Automation Suite
2021.10
MongoDB Certificate Renewal for Apps Users
Automation Suite Installation Guide
Last updated April 19, 2024
MongoDB uses two types of certificates to establish secure connections within the Automation Suite cluster:
- CA root certificate
- TLS certificate
For Automation Suite versions earlier than 2021.10.3, the MongoDB CA certificate is valid for only 60 days. Because there is no automatic renewal process, the certificate has to be updated manually. Follow the steps in the Manual certificate update section to renew the certificate.
Note: A manually updated certificate is valid for only 90 days. After that, the certificate must be updated manually again.
For Automation Suite version 2021.10.4 and later, the validity period has been extended to three years. For fresh installations of 2021.10.4 and later, certificate renewal is automatic.
For environments upgraded from version 2021.10.3 or earlier, a few manual steps are required. Follow the steps in the Certificate rotation section to update the certificates.
Manual certificate update
Note: Follow this procedure to update the MongoDB certificates manually only if you are using Automation Suite 2021.10.3 or later.
This procedure applies to online environments.
Prerequisites
Before starting this procedure, create a script file named mongo-cert-rotation-script.sh with the following content.
mongo-cert-rotation-script.sh
#!/bin/bash
export KUBECONFIG=/etc/rancher/rke2/rke2.yaml PATH=$PATH:/var/lib/rancher/rke2/bin:/usr/local/bin
curl -sSL -o kubectl-cert-manager.tar.gz https://github.com/cert-manager/cert-manager/releases/download/v1.6.0/kubectl-cert_manager-linux-amd64.tar.gz
tar xzf kubectl-cert-manager.tar.gz
sudo mv kubectl-cert_manager /usr/local/bin
function update_additional_secrets() {
#extract updated pem file name
newPemFileName=$(kubectl -n mongodb get secret mongodb-replica-set-server-certificate-key -o json | jq -r '.data' | jq -r 'keys[0]')
echo "New pem file name ${newPemFileName}"
#extract stale pem file name
oldPemFile=$(kubectl -n mongodb get secret mongodb-replica-set-config -o json | jq -r '.data."cluster-config.json"' | base64 -d | jq -r '.processes[0].args2_6.net.tls.certificateKeyFile')
oldPemFileName=$(basename "$oldPemFile")
echo "Stale pem file name ${oldPemFileName}"
if [[ "$oldPemFileName" != "$newPemFileName" ]]; then
echo "Pem file entries do not match. replacing"
#extract replica set secret cluster config json to file
kubectl -n mongodb get secret mongodb-replica-set-config -o json | jq -r '.data."cluster-config.json"' | base64 -d > /tmp/clusterConfig.json
#replace old pem file name with new in the json file
sed -i -e "s@$oldPemFileName@$newPemFileName@g" /tmp/clusterConfig.json
#encode the json
encodedUpdatedClusterConfig=$(jq -r '. | @base64 | "\(.)"' /tmp/clusterConfig.json)
#patch replica set secret with updated cluster config
kubectl -n mongodb patch secret mongodb-replica-set-config --type='json' -p='[{"op" : "replace" ,"path" : "/data/cluster-config.json" ,"value" : "'"$encodedUpdatedClusterConfig"'"}]'
else
echo "Pem file entries match; not updating"
fi
}
function rotate_secrets(){
NAMESPACE="mongodb"
#home directory of the user running the script
HOME_DIR=$(eval echo "~$(whoami)")
echo "extracting certs and secrets from relevant files"
#cleanup if the dir already exists
rm -rf "$HOME_DIR"/tmp/.certs || true
mkdir -p "$HOME_DIR"/tmp/.certs/
kubectl -n "$NAMESPACE" get secret/tls-ca-key-pair -o jsonpath='{.data.ca\.crt}' | base64 -d > "$HOME_DIR"/tmp/.certs/ca.crt
kubectl -n "$NAMESPACE" create configmap mongo-ca --from-file="$HOME_DIR/tmp/.certs/ca.crt" --dry-run=client -o yaml | kubectl apply -f -
kubectl -n mongodb label configmap mongo-ca config-discovery=yes 2>/dev/null || true
}
PREVIOUS_REVISION=$(kubectl -n mongodb get cert cert-manager-tls-certificate -o json | jq -r '.status.revision')
echo "Previous Version"
echo $PREVIOUS_REVISION
kubectl cert-manager renew --namespace=mongodb --all
sleep 60
CURRENT_REVISION=$(kubectl -n mongodb get cert cert-manager-tls-certificate -o json | jq -r '.status.revision')
echo "Current Version"
echo $CURRENT_REVISION
#Validate if Cert gets renewed
if [[ "${PREVIOUS_REVISION}" != "${CURRENT_REVISION}" ]]; then
echo "Cert Renewal Successful. Previous Revision: $PREVIOUS_REVISION Current Revision: $CURRENT_REVISION"
echo "Rotating secrets"
rotate_secrets
echo "Secrets rotated"
echo "Updating additional secrets"
update_additional_secrets
echo "Additional secrets updated"
echo "Rolling restart mongodb replica set"
kubectl rollout restart sts mongodb-replica-set -n mongodb
echo "Mongodb replica successfully Restarted"
echo "Rolling restart apps server"
kubectl rollout restart -n uipath deployment apps-server
echo "Apps server successfully restarted"
echo "Rolling restart apps-wsserver"
kubectl rollout restart -n uipath deployment apps-wsserver
echo "Apps wsserver successfully restarted"
else
echo "Cert Renewal UnSuccessful. Previous Revision: $PREVIOUS_REVISION Current Revision: $CURRENT_REVISION"
fi
rm -rf /usr/local/bin/kubectl-cert_manager
Procedure
This procedure applies to offline (air-gapped) environments.
Prerequisites
Before starting this procedure, create a script file named mongo-cert-rotation-script.sh with the following content.
mongo-airgap-cert-rotation-script.sh
#!/bin/bash
export KUBECONFIG=/etc/rancher/rke2/rke2.yaml PATH=$PATH:/var/lib/rancher/rke2/bin:/usr/local/bin
tar xzf kubectl-cert-manager.tar.gz
sudo mv kubectl-cert_manager /usr/local/bin
function update_additional_secrets() {
#extract updated pem file name
newPemFileName=$(kubectl -n mongodb get secret mongodb-replica-set-server-certificate-key -o json | jq -r '.data' | jq -r 'keys[0]')
echo "New pem file name ${newPemFileName}"
#extract stale pem file name
oldPemFile=$(kubectl -n mongodb get secret mongodb-replica-set-config -o json | jq -r '.data."cluster-config.json"' | base64 -d | jq -r '.processes[0].args2_6.net.tls.certificateKeyFile')
oldPemFileName=$(basename "$oldPemFile")
echo "Stale pem file name ${oldPemFileName}"
if [[ "$oldPemFileName" != "$newPemFileName" ]]; then
echo "Pem file entries do not match. replacing"
#extract replica set secret cluster config json to file
kubectl -n mongodb get secret mongodb-replica-set-config -o json | jq -r '.data."cluster-config.json"' | base64 -d > /tmp/clusterConfig.json
#replace old pem file name with new in the json file
sed -i -e "s@$oldPemFileName@$newPemFileName@g" /tmp/clusterConfig.json
#encode the json
encodedUpdatedClusterConfig=$(jq -r '. | @base64 | "\(.)"' /tmp/clusterConfig.json)
#patch replica set secret with updated cluster config
kubectl -n mongodb patch secret mongodb-replica-set-config --type='json' -p='[{"op" : "replace" ,"path" : "/data/cluster-config.json" ,"value" : "'"$encodedUpdatedClusterConfig"'"}]'
else
echo "Pem file entries match; not updating"
fi
}
function rotate_secrets(){
NAMESPACE="mongodb"
#home directory of the user running the script
HOME_DIR=$(eval echo "~$(whoami)")
echo "extracting certs and secrets from relevant files"
#cleanup if the dir already exists
rm -rf "$HOME_DIR"/tmp/.certs || true
mkdir -p "$HOME_DIR"/tmp/.certs/
kubectl -n "$NAMESPACE" get secret/tls-ca-key-pair -o jsonpath='{.data.ca\.crt}' | base64 -d > "$HOME_DIR"/tmp/.certs/ca.crt
kubectl -n "$NAMESPACE" create configmap mongo-ca --from-file="$HOME_DIR/tmp/.certs/ca.crt" --dry-run=client -o yaml | kubectl apply -f -
kubectl -n mongodb label configmap mongo-ca config-discovery=yes 2>/dev/null || true
}
PREVIOUS_REVISION=$(kubectl -n mongodb get cert cert-manager-tls-certificate -o json | jq -r '.status.revision')
echo "Previous Version"
echo $PREVIOUS_REVISION
kubectl cert-manager renew --namespace=mongodb --all
sleep 60
CURRENT_REVISION=$(kubectl -n mongodb get cert cert-manager-tls-certificate -o json | jq -r '.status.revision')
echo "Current Version"
echo $CURRENT_REVISION
#Validate if Cert gets renewed
if [[ "${PREVIOUS_REVISION}" != "${CURRENT_REVISION}" ]]; then
echo "Cert Renewal Successful. Previous Revision: $PREVIOUS_REVISION Current Revision: $CURRENT_REVISION"
echo "Rotating secrets"
rotate_secrets
echo "Secrets rotated"
echo "Updating additional secrets"
update_additional_secrets
echo "Additional secrets updated"
echo "Rolling restart mongodb replica set"
kubectl rollout restart sts mongodb-replica-set -n mongodb
echo "Mongodb replica successfully Restarted"
echo "Rolling restart apps server"
kubectl rollout restart -n uipath deployment apps-server
echo "Apps server successfully restarted"
echo "Rolling restart apps-wsserver"
kubectl rollout restart -n uipath deployment apps-wsserver
echo "Apps wsserver successfully restarted"
else
echo "Cert Renewal UnSuccessful. Previous Revision: $PREVIOUS_REVISION Current Revision: $CURRENT_REVISION"
fi
rm -rf /usr/local/bin/kubectl-cert_manager
Procedure
1. Download the kubectl-cert-manager.tar file to your system by running the following command:
curl -sSL -o kubectl-cert-manager.tar.gz https://github.com/cert-manager/cert-manager/releases/download/v1.6.0/kubectl-cert_manager-linux-amd64.tar.gz
2. Copy the cert-manager binary to the VM node by running the following command:
scp <path-to-kubectl-cert-manager> <username>@<node-fqdn>:~
3. Copy the script from the prerequisites (mongo-airgap-cert-rotation-script.sh) to the VM node by running the following command:
scp <path-to-mongo-airgap-cert-rotation> <username>@<node-fqdn>:~
4. Connect to the machine using SSH.
ssh <username>@<node-fqdn>
5. Move the kubectl-cert-manager.tar file to the installer directory by running the following command:
mv /home/<username>/kubectl-cert_manager.tar.gz <installer-dir>
6. Move the mongo-airgap-cert-rotation-script.sh script to the installer directory by running the following commands:
Note: Make sure the mongo-airgap-cert-rotation-script.sh and kubectl-cert-manager.tar files are located in the same path.
mv /home/<username>/mongo-airgap-cert-rotation-script.sh <installer-dir>
cd <installer-dir>
7. Check the current expiration and renewal dates by running the following commands. Look for the notBefore and notAfter fields.
export KUBECONFIG=/etc/rancher/rke2/rke2.yaml PATH=$PATH:/var/lib/rancher/rke2/bin:/usr/local/bin
kubectl -n mongodb describe certs
8. Run the script with the following commands:
chmod u+x mongo-airgap-cert-rotation-script.sh
./mongo-airgap-cert-rotation-script.sh
9. Check the new expiration and renewal dates by running the following command. Look for the notBefore and notAfter fields.
kubectl -n mongodb describe certs
When you check the certificate validity, the following dates are displayed:
Not After - the date and time at which the certificate's validity period ends.
Not Before - the date and time at which the certificate's validity period starts.
Renewal Time - the recommended date and time for renewing the certificate manually.
For example:
Certificate 1 in the file
Name: cert-manager-tls-certificate
Namespace: mongodb
Not After: 2023-03-08T23:19:49Z
Not Before: 2022-03-08T23:19:49Z
Renewal Time: 2023-02-06T23:19:49Z
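The dates the procedure has you read off by eye can be checked mechanically. The script below is an added example, not part of the UiPath page or product: it parses the describe output layout shown above, classifies a certificate against its renewal time, and confirms that a rotation actually moved Not After forward by a full validity period. It assumes GNU date (coreutils) on the node and uses constructed sample output, not live cluster data.

```shell
#!/bin/bash
# Added example, not part of the UiPath page: automates the "look for Not Before /
# Not After" check the procedure asks you to do by eye, before and after rotation.
# Assumes GNU date (coreutils), as found on the RKE2 Linux nodes.

# Whole days from RFC 3339 timestamp $1 to RFC 3339 timestamp $2.
days_between() {
  from=$(date -u -d "$1" +%s) || return 2
  to=$(date -u -d "$2" +%s) || return 2
  echo $(( (to - from) / 86400 ))
}

# Pull one "Label: value" field out of `kubectl describe certs` style text.
# $1 = text, $2 = label (for example "Not After")
describe_field() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# Classify a certificate at reference time $4 given its Not Before ($1),
# Not After ($2) and Renewal Time ($3). Prints EXPIRED, NOT_YET_VALID,
# RENEW_DUE (past the cert-manager renewal time but still valid) or OK.
cert_status() {
  nb=$(date -u -d "$1" +%s); na=$(date -u -d "$2" +%s)
  rt=$(date -u -d "$3" +%s); now=$(date -u -d "$4" +%s)
  if [ "$now" -ge "$na" ]; then echo EXPIRED
  elif [ "$now" -lt "$nb" ]; then echo NOT_YET_VALID
  elif [ "$now" -ge "$rt" ]; then echo RENEW_DUE
  else echo OK; fi
}

# Rotation counts as verified only if Not After moved forward and the new
# validity spans at least $3 days (1095 for the three-year certificates).
# $1 = describe output before rotation, $2 = describe output after rotation
rotation_ok() {
  old_na=$(describe_field "$1" "Not After")
  new_nb=$(describe_field "$2" "Not Before")
  new_na=$(describe_field "$2" "Not After")
  [ -n "$old_na" ] && [ -n "$new_nb" ] && [ -n "$new_na" ] || return 2
  [ "$(days_between "$old_na" "$new_na")" -gt 0 ] || return 1
  [ "$(days_between "$new_nb" "$new_na")" -ge "$3" ] || return 1
}
# Constructed sample in the layout the page shows; on a node, feed in
# "$(kubectl -n mongodb describe certs)" captured before and after the script.
BEFORE='Name: cert-manager-tls-certificate
Not After: 2023-03-08T23:19:49Z
Not Before: 2022-03-08T23:19:49Z
Renewal Time: 2023-02-06T23:19:49Z'
AFTER='Name: cert-manager-tls-certificate
Not After: 2026-02-10T10:00:00Z
Not Before: 2023-02-10T10:00:00Z
Renewal Time: 2026-01-09T10:00:00Z'
echo "status before: $(cert_status 2022-03-08T23:19:49Z 2023-03-08T23:19:49Z 2023-02-06T23:19:49Z 2023-02-10T10:00:00Z)"
if rotation_ok "$BEFORE" "$AFTER" 1095; then echo "rotation verified"; else echo "rotation NOT verified"; fi
```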
Certificate rotation
Note: Follow this procedure to update the MongoDB certificates manually only if you upgraded Automation Suite from version 2021.10.3 or earlier to a later version (at least 2021.10.4).
1. Connect to the VM node via SSH.
ssh <username>@<node-fqdn>
2. Assume the superuser role by running the following command.
sudo su
3. Go to the installation directory (for fresh installations) or the upgrade directory (for upgraded environments) by running the following command.
cd <Installation/Upgrade Directory>
4. Copy the rotate-cert.sh script below to the installation directory.
rotate-cert.sh
#!/bin/bash
./configureUiPathAS.sh mongodb rotate-certificate
#the directory that receives the extracted CA must exist before the redirect below
mkdir -p /tmp/.certs
kubectl -n mongodb get secret/tls-ca-key-pair -o jsonpath='{.data.ca\.crt}' | base64 -d > /tmp/.certs/ca.crt
kubectl -n mongodb create configmap mongo-ca --from-file="/tmp/.certs/ca.crt" --dry-run=client -o yaml | kubectl replace -f -
kubectl rollout restart sts mongodb-replica-set -n mongodb
5. Run the certificate rotation script with the following commands.
chmod u+x rotate-cert.sh
./rotate-cert.sh
The certificate rotation script takes about 5 to 10 minutes to complete. The new certificates generated by the script are valid for three years from the date of creation and are renewed automatically according to the timeline described above.