NETOBSERV-2503: use TLS by default in Service mode; make Service the default mode (#2204)

* NETOBSERV-2503: use TLS by default in Service mode

* Back to a single Service mode

Always use TLS, except if SERVER_NOTLS env is set on FLP

* bump FLP

* Update default mode in alm example

Author: jotak

api/flowcollector/v1beta2/flowcollector_types.go

@@ -70,14 +70,14 @@ type FlowCollectorSpec struct {
 	ConsolePlugin FlowCollectorConsolePlugin `json:"consolePlugin,omitempty"`
 
 	// `deploymentModel` defines the desired type of deployment for flow processing. Possible values are:<br>
-	// - `Direct` (default) to make the flow processor listen directly from the agents using the host network, backed by a DaemonSet. Only recommended on small clusters, below 15 nodes.<br>
-	// - `Service` to make the flow processor listen as a Kubernetes Service, backed by a scalable Deployment.<br>
+	// - `Service` (default) to make the flow processor listen as a Kubernetes Service, backed by a scalable Deployment.<br>
 	// - `Kafka` to make flows sent to a Kafka pipeline before consumption by the processor.<br>
+	// - `Direct` to make the flow processor listen directly from the agents using the host network, backed by a DaemonSet. Only recommended on small clusters, below 15 nodes.<br>
 	// Kafka can provide better scalability, resiliency, and high availability (for more details, see https://www.redhat.com/en/topics/integration/what-is-apache-kafka).<br>
 	// `Direct` is not recommended on large clusters as it is less memory efficient.
 	// +unionDiscriminator
-	// +kubebuilder:validation:Enum:="Direct";"Service";"Kafka"
-	// +kubebuilder:default:=Direct
+	// +kubebuilder:validation:Enum:="Service";"Direct";"Kafka"
+	// +kubebuilder:default:=Service
 	DeploymentModel FlowCollectorDeploymentModel `json:"deploymentModel,omitempty"`
 
 	// Kafka configuration, allowing to use Kafka as a broker as part of the flow collection pipeline. Available when the `spec.deploymentModel` is `Kafka`.

api/flowcollector/v1beta2/helper.go

@@ -55,10 +55,7 @@ func (spec *FlowCollectorSpec) UseConsolePlugin() bool {
 
 func (spec *FlowCollectorSpec) UseTestConsolePlugin() bool {
 	if spec.ConsolePlugin.Advanced != nil {
-		env := spec.ConsolePlugin.Advanced.Env[constants.EnvTestConsole]
-		// Use ParseBool to allow common variants ("true", "True", "1"...) and ignore non-bools
-		b, err := strconv.ParseBool(env)
-		return err == nil && b
+		return IsEnvEnabled(spec.ConsolePlugin.Advanced.Env, constants.EnvTestConsole)
 	}
 	return false
 }
@@ -221,3 +218,10 @@ func (spec *FlowCollectorConsolePlugin) IsUnmanagedConsolePluginReplicas() bool
 func (spec *FlowCollectorSpec) IsSliceEnabled() bool {
 	return spec.Processor.SlicesConfig != nil && spec.Processor.SlicesConfig.Enable
 }
+
+func IsEnvEnabled(vars map[string]string, key string) bool {
+	env := vars[key]
+	// Use ParseBool to allow common variants ("true", "True", "1"...) and ignore non-bools
+	b, err := strconv.ParseBool(env)
+	return err == nil && b
+}

bundle/manifests/flows.netobserv.io_flowcollectors.yaml

@@ -3217,17 +3217,17 @@ spec:
                     type: boolean
                 type: object
               deploymentModel:
-                default: Direct
+                default: Service
                 description: |-
                   `deploymentModel` defines the desired type of deployment for flow processing. Possible values are:<br>
-                  - `Direct` (default) to make the flow processor listen directly from the agents using the host network, backed by a DaemonSet. Only recommended on small clusters, below 15 nodes.<br>
-                  - `Service` to make the flow processor listen as a Kubernetes Service, backed by a scalable Deployment.<br>
+                  - `Service` (default) to make the flow processor listen as a Kubernetes Service, backed by a scalable Deployment.<br>
                   - `Kafka` to make flows sent to a Kafka pipeline before consumption by the processor.<br>
+                  - `Direct` to make the flow processor listen directly from the agents using the host network, backed by a DaemonSet. Only recommended on small clusters, below 15 nodes.<br>
                   Kafka can provide better scalability, resiliency, and high availability (for more details, see https://www.redhat.com/en/topics/integration/what-is-apache-kafka).<br>
                   `Direct` is not recommended on large clusters as it is less memory efficient.
                 enum:
-                - Direct
                 - Service
+                - Direct
                 - Kafka
                 type: string
               exporters:

bundle/manifests/netobserv-operator.clusterserviceversion.yaml

@@ -134,7 +134,7 @@ metadata:
                 }
               }
             },
-            "deploymentModel": "Direct",
+            "deploymentModel": "Service",
             "exporters": [],
             "kafka": {
               "address": "kafka-cluster-kafka-bootstrap.netobserv",

