Adding an option to ACS to use cluster CA, not self signed for ACS Central #131
p-rog wants to merge 1 commit into validatedpatterns:main from
Conversation
sabre1041
left a comment
Like where this is headed. Here's my thought on the default strategy. When you enable the reencrypt functionality, it creates a separate route in addition to the default central route. Instead, can we disable the default route (that uses a self-signed cert) and specify the reencrypt route with the URL that would be used by the default route? This way, to the end user, there is just the standard ACS route that has certificates set up properly.
| @@ -21,6 +21,13 @@ spec: | |||
| port: 443 | |||
| route: | |||
| enabled: {{ .Values.central.exposure.route.enabled }} | |||
If reencrypt is enabled, let's disable the default route
| reencrypt: | ||
| enabled: true | ||
| {{- if .Values.central.exposure.route.reencrypt.host }} | ||
| host: {{ .Values.central.exposure.route.reencrypt.host }} |
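Review bot: `enabled: true` under `reencrypt:` is hardcoded, while the context line above drives the default route from `.Values.central.exposure.route.enabled`; suggest `enabled: {{ .Values.central.exposure.route.reencrypt.enabled }}` so both routes are toggled from values and a pattern can turn off the passthrough route (the one presenting the self-signed cert) in favour of the reencrypt one without editing the template. The `{{- if .Values.central.exposure.route.reencrypt.host }}` opened on the last visible line has no `{{- end }}` among the lines shown; confirm it is closed in the rest of the hunk, and document the new `reencrypt` keys in the chart's values file so the `host` default is discoverable.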
If reencrypt is enabled, let's set the value to the default central hostname (unless explicitly declared)
Did some testing and to enable the desired feature, all that would need to be added to the

```yaml
- name: central.exposure.route.enabled
  value: "false"
- name: central.exposure.route.reencrypt.host
  value: "central-stackrox.{{ $.Values.global.localClusterDomain }}"
```
With this update, the Central CR deploys with both route.enabled: true (passthrough) and route.reencrypt.enabled: true. The RHACS operator creates both routes automatically. The passthrough route is necessary for the Secured Cluster and Sensor communication.
The ConsoleLink points to central-reencrypt-stackrox when reencrypt is enabled (by default).
Keycloak client accepts any hostname, so the redirect to the reencrypt route works on any cluster domain.
This should work with public certs (cloud deployments like AWS) signed by a public CA, and also on bare metal with self-signed certs. Browsers that trust the org's CA chain see no warning. Even without proxyCA, it's still an improvement because users see the cluster's ingress CA cert (consistent with all other OCP routes) instead of a random ACS-generated self-signed cert.