First attempt to the ACS onboarding#100
Open
p-rog wants to merge 55 commits intovalidatedpatterns:mainfrom
Open
First attempt to the ACS onboarding#100p-rog wants to merge 55 commits intovalidatedpatterns:mainfrom
p-rog wants to merge 55 commits intovalidatedpatterns:mainfrom
Conversation
Collaborator
Author
|
I have to fix the ACS init secret issue:
|
- Fix indentation in values-hub.yaml (stackrox namespace) - Comment out acs-init-bundle secret (not needed for same-cluster deployment) - RHACS operator auto-generates auth for co-located Central + SecuredCluster Fixes vault namespace deployment issue. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Collaborator
Author
|
The secret issue is fixed. |
…ndle and integration
This commit resolves two critical issues preventing ACS Central and SecuredCluster Custom Resources from being deployed: 1. Uncommented extraValueFiles for acs-central and acs-secured-cluster applications in values-hub.yaml. This enables helm charts to receive global configuration values (localClusterDomain, secretStore, etc.) required for proper template rendering. 2. Added ExternalSecret template for central-htpasswd admin password. This syncs the admin password from Vault (hub/infra/acs) to the Kubernetes secret expected by the Central CR. With these fixes, ArgoCD will successfully render and deploy: - Central CR (Wave 10) with PostgreSQL DB and Scanner components - Init bundle job (Wave 12) to generate TLS secrets - OAuth integration job (Wave 13) for OpenShift authentication - SecuredCluster CR (Wave 15) with Sensor, Collector, and Admission Controller Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
… the central-cr.yaml and secured-cluster-cr.yaml, removing the perNode duplication, adding explicit scannerV4 configuration to central-cr.yaml
The cluster only has ACM release-2.15 channel available. Changed from release-2.14 to release-2.15 to fix subscription failure. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Two critical fixes to resolve ArgoCD manifest generation errors: 1. Fixed acs-central chart: Removed Helm template syntax from comment in create-cluster-init-bundle.yaml line 4. Helm parses template syntax even in comments, causing 'invalid value; expected string' error at column 98. 2. Fixed acs-secured-cluster chart: Removed quotes from clusterName override value in values-hub.yaml. The quoted template syntax caused 'key } has no value' error because ArgoCD was passing literal curly braces to helm --set command. These fixes allow both ACS applications to render manifests correctly. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Fixed nil pointer error in ExternalSecret template by adding default
secretStore configuration to values.yaml.
Error: 'nil pointer evaluating interface {}.name'
Root cause: global.secretStore.name and global.secretStore.kind were
undefined, causing ExternalSecret template to fail.
Solution: Added default values matching validated patterns convention:
- secretStore.name: vault-backend
- secretStore.kind: ClusterSecretStore
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Changed Vault secret path from 'hub/infra/acs' to 'hub/infra/acs/acs-central'
to match the actual location where validated patterns framework stores
the secret.
Root cause: Framework creates secrets at {vaultPrefixes}/{name} which
results in hub/infra/acs/acs-central, not hub/infra/acs.
This fixes the error: 'Secret does not exist at hub/infra/acs'
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Disabled both scanner V3 and V4 to reduce resource requirements. This allows Central to deploy on resource-constrained clusters. Scanners can be re-enabled later when more resources are available. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This reverts commit 906d5c4.
…e to the central-htpasswd secret
…mplate labels - Changed adminPasswordSecretRef to adminPasswordSecret (correct API field) - Added labels to create-cluster-init-bundle Job template (required by Kubernetes) - Fixes authentication error preventing init-bundle generation
- Add create-htpasswd-field job to automatically generate bcrypt htpasswd entry from the plain password in central-htpasswd secret (sync-wave 6) - Modify create-cluster-init-bundle job to: * Check for existing init bundles with the same cluster name * Delete existing bundle before creating new one * Validate API response contains kubectlBundle before attempting to apply - Fixes authentication issues and init bundle conflicts
- Replace heredoc with printf for Python script (heredoc inside YAML literal block causes parse errors) - Fix quote escaping in Python one-liners (use single quotes for outer, double for inner) - Ensures YAML parses correctly in ArgoCD
- Remove output redirection to /dev/null to make errors visible - Add progress messages to help debug installation issues
- Change image registry from registry.redhat.io to registry.access.redhat.com - Remove Sync hook annotation to prevent blocking ArgoCD sync - httpd-tools package is available in ubi-9-appstream-rpms repository
- Bcrypt generates different hashes each time due to random salt - Change logic to check if valid bcrypt htpasswd entry exists (starts with admin:$2[aby]$) - This makes the job idempotent - exits successfully if valid entry already exists
Root cause analysis revealed three critical issues: 1. UBI9 base image lacks kubectl binary 2. Container runs as non-root (UID 1000810000) due to OpenShift SCC 3. Cannot install httpd-tools with dnf (requires root privileges) Solution: - Use OpenShift CLI image (has oc/kubectl and python3) - Replace htpasswd command with Python's crypt module - Python crypt.METHOD_BLOWFISH generates valid bcrypt hashes - Change kubectl to oc (both work, oc is native to image) - Set imagePullPolicy to Always for internal registry Tested successfully: - Python crypt generates valid bcrypt: admin:$2b$12$... - OpenShift CLI image runs without privilege issues - Job is now idempotent and works in restricted SCC Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
The openid scope is mandatory for OIDC authentication. Added scope definition and included it in realm default scopes and ACS client configuration. Also moved offline_access to optional scopes for ACS client. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Changed OIDC mode from "auto" to "query" to use standard authorization code flow - Added offline_access role to admin user to allow offline token requests - Prevents "code already used" and "offline tokens not allowed" errors Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Add retry loop to wait for Keycloak OIDC discovery endpoint to be available before attempting to create the auth provider. This prevents 404 errors when ACS tries to validate the OIDC configuration during provider creation. Fixes timing issue where create-auth-provider job runs before Keycloak realm is fully imported and ready. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Show Keycloak discovery endpoint response before creating provider - Capture and display HTTP status codes for all API calls - Show full response bodies for debugging - Better error messages with HTTP codes This will help diagnose issues with auth provider creation and role mapping. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Add "roles": "roles" to claimMappings so ACS knows to look for the roles claim in the OIDC token. Without this, ACS cannot map Keycloak roles to ACS roles, resulting in "no valid role" error. This is the critical fix for role-based authorization with Keycloak OIDC. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Collaborator
Author
|
An update: I fixed all ACS-Keycloak OIDC Integration issues.
Why:
Now ACS can be automatically deployed as a part of the layered-zero-trust pattern and by default uses Keycloak OIDC authentication. Let me know if I should add to the ACS deployment documentation workflow how the Keycloak integration works. |
p-rog
requested review from
mlorenzofr and
sabre1041
and removed request for
sabre1041
sabre1041
requested changes
Mar 8, 2026
values-hub.yaml
Outdated
| path: charts/acs-central | ||
| overrides: | ||
| - name: central.persistence.storageClass | ||
| value: gp3-csi |
Collaborator
There was a problem hiding this comment.
lets comment this out to avoid users from having to modify the values for their environment so that they can leverage the default StorageClass. Commenting it out still makes it visible ad provides insights for users to the configurations they need to apply
charts/acs-central/templates/jobs/create-cluster-init-bundle.yaml
Outdated
Show resolved
Hide resolved
values-hub.yaml
Outdated
| namespace: openshift-operators | ||
| channel: stable | ||
| source: redhat-operators | ||
| # csv: rhacs-operator.v4.9.0 |
Collaborator
There was a problem hiding this comment.
Should the csv be removed?
- Commented out hardcoded gp3-csi storageClass in values-hub.yaml to use cluster default 2. Job Container Image - Made Configurable - Added jobImage configuration in values.yaml (registry, repository, tag, pullPolicy) - Changed default imagePullPolicy from Always to IfNotPresent - Applied to all 3 jobs: create-auth-provider, create-cluster-init-bundle, create-htpasswd-field 3. Service Account - Made Configurable - Added serviceAccountName to values.yaml (default: create-cluster-init) - Updated all 3 job templates to use the variable - Updated all 4 RBAC templates (ServiceAccount, Role, RoleBinding, ClusterRoleBinding) 4. OIDC/Keycloak Integration Improvements - Removed unused KEYCLOAK_REALM environment variable - Made OIDC claim mappings configurable (name, email, groups, roles) for multi-provider support - Changed auth provider name from Keycloak OIDC to generic OIDC 5. Central CR Template Fix - Fixed exposure configuration to use values directly instead of conditional rendering with hardcoded enabled: true Files Modified: 10 - values-hub.yaml - charts/acs-central/values.yaml - charts/acs-central/templates/central-cr.yaml - charts/acs-central/templates/jobs/* (3 files) - charts/acs-central/templates/rbac/* (4 files)
p-rog
commented
Mar 10, 2026
Collaborator
Author
p-rog
left a comment
p-rog
left a comment
There was a problem hiding this comment.
@sabre1041 I addressed all your concerns and suggestions.
values-hub.yaml
Outdated
| path: charts/acs-central | ||
| overrides: | ||
| - name: central.persistence.storageClass | ||
| value: gp3-csi |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Red Hat Advanced Cluster Security (RHACS/StackRox) consists of two main deployment types:
Central Services (Hub Cluster)
Central:
Scanner:
Secured Cluster Services (Per Cluster)
Sensor:
Admission Controller:
Collector: