netobserv · jotak · Feb 19, 2026 · Feb 19, 2026 · Feb 19, 2026 · Feb 26, 2026
diff --git a/README.md b/README.md
@@ -30,17 +30,20 @@ The following architectures are supported: _amd64_, _arm64_, _ppc64le_ and _s390
 
 NetObserv has a couple of dependencies that must be installed on your cluster:
 
-- Cert-manager
+- Cert-manager / trust-manager
 - Prometheus
 - Loki
 
-Cert-manager has to be installed separately. For example, using helm:
+Cert-manager and Trust-manager have to be installed separately. For example, using helm:
 
 ```bash
 helm repo add cert-manager https://charts.jetstack.io
-helm install my-cert-manager cert-manager/cert-manager --set crds.enabled=true
+helm install cert-manager -n cert-manager --create-namespace cert-manager/cert-manager --set crds.enabled=true
+helm upgrade trust-manager oci://quay.io/jetstack/charts/trust-manager --install --namespace cert-manager --wait
 ```
 
+If you don't want to use Cert-manager and Trust-manager, you need to provide certificates by other means: refer to [TLS.md](./docs/TLS.md).
+
 Prometheus and Loki can be installed separately, or as dependencies of NetObserv (see below).
 
 Loki is not mandatory but improves the overall experience with NetObserv.
@@ -54,13 +57,13 @@ Loki is not mandatory but improves the overall experience with NetObserv.
 helm repo add netobserv https://netobserv.io/static/helm/ --force-update
 
 # Standalone install, including dependencies:
-helm install my-netobserv -n netobserv --create-namespace --set install.loki=true --set install.prom-stack=true netobserv/netobserv-operator
+helm install netobserv -n netobserv --create-namespace --set install.loki=true --set install.prom-stack=true netobserv/netobserv-operator
 
 # OR minimal install (Prometheus/Loki must be installed separately)
-helm install my-netobserv -n netobserv --create-namespace netobserv/netobserv-operator
+helm install netobserv -n netobserv --create-namespace netobserv/netobserv-operator
 ```
 
-You can now create a `FlowCollector` resource. Refer to the [Configuration section](#configuration) of this document. A short `FlowCollector` should work, using most default values, plus with the standalone console enabled:
+You can then create a `FlowCollector` resource ([full API reference](https://github.com/netobserv/network-observability-operator/blob/main/docs/FlowCollector.md#flowsnetobserviov1beta2)). A short `FlowCollector` should work:
 
 ```bash
 cat <<EOF | kubectl apply -f -
@@ -75,27 +78,25 @@ spec:
   consolePlugin:
     standalone: true
   processor:
-    advanced:
-      env:
-        SERVER_NOTLS: "true"
+    service:
+      tlsType: Auto-mTLS
   loki:
     mode: Monolithic
     monolithic:
-      url: 'http://my-netobserv-loki.netobserv.svc.cluster.local.:3100/'
+      url: 'http://netobserv-loki.netobserv.svc.cluster.local.:3100/'
   prometheus:
     querier:
       mode: Manual
       manual:
-        url: http://my-netobserv-kube-promethe-prometheus.netobserv.svc.cluster.local.:9090/
+        url: http://netobserv-prom-stack-prometheus.netobserv.svc.cluster.local.:9090/
         alertManager:
-          url: http://my-netobserv-kube-promethe-alertmanager.netobserv.svc.cluster.local.:9093/
+          url: http://netobserv-prom-stack-alertmanager.netobserv.svc.cluster.local.:9093/
 EOF
 ```
 
 A few remarks:
-- You can change the Prometheus and Loki URLs depending on your installation. This example works if you use the "standalone" installation described above, with `install.loki=true` and `install.prom-stack=true`. Check more configuration options for [Prometheus](https://github.com/netobserv/network-observability-operator/blob/main/docs/FlowCollector.md#flowcollectorspecprometheus-1) and [Loki](https://github.com/netobserv/network-observability-operator/blob/main/docs/FlowCollector.md#flowcollectorspecloki-1).
+- You can change the Prometheus and Loki URLs depending on your installation. The `FlowCollector` example works if you use the "standalone" installation described above, with `install.loki=true` and `install.prom-stack=true`. Check more configuration options for [Prometheus](https://github.com/netobserv/network-observability-operator/blob/main/docs/FlowCollector.md#flowcollectorspecprometheus-1) and [Loki](https://github.com/netobserv/network-observability-operator/blob/main/docs/FlowCollector.md#flowcollectorspecloki-1).
 - You can enable networkPolicy, which makes the operator lock down the namespaces that it manages; however, this is highly dependent on your cluster topology, and may cause malfunctions, such as preventing NetObserv pods from communicating with the Kube API server.
-- The processor env `SERVER_NOTLS` means that the communication between eBPF agents and Flowlogs-pipeline won't be encrypted. To enable TLS, you need to supply the TLS certificates to Flowlogs-pipeline (a Secret named `flowlogs-pipeline-cert`), and the CA to the eBPF agents (a ConfigMap named `flowlogs-pipeline-ca` in the privileged namespace). [Check this issue](https://github.com/netobserv/network-observability-operator/issues/2360) if you want to help making it simpler.
 
 To view the test console, you can port-forward 9001:
 

diff --git a/RELEASE.md b/RELEASE.md
@@ -43,38 +43,36 @@ When all component drafts are ready, you can test the helm chart on your cluster
 
