbox pods under the `privileged` SCC and installing the gateway with TLS disabled. Use only for evaluation on a private network. OpenShift's [Security Context Constraints](https://docs.openshift.com/container-platform/latest/authentication/managing-security-context-constraints.html) reject the chart's default pod security settings. Installing on OpenShift requires precreating the namespace, granting the `privileged` SCC to the sandbox service account, and overriding a few chart values so the cluster admission controller can assign UIDs and FS groups itself. @@ -46,7 +46,6 @@ oc adm policy add-scc-to-user privileged -z openshell-sandbox -n openshell helm install openshell oci://ghcr.io/nvidia/openshell/helm-chart \ --version \ --namespace openshell \ - --set pkiInitJob.enabled=false \ --set server.disableTls=true \ --set podSecurityContext.fsGroup=null \ --set securityContext.runAsUser=null @@ -54,14 +53,9 @@ helm install openshell oci://ghcr.io/nvidia/openshell/helm-chart \ | Override | Reason | |---|---| -| `pkiInitJob.enabled=false` | Skips the built-in TLS PKI Job. TLS must also be disabled unless you provide TLS Secrets another way. | -| `server.disableTls=true` | The gateway has no certificates without `pkiInitJob`, so it must run plaintext. | +| `server.disableTls=true` | Runs the gateway over plaintext HTTP for simpler evaluation. | | `podSecurityContext.fsGroup=null` / `securityContext.runAsUser=null` | Clear the chart's hardcoded UID and fsGroup so OpenShift's SCC admission can assign them. | -The gateway still needs the sandbox JWT signing Secret. When disabling -`pkiInitJob` without enabling cert-manager, pre-create that Secret before -installing the chart. - ## Wait for the gateway to be ready ```shell @@ -90,6 +84,6 @@ openshell status ## Next Steps -- For TLS-enabled deployments, refer to [Managing Certificates](/kubernetes/managing-certificates) after SCC-compatible PKI is supported. +- For TLS-enabled deployments, refer to [Managing Certificates](/kubernetes/managing-certificates). - To expose the gateway externally, refer to [Ingress](/kubernetes/ingress). - To configure OIDC authentication, refer to [Access Control](/kubernetes/access-control).