diff --git a/manifests/helm/build/templates/kustomization.yaml b/manifests/helm/build/templates/kustomization.yaml index 8cd6902a..67e8a6bf 100644 --- a/manifests/helm/build/templates/kustomization.yaml +++ b/manifests/helm/build/templates/kustomization.yaml @@ -1,5 +1,5 @@ namespace: >- - {{ .Values.namespace }} + {{ if not .Values.createNamespace }}{{.Release.Namespace}}{{else}}{{.Values.namespace}}{{end}} bases: - ../../../install/all/operator @@ -13,3 +13,4 @@ images: patchesStrategicMerge: - overlays/deployment.yaml + - overlays/namespace.yaml diff --git a/manifests/helm/build/templates/overlays/namespace.yaml b/manifests/helm/build/templates/overlays/namespace.yaml new file mode 100644 index 00000000..5371dc03 --- /dev/null +++ b/manifests/helm/build/templates/overlays/namespace.yaml @@ -0,0 +1,8 @@ +$patch: delete +kind: Namespace +apiVersion: v1 +metadata: + name: contrast-agent-operator + labels: + app.kubernetes.io/part-of: contrast-agent-operator + diff --git a/manifests/helm/crds/generated.yaml.tpl b/manifests/helm/crds/generated.yaml.tpl new file mode 100644 index 00000000..95baacb7 --- /dev/null +++ b/manifests/helm/crds/generated.yaml.tpl 
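Review bot: In the first kustomization.yaml hunk, the `else` branch of the new `namespace` value renders an empty string when `createNamespace` is true and `.Values.namespace` is unset, and nothing in the hunk guards against that. Falling back to the release namespace keeps the value defined: `{{ if .Values.createNamespace }}{{ .Values.namespace | default .Release.Namespace }}{{ else }}{{ .Release.Namespace }}{{ end }}`. That form also puts the positive case first and uses one spacing style inside the actions. Whether values.yaml already supplies a default for `namespace` is not visible in this diff, so this is a check to confirm. A short comment above the key stating which namespace the operator and its RBAC objects land in for each setting would help anyone auditing the install.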
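Review bot: The new overlays/namespace.yaml deletes the Namespace unconditionally and identifies it by the hard-coded name `contrast-agent-operator`, with no comment explaining why. The kustomization.yaml change in this commit makes the target namespace depend on `createNamespace`, but no template that creates the namespace when that flag is true appears in the visible part of the diff, so confirm that one exists. I would add a header comment such as `# Drop the base Namespace object; namespace creation is controlled by the chart (see createNamespace).` and state that the name must stay in sync with the Namespace in the base listed under `bases`. A strategic-merge patch that no longer matches its target will probably fail the build rather than be skipped. The trailing empty line at the end of the file can be removed.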
@@ -0,0 +1,9760 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: agentconfigurations.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: AgentConfiguration + listKind: AgentConfigurationList + plural: agentconfigurations + singular: agentconfiguration + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + initContainer: + description: |- + Optional spec to apply to the Contrast InitContainer. + If not specified, reasonable defaults are used. + nullable: true + properties: + securityContext: + description: |- + SecurityContext defines the security options the container should be run with. + If set, the fields of SecurityContext override the equivalent fields of + PodSecurityContext. More info: + https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + nullable: true + properties: + allowPrivilegeEscalation: + nullable: true + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + nullable: true + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + nullable: true + type: boolean + runAsGroup: + format: int64 + nullable: true + type: integer + runAsNonRoot: + nullable: true + type: boolean + runAsUser: + format: int64 + nullable: true + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + nullable: true + type: boolean + runAsUserName: + 
type: string + type: object + type: object + type: object + suppressDefaultApplicationName: + description: |- + If false, automatically set the Contrast application name on injected workloads (the workload name), + rather than use the default (generated by the agent). + Defaults to false. + nullable: true + type: boolean + suppressDefaultServerName: + description: |- + If false, automatically set the Contrast server name on injected workloads ('kubernetes-{namespace}'), + rather than use the default (normally the pod name). + Defaults to false. + nullable: true + type: boolean + yaml: + description: The contrast_security.yaml file. Multiple lines are supported. + nullable: true + type: string + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: agentconnections.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: AgentConnection + listKind: AgentConnectionList + plural: agentconnections + singular: agentconnection + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + apiKey: + description: The API Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + serviceKey: + description: The Service Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. 
+ type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + url: + description: |- + The URL of the Contrast server. + Defaults to 'https://app.contrastsecurity.com/Contrast'. + nullable: true + type: string + userName: + description: The User Name to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + required: + - apiKey + - serviceKey + - userName + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: agentinjectors.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: AgentInjector + listKind: AgentInjectorList + plural: agentinjectors + singular: agentinjector + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + configuration: + description: The configuration the injected agent will use. + nullable: true + properties: + name: + description: |- + The name of a AgentConfiguration resource. Must exist within the same namespace. + Defaults to the AgentConfiguration specified by a ClusterAgentConfiguration. + nullable: true + type: string + type: object + connection: + description: The connection the injected agent will use to communicate + with Contrast. 
+ nullable: true + properties: + name: + description: |- + The name of AgentConnection resource. Must exist within the same namespace. + Defaults to the AgentConnection specified by a ClusterAgentConnection. + nullable: true + type: string + type: object + enabled: + description: |- + Is this agent injector enabled. + Defaults to 'true'. + type: boolean + image: + description: Overrides the default agent images. + properties: + name: + description: |- + The name of the injector image to use. + The default depends on the value of spec.type. + nullable: true + type: string + pullPolicy: + description: |- + The pull policy to use when fetching Contrast images. See Kubernetes imagePullPolicy for more information. + Defaults to "Always". + nullable: true + pattern: ^(Always|IfNotPresent|Never)$ + type: string + pullSecretName: + description: The name of a pull secret to append to the pod's + imagePullSecrets list. + nullable: true + type: string + registry: + description: |- + The fully qualified name of the registry to pull agent images from. This registry must be accessible by the pods being injected and the operator. + Defaults to the official Contrast container image registry. + nullable: true + type: string + type: object + selector: + description: |- + Select which Deployment/StatefulSet/DaemonSet pods are eligible for agent injection. + Under OpenShift, DeploymentConfig is also supported. + properties: + images: + description: |- + Container images to inject the agent into. Glob patterns are supported. + If empty (the default), selects all containers in Pod. + items: + type: string + type: array + labels: + description: |- + Deployment/StatefulSet/DaemonSet/DeploymentConfig labels whose pods are eligible for agent injection. + If empty (the default), selects all workloads in namespace. + items: + properties: + name: + description: |- + The name of the label to match. + Required. + type: string + value: + description: |- + The value of the label to match. 
Glob patterns are supported. + Required. + type: string + required: + - name + - value + type: object + type: array + type: object + type: + description: |- + The type of agent to inject. Can be one of ['dotnet-core', 'java', 'nodejs', 'nodejs-esm', 'php', 'python']. + Required. + pattern: ^(dotnet-core|dotnet|java|node|nodejs|node-esm|nodejs-esm|node-protect|nodejs-protect|php|personal-home-page|python|dummy)$ + type: string + version: + description: |- + The version of the agent to inject. The literal 'latest' will inject the latest version. Partial version matches are supported, e.g. '2' will select the version '2.1.0'. + Defaults to 'latest'. + nullable: true + pattern: ^(latest|(\d+(\.\d+){0,3}(-.+)?))$ + type: string + required: + - type + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: clusteragentconfigurations.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: ClusterAgentConfiguration + listKind: ClusterAgentConfigurationList + plural: clusteragentconfigurations + singular: clusteragentconfiguration + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + namespaces: + description: |- + The namespaces to apply this AgentConfiguration template to. Glob syntax is supported. + Optional, defaults to selecting all namespaces. + items: + type: string + type: array + template: + description: |- + The default AgentConfiguration to apply to the namespaces selected by 'spec.namespaces'. + Required. + nullable: true + properties: + apiVersion: + type: string + kind: + type: string + metadata: + description: The metadata of the kubernetes object. + type: object + spec: + description: Specification of the kubernetes object. 
+ properties: + initContainer: + description: |- + Optional spec to apply to the Contrast InitContainer. + If not specified, reasonable defaults are used. + nullable: true + properties: + securityContext: + description: |- + SecurityContext defines the security options the container should be run with. + If set, the fields of SecurityContext override the equivalent fields of + PodSecurityContext. More info: + https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + nullable: true + properties: + allowPrivilegeEscalation: + nullable: true + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + nullable: true + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + nullable: true + type: boolean + runAsGroup: + format: int64 + nullable: true + type: integer + runAsNonRoot: + nullable: true + type: boolean + runAsUser: + format: int64 + nullable: true + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + nullable: true + type: boolean + runAsUserName: + type: string + type: object + type: object + type: object + suppressDefaultApplicationName: + description: |- + If false, automatically set the Contrast application name on injected workloads (the workload name), + rather than use the default (generated by the agent). + Defaults to false. + nullable: true + type: boolean + suppressDefaultServerName: + description: |- + If false, automatically set the Contrast server name on injected workloads ('kubernetes-{namespace}'), + rather than use the default (normally the pod name). + Defaults to false. 
+ nullable: true + type: boolean + yaml: + description: The contrast_security.yaml file. Multiple lines + are supported. + nullable: true + type: string + type: object + type: object + required: + - template + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: clusteragentconnections.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: ClusterAgentConnection + listKind: ClusterAgentConnectionList + plural: clusteragentconnections + singular: clusteragentconnection + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + namespaces: + description: |- + The namespaces to apply this AgentConnection template to. Glob syntax is supported. + Optional, defaults to selecting all namespaces. + items: + type: string + type: array + template: + description: |- + The default AgentConnection to apply to the namespaces selected by 'spec.namespaces'. + Required. + nullable: true + properties: + apiVersion: + type: string + kind: + type: string + metadata: + description: The metadata of the kubernetes object. + type: object + spec: + description: Specification of the kubernetes object. + properties: + apiKey: + description: The API Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + serviceKey: + description: The Service Key to use for this connection. 
+ properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + url: + description: |- + The URL of the Contrast server. + Defaults to 'https://app.contrastsecurity.com/Contrast'. + nullable: true + type: string + userName: + description: The User Name to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + required: + - apiKey + - serviceKey + - userName + type: object + type: object + required: + - template + type: object + type: object + served: true + storage: true +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: agentconfigurations.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: AgentConfiguration + listKind: AgentConfigurationList + plural: agentconfigurations + singular: agentconfiguration + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + initContainer: + description: |- + Optional spec to apply to the Contrast InitContainer. + If not specified, reasonable defaults are used. + nullable: true + properties: + securityContext: + description: |- + SecurityContext defines the security options the container should be run with. 
+ If set, the fields of SecurityContext override the equivalent fields of + PodSecurityContext. More info: + https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + nullable: true + properties: + allowPrivilegeEscalation: + nullable: true + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + nullable: true + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + nullable: true + type: boolean + runAsGroup: + format: int64 + nullable: true + type: integer + runAsNonRoot: + nullable: true + type: boolean + runAsUser: + format: int64 + nullable: true + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + nullable: true + type: boolean + runAsUserName: + type: string + type: object + type: object + type: object + suppressDefaultApplicationName: + description: |- + If false, automatically set the Contrast application name on injected workloads (the workload name), + rather than use the default (generated by the agent). + Defaults to false. + nullable: true + type: boolean + suppressDefaultServerName: + description: |- + If false, automatically set the Contrast server name on injected workloads ('kubernetes-{namespace}'), + rather than use the default (normally the pod name). + Defaults to false. + nullable: true + type: boolean + yaml: + description: The contrast_security.yaml file. Multiple lines are supported. 
+ nullable: true + type: string + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: agentconnections.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: AgentConnection + listKind: AgentConnectionList + plural: agentconnections + singular: agentconnection + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + apiKey: + description: The API Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + serviceKey: + description: The Service Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + url: + description: |- + The URL of the Contrast server. + Defaults to 'https://app.contrastsecurity.com/Contrast'. + nullable: true + type: string + userName: + description: The User Name to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. 
+ type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + required: + - apiKey + - serviceKey + - userName + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: agentinjectors.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: AgentInjector + listKind: AgentInjectorList + plural: agentinjectors + singular: agentinjector + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + configuration: + description: The configuration the injected agent will use. + nullable: true + properties: + name: + description: |- + The name of a AgentConfiguration resource. Must exist within the same namespace. + Defaults to the AgentConfiguration specified by a ClusterAgentConfiguration. + nullable: true + type: string + type: object + connection: + description: The connection the injected agent will use to communicate + with Contrast. + nullable: true + properties: + name: + description: |- + The name of AgentConnection resource. Must exist within the same namespace. + Defaults to the AgentConnection specified by a ClusterAgentConnection. + nullable: true + type: string + type: object + enabled: + description: |- + Is this agent injector enabled. + Defaults to 'true'. + type: boolean + image: + description: Overrides the default agent images. + properties: + name: + description: |- + The name of the injector image to use. + The default depends on the value of spec.type. + nullable: true + type: string + pullPolicy: + description: |- + The pull policy to use when fetching Contrast images. 
See Kubernetes imagePullPolicy for more information. + Defaults to "Always". + nullable: true + pattern: ^(Always|IfNotPresent|Never)$ + type: string + pullSecretName: + description: The name of a pull secret to append to the pod's + imagePullSecrets list. + nullable: true + type: string + registry: + description: |- + The fully qualified name of the registry to pull agent images from. This registry must be accessible by the pods being injected and the operator. + Defaults to the official Contrast container image registry. + nullable: true + type: string + type: object + selector: + description: |- + Select which Deployment/StatefulSet/DaemonSet pods are eligible for agent injection. + Under OpenShift, DeploymentConfig is also supported. + properties: + images: + description: |- + Container images to inject the agent into. Glob patterns are supported. + If empty (the default), selects all containers in Pod. + items: + type: string + type: array + labels: + description: |- + Deployment/StatefulSet/DaemonSet/DeploymentConfig labels whose pods are eligible for agent injection. + If empty (the default), selects all workloads in namespace. + items: + properties: + name: + description: |- + The name of the label to match. + Required. + type: string + value: + description: |- + The value of the label to match. Glob patterns are supported. + Required. + type: string + required: + - name + - value + type: object + type: array + type: object + type: + description: |- + The type of agent to inject. Can be one of ['dotnet-core', 'java', 'nodejs', 'nodejs-esm', 'php', 'python']. + Required. + pattern: ^(dotnet-core|dotnet|java|node|nodejs|node-esm|nodejs-esm|node-protect|nodejs-protect|php|personal-home-page|python|dummy)$ + type: string + version: + description: |- + The version of the agent to inject. The literal 'latest' will inject the latest version. Partial version matches are supported, e.g. '2' will select the version '2.1.0'. + Defaults to 'latest'. 
+ nullable: true + pattern: ^(latest|(\d+(\.\d+){0,3}(-.+)?))$ + type: string + required: + - type + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: clusteragentconfigurations.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: ClusterAgentConfiguration + listKind: ClusterAgentConfigurationList + plural: clusteragentconfigurations + singular: clusteragentconfiguration + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + namespaces: + description: |- + The namespaces to apply this AgentConfiguration template to. Glob syntax is supported. + Optional, defaults to selecting all namespaces. + items: + type: string + type: array + template: + description: |- + The default AgentConfiguration to apply to the namespaces selected by 'spec.namespaces'. + Required. + nullable: true + properties: + apiVersion: + type: string + kind: + type: string + metadata: + description: The metadata of the kubernetes object. + type: object + spec: + description: Specification of the kubernetes object. + properties: + initContainer: + description: |- + Optional spec to apply to the Contrast InitContainer. + If not specified, reasonable defaults are used. + nullable: true + properties: + securityContext: + description: |- + SecurityContext defines the security options the container should be run with. + If set, the fields of SecurityContext override the equivalent fields of + PodSecurityContext. 
More info: + https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + nullable: true + properties: + allowPrivilegeEscalation: + nullable: true + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + nullable: true + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + nullable: true + type: boolean + runAsGroup: + format: int64 + nullable: true + type: integer + runAsNonRoot: + nullable: true + type: boolean + runAsUser: + format: int64 + nullable: true + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + nullable: true + type: boolean + runAsUserName: + type: string + type: object + type: object + type: object + suppressDefaultApplicationName: + description: |- + If false, automatically set the Contrast application name on injected workloads (the workload name), + rather than use the default (generated by the agent). + Defaults to false. + nullable: true + type: boolean + suppressDefaultServerName: + description: |- + If false, automatically set the Contrast server name on injected workloads ('kubernetes-{namespace}'), + rather than use the default (normally the pod name). + Defaults to false. + nullable: true + type: boolean + yaml: + description: The contrast_security.yaml file. Multiple lines + are supported. 
+ nullable: true + type: string + type: object + type: object + required: + - template + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: clusteragentconnections.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: ClusterAgentConnection + listKind: ClusterAgentConnectionList + plural: clusteragentconnections + singular: clusteragentconnection + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + namespaces: + description: |- + The namespaces to apply this AgentConnection template to. Glob syntax is supported. + Optional, defaults to selecting all namespaces. + items: + type: string + type: array + template: + description: |- + The default AgentConnection to apply to the namespaces selected by 'spec.namespaces'. + Required. + nullable: true + properties: + apiVersion: + type: string + kind: + type: string + metadata: + description: The metadata of the kubernetes object. + type: object + spec: + description: Specification of the kubernetes object. + properties: + apiKey: + description: The API Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + serviceKey: + description: The Service Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. 
+ type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + url: + description: |- + The URL of the Contrast server. + Defaults to 'https://app.contrastsecurity.com/Contrast'. + nullable: true + type: string + userName: + description: The User Name to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + required: + - apiKey + - serviceKey + - userName + type: object + type: object + required: + - template + type: object + type: object + served: true + storage: true +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: agentconfigurations.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: AgentConfiguration + listKind: AgentConfigurationList + plural: agentconfigurations + singular: agentconfiguration + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + initContainer: + description: |- + Optional spec to apply to the Contrast InitContainer. + If not specified, reasonable defaults are used. + nullable: true + properties: + securityContext: + description: |- + SecurityContext defines the security options the container should be run with. + If set, the fields of SecurityContext override the equivalent fields of + PodSecurityContext. 
More info: + https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + nullable: true + properties: + allowPrivilegeEscalation: + nullable: true + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + nullable: true + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + nullable: true + type: boolean + runAsGroup: + format: int64 + nullable: true + type: integer + runAsNonRoot: + nullable: true + type: boolean + runAsUser: + format: int64 + nullable: true + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + nullable: true + type: boolean + runAsUserName: + type: string + type: object + type: object + type: object + suppressDefaultApplicationName: + description: |- + If false, automatically set the Contrast application name on injected workloads (the workload name), + rather than use the default (generated by the agent). + Defaults to false. + nullable: true + type: boolean + suppressDefaultServerName: + description: |- + If false, automatically set the Contrast server name on injected workloads ('kubernetes-{namespace}'), + rather than use the default (normally the pod name). + Defaults to false. + nullable: true + type: boolean + yaml: + description: The contrast_security.yaml file. Multiple lines are supported. 
+ nullable: true + type: string + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: agentconnections.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: AgentConnection + listKind: AgentConnectionList + plural: agentconnections + singular: agentconnection + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + apiKey: + description: The API Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + serviceKey: + description: The Service Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + url: + description: |- + The URL of the Contrast server. + Defaults to 'https://app.contrastsecurity.com/Contrast'. + nullable: true + type: string + userName: + description: The User Name to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. 
+ type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + required: + - apiKey + - serviceKey + - userName + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: agentinjectors.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: AgentInjector + listKind: AgentInjectorList + plural: agentinjectors + singular: agentinjector + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + configuration: + description: The configuration the injected agent will use. + nullable: true + properties: + name: + description: |- + The name of a AgentConfiguration resource. Must exist within the same namespace. + Defaults to the AgentConfiguration specified by a ClusterAgentConfiguration. + nullable: true + type: string + type: object + connection: + description: The connection the injected agent will use to communicate + with Contrast. + nullable: true + properties: + name: + description: |- + The name of AgentConnection resource. Must exist within the same namespace. + Defaults to the AgentConnection specified by a ClusterAgentConnection. + nullable: true + type: string + type: object + enabled: + description: |- + Is this agent injector enabled. + Defaults to 'true'. + type: boolean + image: + description: Overrides the default agent images. + properties: + name: + description: |- + The name of the injector image to use. + The default depends on the value of spec.type. + nullable: true + type: string + pullPolicy: + description: |- + The pull policy to use when fetching Contrast images. 
See Kubernetes imagePullPolicy for more information. + Defaults to "Always". + nullable: true + pattern: ^(Always|IfNotPresent|Never)$ + type: string + pullSecretName: + description: The name of a pull secret to append to the pod's + imagePullSecrets list. + nullable: true + type: string + registry: + description: |- + The fully qualified name of the registry to pull agent images from. This registry must be accessible by the pods being injected and the operator. + Defaults to the official Contrast container image registry. + nullable: true + type: string + type: object + selector: + description: |- + Select which Deployment/StatefulSet/DaemonSet pods are eligible for agent injection. + Under OpenShift, DeploymentConfig is also supported. + properties: + images: + description: |- + Container images to inject the agent into. Glob patterns are supported. + If empty (the default), selects all containers in Pod. + items: + type: string + type: array + labels: + description: |- + Deployment/StatefulSet/DaemonSet/DeploymentConfig labels whose pods are eligible for agent injection. + If empty (the default), selects all workloads in namespace. + items: + properties: + name: + description: |- + The name of the label to match. + Required. + type: string + value: + description: |- + The value of the label to match. Glob patterns are supported. + Required. + type: string + required: + - name + - value + type: object + type: array + type: object + type: + description: |- + The type of agent to inject. Can be one of ['dotnet-core', 'java', 'nodejs', 'nodejs-esm', 'php', 'python']. + Required. + pattern: ^(dotnet-core|dotnet|java|node|nodejs|node-esm|nodejs-esm|node-protect|nodejs-protect|php|personal-home-page|python|dummy)$ + type: string + version: + description: |- + The version of the agent to inject. The literal 'latest' will inject the latest version. Partial version matches are supported, e.g. '2' will select the version '2.1.0'. + Defaults to 'latest'. 
+ nullable: true + pattern: ^(latest|(\d+(\.\d+){0,3}(-.+)?))$ + type: string + required: + - type + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: clusteragentconfigurations.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: ClusterAgentConfiguration + listKind: ClusterAgentConfigurationList + plural: clusteragentconfigurations + singular: clusteragentconfiguration + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + namespaces: + description: |- + The namespaces to apply this AgentConfiguration template to. Glob syntax is supported. + Optional, defaults to selecting all namespaces. + items: + type: string + type: array + template: + description: |- + The default AgentConfiguration to apply to the namespaces selected by 'spec.namespaces'. + Required. + nullable: true + properties: + apiVersion: + type: string + kind: + type: string + metadata: + description: The metadata of the kubernetes object. + type: object + spec: + description: Specification of the kubernetes object. + properties: + initContainer: + description: |- + Optional spec to apply to the Contrast InitContainer. + If not specified, reasonable defaults are used. + nullable: true + properties: + securityContext: + description: |- + SecurityContext defines the security options the container should be run with. + If set, the fields of SecurityContext override the equivalent fields of + PodSecurityContext. 
More info: + https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + nullable: true + properties: + allowPrivilegeEscalation: + nullable: true + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + nullable: true + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + nullable: true + type: boolean + runAsGroup: + format: int64 + nullable: true + type: integer + runAsNonRoot: + nullable: true + type: boolean + runAsUser: + format: int64 + nullable: true + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + nullable: true + type: boolean + runAsUserName: + type: string + type: object + type: object + type: object + suppressDefaultApplicationName: + description: |- + If false, automatically set the Contrast application name on injected workloads (the workload name), + rather than use the default (generated by the agent). + Defaults to false. + nullable: true + type: boolean + suppressDefaultServerName: + description: |- + If false, automatically set the Contrast server name on injected workloads ('kubernetes-{namespace}'), + rather than use the default (normally the pod name). + Defaults to false. + nullable: true + type: boolean + yaml: + description: The contrast_security.yaml file. Multiple lines + are supported. 
+ nullable: true + type: string + type: object + type: object + required: + - template + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: clusteragentconnections.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: ClusterAgentConnection + listKind: ClusterAgentConnectionList + plural: clusteragentconnections + singular: clusteragentconnection + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + namespaces: + description: |- + The namespaces to apply this AgentConnection template to. Glob syntax is supported. + Optional, defaults to selecting all namespaces. + items: + type: string + type: array + template: + description: |- + The default AgentConnection to apply to the namespaces selected by 'spec.namespaces'. + Required. + nullable: true + properties: + apiVersion: + type: string + kind: + type: string + metadata: + description: The metadata of the kubernetes object. + type: object + spec: + description: Specification of the kubernetes object. + properties: + apiKey: + description: The API Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + serviceKey: + description: The Service Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. 
+ type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + url: + description: |- + The URL of the Contrast server. + Defaults to 'https://app.contrastsecurity.com/Contrast'. + nullable: true + type: string + userName: + description: The User Name to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + required: + - apiKey + - serviceKey + - userName + type: object + type: object + required: + - template + type: object + type: object + served: true + storage: true +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: agentconfigurations.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: AgentConfiguration + listKind: AgentConfigurationList + plural: agentconfigurations + singular: agentconfiguration + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + initContainer: + description: |- + Optional spec to apply to the Contrast InitContainer. + If not specified, reasonable defaults are used. + nullable: true + properties: + securityContext: + description: |- + SecurityContext defines the security options the container should be run with. + If set, the fields of SecurityContext override the equivalent fields of + PodSecurityContext. 
More info: + https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + nullable: true + properties: + allowPrivilegeEscalation: + nullable: true + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + nullable: true + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + nullable: true + type: boolean + runAsGroup: + format: int64 + nullable: true + type: integer + runAsNonRoot: + nullable: true + type: boolean + runAsUser: + format: int64 + nullable: true + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + nullable: true + type: boolean + runAsUserName: + type: string + type: object + type: object + type: object + suppressDefaultApplicationName: + description: |- + If false, automatically set the Contrast application name on injected workloads (the workload name), + rather than use the default (generated by the agent). + Defaults to false. + nullable: true + type: boolean + suppressDefaultServerName: + description: |- + If false, automatically set the Contrast server name on injected workloads ('kubernetes-{namespace}'), + rather than use the default (normally the pod name). + Defaults to false. + nullable: true + type: boolean + yaml: + description: The contrast_security.yaml file. Multiple lines are supported. 
+ nullable: true + type: string + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: agentconnections.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: AgentConnection + listKind: AgentConnectionList + plural: agentconnections + singular: agentconnection + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + apiKey: + description: The API Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + serviceKey: + description: The Service Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + url: + description: |- + The URL of the Contrast server. + Defaults to 'https://app.contrastsecurity.com/Contrast'. + nullable: true + type: string + userName: + description: The User Name to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. 
+ type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + required: + - apiKey + - serviceKey + - userName + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: agentinjectors.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: AgentInjector + listKind: AgentInjectorList + plural: agentinjectors + singular: agentinjector + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + configuration: + description: The configuration the injected agent will use. + nullable: true + properties: + name: + description: |- + The name of a AgentConfiguration resource. Must exist within the same namespace. + Defaults to the AgentConfiguration specified by a ClusterAgentConfiguration. + nullable: true + type: string + type: object + connection: + description: The connection the injected agent will use to communicate + with Contrast. + nullable: true + properties: + name: + description: |- + The name of AgentConnection resource. Must exist within the same namespace. + Defaults to the AgentConnection specified by a ClusterAgentConnection. + nullable: true + type: string + type: object + enabled: + description: |- + Is this agent injector enabled. + Defaults to 'true'. + type: boolean + image: + description: Overrides the default agent images. + properties: + name: + description: |- + The name of the injector image to use. + The default depends on the value of spec.type. + nullable: true + type: string + pullPolicy: + description: |- + The pull policy to use when fetching Contrast images. 
See Kubernetes imagePullPolicy for more information. + Defaults to "Always". + nullable: true + pattern: ^(Always|IfNotPresent|Never)$ + type: string + pullSecretName: + description: The name of a pull secret to append to the pod's + imagePullSecrets list. + nullable: true + type: string + registry: + description: |- + The fully qualified name of the registry to pull agent images from. This registry must be accessible by the pods being injected and the operator. + Defaults to the official Contrast container image registry. + nullable: true + type: string + type: object + selector: + description: |- + Select which Deployment/StatefulSet/DaemonSet pods are eligible for agent injection. + Under OpenShift, DeploymentConfig is also supported. + properties: + images: + description: |- + Container images to inject the agent into. Glob patterns are supported. + If empty (the default), selects all containers in Pod. + items: + type: string + type: array + labels: + description: |- + Deployment/StatefulSet/DaemonSet/DeploymentConfig labels whose pods are eligible for agent injection. + If empty (the default), selects all workloads in namespace. + items: + properties: + name: + description: |- + The name of the label to match. + Required. + type: string + value: + description: |- + The value of the label to match. Glob patterns are supported. + Required. + type: string + required: + - name + - value + type: object + type: array + type: object + type: + description: |- + The type of agent to inject. Can be one of ['dotnet-core', 'java', 'nodejs', 'nodejs-esm', 'php', 'python']. + Required. + pattern: ^(dotnet-core|dotnet|java|node|nodejs|node-esm|nodejs-esm|node-protect|nodejs-protect|php|personal-home-page|python|dummy)$ + type: string + version: + description: |- + The version of the agent to inject. The literal 'latest' will inject the latest version. Partial version matches are supported, e.g. '2' will select the version '2.1.0'. + Defaults to 'latest'. 
+ nullable: true + pattern: ^(latest|(\d+(\.\d+){0,3}(-.+)?))$ + type: string + required: + - type + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: clusteragentconfigurations.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: ClusterAgentConfiguration + listKind: ClusterAgentConfigurationList + plural: clusteragentconfigurations + singular: clusteragentconfiguration + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + namespaces: + description: |- + The namespaces to apply this AgentConfiguration template to. Glob syntax is supported. + Optional, defaults to selecting all namespaces. + items: + type: string + type: array + template: + description: |- + The default AgentConfiguration to apply to the namespaces selected by 'spec.namespaces'. + Required. + nullable: true + properties: + apiVersion: + type: string + kind: + type: string + metadata: + description: The metadata of the kubernetes object. + type: object + spec: + description: Specification of the kubernetes object. + properties: + initContainer: + description: |- + Optional spec to apply to the Contrast InitContainer. + If not specified, reasonable defaults are used. + nullable: true + properties: + securityContext: + description: |- + SecurityContext defines the security options the container should be run with. + If set, the fields of SecurityContext override the equivalent fields of + PodSecurityContext. 
More info: + https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + nullable: true + properties: + allowPrivilegeEscalation: + nullable: true + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + nullable: true + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + nullable: true + type: boolean + runAsGroup: + format: int64 + nullable: true + type: integer + runAsNonRoot: + nullable: true + type: boolean + runAsUser: + format: int64 + nullable: true + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + nullable: true + type: boolean + runAsUserName: + type: string + type: object + type: object + type: object + suppressDefaultApplicationName: + description: |- + If false, automatically set the Contrast application name on injected workloads (the workload name), + rather than use the default (generated by the agent). + Defaults to false. + nullable: true + type: boolean + suppressDefaultServerName: + description: |- + If false, automatically set the Contrast server name on injected workloads ('kubernetes-{namespace}'), + rather than use the default (normally the pod name). + Defaults to false. + nullable: true + type: boolean + yaml: + description: The contrast_security.yaml file. Multiple lines + are supported. 
+ nullable: true + type: string + type: object + type: object + required: + - template + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: clusteragentconnections.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: ClusterAgentConnection + listKind: ClusterAgentConnectionList + plural: clusteragentconnections + singular: clusteragentconnection + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + namespaces: + description: |- + The namespaces to apply this AgentConnection template to. Glob syntax is supported. + Optional, defaults to selecting all namespaces. + items: + type: string + type: array + template: + description: |- + The default AgentConnection to apply to the namespaces selected by 'spec.namespaces'. + Required. + nullable: true + properties: + apiVersion: + type: string + kind: + type: string + metadata: + description: The metadata of the kubernetes object. + type: object + spec: + description: Specification of the kubernetes object. + properties: + apiKey: + description: The API Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + serviceKey: + description: The Service Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. 
+ type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + url: + description: |- + The URL of the Contrast server. + Defaults to 'https://app.contrastsecurity.com/Contrast'. + nullable: true + type: string + userName: + description: The User Name to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + required: + - apiKey + - serviceKey + - userName + type: object + type: object + required: + - template + type: object + type: object + served: true + storage: true +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: agentconfigurations.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: AgentConfiguration + listKind: AgentConfigurationList + plural: agentconfigurations + singular: agentconfiguration + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + initContainer: + description: |- + Optional spec to apply to the Contrast InitContainer. + If not specified, reasonable defaults are used. + nullable: true + properties: + securityContext: + description: |- + SecurityContext defines the security options the container should be run with. + If set, the fields of SecurityContext override the equivalent fields of + PodSecurityContext. 
More info: + https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + nullable: true + properties: + allowPrivilegeEscalation: + nullable: true + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + nullable: true + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + nullable: true + type: boolean + runAsGroup: + format: int64 + nullable: true + type: integer + runAsNonRoot: + nullable: true + type: boolean + runAsUser: + format: int64 + nullable: true + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + nullable: true + type: boolean + runAsUserName: + type: string + type: object + type: object + type: object + suppressDefaultApplicationName: + description: |- + If false, automatically set the Contrast application name on injected workloads (the workload name), + rather than use the default (generated by the agent). + Defaults to false. + nullable: true + type: boolean + suppressDefaultServerName: + description: |- + If false, automatically set the Contrast server name on injected workloads ('kubernetes-{namespace}'), + rather than use the default (normally the pod name). + Defaults to false. + nullable: true + type: boolean + yaml: + description: The contrast_security.yaml file. Multiple lines are supported. 
+ nullable: true + type: string + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: agentconnections.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: AgentConnection + listKind: AgentConnectionList + plural: agentconnections + singular: agentconnection + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + apiKey: + description: The API Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + serviceKey: + description: The Service Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + url: + description: |- + The URL of the Contrast server. + Defaults to 'https://app.contrastsecurity.com/Contrast'. + nullable: true + type: string + userName: + description: The User Name to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. 
+ type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + required: + - apiKey + - serviceKey + - userName + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: agentinjectors.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: AgentInjector + listKind: AgentInjectorList + plural: agentinjectors + singular: agentinjector + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + configuration: + description: The configuration the injected agent will use. + nullable: true + properties: + name: + description: |- + The name of a AgentConfiguration resource. Must exist within the same namespace. + Defaults to the AgentConfiguration specified by a ClusterAgentConfiguration. + nullable: true + type: string + type: object + connection: + description: The connection the injected agent will use to communicate + with Contrast. + nullable: true + properties: + name: + description: |- + The name of AgentConnection resource. Must exist within the same namespace. + Defaults to the AgentConnection specified by a ClusterAgentConnection. + nullable: true + type: string + type: object + enabled: + description: |- + Is this agent injector enabled. + Defaults to 'true'. + type: boolean + image: + description: Overrides the default agent images. + properties: + name: + description: |- + The name of the injector image to use. + The default depends on the value of spec.type. + nullable: true + type: string + pullPolicy: + description: |- + The pull policy to use when fetching Contrast images. 
See Kubernetes imagePullPolicy for more information. + Defaults to "Always". + nullable: true + pattern: ^(Always|IfNotPresent|Never)$ + type: string + pullSecretName: + description: The name of a pull secret to append to the pod's + imagePullSecrets list. + nullable: true + type: string + registry: + description: |- + The fully qualified name of the registry to pull agent images from. This registry must be accessible by the pods being injected and the operator. + Defaults to the official Contrast container image registry. + nullable: true + type: string + type: object + selector: + description: |- + Select which Deployment/StatefulSet/DaemonSet pods are eligible for agent injection. + Under OpenShift, DeploymentConfig is also supported. + properties: + images: + description: |- + Container images to inject the agent into. Glob patterns are supported. + If empty (the default), selects all containers in Pod. + items: + type: string + type: array + labels: + description: |- + Deployment/StatefulSet/DaemonSet/DeploymentConfig labels whose pods are eligible for agent injection. + If empty (the default), selects all workloads in namespace. + items: + properties: + name: + description: |- + The name of the label to match. + Required. + type: string + value: + description: |- + The value of the label to match. Glob patterns are supported. + Required. + type: string + required: + - name + - value + type: object + type: array + type: object + type: + description: |- + The type of agent to inject. Can be one of ['dotnet-core', 'java', 'nodejs', 'nodejs-esm', 'php', 'python']. + Required. + pattern: ^(dotnet-core|dotnet|java|node|nodejs|node-esm|nodejs-esm|node-protect|nodejs-protect|php|personal-home-page|python|dummy)$ + type: string + version: + description: |- + The version of the agent to inject. The literal 'latest' will inject the latest version. Partial version matches are supported, e.g. '2' will select the version '2.1.0'. + Defaults to 'latest'. 
+ nullable: true + pattern: ^(latest|(\d+(\.\d+){0,3}(-.+)?))$ + type: string + required: + - type + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: clusteragentconfigurations.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: ClusterAgentConfiguration + listKind: ClusterAgentConfigurationList + plural: clusteragentconfigurations + singular: clusteragentconfiguration + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + namespaces: + description: |- + The namespaces to apply this AgentConfiguration template to. Glob syntax is supported. + Optional, defaults to selecting all namespaces. + items: + type: string + type: array + template: + description: |- + The default AgentConfiguration to apply to the namespaces selected by 'spec.namespaces'. + Required. + nullable: true + properties: + apiVersion: + type: string + kind: + type: string + metadata: + description: The metadata of the kubernetes object. + type: object + spec: + description: Specification of the kubernetes object. + properties: + initContainer: + description: |- + Optional spec to apply to the Contrast InitContainer. + If not specified, reasonable defaults are used. + nullable: true + properties: + securityContext: + description: |- + SecurityContext defines the security options the container should be run with. + If set, the fields of SecurityContext override the equivalent fields of + PodSecurityContext. 
More info: + https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + nullable: true + properties: + allowPrivilegeEscalation: + nullable: true + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + nullable: true + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + nullable: true + type: boolean + runAsGroup: + format: int64 + nullable: true + type: integer + runAsNonRoot: + nullable: true + type: boolean + runAsUser: + format: int64 + nullable: true + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + nullable: true + type: boolean + runAsUserName: + type: string + type: object + type: object + type: object + suppressDefaultApplicationName: + description: |- + If false, automatically set the Contrast application name on injected workloads (the workload name), + rather than use the default (generated by the agent). + Defaults to false. + nullable: true + type: boolean + suppressDefaultServerName: + description: |- + If false, automatically set the Contrast server name on injected workloads ('kubernetes-{namespace}'), + rather than use the default (normally the pod name). + Defaults to false. + nullable: true + type: boolean + yaml: + description: The contrast_security.yaml file. Multiple lines + are supported. 
+ nullable: true + type: string + type: object + type: object + required: + - template + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: clusteragentconnections.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: ClusterAgentConnection + listKind: ClusterAgentConnectionList + plural: clusteragentconnections + singular: clusteragentconnection + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + namespaces: + description: |- + The namespaces to apply this AgentConnection template to. Glob syntax is supported. + Optional, defaults to selecting all namespaces. + items: + type: string + type: array + template: + description: |- + The default AgentConnection to apply to the namespaces selected by 'spec.namespaces'. + Required. + nullable: true + properties: + apiVersion: + type: string + kind: + type: string + metadata: + description: The metadata of the kubernetes object. + type: object + spec: + description: Specification of the kubernetes object. + properties: + apiKey: + description: The API Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + serviceKey: + description: The Service Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. 
+ type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + url: + description: |- + The URL of the Contrast server. + Defaults to 'https://app.contrastsecurity.com/Contrast'. + nullable: true + type: string + userName: + description: The User Name to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + required: + - apiKey + - serviceKey + - userName + type: object + type: object + required: + - template + type: object + type: object + served: true + storage: true +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: agentconfigurations.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: AgentConfiguration + listKind: AgentConfigurationList + plural: agentconfigurations + singular: agentconfiguration + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + initContainer: + description: |- + Optional spec to apply to the Contrast InitContainer. + If not specified, reasonable defaults are used. + nullable: true + properties: + securityContext: + description: |- + SecurityContext defines the security options the container should be run with. + If set, the fields of SecurityContext override the equivalent fields of + PodSecurityContext. 
More info: + https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + nullable: true + properties: + allowPrivilegeEscalation: + nullable: true + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + nullable: true + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + nullable: true + type: boolean + runAsGroup: + format: int64 + nullable: true + type: integer + runAsNonRoot: + nullable: true + type: boolean + runAsUser: + format: int64 + nullable: true + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + nullable: true + type: boolean + runAsUserName: + type: string + type: object + type: object + type: object + suppressDefaultApplicationName: + description: |- + If false, automatically set the Contrast application name on injected workloads (the workload name), + rather than use the default (generated by the agent). + Defaults to false. + nullable: true + type: boolean + suppressDefaultServerName: + description: |- + If false, automatically set the Contrast server name on injected workloads ('kubernetes-{namespace}'), + rather than use the default (normally the pod name). + Defaults to false. + nullable: true + type: boolean + yaml: + description: The contrast_security.yaml file. Multiple lines are supported. 
+ nullable: true + type: string + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: agentconnections.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: AgentConnection + listKind: AgentConnectionList + plural: agentconnections + singular: agentconnection + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + apiKey: + description: The API Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + serviceKey: + description: The Service Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + url: + description: |- + The URL of the Contrast server. + Defaults to 'https://app.contrastsecurity.com/Contrast'. + nullable: true + type: string + userName: + description: The User Name to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. 
+ type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + required: + - apiKey + - serviceKey + - userName + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: agentinjectors.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: AgentInjector + listKind: AgentInjectorList + plural: agentinjectors + singular: agentinjector + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + configuration: + description: The configuration the injected agent will use. + nullable: true + properties: + name: + description: |- + The name of a AgentConfiguration resource. Must exist within the same namespace. + Defaults to the AgentConfiguration specified by a ClusterAgentConfiguration. + nullable: true + type: string + type: object + connection: + description: The connection the injected agent will use to communicate + with Contrast. + nullable: true + properties: + name: + description: |- + The name of AgentConnection resource. Must exist within the same namespace. + Defaults to the AgentConnection specified by a ClusterAgentConnection. + nullable: true + type: string + type: object + enabled: + description: |- + Is this agent injector enabled. + Defaults to 'true'. + type: boolean + image: + description: Overrides the default agent images. + properties: + name: + description: |- + The name of the injector image to use. + The default depends on the value of spec.type. + nullable: true + type: string + pullPolicy: + description: |- + The pull policy to use when fetching Contrast images. 
See Kubernetes imagePullPolicy for more information. + Defaults to "Always". + nullable: true + pattern: ^(Always|IfNotPresent|Never)$ + type: string + pullSecretName: + description: The name of a pull secret to append to the pod's + imagePullSecrets list. + nullable: true + type: string + registry: + description: |- + The fully qualified name of the registry to pull agent images from. This registry must be accessible by the pods being injected and the operator. + Defaults to the official Contrast container image registry. + nullable: true + type: string + type: object + selector: + description: |- + Select which Deployment/StatefulSet/DaemonSet pods are eligible for agent injection. + Under OpenShift, DeploymentConfig is also supported. + properties: + images: + description: |- + Container images to inject the agent into. Glob patterns are supported. + If empty (the default), selects all containers in Pod. + items: + type: string + type: array + labels: + description: |- + Deployment/StatefulSet/DaemonSet/DeploymentConfig labels whose pods are eligible for agent injection. + If empty (the default), selects all workloads in namespace. + items: + properties: + name: + description: |- + The name of the label to match. + Required. + type: string + value: + description: |- + The value of the label to match. Glob patterns are supported. + Required. + type: string + required: + - name + - value + type: object + type: array + type: object + type: + description: |- + The type of agent to inject. Can be one of ['dotnet-core', 'java', 'nodejs', 'nodejs-esm', 'php', 'python']. + Required. + pattern: ^(dotnet-core|dotnet|java|node|nodejs|node-esm|nodejs-esm|node-protect|nodejs-protect|php|personal-home-page|python|dummy)$ + type: string + version: + description: |- + The version of the agent to inject. The literal 'latest' will inject the latest version. Partial version matches are supported, e.g. '2' will select the version '2.1.0'. + Defaults to 'latest'. 
+ nullable: true + pattern: ^(latest|(\d+(\.\d+){0,3}(-.+)?))$ + type: string + required: + - type + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: clusteragentconfigurations.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: ClusterAgentConfiguration + listKind: ClusterAgentConfigurationList + plural: clusteragentconfigurations + singular: clusteragentconfiguration + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + namespaces: + description: |- + The namespaces to apply this AgentConfiguration template to. Glob syntax is supported. + Optional, defaults to selecting all namespaces. + items: + type: string + type: array + template: + description: |- + The default AgentConfiguration to apply to the namespaces selected by 'spec.namespaces'. + Required. + nullable: true + properties: + apiVersion: + type: string + kind: + type: string + metadata: + description: The metadata of the kubernetes object. + type: object + spec: + description: Specification of the kubernetes object. + properties: + initContainer: + description: |- + Optional spec to apply to the Contrast InitContainer. + If not specified, reasonable defaults are used. + nullable: true + properties: + securityContext: + description: |- + SecurityContext defines the security options the container should be run with. + If set, the fields of SecurityContext override the equivalent fields of + PodSecurityContext. 
More info: + https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + nullable: true + properties: + allowPrivilegeEscalation: + nullable: true + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + nullable: true + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + nullable: true + type: boolean + runAsGroup: + format: int64 + nullable: true + type: integer + runAsNonRoot: + nullable: true + type: boolean + runAsUser: + format: int64 + nullable: true + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + nullable: true + type: boolean + runAsUserName: + type: string + type: object + type: object + type: object + suppressDefaultApplicationName: + description: |- + If false, automatically set the Contrast application name on injected workloads (the workload name), + rather than use the default (generated by the agent). + Defaults to false. + nullable: true + type: boolean + suppressDefaultServerName: + description: |- + If false, automatically set the Contrast server name on injected workloads ('kubernetes-{namespace}'), + rather than use the default (normally the pod name). + Defaults to false. + nullable: true + type: boolean + yaml: + description: The contrast_security.yaml file. Multiple lines + are supported. 
+ nullable: true + type: string + type: object + type: object + required: + - template + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: clusteragentconnections.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: ClusterAgentConnection + listKind: ClusterAgentConnectionList + plural: clusteragentconnections + singular: clusteragentconnection + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + namespaces: + description: |- + The namespaces to apply this AgentConnection template to. Glob syntax is supported. + Optional, defaults to selecting all namespaces. + items: + type: string + type: array + template: + description: |- + The default AgentConnection to apply to the namespaces selected by 'spec.namespaces'. + Required. + nullable: true + properties: + apiVersion: + type: string + kind: + type: string + metadata: + description: The metadata of the kubernetes object. + type: object + spec: + description: Specification of the kubernetes object. + properties: + apiKey: + description: The API Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + serviceKey: + description: The Service Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. 
+ type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + url: + description: |- + The URL of the Contrast server. + Defaults to 'https://app.contrastsecurity.com/Contrast'. + nullable: true + type: string + userName: + description: The User Name to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + required: + - apiKey + - serviceKey + - userName + type: object + type: object + required: + - template + type: object + type: object + served: true + storage: true +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: agentconfigurations.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: AgentConfiguration + listKind: AgentConfigurationList + plural: agentconfigurations + singular: agentconfiguration + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + initContainer: + description: |- + Optional spec to apply to the Contrast InitContainer. + If not specified, reasonable defaults are used. + nullable: true + properties: + securityContext: + description: |- + SecurityContext defines the security options the container should be run with. + If set, the fields of SecurityContext override the equivalent fields of + PodSecurityContext. 
More info: + https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + nullable: true + properties: + allowPrivilegeEscalation: + nullable: true + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + nullable: true + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + nullable: true + type: boolean + runAsGroup: + format: int64 + nullable: true + type: integer + runAsNonRoot: + nullable: true + type: boolean + runAsUser: + format: int64 + nullable: true + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + nullable: true + type: boolean + runAsUserName: + type: string + type: object + type: object + type: object + suppressDefaultApplicationName: + description: |- + If false, automatically set the Contrast application name on injected workloads (the workload name), + rather than use the default (generated by the agent). + Defaults to false. + nullable: true + type: boolean + suppressDefaultServerName: + description: |- + If false, automatically set the Contrast server name on injected workloads ('kubernetes-{namespace}'), + rather than use the default (normally the pod name). + Defaults to false. + nullable: true + type: boolean + yaml: + description: The contrast_security.yaml file. Multiple lines are supported. 
+ nullable: true + type: string + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: agentconnections.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: AgentConnection + listKind: AgentConnectionList + plural: agentconnections + singular: agentconnection + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + apiKey: + description: The API Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + serviceKey: + description: The Service Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + url: + description: |- + The URL of the Contrast server. + Defaults to 'https://app.contrastsecurity.com/Contrast'. + nullable: true + type: string + userName: + description: The User Name to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. 
+ type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + required: + - apiKey + - serviceKey + - userName + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: agentinjectors.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: AgentInjector + listKind: AgentInjectorList + plural: agentinjectors + singular: agentinjector + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + configuration: + description: The configuration the injected agent will use. + nullable: true + properties: + name: + description: |- + The name of a AgentConfiguration resource. Must exist within the same namespace. + Defaults to the AgentConfiguration specified by a ClusterAgentConfiguration. + nullable: true + type: string + type: object + connection: + description: The connection the injected agent will use to communicate + with Contrast. + nullable: true + properties: + name: + description: |- + The name of AgentConnection resource. Must exist within the same namespace. + Defaults to the AgentConnection specified by a ClusterAgentConnection. + nullable: true + type: string + type: object + enabled: + description: |- + Is this agent injector enabled. + Defaults to 'true'. + type: boolean + image: + description: Overrides the default agent images. + properties: + name: + description: |- + The name of the injector image to use. + The default depends on the value of spec.type. + nullable: true + type: string + pullPolicy: + description: |- + The pull policy to use when fetching Contrast images. 
See Kubernetes imagePullPolicy for more information. + Defaults to "Always". + nullable: true + pattern: ^(Always|IfNotPresent|Never)$ + type: string + pullSecretName: + description: The name of a pull secret to append to the pod's + imagePullSecrets list. + nullable: true + type: string + registry: + description: |- + The fully qualified name of the registry to pull agent images from. This registry must be accessible by the pods being injected and the operator. + Defaults to the official Contrast container image registry. + nullable: true + type: string + type: object + selector: + description: |- + Select which Deployment/StatefulSet/DaemonSet pods are eligible for agent injection. + Under OpenShift, DeploymentConfig is also supported. + properties: + images: + description: |- + Container images to inject the agent into. Glob patterns are supported. + If empty (the default), selects all containers in Pod. + items: + type: string + type: array + labels: + description: |- + Deployment/StatefulSet/DaemonSet/DeploymentConfig labels whose pods are eligible for agent injection. + If empty (the default), selects all workloads in namespace. + items: + properties: + name: + description: |- + The name of the label to match. + Required. + type: string + value: + description: |- + The value of the label to match. Glob patterns are supported. + Required. + type: string + required: + - name + - value + type: object + type: array + type: object + type: + description: |- + The type of agent to inject. Can be one of ['dotnet-core', 'java', 'nodejs', 'nodejs-esm', 'php', 'python']. + Required. + pattern: ^(dotnet-core|dotnet|java|node|nodejs|node-esm|nodejs-esm|node-protect|nodejs-protect|php|personal-home-page|python|dummy)$ + type: string + version: + description: |- + The version of the agent to inject. The literal 'latest' will inject the latest version. Partial version matches are supported, e.g. '2' will select the version '2.1.0'. + Defaults to 'latest'. 
+ nullable: true + pattern: ^(latest|(\d+(\.\d+){0,3}(-.+)?))$ + type: string + required: + - type + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: clusteragentconfigurations.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: ClusterAgentConfiguration + listKind: ClusterAgentConfigurationList + plural: clusteragentconfigurations + singular: clusteragentconfiguration + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + namespaces: + description: |- + The namespaces to apply this AgentConfiguration template to. Glob syntax is supported. + Optional, defaults to selecting all namespaces. + items: + type: string + type: array + template: + description: |- + The default AgentConfiguration to apply to the namespaces selected by 'spec.namespaces'. + Required. + nullable: true + properties: + apiVersion: + type: string + kind: + type: string + metadata: + description: The metadata of the kubernetes object. + type: object + spec: + description: Specification of the kubernetes object. + properties: + initContainer: + description: |- + Optional spec to apply to the Contrast InitContainer. + If not specified, reasonable defaults are used. + nullable: true + properties: + securityContext: + description: |- + SecurityContext defines the security options the container should be run with. + If set, the fields of SecurityContext override the equivalent fields of + PodSecurityContext. 
More info: + https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + nullable: true + properties: + allowPrivilegeEscalation: + nullable: true + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + nullable: true + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + nullable: true + type: boolean + runAsGroup: + format: int64 + nullable: true + type: integer + runAsNonRoot: + nullable: true + type: boolean + runAsUser: + format: int64 + nullable: true + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + nullable: true + type: boolean + runAsUserName: + type: string + type: object + type: object + type: object + suppressDefaultApplicationName: + description: |- + If false, automatically set the Contrast application name on injected workloads (the workload name), + rather than use the default (generated by the agent). + Defaults to false. + nullable: true + type: boolean + suppressDefaultServerName: + description: |- + If false, automatically set the Contrast server name on injected workloads ('kubernetes-{namespace}'), + rather than use the default (normally the pod name). + Defaults to false. + nullable: true + type: boolean + yaml: + description: The contrast_security.yaml file. Multiple lines + are supported. 
+ nullable: true + type: string + type: object + type: object + required: + - template + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: clusteragentconnections.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: ClusterAgentConnection + listKind: ClusterAgentConnectionList + plural: clusteragentconnections + singular: clusteragentconnection + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + namespaces: + description: |- + The namespaces to apply this AgentConnection template to. Glob syntax is supported. + Optional, defaults to selecting all namespaces. + items: + type: string + type: array + template: + description: |- + The default AgentConnection to apply to the namespaces selected by 'spec.namespaces'. + Required. + nullable: true + properties: + apiVersion: + type: string + kind: + type: string + metadata: + description: The metadata of the kubernetes object. + type: object + spec: + description: Specification of the kubernetes object. + properties: + apiKey: + description: The API Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + serviceKey: + description: The Service Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. 
+ type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + url: + description: |- + The URL of the Contrast server. + Defaults to 'https://app.contrastsecurity.com/Contrast'. + nullable: true + type: string + userName: + description: The User Name to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + required: + - apiKey + - serviceKey + - userName + type: object + type: object + required: + - template + type: object + type: object + served: true + storage: true +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: agentconfigurations.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: AgentConfiguration + listKind: AgentConfigurationList + plural: agentconfigurations + singular: agentconfiguration + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + initContainer: + description: |- + Optional spec to apply to the Contrast InitContainer. + If not specified, reasonable defaults are used. + nullable: true + properties: + securityContext: + description: |- + SecurityContext defines the security options the container should be run with. + If set, the fields of SecurityContext override the equivalent fields of + PodSecurityContext. 
More info: + https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + nullable: true + properties: + allowPrivilegeEscalation: + nullable: true + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + nullable: true + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + nullable: true + type: boolean + runAsGroup: + format: int64 + nullable: true + type: integer + runAsNonRoot: + nullable: true + type: boolean + runAsUser: + format: int64 + nullable: true + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + nullable: true + type: boolean + runAsUserName: + type: string + type: object + type: object + type: object + suppressDefaultApplicationName: + description: |- + If false, automatically set the Contrast application name on injected workloads (the workload name), + rather than use the default (generated by the agent). + Defaults to false. + nullable: true + type: boolean + suppressDefaultServerName: + description: |- + If false, automatically set the Contrast server name on injected workloads ('kubernetes-{namespace}'), + rather than use the default (normally the pod name). + Defaults to false. + nullable: true + type: boolean + yaml: + description: The contrast_security.yaml file. Multiple lines are supported. 
+ nullable: true + type: string + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: agentconnections.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: AgentConnection + listKind: AgentConnectionList + plural: agentconnections + singular: agentconnection + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + apiKey: + description: The API Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + serviceKey: + description: The Service Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + url: + description: |- + The URL of the Contrast server. + Defaults to 'https://app.contrastsecurity.com/Contrast'. + nullable: true + type: string + userName: + description: The User Name to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. 
+ type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + required: + - apiKey + - serviceKey + - userName + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: agentinjectors.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: AgentInjector + listKind: AgentInjectorList + plural: agentinjectors + singular: agentinjector + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + configuration: + description: The configuration the injected agent will use. + nullable: true + properties: + name: + description: |- + The name of a AgentConfiguration resource. Must exist within the same namespace. + Defaults to the AgentConfiguration specified by a ClusterAgentConfiguration. + nullable: true + type: string + type: object + connection: + description: The connection the injected agent will use to communicate + with Contrast. + nullable: true + properties: + name: + description: |- + The name of AgentConnection resource. Must exist within the same namespace. + Defaults to the AgentConnection specified by a ClusterAgentConnection. + nullable: true + type: string + type: object + enabled: + description: |- + Is this agent injector enabled. + Defaults to 'true'. + type: boolean + image: + description: Overrides the default agent images. + properties: + name: + description: |- + The name of the injector image to use. + The default depends on the value of spec.type. + nullable: true + type: string + pullPolicy: + description: |- + The pull policy to use when fetching Contrast images. 
See Kubernetes imagePullPolicy for more information. + Defaults to "Always". + nullable: true + pattern: ^(Always|IfNotPresent|Never)$ + type: string + pullSecretName: + description: The name of a pull secret to append to the pod's + imagePullSecrets list. + nullable: true + type: string + registry: + description: |- + The fully qualified name of the registry to pull agent images from. This registry must be accessible by the pods being injected and the operator. + Defaults to the official Contrast container image registry. + nullable: true + type: string + type: object + selector: + description: |- + Select which Deployment/StatefulSet/DaemonSet pods are eligible for agent injection. + Under OpenShift, DeploymentConfig is also supported. + properties: + images: + description: |- + Container images to inject the agent into. Glob patterns are supported. + If empty (the default), selects all containers in Pod. + items: + type: string + type: array + labels: + description: |- + Deployment/StatefulSet/DaemonSet/DeploymentConfig labels whose pods are eligible for agent injection. + If empty (the default), selects all workloads in namespace. + items: + properties: + name: + description: |- + The name of the label to match. + Required. + type: string + value: + description: |- + The value of the label to match. Glob patterns are supported. + Required. + type: string + required: + - name + - value + type: object + type: array + type: object + type: + description: |- + The type of agent to inject. Can be one of ['dotnet-core', 'java', 'nodejs', 'nodejs-esm', 'php', 'python']. + Required. + pattern: ^(dotnet-core|dotnet|java|node|nodejs|node-esm|nodejs-esm|node-protect|nodejs-protect|php|personal-home-page|python|dummy)$ + type: string + version: + description: |- + The version of the agent to inject. The literal 'latest' will inject the latest version. Partial version matches are supported, e.g. '2' will select the version '2.1.0'. + Defaults to 'latest'. 
+ nullable: true + pattern: ^(latest|(\d+(\.\d+){0,3}(-.+)?))$ + type: string + required: + - type + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: clusteragentconfigurations.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: ClusterAgentConfiguration + listKind: ClusterAgentConfigurationList + plural: clusteragentconfigurations + singular: clusteragentconfiguration + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + namespaces: + description: |- + The namespaces to apply this AgentConfiguration template to. Glob syntax is supported. + Optional, defaults to selecting all namespaces. + items: + type: string + type: array + template: + description: |- + The default AgentConfiguration to apply to the namespaces selected by 'spec.namespaces'. + Required. + nullable: true + properties: + apiVersion: + type: string + kind: + type: string + metadata: + description: The metadata of the kubernetes object. + type: object + spec: + description: Specification of the kubernetes object. + properties: + initContainer: + description: |- + Optional spec to apply to the Contrast InitContainer. + If not specified, reasonable defaults are used. + nullable: true + properties: + securityContext: + description: |- + SecurityContext defines the security options the container should be run with. + If set, the fields of SecurityContext override the equivalent fields of + PodSecurityContext. 
More info: + https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + nullable: true + properties: + allowPrivilegeEscalation: + nullable: true + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + nullable: true + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + nullable: true + type: boolean + runAsGroup: + format: int64 + nullable: true + type: integer + runAsNonRoot: + nullable: true + type: boolean + runAsUser: + format: int64 + nullable: true + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + nullable: true + type: boolean + runAsUserName: + type: string + type: object + type: object + type: object + suppressDefaultApplicationName: + description: |- + If false, automatically set the Contrast application name on injected workloads (the workload name), + rather than use the default (generated by the agent). + Defaults to false. + nullable: true + type: boolean + suppressDefaultServerName: + description: |- + If false, automatically set the Contrast server name on injected workloads ('kubernetes-{namespace}'), + rather than use the default (normally the pod name). + Defaults to false. + nullable: true + type: boolean + yaml: + description: The contrast_security.yaml file. Multiple lines + are supported. 
+ nullable: true + type: string + type: object + type: object + required: + - template + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: clusteragentconnections.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: ClusterAgentConnection + listKind: ClusterAgentConnectionList + plural: clusteragentconnections + singular: clusteragentconnection + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + namespaces: + description: |- + The namespaces to apply this AgentConnection template to. Glob syntax is supported. + Optional, defaults to selecting all namespaces. + items: + type: string + type: array + template: + description: |- + The default AgentConnection to apply to the namespaces selected by 'spec.namespaces'. + Required. + nullable: true + properties: + apiVersion: + type: string + kind: + type: string + metadata: + description: The metadata of the kubernetes object. + type: object + spec: + description: Specification of the kubernetes object. + properties: + apiKey: + description: The API Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + serviceKey: + description: The Service Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. 
+ type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + url: + description: |- + The URL of the Contrast server. + Defaults to 'https://app.contrastsecurity.com/Contrast'. + nullable: true + type: string + userName: + description: The User Name to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + required: + - apiKey + - serviceKey + - userName + type: object + type: object + required: + - template + type: object + type: object + served: true + storage: true +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: agentconfigurations.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: AgentConfiguration + listKind: AgentConfigurationList + plural: agentconfigurations + singular: agentconfiguration + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + initContainer: + description: |- + Optional spec to apply to the Contrast InitContainer. + If not specified, reasonable defaults are used. + nullable: true + properties: + securityContext: + description: |- + SecurityContext defines the security options the container should be run with. + If set, the fields of SecurityContext override the equivalent fields of + PodSecurityContext. 
More info: + https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + nullable: true + properties: + allowPrivilegeEscalation: + nullable: true + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + nullable: true + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + nullable: true + type: boolean + runAsGroup: + format: int64 + nullable: true + type: integer + runAsNonRoot: + nullable: true + type: boolean + runAsUser: + format: int64 + nullable: true + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + nullable: true + type: boolean + runAsUserName: + type: string + type: object + type: object + type: object + suppressDefaultApplicationName: + description: |- + If false, automatically set the Contrast application name on injected workloads (the workload name), + rather than use the default (generated by the agent). + Defaults to false. + nullable: true + type: boolean + suppressDefaultServerName: + description: |- + If false, automatically set the Contrast server name on injected workloads ('kubernetes-{namespace}'), + rather than use the default (normally the pod name). + Defaults to false. + nullable: true + type: boolean + yaml: + description: The contrast_security.yaml file. Multiple lines are supported. 
+ nullable: true + type: string + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: agentconnections.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: AgentConnection + listKind: AgentConnectionList + plural: agentconnections + singular: agentconnection + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + apiKey: + description: The API Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + serviceKey: + description: The Service Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + url: + description: |- + The URL of the Contrast server. + Defaults to 'https://app.contrastsecurity.com/Contrast'. + nullable: true + type: string + userName: + description: The User Name to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. 
+ type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + required: + - apiKey + - serviceKey + - userName + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: agentinjectors.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: AgentInjector + listKind: AgentInjectorList + plural: agentinjectors + singular: agentinjector + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + configuration: + description: The configuration the injected agent will use. + nullable: true + properties: + name: + description: |- + The name of a AgentConfiguration resource. Must exist within the same namespace. + Defaults to the AgentConfiguration specified by a ClusterAgentConfiguration. + nullable: true + type: string + type: object + connection: + description: The connection the injected agent will use to communicate + with Contrast. + nullable: true + properties: + name: + description: |- + The name of AgentConnection resource. Must exist within the same namespace. + Defaults to the AgentConnection specified by a ClusterAgentConnection. + nullable: true + type: string + type: object + enabled: + description: |- + Is this agent injector enabled. + Defaults to 'true'. + type: boolean + image: + description: Overrides the default agent images. + properties: + name: + description: |- + The name of the injector image to use. + The default depends on the value of spec.type. + nullable: true + type: string + pullPolicy: + description: |- + The pull policy to use when fetching Contrast images. 
See Kubernetes imagePullPolicy for more information. + Defaults to "Always". + nullable: true + pattern: ^(Always|IfNotPresent|Never)$ + type: string + pullSecretName: + description: The name of a pull secret to append to the pod's + imagePullSecrets list. + nullable: true + type: string + registry: + description: |- + The fully qualified name of the registry to pull agent images from. This registry must be accessible by the pods being injected and the operator. + Defaults to the official Contrast container image registry. + nullable: true + type: string + type: object + selector: + description: |- + Select which Deployment/StatefulSet/DaemonSet pods are eligible for agent injection. + Under OpenShift, DeploymentConfig is also supported. + properties: + images: + description: |- + Container images to inject the agent into. Glob patterns are supported. + If empty (the default), selects all containers in Pod. + items: + type: string + type: array + labels: + description: |- + Deployment/StatefulSet/DaemonSet/DeploymentConfig labels whose pods are eligible for agent injection. + If empty (the default), selects all workloads in namespace. + items: + properties: + name: + description: |- + The name of the label to match. + Required. + type: string + value: + description: |- + The value of the label to match. Glob patterns are supported. + Required. + type: string + required: + - name + - value + type: object + type: array + type: object + type: + description: |- + The type of agent to inject. Can be one of ['dotnet-core', 'java', 'nodejs', 'nodejs-esm', 'php', 'python']. + Required. + pattern: ^(dotnet-core|dotnet|java|node|nodejs|node-esm|nodejs-esm|node-protect|nodejs-protect|php|personal-home-page|python|dummy)$ + type: string + version: + description: |- + The version of the agent to inject. The literal 'latest' will inject the latest version. Partial version matches are supported, e.g. '2' will select the version '2.1.0'. + Defaults to 'latest'. 
+ nullable: true + pattern: ^(latest|(\d+(\.\d+){0,3}(-.+)?))$ + type: string + required: + - type + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: clusteragentconfigurations.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: ClusterAgentConfiguration + listKind: ClusterAgentConfigurationList + plural: clusteragentconfigurations + singular: clusteragentconfiguration + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + namespaces: + description: |- + The namespaces to apply this AgentConfiguration template to. Glob syntax is supported. + Optional, defaults to selecting all namespaces. + items: + type: string + type: array + template: + description: |- + The default AgentConfiguration to apply to the namespaces selected by 'spec.namespaces'. + Required. + nullable: true + properties: + apiVersion: + type: string + kind: + type: string + metadata: + description: The metadata of the kubernetes object. + type: object + spec: + description: Specification of the kubernetes object. + properties: + initContainer: + description: |- + Optional spec to apply to the Contrast InitContainer. + If not specified, reasonable defaults are used. + nullable: true + properties: + securityContext: + description: |- + SecurityContext defines the security options the container should be run with. + If set, the fields of SecurityContext override the equivalent fields of + PodSecurityContext. 
More info: + https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + nullable: true + properties: + allowPrivilegeEscalation: + nullable: true + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + nullable: true + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + nullable: true + type: boolean + runAsGroup: + format: int64 + nullable: true + type: integer + runAsNonRoot: + nullable: true + type: boolean + runAsUser: + format: int64 + nullable: true + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + nullable: true + type: boolean + runAsUserName: + type: string + type: object + type: object + type: object + suppressDefaultApplicationName: + description: |- + If false, automatically set the Contrast application name on injected workloads (the workload name), + rather than use the default (generated by the agent). + Defaults to false. + nullable: true + type: boolean + suppressDefaultServerName: + description: |- + If false, automatically set the Contrast server name on injected workloads ('kubernetes-{namespace}'), + rather than use the default (normally the pod name). + Defaults to false. + nullable: true + type: boolean + yaml: + description: The contrast_security.yaml file. Multiple lines + are supported. 
+ nullable: true + type: string + type: object + type: object + required: + - template + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: clusteragentconnections.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: ClusterAgentConnection + listKind: ClusterAgentConnectionList + plural: clusteragentconnections + singular: clusteragentconnection + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + namespaces: + description: |- + The namespaces to apply this AgentConnection template to. Glob syntax is supported. + Optional, defaults to selecting all namespaces. + items: + type: string + type: array + template: + description: |- + The default AgentConnection to apply to the namespaces selected by 'spec.namespaces'. + Required. + nullable: true + properties: + apiVersion: + type: string + kind: + type: string + metadata: + description: The metadata of the kubernetes object. + type: object + spec: + description: Specification of the kubernetes object. + properties: + apiKey: + description: The API Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + serviceKey: + description: The Service Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. 
+ type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + url: + description: |- + The URL of the Contrast server. + Defaults to 'https://app.contrastsecurity.com/Contrast'. + nullable: true + type: string + userName: + description: The User Name to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + required: + - apiKey + - serviceKey + - userName + type: object + type: object + required: + - template + type: object + type: object + served: true + storage: true +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: agentconfigurations.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: AgentConfiguration + listKind: AgentConfigurationList + plural: agentconfigurations + singular: agentconfiguration + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + initContainer: + description: |- + Optional spec to apply to the Contrast InitContainer. + If not specified, reasonable defaults are used. + nullable: true + properties: + securityContext: + description: |- + SecurityContext defines the security options the container should be run with. + If set, the fields of SecurityContext override the equivalent fields of + PodSecurityContext. 
More info: + https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + nullable: true + properties: + allowPrivilegeEscalation: + nullable: true + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + nullable: true + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + nullable: true + type: boolean + runAsGroup: + format: int64 + nullable: true + type: integer + runAsNonRoot: + nullable: true + type: boolean + runAsUser: + format: int64 + nullable: true + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + nullable: true + type: boolean + runAsUserName: + type: string + type: object + type: object + type: object + suppressDefaultApplicationName: + description: |- + If false, automatically set the Contrast application name on injected workloads (the workload name), + rather than use the default (generated by the agent). + Defaults to false. + nullable: true + type: boolean + suppressDefaultServerName: + description: |- + If false, automatically set the Contrast server name on injected workloads ('kubernetes-{namespace}'), + rather than use the default (normally the pod name). + Defaults to false. + nullable: true + type: boolean + yaml: + description: The contrast_security.yaml file. Multiple lines are supported. 
+ nullable: true + type: string + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: agentconnections.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: AgentConnection + listKind: AgentConnectionList + plural: agentconnections + singular: agentconnection + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + apiKey: + description: The API Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + serviceKey: + description: The Service Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + url: + description: |- + The URL of the Contrast server. + Defaults to 'https://app.contrastsecurity.com/Contrast'. + nullable: true + type: string + userName: + description: The User Name to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. 
+ type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + required: + - apiKey + - serviceKey + - userName + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: agentinjectors.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: AgentInjector + listKind: AgentInjectorList + plural: agentinjectors + singular: agentinjector + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + configuration: + description: The configuration the injected agent will use. + nullable: true + properties: + name: + description: |- + The name of a AgentConfiguration resource. Must exist within the same namespace. + Defaults to the AgentConfiguration specified by a ClusterAgentConfiguration. + nullable: true + type: string + type: object + connection: + description: The connection the injected agent will use to communicate + with Contrast. + nullable: true + properties: + name: + description: |- + The name of AgentConnection resource. Must exist within the same namespace. + Defaults to the AgentConnection specified by a ClusterAgentConnection. + nullable: true + type: string + type: object + enabled: + description: |- + Is this agent injector enabled. + Defaults to 'true'. + type: boolean + image: + description: Overrides the default agent images. + properties: + name: + description: |- + The name of the injector image to use. + The default depends on the value of spec.type. + nullable: true + type: string + pullPolicy: + description: |- + The pull policy to use when fetching Contrast images. 
See Kubernetes imagePullPolicy for more information. + Defaults to "Always". + nullable: true + pattern: ^(Always|IfNotPresent|Never)$ + type: string + pullSecretName: + description: The name of a pull secret to append to the pod's + imagePullSecrets list. + nullable: true + type: string + registry: + description: |- + The fully qualified name of the registry to pull agent images from. This registry must be accessible by the pods being injected and the operator. + Defaults to the official Contrast container image registry. + nullable: true + type: string + type: object + selector: + description: |- + Select which Deployment/StatefulSet/DaemonSet pods are eligible for agent injection. + Under OpenShift, DeploymentConfig is also supported. + properties: + images: + description: |- + Container images to inject the agent into. Glob patterns are supported. + If empty (the default), selects all containers in Pod. + items: + type: string + type: array + labels: + description: |- + Deployment/StatefulSet/DaemonSet/DeploymentConfig labels whose pods are eligible for agent injection. + If empty (the default), selects all workloads in namespace. + items: + properties: + name: + description: |- + The name of the label to match. + Required. + type: string + value: + description: |- + The value of the label to match. Glob patterns are supported. + Required. + type: string + required: + - name + - value + type: object + type: array + type: object + type: + description: |- + The type of agent to inject. Can be one of ['dotnet-core', 'java', 'nodejs', 'nodejs-esm', 'php', 'python']. + Required. + pattern: ^(dotnet-core|dotnet|java|node|nodejs|node-esm|nodejs-esm|node-protect|nodejs-protect|php|personal-home-page|python|dummy)$ + type: string + version: + description: |- + The version of the agent to inject. The literal 'latest' will inject the latest version. Partial version matches are supported, e.g. '2' will select the version '2.1.0'. + Defaults to 'latest'. 
+ nullable: true + pattern: ^(latest|(\d+(\.\d+){0,3}(-.+)?))$ + type: string + required: + - type + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: clusteragentconfigurations.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: ClusterAgentConfiguration + listKind: ClusterAgentConfigurationList + plural: clusteragentconfigurations + singular: clusteragentconfiguration + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + namespaces: + description: |- + The namespaces to apply this AgentConfiguration template to. Glob syntax is supported. + Optional, defaults to selecting all namespaces. + items: + type: string + type: array + template: + description: |- + The default AgentConfiguration to apply to the namespaces selected by 'spec.namespaces'. + Required. + nullable: true + properties: + apiVersion: + type: string + kind: + type: string + metadata: + description: The metadata of the kubernetes object. + type: object + spec: + description: Specification of the kubernetes object. + properties: + initContainer: + description: |- + Optional spec to apply to the Contrast InitContainer. + If not specified, reasonable defaults are used. + nullable: true + properties: + securityContext: + description: |- + SecurityContext defines the security options the container should be run with. + If set, the fields of SecurityContext override the equivalent fields of + PodSecurityContext. 
More info: + https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + nullable: true + properties: + allowPrivilegeEscalation: + nullable: true + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + nullable: true + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + nullable: true + type: boolean + runAsGroup: + format: int64 + nullable: true + type: integer + runAsNonRoot: + nullable: true + type: boolean + runAsUser: + format: int64 + nullable: true + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + nullable: true + type: boolean + runAsUserName: + type: string + type: object + type: object + type: object + suppressDefaultApplicationName: + description: |- + If false, automatically set the Contrast application name on injected workloads (the workload name), + rather than use the default (generated by the agent). + Defaults to false. + nullable: true + type: boolean + suppressDefaultServerName: + description: |- + If false, automatically set the Contrast server name on injected workloads ('kubernetes-{namespace}'), + rather than use the default (normally the pod name). + Defaults to false. + nullable: true + type: boolean + yaml: + description: The contrast_security.yaml file. Multiple lines + are supported. 
+ nullable: true + type: string + type: object + type: object + required: + - template + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: clusteragentconnections.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: ClusterAgentConnection + listKind: ClusterAgentConnectionList + plural: clusteragentconnections + singular: clusteragentconnection + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + namespaces: + description: |- + The namespaces to apply this AgentConnection template to. Glob syntax is supported. + Optional, defaults to selecting all namespaces. + items: + type: string + type: array + template: + description: |- + The default AgentConnection to apply to the namespaces selected by 'spec.namespaces'. + Required. + nullable: true + properties: + apiVersion: + type: string + kind: + type: string + metadata: + description: The metadata of the kubernetes object. + type: object + spec: + description: Specification of the kubernetes object. + properties: + apiKey: + description: The API Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + serviceKey: + description: The Service Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. 
+ type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + url: + description: |- + The URL of the Contrast server. + Defaults to 'https://app.contrastsecurity.com/Contrast'. + nullable: true + type: string + userName: + description: The User Name to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + required: + - apiKey + - serviceKey + - userName + type: object + type: object + required: + - template + type: object + type: object + served: true + storage: true +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: agentconfigurations.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: AgentConfiguration + listKind: AgentConfigurationList + plural: agentconfigurations + singular: agentconfiguration + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + initContainer: + description: |- + Optional spec to apply to the Contrast InitContainer. + If not specified, reasonable defaults are used. + nullable: true + properties: + securityContext: + description: |- + SecurityContext defines the security options the container should be run with. + If set, the fields of SecurityContext override the equivalent fields of + PodSecurityContext. 
More info: + https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + nullable: true + properties: + allowPrivilegeEscalation: + nullable: true + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + nullable: true + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + nullable: true + type: boolean + runAsGroup: + format: int64 + nullable: true + type: integer + runAsNonRoot: + nullable: true + type: boolean + runAsUser: + format: int64 + nullable: true + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + nullable: true + type: boolean + runAsUserName: + type: string + type: object + type: object + type: object + suppressDefaultApplicationName: + description: |- + If false, automatically set the Contrast application name on injected workloads (the workload name), + rather than use the default (generated by the agent). + Defaults to false. + nullable: true + type: boolean + suppressDefaultServerName: + description: |- + If false, automatically set the Contrast server name on injected workloads ('kubernetes-{namespace}'), + rather than use the default (normally the pod name). + Defaults to false. + nullable: true + type: boolean + yaml: + description: The contrast_security.yaml file. Multiple lines are supported. 
+ nullable: true + type: string + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: agentconnections.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: AgentConnection + listKind: AgentConnectionList + plural: agentconnections + singular: agentconnection + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + apiKey: + description: The API Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + serviceKey: + description: The Service Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + url: + description: |- + The URL of the Contrast server. + Defaults to 'https://app.contrastsecurity.com/Contrast'. + nullable: true + type: string + userName: + description: The User Name to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. 
+ type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + required: + - apiKey + - serviceKey + - userName + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: agentinjectors.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: AgentInjector + listKind: AgentInjectorList + plural: agentinjectors + singular: agentinjector + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + configuration: + description: The configuration the injected agent will use. + nullable: true + properties: + name: + description: |- + The name of a AgentConfiguration resource. Must exist within the same namespace. + Defaults to the AgentConfiguration specified by a ClusterAgentConfiguration. + nullable: true + type: string + type: object + connection: + description: The connection the injected agent will use to communicate + with Contrast. + nullable: true + properties: + name: + description: |- + The name of AgentConnection resource. Must exist within the same namespace. + Defaults to the AgentConnection specified by a ClusterAgentConnection. + nullable: true + type: string + type: object + enabled: + description: |- + Is this agent injector enabled. + Defaults to 'true'. + type: boolean + image: + description: Overrides the default agent images. + properties: + name: + description: |- + The name of the injector image to use. + The default depends on the value of spec.type. + nullable: true + type: string + pullPolicy: + description: |- + The pull policy to use when fetching Contrast images. 
See Kubernetes imagePullPolicy for more information. + Defaults to "Always". + nullable: true + pattern: ^(Always|IfNotPresent|Never)$ + type: string + pullSecretName: + description: The name of a pull secret to append to the pod's + imagePullSecrets list. + nullable: true + type: string + registry: + description: |- + The fully qualified name of the registry to pull agent images from. This registry must be accessible by the pods being injected and the operator. + Defaults to the official Contrast container image registry. + nullable: true + type: string + type: object + selector: + description: |- + Select which Deployment/StatefulSet/DaemonSet pods are eligible for agent injection. + Under OpenShift, DeploymentConfig is also supported. + properties: + images: + description: |- + Container images to inject the agent into. Glob patterns are supported. + If empty (the default), selects all containers in Pod. + items: + type: string + type: array + labels: + description: |- + Deployment/StatefulSet/DaemonSet/DeploymentConfig labels whose pods are eligible for agent injection. + If empty (the default), selects all workloads in namespace. + items: + properties: + name: + description: |- + The name of the label to match. + Required. + type: string + value: + description: |- + The value of the label to match. Glob patterns are supported. + Required. + type: string + required: + - name + - value + type: object + type: array + type: object + type: + description: |- + The type of agent to inject. Can be one of ['dotnet-core', 'java', 'nodejs', 'nodejs-esm', 'php', 'python']. + Required. + pattern: ^(dotnet-core|dotnet|java|node|nodejs|node-esm|nodejs-esm|node-protect|nodejs-protect|php|personal-home-page|python|dummy)$ + type: string + version: + description: |- + The version of the agent to inject. The literal 'latest' will inject the latest version. Partial version matches are supported, e.g. '2' will select the version '2.1.0'. + Defaults to 'latest'. 
+ nullable: true + pattern: ^(latest|(\d+(\.\d+){0,3}(-.+)?))$ + type: string + required: + - type + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: clusteragentconfigurations.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: ClusterAgentConfiguration + listKind: ClusterAgentConfigurationList + plural: clusteragentconfigurations + singular: clusteragentconfiguration + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + namespaces: + description: |- + The namespaces to apply this AgentConfiguration template to. Glob syntax is supported. + Optional, defaults to selecting all namespaces. + items: + type: string + type: array + template: + description: |- + The default AgentConfiguration to apply to the namespaces selected by 'spec.namespaces'. + Required. + nullable: true + properties: + apiVersion: + type: string + kind: + type: string + metadata: + description: The metadata of the kubernetes object. + type: object + spec: + description: Specification of the kubernetes object. + properties: + initContainer: + description: |- + Optional spec to apply to the Contrast InitContainer. + If not specified, reasonable defaults are used. + nullable: true + properties: + securityContext: + description: |- + SecurityContext defines the security options the container should be run with. + If set, the fields of SecurityContext override the equivalent fields of + PodSecurityContext. 
More info: + https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + nullable: true + properties: + allowPrivilegeEscalation: + nullable: true + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + nullable: true + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + nullable: true + type: boolean + runAsGroup: + format: int64 + nullable: true + type: integer + runAsNonRoot: + nullable: true + type: boolean + runAsUser: + format: int64 + nullable: true + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + nullable: true + type: boolean + runAsUserName: + type: string + type: object + type: object + type: object + suppressDefaultApplicationName: + description: |- + If false, automatically set the Contrast application name on injected workloads (the workload name), + rather than use the default (generated by the agent). + Defaults to false. + nullable: true + type: boolean + suppressDefaultServerName: + description: |- + If false, automatically set the Contrast server name on injected workloads ('kubernetes-{namespace}'), + rather than use the default (normally the pod name). + Defaults to false. + nullable: true + type: boolean + yaml: + description: The contrast_security.yaml file. Multiple lines + are supported. 
+ nullable: true + type: string + type: object + type: object + required: + - template + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: clusteragentconnections.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: ClusterAgentConnection + listKind: ClusterAgentConnectionList + plural: clusteragentconnections + singular: clusteragentconnection + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + namespaces: + description: |- + The namespaces to apply this AgentConnection template to. Glob syntax is supported. + Optional, defaults to selecting all namespaces. + items: + type: string + type: array + template: + description: |- + The default AgentConnection to apply to the namespaces selected by 'spec.namespaces'. + Required. + nullable: true + properties: + apiVersion: + type: string + kind: + type: string + metadata: + description: The metadata of the kubernetes object. + type: object + spec: + description: Specification of the kubernetes object. + properties: + apiKey: + description: The API Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + serviceKey: + description: The Service Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. 
+ type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + url: + description: |- + The URL of the Contrast server. + Defaults to 'https://app.contrastsecurity.com/Contrast'. + nullable: true + type: string + userName: + description: The User Name to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + required: + - apiKey + - serviceKey + - userName + type: object + type: object + required: + - template + type: object + type: object + served: true + storage: true +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: agentconfigurations.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: AgentConfiguration + listKind: AgentConfigurationList + plural: agentconfigurations + singular: agentconfiguration + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + initContainer: + description: |- + Optional spec to apply to the Contrast InitContainer. + If not specified, reasonable defaults are used. + nullable: true + properties: + securityContext: + description: |- + SecurityContext defines the security options the container should be run with. + If set, the fields of SecurityContext override the equivalent fields of + PodSecurityContext. 
More info: + https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + nullable: true + properties: + allowPrivilegeEscalation: + nullable: true + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + nullable: true + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + nullable: true + type: boolean + runAsGroup: + format: int64 + nullable: true + type: integer + runAsNonRoot: + nullable: true + type: boolean + runAsUser: + format: int64 + nullable: true + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + nullable: true + type: boolean + runAsUserName: + type: string + type: object + type: object + type: object + suppressDefaultApplicationName: + description: |- + If false, automatically set the Contrast application name on injected workloads (the workload name), + rather than use the default (generated by the agent). + Defaults to false. + nullable: true + type: boolean + suppressDefaultServerName: + description: |- + If false, automatically set the Contrast server name on injected workloads ('kubernetes-{namespace}'), + rather than use the default (normally the pod name). + Defaults to false. + nullable: true + type: boolean + yaml: + description: The contrast_security.yaml file. Multiple lines are supported. 
+ nullable: true + type: string + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: agentconnections.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: AgentConnection + listKind: AgentConnectionList + plural: agentconnections + singular: agentconnection + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + apiKey: + description: The API Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + serviceKey: + description: The Service Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + url: + description: |- + The URL of the Contrast server. + Defaults to 'https://app.contrastsecurity.com/Contrast'. + nullable: true + type: string + userName: + description: The User Name to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. 
+ type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + required: + - apiKey + - serviceKey + - userName + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: agentinjectors.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: AgentInjector + listKind: AgentInjectorList + plural: agentinjectors + singular: agentinjector + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + configuration: + description: The configuration the injected agent will use. + nullable: true + properties: + name: + description: |- + The name of a AgentConfiguration resource. Must exist within the same namespace. + Defaults to the AgentConfiguration specified by a ClusterAgentConfiguration. + nullable: true + type: string + type: object + connection: + description: The connection the injected agent will use to communicate + with Contrast. + nullable: true + properties: + name: + description: |- + The name of AgentConnection resource. Must exist within the same namespace. + Defaults to the AgentConnection specified by a ClusterAgentConnection. + nullable: true + type: string + type: object + enabled: + description: |- + Is this agent injector enabled. + Defaults to 'true'. + type: boolean + image: + description: Overrides the default agent images. + properties: + name: + description: |- + The name of the injector image to use. + The default depends on the value of spec.type. + nullable: true + type: string + pullPolicy: + description: |- + The pull policy to use when fetching Contrast images. 
See Kubernetes imagePullPolicy for more information. + Defaults to "Always". + nullable: true + pattern: ^(Always|IfNotPresent|Never)$ + type: string + pullSecretName: + description: The name of a pull secret to append to the pod's + imagePullSecrets list. + nullable: true + type: string + registry: + description: |- + The fully qualified name of the registry to pull agent images from. This registry must be accessible by the pods being injected and the operator. + Defaults to the official Contrast container image registry. + nullable: true + type: string + type: object + selector: + description: |- + Select which Deployment/StatefulSet/DaemonSet pods are eligible for agent injection. + Under OpenShift, DeploymentConfig is also supported. + properties: + images: + description: |- + Container images to inject the agent into. Glob patterns are supported. + If empty (the default), selects all containers in Pod. + items: + type: string + type: array + labels: + description: |- + Deployment/StatefulSet/DaemonSet/DeploymentConfig labels whose pods are eligible for agent injection. + If empty (the default), selects all workloads in namespace. + items: + properties: + name: + description: |- + The name of the label to match. + Required. + type: string + value: + description: |- + The value of the label to match. Glob patterns are supported. + Required. + type: string + required: + - name + - value + type: object + type: array + type: object + type: + description: |- + The type of agent to inject. Can be one of ['dotnet-core', 'java', 'nodejs', 'nodejs-esm', 'php', 'python']. + Required. + pattern: ^(dotnet-core|dotnet|java|node|nodejs|node-esm|nodejs-esm|node-protect|nodejs-protect|php|personal-home-page|python|dummy)$ + type: string + version: + description: |- + The version of the agent to inject. The literal 'latest' will inject the latest version. Partial version matches are supported, e.g. '2' will select the version '2.1.0'. + Defaults to 'latest'. 
+ nullable: true + pattern: ^(latest|(\d+(\.\d+){0,3}(-.+)?))$ + type: string + required: + - type + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: clusteragentconfigurations.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: ClusterAgentConfiguration + listKind: ClusterAgentConfigurationList + plural: clusteragentconfigurations + singular: clusteragentconfiguration + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + namespaces: + description: |- + The namespaces to apply this AgentConfiguration template to. Glob syntax is supported. + Optional, defaults to selecting all namespaces. + items: + type: string + type: array + template: + description: |- + The default AgentConfiguration to apply to the namespaces selected by 'spec.namespaces'. + Required. + nullable: true + properties: + apiVersion: + type: string + kind: + type: string + metadata: + description: The metadata of the kubernetes object. + type: object + spec: + description: Specification of the kubernetes object. + properties: + initContainer: + description: |- + Optional spec to apply to the Contrast InitContainer. + If not specified, reasonable defaults are used. + nullable: true + properties: + securityContext: + description: |- + SecurityContext defines the security options the container should be run with. + If set, the fields of SecurityContext override the equivalent fields of + PodSecurityContext. 
More info: + https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + nullable: true + properties: + allowPrivilegeEscalation: + nullable: true + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + nullable: true + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + nullable: true + type: boolean + runAsGroup: + format: int64 + nullable: true + type: integer + runAsNonRoot: + nullable: true + type: boolean + runAsUser: + format: int64 + nullable: true + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + nullable: true + type: boolean + runAsUserName: + type: string + type: object + type: object + type: object + suppressDefaultApplicationName: + description: |- + If false, automatically set the Contrast application name on injected workloads (the workload name), + rather than use the default (generated by the agent). + Defaults to false. + nullable: true + type: boolean + suppressDefaultServerName: + description: |- + If false, automatically set the Contrast server name on injected workloads ('kubernetes-{namespace}'), + rather than use the default (normally the pod name). + Defaults to false. + nullable: true + type: boolean + yaml: + description: The contrast_security.yaml file. Multiple lines + are supported. 
+ nullable: true + type: string + type: object + type: object + required: + - template + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: clusteragentconnections.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: ClusterAgentConnection + listKind: ClusterAgentConnectionList + plural: clusteragentconnections + singular: clusteragentconnection + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + namespaces: + description: |- + The namespaces to apply this AgentConnection template to. Glob syntax is supported. + Optional, defaults to selecting all namespaces. + items: + type: string + type: array + template: + description: |- + The default AgentConnection to apply to the namespaces selected by 'spec.namespaces'. + Required. + nullable: true + properties: + apiVersion: + type: string + kind: + type: string + metadata: + description: The metadata of the kubernetes object. + type: object + spec: + description: Specification of the kubernetes object. + properties: + apiKey: + description: The API Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + serviceKey: + description: The Service Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. 
+ type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + url: + description: |- + The URL of the Contrast server. + Defaults to 'https://app.contrastsecurity.com/Contrast'. + nullable: true + type: string + userName: + description: The User Name to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + required: + - apiKey + - serviceKey + - userName + type: object + type: object + required: + - template + type: object + type: object + served: true + storage: true +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: agentconfigurations.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: AgentConfiguration + listKind: AgentConfigurationList + plural: agentconfigurations + singular: agentconfiguration + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + initContainer: + description: |- + Optional spec to apply to the Contrast InitContainer. + If not specified, reasonable defaults are used. + nullable: true + properties: + securityContext: + description: |- + SecurityContext defines the security options the container should be run with. + If set, the fields of SecurityContext override the equivalent fields of + PodSecurityContext. 
More info: + https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + nullable: true + properties: + allowPrivilegeEscalation: + nullable: true + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + nullable: true + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + nullable: true + type: boolean + runAsGroup: + format: int64 + nullable: true + type: integer + runAsNonRoot: + nullable: true + type: boolean + runAsUser: + format: int64 + nullable: true + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + nullable: true + type: boolean + runAsUserName: + type: string + type: object + type: object + type: object + suppressDefaultApplicationName: + description: |- + If false, automatically set the Contrast application name on injected workloads (the workload name), + rather than use the default (generated by the agent). + Defaults to false. + nullable: true + type: boolean + suppressDefaultServerName: + description: |- + If false, automatically set the Contrast server name on injected workloads ('kubernetes-{namespace}'), + rather than use the default (normally the pod name). + Defaults to false. + nullable: true + type: boolean + yaml: + description: The contrast_security.yaml file. Multiple lines are supported. 
+ nullable: true + type: string + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: agentconnections.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: AgentConnection + listKind: AgentConnectionList + plural: agentconnections + singular: agentconnection + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + apiKey: + description: The API Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + serviceKey: + description: The Service Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + url: + description: |- + The URL of the Contrast server. + Defaults to 'https://app.contrastsecurity.com/Contrast'. + nullable: true + type: string + userName: + description: The User Name to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. 
+ type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + required: + - apiKey + - serviceKey + - userName + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: agentinjectors.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: AgentInjector + listKind: AgentInjectorList + plural: agentinjectors + singular: agentinjector + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + configuration: + description: The configuration the injected agent will use. + nullable: true + properties: + name: + description: |- + The name of a AgentConfiguration resource. Must exist within the same namespace. + Defaults to the AgentConfiguration specified by a ClusterAgentConfiguration. + nullable: true + type: string + type: object + connection: + description: The connection the injected agent will use to communicate + with Contrast. + nullable: true + properties: + name: + description: |- + The name of AgentConnection resource. Must exist within the same namespace. + Defaults to the AgentConnection specified by a ClusterAgentConnection. + nullable: true + type: string + type: object + enabled: + description: |- + Is this agent injector enabled. + Defaults to 'true'. + type: boolean + image: + description: Overrides the default agent images. + properties: + name: + description: |- + The name of the injector image to use. + The default depends on the value of spec.type. + nullable: true + type: string + pullPolicy: + description: |- + The pull policy to use when fetching Contrast images. 
See Kubernetes imagePullPolicy for more information. + Defaults to "Always". + nullable: true + pattern: ^(Always|IfNotPresent|Never)$ + type: string + pullSecretName: + description: The name of a pull secret to append to the pod's + imagePullSecrets list. + nullable: true + type: string + registry: + description: |- + The fully qualified name of the registry to pull agent images from. This registry must be accessible by the pods being injected and the operator. + Defaults to the official Contrast container image registry. + nullable: true + type: string + type: object + selector: + description: |- + Select which Deployment/StatefulSet/DaemonSet pods are eligible for agent injection. + Under OpenShift, DeploymentConfig is also supported. + properties: + images: + description: |- + Container images to inject the agent into. Glob patterns are supported. + If empty (the default), selects all containers in Pod. + items: + type: string + type: array + labels: + description: |- + Deployment/StatefulSet/DaemonSet/DeploymentConfig labels whose pods are eligible for agent injection. + If empty (the default), selects all workloads in namespace. + items: + properties: + name: + description: |- + The name of the label to match. + Required. + type: string + value: + description: |- + The value of the label to match. Glob patterns are supported. + Required. + type: string + required: + - name + - value + type: object + type: array + type: object + type: + description: |- + The type of agent to inject. Can be one of ['dotnet-core', 'java', 'nodejs', 'nodejs-esm', 'php', 'python']. + Required. + pattern: ^(dotnet-core|dotnet|java|node|nodejs|node-esm|nodejs-esm|node-protect|nodejs-protect|php|personal-home-page|python|dummy)$ + type: string + version: + description: |- + The version of the agent to inject. The literal 'latest' will inject the latest version. Partial version matches are supported, e.g. '2' will select the version '2.1.0'. + Defaults to 'latest'. 
+ nullable: true + pattern: ^(latest|(\d+(\.\d+){0,3}(-.+)?))$ + type: string + required: + - type + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: clusteragentconfigurations.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: ClusterAgentConfiguration + listKind: ClusterAgentConfigurationList + plural: clusteragentconfigurations + singular: clusteragentconfiguration + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + namespaces: + description: |- + The namespaces to apply this AgentConfiguration template to. Glob syntax is supported. + Optional, defaults to selecting all namespaces. + items: + type: string + type: array + template: + description: |- + The default AgentConfiguration to apply to the namespaces selected by 'spec.namespaces'. + Required. + nullable: true + properties: + apiVersion: + type: string + kind: + type: string + metadata: + description: The metadata of the kubernetes object. + type: object + spec: + description: Specification of the kubernetes object. + properties: + initContainer: + description: |- + Optional spec to apply to the Contrast InitContainer. + If not specified, reasonable defaults are used. + nullable: true + properties: + securityContext: + description: |- + SecurityContext defines the security options the container should be run with. + If set, the fields of SecurityContext override the equivalent fields of + PodSecurityContext. 
More info: + https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + nullable: true + properties: + allowPrivilegeEscalation: + nullable: true + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + nullable: true + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + nullable: true + type: boolean + runAsGroup: + format: int64 + nullable: true + type: integer + runAsNonRoot: + nullable: true + type: boolean + runAsUser: + format: int64 + nullable: true + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + nullable: true + type: boolean + runAsUserName: + type: string + type: object + type: object + type: object + suppressDefaultApplicationName: + description: |- + If false, automatically set the Contrast application name on injected workloads (the workload name), + rather than use the default (generated by the agent). + Defaults to false. + nullable: true + type: boolean + suppressDefaultServerName: + description: |- + If false, automatically set the Contrast server name on injected workloads ('kubernetes-{namespace}'), + rather than use the default (normally the pod name). + Defaults to false. + nullable: true + type: boolean + yaml: + description: The contrast_security.yaml file. Multiple lines + are supported. 
+ nullable: true + type: string + type: object + type: object + required: + - template + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: clusteragentconnections.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: ClusterAgentConnection + listKind: ClusterAgentConnectionList + plural: clusteragentconnections + singular: clusteragentconnection + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + namespaces: + description: |- + The namespaces to apply this AgentConnection template to. Glob syntax is supported. + Optional, defaults to selecting all namespaces. + items: + type: string + type: array + template: + description: |- + The default AgentConnection to apply to the namespaces selected by 'spec.namespaces'. + Required. + nullable: true + properties: + apiVersion: + type: string + kind: + type: string + metadata: + description: The metadata of the kubernetes object. + type: object + spec: + description: Specification of the kubernetes object. + properties: + apiKey: + description: The API Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + serviceKey: + description: The Service Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. 
+ type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + url: + description: |- + The URL of the Contrast server. + Defaults to 'https://app.contrastsecurity.com/Contrast'. + nullable: true + type: string + userName: + description: The User Name to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + required: + - apiKey + - serviceKey + - userName + type: object + type: object + required: + - template + type: object + type: object + served: true + storage: true +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: agentconfigurations.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: AgentConfiguration + listKind: AgentConfigurationList + plural: agentconfigurations + singular: agentconfiguration + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + initContainer: + description: |- + Optional spec to apply to the Contrast InitContainer. + If not specified, reasonable defaults are used. + nullable: true + properties: + securityContext: + description: |- + SecurityContext defines the security options the container should be run with. + If set, the fields of SecurityContext override the equivalent fields of + PodSecurityContext. 
More info: + https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + nullable: true + properties: + allowPrivilegeEscalation: + nullable: true + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + nullable: true + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + nullable: true + type: boolean + runAsGroup: + format: int64 + nullable: true + type: integer + runAsNonRoot: + nullable: true + type: boolean + runAsUser: + format: int64 + nullable: true + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + nullable: true + type: boolean + runAsUserName: + type: string + type: object + type: object + type: object + suppressDefaultApplicationName: + description: |- + If false, automatically set the Contrast application name on injected workloads (the workload name), + rather than use the default (generated by the agent). + Defaults to false. + nullable: true + type: boolean + suppressDefaultServerName: + description: |- + If false, automatically set the Contrast server name on injected workloads ('kubernetes-{namespace}'), + rather than use the default (normally the pod name). + Defaults to false. + nullable: true + type: boolean + yaml: + description: The contrast_security.yaml file. Multiple lines are supported. 
+ nullable: true + type: string + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: agentconnections.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: AgentConnection + listKind: AgentConnectionList + plural: agentconnections + singular: agentconnection + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + apiKey: + description: The API Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + serviceKey: + description: The Service Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + url: + description: |- + The URL of the Contrast server. + Defaults to 'https://app.contrastsecurity.com/Contrast'. + nullable: true + type: string + userName: + description: The User Name to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. 
+ type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + required: + - apiKey + - serviceKey + - userName + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: agentinjectors.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: AgentInjector + listKind: AgentInjectorList + plural: agentinjectors + singular: agentinjector + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + configuration: + description: The configuration the injected agent will use. + nullable: true + properties: + name: + description: |- + The name of a AgentConfiguration resource. Must exist within the same namespace. + Defaults to the AgentConfiguration specified by a ClusterAgentConfiguration. + nullable: true + type: string + type: object + connection: + description: The connection the injected agent will use to communicate + with Contrast. + nullable: true + properties: + name: + description: |- + The name of AgentConnection resource. Must exist within the same namespace. + Defaults to the AgentConnection specified by a ClusterAgentConnection. + nullable: true + type: string + type: object + enabled: + description: |- + Is this agent injector enabled. + Defaults to 'true'. + type: boolean + image: + description: Overrides the default agent images. + properties: + name: + description: |- + The name of the injector image to use. + The default depends on the value of spec.type. + nullable: true + type: string + pullPolicy: + description: |- + The pull policy to use when fetching Contrast images. 
See Kubernetes imagePullPolicy for more information. + Defaults to "Always". + nullable: true + pattern: ^(Always|IfNotPresent|Never)$ + type: string + pullSecretName: + description: The name of a pull secret to append to the pod's + imagePullSecrets list. + nullable: true + type: string + registry: + description: |- + The fully qualified name of the registry to pull agent images from. This registry must be accessible by the pods being injected and the operator. + Defaults to the official Contrast container image registry. + nullable: true + type: string + type: object + selector: + description: |- + Select which Deployment/StatefulSet/DaemonSet pods are eligible for agent injection. + Under OpenShift, DeploymentConfig is also supported. + properties: + images: + description: |- + Container images to inject the agent into. Glob patterns are supported. + If empty (the default), selects all containers in Pod. + items: + type: string + type: array + labels: + description: |- + Deployment/StatefulSet/DaemonSet/DeploymentConfig labels whose pods are eligible for agent injection. + If empty (the default), selects all workloads in namespace. + items: + properties: + name: + description: |- + The name of the label to match. + Required. + type: string + value: + description: |- + The value of the label to match. Glob patterns are supported. + Required. + type: string + required: + - name + - value + type: object + type: array + type: object + type: + description: |- + The type of agent to inject. Can be one of ['dotnet-core', 'java', 'nodejs', 'nodejs-esm', 'php', 'python']. + Required. + pattern: ^(dotnet-core|dotnet|java|node|nodejs|node-esm|nodejs-esm|node-protect|nodejs-protect|php|personal-home-page|python|dummy)$ + type: string + version: + description: |- + The version of the agent to inject. The literal 'latest' will inject the latest version. Partial version matches are supported, e.g. '2' will select the version '2.1.0'. + Defaults to 'latest'. 
+ nullable: true + pattern: ^(latest|(\d+(\.\d+){0,3}(-.+)?))$ + type: string + required: + - type + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: clusteragentconfigurations.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: ClusterAgentConfiguration + listKind: ClusterAgentConfigurationList + plural: clusteragentconfigurations + singular: clusteragentconfiguration + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + namespaces: + description: |- + The namespaces to apply this AgentConfiguration template to. Glob syntax is supported. + Optional, defaults to selecting all namespaces. + items: + type: string + type: array + template: + description: |- + The default AgentConfiguration to apply to the namespaces selected by 'spec.namespaces'. + Required. + nullable: true + properties: + apiVersion: + type: string + kind: + type: string + metadata: + description: The metadata of the kubernetes object. + type: object + spec: + description: Specification of the kubernetes object. + properties: + initContainer: + description: |- + Optional spec to apply to the Contrast InitContainer. + If not specified, reasonable defaults are used. + nullable: true + properties: + securityContext: + description: |- + SecurityContext defines the security options the container should be run with. + If set, the fields of SecurityContext override the equivalent fields of + PodSecurityContext. 
More info: + https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + nullable: true + properties: + allowPrivilegeEscalation: + nullable: true + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + nullable: true + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + nullable: true + type: boolean + runAsGroup: + format: int64 + nullable: true + type: integer + runAsNonRoot: + nullable: true + type: boolean + runAsUser: + format: int64 + nullable: true + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + nullable: true + type: boolean + runAsUserName: + type: string + type: object + type: object + type: object + suppressDefaultApplicationName: + description: |- + If false, automatically set the Contrast application name on injected workloads (the workload name), + rather than use the default (generated by the agent). + Defaults to false. + nullable: true + type: boolean + suppressDefaultServerName: + description: |- + If false, automatically set the Contrast server name on injected workloads ('kubernetes-{namespace}'), + rather than use the default (normally the pod name). + Defaults to false. + nullable: true + type: boolean + yaml: + description: The contrast_security.yaml file. Multiple lines + are supported. 
+ nullable: true + type: string + type: object + type: object + required: + - template + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: clusteragentconnections.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: ClusterAgentConnection + listKind: ClusterAgentConnectionList + plural: clusteragentconnections + singular: clusteragentconnection + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + namespaces: + description: |- + The namespaces to apply this AgentConnection template to. Glob syntax is supported. + Optional, defaults to selecting all namespaces. + items: + type: string + type: array + template: + description: |- + The default AgentConnection to apply to the namespaces selected by 'spec.namespaces'. + Required. + nullable: true + properties: + apiVersion: + type: string + kind: + type: string + metadata: + description: The metadata of the kubernetes object. + type: object + spec: + description: Specification of the kubernetes object. + properties: + apiKey: + description: The API Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + serviceKey: + description: The Service Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. 
+ type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + url: + description: |- + The URL of the Contrast server. + Defaults to 'https://app.contrastsecurity.com/Contrast'. + nullable: true + type: string + userName: + description: The User Name to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + required: + - apiKey + - serviceKey + - userName + type: object + type: object + required: + - template + type: object + type: object + served: true + storage: true +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: agentconfigurations.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: AgentConfiguration + listKind: AgentConfigurationList + plural: agentconfigurations + singular: agentconfiguration + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + initContainer: + description: |- + Optional spec to apply to the Contrast InitContainer. + If not specified, reasonable defaults are used. + nullable: true + properties: + securityContext: + description: |- + SecurityContext defines the security options the container should be run with. + If set, the fields of SecurityContext override the equivalent fields of + PodSecurityContext. 
More info: + https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + nullable: true + properties: + allowPrivilegeEscalation: + nullable: true + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + nullable: true + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + nullable: true + type: boolean + runAsGroup: + format: int64 + nullable: true + type: integer + runAsNonRoot: + nullable: true + type: boolean + runAsUser: + format: int64 + nullable: true + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + nullable: true + type: boolean + runAsUserName: + type: string + type: object + type: object + type: object + suppressDefaultApplicationName: + description: |- + If false, automatically set the Contrast application name on injected workloads (the workload name), + rather than use the default (generated by the agent). + Defaults to false. + nullable: true + type: boolean + suppressDefaultServerName: + description: |- + If false, automatically set the Contrast server name on injected workloads ('kubernetes-{namespace}'), + rather than use the default (normally the pod name). + Defaults to false. + nullable: true + type: boolean + yaml: + description: The contrast_security.yaml file. Multiple lines are supported. 
+ nullable: true + type: string + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: agentconnections.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: AgentConnection + listKind: AgentConnectionList + plural: agentconnections + singular: agentconnection + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + apiKey: + description: The API Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + serviceKey: + description: The Service Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + url: + description: |- + The URL of the Contrast server. + Defaults to 'https://app.contrastsecurity.com/Contrast'. + nullable: true + type: string + userName: + description: The User Name to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. 
+ type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + required: + - apiKey + - serviceKey + - userName + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: agentinjectors.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: AgentInjector + listKind: AgentInjectorList + plural: agentinjectors + singular: agentinjector + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + configuration: + description: The configuration the injected agent will use. + nullable: true + properties: + name: + description: |- + The name of a AgentConfiguration resource. Must exist within the same namespace. + Defaults to the AgentConfiguration specified by a ClusterAgentConfiguration. + nullable: true + type: string + type: object + connection: + description: The connection the injected agent will use to communicate + with Contrast. + nullable: true + properties: + name: + description: |- + The name of AgentConnection resource. Must exist within the same namespace. + Defaults to the AgentConnection specified by a ClusterAgentConnection. + nullable: true + type: string + type: object + enabled: + description: |- + Is this agent injector enabled. + Defaults to 'true'. + type: boolean + image: + description: Overrides the default agent images. + properties: + name: + description: |- + The name of the injector image to use. + The default depends on the value of spec.type. + nullable: true + type: string + pullPolicy: + description: |- + The pull policy to use when fetching Contrast images. 
See Kubernetes imagePullPolicy for more information. + Defaults to "Always". + nullable: true + pattern: ^(Always|IfNotPresent|Never)$ + type: string + pullSecretName: + description: The name of a pull secret to append to the pod's + imagePullSecrets list. + nullable: true + type: string + registry: + description: |- + The fully qualified name of the registry to pull agent images from. This registry must be accessible by the pods being injected and the operator. + Defaults to the official Contrast container image registry. + nullable: true + type: string + type: object + selector: + description: |- + Select which Deployment/StatefulSet/DaemonSet pods are eligible for agent injection. + Under OpenShift, DeploymentConfig is also supported. + properties: + images: + description: |- + Container images to inject the agent into. Glob patterns are supported. + If empty (the default), selects all containers in Pod. + items: + type: string + type: array + labels: + description: |- + Deployment/StatefulSet/DaemonSet/DeploymentConfig labels whose pods are eligible for agent injection. + If empty (the default), selects all workloads in namespace. + items: + properties: + name: + description: |- + The name of the label to match. + Required. + type: string + value: + description: |- + The value of the label to match. Glob patterns are supported. + Required. + type: string + required: + - name + - value + type: object + type: array + type: object + type: + description: |- + The type of agent to inject. Can be one of ['dotnet-core', 'java', 'nodejs', 'nodejs-esm', 'php', 'python']. + Required. + pattern: ^(dotnet-core|dotnet|java|node|nodejs|node-esm|nodejs-esm|node-protect|nodejs-protect|php|personal-home-page|python|dummy)$ + type: string + version: + description: |- + The version of the agent to inject. The literal 'latest' will inject the latest version. Partial version matches are supported, e.g. '2' will select the version '2.1.0'. + Defaults to 'latest'. 
+ nullable: true + pattern: ^(latest|(\d+(\.\d+){0,3}(-.+)?))$ + type: string + required: + - type + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: clusteragentconfigurations.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: ClusterAgentConfiguration + listKind: ClusterAgentConfigurationList + plural: clusteragentconfigurations + singular: clusteragentconfiguration + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + namespaces: + description: |- + The namespaces to apply this AgentConfiguration template to. Glob syntax is supported. + Optional, defaults to selecting all namespaces. + items: + type: string + type: array + template: + description: |- + The default AgentConfiguration to apply to the namespaces selected by 'spec.namespaces'. + Required. + nullable: true + properties: + apiVersion: + type: string + kind: + type: string + metadata: + description: The metadata of the kubernetes object. + type: object + spec: + description: Specification of the kubernetes object. + properties: + initContainer: + description: |- + Optional spec to apply to the Contrast InitContainer. + If not specified, reasonable defaults are used. + nullable: true + properties: + securityContext: + description: |- + SecurityContext defines the security options the container should be run with. + If set, the fields of SecurityContext override the equivalent fields of + PodSecurityContext. 
More info: + https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + nullable: true + properties: + allowPrivilegeEscalation: + nullable: true + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + nullable: true + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + nullable: true + type: boolean + runAsGroup: + format: int64 + nullable: true + type: integer + runAsNonRoot: + nullable: true + type: boolean + runAsUser: + format: int64 + nullable: true + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + nullable: true + type: boolean + runAsUserName: + type: string + type: object + type: object + type: object + suppressDefaultApplicationName: + description: |- + If false, automatically set the Contrast application name on injected workloads (the workload name), + rather than use the default (generated by the agent). + Defaults to false. + nullable: true + type: boolean + suppressDefaultServerName: + description: |- + If false, automatically set the Contrast server name on injected workloads ('kubernetes-{namespace}'), + rather than use the default (normally the pod name). + Defaults to false. + nullable: true + type: boolean + yaml: + description: The contrast_security.yaml file. Multiple lines + are supported. 
+ nullable: true + type: string + type: object + type: object + required: + - template + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: clusteragentconnections.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: ClusterAgentConnection + listKind: ClusterAgentConnectionList + plural: clusteragentconnections + singular: clusteragentconnection + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + namespaces: + description: |- + The namespaces to apply this AgentConnection template to. Glob syntax is supported. + Optional, defaults to selecting all namespaces. + items: + type: string + type: array + template: + description: |- + The default AgentConnection to apply to the namespaces selected by 'spec.namespaces'. + Required. + nullable: true + properties: + apiVersion: + type: string + kind: + type: string + metadata: + description: The metadata of the kubernetes object. + type: object + spec: + description: Specification of the kubernetes object. + properties: + apiKey: + description: The API Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + serviceKey: + description: The Service Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. 
+ type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + url: + description: |- + The URL of the Contrast server. + Defaults to 'https://app.contrastsecurity.com/Contrast'. + nullable: true + type: string + userName: + description: The User Name to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + required: + - apiKey + - serviceKey + - userName + type: object + type: object + required: + - template + type: object + type: object + served: true + storage: true +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: agentconfigurations.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: AgentConfiguration + listKind: AgentConfigurationList + plural: agentconfigurations + singular: agentconfiguration + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + initContainer: + description: |- + Optional spec to apply to the Contrast InitContainer. + If not specified, reasonable defaults are used. + nullable: true + properties: + securityContext: + description: |- + SecurityContext defines the security options the container should be run with. + If set, the fields of SecurityContext override the equivalent fields of + PodSecurityContext. 
More info: + https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + nullable: true + properties: + allowPrivilegeEscalation: + nullable: true + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + nullable: true + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + nullable: true + type: boolean + runAsGroup: + format: int64 + nullable: true + type: integer + runAsNonRoot: + nullable: true + type: boolean + runAsUser: + format: int64 + nullable: true + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + nullable: true + type: boolean + runAsUserName: + type: string + type: object + type: object + type: object + suppressDefaultApplicationName: + description: |- + If false, automatically set the Contrast application name on injected workloads (the workload name), + rather than use the default (generated by the agent). + Defaults to false. + nullable: true + type: boolean + suppressDefaultServerName: + description: |- + If false, automatically set the Contrast server name on injected workloads ('kubernetes-{namespace}'), + rather than use the default (normally the pod name). + Defaults to false. + nullable: true + type: boolean + yaml: + description: The contrast_security.yaml file. Multiple lines are supported. 
+ nullable: true + type: string + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: agentconnections.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: AgentConnection + listKind: AgentConnectionList + plural: agentconnections + singular: agentconnection + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + apiKey: + description: The API Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + serviceKey: + description: The Service Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + url: + description: |- + The URL of the Contrast server. + Defaults to 'https://app.contrastsecurity.com/Contrast'. + nullable: true + type: string + userName: + description: The User Name to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. 
+ type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + required: + - apiKey + - serviceKey + - userName + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: agentinjectors.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: AgentInjector + listKind: AgentInjectorList + plural: agentinjectors + singular: agentinjector + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + configuration: + description: The configuration the injected agent will use. + nullable: true + properties: + name: + description: |- + The name of a AgentConfiguration resource. Must exist within the same namespace. + Defaults to the AgentConfiguration specified by a ClusterAgentConfiguration. + nullable: true + type: string + type: object + connection: + description: The connection the injected agent will use to communicate + with Contrast. + nullable: true + properties: + name: + description: |- + The name of AgentConnection resource. Must exist within the same namespace. + Defaults to the AgentConnection specified by a ClusterAgentConnection. + nullable: true + type: string + type: object + enabled: + description: |- + Is this agent injector enabled. + Defaults to 'true'. + type: boolean + image: + description: Overrides the default agent images. + properties: + name: + description: |- + The name of the injector image to use. + The default depends on the value of spec.type. + nullable: true + type: string + pullPolicy: + description: |- + The pull policy to use when fetching Contrast images. 
See Kubernetes imagePullPolicy for more information. + Defaults to "Always". + nullable: true + pattern: ^(Always|IfNotPresent|Never)$ + type: string + pullSecretName: + description: The name of a pull secret to append to the pod's + imagePullSecrets list. + nullable: true + type: string + registry: + description: |- + The fully qualified name of the registry to pull agent images from. This registry must be accessible by the pods being injected and the operator. + Defaults to the official Contrast container image registry. + nullable: true + type: string + type: object + selector: + description: |- + Select which Deployment/StatefulSet/DaemonSet pods are eligible for agent injection. + Under OpenShift, DeploymentConfig is also supported. + properties: + images: + description: |- + Container images to inject the agent into. Glob patterns are supported. + If empty (the default), selects all containers in Pod. + items: + type: string + type: array + labels: + description: |- + Deployment/StatefulSet/DaemonSet/DeploymentConfig labels whose pods are eligible for agent injection. + If empty (the default), selects all workloads in namespace. + items: + properties: + name: + description: |- + The name of the label to match. + Required. + type: string + value: + description: |- + The value of the label to match. Glob patterns are supported. + Required. + type: string + required: + - name + - value + type: object + type: array + type: object + type: + description: |- + The type of agent to inject. Can be one of ['dotnet-core', 'java', 'nodejs', 'nodejs-esm', 'php', 'python']. + Required. + pattern: ^(dotnet-core|dotnet|java|node|nodejs|node-esm|nodejs-esm|node-protect|nodejs-protect|php|personal-home-page|python|dummy)$ + type: string + version: + description: |- + The version of the agent to inject. The literal 'latest' will inject the latest version. Partial version matches are supported, e.g. '2' will select the version '2.1.0'. + Defaults to 'latest'. 
+ nullable: true + pattern: ^(latest|(\d+(\.\d+){0,3}(-.+)?))$ + type: string + required: + - type + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: clusteragentconfigurations.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: ClusterAgentConfiguration + listKind: ClusterAgentConfigurationList + plural: clusteragentconfigurations + singular: clusteragentconfiguration + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + namespaces: + description: |- + The namespaces to apply this AgentConfiguration template to. Glob syntax is supported. + Optional, defaults to selecting all namespaces. + items: + type: string + type: array + template: + description: |- + The default AgentConfiguration to apply to the namespaces selected by 'spec.namespaces'. + Required. + nullable: true + properties: + apiVersion: + type: string + kind: + type: string + metadata: + description: The metadata of the kubernetes object. + type: object + spec: + description: Specification of the kubernetes object. + properties: + initContainer: + description: |- + Optional spec to apply to the Contrast InitContainer. + If not specified, reasonable defaults are used. + nullable: true + properties: + securityContext: + description: |- + SecurityContext defines the security options the container should be run with. + If set, the fields of SecurityContext override the equivalent fields of + PodSecurityContext. 
More info: + https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + nullable: true + properties: + allowPrivilegeEscalation: + nullable: true + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + nullable: true + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + nullable: true + type: boolean + runAsGroup: + format: int64 + nullable: true + type: integer + runAsNonRoot: + nullable: true + type: boolean + runAsUser: + format: int64 + nullable: true + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + nullable: true + type: boolean + runAsUserName: + type: string + type: object + type: object + type: object + suppressDefaultApplicationName: + description: |- + If false, automatically set the Contrast application name on injected workloads (the workload name), + rather than use the default (generated by the agent). + Defaults to false. + nullable: true + type: boolean + suppressDefaultServerName: + description: |- + If false, automatically set the Contrast server name on injected workloads ('kubernetes-{namespace}'), + rather than use the default (normally the pod name). + Defaults to false. + nullable: true + type: boolean + yaml: + description: The contrast_security.yaml file. Multiple lines + are supported. 
+ nullable: true + type: string + type: object + type: object + required: + - template + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/part-of: contrast-agent-operator + name: clusteragentconnections.agents.contrastsecurity.com +spec: + group: agents.contrastsecurity.com + names: + kind: ClusterAgentConnection + listKind: ClusterAgentConnectionList + plural: clusteragentconnections + singular: clusteragentconnection + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: Specification of the kubernetes object. + properties: + namespaces: + description: |- + The namespaces to apply this AgentConnection template to. Glob syntax is supported. + Optional, defaults to selecting all namespaces. + items: + type: string + type: array + template: + description: |- + The default AgentConnection to apply to the namespaces selected by 'spec.namespaces'. + Required. + nullable: true + properties: + apiVersion: + type: string + kind: + type: string + metadata: + description: The metadata of the kubernetes object. + type: object + spec: + description: Specification of the kubernetes object. + properties: + apiKey: + description: The API Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + serviceKey: + description: The Service Key to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. 
+ type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + url: + description: |- + The URL of the Contrast server. + Defaults to 'https://app.contrastsecurity.com/Contrast'. + nullable: true + type: string + userName: + description: The User Name to use for this connection. + properties: + secretKey: + description: |- + The key in the secret to access the value for. Must exist in the same namespace as the AgentConnection. + Required. + type: string + secretName: + description: |- + The name of the secret to reference. Must exist in the same namespace as the AgentConnection. + Required. + type: string + required: + - secretName + - secretKey + type: object + required: + - apiKey + - serviceKey + - userName + type: object + type: object + required: + - template + type: object + type: object + served: true + storage: true diff --git a/manifests/helm/templates/NOTES.txt b/manifests/helm/templates/NOTES.txt index 5d1b4fb0..7da0a1b0 100644 --- a/manifests/helm/templates/NOTES.txt +++ b/manifests/helm/templates/NOTES.txt @@ -1,5 +1,9 @@ {{ .Chart.Name }} chart version {{ .Chart.Version }} deployed! +{{ if .Values.createNamespace }} +⚠️ WARNING: Creating Namespaces via Helm Chart is deprecated and will be removed in a future release. + Pls use helm --create-namespace flag instead.️ {{ end }} + {{- if .Values.agentInjectors.enabled }} ✅ {{ len .Values.agentInjectors.injectors }} {{ len .Values.agentInjectors.injectors | plural "injector" "injectors" }} {{ len .Values.agentInjectors.injectors | plural "has" "have" }} been deployed to {{ len .Values.agentInjectors.namespaces | plural "namespace" "namespaces" }}: {{ join ", " .Values.agentInjectors.namespaces}} To use with your workloads: 
@@ -50,4 +54,4 @@ 📄 More documentation: https://docs.contrastsecurity.com/en/agent-operator.html -🙋 Get support: https://support.contrastsecurity.com / support@contrastsecurity.com \ No newline at end of file +🙋 Get support: https://support.contrastsecurity.com / support@contrastsecurity.com diff --git a/manifests/helm/templates/cluster-defaults.yaml.tpl b/manifests/helm/templates/cluster-defaults.yaml.tpl index 5b270476..7c781e34 100644 --- a/manifests/helm/templates/cluster-defaults.yaml.tpl +++ b/manifests/helm/templates/cluster-defaults.yaml.tpl @@ -4,7 +4,7 @@ kind: ClusterAgentConfiguration metadata: name: default-agent-configuration namespace: >- - {{ .Values.namespace }} + {{ if not .Values.createNamespace }}{{.Release.Namespace}}{{else}}{{.Values.namespace}}{{end}} spec: template: spec: @@ -16,7 +16,7 @@ kind: ClusterAgentConnection metadata: name: default-agent-connection namespace: >- - {{ .Values.namespace }} + {{ if not .Values.createNamespace }}{{.Release.Namespace}}{{else}}{{.Values.namespace}}{{end}} spec: template: spec: @@ -38,7 +38,7 @@ kind: Secret metadata: name: default-agent-connection-secret namespace: >- - {{ .Values.namespace }} + {{ if not .Values.createNamespace }}{{.Release.Namespace}}{{else}}{{.Values.namespace}}{{end}} type: Opaque stringData: apiKey: >- diff --git a/manifests/helm/templates/image-pull-secrets.yaml.tpl b/manifests/helm/templates/image-pull-secrets.yaml.tpl index 9876c970..ae255c6f 100644 --- a/manifests/helm/templates/image-pull-secrets.yaml.tpl +++ b/manifests/helm/templates/image-pull-secrets.yaml.tpl @@ -9,7 +9,7 @@ kind: Secret metadata: name: {{ .Values.imageCredentials.pullSecretName }} namespace: >- - {{ .Values.namespace }} + {{ if not .Values.createNamespace }}{{.Release.Namespace}}{{else}}{{.Values.Namespace}}{{end}} type: kubernetes.io/dockerconfigjson data: .dockerconfigjson: {{ template "imagePullSecret" . }} 
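Review bot: With `createNamespace` false, the `default-agent-connection-secret` Secret in the third cluster-defaults hunk (and the two cluster-default resources in the first two) is placed in `.Release.Namespace`, which falls back to the kube-context namespace, usually `default`, when the chart is installed without `--namespace`. The comment this commit removes from values.yaml said the operator must be created in a separate namespace. If that requirement still holds, the chart should refuse such an install rather than put the apiKey/serviceKey/userName Secret in a shared namespace, for example with `{{- if and (not .Values.createNamespace) (eq .Release.Namespace "default") }}{{ fail "install with --namespace <operator-namespace>" }}{{- end }}` at the top of the template. The resource definitions these hunks touch start and end outside the hunks.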
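Review bot: The else branch on the added `namespace` line in image-pull-secrets.yaml.tpl reads `.Values.Namespace` with a capital N, while values.yaml defines `namespace` and the other templates in this diff use `.Values.namespace`. Because values.yaml now sets `createNamespace: true`, this is the branch taken by default, so the pull secret's namespace would presumably render empty and the secret would not reliably land next to the operator that needs it. The line should read `{{ if not .Values.createNamespace }}{{.Release.Namespace}}{{else}}{{.Values.namespace}}{{end}}`. Moving this expression, which is repeated in cluster-defaults.yaml.tpl and kustomization.yaml, into one named template would stop the copies drifting apart like this.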
diff --git a/manifests/helm/templates/namespace.depricated.yaml b/manifests/helm/templates/namespace.depricated.yaml new file mode 100644 index 00000000..af619d3b --- /dev/null +++ b/manifests/helm/templates/namespace.depricated.yaml @@ -0,0 +1,10 @@ +## This resource is deprecated and will be removed in a future release. +## Pls use helm --create-namespace flag instead. +{{- if .Values.createNamespace }} +kind: Namespace +apiVersion: v1 +metadata: + name: {{ .Values.namespace }} + labels: + app.kubernetes.io/part-of: contrast-agent-operator +{{- end -}} diff --git a/manifests/helm/values.yaml b/manifests/helm/values.yaml index 3285b647..57babac2 100644 --- a/manifests/helm/values.yaml +++ b/manifests/helm/values.yaml @@ -1,5 +1,6 @@ -# Release.Namespace is ignored. The operator must be created in a separate namespace. +# Specifing a namespace here is depricated and will be removed in a future release. Please use helm --namespace / --create-namespace instead. namespace: contrast-agent-operator +createNamespace: true image: registry: contrast repository: agent-operator @@ -62,7 +63,7 @@ clusterDefaults: # Name of a secret to retrieve the cluster-wide connection details from. # The secret should contain keys named apiKey, serviceKey and userName. # Leave blank if you want the chart to create a secret using the subsequent apiKeyValue, serviceKeyValue and userNameValue values. - existingSecret: + existingSecret: # Required if existingSecret is not set. The API Key from the Contrast UI. apiKeyValue: # Required if existingSecret is not set. The Service Key from the Contrast UI.
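Review bot: `name: {{ .Values.namespace }}` in namespace.depricated.yaml is emitted unquoted, so a value that YAML would retype (all digits, `true`, `null`) or an empty one yields a Namespace manifest with a non-string or missing name. `name: {{ .Values.namespace | quote }}` keeps it a string. The file name spells the word `depricated`; `namespace.deprecated.yaml` would match the spelling used in the header comment inside the file.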
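Review bot: The new `createNamespace` key in the first values.yaml hunk has no comment, and its default of `true` means a plain install still takes the path the line above calls deprecated, with the templates in this diff using `.Values.namespace` instead of the release namespace. A comment such as `# Deprecated. When true the chart creates the namespace named above and installs into it; set to false to install into the Helm release namespace.` would say what the switch does. The comment line added above `namespace:` also has two typos, `Specifing` and `depricated`, which should read `Specifying` and `deprecated`.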