Deploy Containerized Advanced Management Console on Kubernetes Environment

3 Deploy Containerized Advanced Management Console on Kubernetes Environment

Ensure that all prerequisites are met before you start the deployment.

Create a working directory on your Kubernetes controller machine (on the machine where helm package and kubectl of your cluster is configured). Place all the required artifacts such as helm package, custom-values.yaml file, jks files, and so on in this working directory. You can perform helm install, update, and uninstall, and kubectl create and delete from this working directory. See Helm Commands for the complete list of CLI commands for helm.

Follow these steps to deploy Containerized AMC on Kubernetes environment:

Configure the Database

Ensure that you have installed and configured MySQL or Oracle database; either on-premise or on DBaaS.

See Database Installation and Configuration for Advanced Management Console to setup and configure the database.

The DB service locator, name, and user credentials must be provided for WebLogic data source setup through AMC helm chart.

Deploy WebLogic Kubernetes Operator

Follow these steps to deploy WKO:

Add the WKO chart repository to the local cache by using the following command:

helm repo add weblogic-operator https://oracle.github.io/weblogic-kubernetes-operator/charts

Create namespaces for WKO deployment and AMC deployment. A WebLogic domain will be deployed in this namespace and it will be managed by WKO. Use the following commands to create the namespace:
```
kubectl create namespace <operator-namespace> 
kubectl create namespace <amc-namespace>
```
Example Command:
```
$ kubectl create namespace wko-ns
$ kubectl create namespace amc-ns
```

Install the WKO in the Operator's namespace <operator-namespace> by using the following command:

helm install <release-name> weblogic-operator/weblogic-operator \       
--set "domainNamespaces={<amc-namespace>}" \         
-n <operator-namespace>

Example Command:

$ helm install wko weblogic-operator/weblogic-operator \
--set "domainNamespaces={amc-ns}" \
-n wko-ns

You can verify the status of your installation using the following commands:

Verify if the operator’s pod is running. Note that it might take a while for the operator's pod to be up and running.

 kubectl get pods -n <operator-namespace> --watch

Example Command:

$ kubectl get pods -n wko-ns  --watch

Expected Output:


NAME                                 READY   STATUS    RESTARTS   AGE
weblogic-operator-75c85f5649-l6cbx   1/1     Running   0          107s

View the operator's pod log to verify if the operator is up and running:

 kubectl logs -n <operator-namespace> -c weblogic-operator deployments/weblogic-operator

Example Command:

$ kubectl logs -n wko-ns -c weblogic-operator deployments/weblogic-operator

Create Kubernetes Secrets and ConfigMap

A Secret is an object that contains sensitive data, such as passwords, tokens, or keys. A ConfigMap is an object that stores non-confidential data in key-value pairs.

Create Kubernetes Secrets

You can store and manage confidential information, such as passwords, authentication tokens, and ssh keys in Kubernetes Secret. Storing confidential information in a Secret is safer and more flexible than using them directly in a container image.

You can create Secrets to store user credentials, database connection information, LDAP server credentials, mail server configuration, and so on. Each Secret must have a unique name, which is updated in the custom-values.yaml file. The Secrets are referenced through this file during deployment.

Create Secrets as shown in the following example. The credentials and namespace depicted in the examples are sample values. These values might change based on your requirement.

# Create Secret for WLS Admin Credentials
$ kubectl create secret generic amc-wls-credentials \
--from-literal=username=weblogic \
--from-literal=password='Welcome@123' \
-n amc-ns

##Create Secret for Database Connection 
$ kubectl create secret generic amc-ds-credentials \
--from-literal=username=amc2 \
--from-literal=password='amc2' \
-n amc-ns

##Create Secret for mail session in Weblogic
$ kubectl create secret generic amc-mail-credentials \
--from-literal=username=first.last@example.com \
--from-literal=password='mailserverpassword' \
-n amc-ns

##Create Secret for connecting to LDAP server, LDAP Server integration from WLS
$ kubectl create secret generic amc-ldap-credentials \
--from-literal=password='AMC2Admin$' \
-n amc-ns

The Secret names are updated in the custom-values.yaml file. See the sample custom-values.yaml file.

Create a ConfigMap

ConfigMaps are useful for storing and sharing non-sensitive, unencrypted configuration information. It binds configuration files, command-line arguments, environment variables, port numbers, and other configuration artifacts.

