Releases: Contrast-Security-OSS/agent-operator
v1.3.0
Version v1.3.0 released!
Changes
- Add support for generating AgentInjector configuration in Helm charts
- Add support for NodeJS ESM with the `nodejs-esm` agent type in AgentInjector configuration. This is supported for Node LTS versions >= 18.19.0
- Add beta support for Python with the `python` agent type in AgentInjector configuration
- Deprecate the `nodejs-protect` agent type
NOTE: `nodejs-protect` agent type is now deprecated with the release of the v5 NodeJS Agent. Please use the `nodejs` or `nodejs-esm` agent type in your AgentInjector configuration.
contrast/agent-operator:1.3.0
contrast/agent-operator@sha256:986a6c72dac503b723c08384d0bed7437c7bd7eeb23e742d1e3e22e36e959709
quay.io/contrast/agent-operator:1.3.0
quay.io/contrast/agent-operator@sha256:986a6c72dac503b723c08384d0bed7437c7bd7eeb23e742d1e3e22e36e959709
v1.2.0
Version v1.2.0 released!
Changes
- Upgraded project dependencies which included security fixes.
- Add support for Argo Rollouts
NOTE: If the operator is added to a cluster with existing rollouts, then those rollouts will need to be promoted for the pods to be fully injected.
contrast/agent-operator:1.2.0
contrast/agent-operator@sha256:27e054723225dfd303eb145623f9e6503cb678e55d74cb27a9909efd98efe987
quay.io/contrast/agent-operator:1.2.0
quay.io/contrast/agent-operator@sha256:27e054723225dfd303eb145623f9e6503cb678e55d74cb27a9909efd98efe987
v1.1.3
Version v1.1.3 released!
Changes
- Upgraded project dependencies which included security fixes.
contrast/agent-operator:1.1.3
contrast/agent-operator@sha256:1276bc81edfd09c30cdc9ba98f79558ee7236d81563c25d73c6db27bcce9ef4f
quay.io/contrast/agent-operator:1.1.3
quay.io/contrast/agent-operator@sha256:1276bc81edfd09c30cdc9ba98f79558ee7236d81563c25d73c6db27bcce9ef4f
v1.1.2
Version v1.1.2 released!
Changes
- Upgraded project dependencies which included security fixes.
contrast/agent-operator:1.1.2
contrast/agent-operator@sha256:f9b40e6f5b254b5c8dc8417fb945c2416cc0a0b9bcda437dc75ae77792cd0d51
quay.io/contrast/agent-operator:1.1.2
quay.io/contrast/agent-operator@sha256:f9b40e6f5b254b5c8dc8417fb945c2416cc0a0b9bcda437dc75ae77792cd0d51
v1.1.1
Version v1.1.1 released!
Changes
- Add support for `imagePullSecrets` in Helm charts
contrast/agent-operator:1.1.1
contrast/agent-operator@sha256:d4881c24748ff24d6214453c71d51e85041bc8a605f93aaee31946590bbe759b
quay.io/contrast/agent-operator:1.1.1
quay.io/contrast/agent-operator@sha256:d4881c24748ff24d6214453c71d51e85041bc8a605f93aaee31946590bbe759b
v1.1.0
Version v1.1.0 released!
Changes
- Injected Init Containers now execute as Non-Root by default. This can be disabled by the `CONTRAST_RUN_INIT_CONTAINER_AS_NON_ROOT=false` flag.
- Node agent security logs will now be logged to the `EmptyDir` writable volume.
- Upgraded project dependencies which included security fixes.
contrast/agent-operator:1.1.0
contrast/agent-operator@sha256:b57413b9c1efeb3cf114e4c05b57362510b61251a5d9b6739847ef00d93cf47a
quay.io/contrast/agent-operator:1.1.0
quay.io/contrast/agent-operator@sha256:b57413b9c1efeb3cf114e4c05b57362510b61251a5d9b6739847ef00d93cf47a
v1.0.0
Version v1.0.0 released! This is the first operator version released as GA and is the culmination of 9 months of effort. We would like to thank our technical partners for their incredible feedback during our beta phase.
This release signifies our commitment to the stability of the operator API. No breaking changes will be introduced until the next major version, following our versioning documentation.
Changes
No changes since v0.16.0.
Upgrading from Beta
When applying this release on an existing beta installation, please ensure that the latest manifests are applied.
contrast/agent-operator:1.0.0
contrast/agent-operator@sha256:29bcfc6862507b96789fffbc968048bd245aa4bf0c6ae67fc5d9697bb89b63ff
quay.io/contrast/agent-operator:1.0.0
quay.io/contrast/agent-operator@sha256:29bcfc6862507b96789fffbc968048bd245aa4bf0c6ae67fc5d9697bb89b63ff
v0.16.0
Version v0.16.0 released!
This release contains optional manifest updates. It is recommended to update manifests in K8s v1.25+ clusters if using Pod Security Admission.
Improvements
- Added logging of non-default options to aid in diagnostics.
