About the Resources in a Stack
Learn about the compute instances, load balancers, network, and other resources in a stack created by Oracle WebLogic Server for OKE for an Oracle WebLogic Server domain.
To obtain a list of associated resources created for a specific domain, see View the Cloud Resources for a Domain.
Compute Instances
Oracle WebLogic Server for OKE creates Oracle Cloud Infrastructure compute instances for your Oracle WebLogic Server domain and Kubernetes cluster.
In the Oracle Cloud Infrastructure Console, use the navigation menu and select Compute. Under the Compute group, click Instances. When you select the compartment you specified to use for Oracle WebLogic Server when you created the domain, you'll see the following compute instances provisioned for your domain and Kubernetes cluster:
- Bastion instance - Has the name resourceprefix-bastion
- Administration instance - Has the name resourceprefix-admin
- Two or more Kubernetes worker nodes - Each has the name oke-generated-alphanumeric-string-n
Note: resourceprefix is the resource name prefix you provided during stack creation. n is the number 0 or 1.
Network Resources
Oracle WebLogic Server for OKE creates several network resources such as route tables, security lists, and gateways for your Oracle WebLogic Server domain and Kubernetes cluster in Oracle Cloud Infrastructure.
Additional network resources are created if you specify a new virtual cloud network (VCN) or new subnets for an existing VCN during stack creation.
In the Oracle Cloud Infrastructure Console, click Networking and select a compartment to view network resources. For example, click Virtual Cloud Networks to view all the virtual cloud networks (VCN) created in a compartment. If you created a new VCN for your domain during stack creation, you'll find the VCN and its related resources in the compartment you specified to use for network resources.
Your domain configuration determines the type and number of network resources created. With the exception of load balancers, the names of those network resources begin with the resource name prefix you provided during stack creation. For example, resourceprefix-admin and resourceprefix-bastion.
The following table provides a summary of the resources that can be created for your domain.
Resource Name | Type |
---|---|
resourceprefix-vcn | WebLogic VCN (if you create a new VCN) |
resourceprefix-lb | Subnet for public and private load balancers |
resourceprefix-workers | Private subnet for Kubernetes worker nodes |
resourceprefix-admin | Private subnet for Kubernetes administration instance |
resourceprefix-fss | Private subnet for shared file system |
resourceprefix-bastion | Public subnet for bastion instance |
resourceprefix-admin-seclist | Security list for the administration instance private subnet |
resourceprefix-pub-lb | Security list for the load balancer public subnet |
resourceprefix-private-workers | Security list for the worker nodes private subnet |
resourceprefix-fss-seclist | Security list for the shared file system private subnet |
resourceprefix-bastion | Security list for the bastion instance public subnet |
Default Security List for resourceprefix-vcn | Default security list for the WebLogic VCN |
Default Route Table for resourceprefix-vcn | Default route rules in the WebLogic VCN |
resourceprefix-nat-route | Route rules table in the WebLogic VCN for NAT and service gateways |
resourceprefix-ig-route | Route rules table in the WebLogic VCN for internet gateway |
resourceprefix-ig-gw | Internet gateway in the WebLogic VCN |
Default DHCP Options for resourceprefix-vcn | Default set of Dynamic Host Configuration Protocol (DHCP) options for the WebLogic VCN |
resourceprefix-nat-gateway-gw | NAT gateway in the WebLogic VCN |
resourceprefix-service-gateway-gw | Service gateway in the WebLogic VCN |
Load Balancers
Oracle WebLogic Server for OKE creates a public and a private load balancer for your Oracle WebLogic Server domain and Kubernetes cluster in Oracle Cloud Infrastructure.
In the Oracle Cloud Infrastructure Console, use the navigation menu under the Core Infrastructure group to go to Networking and click Load Balancers. When you select the compartment you specified to use for the stack when you created the domain, you'll see the load balancers provisioned for your WebLogic Server domain and Kubernetes cluster.
Unlike network resources, note that the names of load balancers created by Oracle WebLogic Server for OKE do not begin with the resource name prefix you provided during stack creation. Oracle WebLogic Server for OKE load balancer names are generated, hyphenated alphanumeric strings. For example, 1x1x1x1x-1x1x-1x1x-1x1x1x1x1x1x.
The public load balancer distributes traffic across the managed servers in your domain, and is accessible from a single IP address. The public load balancer resource is provisioned with the following:
- A public IP address
- A backend set, which is identified by the name TCP-443. The backend set configures the load balancing policy.
- A rule set, which has the name wls_ssl_rule. The request header rule WL-PROXY-SSL is defined in the rule set.
- A listener named HTTP-443. The listener handles traffic on port 443 and uses SSL.
- A certificate with the name oke-ssl-secret.
The private load balancer provides access to the WebLogic Server administration console and the Jenkins console. The private load balancer resource is provisioned with the following:
- A private IP address
- A backend set, which is identified by the name TCP-80. The backend set configures the load balancing policy.
- A listener named TCP-80. The listener handles traffic on port 80.
Kubernetes Resources
Oracle WebLogic Server for OKE provisions a Kubernetes cluster with two worker nodes for your Oracle WebLogic Server domain in Oracle Cloud Infrastructure.