You can use a ConfigMap to override any environment-specific configuration.

The WLS for Containerized AMC is configured with default Demo Identity and Demo Trust keystore certificates. During deployment, if you want to overwrite the default configuration, use Custom Identity and Java Standard Trust method. For detailed steps, see Configure Keystores. However, you must have a valid Identity keystore to overwrite the default configuration.

Create a ConfigMap to add a keystore file as shown in the following example. Change the values based on your requirement.

# For Reusing existing JKS or Overriding default JKS Certificate
$ kubectl create configmap amc-keystore --from-file=<path>/amckeystore.jks -n amc-ns

Provide the details of the ConfigMap and the file name in custom-values.yaml file. You can also create a Secret for the passwords associated with keystore and alias, and update the secret name in custom-values.yaml file.

Example Command:

$ kubectl create secret generic amc-jks-credentials \
--from-literal=password='keystore_password' \
-n amc-ns

Configure AMC Helm Chart

Ensure to download the AMC Helm Chart from GitHub. The Kubernetes manifest resources including the domain resource file as required by the WKO is packaged as Helm chart.

The Kubernetes manifest resources including the domain resource file as required by the WKO is packaged as a Helm chart. Ensure that you download the AMC Helm Chart from GitHub and then install it from the local path. The configuration parameters that are required to deploy the Containerized AMC are part of the default values.yaml included in the AMC Helm Chart.

Configurable Parameters

Default values are configured in the AMC Helm Chart.

You can download the Helm Chart from GitHub.

The table provides the default values that are configured in the AMC Helm Chart.