 ```bash
 helm repo add cert-manager https://charts.jetstack.io
-helm install my-cert-manager cert-manager/cert-manager --set crds.enabled=true
+helm install cert-manager -n cert-manager --create-namespace cert-manager/cert-manager --set crds.enabled=true
+helm upgrade trust-manager oci://quay.io/jetstack/charts/trust-manager --install --namespace cert-manager --wait
 
-helm install my-netobserv -n netobserv --create-namespace --set install.loki=true --set install.prom-stack=true ./helm
+helm install netobserv -n netobserv --create-namespace --set install.loki=true --set install.prom-stack=true ./helm
 
 cat <<EOF | kubectl apply -f -
 apiVersion: flows.netobserv.io/v1beta2
 kind: FlowCollector
 metadata:
   name: cluster
 spec:
-  namespace: netobserv
-  agent:
-    eBPF:
-      privileged: true
-      features:
-      - NetworkEvents
   networkPolicy:
     enable: false
-  deploymentModel: Direct
   consolePlugin:
     standalone: true
+  processor:
+    consumerReplicas: 1
+    service:
+      tlsType: Auto-mTLS
   loki:
     mode: Monolithic
     monolithic:
-      url: 'http://my-netobserv-loki.netobserv.svc.cluster.local.:3100/'
+      url: 'http://netobserv-loki.netobserv.svc.cluster.local.:3100/'
   prometheus:
     querier:
       mode: Manual
       manual:
-        url: http://my-netobserv-kube-promethe-prometheus.netobserv.svc.cluster.local.:9090/
+        url: http://netobserv-prom-stack-prometheus.netobserv.svc.cluster.local.:9090/
         alertManager:
-          url: http://my-netobserv-kube-promethe-alertmanager.netobserv.svc.cluster.local.:9093/
+          url: http://netobserv-prom-stack-alertmanager.netobserv.svc.cluster.local.:9093/
 EOF
 
 # Check components image:
@@ -90,7 +88,7 @@ Then open http://localhost:9001/ in your browser, and do some manual smoke tests
 To clean up:
 
 ```bash
-helm delete my-netobserv -n netobserv
+helm delete netobserv -n netobserv
 ```
 
 ### Commit operator changes

diff --git a/api/flowcollector/v1beta2/flowcollector_types.go b/api/flowcollector/v1beta2/flowcollector_types.go
@@ -423,7 +423,8 @@ type FlowCollectorKafka struct {
 	// Kafka topic to use. It must exist. NetObserv does not create it.
 	Topic string `json:"topic"`
 
-	// TLS client configuration. When using TLS, verify that the address matches the Kafka port used for TLS, generally 9093.
+	// TLS and mTLS client configuration. When using TLS, verify that the address matches the Kafka port used for TLS, generally 9093.
+	// We recommend the use of mTLS for higher security standards.
 	// +optional
 	TLS ClientTLS `json:"tls"`
 
@@ -516,12 +517,13 @@ type FlowCollectorOpenTelemetry struct {
 	Metrics FlowCollectorOpenTelemetryMetrics `json:"metrics"`
 }
 
-type ServerTLSConfigType string
+type TLSConfigType string
 
 const (
-	ServerTLSDisabled ServerTLSConfigType = "Disabled"
-	ServerTLSProvided ServerTLSConfigType = "Provided"
-	ServerTLSAuto     ServerTLSConfigType = "Auto"
+	TLSDisabled TLSConfigType = "Disabled"
+	TLSProvided TLSConfigType = "Provided"
+	TLSAuto     TLSConfigType = "Auto"
+	TLSAutoMTLS TLSConfigType = "Auto-mTLS"
 )
 
 // `ServerTLS` define the TLS configuration, server side
@@ -534,7 +536,7 @@ type ServerTLS struct {
 	// +kubebuilder:validation:Enum:="Disabled";"Provided";"Auto"
 	// +kubebuilder:validation:Required
 	//+kubebuilder:default:="Disabled"
-	Type ServerTLSConfigType `json:"type,omitempty"`
+	Type TLSConfigType `json:"type,omitempty"`
 
 	// TLS configuration when `type` is set to `Provided`.
 	// +optional
@@ -547,7 +549,22 @@ type ServerTLS struct {
 
