open-telemetry · Horiodino · Apr 16, 2026 · Apr 16, 2026 · Apr 17, 2026 · Apr 20, 2026
@@ -0,0 +1,17 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. collector, target allocator, auto-instrumentation, opamp, github action)
+component: target allocator
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: "Added a configurable mTLS option to the Target Allocator, allowing users to enable or disable mutual TLS via CRD instead of relying on a feature flag."
+
+# One or more tracking issues related to the change
+issues: [4915]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:
+
@@ -96,7 +96,7 @@ jobs:
         - group: e2e-metadata-filters
           setup: "add-operator-arg OPERATOR_ARG='--annotations-filter=.*filter.out --annotations-filter=config.*.gke.io.* --labels-filter=.*filter.out' prepare-e2e"
         - group: e2e-ta-collector-mtls
-          setup: "add-operator-arg OPERATOR_ARG='--feature-gates=operator.targetallocator.mtls' add-certmanager-permissions prepare-e2e"
+          setup: "add-certmanager-permissions prepare-e2e"
         - group: e2e-automatic-rbac
           setup: "add-rbac-permissions-to-operator prepare-e2e"
 

@@ -237,6 +237,21 @@ type TargetAllocatorEmbedded struct {
 	// +kubebuilder:default:="30s"
 	// +kubebuilder:validation:Format:=duration
 	CollectorTargetReloadInterval *metav1.Duration `json:"collectorTargetReloadInterval,omitempty"`
+
+	// Mtls defines the mTLS configuration for the target allocator. If enabled, the target allocator will communicate with the collector over mTLS.
+	// +optional
+	Mtls *TargetAllocatorMTLS `json:"mtls,omitempty"`
+}
+
+type TargetAllocatorMTLS struct {
+	// Enabled indicates whether to enable mTLS between the target allocator and the collector.
+	// +optional
+	Enabled bool `json:"enabled,omitempty"`
+	// UseCertManager defines whether cert-manager should be used to provision certificates for mTLS.
+	// Defaults to true.
+	// +optional
+	// +kubebuilder:default:=true
+	UseCertManager *bool `json:"useCertManager,omitempty"`
 }
 
 // Probe defines the OpenTelemetry's pod probe config.

@@ -8186,6 +8186,14 @@ spec:
                     type: string
                   image:
                     type: string
+                  mtls:
+                    properties:
+                      enabled:
+                        type: boolean
+                      useCertManager:
+                        default: true
+                        type: boolean
+                    type: object
                   nodeSelector:
                     additionalProperties:
                       type: string

@@ -99,7 +99,7 @@ metadata:
     categories: Logging & Tracing,Monitoring,Observability
     certified: "false"
     containerImage: ghcr.io/open-telemetry/opentelemetry-operator/opentelemetry-operator
-    createdAt: "2026-05-07T09:37:09Z"
+    createdAt: "2026-05-11T07:23:00Z"
     description: Provides the OpenTelemetry components, including the Collector
     operators.operatorframework.io/builder: operator-sdk-v1.29.0
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3

@@ -8185,6 +8185,14 @@ spec:
                     type: string
                   image:
                     type: string
+                  mtls:
+                    properties:
+                      enabled:
+                        type: boolean
+                      useCertManager:
+                        default: true
+                        type: boolean
+                    type: object
                   nodeSelector:
                     additionalProperties:
                       type: string

@@ -421,7 +421,9 @@ Prerequisites:
           - delete
         ```
 
-- Enable the `operator.targetallocator.mtls` feature gate in the operator's deployment. 
+* Configure mTLS by setting `spec.mtls.enabled: true` on the `TargetAllocator` CR.
+* If you create the allocator from an `OpenTelemetryCollector`, set `spec.targetAllocator.mtls.enabled: true` there instead; the operator forwards it into the generated `TargetAllocator` resource.
+* `useCertManager` defaults to `true`, so cert-manager will provision the serving and client certificates unless you explicitly disable it.
 
