1.57.0 — 30th May
Traceable Platform agent 1.57.0 provides the following:
Updates
Restricted Kubernetes Cluster Roles for Injector
Reduced the permissions required by the injector to only the necessary Kubernetes resources and actions. This enhances security by following the principle of least privilege, ensuring the injector has access only to the resources it needs.
Configurable Timeout for ext_cap Service Calls
Introduced a configurable timeout for external capability (ext_cap) service calls, allowing users to set a maximum time (in milliseconds) for responses. If the timeout is exceeded, the decision-making process bypasses the ext_cap call, improving system resilience and preventing delays from propagating through the system.
Configurable Content Type Capture in Ingress NGINX Controller
Added support to configure the content types (such as JSON, gRPC, and XML) that the Ingress NGINX controller captures for analysis. This can be modified using:
injector.nginxCpp.config.captureContentTypes (Helm)
injector.nginx_cpp.config.capture_content_types (Terraform)
Install Script: Added Cleanup for Envoy Proxy During Uninstallation
The install.sh script now includes cleanup for the Envoy proxy component when uninstalling TPA, ensuring no leftover processes or files remain.
Install Script: Preserve Custom package_url When Installing HTTP Proxy
The install.sh script has been enhanced to retain an existing package_url value when installing the HTTP proxy, ensuring user-defined configurations are not overwritten.
AWS Traffic Mirroring CloudFormation Template: Added Tag Prefix Option
Introduced a TagPrefix parameter in the AWS CloudFormation template. When provided, this value will be added as a prefix to all AWS tags generated during deployment.
Helm: Added loadBalancerIP Configuration
Users can now specify the loadBalancerIP in the Helm configuration when deploying TPA as a LoadBalancer service, providing better control over load balancer provisioning.
Helm: Support for Different port and targetPort When Using LoadBalancer Service Type
Added support for configuring different values for port and targetPort in Kubernetes LoadBalancer services. This allows scenarios where the external TLS port differs from the internal agent port (e.g., port: 5443 with targetPort: 5442).
Helm: Support for Base64-Encoded TLS Certificates
Introduced new Helm values to configure base64-encoded TLS certificates directly in the chart:
tlsPrivateCertificatesAsString.rootCAB64
tlsPrivateCertificatesAsString.certB64
tlsPrivateCertificatesAsString.keyB64
This enables dynamic TLS certificate injection during deployments (e.g., via pipelines), complementing existing support for TLS secrets and files.
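Added example (not from the Traceable documentation): a POSIX shell helper a pipeline could use to turn PEM files into a values fragment with the three keys above. It assumes each value is the base64 of the whole PEM file and that the keys nest under tlsPrivateCertificatesAsString as the dotted paths suggest; the function names and file names are hypothetical.

```shell
#!/bin/sh
# Added example: build a Helm values fragment for the three
# tlsPrivateCertificatesAsString.* keys from PEM files.
# Assumption: each value is the base64 of the whole PEM file.

# GNU base64 wraps output at 76 columns; a wrapped value would break the
# one-line YAML scalar, so strip newlines.
b64_oneline() {
    base64 < "$1" | tr -d '\n'
}

# Succeeds if FILE ($1) is non-empty and has a PEM header matching ERE $2.
has_pem_header() {
    [ -s "$1" ] && grep -Eq -- "-----BEGIN $2-----" "$1"
}

# write_tls_values ROOT_CA CERT KEY OUT
# Refuses swapped or missing inputs, then writes OUT readable by owner only.
write_tls_values() {
    root_ca=$1 cert=$2 key=$3 out=$4
    has_pem_header "$root_ca" 'CERTIFICATE' ||
        { echo "not a PEM certificate: $root_ca" >&2; return 1; }
    has_pem_header "$cert" 'CERTIFICATE' ||
        { echo "not a PEM certificate: $cert" >&2; return 1; }
    has_pem_header "$key" '([A-Z]+ )?PRIVATE KEY' ||
        { echo "not a PEM private key: $key" >&2; return 1; }
    rm -f "$out"
    (
        umask 077   # the fragment holds the private key
        {
            echo 'tlsPrivateCertificatesAsString:'
            printf '  rootCAB64: "%s"\n' "$(b64_oneline "$root_ca")"
            printf '  certB64: "%s"\n' "$(b64_oneline "$cert")"
            printf '  keyB64: "%s"\n' "$(b64_oneline "$key")"
        } > "$out"
    )
}

# Stand-alone use: sh script.sh ca.pem tls.crt tls.key tls-values.yaml
if [ "$#" -eq 4 ]; then
    write_tls_values "$@"
fi
```

Pass the generated file to Helm with -f and delete it once the deployment finishes, since it contains the private key.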
Updated Traffic Mirroring for VM, GCP, and AWS to Use Mirroring Agent
The Mirroring Agent has entirely replaced the Suricata-based agent for traffic mirroring in VM, GCP, and AWS environments. This ensures a consistent, streamlined approach for all mirroring use cases.
Do Not Run ModSecurity on Response Headers and Body
To improve performance, ModSecurity will now skip processing response headers and body, focusing analysis solely on request data.
Resolved Issues
Race Condition in AWS VPC Mirroring Provisioning Script
Resolved a race condition in the AWS VPC Mirroring provisioning script that caused package management locks and installation failures.
Incorrect Example Configurations for Deleting in GCP Mirroring
Corrected the example configurations for deleting resources in GCP Mirroring to prevent user errors during cleanup.
Removed imageCredentials.envoyRegistrySuffix Helm Value
The imageCredentials.envoyRegistrySuffix Helm value has been removed. The grpcToHttp.image value should now be used to specify the Envoy image.
1.56.0 — 29th April
Traceable’s Platform Agent 1.56.0 release provides the following:
Updates
Configurable Injector Webhook Domain
You can now set a custom domain name for the injector's MutatingWebhookConfiguration using the new injectorWebhookDomain Helm parameter.
This enhancement helps users who deploy TPA with private TLS certificates avoid certificate validation errors caused by Kubernetes service DNS resolution.
It removes the need to modify private certificates, making secure deployments easier and more flexible.
Updated NGINX C++ Agent Version to v0.1.91
The NGINX agent has been updated to version 0.1.91, incorporating the latest improvements and stability enhancements.
Updated eBPF Tracer Version to v1.22.0
The eBPF tracer component has been upgraded to version 1.22.0, bringing performance improvements and internal fixes.
Added ebpfCustomSpanAttributes Helm Value
You can now configure ebpfCustomSpanAttributes in Helm to define key-value pairs that will be added as span attributes to all spans captured by the eBPF tracer.
This allows for enhanced observability and context tagging in your tracing data.
Kubernetes Compatibility for eBPF Tracer Pods
The node-role.kubernetes.io/master label is now added only for Kubernetes versions earlier than 1.20.
This prevents deprecation warnings and ensures smoother Helm deployments on newer Kubernetes clusters.
Override eBPF Environment with ebpfEnvironment Helm Value
Introduced a new Helm value ebpfEnvironment that allows you to set an environment different from the main TPA instance for the eBPF tracer.
Useful when the tracer should be logically separated or reported under a distinct environment.
Systemd Task Limits Configuration in install.sh
The install script now supports additional flags:
--set-tasks-accounting: Enables systemd's TasksAccounting for TPA.
--tpa-max-tasks <MAX_TASKS>: Sets a custom maximum task limit for TPA.
These options provide greater control over process limits and are especially helpful in resource-constrained VM environments.
Expanded Environment Variable-Based Configuration Override
You can now override boolean and array-type configuration values using environment variables prefixed with TA_OVERRIDE_CONFIG.
This extends the existing support for overriding scalar values and allows for more dynamic deployments.
CloudFormation Support for Base64-Encoded Configuration Override
Added a new parameter TraceableConfigOverrideBase64 in the AWS CloudFormation template.
This allows users to supply a base64-encoded YAML string to override the TPA configuration during stack creation.
Custom Installation Paths in Windows Install Script
The Windows installation script now supports three new options:
InstallDir
DataDir
TempDir
These allow full control over where the agent is installed and where its data is stored.
Custom Envoy Registry Support for gRPC to HTTP Proxy
Added a new Helm value envoyRegistrySuffix to support pulling the envoy image from a custom registry path.
This enables seamless integration with private or mirrored registries by aligning with enterprise image-pull policies.
Resolved Issues
Fixed TPA Crash Due to Coraza WAF WASM Error
Resolved an issue causing TPA to crash with the error wasm error: invalid table access, seen primarily on RHEL 9.5 and Fedora systems.
TME Containers Now Properly Terminate on Pod Deletion
Fixed an issue where TME containers injected into ingress gateway pods were not being terminated when the gateway pod was deleted.
Terraform Provisioner: Reload Script Now Created Conditionally
Fixed a bug in the AWS traffic mirroring Terraform provisioner where the reload-refresh-token.sh script was being created unconditionally due to a faulty boolean check.
1.55.1 — 2nd April
Traceable’s Platform Agent 1.55.1 release provides the following:
Update
Removed deprecated Kubernetes label beta.kubernetes.io/os for compatibility with GKE
To ensure successful Helm deployments on Kubernetes versions 1.14 and above (including GKE), support for the deprecated beta.kubernetes.io/os label has been removed.
1.55.0 — 31st March
Traceable’s Platform Agent 1.55.0 release provides the following:
Updates
Upgraded OpenTelemetry Collector to v0.120.0
Ensures compatibility with the latest OpenTelemetry features and improvements.
Multi-environment support for Apigee Syslog Server
You can now configure the Apigee Syslog integration to support multiple environments.
New Helm configuration options for Kubernetes service customization
Added support to set service labels and annotations.
Added support to set externalTrafficPolicy: Local.
These enhancements make it easier to configure TPA services when using a LoadBalancer service type in cloud environments like EKS or AKS.
Freeze apt and yum upgrades for Traceable packages installed via install.sh
Marking packages on hold prevents accidental overwriting of configurations. Traceable packages will now only update through the install script.
Upgraded Java agent version in injector to v1.1.15
Restart logic optimized for Kubernetes deployments
The agent and tracer deployments will now only restart if:
The config map changes, or
TLS or injector is enabled and self-signed certificates are generated during Helm install or upgrade.
Enhanced User Attribution Rules
Added support for projecting entire JWT claims using UrlProjector.
Introduced AttributeStringAppend, similar to AttributeArrayAppend, for rule building.
HAProxy improvement
Blocked users will receive an event ID in the response for easier tracking.
Resolved Issues
Fixed: Span ID not shown in response body for blocked requests
Blocked responses now correctly include the trace's spanID.
Security Fixes
Upgraded expr-lang/expr to v1.17.0 to resolve a high-severity vulnerability (GHSA-93mq-9ffx-83m2).
Upgraded golang.org/x/net to v0.37.0 to fix a medium-severity vulnerability (GHSA-qxp5-gwg8-xv66).
Addressed high-severity vulnerabilities in golang-jwt/jwt/v4 and jwt/v5 by upgrading to the latest versions.
Resolved a medium-severity vulnerability in coraza-waf by upgrading to v3.3.3.
Fixed OAuth2 library vulnerability (CVE-2025-22868).
1.54.0 — 26th February
Traceable’s Platform Agent 1.54.0 release provides the following:
Updates
Agent token authentication for TME-based agents
Introduced the ability to enable authentication using an agent token for TME-based agents.
The Traceable Platform Agent (TPA) now performs agent token-based authorization, rejecting incoming requests with an invalid traceableai-agent-token header.
Initial requests may be dropped as authentication occurs asynchronously, a behavior currently implemented only in ext_cap.
Configuration Parameters
Config File | Helm | Terraform | Value |
---|---|---|---|
|
|
| Maximum number of tokens tracked by TPA |
|
|
|
|
Use OpenTelemetry connector for processor pipeline management
Updated the processing pipeline to use the OpenTelemetry (OTel) connector for managing multiple environments.
Put libtraceable logs under the log directory
libtraceable logs are now correctly placed under the designated log directory when a custom log path is specified.
Previously, logs were not being created under the configured directory, leading to issues in environments using mounted log directories for scalability.
Example of the custom install command
./install.sh tpa-only -e ${var.environmentname} -s ${var.servicename} \
--raw-token ${var.token} --no-download --install-dir /tpa/install \
--log-dir /tpa/log --data-dir /tpa/data --otlp-file-storage-dir /tpa/otlp
The --log-dir flag ensures that logs are stored correctly in the designated directory.
Update Agent Attributes Processor
Implemented new features in the agent attributes processor, enhancing attribute management and processing capabilities.
Security Updates
Updated dependencies to address Go vulnerabilities (GHSA-29wx-vh33-7x7r), improving the security of the platform agent.
Networking and Load Balancer Improvements
Single Kubernetes Service Mode on Port 5442
Introduced a single service mode in Kubernetes, allowing Cloud Environments to expose TPA through a single service, reducing excessive port exposure and minimizing the number of listeners on load balancers.
This setup creates a single listener on the load balancer instead of exposing multiple ports.
Configurable Service Definitions
The service definition is now configurable, allowing users to specify additional properties like NodePort.
Ability to populate SpanID in blocked messages for req_cap Endpoint in ext_cap
Added the SpanID in the blocked message for requests blocked by req_cap in ext_cap.
Configuration Update Considerations
As part of this release, the configuration structure has changed due to the new OTel connector.
This update is automatically handled when upgrading via Helm, Terraform, or the install script, ensuring a seamless transition.
Users upgrading manually with an old configuration file may need to adjust their settings to align with the updated structure.
Direct upgrades using RPM/DPKG packages are discouraged, as they require manual configuration updates to reflect these changes.
1.53.1 — 21st February
Traceable’s Platform Agent 1.53.1 release provides the following:
Update
Cluster-wide TPA Naming Enhancement:
Introduced a new clusterName value in Helm and a cluster_name variable in Terraform.
This configuration ensures that TPA is named as clustername.namespace.deployment, resulting in a unified TPA representation in the UI.
Only a single TPA will be shown in the UI for all pods within the same deployment.
This update simplifies the visibility and management of TPAs across deployments.
1.53.0 — 31st January
Traceable’s Platform Agent 1.53.0 release provides the following:
Updates
Increased MaxLength for TraceableRefreshToken in CloudFormation Template
The maximum length for TraceableRefreshToken is now 4096 characters, resolving issues with longer tokens in on-prem installations.
Pod and Container Security Context Support
Security context configurations are now supported for both pods and containers, enhancing the security of TPA and sidecar deployments. For more information, see Security Context for Platform agent.
Topology Spread Constraints, Pod Disruption Budget, and Affinity Enhancements
New options for pod affinity, anti-affinity, topology spread constraints, and pod disruption budgets provide greater flexibility for Kubernetes deployments. For more information, see Helm and Terraform values.
Kubernetes Resource Definitions for grpc-to-http Envoy Container
Added Kubernetes resource configurations for the grpc-to-http envoy container, now available in Helm and Terraform. For more information, see Helm and Terraform values.
Blocked Spans in span_remover Processor
Blocked spans are no longer sampled, ensuring more efficient span processing.
Removal of Deprecated Processors
Simplified the codebase by removing the piifilter and user attribution processors.
ECS CloudFormation Templates: Configurable Service Discovery
Made service discovery configurable in ECS CloudFormation templates to prevent conflicts with hosted zones in Route53 during multiple deployments in the same account.