netobserv
diff --git a/‎RELEASE.md‎
Lines changed: 4 additions & 2 deletions b/‎RELEASE.md‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎api/flowcollector/v1beta2/flowcollector_types.go‎
Lines changed: 42 additions & 6 deletions b/‎api/flowcollector/v1beta2/flowcollector_types.go‎
Lines changed: 42 additions & 6 deletions
diff --git a/‎api/flowcollector/v1beta2/zz_generated.deepcopy.go‎
Lines changed: 57 additions & 2 deletions b/‎api/flowcollector/v1beta2/zz_generated.deepcopy.go‎
Lines changed: 57 additions & 2 deletions
diff --git a/‎bundle/manifests/flows.netobserv.io_flowcollectors.yaml‎
Lines changed: 110 additions & 0 deletions b/‎bundle/manifests/flows.netobserv.io_flowcollectors.yaml‎
Lines changed: 110 additions & 0 deletions
diff --git a/‎bundle/manifests/netobserv-operator.clusterserviceversion.yaml‎
Lines changed: 40 additions & 0 deletions b/‎bundle/manifests/netobserv-operator.clusterserviceversion.yaml‎
Lines changed: 40 additions & 0 deletions
@@ -54,12 +54,14 @@ kind: FlowCollector
 metadata:
   name: cluster
 spec:
-  namespace: netobserv
   networkPolicy:
     enable: false
-  deploymentModel: Direct
+  consumerReplicas: 1
   consolePlugin:
     standalone: true
+  processor:
+    service:
+      tlsType: Auto-mTLS
   loki:
     mode: Monolithic
     monolithic:
 
@@ -516,12 +516,13 @@ type FlowCollectorOpenTelemetry struct {
 	Metrics FlowCollectorOpenTelemetryMetrics `json:"metrics"`
 }
 
-type ServerTLSConfigType string
+type TLSConfigType string
 
 const (
-	ServerTLSDisabled ServerTLSConfigType = "Disabled"
-	ServerTLSProvided ServerTLSConfigType = "Provided"
-	ServerTLSAuto     ServerTLSConfigType = "Auto"
+	TLSDisabled TLSConfigType = "Disabled"
+	TLSProvided TLSConfigType = "Provided"
+	TLSAuto     TLSConfigType = "Auto"
+	TLSAutoMTLS TLSConfigType = "Auto-mTLS"
 )
 
 // `ServerTLS` define the TLS configuration, server side
@@ -534,7 +535,7 @@ type ServerTLS struct {
 	// +kubebuilder:validation:Enum:="Disabled";"Provided";"Auto"
 	// +kubebuilder:validation:Required
 	//+kubebuilder:default:="Disabled"
-	Type ServerTLSConfigType `json:"type,omitempty"`
+	Type TLSConfigType `json:"type,omitempty"`
 
 	// TLS configuration when `type` is set to `Provided`.
 	// +optional
@@ -547,7 +548,22 @@ type ServerTLS struct {
 
 	// Reference to the CA file when `type` is set to `Provided`.
 	// +optional
-	ProvidedCaFile *FileReference `json:"providedCaFile,omitempty"`
+	ProvidedCAFile *FileReference `json:"providedCaFile,omitempty"`
+}
+
+// `ClientServerTLS` define the TLS configuration for both client and server sides
+type ClientServerTLS struct {
+	// TLS client certificate reference.
+	// +optional
+	ClientCert *CertificateReference `json:"clientCert,omitempty"`
+
+	// TLS server certificate reference.
+	// +optional
+	ServerCert *CertificateReference `json:"serverCert,omitempty"`
+
+	// Reference to the CA file.
+	// +optional
+	CAFile *FileReference `json:"caFile,omitempty"`
 }
 
 // `MetricsServerConfig` define the metrics server endpoint configuration for Prometheus scraper
@@ -707,6 +723,10 @@ type FlowCollectorFLP struct {
 	//+optional
 	SlicesConfig *SlicesConfig `json:"slicesConfig,omitempty"`
 
+	// Service configuration, only used when `spec.deploymentModel` is `Service`.
+	// +optional
+	Service *ProcessorServiceConfig `json:"service,omitempty"`
+
 	// `advanced` allows setting some aspects of the internal configuration of the flow processor.
 	// This section is aimed mostly for debugging and fine-grained performance optimizations,
 	// such as `GOGC` and `GOMAXPROCS` environment variables. Set these values at your own risk.
@@ -1510,6 +1530,22 @@ type SubnetLabel struct {
 	Name string `json:"name,omitempty"`
 }
 
+type ProcessorServiceConfig struct {
+	// Select the type of TLS configuration:<br>
+	// - `Disabled` to not configure TLS for the endpoint.
+	// - `Provided` to manually provide cert file and a key file. [Unsupported (*)].
+	// - `Auto` (default) to try to determine if TLS can be enabled based on the running environment.
+	// - `Auto-mTLS` to preconfigure mTLS. [Unsupported (*)].
+	// +kubebuilder:validation:Enum:="Disabled";"Provided";"Auto";"Auto-mTLS"
+	// +kubebuilder:validation:Required
+	// +kubebuilder:default:="Auto"
+	TLSType TLSConfigType `json:"tlsType,omitempty"`
+
+	// TLS or mTLS configuration when `type` is set to `Provided`.
+	// +optional
+	ProvidedCertificates *ClientServerTLS `json:"providedCertificates,omitempty"`
+}
+
 // Add more exporter types below
 type ExporterType string
 
