Subscribe

UiPath AI Center

UiPath AI Center

Incoming requests


AI Center uses the following paths to process incoming requests:

  • /ai-app
  • /ai-helper
  • /ai-pkmanager
  • /ai-deployer
  • /ai-trainer
  • /ai-appmanager
  • /mlskills
  • /public/mlskills
  • /du_/dm
  • /dm/api/session

Ingress configurations


AI Center supports two types of ingress configuration:

  • Istio Ingress Controller
  • Non-Istio Ingress Controller

Istio Ingress Controller

In this case, UiPath's K8s virtual services are used within the designated namespace to route requests.
Make sure that these paths do not conflict with their existing routes on same "hosts" configuration and gateway.

Required parameters (Istio)

Input parameter

Required

Description

Default value

global.ingressHost

Yes

Host-name or IP:port comination for ingress to cluster/load balancer without scheme
Example: 192.168.1.1:31390

global.policyGatewayName

No

Istio gateway name to be used to target virtual services on.
Example: istio-system/aicenter-gateway

istio-system/aicenter-gateway

global.ingress.hosts

No

Hosts attribute set on the corresponding gateway

"*"

Installation

Required permissions for installation
## This file lists the permissions required for installation of istio-proxy

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-proxy-install-clusterrole
  labels:
    app: istiod
rules:
  # auto-detect installed CRD definitions
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingressclasses", "ingresses"]
    verbs: ["list", "watch"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations"]
    verbs: ["list", "get", "watch"]
  - apiGroups: ["authentication.k8s.io"]
    resources: ["tokenreviews"]
    verbs: ["list", "create"]
  - apiGroups: [""]
    resources: ["pods", "endpoints", "secrets", "services", "namespaces", "nodes", "configmaps"]
    verbs: ["list", "watch"]
  - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"]
    verbs: ["list", "watch"]
    resources: ["*"]
  ## Required only for installation/uninstallation
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["clusterrolebindings", "clusterroles"]
    verbs: ["get", "create", "list", "update", "delete"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "create", "delete"]
  - apiGroups: ["authentication.k8s.io"]
    resources: ["tokenreviews"]
    verbs: ["delete"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: istio-proxy-install-role
  namespace: uipath
rules:
  - apiGroups: ["networking.istio.io"]
    resources: ["gateways"]
    verbs: ["create", "list", "watch", "update"]

  - apiGroups: ["networking.istio.io"]
    resources: ["*"]
    verbs: ["get"]

  # required for CA's namespace controller
  - apiGroups: [""]
    resources: ["configmaps", "secrets", "services", "serviceaccounts"]
    verbs: ["create", "get", "list", "watch", "update", "delete"]

  - apiGroups: ["apps"]
    resources: ["replicasets"]
    verbs: ["get", "list", "watch"]

  - apiGroups: [""]
    resources: ["endpoints", "pods", "services"]
    verbs: ["get", "list", "watch"]

  # Required only for installation/uninstallation
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["rolebindings", "roles"]
    verbs: ["get", "create", "watch", "list", "delete", "update"]

  - apiGroups: ["autoscaling"]
    resources: ["horizontalpodautoscalers" ]
    verbs: [ "get", "list", "watch", "create", "delete", "update"]

  - apiGroups: ["policy"]
    resources: ["poddisruptionbudgets"]
    verbs: [ "get", "list", "watch", "create", "delete", "update"]

  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: [ "get", "list", "watch", "create", "delete", "update"]

  - apiGroups: ["networking.istio.io"]
    resources: ["gateways"]
    verbs: ["delete"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-proxy-install-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-proxy-install-clusterrole
subjects:
  - kind: ServiceAccount
    name: istio-proxy-install
    namespace: uipath

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: istio-proxy-install-rolebinding
  namespace: uipath
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: istio-proxy-install-role
subjects:
  - kind: ServiceAccount
    name: istio-proxy-install
    namespace: uipath

---

apiVersion: v1
kind: ServiceAccount
imagePullSecrets:
  - name: aicenter-registry-secrets
metadata:
    name: istio-proxy-install
    namespace: uipath

For istio-proxy installation, follow the steps below:

  1. Download the zip file from here.
  2. Unzip the downloaded file.
  3. There are two ways in which the installation can be done. Depending on your configuration, follow one of the sub-steps below:
    3.1. Provide the values directly in the file
    To install in non-HA mode, provide the value directly in the aicenter-istio-v21.10.0/values.yaml file and run the command below:
helm upgrade --force --wait --debug --timeout 300s --install aicenter-istio aicenter-istio-v21.10.0 --namespace uipath -f aicenter-istio-v21.10.0/values.yaml

To install in HA mode, provide the values directly in the aicenter-v21.10.0/values-ha.yaml file and run the command below:

helm upgrade --force --wait --debug --timeout 300s --install aicenter-istio aicenter-istio-v21.10.0 --namespace uipath -f aicenter-istio-v21.10.0/values-ha.yaml

3.2. Set the values in the helm command directly.
To do so, run the command below:

helm upgrade --force --wait --debug --timeout 300s --install aicenter-istio aicenter-istio-v21.10.0 --namespace uipath \
    --set global.hub="uipath.azurecr.io/aicenter" \
    --set global.imagePullSecrets="{aicenter-registry-secrets}"
helm upgrade --force --wait --debug --timeout 300s --install aicenter-istio aicenter-istio-v21.10.0 --namespace uipath \
    --set global.hub="uipath.azurecr.io/aicenter" \
    --set global.imagePullSecrets="{aicenter-registry-secrets}" \
    -f aicenter-istio-v21.10.0/values-ha.yaml

This is used for any other K8s Ingress Controller, such as NGINX or Contour.
In this case, a local Istio proxy is deployed in the designated UiPath namespace that will only be accessible over Cluster IP, ensuring all traffic gets routed through the cluster's existing Ingress.

Sample NGINX Ingress path
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: aicenter-ingress
spec:
  rules:
  - http:
      paths:
      - path: /ai-app
        pathType: Prefix
        backend:
          service:
            name: istio-ingressgateway
            port:
              number: 80
      - path: /ai-helper
        pathType: Prefix
        backend:
          service:
            name: istio-ingressgateway
            port:
              number: 80
      - path: /ai-pkgmanager
        pathType: Prefix
        backend:
          service:
            name: istio-ingressgateway
            port:
              number: 80
      - path: /ai-deployer
        pathType: Prefix
        backend:
          service:
            name: istio-ingressgateway
            port:
              number: 80
      - path: /ai-trainer
        pathType: Prefix
        backend:
          service:
            name: istio-ingressgateway
            port:
              number: 80
      - path: /ai-appmanager
        pathType: Prefix
        backend:
          service:
            name: istio-ingressgateway
            port:
              number: 80
      - path: /mlskills
        pathType: Prefix
        backend:
          service:
            name: istio-ingressgateway
            port:
              number: 80
      - path: /public/mlskills
        pathType: Prefix
        backend:
          service:
            name: istio-ingressgateway
            port:
              number: 80
      - path: /du_
        pathType: Prefix
        backend:
          service:
            name: istio-ingressgateway
            port:
              number: 80
      - path: /dm
        pathType: Prefix
        backend:
          service:
            name: istio-ingressgateway
            port:
              number: 80

📘

Note

  1. Istio proxy installation/uninstallation/upgrade requires cluster-admin privileges.
  2. Istio proxy working also requires cluster-admin privileges on some resources.

Make sure to add all relevant policies on their ingress controller to route traffic to the local UiPath proxy.

Updated 15 days ago

Ingress


Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.