External RMI Tunneling with Traefik (#2384)

* External RMI Tunneling with Traefik

Co-authored-by: [email protected] <[email protected]>
Co-authored-by: [email protected] <[email protected]>

Author: 3 people

integration-tests/src/test/java/oracle/weblogic/domain/ClusterService.java

@@ -89,6 +89,11 @@ public void setAnnotations(Map<String, String> annotations) {
     this.annotations = annotations;
   }
 
+  public ClusterService sessionAffinity(String sessionAffinity) {
+    this.sessionAffinity = sessionAffinity;
+    return this;
+  }
+
   public String getSessionAffinity() {
     return sessionAffinity;
   }

integration-tests/src/test/java/oracle/weblogic/kubernetes/ItExternalRmiTunneling.java

@@ -143,6 +143,8 @@ public interface TestConstants {
 
   public static final String K8S_NODEPORT_HOST = Optional.ofNullable(System.getenv("K8S_NODEPORT_HOST"))
         .orElse(assertDoesNotThrow(() -> InetAddress.getLocalHost().getHostAddress()));
+  public static final String K8S_NODEPORT_HOSTNAME = Optional.ofNullable(System.getenv("K8S_NODEPORT_HOSTNAME"))
+        .orElse(assertDoesNotThrow(() -> InetAddress.getLocalHost().getHostName()));
   public static final String RESULTS_BASE = System.getenv().getOrDefault("RESULT_ROOT",
       System.getProperty("java.io.tmpdir") + "/it-testsresults");
 

integration-tests/src/test/java/oracle/weblogic/kubernetes/TestConstants.java

@@ -0,0 +1,31 @@
+# Copyright (c) 2021, Oracle Corporation and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+# https://kubernetes.github.io/ingress-nginx/examples/
+
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: ngnix-tls-tunneling
+  namespace: DOMAIN_NS
+  annotations:
+    kubernetes.io/ingress.class: nginx
+    nginx.ingress.kubernetes.io/affinity: "cookie"
+    nginx.ingress.kubernetes.io/session-cookie-name: "JSESSIONID"
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      more_clear_input_headers "WL-Proxy-Client-IP" "WL-Proxy-SSL";
+      more_set_input_headers "X-Forwarded-Proto: https";
+      more_set_input_headers "WL-Proxy-SSL: true";
+    nginx.ingress.kubernetes.io/ingress.allow-http: "false"
+spec:
+  tls:
+  - hosts:
+    - 'INGRESS_HOST'
+    secretName: TLS_CERT
+  rules:
+  - host: 'INGRESS_HOST' 
+    http:
+      paths:
+      - path: 
+        backend:
+          serviceName: DOMAIN_UID-cluster-CLUSTER
+          servicePort: 8877

integration-tests/src/test/resources/tunneling/nginx.tls.tunneling.template.yaml

@@ -0,0 +1,22 @@
+# Copyright (c) 2021, Oracle Corporation and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+# https://kubernetes.github.io/ingress-nginx/examples/
+
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  annotations:
+    kubernetes.io/ingress.class: nginx
+    nginx.ingress.kubernetes.io/affinity: cookie
+    nginx.ingress.kubernetes.io/session-cookie-name: "JSESSIONID"
+  labels:
+  name: ngnix-tunneling
+  namespace: DOMAIN_NS
+spec:
+  rules:
+  - host: 
+    http:
+      paths:
+      - backend:
+          serviceName: DOMAIN_UID-cluster-CLUSTER
+          servicePort: 7788

integration-tests/src/test/resources/tunneling/nginx.tunneling.template.yaml

@@ -0,0 +1,55 @@
+# Copyright (c) 2021, Oracle Corporation and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  annotations:
+    kubernetes.io/ingress.class: traefik
+  name: traefik-tls-tunneling
+  namespace: DOMAIN_NS
+spec:
+  entryPoints: 
+   - websecure
+  routes:
+  - kind: Rule
+    match: Host(`INGRESS_HOST`)
+    middlewares:
+    - name: tls-middleware
+      namespace: DOMAIN_NS
+    services:
+    - kind: Service
+      name: DOMAIN_UID-cluster-CLUSTER
+      namespace: DOMAIN_NS
+      port: 8877
+      sticky:
+        cookie:
+          httpOnly: true
+  tls: {}
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: tls-middleware
+  namespace: DOMAIN_NS
+spec:
+  headers:
+    customRequestHeaders:
+      X-Custom-Request-Header: "" # Removes
+      X-Forwarded-For: "" # Removes
+      WL-Proxy-Client-IP: "" # Removes
+      WL-Proxy-SSL: "" # Removes
+      WL-Proxy-SSL: "true" # Adds
+    sslRedirect: true
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSStore
+metadata:
+  name: default
+  namespace: DOMAIN_NS
+spec:
+  defaultCertificate:
+    secretName: TLS_CERT 
+

integration-tests/src/test/resources/tunneling/traefik.tls.tunneling.template.yaml

@@ -0,0 +1,23 @@
+# Copyright (c) 2021, Oracle Corporation and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  annotations:
+    kubernetes.io/ingress.class: traefik
+  name: traefik-tunneling
+  namespace: DOMAIN_NS
+spec:
+  entryPoints: [] 
+  routes:
+  - kind: Rule
+    match: Host(`INGRESS_HOST`)
+    services:
+    - kind: Service
+      name: DOMAIN_UID-cluster-CLUSTER
+      namespace: DOMAIN_NS
+      port: 7788
+      sticky:
+            cookie:
+              httpOnly: true