automation-suite
2024.10
true
UiPath logo, featuring letters U and I in white
Automation Suite on OpenShift Installation Guide
Last updated Nov 11, 2024

Installing and configuring the GitOps tool

Note:
Before proceeding with the OpenShift GitOps Operator installation and configuration, you must install OpenShift Service Mesh and provide all the required permissions to the uipathadmin service account.

You can deploy Automation Suite using either an OpenShift GitOps Operator instance dedicated to the UiPath® applications or a shared OpenShift GitOps Operator instance, if it is already installed and available on your cluster.

We recommend using a dedicated OpenShift GitOps Operator instance to install the Automation Suite applications. This method requires minimum permissions to the other namespaces and cluster resources.

For installation and access instructions, see the following sections:

Provisioning a dedicated GitOps instance

To provision a dedicated OpenShift GitOps Operator instance, take the following steps:
  1. Create the <uipath> namespace:
    oc get namespace <uipath> || oc new-project <uipath>
oc <project> uipathoc get namespace <uipath> || oc new-project <uipath>
oc <project> uipath
  2. Install the OpenShift GitOps Operator by following the instructions in Installing OpenShift GitOps.
  3. Create a new ArgoCD instance by following the instructions in Setting up a new ArgoCD instance.
    Note: In the spec section described in Enabling replicas for Argo CD server and repo server, you must add the following line: 
    server.route.enabled: trueserver.route.enabled: true
  4. Patch the ArgoCD deployment:
    oc -n <uipath> patch deployment argocd-server \
  -p '{"spec":{"template":{"metadata":{"labels":{"maistra.io/expose-route":"true"}}}}}'oc -n <uipath> patch deployment argocd-server \
  -p '{"spec":{"template":{"metadata":{"labels":{"maistra.io/expose-route":"true"}}}}}'
  5. Create a role so that ArgoCD can manage limit ranges:
    kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: limit-range-manager
  namespace: <uipath>
rules:
  - apiGroups: ["*"]
    resources: ["limitranges"]
    verbs: ["get", "watch", "list", "patch", "update", "create"]kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: limit-range-manager
  namespace: <uipath>
rules:
  - apiGroups: ["*"]
    resources: ["limitranges"]
    verbs: ["get", "watch", "list", "patch", "update", "create"]
  6. Bind the limit-range-manager role to the argocd service account:
    oc -n <uipath> create rolebinding limit-range-manager-binding --role=limit-range-manager --serviceaccount=<uipath>:argocd-argocd-application-controlleroc -n <uipath> create rolebinding limit-range-manager-binding --role=limit-range-manager --serviceaccount=<uipath>:argocd-argocd-application-controller
  7. If you enabled either Process Mining - Dapr or Automation Suite Robots, you must enable cluster-wide mode for ArgoCD by taking the following steps:
    1. In <openshift-gitops>, edit the openshift-gitops-operator subscription resource to include the following environment variable:
      ARGOCD_CLUSTER_CONFIG_NAMESPACES: <uipath>ARGOCD_CLUSTER_CONFIG_NAMESPACES: <uipath>
  8. If you enable either Process Mining - Dapr or Automation Suite Robots, you must ensure that the ArgoCD instance can manage the <uipath> namespace:
    oc label namespace <uipath> argocd.argoproj.io/managed-by=<argocd_namespace>oc label namespace <uipath> argocd.argoproj.io/managed-by=<argocd_namespace>
    After you apply the configuration, restart the ArgoCD application-controler (statefulset) and server (deployment).

Accessing the dedicated ArgoCD instance

To access ArgoCD, take the following steps:

  1. Get the host URL:
    oc get routes argocd-server -n <uipath> -o jsonpath={.spec.host}; echooc get routes argocd-server -n <uipath> -o jsonpath={.spec.host}; echo
  2. To log in, use admin as the username and run the following command to get the password:
    oc -n <uipath> get secrets argocd-cluster \
  -o "jsonpath={.data['admin\.password']}" | base64 -d; echooc -n <uipath> get secrets argocd-cluster \
  -o "jsonpath={.data['admin\.password']}" | base64 -d; echo

Configuring the private Helm repository and certificates in ArgoCD

To configure the Helm repository in ArgoCD, take the following steps:
  1. Log into ArgoCD.
  2. Navigate to Settings > Repositories > +CONNECT REPO.
  3. Use VIA HTTPS for the connection method.
  4. Select Helm as the type.
  5. Provide a name.
  6. Choose default as the project.
  7. Provide the repository URL, username, password, and certificate info.
  8. Enable the OCI checkbox.
  9. Click Connect.
  10. Make sure that the connection status is Successful.

Configuring a shared GitOps instance

If your platform team has not already provisioned the shared OpenShift GitOps Operator instance, take the following installation and configuration steps:
  1. Create the <uipath> namespace:
    oc get namespace <uipath> || oc new-project <uipath>
oc project <uipath>oc get namespace <uipath> || oc new-project <uipath>
oc project <uipath>
  2. Install the OpenShift GitOps Operator by following the instructions in Installing OpenShift GitOps. This installation comes with the default ArgoCD instance, named openshift-gitops, in the <openshift-gitops> namespace.
  3. Enable cluster-wide mode for ArgoCD by taking the following steps:
    1. In <openshift-gitops>, edit the openshift-gitops-operator subscription resource to include the following environment variable:
      ARGOCD_CLUSTER_CONFIG_NAMESPACES: <openshift-gitops>ARGOCD_CLUSTER_CONFIG_NAMESPACES: <openshift-gitops>
  4. Make sure that the openshift-gitops ArgoCD instance can manage the <uipath> namespace:
    oc label namespace <uipath> argocd.argoproj.io/managed-by=openshift-gitopsoc label namespace <uipath> argocd.argoproj.io/managed-by=openshift-gitops
    After you apply the configuration, restart the ArgoCD openshift-gitops-application-controller (statefulset) and openshift-gitops-server (deployment).
  5. Patch the ArgoCD deployment:
    oc -n <uipath> patch deployment argocd-server 
  -p '{"spec":{"template":{"metadata":{"labels":{"maistra.io/expose-route":"true"}}}}}'oc -n <uipath> patch deployment argocd-server 
  -p '{"spec":{"template":{"metadata":{"labels":{"maistra.io/expose-route":"true"}}}}}'
  6. Create an ArgoCD project for the UiPath® application:
    apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: uipath
  namespace: <openshift-gitops>
spec:
  description: Appproject to managed and deploy uipath applications
  clusterResourceWhitelist:
    - group: '*'
      kind: '*'
  destinations:
    - namespace: <uipath>
      server: https://kubernetes.default.svc
    - namespace: <istio-system>
      server: https://kubernetes.default.svc
  sourceNamespaces:
    - <openshift-gitops>
  sourceRepos:
    - '*'apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: uipath
  namespace: <openshift-gitops>
spec:
  description: Appproject to managed and deploy uipath applications
  clusterResourceWhitelist:
    - group: '*'
      kind: '*'
  destinations:
    - namespace: <uipath>
      server: https://kubernetes.default.svc
    - namespace: <istio-system>
      server: https://kubernetes.default.svc
  sourceNamespaces:
    - <openshift-gitops>
  sourceRepos:
    - '*'
  7. Create a role so that ArgoCD can manage limit ranges:
    kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: limit-range-manager
  namespace: <uipath>
rules:
  - apiGroups: ["*"]
    resources: ["limitranges"]
    verbs: ["get", "watch", "list", "patch", "update", "create"]kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: limit-range-manager
  namespace: <uipath>
rules:
  - apiGroups: ["*"]
    resources: ["limitranges"]
    verbs: ["get", "watch", "list", "patch", "update", "create"]
  8. Bind the limit-range-manager role to the argocd service account:
    oc -n <uipath> create rolebinding limit-range-manager-binding --role=limit-range-manager --serviceaccount=<openshift-gitops>:openshift-gitops-argocd-application-controlleroc -n <uipath> create rolebinding limit-range-manager-binding --role=limit-range-manager --serviceaccount=<openshift-gitops>:openshift-gitops-argocd-application-controller
  9. Create a role to manage the applications in the <openshift-gitops> namespace:
    apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: uipath-application-manager
  namespace: <openshift-gitops>
rules:
- apiGroups:
  - argoproj.io
  resources:
  - applications
  verbs:
  - "*"apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: uipath-application-manager
  namespace: <openshift-gitops>
rules:
- apiGroups:
  - argoproj.io
  resources:
  - applications
  verbs:
  - "*"
  10. Bind the uipath-application-manager role to the uipathadmin service account:
    oc project <openshift-gitops>
oc create rolebinding uipath-application-manager \
  --role=uipath-application-manager --serviceaccount=<uipath>:uipathadminoc project <openshift-gitops>
oc create rolebinding uipath-application-manager \
  --role=uipath-application-manager --serviceaccount=<uipath>:uipathadmin
  11. Create a role so that ArgoCD can create and edit the secret in the <openshift-gitops> namespace. The ArgoCD application requires this role to update the Helm secret. The following sample shows a valid configuration for the role:
    apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: argo-secret-role
  namespace: <openshift-gitops>
rules:
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["roles", "rolebindings"]
    verbs: ["*"]
  - apiGroups: ["*"]
    resources: ["secrets"]
    verbs: ["get", "watch", "list", "patch", "update", "create"]apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: argo-secret-role
  namespace: <openshift-gitops>
rules:
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["roles", "rolebindings"]
    verbs: ["*"]
  - apiGroups: ["*"]
    resources: ["secrets"]
    verbs: ["get", "watch", "list", "patch", "update", "create"]
  12. Bind the argo-secret-role role to the uipathadmin service account:
    oc project <openshift-gitops>
oc create rolebinding secret-binding \
  --role=argo-secret-role --serviceaccount=<uipath>:uipathadminoc project <openshift-gitops>
oc create rolebinding secret-binding \
  --role=argo-secret-role --serviceaccount=<uipath>:uipathadmin
  13. Bind the namespace-reader role in the <openshift-gitops> namespace to the uipathadmin service account:
    oc project <openshift-gitops>
oc create rolebinding namespace-reader-rolebinding \
  --clusterrole=namespace-reader-clusterrole --serviceaccount=<uipath>:uipathadminoc project <openshift-gitops>
oc create rolebinding namespace-reader-rolebinding \
  --clusterrole=namespace-reader-clusterrole --serviceaccount=<uipath>:uipathadmin
In addition to completing the steps to configure the shared ArgoCD instance for the Automation Suite installation, you must add the following parameters to the input.json file:
"argocd": {
    "project": "<uipath>"
  },  "argocd": {
    "project": "<uipath>"
  },

