Adding an option to ACS to use cluster CA, not self signed for ACS Central#131
Adding an option to ACS to use cluster CA, not self signed for ACS Central#131p-rog wants to merge 2 commits into
Conversation
sabre1041
left a comment
sabre1041
left a comment
There was a problem hiding this comment.
Like where this is headed. Heres my though on the default strategy. When you enable the reencrypt functionality, it creates a separate route in addition to the default centrla route. Instead, can we disable the default route (that uses a self signed cert) and specify the reeencrypt route with the URL that would be used by the default route. This way, to the end user, there is just the standard ACS route that has certificates set up properly
| @@ -21,6 +21,13 @@ spec: | |||
| port: 443 | |||
| route: | |||
| enabled: {{ .Values.central.exposure.route.enabled }} | |||
There was a problem hiding this comment.
If reencrypt is enabled, lets disable the default route
There was a problem hiding this comment.
Like I mentioned in the PR description, we have to keep the self-signed route because this is required for the communication between ACS Central and Sensors. Here is official ACS explanation:
https://access.redhat.com/solutions/7019861
and here is how it's coded:
https://github.com/stackrox/stackrox/blob/master/operator/api/v1alpha1/central_types.go#L458
The same is in the Central CRD manifest:
DESCRIPTION:
Expose Central with a reencrypt route.
Should not be used for sensor communication.
The default is: false.
So if we disable passthrough and use only reencrypt (with the same hostname) it would break sensor communication.
| reencrypt: | ||
| enabled: true | ||
| {{- if .Values.central.exposure.route.reencrypt.host }} | ||
| host: {{ .Values.central.exposure.route.reencrypt.host }} |
There was a problem hiding this comment.
If reencrypt is enabled, lets set the value to the default central hostname (unless explicitly declared)
There was a problem hiding this comment.
But we have to keep the passthrough for the sensors communication, hence the reencrypt route needs its own, distinct hostname.
Did some testing and to enable the desired feature, all that would need to be added to the - name: central.exposure.route.enabled
value: "false"
- name: central.exposure.route.reencrypt.host
value: "central-stackrox.{{ $.Values.global.localClusterDomain }}" |
See my earlier comment. We have to keep the |
|
I added a short explanation why we have to keep |
2 participants
With this update Central CR deploys with both route.enabled: true (passthrough) and route.reencrypt.enabled: true. RHACS operator creates both routes automatically. The passthrough route communication is necessary for the Secured cluster and Sensor communication.
The ConsoleLink points to central-reencrypt-stackrox when reencrypt is enabled (by default).
Keycloak client accepts any hostname, so the redirect to the reencrypt route works on any cluster domain.
This should work with public certs (cloud deployment like AWS) signed by a public CA, and also on BareMetal with self-signed certs. Browsers that trust the org's CA chain see no warning. Even without proxyCA, it's still an improvement because users see the cluster's ingress CA cert (consistent with all other OCP routes) instead of a random ACS-generated self-signed cert.