UiPath Documentation
automation-suite
2024.10
false
UiPath logo, featuring letters U and I in white

Automation Suite on OpenShift installation guide

Last updated Mar 26, 2026

Installing and configuring the GitOps tool

Note:

Before proceeding with the OpenShift GitOps Operator installation and configuration, you must install OpenShift Service Mesh and provide all the required permissions to the uipathadmin service account.

You can deploy Automation Suite using either an OpenShift GitOps Operator instance dedicated to the UiPath® applications or a shared OpenShift GitOps Operator instance, if it is already installed and available on your cluster.

We recommend using a dedicated OpenShift GitOps Operator instance to install the Automation Suite applications. This method requires minimum permissions to the other namespaces and cluster resources.

For installation and access instructions, see the following sections:

Provisioning a dedicated GitOps instance

Note:

We recommend using a namespace that is different from <uipath> for ArgoCD.

If you use Openshift GitOps version 1.15 or higher and install a dedicated instance of ArgoCD within the <uipath> namespace, the ArgoCD UI will not be accessible due to the network policies in the <uipath> namespace added by the Service Mesh Control Plane. To address this, you must add a network policy, as shown in the following example, to allow the ingress pods to reach the ArgoCD-server pods in the <uipath> namespace.

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-argocd
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-server
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              network.openshift.io/policy-group: ingress
  policyTypes:
    - Ingress
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-argocd
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-server
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              network.openshift.io/policy-group: ingress
  policyTypes:
    - Ingress

To provision a dedicated OpenShift GitOps Operator instance, take the following steps:

  1. If the <argocd> namespace does not already exist, run the following commands to create it:

    oc get namespace <argocd> || oc new-project <argocd>
oc project <argocd>
oc get namespace <argocd> || oc new-project <argocd>
oc project <argocd>

  2. Install the OpenShift GitOps Operator by following the instructions in Installing OpenShift GitOps.

  3. Create a new ArgoCD instance by following the instructions in Setting up a new ArgoCD instance.

    Note:

    In the spec section described in Enabling replicas for Argo CD server and repo server, you must add the following line:

    server.route.enabled: true
server.route.enabled: true

  4. Patch the ArgoCD deployment:

    oc -n <argocd> patch deployment argocd-server \
  -p '{"spec":{"template":{"metadata":{"labels":{"maistra.io/expose-route":"true"}}}}}'
oc -n <argocd> patch deployment argocd-server \
  -p '{"spec":{"template":{"metadata":{"labels":{"maistra.io/expose-route":"true"}}}}}'

  5. Create a role so that ArgoCD can manage limit ranges. To create the role, take the following steps:

    1. Save the following role configuration as a YAML file: 
      kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: limit-range-manager
  namespace: <uipath>
rules:
  - apiGroups: ["*"]
    resources: ["limitranges"]
    verbs: ["get", "watch", "list", "patch", "update", "create"]
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: limit-range-manager
  namespace: <uipath>
rules:
  - apiGroups: ["*"]
    resources: ["limitranges"]
    verbs: ["get", "watch", "list", "patch", "update", "create"]
    2. Apply the configuration by running the following command. Make sure to replace the <file_name.yaml> placeholder with the actual name of the YAML file: 
      oc apply -f <file_name.yaml>
oc apply -f <file_name.yaml>

  6. Bind the limit-range-manager role to the argocd service account:

    oc -n <uipath> create rolebinding limit-range-manager-binding --role=limit-range-manager --serviceaccount=<argocd>:argocd-argocd-application-controller
oc -n <uipath> create rolebinding limit-range-manager-binding --role=limit-range-manager --serviceaccount=<argocd>:argocd-argocd-application-controller

  7. If you enabled either Process Mining - Dapr or Automation Suite Robots, you must enable cluster-wide mode for ArgoCD by taking the following steps:

    1. In <openshift-gitops>, edit the openshift-gitops-operator subscription resource to include the following environment variable: 
      ARGOCD_CLUSTER_CONFIG_NAMESPACES: <argocd>
ARGOCD_CLUSTER_CONFIG_NAMESPACES: <argocd>
    2. Follow the instructions in Using an Argo CD instance to manage cluster-scoped resources.

  8. You must ensure that the ArgoCD instance can manage the <uipath> namespace if the <uipath> namespace is not the same as the <argocd> namespace:

    oc label namespace <uipath> argocd.argoproj.io/managed-by=<argocd>
oc label namespace <uipath> argocd.argoproj.io/managed-by=<argocd>

    After you apply the configuration, restart the ArgoCD application-controler (statefulset) and server (deployment).

  9. You must perform the following steps only if the <uipath> namespace is not the same as the <argocd> namespace.

    Create a role to manage the applications in the <argocd> namespace. To create the role, take the following steps:

    1. Save the following role configuration as a YAML file: 
      apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: uipath-application-manager
  namespace: <argocd>
rules:
- apiGroups:
  - argoproj.io
  resources:
  - applications
  verbs:
  - "*"
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: uipath-application-manager
  namespace: <argocd>
rules:
- apiGroups:
  - argoproj.io
  resources:
  - applications
  verbs:
  - "*"
    2. Apply the configuration by running the following command. Make sure to replace the <file_name.yaml> placeholder with the actual name of the YAML file: 
      oc apply -f <file_name.yaml>
oc apply -f <file_name.yaml>

  10. Bind the uipath-application-manager role to the uipathadmin service account:

    oc project <argocd>
oc create rolebinding uipath-application-manager \
  --role=uipath-application-manager --serviceaccount=<uipath>:uipathadmin
oc project <argocd>
oc create rolebinding uipath-application-manager \
  --role=uipath-application-manager --serviceaccount=<uipath>:uipathadmin

  11. Create a role so that the uipathadmin service account can create and edit the secret in the <argocd> namespace. The ArgoCD application requires this role to update the Helm secret. To create the role, take the following steps:

    1. Save the following role configuration as a YAML file: 
      apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: argo-secret-role
  namespace: <argocd>
rules:
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["roles", "rolebindings"]
    verbs: ["*"]
  - apiGroups: ["*"]
    resources: ["secrets"]
    verbs: ["get", "watch", "list", "patch", "update", "create"]
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: argo-secret-role
  namespace: <argocd>
rules:
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["roles", "rolebindings"]
    verbs: ["*"]
  - apiGroups: ["*"]
    resources: ["secrets"]
    verbs: ["get", "watch", "list", "patch", "update", "create"]
    2. Apply the configuration by running the following command. Make sure to replace the <file_name.yaml> placeholder with the actual name of the YAML file: 
      oc apply -f <file_name.yaml>
oc apply -f <file_name.yaml>

  12. Bind the argo-secret-role role to the uipathadmin service account:

    oc project <argocd>
oc create rolebinding secret-binding \
  --role=argo-secret-role --serviceaccount=<uipath>:uipathadmin
oc project <argocd>
oc create rolebinding secret-binding \
  --role=argo-secret-role --serviceaccount=<uipath>:uipathadmin

  13. Bind the namespace-reader role in the <argocd> namespace to the uipathadmin service account:

    oc project <argocd>
oc create rolebinding namespace-reader-rolebinding \
  --clusterrole=namespace-reader-clusterrole --serviceaccount=<uipath>:uipathadmin
oc project <argocd>
oc create rolebinding namespace-reader-rolebinding \
  --clusterrole=namespace-reader-clusterrole --serviceaccount=<uipath>:uipathadmin

Accessing the dedicated ArgoCD instance

To access ArgoCD, take the following steps:

  1. Get the host URL: 
    oc get routes argocd-server -n <argocd> -o jsonpath={.spec.host}; echo
oc get routes argocd-server -n <argocd> -o jsonpath={.spec.host}; echo
  2. To log in, use admin as the username and run the following command to get the password: 
    oc -n <argocd> get secrets argocd-cluster \
  -o "jsonpath={.data['admin\.password']}" | base64 -d; echo
oc -n <argocd> get secrets argocd-cluster \
  -o "jsonpath={.data['admin\.password']}" | base64 -d; echo

Configuring the private Helm repository and certificates in ArgoCD

To configure the Helm repository in ArgoCD, take the following steps:

  1. Log in to ArgoCD.
  2. Navigate to Settings > Repositories > +CONNECT REPO.
  3. Use VIA HTTPS for the connection method.
  4. Select Helm as the type.
  5. Provide a name.
  6. Choose default as the project.
  7. Provide the repository URL, username, password, and certificate info.
    Important:

    When adding the TLS client certificate on the +CONNECT REPO page, the TLS client certificate key becomes a mandatory field. To configure the registry certificate without the TLS client certificate key, take the following steps:

    1. Navigate to Settings > Repository certificates and known hosts > +ADD TLS CERTIFICATE.
    2. Add the repository name and TLS certificate in PEM format.
  8. Enable the OCI checkbox.
  9. Select Connect.
  10. Make sure that the connection status is Successful.

Configuring a shared GitOps instance

If your platform team has not already provisioned the shared OpenShift GitOps Operator instance, take the following installation and configuration steps:

  1. Create the <uipath> namespace:

    oc get namespace <uipath> || oc new-project <uipath>
oc project <uipath>
oc get namespace <uipath> || oc new-project <uipath>
oc project <uipath>

  2. Install the OpenShift GitOps Operator by following the instructions in Installing OpenShift GitOps. This installation comes with the default ArgoCD instance, named openshift-gitops, in the <openshift-gitops> namespace.

