Fix issue with TLS Auto, where server cert was not created

jotak · jotak · commit e133290f9323 · 2026-02-26T12:47:42.000+01:00
Also:
- add tests
- improve docs
- add validation hook on provided
diff --git a/README.md b/README.md
@@ -38,11 +38,11 @@ Cert-manager and Trust-manager have to be installed separately. For example, usi
 
 ```bash
 helm repo add cert-manager https://charts.jetstack.io
-helm install my-cert-manager cert-manager/cert-manager --set crds.enabled=true
+helm install cert-manager -n cert-manager --create-namespace cert-manager/cert-manager --set crds.enabled=true
 helm upgrade trust-manager oci://quay.io/jetstack/charts/trust-manager --install --namespace cert-manager --wait
 ```
 
-If you don't want to use Cert-manager and Trust-manager, you will need to provide the expected certificates by other means (refer to [TLS.md](./docs/TLS.md)).
+If you don't want to use Cert-manager and Trust-manager, you need to provide certificates by other means: refer to [TLS.md](./docs/TLS.md).
 
 Prometheus and Loki can be installed separately, or as dependencies of NetObserv (see below).
 
@@ -63,7 +63,36 @@ helm install netobserv -n netobserv --create-namespace --set install.loki=true -
 helm install netobserv -n netobserv --create-namespace netobserv/netobserv-operator
 ```
 
-You can then create a `FlowCollector` resource ([full API reference](https://github.com/netobserv/network-observability-operator/blob/main/docs/FlowCollector.md#flowsnetobserviov1beta2)). A short `FlowCollector` should work; an example is provided in the post-install welcome message.
+You can then create a `FlowCollector` resource ([full API reference](https://github.com/netobserv/network-observability-operator/blob/main/docs/FlowCollector.md#flowsnetobserviov1beta2)). A short `FlowCollector` should work:
+
+```bash
+cat <<EOF | kubectl apply -f -
+apiVersion: flows.netobserv.io/v1beta2
+kind: FlowCollector
+metadata:
+  name: cluster
+spec:
+  namespace: netobserv
+  networkPolicy:
+    enable: false
+  consolePlugin:
+    standalone: true
+  processor:
+    service:
+      tlsType: Auto-mTLS
+  loki:
+    mode: Monolithic
+    monolithic:
+      url: 'http://netobserv-loki.netobserv.svc.cluster.local.:3100/'
+  prometheus:
+    querier:
+      mode: Manual
+      manual:
+        url: http://netobserv-prom-stack-prometheus.netobserv.svc.cluster.local.:9090/
+        alertManager:
+          url: http://netobserv-prom-stack-alertmanager.netobserv.svc.cluster.local.:9093/
+EOF
+```
 
 A few remarks:
 - You can change the Prometheus and Loki URLs depending on your installation. The `FlowCollector` example works if you use the "standalone" installation described above, with `install.loki=true` and `install.prom-stack=true`. Check more configuration options for [Prometheus](https://github.com/netobserv/network-observability-operator/blob/main/docs/FlowCollector.md#flowcollectorspecprometheus-1) and [Loki](https://github.com/netobserv/network-observability-operator/blob/main/docs/FlowCollector.md#flowcollectorspecloki-1).
diff --git a/RELEASE.md b/RELEASE.md
@@ -56,10 +56,10 @@ metadata:
 spec:
   networkPolicy:
     enable: false
-  consumerReplicas: 1
   consolePlugin:
     standalone: true
   processor:
+    consumerReplicas: 1
     service:
       tlsType: Auto-mTLS
   loki:
diff --git a/api/flowcollector/v1beta2/flowcollector_types.go b/api/flowcollector/v1beta2/flowcollector_types.go
@@ -423,7 +423,8 @@ type FlowCollectorKafka struct {
 	// Kafka topic to use. It must exist. NetObserv does not create it.
 	Topic string `json:"topic"`
 
-	// TLS client configuration. When using TLS, verify that the address matches the Kafka port used for TLS, generally 9093.
+	// TLS and mTLS client configuration. When using TLS, verify that the address matches the Kafka port used for TLS, generally 9093.
+	// We recommend the use of mTLS for higher security standards.
 	// +optional
 	TLS ClientTLS `json:"tls"`
 
diff --git a/api/flowcollector/v1beta2/flowcollector_validation_webhook.go b/api/flowcollector/v1beta2/flowcollector_validation_webhook.go
@@ -247,6 +247,7 @@ func (v *validator) validateFLP() {
 	v.validateFLPFilters()
 	v.validateFLPAlerts()
 	v.validateFLPMetricsForAlerts()
+	v.validateFLPTLS()
 }
 
 func (v *validator) validateScheduling() {
@@ -421,6 +422,27 @@ func (v *validator) validateFLPMetricsForAlerts() {
 	}
 }
 
+func (v *validator) validateFLPTLS() {
+	if v.fc.DeploymentModel == DeploymentModelService && v.fc.Processor.Service != nil && v.fc.Processor.Service.TLSType == TLSProvided {
+		if v.fc.Processor.Service.ProvidedCertificates == nil {
+			v.errors = append(
+				v.errors,
+				errors.New("missing configuration in spec.processor.providedCertificates despite spec.processor.tlsType being set to Provided"),
+			)
+		} else if v.fc.Processor.Service.ProvidedCertificates.CAFile == nil {
+			v.errors = append(
+				v.errors,
+				errors.New("missing configuration in spec.processor.providedCertificates.caFile despite spec.processor.tlsType being set to Provided"),
+			)
+		} else if v.fc.Processor.Service.ProvidedCertificates.ServerCert == nil {
+			v.errors = append(
+				v.errors,
+				errors.New("missing configuration in spec.processor.providedCertificates.serverCert despite spec.processor.tlsType being set to Provided"),
+			)
+		}
+	}
+}
+
 func GetFirstRequiredMetrics(anyRequired, actual []string) string {
 	for _, m := range anyRequired {
 		if slices.Contains(actual, m) {
diff --git a/api/flowcollector/v1beta2/flowcollector_validation_webhook_test.go b/api/flowcollector/v1beta2/flowcollector_validation_webhook_test.go
@@ -860,6 +860,21 @@ func TestValidateFLP(t *testing.T) {
 				},
 			},
 		},
+		{
+			name:       "Missing provided TLS config",
+			ocpVersion: "4.18.0",
+			fc: &FlowCollector{
+				Spec: FlowCollectorSpec{
+					DeploymentModel: DeploymentModelService,
+					Processor: FlowCollectorFLP{
+						Service: &ProcessorServiceConfig{
+							TLSType: TLSProvided,
+						},
+					},
+				},
+			},
+			expectedError: "missing configuration in spec.processor.providedCertificates despite spec.processor.tlsType being set to Provided",
+		},
 	}
 
 	CurrentClusterInfo = &cluster.Info{}
diff --git a/bundle/manifests/flows.netobserv.io_flowcollectors.yaml b/bundle/manifests/flows.netobserv.io_flowcollectors.yaml
@@ -3358,9 +3358,9 @@ spec:
                               type: string
                           type: object
                         tls:
-                          description: TLS client configuration. When using TLS, verify
-                            that the address matches the Kafka port used for TLS,
-                            generally 9093.
+                          description: |-
+                            TLS and mTLS client configuration. When using TLS, verify that the address matches the Kafka port used for TLS, generally 9093.
+                            We recommend the use of mTLS for higher security standards.
                           properties:
                             caCert:
                               description: '`caCert` defines the reference of the
@@ -3677,9 +3677,9 @@ spec:
                         type: string
                     type: object
                   tls:
-                    description: TLS client configuration. When using TLS, verify
-                      that the address matches the Kafka port used for TLS, generally
-                      9093.
+                    description: |-
+                      TLS and mTLS client configuration. When using TLS, verify that the address matches the Kafka port used for TLS, generally 9093.
+                      We recommend the use of mTLS for higher security standards.
                     properties:
                       caCert:
                         description: '`caCert` defines the reference of the certificate
diff --git a/config/crd/bases/flows.netobserv.io_flowcollectors.yaml b/config/crd/bases/flows.netobserv.io_flowcollectors.yaml
@@ -3138,7 +3138,9 @@ spec:
                                 type: string
                             type: object
                           tls:
-                            description: TLS client configuration. When using TLS, verify that the address matches the Kafka port used for TLS, generally 9093.
+                            description: |-
+                              TLS and mTLS client configuration. When using TLS, verify that the address matches the Kafka port used for TLS, generally 9093.
+                              We recommend the use of mTLS for higher security standards.
                             properties:
                               caCert:
                                 description: '`caCert` defines the reference of the certificate for the Certificate Authority.'
@@ -3409,7 +3411,9 @@ spec:
                           type: string
                       type: object
                     tls:
-                      description: TLS client configuration. When using TLS, verify that the address matches the Kafka port used for TLS, generally 9093.
+                      description: |-
+                        TLS and mTLS client configuration. When using TLS, verify that the address matches the Kafka port used for TLS, generally 9093.
+                        We recommend the use of mTLS for higher security standards.
                       properties:
                         caCert:
                           description: '`caCert` defines the reference of the certificate for the Certificate Authority.'
diff --git a/docs/FlowCollector.md b/docs/FlowCollector.md
@@ -6161,7 +6161,8 @@ Kafka configuration, such as the address and topic, to send enriched flows to.
         <td><b><a href="#flowcollectorspecexportersindexkafkatls">tls</a></b></td>
         <td>object</td>
         <td>
-          TLS client configuration. When using TLS, verify that the address matches the Kafka port used for TLS, generally 9093.<br/>
+          TLS and mTLS client configuration. When using TLS, verify that the address matches the Kafka port used for TLS, generally 9093.
+We recommend the use of mTLS for higher security standards.<br/>
         </td>
         <td>false</td>
       </tr></tbody>
@@ -6323,7 +6324,8 @@ If the namespace is different, the config map or the secret is copied so that it
 
 
 
-TLS client configuration. When using TLS, verify that the address matches the Kafka port used for TLS, generally 9093.
+TLS and mTLS client configuration. When using TLS, verify that the address matches the Kafka port used for TLS, generally 9093.
+We recommend the use of mTLS for higher security standards.
 
 <table>
     <thead>
@@ -6901,7 +6903,8 @@ Kafka configuration, allowing to use Kafka as a broker as part of the flow colle
         <td><b><a href="#flowcollectorspeckafkatls">tls</a></b></td>
         <td>object</td>
         <td>
-          TLS client configuration. When using TLS, verify that the address matches the Kafka port used for TLS, generally 9093.<br/>
+          TLS and mTLS client configuration. When using TLS, verify that the address matches the Kafka port used for TLS, generally 9093.
+We recommend the use of mTLS for higher security standards.<br/>
         </td>
         <td>false</td>
       </tr></tbody>
@@ -7063,7 +7066,8 @@ If the namespace is different, the config map or the secret is copied so that it
 
 
 
-TLS client configuration. When using TLS, verify that the address matches the Kafka port used for TLS, generally 9093.
+TLS and mTLS client configuration. When using TLS, verify that the address matches the Kafka port used for TLS, generally 9093.
+We recommend the use of mTLS for higher security standards.
 
 <table>
     <thead>
diff --git a/docs/TLS.md b/docs/TLS.md
@@ -1,50 +1,126 @@
-## TLS and expected certificates
+# TLS and expected certificates
 
 This document lists all required and optional TLS certificates for NetObserv. You can also refer to the [Helm chart templates](../helm/templates/certificates.yaml) for cert-manager.
 
+## Required certificates
+
+Those certificates are always required and are not configurable:
+
 <table>
   <thead>
     <tr>
       <th>Service name</th>
-      <th>Required</th>
       <th>Resource kind</th>
       <th>Resource name</th>
       <th>Resource keys</th>
-      <th>Notes</th>
     </tr>
   </thead>
   <tbody>
     <tr>
       <td>netobserv-webhook-service</td>
-      <td>yes</td>
       <td>Secret</td>
       <td>webhook-server-cert</td>
-      <td>ca.crt, tls.crt, tls.key</td>
-      <td></td>
+      <td>tls.crt, tls.key</td>
     </tr>
     <tr>
       <td>netobserv-metrics-service</td>
-      <td>yes</td>
       <td>Secret</td>
       <td>manager-metrics-tls</td>
-      <td>ca.crt, tls.crt, tls.key</td>
+      <td>tls.crt, tls.key</td>
+    </tr>
+  </tbody>
+</table>
+
+## Agent to FLP certificates
+
+When `spec.deploymentModel` is "Service", the traffic from eBPF agents to flowlogs-pipeline pods uses TLS by default. It is possible to disable TLS, though not recommended in production-grade environments, as it decreases the security of the NetObserv deployments.
+
+In "Kafka" mode, the TLS/SASL configuration depends on your installation. The Kafka clients used in NetObserv support simple TLS, mTLS, SASL as well as no TLS. We recommend the use of mTLS for higher security standards.
+
+In "Direct" mode, the traffic doesn't leave the host and is not encrypted.
+
+The tables below apply to the "Service" mode.
