Automation Suite
2023.10
False
- 概述
- 要求
- 安装
- 先决条件检查
- 下载安装包
- uipathctl cluster
- uipathctl 集群维护
- uipathctl cluster maintenance disable
- uipathctl cluster maintenance enable
- uipathctl cluster maintenance is-enabled
- uipathctl cluster migration
- uipathctl cluster migration export
- uipathctl cluster migration import
- uipathctl cluster migration run
- uipathctl 集群升级
- uipathctl 配置
- uipathctl config add-host-admin
- uipathctl config additional-ca-certificates
- uipathctl config additional-ca-certificates get
- uipathctl config additional-ca-certificates update
- uipathctl 配置警示
- uipathctl configalerts add-email
- uipathctl config alerts remove-email
- uipathctl config alerts update-email
- uipathctl config argocd
- uipathctl config argocd ca-certificates
- uipathctl config argocd ca-certificates get
- uipathctl config argocd ca-certificates update
- uipathctl config argocd generate-dex-config
- uipathctl config argocd generate-rbac
- uipathctl config argocd registry
- uipathctl config argocd registry get
- uipathctl config argocd registry update
- uipathctl config enable-basic-auth
- uipathctl config Orchestrator
- uipathctl config Orchestrator get-config
- uipathctl config orchestrator update-config
- uipathctl config saml-certificates get
- uipathctl config saml-certificates rotate
- uipathctl config saml-certificates update
- uipathctl config tls-certificates
- uipathctl config tls-certificates get
- uipathctl config tls-certificates update
- uipathctl config token-signing-certificates
- uipathctl config token-signing-certificates get
- uipathctl config token-signing-certificates rotate
- uipathctl config token-signing-certificates update
- uipathctl 运行状况
- uipathctl 运行状况捆绑包
- uipathctl 运行状况检查
- uipathctl health diagnose
- uipathctl health test
- uipathctl 清单
- uipathctl manifest apply
- uipathctl manifest diff
- uipathctl manifest get
- uipathctl manifest get-revision
- uipathctl manifest list-applications
- uipathctl manifest list-revisions
- uipathctl manifest render
- uipathctl 先决条件
- uipathctl prereq create
- uipathctl prereq run
- uipathctl 资源
- uipathctl 资源报告
- uipathctl 快照
- uipathctl 快照备份
- uipathctl snapshot backup create
- uipathctl snapshot backup disable
- uipathctl snapshot backup enable
- uipathctl snapshot delete
- uipathctl snapshot list
- uipathctl snapshot restore
- uipathctl snapshot restore create
- uipathctl snapshot restore delete
- uipathctl snapshot restore history
- uipathctl snapshot restore logs
- uipathctl 版本
- 安装后
- 迁移和升级
- 监控和警示
- 集群管理
- 特定于产品的配置
- 故障排除
EKS/AKS 上的 Automation Suite 安装指南
上次更新日期 2024年4月19日
管理证书
重要提示:
安装流程会代表您生成自签名证书。 安装完成后,应立即将其替换为由受信任的证书颁发机构 (CA) 签名的证书。
您可以使用
uipathctl
CLI 工具在安装后更新证书。 有关详细信息,请参阅 uipathctl 文档。
要生成 CSR 和私钥,请运行以下命令:
# copy the machine openssl configuration locally
cp /etc/pki/tls/openssl.cnf ./openssl.tmp.cnf
# Replace the [AUTOMATION_SUITE_FQDN] value. For example, "automationsuite.corp.com"
AS_FQDN=[AUTOMATION_SUITE_FQDN]
cat >> ./openssl.tmp.cnf <<EOF
[SAN]
subjectAltName=DNS:$AS_FQDN,DNS:alm.$AS_FQDN,DNS:monitoring.$AS_FQDN,DNS:registry.$AS_FQDN,DNS:objectstore.$AS_FQDN,DNS:insights.$AS_FQDN
EOF
# create the certificate request
openssl req -new -sha256 -newkey rsa:2048 -nodes -keyout server.key -subj "/C=xx/ST=xx/O=xx/OU=xx/CN=$AS_FQDN" -reqexts SAN -config openssl.tmp.cnf -out ${AS_FQDN}.csr
# copy the machine openssl configuration locally
cp /etc/pki/tls/openssl.cnf ./openssl.tmp.cnf
# Replace the [AUTOMATION_SUITE_FQDN] value. For example, "automationsuite.corp.com"
AS_FQDN=[AUTOMATION_SUITE_FQDN]
cat >> ./openssl.tmp.cnf <<EOF
[SAN]
subjectAltName=DNS:$AS_FQDN,DNS:alm.$AS_FQDN,DNS:monitoring.$AS_FQDN,DNS:registry.$AS_FQDN,DNS:objectstore.$AS_FQDN,DNS:insights.$AS_FQDN
EOF
# create the certificate request
openssl req -new -sha256 -newkey rsa:2048 -nodes -keyout server.key -subj "/C=xx/ST=xx/O=xx/OU=xx/CN=$AS_FQDN" -reqexts SAN -config openssl.tmp.cnf -out ${AS_FQDN}.csr
