Prerequisites to Create a Stack

Before you create a stack with Oracle WebLogic Server for OKE, you must complete one or more prerequisite tasks.

Some tasks are required for any type of Oracle WebLogic Server stack that you create with Oracle WebLogic Server for OKE. Other tasks are optional or only applicable for specific domain configurations.

Note:

Before you create a stack, you can estimate the cost of the resources and services to use in your instance. See Oracle Cloud Cost Estimator.

Understand Service Requirements

You require access to several Oracle Cloud Infrastructure services in order to use Oracle WebLogic Server for OKE.

  • Identity and Access Management (dynamic groups and policies)
  • Compute
  • Network
  • Block Storage
  • File Storage and Mount targets
  • Container Engine
  • Registry
  • Vault
  • Resource Manager
  • Load Balancing
  • Database (optional)
  • Cloud Shell (optional)
  • Tagging (optional)

To use Oracle WebLogic Server for OKE, you need at least the following limits available in your tenancy, region, or availability domain, as applicable:
  • 1 OKE Cluster
  • 4 Compute instances
  • 2 Load Balancers
  • 1 File System Service
  • 1 Mount Target

Check the service limits for these components in your Oracle Cloud Infrastructure tenancy and, if necessary, request a service limit increase. See Service Limits in the Oracle Cloud Infrastructure documentation.

Create a Compartment

Create compartments in Oracle Cloud Infrastructure for your Oracle WebLogic Server for OKE resources, or use existing compartments.

When you create a stack with Oracle WebLogic Server for OKE, by default the Kubernetes cluster, compute instances, networks, and load balancers are all created within a single compartment. You can, however, choose to use a separate compartment for the network resources that are created for the stack, including load balancers, virtual cloud network, subnets, security lists, route tables and gateways.

See Managing Compartments in the Oracle Cloud Infrastructure documentation.

Create Compartment Policies

If you are not an Oracle Cloud Infrastructure administrator, you must be given management access to resources in the compartment in which you want to create a stack using Oracle WebLogic Server for OKE.

Access to Oracle Cloud Infrastructure resources in a compartment is controlled through policies. Your Oracle Cloud Infrastructure user must have management access for Marketplace applications, Resource Manager stacks and jobs, Kubernetes clusters, compute instances, file systems, block storage volumes, load balancers, Key Management vaults and keys, and IAM policies. If you want Oracle WebLogic Server for OKE to create network resources for a stack, then you must also have management access for these network resources.

A sample policy is shown below, where MyCompartment is the compartment in which you create the stack:

Allow group MyGroup to manage instance-family in compartment MyCompartment
Allow group MyGroup to manage orm-family in compartment MyCompartment
Allow group MyGroup to manage mount-targets in compartment MyCompartment
Allow group MyGroup to manage file-systems in compartment MyCompartment
Allow group MyGroup to manage export-sets in compartment MyCompartment
Allow group MyGroup to manage cluster-family in compartment MyCompartment
Allow group MyGroup to use subnets in compartment MyCompartment
Allow group MyGroup to use vnics in compartment MyCompartment
Allow group MyGroup to inspect compartments in compartment MyCompartment
Allow group MyGroup to read metrics in compartment MyCompartment
Allow group MyGroup to manage virtual-network-family in compartment MyCompartment

If you need to allow a user who is not an administrator to create the secrets that hold the passwords required during provisioning, grant manage access to vaults, keys, and secret-family. For example:

Allow group MyGroup to manage vaults in compartment MyCompartment
Allow group MyGroup to manage keys in compartment MyCompartment
Allow group MyGroup to manage secret-family in compartment MyCompartment

If you need to allow a user who is not an administrator to use secrets created by an administrator, grant the following policy. For example:

Allow group MyGroup to inspect secrets in compartment id <Compartment OCID>

If you use a separate compartment for network resources, set up the appropriate policy for the network compartment. For example:

Allow group MyGroup to manage virtual-network-family in compartment MyNetworkCompartment

If you use a separate compartment for FSS resources, set up the appropriate policy for the FSS compartment. For example:

Allow group MyGroup to manage mount-targets in compartment MyFSScompartment
Allow group MyGroup to manage file-systems in compartment MyFSScompartment
Allow group MyGroup to manage export-sets in compartment MyFSScompartment

See Common Policies in the Oracle Cloud Infrastructure documentation.

Create Root Policies

Certain root-level policies must exist in order to use Oracle WebLogic Server for OKE.

Identity and Access Management (IAM) policies let you control what type of access a group of users has and to which specific resources. Your Oracle Cloud Infrastructure administrator sets up the groups, compartments, and policies. Most IAM policies are set at the compartment level, while some are at the tenancy (root) level:

  • Delegate IAM tasks, including the creation of dynamic groups
  • Use the Cloud Shell to quickly run the Oracle Cloud Infrastructure command line interface (CLI)
  • Inspect tag namespaces and apply defined tags from those namespaces to cloud resources

The following sample root policy grants other relevant permissions to a group of users who are not administrators:

Allow group MyGroup to inspect tenancies in tenancy
Allow group MyGroup to use tag-namespaces in tenancy

Create an Auth Token

In order for Oracle WebLogic Server for OKE to push and pull container images to and from Oracle Cloud Infrastructure Registry, you must provide an auth token.

Oracle WebLogic Server for OKE can access the registry as the same user that creates a stack, or as a different user.

Every user in Oracle Cloud Infrastructure can be associated with up to two auth tokens. You can create a new auth token for a user with access to Oracle Cloud Infrastructure Registry, or use an existing auth token. When creating an auth token, be sure to copy the token string immediately. You can't retrieve it again later using the console.

See Managing User Credentials in the Oracle Cloud Infrastructure documentation.

Create an Encryption Key

Create an encryption key in Oracle Cloud Infrastructure Vault. This will allow you to encrypt the passwords required for Oracle WebLogic Server for OKE.

Oracle WebLogic Server for OKE uses a single key to decrypt all passwords for a single stack.

Create an SSH Key

Create a secure shell (SSH) key pair so that you can access the compute instances in your Oracle WebLogic Server instances.

A key pair consists of a public key and a corresponding private key. When you create a stack using Oracle WebLogic Server for OKE, you specify the public key. You then access the compute instances from an SSH client using the private key.

On a UNIX or UNIX-like platform, use the ssh-keygen utility. For example:

ssh-keygen -b 2048 -t rsa -f mykey
cat mykey.pub

On a Windows platform, you can use the PuTTY Key Generator utility. See Creating a Key Pair in the Oracle Cloud Infrastructure documentation.

Create a Virtual Cloud Network

Oracle WebLogic Server for OKE can create a Virtual Cloud Network (VCN) in Oracle Cloud Infrastructure for a new Oracle WebLogic Server instance, or you can create your own VCN before creating a stack.

A VCN includes one or more subnets, route tables, security lists, gateways, and DHCP options.

By default subnets are public. Any resources assigned to a private subnet cannot be directly accessed from outside of Oracle Cloud. We recommend that you use private subnets for the Kubernetes cluster, administration compute instance, and file system.

If you create a VCN before creating a stack, then the VCN must meet the following requirements:

  • The VCN must use DNS for hostnames.
  • The VCN must include an Internet gateway.
  • If you want to create a public subnet for the stack, then the VCN must include a route table that directs traffic to the Internet gateway.
  • The VCN must include a service gateway so that resources in private subnets can access other cloud services like Key Management, Oracle Cloud Infrastructure Registry, and Oracle Autonomous Database.
  • If you want to create a private subnet for the stack, then the VCN must include a route table that directs traffic to the service gateway.
  • If you want resources in private subnets to access services outside of Oracle Cloud, then the VCN must include a Network Address Translation (NAT) gateway.
  • If your VCN includes a NAT gateway and you want to create a private subnet for the stack, then the VCN must include a route table that directs traffic to the NAT gateway.

If you use an existing VCN for a stack, and also choose for Oracle WebLogic Server for OKE to create new subnets for the stack, then Oracle WebLogic Server for OKE will also create the required route tables in the VCN.

If you use an existing VCN and existing subnets in Oracle WebLogic Server for OKE, you can certify the existing network setup using helper scripts. See Validate Existing Network Setup and Script File To Validate Network Setup.

See these topics in the Oracle Cloud Infrastructure documentation:

Create a Subnet for the Kubernetes Cluster

Oracle WebLogic Server for OKE can create a subnet for the Kubernetes cluster that hosts your Oracle WebLogic Server instance, or you can create your own subnet before creating a stack.

A subnet is a component of a Virtual Cloud Network (VCN). When you create a stack with Oracle WebLogic Server for OKE, the worker nodes in the Kubernetes cluster are assigned to a subnet. We recommend that you use a private subnet for the Kubernetes cluster.

By default subnets span an entire region in Oracle Cloud Infrastructure. Alternatively, you can create multiple subnets that are each specific to one availability domain (AD) in a region. Oracle WebLogic Server for OKE supports both regional and AD-scoped subnets.

If you want to use an existing subnet for the Kubernetes cluster when creating a stack, the subnet must meet the following requirements:

  • The subnet must use DNS for hostnames.
  • The subnet must have a security list that enables inbound access to the SSH port (22) from the subnet that you plan to use for the administration compute instance.
  • The subnet must have a security list that enables inbound access to all ports from the subnet that you plan to use for the load balancer.
  • The subnet must have a security list that enables outbound access to the NFS port (2049) on the file system subnet.

If you use an existing subnet, you can specify a subnet compartment that is different from the VCN compartment.

Network security groups are an alternative to security lists. After creating a stack with an existing subnet, you can update the compute instances and assign them to a security group that has the required rules (inbound access to port 22, and so on).

If you use an existing subnet, you can certify the existing network setup using helper scripts. See Validate Existing Network Setup and Script File To Validate Network Setup.

See VCNs and Subnets and Network Resource Configuration for Cluster Creation and Deployment in the Oracle Cloud Infrastructure documentation.

Create a Subnet for the Administration Host

Oracle WebLogic Server for OKE can create a subnet for your stack's administration compute instance, or you can create your own subnet before creating a stack.

A subnet is a component of a Virtual Cloud Network (VCN). When you create a stack with Oracle WebLogic Server for OKE, the administration compute instance is assigned to a subnet. We recommend that you use a private subnet.

By default subnets span an entire region in Oracle Cloud Infrastructure. Alternatively, you can create multiple subnets that are each specific to one availability domain (AD) in a region. Oracle WebLogic Server for OKE supports both regional and AD-scoped subnets.

If you want to use an existing subnet for the administration compute instance when creating a stack, the subnet must meet the following requirements:

  • The subnet must use DNS for hostnames.
  • The subnet must have a security list that enables inbound access to the SSH port (22) from the subnet that you plan to use for the bastion compute instance.
  • The subnet must have a security list that enables outbound access to the SSH port (22) on the subnet that you plan to use for the Kubernetes cluster.
  • The subnet must have a security list that enables outbound access to the WebLogic administration server ports (by default, 7001 and 7002) on the subnet that you plan to use for the Kubernetes cluster.
  • The subnet must have a security list that enables outbound access to the NFS port (2049) on the file system subnet.

If you use an existing subnet, you can specify a subnet compartment that is different from the VCN compartment.

Network security groups are an alternative to security lists. After creating a stack with an existing subnet, you can update the compute instances and assign them to a security group that has the required rules (inbound access to port 22, and so on).

If you use an existing subnet, you can certify the existing network setup using helper scripts. See Validate Existing Network Setup and Script File To Validate Network Setup.

See VCNs and Subnets in the Oracle Cloud Infrastructure documentation.

Create a Subnet for the Bastion Host

Oracle WebLogic Server for OKE can create a public subnet in Oracle Cloud Infrastructure for the bastion compute instance that is used to access your private Oracle WebLogic Server instance, or you can create your own subnet before creating a stack.

A subnet is a component of a Virtual Cloud Network (VCN). When you create a stack in Oracle WebLogic Server for OKE, we recommend that you use a private subnet for the Kubernetes cluster and the administration compute instance. Because these resources cannot be directly accessed from outside of Oracle Cloud, Oracle WebLogic Server for OKE creates a bastion compute instance on a public subnet.

By default subnets span an entire region in Oracle Cloud Infrastructure. Alternatively, you can create subnets that are specific to one availability domain (AD) in a region. Oracle WebLogic Server for OKE supports both regional and AD-scoped subnets.

If you want to use an existing subnet for the bastion compute instance when creating a stack, then the subnet must meet the following requirements:

  • The subnet must use DNS for hostnames.
  • The subnet must be public.
  • The subnet must have a security list that enables inbound access to the SSH port (22).
  • The subnet must have a security list that enables outbound access to the SSH port (22) on the subnet that you plan to use for the administration compute instance.

If you use an existing subnet, you can specify a subnet compartment that is different from the VCN compartment.

Network security groups are an alternative to security lists. After creating a stack with an existing subnet, you can update the bastion compute instance and assign it to a security group that has the required rules (inbound access to port 22, and so on).

If you use an existing subnet, you can certify the existing network setup using helper scripts. See Validate Existing Network Setup and Script File To Validate Network Setup.

See VCNs and Subnets in the Oracle Cloud Infrastructure documentation.

Create a Subnet for the Load Balancer

Oracle WebLogic Server for OKE can create a subnet for the load balancer that is used to access an Oracle WebLogic Server instance, or you can create your own subnet before creating a stack.

A subnet is a component of a Virtual Cloud Network (VCN). When you create a stack, Oracle WebLogic Server for OKE creates a private load balancer and assigns it to a public subnet. The private load balancer is used to access the WebLogic Server administration console and the Jenkins console. It is not assigned a public IP address from the subnet.

By default subnets span an entire region in Oracle Cloud Infrastructure. Alternatively, you can create subnets that are specific to one availability domain (AD) in a region. Oracle WebLogic Server for OKE supports both regional and AD-scoped subnets.

If you want to use an existing subnet for the load balancer when creating a stack, then the subnet must meet the following requirements:

  • The subnet must use DNS for hostnames.
  • The subnet can be public or private.
  • The subnet must have a security list that enables inbound access to ports 80 and 443.
  • The subnet must have a security list that enables outbound access to the WebLogic administration server ports (by default, 7001 and 7002) on the subnet that you plan to use for the Kubernetes cluster.
  • The subnet must have a security list that enables outbound access to the WebLogic managed server ports (by default, 7003 and 7004) on the subnet that you plan to use for the Kubernetes cluster.
  • The subnet must have a security list that enables outbound access to the Jenkins port (80) on the subnet that you plan to use for the Kubernetes cluster.

If you use an existing subnet, you can specify a subnet compartment that is different from the VCN compartment.

Network security groups are an alternative to security lists. After creating a stack with an existing subnet, you can update the load balancer and assign it to a security group that has the required rules (inbound access to port 80, and so on).

If you use an existing subnet, you can certify the existing network setup using helper scripts. See Validate Existing Network Setup and Script File To Validate Network Setup.

See VCNs and Subnets in the Oracle Cloud Infrastructure documentation.

Create a Subnet for the File System

Oracle WebLogic Server for OKE can create a subnet for the shared file system that you use to manage your Oracle WebLogic Server instance, or you can create your own subnet before creating a stack.

A subnet is a component of a Virtual Cloud Network (VCN). When you create a stack with Oracle WebLogic Server for OKE, the file system is assigned to a subnet. We recommend that you use a private subnet for the file system.

By default subnets span an entire region in Oracle Cloud Infrastructure. Alternatively, you can create multiple subnets that are each specific to one availability domain (AD) in a region. Oracle WebLogic Server for OKE supports both regional and AD-scoped subnets.

If you want to use an existing subnet for the file system when creating a stack, the subnet must meet the following requirements:

  • The subnet must use DNS for hostnames.
  • The subnet must have a security list that enables inbound access to the NFS port (2049) from the private subnet that you plan to use for the Kubernetes cluster.
  • The subnet must have a security list that enables inbound access to the NFS port from the private subnet that you plan to use for the administration compute instance.

If you use an existing subnet, you can specify a subnet compartment that is different from the VCN compartment.

Network security groups are an alternative to security lists. After creating a stack with an existing subnet, you can update the file system and assign it to a security group that has the required rules (inbound access to port 2049, and so on).

If you use an existing subnet, you can certify the existing network setup using helper scripts. See Validate Existing Network Setup and Script File To Validate Network Setup.

See VCNs and Subnets in the Oracle Cloud Infrastructure documentation.
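The security list requirements in the subnet sections above (SSH from the administration subnet, all ports from the load balancer subnet, NFS to the file system subnet, and so on) can be checked mechanically against the rules a security list actually contains, before creating a stack. The following Python is an added example and is not Oracle's documentation or the validateoke.sh helper script; it assumes that rule dictionaries have the shape of the JSON printed by oci network security-list get, and the CIDRs and rules are constructed samples for the Kubernetes worker-node subnet.

```python
"""Check an OCI security list against this page's subnet requirements.
Added example, not Oracle's documentation or the validateoke.sh helper script.
Rule dicts follow the shape of 'oci network security-list get' JSON output
(an assumption); all CIDRs below are constructed placeholders."""
import ipaddress

TCP = "6"  # OCI encodes protocols as strings: "6" TCP, "17" UDP, "all"

# Constructed sample CIDRs for the peer subnets named in the requirements.
ADMIN_CIDR, LB_CIDR, FSS_CIDR = "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"

# Requirements from "Create a Subnet for the Kubernetes Cluster":
# (direction, protocol, destination port or None for all ports, peer CIDR)
WORKER_REQUIREMENTS = [
    ("ingress", TCP, 22, ADMIN_CIDR),    # SSH from the administration subnet
    ("ingress", "all", None, LB_CIDR),   # all ports from the load balancer subnet
    ("egress", TCP, 2049, FSS_CIDR),     # NFS to the file system subnet
]

# Constructed worker-subnet security list; the NFS egress rule is deliberately /25.
WORKER_SECURITY_LIST = {
    "ingress-security-rules": [
        {"protocol": "6", "source": ADMIN_CIDR, "source-type": "CIDR_BLOCK",
         "tcp-options": {"destination-port-range": {"min": 22, "max": 22}}},
        {"protocol": "all", "source": LB_CIDR, "source-type": "CIDR_BLOCK"},
    ],
    "egress-security-rules": [
        {"protocol": "6", "destination": "10.0.3.0/25", "destination-type": "CIDR_BLOCK",
         "tcp-options": {"destination-port-range": {"min": 2049, "max": 2049}}},
    ],
}


def _port_covered(rule, protocol, port):
    """True if the rule admits the required protocol and destination port."""
    if rule["protocol"] == "all":
        return True  # protocol "all" implies every port
    if rule["protocol"] != protocol:
        return False
    opts = rule.get("tcp-options") if protocol == TCP else rule.get("udp-options")
    rng = (opts or {}).get("destination-port-range")
    # No port range means all ports of that protocol; otherwise check the range.
    return rng is None or (port is not None and rng["min"] <= port <= rng["max"])


def _cidr_covered(rule_cidr, wanted_cidr):
    """True if the rule's CIDR contains the whole peer subnet we need."""
    return ipaddress.ip_network(wanted_cidr).subnet_of(ipaddress.ip_network(rule_cidr))


def missing_rules(security_list, requirements):
    """Return every requirement that no rule in the security list satisfies."""
    missing = []
    for direction, protocol, port, cidr in requirements:
        peer_key = "source" if direction == "ingress" else "destination"
        satisfied = any(
            # Service CIDR labels are not IP ranges, so only CIDR_BLOCK rules count.
            rule.get(f"{peer_key}-type", "CIDR_BLOCK") == "CIDR_BLOCK"
            and _cidr_covered(rule[peer_key], cidr)
            and _port_covered(rule, protocol, port)
            for rule in security_list.get(f"{direction}-security-rules", [])
        )
        if not satisfied:
            missing.append((direction, protocol, port, cidr))
    return missing


if __name__ == "__main__":
    for req in missing_rules(WORKER_SECURITY_LIST, WORKER_REQUIREMENTS):
        print("MISSING rule:", req)  # reports the too-narrow NFS egress rule
```

The same requirement tuples can be written for the administration, bastion, load balancer and file system subnets from their respective sections and checked against the output of oci network security-list get for each existing subnet.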

Validate Existing Network Setup

You can use helper scripts from the Oracle Cloud Infrastructure Cloud Shell to certify the existing network setup (existing VCN and existing WebLogic Server subnets) in Oracle WebLogic Server for OKE. See Using Cloud Shell in the Oracle Cloud Infrastructure documentation.

The helper scripts perform the following validations and functions:

  • Validates that a service gateway or a NAT gateway exists for the administration instance private subnet and the worker node private subnets.

  • Validates that an internet gateway exists for the public bastion, file shared system, and load balancer subnets.

  • Checks that port 22 in the WebLogic Server subnet is open to the CIDR of the bastion instance subnet or to the bastion host IP.

  • Checks that the service gateway route rule for the private subnet used by the Oracle WebLogic Server compute instances has All <Region> Services In Oracle Services Network as its destination.

  • Checks that the existing subnet for the load balancer has a security list that enables inbound access to ports 80 and 443.

  • Validates that all protocols are open in the private subnet for the Kubernetes worker nodes for the worker CIDR range.

  • Validates that all protocols are open in the private subnet for the Kubernetes worker nodes for the VCN CIDR range.

  • Validates that the file shared system subnet has a security list that enables outbound access to ports 111 and 2048 (both TCP and UDP).

  • Validates that the database port is accessible from the WebLogic Server subnets.

Using the Validation Script

You can run the helper scripts to perform validations for existing private subnets, existing public subnets, and existing VCN peered subnets.

Run the commands in the following steps against the validation script file to check the existing network setup. In this example, the script file is named validateoke.sh. See Script File To Validate Network Setup to create the validateoke.sh file.

  1. Set execute permission to the validateoke.sh file.

    chmod +x validateoke.sh

  2. Run the validateoke.sh command.

    ./validateoke.sh [OPTIONS]

    The following table lists the options that can be used with the validateoke.sh command.

    Short Form  Long Form        Description
    -b          --bastionsubnet  Bastion Subnet OCID
    -a          --adminsubnet    Administration Host Subnet OCID
    -w          --workersubnet   Worker Subnet OCID
    -f          --fsssubnet      File Shared System Subnet OCID
    -l          --lbsubnet       Load Balancer Subnet OCID
    -i          --bastionipcidr  Bastion Host IP CIDR
    -           --debug          Runs script in BASH debug mode (set -x)
    -h          --help           Displays help and exits
    -           --version        Displays output version information and exits

    The bastion host IP CIDR (-i) must have a /32 suffix.

  3. Run the following command prior to creating a stack:

    ./validateoke.sh -b <Bastion Subnet OCID> -a <Administration Host Subnet OCID> -w <Worker Subnet OCID> -f <File Shared System Subnet OCID> -l <Load Balancer Subnet OCID>