config/crd/bases/flows.netobserv.io_flowcollectors.yaml

@@ -3011,17 +3011,17 @@ spec:
                       type: boolean
                   type: object
                 deploymentModel:
-                  default: Direct
+                  default: Service
                   description: |-
                     `deploymentModel` defines the desired type of deployment for flow processing. Possible values are:<br>
-                    - `Direct` (default) to make the flow processor listen directly from the agents using the host network, backed by a DaemonSet. Only recommended on small clusters, below 15 nodes.<br>
-                    - `Service` to make the flow processor listen as a Kubernetes Service, backed by a scalable Deployment.<br>
+                    - `Service` (default) to make the flow processor listen as a Kubernetes Service, backed by a scalable Deployment.<br>
                     - `Kafka` to make flows sent to a Kafka pipeline before consumption by the processor.<br>
+                    - `Direct` to make the flow processor listen directly from the agents using the host network, backed by a DaemonSet. Only recommended on small clusters, below 15 nodes.<br>
                     Kafka can provide better scalability, resiliency, and high availability (for more details, see https://www.redhat.com/en/topics/integration/what-is-apache-kafka).<br>
                     `Direct` is not recommended on large clusters as it is less memory efficient.
                   enum:
-                    - Direct
                     - Service
+                    - Direct
                     - Kafka
                   type: string
                 exporters:

config/samples/flows_v1beta2_flowcollector.yaml

@@ -4,7 +4,7 @@ metadata:
   name: cluster
 spec:
   namespace: netobserv
-  deploymentModel: Direct
+  deploymentModel: Service
   networkPolicy:
     enable: true
     additionalNamespaces: []

docs/FlowCollector.md

@@ -112,14 +112,14 @@ for these features as a best effort only.
         <td>enum</td>
         <td>
           `deploymentModel` defines the desired type of deployment for flow processing. Possible values are:<br>
-- `Direct` (default) to make the flow processor listen directly from the agents using the host network, backed by a DaemonSet. Only recommended on small clusters, below 15 nodes.<br>
-- `Service` to make the flow processor listen as a Kubernetes Service, backed by a scalable Deployment.<br>
+- `Service` (default) to make the flow processor listen as a Kubernetes Service, backed by a scalable Deployment.<br>
 - `Kafka` to make flows sent to a Kafka pipeline before consumption by the processor.<br>
+- `Direct` to make the flow processor listen directly from the agents using the host network, backed by a DaemonSet. Only recommended on small clusters, below 15 nodes.<br>
 Kafka can provide better scalability, resiliency, and high availability (for more details, see https://www.redhat.com/en/topics/integration/what-is-apache-kafka).<br>
 `Direct` is not recommended on large clusters as it is less memory efficient.<br/>
           <br/>
-            <i>Enum</i>: Direct, Service, Kafka<br/>
-            <i>Default</i>: Direct<br/>
+            <i>Enum</i>: Service, Direct, Kafka<br/>
+            <i>Default</i>: Service<br/>
         </td>
         <td>false</td>
       </tr><tr>

go.mod

@@ -9,8 +9,8 @@ require (
 	github.com/coreos/go-semver v0.3.1
 	github.com/google/go-cmp v0.7.0
 	github.com/grafana/loki/operator/apis/loki v0.0.0-20241021105923-5e970e50b166
-	github.com/netobserv/flowlogs-pipeline v1.10.0-community
-	github.com/netobserv/netobserv-ebpf-agent v1.10.0-community
+	github.com/netobserv/flowlogs-pipeline v1.10.0-community.0.20251205170812-75a990e42a64
+	github.com/netobserv/netobserv-ebpf-agent v1.10.0-community.0.20251125162210-4be10c36721e
 	github.com/onsi/ginkgo/v2 v2.27.3
 	github.com/onsi/gomega v1.38.3
 	github.com/openshift/api v0.0.0-20250707164913-2cd5821c9080
@@ -80,32 +80,32 @@ require (
 	github.com/stoewer/go-strcase v1.3.1 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 // indirect
-	go.opentelemetry.io/otel v1.37.0 // indirect
+	go.opentelemetry.io/otel v1.38.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.37.0 // indirect
-	go.opentelemetry.io/otel/metric v1.37.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.37.0 // indirect
-	go.opentelemetry.io/otel/trace v1.37.0 // indirect
+	go.opentelemetry.io/otel/metric v1.38.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.38.0 // indirect
+	go.opentelemetry.io/otel/trace v1.38.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.7.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b // indirect
-	golang.org/x/mod v0.28.0 // indirect
-	golang.org/x/net v0.46.0 // indirect
+	golang.org/x/mod v0.29.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
 	golang.org/x/oauth2 v0.32.0 // indirect
-	golang.org/x/sync v0.17.0 // indirect
-	golang.org/x/sys v0.37.0 // indirect
-	golang.org/x/term v0.36.0 // indirect
-	golang.org/x/text v0.30.0 // indirect
+	golang.org/x/sync v0.18.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/term v0.37.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
 	golang.org/x/time v0.12.0 // indirect
-	golang.org/x/tools v0.37.0 // indirect
+	golang.org/x/tools v0.38.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20250804133106-a7a43d27e69b // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250804133106-a7a43d27e69b // indirect
-	google.golang.org/grpc v1.76.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20251022142026-3a174f9686a8 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8 // indirect
+	google.golang.org/grpc v1.77.0 // indirect
 	google.golang.org/protobuf v1.36.10 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect