Agent installation guide
This guide offers examples for deploying Contrast Security agents in Kubernetes environments. We encourage you to take this guide, make it your own, and distribute it to teams who need to instrument applications this way.
The main portion of the guide details the most popular methods customers use to instrument applications deployed to Kubernetes or its derivatives.
You will do the following in this guide:
- Create Kubernetes Secret
- Configure agents using Secrets
- Modify deployment to load Contrast configurations
- Deploy applications to Kubernetes
This guide assumes you have:
- Some familiarity with DevOps practices and how Kubernetes works
- The information needed to connect a Contrast agent for the language you use to the Contrast dashboard (see Install an agent)
- A container image with the Contrast agent already installed. See our language-specific deployment guides for more information on installing Contrast in containers:
  - .NET Core with Docker
  - Java with Docker
  - Node.js with Docker
  - Python with Docker
  - Ruby with Docker
These instructions show how to create a Contrast configuration using Kubernetes Secrets and how to get that configuration into a container via a Kubernetes deployment spec.
1. Create Kubernetes Secret
For sensitive credentials, such as the Contrast agent API keys, you should use Kubernetes Secrets. Contrast uses a YAML file to store configuration settings, including the credentials. In this guide, we will store credentials and configuration settings all within a single Secret for convenience. This could also be done separately with both a ConfigMap and a Secret.
There are two options for creating a Kubernetes Secret:
- Option 1: Manually create a Secret object
- Option 2: Automatically create a Secret object in the pipeline
Option 1: Manually create a Secret object
Download the contrast_security.yaml file from the Contrast console. This should contain values similar to the following:
You can also add any other application or agent-specific configuration information to the contrast_security.yaml file, as described in the Docker deployment guides. Then you can run the following command to create the Secret:
$ kubectl create secret generic contrast-security --from-file=./contrast_security.yaml
Option 2: Automatically create a Secret object in the pipeline
First, define the Secret in code by creating the file below. Use your deployment tool to find and replace template variables. You can store the Secret using the following definition:
Then, create the Secret from this file by running the following command:
$ kubectl apply -f <secret_filename>
2. Create Kubernetes Deployment
After the Secret object is created, you can use it elsewhere in Kubernetes, such as in a Deployment. For example, you can mount the Secret as a volume within the container, which makes the contrast_security.yaml file available there. Set the CONTRAST_CONFIG_PATH environment variable to the location of this file so that the agent knows where to find the mounted configuration.
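A minimal Deployment that mounts the Secret this way, as an added example that is not part of the original guide or Contrast's own manifest. The application name, image and mount directory are assumptions; the Secret name, file name and CONTRAST_CONFIG_PATH come from the steps above.

```yaml
# Added example. Values marked "assumed" are placeholders to replace.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-app                  # assumed application name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: example-app
  template:
    metadata:
      labels:
        app: example-app
    spec:
      containers:
        - name: example-app
          # assumed image; the Contrast agent must already be installed in it
          image: registry.example.com/example-app:1.0
          env:
            # Tells the agent where the mounted configuration file lives.
            # Must match mountPath plus the projected file name below.
            - name: CONTRAST_CONFIG_PATH
              value: /etc/contrast/contrast_security.yaml
          volumeMounts:
            - name: contrast-config
              mountPath: /etc/contrast   # assumed mount directory
              readOnly: true
      volumes:
        - name: contrast-config
          secret:
            secretName: contrast-security   # Secret created in step 1
            # Project only the agent configuration key, so any other keys
            # added to the Secret later do not appear in the container.
            items:
              - key: contrast_security.yaml
                path: contrast_security.yaml
```

Mounting the Secret as a file keeps the credentials out of the pod's environment variables; only the path to the file is exposed there.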
Apply the deployment using the following command:
$ kubectl apply -f <deployment_filename>
- How do I display the configuration of the Secret object after I’ve created it?
To check the contents of the Secret, run the following command:
$ kubectl get secret contrast-security -o yaml
This will give output something like this, where the data is base64 encoded:
You can copy the data section and decode manually, or run the following to output just the data within the secret and base64 decode it:
$ kubectl get secret contrast-security -o=custom-columns=':data.contrast_security\.yaml' | base64 -d
The output will look something like this: