Skip to main content

Harness GitOps Agent with self-signed certificates

Harness Self-Managed Enterprise Edition supports self-signed certificates. This topic describes how to install and configure Harness GitOps Agent to connect to Self-Managed Harness using self-signed certificates.

In this topic we will do the following:

  • Create a secret.
  • Modify the GitOps Agent YAML.

Create the secret

  1. Copy the following YAML to your editor.

    apiVersion: v1  
    kind: Secret
    name: addcerts
    namespace: {agent-namespace}
    type: Opaque
    ca.bundle: |
    -----END CERTIFICATE-------
    -----END CERTIFICATE-------
  2. Add your certificates to the ca.bundle field.

The XXXXXXXXXXXXXXXXXXXXXXXXXXX placeholder indicates the position for the certificate body. Enclose each certificate in BEGIN CERTIFICATE and END CERTIFICATE comments.

Here's one way to get the certificate using openssl:

openssl s_client -servername NAME -connect HOST:PORT  

For example,

openssl s_client -servername -connect
  1. Update the namespace to the respective namespace where the agent is installed.

  2. Save the file as addcerts.yaml. Then apply the manifest to your cluster.

    kubectl apply -f addcerts.yaml -n {agent-namespace}

Modify the GitOps Agent YAML

  1. Open the gitops-agent.yml file in your editor.

  2. In the { GitopsAgentName }-agent ConfigMap, set the value of GITOPS_SERVICE_HTTP_TLS_ENABLED config to true.


    For accounts with the GITOPS_AGENT_HELM_V2 feature flag enabled, the ConfigMap name would be gitops-agent. Contact Harness Support to enable this feature flag.

  3. Save and apply the modified manifest:

    kubectl apply -f gitops-agent.yml -n {agent-namespace}