To prepare for Oracle HTTP Server (OHS) deployment in a Kubernetes environment, complete the following steps:
As per the Prerequisites a Kubernetes cluster should have already been configured.
Check that all the nodes in the Kubernetes cluster are running.
Run the following command on the master node to check the cluster and worker nodes are running:
$ kubectl get nodes,pods -n kube-system
The output will look similar to the following:
NAME STATUS ROLES AGE VERSION
node/worker-node1 Ready <none> 17h v1.28.3+3.el8
node/worker-node2 Ready <none> 17h v1.28.3+3.el8
node/master-node Ready control-plane,master 23h v1.28.3+3.el8
NAME READY STATUS RESTARTS AGE
pod/coredns-66bff467f8-fnhbq 1/1 Running 0 23h
pod/coredns-66bff467f8-xtc8k 1/1 Running 0 23h
pod/etcd-master 1/1 Running 0 21h
pod/kube-apiserver-master-node 1/1 Running 0 21h
pod/kube-controller-manager-master-node 1/1 Running 0 21h
pod/kube-flannel-ds-amd64-lxsfw 1/1 Running 0 17h
pod/kube-flannel-ds-amd64-pqrqr 1/1 Running 0 17h
pod/kube-flannel-ds-amd64-wj5nh 1/1 Running 0 17h
pod/kube-proxy-2kxv2 1/1 Running 0 17h
pod/kube-proxy-82vvj 1/1 Running 0 17h
pod/kube-proxy-nrgw9 1/1 Running 0 23h
pod/kube-scheduler-master 1/1 Running 0 21h
The OHS Kubernetes deployment requires access to an OHS container image. The image can be obtained in the following ways:
The prebuilt OHS October 2024 container image can be downloaded from Oracle Container Registry. This image is prebuilt by Oracle and includes Oracle HTTP Server 12.2.1.4.0, the October 2024 Patch Set Update (PSU) and other fixes released with the Critical Patch Update (CPU) program.
Note: Before using this image you must login to Oracle Container Registry, navigate to Middleware
> ohs_cpu
and accept the license agreement.
You can use this image in the following ways:
You can build your own OHS container image using the WebLogic Image Tool. This is recommended if you need to apply one off patches to a Prebuilt OHS container image. For more information about building your own container image with WebLogic Image Tool, see Create or update image.
You can use an image built with WebLogic Image Tool in the following ways:
Note: This documentation does not tell you how to pull or push the above images into a private container registry, or stage them on worker nodes. Details of this can be found in the Enterprise Deployment Guide.
In all the sections below, the commands are run from a server that has access to the Kubernetes cluster.
To deploy OHS you need to set up the code repository which provides sample deployment yaml files:
Create a directory to setup the source code.
$ mkdir <ohsscripts>
For example:
$ mkdir -p /OHSK8S/OHSscripts
Download the latest OHS deployment scripts from the OHS repository.
$ cd <ohsscripts>
$ git clone https://github.com/oracle/fmw-kubernetes.git
For example:
$ cd /OHSK8S/OHSscripts
$ git clone https://github.com/oracle/fmw-kubernetes.git
Set the $SCRIPTDIR
environment variable as follows:
$ export SCRIPTDIR=<ohsscripts>/fmw-kubernetes/OracleHTTPServer/kubernetes
For example:
$ export SCRIPTDIR=/OHSK8S/OHSscripts/fmw-kubernetes/OracleHTTPServer/kubernetes
Before you deploy OHS, you must prepare your OHS configuration files.
The steps below assume familiarity with on premises Oracle HTTP Server in terms of general configuration and use of Oracle WebGate.
