Voyager

Voyager/HAProxy is a popular ingress-based load balancer for production environments. This section provides information about how to install and configure Voyager/HAProxy to load balance Oracle SOA Suite domain clusters. You can configure Voyager for non-SSL, SSL termination, and end-to-end SSL access of the application URL.

Follow these steps to set up Voyager as a load balancer for an Oracle SOA Suite domain in a Kubernetes cluster:

Non-SSL and SSL termination

Install the Voyager load balancer
  1. Add the AppsCode chart repository:

    $ helm repo add appscode https://charts.appscode.com/stable/
    $ helm repo update
    
  2. Verify that the chart repository has been added:

    $ helm search repo appscode/voyager
    

    NOTE: After updating the Helm repository, the Voyager version listed may be newer that the one appearing here. Check with the Voyager site for the latest supported versions.

  3. Install the Voyager operator:

    NOTE: The Voyager version used for the install should match the version found with helm search.

    $ kubectl create ns voyager
    $ helm install voyager-operator appscode/voyager --version 10.0.0 \
      --namespace voyager \
      --set cloudProvider=baremetal \
      --set apiserver.enableValidatingWebhook=false
    

    Wait until the Voyager operator is running.

  4. Check the status of the Voyager operator:

    $ kubectl get all -n voyager
    
    Click here to see the sample output.

    See the official installation document for more details.

  5. Update the Voyager operator

    After the Voyager operator is installed and running, upgrade the Voyager operator using the helm upgrade command, where voyager is the Voyager namespace and soans is the namespace of the domain.

      $ helm upgrade voyager-operator appscode/voyager --namespace voyager
    
    Click here to see the sample output.
Configure Voyager to manage ingresses
  1. Create an ingress for the domain in the domain namespace by using the sample Helm chart. Here path-based routing is used for ingress. Sample values for default configuration are shown in the file ${WORKDIR}/weblogic-kubernetes-operator/kubernetes/samples/charts/ingress-per-domain/values.yaml. By default, type is TRAEFIK , tls is Non-SSL, and domainType is soa. These values can be overridden by passing values through the command line or can be edited on the sample file values.yaml.

    If needed, you can update the ingress yaml file to define more path rules (in the spec.rules.host.http.paths section) based on the domain application URLs that need to be accessed. You need to update the template yaml file for the Voyager (ingress-based) load balancer located at ${WORKDIR}/weblogic-kubernetes-operator/kubernetes/samples/charts/ingress-per-domain/templates/voyager-ingress.yaml

     $ cd ${WORKDIR}/weblogic-kubernetes-operator
     $ helm install soa-voyager-ingress kubernetes/samples/charts/ingress-per-domain \
         --namespace soans \
         --values kubernetes/samples/charts/ingress-per-domain/values.yaml \
         --set type=VOYAGER
    
    Click here to check the output of the ingress per domain
  2. To secure access (SSL) to the Oracle SOA Suite application, create a certificate and generate secrets:

     $ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /tmp/tls1.key -out /tmp/tls1.crt -subj "/CN=*"
     $ kubectl -n soans create secret tls domain1-tls-cert --key /tmp/tls1.key --cert /tmp/tls1.crt
    
  3. Deploy ingress-per-domain using Helm for SSL configuration.

    If needed, you can update the ingress yaml file to define more path rules (in the spec.rules.host.http.paths section) based on the domain application URLs that need to be accessed. You need to update the template yaml file for the Voyager (ingress-based) load balancer located at ${WORKDIR}/weblogic-kubernetes-operator/kubernetes/samples/charts/ingress-per-domain/templates/voyager-ingress.yaml

     $ cd ${WORKDIR}/weblogic-kubernetes-operator
     $ helm install soa-voyager-ingress kubernetes/samples/charts/ingress-per-domain \
         --namespace soans  \
         --values kubernetes/samples/charts/ingress-per-domain/values.yaml \
         --set type=VOYAGER \
         --set tls=SSL
    
    Click here to see the sample output of the above Commnad.
  4. For non-SSL access to the Oracle SOA Suite application, get the details of the services deployed by the above ingress:

    $ kubectl describe ingress.voyager.appscode.com/soainfra-voyager -n soans
    
    Click here to see the sample output of the services supported by the above deployed ingress.
  5. For SSL access to the Oracle SOA Suite application, get the details of the services by the above deployed ingress:

