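Managing the cluster in ArgoCD
ArgoCD is a declarative GitOps continuous delivery tool for Kubernetes. It is designed as a Kubernetes controller that continuously monitors running UiPath™ applications and checks the current state against the desired target state specified in the Docker registry. For more details, see the ArgoCD documentation.
Administrators can get an overview of the cluster, configuration, application status, and health through a simple UI or the CLI. ArgoCD ships with its own bundled open-source Redis, which supports both HA and non-HA configurations.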
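Automation Suite uses ArgoCD in the following scenarios:
- Installing and upgrading fabric components and core UiPath™ services.
- Automatically deploying the desired application state in the specified target environment. ArgoCD follows the GitOps pattern of using Git/Helm repositories as the source of truth for defining the desired application state.
- Tracking the installation status. If the installation fails at a particular point and you resume it some time later, ArgoCD skips all the steps that have already synced and continues from the point of failure.
- Self-healing applications. If you delete any object by mistake, the manifest is automatically synced.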
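You can use the ArgoCD account in the following read-only scenarios:
- visualizing all applications, pods, and services in a simple interface;
- monitoring the health of all applications, pods, and services;
- quickly identifying problems in the deployment;
- re-syncing applications in the cluster.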
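You can use the ArgoCD admin account in the following advanced scenarios:
- changing parameters for debugging purposes only; for example, disabling self-heal;
- deleting pods;
- troubleshooting;
- managing the Orchestrator custom configuration; for example, setting an encryption key per tenant;
- updating database connection strings;
- syncing applications.
Note: Always refer to the appropriate UiPath™ documentation before deleting or changing advanced configurations in the UI.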
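ArgoCD supports two authentication methods:
- Username and password – the default authentication method;
- SSO – the recommended authentication method. You can enable SSO authentication after installation. For instructions, see Enabling SSO for ArgoCD.
Before enabling SSO for ArgoCD, you must generate the RBAC file.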
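RBAC file
The RBAC file contains the access rules.
For details on the built-in role definitions, see the ArgoCD documentation.
For details on the ArgoCD account types and their permissions, see Managing the cluster in ArgoCD.
We recommend using these roles when defining groups, but you can create your own set of permissions.
Configuring the RBAC file
Example:
If the LDAP group for ArgoCD administrators is Administrators and the LDAP group for ArgoCD read-only users is Readers, the RBAC file should be similar to the following example: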
p, role:uipath-sync, applications, get, */*, allow
p, role:uipath-sync, applications, sync, */*, allow
g, argocdro, role:uipath-sync
g, Readers, role:uipath-sync
g, Administrators, role:admin
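The following added example (not UiPath or ArgoCD code) parses the sample policy above and checks what each LDAP group can effectively do before the file is applied. The matching is a simplified approximation of ArgoCD's glob-based evaluation, and `BUILTIN` is a two-rule subset of the default role:admin grants, included only so that role resolves.

```python
from fnmatch import fnmatchcase

# The example policy from this page.
POLICY = """\
p, role:uipath-sync, applications, get, */*, allow
p, role:uipath-sync, applications, sync, */*, allow
g, argocdro, role:uipath-sync
g, Readers, role:uipath-sync
g, Administrators, role:admin
"""
# Two of the default role:admin grants shown on this page, so role:admin resolves.
BUILTIN = """\
p, role:admin, applications, delete, */*, allow
p, role:admin, exec, create, */*, allow
"""

def parse(text):
    """Split policy CSV into permission rules (p) and subject-to-role bindings (g)."""
    rules, bindings = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        f = [x.strip() for x in raw.split(",")]
        if f[0] == "p" and len(f) == 6 and f[5] in ("allow", "deny"):
            rules.append(tuple(f[1:]))
        elif f[0] == "g" and len(f) == 3:
            bindings.setdefault(f[1], set()).add(f[2])
        else:
            raise ValueError(f"line {n}: malformed policy line: {raw!r}")
    return rules, bindings

def roles_of(subject, bindings):
    """Return the subject plus every role reachable through g lines."""
    seen, todo = set(), [subject]
    while todo:
        s = todo.pop()
        if s not in seen:
            seen.add(s)
            todo.extend(bindings.get(s, ()))
    return seen

def can(subject, resource, action, obj, rules, bindings):
    """Simplified evaluation (assumption): a matching deny wins over any allow."""
    subs = roles_of(subject, bindings)
    hits = [eff for s, r, a, o, eff in rules if s in subs and fnmatchcase(resource, r)
            and fnmatchcase(action, a) and fnmatchcase(obj, o)]
    return "allow" in hits and "deny" not in hits

RULES, BINDINGS = parse(POLICY + BUILTIN)
```

ArgoCD's own CLI can run the same kind of check against the real evaluator with `argocd admin settings rbac validate` and `argocd admin settings rbac can`.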
For more advanced use cases, the following example shows the default RBAC file:
# Built-in policy which defines two roles: role:readonly and role:admin,
# and additionally assigns the admin user to the role:admin role.
# There are two policy formats:
# 1. Applications, logs, and exec (which belong to a project):
# p, <user/group>, <resource>, <action>, <project>/<object>
# 2. All other resources:
# p, <user/group>, <resource>, <action>, <object>
p, role:readonly, applications, get, */*, allow
p, role:readonly, certificates, get, *, allow
p, role:readonly, clusters, get, *, allow
p, role:readonly, repositories, get, *, allow
p, role:readonly, projects, get, *, allow
p, role:readonly, accounts, get, *, allow
p, role:readonly, gpgkeys, get, *, allow
p, role:readonly, logs, get, */*, allow
p, role:admin, applications, create, */*, allow
p, role:admin, applications, update, */*, allow
p, role:admin, applications, delete, */*, allow
p, role:admin, applications, sync, */*, allow
p, role:admin, applications, override, */*, allow
p, role:admin, applications, action/*, */*, allow
p, role:admin, applicationsets, get, */*, allow
p, role:admin, applicationsets, create, */*, allow
p, role:admin, applicationsets, update, */*, allow
p, role:admin, applicationsets, delete, */*, allow
p, role:admin, certificates, create, *, allow
p, role:admin, certificates, update, *, allow
p, role:admin, certificates, delete, *, allow
p, role:admin, clusters, create, *, allow
p, role:admin, clusters, update, *, allow
p, role:admin, clusters, delete, *, allow
p, role:admin, repositories, create, *, allow
p, role:admin, repositories, update, *, allow
p, role:admin, repositories, delete, *, allow
p, role:admin, projects, create, *, allow
p, role:admin, projects, update, *, allow
p, role:admin, projects, delete, *, allow
p, role:admin, accounts, update, *, allow
p, role:admin, gpgkeys, create, *, allow
p, role:admin, gpgkeys, delete, *, allow
p, role:admin, exec, create, */*, allow
g, role:admin, role:readonly
g, admin, role:admin
Once the RBAC file is ready, you can enable SSO for ArgoCD:
- Add the following line to the input.json file:
{ "fabric": { "argocd_rbac_config_file": "/path/to/policy.csv" } }
- Apply the configuration by running the following command:
uipathctl manifest apply input.json --versions versions.json