open-telemetry
diff --git a/‎.chloggen/tls-profile.yaml‎
Lines changed: 28 additions & 0 deletions b/‎.chloggen/tls-profile.yaml‎
Lines changed: 28 additions & 0 deletions
diff --git a/‎apis/v1beta1/collector_webhook.go‎
Lines changed: 4 additions & 0 deletions b/‎apis/v1beta1/collector_webhook.go‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎apis/v1beta1/config.go‎
Lines changed: 9 additions & 5 deletions b/‎apis/v1beta1/config.go‎
Lines changed: 9 additions & 5 deletions
diff --git a/‎bundle/community/manifests/opentelemetry-operator.clusterserviceversion.yaml‎
Lines changed: 1 addition & 1 deletion b/‎bundle/community/manifests/opentelemetry-operator.clusterserviceversion.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎bundle/openshift/manifests/opentelemetry-operator.clusterserviceversion.yaml‎
Lines changed: 5 additions & 1 deletion b/‎bundle/openshift/manifests/opentelemetry-operator.clusterserviceversion.yaml‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎config/overlays/openshift/manager-patch.yaml‎
Lines changed: 10 additions & 0 deletions b/‎config/overlays/openshift/manager-patch.yaml‎
Lines changed: 10 additions & 0 deletions
@@ -0,0 +1,28 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. collector, target allocator, auto-instrumentation, opamp, github action)
+component: operator, collector
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Allow operator to get TLS settings from OpenShift `APIServer` CR and configure operands TLS settings.
+
+# One or more tracking issues related to the change
+issues: [4669]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext: |
+  Added operator flag `--tls-cluster-profile` which obtains the TLS min version and cipher suites from the OpenShift `APIServer` `cluster` custom resource (CR).
+  It overrides the `--tls-min-version` and `--tls-cipher-suites` flags if set.
+  The flags is disabled by default on Kubernetes and enabled on OpenShift.
+  
+  Added operator flag `--tls-configure-operands` which configures operands TLS settings (min version, cipher suites)
+  based on the supplied operator TLS flags (`--tls-cipher-suites` and `--tls-min-version`) or from the OpenShift `APIServer` CR
+  if `--tls-cluster-profile` is enabled.
+  The flag is disabled by default on Kubernetes and enabled on OpenShift.
+  
+  The `--tls-min-version` defaults to `TLSv1.2` which matches the collector's default.
+  The `--tls-cipher-suites` is empty by default which matches the collector's default.
+  Therefore enabling `--tls-configure-operands` with the default TLS flags should not change the collector's behavior.
@@ -102,6 +102,10 @@ func (c CollectorWebhook) Default(_ context.Context, obj runtime.Object) error {
 		trueVal := true
 		otelcol.Spec.NetworkPolicy.Enabled = &trueVal
 	}
+	// Apply config defaults (service pipelines, etc.) but NOT TLS.
+	// TLS defaults are applied at reconciliation time (ConfigMap generation) so that
+	// existing collectors automatically get updated TLS settings when the operator
+	// restarts after a cluster TLS profile change.
 	events, err := otelcol.Spec.Config.ApplyDefaults(c.logger)
 	if err != nil {
 		return err
 
@@ -265,8 +265,9 @@ func (c *Config) getEnvironmentVariablesForComponentKinds(logger logr.Logger, co
 }
 
