Platform agent


1.57.0 — 30th May

Traceable Platform agent 1.57.0 provides the following:

Updates

Restricted Kubernetes Cluster Roles for Injector

Reduced the permissions required by the injector to only the necessary Kubernetes resources and actions. This enhances security by following the principle of least privilege, ensuring the injector has access only to the resources it needs.

Configurable Timeout for ext_cap Service Calls

Introduced a configurable timeout for external capability (ext_cap) service calls, allowing users to set a maximum time (in milliseconds) for responses. If the timeout is exceeded, the decision-making process bypasses the ext_cap call, improving system resilience and preventing delays from propagating through the system.

Configurable Content Type Capture in Ingress NGINX Controller

Added support to configure the content types (such as JSON, gRPC, and XML) that the Ingress NGINX controller captures for analysis. This can be modified using:

  • injector.nginxCpp.config.captureContentTypes (Helm)

  • injector.nginx_cpp.config.capture_content_types (Terraform)

Install Script: Added Cleanup for Envoy Proxy During Uninstallation

The install.sh script now includes cleanup for the Envoy proxy component when uninstalling TPA, ensuring no leftover processes or files remain.

Install Script: Preserve Custom package_url When Installing HTTP Proxy

The install.sh script has been enhanced to retain an existing package_url value when installing the HTTP proxy, ensuring user-defined configurations are not overwritten.

AWS Traffic Mirroring CloudFormation Template: Added Tag Prefix Option

Introduced a TagPrefix parameter in the AWS CloudFormation template. When provided, this value will be added as a prefix to all AWS tags generated during deployment.

Helm: Added loadBalancerIP Configuration

Users can now specify the loadBalancerIP in the Helm configuration when deploying TPA as a LoadBalancer service, providing better control over load balancer provisioning.

Helm: Support for Different port and targetPort When Using LoadBalancer Service Type

Added support for configuring different values for port and targetPort in Kubernetes LoadBalancer services. This allows scenarios where the external TLS port differs from the internal agent port (e.g., port: 5443 with targetPort: 5442).

Helm: Support for Base64-Encoded TLS Certificates

Introduced new Helm values to configure base64-encoded TLS certificates directly in the chart:

  • tlsPrivateCertificatesAsString.rootCAB64

  • tlsPrivateCertificatesAsString.certB64

  • tlsPrivateCertificatesAsString.keyB64

This enables dynamic TLS certificate injection during deployments (e.g., via pipelines), complementing existing support for TLS secrets and files.

Updated Traffic Mirroring for VM, GCP, and AWS to Use Mirroring Agent

The Mirroring Agent has entirely replaced the Suricata-based agent for traffic mirroring in VM, GCP, and AWS environments. This ensures a consistent, streamlined approach for all mirroring use cases.

Do Not Run ModSecurity on Response Headers and Body

To improve performance, ModSecurity will now skip processing response headers and body, focusing analysis solely on request data.


Resolved Issues

Race Condition in AWS VPC Mirroring Provisioning Script

Resolved a race condition in the AWS VPC Mirroring provisioning script that caused package management locks and installation failures.

Incorrect Example Configurations for Deleting in GCP Mirroring

Corrected the example configurations for deleting resources in GCP Mirroring to prevent user errors during cleanup.

Removed imageCredentials.envoyRegistrySuffix Helm Value

The imageCredentials.envoyRegistrySuffix Helm value has been removed. The grpcToHttp.image value should now be used to specify the Envoy image.


1.56.0 — 29th April

Traceable’s Platform Agent 1.56.0 release provides the following:

Updates

Configurable Injector Webhook Domain

You can now set a custom domain name for the injector's MutatingWebhookConfiguration using the new injectorWebhookDomain Helm parameter.
This enhancement helps users who deploy TPA with private TLS certificates avoid certificate validation errors caused by Kubernetes service DNS resolution.
It removes the need to modify private certificates, making secure deployments easier and more flexible.

Updated NGINX C++ Agent Version to v0.1.91

The NGINX agent has been updated to version 0.1.91, incorporating the latest improvements and stability enhancements.

Updated eBPF Tracer Version to v1.22.0

The eBPF tracer component has been upgraded to version 1.22.0, bringing performance improvements and internal fixes.

Added ebpfCustomSpanAttributes Helm Value

You can now configure ebpfCustomSpanAttributes in Helm to define key-value pairs that will be added as span attributes to all spans captured by the eBPF tracer.
This allows for enhanced observability and context tagging in your tracing data.

Kubernetes Compatibility for eBPF Tracer Pods

The node-role.kubernetes.io/master label is now added only for Kubernetes versions earlier than 1.20.
This prevents deprecation warnings and ensures smoother Helm deployments on newer Kubernetes clusters.

Override eBPF Environment with ebpfEnvironment Helm Value

Introduced a new Helm value ebpfEnvironment that allows you to set an environment different from the main TPA instance for the eBPF tracer.
Useful when the tracer should be logically separated or reported under a distinct environment.

Systemd Task Limits Configuration in install.sh

The install script now supports additional flags:

  • --set-tasks-accounting: Enables systemd's TasksAccounting for TPA.

  • --tpa-max-tasks <MAX_TASKS>: Sets a custom maximum task limit for TPA.

These options provide greater control over process limits and are especially helpful in resource-constrained VM environments.

Expanded Environment Variable-Based Configuration Override

You can now override boolean and array-type configuration values using environment variables prefixed with TA_OVERRIDE_CONFIG.
This extends the existing support for overriding scalar values and allows for more dynamic deployments.

CloudFormation Support for Base64-Encoded Configuration Override

Added a new parameter TraceableConfigOverrideBase64 in the AWS CloudFormation template.
This allows users to supply a base64-encoded YAML string to override the TPA configuration during stack creation.
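Both the tlsPrivateCertificatesAsString.* Helm values (1.57.0) and the TraceableConfigOverrideBase64 CloudFormation parameter take a base64 string, and the usual pitfall is that GNU base64 wraps its output at 76 columns, so a certificate or YAML override encoded without stripping newlines is passed in corrupted. The shell helper below is an added example, not part of the Traceable install scripts or chart: it encodes files to single-line base64, decodes each value back and compares it byte-for-byte with the source, and prints the resulting Helm --set arguments and the CloudFormation --parameters entry. The file names, PEM text and override YAML are constructed samples, and the helm/aws command lines it prints are assumed shapes to adapt.

```shell
#!/bin/sh
# Added example, not part of the Traceable docs, chart or install scripts.
# Produces single-line base64 values for the tlsPrivateCertificatesAsString.*
# Helm values and for the CloudFormation TraceableConfigOverrideBase64
# parameter. File names and file contents below are constructed samples.

# GNU base64 wraps output at 76 columns; a wrapped value breaks both
# `helm --set` and a CloudFormation parameter, so strip every newline.
b64_oneline() {
  base64 < "$1" | tr -d '\n'
}

# Decode a value and compare it byte-for-byte with the source file.
# Returns 0 only when the round trip is exact.
b64_roundtrip_ok() {
  printf '%s' "$2" | base64 -d | cmp -s - "$1"
}

# Build the three --set arguments for the chart from CA, cert and key files.
helm_tls_set_args() {
  printf '%s tlsPrivateCertificatesAsString.rootCAB64=%s ' '--set' "$(b64_oneline "$1")"
  printf '%s tlsPrivateCertificatesAsString.certB64=%s ' '--set' "$(b64_oneline "$2")"
  printf '%s tlsPrivateCertificatesAsString.keyB64=%s' '--set' "$(b64_oneline "$3")"
}

# Build the --parameters entry for the CloudFormation override from a YAML file
# (AWS CLI shorthand syntax; assumption: the YAML is a valid TPA override).
cfn_override_param() {
  printf 'ParameterKey=TraceableConfigOverrideBase64,ParameterValue=%s' "$(b64_oneline "$1")"
}

# Demo on constructed inputs; real PEM files and override YAML replace these.
demo() {
  dir=$(mktemp -d)
  printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' \
    'constructed sample, not a real certificate' \
    '-----END CERTIFICATE-----' > "$dir/ca.pem"
  cp "$dir/ca.pem" "$dir/tls.crt"
  cp "$dir/ca.pem" "$dir/tls.key"
  printf 'global:\n  environment: demo-env   # constructed override\n' > "$dir/override.yaml"

  for f in ca.pem tls.crt tls.key override.yaml; do
    v=$(b64_oneline "$dir/$f")
    b64_roundtrip_ok "$dir/$f" "$v" || { echo "round trip failed for $f" >&2; exit 1; }
  done

  echo "helm upgrade --install tpa <chart> $(helm_tls_set_args "$dir/ca.pem" "$dir/tls.crt" "$dir/tls.key")"
  echo "aws cloudformation create-stack ... --parameters $(cfn_override_param "$dir/override.yaml")"
  rm -rf "$dir"
}

demo
```

The round-trip check is worth keeping in a pipeline step: a value that decodes back to the exact source file is the cheapest way to catch wrapping, a stray trailing newline added by an editor, or the wrong file being encoded before the chart or stack is applied.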

Custom Installation Paths in Windows Install Script

The Windows installation script now supports three new options:

  • InstallDir

  • DataDir

  • TempDir

These allow full control over where the agent is installed and where its data is stored.

Custom Envoy Registry Support for gRPC to HTTP Proxy

Added a new Helm value envoyRegistrySuffix to support pulling the envoy image from a custom registry path.
This enables seamless integration with private or mirrored registries by aligning with enterprise image-pull policies.


Resolved Issues

Fixed TPA Crash Due to Coraza WAF WASM Error

Resolved an issue causing TPA to crash with the error wasm error: invalid table access, seen primarily on RHEL 9.5 and Fedora systems.

TME Containers Now Properly Terminate on Pod Deletion

Fixed an issue where TME containers injected into ingress gateway pods were not being terminated when the gateway pod was deleted.

Terraform Provisioner: Reload Script Now Created Conditionally

Fixed a bug in the AWS traffic mirroring Terraform provisioner where the reload-refresh-token.sh script was being created unconditionally due to a faulty boolean check.


1.55.1 — 2nd April

Traceable’s Platform Agent 1.55.1 release provides the following:

Update

Removed deprecated Kubernetes label beta.kubernetes.io/os for compatibility with GKE

To ensure successful Helm deployments on Kubernetes versions 1.14 and above (including GKE), support for the deprecated beta.kubernetes.io/os label has been removed.


1.55.0 — 31st March

Traceable’s Platform Agent 1.55.0 release provides the following:

Updates

Upgraded OpenTelemetry Collector to v0.120.0

Ensures compatibility with the latest OpenTelemetry features and improvements.

Multi-environment support for Apigee Syslog Server

You can now configure the Apigee Syslog integration to support multiple environments.

New Helm configuration options for Kubernetes service customization

  • Added support to set service labels and annotations.

  • Added support to set externalTrafficPolicy: Local.

These enhancements make it easier to configure TPA services when using a LoadBalancer service type in cloud environments like EKS or AKS.

Freeze apt and yum upgrades for Traceable packages installed via install.sh

Marking packages on hold prevents accidental overwriting of configurations. Traceable packages will now only update through the install script.

Upgraded Java agent version in injector to v1.1.15

Restart logic optimized for Kubernetes deployments

The agent and tracer deployments will now only restart if:

  • The config map changes, or

  • TLS or injector is enabled and self-signed certificates are generated during Helm install or upgrade.

Enhanced User Attribution Rules

  • Added support for projecting entire JWT claims using UrlProjector.

  • Introduced AttributeStringAppend, similar to AttributeArrayAppend, for rule building.

HAProxy improvement

Blocked users will receive an event ID in the response for easier tracking.

Resolved Issues

Fixed: Span ID not shown in response body for blocked requests

Blocked responses now correctly include the trace's spanID.

Security Fixes

  • Upgraded expr-lang/expr to v1.17.0 to resolve a high-severity vulnerability (GHSA-93mq-9ffx-83m2).

  • Upgraded golang.org/x/net to v0.37.0 to fix a medium-severity vulnerability (GHSA-qxp5-gwg8-xv66).

  • Addressed high-severity vulnerabilities in golang-jwt/jwt/v4 and jwt/v5 by upgrading to the latest versions.

  • Resolved a medium-severity vulnerability in coraza-waf by upgrading to v3.3.3.

  • Fixed OAuth2 library vulnerability (CVE-2025-22868).


1.54.0 — 26th February

Traceable’s Platform Agent 1.54.0 release provides the following:

Updates

Agent token authentication for TME-based agents

  • Introduced the ability to enable authentication using an agent token for TME-based agents.

  • The Traceable Platform Agent (TPA) now performs agent token-based authorization, rejecting incoming requests with an invalid traceableai-agent-token header.

  • Initial requests may be dropped as authentication occurs asynchronously, a behavior currently implemented only in ext_cap.

Configuration Parameters

  Config File              | Helm               | Terraform            | Value
  global.remote.max_tokens | remoteMaxTokens    | remote_max_tokens    | Maximum number of tokens tracked by TPA
  ext_cap.auth.enabled     | extCapAuth.enabled | ext_cap_auth.enabled | true (Enable agent token authentication)

Use OpenTelemetry connector for processor pipeline management

  • Updated the processing pipeline to use the OpenTelemetry (OTel) connector for managing multiple environments.

Put libtraceable logs under the log directory

  • libtraceable logs are now correctly placed under the designated log directory when a custom log path is specified.

  • Previously, logs were not being created under the configured directory, leading to issues in environments using mounted log directories for scalability.

Example of the custom install command

./install.sh tpa-only -e ${var.environmentname} -s ${var.servicename} \
--raw-token ${var.token} --no-download --install-dir /tpa/install \
--log-dir /tpa/log --data-dir /tpa/data --otlp-file-storage-dir /tpa/otlp

The --log-dir flag ensures that logs are stored correctly in the designated directory.

Update Agent Attributes Processor

  • Implemented new features in the agent attributes processor, enhancing attribute management and processing capabilities.

Security Updates

  • Updated dependencies to address Go vulnerabilities (GHSA-29wx-vh33-7x7r), improving the security of the platform agent.

Networking and Load Balancer Improvements

Single Kubernetes Service Mode on Port 5442

  • Introduced a single service mode in Kubernetes, allowing Cloud Environments to expose TPA through a single service, reducing excessive port exposure and minimizing the number of listeners on load balancers.

  • This setup creates a single listener on the load balancer instead of exposing multiple ports.

Configurable Service Definitions

  • The service definition is now configurable, allowing users to specify additional properties like NodePort.

Ability to populate SpanID in blocked messages for req_cap Endpoint in ext_cap

  • Added the SpanID in the blocked message for requests blocked by req_cap in ext_cap.

Configuration Update Considerations

  • As part of this release, the configuration structure has changed due to the new OTel connector.

  • This update is automatically handled when upgrading via Helm, Terraform, or the install script, ensuring a seamless transition.

  • Users upgrading manually with an old configuration file may need to adjust their settings to align with the updated structure.

  • Direct upgrades using RPM/DPKG packages are discouraged, as they require manual configuration updates to reflect these changes.


1.53.1 — 21st February

Traceable’s Platform Agent 1.53.1 release provides the following:

Update

  • Cluster-wide TPA Naming Enhancement:

    • Introduced a new clusterName value in Helm and a cluster_name variable in Terraform.

    • This configuration ensures that TPA is named as clustername.namespace.deployment, resulting in a unified TPA representation in the UI.

    • Only a single TPA will be shown in the UI for all pods within the same deployment.

This update simplifies the visibility and management of TPAs across deployments.


1.53.0 — 31st January

Traceable’s Platform Agent 1.53.0 release provides the following:

Updates

  • Increased MaxLength for TraceableRefreshToken in CloudFormation Template
    The maximum length for TraceableRefreshToken is now 4096 characters, resolving issues with longer tokens in on-prem installations.

  • Pod and Container Security Context Support
    Security context configurations are now supported for both pods and containers, enhancing the security of TPA and sidecar deployments. For more information, see Security Context for Platform agent.

  • Topology Spread Constraints, Pod Disruption Budget, and Affinity Enhancements
    New options for pod affinity, anti-affinity, topology spread constraints, and pod disruption budgets provide greater flexibility for Kubernetes deployments. For more information, see Helm and Terraform values.

  • Kubernetes Resource Definitions for grpc-to-http Envoy Container
    Added Kubernetes resource configurations for the grpc-to-http Envoy container, now available in Helm and Terraform. For more information, see Helm and Terraform values.

  • Blocked Spans in span_remover Processor
    Blocked spans are no longer sampled, ensuring more efficient span processing.

  • Removal of Deprecated Processors
    Simplified the codebase by removing the piifilter and user attribution processors.

  • ECS CloudFormation Templates: Configurable Service Discovery
    Made service discovery configurable in ECS CloudFormation templates to prevent conflicts with hosted zones in Route53 during multiple deployments in the same account.