Note: Administrators should be aware of the following:
webgateConf
and webgateWallet
directories. Similarly, if you do not want to copy files to htdocs
then you do not need to create the htdocs
directory.Make a directory to store your OHS configuration files:
mkdir -p <myohsfiles>
For example:
mkdir -p /OHSK8S/myOHSfiles
Set the $MYOHSFILES
environment variable as follows:
$ export MYOHSFILES=<myohsfiles>
For example:
$ export MYOHSFILES=/OHSK8S/myOHSfiles
Create the following directories for your OHS configuration:
mkdir -p $MYOHSFILES/ohsConfig/httpconf
mkdir -p $MYOHSFILES/ohsConfig/moduleconf
mkdir -p $MYOHSFILES/ohsConfig/htdocs
mkdir -p $MYOHSFILES/ohsConfig/htdocs/myapp
mkdir -p $MYOHSFILES/ohsConfig/webgate/config/wallet
mkdir -p $MYOHSFILES/ohsConfig/wallet/mywallet
Where:
httpconf
- contains any configuration files you want to configure that are usually found in the $OHS_DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1
directory. For example httpd.conf
, ssl.conf
and mod_wl_ohs.conf
. The webgate.conf
does not need to be copied as this will get generated automatically if deploying with WebGate.moduleconf
- contains any additional config files, for example virtual host configuration files that you want to copy to the $OHS_DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1/moduleconf
folder in the container.htdocs
- contains any html files, or similar, that you want to copy to the $OHS_DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1/htdocs
folder in the container.htdocs/myapp
- myapp
is an example directory name that exists under htdocs
. If you need to copy any directories under htdocs
above, then create the directories you require.webgate/config
- contains the extracted WebGate configuration. For example, when you download the <agent>.zip
file from Oracle Access Management Console, you extract the zip file into this directory. If you are accessing OAM URL’s via SSL, this directory must also contain the Certificate Authority cacert.pem
file that signed the certificate of the OAM entry point. For example, if you will access OAM via a HTTPS Load Balancer URL, then cacert.pem
is the CA certificate that signed the load balancer certificate.webgate/config/wallet
- contains the contents of the wallet directory extracted from the <agent.zip>
file.wallet/mywallet
- If OHS is to be configured to use SSL, this directory contains the preconfigured OHS Wallet file cwallet.sso
.Note: Administrators should be aware of the following if configuring OHS for SSL:
cwallet.sso
only) are supported. For example, wallets created with orapki
using the -auto-login-only
option. Password protected wallets (ewallet.p12
) are not supported.ssl.conf
in $WORKDIR/ohsConfig/httpconf
and set the directory for SSLWallet
to: SSLWallet "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/keystores/wallet/mywallet"
.An example file system may contain the following:
ls -R $MYOHSFILES/ohsConfig
/OHSK8S/myOHSfiles/ohsConfig:
htdocs httpconf moduleconf wallet webgate
/OHSK8S/myOHSfiles/ohsConfig/htdocs:
myapp mypage.html
/OHSK8S/myOHSfiles/ohsConfig/htdocs/myapp:
index.html
/OHSK8S/myOHSfiles/ohsConfig/httpconf:
httpd.conf mod_wl_ohs.conf ssl.conf
/OHSK8S/myOHSfiles/ohsConfig/moduleconf:
vh.conf
/OHSK8S/myOHSfiles/ohsConfig/wallet:
mywallet
/OHSK8S/myOHSfiles/ohsConfig/wallet/mywallet:
cwallet.sso
/OHSK8S/myOHSfiles/ohsConfig/webgate:
config
/OHSK8S/myOHSfiles/ohsConfig/webgate/config:
cacert.pem cwallet.sso cwallet.sso.lck ObAccessClient.xml wallet
/OHSK8S/myOHSfiles/ohsConfig/webgate/config/wallet:
cwallet.sso cwallet.sso.lck
If your OHS deployment is configured to communicate with Oracle WebLogic Server, then you must set the WLDNSRefreshInterval
and WebLogicCluster
directives in your OHS configuration files appropriately.
In the file where your WLS location directives reside, you must set the following:
<IfModule weblogic_module>
WLDNSRefreshInterval 10
</IfModule>
For WebLogicCluster
, the values to set depend on whether the WLS is deployed on-premises, on the same Kubernetes cluster as OHS, or on a different Kubernetes cluster to OHS. The following sections explain how to set the values in each case.
If OHS is connecting to a WebLogic Server deployed in an on-premises configuration (non-Kubernetes), then set:
WebLogicCluster <APPHOST1>:<PORT>,<APPHOST2>:<PORT>
For example, if you were connecting to the WebLogic Server Administration Server port:
<Location /console>
WLSRequest ON
DynamicServerList OFF
WLProxySSL ON
WLProxySSLPassThrough ON
WLCookieName OAMJSESSIONID
WebLogicCluster APPHOST1.example.com:7001,APPHOST2.example.com:7001
</Location>
If OHS is connecting to a WebLogic Server deployed on the same Kubernetes cluster, then set the following depending on your environment:
WebLogicHost <service_name>.<namespace>.svc.cluster.local
WebLogicPort <port>
or:
WebLogicCluster <service_name>.<namespace>.svc.cluster.local:<port>
Note: You can get the <service_name>
and <port>
by running kubectl get svc -n <namespace>
on your Kubernetes cluster.
The following shows an example when connecting to an Oracle Access Management (OAM) Administration Server cluster service and port:
<Location /console>
WLSRequest ON
DynamicServerList OFF
WLProxySSL ON
WLProxySSLPassThrough ON
WLCookieName OAMJSESSIONID
WebLogicHost accessdomain-adminserver.oamns.svc.cluster.local
WebLogicPort 7001
</Location>
The following shows an example when connecting to an Oracle Access Management (OAM) Managed Server cluster service and port:
<Location /oam>
WLSRequest ON
DynamicServerList OFF
WLProxySSL ON
WLProxySSLPassThrough ON
WLCookieName OAMJSESSIONID
WebLogicCluster accessdomain-cluster-oam-cluster.oamns.svc.cluster.local:14100
If OHS is connecting to a WebLogic Server deployed on a separate Kubernetes cluster, then set:
WebLogicCluster <K8S_WORKER_HOST1>:30777,<K8S_WORKER_HOST2>:30777,<K8S_WORKER_HOST3>:30777
Where <K8S_WORKER_HOSTX>
is your Kubernetes worker node hostname.domain
, and 30777
is the HTTP port of the ingress controller.
