NGINX

This section provides information about how to install and configure the ingress-based NGINX load balancer to load balance Oracle SOA Suite domain clusters. You can configure NGINX for non-SSL, SSL termination, and end-to-end SSL access of the application URL.

See the official installation document for prerequisites.

Follow these steps to set up NGINX as a load balancer for an Oracle SOA Suite domain in a Kubernetes cluster:

  1. Install the NGINX load balancer for non-SSL and SSL termination configuration
  2. Generate secret for SSL access
  3. Install NGINX load balancer for end-to-end SSL configuration
  4. Configure NGINX to manage ingresses
  5. Verify domain application URL access
  6. Uninstall NGINX ingress
  7. Uninstall NGINX

To get repository information, enter the following Helm commands:

  $ helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
  $ helm repo update

Install the NGINX load balancer for non-SSL and SSL termination configuration

  1. Deploy the ingress-nginx controller by using Helm in the domain namespace:

     $ helm install nginx-ingress -n soans \
            --set controller.service.type=NodePort \
            --set controller.admissionWebhooks.enabled=false \
            ingress-nginx/ingress-nginx
    

Generate secret for SSL access

  1. For secured access (SSL and E2ESSL) to the Oracle SOA Suite application, create a certificate and generate secrets:

     $ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /tmp/tls1.key -out /tmp/tls1.crt -subj "/CN=domain1.org"
     $ kubectl -n soans create secret tls soainfra-tls-cert --key /tmp/tls1.key --cert /tmp/tls1.crt
    

    Note: The value of CN is the host on which this ingress is to be deployed, and the secret name should be <domainUID>-tls-cert.
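
The certificate step above, as an added example (not part of the original page or of Oracle's scripts): it creates the same self-signed certificate with a subjectAltName in a private directory instead of fixed /tmp paths, and checks key match, host name and expiry before the secret is created. It assumes OpenSSL 1.1.1 or later; the function names make_ingress_cert and check_ingress_cert are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes OpenSSL 1.1.1 or later
# (-addext, -ext). Function and file names are illustrative.

# make_ingress_cert HOST DIR
# The page's self-signed certificate plus a subjectAltName, written to DIR
# with the private key readable only by its owner.
make_ingress_cert() {
    ( umask 077
      openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
          -keyout "$2/tls.key" -out "$2/tls.crt" \
          -subj "/CN=$1" -addext "subjectAltName=DNS:$1" ) >/dev/null 2>&1
}

# check_ingress_cert HOST CRT KEY
# Prints "ok", or the name of the first failed check:
#   key-mismatch   KEY is not the private key for CRT
#   no-san         CRT has no DNS subjectAltName (current browsers ignore CN)
#   host-mismatch  CRT is not valid for HOST
#   expiring       CRT expires within 30 days
check_ingress_cert() {
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$3" -pubout 2>/dev/null)
    if [ -z "$crt_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo key-mismatch; return 0
    fi
    if ! openssl x509 -in "$2" -noout -ext subjectAltName 2>/dev/null |
            grep -q 'DNS:'; then
        echo no-san; return 0
    fi
    if ! openssl x509 -in "$2" -noout -checkhost "$1" 2>/dev/null |
            grep -q 'does match certificate'; then
        echo host-mismatch; return 0
    fi
    if ! openssl x509 -in "$2" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo expiring; return 0
    fi
    echo ok
}

# Usage with the page's names, before creating the secret:
#   dir=$(mktemp -d) && make_ingress_cert domain1.org "$dir"
#   [ "$(check_ingress_cert domain1.org "$dir/tls.crt" "$dir/tls.key")" = ok ] &&
#     kubectl -n soans create secret tls soainfra-tls-cert \
#       --key "$dir/tls.key" --cert "$dir/tls.crt"
#   rm -rf "$dir"
```

A certificate created with only `-subj "/CN=..."`, as in the command above, is reported as `no-san` by this check.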

Install NGINX load balancer for end-to-end SSL configuration

  1. Deploy the ingress-nginx controller by using Helm in the domain namespace:

     $ helm install nginx-ingress -n soans \
           --set controller.extraArgs.default-ssl-certificate=soans/soainfra-tls-cert \
           --set controller.service.type=NodePort \
           --set controller.admissionWebhooks.enabled=false \
           --set controller.extraArgs.enable-ssl-passthrough=true  \
            ingress-nginx/ingress-nginx
    
  2. Check the status of the deployed ingress controller:

    $ kubectl --namespace soans get services | grep ingress-nginx-controller
    

    Sample output:

     nginx-ingress-ingress-nginx-controller   NodePort    10.106.186.235   <none>        80:32125/TCP,443:31376/TCP   19m
    

Configure NGINX to manage ingresses

  1. Choose an appropriate LOADBALANCER_HOSTNAME for accessing the Oracle SOA Suite domain application URLs.

    $ export LOADBALANCER_HOSTNAME=<LOADBALANCER_HOSTNAME>
    

    For example, if you are executing the commands from a master node terminal, where the master hostname is LOADBALANCER_HOSTNAME:

    $ export LOADBALANCER_HOSTNAME=$(hostname -f)
    
  2. Create an ingress for the domain in the domain namespace by using the sample Helm chart. Path-based routing is used for the ingress. Sample values for the default configuration are shown in the file ${WORKDIR}/charts/ingress-per-domain/values.yaml. By default, type is TRAEFIK, sslType is NONSSL, and domainType is soa. These values can be overridden by passing values through the command line or can be edited in the sample file values.yaml.
    If needed, you can update the ingress YAML file to define more path rules (in section spec.rules.host.http.paths) based on the domain application URLs that need to be accessed. Update the template YAML file for the NGINX load balancer located at ${WORKDIR}/charts/ingress-per-domain/templates/nginx-ingress.yaml.

    Note: See here for all the configuration parameters.

     $ cd ${WORKDIR}
     $ helm install soa-nginx-ingress  charts/ingress-per-domain \
         --namespace soans \
         --values charts/ingress-per-domain/values.yaml \
         --set "nginx.hostname=${LOADBALANCER_HOSTNAME}" \
         --set type=NGINX
    

    Sample output:

    NAME: soa-nginx-ingress
    LAST DEPLOYED: Fri Jul 24 09:34:03 2020
    NAMESPACE: soans
    STATUS: deployed
    REVISION: 1
    TEST SUITE: None
    
  3. Install ingress-per-domain using Helm for SSL termination configuration:

     $ cd ${WORKDIR}
     $ helm install soa-nginx-ingress  charts/ingress-per-domain \
         --namespace soans \
         --values charts/ingress-per-domain/values.yaml \
         --set "nginx.hostname=${LOADBALANCER_HOSTNAME}" \
         --set type=NGINX --set sslType=SSL
    

    Sample output:

     NAME: soa-nginx-ingress
     LAST DEPLOYED: Fri Jul 24 09:34:03 2020
     NAMESPACE: soans
     STATUS: deployed
     REVISION: 1
     TEST SUITE: None
    
  4. Install ingress-per-domain using Helm for E2ESSL configuration.

    Note: To use the E2ESSL configuration, you must have created the Oracle SOA Suite domain with sslEnabled set to true. See Create Oracle SOA Suite domains.

     $ cd ${WORKDIR}
     $ helm install soa-nginx-ingress  charts/ingress-per-domain \
         --namespace soans \
         --values charts/ingress-per-domain/values.yaml \
         --set type=NGINX --set sslType=E2ESSL
    

    Sample output:

     NAME: soa-nginx-ingress
     LAST DEPLOYED: Fri Jul 24 09:34:03 2020
     NAMESPACE: soans
     STATUS: deployed
     REVISION: 1
     TEST SUITE: None
    
  5. For NONSSL access to the Oracle SOA Suite application, get the details of the services supported by the ingress:

    $ kubectl describe ingress soainfra-nginx -n soans
    
  6. For SSL access to the Oracle SOA Suite application, get the details of the services supported by the ingress deployed above:

     $ kubectl describe ingress soainfra-nginx -n soans
    
  7. For E2ESSL access to the Oracle SOA Suite application, get the details of the services supported by the ingress deployed above:

     $  kubectl describe ingress  soainfra-nginx-e2essl -n soans
    

Verify domain application URL access

NONSSL configuration
  • Get the LOADBALANCER_NON_SSLPORT NodePort of NGINX using the command:

    $ LOADBALANCER_NON_SSLPORT=$(kubectl --namespace soans  get services -o jsonpath="{.spec.ports[0].nodePort}" nginx-ingress-ingress-nginx-controller)
    $ echo ${LOADBALANCER_NON_SSLPORT}
    
  • Verify that the Oracle SOA Suite domain application URLs are accessible through the LOADBALANCER_NON_SSLPORT:

    http://${LOADBALANCER_HOSTNAME}:${LOADBALANCER_NON_SSLPORT}/weblogic/ready
    http://${LOADBALANCER_HOSTNAME}:${LOADBALANCER_NON_SSLPORT}/console
    http://${LOADBALANCER_HOSTNAME}:${LOADBALANCER_NON_SSLPORT}/em
    http://${LOADBALANCER_HOSTNAME}:${LOADBALANCER_NON_SSLPORT}/soa-infra
    http://${LOADBALANCER_HOSTNAME}:${LOADBALANCER_NON_SSLPORT}/soa/composer
    http://${LOADBALANCER_HOSTNAME}:${LOADBALANCER_NON_SSLPORT}/integration/worklistapp
    
SSL configuration
  • Get the LOADBALANCER_SSLPORT NodePort of NGINX using the command:

    $ LOADBALANCER_SSLPORT=$(kubectl --namespace soans  get services -o jsonpath="{.spec.ports[1].nodePort}" nginx-ingress-ingress-nginx-controller)
    $ echo ${LOADBALANCER_SSLPORT}
    
  • Verify that the Oracle SOA Suite domain application URLs are accessible through the LOADBALANCER_SSLPORT:

    https://${LOADBALANCER_HOSTNAME}:${LOADBALANCER_SSLPORT}/weblogic/ready
    https://${LOADBALANCER_HOSTNAME}:${LOADBALANCER_SSLPORT}/console
    https://${LOADBALANCER_HOSTNAME}:${LOADBALANCER_SSLPORT}/em
    https://${LOADBALANCER_HOSTNAME}:${LOADBALANCER_SSLPORT}/soa-infra
    https://${LOADBALANCER_HOSTNAME}:${LOADBALANCER_SSLPORT}/soa/composer
    https://${LOADBALANCER_HOSTNAME}:${LOADBALANCER_SSLPORT}/integration/worklistapp
    
E2ESSL configuration
  • To access the SOA Suite domain application URLs from a remote browser, update the hosts file on the browser host, /etc/hosts (on Windows, C:\Windows\System32\Drivers\etc\hosts), with the IP address of the host on which the ingress is deployed, using the following entries:

    X.X.X.X  admin.domain.org
    X.X.X.X  soa.domain.org
    X.X.X.X  osb.domain.org
    

    Note:

    • The value of X.X.X.X is the host IP address on which this ingress is deployed.
    • If you are behind a corporate proxy, make sure to update the browser proxy settings appropriately to access the host names added to the /etc/hosts file.
  • Get the LOADBALANCER_SSLPORT NodePort of NGINX using the command:

    $ LOADBALANCER_SSLPORT=$(kubectl --namespace soans  get services -o jsonpath="{.spec.ports[1].nodePort}" nginx-ingress-ingress-nginx-controller)
    $ echo ${LOADBALANCER_SSLPORT}
    
  • Verify that the Oracle SOA Suite domain application URLs are accessible through LOADBALANCER_SSLPORT:

    https://admin.org:${LOADBALANCER_SSLPORT}/weblogic/ready
    https://admin.org:${LOADBALANCER_SSLPORT}/console
    https://admin.org:${LOADBALANCER_SSLPORT}/em
    https://soa.org:${LOADBALANCER_SSLPORT}/soa-infra
    https://soa.org:${LOADBALANCER_SSLPORT}/soa/composer
    https://soa.org:${LOADBALANCER_SSLPORT}/integration/worklistapp
    
    

Note: This is the default host name. If you have updated the host name in values.yaml, then use the updated values.

Uninstall NGINX ingress

Uninstall and delete the ingress-nginx deployment:

$ helm delete soa-nginx-ingress  -n soans

Uninstall NGINX

$ helm delete nginx-ingress -n soans