Feature Requests

This is a request to have the ability to use Kubernetes secrets as a secret store for Harness pipelines. Automatic discovery of Kubernetes secrets that have a specific annotation would be great as it would allow for less terraform use on the platform. The objective of this is to be able to use something like External Secrets Operator to connect to many different secret stores that may be used in a target cluster and simply just observe the secrets that we need to in an allowed namespace.

Current Behavior: API /postExecuteStages: Can execute a specific stage. Requires sending the entire runtimeInputYaml payload. This defeats the purpose of InputSets, since all inputs must still be manually provided. API /postPipelineExecuteWithInputSetList: Accepts only inputSetReferences and stageIdentifiers. Always executes the entire pipeline, even if a stageIdentifier is specified. Not designed for stage-level execution. The Ask: Trigger only a specific stage in a pipeline. Reference an existing InputSet for runtime inputs. Avoid rebuilding and passing the full runtimeInputYaml. Example Goal: Instead of sending: runtimeInputYaml: | pipeline: identifier: my_pipeline stages: - stage: identifier: my_stage spec: service: identifier: my_service The customer wants to run: { "stageIdentifiers": ["my_stage"], "inputSetReferences": ["my_input_set"] } … and have the execution resolve inputs automatically from the InputSet. Impact: Current behavior creates overhead for customers with complex pipelines and existing InputSets. Inconsistent with the intended value of InputSets (avoiding re-supplying inputs). Forces additional scripting/automation outside of Harness to generate runtimeInputYaml. Proposed Enhancement: Extend /postExecuteStages to support inputSetReferences directly (along with stageIdentifiers). Allow execution of a single stage using only the InputSet, without requiring the full runtime YAML.

Summary: We’ve observed significant performance degradation in Harness.io dashboards when applying filters, particularly due to the large volume of data being queried. To address this, we propose an enhancement that introduces a feature flag to scope filter options based on user visibility—determined by their roles and assigned resource groups. Details & Justification: Improved User Experience Filtering large datasets currently results in slow dashboard performance, which negatively impacts usability and responsiveness. By limiting filter options to only relevant data, users can interact with dashboards more efficiently. Security and Compliance Alignment Presenting all filter options regardless of access may inadvertently expose metadata about resources users shouldn’t be aware of. Restricting filter visibility supports a least privilege model and aligns with internal security and compliance standards. Scalability and Future-Proofing As data volumes continue to grow, the current filter mechanism will become increasingly inefficient. Implementing scoped filters now will help ensure the dashboard experience remains performant and scalable. Suggested Implementation Approach A configurable feature flag could be introduced to enable scoped filters based on user roles and resource groups. This would allow organizations to opt-in without disrupting existing dashboard configurations.

When a user does not have access to a data in dashboards due to data scope, it just appears like widget doesn't load. It would be ideal if it would load with some form of message that says the user does not have access to data for the tile. Otherwise, a user does not know they don't have access or if the dashboard is broken.

Often when using harness formatted variables (<+ variable>) the autocomplete is very helpful to get the exact value you want. it would be nice to have secret names autocomplete when using <+secrets.getValue("...")> format.

I want to use a variable from an input set to parameterize the URL used in a connector. Say we have a justification to create isolated helm repos with multiple charts in them and create a new helm repo for each 'version' we publish - maintaining isolation of the multiple charts that work together. AKA in artifactory we may have: artifactory-repo/<version-number>/charts/index.yaml , where the version increases with each release and therefore a new helm repo is created each time. Currently there is no way for me to use a variable in the URL of the connectors to pull the helm charts (no way to update the version number in the path of the URL), which would force us to create a new connector with each version we create. This is rather cumbersome when all we want is the version number to change in the URL. Is there any way you can enable the use of variables in a connector URL?

Currently, the Users page under Account Settings → Access Control lists all users and their assigned roles. However, there is no way to filter users by role type (e.g., Account Admin, Viewer, Developer). This limitation makes it difficult to quickly identify which users hold specific roles, particularly high-privilege ones like Account Admin. Problem / Impact: From a compliance and security perspective, organizations are required to regularly review and audit users with elevated privileges (e.g., Account Admins). Without role-based filtering, admins must manually scroll through the entire user list or click into each individual profile to review role bindings. This increases the risk of missing privileged users and makes compliance audits more time-consuming and error-prone. Proposed Solution: Add filtering (and ideally sorting) functionality on the Users page to allow admins to quickly: Filter users by role type (e.g., "Account Admin") Optionally, export a filtered list of users with their role assignments for audit purposes Business Value: Simplifies compliance and audit workflows by making it easy to identify and review privileged users Improves security visibility by reducing the risk of overlooked high-privilege accounts Saves administrative time by eliminating manual checks across multiple users

I would like to use DCM automation to add certificates to AWS Certificate manager. We use Harness and Terraform to deploy applications to AWS. I would like to automate the creation and renewal of certificates so that we don't have a production outage when certificates expire and reduce manual intervention.

Managing OIDC providers is a critical capability for enabling Single Sign-On (SSO), enforcing fine‑grained access control, and ensuring seamless identity federation within Harness. At present, the Harness Terraform/OpenTofu provider lacks a first‑class resource for OIDC providers. As a result, configuration must be done through manual, undocumented API calls or ad‑hoc automation, which increases operational risk and limits scalability. Adding native Terraform/OpenTofu support would allow OIDC configuration to be managed declaratively, consistently, and securely as part of an infrastructure-as-code workflow. we also opened an Github issue for this here: https://github.com/harness/terraform-provider-harness/issues/1290

We have all pipelines under single project only. I want ability to club together pipelines under a folder/directory which serve same purpose for better organisation and usability. Creating different projects for each individual use-cases is not feasible.