Launching an Immutable Delegate

Installation Steps

An immutable delegate can be installed like any other delegate.

There are 2 options:

  1. Enable the feature flag USE_IMMUTABLE_DELEGATE. With this flag enabled, the Harness UI generates the appropriate immutable delegate YAML. Once it is enabled, the standard installation stops providing the older delegate YAMLs, but existing delegates continue to work.

  2. Use the sample YAML (listed at the bottom of the page) to install the immutable delegate:

    1. Use the latest available immutable delegate image from the public Docker Hub repo.

    2. Replace <delegate name> with the name of the delegate.

    3. Replace <account id> with the Harness account ID.

    4. MANAGER_HOST_AND_PORT: <https://app.harness.io OR https://app.harness.io/gratis>, depending on whether the customer is in Prod1 or Prod2.

    5. LOG_STREAMING_SERVICE_URL: https://app.harness.io/log-service/ OR https://app.harness.io/gratis/log-service/, depending on whether the customer is in Prod1 or Prod2.

    6. ACCOUNT_SECRET: provide the Base64-encoded value.
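A pre-apply check for the substitutions in steps 2 to 6, as an added example that is not part of the original post or of Harness's tooling. The names `check_manifest`, `env_value` and `SAMPLE` are hypothetical, the sample values are constructed, and the check is text-based rather than a full YAML parse.

```python
import base64
import re
# Host pairs from steps 4 and 5 of the page.
ENDPOINTS = {
    "https://app.harness.io": "https://app.harness.io/log-service/",
    "https://app.harness.io/gratis": "https://app.harness.io/gratis/log-service/",
}
# Constructed fragment of a filled-in manifest; all values are made up.
SAMPLE = """\
data:
  ACCOUNT_SECRET: YWJjCg==
        - name: MANAGER_HOST_AND_PORT
          value: https://app.harness.io/gratis
        - name: LOG_STREAMING_SERVICE_URL
          value: "https://app.harness.io/log-service/"
        - name: DELEGATE_NAME
          value: <delegate name>
"""

def env_value(manifest, name):
    """Return the value that follows 'name: <name>' in a container env list."""
    m = re.search(r"name:[ \t]*%s\s+value:[ \t]*(.*)" % re.escape(name), manifest)
    return m.group(1).strip().strip('"') if m else None

def check_manifest(manifest):
    """Return a list of problems found in a filled-in delegate manifest."""
    problems = []
    # Steps 2-3: every <...> template token must have been replaced.
    for token in sorted(set(re.findall(r"<[^<>\n]+>", manifest))):
        problems.append("unreplaced placeholder: " + token)
    # Steps 4-5: both URLs must come from the same documented pair.
    manager = env_value(manifest, "MANAGER_HOST_AND_PORT")
    logs = env_value(manifest, "LOG_STREAMING_SERVICE_URL")
    if manager not in ENDPOINTS:
        problems.append("MANAGER_HOST_AND_PORT is not a documented host")
    elif logs != ENDPOINTS[manager]:
        problems.append("LOG_STREAMING_SERVICE_URL does not match MANAGER_HOST_AND_PORT")
    # Step 6: the Secret value must be base64 of the bare token.
    m = re.search(r"^[ \t]*ACCOUNT_SECRET:[ \t]*(.+?)[ \t]*$", manifest, re.M)
    try:
        raw = base64.b64decode(m.group(1).strip('"') if m else "", validate=True)
    except ValueError:
        raw = b""
    if not raw:
        problems.append("ACCOUNT_SECRET is missing or not valid base64")
    elif raw != raw.strip():
        problems.append("ACCOUNT_SECRET decodes with stray whitespace")
    return problems
```

The stray-whitespace case is what `echo <token> | base64` produces, because `echo` appends a newline that is then encoded with the token; `echo -n` or `printf '%s'` avoids it.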

Sample Delegate YAML

apiVersion: v1
kind: Namespace
metadata:
  name: harness-delegate-ng

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: harness-delegate-ng-cluster-admin
subjects:
  - kind: ServiceAccount
    name: default
    namespace: harness-delegate-ng
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io

---

apiVersion: v1
kind: Secret
metadata:
  name: immutable-delegate-account-token
  namespace: harness-delegate-ng
type: Opaque
data:
  ACCOUNT_SECRET: <base64 encoded value for account secret>

---

# If delegate needs to use a proxy, please follow instructions available in the documentation
# https://ngdocs.harness.io/article/5ww21ewdt8-configure-delegate-proxy-settings

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    harness.io/name: <delegate name>
  name: <delegate name>
  namespace: harness-delegate-ng
spec:
  replicas: 2
  selector:
    matchLabels:
      harness.io/name: <delegate name>
  template:
    metadata:
      labels:
        harness.io/name: <delegate name>
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "3460"
        prometheus.io/path: "/api/metrics"
    spec:
      terminationGracePeriodSeconds: 600
      restartPolicy: Always
      containers:
      - image: <immutable delegate image>
        imagePullPolicy: Always
        name: delegate
        ports:
          - containerPort: 8080
        resources:
          limits:
            cpu: "0.5"
            memory: "2048Mi"
          requests:
            cpu: "0.5"
            memory: "2048Mi"
        livenessProbe:
          httpGet:
            path: /api/health
            port: 3460
            scheme: HTTP
          initialDelaySeconds: 120
          periodSeconds: 10
          failureThreshold: 2
        envFrom:
        - secretRef:
            name: immutable-delegate-account-token
        env:
        - name: JAVA_OPTS
          value: "-Xms64M"
        - name: ACCOUNT_ID
          value: <account id>
        - name: MANAGER_HOST_AND_PORT
          value: <https://app.harness.io OR https://app.harness.io/gratis>
        - name: DEPLOY_MODE
          value: KUBERNETES
        - name: DELEGATE_NAME
          value: <delegate name>
        - name: DELEGATE_TYPE
          value: "KUBERNETES"
        - name: DELEGATE_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: INIT_SCRIPT
          value: ""
        - name: DELEGATE_DESCRIPTION
          value: ""
        - name: DELEGATE_TAGS
          value: ""
        - name: DELEGATE_ORG_IDENTIFIER
          value: ""
        - name: DELEGATE_PROJECT_IDENTIFIER
          value: ""
        - name: NEXT_GEN
          value: "true"
        - name: CLIENT_TOOLS_DOWNLOAD_DISABLED
          value: "true"
        - name: LOG_STREAMING_SERVICE_URL
          value: "https://app.harness.io/log-service/ OR https://app.harness.io/gratis/log-service/"

---

apiVersion: v1
kind: Service
metadata:
  name: delegate-service
  namespace: harness-delegate-ng
spec:
  type: ClusterIP
  selector:
    harness.io/name: <delegate name>
  ports:
    - port: 8080

Sample Upgrader YAML (Optional)

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: upgrader-cronjob
  namespace: harness-delegate-ng
rules:
  - apiGroups: ["batch", "apps", "extensions"]
    resources: ["cronjobs"]
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: ["extensions", "apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]

---

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: <delegate name>-upgrader-cronjob
  namespace: harness-delegate-ng
subjects:
  - kind: ServiceAccount
    name: upgrader-cronjob-sa
    namespace: harness-delegate-ng
roleRef:
  kind: Role
  name: upgrader-cronjob
  apiGroup: ""

---

apiVersion: v1
kind: ServiceAccount
metadata:
  name: upgrader-cronjob-sa
  namespace: harness-delegate-ng

---

apiVersion: v1
kind: Secret
metadata:
  name: <delegate name>-upgrader-token
  namespace: harness-delegate-ng
type: Opaque
data:
  UPGRADER_TOKEN: "<base64 encoded value for account secret>"

---

apiVersion: v1
kind: ConfigMap
metadata:
  name: <delegate name>-upgrader-config
  namespace: harness-delegate-ng
data:
  config.yaml: |
    mode: Delegate
    dryRun: false
    workloadName: <delegate name>
    namespace: harness-delegate-ng
    containerName: delegate
    delegateConfig:
      accountId: <account id>
      managerHost: <https://app.harness.io OR https://app.harness.io/gratis>

---

apiVersion: batch/v1beta1
kind: CronJob
metadata:
  labels:
    harness.io/name: <delegate name>-upgrader-job
  name: <delegate name>-upgrader-job
  namespace: harness-delegate-ng
spec:
  schedule: "0 */1 * * *"
  concurrencyPolicy: Forbid
  startingDeadlineSeconds: 20
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: upgrader-cronjob-sa
          restartPolicy: Never
          containers:
          - image: harness/upgrader:latest
            name: upgrader
            imagePullPolicy: Always
            envFrom:
            - secretRef:
                name: <delegate name>-upgrader-token
            volumeMounts:
              - name: config-volume
                mountPath: /etc/config
          volumes:
            - name: config-volume
              configMap:
                name: <delegate name>-upgrader-config

FAQ’s around Immutable delegate: A quick insight on immutable delegates