  3. Enable cluster-wide mode for ArgoCD by taking the following steps:

    1. In <openshift-gitops>, edit the openshift-gitops-operator subscription resource to include the following environment variable: 
      ARGOCD_CLUSTER_CONFIG_NAMESPACES: <openshift-gitops>
ARGOCD_CLUSTER_CONFIG_NAMESPACES: <openshift-gitops>
    2. Follow the instructions in Using an ArgoCD instance to manage cluster-scoped resources.

  4. Make sure that the openshift-gitops ArgoCD instance can manage the <uipath> namespace:

    oc label namespace <uipath> argocd.argoproj.io/managed-by=openshift-gitops
oc label namespace <uipath> argocd.argoproj.io/managed-by=openshift-gitops

    After you apply the configuration, restart the ArgoCD openshift-gitops-application-controller (statefulset) and openshift-gitops-server (deployment).

  5. Patch the ArgoCD deployment:

    oc -n <uipath> patch deployment argocd-server 
  -p '{"spec":{"template":{"metadata":{"labels":{"maistra.io/expose-route":"true"}}}}}'
oc -n <uipath> patch deployment argocd-server 
  -p '{"spec":{"template":{"metadata":{"labels":{"maistra.io/expose-route":"true"}}}}}'

  6. Create an ArgoCD project for the UiPath® application:

    apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: uipath
  namespace: <openshift-gitops>
spec:
  description: Appproject to managed and deploy uipath applications
  clusterResourceWhitelist:
    - group: '*'
      kind: '*'
  destinations:
    - namespace: <uipath>
      server: https://kubernetes.default.svc
    - namespace: <istio-system>
      server: https://kubernetes.default.svc
  sourceNamespaces:
    - <openshift-gitops>
  sourceRepos:
    - '*'
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: uipath
  namespace: <openshift-gitops>
spec:
  description: Appproject to managed and deploy uipath applications
  clusterResourceWhitelist:
    - group: '*'
      kind: '*'
  destinations:
    - namespace: <uipath>
      server: https://kubernetes.default.svc
    - namespace: <istio-system>
      server: https://kubernetes.default.svc
  sourceNamespaces:
    - <openshift-gitops>
  sourceRepos:
    - '*'

  7. Create a role so that ArgoCD can manage limit ranges. To create the role, take the following steps:

    1. Save the following role configuration as a YAML file: 
      kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: limit-range-manager
  namespace: <uipath>
rules:
  - apiGroups: ["*"]
    resources: ["limitranges"]
    verbs: ["get", "watch", "list", "patch", "update", "create"]
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: limit-range-manager
  namespace: <uipath>
rules:
  - apiGroups: ["*"]
    resources: ["limitranges"]
    verbs: ["get", "watch", "list", "patch", "update", "create"]
    2. Apply the configuration by running the following command. Make sure to replace the <file_name.yaml> placeholder with the actual name of the YAML file: 
      oc apply -f <file_name.yaml>
oc apply -f <file_name.yaml>

  8. Bind the limit-range-manager role to the argocd service account:

    oc -n <uipath> create rolebinding limit-range-manager-binding --role=limit-range-manager --serviceaccount=<openshift-gitops>:openshift-gitops-argocd-application-controller
oc -n <uipath> create rolebinding limit-range-manager-binding --role=limit-range-manager --serviceaccount=<openshift-gitops>:openshift-gitops-argocd-application-controller

  9. Create a role to manage the applications in the <openshift-gitops> namespace:

    apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: uipath-application-manager
  namespace: <openshift-gitops>
rules:
- apiGroups:
  - argoproj.io
  resources:
  - applications
  verbs:
  - "*"
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: uipath-application-manager
  namespace: <openshift-gitops>
rules:
- apiGroups:
  - argoproj.io
  resources:
  - applications
  verbs:
  - "*"

  10. Bind the uipath-application-manager role to the uipathadmin service account:

    oc project <openshift-gitops>
oc create rolebinding uipath-application-manager \
  --role=uipath-application-manager --serviceaccount=<uipath>:uipathadmin
oc project <openshift-gitops>
oc create rolebinding uipath-application-manager \
  --role=uipath-application-manager --serviceaccount=<uipath>:uipathadmin

