From bd1089afd8efc22bf3f2cd033dd39bdc1f7c9483 Mon Sep 17 00:00:00 2001
From: Przemyslaw Roguski
Date: Fri, 8 May 2026 15:05:03 +0200
Subject: [PATCH 1/5] Adding an option to ACS to use cluster CA, not self signed, for ACS Central

---
 charts/acs-central/templates/central-cr.yaml | 7 +++++++
 charts/acs-central/templates/console-link.yaml | 4 ++++
 .../acs-central/templates/jobs/create-auth-provider.yaml | 2 +-
 charts/acs-central/values.yaml | 3 ++-
 4 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/charts/acs-central/templates/central-cr.yaml b/charts/acs-central/templates/central-cr.yaml
index 6b91dac4..b11d9138 100644
--- a/charts/acs-central/templates/central-cr.yaml
+++ b/charts/acs-central/templates/central-cr.yaml
@@ -21,6 +21,13 @@ spec:
 port: 443
 route:
 enabled: {{ .Values.central.exposure.route.enabled }}
+ {{- if .Values.central.exposure.route.reencrypt.enabled }}
+ reencrypt:
+ enabled: true
+ {{- if .Values.central.exposure.route.reencrypt.host }}
+ host: {{ .Values.central.exposure.route.reencrypt.host }}
+ {{- end }}
+ {{- end }}
 
 {{- if .Values.central.persistence.enabled }}
 persistence:
diff --git a/charts/acs-central/templates/console-link.yaml b/charts/acs-central/templates/console-link.yaml
index 3030fa41..9cb25e01 100644
--- a/charts/acs-central/templates/console-link.yaml
+++ b/charts/acs-central/templates/console-link.yaml
@@ -8,7 +8,11 @@ metadata:
 annotations:
 argocd.argoproj.io/sync-wave: "46"
 spec:
+ {{- if .Values.central.exposure.route.reencrypt.enabled }}
+ href: https://central-reencrypt-{{ .Release.Namespace }}.{{ .Values.global.localClusterDomain }}
+ {{- else }}
 href: https://central-{{ .Release.Namespace }}.{{ .Values.global.localClusterDomain }}
+ {{- end }}
 location: ApplicationMenu
 text: Advanced Cluster Security
 applicationMenu:
diff --git a/charts/acs-central/templates/jobs/create-auth-provider.yaml b/charts/acs-central/templates/jobs/create-auth-provider.yaml
index ae5dc4fb..71626a01 100644
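Review bot: The new `reencrypt:` block is rendered only when `.Values.central.exposure.route.reencrypt.enabled` is true, so setting it to false drops the key from the Central CR instead of rendering `enabled: false`, unlike the `enabled: {{ .Values.central.exposure.route.enabled }}` line directly above it; whether the operator then removes an already-created `central-reencrypt` route depends on its defaulting, which is not visible here. Rendering the value unconditionally, `reencrypt:` followed by `enabled: {{ .Values.central.exposure.route.reencrypt.enabled }}`, keeps the CR explicit and mirrors the passthrough route line. The templated `host:` value here, and the `host: {{ .Values.central.exposure.route.host }}` line that patch 4 adds to the same template, are plain scalars; `{{ ... | quote }}` protects the CR from a value YAML would reinterpret. The `spec.central.exposure.route` mapping this hunk edits starts before the hunk.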
--- a/charts/acs-central/templates/jobs/create-auth-provider.yaml
+++ b/charts/acs-central/templates/jobs/create-auth-provider.yaml
@@ -86,7 +86,7 @@ spec:
 exit 0
 fi
 
- ACS_CENTRAL_HOSTNAME="$(oc get route central -n stackrox -o jsonpath='{.spec.host}')"
+ ACS_CENTRAL_HOSTNAME="$(oc get route central-reencrypt -n stackrox -o jsonpath='{.spec.host}' 2>/dev/null || oc get route central -n stackrox -o jsonpath='{.spec.host}')"
 echo "ACS Central hostname: $ACS_CENTRAL_HOSTNAME"
 
 cat > /tmp/oidc-config.json << 'OIDCEOF'
diff --git a/charts/acs-central/values.yaml b/charts/acs-central/values.yaml
index 9c01ba9d..2f30f67e 100644
--- a/charts/acs-central/values.yaml
+++ b/charts/acs-central/values.yaml
@@ -73,10 +73,11 @@ central:
 exposure:
 route:
 enabled: true
- # Use cluster wildcard certificate
 tls:
 enabled: true
 termination: passthrough
+ reencrypt:
+ enabled: true
 loadBalancer:
 enabled: false
 

From 479f2f734537b34a526dda84f7a4eaa3ffa1051b Mon Sep 17 00:00:00 2001
From: Przemyslaw Roguski
Date: Mon, 11 May 2026 19:24:35 +0200
Subject: [PATCH 2/5] Adding explanation how ACS handles two OCP routes

---
 docs/acs-deployment.md | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/docs/acs-deployment.md b/docs/acs-deployment.md
index 1d694d0a..7e67ee48 100644
--- a/docs/acs-deployment.md
+++ b/docs/acs-deployment.md
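Review bot: The `||` fallback on the new `ACS_CENTRAL_HOSTNAME=` line only fires when the first `oc get route` exits non-zero; a `central-reencrypt` route that exists but has no `.spec.host` populated yet (route admission still pending, presumably) returns success with empty output, so an empty hostname is echoed as if valid and then, judging by the `cat > /tmp/oidc-config.json` that follows, written into the OIDC auth provider configuration as the UI endpoint. Checking the value rather than the exit status closes that gap: `ACS_CENTRAL_HOSTNAME="$(oc get route central-reencrypt -n stackrox -o jsonpath='{.spec.host}' 2>/dev/null)"`, then `[ -n "$ACS_CENTRAL_HOSTNAME" ] || ACS_CENTRAL_HOSTNAME="$(oc get route central -n stackrox -o jsonpath='{.spec.host}')"`, then `[ -n "$ACS_CENTRAL_HOSTNAME" ] || { echo "ERROR: no Central route host found" >&2; exit 1; }`. The namespace is hard-coded as `stackrox` on both commands while the chart templates use `.Release.Namespace`; that predates this change but is worth aligning while the line is being touched. The job script this line belongs to starts and ends outside the hunk.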
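Review bot: Removing `# Use cluster wildcard certificate` leaves the `tls:` block and the new `reencrypt:` key with no explanation of why two routes are exposed, which a chart user deciding to disable one of them needs. I would add, above `tls:`, `# Passthrough route (central): required for Sensor mTLS, keep enabled` and, above `reencrypt:`, `# Reencrypt route (central-reencrypt): browser UI served behind the cluster ingress certificate`, matching the purpose table patch 2 adds to docs/acs-deployment.md. The `central.exposure` mapping this hunk edits starts before the hunk.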
@@ -48,6 +48,34 @@ The ACS deployment in the Layered Zero Trust pattern is implemented using:
 - Admission Controller (policy enforcement)
 - Collector (DaemonSet for runtime monitoring)
 
+## Route and TLS Configuration
+
+ACS Central exposes two OpenShift routes with different TLS termination modes:
+
+| Route | TLS Mode | Purpose |
+|---|---|---|
+| `central` | Passthrough | Sensor/SecuredCluster gRPC communication (mTLS) |
+| `central-reencrypt` | Reencrypt | Browser UI access using cluster wildcard certificate |
+
+The **passthrough route is required** for sensor communication. Sensors use
+mutual TLS with certificates from the cluster init bundle, and the RHACS
+operator [explicitly states](https://github.com/stackrox/stackrox/blob/master/operator/api/v1alpha1/central_types.go)
+that the reencrypt route *"should not be used for sensor communication"*
+because the router terminates the sensor's TLS session, breaking mTLS
+authentication.
+
+The **reencrypt route** is enabled by default (`central.exposure.route.reencrypt.enabled: true`)
+so that browser users see the cluster's wildcard certificate instead of
+Central's self-signed certificate. This works on all platforms:
+
+- **Cloud (AWS, Azure, GCP)**: wildcard cert is signed by a public CA — no browser warning
+- **BareMetal / vSphere**: wildcard cert uses the cluster ingress CA — trusted
+ if `ztvp-certificates` has injected it via `proxyCA`
+
+The RHACS operator auto-generates the reencrypt route hostname
+(`central-reencrypt-stackrox.apps.`). The ConsoleLink and OIDC auth
+provider `uiEndpoint` automatically point to the reencrypt route when enabled.
+
 ## Deployment Workflow
 
 ### Phase 1: Operator Installation (Managed by Pattern Framework)

From cd3dc6e4f576bb857062d0782327ab1275e5398a Mon Sep 17 00:00:00 2001
From: Przemyslaw Roguski
Date: Wed, 13 May 2026 13:18:47 +0200
Subject: [PATCH 3/5] switching from the internal OCP image registry (image-registry.openshift-image-registry.svc:5000/openshift/cli) to the public Red Hat registry (registry.redhat.io/openshift4/ose-cli)

---
 charts/acs-central/values.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/charts/acs-central/values.yaml b/charts/acs-central/values.yaml
index 2f30f67e..46a7dba0 100644
--- a/charts/acs-central/values.yaml
+++ b/charts/acs-central/values.yaml
@@ -171,8 +171,8 @@ integration:
 # Container image for the auth provider configuration job
 # Uses OpenShift CLI tools (curl, oc, jq, etc.)
 jobImage:
- registry: image-registry.openshift-image-registry.svc:5000
- repository: openshift/cli
+ registry: registry.redhat.io
+ repository: openshift4/ose-cli
 tag: latest
 pullPolicy: IfNotPresent
 # Service account used by jobs (init bundle, auth provider, htpasswd)

From ca9a5d5f70535dae2429bf42698b70847e31f3e1 Mon Sep 17 00:00:00 2001
From: Przemyslaw Roguski
Date: Thu, 14 May 2026 11:11:56 +0200
Subject: [PATCH 4/5] UX polish, the user-facing URL becomes central.apps. which is simpler and more intuitive

---
 charts/acs-central/templates/central-cr.yaml | 3 +++
 charts/acs-central/templates/console-link.yaml | 10 +++++++++-
 charts/acs-central/values.yaml | 2 ++
 values-hub.yaml | 2 ++
 4 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/charts/acs-central/templates/central-cr.yaml b/charts/acs-central/templates/central-cr.yaml
index b11d9138..ac56bd89 100644
--- a/charts/acs-central/templates/central-cr.yaml
+++ b/charts/acs-central/templates/central-cr.yaml
@@ -21,6 +21,9 @@ spec:
 port: 443
 route:
 enabled: {{ .Values.central.exposure.route.enabled }}
+ {{- if .Values.central.exposure.route.host }}
+ host: {{ .Values.central.exposure.route.host }}
+ {{- end }}
 {{- if .Values.central.exposure.route.reencrypt.enabled }}
 reencrypt:
 enabled: true
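Review bot: Switching `registry:` to `registry.redhat.io` moves the job image pull from the in-cluster registry, which the job's service account presumably reached with its own token, to an authenticated external registry, so the pull now depends on every target cluster's pull secret carrying `registry.redhat.io` credentials; a comment above `registry:` stating that requirement would save a failed-job investigation. `tag: latest` combined with the unchanged `pullPolicy: IfNotPresent` is also non-reproducible: nodes that already cached an older `latest` keep running it while new nodes pull a different build, and nothing records which `oc` binary configured the auth provider. Pinning the tag to a specific release, `tag: "<ose-cli-release-tag>"` (constructed placeholder), or resolving it to a digest, gives a stable supply-chain reference for the job. Patch 5 changes `repository:` to `openshift4/ose-cli-rhel9` but keeps `latest`, so the same point applies there.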
diff --git a/charts/acs-central/templates/console-link.yaml b/charts/acs-central/templates/console-link.yaml
index 9cb25e01..01acf02a 100644
--- a/charts/acs-central/templates/console-link.yaml
+++ b/charts/acs-central/templates/console-link.yaml
@@ -9,10 +9,18 @@ metadata:
 argocd.argoproj.io/sync-wave: "46"
 spec:
 {{- if .Values.central.exposure.route.reencrypt.enabled }}
- href: https://central-reencrypt-{{ .Release.Namespace }}.{{ .Values.global.localClusterDomain }}
+ {{- if .Values.central.exposure.route.reencrypt.host }}
+ href: https://{{ .Values.central.exposure.route.reencrypt.host }}
+ {{- else }}
+ href: https://central.{{ .Values.global.localClusterDomain }}
+ {{- end }}
+ {{- else }}
+ {{- if .Values.central.exposure.route.host }}
+ href: https://{{ .Values.central.exposure.route.host }}
 {{- else }}
 href: https://central-{{ .Release.Namespace }}.{{ .Values.global.localClusterDomain }}
 {{- end }}
+ {{- end }}
 location: ApplicationMenu
 text: Advanced Cluster Security
 applicationMenu:
diff --git a/charts/acs-central/values.yaml b/charts/acs-central/values.yaml
index 46a7dba0..605aad5d 100644
--- a/charts/acs-central/values.yaml
+++ b/charts/acs-central/values.yaml
@@ -73,11 +73,13 @@ central:
 exposure:
 route:
 enabled: true
+ host: "" # Autogenerate if not specified
 tls:
 enabled: true
 termination: passthrough
 reencrypt:
 enabled: true
+ host: "" # Autogenerate if not specified
 loadBalancer:
 enabled: false
 
diff --git a/values-hub.yaml b/values-hub.yaml
index dae08bf8..03ff30e6 100644
--- a/values-hub.yaml
+++ b/values-hub.yaml
@@ -594,6 +594,8 @@ clusterGroup:
 # value: gp3-csi # Example for AWS
 - name: central.exposure.route.enabled
 value: "true"
+ - name: central.exposure.route.reencrypt.host
+ value: "central.{{ $.Values.global.localClusterDomain }}"
 - name: integration.keycloak.enabled
 value: "true"
 - name: integration.keycloak.realm

From 394e71a2fbd6ea6ce3eb7fc726654d4e92afb170 Mon Sep 17 00:00:00 2001
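Review bot: The `{{- else }}` branch under `reencrypt.enabled` renders `href: https://central.{{ .Values.global.localClusterDomain }}` whenever `reencrypt.host` is empty, but with the chart default `host: ""` from values.yaml the operator auto-generates the reencrypt hostname, which patch 2 documents as `central-reencrypt-<namespace>.<domain>`; the `central.<domain>` name exists only when values-hub.yaml overrides `reencrypt.host` to it, so a consumer using the chart defaults gets a ConsoleLink to a route that does not exist. That fallback should stay the line this hunk removes: `href: https://central-reencrypt-{{ .Release.Namespace }}.{{ .Values.global.localClusterDomain }}`. As a style point, the four `href:` lines and nested `{{- if }}` blocks would read better as one `$host` variable computed once and a single `href: https://{{ $host }}` line. The `spec:` mapping continues outside the hunk.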
From: Przemyslaw Roguski
Date: Thu, 14 May 2026 11:35:04 +0200
Subject: [PATCH 5/5] Using the newest OC CLI image, built based on RHEL9

---
 charts/acs-central/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/charts/acs-central/values.yaml b/charts/acs-central/values.yaml
index 605aad5d..1d8c965a 100644
--- a/charts/acs-central/values.yaml
+++ b/charts/acs-central/values.yaml
@@ -174,7 +174,7 @@ integration:
 # Uses OpenShift CLI tools (curl, oc, jq, etc.)
 jobImage:
 registry: registry.redhat.io
- repository: openshift4/ose-cli
+ repository: openshift4/ose-cli-rhel9
 tag: latest
 pullPolicy: IfNotPresent
 # Service account used by jobs (init bundle, auth provider, htpasswd)