Linux 版 Automation Suite 安装指南

上次更新日期 2025年11月6日

为 ArgoCD 启用 SSO

概述

要启用 SSO 身份验证，必须使用 uipathctl 命令行工具。

准备配置文件

在为 ArgoCD 启用 SSO 之前，您必须生成 RBAC 文件和 Dex 配置文件。

RBAC 文件

RBAC 文件包含访问规则。

有关内置角色定义的详细信息，请参阅 ArgoCD 文档。

有关 ArgoCD 帐户类型及其权限的详细信息，请参阅在 ArgoCD 中管理集群。

我们建议在定义组时使用这些角色，但您可以创建自己的权限集。

配置 RBAC 文件

通过运行以下命令，创建名为 policy.csv 的文件：
```
uipathctl config argocd generate-rbacuipathctl config argocd generate-rbac
```

将以下内容添加到 policy.csv 文件中并保存：

p, role:uipath-sync, applications, get, */*, allow
p, role:uipath-sync, applications, sync, */*, allow
g, argocdro, role:uipath-syncp, role:uipath-sync, applications, get, */*, allow
p, role:uipath-sync, applications, sync, */*, allow
g, argocdro, role:uipath-sync

通过将以下行附加到 policy.csv RBAC 文件，将 RBAC 组与内置管理员角色和 UiPath™ argocdro 只读角色相关联：

g, <your_ldap_readonly_group_name>, role:uipath-sync
g, <your_ldap_admin_group_name>, role:adming, <your_ldap_readonly_group_name>, role:uipath-sync
g, <your_ldap_admin_group_name>, role:admin

保存更新的policy.csv RBAC 文件。

示例：

如果 ArgoCD 管理员的 LDAP 组是管理员，而 ArgoCD 只读用户的 LDAP 组是读取者，则 RBAC 文件应类似于以下示例：

p, role:uipath-sync, applications, get, */*, allow
p, role:uipath-sync, applications, sync, */*, allow
g, argocdro, role:uipath-sync
g, Readers, role:uipath-sync
g, Administrators, role:adminp, role:uipath-sync, applications, get, */*, allow
p, role:uipath-sync, applications, sync, */*, allow
g, argocdro, role:uipath-sync
g, Readers, role:uipath-sync
g, Administrators, role:admin

对于更高级的用例，以下示例显示了默认的 RBAC 文件：

# Built-in policy which defines two roles: role:readonly and role:admin,
# and additionally assigns the admin user to the role:admin role.
# There are two policy formats:
# 1. Applications, logs, and exec (which belong to a project):
# p, <user/group>, <resource>, <action>, <project>/<object>
# 2. All other resources:
# p, <user/group>, <resource>, <action>, <object>

p, role:readonly, applications, get, */*, allow
p, role:readonly, certificates, get, *, allow
p, role:readonly, clusters, get, *, allow
p, role:readonly, repositories, get, *, allow
p, role:readonly, projects, get, *, allow
p, role:readonly, accounts, get, *, allow
p, role:readonly, gpgkeys, get, *, allow
p, role:readonly, logs, get, */*, allow

p, role:admin, applications, create, */*, allow
p, role:admin, applications, update, */*, allow
p, role:admin, applications, delete, */*, allow
p, role:admin, applications, sync, */*, allow
p, role:admin, applications, override, */*, allow
p, role:admin, applications, action/*, */*, allow
p, role:admin, applicationsets, get, */*, allow
p, role:admin, applicationsets, create, */*, allow
p, role:admin, applicationsets, update, */*, allow
p, role:admin, applicationsets, delete, */*, allow
p, role:admin, certificates, create, *, allow
p, role:admin, certificates, update, *, allow
p, role:admin, certificates, delete, *, allow
p, role:admin, clusters, create, *, allow
p, role:admin, clusters, update, *, allow
p, role:admin, clusters, delete, *, allow
p, role:admin, repositories, create, *, allow
p, role:admin, repositories, update, *, allow
p, role:admin, repositories, delete, *, allow
p, role:admin, projects, create, *, allow
p, role:admin, projects, update, *, allow
p, role:admin, projects, delete, *, allow
p, role:admin, accounts, update, *, allow
p, role:admin, gpgkeys, create, *, allow
p, role:admin, gpgkeys, delete, *, allow
p, role:admin, exec, create, */*, allow