 // applyDefaultForComponentKinds applies defaults to the endpoints for the given ComponentKind(s).
+// If defaultsCfg.TLSProfile is set, TLS defaults are also applied via the Parser.GetDefaultConfig method.
 // Returns a list of events that should be recorded by the caller.
-func (c *Config) applyDefaultForComponentKinds(logger logr.Logger, componentKinds ...ComponentKind) ([]EventInfo, error) {
+func (c *Config) applyDefaultForComponentKinds(logger logr.Logger, parserOpts []components.DefaultOption, componentKinds ...ComponentKind) ([]EventInfo, error) {
 	events, err := c.Service.ApplyDefaults(logger)
 	if err != nil {
 		return events, err
@@ -280,7 +281,8 @@ func (c *Config) applyDefaultForComponentKinds(logger logr.Logger, componentKind
 			retriever = receivers.ReceiverFor
 			cfg = c.Receivers
 		case KindExporter, KindProcessor:
-			continue
+			retriever = exporters.ParserFor
+			cfg = c.Exporters
 		case KindExtension:
 			if c.Extensions == nil {
 				continue
@@ -291,7 +293,7 @@ func (c *Config) applyDefaultForComponentKinds(logger logr.Logger, componentKind
 		for componentName := range enabledComponents[componentKind] {
 			parser := retriever(componentName)
 			componentConf := cfg.Object[componentName]
-			newCfg, err := parser.GetDefaultConfig(logger, componentConf)
+			newCfg, err := parser.GetDefaultConfig(logger, componentConf, parserOpts...)
 			if err != nil {
 				return events, err
 			}
@@ -347,8 +349,10 @@ func (c *Config) GetAllRbacRules(logger logr.Logger) ([]rbacv1.PolicyRule, error
 	return c.getRbacRulesForComponentKinds(logger, KindReceiver, KindExporter, KindProcessor, KindExtension)
 }
 
-func (c *Config) ApplyDefaults(logger logr.Logger) ([]EventInfo, error) {
-	return c.applyDefaultForComponentKinds(logger, KindReceiver, KindExtension)
+// ApplyDefaults applies default configuration values to the collector config.
+// Optional DefaultsOption arguments can be provided to customize behavior.
+func (c *Config) ApplyDefaults(logger logr.Logger, opts ...components.DefaultOption) ([]EventInfo, error) {
+	return c.applyDefaultForComponentKinds(logger, opts, KindReceiver, KindExporter, KindExtension)
 }
 
 // GetLivenessProbe gets the first enabled liveness probe. There should only ever be one extension enabled
 
@@ -99,7 +99,7 @@ metadata:
     categories: Logging & Tracing,Monitoring,Observability
     certified: "false"
     containerImage: ghcr.io/open-telemetry/opentelemetry-operator/opentelemetry-operator
-    createdAt: "2026-03-04T09:54:20Z"
+    createdAt: "2026-03-04T12:42:01Z"
     description: Provides the OpenTelemetry components, including the Collector
     operators.operatorframework.io/builder: operator-sdk-v1.29.0
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
 
@@ -99,7 +99,7 @@ metadata:
     categories: Logging & Tracing,Monitoring,Observability
     certified: "false"
     containerImage: ghcr.io/open-telemetry/opentelemetry-operator/opentelemetry-operator
-    createdAt: "2026-03-04T09:54:21Z"
+    createdAt: "2026-03-04T12:42:01Z"
     description: Provides the OpenTelemetry components, including the Collector
     operators.operatorframework.io/builder: operator-sdk-v1.29.0
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
@@ -572,6 +572,10 @@ spec:
                   value: "true"
                 - name: FEATURE_GATES
                   value: operator.networkpolicy,operand.networkpolicy
+                - name: TLS_CLUSTER_PROFILE
+                  value: "true"
+                - name: TLS_CONFIGURE_OPERANDS
+                  value: "true"
                 image: ghcr.io/open-telemetry/opentelemetry-operator/opentelemetry-operator:0.145.0
                 livenessProbe:
                   httpGet:
 
@@ -58,3 +58,13 @@
   value:
     name: FEATURE_GATES
     value: "operator.networkpolicy,operand.networkpolicy"
+- op: add
+  path: "/spec/template/spec/containers/0/env/-"
+  value:
+    name: TLS_CLUSTER_PROFILE
+    value: "true"
+- op: add
+  path: "/spec/template/spec/containers/0/env/-"
+  value:
+    name: TLS_CONFIGURE_OPERANDS
+    value: "true"