Ta update configs to enable mtls (#3015)

* Initial commit * Added Cert Manager CRDs & RBAC validation and management * Added relevant resources and started adding tests * Bump github.com/gin-gonic/gin from 1.9.1 to 1.10.0 (#2953) Bumps [github.com/gin-gonic/gin](https://github.com/gin-gonic/gin) from 1.9.1 to 1.10.0. - [Release notes](https://github.com/gin-gonic/gin/releases) - [Changelog](https://github.com/gin-gonic/gin/blob/master/CHANGELOG.md) - [Commits](gin-gonic/gin@v1.9.1...v1.10.0) --- updated-dependencies: - dependency-name: github.com/gin-gonic/gin dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump github.com/prometheus/prometheus in the prometheus group (#2951) Bumps the prometheus group with 1 update: [github.com/prometheus/prometheus](https://github.com/prometheus/prometheus). Updates `github.com/prometheus/prometheus` from 0.51.2 to 0.52.0 - [Release notes](https://github.com/prometheus/prometheus/releases) - [Changelog](https://github.com/prometheus/prometheus/blob/main/CHANGELOG.md) - [Commits](prometheus/prometheus@v0.51.2...v0.52.0) --- updated-dependencies: - dependency-name: github.com/prometheus/prometheus dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prometheus ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Support for collector readinessProbe (#2944) * enable readiness Probe for otel operator Signed-off-by: Janario Oliveira <[email protected]> * generate CRD and controller changes Signed-off-by: Janario Oliveira <[email protected]> * Adjusted code to be similar to Liveness logic Signed-off-by: Janario Oliveira <[email protected]> * Generated manifests Signed-off-by: Janario Oliveira <[email protected]> * Add changelog Signed-off-by: Janario Oliveira <[email protected]> * Fix lint Signed-off-by: Janario Oliveira <[email protected]> * Removed readinessProbe from alpha CRD Signed-off-by: Janario Oliveira <[email protected]> * Generated manifests Signed-off-by: Janario Oliveira <[email protected]> * Fix lint Signed-off-by: Janario Oliveira <[email protected]> * Centralized probe validation Signed-off-by: Janario Oliveira <[email protected]> --------- Signed-off-by: Janario Oliveira <[email protected]> Co-authored-by: hesam.hamdarsi <[email protected]> * Bump github.com/docker/docker (#2954) Bumps [github.com/docker/docker](https://github.com/docker/docker) from 26.0.1+incompatible to 26.0.2+incompatible. - [Release notes](https://github.com/docker/docker/releases) - [Commits](moby/moby@v26.0.1...v26.0.2) --- updated-dependencies: - dependency-name: github.com/docker/docker dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Added new Log Enconder Config (#2927) * Added new Log Enconder Config Signed-off-by: Yuri Sa <[email protected]> * Added new Log Enconder Config Signed-off-by: Yuri Sa <[email protected]> * Added new Log Enconder Config Signed-off-by: Yuri Sa <[email protected]> * Added new Log Enconder Config Signed-off-by: Yuri Sa <[email protected]> * Added new Log Enconder Config Signed-off-by: Yuri Sa <[email protected]> * Added new Log Enconder Config Signed-off-by: Yuri Sa <[email protected]> * Added new Debug doc Signed-off-by: Yuri Sa <[email protected]> --------- Signed-off-by: Yuri Sa <[email protected]> * [chore] move VineethReddy02 to emeritus (#2957) Signed-off-by: Juraci Paixão Kröhling <[email protected]> * Cleanup cluster roles and bindings (#2938) * Fix Signed-off-by: Pavol Loffay <[email protected]> * Fix Signed-off-by: Pavol Loffay <[email protected]> * Fix Signed-off-by: Pavol Loffay <[email protected]> * Fix Signed-off-by: Pavol Loffay <[email protected]> * Add test Signed-off-by: Pavol Loffay <[email protected]> --------- Signed-off-by: Pavol Loffay <[email protected]> * Fixed non-expected warnings on TA webhook. (#2962) Signed-off-by: Yuri Sa <[email protected]> * Verify ServiceMonitor and PodMonitor are installed in prom cr availability check (#2964) * Verify ServiceMonitor and PodMonitor are installed in prom cr availability check * Added changelog * Bump kyverno/action-install-chainsaw from 0.2.0 to 0.2.1 (#2968) Bumps [kyverno/action-install-chainsaw](https://github.com/kyverno/action-install-chainsaw) from 0.2.0 to 0.2.1. - [Release notes](https://github.com/kyverno/action-install-chainsaw/releases) - [Commits](kyverno/action-install-chainsaw@v0.2.0...v0.2.1) --- updated-dependencies: - dependency-name: kyverno/action-install-chainsaw dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Fix labels for Service Monitors (#2878) * Create a separate Service Monitor when the Prometheus exporter is present Signed-off-by: Israel Blancas <[email protected]> * Improve changelog Signed-off-by: Israel Blancas <[email protected]> * Fix prometheus-cr E2E test Signed-off-by: Israel Blancas <[email protected]> * Remove unused target Signed-off-by: Israel Blancas <[email protected]> * Add docstring Signed-off-by: Israel Blancas <[email protected]> * Fix typo Signed-off-by: Israel Blancas <[email protected]> * Change the label name Signed-off-by: Israel Blancas <[email protected]> * Change changelog description Signed-off-by: Israel Blancas <[email protected]> * Recover removed labels Signed-off-by: Israel Blancas <[email protected]> * Add missing labels Signed-off-by: Israel Blancas <[email protected]> * Remove wrong labels Signed-off-by: Israel Blancas <[email protected]> --------- Signed-off-by: Israel Blancas <[email protected]> * Prepare release 0.100.0 (#2960) * Prepare release 0.100.0 Signed-off-by: Vineeth Pothulapati <[email protected]> * update the chlog * update the chlog with #2877 merge --------- Signed-off-by: Vineeth Pothulapati <[email protected]> * [chore] Refactor allocation strategies (#2928) * Refactor consistent-hashing strategy * Refactor per-node strategy * Refactor least-weighted strategy * Minor allocation strategy refactor * Add some common allocation strategy tests * Fix collector and target reassignment * Minor allocator fixes * Add changelog entry * Fix an incorrect comment * Bring back webhook port (#2973) * add back webhook port * chlog * patch 0.100.1 (#2974) * Update the OpenTelemetry Java agent version to 2.4.0 (#2967) * simplify deletion logic (#2971) * Update maintainers in the operator hub PR (#2977) Signed-off-by: Pavol Loffay <[email protected]> * Support for kubernetes 1.30 version (#2975) * Support for kubernetes 1.30 version * Update makefile * [chore] Move TargetAllocator CRD to v1alpha1 (#2918) * [featuregate] Automatically set GOMEMLIMIT and GOMAXPROCS for collector, target allocator, opamp bridge (#2933) * set things * fix kustomize shim * restore, better chlog * Fix querying OpenShift user workload monitoring stack. (#2984) * Bump alpine from 3.19 to 3.20 (#2990) Bumps alpine from 3.19 to 3.20. --- updated-dependencies: - dependency-name: alpine dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump alpine from 3.19 to 3.20 in /cmd/operator-opamp-bridge (#2991) Bumps alpine from 3.19 to 3.20. --- updated-dependencies: - dependency-name: alpine dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump github.com/go-logr/logr from 1.4.1 to 1.4.2 (#2987) Bumps [github.com/go-logr/logr](https://github.com/go-logr/logr) from 1.4.1 to 1.4.2. - [Release notes](https://github.com/go-logr/logr/releases) - [Changelog](https://github.com/go-logr/logr/blob/master/CHANGELOG.md) - [Commits](go-logr/logr@v1.4.1...v1.4.2) --- updated-dependencies: - dependency-name: github.com/go-logr/logr dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump kyverno/action-install-chainsaw from 0.2.1 to 0.2.2 (#2989) Bumps [kyverno/action-install-chainsaw](https://github.com/kyverno/action-install-chainsaw) from 0.2.1 to 0.2.2. - [Release notes](https://github.com/kyverno/action-install-chainsaw/releases) - [Commits](kyverno/action-install-chainsaw@v0.2.1...v0.2.2) --- updated-dependencies: - dependency-name: kyverno/action-install-chainsaw dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump the otel group with 5 updates (#2986) Bumps the otel group with 5 updates: | Package | From | To | | --- | --- | --- | | [go.opentelemetry.io/otel](https://github.com/open-telemetry/opentelemetry-go) | `1.26.0` | `1.27.0` | | [go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp](https://github.com/open-telemetry/opentelemetry-go) | `1.26.0` | `1.27.0` | | [go.opentelemetry.io/otel/metric](https://github.com/open-telemetry/opentelemetry-go) | `1.26.0` | `1.27.0` | | [go.opentelemetry.io/otel/sdk](https://github.com/open-telemetry/opentelemetry-go) | `1.26.0` | `1.27.0` | | [go.opentelemetry.io/otel/sdk/metric](https://github.com/open-telemetry/opentelemetry-go) | `1.26.0` | `1.27.0` | Updates `go.opentelemetry.io/otel` from 1.26.0 to 1.27.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go@v1.26.0...v1.27.0) Updates `go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp` from 1.26.0 to 1.27.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go@v1.26.0...v1.27.0) Updates `go.opentelemetry.io/otel/metric` from 1.26.0 to 1.27.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go@v1.26.0...v1.27.0) Updates `go.opentelemetry.io/otel/sdk` from 1.26.0 to 1.27.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go@v1.26.0...v1.27.0) Updates `go.opentelemetry.io/otel/sdk/metric` from 1.26.0 to 1.27.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go@v1.26.0...v1.27.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/otel dependency-type: direct:production update-type: version-update:semver-minor dependency-group: otel - dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp dependency-type: direct:production update-type: version-update:semver-minor dependency-group: otel - dependency-name: go.opentelemetry.io/otel/metric dependency-type: direct:production update-type: version-update:semver-minor dependency-group: otel - dependency-name: go.opentelemetry.io/otel/sdk dependency-type: direct:production update-type: version-update:semver-minor dependency-group: otel - dependency-name: go.opentelemetry.io/otel/sdk/metric dependency-type: direct:production update-type: version-update:semver-minor dependency-group: otel ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump alpine from 3.19 to 3.20 in /cmd/otel-allocator (#2992) Bumps alpine from 3.19 to 3.20. --- updated-dependencies: - dependency-name: alpine dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Keep multiple versions of Collector Config (#2946) * Prepare v0.101.0 release (#2994) * Prepare v0.101.0 release * Undo kustomize stuff * Undo kustomize stuff again * Undo kustomize stuff again * Apply feedback * Add crd metrics usage information (#2825) * Add crd metrics usage information Signed-off-by: Ruben Vargas <[email protected]> * Add mode metric Signed-off-by: Ruben Vargas <[email protected]> * Refactor CR metrics Signed-off-by: Ruben Vargas <[email protected]> * Add annotation to avoid generate Metrics Signed-off-by: Ruben Vargas <[email protected]> * Add unit tests Signed-off-by: Ruben Vargas <[email protected]> * remove space Signed-off-by: Ruben Vargas <[email protected]> * remove global provider Signed-off-by: Ruben Vargas <[email protected]> * Update main.go Co-authored-by: Israel Blancas <[email protected]> * revert kusttomization.yaml Signed-off-by: Ruben Vargas <[email protected]> * rename some constants Signed-off-by: Ruben Vargas <[email protected]> * Add connectors metrics Signed-off-by: Ruben Vargas <[email protected]> * Update chlog Signed-off-by: Ruben Vargas <[email protected]> * merge new with init, rename some functions, improve changelog entry Signed-off-by: Ruben Vargas <[email protected]> * improve todo comment Signed-off-by: Ruben Vargas <[email protected]> * fix tests Signed-off-by: Ruben Vargas <[email protected]> * set flag to default false Signed-off-by: Ruben Vargas <[email protected]> * fix lint issues Signed-off-by: Ruben Vargas <[email protected]> * breaking line Signed-off-by: Ruben Vargas <[email protected]> * Use api reader to avoid cache issues Signed-off-by: Ruben Vargas <[email protected]> * Add info metric to changelog entry Signed-off-by: Ruben Vargas <[email protected]> --------- Signed-off-by: Ruben Vargas <[email protected]> Co-authored-by: Israel Blancas <[email protected]> * Update selector documentation for Target Allocator (#3001) * Bump github.com/prometheus/prometheus in the prometheus group (#3004) Bumps the prometheus group with 1 update: [github.com/prometheus/prometheus](https://github.com/prometheus/prometheus). Updates `github.com/prometheus/prometheus` from 0.52.0 to 0.52.1 - [Release notes](https://github.com/prometheus/prometheus/releases) - [Changelog](https://github.com/prometheus/prometheus/blob/main/CHANGELOG.md) - [Commits](prometheus/prometheus@v0.52.0...v0.52.1) --- updated-dependencies: - dependency-name: github.com/prometheus/prometheus dependency-type: direct:production update-type: version-update:semver-patch dependency-group: prometheus ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump kyverno/action-install-chainsaw from 0.2.2 to 0.2.3 (#3003) Bumps [kyverno/action-install-chainsaw](https://github.com/kyverno/action-install-chainsaw) from 0.2.2 to 0.2.3. - [Release notes](https://github.com/kyverno/action-install-chainsaw/releases) - [Commits](kyverno/action-install-chainsaw@v0.2.2...v0.2.3) --- updated-dependencies: - dependency-name: kyverno/action-install-chainsaw dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Introduce simplified parsers (#2972) * Bump go.opentelemetry.io/otel/exporters/prometheus in the otel group (#3005) Bumps the otel group with 1 update: [go.opentelemetry.io/otel/exporters/prometheus](https://github.com/open-telemetry/opentelemetry-go). Updates `go.opentelemetry.io/otel/exporters/prometheus` from 0.48.0 to 0.49.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go@example/prometheus/v0.48.0...example/prometheus/v0.49.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/otel/exporters/prometheus dependency-type: direct:production update-type: version-update:semver-minor dependency-group: otel ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump go.uber.org/zap from 1.26.0 to 1.27.0 (#3006) Bumps [go.uber.org/zap](https://github.com/uber-go/zap) from 1.26.0 to 1.27.0. - [Release notes](https://github.com/uber-go/zap/releases) - [Changelog](https://github.com/uber-go/zap/blob/master/CHANGELOG.md) - [Commits](uber-go/zap@v1.26.0...v1.27.0) --- updated-dependencies: - dependency-name: go.uber.org/zap dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update Kafka version in e2e test (#3009) * [chore] Bump opentelemetry-autoinstrumentation-python to 0.45b0 (#3000) * chore: Bump opentelemetry-autoinstrumentation-python to 0.45b0 * [chore] add psycopg==0.45b0 * Fix annotation/label filter setting (#3008) * fix how options are loaded by removing special casing * oop * chlog * update to specific test * oop * Added Cert Manager CRDs & RBAC validation and management * Added relevant resources and started adding tests * minor change * Minor change * minor change * Cleanup * Cleanup, go tidy and resolved conflics * Restored local dev changes * Refactored, removed init container, minor changes * Use correct files in TLS config * Added default value to getHttpsListenAddr * Added flag to enable mTLS between the Target Allocator and the Collector. go mod cleanup * Using the enable mTLS flag * Using feature gate in place of command line flags to enable the feature * Removed flag from manager yaml * Added featuregate func description * Initial unit/e2e tests. some cleanup * Using TA params * Cleanup makefile from local changes * Added step to create cert manager RBAC for e2e mtls tests * Using Kustomize for patching certmanager permissions * Cleanup chainsaw test * Cleanup chainsaw tests * e2e test case verifying Collector got secret from TA over mTLS * Added changelog, fixed unit tests * restored makefile * Renamed fg import * Linting rules for imports * Added more tests, updated the readme * Added steps in e2e tests for new app * Ran go mod tidy * Added new variable to test TA's AddTAConfigToPromConfig * Setting otel-col-contrib 0.108.0 in e2e test until operator gets updated * Update pkg/featuregate/featuregate.go Co-authored-by: Jacob Aronoff <[email protected]> * Added https, serviceMonitor and tls resources assertions to e2e tests * Using namespaced names for ClusterRoles * Cleanup * Added CertManager resources unit tests * Added unit tests and e2e assertions * Added missing assertion call * Update 00-install.yaml Removed collector image override for e2e test * Update pkg/featuregate/featuregate.go Co-authored-by: Mikołaj Świątek <[email protected]> * Minor fixes * Fixed tests referencing logging exporter * Moved mTLS file naming consts * Added missing curly bracket * Update TA-update-configs-to-enable-mtls.yaml * Update pkg/featuregate/featuregate.go Co-authored-by: Mikołaj Świątek <[email protected]> --------- Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Janario Oliveira <[email protected]> Signed-off-by: Yuri Sa <[email protected]> Signed-off-by: Juraci Paixão Kröhling <[email protected]> Signed-off-by: Pavol Loffay <[email protected]> Signed-off-by: Israel Blancas <[email protected]> Signed-off-by: Vineeth Pothulapati <[email protected]> Signed-off-by: Ruben Vargas <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Janario Oliveira <[email protected]> Co-authored-by: hesam.hamdarsi <[email protected]> Co-authored-by: Yuri Sa <[email protected]> Co-authored-by: Juraci Paixão Kröhling <[email protected]> Co-authored-by: Pavol Loffay <[email protected]> Co-authored-by: Aksel Skaar Leirvaag <[email protected]> Co-authored-by: Israel Blancas <[email protected]> Co-authored-by: Vineeth Pothulapati <[email protected]> Co-authored-by: Mikołaj Świątek <[email protected]> Co-authored-by: Jacob Aronoff <[email protected]> Co-authored-by: OpenTelemetry Bot <[email protected]> Co-authored-by: Vasi Vasireddy <[email protected]> Co-authored-by: Ishwar Kanse <[email protected]> Co-authored-by: Matt Hagenbuch <[email protected]> Co-authored-by: Tyler Helmuth <[email protected]> Co-authored-by: Ruben Vargas <[email protected]> Co-authored-by: brandonkzw <[email protected]> Co-authored-by: Mikołaj Świątek <[email protected]>
open-telemetry · Oct 10, 2024 · b038590 · b038590
1 parent 65b40cb
commit b038590
Show file tree

Hide file tree

Showing 58 changed files with 2,706 additions and 71 deletions.
diff --git a/.chloggen/TA-update-configs-to-enable-mtls.yaml b/.chloggen/TA-update-configs-to-enable-mtls.yaml
@@ -0,0 +1,18 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. collector, target allocator, auto-instrumentation, opamp, github action)
+component: target allocator, collector
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: "Enable mTLS between the TA and collector for passing secrets in the scrape_config securely"
+
+# One or more tracking issues related to the change
+issues: [1669]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext: |
+  This change enables mTLS between the collector and the target allocator (requires cert-manager).
+  This is necessary for passing secrets securely from the TA to the collector for scraping endpoints that have authentication.
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
@@ -34,13 +34,16 @@ jobs:
          - e2e-upgrade
          - e2e-multi-instrumentation
          - e2e-metadata-filters
+         - e2e-ta-collector-mtls
        include:
          - group: e2e-instrumentation
            setup: "add-instrumentation-params prepare-e2e"
          - group: e2e-multi-instrumentation
            setup: "add-instrumentation-params prepare-e2e"
          - group: e2e-metadata-filters
            setup: "add-operator-arg OPERATOR_ARG='--annotations-filter=.*filter.out --annotations-filter=config.*.gke.io.* --labels-filter=.*filter.out' prepare-e2e"
+         - group: e2e-ta-collector-mtls
+           setup: "add-operator-arg OPERATOR_ARG='--feature-gates=operator.targetallocator.mtls' add-certmanager-permissions prepare-e2e"
          - group: e2e-automatic-rbac
            setup: "add-rbac-permissions-to-operator prepare-e2e"
     steps:

diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,3 @@
-
 # Binaries for programs and plugins
 *.exe
 *.exe~
@@ -39,8 +38,9 @@ config/manager/kustomization.yaml
 kubeconfig
 tests/_build/
 config/rbac/extra-permissions-operator/
+config/rbac/certmanager-permissions/
 
 # autoinstrumentation artifacts
 build
 node_modules
-package-lock.json
+package-lock.json
diff --git a/Makefile b/Makefile
@@ -312,6 +312,18 @@ e2e-prometheuscr: chainsaw
 e2e-targetallocator: chainsaw
 	$(CHAINSAW) test --test-dir ./tests/e2e-targetallocator
 
+.PHONY: add-certmanager-permissions
+add-certmanager-permissions: 
+	# Kustomize only allows patches in the folder where the kustomization is located
+	# This folder is ignored by .gitignore
+	cp -r tests/e2e-ta-collector-mtls/certmanager-permissions config/rbac/certmanager-permissions
+	cd config/rbac && $(KUSTOMIZE) edit add patch --kind ClusterRole --name manager-role --path certmanager-permissions/certmanager.yaml
+
+# Target allocator collector mTLS end-to-tests
+.PHONY: e2e-ta-collector-mtls
+e2e-ta-collector-mtls: chainsaw
+	$(CHAINSAW) test --test-dir ./tests/e2e-ta-collector-mtls
+
 # end-to-end-test for Annotations/Labels Filters
 .PHONY: e2e-metadata-filters
 e2e-metadata-filters: chainsaw

diff --git a/cmd/otel-allocator/README.md b/cmd/otel-allocator/README.md
@@ -211,9 +211,42 @@ rules:
 
 ### Service / Pod monitor endpoint credentials
 
-If your service or pod monitor endpoints require credentials or other supported form of authentication (bearer token, basic auth, OAuth2 etc.), you need to ensure that the collector has access to this information. Due to some limitations in how the endpoints configuration is handled, target allocator currently does **not** support credentials provided via secrets. It is only possible to provide credentials in a file (for more details see issue https://github.com/open-telemetry/opentelemetry-operator/issues/1669).
+If your service or pod monitor endpoints require authentication (such as bearer tokens, basic auth, OAuth2, etc.), you must ensure that the collector has access to these credentials.
+
+To secure the connection between the target allocator and the collector so that the secrets can be retrieved, mTLS is used. This involves the use of cert-manager to manage the CA, server, and client certificates.
+
+Prerequisites:
+- Ensure cert-manager is installed in your Kubernetes cluster.
+- Grant RBAC Permissions:
+
+    - The target allocator needs the appropriate RBAC permissions to get the secrets referenced in the Service / Pod monitor.
+
+    -  The operator needs the appropriate RBAC permissions to manage cert-manager resources. The following clusterRole can be used to grant the necessary permissions:
+
+        ```yaml
+        apiVersion: rbac.authorization.k8s.io/v1
+        kind: ClusterRole
+        metadata:
+          name:  opentelemetry-operator-controller-manager-cert-manager-role
+        rules:
+        - apiGroups:
+          - cert-manager.io
+          resources:
+          - issuers
+          - certificaterequests
+          - certificates
+          verbs:
+          - create
+          - get
+          - list
+          - watch
+          - update
+          - patch
+          - delete
+        ```
+
+- Enable the `operator.targetallocator.mtls` feature gate in the operator's deployment. 
 