g, role:admin, role:readonly
g, admin, role:admin# Built-in policy which defines two roles: role:readonly and role:admin,
# and additionally assigns the admin user to the role:admin role.
# There are two policy formats:
# 1. Applications, logs, and exec (which belong to a project):
# p, <user/group>, <resource>, <action>, <project>/<object>
# 2. All other resources:
# p, <user/group>, <resource>, <action>, <object>

p, role:readonly, applications, get, */*, allow
p, role:readonly, certificates, get, *, allow
p, role:readonly, clusters, get, *, allow
p, role:readonly, repositories, get, *, allow
p, role:readonly, projects, get, *, allow
p, role:readonly, accounts, get, *, allow
p, role:readonly, gpgkeys, get, *, allow
p, role:readonly, logs, get, */*, allow

p, role:admin, applications, create, */*, allow
p, role:admin, applications, update, */*, allow
p, role:admin, applications, delete, */*, allow
p, role:admin, applications, sync, */*, allow
p, role:admin, applications, override, */*, allow
p, role:admin, applications, action/*, */*, allow
p, role:admin, applicationsets, get, */*, allow
p, role:admin, applicationsets, create, */*, allow
p, role:admin, applicationsets, update, */*, allow
p, role:admin, applicationsets, delete, */*, allow
p, role:admin, certificates, create, *, allow
p, role:admin, certificates, update, *, allow
p, role:admin, certificates, delete, *, allow
p, role:admin, clusters, create, *, allow
p, role:admin, clusters, update, *, allow
p, role:admin, clusters, delete, *, allow
p, role:admin, repositories, create, *, allow
p, role:admin, repositories, update, *, allow
p, role:admin, repositories, delete, *, allow
p, role:admin, projects, create, *, allow
p, role:admin, projects, update, *, allow
p, role:admin, projects, delete, *, allow
p, role:admin, accounts, update, *, allow
p, role:admin, gpgkeys, create, *, allow
p, role:admin, gpgkeys, delete, *, allow
p, role:admin, exec, create, */*, allow

g, role:admin, role:readonly
g, admin, role:admin

Dex 配置文件

Dex 配置文件包含为 ArgoCD 配置 SSO 所需的参数。

注意：如果您已拥有 LDAP 连接器文件 (ldap_connector.yaml)，请跳至“为 ArgoCD 启用 SSO”。

要通过 LDAP 配置 SSO，请执行以下步骤：

通过运行以下命令生成 LDAP 模板文件。将在运行命令的目录中生成连接器模板文件。
```
uipathctl config argocd generate-dex-config -t ldapuipathctl config argocd generate-dex-config -t ldap
```