Accessing the shared ArgoCD instance

To access ArgoCD, take the following steps:

  1. Get the host URL by running the following commands:
    oc get routes openshift-gitops-server -n openshift-gitops -o jsonpath={.spec.host}; echooc get routes openshift-gitops-server -n openshift-gitops -o jsonpath={.spec.host}; echo
  2. To log in, use admin as the username and run the following command to get the password:
    oc -n <openshift-gitops> get secrets openshift-gitops-cluster \
  -o "jsonpath={.data['admin\.password']}" | base64 -d; echooc -n <openshift-gitops> get secrets openshift-gitops-cluster \
  -o "jsonpath={.data['admin\.password']}" | base64 -d; echo

Configuring the private Helm repository and certificates in ArgoCD

To configure the Helm repository in ArgoCD, take the following steps:
  1. Log into ArgoCD.
  2. Navigate to Settings > Repositories > +CONNECT REPO.
  3. Use VIA HTTPS for the connection method.
  4. Select Helm as the type.
  5. Provide a name.
  6. Choose uipath as the project. uipath is the name of the ArgoCD project you created for the UiPath® application.
  7. Provide the repository URL, username, password, and certificate info.
  8. Enable the OCI checkbox.
  9. Click Connect.
  10. Make sure that the connection status is Successful.

Was this page helpful?

Support and Services
Get The Help You Need
UiPath Academy
Learning RPA - Automation Courses
UiPath Forum
UiPath Community Forum
Uipath Logo White
Trust and Security
Terms of Use
Privacy Policy
Cookies Policy
© 2005-2024 UiPath. All rights reserved.