Automation Suite on OpenShift Installation Guide
Last updated 11. Nov. 2024

Installing and configuring the service mesh

Automation Suite requires the Istio service mesh for ingress and networking.

Red Hat provides OpenShift Service Mesh, which relies on Istio internally.

The service mesh installation and configuration is a two-step process. Which of the steps you must perform depends on whether or not you can grant the Automation Suite installer admin privileges over your cluster. For details, see the following table:

| Step | Admin privileges | No admin privileges |
|---|---|---|
| Step 1: Installing the service mesh | Required step | Required step |
| Step 2: Configuring Istio and installing the WASM plugin for routing | Step not required | Required step |

Step 1: Installing the service mesh

To install OpenShift Service Mesh, follow the instructions in the OpenShift Service Mesh documentation.

Note:

Automation Suite does not require applications such as Kiali and Jaeger. However, you can use them at your discretion.

UiPath® has no opinion on configuring the Service Mesh Operator to run on any node.

To create the OpenShift Service Mesh Control Plane, follow the instructions in the OpenShift Service Mesh Control Plane documentation. Make sure that you also take the following steps:
  1. Install the new instance of the service mesh control plane in the <istio-system> namespace.
  2. Use ClusterWide mode for the service mesh control plane. For MultiTenant mode, refer to point 3 on this page. The following block must be present under the spec section of the ServiceMeshControlPlane resource:
    gateways:
      enabled: true
      openshiftRoute:
        enabled: true
    mode: ClusterWide
    To disable the OpenShift route, refer to point 4 on this page.
  3. You can use MultiTenant mode for the service mesh control plane. This scenario requires you to explicitly create a service mesh member roll, as shown in the following sample:
    apiVersion: maistra.io/v1
    kind: ServiceMeshMemberRoll
    metadata:
      name: default
      namespace: <istio-system>
    spec:
      members:
        - <uipath>
  4. You also have the option to disable the OpenShift route. However, this choice comes with the additional responsibility of manually creating a route for the FQDN. For manual route creation, see the following sample:
    kind: Route
    apiVersion: route.openshift.io/v1
    metadata:
      name: uipath-route
      namespace: <istio-system>
      labels:
        app: istio-ingressgateway
        app.kubernetes.io/part-of: istio
        app.kubernetes.io/instance: <istio-system>
        maistra.io/owner-name: basic
        release: istio
        app.kubernetes.io/version: 2.6.1-1-1
        app.kubernetes.io/component: istio-ingress
        maistra-version: 2.6.1
        istio: ingressgateway
        app.kubernetes.io/managed-by: maistra-istio-operator
        maistra.io/owner: <istio-system>
        istio.io/rev: basic
        app.kubernetes.io/name: istio-ingress
    spec:
      to:
        kind: Service
        name: istio-ingressgateway
      tls:
        termination: passthrough
        insecureEdgeTerminationPolicy: Redirect
      host: <fqdn>
      port:
        targetPort: https
      alternateBackends: []
    
    Warning: Disabling the OpenShift route will lead to the following error when running the prerequisite checks:
    ❌ [ISTIO_SERVICEMESH_VALIDATION_URL_ACCESS] error accessing the url. unexpected status code: 503

Installing a specific version of OpenShift Service Mesh

Use a YAML file to install a specific version of OpenShift Service Mesh (OSSM). The following example file installs OSSM version 2.4.5:
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: servicemeshoperator
  namespace: openshift-operators
spec:
  channel: stable
  installPlanApproval: Manual
  name: servicemeshoperator
  source: redhat-operators
  sourceNamespace: openshift-marketplace
  startingCSV: servicemeshoperator.v2.4.5
If you plan to install a different OSSM version, replace servicemeshoperator.v2.4.5 with the correct value for your version in the YAML file. For example, to install OSSM version 2.5.0, enter servicemeshoperator.v2.5.0.
To install OSSM, run the following command:
oc apply -f <yaml>
Replace the <yaml> placeholder in the sample command with the name of your YAML file.
Important: After you install OSSM, you must manually approve the installation.

In the OpenShift console, go to Operators > Installed Operators > Servicemeshoperator > 1 requires approval > Preview Install Plan > Approve.

Providing the Istio configuration

To provide the Istio configuration, you must set the following parameters in the input.json file:
"ingress": {
  "gateway_selector": {
    "istio": "ingressgateway"
  },
  "ingress_gateway_secret": "istio-ingressgateway-certs",
  "namespace": "<istio-system>"
},
For more information on the Istio configuration parameters, see the following table:

| Parameter | Value |
|---|---|
| ingress.gateway_selector.istio | Default value: ingressgateway. If you have changed the value, use the following command to get the right value: oc -n <istio-system> get deploy istio-ingressgateway -o jsonpath="{.metadata.labels.istio}"; echo |
| ingress.ingress_gateway_secret | The name of the secret that contains the certificate files. The default value is istio-ingressgateway-certs. |
| ingress.namespace | The namespace where you have installed the service mesh. |

Step 2: Configuring Istio and installing the WASM plugin for routing

Important:

This step requires admin privileges for installation in the Istio namespace.

There are two ways to perform the installation:
  1. Before the Automation Suite installation. You must use this method if you cannot provide the permissions that the Automation Suite installer requires.
  2. During the Automation Suite installation. This method requires the Kubeconfig file that you use during the Automation Suite installation to have the necessary permissions. To review the permissions, refer to the Granting installation permissions section. If you can provide all the necessary permissions, then skip this step.

To configure Istio and install the WASM plugin for routing, take the following steps:

  1. Create an imagepullsecret in the namespace where you installed the service mesh. To create the imagepullsecret, use your typical workflow or take the following steps:
    registry="<registry_url>"   # registry where the UiPath images are hosted
    username="<user_name>"      # username used for authentication
    password="<password>"       # password used for authentication
    namespace="<namespace>"     # namespace where you want to create the secret

    oc create secret docker-registry uipathpullsecret --namespace="${namespace}" \
      --docker-server="${registry}" --docker-username="${username}" \
      --docker-password="${password}" --dry-run=client -o yaml \
      | oc apply -f -
  2. Pull the helm chart to a local directory, <uipath-istio-configure>:
    helm pull oci://<docker-registry>/helm/istio-configure --version <istio-configure-version> \
    --untar --untardir <uipath-istio-configure>
    The following example shows the command after you replace the placeholders with actual values:
    helm pull oci://registry.mycompany.com/helm/istio-configure --version 2024.10.0 \
    --untar --untardir uipath-istio-configure
  3. Create a parameter values file to apply during the Helm installation of istio-configure. Use the following sample as a template for the file, and replace the <fqdn>, <pullsecret>, <registry>, and <uipath_namespace> placeholders with appropriate values:
    fqdn: <fqdn>    # the FQDN of Automation Suite
    gateway:
      selector:
        istio: ingressgateway
    global:
      imagePullSecret:
        name: <pullsecret>    # name of the pull secret that you created earlier
    minProtocolVersion: TLSV1_2   # minimum TLS version
    uipath:
      registry: <registry>    # registry URL without the protocol
    uipathServiceNamespace: <uipath_namespace>   # namespace where the UiPath application is deployed
    patchIstioService: false
    wasm:
      image:
        pullSecret: <pullsecret>    # name of the pull secret that you created earlier
        registry: oci://<registry>   # <registry> is the registry URL without the protocol
  4. Install istio-configure in the Istio namespace, using Helm. In the following command, replace the <istio_namespace> placeholder with the namespace where Istio is installed, and the <path_to_the_values.yaml> placeholder with the location of the YAML file containing the parameter values:
    helm upgrade --debug --install --wait custom-istio-configure \
      uipath-istio-configure/istio-configure --version 2024.10.0 \
      --namespace <istio_namespace> -f <path_to_the_values.yaml>
  5. If you use a registry whose certificate is not signed by a known authority, you must add the WASM_INSECURE_REGISTRIES environment variable to the istio-ingressgateway deployment, so that Istio can pull the image that the WASM plugin uses. Istio does not verify the TLS certificate of the registries listed in this variable, so list only the registry that hosts the UiPath images. To add the environment variable, run the following command, replacing customer-registry.com with the host name of your registry:
    oc -n <istio-system> patch deployment istio-ingressgateway --type="json" --patch='[{"op":"add", "path": "/spec/template/spec/containers/0/env/-", "value": {"name": "WASM_INSECURE_REGISTRIES", "value": "customer-registry.com"}}]'
  6. Add istio-configure to the exclude_components section in your input.json file.
  7. Create certificate secrets using the name provided in ingress.ingress_gateway_secret within the <istio-system> namespace.
Note:

If you update the FQDN post-installation, one of the following scenarios applies:

  • If you grant the Automation Suite installer admin privileges and you did not add the istio-configure component to the exclude_components list in your input.json file, you do not need to perform any additional step.
  • If you do not grant the Automation Suite installer admin privileges and you added the istio-configure component to the exclude_components list in your input.json file, you must take the following steps:
    1. Update the parameter values file mentioned in Point 3 with the new FQDN.

    2. Repeat all the steps for configuring Istio and installing the WASM plugin for routing.
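
A pre-flight consistency check for the no-admin path described above, added here as an example and not UiPath code: it compares the ingress settings in input.json with the istio-configure values file before you run the installer. It assumes both files are already parsed into dictionaries (the values file with a YAML parser of your choice) and that exclude_components is a top-level array in input.json; the function names and sample values are constructed for illustration.

```python
import re

PLACEHOLDER = re.compile(r"<[^<>]+>")   # template text such as <fqdn>
WEAK_TLS = {"TLSV1_0", "TLSV1_1"}       # Istio protocol names below TLSV1_2

def leftover_placeholders(node, path=""):
    """Yield dotted paths of string values that still contain <placeholder> text."""
    if isinstance(node, (dict, list)):
        items = node.items() if isinstance(node, dict) else enumerate(node)
        for key, value in items:
            yield from leftover_placeholders(value, f"{path}.{key}" if path else str(key))
    elif isinstance(node, str) and PLACEHOLDER.search(node):
        yield path

def preflight(input_json, values):
    """Return findings; an empty list means input.json and the values file agree."""
    ingress = input_json.get("ingress", {})
    registry = values.get("uipath", {}).get("registry", "")
    wasm = values.get("wasm", {}).get("image", {})
    checks = [  # (passes, finding reported when it does not)
        (all(ingress.get(k) for k in ("gateway_selector", "ingress_gateway_secret", "namespace")),
         "input.json: an ingress parameter is missing"),
        (ingress.get("gateway_selector") == values.get("gateway", {}).get("selector"),
         "gateway selector differs between input.json and the values file"),
        # Assumption: exclude_components is a top-level array in input.json.
        ("istio-configure" in input_json.get("exclude_components", []),
         "input.json: istio-configure is not in exclude_components"),
        (values.get("minProtocolVersion") not in WEAK_TLS,
         "values: minProtocolVersion is below TLSV1_2"),
        # The template on this page fills both registry fields from one placeholder.
        ("://" not in registry and wasm.get("registry") == f"oci://{registry}",
         "values: wasm.image.registry is not oci:// plus uipath.registry"),
        (wasm.get("pullSecret") == values.get("global", {}).get("imagePullSecret", {}).get("name"),
         "values: wasm.image.pullSecret differs from global.imagePullSecret.name"),
    ]
    docs = {"input.json": input_json, "values": values}
    findings = [f"unreplaced placeholder: {p}" for p in leftover_placeholders(docs)]
    return findings + [finding for passes, finding in checks if not passes]

# Constructed sample data, not taken from a real deployment.
SAMPLE_INPUT = {"exclude_components": ["istio-configure"], "ingress": {
    "gateway_selector": {"istio": "ingressgateway"},
    "ingress_gateway_secret": "istio-ingressgateway-certs", "namespace": "istio-system"}}
SAMPLE_VALUES = {
    "gateway": {"selector": {"istio": "ingressgateway"}}, "minProtocolVersion": "TLSV1_2",
    "global": {"imagePullSecret": {"name": "uipathpullsecret"}},
    "uipath": {"registry": "registry.example.com"},
    "wasm": {"image": {"pullSecret": "uipathpullsecret", "registry": "oci://registry.example.com"}},
}
```

Call preflight() with your own parsed files; each returned string names the setting to correct before you install istio-configure or run the Automation Suite installer.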
