feat: Add TargetAllocator MTLS configuration to operator chart

Makefile

@@ -7,7 +7,7 @@ generate-examples:
 	for chart_name in $(CHARTS); do \
 		helm dependency build charts/$${chart_name}; \
 		EXAMPLES_DIR=charts/$${chart_name}/examples; \
-		EXAMPLES=$$(find $${EXAMPLES_DIR} -type d -maxdepth 1 -mindepth 1 -exec basename \{\} \;); \
+		EXAMPLES=$$(find $${EXAMPLES_DIR} -maxdepth 1 -mindepth 1 -type d -exec basename \{\} \;); \
 		for example in $${EXAMPLES}; do \
 			echo "Generating example: $${example}"; \
 			VALUES=$$(find $${EXAMPLES_DIR}/$${example} -name *values.yaml); \
@@ -17,7 +17,7 @@ generate-examples:
 				mv $${EXAMPLES_DIR}/$${example}/rendered/$${chart_name}/templates/* "$${EXAMPLES_DIR}/$${example}/rendered"; \
 				SUBCHARTS_DIR=$${EXAMPLES_DIR}/$${example}/rendered/$${chart_name}/charts; \
 				if [ -d "$${SUBCHARTS_DIR}" ]; then \
-					SUBCHARTS=$$(find $${SUBCHARTS_DIR} -type d -maxdepth 1 -mindepth 1 -exec basename \{\} \;); \
+					SUBCHARTS=$$(find $${SUBCHARTS_DIR} -maxdepth 1 -mindepth 1 -type d -exec basename \{\} \;); \
 					for subchart in $${SUBCHARTS}; do \
 						mkdir -p "$${EXAMPLES_DIR}/$${example}/rendered/$${subchart}"; \
 						mv $${SUBCHARTS_DIR}/$${subchart}/templates/* "$${EXAMPLES_DIR}/$${example}/rendered/$${subchart}"; \
@@ -32,15 +32,15 @@ generate-examples:
 check-examples:
 	for chart_name in $(CHARTS); do \
 		EXAMPLES_DIR=charts/$${chart_name}/examples; \
-		EXAMPLES=$$(find $${EXAMPLES_DIR} -type d -maxdepth 1 -mindepth 1 -exec basename \{\} \;); \
+		EXAMPLES=$$(find $${EXAMPLES_DIR} -maxdepth 1 -mindepth 1 -type d -exec basename \{\} \;); \
 		for example in $${EXAMPLES}; do \
 			echo "Checking example: $${example}"; \
 			VALUES=$$(find $${EXAMPLES_DIR}/$${example} -name *values.yaml); \
 			for value in $${VALUES}; do \
 				helm dependency build charts/$${chart_name}; \
 				helm template example charts/$${chart_name} --namespace default --values $${value} --output-dir "${TMP_DIRECTORY}/$${example}"; \
 				SUBCHARTS_DIR=${TMP_DIRECTORY}/$${example}/$${chart_name}/charts; \
-				SUBCHARTS=$$(find $${SUBCHARTS_DIR} -type d -maxdepth 1 -mindepth 1 -exec basename \{\} \;); \
+				SUBCHARTS=$$(find $${SUBCHARTS_DIR} -maxdepth 1 -mindepth 1 -type d -exec basename \{\} \;); \
 				for subchart in $${SUBCHARTS}; do \
 					mkdir -p "${TMP_DIRECTORY}/$${example}/$${chart_name}/templates/$${subchart}"; \
 					mv ${TMP_DIRECTORY}/$${example}/$${chart_name}/charts/$${subchart}/templates/* "${TMP_DIRECTORY}/$${example}/$${chart_name}/templates/$${subchart}"; \

charts/opentelemetry-operator/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: opentelemetry-operator
-version: 0.72.0
+version: 0.72.1
 description: OpenTelemetry Operator Helm chart for Kubernetes
 type: application
 home: https://opentelemetry.io/

charts/opentelemetry-operator/UPGRADING.md

@@ -1,5 +1,9 @@
 # Upgrade guidelines
 
+## 0.72.0 to 0.72.1
+
+Prior to 0.72.1, feature gates could be enabled via the `manager.featureGates` property. As feature gates may require extra configuration to work properly, e.g. deploying extra permissions on the ClusterRole, the chart has been updated to make use of the `manager.featureGatesMap` property which allows the chart to smartly configure feature gates. If the `manager.featureGatesMap` property is set, the old `manager.featureGates` property will be ignored.
+
 ## 0.57.0 to 0.58.0
 
