About the Resources in a Stack
Learn about the compute instances, load balancers, network, and other resources in a stack created by Oracle WebLogic Server for OKE for an Oracle WebLogic Server domain.
To obtain a list of associated resources created for a specific stack, see View the Cloud Resources for a Stack.
Compute Instances
Oracle WebLogic Server for OKE creates Oracle Cloud Infrastructure compute instances for your Oracle WebLogic Server domain and Kubernetes cluster.
In the Oracle Cloud Infrastructure Console, use the navigation menu and select Compute. Under the Compute group, click Instances. When you select the compartment you specified to use for Oracle WebLogic Server when you created the stack, you'll see the following compute instances provisioned for your stack and Kubernetes cluster:
- Bastion instance - Has the name resourceprefix-bastion
- Administration instance - Has the name resourceprefix-admin
- A Kubernetes worker node - Has the name oke-generated-alphanumeric-string-n
Note: resourceprefix is the resource name prefix you provided during stack creation. n is the number 0 or 1.
Network Resources
Oracle WebLogic Server for OKE creates several network resources such as route tables, security lists, and gateways for your Oracle WebLogic Server stack and Kubernetes cluster in Oracle Cloud Infrastructure.
Additional network resources are created if you specify a new virtual cloud network (VCN) or new subnets for an existing VCN during stack creation.
In the Oracle Cloud Infrastructure Console, click Networking and select a compartment to view network resources. For example, click Virtual Cloud Networks to view all the virtual cloud networks (VCN) created in a compartment. If you created a new VCN for your stack during stack creation you'll find the VCN and its related resources in the compartment you specified to use for network resources.
Your stack configuration determines the type and number of network resources created. With the exception of load balancers, the names of those network resources begin with the resource name prefix you provided during stack creation. For example, resourceprefix-admin and resourceprefix-bastion.
The following table provides a summary of the resources that can be created for your domain.
Resource Name | Type |
---|---|
resourceprefix-vcn | WebLogic VCN (if you create a new VCN) |
resourceprefix-lb | Subnet for public and private load balancers |
resourceprefix-workers | Private subnet for Kubernetes worker nodes |
resourceprefix-admin | Private subnet for Kubernetes administration instance |
resourceprefix-fss | Private subnet for shared file system |
resourceprefix-bastion | Public subnet for bastion instance |
resourceprefix-admin-seclist | Security list for the administration instance private subnet |
resourceprefix-pub-lb | Security list for the load balancer public subnet |
resourceprefix-private-workers | Security list for the worker nodes private subnet |
resourceprefix-fss-seclist | Security list for the shared file system private subnet |
resourceprefix-bastion | Security list for the bastion instance public subnet |
Default Security List for resourceprefix-vcn | Default security list for the WebLogic VCN |
Default Route Table for resourceprefix-vcn | Default route rules in the WebLogic VCN |
resourceprefix-nat-route | Route rules table in the WebLogic VCN for NAT and service gateways |
resourceprefix-ig-route | Route rules table in the WebLogic VCN for internet gateway |
resourceprefix-ig-gw | Internet gateway in the WebLogic VCN |
Default DHCP Options for resourceprefix-vcn | Default set of Dynamic Host Configuration Protocol (DHCP) options for the WebLogic VCN |
resourceprefix-nat-gateway-gw | NAT gateway in the WebLogic VCN |
resourceprefix-service-gateway-gw | Service gateway in the WebLogic VCN |
Load Balancers
Oracle WebLogic Server for OKE creates a private load balancer for your Oracle WebLogic Server stack and Kubernetes cluster in Oracle Cloud Infrastructure.
The private load balancer is provisioned when you create a stack.
In the Oracle Cloud Infrastructure Console, use the navigation menu under the Core Infrastructure group to go to Networking and click Load Balancers. When you select the compartment you specified to use for the stack, you'll see the private load balancer provisioned for your WebLogic Server stack and Kubernetes cluster.
Unlike network resources, note that the names of load balancers created by Oracle WebLogic Server for OKE do not begin with the resource name prefix you provided during stack creation. Oracle WebLogic Server for OKE load balancer names are generated, hyphenated alphanumeric strings. For example, 1x1x1x1x-1x1x-1x1x-1x1x1x1x1x1x.
The private load balancer provides access to the WebLogic Server administration console and the Jenkins console. The private load balancer resource is provisioned with the following:
- A private IP address
- A backend set, which is identified by the name TCP-80. The backend set configures the load balancing policy.
- A listener named TCP-80. The listener handles traffic on port 80.
Kubernetes Resources
Oracle WebLogic Server for OKE provisions a Kubernetes cluster for your Oracle WebLogic Server stack in Oracle Cloud Infrastructure.
- Sign in to the Oracle Cloud Infrastructure Console.
- Click the navigation menu and select Developer Services.
- Under the Containers group, click Kubernetes Clusters.
- Select the compartment you specified to use for the stack.
The cluster and node resource names are as follows:
- The Kubernetes cluster name begins with the resource name prefix you provided during stack creation. For example, resourceprefix-cluster.
- A node pool named resourceprefix-non-wls-np, with one or more worker nodes for each node pool
- The worker nodes are compute instances with the names oke-generated-alphanumeric-string-0 and oke-generated-alphanumeric-string-1.
File System Resources
Oracle WebLogic Server for OKE creates a shared file system that is made available through a mount target.
In the Oracle Cloud Infrastructure Console, use the navigation menu and select Storage. Under the File Storage group, click File Systems or Mount Targets. When you select the compartment you specified to use during stack creation, you'll see the resources created for the shared file system and mount target:
resourceprefix-fss
resourceprefix-mntTarget
Note that both resource names begin with the resource name prefix you provided during stack creation.
Registry Resources
During stack creation, Oracle WebLogic Server for OKE pushes a default image to the registry. The default image is used to provision the WebLogic Server and Jenkins pods for your domain.
After the stack is created, you can use Kubernetes in the administration compute instance to apply any changes you make to the default image.
In the Oracle Cloud Infrastructure Console, use the navigation menu and select Developer Services. Under the Containers and Artifacts group, click Container Registry, and then select the required Compartment. The registry resources for your stack begin with the resource name prefix you provided during stack creation.
The registry resources provisioned include:
resourceprefix/infra/cisystem-jenkins-controller
resourceprefix/infra/cisystem-jenkins-agent
resourceprefix/infra/nginx-ingress-controller
resourceprefix/infra/oraclelinux
resourceprefix/infra/weblogic-kubernetes-operator
resourceprefix/wls-base-image/12214
Identity Resources for Dynamic Group and Root Policies
Oracle WebLogic Server for OKE creates a dynamic group and one policy for your domain when you create a stack.
The dynamic group and root-level (tenancy) policy allow compute instances in the domain to access keys and secrets in Oracle Cloud Infrastructure Vault.
The names of the dynamic group and root-level policy are:
servicename-admin-instance-principal-group (dynamic group)
servicename-oke-encryption-key-principal-group
servicename-oke-policy
Where servicename is the resource name prefix you provided during stack creation.
For a single compartment, the matching rule created in the dynamic group is:
instance.compartment.id='ocid1.compartment.oc1..alongstring'
The rule states that all instances created in the compartment (identified by the compartment OCID) are members of the dynamic group.
The osms policy has the following statement:
Allow dynamic-group servicename-admin-instance-principal-group to use osms-managed-instances in tenancy
The oke-policy policy at the root level (tenancy) has the following statements that are scoped to the compartment IDs, resource IDs, or both compartment and resource IDs:
Allow dynamic-group servicename-admin-instance-principal-group to use dynamic-groups in tenancy where target.group.id = <dynamic_group_ocid>
Allow dynamic-group servicename-admin-instance-principal-group to manage all-resources in compartment id <stack_compartment_ocid>
Allow service oke to read app-catalog-listing in compartment id <stack_compartment_ocid>
Allow dynamic-group servicename-admin-instance-principal-group to read secret-bundles in tenancy where target.secret.id = <OCID for OCIR token secret>
Allow dynamic-group servicename-admin-instance-principal-group to use vnics in compartment id <network_compartment_ocid>
Allow dynamic-group servicename-admin-instance-principal-group to inspect instance-family in compartment id <network_compartment_ocid>
Allow dynamic-group servicename-admin-instance-principal-group to use subnets in compartment id <network_compartment_ocid>
Allow dynamic-group servicename-admin-instance-principal-group to use keys in tenancy where target.key.id = <oke_encryption_key_ocid>
This policy applies if cluster encryption is selected.
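The following Python sketch is an added example, not Oracle's code. It reviews the policy statements and matching rule listed above for breadth of grant. The regular expression covers only the statement shapes shown on this page, and the two review rules (manage all-resources, tenancy scope without a where clause) are this example's own heuristics.

```python
import re

# Statements as printed on this page; OCIDs stay as the page's placeholders.
DG = "servicename-admin-instance-principal-group"
STATEMENTS = [
    f"Allow dynamic-group {DG} to use osms-managed-instances in tenancy",
    f"Allow dynamic-group {DG} to use dynamic-groups in tenancy where target.group.id = <dynamic_group_ocid>",
    f"Allow dynamic-group {DG} to manage all-resources in compartment id <stack_compartment_ocid>",
    "Allow service oke to read app-catalog-listing in compartment id <stack_compartment_ocid>",
    f"Allow dynamic-group {DG} to read secret-bundles in tenancy where target.secret.id = <OCID for OCIR token secret>",
    f"Allow dynamic-group {DG} to use vnics in compartment id <network_compartment_ocid>",
    f"Allow dynamic-group {DG} to inspect instance-family in compartment id <network_compartment_ocid>",
    f"Allow dynamic-group {DG} to use subnets in compartment id <network_compartment_ocid>",
    f"Allow dynamic-group {DG} to use keys in tenancy where target.key.id = <oke_encryption_key_ocid>",
]
MATCHING_RULE = "instance.compartment.id='ocid1.compartment.oc1..alongstring'"

# Simplified grammar (assumption): Allow <subject> to <verb> <resource> in <scope> [where <cond>]
STMT_RE = re.compile(
    r"^Allow\s+(?P<kind>dynamic-group|group|service)\s+(?P<subject>\S+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)\s+in\s+"
    r"(?P<scope>tenancy|compartment\s+id\s+\S+|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<cond>.+))?$", re.IGNORECASE)

def review(stmt):
    """Return review notes for one statement (empty list = narrowly scoped)."""
    m = STMT_RE.match(stmt.strip())
    if not m:
        return ["unparsed: review by hand"]
    notes = []
    if m["verb"].lower() == "manage" and m["resource"].lower() == "all-resources":
        notes.append("manage all-resources: full control of everything in " + m["scope"])
    if m["scope"].lower() == "tenancy" and not m["cond"]:
        notes.append("tenancy-wide grant with no where clause")
    return notes

def rule_is_compartment_wide(rule):
    """True when compartment membership is the rule's only condition."""
    return re.fullmatch(r"\s*instance\.compartment\.id\s*=\s*'[^']+'\s*", rule) is not None

def audit(statements):
    """Map each statement that produced review notes to those notes."""
    return {s: n for s in statements if (n := review(s))}

if __name__ == "__main__":
    for stmt, notes in audit(STATEMENTS).items():
        print(stmt, "->", "; ".join(notes))
    if rule_is_compartment_wide(MATCHING_RULE):
        print("every instance in the compartment inherits these grants")
```

Because the matching rule admits every instance in the compartment, any grant the audit reports applies to all of them, not only to the administration instance.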