 
@@ -6165,6 +6165,116 @@ spec:
                           More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
                         type: object
                     type: object
+                  service:
+                    description: Service configuration, only used when `spec.deploymentModel`
+                      is `Service`.
+                    properties:
+                      providedCertificates:
+                        description: TLS or mTLS configuration when `type` is set
+                          to `Provided`.
+                        properties:
+                          caFile:
+                            description: Reference to the CA file.
+                            properties:
+                              file:
+                                description: File name within the config map or secret.
+                                type: string
+                              name:
+                                description: Name of the config map or secret containing
+                                  the file.
+                                type: string
+                              namespace:
+                                default: ""
+                                description: |-
+                                  Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where NetObserv is deployed.
+                                  If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+                                type: string
+                              type:
+                                description: 'Type for the file reference: `configmap`
+                                  or `secret`.'
+                                enum:
+                                - configmap
+                                - secret
+                                type: string
+                            type: object
+                          clientCert:
+                            description: TLS client certificate reference.
+                            properties:
+                              certFile:
+                                description: '`certFile` defines the path to the certificate
+                                  file name within the config map or secret.'
+                                type: string
+                              certKey:
+                                description: '`certKey` defines the path to the certificate
+                                  private key file name within the config map or secret.
+                                  Omit when the key is not necessary.'
+                                type: string
+                              name:
+                                description: Name of the config map or secret containing
+                                  certificates.
+                                type: string
+                              namespace:
+                                default: ""
+                                description: |-
+                                  Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed.
+                                  If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+                                type: string
+                              type:
+                                description: 'Type for the certificate reference:
+                                  `configmap` or `secret`.'
+                                enum:
+                                - configmap
+                                - secret
+                                type: string
+                            type: object
+                          serverCert:
+                            description: TLS server certificate reference.
+                            properties:
+                              certFile:
+                                description: '`certFile` defines the path to the certificate
+                                  file name within the config map or secret.'
+                                type: string
+                              certKey:
+                                description: '`certKey` defines the path to the certificate
+                                  private key file name within the config map or secret.
+                                  Omit when the key is not necessary.'
+                                type: string
+                              name:
+                                description: Name of the config map or secret containing
+                                  certificates.
+                                type: string
+                              namespace:
+                                default: ""
+                                description: |-
+                                  Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where NetObserv is deployed.
+                                  If the namespace is different, the config map or the secret is copied so that it can be mounted as required.
+                                type: string
+                              type:
+                                description: 'Type for the certificate reference:
+                                  `configmap` or `secret`.'
+                                enum:
+                                - configmap
+                                - secret
+                                type: string
+                            type: object
+                        type: object
+                      tlsType:
+                        default: Auto
+                        description: |-
+                          Select the type of TLS configuration:<br>
+                          - `Disabled` to not configure TLS for the endpoint.
+                          - `Provided` to manually provide cert file and a key file. [Unsupported (*)].
+                          - `Auto` (default) to try to determine if TLS can be enabled based on the running environment.
+                          - `Auto-mTLS` to preconfigure mTLS. [Unsupported (*)].
+                        enum:
+                        - Disabled
+                        - Provided
+                        - Auto
+                        - Auto-mTLS
+                        type: string
+                    required:
+                    - tlsType
+                    type: object
                   slicesConfig:
                     description: Global configuration managing FlowCollectorSlices
                       custom resources.
 
@@ -470,6 +470,46 @@ spec:
         path: processor.metrics.includeList
       - displayName: Port
         path: processor.metrics.server.port
+      - displayName: Service
+        path: processor.service
+      - displayName: Provided certificates
+        path: processor.service.providedCertificates
+      - displayName: Ca file
+        path: processor.service.providedCertificates.caFile
+      - displayName: File
+        path: processor.service.providedCertificates.caFile.file
+      - displayName: Name
+        path: processor.service.providedCertificates.caFile.name
+      - displayName: Namespace
+        path: processor.service.providedCertificates.caFile.namespace
+      - displayName: Type
+        path: processor.service.providedCertificates.caFile.type
+      - displayName: Client cert
+        path: processor.service.providedCertificates.clientCert
+      - displayName: Cert file
+        path: processor.service.providedCertificates.clientCert.certFile
+      - displayName: Cert key
+        path: processor.service.providedCertificates.clientCert.certKey
+      - displayName: Name
+        path: processor.service.providedCertificates.clientCert.name
+      - displayName: Namespace
+        path: processor.service.providedCertificates.clientCert.namespace
+      - displayName: Type
+        path: processor.service.providedCertificates.clientCert.type
+      - displayName: Server cert
+        path: processor.service.providedCertificates.serverCert
+      - displayName: Cert file
+        path: processor.service.providedCertificates.serverCert.certFile
+      - displayName: Cert key
+        path: processor.service.providedCertificates.serverCert.certKey
+      - displayName: Name
+        path: processor.service.providedCertificates.serverCert.name
+      - displayName: Namespace
+        path: processor.service.providedCertificates.serverCert.namespace
+      - displayName: Type
+        path: processor.service.providedCertificates.serverCert.type
+      - displayName: Tls type
+        path: processor.service.tlsType
       - displayName: Slices config
         path: processor.slicesConfig
       - displayName: Collection mode