  11. Create a role so that ArgoCD can create and edit the secret in the <openshift-gitops> namespace. The ArgoCD application requires this role to update the Helm secret. The following sample shows a valid configuration for the role:

    apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: argo-secret-role
  namespace: <openshift-gitops>
rules:
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["roles", "rolebindings"]
    verbs: ["*"]
  - apiGroups: ["*"]
    resources: ["secrets"]
    verbs: ["get", "watch", "list", "patch", "update", "create"]
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: argo-secret-role
  namespace: <openshift-gitops>
rules:
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["roles", "rolebindings"]
    verbs: ["*"]
  - apiGroups: ["*"]
    resources: ["secrets"]
    verbs: ["get", "watch", "list", "patch", "update", "create"]

  12. Bind the argo-secret-role role to the uipathadmin service account:

    oc project <openshift-gitops>
oc create rolebinding secret-binding \
  --role=argo-secret-role --serviceaccount=<uipath>:uipathadmin
oc project <openshift-gitops>
oc create rolebinding secret-binding \
  --role=argo-secret-role --serviceaccount=<uipath>:uipathadmin

  13. Bind the namespace-reader role in the <openshift-gitops> namespace to the uipathadmin service account:

    oc project <openshift-gitops>
oc create rolebinding namespace-reader-rolebinding \
  --clusterrole=namespace-reader-clusterrole --serviceaccount=<uipath>:uipathadmin
oc project <openshift-gitops>
oc create rolebinding namespace-reader-rolebinding \
  --clusterrole=namespace-reader-clusterrole --serviceaccount=<uipath>:uipathadmin

In addition to completing the steps to configure the shared ArgoCD instance for the Automation Suite installation, you must add the following parameters to the input.json file:

  "argocd": {
    "project": "<uipath>"
  },
  "argocd": {
    "project": "<uipath>"
  },

Accessing the shared ArgoCD instance

To access ArgoCD, take the following steps:

  1. Get the host URL by running the following commands: 
    oc get routes openshift-gitops-server -n <openshift-gitops> -o jsonpath={.spec.host}; echo
oc get routes openshift-gitops-server -n <openshift-gitops> -o jsonpath={.spec.host}; echo
  2. To log in, use admin as the username and run the following command to get the password: 
    oc -n <openshift-gitops> get secrets openshift-gitops-cluster \
  -o "jsonpath={.data['admin\.password']}" | base64 -d; echo
oc -n <openshift-gitops> get secrets openshift-gitops-cluster \
  -o "jsonpath={.data['admin\.password']}" | base64 -d; echo

Configuring the private Helm repository and certificates in ArgoCD

To configure the Helm repository in ArgoCD, take the following steps:

  1. Log in to ArgoCD.
  2. Navigate to Settings > Repositories > +CONNECT REPO.
  3. Use VIA HTTPS for the connection method.
  4. Select Helm as the type.
  5. Provide a name.
  6. Choose uipath as the project. uipath is the name of the ArgoCD project you created for the UiPath® application.
  7. Provide the repository URL, username, password, and certificate info.
    Important:

    When adding the TLS client certificate on the +CONNECT REPO page, the TLS client certificate key becomes a mandatory field. To configure the registry certificate without the TLS client certificate key, take the following steps:

    1. Navigate to Settings > Repository certificates and known hosts > +ADD TLS CERTIFICATE.
    2. Add the repository name and TLS certificate in PEM format.
  8. Enable the OCI checkbox.
  9. Select Connect.
  10. Make sure that the connection status is Successful.

Configuring ArgoCD for multiple installations in a single cluster

To configure ArgoCD for multiple Automation Suite installations in a single OpenShift cluster, follow these steps:

  1. Check if all the services of ArgoCD are up and running. You can run the following command to monitor all the pods: 
    oc get pods -n <argocd>
oc get pods -n <argocd>
  2. Once all services are up and running, you can use the following command sequentially to patch ArgoCD's permissions. This allows ArgoCD to manage different application namespaces where Automation Suite is installed: 
    oc patch appprojects.argoproj.io default -n <argocd> --type='merge' -p '{"spec": {"sourceNamespaces": ["*"]}}'
oc patch configmaps argocd-cmd-params-cm -n <argocd> --type='merge' -p '{"data": {"application.namespaces": "*"}}'
oc rollout restart -n <argocd> deployment argocd-server
oc rollout restart -n <argocd> statefulset argocd-application-controller
oc patch appprojects.argoproj.io default -n <argocd> --type='merge' -p '{"spec": {"sourceNamespaces": ["*"]}}'
oc patch configmaps argocd-cmd-params-cm -n <argocd> --type='merge' -p '{"data": {"application.namespaces": "*"}}'
oc rollout restart -n <argocd> deployment argocd-server
oc rollout restart -n <argocd> statefulset argocd-application-controller

Was this page helpful?

Connect

Need help? Support

Want to learn? UiPath Academy

Have questions? UiPath Forum

Stay updated