 OpenTelemetry Operator [0.99.0](https://github.com/open-telemetry/opentelemetry-operator/releases/tag/v0.99.0) includes a new version of the `OpenTelemetryCollector` CRD. See [this document][v1beta1_migration] for upgrade instructions for the new Operator CRD. Please make sure you also follow the [helm upgrade instructions](./UPGRADING.md#0560-to-0570) for helm chart 0.57.0.
@@ -29,7 +33,7 @@ You can also delete the CRDs and let Helm recreate them, but doing so will also
 
 ## 0.55.3 to 0.56.0
 
-> [!WARNING]  
+> [!WARNING]
 > As part of working towards using the [OpenTelemetry Collector Kubernetes Distro](https://github.com/open-telemetry/opentelemetry-collector-releases/tree/main/distributions/otelcol-k8s) by default, the chart now requires users to explicitly set a collector image repository. If you are already explicitly setting a collector image repository this breaking change does not affect you.
 
 If you are using a OpenTelemetry Community distribution of the Collector we recommend you use `otel/opentelemetry-collector-k8s`, but carefully review the [components included in this distribution](https://github.com/open-telemetry/opentelemetry-collector-releases/blob/main/distributions/otelcol-k8s/manifest.yaml) to make sure it includes all the components you use in your configuration. In the future this distribution will become the default image used for the chart.

charts/opentelemetry-operator/examples/default/rendered/admission-webhooks/operator-webhook-with-cert-manager.yaml

@@ -6,7 +6,7 @@ metadata:
   annotations:
     cert-manager.io/inject-ca-from: default/example-opentelemetry-operator-serving-cert
   labels:
-    helm.sh/chart: opentelemetry-operator-0.72.0
+    helm.sh/chart: opentelemetry-operator-0.72.1
     app.kubernetes.io/name: opentelemetry-operator
     app.kubernetes.io/version: "0.111.0"
     app.kubernetes.io/managed-by: Helm
@@ -91,7 +91,7 @@ metadata:
   annotations:
     cert-manager.io/inject-ca-from: default/example-opentelemetry-operator-serving-cert
   labels:
-    helm.sh/chart: opentelemetry-operator-0.72.0
+    helm.sh/chart: opentelemetry-operator-0.72.1
     app.kubernetes.io/name: opentelemetry-operator
     app.kubernetes.io/version: "0.111.0"
     app.kubernetes.io/managed-by: Helm

charts/opentelemetry-operator/examples/default/rendered/certmanager.yaml

@@ -4,7 +4,7 @@ apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
   labels:
-    helm.sh/chart: opentelemetry-operator-0.72.0
+    helm.sh/chart: opentelemetry-operator-0.72.1
     app.kubernetes.io/name: opentelemetry-operator
     app.kubernetes.io/version: "0.111.0"
     app.kubernetes.io/managed-by: Helm
@@ -30,7 +30,7 @@ apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
   labels:
-    helm.sh/chart: opentelemetry-operator-0.72.0
+    helm.sh/chart: opentelemetry-operator-0.72.1
     app.kubernetes.io/name: opentelemetry-operator
     app.kubernetes.io/version: "0.111.0"
     app.kubernetes.io/managed-by: Helm

charts/opentelemetry-operator/examples/default/rendered/clusterrole.yaml

@@ -4,7 +4,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: opentelemetry-operator-0.72.0
+    helm.sh/chart: opentelemetry-operator-0.72.1
     app.kubernetes.io/name: opentelemetry-operator
     app.kubernetes.io/version: "0.111.0"
     app.kubernetes.io/managed-by: Helm
@@ -223,7 +223,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: opentelemetry-operator-0.72.0
+    helm.sh/chart: opentelemetry-operator-0.72.1
     app.kubernetes.io/name: opentelemetry-operator
     app.kubernetes.io/version: "0.111.0"
     app.kubernetes.io/managed-by: Helm
@@ -242,7 +242,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: opentelemetry-operator-0.72.0
+    helm.sh/chart: opentelemetry-operator-0.72.1
     app.kubernetes.io/name: opentelemetry-operator
     app.kubernetes.io/version: "0.111.0"
     app.kubernetes.io/managed-by: Helm