In the Oracle Cloud Infrastructure Console, use the navigation menu and select Developer Services. Under the Containers group, click Kubernetes Clusters. When you select the compartment you specified to use for the stack, you'll see the Kubernetes cluster provisioned for your WebLogic Server domain.
The cluster and node resource names are as follows:
- The Kubernetes cluster name begins with the resource name prefix you provided during stack creation. For example, resourceprefix-cluster.
- There are two node pools named resourceprefix-non-wls-np-1 and resourceprefix-wls-np-1, with one or more worker nodes for each node pool.
- The worker nodes are compute instances with the names oke-generated-alphanumeric-string-0 and oke-generated-alphanumeric-string-1.
File System Resources
Oracle WebLogic Server for OKE creates a shared file system that is made available through a mount target.
In the Oracle Cloud Infrastructure Console, use the navigation menu and select Storage. Under the File Storage group, click File Systems or Mount Targets. When you select the compartment you specified to use during stack creation, you'll see the resources created for the shared file system and mount target:
resourceprefix-fss
resourceprefix-mntTarget
Note that both resource names begin with the resource name prefix you provided during stack creation.
Registry Resources
During stack creation, Oracle WebLogic Server for OKE pushes a default image to the registry. The default image is used to provision the WebLogic Server and Jenkins pods for your domain.
After the stack is created, you can use Kubernetes in the administration compute instance to apply any changes you make to the default image.
In the Oracle Cloud Infrastructure Console, use the navigation menu and select Developer Services. Under the Containers group, click Container Registry. The registry resources for your domain begin with the resource name prefix you provided during stack creation.
The registry resources provisioned include:
resourceprefix/infra/cisystem-jenkins-controller
resourceprefix/infra/cisystem-jenkins-agent
resourceprefix/infra/nginx-ingress-controller
resourceprefix/infra/oraclelinux
resourceprefix/infra/weblogic-kubernetes-operator
resourceprefix/domainname/wls-domain-base
resourceprefix/domainname/wls-domain-base/releasenumber
domainname is the default domain name or the name you provided during stack creation. releasenumber is the stack's WebLogic Server release.
Identity Resources for Dynamic Group and Root Policies
Oracle WebLogic Server for OKE creates a dynamic group and one policy for your domain when you create a stack.
The dynamic group and root-level (tenancy) policy allow compute instances in the domain to access:
- Keys and secrets in Oracle Cloud Infrastructure Vault
- The database wallet if you're using an Oracle Autonomous Database to contain the required infrastructure schemas for a JRF-enabled domain
The names of the dynamic group and root-level policy are:
- servicename-admin-instance-principal-group (dynamic group)
- servicename-osms-instance-principal-group
- servicename-oke-policy
Where servicename is the resource name prefix you provided during stack creation.
For a single compartment, the matching rule created in the dynamic group is:
instance.compartment.id='ocid1.compartment.oc1..alongstring'
The rule states that all instances created in the compartment (identified by the compartment OCID) are members of the dynamic group.
The osms policy has the following statement:
Allow dynamic-group servicename-osms-instance-principal-group to use osms-managed-instances in tenancy
The oke-policy policy at the root level (tenancy) has the following statements, which are scoped to compartment IDs, resource IDs, or both compartment and resource IDs:
Allow dynamic-group servicename-admin-instance-principal-group to use dynamic-groups in tenancy where target.group.id = <dynamic_group_ocid>
Allow dynamic-group servicename-admin-instance-principal-group to manage all-resources in compartment id <stack_compartment_ocid>
Allow service oke to read app-catalog-listing in compartment id <stack_compartment_ocid>
Allow dynamic-group servicename-admin-instance-principal-group to read secret-bundles in tenancy where target.secret.id = <OCID for OCIR token secret>
Allow dynamic-group servicename-admin-instance-principal-group to read secret-bundles in tenancy where target.secret.id = <OCID for weblogic admin password secret>
Allow dynamic-group servicename-admin-instance-principal-group to read secret-bundles in tenancy where target.secret.id = <OCID for database password secret>
This policy applies if you create a domain that includes the Java Required Files (JRF) components.
Allow dynamic-group servicename-admin-instance-principal-group to use autonomous-transaction-processing-family in compartment ATP_Database_Compartment
This policy applies if you create a domain that includes the Java Required Files (JRF) components with ATP database.
Allow dynamic-group servicename-admin-instance-principal-group to use keys in tenancy where target.key.id = <oke_encryption_key_ocid>
This policy applies if cluster encryption is selected.
Identity Resources for Oracle Identity Cloud Service
If you configure your domain to use Oracle Identity Cloud Service for authentication, Oracle WebLogic Server for OKE provisions additional resources in Oracle Identity Cloud Service to support the domain. These resources are created on the Oracle Identity Cloud Service server.
These resources are not components of the stack, and so they are not visible in Resource Manager. In addition, they are not deleted automatically when you destroy the stack.
The names of the Oracle Identity Cloud Service resources have the following formats:
- servicename_confidential_idcs_app_timestamp - Confidential Application
- servicename_enterprise_idcs_app_timestamp - Enterprise Application
- servicename_app_gateway_timestamp - App Gateway
Where:
- servicename is the resource name prefix you provided during stack creation.
- timestamp is the date and time on which the stack was created. For example, 2021-02-20T21:46:21.288662