Skip to content

Add TLS support for multiple flow-aggregators within the same namespace #7540

New issue
New issue
Open
#7559
Open
Add TLS support for multiple flow-aggregators within the same namespace#7540
#7559
Labels
area/flow-visibilityIssues or PRs related to flow visibility support in Antreaarea/flow-visibility/aggregatorIssues or PRs related to Flow Aggregatorarea/flow-visibility/exporterIssues or PRs related to the Flow Exporter functions in the Agentkind/featureCategorizes issue or PR as related to a new feature.
@andrew-su

Description

@andrew-su
andrew-su
opened on Nov 5, 2025

Describe the problem/challenge you have
Running flow aggregator as multi replica in proxy mode will only allow TLS to one of the N replicas.

Describe the solution you'd like
Only one replica should modify any of the shared resource and the others react to the change and update themselves accordingly.

Anything else you would like to add?
The flow aggregator is regenerating the ca, client and server certs on startup so the last flow aggregator "wins" by clobbering the certs for the other Flow Aggregators. This expands beyond multi-replica FA in proxy mode, as additional deployments to the same namespace should work/function similarly. The CA should be shared amongst all FA replicas (regardless of same deployment or not).

Metadata

Metadata

Assignees

No one assigned

    Labels

    area/flow-visibilityIssues or PRs related to flow visibility support in Antreaarea/flow-visibility/aggregatorIssues or PRs related to Flow Aggregatorarea/flow-visibility/exporterIssues or PRs related to the Flow Exporter functions in the Agentkind/featureCategorizes issue or PR as related to a new feature.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions