Guide d'installation d'Automation Suite sur OpenShift

Dernière mise à jour 18 déc. 2024

Remplir les conditions préalables de Process Mining

Installation de cert-manager

L'installation de Dapr pour Process Mining nécessite cert-manager.

Pour installer Cert Manager via les opérateurs OpenShift, suivez les instructions détaillées dans Installation de l'opérateur cert-manager pour Red Hat OpenShift.

Pour vous assurer qu'ArgoCD peut créer un certificat à l'aide de cert-manager, vous devez fournir les autorisations nécessaires sur cert-manager à ArgoCD.

L'exemple suivant montre une configuration valide pour le rôle ArgoCD cert-manager :

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: argocd-cert-manager-role
  namespace: <uipath>
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "issuers"]
    verbs: ["get", "create"]apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: argocd-cert-manager-role
  namespace: <uipath>
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "issuers"]
    verbs: ["get", "create"]

To create the role binding for a dedicated ArgoCD instance, run the following command:

oc project <uipath>
oc create rolebinding argocd-cert-manager-binding --role=argocd-cert-manager-role \
  --serviceaccount=<argocd>:argocd-argocd-application-controlleroc project <uipath>
oc create rolebinding argocd-cert-manager-binding --role=argocd-cert-manager-role \
  --serviceaccount=<argocd>:argocd-argocd-application-controller

Pour créer la liaison de rôle pour une instance ArgoCD partagée, exécutez la commande suivante :

oc project <uipath>
oc create rolebinding gitops-cert-manager-binding --role=argocd-cert-manager-role \
  --serviceaccount=<openshift-gitops>:openshift-gitops-argocd-application-controlleroc project <uipath>
oc create rolebinding gitops-cert-manager-binding --role=argocd-cert-manager-role \
  --serviceaccount=<openshift-gitops>:openshift-gitops-argocd-application-controller

Installation de Dapr

Pour installer Dapr, procédez comme suit :

Create a cluster-level role so that ArgoCD can manage custom resource definitions and mutating webhooks. To create the role, take the following steps:

Enregistrez la configuration de rôle suivante sous forme de fichier YAML :

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
  name: manage-crds
rules:
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ['*']
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["mutatingwebhookconfigurations"]
    verbs: ['*']apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
  name: manage-crds
rules:
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ['*']
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["mutatingwebhookconfigurations"]
    verbs: ['*']

Appliquez la configuration en exécutant la commande suivante. Assurez-vous de remplacer l'espace réservé <file_name.yaml> par le nom réel du fichier YAML :
```
oc apply -f <file_name.yaml>oc apply -f <file_name.yaml>
```

Créez une liaison de rôle au niveau du cluster pour lier le rôle manage-crds au compte de service ArgoCD.

To create the role binding for a dedicated ArgoCD instance, use the following command:

oc create clusterrolebinding manage-crds-binding --clusterrole=manage-crds --serviceaccount=<argocd>:argocd-argocd-application-controlleroc create clusterrolebinding manage-crds-binding --clusterrole=manage-crds --serviceaccount=<argocd>:argocd-argocd-application-controller

Pour créer la liaison de rôle pour une instance ArgoCD partagée, utilisez la commande suivante :

oc create clusterrolebinding manage-crds-binding --clusterrole=manage-crds --serviceaccount=<openshift-gitops>:openshift-gitops-argocd-application-controlleroc create clusterrolebinding manage-crds-binding --clusterrole=manage-crds --serviceaccount=<openshift-gitops>:openshift-gitops-argocd-application-controller

Create a role so that ArgoCD can manage the Dapr components. To create the role, take the following steps:

Enregistrez la configuration de rôle suivante sous forme de fichier YAML :

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dapr-creator
  namespace: <uipath>
rules:
  - apiGroups: ["dapr.io"]
    resources: ["components", "configurations", "resiliencies"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dapr-creator
  namespace: <uipath>
rules:
  - apiGroups: ["dapr.io"]
    resources: ["components", "configurations", "resiliencies"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]

Appliquez la configuration en exécutant la commande suivante. Assurez-vous de remplacer l'espace réservé <file_name.yaml> par le nom réel du fichier YAML :
```
oc apply -f <file_name.yaml>oc apply -f <file_name.yaml>
```

Créez une liaison de rôle entre le rôle dapr-creator et le compte de service ArgoCD.

