Meeting the Process Mining prerequisites

Installing cert-manager

The Dapr installation for Process Mining requires cert-manager.

To install Cert Manager via OpenShift Operators, follow the instructions in Installing the cert-manager Operator for Red Hat OpenShift.

To make sure that ArgoCD can create a certificate using cert-manager, you must provide the necessary permissions on cert-manager to ArgoCD.

The following sample shows a valid configuration for the ArgoCD cert-manager role:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: argocd-cert-manager-role
  namespace: <uipath>
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "issuers"]
    verbs: ["get", "create"]apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: argocd-cert-manager-role
  namespace: <uipath>
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "issuers"]
    verbs: ["get", "create"]

To create the role binding for a dedicated ArgoCD instance, run the following command:

oc project <uipath>
oc create rolebinding argocd-cert-manager-binding --role=argocd-cert-manager-role \
  --serviceaccount=<uipath>:argocd-argocd-application-controlleroc project <uipath>
oc create rolebinding argocd-cert-manager-binding --role=argocd-cert-manager-role \
  --serviceaccount=<uipath>:argocd-argocd-application-controller

To create the role binding for a shared ArgoCD instance, run the following command:

oc project <uipath>
oc create rolebinding gitops-cert-manager-binding --role=argocd-cert-manager-role \
  --serviceaccount=<openshift-gitops>:openshift-gitops-argocd-application-controlleroc project <uipath>
oc create rolebinding gitops-cert-manager-binding --role=argocd-cert-manager-role \
  --serviceaccount=<openshift-gitops>:openshift-gitops-argocd-application-controller

Installing Dapr

To install Dapr, take the following steps:

Create a cluster-level role so that ArgoCD can manage custom resource definitions and mutating webhooks:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
  name: manage-crds
rules:
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ['*']
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["mutatingwebhookconfigurations"]
    verbs: ['*']apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
  name: manage-crds
rules:
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ['*']
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["mutatingwebhookconfigurations"]
    verbs: ['*']

Create a cluster-level role binding to bind the manage-crds role to the ArgoCD service account.

To create the role binding for a dedicated ArgoCD instance, use the following command:

oc create clusterrolebinding manage-crds-binding --clusterrole=manage-crds --serviceaccount=<uipath>:argocd-argocd-application-controlleroc create clusterrolebinding manage-crds-binding --clusterrole=manage-crds --serviceaccount=<uipath>:argocd-argocd-application-controller

To create the role binding for a shared ArgoCD instance, use the following command:

oc create clusterrolebinding manage-crds-binding --clusterrole=manage-crds --serviceaccount=<openshift-gitops>:openshift-gitops-argocd-application-controlleroc create clusterrolebinding manage-crds-binding --clusterrole=manage-crds --serviceaccount=<openshift-gitops>:openshift-gitops-argocd-application-controller

Create a role so that ArgoCD can manage the Dapr components:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dapr-creator
  namespace: <uipath>
rules:
  - apiGroups: ["dapr.io"]
    resources: ["components", "configurations", "resiliencies"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dapr-creator
  namespace: <uipath>
rules:
  - apiGroups: ["dapr.io"]
    resources: ["components", "configurations", "resiliencies"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]

Create a role binding between the dapr-creator role and the ArgoCD service account.

To create the role binding for a dedicated ArgoCD instance, use the following command:

oc project <uipath>
oc create rolebinding dapr-creator-binding --role=dapr-creator --serviceaccount=<uipath>:argocd-argocd-application-controlleroc project <uipath>
oc create rolebinding dapr-creator-binding --role=dapr-creator --serviceaccount=<uipath>:argocd-argocd-application-controller

To create the role binding for a shared ArgoCD instance, use the following command:

oc project <uipath>
oc create rolebinding gitops-dapr-creator-binding --role=dapr-creator --serviceaccount=<openshift-gitops>:openshift-gitops-argocd-application-controlleroc project <uipath>
oc create rolebinding gitops-dapr-creator-binding --role=dapr-creator --serviceaccount=<openshift-gitops>:openshift-gitops-argocd-application-controller

