Updating AI Fabric Certificate
During installation, you can either supply your own certificate or skip that step and use a self-signed certificate. If you need to change the certificate afterward, follow the steps below.
First, make sure you have the certificate at hand: you need the SSL certificate file and the private key as two separate files.
Next, connect to the AI Fabric Linux machine and run the following command:
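A check to run on those two files before starting, as an added example that is not part of the original page: it confirms that the private key matches the certificate, that the certificate is not about to expire, and that it covers the host name you will configure. The function names, the 30-day default and the demo file names are assumptions, and the key is assumed to be an unencrypted PEM file.

```shell
#!/usr/bin/env bash
# Added example: checks to run on the certificate and key files before upload.
# Assumes an unencrypted PEM private key; function and file names are illustrative.

# Succeeds only if the certificate's public key equals the one derived from the key file.
cert_key_match() {
  local from_cert from_key
  from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  from_key=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 2
  [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# Succeeds if the certificate is still valid $2 days from now.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Succeeds if the certificate covers host name $2 (SAN, or CN when no SAN is present).
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null \
    | grep -q 'does match certificate'
}

# Run all three checks and report; returns non-zero on the first failure.
preflight_cert() {
  local cert=$1 key=$2 host=$3 days=${4:-30}
  cert_key_match "$cert" "$key"       || { echo "FAIL: key does not match certificate"; return 1; }
  cert_valid_for_days "$cert" "$days" || { echo "FAIL: expires within $days days"; return 1; }
  cert_covers_host "$cert" "$host"    || { echo "FAIL: certificate does not cover $host"; return 1; }
  echo "OK: $cert is ready to upload for $host"
}

# Constructed sample input: a throwaway self-signed pair for trying the checks offline.
# Arguments: output directory, common name, validity in days.
make_demo_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$3" -subj "/CN=$2" \
    -keyout "$1/demo.key" -out "$1/demo.crt" >/dev/null 2>&1
}

# Usage: ./preflight_cert.sh <certificate.pem> <private-key.pem> <host name>
if [ "$#" -eq 3 ]; then preflight_cert "$1" "$2" "$3"; fi
```

A mismatched key or a certificate that does not cover the configured FQDN is cheaper to catch here than after the redeploy.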
kubectl -n default annotate secret kotsadm-tls acceptAnonymousUploads=1
Then restart the kurl proxy server. First, retrieve the name of its pod with this command:
kubectl get pods -A | grep kurl-proxy | awk '{print $2}'
This outputs the name of the kurl proxy pod, which should look like kurl-proxy-kotsadm-XXX. Next, delete this pod (it will be restarted automatically).
kubectl delete pods kurl-proxy-kotsadm-XXX
You can check that the pod has restarted by running the get pods command:
kubectl get pods
Next to the pod, you should see 1/1 and Running.
Once it's ready, remove the configmap:
kubectl -n aifabric delete configmap is-client-config
Then connect to the KotsAdmin UI; the URL should be something like https://<aif-machine>:8800/tls. The page will let you upload the new certificate (and, if needed, change the associated domain name).
Click the Upload & continue button, then go to the config page. Change HostIP/FQDN if needed, generate a fresh access token, then click Save. Once the preflight checks are done, click Deploy to redeploy the AI Fabric application. Once installed, the new certificate will be used by AI Fabric.
Once AI Fabric is redeployed, run this command for the change to take effect:
kubectl -n istio-system rollout restart deployment istio-ingressgateway
Starting with 20.10.2, certificates are handled automatically by our installer using cert manager. If you first installed 20.10.1, however, your certificate may expire at some point. To remediate that, follow the steps described below. Start by downloading and opening the new installer bundle (this is not a new bundle installation):
curl -O https://download.uipath.com/aifabric/online-installer/v2020.10.2/aifabric-installer-v20.10.2.tar.gz
tar -xvf aifabric-installer-v20.10.2.tar.gz
cd ./aifabric-installer-v20.10.2/infra/azure/aks-arm
Then create a script file update_cert.sh like this:
USER_EMAIL=<enter certificate owner email here>
sed -i "s/email.address@org.com/$USER_EMAIL/g" cert-manager-crd/letsencrypt-clusterissuer.yaml
INGRESS_HOST=$(kubectl -n istio-system get svc istio-ingressgateway -o json | jq -r ".status.loadBalancer.ingress[0].ip")
IP_NAME="$(az network public-ip list --query "[?ipAddress=='$INGRESS_HOST']|[0].name" | sed 's/"//g')"
INGRESS_DOMAIN="$(az network public-ip list --query "[?ipAddress=='$INGRESS_HOST']|[0].dnsSettings.fqdn" | sed 's/"//g')"
sed "s/{{INGRESS_DOMAIN}}/${INGRESS_DOMAIN}/g" cert-manager-crd/letsencrypt-istiocert.yaml > cert-manager-crd/letsencrypt-istiocert-temp.yaml
kubectl apply -f cert-manager-crd/letsencrypt-clusterissuer.yaml
kubectl apply -f cert-manager-crd/letsencrypt-istiocert-temp.yaml
kubectl -n istio-system \
patch gateway istio-autogenerated-k8s-ingress --type=json \
-p='[{"op": "replace", "path": "/spec/servers/1/tls", "value": {"credentialName": "aifabric-ingressgateway-certs", "mode": "SIMPLE", "privateKey": "sds", "serverCertificate": "sds"}}]'
kubectl -n istio-system rollout restart deployment istio-ingressgateway
Then execute this script:
./update_cert.sh