For example:
<Location /console>
WLSRequest ON
DynamicServerList OFF
WLProxySSL ON
WLProxySSLPassThrough ON
WLCookieName OAMJSESSIONID
WebLogicCluster K8_WORKER_HOST1.example.com:30777,K8_WORKER_HOST2.example.com:30777,K8_WORKER_HOST3.example.com:30777
</Location>
Run the following command to create a namespace for the OHS:
$ kubectl create namespace <namespace>
For example:
$ kubectl create namespace ohsns
The output will look similar to the following:
namespace/ohsns created
Note: Before following this section, make sure you have created the directories and files as per Prepare your OHS configuration files.
Run the following commands to create the required configmaps for the OHS directories and files created in Prepare your OHS configuration files.
cd $MYOHSFILES
kubectl create cm -n ohsns ohs-config --from-file=ohsConfig/moduleconf
kubectl create cm -n ohsns ohs-httpd --from-file=ohsConfig/httpconf
kubectl create cm -n ohsns ohs-htdocs --from-file=ohsConfig/htdocs
kubectl create cm -n ohsns ohs-myapp --from-file=ohsConfig/htdocs/myapp
kubectl create cm -n ohsns webgate-config --from-file=ohsConfig/webgate/config
kubectl create cm -n ohsns webgate-wallet --from-file=ohsConfig/webgate/config/wallet
kubectl create cm -n ohsns ohs-wallet --from-file=ohsConfig/wallet/mywallet
Note: Only create the configmaps for directories that you want to copy to OHS.
In this section you create a secret that stores the credentials for the container registry where the OHS image is stored.
If you are not using a container registry and have loaded the images on each of the worker nodes, then there is no need to create the registry secret.
Run the following command to create the secret:
$ kubectl create secret docker-registry "regcred" --docker-server=<CONTAINER_REGISTRY> \
--docker-username="<USER_NAME>" \
--docker-password=<PASSWORD> --docker-email=<EMAIL_ID> \
--namespace=<domain_namespace>
For example, if using Oracle Container Registry:
$ kubectl create secret docker-registry "regcred" --docker-server=container-registry.oracle.com \
--docker-username="user@example.com" \
--docker-password=password --docker-email=user@example.com \
--namespace=ohsns
Replace <USER_NAME>
and <PASSWORD>
with the credentials for the registry with the following caveats:
If using Oracle Container Registry to pull the OHS container image, this is the username and password used to login to Oracle Container Registry. Before you can use this image you must login to Oracle Container Registry , navigate to Middleware
> ohs_cpu
and accept the license agreement.
If using your own container registry to store the OHS container image, this is the username and password (or token) for your container registry.
The output will look similar to the following:
secret/regcred created
In this section you create a secret that stores the credentials for the OHS domain.
Run the following command to create the secret:
$ kubectl create secret generic ohs-secret -n <namespace> --from-literal=username=weblogic --from-literal=password='<password>'
For example:
$ kubectl create secret generic ohs-secret -n ohsns --from-literal=username=weblogic --from-literal=password='<password>`
Replace <password>
with a password of your choice.
The output will look similar to the following:
secret/ohs-secret created
In this section you prepare the ohs.yaml
file ready for OHS deployment.
Copy of the sample yaml files to $MYOHSFILES
:
$ cd $MYOHSFILES
$ cp $SCRIPTDIR/*.yaml .
Edit the $MYOHSFILES/ohs.yaml
and change the following parameters to match your installation:
Note:
<NAMESPACE>
to your namespace, for example ohsns
.<IMAGE_NAME>
to the correct image tag on Oracle Container Registry. If you are using your own container registry for the image, you will need to change the image
location appropriately. If your own container registry is open, you do not need the imagePullSecrets
.htdocs
then remove the ohs-htdocs
configMap. If you are not deploying webgate then remove the webgate-config
and webgate-wallet
configMaps, and so forth.htdocs
, then add the additional entries in that match the configmap and directory names.DEPLOY_WG
to true
or false
depending on whether webgate is to be deployed.<WALLET_NAME>
to the wallet directory created under ohsConfig/webgate/config/wallet
, for example mywallet
.initialDelaySeconds
may need to be changed to 10 on slower systems. See, Issues with LivenessProbe.You are now ready to create the OHS container, see Create the OHS Container and Nodeport.