Adding an option to ACS to use cluster CA, not self signed, for ACS Central

Author: p-rog

charts/acs-central/templates/central-cr.yaml

@@ -21,6 +21,13 @@ spec:
         port: 443
       route:
         enabled: {{ .Values.central.exposure.route.enabled }}
+        {{- if .Values.central.exposure.route.reencrypt.enabled }}
+        reencrypt:
+          enabled: true
+          {{- if .Values.central.exposure.route.reencrypt.host }}
+          host: {{ .Values.central.exposure.route.reencrypt.host }}
+          {{- end }}
+        {{- end }}
 
     {{- if .Values.central.persistence.enabled }}
     persistence:

charts/acs-central/templates/console-link.yaml

@@ -8,7 +8,11 @@ metadata:
   annotations:
     argocd.argoproj.io/sync-wave: "46"
 spec:
+  {{- if .Values.central.exposure.route.reencrypt.enabled }}
+  href: https://central-reencrypt-{{ .Release.Namespace }}.{{ .Values.global.localClusterDomain }}
+  {{- else }}
   href: https://central-{{ .Release.Namespace }}.{{ .Values.global.localClusterDomain }}
+  {{- end }}
   location: ApplicationMenu
   text: Advanced Cluster Security
   applicationMenu:

charts/acs-central/templates/jobs/create-auth-provider.yaml

@@ -86,7 +86,7 @@ spec:
                 exit 0
               fi
 
-              ACS_CENTRAL_HOSTNAME="$(oc get route central -n stackrox -o jsonpath='{.spec.host}')"
+              ACS_CENTRAL_HOSTNAME="$(oc get route central-reencrypt -n stackrox -o jsonpath='{.spec.host}' 2>/dev/null || oc get route central -n stackrox -o jsonpath='{.spec.host}')"
               echo "ACS Central hostname: $ACS_CENTRAL_HOSTNAME"
 
               cat > /tmp/oidc-config.json << 'OIDCEOF'

charts/acs-central/values.yaml

@@ -73,10 +73,11 @@ central:
   exposure:
     route:
       enabled: true
-      # Use cluster wildcard certificate
       tls:
         enabled: true
         termination: passthrough
+      reencrypt:
+        enabled: true
     loadBalancer:
       enabled: false