@pabel-rh pabel-rh commented Nov 19, 2025

IMPORTANT: Do Not Merge - To be merged by Docs Team Only

Version(s):
1.8, main
Issue:
RHDHBUGS-2274
Preview:
https://redhat-developer.github.io/red-hat-developers-documentation-rhdh/pr-1588/openshift-ai-connector-for-rhdh/

rhdh-bot commented Nov 19, 2025

@gabemontero

As part of my PR review @pabel-rh I'll use the YAML from https://redhat-developer.github.io/red-hat-developers-documentation-rhdh/pr-1588/ to set up the connector, and confirm we avoid the hiccups James hit.

@gabemontero

Independent of the code changes @pabel-rh I noticed this sort of duplication:

Role and RoleBinding to allow ConfigMap updates within the RHDH namespace (ai-rhdh). For example:

```yaml
# Example for `Role` in the {product-very-short} namespace (ai-rhdh)
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: rhdh-rhoai-connector
  namespace: ai-rhdh
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
---
# Example for `RoleBinding` in the {product-very-short} namespace (ai-rhdh)
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: rhdh-rhoai-connector
  namespace: ai-rhdh
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: rhdh-rhoai-connector
subjects:
  - kind: ServiceAccount
    name: rhdh-rhoai-connector
    namespace: ai-rhdh
```

RoleBinding in the RHOAI namespace (rhoai-model-registries) to grant the RHDH ServiceAccount read permissions to the model registry data (binding to registry-user-modelregistry-public).

```yaml
# Example for `RoleBinding` in the {rhoai-short} namespace (rhoai-model-registries)
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: rhdh-rhoai-connector
  namespace: ai-rhdh
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: rhdh-rhoai-connector
subjects:
  - kind: ServiceAccount
    name: rhdh-rhoai-connector
    namespace: ai-rhdh
```

perhaps rather than printing out the yaml for the rhdh-rhoai-connector twice, we merge the two # Example .. comments

WDYT?
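
A small lint for the repetition noted in the comment above, as an added example that is not part of the PR or of the project's docs tooling: it reads the `# Example for ... (namespace)` comments and flags any manifest that repeats an earlier kind/name/namespace, or whose `metadata.namespace` differs from the namespace named in its comment. The snippet is constructed from the quoted YAML, trimmed to the fields the check reads; the function names are hypothetical.

```python
import re

# Constructed input: the three manifests quoted in the comment above,
# trimmed to the fields this check reads.
DOC_SNIPPET = """\
# Example for `Role` in the {product-very-short} namespace (ai-rhdh)
kind: Role
metadata:
  name: rhdh-rhoai-connector
  namespace: ai-rhdh
# Example for `RoleBinding` in the {product-very-short} namespace (ai-rhdh)
kind: RoleBinding
metadata:
  name: rhdh-rhoai-connector
  namespace: ai-rhdh
# Example for `RoleBinding` in the {rhoai-short} namespace (rhoai-model-registries)
kind: RoleBinding
metadata:
  name: rhdh-rhoai-connector
  namespace: ai-rhdh
"""

def parse_examples(text):
    """Split on '# Example for' comments; return one dict per manifest."""
    examples = []
    for chunk in re.split(r"(?m)^(?=# Example for )", text):
        header = re.match(r"# Example for .*\((?P<ns>[^)]+)\)", chunk)
        if not header:
            continue
        def field(pattern):
            m = re.search(pattern, chunk, re.M)
            return m.group(1) if m else None
        examples.append({
            "claimed_ns": header["ns"],  # namespace named in the comment
            "kind": field(r"^kind:\s*(\S+)"),
            "name": field(r"^metadata:\n(?:  .*\n)*?  name:\s*(\S+)"),
            "namespace": field(r"^metadata:\n(?:  .*\n)*?  namespace:\s*(\S+)"),
        })
    return examples

def lint(examples):
    """Return (repeated, mismatched) as lists of example indexes."""
    ids = [(e["kind"], e["name"], e["namespace"]) for e in examples]
    repeated = [i for i, key in enumerate(ids) if key in ids[:i]]
    mismatched = [i for i, e in enumerate(examples) if e["claimed_ns"] != e["namespace"]]
    return repeated, mismatched

if __name__ == "__main__":
    print(lint(parse_examples(DOC_SNIPPET)))
```

On the quoted YAML the third example is reported on both counts: it has the same kind, name and namespace as the second, and its comment names `rhoai-model-registries` while its `metadata.namespace` is `ai-rhdh`.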

@gabemontero gabemontero left a comment

some changes wrt the message warnings in the container logs

as part of that, the image ref for the location container should be changed to
quay.io/redhat-ai-dev/model-catalog-location-service@sha256:763311530fb842a1366447e661ca22563e6ef22505d993716aea350bbbfae9a0

@gabemontero

forgot to mention here (though I did in the Jira bug) - I was able to grab the sidecar yaml from the preview server's display, insert in the backstage CR instance via oc edit ... and the sidecars came up

this includes the normalizer's metrics port getting set to 8081 so it did not conflict with lightspeed's 8080

@gabemontero

@pabel-rh can you let me know here when the preview server is updated with the responses to my comments (it did not appear to be when I checked just now).

at this point that is the easier way for me to review at this point :-)

@gabemontero gabemontero left a comment

see comment #1588 (comment) from the previously resolved thread

And I think I've sorted the proper guidance for you with what started with #1588 (comment)

@gabemontero

@pabel-rh - still not seeing what I tried to describe with #1588 (comment) .... where is the note

During startup, you may see non-critical log errors, such as `in cluster config error: open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory`, in the sidecar logs. This error is expected during the initial setup and does not indicate a failure, provided the container eventually becomes healthy.

this is the modification of the original note after I made the change so that the location container does not produce the connection refused error