您的 IT 团队使用获取的值生成签名证书。 生成的私钥保留在本地。
要查看有关更新 TLS 证书的更多信息,请运行以下命令:
uipathctl config update-tls-certificates --help
uipathctl config update-tls-certificates --help
输出:
************************************************************************************
Manage tls certificates
Usage:
uipathctl config tls-certificates [flags]
uipathctl config tls-certificates [command]
Available Commands:
get Get the current tls certificates
update Update tls certificates
Flags:
-h, --help help for tls-certificates
Global Flags:
--context string name of the kubeconfig context to use
--kubeconfig string kubectl configuration file (default: ~/.kube/config)
--log-format string log format. one of [text,json] (default "text")
--log-level string set log level. one of [trace,debug,info,error] (default "error")
-q, --quiet suppress all output except for errors and warnings
--timeout duration timeout of the command (default 1h0m0s)
************************************************************************************
************************************************************************************
Manage tls certificates
Usage:
uipathctl config tls-certificates [flags]
uipathctl config tls-certificates [command]
Available Commands:
get Get the current tls certificates
update Update tls certificates
Flags:
-h, --help help for tls-certificates
Global Flags:
--context string name of the kubeconfig context to use
--kubeconfig string kubectl configuration file (default: ~/.kube/config)
--log-format string log format. one of [text,json] (default "text")
--log-level string set log level. one of [trace,debug,info,error] (default "error")
-q, --quiet suppress all output except for errors and warnings
--timeout duration timeout of the command (default 1h0m0s)
************************************************************************************
证书在 Istio 级别存储为密码。 您可以在
istio-system
命名空间中的 istio-ingressgateway-certs
名称下找到证书。
请参阅以下列表中的证书文件:
-
服务器 TLS 证书存储为
tls.crt
-
作为
tls.key
的服务器 TLS 私钥 -
CA 捆绑包存储为
ca.crt
您可以使用以下命令验证密码:
kubectl -n istio-system get secrets istio-ingressgateway-certs -o yaml
kubectl -n istio-system get secrets istio-ingressgateway-certs -o yaml
证书也存储在 UiPath 命名空间中。这适用于需要证书信息以信任传入调用的所有 UiPath™ 产品。有关详细信息,请参阅了解与证书相关的容器架构。
重要提示:
在更新服务器证书之前,您必须解密证书密钥。 跳过解密步骤将导致错误。
要解密证书密钥,请运行以下命令:
# replace /path/to/encrypted/cert/key to absolute file path of key
# replace /path/to/decrypt/cert/key to store decrypt key
# Once prompted, please entry the passphrase or password to decrypt the key
openssl rsa -in /path/to/encrypted/cert/key -out /path/to/decrypt/cert/key
# replace /path/to/encrypted/cert/key to absolute file path of key
# replace /path/to/decrypt/cert/key to store decrypt key
# Once prompted, please entry the passphrase or password to decrypt the key
openssl rsa -in /path/to/encrypted/cert/key -out /path/to/decrypt/cert/key
要更新证书,请运行以下
uipathctl
命令。 您需要三个证书文件中每个文件的路径。 所有证书文件均应采用 pem
格式。
-
证书颁发机构捆绑包 - 此捆绑包应仅包含用于签署 TLS 服务器证书的链证书。 链限制为最多 9 个证书。
-
服务器证书 - 公共服务器证书
-
私钥 - 服务器证书的私钥
uipathctl config tls-certificates update --cert server.crt --cacert ca.crt --key server.key
uipathctl config tls-certificates update --cert server.crt --cacert ca.crt --key server.key
要查看有关其他 CA 证书的更多信息,请运行以下命令:
uipathctl config additional-ca-certificates --help
uipathctl config additional-ca-certificates --help
输出:
***************************************************************************************
Manage additional ca certificates
Usage:
uipathctl config additional-ca-certificates [flags]
uipathctl config additional-ca-certificates [command]
Available Commands:
get Get the current additional ca certificates
update Update additional ca certificates
Flags:
-h, --help help for additional-ca-certificates
Global Flags:
--context string name of the kubeconfig context to use
--kubeconfig string kubectl configuration file (default: ~/.kube/config)
