Configure delegate proxy settings
All delegates include proxy settings you can use to change how the delegate connects to the Harness Manager.
By default, the Harness Delegate uses HTTP and HTTPS in its Proxy Scheme settings.
Kubernetes delegate proxy settings
The proxy settings are in the harness-delegate.yaml
file:
...
- name: PROXY_HOST
value: ""
- name: PROXY_PORT
value: ""
- name: PROXY_SCHEME
value: ""
- name: NO_PROXY
value: ""
- name: PROXY_MANAGER
value: "true"
- name: PROXY_USER
valueFrom:
secretKeyRef:
name: doc-example-proxy
key: PROXY_USER
- name: PROXY_PASSWORD
valueFrom:
secretKeyRef:
name: doc-example-proxy
key: PROXY_PASSWORD
...
The PROXY_MANAGER
setting determines whether the delegate bypasses proxy settings to reach the Harness Manager in the cloud. If you want to bypass, enter false
.
In-Cluster Kubernetes delegate with proxy
If an in-cluster Kubernetes delegate has a proxy configured, then NO_PROXY
must contain the cluster master IP. This enables the delegate to skip the proxy for in-cluster connections.
Sample Docker delegate installation script with a proxy scheme
The following script installs a Docker delegate with an HTTP proxy scheme.
docker run --cpus=1 --memory=2g \
-e DELEGATE_NAME=docker-delegate \
-e RUNNER_URL=https://<YOUR_RUNNER_URL> \
-e DELEGATE_TAGS=macos-amd64 \
-e PROXY_HOST=YOUR_PROXY_HOST_IP \
-e PROXY_PORT=YOUR_PROXY_PORT \
-e PROXY_SCHEME=http \
-e NEXT_GEN="true" \
-e DELEGATE_TYPE="DOCKER" \
-e ACCOUNT_ID=YOUR_ACCOUNT_ID \
-e DELEGATE_TOKEN=YOUR_DELEGATE_TOKEN \
-e LOG_STREAMING_SERVICE_URL=https://<YOUR_LOG_STREAMING_SERVICE_URL> \
-e MANAGER_HOST_AND_PORT=https://<YOUR_MANAGER_HOST_AND_PORT>/delegate:23.09.80505
Subnet masks not supported
You cannot use delegate proxy settings to specify the Cluster Service Network CIDR notation and make the delegate bypass the proxy to talk to the Kubernetes API.
Harness does not allow any methods of representing a subnet mask.
The mask should be set in the cluster itself. For example:
kubectl -n default get service kubernetes -o json | jq -r '.spec.clusterIP'
Harness supports mTLS authentication on a case-by-case basis. Contact Harness Support to enable it.