 
 

@@ -8172,6 +8172,14 @@ spec:
                     type: string
                   image:
                     type: string
+                  mtls:
+                    properties:
+                      enabled:
+                        type: boolean
+                      useCertManager:
+                        default: true
+                        type: boolean
+                    type: object
                   nodeSelector:
                     additionalProperties:
                       type: string

@@ -32251,6 +32251,13 @@ The default is relabel-config.<br/>
           Image indicates the container image to use for the OpenTelemetry TargetAllocator.<br/>
         </td>
         <td>false</td>
+      </tr><tr>
+        <td><b><a href="#opentelemetrycollectorspectargetallocatormtls">mtls</a></b></td>
+        <td>object</td>
+        <td>
+          Mtls defines the mTLS configuration for the target allocator. If enabled, the target allocator will communicate with the collector over mTLS.<br/>
+        </td>
+        <td>false</td>
       </tr><tr>
         <td><b>nodeSelector</b></td>
         <td>map[string]string</td>
@@ -34306,6 +34313,43 @@ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/nam
 </table>
 
 
+### OpenTelemetryCollector.spec.targetAllocator.mtls
+<sup><sup>[↩ Parent](#opentelemetrycollectorspectargetallocator-1)</sup></sup>
+
+
+
+Mtls defines the mTLS configuration for the target allocator. If enabled, the target allocator will communicate with the collector over mTLS.
+
+<table>
+    <thead>
+        <tr>
+            <th>Name</th>
+            <th>Type</th>
+            <th>Description</th>
+            <th>Required</th>
+        </tr>
+    </thead>
+    <tbody><tr>
+        <td><b>enabled</b></td>
+        <td>boolean</td>
+        <td>
+          Enabled indicates whether to enable mTLS between the target allocator and the collector.<br/>
+        </td>
+        <td>false</td>
+      </tr><tr>
+        <td><b>useCertManager</b></td>
+        <td>boolean</td>
+        <td>
+          UseCertManager defines whether cert-manager should be used to provision certificates for mTLS.
+Defaults to true.<br/>
+          <br/>
+            <i>Default</i>: true<br/>
+        </td>
+        <td>false</td>
+      </tr></tbody>
+</table>
+
+
 ### OpenTelemetryCollector.spec.targetAllocator.observability
 <sup><sup>[↩ Parent](#opentelemetrycollectorspectargetallocator-1)</sup></sup>
 

@@ -30,7 +30,6 @@ import (
 	"github.com/open-telemetry/opentelemetry-operator/internal/manifests/collector"
 	"github.com/open-telemetry/opentelemetry-operator/internal/manifests/manifestutils"
 	"github.com/open-telemetry/opentelemetry-operator/internal/manifests/targetallocator"
-	"github.com/open-telemetry/opentelemetry-operator/pkg/featuregate"
 )
 
