To load balance Oracle WebCenter Portal domain clusters, you can install the ingress-based NGINX load balancer and configure NGINX for non-SSL, SSL termination, and end-to-end SSL access of the application URL. Follow these steps to set up NGINX as a load balancer for an Oracle WebCenter Portal domain in a Kubernetes cluster:
See the official installation document for prerequisites.
To get repository information, enter the following Helm commands:
```bash
$ helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
$ helm repo update
```
Deploy the `ingress-nginx` controller by using Helm on the domain namespace:
```bash
$ helm install nginx-ingress ingress-nginx/ingress-nginx -n wcpns \
    --set controller.service.type=NodePort \
    --set controller.admissionWebhooks.enabled=false
```
Check the status of the deployed ingress controller:
```bash
$ kubectl --namespace wcpns get services | grep ingress-nginx-controller
```
Sample output:
```bash
nginx-ingress-ingress-nginx-controller   NodePort   10.101.123.106   <none>   80:30305/TCP,443:31856/TCP   2m12s
```
`${WORKDIR}/charts/ingress-per-domain/values.yaml`. By default, `type` is `TRAEFIK`, `tls` is `Non-SSL`. You can override these values by passing values through the command line or edit them in the sample `values.yaml` file.

NOTE: This is not an exhaustive list of rules. You can enhance it based on the application URLs that need to be accessed externally.
If needed, you can update the ingress YAML file to define more path rules (in section `spec.rules.host.http.paths`) based on the domain application URLs that need to be accessed. Update the template YAML file for the NGINX load balancer located at `${WORKDIR}/charts/ingress-per-domain/templates/nginx-ingress.yaml`.
You can add new path rules as shown below:
```yaml
- path: /NewPathRule
  backend:
    serviceName: 'Backend Service Name'
    servicePort: 'Backend Service Port'
```
```bash
$ cd ${WORKDIR}
$ helm install wcp-domain-nginx charts/ingress-per-domain \
    --namespace wcpns \
    --values charts/ingress-per-domain/values.yaml \
    --set "nginx.hostname=$(hostname -f)" \
    --set type=NGINX
```
Sample output:
```bash
NAME: wcp-domain-nginx
LAST DEPLOYED: Fri Jul 24 09:34:03 2020
NAMESPACE: wcpns
STATUS: deployed
REVISION: 1
TEST SUITE: None
```
For secured access (SSL) to the Oracle WebCenter Portal application, create a certificate and generate a Kubernetes secret:
```bash
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /tmp/tls1.key -out /tmp/tls1.crt -subj "/CN=*"
$ kubectl -n wcpns create secret tls wcp-domain-tls-cert --key /tmp/tls1.key --cert /tmp/tls1.crt
```
Install `ingress-per-domain` using Helm for SSL configuration:
```bash
$ cd ${WORKDIR}
$ helm install wcp-domain-nginx charts/ingress-per-domain \
    --namespace wcpns \
    --values charts/ingress-per-domain/values.yaml \
    --set "nginx.hostname=$(hostname -f)" \
    --set type=NGINX --set sslType=SSL
```
For non-SSL access to the Oracle WebCenter Portal application, get the details of the services by the ingress:
```bash
$ kubectl describe ingress wcp-domain-nginx -n wcpns
```
For SSL access to the Oracle WebCenter Portal application, get the details of the services by the above deployed ingress:
```bash
$ kubectl describe ingress wcp-domain-nginx -n wcpns
```
Verify that the Oracle WebCenter Portal domain application URLs are accessible through the nginx NodePort `LOADBALANCER-NODEPORT` `30305`:
```bash
http://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-NODEPORT}/console
http://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-NODEPORT}/em
http://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-NODEPORT}/webcenter
http://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-NODEPORT}/rsscrawl
http://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-NODEPORT}/rest
http://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-NODEPORT}/webcenterhelp
http://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-NODEPORT}/wsrp-tools
http://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-NODEPORT}/portalTools
```
Uninstall and delete the `ingress-nginx` deployment:
```bash
$ helm delete wcp-domain-nginx -n wcpns
$ helm delete nginx-ingress -n wcpns
```
For secured access (SSL) to the Oracle WebCenter Portal application, create a certificate and generate secrets:
```bash
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /tmp/tls1.key -out /tmp/tls1.crt -subj "/CN=domain1.org"
$ kubectl -n wcpns create secret tls wcp-domain-tls-cert --key /tmp/tls1.key --cert /tmp/tls1.crt
```
Note: The value of `CN` is the host on which this ingress is to be deployed.
Deploy the ingress-nginx controller by using Helm on the domain namespace:
```bash
$ helm install nginx-ingress -n wcpns \
    --set controller.extraArgs.default-ssl-certificate=wcpns/wcp-domain-tls-cert \
    --set controller.service.type=NodePort \
    --set controller.admissionWebhooks.enabled=false \
    --set controller.extraArgs.enable-ssl-passthrough=true \
    ingress-nginx/ingress-nginx
```
Check the status of the deployed ingress controller:
```bash
$ kubectl --namespace wcpns get services | grep ingress-nginx-controller
```
Sample output:
```bash
nginx-ingress-ingress-nginx-controller   NodePort   10.96.177.215   <none>   80:32748/TCP,443:31940/TCP   23s
```
Deploy tls to securely access the services. Only one application can be configured with `ssl-passthrough`. A sample tls file for NGINX is shown below for the service `wcp-domain-cluster-wcp-cluster` and port `8889`. All the applications running on port `8889` can be securely accessed through this ingress.

For each backend service, create different ingresses, as NGINX does not support multiple paths or rules with annotation `ssl-passthrough`. For example, for `wcp-domain-adminserver` and `wcp-domain-cluster-wcp-cluster`, different ingresses must be created.

As `ssl-passthrough` in NGINX works on the clusterIP of the backing service instead of individual endpoints, you must expose `wcp-domain-cluster-wcp-cluster` created by the operator with clusterIP.
For example:
a. Get the name of wcp-domain cluster service:
```bash
$ kubectl get svc -n wcpns | grep wcp-domain-cluster-wcp-cluster
```
Sample output:
```bash
wcp-domain-cluster-wcp-cluster   ClusterIP   10.102.128.124   <none>   8888/TCP,8889/TCP   62m
```
Deploy the secured ingress:
```bash
$ cd ${WORKDIR}/charts/ingress-per-domain/tls
$ kubectl create -f nginx-tls.yaml
```
Note: The default `nginx-tls.yaml` contains the backend for WebCenter Portal service with domainUID `wcp-domain`. You need to create similar tls configuration YAML files separately for each backend service.
Note: Host is the server on which this ingress is deployed.
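One way to produce a separate `ssl-passthrough` ingress for each backend service, as an added example (not Oracle's `nginx-tls.yaml`): the function validates its arguments and prints a manifest. It assumes the `networking.k8s.io/v1` Ingress API and an IngressClass named `nginx`; `render_passthrough_ingress` and the validator names are hypothetical.

```shell
# Added example, not Oracle's nginx-tls.yaml. Assumed: networking.k8s.io/v1,
# an IngressClass named "nginx", and the wcp-domain-tls-cert secret created above.

# Validators: Kubernetes object name, concrete DNS host name, TCP port.
valid_label() { case $1 in ''|[!a-z0-9]*|*[!a-z0-9]|*[!a-z0-9-]*) return 1 ;; esac; }
valid_host() { case $1 in ''|[!a-z0-9]*|*[!a-z0-9]|*[!a-z0-9.-]*) return 1 ;; esac; }
valid_port() {
  case $1 in ''|*[!0-9]*|??????*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# render_passthrough_ingress INGRESS_NAME SERVICE PORT HOST [NAMESPACE]
# The body is a subshell, so variables stay local and exit leaves only the function.
render_passthrough_ingress() (
  name=$1 service=$2 port=$3 host=$4 ns=${5:-wcpns}
  for label in "$name" "$service" "$ns"; do
    valid_label "$label" || { echo "invalid name: '$label'" >&2; exit 1; }
  done
  valid_port "$port" || { echo "invalid port: '$port'" >&2; exit 1; }
  # A bare "*" (as in CN=*) is not a valid Ingress host; require a real name.
  valid_host "$host" || { echo "invalid host: '$host'" >&2; exit 1; }
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: $name
  namespace: $ns
  annotations:
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - $host
    secretName: wcp-domain-tls-cert
  rules:
  - host: $host
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: $service
            port:
              number: $port
EOF
)
```

Pipe the output to `kubectl create -f -`, calling the function once for `wcp-domain-cluster-wcp-cluster` and once for `wcp-domain-adminserver`, each with its own ingress name and SSL port.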
Check the services supported by the ingress:
```bash
$ kubectl describe ingress wcpns-ingress -n wcpns
```
Verify that the Oracle WebCenter Portal domain application URLs are accessible through the `LOADBALANCER-SSLPORT` `30233`:
```bash
https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/webcenter
https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/rsscrawl
https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/webcenterhelp
https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/rest
https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/wsrp-tools
https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/portalTools
```
```bash
$ cd ${WORKDIR}/charts/ingress-per-domain/tls
$ kubectl delete -f nginx-tls.yaml
$ helm delete nginx-ingress -n wcpns
```