7.2.6 Deploying the WDT OIG Domain

You must modify the Oracle Identity Governance (OIG) domain.yaml and deploy the OIG domain using the domain creation image built previously.

Modify the OIG domain.yaml

  1. Edit the $WORKDIR/yaml/domain.yaml and update the %DOMAIN_CREATION_IMAGE% with the previously generated image name:

    Note:

    %DOMAIN_CREATION_IMAGE% takes the format of <REPOSITORY>:<TAG>.
    domain:
             # Domain | DomainAndRCU
             createIfNotExists: DomainAndRCU
             # Image containing WDT installer and Model files.
             domainCreationImages:
                 - image: '%DOMAIN_CREATION_IMAGE%'
             domainType: OIG
    
    For example:
    domain:
            # Domain | DomainAndRCU
            createIfNotExists: DomainAndRCU
            # Image containing WDT installer and Model files.
            domainCreationImages:
                - image: 'container-registry.example.com/mytenancy/idm:oig-aux-generic-v1'
            domainType: OIG
    
  2. If you pull the OIG product container image from Oracle Container Registry but the domain creation image from a private registry, you must first create a secret (privatecred) for the private registry. For example:
    kubectl create secret docker-registry "privatecred" --docker-server=container-registry.example.com \
    --docker-username="user@example.com" \
    --docker-password=password --docker-email=user@example.com \
    --namespace=oigns
    
    Then specify both secrets for imagePullSecrets in the domain.yaml. For example:
     ...
    spec:
      # The WebLogic Domain Home
      domainHome: /u01/oracle/user_projects/domains/governancedomain
    
      # The domain home source type
      # Set to PersistentVolume for domain-in-pv, Image for domain-in-image, or FromModel for model-in-image
      domainHomeSourceType: PersistentVolume
    
      # The WebLogic Server image that the Operator uses to start the domain
      image: "container-registry.oracle.com/middleware/oig_cpu:14.1.2.1.0-jdk17-ol8-<YYMMDD>"
    
      # imagePullPolicy defaults to "Always" if image version is :latest
      imagePullPolicy: IfNotPresent
    
      imagePullSecrets:
      - name: orclcred
      - name: privatecred
      # Identify which Secret contains the WebLogic Admin credentials
    ...
    
    For more information about the configuration parameters in domain.yaml, see Domain Resources.
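The following is an added example, not part of the Oracle documentation or its scripts: a small POSIX shell helper that performs step 1 (filling in the placeholder) and checks step 2 (the extra pull secret) before domain.yaml is applied. It assumes the %DOMAIN_CREATION_IMAGE% placeholder, a spec.image line of the form `image: "<registry>/..."` and the pull secret name privatecred, all as shown above; the function names are made up here.

```shell
#!/bin/sh
# Added example (not from the Oracle docs): fills in %DOMAIN_CREATION_IMAGE% and checks the
# two requirements of steps 1 and 2 before "kubectl create" is run.
# Assumed: the placeholder text, a spec.image line of the form   image: "<registry>/..."
# and a private-registry pull secret named "privatecred", all as shown in this section.

# image_has_tag REF : succeeds if REF has the form <REPOSITORY>:<TAG> (tag on the last path part)
image_has_tag() {
  case "${1##*/}" in
    *:?*) return 0 ;;
    *)    return 1 ;;
  esac
}

# image_registry REF : prints the registry host, i.e. everything before the first "/"
image_registry() {
  printf '%s\n' "${1%%/*}"
}

# set_domain_creation_image FILE REF : replaces the placeholder in FILE with REF.
# Fails without touching FILE if REF has no tag, or if REF comes from a registry other than
# the one the product image (spec.image) comes from and FILE lists no privatecred secret.
set_domain_creation_image() {
  file=$1; ref=$2
  image_has_tag "$ref" || { echo "domain creation image must be <REPOSITORY>:<TAG>: $ref" >&2; return 1; }
  # registry host of the first   image: "..."   line, which is spec.image in the sample domain.yaml
  product_reg=$(sed -n 's#^ *image: *"\([^/"]*\)/.*#\1#p' "$file" | head -n 1)
  if [ "$(image_registry "$ref")" != "$product_reg" ] && ! grep -q '^ *- *name: *privatecred' "$file"; then
    echo "$ref is not on $product_reg, but imagePullSecrets has no privatecred entry" >&2
    return 1
  fi
  # "|" as the sed delimiter because image references contain "/"
  sed "s|%DOMAIN_CREATION_IMAGE%|$ref|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Usage: sh this-script.sh $WORKDIR/yaml/domain.yaml container-registry.example.com/mytenancy/idm:oig-aux-generic-v1
if [ $# -eq 2 ]; then set_domain_creation_image "$1" "$2"; fi
```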
A sample domain.yaml is shown below:
 # Copyright (c) 2024, Oracle and/or its affiliates.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 #
 # This is an example of how to define an OIG Domain. For details about the fields in domain specification, refer https://oracle.github.io/weblogic-kubernetes-operator/managing-domains/domain-resource/
 #
 apiVersion: "weblogic.oracle/v9"
 kind: Domain
 metadata:
   name: governancedomain
   namespace: oigns
   labels:
      weblogic.domainUID: governancedomain
 spec:
   # The WebLogic Domain Home
   domainHome: /u01/oracle/user_projects/domains/governancedomain

   # The domain home source type
   # Set to PersistentVolume for domain-in-pv, Image for domain-in-image, or FromModel for model-in-image
   domainHomeSourceType: PersistentVolume

   # The WebLogic Server image that the Operator uses to start the domain
   image: "container-registry.oracle.com/middleware/oig_cpu:14.1.2.1.0-jdk17-ol8-<YYMMDD>"

   # imagePullPolicy defaults to "Always" if image version is :latest
   imagePullPolicy: IfNotPresent

   # Add additional secret name if you are using a different registry for domain creation image.
   # Identify which Secret contains the credentials for pulling an image
   imagePullSecrets:
   - name: orclcred
   - name: privatecred
   # Identify which Secret contains the WebLogic Admin credentials
   webLogicCredentialsSecret:
      name: governancedomain-weblogic-credentials

   # Whether to include the server out file into the pod's stdout, default is true
   includeServerOutInPodLog: true

   # Whether to enable log home
   logHomeEnabled: true

   # Whether to write HTTP access log file to log home
   httpAccessLogInLogHome: true

   # The in-pod location for domain log, server logs, server out, introspector out, and Node Manager log files
   logHome: /u01/oracle/user_projects/domains/logs/governancedomain
   # An (optional) in-pod location for data storage of default and custom file stores.
   # If not specified or the value is either not set or empty (e.g. dataHome: "") then the
   # data storage directories are determined from the WebLogic domain home configuration.
   dataHome: ""

   # serverStartPolicy legal values are "Never", "IfNeeded", or "AdminOnly"
   # This determines which WebLogic Servers the Operator will start up when it discovers this Domain
   # - "Never" will not start any server in the domain
   # - "AdminOnly" will start up only the administration server (no managed servers will be started)
   # - "IfNeeded" will start all non-clustered servers, including the administration server and clustered servers up to the replica count
   serverStartPolicy: IfNeeded

   serverPod:
      initContainers:
         #DO NOT CHANGE THE NAME OF THIS INIT CONTAINER
         - name: compat-connector-init
           # OIG Product image, same as spec.image mentioned above
           image: "container-registry.oracle.com/middleware/oig_cpu:14.1.2.1.0-jdk17-ol8-<YYMMDD>"
           imagePullPolicy: IfNotPresent
           # A single shell string, so that "bash -c" creates both directories
           command: [ "/bin/bash", "-c", "mkdir -p /u01/oracle/user_projects/domains/ConnectorDefaultDirectory /u01/oracle/user_projects/domains/wdt-logs" ]
           volumeMounts:
              - mountPath: /u01/oracle/user_projects
                name: weblogic-domain-storage-volume
      # a mandatory list of environment variables to be set on the servers
      env:
      - name: JAVA_OPTIONS
        value: -Dweblogic.StdoutDebugEnabled=false
      - name: USER_MEM_ARGS
        value: "-Djava.security.egd=file:/dev/./urandom -Xms256m -Xmx1024m "
      - name: WLSDEPLOY_LOG_DIRECTORY
        value: "/u01/oracle/user_projects/domains/wdt-logs"
      - name: FRONTENDHOST
        value: example.com
      - name: FRONTENDPORT
        value: "14000"
      - name: WLSDEPLOY_PROPERTIES
        value: "-Dwdt.config.disable.rcu.drop.schema=true"
      envFrom:
      - secretRef:
           name: governancedomain-rcu-credentials
      volumes:
      - name: weblogic-domain-storage-volume
        persistentVolumeClaim:
          claimName: governancedomain-domain-pvc
      volumeMounts:
      - mountPath: /u01/oracle/user_projects
        name: weblogic-domain-storage-volume

   # adminServer is used to configure the desired behavior for starting the administration server.
   adminServer:
      # adminService:
      #   channels:
      # The Admin Server's NodePort
      #    - channelName: default
      #      nodePort: 30701
      # Uncomment to export the T3Channel as a service
      #    - channelName: T3Channel
      serverPod:
         # an (optional) list of environment variables to be set on the admin servers
         env:
         - name: USER_MEM_ARGS
           value: "-Djava.security.egd=file:/dev/./urandom -Xms512m -Xmx1024m "

   configuration:
         secrets: [ governancedomain-rcu-credentials ]
         initializeDomainOnPV:
           persistentVolume:
              metadata:
                   name: governancedomain-domain-pv
              spec:
                 storageClassName: governancedomain-domain-storage-class
                 capacity:
              # Total storage allocated to the persistent storage.
                      storage: 10Gi
              # Reclaim policy of the persistent storage
              # # The valid values are: 'Retain', 'Delete', and 'Recycle'
                 persistentVolumeReclaimPolicy: Retain
              # Persistent volume type for the persistent storage.
              # # The value must be 'hostPath' or 'nfs'.
              # # If using 'nfs', server must be specified.
                 nfs:
                   server: mynfsserver
                 # hostPath:
                   path: "/scratch/shared/governancedomain"
           persistentVolumeClaim:
              metadata:
                   name: governancedomain-domain-pvc
              spec:
                 storageClassName: governancedomain-domain-storage-class
                 resources:
                      requests:
                           storage: 10Gi
                 volumeName: governancedomain-domain-pv
           domain:
                 # Domain | DomainAndRCU
                 createIfNotExists: DomainAndRCU
                 # Image containing WDT installer and Model files.
                 domainCreationImages:
                      - image: 'container-registry.example.com/mytenancy/idm:oig-aux-generic-v1'
                 domainType: OIG
   # References to Cluster resources that describe the lifecycle options for all
   # the Managed Server members of a WebLogic cluster, including Java
   # options, environment variables, additional Pod content, and the ability to
   # explicitly start, stop, or restart cluster members. The Cluster resource
   # must describe a cluster that already exists in the WebLogic domain
   # configuration.
   clusters:
   - name: governancedomain-oim-cluster
   - name: governancedomain-soa-cluster

   # The number of managed servers to start for unlisted clusters
   # replicas: 1

 ---
 # This is an example of how to define a Cluster resource.
 apiVersion: weblogic.oracle/v1
 kind: Cluster
 metadata:
   name: governancedomain-oim-cluster
   namespace: oigns
 spec:
   clusterName: oim_cluster
   serverService:
      precreateService: true
   replicas: 0
   serverPod:
      env:
      - name: USER_MEM_ARGS
        value: "-Djava.security.egd=file:/dev/./urandom -Xms8192m -Xmx8192m  "
      resources:
         limits:
           cpu: "2"
           memory: "8Gi"
         requests:
           cpu: "1000m"
           memory: "4Gi"


 ---
 # This is an example of how to define a Cluster resource.
 apiVersion: weblogic.oracle/v1
 kind: Cluster
 metadata:
   name: governancedomain-soa-cluster
   namespace: oigns
 spec:
   clusterName: soa_cluster
   serverService:
      precreateService: true
   replicas: 1
   serverPod:
      env:
      - name: USER_MEM_ARGS
        value: "-Xms8192m -Xmx8192m "
      resources:
         limits:
           cpu: "1"
           memory: "10Gi"
         requests:
           cpu: "1000m"
           memory: "4Gi"
 

Optional WDT Models ConfigMap

If required, you can provide a Kubernetes ConfigMap with additional WDT models and WDT variables files as supplements, or overrides, to those in domainCreationImages.

For example in the output/weblogic-domains/governancedomain/domain.yaml:
      domain:
          ...
          domainCreationImages:
              ...
          domainCreationConfigMap: mymodel-domain-configmap

The files inside domainCreationConfigMap must have one of the file extensions .yaml, .properties, or .zip.

To create the ConfigMap, run the following commands:
cd $WORKDIR/kubernetes/create-oim-domain/domain-home-on-pv/wdt-utils
./create-configmap.sh -n oigns -d governancedomain -c mymodel-domain-configmap -f wdt_models/mymodel.yaml

For more information on the usage of additional configuration, see Optional WDT models ConfigMap.

Deploying the OIG Domain

Deploy the OIG domain using the domain.yaml:
  1. Run the following command to create OIG domain resources:
    kubectl create -f $WORKDIR/yaml/domain.yaml
    The WebLogic Kubernetes Operator then performs the following steps:
    • Runs the introspector job.
    • The introspector job creates the RCU schemas.
    • The introspector job pod creates the domain on the PV using the model provided in the domain creation image.
    • After the domain has been created with WDT, the introspector job pod runs the OIG offline configuration actions.
    • Brings up the Administration Server and the SOA Managed Server (soa_server1).
    The output will look similar to the following:
    domain.weblogic.oracle/governancedomain created
    cluster.weblogic.oracle/governancedomain-oim-cluster created
    cluster.weblogic.oracle/governancedomain-soa-cluster created
    
    Whilst the domain creation is running, you can run the following command to monitor the progress:
    kubectl get pods -n <domain_namespace> -w
    

    Note:

    The -w flag allows you to watch the status of the pods as they change.

    For example:

    kubectl get pods -n oigns -w
    
    You can also tail the logs for the pods by running:
    kubectl logs -f <pod> -n oigns
    

    Note:

    WDT specific logs can be found in <persistent_volume>/domains/wdt-logs.
  2. Once everything is started, you should see that the Administration Server and SOA server are running:
    NAME                           READY   STATUS    RESTARTS   AGE
    governancedomain-adminserver   1/1     Running   0          13m
    governancedomain-soa-server1   1/1     Running   0          10m
    

    Note:

    Depending on the speed of your cluster, it can take around 25 minutes for all the pods to be in READY 1/1 state.

    If there are any failures, follow Domain creation failure with WDT models in Known Issues.

  3. Start the OIM server by running the following command:
    kubectl patch cluster -n <domain_namespace> <domainUID>-oim-cluster --type=merge -p '{"spec":{"replicas":1}}'
    
    For example:
    kubectl patch cluster -n oigns governancedomain-oim-cluster --type=merge -p '{"spec":{"replicas":1}}'
    
    The output will look similar to the following:
     cluster.weblogic.oracle/governancedomain-oim-cluster patched
    
  4. Run the following command to view the status of the OIM server:
    kubectl get pods -n <domain_namespace> -w
    
    For example:
    kubectl get pods -n oigns -w
    
    Once the OIM server is running, the output will look similar to the following:
    NAME                           READY   STATUS    RESTARTS   AGE
    governancedomain-adminserver   1/1     Running   0          16m
    governancedomain-soa-server1   1/1     Running   0          13m
    governancedomain-oim-server1   1/1     Running   0          5m22s

If there are any failures, follow Domain creation failure with WDT models in Known Issues.
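The following is an added example, not part of the Oracle documentation or its scripts: a POSIX shell script that runs steps 1 to 4 above, replacing the kubectl get pods -w watch with a predicate that checks for the READY 1/1 and Running state before moving on, and giving up after a timeout instead of waiting indefinitely. It assumes the names used in this section (namespace oigns, domainUID governancedomain and the three pod names shown in the output above); the function names are made up here.

```shell
#!/bin/sh
# Added example (not from the Oracle docs): scripts steps 1 to 4 of this section, replacing the
# "kubectl get pods -w" watch with a predicate that checks the READY 1/1 / Running state.
# Assumed names (from this section): namespace oigns, domainUID governancedomain, pod names
# governancedomain-adminserver, governancedomain-soa-server1, governancedomain-oim-server1.

# pods_ready NAME... : reads "kubectl get pods" output on stdin (header optional); succeeds only
# if every NAME is listed with STATUS Running, READY n/n (n > 0) and RESTARTS 0.
pods_ready() {
  table=$(cat)
  for want in "$@"; do
    printf '%s\n' "$table" | awk -v n="$want" '
      $1 == n { found = 1; split($2, r, "/")
                ok = ($3 == "Running" && r[1] == r[2] && r[1] > 0 && $4 == 0) }
      END { exit !(found && ok) }' || return 1
  done
}

# wait_for_pods NAMESPACE TIMEOUT_SECONDS NAME... : polls until pods_ready passes or TIMEOUT expires.
wait_for_pods() {
  ns=$1; deadline=$(( $(date +%s) + $2 )); shift 2
  until kubectl get pods -n "$ns" --no-headers 2>/dev/null | pods_ready "$@"; do
    [ "$(date +%s)" -lt "$deadline" ] || { echo "timed out waiting for: $*" >&2; return 1; }
    sleep 30
  done
}

# deploy_oig_domain DOMAIN_YAML : create the resources, wait for the Administration Server and
# SOA server (the page allows about 25 minutes), then scale the OIM cluster to 1 and wait again.
deploy_oig_domain() {
  kubectl create -f "$1" || return 1
  wait_for_pods oigns 1800 governancedomain-adminserver governancedomain-soa-server1 || return 1
  kubectl patch cluster -n oigns governancedomain-oim-cluster --type=merge \
    -p '{"spec":{"replicas":1}}' || return 1
  wait_for_pods oigns 1800 governancedomain-oim-server1
}

# Usage: sh this-script.sh $WORKDIR/yaml/domain.yaml
if [ $# -eq 1 ]; then deploy_oig_domain "$1"; fi
```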