Homepage: https://github.com/validatedpatterns/layered-zero-trust
| Name | URL | |
|---|---|---|
| Validated Patterns Team | validatedpatterns@googlegroups.com |
The ACS deployment in the Layered Zero Trust pattern is implemented using:
- GitOps: Argo CD manages the deployment lifecycle
- Helm Charts: Two separate charts for Central and Secured Cluster
- Operator-based: Uses Red Hat's RHACS Operator
- Vault Integration: Secrets stored in HashiCorp Vault
- Keycloak SSO: OIDC authentication (enabled by default)
- Installed via: OLM (Operator Lifecycle Manager)
- Namespace:
openshift-operators - Channel:
stable - Source:
redhat-operators
- Purpose: Central management console, Scanner V4, Policy engine
- Namespace:
stackrox - Components:
- Central (management console)
- Scanner V4 Indexer
- Scanner V4 Matcher
- PostgreSQL databases (Central DB, Scanner DB)
- Purpose: Per-cluster enforcement and monitoring
- Namespace:
stackrox(same as Central on hub cluster) - Components:
- Sensor (communicates with Central)
- Admission Controller (policy enforcement)
- Collector (DaemonSet for runtime monitoring)
ACS Central exposes two OpenShift routes with different TLS termination modes:
| Route | TLS Mode | Purpose |
|---|---|---|
central |
Passthrough | Sensor/SecuredCluster gRPC communication (mTLS) |
central-reencrypt |
Reencrypt | Browser UI access using cluster wildcard certificate |
The passthrough route is required for sensor communication. Sensors use mutual TLS with certificates from the cluster init bundle, and the RHACS operator explicitly states that the reencrypt route "should not be used for sensor communication" because the router terminates the sensor's TLS session, breaking mTLS authentication.
The reencrypt route is enabled by default (central.exposure.route.reencrypt.enabled: true)
so that browser users see the cluster's wildcard certificate instead of
Central's self-signed certificate. This works on all platforms:
- Cloud (AWS, Azure, GCP): wildcard cert is signed by a public CA — no browser warning
- BareMetal / vSphere: wildcard cert uses the cluster ingress CA — trusted
if
ztvp-certificateshas injected it viaproxyCA
The RHACS operator auto-generates the reencrypt route hostname
(central-reencrypt-stackrox.apps.<domain>). The ConsoleLink and OIDC auth
provider uiEndpoint automatically point to the reencrypt route when enabled.
When: During initial pattern deployment
Configuration File: values-hub.yaml
When: After operator is ready
Helm Chart: charts/acs-central/
File: central-htpasswd-external-secret.yaml
Purpose: Fetch admin password from Vault
Creates: Secret central-htpasswd with key password
Why: Central needs this secret before deployment
File: admin-password-secret.yaml
Condition: Only if useExternalSecret: false
Purpose: Generate bcrypt htpasswd entry for admin user
Why Important:
- Central CR expects
htpasswdfield for authentication - Bcrypt generates different hash each time (random salt)
- Job is idempotent (checks for existing valid entry)
Purpose: Generate cluster init bundle for Secured Cluster authentication
Result: Secured Cluster components can authenticate to Central
Status: Enabled by default
Condition: Default integration.keycloak.enabled: true
Purpose: Configure Keycloak authentication
Job: create-auth-provider
Result: Users can log in via OpenShift OAuth instead of htpasswd
What it does:
- Waits for ACS Central to be ready (max 30 retries, 10s interval)
- Creates OIDC auth provider named "OIDC"
- Configures OIDC settings (Issuer, Client ID, Client Secret, Callback URL)
- Maps Keycloak user claims to ACS attributes
Minimum (Development/Testing):
- Node Size: 3 worker nodes with 8 vCPU / 16Gi RAM each
- Total Capacity: ~24 vCPU / 48Gi RAM
Production:
- Node Size: 3-5 worker nodes with 16 vCPU / 32Gi RAM each
- Total Capacity: ~48-80 vCPU / 96-160Gi RAM
Resource Breakdown:
- OpenShift Platform: ~8-12 CPU / ~15-20Gi
- Validated Pattern Base: ~4-6 CPU / ~8-10Gi
- ACS Central Services: ~2 CPU / ~8Gi
- ACS Secured Cluster: ~1 CPU / ~2Gi
- Total Minimum: ~15-21 CPU / ~33-40Gi