 	// Reference to the CA file when `type` is set to `Provided`.
 	// +optional
-	ProvidedCaFile *FileReference `json:"providedCaFile,omitempty"`
+	ProvidedCAFile *FileReference `json:"providedCaFile,omitempty"`
+}
+
+// `ClientServerTLS` define the TLS configuration for both client and server sides
+type ClientServerTLS struct {
+	// TLS client certificate reference.
+	// +optional
+	ClientCert *CertificateReference `json:"clientCert,omitempty"`
+
+	// TLS server certificate reference.
+	// +optional
+	ServerCert *CertificateReference `json:"serverCert,omitempty"`
+
+	// Reference to the CA file.
+	// +optional
+	CAFile *FileReference `json:"caFile,omitempty"`
 }
 
 // `MetricsServerConfig` define the metrics server endpoint configuration for Prometheus scraper
@@ -707,6 +724,10 @@ type FlowCollectorFLP struct {
 	//+optional
 	SlicesConfig *SlicesConfig `json:"slicesConfig,omitempty"`
 
+	// Service configuration, only used when `spec.deploymentModel` is `Service`.
+	// +optional
+	Service *ProcessorServiceConfig `json:"service,omitempty"`
+
 	// `advanced` allows setting some aspects of the internal configuration of the flow processor.
 	// This section is aimed mostly for debugging and fine-grained performance optimizations,
 	// such as `GOGC` and `GOMAXPROCS` environment variables. Set these values at your own risk.
@@ -1510,6 +1531,22 @@ type SubnetLabel struct {
 	Name string `json:"name,omitempty"`
 }
 
+type ProcessorServiceConfig struct {
+	// Select the type of TLS configuration:<br>
+	// - `Disabled` to not configure TLS for the endpoint.
+	// - `Provided` to manually provide cert file and a key file. [Unsupported (*)].
+	// - `Auto` (default) to try to determine if TLS can be enabled based on the running environment.
+	// - `Auto-mTLS` to preconfigure mTLS. [Unsupported (*)].
+	// +kubebuilder:validation:Enum:="Disabled";"Provided";"Auto";"Auto-mTLS"
+	// +kubebuilder:validation:Required
+	// +kubebuilder:default:="Auto"
+	TLSType TLSConfigType `json:"tlsType,omitempty"`
+
+	// TLS or mTLS configuration when `type` is set to `Provided`.
+	// +optional
+	ProvidedCertificates *ClientServerTLS `json:"providedCertificates,omitempty"`
+}
+
 // Add more exporter types below
 type ExporterType string
 

diff --git a/api/flowcollector/v1beta2/flowcollector_validation_webhook.go b/api/flowcollector/v1beta2/flowcollector_validation_webhook.go
@@ -247,6 +247,7 @@ func (v *validator) validateFLP() {
 	v.validateFLPFilters()
 	v.validateFLPAlerts()
 	v.validateFLPMetricsForAlerts()
+	v.validateFLPTLS()
 }
 
 func (v *validator) validateScheduling() {
@@ -421,6 +422,27 @@ func (v *validator) validateFLPMetricsForAlerts() {
 	}
 }
 
+func (v *validator) validateFLPTLS() {
+	if v.fc.DeploymentModel == DeploymentModelService && v.fc.Processor.Service != nil && v.fc.Processor.Service.TLSType == TLSProvided {
+		if v.fc.Processor.Service.ProvidedCertificates == nil {
+			v.errors = append(
+				v.errors,
+				errors.New("missing configuration in spec.processor.providedCertificates despite spec.processor.tlsType being set to Provided"),
+			)
+		} else if v.fc.Processor.Service.ProvidedCertificates.CAFile == nil {
+			v.errors = append(
+				v.errors,
+				errors.New("missing configuration in spec.processor.providedCertificates.caFile despite spec.processor.tlsType being set to Provided"),
+			)
+		} else if v.fc.Processor.Service.ProvidedCertificates.ServerCert == nil {
+			v.errors = append(
+				v.errors,
+				errors.New("missing configuration in spec.processor.providedCertificates.serverCert despite spec.processor.tlsType being set to Provided"),
+			)
+		}
+	}
+}
+
 func GetFirstRequiredMetrics(anyRequired, actual []string) string {
 	for _, m := range anyRequired {
 		if slices.Contains(actual, m) {

diff --git a/api/flowcollector/v1beta2/flowcollector_validation_webhook_test.go b/api/flowcollector/v1beta2/flowcollector_validation_webhook_test.go
@@ -860,6 +860,21 @@ func TestValidateFLP(t *testing.T) {
 				},
 			},
 		},
+		{
+			name:       "Missing provided TLS config",
+			ocpVersion: "4.18.0",
+			fc: &FlowCollector{
+				Spec: FlowCollectorSpec{
+					DeploymentModel: DeploymentModelService,
+					Processor: FlowCollectorFLP{
+						Service: &ProcessorServiceConfig{
+							TLSType: TLSProvided,
+						},
+					},
+				},
+			},
+			expectedError: "missing configuration in spec.processor.providedCertificates despite spec.processor.tlsType being set to Provided",
+		},
 	}
 
 	CurrentClusterInfo = &cluster.Info{}

diff --git a/api/flowcollector/v1beta2/zz_generated.deepcopy.go b/api/flowcollector/v1beta2/zz_generated.deepcopy.go