This section provides information about how to install and configure the ingress-based Traefik load balancer (version 2.2.1 or later for production deployments) to load balance Oracle SOA Suite domain clusters. You can configure Traefik for non-SSL, SSL termination, and end-to-end SSL access of the application URL.
Follow these steps to set up Traefik as a load balancer for an Oracle SOA Suite domain in a Kubernetes cluster:
Use Helm to install the Traefik (ingress-based) load balancer.
Use the values.yaml file in the sample but set kubernetes.namespaces specifically.
$ cd ${WORKDIR}
$ kubectl create namespace traefik
$ helm repo add traefik https://containous.github.io/traefik-helm-chart
Sample output:
"traefik" has been added to your repositories
Install Traefik:
$ helm install traefik traefik/traefik \
--namespace traefik \
--values charts/traefik/values.yaml \
--set "kubernetes.namespaces={traefik}" \
--set "service.type=NodePort" --wait
A sample values.yaml for deployment of Traefik 2.2.x:
image:
  name: traefik
  tag: 2.2.8
  pullPolicy: IfNotPresent
ingressRoute:
  dashboard:
    enabled: true
    # Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class)
    annotations: {}
    # Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels)
    labels: {}
providers:
  kubernetesCRD:
    enabled: true
  kubernetesIngress:
    enabled: true
    # IP used for Kubernetes Ingress endpoints
ports:
  traefik:
    port: 9000
    expose: true
    # The exposed port for this service
    exposedPort: 9000
    # The port protocol (TCP/UDP)
    protocol: TCP
  web:
    port: 8000
    # hostPort: 8000
    expose: true
    exposedPort: 30305
    nodePort: 30305
    # The port protocol (TCP/UDP)
    protocol: TCP
    # Use nodeport if set. This is useful if you have configured Traefik in a
    # LoadBalancer
    # nodePort: 32080
    # Port Redirections
    # Added in 2.2, you can make permanent redirects via entrypoints.
    # https://docs.traefik.io/routing/entrypoints/#redirection
    # redirectTo: websecure
  websecure:
    port: 8443
    # # hostPort: 8443
    expose: true
    exposedPort: 30443
    # The port protocol (TCP/UDP)
    protocol: TCP
    nodePort: 30443
Verify the Traefik status and find the port number of the SSL and non-SSL services:
$ kubectl get all -n traefik
Access the Traefik dashboard through the URL http://$(hostname -f):31288, with the HTTP host traefik.example.com:
$ curl -H "host: $(hostname -f)" http://$(hostname -f):31288/dashboard/
Note: Make sure that you specify a fully qualified node name for $(hostname -f).
Configure Traefik to manage ingresses created in this namespace, where traefik is the Traefik namespace and soans is the namespace of the domain:
$ helm upgrade traefik traefik/traefik --namespace traefik --reuse-values \
--set "kubernetes.namespaces={traefik,soans}"
Create an ingress for the domain in the domain namespace by using the sample Helm chart. Here path-based routing is used for ingress.
Sample values for default configuration are shown in the file ${WORKDIR}/charts/ingress-per-domain/values.yaml.
By default, type is TRAEFIK, sslType is NONSSL, and domainType is soa. These values can be overridden by passing values through the command line or can be edited in the sample file values.yaml based on the type of configuration (NONSSL, SSL, and E2ESSL).
If needed, you can update the ingress YAML file to define more path rules (in section spec.rules.host.http.paths) based on the domain application URLs that need to be accessed. The template YAML file for the Traefik (ingress-based) load balancer is located at ${WORKDIR}/charts/ingress-per-domain/templates/traefik-ingress.yaml.
Note: See here for all the configuration parameters.
Install ingress-per-domain using Helm for NONSSL configuration:
$ cd ${WORKDIR}
$ helm install soa-traefik-ingress \
charts/ingress-per-domain \
--namespace soans \
--values charts/ingress-per-domain/values.yaml \
--set "traefik.hostname=$(hostname -f)"
Sample output:
NAME: soa-traefik-ingress
LAST DEPLOYED: Mon Jul 20 11:44:13 2020
NAMESPACE: soans
STATUS: deployed
REVISION: 1
TEST SUITE: None
For secured access (SSL termination and E2ESSL) to the Oracle SOA Suite application, create a certificate, and generate a Kubernetes secret:
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /tmp/tls1.key -out /tmp/tls1.crt -subj "/CN=*"
$ kubectl -n soans create secret tls soainfra-tls-cert --key /tmp/tls1.key --cert /tmp/tls1.crt
Create the Traefik TLSStore custom resource.
In case of SSL termination, Traefik should be configured to use the user-defined SSL certificate. If the user-defined SSL certificate is not configured, Traefik will create a default SSL certificate. To configure a user-defined SSL certificate for Traefik, use the TLSStore custom resource. The Kubernetes secret created with the SSL certificate should be referenced in the TLSStore object. Run the following command to create the TLSStore:
$ cat <<EOF | kubectl apply -f -
apiVersion: traefik.containo.us/v1alpha1
kind: TLSStore
metadata:
name: default
namespace: soans
spec:
defaultCertificate:
secretName: soainfra-tls-cert
EOF
Install ingress-per-domain using Helm for SSL configuration.
The Kubernetes secret name should be updated in the template file.
The template file also contains the following annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
traefik.ingress.kubernetes.io/router.middlewares: soans-wls-proxy-ssl@kubernetescrd
The entry point for SSL termination access and the Middleware name should be updated in the annotation. The Middleware name should be in the form <namespace>-<middleware name>@kubernetescrd.
$ cd ${WORKDIR}
$ helm install soa-traefik-ingress \
charts/ingress-per-domain \
--namespace soans \
--values charts/ingress-per-domain/values.yaml \
--set "traefik.hostname=$(hostname -f)" \
--set sslType=SSL
Sample output:
NAME: soa-traefik-ingress
LAST DEPLOYED: Mon Jul 20 11:44:13 2020
NAMESPACE: soans
STATUS: deployed
REVISION: 1
TEST SUITE: None
Install ingress-per-domain using Helm for E2ESSL configuration.
$ cd ${WORKDIR}
$ helm install soa-traefik-ingress \
charts/ingress-per-domain \
--namespace soans \
--values charts/ingress-per-domain/values.yaml \
--set sslType=E2ESSL
Sample output:
NAME: soa-traefik-ingress
LAST DEPLOYED: Fri Apr 9 09:47:27 2021
NAMESPACE: soans
STATUS: deployed
REVISION: 1
TEST SUITE: None
For NONSSL access to the Oracle SOA Suite application, get the details of the services by the ingress:
$ kubectl describe ingress soainfra-traefik -n soans
For SSL access to the Oracle SOA Suite application, get the details of the services by the above deployed ingress:
$ kubectl describe ingress soainfra-traefik -n soans
For E2ESSL access to the Oracle SOA Suite application, get the details of the services by the above deployed ingress:
$ kubectl describe IngressRouteTCP soainfra-traefik -n soans
To confirm that the load balancer noticed the new ingress and is successfully routing to the domain server pods, you can send a request to the URL for the “WebLogic ReadyApp framework”, which should return an HTTP 200 status code, as follows:
$ curl -v http://${LOADBALANCER_HOSTNAME}:${LOADBALANCER_PORT}/weblogic/ready
* Trying 149.87.129.203...
> GET http://${LOADBALANCER_HOSTNAME}:${LOADBALANCER_PORT}/weblogic/ready HTTP/1.1
> User-Agent: curl/7.29.0
> Accept: */*
> Proxy-Connection: Keep-Alive
> host: $(hostname -f)
>
< HTTP/1.1 200 OK
< Date: Sat, 14 Mar 2020 08:35:03 GMT
< Vary: Accept-Encoding
< Content-Length: 0
< Proxy-Connection: Keep-Alive
<
* Connection #0 to host localhost left intact
After setting up the Traefik (ingress-based) load balancer, verify that the domain application URLs are accessible through the non-SSL load balancer port 30305 for HTTP access. The sample URLs for Oracle SOA Suite domain of type soa are:
http://${LOADBALANCER_HOSTNAME}:${LOADBALANCER-Non-SSLPORT}/weblogic/ready
http://${LOADBALANCER_HOSTNAME}:${LOADBALANCER-Non-SSLPORT}/console
http://${LOADBALANCER_HOSTNAME}:${LOADBALANCER-Non-SSLPORT}/em
http://${LOADBALANCER_HOSTNAME}:${LOADBALANCER-Non-SSLPORT}/soa-infra
http://${LOADBALANCER_HOSTNAME}:${LOADBALANCER-Non-SSLPORT}/soa/composer
http://${LOADBALANCER_HOSTNAME}:${LOADBALANCER-Non-SSLPORT}/integration/worklistapp
After setting up the Traefik (ingress-based) load balancer, verify that the domain applications are accessible through the SSL load balancer port 30443 for HTTPS access. The sample URLs for Oracle SOA Suite domain of type soa are:
https://${LOADBALANCER_HOSTNAME}:${LOADBALANCER-SSLPORT}/weblogic/ready
https://${LOADBALANCER_HOSTNAME}:${LOADBALANCER-SSLPORT}/console
https://${LOADBALANCER_HOSTNAME}:${LOADBALANCER-SSLPORT}/em
https://${LOADBALANCER_HOSTNAME}:${LOADBALANCER-SSLPORT}/soa-infra
https://${LOADBALANCER_HOSTNAME}:${LOADBALANCER-SSLPORT}/soa/composer
https://${LOADBALANCER_HOSTNAME}:${LOADBALANCER-SSLPORT}/integration/worklistapp
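An added check for the SSL termination setup above (not part of the original sample scripts): it compares the SHA-256 fingerprint of the certificate in the soainfra-tls-cert secret with the one presented on the SSL port, which shows whether Traefik is serving the TLSStore certificate or its auto-generated default. The function names are illustrative, and the script assumes kubectl, openssl and base64 are on the PATH.

```shell
#!/bin/sh
# Added example: confirm the load balancer presents the certificate stored in
# the TLSStore secret rather than Traefik's auto-generated default certificate.
set -eu

# SHA-256 fingerprint of the first PEM certificate read from stdin.
fingerprint() {
  openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Fingerprint of the certificate held in a kubernetes.io/tls secret.
# Arguments: namespace, secret name.
secret_fingerprint() {
  kubectl -n "$1" get secret "$2" -o 'jsonpath={.data.tls\.crt}' \
    | base64 -d | fingerprint
}

# Fingerprint of the leaf certificate presented on host:port (SNI = host).
# Arguments: host, port.
served_fingerprint() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | fingerprint
}

# Compare the secret's fingerprint ($1) with the served one ($2).
# An empty value (failed lookup or failed handshake) counts as a mismatch.
compare_fingerprints() {
  if [ -n "$1" ] && [ "$1" = "$2" ]; then
    echo "OK: served certificate matches the secret ($1)"
  else
    echo "MISMATCH: secret=$1 served=$2" >&2
    return 1
  fi
}

# Run the check only when a host and port are given, for example:
#   sh check-served-cert.sh "$(hostname -f)" 30443
if [ "$#" -eq 2 ]; then
  compare_fingerprints "$(secret_fingerprint soans soainfra-tls-cert)" \
                       "$(served_fingerprint "$1" "$2")"
fi
```

The sample certificate is self-signed with CN=* and carries no subjectAltName, so chain and hostname validation would fail against it by design; comparing fingerprints sidesteps that. For E2ESSL the certificate is presented by the WebLogic servers behind the IngressRouteTCP, so compare against that certificate instead.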
After setting up the Traefik (ingress-based) load balancer, verify that the domain applications are accessible through the SSL load balancer port 30443 for HTTPS access.
To access the application URLs from the browser, update /etc/hosts on the browser host (in Windows, C:\Windows\System32\Drivers\etc\hosts) with the entries below:
X.X.X.X admin.org
X.X.X.X soa.org
X.X.X.X osb.org
Note: The value of X.X.X.X is the IP address of the host on which this ingress is deployed.
Note: If you are behind any corporate proxy, make sure to update the browser proxy settings appropriately to access the host names added to the /etc/hosts file.
The sample URLs for Oracle SOA Suite domain of type soa are:
https://admin.org:${LOADBALANCER-SSLPORT}/weblogic/ready
https://admin.org:${LOADBALANCER-SSLPORT}/console
https://admin.org:${LOADBALANCER-SSLPORT}/em
https://soa.org:${LOADBALANCER-SSLPORT}/soa-infra
https://soa.org:${LOADBALANCER-SSLPORT}/soa/composer
https://soa.org:${LOADBALANCER-SSLPORT}/integration/worklistapp
Uninstall and delete the ingress deployment:
$ helm delete soa-traefik-ingress -n soans
$ helm delete traefik -n traefik