Commit cf9db4f

Merge pull request #3687 from replicatedhq/131449
Explain HelmChart requirements for Helm CLI installs and Security Center
2 parents 03313ed + f328908 commit cf9db4f

6 files changed

+70
-32
lines changed


docs/partials/helm/_helm-install-prereqs.mdx

Lines changed: 0 additions & 7 deletions
This file was deleted.
Lines changed: 6 additions & 1 deletion
@@ -1 +1,6 @@
1-
To deploy Helm charts, KOTS requires a unique HelmChart custom resource for each Helm chart `.tgz` archive in the release. You configure the HelmChart custom resource to provide the necessary instructions to KOTS for processing and preparing the chart for deployment. Additionally, the HelmChart custom resource creates a mapping between KOTS and your Helm chart to allow Helm values to be dynamically set during installation or upgrade.
1+
For installations with a Replicated installer (Embedded Cluster, KOTS, kURL), a unique HelmChart custom resource is required for each Helm chart `.tgz` archive in a release. The primary purpose of the HelmChart custom resource is to provide the necessary instructions to the Replicated installer for processing and preparing the given Helm chart for deployment.
2+
3+
The HelmChart custom resource is also used to generate a list of required images for the chart, which is required for the following use cases:
4+
* Air gap installations with the Helm CLI or with a Replicated installer
5+
* Online installations with a Replicated installer where the user will push images to a local image registry
6+
* Online or air gap installations that use the [Security Center (Alpha)](/vendor/security-center-about) to scan and report on Helm chart images
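
Review bot: The opening sentence at new line 1 scopes the HelmChart requirement to installations with a Replicated installer, but the use-case list at new lines 4 and 6 also covers Helm CLI air gap installations and Security Center scanning, so a Helm CLI reader who stops after the first sentence will conclude the resource does not apply to them. State up front that the resource is also needed for Helm CLI installs in those cases, and reword "a list of required images for the chart, which is required for" to avoid the doubled "required".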

docs/reference/custom-resource-helmchart-v2.mdx

Lines changed: 7 additions & 8 deletions
@@ -23,8 +23,6 @@ This topic describes the KOTS HelmChart v2 custom resource.
2323

2424
<KotsHelmCrDescription/>
2525

26-
For more information, see [About Distributing Helm Charts with KOTS](/vendor/helm-native-about).
27-
2826
## Example
2927

3028
The following is an example manifest file for the HelmChart v2 custom resource:
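
Review bot: With the link at old line 26 removed, the only framing left for this page is the sentence in the hunk-header context, "This topic describes the KOTS HelmChart v2 custom resource", which still presents the resource as KOTS-only while the rest of this change extends it to Helm CLI installs and the Security Center. Update that intro sentence in the same commit, and confirm that /vendor/helm-native-about is still linked from another page if it should stay discoverable.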
@@ -93,17 +91,18 @@ For an example of recursive and non-recursive merging, see [About Recursive Merg
9391

9492
The `builder` key contains the minimum Helm values required so that the output of `helm template` exposes all container images needed to install the chart in an air-gapped environment.
9593

96-
The Replicated Vendor Portal uses the Helm values that you provide in the `builder` key to run `helm template` on the chart, then parses the output to discover the list of required images for the chart.
97-
98-
The Vendor Portal uses this list of images to create the Helm air gap installation instructions that are automatically made available to customers in the Replicated Enterprise Portal or Download Portal. For more information about installing with Helm in air-gapped environments, see [Install and Update with Helm in Air Gap Environments](/vendor/helm-install-airgap).
94+
The Replicated Vendor Portal uses the Helm values that you provide in the `builder` key to run `helm template` on the chart, then parses the output to generate a list of required images for the chart.
9995

100-
The list of images is also used when you build the `.airgap` bundle for a release to support air gap installations with a Replicated installer (Embedded Cluster, KOTS, kURL). For more information about how to build `.airgap` bundles, see [Package Air Gap Bundles for Helm Charts](/vendor/helm-packaging-airgap-bundles).
96+
The Vendor Portal then uses this list of images to do the following:
97+
* Create the Helm CLI air gap installation instructions that are automatically made available to customers in the Replicated Enterprise Portal or Download Portal. For more information, see [Install and Update with Helm in Air Gap Environments](/vendor/helm-install-airgap).
98+
* Build the `.airgap` bundle for a release to support air gap installations with a Replicated installer (Embedded Cluster, KOTS, kURL). For more information about how to build `.airgap` bundles, see [Package Air Gap Bundles for Helm Charts](/vendor/helm-packaging-airgap-bundles).
99+
* Determine which images to scan and report on in the Security Center (Alpha). For more information about the Security Center, see [About the Security Center (Alpha)](/vendor/security-center-about).
101100

102101
The `builder` key is required to support the following installation types:
103102

104103
* Air gap installations with a Replicated installer (Embedded Cluster, KOTS, kURL)
105-
* Air gap installations with Helm
106-
* Online installations with a Replicated installer where the user configured a local image registry in the Admin Console
104+
* Air gap installations with the Helm CLI
105+
* Online installations with a Replicated installer where the user will push images to a local image registry
107106

108107
#### Requirements
109108
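
Review bot: The installation-type list at new lines 103-105 was not updated for the Security Center, although new line 99 now says the image list generated from `builder` determines which images are scanned, and the context line at 92 still describes `builder` purely in terms of air-gapped installs. Add a sentence after the list saying that `builder` is optional for the Security Center (as the Limitations bullet in security-center-about.mdx implies) but, when present, defines the scanned image set for online installs as well, so vendors understand that an incomplete `builder` leaves images unscanned.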

docs/vendor/helm-install-airgap.mdx

Lines changed: 5 additions & 9 deletions
@@ -12,17 +12,13 @@ These instructions assume that the customer is logged in to the portal on a work
1212

1313
Before you install, complete the following prerequisites:
1414

15-
* Declare the SDK as a dependency in your Helm chart. For more information, see [Install the SDK as a Subchart](replicated-sdk-installing#install-the-sdk-as-a-subchart) in _Installing the Replicated SDK_.
15+
* Declare the Replicated SDK as a dependency in your Helm chart. For more information, see [Install the SDK as a Subchart](replicated-sdk-installing#install-the-sdk-as-a-subchart) in _Installing the Replicated SDK_.
1616

17-
* If your Helm chart's default values do not expose all the required and optional images that might be needed to install in air-gapped environments, add the Replicated HelmChart custom resource to your release and configure `builder` key. For more information, see [builder](/reference/custom-resource-helmchart-v2#builder) in _HelmChart v2_. If your default values expose all images needed for air gap installations, you do not need to configure the `builder` key.
17+
* For each Helm chart in your release, add the Replicated HelmChart custom resource. Additionally, if the chart's default values do not expose all the required and optional images that might be needed to install in air-gapped environments, configure the HelmChart resource's `builder` key. For more information about how to configure the `builder` key, see [builder](/reference/custom-resource-helmchart-v2#builder) in _HelmChart v2_.
1818

19-
<details>
20-
<summary>What is the purpose of the `builder` key?</summary>
19+
Configuring the `builder` key ensures all the images that might be needed to install in air-gapped environments are included in the Helm CLI installation instructions in the Enterprise Portal. For installations that use the [Security Center (Alpha)](/vendor/security-center-about), the HelmChart custom resource is also required to build the list of images that are scanned in the Security Center.
2120

22-
Configuring the `builder` key ensures that the Vendor Portal can template the chart to discover the full list of container images required to install the chart in an air-gapped environment. The Vendor Portal uses this list of required images to create the Helm air gap installation instructions for the customer.
23-
</details>
24-
25-
* The customer used to install must have the following:
21+
* The customer record in the Vendor Portal must have the following:
2622

2723
* A valid email address. This email address is only used as a username for the Replicated registry and is never contacted. For more information, see [Creating a Customer](/vendor/releases-creating-customer).
2824
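
Review bot: New line 19 names only the Enterprise Portal as the place where the Helm CLI installation instructions appear, while the `builder` section in custom-resource-helmchart-v2.mdx says the instructions are made available in the "Enterprise Portal or Download Portal"; use the same wording here. New line 17 also makes the HelmChart resource unconditional for every chart, so keep an explicit sentence that `builder` can be omitted when the default values already expose all images, which the removed line 17 stated and the new text only implies.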

@@ -36,7 +32,7 @@ Helm air gap installation instructions are provided in either the Enterprise Por
3632

3733
For more information about enabling the Enterprise Portal for a customer, see [Manage Customer Access to the Enterprise Portal](/vendor/enterprise-portal-invite).
3834

39-
### Enterprise Portal (Beta)
35+
### Enterprise Portal
4036

4137
To install with Helm in an air gap environment using the Enterprise Portal:
4238
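
Review bot: Renaming the heading at new line 35 from "Enterprise Portal (Beta)" to "Enterprise Portal" changes its auto-generated anchor, so any existing link to the old fragment stops resolving. Search the docs for links to the old anchor, or pin an explicit heading ID the way install-with-helm.mdx does with `{#firewall}`.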

docs/vendor/install-with-helm.mdx

Lines changed: 25 additions & 2 deletions
@@ -1,4 +1,3 @@
1-
import Prerequisites from "../partials/helm/_helm-install-prereqs.mdx"
21
import FirewallOpeningsIntro from "../partials/install/_firewall-openings-intro.mdx"
32

43
# Install with Helm
@@ -9,7 +8,31 @@ This topic describes how to use Helm to install releases that contain one or mor
98

109
Before you install, complete the following prerequisites:
1110

12-
<Prerequisites/>
11+
* The customer record in the Vendor Portal must have a valid email address. This email address is only used as a username for the Replicated registry and is never contacted. For more information about adding an email address for a customer, see [Creating a Customer](/vendor/releases-creating-customer).
12+
13+
* The customer must have the **Existing Cluster (Helm CLI)** install type enabled. For more information about enabling install types for customers in the Vendor Portal, see [Manage Install Types for a License](licenses-install-types).
14+
15+
* Create an image pull secret for the proxy registry and add it to your Helm chart. This ensures that the Replicated proxy registry can be used to grant proxy access to your application images for Helm CLI installations. To create the image pull secret and add it to your Helm chart, follow the steps in [Use the Proxy Registry with Helm CLI Installations](/vendor/helm-image-registry).
16+
17+
* Declare the Replicated SDK as a dependency in your Helm chart. For more information, see [Install the SDK as a Subchart](replicated-sdk-installing#install-the-sdk-as-a-subchart) in _Installing the Replicated SDK_.
18+
19+
* If the [Security Center (Alpha)](/vendor/security-center-about) is enabled for your account, add a unique HelmChart custom resource for each Helm chart in your release. The HelmChart custom resource is required to create the list of images that are scanned and reported on in the Security Center.
20+
21+
The following is an example HelmChart custom resource for a chart named `examplechart` with a chart version of `1.0.0`:
22+
23+
```yaml
24+
apiVersion: kots.io/v1beta2
25+
kind: HelmChart
26+
metadata:
27+
name: examplechart
28+
spec:
29+
chart:
30+
# name must match the name of the chart
31+
name: examplechart
32+
# chartVersion must match the version of the chart
33+
chartVersion: 1.0.0
34+
```
35+
For more information about the HelmChart custom resource, see [HelmChart v2](/reference/custom-resource-helmchart-v2).
1336
1437
## Firewall Openings for Online Installations with Helm {#firewall}
1538
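
Review bot: The HelmChart example with its lead-in and closing sentence at new lines 21-35 is repeated verbatim at new lines 23-37 of security-center-about.mdx, and two copies of a manifest will drift when `apiVersion` or the field comments change. Move the block into a shared partial, as this file already does for `_firewall-openings-intro.mdx`, and import it in both pages. The closing fence at line 34 is also followed directly by text at line 35; add a blank line between them.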

docs/vendor/security-center-about.mdx

Lines changed: 27 additions & 5 deletions
@@ -3,7 +3,7 @@
33
This topic provides an overview of the Replicated Security Center.
44

55
:::note
6-
The Security Center is Alpha. To access the Security Center, a feature flag must be enabled for your team. See [Limitations](/vendor/security-center-about#limitations) below.
6+
The Security Center is Alpha. To get access to the Security Center, reach out to your Replicated account representative.
77
:::
88

99
## Overview
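
Review bot: The note at new line 6 drops the in-page link that led to the feature-flag requirement, which this commit moves under the new "Requirements" heading. Link the note to that section (for example /vendor/security-center-about#requirements, assuming the default heading anchor) so readers can reach the SDK version and HelmChart prerequisites from the top of the page.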
@@ -12,13 +12,35 @@ The Security Center helps you strengthen security enablement in your application
1212

1313
The Security Center is powered by Replicated’s [SecureBuild](https://securebuild.com/) technology. Every image is scanned continuously, not just at release time. Customers can see the same application version security information that you do, driving customer transparency, reduced security questionnaire burden, and adoption of newer, more secure versions of your application.
1414

15-
## Limitations
16-
* The Security Center is Alpha. The features and functionality of the Security Center are subject to change.
15+
## Requirements
16+
1717
* Access to the Security Center Alpha requires a feature flag be turned on for your team. For more information, reach out to your Replicated account representative.
18-
* Security Center reporting is available only for Embedded Cluster and Helm CLI installations. It is not available for kURL installations or for KOTS installations in an existing cluster.
1918
* Display and reporting of application images requires the [Replicated SDK version 1.8.0](/release-notes/rn-replicated-sdk#180) or later.
2019
* Display and reporting of Embedded Cluster images requires the [Replicated SDK version 1.9.0](/release-notes/rn-replicated-sdk#190) or later.
21-
* In a Helm CLI install, display of all container images observed in the cluster beyond application images requires setting the Replicated SDK to [Report All Images](/vendor/replicated-sdk-customizing#report-all-images). This setting is automatically enabled for Embedded Cluster installations.
20+
* For Helm CLI installations, to include all container images observed in the cluster in the Security Center reports (rather than application images only), set the Replicated SDK to [Report All Images](/vendor/replicated-sdk-customizing#report-all-images). This setting is automatically enabled for Embedded Cluster installations.
21+
* Each Helm chart in the release must have a unique [HelmChart](/reference/custom-resource-helmchart-v2) custom resource. The HelmChart custom resource is required to create the list of images that are scanned and reported on in the Security Center. This HelmChart custom resource requirement applies to both Helm CLI and Embedded Cluster installations.
22+
23+
The following is an example HelmChart custom resource for a chart named `examplechart` with a chart version of `1.0.0`:
24+
25+
```yaml
26+
apiVersion: kots.io/v1beta2
27+
kind: HelmChart
28+
metadata:
29+
name: examplechart
30+
spec:
31+
chart:
32+
# name must match the name of the chart
33+
name: examplechart
34+
# chartVersion must match the version of the chart
35+
chartVersion: 1.0.0
36+
```
37+
For more information about the HelmChart custom resource, see [HelmChart v2](/reference/custom-resource-helmchart-v2).
38+
39+
## Limitations
40+
* The Security Center is Alpha. The features and functionality of the Security Center are subject to change.
41+
* Security Center reporting is available only for Embedded Cluster and Helm CLI installations. It is not available for kURL installations or for KOTS installations in an existing cluster.
42+
* If you have configured the [`builder`](/reference/custom-resource-helmchart-v2#builder) key in any of the HelmChart custom resources in your release, note that the Security Center uses the Helm values provided in the `builder` key to create the list of images that are scanned and reported on for the given Helm chart. The Security Center will scan and report on this same list of images for both air gap and online installations. If there are any images that you want reported on in the Security Center, ensure that they are exposed by the values provided in the `builder` key.
43+
2244

2345
## Security Center Interfaces
2446
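
Review bot: The `builder` bullet at new line 42 says which values are used when `builder` is configured but not which values produce the scanned image list when it is absent, so a vendor cannot tell whether an image rendered only under non-default values is covered by scanning. State the fallback explicitly, and consider moving the bullet to Requirements, since it ends with an instruction ("ensure that they are exposed by the values provided in the `builder` key") rather than a limitation.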
