To load balance Oracle WebCenter Portal domain clusters, you can install the ingress-based Traefik load balancer (version 2.2.1 or later for production deployments) and configure it for non-SSL, SSL termination, and end-to-end SSL access of the application URL. Follow these steps to set up Traefik as a load balancer for an Oracle WebCenter Portal domain in a Kubernetes cluster:
Use Helm to install the Traefik (ingress-based) load balancer.
You can use the following values.yaml sample file and set kubernetes.namespaces as required.
 $ cd ${WORKDIR}
 $ kubectl create namespace traefik
 $ helm repo add traefik https://containous.github.io/traefik-helm-chart
Sample output:
 "traefik" has been added to your repositories
Install Traefik:
 $ helm install traefik  traefik/traefik \
      --namespace traefik \
      --values charts/traefik/values.yaml \
      --set  "kubernetes.namespaces={traefik}" \
      --set "service.type=NodePort" --wait
A sample values.yaml for deployment of Traefik 2.2.x looks like this:
image:
   name: traefik
   tag: 2.2.8
   pullPolicy: IfNotPresent
ingressRoute:
  dashboard:
     enabled: true
     annotations: {}
     labels: {}
providers:
  kubernetesCRD:
     enabled: true
  kubernetesIngress:
     enabled: true
ports:
  traefik:
     port: 9000
     expose: true
     exposedPort: 9000
     protocol: TCP
  web:
     port: 8000
     expose: true
     exposedPort: 30305
     nodePort: 30305
     protocol: TCP
  websecure:
     port: 8443
     expose: true
     exposedPort: 30443
     protocol: TCP
     nodePort: 30443   
Verify the Traefik status and find the port number of the SSL and non-SSL services:
 $ kubectl get all -n traefik
Access the Traefik dashboard through the URL http://$(hostname -f):30070, with the HTTP host traefik.example.com:
$ curl -H "host: $(hostname -f)" http://$(hostname -f):30070/dashboard/
Note: Make sure that you specify a fully qualified node name for $(hostname -f).
Configure Traefik to manage ingresses created in this namespace. In the following sample, traefik is the Traefik namespace and wcpns is the namespace of the domain:
$ helm upgrade traefik traefik/traefik \
--reuse-values \
--namespace traefik \
--set "kubernetes.namespaces={traefik,wcpns}" \
--wait
Create an ingress for the domain in the domain namespace by using the sample Helm chart. Here path-based routing is used for ingress.
Sample values for default configuration are shown in the file ${WORKDIR}/charts/ingress-per-domain/values.yaml.
By default, type is TRAEFIK and tls is Non-SSL. You can override these values by passing them on the command line or by editing them in the sample values.yaml file, based on the type of configuration (non-SSL or SSL).
NOTE: This is not an exhaustive list of rules. You can enhance it based on the application URLs that need to be accessed externally.
If needed, you can update the ingress YAML file to define more path rules (in section spec.rules.host.http.paths) based on the domain application URLs that need to be accessed. The template YAML file for the Traefik (ingress-based) load balancer is located at ${WORKDIR}/charts/ingress-per-domain/templates/traefik-ingress.yaml.
You can add new path rules as shown below.
 - path: /NewPathRule
   backend:
     serviceName: 'Backend Service Name'
     servicePort: 'Backend Service Port'
Install ingress-per-domain using Helm for non-SSL configuration:
 $ cd ${WORKDIR}
 $ helm install wcp-traefik-ingress  \
     charts/ingress-per-domain \
     --namespace wcpns \
     --values charts/ingress-per-domain/values.yaml \
     --set "traefik.hostname=$(hostname -f)"
Sample output:
  NAME: wcp-traefik-ingress
  LAST DEPLOYED: Mon Jul 20 11:44:13 2020
  NAMESPACE: wcpns
  STATUS: deployed
  REVISION: 1
  TEST SUITE: None
For secured access (SSL) to the Oracle WebCenter Portal application, create a certificate and generate a Kubernetes secret:
 $ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /tmp/tls1.key -out /tmp/tls1.crt -subj "/CN=*"
 $ kubectl -n wcpns create secret tls wcp-domain-tls-cert --key /tmp/tls1.key --cert /tmp/tls1.crt
Note: The value of CN is the host on which this ingress is to be deployed.
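The certificate step above, as an added example that is not part of Oracle's documentation: it issues the self-signed certificate with the ingress host name in both CN and subjectAltName (current browsers and TLS libraries match host names against subjectAltName) and checks the pair before it is loaded into the wcp-domain-tls-cert secret. The function names, the tls.key/tls.crt file names and the 30-day threshold are assumptions; -addext needs OpenSSL 1.1.1 or later.

```sh
#!/bin/sh
# Added example (not Oracle's code). Assumes OpenSSL 1.1.1+ for -addext.

# Create a self-signed pair whose CN and subjectAltName are both the ingress host.
make_ingress_cert() {  # $1 = fully qualified host name, $2 = output directory
  (
    umask 077                      # key file readable by the owner only
    mkdir -p "$2" &&
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
      -keyout "$2/tls.key" -out "$2/tls.crt" \
      -subj "/CN=$1" -addext "subjectAltName=DNS:$1"
  )
}

# Succeed only if the certificate is valid for the given host name.
# (openssl reports the result as text, so the output is matched with grep.)
cert_matches_host() {  # $1 = certificate file, $2 = host name
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Succeed only if the private key belongs to the certificate.
key_matches_cert() {  # $1 = certificate file, $2 = key file
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Pre-flight for the secret: host match, key match, at least 30 days of validity.
tls_preflight() {  # $1 = certificate file, $2 = key file, $3 = host name
  cert_matches_host "$1" "$3" || { echo "certificate does not cover $3" >&2; return 1; }
  key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
  openssl x509 -in "$1" -noout -checkend $((30 * 86400)) >/dev/null ||
    { echo "certificate expires within 30 days" >&2; return 1; }
}

# Usage:
#   dir=$(mktemp -d) && make_ingress_cert "$(hostname -f)" "$dir" &&
#   tls_preflight "$dir/tls.crt" "$dir/tls.key" "$(hostname -f)" &&
#   kubectl -n wcpns create secret tls wcp-domain-tls-cert \
#     --key "$dir/tls.key" --cert "$dir/tls.crt"
```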
Create the Traefik TLSStore custom resource.
In case of SSL termination, Traefik should be configured to use the user-defined SSL certificate. If the user-defined SSL certificate is not configured, Traefik creates a default SSL certificate. To configure a user-defined SSL certificate for Traefik, use the TLSStore custom resource. The Kubernetes secret created with the SSL certificate should be referenced in the TLSStore object. Run the following command to create the TLSStore:
$ cat <<EOF | kubectl apply -f -
apiVersion: traefik.containo.us/v1alpha1
kind: TLSStore
metadata:
  name: default
  namespace: wcpns
spec:
  defaultCertificate:
    secretName:  wcp-domain-tls-cert   
EOF
Install ingress-per-domain using Helm for SSL configuration.
The Kubernetes secret name should be updated in the template file.
The template file also contains the following annotations:
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
 traefik.ingress.kubernetes.io/router.tls: "true"
 traefik.ingress.kubernetes.io/router.middlewares: wcpns-wls-proxy-ssl@kubernetescrd
The entry point for SSL access and the Middleware name should be updated in the annotation. The Middleware name should be in the form <namespace>-<middleware name>@kubernetescrd.
 $ cd ${WORKDIR}
 $ helm install wcp-traefik-ingress  \
     charts/ingress-per-domain \
     --namespace wcpns \
     --values charts/ingress-per-domain/values.yaml \
     --set "traefik.hostname=$(hostname -f)" \
     --set sslType=SSL
Sample output:
  NAME: wcp-traefik-ingress
  LAST DEPLOYED: Mon Jul 20 11:44:13 2020
  NAMESPACE: wcpns
  STATUS: deployed
  REVISION: 1
  TEST SUITE: None
For non-SSL access to the Oracle WebCenter Portal application, get the details of the services served by the ingress:
  $ kubectl describe ingress wcp-domain-traefik -n wcpns
For SSL access to the Oracle WebCenter Portal application, get the details of the services served by the ingress deployed above:
 $ kubectl describe ingress wcp-domain-traefik -n wcpns
To confirm that the load balancer noticed the new ingress and is successfully routing to the domain server pods, you can send a request to the URL for the WebLogic ReadyApp framework, which should return an HTTP 200 status code, as follows:
 $ curl -v http://${LOADBALANCER_HOSTNAME}:${LOADBALANCER_PORT}/weblogic/ready
 *   Trying 149.87.129.203...
 > GET http://${LOADBALANCER_HOSTNAME}:${LOADBALANCER_PORT}/weblogic/ready HTTP/1.1
 > User-Agent: curl/7.29.0
 > Accept: */*
 > Proxy-Connection: Keep-Alive
 > host: $(hostname -f)
 >
 < HTTP/1.1 200 OK
 < Date: Sat, 14 Mar 2020 08:35:03 GMT
 < Vary: Accept-Encoding
 < Content-Length: 0
 < Proxy-Connection: Keep-Alive
 <
 * Connection #0 to host localhost left intact
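A post-install check, added here as an example that is not part of Oracle's documentation, covering the earlier step of finding the SSL and non-SSL port numbers and the ReadyApp probe above. It also lists any entry point besides web and websecure that received a NodePort, which with this page's values.yaml is the traefik entry point serving the dashboard. The Service name traefik, the function names and the sample listing are assumptions.

```sh
#!/bin/sh
# Added example, not Oracle's or Traefik's code. The port listing is one
# "name port nodePort" line per Service port, as printed (assuming the
# Service of the Helm release is named "traefik") by:
#   kubectl -n traefik get svc traefik \
#     -o jsonpath='{range .spec.ports[*]}{.name} {.port} {.nodePort}{"\n"}{end}'

# Constructed sample that matches the port numbers used on this page.
SAMPLE_PORTS='traefik 9000 30070
web 30305 30305
websecure 30443 30443'

# Print the NodePort of one named entry point; fail if it has none.
node_port_for() {  # $1 = entry point name, $2 = port listing
  printf '%s\n' "$2" | awk -v n="$1" '
    $1 == n && $3 ~ /^[0-9]+$/ { print $3; found = 1 }
    END { exit found ? 0 : 1 }'
}

# List entry points other than web/websecure that are reachable on a NodePort,
# as name:nodePort (on this page: "traefik", which serves the dashboard).
extra_exposed() {  # $1 = port listing
  printf '%s\n' "$1" | awk '
    $1 != "web" && $1 != "websecure" && $3 ~ /^[0-9]+$/ { print $1 ":" $3 }'
}

# Probe the WebLogic ReadyApp URL over HTTP; succeed only on status 200.
ready_ok() {  # $1 = load balancer host name, $2 = non-SSL NodePort
  code=$(curl -s -o /dev/null -m 10 -w '%{http_code}' \
    -H "host: $1" "http://$1:$2/weblogic/ready") || return 1
  [ "$code" = "200" ]
}

# Usage against a live cluster:
#   ports=$(kubectl -n traefik get svc traefik -o jsonpath='...')   # as above
#   ready_ok "$(hostname -f)" "$(node_port_for web "$ports")" && echo ready
#   extra_exposed "$ports"    # review anything listed here
```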
After setting up the Traefik (ingress-based) load balancer, verify that the domain application URLs are accessible through the non-SSL load balancer port 30305 for HTTP access. The sample URLs for Oracle WebCenter Portal domain are:
    http://${LOADBALANCER_HOSTNAME}:${LOADBALANCER-Non-SSLPORT}/webcenter
    http://${LOADBALANCER_HOSTNAME}:${LOADBALANCER-Non-SSLPORT}/console
    http://${LOADBALANCER_HOSTNAME}:${LOADBALANCER-Non-SSLPORT}/em
    http://${LOADBALANCER_HOSTNAME}:${LOADBALANCER-Non-SSLPORT}/rsscrawl
    http://${LOADBALANCER_HOSTNAME}:${LOADBALANCER-Non-SSLPORT}/rest
    http://${LOADBALANCER_HOSTNAME}:${LOADBALANCER-Non-SSLPORT}/webcenterhelp
    http://${LOADBALANCER_HOSTNAME}:${LOADBALANCER-Non-SSLPORT}/wsrp-tools
    http://${LOADBALANCER_HOSTNAME}:${LOADBALANCER-Non-SSLPORT}/portalTools
After setting up the Traefik (ingress-based) load balancer, verify that the domain applications are accessible through the SSL load balancer port 30443 for HTTPS access. The sample URLs for Oracle WebCenter Portal domain are:
    https://${LOADBALANCER_HOSTNAME}:${LOADBALANCER-SSLPORT}/webcenter
    https://${LOADBALANCER_HOSTNAME}:${LOADBALANCER-SSLPORT}/console
    https://${LOADBALANCER_HOSTNAME}:${LOADBALANCER-SSLPORT}/em
    https://${LOADBALANCER_HOSTNAME}:${LOADBALANCER-SSLPORT}/rsscrawl
    https://${LOADBALANCER_HOSTNAME}:${LOADBALANCER-SSLPORT}/rest
    https://${LOADBALANCER_HOSTNAME}:${LOADBALANCER-SSLPORT}/webcenterhelp
    https://${LOADBALANCER_HOSTNAME}:${LOADBALANCER-SSLPORT}/wsrp-tools
    https://${LOADBALANCER_HOSTNAME}:${LOADBALANCER-SSLPORT}/portalTools
Uninstall and delete the ingress deployment:
$ helm delete wcp-traefik-ingress  -n wcpns
Use Helm to install the Traefik (ingress-based) load balancer. You can use the values.yaml sample file and set kubernetes.namespaces as required.
 $ cd ${WORKDIR}
 $ kubectl create namespace traefik
 $ helm repo add traefik https://containous.github.io/traefik-helm-chart
Sample output:
 "traefik" has been added to your repositories
Install Traefik:
$ helm install traefik  traefik/traefik \
 --namespace traefik \
 --values charts/traefik/values.yaml \
 --set  "kubernetes.namespaces={traefik}" \
 --set "service.type=NodePort" --wait
Verify the Traefik operator status and find the port number of the SSL and non-SSL services:
 $ kubectl get all -n traefik
Access the Traefik dashboard through the URL http://$(hostname -f):31288, with the HTTP host traefik.example.com:
$ curl -H "host: $(hostname -f)" http://$(hostname -f):31288/dashboard/
Note: Make sure that you specify a fully qualified node name for $(hostname -f).
Configure Traefik to manage the domain application service created in this namespace. In the following sample, traefik is the Traefik namespace and wcpns is the namespace of the domain:
$ helm upgrade traefik traefik/traefik --namespace traefik --reuse-values \
--set "kubernetes.namespaces={traefik,wcpns}"
For each backend service, create different ingresses, as Traefik does not support multiple paths or rules with annotation ssl-passthrough. For example, for wcp-domain-adminserver and wcp-domain-cluster-wcp-cluster, different ingresses must be created.
To enable SSL passthrough in Traefik, you can configure a TCP router. A sample YAML for IngressRouteTCP is available at ${WORKDIR}/charts/ingress-per-domain/tls/traefik-tls.yaml. The following should be updated in traefik-tls.yaml: services and the HostSNI rule.
Sample traefik-tls.yaml:
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: wcp-domain-cluster-routetcp
  namespace: wcpns
spec:
  entryPoints:
    - websecure
  routes:
  - match: HostSNI(`${LOADBALANCER_HOSTNAME}`)
    services:
    - name: wcp-domain-cluster-wcp-cluster
      port: 8888
      weight: 3
      terminationDelay: 400
  tls:
    passthrough: true
Create the IngressRouteTCP:
$ kubectl apply -f traefik-tls.yaml
Verify the access to application URLs exposed through the configured service. The configured WCP cluster service enables you to access the following WCP domain URLs:
https://${LOADBALANCER_HOSTNAME}:${LOADBALANCER-SSLPORT}/webcenter
https://${LOADBALANCER_HOSTNAME}:${LOADBALANCER-SSLPORT}/rsscrawl
https://${LOADBALANCER_HOSTNAME}:${LOADBALANCER-SSLPORT}/rest
https://${LOADBALANCER_HOSTNAME}:${LOADBALANCER-SSLPORT}/webcenterhelp
$ helm delete traefik -n traefik
$ cd ${WORKDIR}/charts/ingress-per-domain/tls
$ kubectl delete -f traefik-tls.yaml