Feature Request
Resolution: Unresolved
Normal
rhacs-4.7.0, rhacs-4.8.0
Product / Portfolio Work
1. Proposed title of this feature request
Enable Automatic HTTPS Redirection for RHACS Central Route
2. What is the nature and description of the request?
This is an enhancement request to change the default behavior of the Red Hat Advanced Cluster Security (RHACS) Central route. Currently, the route is created as a passthrough or re-encrypt type without the insecureEdgeTerminationPolicy set to Redirect. This means that users who navigate to the Central URL using http:// will not be automatically redirected to https://.
The proposal is to modify the default configuration to set insecureEdgeTerminationPolicy: Redirect for the Central route. Additionally, a new field should be introduced in the Central Custom Resource (CR) to allow administrators to easily enable or disable this HTTP to HTTPS redirection.
$ oc get route central
NAME      HOST/PORT                               PATH   SERVICES   PORT    TERMINATION   WILDCARD
central   central-stackrox.apps.ocp.example.com          central    https   passthrough   None
3. Why does the customer need this? (List the business requirements here)
The business requirements for this feature are:
Improved User Experience: Users expect modern web applications to automatically redirect from HTTP to HTTPS. Requiring manual entry of https:// is inconvenient and can lead to confusion and support tickets.
Consistency with Platform Standards: Other OpenShift Container Platform (OCP) routes, such as the console and oauth-openshift, already have this redirection enabled by default. This change would align RHACS with the established behavior of the platform, creating a more consistent and predictable environment for administrators and users.
$ oc get route -n openshift-console
NAME        HOST/PORT                                          PATH   SERVICES    PORT    TERMINATION          WILDCARD
console     console-openshift-console.apps.ocp.example.com            console     https   reencrypt/Redirect   None
downloads   downloads-openshift-console.apps.ocp.example.com          downloads   http    edge/Redirect        None
$ oc get route -n openshift-authentication
NAME              HOST/PORT                              PATH   SERVICES          PORT   TERMINATION            WILDCARD
oauth-openshift   oauth-openshift.apps.ocp.example.com          oauth-openshift   6443   passthrough/Redirect   None
Enhanced Security Posture: While the data is encrypted with passthrough or re-encrypt, allowing initial insecure connections is not a security best practice. Enforcing HTTPS by default ensures that all traffic to the RHACS Central endpoint is encrypted from the start, reducing any potential for misconfiguration or user error that could lead to insecure access attempts.
Simplified Configuration: Providing an option in the Central CR to manage this setting simplifies administration, removing the need for manual post-deployment modifications of the route.
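Until such a default exists, an administrator can audit which routes lack the redirect. The following is an added example, not part of the original request or of RHACS: it classifies routes from `oc get route -A -o json` output by their `insecureEdgeTerminationPolicy`, using a constructed sample that mirrors the routes quoted above (the `stackrox` namespace and the function names are assumptions).

```python
import json

# Constructed sample shaped like `oc get route -A -o json`, mirroring the routes
# quoted in this request. The "stackrox" namespace for central is an assumption.
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "stackrox", "name": "central"},
     "spec": {"tls": {"termination": "passthrough"}}},
    {"metadata": {"namespace": "openshift-console", "name": "console"},
     "spec": {"tls": {"termination": "reencrypt",
                      "insecureEdgeTerminationPolicy": "Redirect"}}},
    {"metadata": {"namespace": "openshift-console", "name": "downloads"},
     "spec": {"tls": {"termination": "edge",
                      "insecureEdgeTerminationPolicy": "Redirect"}}},
    {"metadata": {"namespace": "openshift-authentication", "name": "oauth-openshift"},
     "spec": {"tls": {"termination": "passthrough",
                      "insecureEdgeTerminationPolicy": "Redirect"}}},
]})


def http_behaviour(route):
    """Classify how the router treats a plain-HTTP request for this route."""
    tls = route.get("spec", {}).get("tls")
    if not tls:
        return "http-only"      # no TLS block: the route is served over HTTP
    policy = tls.get("insecureEdgeTerminationPolicy") or "None"
    if policy == "Redirect":
        return "redirect"
    # "Allow" applies to edge and reencrypt routes only, not passthrough
    if policy == "Allow" and tls.get("termination") != "passthrough":
        return "http-allowed"
    return "no-redirect"        # unset or None: no redirect is issued


def audit(routes_json):
    """Return (namespace, name, termination, behaviour) for routes lacking a redirect."""
    findings = []
    for route in json.loads(routes_json).get("items", []):
        behaviour = http_behaviour(route)
        if behaviour != "redirect":
            meta = route.get("metadata", {})
            tls = route.get("spec", {}).get("tls") or {}
            findings.append((meta.get("namespace"), meta.get("name"),
                             tls.get("termination", "none"), behaviour))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("%s/%s termination=%s http=%s" % finding)
```

On the sample, only the Central route is reported, matching the gap this request describes.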
4. List any affected packages or components.
RHACS