Table 3-1 AMC Helm Chart Configurable Values

Configuration Keys	Sub-Keys (if any)	Description	Default (if any)	Mandatory or Optional	Accepted Range of Values
`namespace`		Kubernetes namespace that the AMC domain should be a part of.	amc	Mandatory
`domain`		Domain name for the WebLogic Kubernetes Operator to manage.	`amc-domain`	Optional
`image`	`repo`	Repository hosting the AMC container image.	None	Mandatory
	`tag`	Tag for the AMC container image.	None	Mandatory
	`pullPolicy`	Policy for image pull.	`IfNotPresent`	Optional	Always, IfNotPresent,Never
	`pullSecrets`	For image pull authentication with container registry hosting the AMC container image.	None	Optional
`weblogicCredentials`	`secretsName`	Name of the Kubernetes Secret containing the credentials for WebLogic server.	`<domain-name>-weblogic-credentials`	Depends on the option selected	Either of these scenarios: (a): User creates a Kubernetes secret containing `username` and `password` as keys in the same namespace beforehand. The name of the secret is passed against `secretsName` field (b): User provides plain text input against `username` and `password` fields. The Kubernetes secret is auto generated by Helm chart. Name of the secret can be optionally passed by the user. If not, the default value would be of the form `<domain-name>-weblogic-credentials`
	`username`	Username to be used for WebLogic admin server.	None	Depends on the option selected
	`password`	Password to be used for WebLogic admin server.	None	Depends on the option selected
`weblogicSSLCertificateOverride`	`enabled`	Enable to override the default SSL certificate used by WebLogic server.	`false`	Optional
	`configmapName`	The ConfigMap should be created from the `jks` file in the AMC namespace beforehand. The name should be updated against this field.		Mandatory, if enabled
	`keystore: filename`	The name of the `jks` file used to create the configuration map.		Mandatory, if enabled
	`keystore:secretsName`	Name of the Kubernetes Secret containing the keystore password.	`<domain-name>-weblogic-keystore-credentials`	Depends on the option selected	Either of these scenarios: (a): User creates a Kubernetes secret containing `password` as key in the same namespace beforehand. The name of the secret is passed against `secretsName` field. (b): User provides plain text input against `password` field. The Kubernetes secret is auto generated by Helm chart. Name of the secret can be optionally passed by the user. If not, the default value would be of the form `<domain-name>-weblogic-keystore-credentials`.
	`keystore:password`	Plain text password for keystore.		Depends on the option selected
	`keystorealias:alias`	Name of the alias in the `jks`.		Mandatory, if enabled
	`keystorealias:secretsName`	Name of the Kubernetes Secret containing the keystore alias password.	`<domain-name>-weblogic-keystorealias-credentials`	Depends on the option selected	Either of these Scenarios: (a): User creates a Kubernetes secret containing `password` as key in the same namespace beforehand. The name of the secret is passed against `secretsName` field. (b): User provides plain text input against `password` field. The Kubernetes secret is auto generated by Helm chart. Name of the secret can be optionally passed by the user. If not, the default value would be of the form `<domain-name>-weblogic-keystorealias-credentials`.
	`keystorealias:password`		Depends on the option selected
`replicaCount`		Number of managed server pods to spin up. Note:Automatic scaling of managed servers is not yet supported.	2	Mandatory	2 to 10
`restartVersion`		An increment in this value forces domain restart and introspect on upgrade of deployment.	1	Optional
`extraEnv`	`JAVA_OPTIONS`	Java Options(for memory, proxy, and so on) to be applied to WebLogic containers.	`-Xmx2g-Xms512m - Dweblogic.StdoutDebugEnabled=false`	Optional
`extraEnv`	`USER_MEM_ARGS`	User memory arguments to be supplied to WebLogic containers.	`-XX:+UseContainerSupport`	Optional
`resources`	`limits`	Set the Kubernetes resource limit for CPU or Memory on the WebLogic containers.	`3Gi` for admin server memory and `5Gi` for managed server memory	Optional
`resources`	`requests`	Set the Kubernetes resource request for CPU or Memory on the WebLogic containers.	`1Gi` for both admin and managed server memory	Optional
`isVersionUpgrade`		Set to true for AMC version upgrades.	`false`	Optional
`database`	`type`	Type of database.	`mysql`	Mandatory	mysql, oracle
	`name`	Name of the database.	`amc2`	Mandatory
	`credentials.secretsName`	Name of Kubernetes Secret containing the credentials for database connection.	`<domain-name>-datasource-credentials`	Depends on the option selected	Either of these scenarios: (a): User creates a Kubernetes secret containing `username` and `password` as keys in the same namespace beforehand. The name of the secret is passed against `secretsName` field. (b): User provides plain text input against `username` and `password` fields. The Kubernetes secret is auto generated by Helm chart. Name of the secret can be optionally passed by the user. If not, the default value would be of the form `<domain-name>-datasource-credentials`.
	`credentials.username`	Username for the database connection.	None	Depends on the option selected
	`credentials.password`	Password for the database connection.	None	Depends on the option selected
	`host`	Hostname where the Database instance is running.	None	Mandatory
	`port`	Port number of the database instance is running on.	3306	Mandatory
	`isOracle11`	To be enabled if using Oracle 11g as Database for AMC.	`false`	Optional
	`use_cj_driver_mysql8`	Enables the usage of `com.mysql.cj.jdbc.Driver`.	`false`	Optional	To be enabled only if using MySQL8 and WLS 12.2.1.4
`nodePort`	`enabled`	Set to `true` to enable NodePort service.	`false`	Optional
	`adminserver`	Port number exposing WebLogic admin server interface for access outside cluster using Kubernetes NodePort service.	Random port assignment	Optional
	`managedserver`	Port number exposing AMC interface for access outside cluster using Kubernetes NodePort service.	Random port assignment	Optional
`loadBalancer`	`enabled`	Set to `true` to enable LoadBalancer service. Note:Once the LoadBalancer service is enabled for the Containerized AMC, it is persisted even on disabling the option. This is done on purpose to retain the assigned external IP address. Ensure that this service is not deleted inadvertently, else this will lead to AMC services being inaccessible. Note:If only LoadBalancer service is enabled in the `custom-values.yaml` file, the WebLogic admin server console will not be accessible. If there is a need to access the Weblogic admin server console, enable the NodePort service as well.	`false`	Optional
	`port`	Port number exposing AMC interface for access outside cluster using Kubernetes LoadBalancer service.	8002	Mandatory, if enabled
	`annotations`	Annotations for the LoadBalancer service.	None	Optional
`mailServer`	`enabled`	Set to `true` to enable Mail Server configuration.	`false`	Optional
	`properties`	Settings for the mail server.	None	Mandatory, if enabled
	`credentials.secretsName`	Name of Kubernetes Secret containing the credentials for mailserver connection.	`<domain-name>-mailserver-credentials`	Depends on the option selected	Either of these scenarios: (a): User creates a Kubernetes secret containing `username` and `password` as keys in the same namespace beforehand. The name of the secret is passed against `secretsName` field. (b): User provides plain text input against `username` and `password` fields. The Kubernetes secret is auto generated by Helm chart. Name of the secret can be optionally passed by the user. If not, the default value would be of the form `<domain-name>-mailserver-credentials`.
	`credentials.username`	Username for the Mail Server connection.	None	Depends on the option selected
	`credentials.password`	Password for the Mail Server connection.	None	Depends on the option selected
`ldap`	`enabled`	Set to `true` to enable LDAP Server configuration.	`false`	Optional
	`credentials.secretsName`	Name of Kubernetes Secret containing the credential for LDAP connection.	`<domain-name>-ldap-credentials`	Depends on the option selected	Either of these scenarios: (a): User creates a Kubernetes secret containing `password` as key in the same namespace beforehand. The name of the secret is passed against `secretsName` field. (b): User provides plain text input against `password` field. The Kubernetes secret is auto generated by Helm chart. Name of the secret can be optionally passed by the user. If not, the default value would be of the form `<domain-name>-ldap-credentials`.
	`credentials.password`	Password for the LDAP Server connection.	None	Depends on the option selected
	`host`	Host name of LDAP server.	None	Mandatory, if enabled
	`port`	Port number for LDAP service.	389	Optional
	`enableSSL`	Set to `true` to use SSL for LDAP.	`false`	Optional
	`principal`	LDAP principal	None	Mandatory, if enabled
	`userbaseDN`	Base domain name (DN) for user.	None	Mandatory, if enabled
	`groupbaseDN`	Base domain name (DN) for group.	None	Mandatory, if enabled

