NETOBSERV-2503: use TLS by default in Service mode

api/flowcollector/v1beta2/flowcollector_types.go

@@ -27,9 +27,10 @@ import (
 type FlowCollectorDeploymentModel string
 
 const (
-	DeploymentModelDirect  FlowCollectorDeploymentModel = "Direct"
-	DeploymentModelKafka   FlowCollectorDeploymentModel = "Kafka"
-	DeploymentModelService FlowCollectorDeploymentModel = "Service"
+	DeploymentModelDirect       FlowCollectorDeploymentModel = "Direct"
+	DeploymentModelKafka        FlowCollectorDeploymentModel = "Kafka"
+	DeploymentModelServiceNoTLS FlowCollectorDeploymentModel = "Service-NoTLS"
+	DeploymentModelServiceTLS   FlowCollectorDeploymentModel = "Service-TLS"
 )
 
 // Please notice that the FlowCollectorSpec's properties MUST redefine one of the default
@@ -70,14 +71,15 @@ type FlowCollectorSpec struct {
 	ConsolePlugin FlowCollectorConsolePlugin `json:"consolePlugin,omitempty"`
 
 	// `deploymentModel` defines the desired type of deployment for flow processing. Possible values are:<br>
-	// - `Direct` (default) to make the flow processor listen directly from the agents using the host network, backed by a DaemonSet. Only recommended on small clusters, below 15 nodes.<br>
-	// - `Service` to make the flow processor listen as a Kubernetes Service, backed by a scalable Deployment.<br>
+	// - `Service-TLS` (default) to make the flow processor listen as a Kubernetes Service, backed by a scalable Deployment.<br>
+	// - `Service-NoTLS` to make the flow processor listen as a Kubernetes Service, backed by a scalable Deployment. Version without TLS.<br>
 	// - `Kafka` to make flows sent to a Kafka pipeline before consumption by the processor.<br>
+	// - `Direct` to make the flow processor listen directly from the agents using the host network, backed by a DaemonSet. Only recommended on small clusters, below 15 nodes.<br>
 	// Kafka can provide better scalability, resiliency, and high availability (for more details, see https://www.redhat.com/en/topics/integration/what-is-apache-kafka).<br>
 	// `Direct` is not recommended on large clusters as it is less memory efficient.
 	// +unionDiscriminator
-	// +kubebuilder:validation:Enum:="Direct";"Service";"Kafka"
-	// +kubebuilder:default:=Direct
+	// +kubebuilder:validation:Enum:="Service-TLS";"Service-NoTLS";"Direct";"Kafka"
+	// +kubebuilder:default:=Service-TLS
 	DeploymentModel FlowCollectorDeploymentModel `json:"deploymentModel,omitempty"`
 
 	// Kafka configuration, allowing to use Kafka as a broker as part of the flow collection pipeline. Available when the `spec.deploymentModel` is `Kafka`.

api/flowcollector/v1beta2/flowcollector_validation_webhook.go

@@ -276,7 +276,7 @@ func (v *validator) validateFLPLogTypes() {
 		if !v.fc.UseLoki() {
 			v.errors = append(v.errors, errors.New("enabling conversation tracking without Loki is not allowed, as it generates extra processing for no benefit"))
 		}
-		if v.fc.DeploymentModel == DeploymentModelService {
+		if v.fc.UseServiceNetwork() {
 			v.errors = append(v.errors, errors.New("cannot enable conversation tracking when spec.deploymentModel is Service: you must disable it, or change the deployment model"))
 		}
 	}

api/flowcollector/v1beta2/flowcollector_validation_webhook_test.go

@@ -516,7 +516,7 @@ func TestValidateConntrack(t *testing.T) {
 					Name: "cluster",
 				},
 				Spec: FlowCollectorSpec{
-					DeploymentModel: DeploymentModelService,
+					DeploymentModel: DeploymentModelServiceNoTLS,
 					Processor: FlowCollectorFLP{
 						LogTypes: ptr.To(LogTypeConversations),
 					},

api/flowcollector/v1beta2/helper.go

@@ -67,6 +67,11 @@ func (spec *FlowCollectorSpec) UseHostNetwork() bool {
 	return spec.DeploymentModel == DeploymentModelDirect
 }
 
+func (spec *FlowCollectorSpec) UseServiceNetwork() bool {
+	return spec.DeploymentModel == DeploymentModelServiceNoTLS ||
+		spec.DeploymentModel == DeploymentModelServiceTLS
+}
+
 func (spec *FlowCollectorEBPF) IsAgentFeatureEnabled(feature AgentFeature) bool {
 	for _, f := range spec.Features {
 		if f == feature {

bundle/manifests/flows.netobserv.io_flowcollectors.yaml

@@ -3217,17 +3217,19 @@ spec:
                     type: boolean
                 type: object
               deploymentModel:
-                default: Direct
+                default: Service-TLS
                 description: |-
                   `deploymentModel` defines the desired type of deployment for flow processing. Possible values are:<br>
-                  - `Direct` (default) to make the flow processor listen directly from the agents using the host network, backed by a DaemonSet. Only recommended on small clusters, below 15 nodes.<br>
-                  - `Service` to make the flow processor listen as a Kubernetes Service, backed by a scalable Deployment.<br>
+                  - `Service-TLS` (default) to make the flow processor listen as a Kubernetes Service, backed by a scalable Deployment.<br>
+                  - `Service-NoTLS` to make the flow processor listen as a Kubernetes Service, backed by a scalable Deployment. Version without TLS.<br>
                   - `Kafka` to make flows sent to a Kafka pipeline before consumption by the processor.<br>
+                  - `Direct` to make the flow processor listen directly from the agents using the host network, backed by a DaemonSet. Only recommended on small clusters, below 15 nodes.<br>
                   Kafka can provide better scalability, resiliency, and high availability (for more details, see https://www.redhat.com/en/topics/integration/what-is-apache-kafka).<br>
                   `Direct` is not recommended on large clusters as it is less memory efficient.
                 enum:
+                - Service-TLS
+                - Service-NoTLS
                 - Direct
-                - Service
                 - Kafka
                 type: string
               exporters:

config/crd/bases/flows.netobserv.io_flowcollectors.yaml

@@ -3011,17 +3011,19 @@ spec:
                       type: boolean
                   type: object
                 deploymentModel:
-                  default: Direct
+                  default: Service-TLS
                   description: |-
                     `deploymentModel` defines the desired type of deployment for flow processing. Possible values are:<br>
-                    - `Direct` (default) to make the flow processor listen directly from the agents using the host network, backed by a DaemonSet. Only recommended on small clusters, below 15 nodes.<br>
-                    - `Service` to make the flow processor listen as a Kubernetes Service, backed by a scalable Deployment.<br>
+                    - `Service-TLS` (default) to make the flow processor listen as a Kubernetes Service, backed by a scalable Deployment.<br>
+                    - `Service-NoTLS` to make the flow processor listen as a Kubernetes Service, backed by a scalable Deployment. Version without TLS.<br>
                     - `Kafka` to make flows sent to a Kafka pipeline before consumption by the processor.<br>
+                    - `Direct` to make the flow processor listen directly from the agents using the host network, backed by a DaemonSet. Only recommended on small clusters, below 15 nodes.<br>
                     Kafka can provide better scalability, resiliency, and high availability (for more details, see https://www.redhat.com/en/topics/integration/what-is-apache-kafka).<br>
                     `Direct` is not recommended on large clusters as it is less memory efficient.
                   enum:
+                    - Service-TLS
+                    - Service-NoTLS
                     - Direct
-                    - Service
                     - Kafka
                   type: string
                 exporters:

