Adding an option to ACS to use cluster CA, not self signed for ACS Central

charts/acs-central/templates/central-cr.yaml

@@ -21,6 +21,13 @@ spec:
         port: 443
       route:
         enabled: {{ .Values.central.exposure.route.enabled }}
+        {{- if .Values.central.exposure.route.reencrypt.enabled }}
+        reencrypt:
+          enabled: true
+          {{- if .Values.central.exposure.route.reencrypt.host }}
+          host: {{ .Values.central.exposure.route.reencrypt.host }}
+          {{- end }}
+        {{- end }}
 
     {{- if .Values.central.persistence.enabled }}
     persistence:

charts/acs-central/templates/console-link.yaml

@@ -8,7 +8,11 @@ metadata:
   annotations:
     argocd.argoproj.io/sync-wave: "46"
 spec:
+  {{- if .Values.central.exposure.route.reencrypt.enabled }}
+  href: https://central-reencrypt-{{ .Release.Namespace }}.{{ .Values.global.localClusterDomain }}
+  {{- else }}
   href: https://central-{{ .Release.Namespace }}.{{ .Values.global.localClusterDomain }}
+  {{- end }}
   location: ApplicationMenu
   text: Advanced Cluster Security
   applicationMenu:

charts/acs-central/templates/jobs/create-auth-provider.yaml

@@ -86,7 +86,7 @@ spec:
                 exit 0
               fi
 
-              ACS_CENTRAL_HOSTNAME="$(oc get route central -n stackrox -o jsonpath='{.spec.host}')"
+              ACS_CENTRAL_HOSTNAME="$(oc get route central-reencrypt -n stackrox -o jsonpath='{.spec.host}' 2>/dev/null || oc get route central -n stackrox -o jsonpath='{.spec.host}')"
               echo "ACS Central hostname: $ACS_CENTRAL_HOSTNAME"
 
               cat > /tmp/oidc-config.json << 'OIDCEOF'

charts/acs-central/values.yaml

@@ -73,10 +73,11 @@ central:
   exposure:
     route:
       enabled: true
-      # Use cluster wildcard certificate
       tls:
         enabled: true
         termination: passthrough
+      reencrypt:
+        enabled: true
     loadBalancer:
       enabled: false
 

docs/acs-deployment.md

@@ -48,6 +48,34 @@ The ACS deployment in the Layered Zero Trust pattern is implemented using:
   - Admission Controller (policy enforcement)
   - Collector (DaemonSet for runtime monitoring)
 
+## Route and TLS Configuration
+
+ACS Central exposes two OpenShift routes with different TLS termination modes:
+
+| Route | TLS Mode | Purpose |
+|---|---|---|
+| `central` | Passthrough | Sensor/SecuredCluster gRPC communication (mTLS) |
+| `central-reencrypt` | Reencrypt | Browser UI access using cluster wildcard certificate |
+
+The **passthrough route is required** for sensor communication. Sensors use
+mutual TLS with certificates from the cluster init bundle, and the RHACS
+operator [explicitly states](https://github.com/stackrox/stackrox/blob/master/operator/api/v1alpha1/central_types.go)
+that the reencrypt route *"should not be used for sensor communication"*
+because the router terminates the sensor's TLS session, breaking mTLS
+authentication.
+
+The **reencrypt route** is enabled by default (`central.exposure.route.reencrypt.enabled: true`)
+so that browser users see the cluster's wildcard certificate instead of
+Central's self-signed certificate. This works on all platforms:
+
+- **Cloud (AWS, Azure, GCP)**: wildcard cert is signed by a public CA — no browser warning
+- **BareMetal / vSphere**: wildcard cert uses the cluster ingress CA — trusted
+  if `ztvp-certificates` has injected it via `proxyCA`
+
+The RHACS operator auto-generates the reencrypt route hostname
+(`central-reencrypt-stackrox.apps.<domain>`). The ConsoleLink and OIDC auth
+provider `uiEndpoint` automatically point to the reencrypt route when enabled.
+
 ## Deployment Workflow
 
 ### Phase 1: Operator Installation (Managed by Pattern Framework)