NGINX

To load balance Oracle WebCenter Portal domain clusters, you can install the ingress-based NGINX load balancer and configure NGINX for non-SSL, SSL termination, and end-to-end SSL access of the application URL. Follow these steps to set up NGINX as a load balancer for an Oracle WebCenter Portal domain in a Kubernetes cluster:

See the official installation document for prerequisites.

Non-SSL and SSL termination

To get repository information, enter the following Helm commands:

  $ helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
  $ helm repo update

Install the NGINX load balancer

  1. Deploy the ingress-nginx controller by using Helm on the domain namespace:

    $ helm install nginx-ingress ingress-nginx/ingress-nginx -n wcpns \
    --set controller.service.type=NodePort \
    --set controller.admissionWebhooks.enabled=false 
    
  2. Check the status of the deployed ingress controller:

    $ kubectl --namespace wcpns get services | grep ingress-nginx-controller
    

    Sample output:

    nginx-ingress-ingress-nginx-controller   NodePort       10.101.123.106   <none>        80:30305/TCP,443:31856/TCP   2m12s
    

Configure NGINX to manage ingresses

  1. Create an ingress for the domain in the domain namespace by using the sample Helm chart. Path-based routing is used for the ingress. Sample values for the default configuration are in the file ${WORKDIR}/charts/ingress-per-domain/values.yaml. By default, type is TRAEFIK and tls is Non-SSL. You can override these values on the command line or edit them in the sample values.yaml file.

NOTE: This is not an exhaustive list of rules. You can enhance it based on the application URLs that need to be accessed externally.

If needed, you can update the ingress YAML file to define more path rules (in the section spec.rules.host.http.paths) based on the domain application URLs that need to be accessed. Update the template YAML file for the NGINX load balancer located at ${WORKDIR}/charts/ingress-per-domain/templates/nginx-ingress.yaml. You can add new path rules as shown below.

 - path: /NewPathRule
   backend:
     serviceName: 'Backend Service Name'
     servicePort: 'Backend Service Port'

    $ cd ${WORKDIR}
    $ helm install wcp-domain-nginx charts/ingress-per-domain \
        --namespace wcpns \
        --values charts/ingress-per-domain/values.yaml \
        --set "nginx.hostname=$(hostname -f)" \
        --set type=NGINX

    Sample output:

    NAME: wcp-domain-nginx
    LAST DEPLOYED: Fri Jul 24 09:34:03 2020
    NAMESPACE: wcpns
    STATUS: deployed
    REVISION: 1
    TEST SUITE: None

  2. For secured access (SSL) to the Oracle WebCenter Portal application, create a certificate and generate a Kubernetes secret:

    $ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /tmp/tls1.key -out /tmp/tls1.crt -subj "/CN=*"
    $ kubectl -n wcpns create secret tls wcp-domain-tls-cert --key /tmp/tls1.key --cert /tmp/tls1.crt

  3. Install ingress-per-domain using Helm for SSL configuration:

    $ cd ${WORKDIR}
    $ helm install wcp-domain-nginx charts/ingress-per-domain \
        --namespace wcpns \
        --values charts/ingress-per-domain/values.yaml \
        --set "nginx.hostname=$(hostname -f)" \
        --set type=NGINX --set sslType=SSL

  4. For non-SSL access to the Oracle WebCenter Portal application, get the details of the services supported by the ingress:

    $ kubectl describe ingress wcp-domain-nginx -n wcpns

  5. For SSL access to the Oracle WebCenter Portal application, get the details of the services supported by the above deployed ingress:

    $ kubectl describe ingress wcp-domain-nginx -n wcpns

Verify non-SSL and SSL termination access

Verify that the Oracle WebCenter Portal domain application URLs are accessible through the NGINX NodePort LOADBALANCER-NODEPORT (30305 in the sample output above):

  http://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-NODEPORT}/console
  http://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-NODEPORT}/em
  http://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-NODEPORT}/webcenter
  http://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-NODEPORT}/rsscrawl
  http://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-NODEPORT}/rest
  http://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-NODEPORT}/webcenterhelp
  http://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-NODEPORT}/wsrp-tools     
  http://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-NODEPORT}/portalTools    

Uninstall the ingress

Uninstall and delete the ingress-nginx deployment:

  $ helm delete wcp-domain-nginx -n wcpns
  $ helm delete nginx-ingress -n wcpns

End-to-end SSL configuration

Install the NGINX load balancer for End-to-end SSL

  1. For secured access (SSL) to the Oracle WebCenter Portal application, create a certificate and generate secrets:

     $ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /tmp/tls1.key -out /tmp/tls1.crt -subj "/CN=domain1.org"
     $ kubectl -n wcpns create secret tls wcp-domain-tls-cert --key /tmp/tls1.key --cert /tmp/tls1.crt
    

    Note: The value of CN is the host on which this ingress is to be deployed.

  2. Deploy the ingress-nginx controller by using Helm on the domain namespace:

     $ helm install nginx-ingress -n wcpns \
           --set controller.extraArgs.default-ssl-certificate=wcpns/wcp-domain-tls-cert \
           --set controller.service.type=NodePort \
           --set controller.admissionWebhooks.enabled=false \
           --set controller.extraArgs.enable-ssl-passthrough=true  \
            ingress-nginx/ingress-nginx
    
  3. Check the status of the deployed ingress controller:

     $ kubectl --namespace wcpns get services | grep ingress-nginx-controller
    

    Sample output:

      nginx-ingress-ingress-nginx-controller   NodePort    10.96.177.215    <none>        80:32748/TCP,443:31940/TCP   23s
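
Before the certificate from step 1 (and from the SSL termination section earlier) goes into the wcp-domain-tls-cert secret, it helps to confirm that the key and certificate belong together, that the certificate covers the ingress host, and that it is not about to expire. The following is an added example, not part of the original guide: the function names, the private temporary directory, and the subjectAltName entry are choices made for this example, and it assumes OpenSSL 1.1.1 or later for `-addext`.

```bash
# Added example: pre-flight checks for the TLS material before it is stored
# in the wcp-domain-tls-cert secret. Function names are illustrative.

# Generate a self-signed test certificate for one host, with the host in both
# CN and subjectAltName, inside a private (0700) temporary directory.
make_test_cert() {            # usage: make_test_cert <host>  -> prints directory
  mtc_dir=$(mktemp -d) || return 1
  ( umask 077
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
      -keyout "$mtc_dir/tls.key" -out "$mtc_dir/tls.crt" \
      -subj "/CN=$1" -addext "subjectAltName=DNS:$1" 2>/dev/null ) || return 1
  printf '%s\n' "$mtc_dir"
}

# True when the certificate's public key is the one derived from the private key.
cert_matches_key() {          # usage: cert_matches_key <crt> <key>
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# True when the certificate is valid for the ingress host name.
cert_covers_host() {          # usage: cert_covers_host <crt> <host>
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# True when the certificate is still valid <days> days from now.
cert_valid_for_days() {       # usage: cert_valid_for_days <crt> <days>
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Run all checks and print "ok" only when every one passes.
preflight() {                 # usage: preflight <crt> <key> <host>
  cert_matches_key "$1" "$2"  || { echo "key does not match certificate"; return 1; }
  cert_covers_host "$1" "$3"  || { echo "certificate does not cover $3"; return 1; }
  cert_valid_for_days "$1" 30 || { echo "certificate expires within 30 days"; return 1; }
  echo "ok"
}

# Example (domain1.org is the host used in step 1):
#   dir=$(make_test_cert domain1.org)
#   preflight "$dir/tls.crt" "$dir/tls.key" domain1.org && \
#     kubectl -n wcpns create secret tls wcp-domain-tls-cert \
#       --key "$dir/tls.key" --cert "$dir/tls.crt"
```

The same `preflight` call works on a certificate issued by a CA; only `make_test_cert` is specific to self-signed test material.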
    

Deploy tls to access services

  1. Deploy tls to securely access the services. Only one application can be configured with ssl-passthrough. The sample tls file for NGINX, nginx-tls.yaml, is for the service wcp-domain-cluster-wcp-cluster and port 8889. All the applications running on port 8889 can be securely accessed through this ingress.

  2. For each backend service, create different ingresses, as NGINX does not support multiple paths or rules with annotation ssl-passthrough. For example, for wcp-domain-adminserver and wcp-domain-cluster-wcp-cluster, different ingresses must be created.

  3. As ssl-passthrough in NGINX works on the clusterIP of the backing service instead of individual endpoints, you must expose wcp-domain-cluster-wcp-cluster created by the operator with clusterIP.

    For example:
    a. Get the name of wcp-domain cluster service:

      $ kubectl get svc  -n wcpns | grep  wcp-domain-cluster-wcp-cluster 
    

    Sample output:

        wcp-domain-cluster-wcp-cluster           ClusterIP   10.102.128.124   <none>        8888/TCP,8889/TCP            62m
    
  4. Deploy the secured ingress:

    $ cd ${WORKDIR}/charts/ingress-per-domain/tls
    $ kubectl create -f nginx-tls.yaml
    

    Note: The default nginx-tls.yaml contains the backend for WebCenter Portal service with domainUID wcp-domain. You need to create similar tls configuration YAML files separately for each backend service.

    Note: Host is the server on which this ingress is deployed.

  5. Check the services supported by the ingress:

    $ kubectl describe ingress  wcpns-ingress -n wcpns
    

Verify end-to-end SSL access

Verify that the Oracle WebCenter Portal domain application URLs are accessible through the LOADBALANCER-SSLPORT 30233:

  https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/webcenter
  https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/rsscrawl
  https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/webcenterhelp
  https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/rest
  https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/wsrp-tools     
  https://${LOADBALANCER-HOSTNAME}:${LOADBALANCER-SSLPORT}/portalTools
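
NodePort values are assigned per deployment, so both verification steps (non-SSL/SSL termination and end-to-end SSL) need the ports of the controller service that is actually running. The following added example, which is not part of the original guide, reads them from the `kubectl get services` listing shown earlier and reports the HTTP status of each application path; the function names are illustrative.

```bash
# Added example: derive the NodePorts from the service listing and probe the
# application paths. Function names are illustrative, not from the samples.

# Extract the node port mapped to a service port from the PORT(S) column,
# e.g. "80:30305/TCP,443:31856/TCP" and 443 -> 31856.
# Fails (non-zero) when the service port has no node port, as with ClusterIP.
nodeport_for() {              # usage: nodeport_for <ports-column> <service-port>
  printf '%s\n' "$1" | tr ',' '\n' |
    awk -F'[:/]' -v p="$2" '$1 == p && $2 ~ /^[0-9]+$/ { print $2; found = 1 }
                            END { exit !found }'
}

# Pull the PORT(S) column (5th field) of the controller service line.
ports_column() {              # reads `kubectl get services` output on stdin
  awk '/ingress-nginx-controller/ { print $5; exit }'
}

# Print "<status> <url>" for each path; status 000 means no HTTP response.
probe_paths() {               # usage: probe_paths <scheme> <host> <port> <path>...
  pp_base="$1://$2:$3"; shift 3
  for pp_path in "$@"; do
    # -k: the certificate created in this guide is self-signed
    pp_code=$(curl -k -s -o /dev/null --max-time 10 -w '%{http_code}' "$pp_base$pp_path")
    printf '%s %s\n' "${pp_code:-000}" "$pp_base$pp_path"
  done
}

# Example:
#   cols=$(kubectl --namespace wcpns get services | ports_column)
#   probe_paths http  "$(hostname -f)" "$(nodeport_for "$cols" 80)"  /console /em /webcenter
#   probe_paths https "$(hostname -f)" "$(nodeport_for "$cols" 443)" /webcenter /rest
```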

Uninstall ingress-nginx tls

  $ cd ${WORKDIR}/charts/ingress-per-domain/tls
  $ kubectl delete -f nginx-tls.yaml
  $ helm delete nginx-ingress -n wcpns