Deploy Containerized Advanced Management Console

Ensure WKO is deployed successfully before proceeding with the AMC deployment.

Follow these steps to deploy the Containerized AMC:

Create the AMC container image using WIT and distribute the container image to all Kubernetes cluster nodes. See Create the AMC Container Image.

Clone the AMC repository from GitHub:

git clone https://github.com/oracle/helm-charts.git

Create the AMC helm chart package:
```
helm package helm-charts/java-amc/
```
The helm package command will create the java-amc-1.0.0.tgz file.

Configure the deployment parameters. See Configurable Parameters. You can override the configurable parameters based on your requirement and save as custom-values.yaml file in the working directory.

Find below the sample custom-values.yaml file for creating an AMC Domain in a Weblogic dynamic cluster with two managed servers. In this example, the AMC domain is deployed into a Kubernetes namespace amc-ns, on an OKE Kubernetes cluster in OCI. The WebLogic domain is integrated with an Oracle DBaas 19c on OCI, Mail Server, LDAP server, and uses an external Identity JKS file. Both the NodePort and LoadBalancer (OCI LoadBalancer) are enabled for the deployment, that is the WebLogic Admin Server can be accessed as a NodePort Service and the AMC WebUI can be accessed either through an OCI LoadBalancer or a NodePort Service.

Note:

Ensure that the parameters in the custom-values.yaml file is indented properly to avoid execution error.

namespace: amc-ns
domain: amc-domain
replicaCount: 2
isVersionUpgrade: false 
extraEnv:
  adminServer:
    JAVA_OPTIONS: "-Xmx2g -Xms512m"
    USER_MEM_ARGS: ""
  managedServer:
    JAVA_OPTIONS: "-Xmx4g -Xms1g -Dhttps.proxyHost=proxy.example.com -Dhttps.proxyPort=80 -Dhttp.proxyHost=proxy.example.com -Dhttp.proxyPort=80"
    USER_MEM_ARGS: ""
resources:
  adminServer:
    limits:
      memory: "2Gi"
    requests:
      memory: "1Gi"
  managedServer:
    limits:
      memory: "5Gi"
    requests:
      memory: "1Gi"

image:
  repo: amc2u20
  tag: latest
  pullPolicy: IfNotPresent
  

weblogicCredentials:
  secretsName: amc-wls-credentials 

weblogicSSLCertificateOverride:
  enabled: true
  configmapName: amc-keystore
  keystore:
    filename: amckeystore.jks
    secretsName: amc-jks-credentials
  keystorealias:
    alias: amctest
    secretsName: amc-jks-credentials

database:
  type: oracle
  name: amc2
  credentials:
    secretsName: amc-ds-credentials
  host: dbaas.s4.example.com
  port: 1521

