From bd1089afd8efc22bf3f2cd033dd39bdc1f7c9483 Mon Sep 17 00:00:00 2001 From: Przemyslaw Roguski Date: Fri, 8 May 2026 15:05:03 +0200 Subject: [PATCH 1/2] Adding an option to ACS to use cluster CA, not self signed, for ACS Central --- charts/acs-central/templates/central-cr.yaml | 7 +++++++ charts/acs-central/templates/console-link.yaml | 4 ++++ .../acs-central/templates/jobs/create-auth-provider.yaml | 2 +- charts/acs-central/values.yaml | 3 ++- 4 files changed, 14 insertions(+), 2 deletions(-) diff --git a/charts/acs-central/templates/central-cr.yaml b/charts/acs-central/templates/central-cr.yaml index 6b91dac4..b11d9138 100644 --- a/charts/acs-central/templates/central-cr.yaml +++ b/charts/acs-central/templates/central-cr.yaml @@ -21,6 +21,13 @@ spec: port: 443 route: enabled: {{ .Values.central.exposure.route.enabled }} + {{- if .Values.central.exposure.route.reencrypt.enabled }} + reencrypt: + enabled: true + {{- if .Values.central.exposure.route.reencrypt.host }} + host: {{ .Values.central.exposure.route.reencrypt.host }} + {{- end }} + {{- end }} {{- if .Values.central.persistence.enabled }} persistence: diff --git a/charts/acs-central/templates/console-link.yaml b/charts/acs-central/templates/console-link.yaml index 3030fa41..9cb25e01 100644 --- a/charts/acs-central/templates/console-link.yaml +++ b/charts/acs-central/templates/console-link.yaml @@ -8,7 +8,11 @@ metadata: annotations: argocd.argoproj.io/sync-wave: "46" spec: + {{- if .Values.central.exposure.route.reencrypt.enabled }} + href: https://central-reencrypt-{{ .Release.Namespace }}.{{ .Values.global.localClusterDomain }} + {{- else }} href: https://central-{{ .Release.Namespace }}.{{ .Values.global.localClusterDomain }} + {{- end }} location: ApplicationMenu text: Advanced Cluster Security applicationMenu: diff --git a/charts/acs-central/templates/jobs/create-auth-provider.yaml b/charts/acs-central/templates/jobs/create-auth-provider.yaml index ae5dc4fb..71626a01 100644 
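Review bot: The new `host:` line in the reencrypt block renders the templated value as a bare scalar; a hostname parses fine today, but the chart convention for templated scalars is to quote them so an unexpected value cannot be retyped or mis-parsed by YAML: `host: {{ .Values.central.exposure.route.reencrypt.host | quote }}`. Nothing in the hunk constrains the override, and a custom host outside the cluster ingress wildcard domain would presumably not be covered by the default certificate the router presents, which is the whole point of the reencrypt route — a values comment stating that expectation would save the first user who sets it. The CR body continues outside the hunk, so I cannot see whether `tls.termination` from values.yaml is rendered anywhere else in this template.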
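Review bot: The reencrypt branch hard-codes `central-reencrypt-<namespace>.<domain>` and ignores `.Values.central.exposure.route.reencrypt.host`, which central-cr.yaml in this same patch passes to the operator; when a custom host is set, the console link points at a hostname the route does not serve. Derive the href from the override with the generated name as fallback: `href: https://{{ .Values.central.exposure.route.reencrypt.host | default (printf "central-reencrypt-%s.%s" .Release.Namespace .Values.global.localClusterDomain) }}`. The generated-name pattern is inferred from the existing `central-` href and the docs patch, not from operator code visible here, so confirm it before relying on it.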
--- a/charts/acs-central/templates/jobs/create-auth-provider.yaml +++ b/charts/acs-central/templates/jobs/create-auth-provider.yaml @@ -86,7 +86,7 @@ spec: exit 0 fi - ACS_CENTRAL_HOSTNAME="$(oc get route central -n stackrox -o jsonpath='{.spec.host}')" + ACS_CENTRAL_HOSTNAME="$(oc get route central-reencrypt -n stackrox -o jsonpath='{.spec.host}' 2>/dev/null || oc get route central -n stackrox -o jsonpath='{.spec.host}')" echo "ACS Central hostname: $ACS_CENTRAL_HOSTNAME" cat > /tmp/oidc-config.json << 'OIDCEOF' diff --git a/charts/acs-central/values.yaml b/charts/acs-central/values.yaml index 9c01ba9d..2f30f67e 100644 --- a/charts/acs-central/values.yaml +++ b/charts/acs-central/values.yaml @@ -73,10 +73,11 @@ central: exposure: route: enabled: true - # Use cluster wildcard certificate tls: enabled: true termination: passthrough + reencrypt: + enabled: true loadBalancer: enabled: false From 479f2f734537b34a526dda84f7a4eaa3ffa1051b Mon Sep 17 00:00:00 2001 From: Przemyslaw Roguski Date: Mon, 11 May 2026 19:24:35 +0200 Subject: [PATCH 2/2] Adding explanation how ACS handles two OCP routes --- docs/acs-deployment.md | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/docs/acs-deployment.md b/docs/acs-deployment.md index 1d694d0a..7e67ee48 100644 --- a/docs/acs-deployment.md +++ b/docs/acs-deployment.md 
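Review bot: The `||` fallback turns the passthrough route into a silent default whenever `oc get route central-reencrypt` fails for any reason — route not yet admitted when the job runs, transient API error, RBAC — so the OIDC `uiEndpoint` written below would likely be registered against the passthrough hostname while the ConsoleLink sends browsers to the reencrypt one, and the IdP redirect would then not match the URL the user is on. Prefer failing loudly over guessing: log which route was selected and abort on an empty result, e.g. `[ -n "$ACS_CENTRAL_HOSTNAME" ] || { echo "could not determine ACS Central route hostname" >&2; exit 1; }` right after the assignment. The namespace is hard-coded as `stackrox` here while the templates elsewhere in this patch use `.Release.Namespace`; that predates this change but the new lookup repeats it. The enclosing script, including the heredoc body that consumes the hostname, starts and ends outside the hunk.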
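Review bot: The new `reencrypt.enabled: true` key carries no comment, and the `host` override that central-cr.yaml reads (`.Values.central.exposure.route.reencrypt.host`) is not declared here, so users have no hint it exists or what it defaults to. Suggest documenting both above the new key, e.g. `# Reencrypt route for the browser UI: TLS terminates at the router with the cluster ingress certificate and is re-encrypted to Central; sensors keep using the passthrough route` and `# host: central.apps.example.com  # optional; defaults to the operator-generated central-reencrypt-<namespace>.<domain>`. Dropping the old `# Use cluster wildcard certificate` comment is right, since it sat above `termination: passthrough`, the mode that does not use the cluster certificate; but the central-cr.yaml hunk in this patch does not render `tls` at all, so whether `tls.termination` is consumed anywhere is not visible here — a comment naming what reads it (or removing the key if nothing does) would prevent the reverse confusion.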
@@ -48,6 +48,34 @@ The ACS deployment in the Layered Zero Trust pattern is implemented using: - Admission Controller (policy enforcement) - Collector (DaemonSet for runtime monitoring) +## Route and TLS Configuration + +ACS Central exposes two OpenShift routes with different TLS termination modes: + +| Route | TLS Mode | Purpose | +|---|---|---| +| `central` | Passthrough | Sensor/SecuredCluster gRPC communication (mTLS) | +| `central-reencrypt` | Reencrypt | Browser UI access using cluster wildcard certificate | + +The **passthrough route is required** for sensor communication. Sensors use +mutual TLS with certificates from the cluster init bundle, and the RHACS +operator [explicitly states](https://github.com/stackrox/stackrox/blob/master/operator/api/v1alpha1/central_types.go) +that the reencrypt route *"should not be used for sensor communication"* +because the router terminates the sensor's TLS session, breaking mTLS +authentication. + +The **reencrypt route** is enabled by default (`central.exposure.route.reencrypt.enabled: true`) +so that browser users see the cluster's wildcard certificate instead of +Central's self-signed certificate. This works on all platforms: + +- **Cloud (AWS, Azure, GCP)**: wildcard cert is signed by a public CA — no browser warning +- **BareMetal / vSphere**: wildcard cert uses the cluster ingress CA — trusted + if `ztvp-certificates` has injected it via `proxyCA` + +The RHACS operator auto-generates the reencrypt route hostname +(`central-reencrypt-stackrox.apps.`). The ConsoleLink and OIDC auth +provider `uiEndpoint` automatically point to the reencrypt route when enabled. + ## Deployment Workflow ### Phase 1: Operator Installation (Managed by Pattern Framework)