- Overview
- Requirements
- Installation
- Post-installation
- Cluster administration
- Monitoring and alerting
- Migration and upgrade
- Product-specific configuration
- Best practices and maintenance
- Troubleshooting
- How to Troubleshoot Services During Installation
- How to Uninstall the Cluster
- How to clean up offline artifacts to improve disk space
- How to disable TLS 1.0 and 1.1
- How to enable Istio logging
- How to manually clean up logs
- How to clean up old logs stored in the sf-logs bucket
- How to debug failed Automation Suite installations
- How to disable TX checksum offloading
- Unable to run an offline installation on RHEL 8.4 OS
- Error in Downloading the Bundle
- Offline installation fails because of missing binary
- Certificate issue in offline installation
- SQL connection string validation error
- Failure After Certificate Update
- Automation Suite Requires Backlog_wait_time to Be Set 1
- Cannot Log in After Migration
- Setting a timeout interval for the management portals
- Update the underlying directory connections
- Kinit: Cannot Find KDC for Realm <AD Domain> While Getting Initial Credentials
- Kinit: Keytab Contains No Suitable Keys for *** While Getting Initial Credentials
- GSSAPI Operation Failed With Error: An Invalid Status Code Was Supplied (Client's Credentials Have Been Revoked).
- Login Failed for User <ADDOMAIN><aduser>. Reason: The Account Is Disabled.
- Alarm Received for Failed Kerberos-tgt-update Job
- SSPI Provider: Server Not Found in Kerberos Database
- Failure to get the sandbox image
- Pods not showing in ArgoCD UI
- Redis Probe Failure
- RKE2 Server Fails to Start
- Secret Not Found in UiPath Namespace
- ArgoCD goes into progressing state after first installation
- Unexpected Inconsistency; Run Fsck Manually
- Missing Self-heal-operator and Sf-k8-utils Repo
- Degraded MongoDB or Business Applications After Cluster Restore
- Unhealthy Services After Cluster Restore or Rollback
- Using the Automation Suite Diagnostics Tool
- Using the Automation Suite support bundle
- Exploring Logs
Automation Suite Installation Guide
Pre-migration steps
To ensure you successfully migrate a standalone platform installation to Automation Suite, make sure to take the steps described in the following sections. The pre-migration steps are mandatory.
Make sure to save the following Identity Server configuration data:
.pfx
certificates to sign OAuth tokens. If you use your own tokens in the standalone deployment, you need to convert them to .pfx
and update them in the Automation Suite cluster’s corresponding secret(s).
kubectl edit secret identity-token-signing-certificate -n uipath
.
kubectl edit secret identity-saml-certificates -n uipath
.
Save the following Identity Server application settings:
DatabaseProtectionSettings
fromappsetting.production.json
in/identity
folder of the standalone deployment.DatabaseProtectionSettings.EncryptionKey2021
setting is used to encrypt sensitive data at rest. You must replicate this value in the Automation Suite deployment in the post-migration phase:kubectl edit secret identity-generated-secrets -n uipath
.
For each tenant from the standalone deployment, create an organization-tenant pair in the Automation Suite environment.
Example: If in standalone Orchestrator you have a tenant named Tenant1, in Automation Suite, you need to create an organization Tenant1 and a tenant within that organization also named Tenant1. Once you create the tenant, make sure the Orchestrator service is enabled for that tenant.
Save the following information for further usage:
- The connection string to the Orchestrator database in the standalone deployment;
- The connection string to the AutomationSuite_Platform database in the Automation Suite deployment;
- The tenant name(s) from the standalone deployment; you can look it up in the Orchestrator UI or using the
TenancyName
column in Orchestrator’s tenant table; - Insights connection string.
To migrate Orchestrator from standalone to Automation Suite, you must gather settings and various files from the standalone installation and apply them to the Automation Suite installation.
While only part of the settings are configurable at installation time, all of them should be available for post-install configuration.
- To configure settings at installation time, add them in the
cluster_config.json
file; - Updating the settings after the installation completes depends on what the setting scope is and if a feature is available for configuration from app-of-apps parameters or not.
uipath
bucket under orchestrator/plugins/nlog
or orchestrator/plugins/securestore
.
You can add custom configuration as follows:
- by editing the application parameters in ArgoCD (parameter overrides);
- by editing the files inside the Kubernetes ConfigMap
orchestrator-customconfig
from the namespaceuipath
.
web.config
settings do not have an equivalent or are implemented in Automation Suite using other mechanisms.
The options that you do need to configure are the following:
security.requestFiltering.requestLimits.maxAllowedContentLength
security.requestFiltering.requestLimits.maxAllowedContentLength
Note the value of this setting for later use. Decide if you need to configure it in Automation Suite. Its default value is 300MiB.
appSettings
or secureAppSettings
section of the UiPath.Orchestrator.dll.config
configuration file. You can add custom appSettings
and secureAppSettings
to the orchestrator-customconfig
config map.
UiPath.Orchestrator.dll.config
configuration file's appSettings
section, identify any modified or added settings. Save these settings in a .json
file, so they are available in later steps.
You can decrypt any protected app configuration section with Orchestrator CLI protected-configuration option. You only need to use the settings you have changed or added and are still relevant in Automation Suite.
appSettings.custom.json
file as shown in the following example:
{
"ExampleSetting.Enabled": true,
"ExampleSetting.Type": "BasicExample",
"ExampleSetting.Count": 3
}
{
"ExampleSetting.Enabled": true,
"ExampleSetting.Type": "BasicExample",
"ExampleSetting.Count": 3
}
Decide what you need for the storage migration and if your current storage configuration stays the same or if you would instead let Automation Suite manage the storage for you. Automation Suite offers the option to store the blobs in Ceph, which can be used in all Orchestrator pods. In the case of a migration, you must copy the existing files to the current blob storage.
s3cmd
, you can copy the data to Orchestrator. If you use Ceph, then no other configuration is required, as this is the default
option.
Storage.Location
key. Since Automation Suite runs on Linux machines, you cannot rely on integrated authentication for accessing the network
share, so you need the credentials of an account that can access it.
Storage.Location
and Storage.Type
settings to the appSettings.custom.json
.
You can do the following customizations to NLog:
- change existing targets
- add new targets
- add NLog extensions
Review the NLog section of the configuration file, and build the NLog custom configuration. To enable robot logs storage in Elasticsearch, you can provide the username, password, and URI as Automation Suite parameters, and the target are configured automatically. To enable custom scenarios for robot logs, you need to configure the target manually.
If NLog extensions are needed, create a folder containing all the extensions and their dependencies.
nlogextensions
. By default, Orchestrator loads the following extensions, so you do not need to include them in the folder or the NLog configuration:
NLog.Targets.ElasticSearch
UiPath.Orchestrator.Logs.Elasticsearch
Microsoft.ApplicationInsights.NLogTarget
NLog.Extensions.AzureEventHub
NLog.Targets.ElasticSearch
UiPath.Orchestrator.Logs.Elasticsearch
Microsoft.ApplicationInsights.NLogTarget
NLog.Extensions.AzureEventHub
nlog.custom.config
file containing the standard sections: extensions, targets and rules.
assemblyFile
, and the path of the assembly relative to the nlogextensions
folder.
/opt/app-root/app/nlog.config.json
location.
