This section provides information about how to install and configure the ingress-based NGINX load balancer to load balance Oracle SOA Suite domain clusters. You can configure NGINX for non-SSL, SSL termination, and end-to-end SSL access of the application URL.
Follow these steps to set up NGINX as a load balancer for an Oracle SOA Suite domain in a Kubernetes cluster:
See the official installation document for prerequisites.
To get repository information, enter the following Helm commands:
$ helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
$ helm repo update
Deploy the ingress-nginx controller by using Helm on the domain namespace:
$ helm install nginx-ingress -n soans \
--set controller.service.type=NodePort \
--set controller.admissionWebhooks.enabled=false \
ingress-nginx/ingress-nginx
Check the status of the deployed ingress controller:
$ kubectl --namespace soans get services | grep ingress-nginx-controller
Sample output:
nginx-ingress-ingress-nginx-controller NodePort 10.106.186.235 <none> 80:32125/TCP,443:31376/TCP 19m
Create an ingress for the domain in the domain namespace by using the sample Helm chart. Here path-based routing is used for ingress. Sample values for default configuration are shown in the file ${WORKDIR}/weblogic-kubernetes-operator/kubernetes/samples/charts/ingress-per-domain/values.yaml. By default, type is TRAEFIK, tls is Non-SSL, and domainType is soa. These values can be overridden by passing values through the command line or can be edited in the sample file values.yaml. If needed, you can update the ingress YAML file to define more path rules (in section spec.rules.host.http.paths) based on the domain application URLs that need to be accessed. Update the template YAML file for the NGINX load balancer located at ${WORKDIR}/weblogic-kubernetes-operator/kubernetes/samples/charts/ingress-per-domain/templates/nginx-ingress.yaml.
$ cd ${WORKDIR}/weblogic-kubernetes-operator
$ helm install soa-nginx-ingress kubernetes/samples/charts/ingress-per-domain \
--namespace soans \
--values kubernetes/samples/charts/ingress-per-domain/values.yaml \
--set "nginx.hostname=$(hostname -f)" \
--set type=NGINX
Sample output:
NAME: soa-nginx-ingress
LAST DEPLOYED: Fri Jul 24 09:34:03 2020
NAMESPACE: soans
STATUS: deployed
REVISION: 1
TEST SUITE: None
For secured access (SSL) to the Oracle SOA Suite application, create a certificate and generate a Kubernetes secret:
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /tmp/tls1.key -out /tmp/tls1.crt -subj "/CN=domain1.org"
$ kubectl -n soans create secret tls domain1-tls-cert --key /tmp/tls1.key --cert /tmp/tls1.crt
Note: The value of CN is the hostname on which this ingress is to be deployed.
Install ingress-per-domain using Helm for SSL configuration:
$ cd ${WORKDIR}/weblogic-kubernetes-operator
$ helm install soa-nginx-ingress kubernetes/samples/charts/ingress-per-domain \
--namespace soans \
--values kubernetes/samples/charts/ingress-per-domain/values.yaml \
--set "nginx.hostname=$(hostname -f)" \
--set type=NGINX --set tls=SSL
Sample output:
NAME: soa-nginx-ingress
LAST DEPLOYED: Fri Jul 24 09:34:03 2020
NAMESPACE: soans
STATUS: deployed
REVISION: 1
TEST SUITE: None
For non-SSL access to the Oracle SOA Suite application, get the details of the services by the ingress:
$ kubectl describe ingress soainfra-nginx -n soans
For SSL access to the Oracle SOA Suite application, get the details of the services by the above deployed ingress:
$ kubectl describe ingress soainfra-nginx -n soans
Verify that the Oracle SOA Suite domain application URLs are accessible through the LOADBALANCER-Non-SSLPORT 30017:
http://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-Non-SSLPORT}/weblogic/ready
http://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-Non-SSLPORT}/console
http://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-Non-SSLPORT}/em
http://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-Non-SSLPORT}/soa-infra
http://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-Non-SSLPORT}/soa/composer
http://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-Non-SSLPORT}/integration/worklistapp
Verify that the Oracle SOA Suite domain application URLs are accessible through the LOADBALANCER-SSLPORT 30233:
https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/weblogic/ready
https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/console
https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/em
https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/soa-infra
https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/soa/composer
https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/integration/worklistapp
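The NodePort values are assigned per installation (the sample controller output earlier on this page shows 32125 and 31376), so the ports in the URL lists above are best read from the controller service. The following is an added example, not part of the original document: the function names are illustrative, the sample line is constructed from the page's sample output, and passing the certificate to --cacert assumes the ingress presents the self-signed certificate created earlier.

```shell
# Added example. SAMPLE_SVC is constructed from the sample output on this page.
SAMPLE_SVC='nginx-ingress-ingress-nginx-controller NodePort 10.106.186.235 <none> 80:32125/TCP,443:31376/TCP 19m'

# Print the NodePort mapped to <service-port> in one `kubectl get services` line.
# Returns non-zero if the service does not expose that port.
node_port() {   # <service-line> <service-port>
  printf '%s\n' "$1" | awk -v want="$2" '{
    n = split($5, maps, ",")              # PORT(S) column: 80:32125/TCP,443:31376/TCP
    for (i = 1; i <= n; i++) {
      split(maps[i], f, "[:/]")           # "443:31376/TCP" -> 443, 31376, TCP
      if (f[1] == want) { print f[2]; found = 1 }
    }
  } END { exit (found ? 0 : 1) }'
}

# Print one URL per application path listed on this page.
app_urls() {    # <http|https> <host> <node-port>
  for p in /weblogic/ready /console /em /soa-infra /soa/composer /integration/worklistapp; do
    printf '%s://%s:%s%s\n' "$1" "$2" "$3" "$p"
  done
}

# Request every URL and print its HTTP status. Returns non-zero if any request
# gets no response. With a fourth argument the server certificate is verified
# against that file instead of being skipped with -k.
smoke_check() { # <http|https> <host> <node-port> [ca-cert.pem]
  rc=0
  for url in $(app_urls "$1" "$2" "$3"); do
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 ${4:+--cacert "$4"} "$url") || rc=1
    printf '%s %s\n' "${code:-000}" "$url"
  done
  return "$rc"
}

# Against a live cluster:
#   line=$(kubectl --namespace soans get services | grep ingress-nginx-controller)
#   smoke_check http  "$(hostname -f)" "$(node_port "$line" 80)"
#   smoke_check https "$(hostname -f)" "$(node_port "$line" 443)" /path/to/tls1.crt
```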
Uninstall and delete the ingress-nginx deployment:
$ helm delete soa-nginx-ingress -n soans
For secured access (SSL) to the Oracle SOA Suite application, create a certificate and generate secrets:
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /tmp/tls1.key -out /tmp/tls1.crt -subj "/CN=domain1.org"
$ kubectl -n soans create secret tls domain1-tls-cert --key /tmp/tls1.key --cert /tmp/tls1.crt
Note: The value of CN is the host on which this ingress is to be deployed.
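Both certificate steps on this page (for SSL termination and for end-to-end SSL) write the private key to /tmp/tls1.key and rely on CN matching the ingress host. The following is an added example, not part of the original document, of checks to run before the key and certificate are loaded into the secret. The function names are illustrative, and `stat -c` assumes GNU coreutils.

```shell
#!/usr/bin/env bash
# Added example: checks to run on the key and certificate before
# `kubectl create secret tls`. Function names are illustrative.

# 0 if the certificate is valid for the host name clients will connect to.
cert_matches_host() {    # <cert.pem> <hostname>
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# 0 if the certificate is still valid <days> days from now.
cert_valid_for_days() {  # <cert.pem> <days>
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# 0 if the private key belongs to the certificate (same public key).
key_matches_cert() {     # <key.pem> <cert.pem>
  _k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  _c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$_k" ] && [ "$_k" = "$_c" ]
}

# 0 if only the owner can read the key file (mode 600 or 400).
key_is_private() {       # <key.pem>
  case "$(stat -c '%a' "$1" 2>/dev/null)" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Runs all four checks; the return code identifies the first one that failed.
preflight_tls() {        # <key.pem> <cert.pem> <hostname> [min-days]
  cert_matches_host "$2" "$3"         || { echo "certificate does not cover $3" >&2; return 1; }
  cert_valid_for_days "$2" "${4:-30}" || { echo "certificate expires within ${4:-30} days" >&2; return 2; }
  key_matches_cert "$1" "$2"          || { echo "key does not match certificate" >&2; return 3; }
  key_is_private "$1"                 || { echo "key file is readable by other users" >&2; return 4; }
}

# Usage with the page's values, writing the key to a private directory:
#   umask 077; d=$(mktemp -d)
#   openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
#     -keyout "$d/tls1.key" -out "$d/tls1.crt" -subj "/CN=domain1.org"
#   preflight_tls "$d/tls1.key" "$d/tls1.crt" domain1.org &&
#     kubectl -n soans create secret tls domain1-tls-cert \
#       --key "$d/tls1.key" --cert "$d/tls1.crt"
#   rm -rf "$d"
```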
Deploy the ingress-nginx controller by using Helm on the domain namespace:
$ helm install nginx-ingress -n soans \
--set controller.extraArgs.default-ssl-certificate=soans/domain1-tls-cert \
--set controller.service.type=NodePort \
--set controller.admissionWebhooks.enabled=false \
--set controller.extraArgs.enable-ssl-passthrough=true \
ingress-nginx/ingress-nginx
Check the status of the deployed ingress controller:
$ kubectl --namespace soans get services | grep ingress-nginx-controller
Sample output:
nginx-ingress-ingress-nginx-controller NodePort 10.96.177.215 <none> 80:32748/TCP,443:31940/TCP 23s
Deploy tls to securely access the services. Only one application can be configured with ssl-passthrough. A sample tls file for NGINX is shown below for the service soainfra-cluster-soa-cluster and port 8002. All the applications running on port 8002 can be securely accessed through this ingress.
For each backend service, create different ingresses, as NGINX does not support multiple paths or rules with annotation ssl-passthrough. For example, for soainfra-adminserver-nginx-ssl, soainfra-cluster-soa-cluster, and soainfra-cluster-osb-cluster, different ingresses must be created.
As ssl-passthrough in NGINX works on the clusterIP of the backing service instead of individual endpoints, you must expose the adminserver service created by the operator with a clusterIP.
For example:
a. Get the name of Administration Server service:
$ kubectl get svc -n soans | grep soainfra-adminserver
Sample output:
soainfra-adminserver ClusterIP None <none> 7001/TCP,7002/TCP 1s
b. Expose the Administration Server service soainfra-adminserver and use the new service name soainfra-adminserver-nginx-ssl:
$ kubectl expose svc soainfra-adminserver -n soans --name=soainfra-adminserver-nginx-ssl --port=7002
See the sample backend services for domainUID soainfra:
# Backend for Oracle SOA Suite service with domainUID "soainfra"
backend:
serviceName: soainfra-cluster-soa-cluster
servicePort: 8002
# Backend for Oracle Service Bus service with domainUID "soainfra"
backend:
serviceName: soainfra-cluster-osb-cluster
servicePort: 9002
# Backend for Administration Server service with domainUID "soainfra"
backend:
serviceName: soainfra-adminserver-nginx-ssl
servicePort: 7002
Deploy the secured ingress:
$ cd ${WORKDIR}/weblogic-kubernetes-operator/kubernetes/samples/charts/ingress-per-domain/tls
$ kubectl create -f nginx-tls.yaml
Note: The default nginx-tls.yaml contains the backend for Oracle SOA Suite service with domainUID soainfra. You need to create similar tls configuration YAML files separately for each backend service.
Note: host is the server on which this ingress is deployed.
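With ssl-passthrough the controller forwards the TLS connection without decrypting it and selects the backend from the TLS SNI host name, so URL paths cannot be used to tell the backends apart. The following is an added example, not the project's nginx-tls.yaml, that renders one ingress per backend listed above. The host names and ingress names are hypothetical placeholders, `ingressClassName: nginx` assumes the chart's default class name, and the manifests use the networking.k8s.io/v1 field names rather than the serviceName/servicePort form shown above.

```shell
# Added example. Host names are hypothetical placeholders; services and ports
# are the three backends listed on this page for domainUID "soainfra".
BACKENDS='soa.example.com soainfra-cluster-soa-cluster 8002
osb.example.com soainfra-cluster-osb-cluster 9002
admin.example.com soainfra-adminserver-nginx-ssl 7002'

# Print host names that appear more than once in the backend table.
duplicate_hosts() {   # <backend-table>
  printf '%s\n' "$1" | awk '{ print $1 }' | sort | uniq -d
}

# Render one passthrough Ingress. There is no tls: section because the
# WebLogic server behind the service terminates TLS, not NGINX.
render_passthrough_ingress() {   # <ingress-name> <host> <service> <port>
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: $1
  namespace: soans
  annotations:
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  ingressClassName: nginx
  rules:
  - host: $2
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: $3
            port:
              number: $4
EOF
}

# Render every backend; refuse if two backends share an SNI host name,
# because only one of them would receive traffic.
render_all() {   # <backend-table>
  dups=$(duplicate_hosts "$1")
  [ -z "$dups" ] || { echo "host used by more than one backend: $dups" >&2; return 1; }
  printf '%s\n' "$1" | while read -r host svc port; do
    render_passthrough_ingress "$svc-passthrough" "$host" "$svc" "$port"
    echo '---'
  done
}
# Apply with: render_all "$BACKENDS" | kubectl apply -f -
```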
Check the services supported by the ingress:
$ kubectl describe ingress soang-ingress -n soans
Verify that the Oracle SOA Suite domain application URLs are accessible through the LOADBALANCER-SSLPORT 30233:
https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/soa-infra
https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/soa/composer
https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/integration/worklistapp
$ cd weblogic-kubernetes-operator/kubernetes/samples/charts/ingress-per-domain/tls
$ kubectl delete -f nginx-tls.yaml