Oracle Fusion Middleware on Kubernetes > Oracle WebCenter Content > Administration Guide > Set up a load balancer > NGINX

NGINX

This section provides information about how to install and configure the ingress-based NGINX load balancer to load balance Oracle WebCenter Content domain clusters. You can configure NGINX for non-SSL, SSL termination, and end-to-end SSL access of the application URL.

Follow these steps to set up NGINX as a load balancer for an Oracle WebCenter Content domain in a Kubernetes cluster:

See the official installation document for prerequisites.

Non-SSL and SSL termination
End-to-end SSL configuration

To get repository information, enter the following Helm commands:

  $ helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
  $ helm repo update

Non-SSL and SSL termination

Install the NGINX load balancer

Deploy the ingress-nginx controller by using Helm on the domain namespace:

 $ helm install nginx-ingress -n wccns \
        --set controller.service.type=NodePort \
        --set controller.admissionWebhooks.enabled=false \
          ingress-nginx/ingress-nginx

Click here to see the sample output.

Check the status of the deployed ingress controller:

$ kubectl --namespace wccns get services | grep ingress-nginx-controller

Sample output:

 nginx-ingress-ingress-nginx-controller    NodePort    10.97.189.122    <none>            80:30993/TCP,443:30232/TCP    7d2h

Configure NGINX to manage ingresses

Create an ingress for the domain in the domain namespace by using the sample Helm chart. Here path-based routing is used for ingress. Sample values for default configuration are shown in the file ${WORKDIR}/weblogic-kubernetes-operator/kubernetes/samples/charts/ingress-per-domain/values.yaml. By default, type is TRAEFIK, tls is Non-SSL, and domainType is wccinfra. These values can be overridden by passing values through the command line or can be edited in the sample file values.yaml. If needed, you can update the ingress YAML file to define more path rules (in section spec.rules.host.http.paths) based on the domain application URLs that need to be accessed. Update the template YAML file for the NGINX load balancer located at ${WORKDIR}/weblogic-kubernetes-operator/kubernetes/samples/charts/ingress-per-domain/templates/nginx-ingress.yaml

    $ cd ${WORKDIR}/weblogic-kubernetes-operator
    $ helm install wccinfra-nginx-ingress  kubernetes/samples/charts/ingress-per-domain \
        --namespace wccns \
        --values kubernetes/samples/charts/ingress-per-domain/values.yaml \
        --set "nginx.hostname=$(hostname -f)" \
        --set type=NGINX \
        --set tls=NONSSL

Sample output:

  NAME: wccinfra-nginx-ingress
  LAST DEPLOYED: Sun Feb  7 23:52:38 2021
  NAMESPACE: wccns
  STATUS: deployed
  REVISION: 1
  TEST SUITE: None

For secured access (SSL) to the Oracle WebCenter Content application, create a certificate and generate a Kubernetes secret:

 $ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /tmp/tls1.key -out /tmp/tls1.crt -subj "/CN=*"
 $ kubectl -n wccns create secret tls domain1-tls-cert --key /tmp/tls1.key --cert /tmp/tls1.crt

Install ingress-per-domain using Helm for SSL configuration:

 $ cd ${WORKDIR}/weblogic-kubernetes-operator
 $ helm install wccinfra-nginx-ingress  kubernetes/samples/charts/ingress-per-domain \
     --namespace wccns \
     --values kubernetes/samples/charts/ingress-per-domain/values.yaml \
     --set "nginx.hostname=$(hostname -f)" \
     --set type=NGINX --set tls=SSL

Sample output:

 NAME: wccinfra-nginx-ingress
 LAST DEPLOYED: Mon Feb  8 00:01:13 2021
 NAMESPACE: wccns
 STATUS: deployed
 REVISION: 1
 TEST SUITE: None

For non-SSL access or SSL to the Oracle WebCenter Content application, get the details of the services by the ingress:
```
  $ kubectl describe ingress wccinfra-nginx  -n wccns
```

Click here to see the sample output of the services supported by the above deployed ingress.

Name:             wccinfra-nginx
Namespace:        wccns
Address:          10.97.189.122
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
TLS:
  domain1-tls-cert terminates domain1.org
Rules:
  Host                                        Path  Backends
  ----                                        ----  --------
  domain1.org
                                              /console                 wccinfra-adminserver:7001 (10.244.0.58:7001)
                                              /em                      wccinfra-adminserver:7001 (10.244.0.58:7001)
                                              /servicebus              wccinfra-adminserver:7001 (10.244.0.58:7001)
                                              /cs                      wccinfra-cluster-ucm-cluster:16200 (10.244.0.60:16200,10.244.0.61:16200)
                                              /adfAuthentication       wccinfra-cluster-ucm-cluster:16200 (10.244.0.60:16200,10.244.0.61:16200)
                                              /ibr                     wccinfra-cluster-ibr-cluster:16250 (10.244.0.59:16250)
                                              /ibr/adfAuthentication   wccinfra-cluster-ibr-cluster:16250 (10.244.0.59:16250)
                                              /weblogic/ready          wccinfra-cluster-ucm-cluster:16200 (10.244.0.60:16200,10.244.0.61:16200)
Annotations:                                  kubernetes.io/ingress.class: nginx
                                              meta.helm.sh/release-name: wccinfra-nginx-ingress
                                              meta.helm.sh/release-namespace: wccns
                                              nginx.ingress.kubernetes.io/configuration-snippet:
                                                more_set_input_headers "X-Forwarded-Proto: https";
                                                more_set_input_headers "WL-Proxy-SSL: true";
                                              nginx.ingress.kubernetes.io/ingress.allow-http: false
Events:                                       <none>

