open-telemetry · swiatekm · Oct 20, 2025 · Sep 19, 2025 · Sep 20, 2025 · Sep 22, 2025
@@ -0,0 +1,16 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: bug_fix
+
+# The name of the component, or a single word describing the area of concern, (e.g. collector, target allocator, auto-instrumentation, opamp, github action)
+component: target allocator
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Add missing TA ownership watches to cert-manager Certificate and Issuer
+
+# One or more tracking issues related to the change
+issues: [4368]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:
@@ -610,7 +610,7 @@ CHAINSAW_VERSION ?= v0.2.13
 GOTESTSUM_VERSION ?= v1.13.0
 
 .PHONY: install-tools
-install-tools: kustomize golangci-lint kind controller-gen envtest crdoc operator-sdk chainsaw gotestsum
+install-tools: kustomize golangci-lint kind controller-gen envtest crdoc operator-sdk chainsaw gotestsum cmctl
 
 .PHONY: kustomize
 kustomize: ## Download kustomize locally if necessary.

@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"slices"
 
+	cmv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
 	"github.com/go-logr/logr"
 	monitoringv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
 	appsv1 "k8s.io/api/apps/v1"
@@ -28,11 +29,13 @@ import (
 
 	"github.com/open-telemetry/opentelemetry-operator/apis/v1alpha1"
 	"github.com/open-telemetry/opentelemetry-operator/apis/v1beta1"
+	"github.com/open-telemetry/opentelemetry-operator/internal/autodetect/certmanager"
 	"github.com/open-telemetry/opentelemetry-operator/internal/autodetect/prometheus"
 	"github.com/open-telemetry/opentelemetry-operator/internal/config"
 	"github.com/open-telemetry/opentelemetry-operator/internal/manifests/targetallocator"
 	taStatus "github.com/open-telemetry/opentelemetry-operator/internal/status/targetallocator"
 	"github.com/open-telemetry/opentelemetry-operator/pkg/constants"
+	"github.com/open-telemetry/opentelemetry-operator/pkg/featuregate"
 )
 
 // TargetAllocatorReconciler reconciles a TargetAllocator object.
@@ -195,6 +198,11 @@ func (r *TargetAllocatorReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		ctrlBuilder.Owns(&monitoringv1.PodMonitor{})
 	}
 
+	if r.config.CertManagerAvailability == certmanager.Available && featuregate.EnableTargetAllocatorMTLS.IsEnabled() {
+		ctrlBuilder.Owns(&cmv1.Certificate{})
+		ctrlBuilder.Owns(&cmv1.Issuer{})
+	}
+
 	// watch collectors which have embedded Target Allocator enabled
 	// we need to do this separately from collector reconciliation, as changes to Config will not lead to changes
 	// in the TargetAllocator CR

@@ -60,6 +60,7 @@ rules:
   resources:
   - servicemonitors
   - podmonitors
+  - scrapeconfigs
   verbs:
   - get
   - watch

@@ -0,0 +1,29 @@
+# Certificate renewal triggered by cmctl in the test.
+# Testing that the ownership watcher fix allows TA to work with renewed certificates
+# WITHOUT requiring manual Secret deletion
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: check-ta-after-cert-renewal
+status:
+  succeeded: 1
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: prometheus-cr-ta-server-cert
+status:
+  conditions:
+  - type: Ready
+    status: "True"
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: prometheus-cr-targetallocator
+spec:
+  replicas: 1
+status:
+  readyReplicas: 1
+  replicas: 1
@@ -0,0 +1,42 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: check-ta-after-cert-renewal
+spec:
+  template:
+    spec:
+      restartPolicy: OnFailure
+      containers:
+        - name: check-ta
+          image: curlimages/curl
+          volumeMounts:
+            - name: tls-secret
+              mountPath: /etc/tls
+              readOnly: true
+          args:
+            - /bin/sh
+            - -c
+            - |
+              # Certificate renewal was triggered by the patch command in chainsaw
+              # The ownership watcher fix should ensure the controller gets notified
+              # and the TA continues serving with the renewed certificate
+              sleep 10
+
+              # Test that TA is still serving over HTTPS with renewed certificates
+              # WITHOUT requiring manual Secret deletion
+              curl -s \
+                --cert /etc/tls/tls.crt \
+                --key /etc/tls/tls.key \
+                --cacert /etc/tls/ca.crt \
+                https://prometheus-cr-targetallocator:443
+
+              # Also test that scrape_configs endpoint is working
+              curl -s \
+                --cert /etc/tls/tls.crt \
+                --key /etc/tls/tls.key \
+                --cacert /etc/tls/ca.crt \
+                https://prometheus-cr-targetallocator:443/scrape_configs
+      volumes:
+        - name: tls-secret
+          secret:
+            secretName: prometheus-cr-ta-client-cert
@@ -31,4 +31,21 @@ spec:
         file: 02-assert.yaml
     catch:
     - podLogs:
-        selector: app.kubernetes.io/managed-by=opentelemetry-operator
+        selector: app.kubernetes.io/managed-by=opentelemetry-operator
+  - name: step-03
+    try:
+    - command:
+        entrypoint: bash
+        args:
+          - -c
+          - "$(git rev-parse --show-toplevel)/bin/cmctl renew prometheus-cr-ta-server-cert -n ${NAMESPACE}"
+    - sleep:
+        duration: 30s
+    - apply:
+        template: true
+        file: 03-install.yaml
+    - assert:
+        file: 03-assert.yaml
+    catch:
+    - podLogs:
+        selector: app.kubernetes.io/managed-by=opentelemetry-operator