nodePort:
  enabled: true
  adminserver: 30720
  managedserver: 30721

loadBalancer:
  enabled: true
  port: 6503
  annotations: 
    service.beta.kubernetes.io/oci-load-balancer-internal: "true"
    service.beta.kubernetes.io/oci-load-balancer-subnet1: "ocid1.subnet.oc1.<country.region.xyz>"

mailServer:
  enabled: true
  properties:
    mail.smtp.host: mail.example.com
    mail.transport.protocol: smtp
    mail.smtp.auth: true
    mail.smtp.ssl.enable: true
    mail.debug: true
  credentials:
    secretsName: amc-mail-credentials

ldap:
  enabled: true
  credentials:
    secretsName: amc-ldap-credentials 
  host: ldap.example.com
  port: 389
  enableSSL: false
  principal: cn=amc,dc=example,dc=com
  userbaseDN: ou=users,ou=amc,dc=example,dc=com
  groupbaseDN: ou=groups,ou=amc,dc=example,dc=com

Install the Containerized AMC container image that you have created, using the following commands:
- To validate the configured parameters through a dry run:
```
helm install <release-name> <path to amc helm package> \
 --values custom-values.yaml  -n <amc-namespace> --dry-run
```
  Example Command:
```
$ helm install amc  ./java-amc-1.0.0.tgz \
--values custom-values.yaml -n amc-ns  --dry-run
```
  Note:
  Helm is not allowed connections to the Kubernetes API server during a dry run and thus cannot determine the presence of secrets. Ignore this warning One or more secrets specified are not present in this namespace, if any, during dry run.
- Install the chart, thus deploying the Containerized AMC:
```
helm install <release-name> <path to amc helm package> \
--values custom-values.yaml -n <amc-namespace>
```
  Example Command:
```
$ helm install amc  ./java-amc-1.0.0.tgz \ 
--values custom-values.yaml -n amc-ns 
```

The installation might take a while to complete. You can track the status of the installation using the following commands:

kubectl get events -n <amc-namespace> --watch
kubectl get all -n <amc-namespace> -o wide

Example Commands:

$ kubectl get events -n amc-ns --watch
$ kubectl get all -n amc-ns -o wide

You should see the details about Pods and Services, and the server status as Running after sometime.

Access the Containerized AMC

You can access Containerized AMC using the NodePort service or the LoadBalancer service or both, depending on the configuration in the custom-values.yaml.

After you deploy the AMC on Kubernetes environment and verify the status of deployment using the command kubectl get all -n amc-ns, the complete node and server information is displayed. The following is an example output:

Figure 3-1 Server Details

The details of the servers and nodes, including internal and external ports are displayed.

Access Containerized AMC using LoadBalancer Service

In the LoadBalancer service type, note down the external IP and port number. You can use the values to create the URL to access Containerized AMC. Considering the example, the URL to access the Containerized AMC will be https://203.0.113.10:6503/amcwebui/login.html.

Access Containerized AMC using NodePort Service

In the NodePort service type, you can create URLs of the Admin Server and AMC Server using any of the Kubernetes node IP addresses/host name and the external port number mapped against respective NodePort services.

Admin Server: http://<kubernetes-node>:30720/console/login/LoginForm.jsp
AMC Server: https://<kubernetes-node>:30721/amcwebui/login.html

Run the following command to retrieve the Kubernetes node IP addresses:

kubectl get nodes -o wide

You can login using the credentials provided in the custom-values.yaml file.

Note:

It is recommended to access the Containerized AMC using LoadBalancer service rather than NodePort service.
If only LoadBalancer service is enabled in the custom-values.yaml file, the WebLogic admin server console will not be accessible. If there is a need to access the admin server console, enable the NodePort service as well.

Initialize the Containerized AMC

During initialization, the host name (or host IP) has to be provided. This host name (or host IP) is to be used by all agents to communicate with the server.

By default, the AMC initialization wizard fetches the server host name from the CN (common name) of SSL certificate. However, the CN name might not be the valid server host name for Containerized AMC. Hence, during initialization, provide a valid server host name to access Containerized AMC. Also, ensure that you don't have to change the host name (or host IP) once you specify.

For example, as shown in the following screen shot, the host name is fetched from SSL certificate by default. This is not a valid host name. You need to provide a valid host name or IP for the Containerized AMC to communicate with the server.

Figure 3-2 Initializing Containerized AMC