--log-format string log format. one of [text,json] (default "text")
--log-level string set log level. one of [trace,debug,info,error] (default "error")
-q, --quiet suppress all output except for errors and warnings
--timeout duration timeout of the command (default 1h0m0s)
***************************************************************************************
***************************************************************************************
Manage additional ca certificates
Usage:
uipathctl config additional-ca-certificates [flags]
uipathctl config additional-ca-certificates [command]
Available Commands:
get Get the current additional ca certificates
update Update additional ca certificates
Flags:
-h, --help help for additional-ca-certificates
Global Flags:
--context string name of the kubeconfig context to use
--kubeconfig string kubectl configuration file (default: ~/.kube/config)
--log-format string log format. one of [text,json] (default "text")
--log-level string set log level. one of [trace,debug,info,error] (default "error")
-q, --quiet suppress all output except for errors and warnings
--timeout duration timeout of the command (default 1h0m0s)
***************************************************************************************
此命令可帮助您更新或替换现有的已配置 CA 证书。
uipathctl config additional-ca-certificates update --cacert additional_ca.crt
uipathctl config additional-ca-certificates update --cacert additional_ca.crt
备注:
上面的命令将新证书添加到现有证书列表中。如果要替换以前配置的所有证书,请确保在末尾附加
--replace
。
CA 证书捆绑包文件应为有效的
.pem
格式,并且可以包含多个证书。
要查看有关身份令牌签名证书的更多信息,请运行以下命令:
uipathctl config token-signing-certificates --help
uipathctl config token-signing-certificates --help
输出:
************************************************************************************
Manage token signing certificates
Usage:
uipathctl config token-signing-certificates [flags]
uipathctl config token-signing-certificates [command]
Available Commands:
get Get the current token signing certificate
rotate Rotate token signing certificates
update Update future token signing certificate
Flags:
-h, --help help for token-signing-certificates
Global Flags:
--context string name of the kubeconfig context to use
--kubeconfig string kubectl configuration file (default: ~/.kube/config)
--log-format string log format. one of [text,json] (default "text")
--log-level string set log level. one of [trace,debug,info,error] (default "error")
-q, --quiet suppress all output except for errors and warnings
--timeout duration timeout of the command (default 1h0m0s)
************************************************************************************
************************************************************************************
Manage token signing certificates
Usage:
uipathctl config token-signing-certificates [flags]
uipathctl config token-signing-certificates [command]
Available Commands:
get Get the current token signing certificate
rotate Rotate token signing certificates
update Update future token signing certificate
Flags:
-h, --help help for token-signing-certificates
Global Flags:
--context string name of the kubeconfig context to use
--kubeconfig string kubectl configuration file (default: ~/.kube/config)
--log-format string log format. one of [text,json] (default "text")
--log-level string set log level. one of [trace,debug,info,error] (default "error")
-q, --quiet suppress all output except for errors and warnings
--timeout duration timeout of the command (default 1h0m0s)
************************************************************************************
要上传新证书以对令牌进行签名,请运行以下命令:
备注:
以下命令不会替换现有令牌签名证书。
确保您提供的证书采用
.pem
格式。
uipathctl config token-signing-certificates update --cert server.crt --key server.key
uipathctl config token-signing-certificates update --cert server.crt --key server.key
要轮换旧证书或将其替换为新证书,请运行以下命令:
uipathctl config token-signing-certificates rotate
uipathctl config token-signing-certificates rotate