nlog.custom.config
file that writes logs to Azure Blob:
{ "NLog": {
"extensions": [
{ "assemblyFile": "NLog.Extensions.AzureBlobStorage.dll" }
],
"targets": {
"azureBlob": {
"type": "AzureBlobStorage",
"connectionString": "DefaultEndpointsProtocol=https;AccountName=test;AccountKey=key;EndpointSuffix=core.windows.net",
"container": "orchestratorlogs",
"blobName": "${date:format=yyyy-MM-dd hh.mm}",
"layout": {
"type": "JsonLayout",
"includeAllProperties": true,
"Attributes": [
{"name": "ts","layout": "${longdate}"},
{"name": "level","layout": "${level:upperCase=true}"},
{"name": "logger","layout": "${logger}"},
{"name": "message","layout": "${message}"},
{"name": "exception","layout": "${onexception:${ui-pretty-exception}}"}
]
}
}
},
"rules": { "70_Final": { "writeTo": "stdout,azureBlob" } }
}
}
{ "NLog": {
"extensions": [
{ "assemblyFile": "NLog.Extensions.AzureBlobStorage.dll" }
],
"targets": {
"azureBlob": {
"type": "AzureBlobStorage",
"connectionString": "DefaultEndpointsProtocol=https;AccountName=test;AccountKey=key;EndpointSuffix=core.windows.net",
"container": "orchestratorlogs",
"blobName": "${date:format=yyyy-MM-dd hh.mm}",
"layout": {
"type": "JsonLayout",
"includeAllProperties": true,
"Attributes": [
{"name": "ts","layout": "${longdate}"},
{"name": "level","layout": "${level:upperCase=true}"},
{"name": "logger","layout": "${logger}"},
{"name": "message","layout": "${message}"},
{"name": "exception","layout": "${onexception:${ui-pretty-exception}}"}
]
}
}
},
"rules": { "70_Final": { "writeTo": "stdout,azureBlob" } }
}
}
70_final
with 20_robot_primary
in the above example .
nlogextensions
is copied in the object store in the well known plugins location. The Orchestrator Configurator Tool can automatically do
that while also updating the NLog configuration. The script automatically changes nlog.custom.config
to prefix each assemblyFile from the extensions array with /var/orchestrator/plugins/nlog/
if not already prefixed.
You can migrate custom plugins for credentials stores to Automation Suite. To do that, update the configuration in the config map, and copy the plugins assemblies to the corresponding object store bucket.
- The plugins must work on Linux.
- The plugins must not write to any storage, apart from
/tmp
.
The following credential stores plugins automatically are deployed to Orchestrator in Automation Suite:
UiPath.Orchestrator.AzureKeyVault.SecureStore.dll
-
UiPath.Orchestrator.SecureStore.CyberArkCCP.dll
securestoreplugins
.
appSettings.custom.json
file as follows:
-
to disable default plugins, add the config
Plugins.SecureStores.Default
with an empty string value inappSettings.custom.json
; -
add all custom plugins to the
Plugins.SecureStores
setting, separated by;
inappSettings.custom.json
; -
add any custom plugin settings as follows:
Plugins.SecureStores.<<FriendlyName>>.<<SettingName>>
.
securestoreplugins
plugin folder is copied in the object store in the well known plugins location.
Plugins.SecureStores
are loaded from this folder.
Plugins.SecureStore.Default
are loaded from the plugins folder in the Orchestrator app folder.
By default, at installation time, Orchestrator generates an Encryption Key to be used for the sensitive information in the database. You must migrate this key if you want to reuse a database on a new Orchestrator deployment.
secureAppSettings
section of the configuration, retrieve the value of EncryptionKey
and store it safely for later use.
The encryption key certificate is installed in the Windows certificate store. You must provide the certificate to the Automation Suite environment so that it becomes available to the Orchestrator pods.
CertificatesStoreLocation
and Azure.KeyVault.CertificateThumbprint
settings are no longer required in Automation Suite, but you can use the CertificatePassword
if needed.
Take the following steps:
- Review the appSettings and obtain the
AzureKeyVault.*
settings. - Store the
Azure.KeyVault.VaultAddress
,Azure.KeyVault.ClientId
, andAzure.KeyVault.DirectoryId
for later use. - Retrieve the certificate, and if necessary, the certificate password.
- Step 1: Saving the Identity Server configuration data
- Host administrator username and password
- Token signing certificates
- SAML certificates
- Identity Server application settings
- Export certificates
- Step 2: Creating organization-tenant pairs
- Step 3: Saving the connection strings and tenant names
- Step 4: Preparing Orchestrator
- Migration overview
- Preparing web.config
- Preparing appSettings
- Preparing Storage
- Preparing NLog
- Preparing credential stores
- Preparing the encryption key
- Preparing encryption key per tenant