automation-suite
2022.4
false
- Overview
- Requirements
- Installation
- Post-installation
- Cluster administration
- Managing products
- Managing the cluster in ArgoCD
- Setting up the external NFS server
- Automated: Enabling the Backup on the Cluster
- Automated: Disabling the Backup on the Cluster
- Automated, Online: Restoring the Cluster
- Automated, Offline: Restoring the Cluster
- Manual: Enabling the Backup on the Cluster
- Manual: Disabling the Backup on the Cluster
- Manual, Online: Restoring the Cluster
- Manual, Offline: Restoring the Cluster
- Additional configuration
- Migrating objectstore from persistent volume to raw disks
- Monitoring and alerting
- Migration and upgrade
- Migration options
- Step 1: Moving the Identity organization data from standalone to Automation Suite
- Step 2: Restoring the standalone product database
- Step 3: Backing up the platform database in Automation Suite
- Step 4: Merging organizations in Automation Suite
- Step 5: Updating the migrated product connection strings
- Step 6: Migrating standalone Insights
- Step 7: Deleting the default tenant
- B) Single tenant migration
- Product-specific configuration
- Best practices and maintenance
- Troubleshooting
- How to Troubleshoot Services During Installation
- How to Uninstall the Cluster
- How to clean up offline artifacts to improve disk space
- How to clear Redis data
- How to enable Istio logging
- How to manually clean up logs
- How to clean up old logs stored in the sf-logs bucket
- How to disable streaming logs for AI Center
- How to debug failed Automation Suite installations
- How to delete images from the old installer after upgrade
- How to automatically clean up Longhorn snapshots
- How to disable TX checksum offloading
- How to address weak ciphers in TLS 1.2
- Unable to run an offline installation on RHEL 8.4 OS
- Error in Downloading the Bundle
- Offline installation fails because of missing binary
- Certificate issue in offline installation
- First installation fails during Longhorn setup
- SQL connection string validation error
- Prerequisite check for selinux iscsid module fails
- Azure disk not marked as SSD
- Failure After Certificate Update
- Automation Suite not working after OS upgrade
- Automation Suite Requires Backlog_wait_time to Be Set 1
- Volume unable to mount due to not being ready for workloads
- RKE2 fails during installation and upgrade
- Failure to upload or download data in objectstore
- PVC resize does not heal Ceph
- Failure to Resize Objectstore PVC
- Rook Ceph or Looker pod stuck in Init state
- StatefulSet volume attachment error
- Failure to create persistent volumes
- Storage reclamation patch
- Backup failed due to TooManySnapshots error
- All Longhorn replicas are faulted
- Setting a timeout interval for the management portals
- Update the underlying directory connections
- Cannot Log in After Migration
- Kinit: Cannot Find KDC for Realm <AD Domain> While Getting Initial Credentials
- Kinit: Keytab Contains No Suitable Keys for *** While Getting Initial Credentials
- GSSAPI Operation Failed With Error: An Invalid Status Code Was Supplied (Client's Credentials Have Been Revoked).
- Alarm Received for Failed Kerberos-tgt-update Job
- SSPI Provider: Server Not Found in Kerberos Database
- Login Failed for User <ADDOMAIN><aduser>. Reason: The Account Is Disabled.
- ArgoCD login failed
- Failure to get the sandbox image
- Pods not showing in ArgoCD UI
- Redis Probe Failure
- RKE2 Server Fails to Start
- Secret Not Found in UiPath Namespace
- After the Initial Install, ArgoCD App Went Into Progressing State
- MongoDB pods in CrashLoopBackOff or pending PVC provisioning after deletion
- Unexpected Inconsistency; Run Fsck Manually
- Degraded MongoDB or Business Applications After Cluster Restore
- Missing Self-heal-operator and Sf-k8-utils Repo
- Unhealthy Services After Cluster Restore or Rollback
- RabbitMQ pod stuck in CrashLoopBackOff
- Prometheus in CrashloopBackoff state with out-of-memory (OOM) error
- Missing Ceph-rook metrics from monitoring dashboards
- Pods cannot communicate with FQDN in a proxy environment
- Using the Automation Suite Diagnostics Tool
- Using the Automation Suite Support Bundle Tool
- Exploring Logs
Automation Suite Installation Guide
Last updated Nov 4, 2024
Configuring the cluster
The
configureUiPathAS.sh script helps you control and manage Automation Suite. The tool comes with the installation bundle and is available in the
main installer folder. configureUiPathAS.sh is currently capable of performing only a few operations.
