Configure SSL Certificate for a Load Balancer
If you manually add an SSL certificate to the load balancer created in Oracle WebLogic Server for OKE using the Oracle Cloud Infrastructure console, the certificate you configured in the console is reverted to the default certificate when you update the domain using the update domain job. Instead, configure the certificate using the update_lb_ssl_cert.sh script located in /u01/scripts/utils in the administration instance. After configuring the load balancer, you can verify the SSL certificate configuration. See Verify SSL Certificate Configuration.
Note:
For stacks created prior to 22.3.1 (July, 2022), you must create the update_lb_ssl_cert.sh script and copy it to the administration instance before you configure the SSL certificate for the load balancer. See Script File to Update SSL Certificate for Load Balancer.
Perform the following steps to configure the SSL certificate for the load balancer:
- Access the administration compute instance for your stack.
- Store the SSL certificate and private key in the administration instance.
  For example, you can store the SSL certificate and private key in the /tmp/tls.crt and /tmp/tls.key locations in the administration instance.
- Navigate to the /u01/scripts/utils directory, and set execute permission on the update_lb_ssl_cert.sh file.
  chmod +x update_lb_ssl_cert.sh
- Run the following command:
  ./update_lb_ssl_cert.sh -d <WebLogic_Domain_Name> -s <Kubernetes_Secret_Name> -k <SSL_Certificate_Key_File> -c <SSL_Certificate_File>
  Example:
  ./update_lb_ssl_cert.sh -d domain1 -s lbsslcert -k tls.key -c tls.cert
- After the load balancer is updated with the certificates, delete the tls.key and tls.cert files.
  For example, if your SSL certificate file is located in the /tmp directory, run the following command to delete the certificate:
  rm /tmp/tls.cert
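The procedure above, wrapped as an added example that is not part of Oracle's documentation or scripts: the function restricts the key and certificate files to owner-only access, runs the update script, and deletes both files on every exit path, including a failed update. The names update_lb_cert and UPDATE_SCRIPT are hypothetical, and the example assumes the -k and -c options accept the file paths passed to them.

```bash
#!/usr/bin/env bash
# Added example, not Oracle's code. update_lb_cert and UPDATE_SCRIPT are
# hypothetical names; assumes -k and -c accept the file paths given.
UPDATE_SCRIPT="${UPDATE_SCRIPT:-/u01/scripts/utils/update_lb_ssl_cert.sh}"

# Usage: update_lb_cert <domain> <secret> <key_file> <cert_file>
# Exit status: the update script's own; 2 on bad input; 3 if cleanup failed.
update_lb_cert() (
  [ "$#" -eq 4 ] || { echo "usage: update_lb_cert DOMAIN SECRET KEY CERT" >&2; exit 2; }
  domain=$1; secret=$2; key=$3; cert=$4

  # Accept only regular, non-empty files. A symlink is refused because chmod
  # and the script's read would follow it to some other file.
  for f in "$key" "$cert"; do
    if [ -L "$f" ] || [ ! -f "$f" ] || [ ! -s "$f" ]; then
      echo "not a regular, non-empty file: $f" >&2
      exit 2
    fi
  done

  # Owner-only access for as long as the files exist on the instance.
  chmod 600 "$key" "$cert" || exit 2

  # Safety net: remove both files even if this subshell ends unexpectedly.
  cleanup() { rm -f -- "$key" "$cert"; }
  trap cleanup EXIT

  "$UPDATE_SCRIPT" -d "$domain" -s "$secret" -k "$key" -c "$cert"
  rc=$?

  # Normal path: delete the key as well as the certificate, then confirm.
  trap - EXIT
  cleanup
  if [ -e "$key" ] || [ -e "$cert" ]; then
    echo "cleanup failed: key or certificate still on disk" >&2
    exit 3
  fi
  exit "$rc"
)
```

Call it as `update_lb_cert domain1 lbsslcert /tmp/tls.key /tmp/tls.cert`; a non-zero status from the update script is passed through, and the files are gone in either case.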
Verify SSL Certificate Configuration
Perform the following steps to verify the SSL certificate configuration:
- Run the following command to verify that the tls secret field was updated to the secret name you provided in the script:
  kubectl describe svc -n wlsoke-ingress-nginx <domain_name>-lb-external | grep tls-secret
  Example:
  kubectl describe svc -n wlsoke-ingress-nginx domain1-lb-external | grep tls-secret
  The command output looks like:
  service.beta.kubernetes.io/oci-load-balancer-tls-secret: lbsslcert
- Access the Oracle Cloud Infrastructure console.
- From the navigation menu, click Networking and then click Load Balancers.
- Select the Compartment that contains your stack.
- Click the name of the load balancer.
- Under Resources, click Listeners. The list of listeners is displayed.
- Click the Actions icon associated with the listener set and click Edit.
- Check if the Certificate Name is the same as the secret name that you provided in the script in step 4.
- Run the update domain job and repeat steps 3 through 8 to verify that the SSL certificate is retained for the load balancer.
See Defining Kubernetes Services of Type LoadBalancer in Oracle Cloud Infrastructure documentation.