NGINX

This section provides information about how to install and configure the ingress-based NGINX load balancer to load balance Oracle SOA Suite domain clusters. You can configure NGINX for non-SSL, SSL termination, and end-to-end SSL access of the application URL.

Follow these steps to set up NGINX as a load balancer for an Oracle SOA Suite domain in a Kubernetes cluster:

See the official installation document for prerequisites.

  1. Install the NGINX load balancer for non-SSL and SSL termination configuration
  2. Generate secret for SSL access
  3. Install NGINX load balancer for end-to-end SSL configuration
  4. Configure NGINX to manage ingresses
  5. Verify domain application URL access
  6. Uninstall NGINX ingress
  7. Uninstall NGINX

To get repository information, enter the following Helm commands:

  $ helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
  $ helm repo update

Install the NGINX load balancer for non-SSL and SSL termination configuration

  1. Deploy the ingress-nginx controller by using Helm on the domain namespace:

    For Kubernetes versions up to v1.18.x:

     $ helm install nginx-ingress -n soans \
            --version=3.34.0 \
            --set controller.service.type=NodePort \
            --set controller.admissionWebhooks.enabled=false \
        ingress-nginx/ingress-nginx
    

    For Kubernetes versions v1.19.x+ onwards (NGINX version 4.0.6+):

     $ helm install nginx-ingress -n soans \
            --set controller.service.type=NodePort \
            --set controller.admissionWebhooks.enabled=false \
            ingress-nginx/ingress-nginx
    
    Click here to see the sample output.

Generate secret for SSL access

  1. For secured access (SSL and E2ESSL) to the Oracle SOA Suite application, create a certificate and generate secrets:

     $ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /tmp/tls1.key -out /tmp/tls1.crt -subj "/CN=domain1.org"
     $ kubectl -n soans create secret tls domain1-tls-cert --key /tmp/tls1.key --cert /tmp/tls1.crt
    

    Note: The value of CN is the host on which this ingress is to be deployed.

Install NGINX load balancer for end-to-end SSL configuration

  1. Deploy the ingress-nginx controller by using Helm on the domain namespace:

    For Kubernetes versions up to v1.18.x:

     $ helm install nginx-ingress -n soans \
           --version=3.34.0 \
           --set controller.extraArgs.default-ssl-certificate=soans/domain1-tls-cert \
           --set controller.service.type=NodePort \
           --set controller.admissionWebhooks.enabled=false \
           --set controller.extraArgs.enable-ssl-passthrough=true  \
            ingress-nginx/ingress-nginx
    

    For Kubernetes versions v1.19.x+ onwards (NGINX version 4.0.6+):

     $ helm install nginx-ingress -n soans \
           --set controller.extraArgs.default-ssl-certificate=soans/domain1-tls-cert \
           --set controller.service.type=NodePort \
           --set controller.admissionWebhooks.enabled=false \
           --set controller.extraArgs.enable-ssl-passthrough=true  \
            ingress-nginx/ingress-nginx
    
    Click here to see the sample output.
  2. Check the status of the deployed ingress controller:

    $ kubectl --namespace soans get services | grep ingress-nginx-controller
    

    Sample output:

     nginx-ingress-ingress-nginx-controller   NodePort    10.106.186.235   <none>        80:32125/TCP,443:31376/TCP   19m
    

Configure NGINX to manage ingresses

  1. Create an ingress for the domain in the domain namespace by using the sample Helm chart. Here path-based routing is used for ingress. Sample values for default configuration are shown in the file ${WORKDIR}/charts/ingress-per-domain/values.yaml. By default, type is TRAEFIK , sslType is NONSSL, and domainType is soa. These values can be overridden by passing values through the command line or can be edited in the sample file values.yaml.
    If needed, you can update the ingress YAML file to define more path rules (in section spec.rules.host.http.paths) based on the domain application URLs that need to be accessed. Update the template YAML file for the NGINX load balancer located at ${WORKDIR}/charts/ingress-per-domain/templates/nginx-ingress.yaml.

    Note: See here for all the configuration parameters.

     $ cd ${WORKDIR}
     $ helm install soa-nginx-ingress  charts/ingress-per-domain \
         --namespace soans \
         --values charts/ingress-per-domain/values.yaml \
         --set "nginx.hostname=$(hostname -f)" \
         --set type=NGINX
    

    Sample output:

    NAME: soa-nginx-ingress
    LAST DEPLOYED: Fri Jul 24 09:34:03 2020
    NAMESPACE: soans
    STATUS: deployed
    REVISION: 1
    TEST SUITE: None
    
  2. Install ingress-per-domain using Helm for SSL termination configuration:

     $ cd ${WORKDIR}
     $ helm install soa-nginx-ingress  charts/ingress-per-domain \
         --namespace soans \
         --values charts/ingress-per-domain/values.yaml \
         --set "nginx.hostname=$(hostname -f)" \
         --set type=NGINX --set sslType=SSL
    

    Sample output:

     NAME: soa-nginx-ingress
     LAST DEPLOYED: Fri Jul 24 09:34:03 2020
     NAMESPACE: soans
     STATUS: deployed
     REVISION: 1
     TEST SUITE: None
    
  3. Install ingress-per-domain using Helm for E2ESSL configuration.

     $ cd ${WORKDIR}
     $ helm install soa-nginx-ingress  charts/ingress-per-domain \
         --namespace soans \
         --values charts/ingress-per-domain/values.yaml \
         --set type=NGINX --set sslType=E2ESSL
    

    Sample output:

     NAME: soa-nginx-ingress
     LAST DEPLOYED: Fri Jul 24 09:34:03 2020
     NAMESPACE: soans
     STATUS: deployed
     REVISION: 1
     TEST SUITE: None
    
  4. For NONSSL access to the Oracle SOA Suite application, get the details of the services by the ingress:

    $ kubectl describe ingress soainfra-nginx -n soans
    
    Click here to see the sample output of the services supported by the above deployed ingress.
  5. For SSL access to the Oracle SOA Suite application, get the details of the services by the above deployed ingress:

     $ kubectl describe ingress soainfra-nginx -n soans
    
    Click here to see the sample output of the services supported by the above deployed ingress.
  6. For E2ESSL access to the Oracle SOA Suite application, get the details of the services by the above deployed ingress:

     $  kubectl describe ingress  soainfra-nginx-e2essl -n soans
    
    Click here to see the sample output of the services supported by the above deployed ingress.

Verify domain application URL access

NONSSL configuration

Verify that the Oracle SOA Suite domain application URLs are accessible through the LOADBALANCER-Non-SSLPORT 32125:

  http://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-Non-SSLPORT}/weblogic/ready
  http://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-Non-SSLPORT}/console
  http://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-Non-SSLPORT}/em
  http://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-Non-SSLPORT}/soa-infra
  http://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-Non-SSLPORT}/soa/composer
  http://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-Non-SSLPORT}/integration/worklistapp
SSL configuration

Verify that the Oracle SOA Suite domain application URLs are accessible through the LOADBALANCER-SSLPORT 30233:

  https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/weblogic/ready
  https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/console
  https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/em
  https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/soa-infra
  https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/soa/composer
  https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/integration/worklistapp
E2ESSL configuration

Before accessing the SOA Suite domain application URLs, update the system host config file with the IP address of the host on which the ingress is deployed.

  • To access the application URLs from the browser, update /etc/hosts on the browser host (in Windows, C:\Windows\System32\Drivers\etc\hosts) with the entries below

    X.X.X.X  admin.org
    X.X.X.X  soa.org
    X.X.X.X  osb.org
    

    Note: The value of X.X.X.X is the host IP address on which this ingress is deployed.

    Note: If you are behind any corporate proxy, make sure to update the browser proxy settings appropriately to access the host names updated /etc/hosts file.

Verify that the Oracle SOA Suite domain application URLs are accessible through LOADBALANCER-E2ESSLPORT 30233:

https://admin.org:${LOADBALANCER-SSLPORT}/weblogic/ready
https://admin.org:${LOADBALANCER-SSLPORT}/console
https://admin.org:${LOADBALANCER-SSLPORT}/em
https://soa.org:${LOADBALANCER-SSLPORT}/soa-infra
https://soa.org:${LOADBALANCER-SSLPORT}/soa/composer
https://soa.org:${LOADBALANCER-SSLPORT}/integration/worklistapp

Note: This is the default host name. If you have updated the host name in value.yaml, then use the updated values.

Uninstall NGINX ingress

Uninstall and delete the ingress-nginx deployment:

$ helm delete soa-nginx-ingress  -n soans

Uninstall NGINX

$ helm delete nginx-ingress -n soans