-In order to ensure your endpoints can be scraped, your collector instance needs to have the particular secret mounted as a file at the correct path.
 
 
 # Design

diff --git a/cmd/otel-allocator/config/config.go b/cmd/otel-allocator/config/config.go
@@ -115,29 +115,34 @@ func LoadFromCLI(target *Config, flagSet *pflag.FlagSet) error {
 		target.PrometheusCR.Enabled = prometheusCREnabled
 	}
 
-	target.HTTPS.Enabled, err = getHttpsEnabled(flagSet)
-	if err != nil {
+	if httpsEnabled, changed, err := getHttpsEnabled(flagSet); err != nil {
 		return err
+	} else if changed {
+		target.HTTPS.Enabled = httpsEnabled
 	}
 
-	target.HTTPS.ListenAddr, err = getHttpsListenAddr(flagSet)
-	if err != nil {
+	if listenAddrHttps, changed, err := getHttpsListenAddr(flagSet); err != nil {
 		return err
+	} else if changed {
+		target.HTTPS.ListenAddr = listenAddrHttps
 	}
 
-	target.HTTPS.CAFilePath, err = getHttpsCAFilePath(flagSet)
-	if err != nil {
+	if caFilePath, changed, err := getHttpsCAFilePath(flagSet); err != nil {
 		return err
+	} else if changed {
+		target.HTTPS.CAFilePath = caFilePath
 	}
 
-	target.HTTPS.TLSCertFilePath, err = getHttpsTLSCertFilePath(flagSet)
-	if err != nil {
+	if tlsCertFilePath, changed, err := getHttpsTLSCertFilePath(flagSet); err != nil {
 		return err
+	} else if changed {
+		target.HTTPS.TLSCertFilePath = tlsCertFilePath
 	}
 
-	target.HTTPS.TLSKeyFilePath, err = getHttpsTLSKeyFilePath(flagSet)
-	if err != nil {
+	if tlsKeyFilePath, changed, err := getHttpsTLSKeyFilePath(flagSet); err != nil {
 		return err
+	} else if changed {
+		target.HTTPS.TLSKeyFilePath = tlsKeyFilePath
 	}
 
 	return nil

diff --git a/cmd/otel-allocator/config/config_test.go b/cmd/otel-allocator/config/config_test.go
@@ -64,6 +64,7 @@ func TestLoad(t *testing.T) {
 				},
 				HTTPS: HTTPSServerConfig{
 					Enabled:         true,
+					ListenAddr:      ":8443",
 					CAFilePath:      "/path/to/ca.pem",
 					TLSCertFilePath: "/path/to/cert.pem",
 					TLSKeyFilePath:  "/path/to/key.pem",

diff --git a/cmd/otel-allocator/config/flags.go b/cmd/otel-allocator/config/flags.go
@@ -78,22 +78,47 @@ func getPrometheusCREnabled(flagSet *pflag.FlagSet) (value bool, changed bool, e
 	return
 }
 
-func getHttpsListenAddr(flagSet *pflag.FlagSet) (string, error) {
-	return flagSet.GetString(listenAddrHttpsFlagName)
+func getHttpsListenAddr(flagSet *pflag.FlagSet) (value string, changed bool, err error) {
+	if changed = flagSet.Changed(listenAddrHttpsFlagName); !changed {
+		value, err = ":8443", nil
+		return
+	}
+	value, err = flagSet.GetString(listenAddrHttpsFlagName)
+	return
 }
 
