Agent Operator minimum configuration
All configuration of the operator is handled through the use of Kubernetes native configuration entities defined by custom resource definitions (CRDs). The CRDs are deployed with the operator and define how to interact with the operator's configuration entities.
Tooling such as Visual Studio Code's Kubernetes extension can aid in creating syntactically correct entities in your cluster.
The full schema is documented in the Agent Operator configuration. This section only covers the minimal setup required and may not cover all situations.
Minimum configuration
For a minimum setup, 3 manifests are required.
First, a standard Kubernetes Secret contains the necessary connection keys to authenticate to your Contrast server instance. The Secret must be deployed into the same namespace as the ClusterAgentConnection entity. You can find your agent keys under find the agent keys.
apiVersion: v1 kind: Secret metadata: name: default-agent-connection-secret namespace: contrast-agent-operator type: Opaque stringData: apiKey: TODO serviceKey: TODO userName: TODO
Second, a ClusterAgentConnection configuration entity. The ClusterAgentConnection provides the default connection settings for agents within the cluster and maps to the above mentioned Secret containing connection authentication keys. For security, ClusterAgentConnection entities must be deployed into the same namespace as the operator to be used. This example assumes that the default namespace
contrast-agent-operator
hasn't been customized.apiVersion: agents.contrastsecurity.com/v1beta1 kind: ClusterAgentConnection metadata: name: default-agent-connection namespace: contrast-agent-operator spec: template: spec: url: https://app.contrastsecurity.com/Contrast apiKey: secretName: default-agent-connection-secret secretKey: apiKey serviceKey: secretName: default-agent-connection-secret secretKey: serviceKey userName: secretName: default-agent-connection-secret secretKey: userName
Finally, a AgentInjector configuration entity. The AgentInjector selects workloads eligible for automatic injection using workload labels e.g.
metadata.labels
within the namespace in which the AgentInjector is deployed.apiVersion: agents.contrastsecurity.com/v1beta1 kind: AgentInjector metadata: name: dotnet-hello-world namespace: default spec: type: dotnet-core selector: labels: - name: app value: dotnet-hello-world
In this example manifest, the Contrast Agent Operator will automatically inject the .NET Contrast agent into workloads (e.g. Deployments, DeploymentConfigs, etc.) that have the label
app=dotnet-hello-world
in the namespace default.