To create the role binding for a dedicated ArgoCD instance, use the following command:

oc project <uipath>
oc create rolebinding dapr-creator-binding --role=dapr-creator --serviceaccount=<argocd>:argocd-argocd-application-controlleroc project <uipath>
oc create rolebinding dapr-creator-binding --role=dapr-creator --serviceaccount=<argocd>:argocd-argocd-application-controller

Pour créer la liaison de rôle pour une instance ArgoCD partagée, utilisez la commande suivante :

oc project <uipath>
oc create rolebinding gitops-dapr-creator-binding --role=dapr-creator --serviceaccount=<openshift-gitops>:openshift-gitops-argocd-application-controlleroc project <uipath>
oc create rolebinding gitops-dapr-creator-binding --role=dapr-creator --serviceaccount=<openshift-gitops>:openshift-gitops-argocd-application-controller

Créez une clé secrète d'extraction d'image dans l'espace de noms <uipath> . Pour créer la clé secrète d’extraction de l’image, vous pouvez utiliser votre workflow standard ou suivre les étapes suivantes :

registry= <registry_url> #provide the registry where the UiPath images are hosted
username= <user_name> #provide the username which will be used for the authentication
password= <password> #provide the password which will be used for the authentication
namespace= <namespace> #namespace where you want to create a secret
oc create secret docker-registry uipathpullsecret --namespace=${namespace} \
  --docker-server=${registry} --docker-username=${username} \
  --docker-password=${password} --dry-run=client -o yaml \
  | oc apply -f -registry= <registry_url> #provide the registry where the UiPath images are hosted
username= <user_name> #provide the username which will be used for the authentication
password= <password> #provide the password which will be used for the authentication
namespace= <namespace> #namespace where you want to create a secret
oc create secret docker-registry uipathpullsecret --namespace=${namespace} \
  --docker-server=${registry} --docker-username=${username} \
  --docker-password=${password} --dry-run=client -o yaml \
  | oc apply -f -

Créez l'application Argo en utilisant le fichier YAML suivant :

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: dapr
  namespace: <argo_namespace>
spec:
  destination:
    namespace: <uipath_namespace>
    server: https://kubernetes.default.svc
  ignoreDifferences:
  - jsonPointers:
    - /data
    - /stringData
    - /metadata
    kind: Secret
  - group: apiextensions.k8s.io
    jsonPointers:
    - /spec/conversion
    kind: CustomResourceDefinition
  - group: admissionregistration.k8s.io
    jsonPointers:
    - /webhooks
    kind: MutatingWebhookConfiguration
  project: <project_name>
  source:
    chart: helm/dapr
    helm:
      valueFiles:
      - values.yaml
      values: |
        global:
          registry: <target-registry>/daprio
          imagePullSecrets: uipathpullsecret
          mtls:
            enabled: true
          prometheus:
            enabled: false
          logAsJson: true
          actors:
            enabled: false
          ha:
            enabled: false
            replicaCount: 1
          rbac:
            namespaced: true
          seccompProfile: RuntimeDefault
        dapr_dashboard:
          enabled: false
        dapr_operator:
          watchInterval: 1m
          resources:
            requests:
              cpu: 100m
              memory: 100Mi
            limits:
              cpu: "1"
              memory: 200Mi
          watchNamespace: <uipath_namespace>
          deploymentAnnotations:
            sidecar.istio.io/inject: "false"
        dapr_sidecar_injector:
          allowedServiceAccounts: <uipath_namespace>:default
          resources:
            requests:
              cpu: 100m
              memory: 30Mi
            limits:
              cpu: "1"
              memory: 100Mi
          sidecarDropALLCapabilities: true
          deploymentAnnotations:
            sidecar.istio.io/inject: "false"
        dapr_sentry:
          resources:
            requests:
              cpu: 100m
              memory: 30Mi
            limits:
              cpu: "1"
              memory: 100Mi
          deploymentAnnotations:
            sidecar.istio.io/inject: "false"
        dapr_rbac:
          secretReader:
            enabled: false
          createClusterScopedObjects: true
    repoURL: <target-registry>
    targetRevision: <dapr-version>
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    retry:
      backoff:
        duration: 10s
        factor: 2
        maxDuration: 1m
      limit: 1000
    syncOptions:
    - CreateNamespace=true
    - RespectIgnoreDifferences=trueapiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: dapr
  namespace: <argo_namespace>
spec:
  destination:
    namespace: <uipath_namespace>
    server: https://kubernetes.default.svc
  ignoreDifferences:
  - jsonPointers:
    - /data
    - /stringData
    - /metadata
    kind: Secret
  - group: apiextensions.k8s.io
    jsonPointers:
    - /spec/conversion
    kind: CustomResourceDefinition
  - group: admissionregistration.k8s.io
    jsonPointers:
    - /webhooks
    kind: MutatingWebhookConfiguration
  project: <project_name>
  source:
    chart: helm/dapr
    helm:
      valueFiles:
      - values.yaml
      values: |
        global:
          registry: <target-registry>/daprio
          imagePullSecrets: uipathpullsecret
          mtls:
            enabled: true
          prometheus:
            enabled: false
          logAsJson: true
          actors:
            enabled: false
          ha:
            enabled: false
            replicaCount: 1
          rbac:
            namespaced: true
          seccompProfile: RuntimeDefault
        dapr_dashboard:
          enabled: false
        dapr_operator:
          watchInterval: 1m
          resources:
            requests:
              cpu: 100m
              memory: 100Mi
            limits:
              cpu: "1"
              memory: 200Mi
          watchNamespace: <uipath_namespace>
          deploymentAnnotations:
            sidecar.istio.io/inject: "false"
        dapr_sidecar_injector:
          allowedServiceAccounts: <uipath_namespace>:default
          resources:
            requests:
              cpu: 100m
              memory: 30Mi
            limits:
              cpu: "1"
              memory: 100Mi
          sidecarDropALLCapabilities: true
          deploymentAnnotations:
            sidecar.istio.io/inject: "false"
        dapr_sentry:
          resources:
            requests:
              cpu: 100m
              memory: 30Mi
            limits:
              cpu: "1"
              memory: 100Mi
          deploymentAnnotations:
            sidecar.istio.io/inject: "false"
        dapr_rbac:
          secretReader:
            enabled: false
          createClusterScopedObjects: true
    repoURL: <target-registry>
    targetRevision: <dapr-version>
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    retry:
      backoff:
        duration: 10s
        factor: 2
        maxDuration: 1m
      limit: 1000
    syncOptions:
    - CreateNamespace=true
    - RespectIgnoreDifferences=true

Le tableau suivant fournit d'autres informations sur le remplacement des espaces réservés dans le fichier YAML par des valeurs adéquates pour les paramètres respectifs :

Paramètre	Espace réservé	Description
`namespace`	`<argo_namespace>`	Utilisez `<argocd>` pour une instance ArgoCD dédiée. Utilisez `<openshift-gitops>` pour une instance ArgoCD partagée.
`namespace` `watchNamespace`	`<uipath_namespace>`	Espace de noms pour Automation Suite
`project`	`<project_name>`	Pour une instance ArgoCD dédiée, utilisez `default` . Pour une instance ArgoCD partagée, utilisez le nom du projet créé pour Automation Suite.
`registry` `repoURL`	`<target-registry>`	Registre de graphiques Helm
`targetRevision`	`<dapr-version>`	Version du graphique Helm Dapr du fichier `versions.json`

Remarque :

Si vous mettez à jour le nom de domaine complet après l'installation, vous devez supprimer et recréer l'application Dapr en procédant comme suit :

Dans l'interface utilisateur ArgoCD, accédez à Dapr > Supprimer (Delete).
Réinstallez Dapr en suivant toutes les étapes de cette section.

Génération du fichier d'application YAML via le script Bash

Vous pouvez également utiliser le script Bash suivant pour générer le fichier YAML de l'application :

#!/bin/bash

echo "Enter the namespace of argocd applications"
read argocd_namespace

echo "Enter the name of uipath namespace"
read uipath_namespace


if [[ "${argocd_namespace}" == "openshift-gitops" ]]; then
  echo "Enter the argocd project name"
  read project
else
  project="default"
fi

echo "Enter the registry fqdn"
read registry_fqdn

echo "Enter the DAPR helm chart version"
read dapr_version

echo "-------------------- SUMMARY --------------------"
echo "Argocd Application namespace : $argocd_namespace"
echo "Uipath namespace             : $uipath_namespace"
echo "Argocd Project name          : $project"
echo "Helm registry FQDN           : $registry_fqdn"
echo "DAPR Version                 : $dapr_version"

echo "------------- Application yaml file-------------"

echo -n "apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: dapr
  namespace: $argocd_namespace
spec:
  destination:
    namespace: $uipath_namespace
    server: https://kubernetes.default.svc
  ignoreDifferences:
  - jsonPointers:
    - /data
    - /stringData
    - /metadata
    kind: Secret
  - group: apiextensions.k8s.io
    jsonPointers:
    - /spec/conversion
    kind: CustomResourceDefinition
  - group: admissionregistration.k8s.io
    jsonPointers:
    - /webhooks
    kind: MutatingWebhookConfiguration
  project: $project
  source:
    chart: helm/dapr
    helm:
      valueFiles:
      - values.yaml
      values: |
        global:
          registry: $registry_fqdn/daprio
          imagePullSecrets: uipathpullsecret
          mtls:
            enabled: true
          prometheus:
            enabled: false
          logAsJson: true
          actors:
            enabled: false
          ha:
            enabled: false
            replicaCount: 1
          rbac:
            namespaced: true
          seccompProfile: RuntimeDefault
        dapr_dashboard:
          enabled: false
        dapr_operator:
          watchInterval: 1m
          resources:
            requests:
              cpu: 100m
              memory: 100Mi
            limits:
              cpu: "1"
              memory: 200Mi
          watchNamespace: $uipath_namespace
          deploymentAnnotations:
            sidecar.istio.io/inject: "false"
        dapr_sidecar_injector:
          allowedServiceAccounts: $uipath_namespace:default
          resources:
            requests:
              cpu: 100m
              memory: 30Mi
            limits:
              cpu: "1"
              memory: 100Mi
          sidecarDropALLCapabilities: true
          deploymentAnnotations:
            sidecar.istio.io/inject: "false"
        dapr_sentry:
          resources:
            requests:
              cpu: 100m
              memory: 30Mi
            limits:
              cpu: "1"
              memory: 100Mi
          deploymentAnnotations:
            sidecar.istio.io/inject: "false"
        dapr_rbac:
          secretReader:
            enabled: false
          createClusterScopedObjects: true
    repoURL: $registry_fqdn
    targetRevision: $dapr_version
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    retry:
      backoff:
        duration: 10s
        factor: 2
        maxDuration: 1m
      limit: 1000
    syncOptions:
    - CreateNamespace=true
    - RespectIgnoreDifferences=true"#!/bin/bash

echo "Enter the namespace of argocd applications"
read argocd_namespace

echo "Enter the name of uipath namespace"
read uipath_namespace


if [[ "${argocd_namespace}" == "openshift-gitops" ]]; then
  echo "Enter the argocd project name"
  read project
else
  project="default"
fi