 var (
@@ -2850,6 +2849,9 @@ prometheus_cr:
 						Name:      "test",
 						Namespace: "test",
 						Labels:    nil,
+						Annotations: map[string]string{
+							"opentelemetry.io/ta-mtls-enabled": "true",
+						},
 					},
 					Spec: v1alpha1.TargetAllocatorSpec{
 						FilterStrategy: v1beta1.TargetAllocatorFilterStrategyRelabelConfig,
@@ -2864,6 +2866,12 @@ prometheus_cr:
 						Namespace: "test",
 					},
 					Spec: v1beta1.OpenTelemetryCollectorSpec{
+						TargetAllocator: v1beta1.TargetAllocatorEmbedded{
+							Enabled: true,
+							Mtls: &v1beta1.TargetAllocatorMTLS{
+								Enabled: true,
+							},
+						},
 						Config: v1beta1.Config{
 							Receivers: v1beta1.AnyConfig{
 								Object: map[string]any{
@@ -2914,7 +2922,9 @@ prometheus_cr:
 							"app.kubernetes.io/part-of":    "opentelemetry",
 							"app.kubernetes.io/version":    "latest",
 						},
-						Annotations: nil,
+						Annotations: map[string]string{
+							"opentelemetry.io/ta-mtls-enabled": "true",
+						},
 					},
 					Data: map[string]string{
 						"targetallocator.yaml": `allocation_strategy: consistent-hashing
@@ -2992,6 +3002,7 @@ prometheus_cr:
 								},
 								Annotations: map[string]string{
 									"opentelemetry-targetallocator-config/hash": "02ef308f21c5312c388985bd8ca91246d1df7a3a5031135ec176f3c975e2fa37",
+									"opentelemetry.io/ta-mtls-enabled":          "true",
 								},
 							},
 							Spec: corev1.PodSpec{
@@ -3115,6 +3126,9 @@ prometheus_cr:
 							"app.kubernetes.io/part-of":    "opentelemetry",
 							"app.kubernetes.io/version":    "latest",
 						},
+						Annotations: map[string]string{
+							"opentelemetry.io/ta-mtls-enabled": "true",
+						},
 					},
 				},
 				&corev1.Service{
@@ -3168,6 +3182,7 @@ prometheus_cr:
 						},
 						Annotations: map[string]string{
 							"opentelemetry-targetallocator-config/hash": "02ef308f21c5312c388985bd8ca91246d1df7a3a5031135ec176f3c975e2fa37",
+							"opentelemetry.io/ta-mtls-enabled":          "true",
 						},
 					},
 					Spec: policyV1.PodDisruptionBudgetSpec{
@@ -3337,7 +3352,6 @@ prometheus_cr:
 				TargetAllocatorConfigMapEntry: "targetallocator.yaml",
 				CollectorConfigMapEntry:       "collector.yaml",
 			},
-			featuregates: []*colfeaturegate.Gate{featuregate.EnableTargetAllocatorMTLS},
 		},
 	}
 	for _, tt := range tests {

@@ -35,7 +35,6 @@ import (
 	"github.com/open-telemetry/opentelemetry-operator/internal/manifests/targetallocator"
 	taStatus "github.com/open-telemetry/opentelemetry-operator/internal/status/targetallocator"
 	"github.com/open-telemetry/opentelemetry-operator/pkg/constants"
-	"github.com/open-telemetry/opentelemetry-operator/pkg/featuregate"
 )
 
 // TargetAllocatorReconciler reconciles a TargetAllocator object.
@@ -200,7 +199,7 @@ func (r *TargetAllocatorReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		ctrlBuilder.Owns(&monitoringv1.PodMonitor{})
 	}
 
-	if r.config.CertManagerAvailability == certmanager.Available && featuregate.EnableTargetAllocatorMTLS.IsEnabled() {
+	if r.config.CertManagerAvailability == certmanager.Available {
 		ctrlBuilder.Owns(&cmv1.Certificate{})
 		ctrlBuilder.Owns(&cmv1.Issuer{})
 	}

@@ -9,14 +9,12 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	"github.com/open-telemetry/opentelemetry-operator/internal/autodetect/certmanager"
 	"github.com/open-telemetry/opentelemetry-operator/internal/components"
 	"github.com/open-telemetry/opentelemetry-operator/internal/manifests"
 	"github.com/open-telemetry/opentelemetry-operator/internal/manifests/manifestutils"
 	ta "github.com/open-telemetry/opentelemetry-operator/internal/manifests/targetallocator/adapters"
 	"github.com/open-telemetry/opentelemetry-operator/internal/naming"
 	"github.com/open-telemetry/opentelemetry-operator/pkg/constants"
-	"github.com/open-telemetry/opentelemetry-operator/pkg/featuregate"
 )
 
 func ConfigMap(params manifests.Params) (*corev1.ConfigMap, error) {
@@ -49,7 +47,7 @@ func ConfigMap(params manifests.Params) (*corev1.ConfigMap, error) {
 
 	replaceCfgOpts := []ta.TAOption{}
 
-	if otelCol.Spec.TargetAllocator.Enabled && params.Config.CertManagerAvailability == certmanager.Available && featuregate.EnableTargetAllocatorMTLS.IsEnabled() {
+	if isTAMTLSEnabledWithCertManager(params.Config, *otelCol) {
 		replaceCfgOpts = append(replaceCfgOpts, ta.WithTLSConfig(
 			filepath.Join(constants.TACollectorTLSDirPath, constants.TACollectorCAFileName),
 			filepath.Join(constants.TACollectorTLSDirPath, constants.TACollectorTLSCertFileName),