To view more information about
configureUiPathAS.sh, run:
sudo ./configureUiPathAS.sh --helpsudo ./configureUiPathAS.sh --helpYou should see the following output:
configureUiPathAS.sh controls and manage UiPath Automation Suites
Usage:
configureUiPathAS.sh [command]
configureUiPathAS.sh [flags]
Available Commands:
config Manage cluster configuration
tls-cert Manage tls and server certificate
additional-ca-certs Manage additional ca certificates
identity Manage identity service
objectstore Manage objectstore
registry Manage registry
monitoring Manage monitoring
rabbitmq Manage rabbitmq
mongodb Manage mongo
node Manage k8s nodes
enable-maintenance-mode Enables maintenance mode on the Cluster
disable-maintenance-mode Disables maintenance mode on the Cluster
is-maintenance-enabled Checks if maintenance mode is enabled on the Cluster
resume-scheduled-backups Resumes the paused scheduled backups
verify-volumes-backup Verify if all volumes are backed up
Flags:
-h|--help Display help
***************************************************************************************```configureUiPathAS.sh controls and manage UiPath Automation Suites
Usage:
configureUiPathAS.sh [command]
configureUiPathAS.sh [flags]
Available Commands:
config Manage cluster configuration
tls-cert Manage tls and server certificate
additional-ca-certs Manage additional ca certificates
identity Manage identity service
objectstore Manage objectstore
registry Manage registry
monitoring Manage monitoring
rabbitmq Manage rabbitmq
mongodb Manage mongo
node Manage k8s nodes
enable-maintenance-mode Enables maintenance mode on the Cluster
disable-maintenance-mode Disables maintenance mode on the Cluster
is-maintenance-enabled Checks if maintenance mode is enabled on the Cluster
resume-scheduled-backups Resumes the paused scheduled backups
verify-volumes-backup Verify if all volumes are backed up
Flags:
-h|--help Display help
***************************************************************************************```You can use the
configureUiPathAS.sh script to manage the following components in the Automation Suite cluster:
- Server Certificate - Manage tls and server certificate (update and get the certificate)
- Additional CA Certificates - Manage additional CA certificates such as SQL server certificates, proxy server certificates, etc.
- Identity service - Manage identity service configurations such as token signing certificate, SAML certificates, Kerberos and Windows authentication, etc.
- Objectstore - Manage ceph objectstore (currently only supporting resizing of ceph pvc/storage)
- Registry - Manage docker registry (currently only supporting resizing of registry pvc/storage)
- Monitoring - Manage rancher server (currently only supporting resizing of rancher server pvc/storage)
- RabbitMQ - Manage rabbitmq message queue (currently only supporting resizing of rabbitmq pvc/storage)
- MongoDB - Manage mongodb datastore (currently only supporting resizing of mongodb pvc/storage and certificate management)
To update the connection string or credentials to the SQL Server, directly edit the
cluster_config.json file on the primary the server node. You can directly edit the SQL fields (sql.username, sql.password, and sql.server_url) in the file based on what you need to update.
After updating the file, rerun the interactive installation wizard on the same machine with the updated config as the parameter. You only need to rerun the installation on the primary server.
To update the common Kerberos Auth configuration, take the following steps:
- Run the following command:
./configureUiPathAS.sh identity kerberos-auth global-config update --enabled [kerberos-enabled] --adDomain [ad-domain] --username [default-ad-username] --keytab [default-ad-user-keytab] --lifetime [ticketLifeTimeInHour]./configureUiPathAS.sh identity kerberos-auth global-config update --enabled [kerberos-enabled] --adDomain [ad-domain] --username [default-ad-username] --keytab [default-ad-user-keytab] --lifetime [ticketLifeTimeInHour]Note:- To manually generate the keytab file, see Setting up Kerberos authentication.
- The AD domain controller has the Maximum lifetime for user ticket Kerberos setting inside the Default Domain Policy. Make sure the ticket lifetime configured here is not longer than the setting on the domain controller.
Console output success
Updating kerberos auth.....Success!
If you wish to utilize SQL Integrated Auth using Kerberos,
please update the SQL connection string to enable Integrated Auth.
For more info on kerberos auth, <link>Updating kerberos auth.....Success!
If you wish to utilize SQL Integrated Auth using Kerberos,
please update the SQL connection string to enable Integrated Auth.
For more info on kerberos auth, <link>Console output failure
Updating kerberos auth.....Failed!
Please provide valid kerberos auth configuration values.Updating kerberos auth.....Failed!
Please provide valid kerberos auth configuration values.To update the AD username and/or AD user’s keytab for a specific service, take the following step:
Run the following command:
./configureUiPathAS.sh identity kerberos-auth service-config update --sg [service-group] --username [new-ad-username] --keytab [new-ad-user-keytab]./configureUiPathAS.sh identity kerberos-auth service-config update --sg [service-group] --username [new-ad-username] --keytab [new-ad-user-keytab]The following Service Groups are available (case-sensitive):
orchestratorplatformdiscoverygrouptestmanagerautomationopsaicenterdocumentunderstandinginsights-
dataserviceNote: To manually generate the keytab file, see Setting up Kerberos authentication.
Console output success
Updating kerberos config for <service-group> service group.....Success!
If you want to enable sql integrated auth for the <service-group> service goup,
please update the service's sql connection string. For more info on kerberos auth, <link>Updating kerberos config for <service-group> service group.....Success!
If you want to enable sql integrated auth for the <service-group> service goup,
please update the service's sql connection string. For more info on kerberos auth, <link>Console output failure
Updating kerberos config for <service-group> service group.....Failed!
Please provided a valid kerberos auth configuration values.
For more info on kerberos auth, <link>Updating kerberos config for <service-group> service group.....Failed!
Please provided a valid kerberos auth configuration values.
For more info on kerberos auth, <link>One system administrator is created in Automation Suite by default with the username admin on the host organization.
If access to the host organization is lost - for example, if the password for the system administrator is lost or the only users with system administrator accounts leave the company - there is a tool to add or restore a system administrator.
This script does not work if the SQL connection string parameter "Integrated Security=true" exists for platform services.
./configureUiPathAS.sh identity add-host-admin --username [new-admin-username] --email [new-admin-email] --password [new-admin-password]./configureUiPathAS.sh identity add-host-admin --username [new-admin-username] --email [new-admin-email] --password [new-admin-password]--usernameis a required field.--passwordis required only if the new administrator uses basic authentication to login.--emailis optional unless your external identity provider requires it (for example, Google matches by email, not username).
There are a few important notes about how the administrator is created or restored:
- New administrators cannot have the same username or email as an existing administrator. If you use the same username or email as an existing administrator, the existing administrator is updated. This is useful if you want to change the password.
- If an administrator was deleted and you use the same username or email for a new user, the deleted administrator will be restored instead of creating a new one. The password field is not overwritten in this case. An exceptional case is if multiple administrators were deleted with the same username or email, which results in a new administrator being created.
- If any of the external identity providers configured on the host are forced, that imposes restrictions on the parameters.
For instance, if Windows AD is forced, the username must be in the form
user@domain. If Google is forced, then email is required. - When logging in to a new administrator account for the first time, the password must be changed.
Organization and system administrators may be unable to log in due to an issue with their configured Azure Active Directory
or other external identity provider. Organization administrators may be locked out because the
Disable basic authentication flag is checked in the Authentication Settings. Organization and system administrators may be locked out because an external
identity provider was configured as force/exclusive. This tool will try to re-enable basic authentication for an organization.
This script does not work if the SQL connection string parameter
Integrated Security=true exists for platform services.
./configureUiPathAS.sh identity enable-basic-auth --orgname [org-name]./configureUiPathAS.sh identity enable-basic-auth --orgname [org-name]Note:
--orgname is a required field. If basic authentication is restricted at the host level, set the orgname to host.
The Istio ingress gateway configured in Automation Suite for routing, communicating between the services, and more uses TLS to secure the exchanges. To prevent any security threats, deprecated TLS protocol version are disabled by default.
Only TLS version 1.2 and above are currently supported, and if you use a previous version, it is recommended that you upgrade. However, it is still possible to connect using a previous TLS version, but you must first enable it on the Automation Suite server.
Important: TLS 1.0 and 1.1 are deprecated, and enabling these versions can pose a security risk. You are strongly recommended to upgrade
to TLS 1.2 or above instead of enabling lower versions on the server.
To enable an unsupported TLS version, take one of the following steps:
-
To enable support for TLS 1.0 and above, run the following command:
kubectl -n istio-system patch gateway main-gateway --type=json \ -p='[{ "op": "replace", "path": "/spec/servers/0/tls/minProtocolVersion", "value": "TLSV1_0"}]'kubectl -n istio-system patch gateway main-gateway --type=json \ -p='[{ "op": "replace", "path": "/spec/servers/0/tls/minProtocolVersion", "value": "TLSV1_0"}]' -
To enable support for TLS 1.1 and above, run the following command:
kubectl -n istio-system patch gateway main-gateway --type=json \ -p='[{ "op": "replace", "path": "/spec/servers/0/tls/minProtocolVersion", "value": "TLSV1_1"}]'kubectl -n istio-system patch gateway main-gateway --type=json \ -p='[{ "op": "replace", "path": "/spec/servers/0/tls/minProtocolVersion", "value": "TLSV1_1"}]'
