Configure an Ingress for OID

  1. Introduction

  2. Install NGINX

    a. Configure the repository

    b. Create a namespace

    c. Install NGINX using helm

  3. Access to interfaces through ingress

    a. Using LDAP utilities

    b. Validate access using LDAP utilities

    c. Validate OID using Oracle Directory Services Manager

Introduction

The instructions below explain how to set up NGINX as an ingress for OID.

By default the ingress configuration only supports HTTP and HTTPS ports. To allow LDAP and LDAPS communication over TCP, configuration is required at the ingress controller/implementation level.

Install NGINX

Use Helm to install NGINX.

Configure the repository

  1. Add the Helm chart repository for installing NGINX using the following command:

    $ helm repo add stable https://kubernetes.github.io/ingress-nginx
    

    The output will look similar to the following:

    "stable" has been added to your repositories
    
  2. Update the repository using the following command:

    $ helm repo update
    

    The output will look similar to the following:

    Hang tight while we grab the latest from your chart repositories...
    ...Successfully got an update from the "stable" chart repository
    Update Complete. Happy Helming!
    

Create a namespace

  1. Create a Kubernetes namespace for NGINX:

    $ kubectl create namespace <namespace>
    

    For example:

    $ kubectl create namespace mynginx
    

    The output will look similar to the following:

    namespace/mynginx created
    

Install NGINX using helm

  1. Create a $WORKDIR/kubernetes/helm/nginx-ingress-values-override.yaml that contains the following:

    Note: The configuration below:

    • Assumes you have oid installed with value oid as a deployment/release name in the namespace oidns. If using a different deployment name and/or namespace change appropriately.
    • Deploys an ingress using NodePort. If using an external loadbalancer, change the configuration accordingly. For more details about NGINX configuration see: NGINX Ingress Controller.
    # Configuration for additional TCP ports to be exposed through Ingress
    # Format for each port would be like:
    # <PortNumber>: <Namespace>/<Service>
    tcp:
      # Map 1389 TCP port to LBR LDAP service to get requests handled through any available POD/Endpoint serving LDAP Port
      3060: oidns/oid-lbr-ldap:3060
      # Map 1636 TCP port to LBR LDAP service to get requests handled through any available POD/Endpoint serving LDAPS Port
      3131: oidns/oid-lbr-ldap:3131
      3061: oidns/oidhost1:3060
      3130: oidns/oidhost1:3131
      3062: oidns/oidhost2:3060
      3132: oidns/oidhost2:3131
      3063: oidns/oidhost3:3060
      3133: oidns/oidhost3:3131
      3064: oidns/oidhost4:3060
      3134: oidns/oidhost4:3131
      3065: oidns/oidhost5:3060
      3135: oidns/oidhost5:3131
    controller:
      admissionWebhooks:
        enabled: false
      extraArgs:
        # The secret referred to by this flag contains the default certificate to be used when accessing the catch-all server.
        # If this flag is not provided NGINX will use a self-signed certificate.
        # If the TLS Secret is in different namespace, name can be mentioned as <namespace>/<tlsSecretName>
        default-ssl-certificate: oidns/oid-tls-cert
      service:
        # controller service external IP addresses
        # externalIPs:
        #   - < External IP Address >
        # To configure Ingress Controller Service as LoadBalancer type of Service
        # Based on the Kubernetes configuration, External LoadBalancer would be linked to the Ingress Controller Service
        type: NodePort
        # Configuration for NodePort to be used for Ports exposed through Ingress
        # If NodePorts are not defied/configured, Node Port would be assigend automatically by Kubernetes
        # These NodePorts are helpful while accessing services directly through Ingress and without having External Load Balancer.
        # nodePorts:
          # For HTTP Interface exposed through LoadBalancer/Ingress
          # http: 30080
          # For HTTPS Interface exposed through LoadBalancer/Ingress
          # https: 30443
          #tcp:
            # For LDAP Interface
            # 3060: 31389
            # For LDAPS Interface
            # 3131: 31636
    
  2. To install and configure NGINX Ingress issue the following command:

    $ helm install --namespace <namespace> \
    --values nginx-ingress-values-override.yaml \
    lbr-nginx stable/ingress-nginx \
    --set controller.admissionWebhooks.enabled=false
    

    Where:

    • lbr-nginx is your deployment name
    • stable/ingress-nginx is the chart reference

    For example:

    $ helm install --namespace mynginx \
    --values nginx-ingress-values-override.yaml \
    lbr-nginx stable/ingress-nginx \
    --set controller.admissionWebhooks.enabled=false
    

    The output will look similar to the following:

    NAME: lbr-nginx
    LAST DEPLOYED: Wed Mar 16 16:49:35 2022
    NAMESPACE: mynginx
    STATUS: deployed
    REVISION: 1
    TEST SUITE: None
    NOTES:
    The ingress-nginx controller has been installed.
    It may take a few minutes for the LoadBalancer IP to be available.
    You can watch the status by running 'kubectl --namespace mynginx get services -o wide -w lbr-nginx-ingress-nginx-controller'
    
    An example Ingress that makes use of the controller:
    
      apiVersion: networking.k8s.io/v1beta1
      kind: Ingress
      metadata:
        annotations:
          kubernetes.io/ingress.class: nginx
        name: example
        namespace: foo
      spec:
        rules:
          - host: www.example.com
            http:
              paths:
                - backend:
                    serviceName: exampleService
                    servicePort: 80
                  path: /
        # This section is only required if TLS is to be enabled for the Ingress
        tls:
            - hosts:
                - www.example.com
              secretName: example-tls
    
    If TLS is enabled for the Ingress, a Secret containing the certificate and key must also be provided:
    
      apiVersion: v1
      kind: Secret
      metadata:
        name: example-tls
        namespace: foo
      data:
        tls.crt: <base64 encoded cert>
        tls.key: <base64 encoded key>
      type: kubernetes.io/tls
    

Access to interfaces through ingress

To view the ports for the ingress run the following command:

$ kubectl get all -n mynginx

The output will look similar to the following:

NAME                                         TYPE       CLUSTER-IP    EXTERNAL-IP   PORT(S)                                                                                                                                                                                                          AGE
service/lbr-nginx-ingress-nginx-controller   NodePort   10.97.43.76   <none>        80:30096/TCP,443:31581/TCP,3060:31862/TCP,3061:30271/TCP,3062:31507/TCP,3063:30673/TCP,3064:31562/TCP,3065:30294/TCP,3130:31220/TCP,3131:30127/TCP,3132:31969/TCP,3133:32649/TCP,3134:32042/TCP,3135:30408/TCP   71s

NAME                                                 READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/lbr-nginx-ingress-nginx-controller   1/1     1            1           71s

NAME                                                           DESIRED   CURRENT   READY   AGE
replicaset.apps/lbr-nginx-ingress-nginx-controller-d5577cfd7   1         1         1       71s

Using LDAP utilities

To use Oracle LDAP utilities such as ldapbind, ldapsearch, ldapmodify etc. you can either:

  • Run the LDAP commands from an OID installation outside the Kubernetes cluster. This requires access to an On-Premises OID installation oustide the Kubernetes cluster.

  • Run the LDAP commands from inside the OID Kubernetes pod. Execute the following command to enter the pod:

    $ kubectl exec -ti <pod> -n <namespace> -- bash
    

    For example:

    $ kubectl exec -ti oidhost1 -n oidns -- bash
    

    This will take you into a bash session in the pod:

    [oracle@oidhost1 oracle]$    
    

    Inside the container navigate to /u01/oracle/bin to view the LDAP utilties:

    [oracle@oidhost1 oracle]$ cd /u01/oracle/bin
    [oracle@oidhost1 bin]$ ls ldap*
    ldapadd  ldapaddmt  ldapbind  ldapcompare  ldapdelete  ldapmoddn  ldapmodify  ldapmodifymt  ldapsearch
    

    Note: For commands that require an ldif file, copy the file into the <persistent_volume>/oud_user_projects directory:

    $ cp file.ldif <peristent_volume>/oid_user_projects
    

    For example:

    $ cp file.ldif /scratch/shared/oid_user_projects
    

    The file can then be viewed inside the pod:

    [oracle@oidhost1 bin]$ cd /u01/oracle/user_projects
    [oracle@oidhost1 user_projects]$ ls *.ldif
    file.ldif
    

Validate access using LDAP utilities

  1. Use an LDAP client such as ldapbind to connect to the OID service. In the example below ldapbind is used from inside the OID Kubernetes pod:

    [oracle@oidhost1 bin]$ ldapbind -D cn=orcladmin -w <password> -h <hostname_ingress> -p 31862
    

    where:

    • -p 31862 : is the port mapping to the LDAP port 3060 (3060:31862) from the earlier kubectl command
    • -h <hostname_ingress> : is the hostname where the ingress is running

    The output should look similar to the following:

    bind successful
    

Validate OID using Oracle Directory Services Manager

  1. Access the Oracle WebLogic Server Administration Console and Oracle Directory Services Manager (ODSM) via a browser using the service port which maps to HTTPS port 443. In this example the port is 31581 (443:31581) from the earlier kubectl command.
  • Oracle WebLogic Server Administration Console : https://<hostname_ingress>:31581/console.

    When prompted, enter the username and password which corresponds to [adminUser] and [adminPassword] passed in Create OID instances.

  • Oracle Directory Services Manager : https://<hostname_ingress>:31851/odsm.

    Select Create a New Connection and, when prompted, enter the following values.

    • Server: <hostname_ingress>
    • Port: Ingress mapped port for LDAP or LDAPS, in the example above 3060:31862/TCP or 3131:30127/TCP, namely LDAP:31862, LDAPS:30127
    • SSL Enabled: select if accessing LDAPS.
    • User Name: cn=orcladmin
    • Password: value of orcladminPassword passed in Create OID instances