Merge pull request #41269 from Srivaralakshmi/namespaced-helm-repo

Document adding namepsace-scoped Helm Chart Repository and Note on disabling Helm for the Multicluster Console (TP)

Author: Preeticp

applications/working_with_helm_charts/configuring-custom-helm-chart-repositories.adoc

@@ -6,15 +6,17 @@ include::_attributes/common-attributes.adoc[]
 
 toc::[]
 
+[role="_abstract"]
 You can install Helm charts on an {product-title} cluster using the following methods:
 
 * The CLI.
 * The *Developer* perspective of the web console.
 
 The *Developer Catalog*, in the *Developer* perspective of the web console, displays the Helm charts available in the cluster. By default, it lists the Helm charts from the Red Hat OpenShift Helm chart repository. For a list of the charts, see link:https://charts.openshift.io/index.yaml[the Red Hat `Helm index` file].
 
-As a cluster administrator, you can add multiple Helm chart repositories, apart from the default one, and display the Helm charts from these repositories in the *Developer Catalog*.
+As a cluster administrator, you can add multiple cluster-scoped and namespace-scoped Helm chart repositories, separate from the default cluster-scoped Helm repository, and display the Helm charts from these repositories in the *Developer Catalog*.
 
+As a regular user or project member with the appropriate role-based access control (RBAC) permissions, you can add multiple namespace-scoped Helm chart repositories, apart from the default cluster-scoped Helm repository, and display the Helm charts from these repositories in the *Developer Catalog*.
 
 include::modules/helm-installing-a-helm-chart-on-an-openshift-cluster.adoc[leveloffset=+1]
 
@@ -28,6 +30,8 @@ include::modules/helm-creating-a-custom-helm-chart-on-openshift.adoc[leveloffset
 
 include::modules/helm-adding-helm-chart-repositories.adoc[leveloffset=+1]
 
+include::modules/helm-adding-namespace-scoped-helm-chart-repositories.adoc[leveloffset=+1]
+
 include::modules/helm-creating-credentials-and-certificates-to-add-helm-repositories.adoc[leveloffset=+1]
 
 include::modules/helm-filtering-helm-charts-by-certification-level.adoc[leveloffset=+1]

applications/working_with_helm_charts/understanding-helm.adoc

@@ -6,6 +6,7 @@ include::_attributes/common-attributes.adoc[]
 
 toc::[]
 
+[role="_abstract"]
 Helm is a software package manager that simplifies deployment of applications and services to {product-title} clusters.
 
 Helm uses a packaging format called _charts_.
@@ -25,6 +26,12 @@ Helm provides the ability to:
 * Create your own charts with {product-title} or Kubernetes resources.
 * Package and share your applications as charts.
 
+[NOTE]
+====
+In {product-title} 4.10, Helm is disabled for the xref:../../release_notes/ocp-4-10-release-notes.adoc#ocp-4-10-multicluster-console-technology-preview[Multicluster Console] (Technology Preview).
+//Note to the reviewers: The "Multicluster Console" term in this sentence will have a link to the Dev Console multi-cluster docs or to the Web console section that is under the New features and enhancements section in the 4.10 RN. Awaiting for the links from the concerned author Olivia Payne as the concerned draft for Dev Console multi-cluster docs is in progress now.
+====
+
 == Red Hat Certification of Helm charts for OpenShift
 
 You can choose to verify and certify your Helm charts by Red Hat for all the components you will be deploying on the Red Hat {product-title}. Charts go through an automated Red Hat OpenShift certification workflow that guarantees security compliance as well as best integration and experience with the platform. Certification assures the integrity of the chart and ensures that the Helm chart works seamlessly on Red Hat OpenShift clusters.

images/odc_namespace_helm_chart_repo_filter.png

@@ -0,0 +1,92 @@
+// Module included in the following assemblies:
+//
+// * applications/working_with_helm_charts/configuring-custom-helm-chart-repositories.adoc
+
+:_content-type: PROCEDURE
+[id="adding-namespace-scoped-helm-chart-repositories.adoc_{context}"]
+= Adding namespace-scoped custom Helm chart repositories
+
+[role="_abstract"]
+The cluster-scoped `HelmChartRepository` custom resource definition (CRD) for Helm repository provides the ability for administrators to add Helm repositories as custom resources. The namespace-scoped `ProjectHelmChartRepository` CRD allows project members with the appropriate role-based access control (RBAC) permissions to create Helm repository resources of their choice but scoped to their namespace. Such project members can see charts from both cluster-scoped and namespace-scoped Helm repository resources.
+
+[NOTE]
+====
+* Administrators can limit users from creating namespace-scoped Helm repository resources. By limiting users, administrators have the flexibility to control the RBAC through a namespace role instead of a cluster role. This avoids unnecessary permission elevation for the user and prevents access to unauthorized services or applications.
+* The addition of the namespace-scoped Helm repository does not impact the behavior of the existing cluster-scoped Helm repository.
+====
+
+As a regular user or project member with the appropriate RBAC permissions, you can add custom namespace-scoped Helm chart repositories to your cluster and enable access to the Helm charts from these repositories in the *Developer Catalog*.
+
+.Procedure
+
+. To add a new namespace-scoped Helm Chart Repository, you must add the Helm Chart Repository custom resource (CR) to your namespace.
++
+.Sample Namespace-scoped Helm Chart Repository CR
+
+[source,yaml]
+----
+apiVersion: helm.openshift.io/v1beta1
+kind: ProjectHelmChartRepository
+metadata:
+  name: <name>
+spec:
+  url: https://my.chart-repo.org/stable
+
+  # optional name that might be used by console
+  name: <chart-repo-display-name>
+
+  # optional and only needed for UI purposes
+  description: <My private chart repo>
+
+  # required: chart repository URL
+  connectionConfig:
+    url: <helm-chart-repository-url>
+----
++
+For example, to add an Azure sample chart repository scoped to your `my-namespace` namespace, run:
++
+[source,terminal]
+----
+$ cat <<EOF | oc apply --namespace my-namespace -f -
+apiVersion: helm.openshift.io/v1beta1
+kind: ProjectHelmChartRepository
+metadata:
+  name: azure-sample-repo
+spec:
+  name: azure-sample-repo
+  connectionConfig:
+    url: https://raw.githubusercontent.com/Azure-Samples/helm-charts/master/docs
+EOF
+----
++
+The output verifies that the namespace-scoped Helm Chart Repository CR is created:
++
+.Example output
+----
+projecthelmchartrepository.helm.openshift.io/azure-sample-repo created
+----
+
+. Navigate to  the *Developer Catalog* in the web console to verify that the Helm charts from the chart repository are displayed in your `my-namespace` namespace.
++
+For example, use the *Chart repositories* filter to search for a Helm chart from the repository.
++
+.Chart repositories filter in your namespace
+image::odc_namespace_helm_chart_repo_filter.png[]
++
+Alternatively, run:
++
+[source,terminal]
+----
+$ oc get projecthelmchartrepositories --namespace my-namespace
+----
++
+.Example output
+----
+NAME                     AGE
+azure-sample-repo        1m
+----
++
+[NOTE]
+====
+If a cluster administrator or a regular user with appropriate RBAC permissions removes all of the chart repositories in a specific namespace, then you cannot view the Helm option in the *+Add* view, *Developer Catalog*, and left navigation panel for that specific namespace.
+====