From 1cfc139c647e896d02e2187f1c98c53cd96650b5 Mon Sep 17 00:00:00 2001
From: Morgan Creekmore
Date: Wed, 5 Nov 2025 17:10:15 -0600
Subject: [PATCH] Add global setting for enabling agents logging to stdout
---
 manifests/helm/templates/operator/deployment.yaml.tpl | 2 ++
 manifests/helm/values.schema.json | 9 +++++++++
 manifests/helm/values.schema.yaml | 8 ++++++--
 manifests/helm/values.yaml | 2 ++
 .../Core/Reactions/Injecting/Patching/PodPatcher.cs | 5 +++++
 src/Contrast.K8s.AgentOperator/Modules/OptionsModule.cs | 6 +++++-
 .../Options/OperatorOptions.cs | 1 +
 7 files changed, 30 insertions(+), 3 deletions(-)
diff --git a/manifests/helm/templates/operator/deployment.yaml.tpl b/manifests/helm/templates/operator/deployment.yaml.tpl
index 232b4be8..245df3e3 100644
--- a/manifests/helm/templates/operator/deployment.yaml.tpl
+++ b/manifests/helm/templates/operator/deployment.yaml.tpl
@@ -100,6 +100,8 @@ spec:
 value: '{{ .Values.operator.webhookConfiguration }}'
 - name: CONTRAST_ENABLE_EARLY_CHAINING
 value: '{{ .Values.operator.enableEarlyChaining }}'
+ - name: CONTRAST_ENABLE_AGENT_STDOUT
+ value: '{{ .Values.operator.enableAgentStdout }}'
 - name: CONTRAST_INSTALL_SOURCE
 value: helm
 - name: CONTRAST_INITCONTAINER_CPU_REQUEST
diff --git a/manifests/helm/values.schema.json b/manifests/helm/values.schema.json
index d92f99ac..281d3e2c 100644
--- a/manifests/helm/values.schema.json
+++ b/manifests/helm/values.schema.json
@@ -322,6 +322,7 @@
 "type": "object",
 "properties": {
 "annotations": {
+ "description": "Deployment Annotations for the operator deployment.",
 "type": "object"
 },
 "defaultRegistry": {
@@ -329,6 +330,11 @@
 "default": "contrast",
 "type": "string"
 },
+ "enableAgentStdout": {
+ "description": "Globally enable agents logging to stdout",
+ "default": false,
+ "type": "boolean"
+ },
 "enableEarlyChaining": {
 "description": "Enable early chaining. Should only be enabled if you are using a dotnet-core AgentInjector and DynaKube is used in classicStack mode.",
 "default": false,
@@ -419,12 +425,15 @@
 }
 },
 "labels": {
+ "description": "Deployment Labels for the operator deployment.",
 "type": "object"
 },
 "podAnnotations": {
+ "description": "Pod Annotations for the operator pod(s).",
 "type": "object"
 },
 "podLabels": {
+ "description": "Pod Labels for the operator pod(s).",
 "type": "object"
 },
 "replicas": {
diff --git a/manifests/helm/values.schema.yaml b/manifests/helm/values.schema.yaml
index ef2a6a43..d05bcd56 100644
--- a/manifests/helm/values.schema.yaml
+++ b/manifests/helm/values.schema.yaml
@@ -45,11 +45,15 @@ operator:
 webhookConfiguration: # @schema type:[string];default:contrast-web-hook-configuration
 # -- Enable early chaining. Should only be enabled if you are using a dotnet-core AgentInjector and DynaKube is used in classicStack mode.
 enableEarlyChaining: # @schema type:[boolean];default:false
- # Metadata for the operator deployment.
+ # -- Globally enable agents logging to stdout
+ enableAgentStdout: # @schema type:[boolean];default:false
+ # -- Deployment Labels for the operator deployment.
 labels: {}
+ # -- Deployment Annotations for the operator deployment.
 annotations: {}
- # Metadata for the operator pod(s).
+ # -- Pod Labels for the operator pod(s).
 podLabels: {}
+ # -- Pod Annotations for the operator pod(s).
 podAnnotations: {}
 # -- SecurityContext for operator pod.
 securityContext: {}
diff --git a/manifests/helm/values.yaml b/manifests/helm/values.yaml
index a3c73af9..fd86d704 100644
--- a/manifests/helm/values.yaml
+++ b/manifests/helm/values.yaml
@@ -46,6 +46,8 @@ operator:
 webhookConfiguration: contrast-web-hook-configuration
 # Enable early chaining. Should only be enabled if you are using a dotnet-core AgentInjector and DynaKube is used in classicStack mode.
 enableEarlyChaining: false
+ # Globally enable agents logging to stdout
+ enableAgentStdout: false
 # Metadata for the operator deployment.
 labels: {}
 annotations: {}
diff --git a/src/Contrast.K8s.AgentOperator/Core/Reactions/Injecting/Patching/PodPatcher.cs b/src/Contrast.K8s.AgentOperator/Core/Reactions/Injecting/Patching/PodPatcher.cs
index 0086c730..032c2179 100644
--- a/src/Contrast.K8s.AgentOperator/Core/Reactions/Injecting/Patching/PodPatcher.cs
+++ b/src/Contrast.K8s.AgentOperator/Core/Reactions/Injecting/Patching/PodPatcher.cs
@@ -298,6 +298,11 @@ private IEnumerable GenerateEnvVars(PatchingContext context, V1Pod pod
 yield return new V1EnvVar("CONTRAST_MOUNT_AGENT_PATH", agentMountPath);
 yield return new V1EnvVar("CONTRAST_MOUNT_WRITABLE_PATH", writableMountPath);
+ if (_operatorOptions.EnableAgentStdout)
+ {
+ yield return new V1EnvVar("CONTRAST__AGENT__LOGGER__STDOUT", "true");
+ }
+
 if (connection.TeamServerUri != null)
 {
 yield return new V1EnvVar("CONTRAST__API__URL", connection.TeamServerUri);
diff --git a/src/Contrast.K8s.AgentOperator/Modules/OptionsModule.cs b/src/Contrast.K8s.AgentOperator/Modules/OptionsModule.cs
index 94196cc6..4fc52d66 100644
--- a/src/Contrast.K8s.AgentOperator/Modules/OptionsModule.cs
+++ b/src/Contrast.K8s.AgentOperator/Modules/OptionsModule.cs
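Review bot: The comment on `enableAgentStdout` in values.yaml does not say what turning it on exposes. With the flag set, every injected agent writes its log to the container's stdout, so agent output lands in the node's container logs and in whatever log shipping the cluster runs, readable by anyone allowed to read pod logs in those namespaces. That is worth stating next to the switch, for example `# Globally enable agents logging to stdout. Agent logs then appear in container logs and any log pipeline; check the agent log level before enabling.` The same one-line description is repeated in values.schema.yaml and values.schema.json and would benefit from the same wording.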
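Review bot: `CONTRAST__AGENT__LOGGER__STDOUT` is yielded in PodPatcher.cs whenever the global flag is set, with no check against the AgentConfiguration being applied, while the comment added in OptionsModule.cs promises a per-AgentConfiguration override through `agent.logger.stdout`. Nothing in this hunk shows how that override wins; if the yaml key is turned into the same variable later in GenerateEnvVars, the container gets two entries with one name and the effective value rests on ordering and on how the patch is merged. A team that must keep agent output out of shared container logs for one workload needs that opt-out to be reliable, so either skip the global default when the configuration already sets the key or document the precedence here, e.g. `// Global default; an agent.logger.stdout value from the AgentConfiguration is emitted later and must win.` GenerateEnvVars starts and ends outside the hunk, so the later emission is assumed, not seen.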
@@ -65,12 +65,15 @@ protected override void Load(ContainerBuilder builder)
 }
 // Users may override this on a per AgentConfiguration bases via the InitContainer override field.
- var runInitContainersAsNonRoot = GetEnvironmentOptionFlag(logger, "CONTRAST_RUN_INIT_CONTAINER_AS_NON_ROOT", "run-init-container-as-non-root", true); ;
+ var runInitContainersAsNonRoot = GetEnvironmentOptionFlag(logger, "CONTRAST_RUN_INIT_CONTAINER_AS_NON_ROOT", "run-init-container-as-non-root", true);
 // This is needed for OpenShift < 4.11 (Assumed per the change log, unable to test at the time of writing).
 // See: https://github.com/openshift/cluster-kube-apiserver-operator/issues/1325
 var suppressSeccompProfile = GetEnvironmentOptionFlag(logger, "CONTRAST_SUPPRESS_SECCOMP_PROFILE", "suppress-seccomp-profile", false);
+ // Users may override this on a per AgentConfiguration bases in the yaml section with the key agent.logger.stdout
+ var enableAgentStdout = GetEnvironmentOptionFlag(logger, "CONTRAST_ENABLE_AGENT_STDOUT", "enable-agent-stdout", false);
+
 // A value from 0-100 to denote how many options the operator should purposely fail in.
 // The goal is to test and correctly handle a non-perfect cluster.
 var chaosPercent = 0;
@@ -90,6 +93,7 @@ protected override void Load(ContainerBuilder builder)
 eventQueueMergeWindowSeconds,
 runInitContainersAsNonRoot,
 suppressSeccompProfile,
+ enableAgentStdout,
 chaosPercent / 100m);
 }).SingleInstance();
diff --git a/src/Contrast.K8s.AgentOperator/Options/OperatorOptions.cs b/src/Contrast.K8s.AgentOperator/Options/OperatorOptions.cs
index 98652984..e611456e 100644
--- a/src/Contrast.K8s.AgentOperator/Options/OperatorOptions.cs
+++ b/src/Contrast.K8s.AgentOperator/Options/OperatorOptions.cs
@@ -12,5 +12,6 @@ public record OperatorOptions(string Namespace,
 int EventQueueMergeWindowSeconds,
 bool RunInitContainersAsNonRoot,
 bool SuppressSeccompProfile,
+ bool EnableAgentStdout,
 decimal ChaosRatio,
 string FieldManagerName = "agents.contrastsecurity.com");
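Review bot: Three adjacent `bool` values are now passed by position to the OperatorOptions constructor in the second OptionsModule.cs hunk (`runInitContainersAsNonRoot, suppressSeccompProfile, enableAgentStdout`). A transposition there compiles cleanly and would silently swap a hardening switch such as run-as-non-root with the logging flag. Passing them by name, e.g. `enableAgentStdout: enableAgentStdout,`, makes the call check itself against the record. The same concern applies to the OperatorOptions.cs hunk, where `bool EnableAgentStdout` was inserted in the middle of the positional parameter list, so any other positional caller not shown here needs the same review. The constructor call begins outside the hunk, so the earlier arguments are not visible.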