Create an image pull secret in the <uipath> namespace. To create the image pull secret, you can use your typical workflow or take the following steps:

registry= <registry_url> #provide the registry where the UiPath images are hosted
username= <user_name> #provide the username which will be used for the authentication
password= <password> #provide the password which will be used for the authentication
namespace= <namespace> #namespace where you want to create a secret
oc create secret docker-registry uipathpullsecret --namespace=${namespace} \
  --docker-server=${registry} --docker-username=${username} \
  --docker-password=${password} --dry-run=client -o yaml \
  | oc apply -f -registry= <registry_url> #provide the registry where the UiPath images are hosted
username= <user_name> #provide the username which will be used for the authentication
password= <password> #provide the password which will be used for the authentication
namespace= <namespace> #namespace where you want to create a secret
oc create secret docker-registry uipathpullsecret --namespace=${namespace} \
  --docker-server=${registry} --docker-username=${username} \
  --docker-password=${password} --dry-run=client -o yaml \
  | oc apply -f -

Create the Argo application using the following YAML file:

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: dapr
  namespace: <argo_namespace>
spec:
  destination:
    namespace: <uipath_namespace>
    server: https://kubernetes.default.svc
  ignoreDifferences:
  - jsonPointers:
    - /data
    - /stringData
    - /metadata
    kind: Secret
  - group: apiextensions.k8s.io
    jsonPointers:
    - /spec/conversion
    kind: CustomResourceDefinition
  - group: admissionregistration.k8s.io
    jsonPointers:
    - /webhooks
    kind: MutatingWebhookConfiguration
  project: <project_name>
  source:
    chart: helm/dapr
    helm:
      valueFiles:
      - values.yaml
      values: |
        global:
          registry: <target-registry>/daprio
          imagePullSecrets: uipathpullsecret
          mtls:
            enabled: true
          prometheus:
            enabled: false
          logAsJson: true
          actors:
            enabled: false
          ha:
            enabled: false
            replicaCount: 1
          rbac:
            namespaced: true
          seccompProfile: RuntimeDefault
        dapr_dashboard:
          enabled: false
        dapr_operator:
          watchInterval: 1m
          resources:
            requests:
              cpu: 100m
              memory: 100Mi
            limits:
              cpu: "1"
              memory: 200Mi
          watchNamespace: <uipath_namespace>
          deploymentAnnotations:
            sidecar.istio.io/inject: "false"
        dapr_sidecar_injector:
          allowedServiceAccounts: <uipath_namespace>:default
          resources:
            requests:
              cpu: 100m
              memory: 30Mi
            limits:
              cpu: "1"
              memory: 100Mi
          sidecarDropALLCapabilities: true
          deploymentAnnotations:
            sidecar.istio.io/inject: "false"
        dapr_sentry:
          resources:
            requests:
              cpu: 100m
              memory: 30Mi
            limits:
              cpu: "1"
              memory: 100Mi
          deploymentAnnotations:
            sidecar.istio.io/inject: "false"
        dapr_rbac:
          secretReader:
            enabled: false
          createClusterScopedObjects: true
    repoURL: <target-registry>
    targetRevision: <dapr-version>
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    retry:
      backoff:
        duration: 10s
        factor: 2
        maxDuration: 1m
      limit: 1000
    syncOptions:
    - CreateNamespace=true
    - RespectIgnoreDifferences=trueapiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: dapr
  namespace: <argo_namespace>
spec:
  destination:
    namespace: <uipath_namespace>
    server: https://kubernetes.default.svc
  ignoreDifferences:
  - jsonPointers:
    - /data
    - /stringData
    - /metadata
    kind: Secret
  - group: apiextensions.k8s.io
    jsonPointers:
    - /spec/conversion
    kind: CustomResourceDefinition
  - group: admissionregistration.k8s.io
    jsonPointers:
    - /webhooks
    kind: MutatingWebhookConfiguration
  project: <project_name>
  source:
    chart: helm/dapr
    helm:
      valueFiles:
      - values.yaml
      values: |
        global:
          registry: <target-registry>/daprio
          imagePullSecrets: uipathpullsecret
          mtls:
            enabled: true
          prometheus:
            enabled: false
          logAsJson: true
          actors:
            enabled: false
          ha:
            enabled: false
            replicaCount: 1
          rbac:
            namespaced: true
          seccompProfile: RuntimeDefault
        dapr_dashboard:
          enabled: false
        dapr_operator:
          watchInterval: 1m
          resources:
            requests:
              cpu: 100m
              memory: 100Mi
            limits:
              cpu: "1"
              memory: 200Mi
          watchNamespace: <uipath_namespace>
          deploymentAnnotations:
            sidecar.istio.io/inject: "false"
        dapr_sidecar_injector:
          allowedServiceAccounts: <uipath_namespace>:default
          resources:
            requests:
              cpu: 100m
              memory: 30Mi
            limits:
              cpu: "1"
              memory: 100Mi
          sidecarDropALLCapabilities: true
          deploymentAnnotations:
            sidecar.istio.io/inject: "false"
        dapr_sentry:
          resources:
            requests:
              cpu: 100m
              memory: 30Mi
            limits:
              cpu: "1"
              memory: 100Mi
          deploymentAnnotations:
            sidecar.istio.io/inject: "false"
        dapr_rbac:
          secretReader:
            enabled: false
          createClusterScopedObjects: true
    repoURL: <target-registry>
    targetRevision: <dapr-version>
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    retry:
      backoff:
        duration: 10s
        factor: 2
        maxDuration: 1m
      limit: 1000
    syncOptions:
    - CreateNamespace=true
    - RespectIgnoreDifferences=true