Verify non-SSL and SSL termination access

Non-SSL configuration

Verify that the Oracle WebCenter Content domain application URLs are accessible through the LOADBALANCER-Non-SSLPORT:

  http://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-Non-SSLPORT}/weblogic/ready
  http://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-Non-SSLPORT}/console
  http://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-Non-SSLPORT}/em
  http://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-Non-SSLPORT}/cs
  http://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-Non-SSLPORT}/ibr

SSL configuration

Verify that the Oracle WebCenter Content domain application URLs are accessible through the LOADBALANCER-SSLPORT:

  https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/weblogic/ready
  https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/console
  https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/em
  https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/cs
  https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/ibr

Uninstall the ingress

Uninstall and delete the ingress-nginx deployment:

  $ helm delete wccinfra-nginx -n wccns

End-to-end SSL configuration

Install the NGINX load balancer for End-to-end SSL

For secured access (SSL) to the Oracle WebCenter Content application, create a certificate and generate secrets:

 $ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /tmp/tls1.key -out /tmp/tls1.crt -subj "/CN=*"
 $ kubectl -n wccns create secret tls domain1-tls-cert --key /tmp/tls1.key --cert /tmp/tls1.crt

Deploy the ingress-nginx controller by using Helm on the domain namespace:

 $ helm install nginx-ingress -n wccns \
 --set controller.extraArgs.default-ssl-certificate=wccns/domain1-tls-cert \
 --set controller.service.type=NodePort \
 --set controller.admissionWebhooks.enabled=false \
 --set controller.extraArgs.enable-ssl-passthrough=true \
 ingress-nginx/ingress-nginx

Click here to see the sample output.

Check the status of the deployed ingress controller:

 $ kubectl --namespace wccns get services | grep ingress-nginx-controller

Sample output:

  nginx-ingress-ingress-nginx-controller   NodePort    10.97.189.122    <none>            80:30993/TCP,443:30232/TCP    168m

Deploy tls to access UCM and IBR Managed Servers

Deploy tls to securely access the services. Only one application can be configured with ssl-passthrough. A sample tls file for NGINX is shown below for the service wccinfra-cluster-ucm-cluster and port 16201. All the applications running on port 16201 can be securely accessed through this ingress. For each backend service, create different ingresses as NGINX does not support multiple path/rules with annotation ssl-passthrough. That is, for wccinfra-cluster-ucm-cluster, wccinfra-cluster-ibr-cluster and wccinfra-adminserver, different ingresses must be created.
```
 $ cd ${WORKDIR}/weblogic-kubernetes-operator/kubernetes/samples/charts/ingress-per-domain/tls
```
Sample nginx-ucm-tls.yaml:
Click here to see the content of the file nginx-ucm-tls.yaml
```
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: wcc-ucm-ingress
  namespace: wccns
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  tls:
  - hosts:
    - 'domain1.org'
    secretName: domain1-tls-cert
  rules:
  - host: 'domain1.org'
    http:
      paths:
      - path: 
        backend:
          serviceName: wccinfra-cluster-ucm-cluster
          servicePort: 16201
```
Note: host is the server on which this ingress is deployed.

Deploy the secured ingress:

$ cd ${WORKDIR}/weblogic-kubernetes-operator/kubernetes/samples/charts/ingress-per-domain/tls
$ kubectl create -f nginx-ucm-tls.yaml

Check the services supported by the ingress:

$ kubectl describe ingress wcc-ucm-ingress -n wccns

Click here check the services supported by the ingress.

Verify end-to-end SSL access

Verify that the Oracle WebCenter Content domain application URLs are accessible through the LOADBALANCER-SSLPORT:

   https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/cs

Deploy tls to access Administration Server

As ssl-passthrough in NGINX works on the clusterIP of the backing service instead of individual endpoints, you must expose adminserver service created by the operator with clusterIP.

For example:

a. Get the name of Administration Server service:

  $ kubectl get svc -n wccns | grep wccinfra-adminserver

Sample output:

  wccinfra-adminserver  ClusterIP   None  <none>   7001/TCP,7002/TCP  7

b. Expose the Administration Server service wccinfra-adminserver and use the new service name wccinfra-adminserver-nginx-ssl:

 $ kubectl expose svc wccinfra-adminserver -n wccns --name=wccinfra-adminserver-nginx-ssl --port=7002

c. Deploy the secured ingress:

Sample nginx-admin-tls.yaml:

Click here to see the content of the file nginx-admin-tls.yaml

Note: host is the server on which this ingress is deployed.

 $ cd ${WORKDIR}/weblogic-kubernetes-operator/kubernetes/samples/charts/ingress-per-domain/tls
 $ kubectl create -f nginx-admin-tls.yaml

Verify end-to-end SSL access

Verify that the Oracle WebCenter Content Administration Server URL is accessible through the LOADBALANCER-SSLPORT:

   https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/console

Uninstall ingress-nginx tls

  $ cd weblogic-kubernetes-operator/kubernetes/samples/charts/ingress-per-domain/tls
  $ kubectl  delete -f nginx-ucm-tls.yaml