+
+### Auto (TLS)
+
+When `spec.processor.service.tlsType` is "Auto":
+
+<table>
+  <thead>
+    <tr>
+      <th>Needed by</th>
+      <th>Resource kind</th>
+      <th>Resource name</th>
+      <th>Resource keys</th>
+      <th>Notes</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td>flowlogs-pipeline</td>
+      <td>Secret</td>
+      <td>flowlogs-pipeline-cert</td>
+      <td>tls.crt, tls.key</td>
       <td></td>
     </tr>
+    <tr>
+      <td>eBPF Agents</td>
+      <td>ConfigMap</td>
+      <td>netobserv-ca</td>
+      <td>service-ca.crt</td>
+      <td>Must be installed in netobserv-privileged namespace.</td>
+    </tr>
+  </tbody>
+</table>
+
+### Auto (mTLS)
+
+When `spec.processor.service.tlsType` is "Auto-mTLS":
+
+<table>
+  <thead>
+    <tr>
+      <th>Needed by</th>
+      <th>Resource kind</th>
+      <th>Resource name</th>
+      <th>Resource keys</th>
+      <th>Notes</th>
+    </tr>
+  </thead>
+  <tbody>
     <tr>
       <td>flowlogs-pipeline</td>
-      <td>no</td>
       <td>Secret</td>
       <td>flowlogs-pipeline-cert</td>
-      <td>ca.crt, tls.crt, tls.key</td>
-      <td>Only used when spec.deploymentModel is "Service".</td>
+      <td>tls.crt, tls.key</td>
+      <td></td>
     </tr>
     <tr>
-      <td>flowlogs-pipeline CA</td>
-      <td>no</td>
+      <td>flowlogs-pipeline</td>
       <td>ConfigMap</td>
       <td>netobserv-ca</td>
       <td>service-ca.crt</td>
-      <td>Must be installed in netobserv-privileged namespace. Only used when spec.deploymentModel is "Service".</td>
+      <td></td>
+    </tr>
+    <tr>
+      <td>eBPF Agents</td>
+      <td>Secret</td>
+      <td>ebpf-agent-cert</td>
+      <td>tls.crt, tls.key</td>
+      <td>Must be installed in netobserv-privileged namespace.</td>
+    </tr>
+    <tr>
+      <td>eBPF Agents</td>
+      <td>ConfigMap</td>
+      <td>netobserv-ca</td>
+      <td>service-ca.crt</td>
+      <td>Must be installed in netobserv-privileged namespace.</td>
     </tr>
   </tbody>
 </table>
+
+### Provided
+
+When `spec.processor.service.tlsType` is "Provided", you can specify any Secret or ConfigMap for TLS or mTLS, via `spec.processor.service.providedCertificates`.
+
+For mTLS, configure `spec.processor.service.providedCertificates.clientCert`. For simple TLS, do not set the client cert config.
diff --git a/helm/README.md b/helm/README.md
@@ -34,11 +34,11 @@ Cert-manager and Trust-manager have to be installed separately. For example, usi
 
 ```bash
 helm repo add cert-manager https://charts.jetstack.io
-helm install my-cert-manager cert-manager/cert-manager --set crds.enabled=true
+helm install cert-manager -n cert-manager --create-namespace cert-manager/cert-manager --set crds.enabled=true
 helm upgrade trust-manager oci://quay.io/jetstack/charts/trust-manager --install --namespace cert-manager --wait
 ```
 
-If you don't want to use Cert-manager and Trust-manager, you will need to provide the expected certificates by other means (refer to [TLS.md](https://github.com/netobserv/network-observability-operator/blob/main/docs/TLS.md)).
+If you don't want to use Cert-manager and Trust-manager, you need to provide  certificates by other means: refer to [TLS.md](https://github.com/netobserv/network-observability-operator/blob/main/docs/TLS.md).
 
 Prometheus and Loki can be installed separately, or as dependencies of NetObserv (see below).
 
diff --git a/helm/crds/flows.netobserv.io_flowcollectors.yaml b/helm/crds/flows.netobserv.io_flowcollectors.yaml
@@ -3142,7 +3142,9 @@ spec:
                                 type: string
                             type: object
                           tls:
-                            description: TLS client configuration. When using TLS, verify that the address matches the Kafka port used for TLS, generally 9093.
+                            description: |-
+                              TLS and mTLS client configuration. When using TLS, verify that the address matches the Kafka port used for TLS, generally 9093.
+                              We recommend the use of mTLS for higher security standards.
                             properties:
                               caCert:
                                 description: '`caCert` defines the reference of the certificate for the Certificate Authority.'
@@ -3413,7 +3415,9 @@ spec:
                           type: string
                       type: object
                     tls:
-                      description: TLS client configuration. When using TLS, verify that the address matches the Kafka port used for TLS, generally 9093.
+                      description: |-
+                        TLS and mTLS client configuration. When using TLS, verify that the address matches the Kafka port used for TLS, generally 9093.
+                        We recommend the use of mTLS for higher security standards.
                       properties:
                         caCert:
                           description: '`caCert` defines the reference of the certificate for the Certificate Authority.'
diff --git a/internal/pkg/helper/tls.go b/internal/pkg/helper/tls.go
diff --git a/internal/pkg/helper/tls_test.go b/internal/pkg/helper/tls_test.go