The following table provides further information on replacing the placeholders in the YAML file with adequate values for the respective parameters:

Paramètre	Espace réservé	Description
`namespace`	`<argo_namespace>`	Use `<uipath>` for a dedicated ArgoCD instance. Use `<openshift-gitops>` for a shared ArgoCD instance.
`namespace` `watchNamespace`	`<uipath_namespace>`	Namespace for Automation Suite
`project`	`<project_name>`	For a dedicated ArgoCD instance, use `default` . For a shared ArgoCD instance, use the name of the project created for Automation Suite.
`registry` `repoURL`	`<target-registry>`	Helm chart registry
`targetRevision`	`<dapr-version>`	Version of the Dapr Helm chart from the `versions.json` file

Remarque :

If you update the FQDN post-installation, you must delete and recreate the Dapr application by taking the following steps:

In the ArgoCD UI, navigate to Dapr > Delete.
Install Dapr again by following all the steps in this section.

Generating the application YAML file via Bash script

You can also use the following Bash script to generate the application YAML file:

#!/bin/bash

echo "Enter the namespace of argocd applications"
read argocd_namespace

echo "Enter the name of uipath namespace"
read uipath_namespace


if [[ "${argocd_namespace}" == "openshift-gitops" ]]; then
  echo "Enter the argocd project name"
  read project
else
  project="default"
fi

echo "Enter the registry fqdn"
read registry_fqdn

echo "Enter the DAPR helm chart version"
read dapr_version

echo "-------------------- SUMMARY --------------------"
echo "Argocd Application namespace : $argocd_namespace"
echo "Uipath namespace             : $uipath_namespace"
echo "Argocd Project name          : $project"
echo "Helm registry FQDN           : $registry_fqdn"
echo "DAPR Version                 : $dapr_version"

echo "------------- Application yaml file-------------"

echo -n "apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: dapr
  namespace: $argocd_namespace
spec:
  destination:
    namespace: $uipath_namespace
    server: https://kubernetes.default.svc
  ignoreDifferences:
  - jsonPointers:
    - /data
    - /stringData
    - /metadata
    kind: Secret
  - group: apiextensions.k8s.io
    jsonPointers:
    - /spec/conversion
    kind: CustomResourceDefinition
  - group: admissionregistration.k8s.io
    jsonPointers:
    - /webhooks
    kind: MutatingWebhookConfiguration
  project: $project
  source:
    chart: helm/dapr
    helm:
      valueFiles:
      - values.yaml
      values: |
        global:
          registry: $registry_fqdn/daprio
          imagePullSecrets: uipathpullsecret
          mtls:
            enabled: true
          prometheus:
            enabled: false
          logAsJson: true
          actors:
            enabled: false
          ha:
            enabled: false
            replicaCount: 1
          rbac:
            namespaced: true
          seccompProfile: RuntimeDefault
        dapr_dashboard:
          enabled: false
        dapr_operator:
          watchInterval: 1m
          resources:
            requests:
              cpu: 100m
              memory: 100Mi
            limits:
              cpu: "1"
              memory: 200Mi
          watchNamespace: $uipath_namespace
          deploymentAnnotations:
            sidecar.istio.io/inject: "false"
        dapr_sidecar_injector:
          allowedServiceAccounts: $uipath_namespace:default
          resources:
            requests:
              cpu: 100m
              memory: 30Mi
            limits:
              cpu: "1"
              memory: 100Mi
          sidecarDropALLCapabilities: true
          deploymentAnnotations:
            sidecar.istio.io/inject: "false"
        dapr_sentry:
          resources:
            requests:
              cpu: 100m
              memory: 30Mi
            limits:
              cpu: "1"
              memory: 100Mi
          deploymentAnnotations:
            sidecar.istio.io/inject: "false"
        dapr_rbac:
          secretReader:
            enabled: false
          createClusterScopedObjects: true
    repoURL: $registry_fqdn
    targetRevision: $dapr_version
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    retry:
      backoff:
        duration: 10s
        factor: 2
        maxDuration: 1m
      limit: 1000
    syncOptions:
    - CreateNamespace=true
    - RespectIgnoreDifferences=true#!/bin/bash

echo "Enter the namespace of argocd applications"
read argocd_namespace

echo "Enter the name of uipath namespace"
read uipath_namespace


if [[ "${argocd_namespace}" == "openshift-gitops" ]]; then
  echo "Enter the argocd project name"
  read project
else
  project="default"
fi

echo "Enter the registry fqdn"
read registry_fqdn

echo "Enter the DAPR helm chart version"
read dapr_version

echo "-------------------- SUMMARY --------------------"
echo "Argocd Application namespace : $argocd_namespace"
echo "Uipath namespace             : $uipath_namespace"
echo "Argocd Project name          : $project"
echo "Helm registry FQDN           : $registry_fqdn"
echo "DAPR Version                 : $dapr_version"

echo "------------- Application yaml file-------------"

echo -n "apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: dapr
  namespace: $argocd_namespace
spec:
  destination:
    namespace: $uipath_namespace
    server: https://kubernetes.default.svc
  ignoreDifferences:
  - jsonPointers:
    - /data
    - /stringData
    - /metadata
    kind: Secret
  - group: apiextensions.k8s.io
    jsonPointers:
    - /spec/conversion
    kind: CustomResourceDefinition
  - group: admissionregistration.k8s.io
    jsonPointers:
    - /webhooks
    kind: MutatingWebhookConfiguration
  project: $project
  source:
    chart: helm/dapr
    helm:
      valueFiles:
      - values.yaml
      values: |
        global:
          registry: $registry_fqdn/daprio
          imagePullSecrets: uipathpullsecret
          mtls:
            enabled: true
          prometheus:
            enabled: false
          logAsJson: true
          actors:
            enabled: false
          ha:
            enabled: false
            replicaCount: 1
          rbac:
            namespaced: true
          seccompProfile: RuntimeDefault
        dapr_dashboard:
          enabled: false
        dapr_operator:
          watchInterval: 1m
          resources:
            requests:
              cpu: 100m
              memory: 100Mi
            limits:
              cpu: "1"
              memory: 200Mi
          watchNamespace: $uipath_namespace
          deploymentAnnotations:
            sidecar.istio.io/inject: "false"
        dapr_sidecar_injector:
          allowedServiceAccounts: $uipath_namespace:default
          resources:
            requests:
              cpu: 100m
              memory: 30Mi
            limits:
              cpu: "1"
              memory: 100Mi
          sidecarDropALLCapabilities: true
          deploymentAnnotations:
            sidecar.istio.io/inject: "false"
        dapr_sentry:
          resources:
            requests:
              cpu: 100m
              memory: 30Mi
            limits:
              cpu: "1"
              memory: 100Mi
          deploymentAnnotations:
            sidecar.istio.io/inject: "false"
        dapr_rbac:
          secretReader:
            enabled: false
          createClusterScopedObjects: true
    repoURL: $registry_fqdn
    targetRevision: $dapr_version
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    retry:
      backoff:
        duration: 10s
        factor: 2
        maxDuration: 1m
      limit: 1000
    syncOptions:
    - CreateNamespace=true
    - RespectIgnoreDifferences=true

Configuring Airflow

ArgoCD requires the following role during the Airflow installation:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: anyuid-role
  namespace: <uipath>
rules:
  - apiGroups: ["security.openshift.io"]
    resources: ["securitycontextconstraints"]
    resourceNames: ["anyuid"]
    verbs: ["use"]apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: anyuid-role
  namespace: <uipath>
rules:
  - apiGroups: ["security.openshift.io"]
    resources: ["securitycontextconstraints"]
    resourceNames: ["anyuid"]
    verbs: ["use"]

To create the role binding for a dedicated ArgoCD instance, run the following command:

oc create rolebinding argocd-anyuid-binding --role=anyuid-role \
  --serviceaccount=<uipath>:argocd-argocd-application-controller -n <uipath>oc create rolebinding argocd-anyuid-binding --role=anyuid-role \
  --serviceaccount=<uipath>:argocd-argocd-application-controller -n <uipath>