docs/FlowCollector.md

@@ -112,14 +112,15 @@ for these features as a best effort only.
         <td>enum</td>
         <td>
           `deploymentModel` defines the desired type of deployment for flow processing. Possible values are:<br>
-- `Direct` (default) to make the flow processor listen directly from the agents using the host network, backed by a DaemonSet. Only recommended on small clusters, below 15 nodes.<br>
-- `Service` to make the flow processor listen as a Kubernetes Service, backed by a scalable Deployment.<br>
+- `Service-TLS` (default) to make the flow processor listen as a Kubernetes Service, backed by a scalable Deployment.<br>
+- `Service-NoTLS` to make the flow processor listen as a Kubernetes Service, backed by a scalable Deployment. Version without TLS.<br>
 - `Kafka` to make flows sent to a Kafka pipeline before consumption by the processor.<br>
+- `Direct` to make the flow processor listen directly from the agents using the host network, backed by a DaemonSet. Only recommended on small clusters, below 15 nodes.<br>
 Kafka can provide better scalability, resiliency, and high availability (for more details, see https://www.redhat.com/en/topics/integration/what-is-apache-kafka).<br>
 `Direct` is not recommended on large clusters as it is less memory efficient.<br/>
           <br/>
-            <i>Enum</i>: Direct, Service, Kafka<br/>
-            <i>Default</i>: Direct<br/>
+            <i>Enum</i>: Service-TLS, Service-NoTLS, Direct, Kafka<br/>
+            <i>Default</i>: Service-TLS<br/>
         </td>
         <td>false</td>
       </tr><tr>

go.mod

@@ -10,7 +10,7 @@ require (
 	github.com/google/go-cmp v0.7.0
 	github.com/grafana/loki/operator/apis/loki v0.0.0-20241021105923-5e970e50b166
 	github.com/netobserv/flowlogs-pipeline v1.10.0-community
-	github.com/netobserv/netobserv-ebpf-agent v1.10.0-community
+	github.com/netobserv/netobserv-ebpf-agent v1.10.0-community.0.20251125162210-4be10c36721e
 	github.com/onsi/ginkgo/v2 v2.27.2
 	github.com/onsi/gomega v1.38.2
 	github.com/openshift/api v0.0.0-20250707164913-2cd5821c9080
@@ -80,32 +80,32 @@ require (
 	github.com/stoewer/go-strcase v1.3.1 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 // indirect
-	go.opentelemetry.io/otel v1.37.0 // indirect
+	go.opentelemetry.io/otel v1.38.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.37.0 // indirect
-	go.opentelemetry.io/otel/metric v1.37.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.37.0 // indirect
-	go.opentelemetry.io/otel/trace v1.37.0 // indirect
+	go.opentelemetry.io/otel/metric v1.38.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.38.0 // indirect
+	go.opentelemetry.io/otel/trace v1.38.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.7.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b // indirect
-	golang.org/x/mod v0.28.0 // indirect
-	golang.org/x/net v0.46.0 // indirect
+	golang.org/x/mod v0.29.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
 	golang.org/x/oauth2 v0.32.0 // indirect
-	golang.org/x/sync v0.17.0 // indirect
-	golang.org/x/sys v0.37.0 // indirect
-	golang.org/x/term v0.36.0 // indirect
-	golang.org/x/text v0.30.0 // indirect
+	golang.org/x/sync v0.18.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/term v0.37.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
 	golang.org/x/time v0.12.0 // indirect
-	golang.org/x/tools v0.37.0 // indirect
+	golang.org/x/tools v0.38.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20250804133106-a7a43d27e69b // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250804133106-a7a43d27e69b // indirect
-	google.golang.org/grpc v1.76.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20251022142026-3a174f9686a8 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8 // indirect
+	google.golang.org/grpc v1.77.0 // indirect
 	google.golang.org/protobuf v1.36.10 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
@@ -119,3 +119,5 @@ require (
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
 )
+
+replace github.com/netobserv/flowlogs-pipeline => github.com/jotak/flowlogs-pipeline v0.0.0-20251201132339-09e5c7677a99