Platform release notes
These release notes describe recent changes to Harness Platform.
- Progressive deployment: Harness deploys changes to Harness SaaS clusters on a progressive basis. This means that the features described in these release notes may not be immediately available in your cluster. To identify the cluster that hosts your account, go to your Account Overview page in Harness. In the new UI, go to Account Settings, Account Details, General, Account Details, and then Platform Service Versions.
- Security advisories: Harness publishes security advisories for every release. Go to the Harness Trust Center to request access to the security advisories.
- More release notes: Go to Harness Release Notes to explore all Harness release notes, including module, delegate, Self-Managed Enterprise Edition, and FirstGen release notes.
Important feature change notice
This is a notification for a feature change aimed at enhancing your experience with Harness. Here's what you need to know:
- Harness uses connectors to external secret managers (e.g. Google Secret Manager or Hashicorp Vault) to resolve/store secrets used by pipelines and elsewhere in the Harness platform. External secret manager connectors require configuration, including a means to authenticate to the external Secret Manager. On December 11, 2023, Harness added a restriction that users can only use Harness Built-in Secret Manager to store authentication credentials for access to the corresponding Secret Manager.
- Continuity Assured: There is no impact on your existing pipelines. They remain compatible with the way secrets were referenced before this feature change. Note that this includes using an external secret manager other than the Harness Built-in Secret Manager to store the authentication secret.
Why did Harness make this change?
Our previous setup allowed configurations where credentials from one secret manager were stored within another, resulting in complexities that could be challenging to navigate. Moreover, these configurations might introduce vulnerabilities, posing potential security risks. For example, in a recent incident, our thread pool designated for secret manager resolution was exhausted.
Moving forward, we've implemented several validations, such as the disabling of self-references. Furthermore, with the introduction of the aforementioned restriction on secret managers, configurations are simpler to comprehend and maintain. This change aims to streamline the process, enhancing clarity and reducing potential security vulnerabilities.
Below is further explanation for each type of secret manager Harness currently supports and the changes associated with it.
- Harness supports three authentication methods for AWS Key Management Service (KMS) and AWS Secrets Manager:
  - AWS Access Key: Access Key Id, Secrets Access Key, and AWS ARN need to be stored in Harness Built-in Secret Manager.
  - Assume IAM role on delegate: AWS ARN must be stored in Harness Built-in Secret Manager.
  - Assume Role using STS on delegate: AWS ARN must be stored in Harness Built-in Secret Manager.
- Harness supports the following five authentication methods for Hashicorp Vault:
  - AppRole secret IDs must be stored in the Harness Built-in Secret Manager.
  - Token secret IDs must be stored in the Harness Built-in Secret Manager.
  - AWS Auth secret IDs must be stored in the Harness Built-in Secret Manager.
  - Vault Agent: Secret storage is not required in the Harness Built-in Secret Manager.
  - Kubernetes Auth: Secret storage is not required in the Harness Built-in Secret Manager.
- Harness supports two authentication methods for Azure Key Vault:
  - With the credentials option, the Azure Authentication key must be stored in the Harness Built-in Secret Manager.
  - With the credentials of a specific Harness Delegate option, secret storage is not required in Harness Built-in Secret Manager.
- Harness supports only one authentication method for GCP Key Management Service, for which the GCP KMS Credentials file must be stored in the Harness Built-in Secret Manager.
- Harness supports two authentication methods for GCP Secrets Manager:
  - With the credentials option, the Google Secrets Manager Credentials File must be stored in the Harness Built-in Secret Manager.
  - With the credentials of a specific Harness Delegate option, secret storage is not required in Harness Built-in Secret Manager.
- For Custom Secrets Manager, if any secret is needed in the template as a variable, then it can only be stored in the Harness Built-in Secret Manager.
Deprecation notice
The following deprecated API endpoints are no longer supported:
- [GET | PUT | POST | DELETE] api/resourcegroup/{identifier}
- POST api/resourcegroup/filter
- GET api/resourcegroup
January 2024
Version 1.22.3
New features and enhancements
- Removed the unused org.redisson:redisson library dependency from the delegate. (PL-42485, ZD-53588, ZD-53760)
- Deletion of SCIM-managed user groups was not allowed. (PL-39439, ZD-53340)
You can now delete SCIM-managed user groups via the delete API for user groups.
Info: Harness does not currently support the ability to delete SCIM-managed user groups in the UI.
Fixed issues
- K8S_WATCH perpetual tasks remained TASK_ASSIGNED despite being assigned to non-existent delegates. (PL-43973)
This issue was fixed by implementing a CronJob to reset perpetual tasks associated with invalid delegates, ensuring proper handling of Kubernetes events.
This item is available with Harness Platform version 1.22.3 and does not require a new delegate version. For information about Harness Delegate features that require a specific delegate version, go to the Delegate release notes.
- Running terraform apply for an existing SSO-linked user group resulted in an empty user list. (PL-43763, ZD-55505)
This issue has been resolved. Now, when the user group payload is SSO-linked, the existing users are maintained as is, and the users list in the payload is ignored.
- In cases where the existing user group is SSO-linked and needs to be overridden and delinked in the update payload, the existing users will be replaced with the users list provided in the payload.
- The platform-service was not publishing the response count metric. (PL-43123)
This has been resolved, and the platform-service will now consistently publish the response count metrics.
Version 1.21.5
Fixed issues
- Tooltips in the left navigation were incorrectly displayed behind the stage execution details panel. Now, tooltips are visible on the Execution page. (PL-43993)
- Fixed the ACL list roles API to correctly display HarnessManaged, CreatedAt, and LastModifiedAt date fields, ensuring accurate role management data in responses. (PL-43952)
- Multi-select dropdowns would reset to the top after each selection. This issue is fixed for all multi-select dropdowns unless explicitly specified by the user. (PL-43925)
- When editing user group data, member data was not added as expected. Now, the user group data related to the user group members is not lost when the user group is updated. (PL-43855, ZD-55944)
- Fixed an issue where searching for user groups containing special characters resulted in a 500 error due to invalid regex patterns in the search term. Now, the usergroup list API validates regex patterns and provides a clear error message for invalid search terms. (PL-43761)
- The Azure endpoints were not being set based on the Azure environment selected. This led to Azure connectors working correctly only for Azure public cloud and not for other variants of Azure cloud (like Azure Gov, Azure China, and so on). Now, the correct Azure resource manager endpoint will be chosen based on the environment selected in the connector. (PL-43333, ZD-54717)
Version 1.20.9
New features and enhancements
- Configure an absolute session timeout for your account (PL-43587)
A new Absolute Session Timeout (in minutes) setting is available on the Authentication page. When the Absolute Session Timeout (in minutes) is set, users will be logged out of their account after the configured timeout, regardless of any activity.
The default absolute session timeout is 0, which means that it is not set. You can set this to a maximum of 4320 minutes (3 days). The field automatically converts the minutes you enter to higher units of time, and displays the result under the field. For example, if you enter 1440, the UI shows 1 day below the field.
Note: When both the session inactivity timeout and the absolute session timeout are set, the condition that is met first will be honored.
- You can now toggle between the legacy UI navigation and the new navigation by enabling the feature flag CDS_NAV_PREFS for your account. (PL-43772)
Early access features
- Grant public access to Harness pipelines (PL-43499)
You can now grant public access to Harness pipelines. New settings on the Authentication page and in pipeline Advanced Options allow you to grant public access to pipeline executions.
When you activate the Allow public resources authentication setting, you can then enable public view for your pipelines by setting the Mark this pipeline for public view option in the pipeline's Advanced Options.
Pipeline executions for pipelines marked for public view will be accessible without the need to authenticate in Harness. You can share pipeline execution URLs, which include console logs for the pipeline steps.
For more information, go to Allow public access to pipeline executions.
This is behind the feature flag PL_ALLOW_TO_SET_PUBLIC_ACCESS.
- Allowlist verification for delegate registration (PL-42471)
Note: Currently, allowlist verification for delegate registration is behind the feature flag PL_ENFORCE_DELEGATE_REGISTRATION_ALLOWLIST. Contact Harness Support to enable the feature.
Without this feature flag enabled, delegates with an immutable image type can register without allowlist verification. With this feature flag enabled, delegates with an immutable image type can register if their IP/CIDR address is included in the allowed list received by Harness Manager. The IP address/CIDR should be that of the delegate or the last proxy between the delegate and Harness Manager in the case of a proxy.
Harness Manager verifies registration requests by matching the IP address against an approved list and allows or denies registration accordingly. For more information, go to Add and manage IP allowlists.
This item requires Harness Delegate version 24.01.82108. For information about features that require a specific delegate version, go to the Delegate release notes.
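A pre-check for the allowlist rule described above, as an added example that is not Harness code: it evaluates the address Harness Manager would see (the delegate's own, or the last proxy's when one is in the path) against a planned allowlist. The function names, the data layout, and all addresses are constructed for illustration.

```python
import ipaddress


def parse_allowlist(entries):
    """Parse IP/CIDR strings; return (networks, rejected_entries)."""
    networks, rejected = [], []
    for entry in entries:
        try:
            # ASSUMPTION: host bits in a CIDR entry are masked (strict=False);
            # the release note does not say how such entries are treated.
            networks.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError:
            rejected.append(entry)
    return networks, rejected


def effective_source_ip(delegate_ip, proxy_chain):
    """Return the address to allowlist: the last proxy if any, else the delegate.

    proxy_chain is ordered from the delegate towards Harness Manager.
    """
    return proxy_chain[-1] if proxy_chain else delegate_ip


def registration_allowed(source_ip, networks):
    """True if source_ip falls inside any allowlisted network."""
    ip = ipaddress.ip_address(source_ip)
    # Membership is always False across IPv4/IPv6, so mixed lists are safe.
    return any(ip in net for net in networks)


def precheck(delegates, allowlist_entries):
    """Map delegate name -> (effective source IP, would registration pass)."""
    networks, _ = parse_allowlist(allowlist_entries)
    result = {}
    for name, info in delegates.items():
        source = effective_source_ip(info["ip"], info.get("proxies", []))
        result[name] = (source, registration_allowed(source, networks))
    return result


# Constructed sample data (documentation address ranges, not real hosts).
SAMPLE_ALLOWLIST = ["203.0.113.0/24", "198.51.100.7", "2001:db8:10::/48", "10.1.2.300"]
SAMPLE_DELEGATES = {
    "delegate-a": {"ip": "203.0.113.25", "proxies": []},
    # Own IP is allowlisted, but traffic leaves through a proxy that is not.
    "delegate-b": {"ip": "203.0.113.40", "proxies": ["192.0.2.10"]},
    # Private IP, but the last proxy in the chain is allowlisted.
    "delegate-c": {"ip": "10.20.0.5", "proxies": ["10.20.0.1", "198.51.100.7"]},
    "delegate-d": {"ip": "2001:db8:10:5::9", "proxies": []},
}

if __name__ == "__main__":
    _, rejected = parse_allowlist(SAMPLE_ALLOWLIST)
    print("unparseable allowlist entries:", rejected)
    for name, (source, ok) in precheck(SAMPLE_DELEGATES, SAMPLE_ALLOWLIST).items():
        print(f"{name}: source={source} -> {'allow' if ok else 'deny'}")
```

In the sample, delegate-b is denied even though its own address is inside an allowlisted range, because the address that counts is the proxy's.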
Fixed issues
- Intermittent errors occurred when pulling secrets from a Custom Secret Manager. (PL-43193, ZD-54236, ZD-54555, ZD-55919)
This issue has been resolved by adding a timeout (in seconds) to fetch secrets from a custom provider in the Custom Secret Manager settings. The process interrupts and fails when it takes longer than the configured timeout to fetch the secret. The default value is 20 seconds.
This item requires Harness Delegate version 24.01.82108. For information about features that require a specific delegate version, go to the Delegate release notes.
Version 1.19.6
New features and enhancements
- Upgraded MinIO to bitnami/minio:2023.10.7-debian-11-r2. (PL-42019)
Early access
Allowlist verification for delegate registration (PL-42471)
Currently, allowlist verification for delegate registration is behind the feature flag PL_ENFORCE_DELEGATE_REGISTRATION_ALLOWLIST. Contact Harness Support to enable the feature.
Without this feature flag enabled, delegates with an immutable image type can register without allowlist verification.
With this feature flag enabled, delegates with an immutable image type can register if their IP/CIDR address is included in the allowed list received by Harness Manager.
The IP address/CIDR should be that of the delegate or the last proxy between the delegate and Harness Manager in the case of a proxy.
Harness Manager verifies registration requests by matching the IP address against an approved list and allows or denies registration accordingly. For more information, go to Add and manage IP allowlists.
Fixed issues
- The delegate was rejecting tasks due to an issue where the CPU and memory calculation wasn't showing the latest usage value. This was caused by the dynamic request handling feature that rejects tasks if the CPU and memory usage exceeds a certain threshold. The pods weren't scaled by HPA because the CPU and memory usage within the pods was within the limit. (PL-42600, ZD-54025, ZD-54324)
Harness improved the CPU/Memory calculation algorithm, resolving the issue.
This item is available with Harness Platform version 1.19.6 and does not require a new delegate version. For information about Harness Delegate features that require a specific delegate version, go to the Delegate release notes.
- In the Add new Encrypted Text dialog, the Regions list for Google Secrets Manager integration included unsupported values. (PL-43575, ZD-55268)
This issue has been resolved and the Regions list has been updated with the correct GCP regions.
- When Harness user groups were created during SCIM sync, dots were not converted to underscores in Harness for user group IDs. (PL-43576, ZD-55266)
This issue has been resolved. Now, SCIM group names that contain dots are converted to underscores in Harness for group identifiers. For example, a SCIM group named "abc.xyz" is created as follows:
UserGroupIdentifier: "abc_xyz"
UserGroupName: "abc.xyz"
- Perpetual tasks weren't assigned after a delegate restart. (PL-43646, ZD-55426, ZD-55572)
Fixed a race condition where a perpetual task was assigned at the same time as the delegate abruptly shutting down due to a pod restart.
This item is available with Harness Platform version 1.19.6 and does not require a new delegate version. For information about Harness Delegate features that require a specific delegate version, go to the Delegate release notes.
Version 1.17.8
New features and enhancements
- Upgraded the yq library from version 4.35.2 to 4.40.5. (PL-42548)
Fixed issues
- For user groups provisioned from SCIM to Harness, for the corresponding user groups created in Harness, the user group identifier is derived from the display name of the user group in the SCIM provider. Harness replaces "." (dots) and "-" (dashes) with an "_" (underscore). All other special characters ("#", "?", "%", and so on) and spaces are removed. Leading digits "0" through "9" and "$" are also removed. (PL-42535, ZD-53830, ZD-55294)
All special characters except ".", "-", and non-leading "$" and digits "0" through "9" are removed.
Example 1: For a user group in SCIM with the name "Harness.Group?Next#Gen-First", the user group created in Harness will have the identifier: "Harness_GroupNextGen_First".
Example 2: For a user group in SCIM with the name "123#One.$Two.$Three.123", the user group created in Harness will have the identifier: "One_$Two_$Three_123".
The existing behavior of "." and "-" changed to "_" has been retained.
The name of the corresponding user group created in Harness will retain the special symbols as present in the user group of the SCIM provider. Example: For a user group in SCIM with the name "Harness.Group?Next#Gen-First", the user group created in Harness will have the same name: "Harness.Group?Next#Gen-First".
This item requires Harness Delegate version 23.12.82000. For information about features that require a specific delegate version, go to the Delegate release notes.
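Because the identifier rule above maps several display names to one identifier, it is worth checking an IdP's group list for names that collapse together, or to nothing, before provisioning. The following is an added example, not Harness code: it re-implements the rule as the release note states it, and the handling of non-ASCII letters and the order of the steps are assumptions.

```python
import re
from collections import defaultdict

# Kept after "." and "-" become "_": ASCII letters, digits, "_" and "$".
# ASSUMPTION: the release note does not say how non-ASCII letters are treated;
# this sketch drops them along with the other special characters.
_REMOVED = re.compile(r"[^A-Za-z0-9_$]")
_LEADING_DIGITS_OR_DOLLAR = re.compile(r"^[0-9$]+")


def scim_group_identifier(display_name):
    """Derive the identifier from a SCIM display name, per the rule above.

    ASSUMPTION: leading digits and "$" are stripped after the other
    characters are removed; the note's examples are consistent with this.
    """
    ident = display_name.replace(".", "_").replace("-", "_")
    ident = _REMOVED.sub("", ident)
    return _LEADING_DIGITS_OR_DOLLAR.sub("", ident)


def audit_display_names(display_names):
    """Report display names that share an identifier or reduce to an empty one."""
    by_identifier = defaultdict(list)
    for name in display_names:
        by_identifier[scim_group_identifier(name)].append(name)
    empty = by_identifier.pop("", [])
    collisions = {i: n for i, n in by_identifier.items() if len(n) > 1}
    return {"collisions": collisions, "empty": empty}


# Constructed sample of IdP group display names (not real data); the two
# names from the release note are included as known-good references.
SAMPLE_GROUPS = [
    "eng.prod-admins",
    "eng-prod.admins",
    "eng_prod_admins",
    "Harness.Group?Next#Gen-First",
    "123#One.$Two.$Three.123",
    "2024 $$",
]

if __name__ == "__main__":
    report = audit_display_names(SAMPLE_GROUPS)
    for identifier, names in report["collisions"].items():
        print(f"identifier {identifier!r} is shared by: {names}")
    for name in report["empty"]:
        print(f"display name {name!r} reduces to an empty identifier")
```

Groups usually carry role bindings, so any display names reported here are best renamed in the identity provider before the sync runs.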
Previous releases
2023 releases
December 2023
Version 1.16.6
New features and enhancements
- Upgraded Janino to version 3.1.11. (PL-43320, ZD-54505)
- Upgraded ch.qos.logback from version 1.2.11 to 1.2.13. (PL-43260)
- Upgraded YamlBeans to version 1.17. (PL-42905, ZD-51149, ZD-53760, ZD-53919)
Fixed issues
- The role assignment list API was returning incorrect role assignments. This problem occurred because of the use of a regex query to match the scope for role assignments. The issue specifically affected projects or organizations under the same account that had overlapping project or organization identifiers, particularly when the filter INCLUDED_CHILD_SCOPES was used. This issue has been addressed and corrected. (PL-39051)
- Execution links were not available in pipeline failure Slack notifications. (PL-42974, ZD-53195)
This issue has been resolved. Now, in Slack notifications, the "Node status" keyword, such as "failed," is a hyperlink that provides direct access to the associated node execution URL.
- Added RBAC checks to the delegate list API. Now, only delegates for which users have permission are shown in the list on the Delegates page. (PL-42268, ZD-52174)
This item is available with Harness Platform version 1.16.6 and does not require a new delegate version. For information about Harness Delegate features that require a specific delegate version, go to the Delegate release notes.
Version 81820
New features and enhancements
- The LDAP configuration wizard now includes a Delegates Setup step, allowing you to select delegates and ensuring that all LDAP delegate tasks go to a particular delegate. (PL-28202)
Fixed issues
- There was an issue with the filtering of items that had tags on the delegate list page. This was resolved by adding an implicit tag before filtering the items in the UI. (PL-42743)
This item requires Harness Delegate version 23.12.81803. For information about features that require a specific delegate version, go to the Delegate release notes.
- When the feature flag PL_NO_EMAIL_FOR_SAML_ACCOUNT_INVITES is enabled and a new user was added on the Account Access Control: Users page, the following message was displayed: "Invitation sent successfully", even though the user was added to the list. (PL-42860)
This issue has been resolved, and the UI now displays "User added successfully".
This item requires Harness Delegate version 23.12.81803. For information about features that require a specific delegate version, go to the Delegate release notes.
Version 81709
Fixed issues
- A GET request to the List projects API for projects that weren't available in Harness returned a 400 RESOURCE_NOT_FOUND_EXCEPTION response instead of a 404 ENTITY_NOT_FOUND. (PL-42417)
The List projects API now returns a 404 ENTITY_NOT_FOUND response for projects that aren't found in Harness.
- When a permission was removed from the permissions.yml file or marked as inactive, the permission was deleted from managed roles, but not from custom roles. (PL-30826)
This issue has been resolved. The role matching filter criteria used to remove permissions from both custom and managed roles has been updated.
- The Name (Z->A, 9->0) sort option on the Projects page didn't display projects in the correct order. (PL-32066)
The UI now uses case-insensitive sorting when it lists projects on the Projects page.
- In UAT, with SAML set up but not enabled, when users logged out, Harness redirected to Okta, not uat.harness.io. (PL-32445)
This issue is fixed. The SAML logout URL is now only used when SAML is enabled for an account.
- Harness removed the delegate-service from the default delegate YAML init container. (PL-37616)
This item is available with Harness Platform version 81709 and does not require a new delegate version. For information about Harness Delegate features that require a specific delegate version, go to the Delegate release notes.
- The delegate list API returned a 403 error response for users that didn't have view permission for the delegate. (PL-39630)
The message now specifies that the user is not authorized because view permission is not granted for the delegate.
This item is available with Harness Platform version 81709 and does not require a new delegate version. For information about Harness Delegate features that require a specific delegate version, go to the Delegate release notes.
- The UI didn't allow you to set Projects or Organizations role permissions for custom resource groups. (PL-39825, ZD-46075, ZD-49912)
You can now select Projects and Organizations as resources in custom resource groups.
- When creating projects through APIs, Harness didn't treat the organization identifier as case-insensitive, which resulted in duplicate entries. (PL-40897, ZD-49840)
This issue is fixed by making the organization identifier in project creation APIs case-insensitive.
- When you deleted a default secret manager, the Harness built-in secret manager would not automatically become the new default manager. (PL-41077)
This issue has been resolved. Now, when you delete a default secret manager, the Harness built-in secret manager is automatically set as the default.
- Previously, if you had a Reference Text type of secret pre-selected for a SSH secret key, you could only update the key through YAML and not in the UI. The UI only displayed the File Secret type. Now, the UI has a Secret type dropdown in the Create or Select an Existing Secret dialog that allows you to choose the Secret type (File or Text). (PL-41507, ZD-47600, ZD-51334)
- When you deleted a default secret manager, the Harness built-in secret manager would not automatically become the new default manager. (PL-42458, PL-42824, ZD-53500, ZD-53662, ZD-54099, ZD-54126)
This issue has been resolved. Now, when you delete a default secret manager, the Harness built-in secret manager is automatically set as the default for all scopes.
- The Email (Z->A, 9->0) sort option on the Access Control: Users page didn't display variables in the correct order. (PL-42825)
The UI now uses case-insensitive sorting when it lists emails on the Access Control: Users page.
- The Name (Z->A, 9->0) sort option on the Account Variables page didn't display variables in the correct order. (PL-42842)
The UI now uses case-insensitive sorting when it lists variables on the Account Variables page.
- API key descriptions for service accounts didn't display in the UI on the user Profile page or on the Account Access Control Service Accounts page. (PL-42846)
- Harness updated the command under Create your own YAML from a Kubernetes manifest template for the Kubernetes Manifest option on the New Delegate page. The curl command has been removed and replaced with the git clone https://github.com/harness/delegate-kubernetes-manifest.git command. (PL-42850)
This item is available with Harness Platform version 81709 and does not require a new delegate version. For information about Harness Delegate features that require a specific delegate version, go to the Delegate release notes.
- The Kubernetes Manifest YAML on the New Delegate page didn't include the DELEGATE_TOKEN. (PL-42858)
Fixed the generate Kubernetes YAML API for default delegates with a revoked token. The delegate YAML now includes the next active token.
- The AIDA option wasn't visible in the UI on the Account Resources: Delegates page when you selected Delegate Configurations. (PL-42896)
This issue has been resolved by updating the page styling. Harness removed width to prevent page overflow.
- Fixed the replica count on the New Delegate modal. (PL-42912)
- Fixed the Helm default values.yaml link on the New Delegate modal. (PL-42917)
- The IP Allowlist page had a default value of 30 IPs per page. The IP Allowlist page list now has a value of 20 IPs per page. (PL-42934)
- The error message displayed when a user attempted to delete a Harness managed role was unclear. (PL-43032)
The error message now displays Cannot delete the role <roleIdentifier> as it is managed by Harness.
November 2023
Version 81612
New features and enhancements
- Upgraded the org.eclipse.jetty_jetty-http, jetty-io, jetty-util, and jetty-continuation libraries to 9.4.53.v20231009 to resolve CVE-2023-36478. (PL-42288, PL-42560)
- Added a Purge Secrets option to the Azure Key Vault Details dialog. This option is selected by default and purges deleted secrets instead of soft deleting them. (PL-41738)
Fixed issues
- The UI didn't display the latest version for GSM secrets. (PL-38526)
- Slack Webhook URLs didn't save successfully for user group notifications. (PL-42284, ZD-52494)
- When shutdown is initiated, delegates will continue sending heartbeats until all tasks are completed, ensuring all running tasks return a response before shutting down. (PL-42171)
This item requires Harness Delegate version 23.11.81601. For information about features that require a specific delegate version, go to the Delegate release notes.
- There was an issue with Harness not properly handling delegate reconnects, which affected delegate metrics. During a disconnect, Harness would mark delegate_connected as 0, but after a reconnect, it failed to increment the delegate_connected to 1. (PL-42431, ZD-52829, ZD-53399, ZD-53878)
This issue has been resolved, and now Harness increments the delegate_connected to 1 during reconnection. As a result, the io_harness_custom_metric_delegate_connected and io_harness_custom_metric_task_failed metrics are now accurately reported.
This item requires Harness Delegate version 23.11.81601. For information about features that require a specific delegate version, go to the Delegate release notes.
- Fixed the following issues:
  - The delegate Stackdriver logger didn't work if the delegate token was in base64-encoded format.
  - When the DELEGATE_TYPE was KUBERNETES and the delegate wasn't deployed in Kubernetes, the delegate failed to start. (PL-42452)
This item requires Harness Delegate version 23.11.81601. For information about features that require a specific delegate version, go to the Delegate release notes.
Version 81502
New features and enhancements
- Upgraded io.netty:netty* to version 4.1.100.final to address vulnerabilities. (PL-41905, ZD-50403, ZD-52222, ZD-53107)
- Upgraded Redis to 6.2.14-alpine to address potential vulnerabilities. (PL-42228)
- Delegate logs formatting is updated to allow you to view stack traces in their native format. (PL-41467)
Fixed issues
- The YAML builder didn't allow you to create secrets when there wasn't an existing secret.
This issue is fixed. You can now create secrets using YAML even if no previous secret exists. (PL-42148, ZD-52583)
- On the User Group Details page, there was an issue where removing a user (let's say User A) from the user group and immediately adding another user (let's say User B) would result in User A being added back automatically. This was happening because cached data was not being cleaned up properly from the UI. (PL-42341)
This issue has been fixed. If you first remove User A and then add User B, only User B will show up as the final addition in this two-step process.
- While managing roles, it was not possible to search for resource groups beyond the first 100 initially fetched. Now, the UI allows searching for resource groups that are present beyond the initial page size limit. (PL-42343, ZD-53209)