charts/opentelemetry-operator/examples/default/rendered/clusterrolebinding.yaml

@@ -4,7 +4,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: opentelemetry-operator-0.72.0
+    helm.sh/chart: opentelemetry-operator-0.72.1
     app.kubernetes.io/name: opentelemetry-operator
     app.kubernetes.io/version: "0.111.0"
     app.kubernetes.io/managed-by: Helm
@@ -26,7 +26,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: opentelemetry-operator-0.72.0
+    helm.sh/chart: opentelemetry-operator-0.72.1
     app.kubernetes.io/name: opentelemetry-operator
     app.kubernetes.io/version: "0.111.0"
     app.kubernetes.io/managed-by: Helm

charts/opentelemetry-operator/examples/default/rendered/deployment.yaml

@@ -4,7 +4,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    helm.sh/chart: opentelemetry-operator-0.72.0
+    helm.sh/chart: opentelemetry-operator-0.72.1
     app.kubernetes.io/name: opentelemetry-operator
     app.kubernetes.io/version: "0.111.0"
     app.kubernetes.io/managed-by: Helm

charts/opentelemetry-operator/examples/default/rendered/role.yaml

@@ -4,7 +4,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: opentelemetry-operator-0.72.0
+    helm.sh/chart: opentelemetry-operator-0.72.1
     app.kubernetes.io/name: opentelemetry-operator
     app.kubernetes.io/version: "0.111.0"
     app.kubernetes.io/managed-by: Helm

charts/opentelemetry-operator/examples/default/rendered/rolebinding.yaml

@@ -4,7 +4,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: opentelemetry-operator-0.72.0
+    helm.sh/chart: opentelemetry-operator-0.72.1
     app.kubernetes.io/name: opentelemetry-operator
     app.kubernetes.io/version: "0.111.0"
     app.kubernetes.io/managed-by: Helm

charts/opentelemetry-operator/examples/default/rendered/service.yaml

@@ -4,7 +4,7 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: opentelemetry-operator-0.72.0
+    helm.sh/chart: opentelemetry-operator-0.72.1
     app.kubernetes.io/name: opentelemetry-operator
     app.kubernetes.io/version: "0.111.0"
     app.kubernetes.io/managed-by: Helm
@@ -32,7 +32,7 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    helm.sh/chart: opentelemetry-operator-0.72.0
+    helm.sh/chart: opentelemetry-operator-0.72.1
     app.kubernetes.io/name: opentelemetry-operator
     app.kubernetes.io/version: "0.111.0"
     app.kubernetes.io/managed-by: Helm

charts/opentelemetry-operator/examples/default/rendered/serviceaccount.yaml

@@ -6,7 +6,7 @@ metadata:
   name: opentelemetry-operator
   namespace: default
   labels:
-    helm.sh/chart: opentelemetry-operator-0.72.0
+    helm.sh/chart: opentelemetry-operator-0.72.1
     app.kubernetes.io/name: opentelemetry-operator
     app.kubernetes.io/version: "0.111.0"
     app.kubernetes.io/managed-by: Helm

charts/opentelemetry-operator/examples/default/rendered/tests/test-certmanager-connection.yaml

@@ -6,7 +6,7 @@ metadata:
   name: "example-opentelemetry-operator-cert-manager"
   namespace: default
   labels:
-    helm.sh/chart: opentelemetry-operator-0.72.0
+    helm.sh/chart: opentelemetry-operator-0.72.1
     app.kubernetes.io/name: opentelemetry-operator
     app.kubernetes.io/version: "0.111.0"
     app.kubernetes.io/managed-by: Helm

charts/opentelemetry-operator/examples/default/rendered/tests/test-service-connection.yaml

