NGINX

This section provides information about how to install and configure the ingress-based NGINX load balancer to load balance Oracle WebCenter Content domain clusters. You can configure NGINX for non-SSL, SSL termination, and end-to-end SSL access of the application URL.

Follow these steps to set up NGINX as a load balancer for an Oracle WebCenter Content domain in a Kubernetes cluster:

See the official installation document for prerequisites.

To get repository information, enter the following Helm commands:

  $ helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
  $ helm repo update

Non-SSL and SSL termination

Install the NGINX load balancer

  1. Deploy the ingress-nginx controller by using Helm on the domain namespace:

     $ helm install nginx-ingress -n wccns \
            --set controller.service.type=LoadBalancer \
            --set controller.admissionWebhooks.enabled=false \
              ingress-nginx/ingress-nginx 
    
  2. Check the status of the deployed ingress controller:

    Note the EXTERNAL-IP of the nginx-controller service. This is the public IP address of the load balancer that you will use to access the WebLogic Server Administration Console and WebCenter Content URLs.

    Note: It may take a few minutes for the LoadBalancer IP (EXTERNAL-IP) to become available.

    $ kubectl --namespace wccns get services | grep ingress-nginx-controller
    

    Sample output:

    NAME                                   TYPE         CLUSTER-IP   EXTERNAL-IP     PORT(S)   
    nginx-ingress-ingress-nginx-controller LoadBalancer 10.96.180.215 144.24.xx.xx    80:31339/TCP,443:32278/TCP
    

    To print only the NGINX EXTERNAL-IP, execute this command:

    NGINX_PUBLIC_IP=`kubectl describe svc nginx-ingress-ingress-nginx-controller --namespace wccns | grep Ingress | awk '{print $3}'`
       
    $ echo $NGINX_PUBLIC_IP   
    144.24.xx.xx
    

    Verify the helm charts:

    $ helm list -A
    NAME          NAMESPACE REVISION  UPDATED      STATUS      CHART                APP VERSION
    nginx-ingress  wccns    1         2022-05-13  deployed   ingress-nginx-4.2.5   1.3.1
    

Configure NGINX to manage ingresses

  1. Create an ingress for the domain in the domain namespace by using the sample Helm chart. Path-based routing is used for the ingress. Sample values for the default configuration are shown in the file ${WORKDIR}/charts/ingress-per-domain/values.yaml. By default, type is TRAEFIK, tls is Non-SSL, and domainType is wccinfra. You can override these values on the command line or by editing the sample values.yaml file.

    If needed, you can update the ingress YAML file to define more path rules (in the section spec.rules.host.http.paths) based on the domain application URLs that need to be accessed. To do so, update the template YAML file for the NGINX load balancer, located at ${WORKDIR}/charts/ingress-per-domain/templates/nginx-ingress.yaml.

    Install ingress-per-domain using Helm for non-SSL configuration:

    $ export LB_HOSTNAME=<NGINX load balancer DNS name>
       
    # OR leave it empty to point to the NGINX load balancer IP (the default)
    $ export LB_HOSTNAME=''
    

    Note: Make sure that you specify the DNS name that points to the NGINX load balancer hostname, or leave it empty to point to the NGINX load balancer IP.

     $ cd ${WORKDIR}
     $ helm install wccinfra-nginx-ingress charts/ingress-per-domain \
         --namespace wccns \
         --values charts/ingress-per-domain/values.yaml \
         --set "nginx.hostname=$LB_HOSTNAME" \
         --set type=NGINX \
         --set tls=NONSSL
    

    Sample output:

     NAME: wccinfra-nginx-ingress
     LAST DEPLOYED: Tue May 10 10:37:12 2022
     NAMESPACE: wccns
     STATUS: deployed
     REVISION: 1
     TEST SUITE: None
    

Create a certificate and generate a Kubernetes secret

  1. For secured access (SSL) to the Oracle WebCenter Content application, create a certificate:

     $ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /tmp/tls1.key -out /tmp/tls1.crt -subj "/CN=<NGINX load balancer DNS name>"
    
     #OR use the following command if you chose to leave LB_HOSTNAME empty in the previous step
    	
     $ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /tmp/tls1.key -out /tmp/tls1.crt -subj "/CN=*"
    

    Note: Make sure that you specify the DNS name that points to the NGINX load balancer hostname.

  2. Generate a Kubernetes secret:

    $ kubectl -n wccns create secret tls domain1-tls-cert --key /tmp/tls1.key --cert /tmp/tls1.crt 
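
A pre-flight check for the key and certificate before they are loaded into the domain1-tls-cert secret, as an added example that is not part of the Oracle documentation. check_tls_pair and demo_check are hypothetical helper names and lb.example.test is a constructed hostname; the demo creates its throwaway pair with the same openssl req options as above, in a private temporary directory.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): checks to run on a
# key/certificate pair before loading it into a Kubernetes TLS secret.

# check_tls_pair KEY CERT HOSTNAME [MIN_DAYS]   (hypothetical helper)
# Returns 0 only when every check passes; reports the first failure on stderr.
check_tls_pair() {
    key=$1 cert=$2 host=$3 min_days=${4:-30}

    # 1. The key was written unencrypted (-nodes): only its owner may access it.
    perms=$(ls -ld "$key" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "key open to group/others: $perms" >&2; return 1; }

    # 2. The certificate must contain the public half of this private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate" >&2; return 2; }

    # 3. The certificate must remain valid for at least MIN_DAYS more days.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null ||
        { echo "certificate expires within $min_days days" >&2; return 3; }

    # 4. The name clients connect to must be covered by the certificate.
    openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q "does match" ||
        { echo "certificate does not cover $host" >&2; return 4; }
}

# Constructed demo: a throwaway pair for the placeholder name lb.example.test,
# created with the openssl options used above, checked against host $1.
demo_check() {
    dir=$(mktemp -d) || return 9
    ( umask 077
      openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
          -keyout "$dir/tls1.key" -out "$dir/tls1.crt" \
          -subj "/CN=lb.example.test" 2>/dev/null ) &&
        check_tls_pair "$dir/tls1.key" "$dir/tls1.crt" "${1:-lb.example.test}"
    rc=$?
    rm -rf "$dir"
    return $rc
}
```
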
    

Install Ingress for SSL termination configuration

  1. Install ingress-per-domain using Helm for SSL configuration:

     $ cd ${WORKDIR}
     $ helm install wccinfra-nginx-ingress charts/ingress-per-domain \
         --namespace wccns \
         --values charts/ingress-per-domain/values.yaml \
         --set "nginx.hostname=$LB_HOSTNAME" \
         --set "nginx.hostnameorip=$NGINX_PUBLIC_IP" \
         --set type=NGINX --set tls=SSL
    

    Sample output:

     NAME: wccinfra-nginx-ingress
     LAST DEPLOYED: Tue May 10 10:37:12 2022
     NAMESPACE: wccns
     STATUS: deployed
     REVISION: 1
     TEST SUITE: None
    
  2. For non-SSL or SSL access to the Oracle WebCenter Content application, get the details of the services supported by the ingress:

      $ kubectl describe ingress wccinfra-nginx -n wccns

End-to-End SSL configuration

Install the NGINX load balancer for end-to-end SSL

  1. For secured access (SSL) to the Oracle WebCenter Content application, create a certificate and generate secrets as described in "Create a certificate and generate a Kubernetes secret".

  2. Deploy the ingress-nginx controller by using Helm on the domain namespace:

    $ helm install nginx-ingress -n wccns \
          --set controller.extraArgs.default-ssl-certificate=wccns/domain1-tls-cert \
          --set controller.service.type=LoadBalancer \
          --set controller.admissionWebhooks.enabled=false \
          --set controller.extraArgs.enable-ssl-passthrough=true \
          ingress-nginx/ingress-nginx
    


  3. Check the status of the deployed ingress controller:

     $ kubectl --namespace wccns get services | grep ingress-nginx-controller
    

    Sample output:

    NAME                                   TYPE         CLUSTER-IP   EXTERNAL-IP     PORT(S)   
    nginx-ingress-ingress-nginx-controller LoadBalancer 10.96.180.215 144.24.xx.xx    80:31339/TCP,443:32278/TCP
    

    To print only the NGINX EXTERNAL-IP, execute this command:

    NGINX_PUBLIC_IP=`kubectl describe svc nginx-ingress-ingress-nginx-controller --namespace wccns | grep Ingress | awk '{print $3}'`
       
    $ echo $NGINX_PUBLIC_IP   
    144.24.xx.xx
    

Deploy tls to access individual Managed Servers

  1. Deploy tls to securely access the services. Only one application can be configured with ssl-passthrough. A sample tls file for NGINX is shown below for the service wccinfra-cluster-ucm-cluster and port 16201. All the applications running on port 16201 can be securely accessed through this ingress. For each backend service, create different ingresses as NGINX does not support multiple path/rules with annotation ssl-passthrough. That is, for wccinfra-cluster-ucm-cluster, wccinfra-cluster-ibr-cluster, wccinfra-cluster-ipm-cluster, wccinfra-cluster-capture-cluster, wccinfra-cluster-wccadf-cluster and wccinfra-adminserver, different ingresses must be created.

    Note: The load balancer has a limitation in the end-to-end SSL configuration: accessing multiple types of servers (different Managed Servers and/or the Administration Server) at the same time is currently not supported. You can access only one Managed Server at a time.

    $ cd ${WORKDIR}/charts/ingress-per-domain/tls
    

Sample nginx-ucm-tls.yaml:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wcc-ucm-ingress
  namespace: wccns
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  tls:
  - hosts:
    # Replace with the NGINX_PUBLIC_IP value; kubectl does not expand shell variables in this file.
    - '$NGINX_PUBLIC_IP'
    secretName: domain1-tls-cert
  rules:
  - host: '<NGINX load balancer DNS name>'
    http:
      paths:
      - path:
        pathType: ImplementationSpecific
        backend:
          service:
            name: wccinfra-cluster-ucm-cluster
            port:
              number: 16201

Note: Make sure that you specify the DNS name that points to the NGINX load balancer hostname.

  2. Deploy the secured ingress:

    $ cd ${WORKDIR}/charts/ingress-per-domain/tls
    $ kubectl create -f nginx-ucm-tls.yaml

  3. Check the services supported by the ingress:

    $ kubectl describe ingress wcc-ucm-ingress -n wccns

Deploy tls to access Administration Server

  1. Because ssl-passthrough in NGINX works on the clusterIP of the backing service instead of individual endpoints, you must expose the adminserver service created by the WebLogic Kubernetes Operator with a clusterIP.

    For example:

    a. Get the name of Administration Server service:

      $ kubectl get svc -n wccns | grep wccinfra-adminserver
    

    Sample output:

      wccinfra-adminserver  ClusterIP   None  <none>   7001/TCP,7002/TCP  7
    

    b. Expose the Administration Server service wccinfra-adminserver and use the new service name wccinfra-adminserver-nginx-ssl:

     $ kubectl expose svc wccinfra-adminserver -n wccns --name=wccinfra-adminserver-nginx-ssl --port=7002
    

    c. Deploy the secured ingress:

Sample nginx-admin-tls.yaml:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wcc-admin-ingress
  namespace: wccns
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  tls:
  - hosts:
    # Replace with the NGINX_PUBLIC_IP value; kubectl does not expand shell variables in this file.
    - '$NGINX_PUBLIC_IP'
    secretName: domain1-tls-cert
  rules:
  - host: '<NGINX load balancer DNS name>'
    http:
      paths:
      - path:
        pathType: ImplementationSpecific
        backend:
          service:
            name: wccinfra-adminserver-nginx-ssl
            port:
              number: 7002

Note: Make sure that you specify the DNS name that points to the NGINX load balancer hostname.

$ cd ${WORKDIR}/charts/ingress-per-domain/tls
$ kubectl create -f nginx-admin-tls.yaml
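
Both sample files above (nginx-ucm-tls.yaml and nginx-admin-tls.yaml) carry the placeholders '$NGINX_PUBLIC_IP' and '<NGINX load balancer DNS name>', and kubectl create -f applies a file exactly as written. The following added example, which is not part of the Oracle documentation, fills them in and refuses to emit a manifest with a placeholder left over; render_ingress and demo_render are hypothetical helpers, and 203.0.113.10 and lb.example.test are constructed values.

```shell
#!/bin/sh
# Added example (not Oracle's code): fill in the placeholders of a passthrough
# ingress file before it is handed to kubectl.

# render_ingress TEMPLATE PUBLIC_IP DNS_NAME   (hypothetical helper)
# Prints the rendered manifest; a non-zero exit means nothing safe to apply.
render_ingress() {
    tmpl=$1 ip=$2 dns=$3
    # Only hostname/IP characters may reach sed, so a value cannot alter the script.
    for v in "$ip" "$dns"; do
        case $v in
            ''|*[!A-Za-z0-9.-]*) echo "invalid value: '$v'" >&2; return 1 ;;
        esac
    done
    out=$(sed -e "s/[\$]NGINX_PUBLIC_IP/$ip/g" \
              -e "s/<NGINX load balancer DNS name>/$dns/g" "$tmpl") || return 2
    # A surviving $VAR or <placeholder> means the template has one we do not know.
    if printf '%s\n' "$out" | grep -q -E '[$][A-Za-z_{]|<[^>]*>'; then
        echo "unresolved placeholder in $tmpl" >&2; return 3
    fi
    printf '%s\n' "$out"
}

# Constructed demo: the placeholder-bearing part of the sample files above,
# rendered with documentation-range values unless $1 and $2 are given.
demo_render() {
    t=$(mktemp) || return 9
    cat > "$t" <<'EOF'
spec:
  tls:
  - hosts:
    - '$NGINX_PUBLIC_IP'
    secretName: domain1-tls-cert
  rules:
  - host: '<NGINX load balancer DNS name>'
EOF
    render_ingress "$t" "${1-203.0.113.10}" "${2-lb.example.test}"
    rc=$?
    rm -f "$t"
    return $rc
}
```

The rendered output can be piped to kubectl create -f - instead of applying the unedited file.
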

Uninstall ingress-nginx tls

$ cd ${WORKDIR}/charts/ingress-per-domain/tls
$ kubectl delete -f nginx-ucm-tls.yaml

Create Oracle WebCenter Content domain

With the load-balancer configured, please create your domain by following the instructions documented in Create Oracle WebCenter Content domains, before verifying domain application URL access.

Verify domain application URL access

Verify Non-SSL access

Verify that the Oracle WebCenter Content domain application URLs are accessible through the load balancer hostname (LOADBALANCER_HOSTNAME):

  http://${LOADBALANCER_HOSTNAME}/weblogic/ready
  http://${LOADBALANCER_HOSTNAME}/console
  http://${LOADBALANCER_HOSTNAME}/em
  http://${LOADBALANCER_HOSTNAME}/cs
  http://${LOADBALANCER_HOSTNAME}/ibr
  http://${LOADBALANCER_HOSTNAME}/imaging
  http://${LOADBALANCER_HOSTNAME}/dc-console
  http://${LOADBALANCER_HOSTNAME}/wcc

Verify SSL termination and end-to-end SSL access

Verify that the Oracle WebCenter Content domain application URLs are accessible through the load balancer hostname (LOADBALANCER_HOSTNAME):

  https://${LOADBALANCER_HOSTNAME}/weblogic/ready
  https://${LOADBALANCER_HOSTNAME}/console
  https://${LOADBALANCER_HOSTNAME}/em
  https://${LOADBALANCER_HOSTNAME}/cs
  https://${LOADBALANCER_HOSTNAME}/ibr
  https://${LOADBALANCER_HOSTNAME}/imaging
  https://${LOADBALANCER_HOSTNAME}/dc-console
  https://${LOADBALANCER_HOSTNAME}/wcc

Uninstall NGINX

Uninstall and delete the ingress-nginx deployment:

# Uninstall the ingress-per-domain release
$ helm delete wccinfra-nginx-ingress -n wccns

# Uninstall NGINX
$ helm delete nginx-ingress -n wccns