@@ -8,15 +8,14 @@ import (
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	colfg "go.opentelemetry.io/collector/featuregate"
 
+	"github.com/open-telemetry/opentelemetry-operator/apis/v1beta1"
 	"github.com/open-telemetry/opentelemetry-operator/internal/autodetect/certmanager"
 	"github.com/open-telemetry/opentelemetry-operator/internal/autodetect/openshift"
 	"github.com/open-telemetry/opentelemetry-operator/internal/autodetect/prometheus"
 	"github.com/open-telemetry/opentelemetry-operator/internal/config"
 	"github.com/open-telemetry/opentelemetry-operator/internal/manifests/manifestutils"
 	"github.com/open-telemetry/opentelemetry-operator/internal/naming"
-	"github.com/open-telemetry/opentelemetry-operator/pkg/featuregate"
 )
 
 func TestDesiredConfigMap(t *testing.T) {
@@ -150,9 +149,6 @@ service:
 			CertManagerAvailability:     certmanager.Available,
 		})
 		require.NoError(t, err)
-		flgs := featuregate.Flags(colfg.GlobalRegistry())
-		err = flgs.Parse([]string{"--feature-gates=operator.targetallocator.mtls"})
-		require.NoError(t, err)
 
 		hash, _ := manifestutils.GetConfigMapSHA(param.OtelCol.Spec.Config)
 		expectedName := naming.ConfigMap("test", hash)
@@ -162,6 +158,7 @@ service:
 		expectedLables["app.kubernetes.io/version"] = "latest"
 
 		param.OtelCol.Spec.TargetAllocator.Enabled = true
+		param.OtelCol.Spec.TargetAllocator.Mtls = &v1beta1.TargetAllocatorMTLS{Enabled: true}
 		actual, err := ConfigMap(param)
 
 		assert.NoError(t, err)
@@ -210,10 +207,7 @@ service:
 			CertManagerAvailability:     certmanager.Available,
 		})
 		require.NoError(t, err)
-		flgs := featuregate.Flags(colfg.GlobalRegistry())
-		err = flgs.Parse([]string{"--feature-gates=operator.targetallocator.mtls"})
 		param.TargetAllocator = nil
-		require.NoError(t, err)
 
 		hash, _ := manifestutils.GetConfigMapSHA(param.OtelCol.Spec.Config)
 		expectedName := naming.ConfigMap("test", hash)

@@ -15,7 +15,6 @@ import (
 	"k8s.io/apimachinery/pkg/util/validation"
 
 	"github.com/open-telemetry/opentelemetry-operator/apis/v1beta1"
-	"github.com/open-telemetry/opentelemetry-operator/internal/autodetect/certmanager"
 	"github.com/open-telemetry/opentelemetry-operator/internal/config"
 	"github.com/open-telemetry/opentelemetry-operator/internal/naming"
 	"github.com/open-telemetry/opentelemetry-operator/pkg/constants"
@@ -62,7 +61,7 @@ func Container(cfg config.Config, logger logr.Logger, otelcol v1beta1.OpenTeleme
 			})
 	}
 
-	if otelcol.Spec.TargetAllocator.Enabled && cfg.CertManagerAvailability == certmanager.Available && featuregate.EnableTargetAllocatorMTLS.IsEnabled() {
+	if isTAMTLSEnabledWithCertManager(cfg, otelcol) {
 		volumeMounts = append(volumeMounts,
 			corev1.VolumeMount{
 				Name:      naming.TAClientCertificate(otelcol.Name),