复制从---开始的输出，并将其另存为ldap_connector.yaml 。

ArgoCD 配置文件示例：

---
connectors:
  - type: ldap
    # Required field for connector id.
    id: ldap
    # Required field for connector name.
    name: OpenLDAP
    config:
      host: openldap:389
      insecureNoSSL: true
      startTLS: false
      bindDN: cn=admin,dc=example,dc=org
      bindPW: adminpassword
      usernamePrompt: Email Address
      userSearch:
        baseDN: ou=People,dc=example,dc=org
        filter: "(objectClass=person)"
        username: mail
        idAttr: DN
        emailAttr: mail
        nameAttr: cn
      # Group search queries for groups given a user entry.
      groupSearch:
        baseDN: ou=Groups,dc=example,dc=org
        filter: "(objectClass=groupOfNames)"
        userMatchers:
          - userAttr: DN
            groupAttr: member
        nameAttr: cn---
connectors:
  - type: ldap
    # Required field for connector id.
    id: ldap
    # Required field for connector name.
    name: OpenLDAP
    config:
      host: openldap:389
      insecureNoSSL: true
      startTLS: false
      bindDN: cn=admin,dc=example,dc=org
      bindPW: adminpassword
      usernamePrompt: Email Address
      userSearch:
        baseDN: ou=People,dc=example,dc=org
        filter: "(objectClass=person)"
        username: mail
        idAttr: DN
        emailAttr: mail
        nameAttr: cn
      # Group search queries for groups given a user entry.
      groupSearch:
        baseDN: ou=Groups,dc=example,dc=org
        filter: "(objectClass=groupOfNames)"
        userMatchers:
          - userAttr: DN
            groupAttr: member
        nameAttr: cn

Active Directory LDAP 连接器文件示例：

---
connectors:
- id: ldap
  name: ActiveDirectory
  type: ldap
  config:
    bindDN: cn=admin,cn=Users,dc=example,dc=local
    bindPW: "<admins's password>"
    groupSearch:
      baseDN: dc=example,dc=local
      filter: "(objectClass=group)"
      nameAttr: cn
      userMatchers:
        - userAttr: distinguishedName
          groupAttr: member
    host: "ldaphost:389"
    insecureNoSSL: true
    insecureSkipVerify: true
    startTLS: false
    userSearch:
      baseDN: cn=Users,dc=example,dc=local
      emailAttr: userPrincipalName
      filter: (objectClass=person)
      idAttr: DN
      nameAttr: cn
      username: userPrincipalName
    usernamePrompt: Email Address---
connectors:
- id: ldap
  name: ActiveDirectory
  type: ldap
  config:
    bindDN: cn=admin,cn=Users,dc=example,dc=local
    bindPW: "<admins's password>"
    groupSearch:
      baseDN: dc=example,dc=local
      filter: "(objectClass=group)"
      nameAttr: cn
      userMatchers:
        - userAttr: distinguishedName
          groupAttr: member
    host: "ldaphost:389"
    insecureNoSSL: true
    insecureSkipVerify: true
    startTLS: false
    userSearch:
      baseDN: cn=Users,dc=example,dc=local
      emailAttr: userPrincipalName
      filter: (objectClass=person)
      idAttr: DN
      nameAttr: cn
      username: userPrincipalName
    usernamePrompt: Email Address

使用所需信息更新 LDAP 连接器文件并保存。我们建议使用 LDAPS。

为 ArgoCD 启用 SSO

准备好 RBAC 和 Dex 配置文件后，您可以为 ArgoCD 启用 SSO：

使用以下cluster_config.json 参数更新文件：
1. fabric.argocd_dex_config_file - 输入先前创建的 Dex 配置文件的路径。
2. fabric.argocd_rbac_config_file - 输入先前创建的 RBAC 文件的路径。

通过运行以下命令，创建安装共享组件所需的先决条件：

./bin/uipathctl prereq create /opt/UiPathAutomationSuite/cluster_config.json --versions versions/helm-charts.json./bin/uipathctl prereq create /opt/UiPathAutomationSuite/cluster_config.json --versions versions/helm-charts.json

通过运行以下命令，验证共享组件安装所需的先决条件：

./bin/uipathctl prereq run /opt/UiPathAutomationSuite/cluster_config.json --versions versions/helm-charts.json./bin/uipathctl prereq run /opt/UiPathAutomationSuite/cluster_config.json --versions versions/helm-charts.json

重新运行安装程序：

./bin/uipathctl manifest apply /opt/UiPathAutomationSuite/cluster_config.json --versions versions/helm-charts.json./bin/uipathctl manifest apply /opt/UiPathAutomationSuite/cluster_config.json --versions versions/helm-charts.json