This document lists all required and optional TLS certificates for NetObserv. You can also refer to the Helm chart templates for cert-manager.
The following certificates are always required and are not configurable:
| Service name | Resource kind | Resource name | Resource keys |
|---|---|---|---|
| netobserv-webhook-service | Secret | webhook-server-cert | tls.crt, tls.key |
| netobserv-metrics-service | Secret | manager-metrics-tls | tls.crt, tls.key |
When spec.deploymentModel is "Service", the traffic from eBPF agents to flowlogs-pipeline pods uses TLS by default. TLS can be disabled, but this is not recommended in production-grade environments, as it weakens the security of the NetObserv deployment.
In "Kafka" mode, the TLS/SASL configuration depends on your installation. The Kafka clients used in NetObserv support simple TLS, mTLS and SASL, as well as no TLS. We recommend the use of mTLS for higher security standards.
In "Direct" mode, the traffic doesn't leave the host and is not encrypted.
The tables below apply to the "Service" mode.
When spec.processor.service.tlsType is "Auto":
| Needed by | Resource kind | Resource name | Resource keys | Notes |
|---|---|---|---|---|
| flowlogs-pipeline | Secret | flowlogs-pipeline-cert | tls.crt, tls.key | |
| eBPF Agents | ConfigMap | netobserv-ca | service-ca.crt | Must be installed in netobserv-privileged namespace. |
When spec.processor.service.tlsType is "Auto-mTLS":
| Needed by | Resource kind | Resource name | Resource keys | Notes |
|---|---|---|---|---|
| flowlogs-pipeline | Secret | flowlogs-pipeline-cert | tls.crt, tls.key | |
| flowlogs-pipeline | ConfigMap | netobserv-ca | service-ca.crt | |
| eBPF Agents | Secret | ebpf-agent-cert | tls.crt, tls.key | Must be installed in netobserv-privileged namespace. |
| eBPF Agents | ConfigMap | netobserv-ca | service-ca.crt | Must be installed in netobserv-privileged namespace. |
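The following readiness check is an added example, not part of NetObserv: it transcribes the "Auto" and "Auto-mTLS" tables above and verifies a kubectl-style dump of Secrets and ConfigMaps for the required names, keys and namespaces, including the rule that the agent-side resources live in netobserv-privileged. The operator namespace name "netobserv" and the sample objects are assumptions constructed for the example.

```python
OPERATOR_NS = "netobserv"          # assumed namespace of flowlogs-pipeline
AGENT_NS = "netobserv-privileged"  # namespace the page requires for eBPF agent resources
# (needed by, kind, name, required keys, namespace), transcribed from the tables above.
REQUIRED = {
    "Auto": [
        ("flowlogs-pipeline", "Secret", "flowlogs-pipeline-cert", {"tls.crt", "tls.key"}, OPERATOR_NS),
        ("eBPF Agents", "ConfigMap", "netobserv-ca", {"service-ca.crt"}, AGENT_NS),
    ],
    "Auto-mTLS": [
        ("flowlogs-pipeline", "Secret", "flowlogs-pipeline-cert", {"tls.crt", "tls.key"}, OPERATOR_NS),
        ("flowlogs-pipeline", "ConfigMap", "netobserv-ca", {"service-ca.crt"}, OPERATOR_NS),
        ("eBPF Agents", "Secret", "ebpf-agent-cert", {"tls.crt", "tls.key"}, AGENT_NS),
        ("eBPF Agents", "ConfigMap", "netobserv-ca", {"service-ca.crt"}, AGENT_NS),
    ],
}

def check_tls_resources(tls_type, items):
    """Return a list of problems; an empty list means the mode's resources are in place.
    `items` is the `.items` list of `kubectl get secrets,configmaps -A -o json`.
    A resource only counts in the namespace the table requires, so a CA ConfigMap
    left in the operator namespace does not satisfy the eBPF agents' entry.
    """
    present = {(it["kind"], it["metadata"]["namespace"], it["metadata"]["name"]):
               set(it.get("data") or {}) for it in items}
    problems = []
    for needed_by, kind, name, keys, ns in REQUIRED[tls_type]:
        keys_found = present.get((kind, ns, name))
        if keys_found is None:
            problems.append(f"{needed_by}: missing {kind} {ns}/{name}")
        elif not keys <= keys_found:
            problems.append(f"{needed_by}: {kind} {ns}/{name} lacks {sorted(keys - keys_found)}")
    return problems

def obj(kind, ns, name, *keys):
    """Minimal kubectl-style item; values are constructed placeholders, not real PEM."""
    return {"kind": kind, "metadata": {"namespace": ns, "name": name},
            "data": {k: "PLACEHOLDER" for k in keys}}

# Constructed sample dump: the CA was never copied into netobserv-privileged and the
# agent Secret lacks its private key, two mistakes the tables above guard against.
SAMPLE_ITEMS = [
    obj("Secret", OPERATOR_NS, "flowlogs-pipeline-cert", "tls.crt", "tls.key"),
    obj("ConfigMap", OPERATOR_NS, "netobserv-ca", "service-ca.crt"),
    obj("Secret", AGENT_NS, "ebpf-agent-cert", "tls.crt"),
]

if __name__ == "__main__":
    for mode in REQUIRED:
        print(mode, check_tls_resources(mode, SAMPLE_ITEMS) or "ready")
```

Feed it the real dump with `json.load(...)["items"]` to check a cluster before switching tlsType; a non-empty list names the resource to create or move.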
When spec.processor.service.tlsType is "Provided", you can reference any Secret or ConfigMap for TLS or mTLS via spec.processor.service.providedCertificates.
For mTLS, configure spec.processor.service.providedCertificates.clientCert. For simple TLS, leave the client cert configuration unset.