Skip to main content

Agent Operator minimum configuration

All configuration of the operator is handled through the use of Kubernetes native configuration entities defined by custom resource definitions (CRDs). The CRDs are deployed with the operator and define how to interact with the operator's configuration entities.

Tooling such as Visual Studio Code's Kubernetes extension can aid in creating syntactically correct entities in your cluster.

The full schema is documented in the Agent Operator configuration. This section only covers the minimal setup required and may not cover all situations.

Minimum configuration

For a minimum setup, 3 manifests are required.

  1. First, a standard Kubernetes Secret contains the necessary connection keys to authenticate to your Contrast server instance. The Secret must be deployed into the same namespace as the ClusterAgentConnection entity. You can find your agent keys under find the agent keys.

    apiVersion: v1
kind: Secret
metadata:
  name: default-agent-connection-secret
  namespace: contrast-agent-operator
type: Opaque
stringData:
  apiKey: TODO
  serviceKey: TODO
  userName: TODO

  2. Second, a ClusterAgentConnection configuration entity. The ClusterAgentConnection provides the default connection settings for agents within the cluster and maps to the above mentioned Secret containing connection authentication keys. For security, ClusterAgentConnection entities must be deployed into the same namespace as the operator to be used. This example assumes that the default namespace contrast-agent-operator hasn't been customized.

    apiVersion: agents.contrastsecurity.com/v1beta1
kind: ClusterAgentConnection
metadata:
  name: default-agent-connection
  namespace: contrast-agent-operator
spec:
  template:
    spec:
      url: https://app.contrastsecurity.com/Contrast
      apiKey:
        secretName: default-agent-connection-secret
        secretKey: apiKey
      serviceKey:
        secretName: default-agent-connection-secret
        secretKey: serviceKey
      userName:
        secretName: default-agent-connection-secret
        secretKey: userName

  3. Finally, a AgentInjector configuration entity. The AgentInjector selects workloads eligible for automatic injection using workload labels e.g. metadata.labels within the namespace in which the AgentInjector is deployed.

    apiVersion: agents.contrastsecurity.com/v1beta1
kind: AgentInjector
metadata:
  name: dotnet-hello-world
  namespace: default
spec:
  type: dotnet-core
  selector:
    labels:
      - name: app
        value: dotnet-hello-world

    In this example manifest, the Contrast Agent Operator will automatically inject the .NET Contrast agent into workloads (e.g. Deployments, DeploymentConfigs, etc.) that have the label app=dotnet-hello-world in the namespace default.

See also

In this section: