redhat-ai-dev
diff --git a/‎LICENSE‎
Lines changed: 2 additions & 1 deletion b/‎LICENSE‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎docs/REMOTE_CLUSTER_CONFIGURATION.md‎
Lines changed: 137 additions & 0 deletions b/‎docs/REMOTE_CLUSTER_CONFIGURATION.md‎
Lines changed: 137 additions & 0 deletions
diff --git a/‎documentation/app/mkdocs.yml‎
Lines changed: 1 addition & 0 deletions b/‎documentation/app/mkdocs.yml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎documentation/app/template-remote-cluster.md‎
Lines changed: 192 additions & 0 deletions b/‎documentation/app/template-remote-cluster.md‎
Lines changed: 192 additions & 0 deletions
diff --git a/‎scripts/util‎
Lines changed: 15 additions & 0 deletions b/‎scripts/util‎
Lines changed: 15 additions & 0 deletions
@@ -1,3 +1,4 @@
+
                                  Apache License
                            Version 2.0, January 2004
                         http://www.apache.org/licenses/
@@ -198,4 +199,4 @@
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
-   limitations under the License.
+   limitations under the License.
@@ -0,0 +1,137 @@
+# Remote cluster configuration with ai-rhdh-installer
+
+Use this guide if you manage RHDH via the `ai-rhdh-installer` repository and want to enable remote cluster deployments. If you are not using the installer, see `Bring your own cluster: documentation/app/template-remote-cluster.md`.
+
+---
+
+## Prerequisites
+- Two OpenShift clusters:
+  - Host cluster: runs RHDH, Argo CD, Tekton
+  - Remote cluster: receives the application deployment
+- CLI access: `oc`/`kubectl` authenticated to both clusters, `ArgoCD` CLI
+- Versions: RHDH 1.8 with OCP 4.17
+- If deploying RHOAI-based apps on the remote cluster, install:
+  - Node Feature Discovery (with a `NodeFeatureDiscovery` CR)
+  - NVIDIA GPU Operator (with a `ClusterPolicy` CR)
+  - OpenShift AI Operator (with a `DataScienceCluster` CR)
+
+---
+
+## Step 1: Configure RHDH with ai-rhdh-installer (preferred)
+
+### Interactive setup
+
+First, create a non-expiring service account token with view permissions on the **remote** cluster:
+
+```bash
+oc create serviceaccount rhdh-sa -n default
+
+# Grant read-only access cluster-wide
+oc create clusterrolebinding rhdh-sa-view \
+  --clusterrole=view \
+  --serviceaccount=default:rhdh-sa
+
+# Create a Secret that yields a permanent token
+cat <<'EOF' | oc apply -f -
+apiVersion: v1
+kind: Secret
+metadata:
+  name: rhdh-sa-token
+  namespace: default
+  annotations:
+    kubernetes.io/service-account.name: rhdh-sa
+type: kubernetes.io/service-account-token
+EOF
+
+# Retrieve and print the token
+oc get secret rhdh-sa-token -n default -o jsonpath='{.data.token}' | base64 --decode
+```
+
+Run the installer and answer the prompts to enable remote cluster support:
+
+```bash
+bash configure.sh
+```
+
+When prompted:
+- "Would you like to enable remote cluster setup? (y/n):" → enter `y`
+- Provide the remote cluster API URL (e.g., `https://api.<remote-cluster>:443`)
+- Provide a remote cluster name
+- Paste a Service Account token that has read access (view/cluster-reader)
+- Choose TLS verification preference (for labs you may skip TLS; in production provide a CA)
+
+The installer updates dynamic plugins (Kubernetes/Topology, optionally Tekton) with the remote cluster. Then proceed to Argo CD cluster registration and namespace preparation.
+
+
+## Step 2: Register the remote cluster in Argo CD (host cluster)
+
+```bash
+# 1) Inspect kubeconfig contexts on your workstation
+oc config get-contexts
+
+# 2) Use the remote cluster context and verify access
+oc config use-context <remote-cluster-context-name>
+oc get nodes
+
+# 3) Ensure you're logged into the remote cluster with oc (OpenShift)
+#    If not logged in, authenticate with a token (adjust flags as needed)
+oc whoami || oc login https://api.<remote-cluster>:443
+
+# 4) Log into Argo CD (host cluster)
+#    Use --insecure if you don't have a valid TLS cert; add --sso if SSO is enabled
+argocd login <argocd-url>
+
+# 5) Register the remote cluster with Argo CD using its kubeconfig context
+argocd cluster add <remote-cluster-context-name>
+
+# 6) Verify Argo CD sees the cluster
+argocd cluster list
+```
+
+#### To rotate the Argo CD bearer token for an external cluster
+
+```bash
+# Run against the external cluster's kubeconfig context
+oc config use-context <remote-cluster-context-name>
+
+# Delete the argocd-manager token secret so a new one is created
+oc delete secret argocd-manager-token-XXXXXX -n kube-system
+
+# Re-add the cluster to rotate credentials
+argocd cluster add <remote-cluster-context-name>
+```
+Permanent, non-expiring service account token to view:
+
+- Kubernetes: Manually create a Secret for a Service Account — `https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#manually-create-a-secret-for-a-service-account`
+- Backstage: Kubernetes configuration — `https://backstage.io/docs/next/features/kubernetes/configuration/`
+
+See: Argo CD — External cluster credentials: https://argo-cd.readthedocs.io/en/stable/operator-manual/security/#external-cluster-credentials
+
+
+## Step 3: Use the Software Template (Application Engineers)
+- Import the desired template into RHDH
+- Select Remote deployment in the wizard
+- Enter the remote API URL exactly as in the Argo CD secret `server`
+- Enter the namespace (same name will be used for host-side Tekton PipelineRuns)
+
+---
+
+## Validation
+- Topology/Kubernetes plugins show the remote cluster’s resources
+- Argo CD has two apps:
+  - `app` targets the remote cluster and syncs application workloads
+  - `app-tekton` targets the host cluster and manages Tekton resources
+- PipelineRuns execute on the host cluster; workloads appear on the remote namespace
+
+---
+
+## Troubleshooting
+- Remote resources not appearing: verify pluginConfig cluster entry and token
+- Argo CD sync errors: check the cluster secret `server`/token and TLS settings
+- Image pull errors: ensure pull secrets exist in the remote namespace
+
+---
+
+## Notes
+- Same namespace name on host and remote is required in this iteration
+- Multi-namespace remote deployments are out-of-scope and may be added later 
@@ -3,6 +3,7 @@ nav:
   - Overview: index.md
   - Prerequisites: template-prerequisites.md
   - Template Usage: usage.md
+  - Remote Cluster configuration: template-remote-cluster.md
   - Deployed Application: application.md
 plugins:
   - techdocs-core
@@ -0,0 +1,192 @@
+## Bring your own cluster (remote deployments)
+
+This guide explains how to deploy application workloads to a remote OpenShift cluster while keeping Tekton Pipelines and webhooks on the host (RHDH) cluster. The GitOps application is split into two Argo CD apps:
+
+- app: Deploys the application manifests to the destination cluster (host or remote)
+- app-tekton: Manages Tekton resources on the host cluster so all PipelineRuns execute there
+
+### High-level behavior
+- Tekton webhooks and PipelineRuns stay on the host cluster.
+- When a remote cluster is selected, only the application runtime resources deploy to the remote cluster.
+- The same namespace name is used on both clusters. For the initial iteration, choosing different namespaces across clusters is not supported.
+
+### Who should use this
+
+#### Platform Engineers
+- Configure the remote cluster in the dynamic plugins (Topology and Kubernetes) so RHDH can read cluster resources.
+- Register the remote cluster in Argo CD on the host cluster via a cluster secret.
+- Ensure the remote namespace is prepared with required secrets/permissions or provide a bootstrap mechanism.
+
+#### Application Engineers
+- Use the Software Template wizard to select Remote cluster deployment.
+- Provide the remote cluster API URL (must match the Argo CD cluster `server`).