@@ -6,7 +6,7 @@ metadata:
   name: "example-opentelemetry-operator-metrics"
   namespace: default
   labels:
-    helm.sh/chart: opentelemetry-operator-0.72.0
+    helm.sh/chart: opentelemetry-operator-0.72.1
     app.kubernetes.io/name: opentelemetry-operator
     app.kubernetes.io/version: "0.111.0"
     app.kubernetes.io/managed-by: Helm
@@ -44,7 +44,7 @@ metadata:
   name: "example-opentelemetry-operator-webhook"
   namespace: default
   labels:
-    helm.sh/chart: opentelemetry-operator-0.72.0
+    helm.sh/chart: opentelemetry-operator-0.72.1
     app.kubernetes.io/name: opentelemetry-operator
     app.kubernetes.io/version: "0.111.0"
     app.kubernetes.io/managed-by: Helm

charts/opentelemetry-operator/templates/_helpers.tpl

@@ -150,3 +150,9 @@ The image to use for opentelemetry-operator.
 {{- define "opentelemetry-operator.image" -}}
 {{- printf "%s:%s" .Values.manager.image.repository (default .Chart.AppVersion .Values.manager.image.tag) }}
 {{- end }}
+
+{{- define "opentelemetry-operator.featureGatesMap" -}}
+{{- if .Values.manager.featureGatesMap.targetAllocatorMtls -}}
+--feature-gates=operator.targetallocator.mtls=true
+{{- end }}
+{{- end }}

charts/opentelemetry-operator/templates/clusterrole.yaml

@@ -235,6 +235,24 @@ rules:
       - patch
       - update
       - watch
+  {{- if .Values.manager.featureGatesMap }}
+  {{- if .Values.manager.featureGatesMap.targetAllocatorMtls }}
+  - apiGroups:
+      - cert-manager.io
+    resources:
+      - issuers
+      - certificaterequests
+      - certificates
+    verbs:
+      - create
+      - get
+      - list
+      - watch
+      - update
+      - patch
+      - delete
+  {{- end }}
+  {{- end }}
 
 {{ if .Values.kubeRBACProxy.enabled }}
 ---

charts/opentelemetry-operator/templates/deployment.yaml

@@ -74,8 +74,10 @@ spec:
             {{- if and .Values.manager.autoInstrumentationImage.apacheHttpd.repository .Values.manager.autoInstrumentationImage.apacheHttpd.tag }}
             - --auto-instrumentation-apache-httpd-image={{ .Values.manager.autoInstrumentationImage.apacheHttpd.repository }}:{{ .Values.manager.autoInstrumentationImage.apacheHttpd.tag }}
             {{- end }}
-            {{- if .Values.manager.featureGates }}
-            - --feature-gates={{ .Values.manager.featureGates }}
+            {{- if and .Values.manager.featureGatesMap }}
+            - {{ include "opentelemetry-operator.featureGatesMap" . }}
+            {{- else if ne .Values.manager.featureGates "" }}
+            - --feature-gates={{ .Values.manager.featureGates | quote }}
             {{- end }}
             {{-  if .Values.manager.extraArgs  }}
             {{- .Values.manager.extraArgs | toYaml | nindent 12 }}

charts/opentelemetry-operator/values.schema.json

@@ -512,9 +512,26 @@
                 "featureGates": {
                     "type": "string",
                     "default": "",
+                    "title": "The featureGates to enable",
+                    "examples": ""
+                },
+                "featureGatesMap": {
+                    "type": "object",
+                    "default": {},
                     "title": "The featureGates Schema",
+                    "additionalProperties": false,
+                    "properties": {
+                        "targetAllocatorMtls": {
+                            "type": "boolean",
+                            "default": false,
+                            "title": "Whether to enable MTLS for Target Allocator communication",
+                            "examples": [
+                                false
+                            ]
+                        }
+                    },
                     "examples": [
-                        ""
+                        {}
                     ]
                 },
                 "ports": {

charts/opentelemetry-operator/values.yaml

@@ -74,7 +74,12 @@ manager:
   # Prefix a gate with '-' to disable support.
   # Prefixing a gate with '+' or no prefix will enable support.
   # A full list of valid identifiers can be found here: https://github.com/open-telemetry/opentelemetry-operator/blob/main/pkg/featuregate/featuregate.go
+  # NOTE: the featureGates value is deprecated and will be replaced by featureGatesMap in the future.
   featureGates: ""
+  # The featureGatesMap will enable or disable specific feature gates in the operator as well as deploy any prerequisites for the feature gate.
+  # If this property is not an empty map, the featureGates property will be ignored.
+  featureGatesMap: {}
+    # targetAllocatorMtls: false
   ports:
     metricsPort: 8080
     webhookPort: 9443