In this demo, we begin with the default setup of WebFOCUS CE 1.2.0 (WF 9.2), and proceed to assign a Fully Qualified Domain Name (FQDN) to the host running this WF-CE setup. We then install an ingress controller to allow access to the Application Server via standard port 80, rather than the default port 31080. The video concludes with installing an SSL Certificate to secure the Application Server's endpoint with TLS.
High-level steps:
- Begin by deploying the standard configuration of WebFOCUS CE as provided.
- Ensure that the setup is accessible via Port 31080, which is the default port.
- Deploy an Ingress controller and create an Ingress resource within the webfocus namespace to facilitate access over Port 80.
- Incorporate a secret containing a TLS/SSL certificate into the webfocus namespace and modify the Ingress resource to utilize this secret for secure connections.
- Access the WebFOCUS configuration securely over HTTPS (Port 443).
- (Optional) Consider deactivating Port 31080 to prevent access through the unsecured port.
Notes:
- This topic delves into advanced aspects of WebFOCUS CE.
- The content presupposes that you possess a moderate level of familiarity with Kubernetes and its core components.
- The procedures outlined are applicable to any service available within Kubernetes, not exclusively to the WebFOCUS Service.
- There are a few different options for deploying the NGINX ingress controller; for more information, see https://www.nginx.com/products/nginx-ingress-controller/
Out-of-the-box setup:
Once the WebFOCUS CE setup has finished deploying all components, you should be able to access the WF App server on port 31080.
You can also use the "nc" command to check whether port 31080 is reachable:
    :~/ingress$ nc -zv 10.241.1.29 31080
    Connection to 10.241.1.29 31080 port [tcp/*] succeeded!
In this example, WF CE is installed on a machine that has the IP address 10.241.1.29.
If the above succeeds, you can also access the WebFOCUS App server GUI over the browser by going to the URL: http://x.1.10.96:31080
Install NGINX ingress controller.
In the previous topic, we saw we have to access WebFOCUS using port 31080; what if we want to just access it over port 80 or not provide a port at all?
For that, we need to install an Ingress controller in the K8s cluster; in this case, we will use NGINX.
Let's install the Ingress controller in the Kubernetes cluster using the commands below.
    # Label all nodes to allow the Ingress controller to run
    kubectl label nodes --all ingress-ready=true
    # Install the NGINX Ingress controller, which attaches the controller pod to ports 80 and 443 on the node
    kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
    # Wait for all Ingress controller pods to come up
    kubectl wait --namespace ingress-nginx --for=condition=ready pod --selector=app.kubernetes.io/component=controller --timeout=90s
After the Ingress controller is running, run the nc command again to check whether port 80 is open:
    nc -zv x.1.10.96 80
If the above command succeeds, we know the NGINX ingress controller is running fine on port 80. The next thing we need to do is create an Ingress object in the webfocus namespace so we can access WebFOCUS on port 80.
From now on, we're going to access the above machine by its FQDN; in this example, it is wfce02.ibi.systems. We assume you have something similar in your case; if not, ask your system admin to configure an FQDN for your VM/machine.
So, in our case, we re-run the above command as:
    # Use nc to check if port 80 is open now
    nc -zv wfce02.ibi.systems 80
    >> Connection to wfce02.ibi.systems (x.241.1.29) 80 port [tcp/http] succeeded!
In the above, we assume the FQDN "wfce02.ibi.systems" points to the correct IP of the machine where WF CE is running (in this case, IP x.241.1.29).
If the "nc" command returns with success, we are good to go to the next step.
Create Ingress Object in webfocus namespace
Save the text below as an "appserver-ingress.yaml" file; as you can see, we are now using the FQDN of wfce02.ibi.systems to set up Ingress rules.
This file also assumes your WF-CE setup is running in the namespace "webfocus".
Note: make changes as needed before you apply it.
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      annotations:
        kubernetes.io/ingress.class: nginx
        meta.helm.sh/release-name: appserver
        meta.helm.sh/release-namespace: webfocus
        nginx.ingress.kubernetes.io/affinity: cookie
        nginx.ingress.kubernetes.io/affinity-mode: persistent
        nginx.ingress.kubernetes.io/app-root: /webfocus
        nginx.ingress.kubernetes.io/client-body-buffer-size: 64k
        # Redirects HTTP to HTTPS even when the Ingress has no tls section; disabled here
        nginx.ingress.kubernetes.io/force-ssl-redirect: "false"
        nginx.ingress.kubernetes.io/proxy-body-size: 200m
        nginx.ingress.kubernetes.io/proxy-connect-timeout: "300"
        nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
        nginx.ingress.kubernetes.io/rewrite-target: /
        nginx.ingress.kubernetes.io/session-cookie-change-on-failure: "true"
        nginx.ingress.kubernetes.io/session-cookie-expires: "28800"
        nginx.ingress.kubernetes.io/session-cookie-max-age: "28800"
        nginx.ingress.kubernetes.io/session-cookie-name: sticknesscookie
        # 0.0.0.0/0 admits every IPv4 source address; list specific CIDRs to restrict who can reach the App server
        nginx.ingress.kubernetes.io/whitelist-source-range: 0.0.0.0/0
      labels:
        app.kubernetes.io/instance: appserver
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/name: appserver
        app.kubernetes.io/version: "1.0"
        helm.sh/chart: appserver-0.1.0
      name: appserver
      namespace: webfocus
    spec:
      rules:
      - host: wfce02.ibi.systems
        http:
          paths:
          - backend:
              service:
                name: appserver
                port:
                  name: port8080
            path: /
            pathType: ImplementationSpecific
Apply the above file to the cluster:
    kubectl apply -f appserver-ingress.yaml
This should create an Ingress rule in the ingress controller: any HTTP request arriving on port 80 with the HTTP Host header set to "wfce02.ibi.systems" will be forwarded to the Kubernetes service named "appserver" over port 8080.
Now you should be able to access the WebFOCUS App server GUI via the URL: http://wfce02.ibi.systems
Securing endpoint with SSL
As you can see, the above URL starts with http://, which is not secure. We want to enable SSL so that we can access the WebFOCUS GUI over SSL, using URLs starting with https://
For this, we need to get certificates generated for our FQDN - in the above case 'wfce02.ibi.systems'; typically, you will get two PEM files - one named "privkey.pem" and the other "fullchain.pem"
You can inspect the "fullchain.pem" file to see if it is indeed issued for the FQDN you use (a wild card is also okay). For this, you will need the OpenSSL tool installed on your machine.
    # Command is: openssl x509 -in fullchain.pem -text -noout | grep -E "Subject:|DNS:"
    :~/ingress$ openssl x509 -in fullchain.pem -text -noout | grep -E "Subject:|DNS:"
    Subject: CN = wfce02.ibi.systems
    DNS:wfce02.ibi.systems
You will need two files—one with the key file and the other with a certificate file. First, we create a Kubernetes secret with these two files in the same 'webfocus' namespace.
    kubectl create secret tls wfce02-ibi-tls --cert=fullchain.pem --key=privkey.pem -n webfocus
Once the secret has been created, the only thing left to do is to update the Ingress object in the webfocus namespace to use this secret to enable TLS/SSL.
Now, let's update the appserver-ingress.yaml file to use the secret (wfce02-ibi-tls) that we created above.
Add the lines below at the end of the file, indented so that "tls" is a key under "spec":
      tls:
      - hosts:
        - wfce02.ibi.systems
        secretName: wfce02-ibi-tls
Re-apply this file to the cluster - this will update the ingress object to now support SSL (port 443)
    kubectl apply -f appserver-ingress.yaml
If all goes as expected - now you should be able to access WebFOCUS over HTTPS - https://wfce02.ibi.systems
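The certificate inspection step above can be turned into a pre-flight check to run before creating the secret. The script below is an added example, not part of the original demo: it checks that a DNS SAN entry (exact or wildcard) covers the Ingress host, that privkey.pem belongs to the certificate, and that the certificate has not expired. The script name, function names and the sample wildcard entry are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (hypothetical name: tls-preflight.sh), not from the original demo.
# Usage: sh tls-preflight.sh fullchain.pem privkey.pem wfce02.ibi.systems

# Constructed sample shaped like the openssl output above; the wildcard is made up.
SAMPLE_SAN='        Subject: CN = wfce02.ibi.systems
                DNS:wfce02.ibi.systems, DNS:*.apps.ibi.systems'

# san_covers_host <openssl -text output> <fqdn>
# Succeeds if a DNS: SAN entry covers the host. Only SAN entries count (current
# browsers ignore the Subject CN); a wildcard stands for exactly one left-most label.
san_covers_host() {
  host=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  names=$(printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' |
    grep -oE 'dns:[^, ]+' | cut -d: -f2)
  while read -r entry; do
    [ -n "$entry" ] || continue
    [ "$entry" = "$host" ] && return 0
    case $entry in
      \*.*) # "*.apps.ibi.systems": swap "*" for the host's first label, then compare
        [ "${host%%.*}${entry#\*}" = "$host" ] && return 0 ;;
    esac
  done <<EOF
$names
EOF
  return 1
}

# key_matches_cert <cert.pem> <key.pem>
# Succeeds if the key's public half equals the public key in the first (leaf) certificate.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

if [ "$#" -eq 3 ]; then
  text=$(openssl x509 -in "$1" -noout -text) || exit 1
  san_covers_host "$text" "$3" || { echo "certificate does not cover $3" >&2; exit 1; }
  key_matches_cert "$1" "$2" || { echo "private key does not match certificate" >&2; exit 1; }
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null ||
    { echo "certificate has expired" >&2; exit 1; }
  echo "ok: $1 covers $3, matches $2, and has not expired"
fi
```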
(Optional) Disable port 31080
Since we now have a secure way to access the WebFOCUS App server over SSL, we don't need to access the App server over port 31080. Edit the service for the App server and change it from the NodePort to the ClusterIP type of service.
At the beginning of this demo, we saw that we could access the WebFOCUS App server GUI over port 31080 - but now that is unnecessary as we can access the App server over secure port 443.
So it makes sense to disable port 31080. For that, we need to change the appserver Service (svc) from type NodePort to type ClusterIP; the commands below do that.
    # List appserver service before we change
    :~/ingress$ kubectl get svc -n webfocus appserver
    NAME        TYPE       CLUSTER-IP       EXTERNAL-IP   PORT(S)          AGE
    appserver   NodePort   10.110.175.224   <none>        8080:31080/TCP   19h
    # Change appserver service from NodePort to ClusterIP
    :~/ingress$ kubectl patch svc appserver -n webfocus -p '{"spec": {"type": "ClusterIP", "nodePort": null}}'
    service/appserver patched
    # List appserver service again to see it is of type ClusterIP and port 31080 is gone
    :~/ingress$ kubectl get svc -n webfocus appserver
    NAME        TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
    appserver   ClusterIP   10.110.175.224   <none>        8080/TCP   19h