When deploying a FlowCollector CR with an OpenTelemetry gRPC exporter that has TLS enabled, the NetObserv operator generates a volume name that violates RFC 1123 DNS label naming constraints, like Otel-export-0-ca. This prevents the FLP Deployment from being created when TLS is enabled on the OTLP exporter.
Observed Error:
netobserv-controller-manager-77dfd64cbd-ds7rc manager 2026-04-01T08:18:22.292Z INFO flp.monolith CREATING a new *v1.Deployment {"Namespace": "netobserv", "Name": "flowlogs-pipeline"}
netobserv-controller-manager-77dfd64cbd-ds7rc manager 2026-04-01T08:18:22.297Z INFO flp.monolith.narrowcache Invalidating cache entry {"name": "flowlogs-pipeline", "namespace": "netobserv"}
netobserv-controller-manager-77dfd64cbd-ds7rc manager 2026-04-01T08:18:22.297Z ERROR flp.monolith Failed to create new *v1.Deployment {"Namespace": "netobserv", "Name": "flowlogs-pipeline", "error": "Deployment.apps \"flowlogs-pipeline\" is invalid: [spec.template.spec.volumes[2].name: Invalid value: \"Otel-export-0-ca\": a lowercase RFC 1123 label must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character (e.g. 'my-name', or '123-abc', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?'), spec.template.spec.containers[0].volumeMounts[2].name: Not found: \"Otel-export-0-ca\"]"}
probable cause:
the operator's exporter name generation logic does not lowercase the exporter type name correctly before creating volume names. When the exporter type is OpenTelemetry, the resulting volume name seems to retain uppercase letters (?)
How to reproduce:
apiVersion: flows.netobserv.io/v1beta2
kind: FlowCollector
metadata:
name: cluster
spec:
namespace: netobserv
deploymentModel: Service
agent:
ebpf:
sampling: 5
processor:
logLevel: info
consolePlugin:
enable: false
loki:
enable: false
exporters:
- type: OpenTelemetry
openTelemetry:
targetHost: vector.example.svc.cluster.local
targetPort: 4317
protocol: grpc
logs:
enable: true
metrics:
enable: false
tls:
enable: true # <== issue triggered when TLS is enabled here
insecureSkipVerify: false
caCert:
type: configmap
name: service-ca
certFile: service-ca.crt
Disabling the above TLS setting omits the CA volume creation in the deployment and is our current workaround for the POC, however using non-TLS connections is of course against company policy...
Environment is a OpenShift 4.20 ROSA cluster.
When deploying a FlowCollector CR with an OpenTelemetry gRPC exporter that has TLS enabled, the NetObserv operator generates a volume name that violates RFC 1123 DNS label naming constraints, like
Otel-export-0-ca. This prevents the FLP Deployment from being created when TLS is enabled on the OTLP exporter.Observed Error:
probable cause:
the operator's exporter name generation logic does not lowercase the exporter type name correctly before creating volume names. When the exporter type is OpenTelemetry, the resulting volume name seems to retain uppercase letters (?)
How to reproduce:
Disabling the above TLS setting omits the CA volume creation in the deployment and is our current workaround for the POC, however using non-TLS connections is of course against company policy...
Environment is a OpenShift 4.20 ROSA cluster.