-func getHttpsEnabled(flagSet *pflag.FlagSet) (bool, error) {
-	return flagSet.GetBool(httpsEnabledFlagName)
+func getHttpsEnabled(flagSet *pflag.FlagSet) (value bool, changed bool, err error) {
+	if changed = flagSet.Changed(httpsEnabledFlagName); !changed {
+		value, err = false, nil
+		return
+	}
+	value, err = flagSet.GetBool(httpsEnabledFlagName)
+	return
 }
 
-func getHttpsCAFilePath(flagSet *pflag.FlagSet) (string, error) {
-	return flagSet.GetString(httpsCAFilePathFlagName)
+func getHttpsCAFilePath(flagSet *pflag.FlagSet) (value string, changed bool, err error) {
+	if changed = flagSet.Changed(httpsCAFilePathFlagName); !changed {
+		value, err = "", nil
+		return
+	}
+	value, err = flagSet.GetString(httpsCAFilePathFlagName)
+	return
 }
 
-func getHttpsTLSCertFilePath(flagSet *pflag.FlagSet) (string, error) {
-	return flagSet.GetString(httpsTLSCertFilePathFlagName)
+func getHttpsTLSCertFilePath(flagSet *pflag.FlagSet) (value string, changed bool, err error) {
+	if changed = flagSet.Changed(httpsTLSCertFilePathFlagName); !changed {
+		value, err = "", nil
+		return
+	}
+	value, err = flagSet.GetString(httpsTLSCertFilePathFlagName)
+	return
 }
 
-func getHttpsTLSKeyFilePath(flagSet *pflag.FlagSet) (string, error) {
-	return flagSet.GetString(httpsTLSKeyFilePathFlagName)
+func getHttpsTLSKeyFilePath(flagSet *pflag.FlagSet) (value string, changed bool, err error) {
+	if changed = flagSet.Changed(httpsTLSKeyFilePathFlagName); !changed {
+		value, err = "", nil
+		return
+	}
+	value, err = flagSet.GetString(httpsTLSKeyFilePathFlagName)
+	return
 }
diff --git a/cmd/otel-allocator/config/flags_test.go b/cmd/otel-allocator/config/flags_test.go
@@ -77,13 +77,19 @@ func TestFlagGetters(t *testing.T) {
 			name:          "HttpsServer",
 			flagArgs:      []string{"--" + httpsEnabledFlagName, "true"},
 			expectedValue: true,
-			getterFunc:    func(fs *pflag.FlagSet) (interface{}, error) { return getHttpsEnabled(fs) },
+			getterFunc: func(fs *pflag.FlagSet) (interface{}, error) {
+				value, _, err := getHttpsEnabled(fs)
+				return value, err
+			},
 		},
 		{
 			name:          "HttpsServerKey",
 			flagArgs:      []string{"--" + httpsTLSKeyFilePathFlagName, "/path/to/tls.key"},
 			expectedValue: "/path/to/tls.key",
-			getterFunc:    func(fs *pflag.FlagSet) (interface{}, error) { return getHttpsTLSKeyFilePath(fs) },
+			getterFunc: func(fs *pflag.FlagSet) (interface{}, error) {
+				value, _, err := getHttpsTLSKeyFilePath(fs)
+				return value, err
+			},
 		},
 	}
 

diff --git a/cmd/otel-allocator/config/testdata/config_test.yaml b/cmd/otel-allocator/config/testdata/config_test.yaml
@@ -7,6 +7,7 @@ prometheus_cr:
   scrape_interval: 60s
 https:
   enabled: true
+  listen_addr: :8443
   ca_file_path: /path/to/ca.pem
   tls_cert_file_path: /path/to/cert.pem
   tls_key_file_path: /path/to/key.pem