- Added the ability to detect when SANs, specified via `CONTRAST_WEBHOOK_HOSTS`, are modified so that new TLS certificates may be generated.
- Removed superfluous case-sensitivity in TLS certificate SAN generation.
- Improved handling of namespaces of different cases.
- Improved logging when Secrets are referenced, but with incorrect casing.
Bug Fixes
- Upgraded project dependencies which included security fixes.
- Due to a bug in the Helm chart, TLS certificates may be incorrectly generated. This was fixed in `v0.15.1`, but upgrading could leave the operator in an invalid state. The operator will now correct these problems upon upgrading.
Internal Changes
- Removed the feature flag `CONTRAST_USE_SLOW_COMPARER`. First introduced in `v0.11.0` defaulting to `False`, no regressions have been reported since.
contrast/agent-operator:0.16.0
contrast/agent-operator@sha256:0c82e963c1578923d12625823415c4960f419e232cceb703bb814b0ee4d370ba
quay.io/contrast/agent-operator:0.16.0
quay.io/contrast/agent-operator@sha256:0c82e963c1578923d12625823415c4960f419e232cceb703bb814b0ee4d370ba
v0.15.1
Version v0.15.1 released!
This release may cause injected resources to shift after upgrading the operator.
Improvements
- Improved the error message when an AgentInjector is ignored due to a missing AgentConnection.
Bug Fixes
- Fixed incorrect TLS certificate generation when installing the operator using Helm and defaults. If webhook communication is failing, please re-install the Helm chart (ensure the `contrast-agent-operator` namespace is deleted).
contrast/agent-operator:0.15.1
contrast/agent-operator@sha256:5bc8b7102e1fbb84851451b8636af97379cc228c33900fcd31384ef7e69a75c4
quay.io/contrast/agent-operator:0.15.1
quay.io/contrast/agent-operator@sha256:5bc8b7102e1fbb84851451b8636af97379cc228c33900fcd31384ef7e69a75c4
v0.15.0
Version v0.15.0 released!
This release contains optional manifest changes. This release may cause injected resources to shift after upgrading the operator.
Improvements
- When AgentInjectors do not map to any known entities, the operator will now emit a log message, as this may be an undesired state.
- Improved documentation defined in the CRDs.
- Improved handling of failures during TLS webhook secret generation.
- Injected Init Containers now drop all non-essential capabilities/permissions.
- Injected Init Containers now define resource requests/limits.
- Injected Init Containers can now execute as Non-Root. This behavior can be forced by the new `CONTRAST_RUN_INIT_CONTAINER_AS_NON_ROOT=true` flag. The operator will enable this feature flag by default in a future release. Note that this feature requires the support of the injected agent images; required versions are defined below.
- The operator's installation manifests no longer force a container UID, reducing installation friction in OpenShift.
- Within K8s clusters, the operator now officially supports executing and injecting pods that have the `Restricted` policy applied (if `CONTRAST_RUN_INIT_CONTAINER_AS_NON_ROOT=true` is set). This feature requires K8s v1.25. Pod Security Policies, deprecated in K8s v1.21, are not supported.
- Within OpenShift clusters, the operator now officially supports executing and injecting pods that have the `restricted` SCC policy applied. Note that in some OpenShift versions where setting the seccomp policy is disallowed, the `CONTRAST_SUPPRESS_SECCOMP_PROFILE=true` flag must be set.
Bug Fixes
- Bug and security updates to our dependencies.
- During generation/updates of templated entities, the K8s API server could return an invalid result. If this occurred during the creation of new entities, the operator could be left in an invalid state, preventing a retry from occurring. The only work-around was to restart the operator. This has been fixed.
- During pod deletions, the operator could return a new mutation patch that was empty. This would cause an error to be emitted by the API server "webhook returned response.patchType but not response.patch". This has been fixed.
- When an explicit AgentConfiguration was specified in an AgentInjector, but did not exist in the same namespace, the operator wouldn't mark the AgentInjector as invalid. This state is now correctly handled and is logged.
Breaking Changes
- The operator will now consider a missing AgentConfiguration that is explicitly specified in an AgentInjector as invalid (previously, the missing AgentConfiguration was ignored).
- If `CONTRAST_RUN_INIT_CONTAINER_AS_NON_ROOT=true` is specified, previous container images will no longer work. The minimum versions are specified in the table below:
Type | Minimum Version |
---|---|
dotnet-core | 2.4.4 |
java | 4.11.0 |
nodejs | 4.30.0 |
nodejs-protect | 5.2.0 |
php | 1.8.0 |
contrast/agent-operator:0.15.0
contrast/agent-operator@sha256:daa571d6c3c0c61369686fb9798bb69b91289573b2b02776b1b0f8b8f5316b58
quay.io/contrast/agent-operator:0.15.0
quay.io/contrast/agent-operator@sha256:daa571d6c3c0c61369686fb9798bb69b91289573b2b02776b1b0f8b8f5316b58