echo "Enter the registry fqdn"
read registry_fqdn

echo "Enter the DAPR helm chart version"
read dapr_version

echo "-------------------- SUMMARY --------------------"
echo "Argocd Application namespace : $argocd_namespace"
echo "Uipath namespace             : $uipath_namespace"
echo "Argocd Project name          : $project"
echo "Helm registry FQDN           : $registry_fqdn"
echo "DAPR Version                 : $dapr_version"

echo "------------- Application yaml file-------------"

echo -n "apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: dapr
  namespace: $argocd_namespace
spec:
  destination:
    namespace: $uipath_namespace
    server: https://kubernetes.default.svc
  ignoreDifferences:
  - jsonPointers:
    - /data
    - /stringData
    - /metadata
    kind: Secret
  - group: apiextensions.k8s.io
    jsonPointers:
    - /spec/conversion
    kind: CustomResourceDefinition
  - group: admissionregistration.k8s.io
    jsonPointers:
    - /webhooks
    kind: MutatingWebhookConfiguration
  project: $project
  source:
    chart: helm/dapr
    helm:
      valueFiles:
      - values.yaml
      values: |
        global:
          registry: $registry_fqdn/daprio
          imagePullSecrets: uipathpullsecret
          mtls:
            enabled: true
          prometheus:
            enabled: false
          logAsJson: true
          actors:
            enabled: false
          ha:
            enabled: false
            replicaCount: 1
          rbac:
            namespaced: true
          seccompProfile: RuntimeDefault
        dapr_dashboard:
          enabled: false
        dapr_operator:
          watchInterval: 1m
          resources:
            requests:
              cpu: 100m
              memory: 100Mi
            limits:
              cpu: "1"
              memory: 200Mi
          watchNamespace: $uipath_namespace
          deploymentAnnotations:
            sidecar.istio.io/inject: "false"
        dapr_sidecar_injector:
          allowedServiceAccounts: $uipath_namespace:default
          resources:
            requests:
              cpu: 100m
              memory: 30Mi
            limits:
              cpu: "1"
              memory: 100Mi
          sidecarDropALLCapabilities: true
          deploymentAnnotations:
            sidecar.istio.io/inject: "false"
        dapr_sentry:
          resources:
            requests:
              cpu: 100m
              memory: 30Mi
            limits:
              cpu: "1"
              memory: 100Mi
          deploymentAnnotations:
            sidecar.istio.io/inject: "false"
        dapr_rbac:
          secretReader:
            enabled: false
          createClusterScopedObjects: true
    repoURL: $registry_fqdn
    targetRevision: $dapr_version
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    retry:
      backoff:
        duration: 10s
        factor: 2
        maxDuration: 1m
      limit: 1000
    syncOptions:
    - CreateNamespace=true
    - RespectIgnoreDifferences=true"

Configuration de Airflow

ArgoCD requiert le rôle suivant lors de l'installation de Airflow :

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: anyuid-role
  namespace: <uipath>
rules:
  - apiGroups: ["security.openshift.io"]
    resources: ["securitycontextconstraints"]
    resourceNames: ["anyuid"]
    verbs: ["use"]apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: anyuid-role
  namespace: <uipath>
rules:
  - apiGroups: ["security.openshift.io"]
    resources: ["securitycontextconstraints"]
    resourceNames: ["anyuid"]
    verbs: ["use"]

Pour créer la liaison de rôle pour une instance ArgoCD dédiée, exécutez la commande suivante :

oc create rolebinding argocd-anyuid-binding --role=anyuid-role \
  --serviceaccount=<argocd>:argocd-argocd-application-controller -n <uipath>oc create rolebinding argocd-anyuid-binding --role=anyuid-role \
  --serviceaccount=<argocd>:argocd-argocd-application-controller -n <uipath>