Harness recommends that you use the Harness Delegate minimal image (
yy.mm.xxxxx.minimal) when you set up the Harness Platform for production use. This image has been thoroughly scanned and is free of any high or critical vulnerabilities. Users focused on security tend to prefer this option.
However, the minimal delegate image lacks some binaries that are required for Continuous Delivery (CD) steps to function properly and remain vulnerability-free from third-party tools. Consequently, using the minimal delegate image requires you to configure your delegates and install necessary binaries. For information on delegate types, go to Delegate image types.
The Harness Delegate minimal image (
yy.mm.xxxxx.minimal) is a lighter, more secure version of the default Harness Delegate image. Its main purpose is to provide an enhanced security profile for users, especially those who prioritize their systems' security. The Harness Delegate minimal images includes the following features.
Security Scanned: The image undergoes rigorous scanning processes to ensure that it is devoid of any high-risk or critical vulnerabilities. This makes it an optimal choice for organizations or users who have stringent security requirements.
Limited Binaries: Unlike the standard delegate, the minimal image does not include all of the default binaries. While this contributes to its lightweight nature and security, it also means that users have additional responsibilities. They must manually configure and add any necessary binaries to make their setup functional.
User Responsibilities: Because the minimal delegate image is devoid of the default binaries, users are in charge of tailoring it to their needs. This includes installing specific binaries essential for their CD steps. This level of control also allows users to maintain an updated environment. By installing the latest versions of necessary binaries, they can ensure that the delegate remains free from potential vulnerabilities found in outdated third-party tools.
Preferred by Security-Conscious Users: Due to its clean security slate, many users who prioritize system security gravitate towards the minimal delegate image. By starting with a minimal setup and adding only what is necessary, they can maintain a tighter control over the software and tools present, thus minimizing potential security risks.
This tutorial shows you how to build and set up a minimal delegate image (
yy.mm.xxxxx.minimal) for Harness CD.
Prepare the delegate
Prepare your Dockerfile. For more information and instructions, go to Build custom delegate images with third-party tools.
Set up Docker locally to be able to build in multiple architectures. For more information, go to How to build x86 Docker images on an M1 Mac.
Build and push
docker buildx build --platform linux/amd64 --output type=docker .
docker image ls
docker tag 34594c2f0882 harness/delegate:yy.mm.xxxxx.harness.custom.x86.v4
docker push harness/delegate:yy.mm.xxxxx.harness.custom.x86.v4
Update your delegate image in the manifest with the tag from the image you pushed in previous step. For more information, go to Modify the delegate manifest.
Example delegate Dockerfile
RUN microdnf install -y \
# Install OpenSSL
RUN microdnf install openssl
# Install Kubectl
RUN mkdir /opt/harness-delegate/tools && cd /opt/harness-delegate/tools \
&& curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" \
&& chmod +x kubectl
# Install GoTemplate
RUN mkdir /opt/harness-delegate/client-tools/go-template \
&& mkdir /opt/harness-delegate/client-tools/go-template/v0.4.4 \
&& curl -s -L -o /opt/harness-delegate/client-tools/go-template/v0.4.4/go-template https://app.harness.io/public/shared/tools/go-template/release/v0.4.4/bin/linux/amd64/go-template \
&& chmod 755 /opt/harness-delegate/client-tools/go-template/v0.4.4/go-template
# Install Helm
RUN curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
# Install Terraform
RUN microdnf install yum && yum install -y yum-utils
RUN yum-config-manager --add-repo https://rpm.releases.hashicorp.com/RHEL/hashicorp.repo \
&& microdnf install -y terraform
# Install Terragrunt
RUN cd /opt/harness-delegate/tools && curl -L "https://github.com/gruntwork-io/terragrunt/releases/download/v0.34.1/terragrunt_linux_amd64" -o terragrunt\
&& chmod +x terragrunt
In this example, we have installed Terraform, Terragrunt, Kubernetes, Helm, and Go Template. These are the minimum capabilities required to use these steps in Harness.
|Terraform||The Terraform binary performs all Terraform steps. For more information, go to Provision with the Terraform Apply step.|
|Terragrunt||The Terragrunt binary performs all Terragrunt steps. This binary requires the installation of the Terraform binary. For more information, go to Terragrunt provisioning.|
|Kubernetes (kubectl)||Harness uses this client tool to perform various Kubernetes activities during deployment. You can install the latest version, and Harness will be able to deploy with it. For more information, go to the Kubernetes deployments overview.|
|Helm||Harness uses this client tool to perform Helm deployments. You can install the latest version, and Harness will be able to deploy with it. For more information, go to the Helm deployments overview.|
|Go Template||Harness uses this binary to render Harness expressions and values into the |
Example minimal delegate Kubernetes YAML
The following Kubernetes
minimal-delegate.yaml file creates the minimal delegate resource on the cluster.
- kind: ServiceAccount
# If delegate needs to use a proxy, please follow instructions available in the documentation
- image: foobar/org:custom-delegate
- containerPort: 8080
- name: JAVA_OPTS
- name: ACCOUNT_ID
- name: MANAGER_HOST_AND_PORT
- name: DEPLOY_MODE
- name: DELEGATE_NAME
- name: DELEGATE_TYPE
- name: DELEGATE_NAMESPACE
- name: INIT_SCRIPT
- name: DELEGATE_DESCRIPTION
- name: DELEGATE_TAGS
- name: NEXT_GEN
- name: CLIENT_TOOLS_DOWNLOAD_DISABLED
- name: LOG_STREAMING_SERVICE_URL
- port: 8080
Run the following to apply it on the cluster.
kubectl apply -f minimal-delegate.yaml
Run your pipelines to validate the delegate image. Harness steps will use the installed tooling on the delegate to perform the deployment.