+- Provide the namespace to deploy into (same name will be used on host for Tekton PipelineRuns).
+
+---
+
+## Prerequisites
+- Two OpenShift clusters:
+  - Host cluster: runs RHDH, Argo CD, Tekton
+  - Remote cluster: receives the application deployment
+- CLI access: `oc`/`kubectl` authenticated to both clusters, `ArgoCD` CLI
+- Versions: RHDH 1.8 with OCP 4.17
+- If deploying RHOAI-based apps on the remote cluster, install:
+  - Node Feature Discovery (with a `NodeFeatureDiscovery` CR)
+  - NVIDIA GPU Operator (with a `ClusterPolicy` CR)
+  - OpenShift AI Operator (with a `DataScienceCluster` CR)
+
+---
+
+## Step 1: Expose the remote cluster to RHDH UI via dynamic plugins (Topology/Kubernetes)
+
+Before installing/configuring RHDH using the ai-rhdh-installer, add the remote cluster to the installer’s dynamic plugin configuration so the Topology and Kubernetes plugins can read it.
+
+On the remote cluster, create a service account and bind permissions:
+
+#### Create a service account token
+
+
+Permanent, non-expiring service account token to view:
+
+- Kubernetes: Manually create a Secret for a Service Account — `https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#manually-create-a-secret-for-a-service-account`
+- Backstage: Kubernetes configuration — `https://backstage.io/docs/next/features/kubernetes/configuration/`
+
+
+```bash
+oc create serviceaccount rhdh-sa -n default
+
+# Grant read-only access cluster-wide
+oc create clusterrolebinding rhdh-sa-view \
+  --clusterrole=view \
+  --serviceaccount=default:rhdh-sa
+
+# Create a Secret that yields a permanent token
+cat <<'EOF' | oc apply -f -
+apiVersion: v1
+kind: Secret
+metadata:
+  name: rhdh-sa-token
+  namespace: default
+  annotations:
+    kubernetes.io/service-account.name: rhdh-sa
+type: kubernetes.io/service-account-token
+EOF
+
+# Retrieve and print the token
+oc get secret rhdh-sa-token -n default -o jsonpath='{.data.token}' | base64 --decode
+```
+
+Add a cluster entry to the installer’s plugin config. Example shapes for cluster locator configuration:
+
+Minimal entry (used by some dynamic plugins):
+
+```yaml
+- authProvider: serviceAccount
+  name: <remote-cluster-name>
+  serviceAccountToken: <paste-token-here>
+  skipTLSVerify: true
+  url: https://api.<your-remote-cluster>.
+```
+
+Full Backstage Kubernetes backend plugin config using `clusterLocatorMethods`:
+
+```yaml
+pluginConfig:
+  kubernetes:
+    serviceLocatorMethod:
+      type: multiTenant
+    clusterLocatorMethods:
+      - type: config
+        clusters:
+          - url: https://api.<remote-cluster>:443
+            name: <remote-cluster-name>
+            authProvider: serviceAccount
+            serviceAccountToken: ${K8S_SA_TOKEN}
+            skipTLSVerify: true
+          # Your remote cluster info goes here
+    customResources:
+      - group: route.openshift.io
+        apiVersion: v1
+        plural: routes
+      - group: tekton.dev
+        apiVersion: v1
+        plural: pipelineruns
+      - group: tekton.dev
+        apiVersion: v1
+        plural: taskruns
+```
+
+Notes:
+- For more options (e.g., `catalog`, `gke`, metrics, dashboards), see the Backstage docs: [Backstage Kubernetes configuration](https://backstage.io/docs/next/features/kubernetes/configuration/).
+- Avoid storing tokens in catalog annotations; prefer the config locator method with `serviceAccountToken`.
+
+Then proceed with the installer’s configure step to apply changes.
+
+---
+
+## Step 2: Register the remote cluster in Argo CD (host cluster)
+Argo CD must know how to reach the remote cluster to deploy the application there. You can register the cluster either via the Argo CD CLI (recommended) or by creating a cluster Secret (manual).
+
+### Register via Argo CD CLI
+
+```bash
+# 1) Inspect kubeconfig contexts on your workstation
+kubectl config get-contexts
+
+# 2) Use the remote cluster context and verify access
+kubectl config use-context <remote-cluster-context-name>
+kubectl get nodes
+
+# 3) Ensure you're logged into the remote cluster with oc (OpenShift)
+#    If not logged in, authenticate with a token (adjust flags as needed)
+oc whoami || oc login https://api.<remote-cluster>:443
+
+# 4) Log into Argo CD (host cluster)
+#    Use --insecure if you don't have a valid TLS cert; add --sso if SSO is enabled
+argocd login <argocd-url>
+
+# 5) Register the remote cluster with Argo CD using its kubeconfig context
+argocd cluster add <remote-cluster-context-name>
+
+# 6) Verify Argo CD sees the cluster
+argocd cluster list
+```
+
+### Rotate the Argo CD bearer token for an external cluster
+
+```bash
+# Run against the external cluster's kubeconfig context
+kubectl config use-context <remote-cluster-context-name>
+
+# Delete the argocd-manager token secret so a new one is created
+kubectl delete secret argocd-manager-token-XXXXXX -n kube-system
+
+# Re-add the cluster to rotate credentials
+argocd cluster add <remote-cluster-context-name>
+```
+
+See: [Argo CD — External cluster credentials](https://argo-cd.readthedocs.io/en/stable/operator-manual/security/#external-cluster-credentials)
+
+
+## Step 4: Generate and import the template
+- Regenerate templates in your fork if needed:
+
+- Import the updated template into RHDH.
+- In the template wizard, select Remote cluster deployment and provide the remote API URL that matches the Argo CD secret `server` value.
+- Choose the target namespace (same name will be used on the host for Tekton PipelineRuns).
+
+---
+
+## Validation
+- Topology/Kubernetes plugins show the remote cluster’s resources
+- Argo CD has two apps:
+  - `app` targets the remote cluster and syncs application workloads
+  - `app-tekton` targets the host cluster and manages Tekton resources
+- PipelineRuns execute on the host cluster; workloads appear on the remote namespace
+
+---
+
+## Notes and limitations
+- Same namespace name on host and remote is required for this iteration.
+- Multiple remote namespaces per template are out of scope and may require future enhancements.
+- This feature is evolving; comprehensive end-user documentation improvements are being tracked upstream.
@@ -11,6 +11,8 @@ function apply-configurations() {
     TEMPLATE_TECHDOC_TYPE=$3
 
     DOC_SRC_ROOT="$ROOT_DIR/documentation/$TEMPLATE_TECHDOC_TYPE"
+
+    # template-prerequisites.md documentation
     SAMPLE_DOC_SRC="$DOC_SRC_ROOT/$SAMPLENAME"
     PREREQ_DOC_SRC="$DOC_SRC_ROOT/template-prerequisites.md"
     if [ -d $DOC_SRC_ROOT ]; then
@@ -23,6 +25,19 @@ function apply-configurations() {
         cp -r $DOC_SRC_ROOT/mkdocs.yml $DEST/mkdocs.yml
     fi
 
+    # template-remote-cluster.md documentation
+    SAMPLE_DOC_SRC="$DOC_SRC_ROOT/$SAMPLENAME"
+    REMOTE_DOC_SRC="$DOC_SRC_ROOT/template-remote-cluster.md"
+    if [ -d $DOC_SRC_ROOT ]; then
+        if [ -d $SAMPLE_DOC_SRC ]; then
+            cp -r $SAMPLE_DOC_SRC $DEST/docs
+            if [ -f $REMOTE_DOC_SRC ]; then
+                cp $REMOTE_DOC_SRC $DEST/docs/template-remote-cluster.md
+            fi
+        fi
+        cp -r $DOC_SRC_ROOT/mkdocs.yml $DEST/mkdocs.yml
+    fi
+
     cp $SKELETON_DIR/template.yaml $DEST/template.yaml
 
     # get default env variables