This section provides information about how to install and configure the ingress-based NGINX load balancer to load balance Oracle WebCenter Content domain clusters. You can configure NGINX for non-SSL, SSL termination, and end-to-end SSL access of the application URL.
Follow these steps to set up NGINX as a load balancer for an Oracle WebCenter Content domain in a Kubernetes cluster:
See the official installation document for prerequisites.
To get repository information, enter the following Helm commands:
$ helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
$ helm repo update
Deploy the ingress-nginx controller by using Helm on the domain namespace:
For Kubernetes versions up to v1.18.x:
$ helm install nginx-ingress -n wccns \
--version=3.34.0 \
--set controller.service.type=NodePort \
--set controller.admissionWebhooks.enabled=false \
ingress-nginx/ingress-nginx
Check the status of the deployed ingress controller:
$ kubectl --namespace wccns get services | grep ingress-nginx-controller
Sample output:
nginx-ingress-ingress-nginx-controller NodePort 10.97.189.122 <none> 80:30993/TCP,443:30232/TCP 7d2h
The sample values file is ${WORKDIR}/weblogic-kubernetes-operator/kubernetes/samples/charts/ingress-per-domain/values.yaml. By default, type is TRAEFIK, tls is Non-SSL, and domainType is wccinfra. These values can be overridden by passing values through the command line or can be edited in the sample file values.yaml. If needed, you can update the ingress YAML file to define more path rules (in section spec.rules.host.http.paths) based on the domain application URLs that need to be accessed. Update the template YAML file for the NGINX load balancer located at ${WORKDIR}/weblogic-kubernetes-operator/kubernetes/samples/charts/ingress-per-domain/templates/nginx-ingress.yaml.
$ cd ${WORKDIR}/weblogic-kubernetes-operator
$ helm install wccinfra-nginx-ingress kubernetes/samples/charts/ingress-per-domain \
--namespace wccns \
--values kubernetes/samples/charts/ingress-per-domain/values.yaml \
--set "nginx.hostname=$(hostname -f)" \
--set type=NGINX \
--set tls=NONSSL
Sample output:
NAME: wccinfra-nginx-ingress
LAST DEPLOYED: Sun Feb 7 23:52:38 2021
NAMESPACE: wccns
STATUS: deployed
REVISION: 1
TEST SUITE: None
For secured access (SSL) to the Oracle WebCenter Content application, create a certificate and generate a Kubernetes secret:
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /tmp/tls1.key -out /tmp/tls1.crt -subj "/CN=*"
$ kubectl -n wccns create secret tls domain1-tls-cert --key /tmp/tls1.key --cert /tmp/tls1.crt
Install ingress-per-domain using Helm for SSL configuration:
$ cd ${WORKDIR}/weblogic-kubernetes-operator
$ helm install wccinfra-nginx-ingress kubernetes/samples/charts/ingress-per-domain \
--namespace wccns \
--values kubernetes/samples/charts/ingress-per-domain/values.yaml \
--set "nginx.hostname=$(hostname -f)" \
--set type=NGINX --set tls=SSL
Sample output:
NAME: wccinfra-nginx-ingress
LAST DEPLOYED: Mon Feb 8 00:01:13 2021
NAMESPACE: wccns
STATUS: deployed
REVISION: 1
TEST SUITE: None
For non-SSL or SSL access to the Oracle WebCenter Content application, get the details of the services exposed by the ingress:
$ kubectl describe ingress wccinfra-nginx -n wccns
Verify that the Oracle WebCenter Content domain application URLs are accessible through the LOADBALANCER-Non-SSLPORT:
http://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-Non-SSLPORT}/weblogic/ready
http://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-Non-SSLPORT}/console
http://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-Non-SSLPORT}/em
http://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-Non-SSLPORT}/cs
http://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-Non-SSLPORT}/ibr
Verify that the Oracle WebCenter Content domain application URLs are accessible through the LOADBALANCER-SSLPORT:
https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/weblogic/ready
https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/console
https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/em
https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/cs
https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/ibr
Uninstall and delete the ingress-nginx deployment (the release name is the one passed to helm install above):
$ helm delete wccinfra-nginx-ingress -n wccns
For secured access (SSL) to the Oracle WebCenter Content application, create a certificate and generate secrets:
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /tmp/tls1.key -out /tmp/tls1.crt -subj "/CN=*"
$ kubectl -n wccns create secret tls domain1-tls-cert --key /tmp/tls1.key --cert /tmp/tls1.crt
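An added example (not part of the original procedure) for the certificate step used in both the SSL termination and end-to-end SSL sections: it binds the certificate to the load balancer host name through a subjectAltName instead of CN=*, keeps the private key out of the shared /tmp path, and checks that key and certificate belong together before the secret is created. The function names and the --create-secret switch are assumptions of this example; it needs OpenSSL 1.1.1 or later for -addext and -ext.

```shell
#!/bin/sh
# Added example: host-bound self-signed certificate for the ingress secret.
# Function names and the --create-secret switch are assumptions.
set -eu

# Generate key and certificate in a private directory; print the directory.
make_ingress_cert() {
  host="$1"
  dir="$(mktemp -d)"   # created with mode 0700
  ( umask 077
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
      -keyout "$dir/tls.key" -out "$dir/tls.crt" \
      -subj "/CN=$host" -addext "subjectAltName=DNS:$host" 2>/dev/null )
  printf '%s\n' "$dir"
}

# Succeed only if the key belongs to the certificate and the certificate
# lists the host name as a DNS subjectAltName.
check_ingress_cert() {
  cert_pub="$(openssl x509 -in "$1/tls.crt" -noout -pubkey)"
  key_pub="$(openssl pkey -in "$1/tls.key" -pubout)"
  [ "$cert_pub" = "$key_pub" ] || return 1
  san="$(openssl x509 -in "$1/tls.crt" -noout -ext subjectAltName)"
  case "$san" in
    *"DNS:$2" | *"DNS:$2,"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Same namespace and secret name as the kubectl command on this page.
if [ "${1:-}" = "--create-secret" ]; then
  h="$(hostname -f)"
  d="$(make_ingress_cert "$h")"
  check_ingress_cert "$d" "$h"
  kubectl -n wccns create secret tls domain1-tls-cert \
    --key "$d/tls.key" --cert "$d/tls.crt"
  rm -rf "$d"
fi
```

Run with --create-secret on the load balancer host to generate the pair, verify it, and create the secret in one pass.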
Deploy the ingress-nginx controller by using Helm on the domain namespace:
For Kubernetes versions up to v1.18.x:
$ helm install nginx-ingress -n wccns \
--version=3.34.0 \
--set controller.extraArgs.default-ssl-certificate=wccns/domain1-tls-cert \
--set controller.service.type=NodePort \
--set controller.admissionWebhooks.enabled=false \
--set controller.extraArgs.enable-ssl-passthrough=true \
ingress-nginx/ingress-nginx
Check the status of the deployed ingress controller:
$ kubectl --namespace wccns get services | grep ingress-nginx-controller
Sample output:
nginx-ingress-ingress-nginx-controller NodePort 10.97.189.122 <none> 80:30993/TCP,443:30232/TCP 168m
Deploy TLS to securely access the services. Only one application can be configured with ssl-passthrough. A sample TLS file for NGINX is shown below for the service wccinfra-cluster-ucm-cluster and port 16201. All the applications running on port 16201 can be securely accessed through this ingress. For each backend service, create different ingresses as NGINX does not support multiple path/rules with annotation ssl-passthrough. That is, for wccinfra-cluster-ucm-cluster, wccinfra-cluster-ibr-cluster and wccinfra-adminserver, different ingresses must be created.
$ cd ${WORKDIR}/weblogic-kubernetes-operator/kubernetes/samples/charts/ingress-per-domain/tls
Sample nginx-ucm-tls.yaml:
Note: host is the server on which this ingress is deployed.
Deploy the secured ingress:
$ cd ${WORKDIR}/weblogic-kubernetes-operator/kubernetes/samples/charts/ingress-per-domain/tls
$ kubectl create -f nginx-ucm-tls.yaml
Check the services supported by the ingress:
$ kubectl describe ingress wcc-ucm-ingress -n wccns
Verify that the Oracle WebCenter Content domain application URLs are accessible through the LOADBALANCER-SSLPORT:
https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/cs
As ssl-passthrough in NGINX works on the clusterIP of the backing service instead of individual endpoints, you must expose the adminserver service created by the WebLogic Kubernetes Operator with clusterIP.
For example:
a. Get the name of the Administration Server service:
$ kubectl get svc -n wccns | grep wccinfra-adminserver
Sample output:
wccinfra-adminserver ClusterIP None <none> 7001/TCP,7002/TCP 7
b. Expose the Administration Server service wccinfra-adminserver and use the new service name wccinfra-adminserver-nginx-ssl:
$ kubectl expose svc wccinfra-adminserver -n wccns --name=wccinfra-adminserver-nginx-ssl --port=7002
c. Deploy the secured ingress:
Sample nginx-admin-tls.yaml:
Note: host is the server on which this ingress is deployed.
$ cd ${WORKDIR}/weblogic-kubernetes-operator/kubernetes/samples/charts/ingress-per-domain/tls
$ kubectl create -f nginx-admin-tls.yaml
Verify that the Oracle WebCenter Content Administration Server URL is accessible through the LOADBALANCER-SSLPORT:
https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/console
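An added example, not the contents of the chart's nginx-ucm-tls.yaml or nginx-admin-tls.yaml, showing the one-ingress-per-backend rule described above for the UCM cluster and the exposed Administration Server service: it renders one passthrough ingress per service and refuses a plan in which two ingresses share a host name. The host names and the ingress name wcc-admin-ingress are constructed placeholders, and the apiVersion is an assumption chosen for the "up to v1.18.x" clusters this page targets.

```shell
#!/bin/sh
# Added example: one ssl-passthrough ingress per backend service.
# Host names and wcc-admin-ingress are constructed; apiVersion is assumed.
set -eu

# One line per ingress: name host service port
PLAN='wcc-ucm-ingress ucm.example.test wccinfra-cluster-ucm-cluster 16201
wcc-admin-ingress admin.example.test wccinfra-adminserver-nginx-ssl 7002'

# Passthrough picks the backend from the TLS SNI host name before any HTTP
# is parsed, so one host name can map to one backend only.
duplicate_hosts() {
  printf '%s\n' "$1" | awk 'NF { print $2 }' | sort | uniq -d
}

render_passthrough_ingress() {  # args: name host service port
  cat <<EOF
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: $1
  namespace: wccns
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  rules:
  - host: '$2'
    http:
      paths:
      - path: /
        backend:
          serviceName: $3
          servicePort: $4
EOF
}

render_plan() {  # prints one manifest per plan line, or fails on a clash
  dups="$(duplicate_hosts "$1")"
  if [ -n "$dups" ]; then
    echo "host used by more than one passthrough ingress: $dups" >&2
    return 1
  fi
  printf '%s\n' "$1" | while read -r name host svc port; do
    [ -n "$name" ] || continue
    render_passthrough_ingress "$name" "$host" "$svc" "$port"; echo '---'
  done
}
render_plan "$PLAN"
```

The output can be reviewed and then piped to kubectl create -f - in place of a hand-edited file.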
$ cd weblogic-kubernetes-operator/kubernetes/samples/charts/ingress-per-domain/tls
$ kubectl delete -f nginx-ucm-tls.yaml