OpenShift follow-up for NVBugs 6218358 (26.05)

[kheiss-uwzoo]

Summary

• Backport of OpenShift follow-up for NVBug 6218358 #2166 to 26.05: expands Helm README OpenShift guidance per QA RC9 validation (NVBugs 6218358 comment Update README.md #6).
• Adds the full #openshift-deployment section (not yet on 26.05) plus RC9 follow-up items: prebuilt ffmpeg image on restricted-v2, openshift-restricted.yaml profile, internal registry pull secrets, optional NIM LD_LIBRARY_PATH overrides, and Omni caption manual smoke-test request shape.
• Cross-links from deployment-options.md and prerequisites-support-matrix.md (blob/26.05/... URLs).

NVBugs

6218358 — OpenShift Helm chart SCC/PodSecurity documentation follow-up (comment #6).

PR scope check

• Base: 26.05
• Commits: 2 — OpenShift follow-up docs + page-role cross-link alignment
• Files changed: nemo_retriever/helm/README.md, docs/docs/extraction/deployment-options.md, docs/docs/extraction/prerequisites-support-matrix.md
• Red flags: none (docs only; no .cursor/, link-audit artifacts, chart/code changes)

26.05 doc rules (pre-merge)

Check	Result
Allowed paths only (NRL product docs)	pass
No nimOperator / nvcr.io leakage off matrix + helm	pass
No 12B VL mentions	pass
Branch-pinned links use blob/26.05/...	pass
Caption smoke-test: one line in Image captioning; detail in helm README	pass
Chart defaults unchanged	pass

Test plan

• helm lint nemo_retriever/helm (docs only)
• Review #openshift-deployment anchors in Helm README on 26.05
• Confirm no chart defaults changed

[greptile-apps]

Greptile Summary

This PR backports OpenShift deployment documentation to the 26.05 branch, adding a full #openshift-deployment section to the Helm README and cross-linking from the deployment-options and prerequisites-support-matrix pages. It also fixes a pre-existing documentation error: the Helm quick-reference table previously listed service.installFfmpeg default as false, but values.yaml has always been true.

• New OpenShift section (~320 lines): SCC/PSA override table, openshift-restricted.yaml profile, prebuilt-ffmpeg image pattern, internal-registry pull-secret guidance, optional NIM LD_LIBRARY_PATH env overrides, vectordb/otel post-install patches, and two install examples (smoke test + full NIM Operator pipeline).
• installFfmpeg default corrected in the README table from false → true, matching the actual values.yaml value; deployment-options.md text is updated consistently.
• Cross-links use blob/26.05/... URLs throughout; { #1-service-image } and { #openshift-deployment } anchors are new and already referenced from audio-video.md and the updated docs pages.

Confidence Score: 5/5

Documentation-only change; no chart, code, or values.yaml modifications. The installFfmpeg default correction aligns the README table with the actual values.yaml. Safe to merge.

All three changed files are Markdown documentation. The largest change — the new OpenShift section — adds accurate operational guidance backed by QA-validated procedures. The service.installFfmpeg default correction from false to true is confirmed by values.yaml (line 179: installFfmpeg: true). The ngcImagePullSecret empty-name behavior is correctly described given the Helm template logic. Cross-links use branch-pinned blob/26.05/... URLs and the new anchors match the sections added in this PR.

No files require special attention. The only notable finding is that the Omni caption smoke-test JSON omits image content, which could confuse users testing the caption pipeline directly.

Important Files Changed

Filename	Overview
nemo_retriever/helm/README.md	Large new #openshift-deployment section (~320 lines) covering SCC/PSA overrides, ffmpeg prebuilt image pattern, internal registry pull secrets, LD_LIBRARY_PATH env, and Omni caption smoke-test guidance; also corrects service.installFfmpeg default from false to true (matches actual values.yaml) and converts see → refer to throughout.
docs/docs/extraction/deployment-options.md	Expanded ffmpeg paragraph to name installFfmpeg=true as the chart default and adds cross-link to the new #openshift-deployment README section; also replaces see with refer to for consistency.
docs/docs/extraction/prerequisites-support-matrix.md	Minor editorial pass: see → refer to, via → through; ffmpeg guidance shortened to a cross-link to audio-video.md which already covers container/Helm ffmpeg setup; adds Image captioning scope note.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[helm install retriever] --> B{OpenShift?}
    B -- No --> C[Generic K8s path\nstock defaults]
    B -- Yes --> D[Apply openshift-restricted.yaml\n- runAsNonRoot only\n- allowPrivilegeEscalation: false\n- capabilities drop ALL\n- seccompProfile: RuntimeDefault]
    D --> E{Need audio/video?}
    E -- No --> F[service.installFfmpeg=false]
    E -- Yes --> G[Build prebuilt service image\nFROM nrl-service + ffmpeg\nPush to NGC / internal registry]
    G --> H[service.image.repository/tag\npoint at prebuilt image]
    D --> I{Internal registry?}
    I -- Yes --> J[imagePullSecrets: default-dockercfg-xxxxx\nngcImagePullSecret.name: empty]
    I -- NGC only --> K[imagePullSecrets: ngc-secret]
    D --> L{Optional NIMs crash?}
    L -- Yes --> M[Add LD_LIBRARY_PATH via\nnimOperator.audio.env / omni.env]
    D --> N{vectordb enabled?}
    N -- Yes --> O[oc patch deployment\nadd securityContext block]
    N -- No --> P[serviceConfig.vectordb.enabled=false]

Loading

Prompt To Fix All With AI

Fix the following 1 code review issue. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 1
nemo_retriever/helm/README.md:499-505
**Omni smoke-test request body missing image content**

The sample JSON uses a plain string `"content": "..."` which sends a text-only request to the VLM NIM. Nemotron 3 Nano Omni is a vision–language model, so an actual caption smoke test needs the content to be a multimodal array containing an `image_url` entry (following the OpenAI vision format). Sending this exact body will exercise the `enable_thinking` flag but won't test image captioning — the model will receive no image to caption, which could mask misconfiguration in the caption pipeline.

Consider replacing `"content": "..."` with the multimodal array form, for example:
`"content": [{"type": "image_url", "image_url": {"url": "data:image/png;base64,<BASE64>"}}, {"type": "text", "text": "Describe this image."}]`

_{Reviews (5): Last reviewed commit: "Merge upstream/26.05 into docs/6218358-o..." | Re-trigger Greptile}

[greptile-apps]

Missing blank line between the horizontal rule closing the OpenShift section and the ## Air-gapped deployment heading. While most Markdown parsers handle this, MkDocs (and strict CommonMark renderers) expect a blank line after a --- thematic break before the next block element to guarantee it is not parsed as a setext heading underline for any preceding content.

Suggested change

	---
	## Air-gapped deployment { #air-gapped-deployment }
	---
	## Air-gapped deployment { #air-gapped-deployment }

Prompt To Fix With AI

This is a comment left during a code review.
Path: nemo_retriever/helm/README.md
Line: 1246-1247

Comment:
Missing blank line between the horizontal rule closing the OpenShift section and the `## Air-gapped deployment` heading. While most Markdown parsers handle this, MkDocs (and strict CommonMark renderers) expect a blank line after a `---` thematic break before the next block element to guarantee it is not parsed as a setext heading underline for any preceding content.

```suggestion
---

## Air-gapped deployment { #air-gapped-deployment }
```

How can I resolve this? If you propose a fix, please make it concise.

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!