     $ kubectl describe ingress.voyager.appscode.com/soainfra-voyager -n soans
    
    Click here to see all the services configured by the above deployed ingress.
  6. To confirm that the load balancer noticed the new ingress and is successfully routing to the domain’s server pods, you can send a request to the URL for the “WebLogic ReadyApp framework” which should return a HTTP 200 status code, as follows:

    $ curl -v http://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-PORT}/weblogic/ready
    * About to connect() to localhost port 30305 (#0)
    * Trying 127.0.0.1...
    * Connected to localhost (127.0.0.1) port 30305 (#0)
    > GET /weblogic/ready HTTP/1.1
    > User-Agent: curl/7.29.0
    > Accept: */*
    > host: *****.com
    >
    < HTTP/1.1 200 OK
    < Content-Length: 0
    < Date: Thu, 12 Mar 2020 10:16:43 GMT
    < Vary: Accept-Encoding
    <
    * Connection #0 to host localhost left intact
    
Verify Non-SSL and SSL access

After setting up the Voyager (ingress-based) load balancer, verify that the Oracle SOA Suite domain applications are accessible through the load balancer port 30305 (both SSL and non-SSL). The application URLs for Oracle SOA Suite domain of type soa are:

Note: Port 30305 is the LOADBALANCER-Non-SSLPORT and LOADBALANCER-SSLPORT.

Non-SSL configuration
 http://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-Non-SSLPORT}/weblogic/ready
 http://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-Non-SSLPORT}/console
 http://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-Non-SSLPORT}/em
 http://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-Non-SSLPORT}/soa-infra
 http://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-Non-SSLPORT}/soa/composer
 http://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-Non-SSLPORT}/integration/worklistapp
SSL configuration
https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/weblogic/ready
https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/console
https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/em
https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/soa-infra
https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/soa/composer
https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/integration/worklistapp
Uninstalling the chart

To uninstall and delete the my-ingress deployment, enter the following command:

 $ helm delete soa-voyager-ingress -n soans

End-to-end SSL configuration

Install Voyager load balancer for end-to-end SSL

Install the Voyager load balancer as described here.

  1. Check the status of the Voyager operator.

     $ kubectl get all -n voyager
    

    Sample output:

      NAME                                   READY   STATUS    RESTARTS   AGE
      pod/voyager-operator-b84f95f8f-4szhl   1/1     Running   0          43h
    
      NAME                         TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)             AGE
      service/voyager-operator   ClusterIP   10.107.201.155   <none>        443/TCP,56791/TCP   43h
    
      NAME                               READY   UP-TO-DATE   AVAILABLE   AGE
      deployment.apps/voyager-operator   1/1     1            1           43h
    
      NAME                                         DESIRED   CURRENT   READY   AGE
      replicaset.apps/voyager-operator-b84f95f8f   1         1         1       43h
    
  2. For secured access (SSL) to the Oracle SOA Suite application, create a certificate and generate Kuberentes secrets:

     $ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /tmp/tls1.key -out /tmp/tls1.crt -subj "/CN=*"
     $ kubectl -n soans create secret tls domain1-tls-cert --key /tmp/tls1.key --cert /tmp/tls1.crt
    
Deploy tls to access services
  1. Deploy tls to securely access the services. Only one application can be configured with ssl-passthrough. A sample tls file for Voyager is shown below for the service soainfra-cluster-soa-cluster and port 8002. All the applications running on port 8002 can be securely accessed through this ingress. For each backend service, create different ingresses as Voyager does not support multiple path/rules with annotation ssl-passthrough (that is, for soainfra-cluster-soa-cluster and soainfra-cluster-osb-cluster different ingresses should be created).

     $ cd ${WORKDIR}/weblogic-kubernetes-operator/kubernetes/samples/charts/ingress-per-domain/tls
    
    Click here to see the content of the file voyager-tls.yaml
     $ kubectl create -f voyager-tls.yaml
    
    Click here to see the services supported by the ingress
Verify end-to-end SSL access

Verify that the Oracle SOA Suite domain application URLs are accessible through the SSLPORT 31443:

https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/soa-infra
https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/soa/composer
https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/integration/worklistapp
Uninstall the Voyager tls
 $ cd ${WORKDIR}/weblogic-kubernetes-operator/kubernetes/samples/charts/ingress-per-domain/tls
 $ kubectl  delete -f voyager-tls.yaml