|
| 1 | +--- |
| 2 | +title: "Use Port Forwarding" |
| 3 | +date: 2019-02-23T17:39:15-05:00 |
| 4 | +draft: false |
| 5 | +weight: 4 |
| 6 | +description: "You can use Port Forwarding to access the Administration console and WLST." |
| 7 | +--- |
| 8 | + |
| 9 | + |
| 10 | +Beginning with operator version 4.0.0, you can use the `kubectl port-forward` command to allow external access to the WebLogic Administration Console and WLST access to manage a domain running in Kubernetes. You can use this method to access the Administration console locally or connect using WLST for investigating the issues without exposing them to the public internet. See [port-forward](https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#port-forward) in the Kubernetes reference documentation for `kubectl port-forward` usage and examples. |
| 11 | + |
| 12 | +The operator automatically adds the required network channels with a 'localhost' address for each existing admin protocol capable port to enable this access. See [Additional network channels created for kubectl port-forward](#additional-network-channels-created-for-kubectl-port-forward) for network channels created by the operator. You can disable this behavior by setting the `domain.spec.adminServer.adminChannelPortForwardingEnabled` attribute in the domain resource to `false`. Run the `kubectl explain domain.spec.adminServer.adminChannelPortForwardingEnabled` command or see in the domain resource [schema](https://github.com/oracle/weblogic-kubernetes-operator/blob/main/documentation/domains/Domain.md) for more details. |
| 13 | + |
| 14 | +#### Forward a local port to an administration port on the Administration Server Pod |
| 15 | +The `kubectl port-forward` command allows using the resource type/name to select a matching pod to port forward to. You also need to define the local and remote port numbers: |
| 16 | + |
| 17 | +``` |
| 18 | +kubectl port-forward TYPE/NAME [options] LOCAL_PORT:REMOTE_PORT |
| 19 | +``` |
| 20 | + |
| 21 | +For the WebLogic Administration Console access, you need to forward a local port (on the machine where `port-forward` command is run) to the Administration Server Pod. For example, if you have a WebLogic domain with UID `domain1` running in namespace `mynamespace` and the Administration Server name is `admin-server` with non-SSL listen port 7001, then you can run the below command to forward a local port (port 32015 in this example) to the admin port (port 7001 in this example) of the Administration Server Pod. In this scenario, the Kubernetes API listens on local port 32015 and forwards data to port 7001 on the Administration Server Pod. |
| 22 | + |
| 23 | +```shell |
| 24 | +kubectl port-forward pods/domain1-admin-server -n mynamespace 32015:7001 |
| 25 | +``` |
| 26 | +or |
| 27 | + |
| 28 | +```shell |
| 29 | +kubectl port-forward service/domain1-admin-server -n mynamespace 32015:7001 |
| 30 | +``` |
| 31 | +The output is similar to this: |
| 32 | + |
| 33 | +``` |
| 34 | +Forwarding from 127.0.0.1:32015 -> 7001 |
| 35 | +``` |
| 36 | + |
| 37 | +You can access the Administration console at `http://localhost:32015/console` URL on the machine where the above 'kubectl port-forward' command is run and you can use WLST to connect to `t3://localhost:32015` as shown below: |
| 38 | + |
| 39 | +```shell |
| 40 | +$ ~/wls/oracle_common/common/bin/wlst.sh |
| 41 | +``` |
| 42 | +``` |
| 43 | +Initializing WebLogic Scripting Tool (WLST) ... |
| 44 | +
|
| 45 | +Welcome to WebLogic Server Administration Scripting Shell |
| 46 | +
|
| 47 | +Type help() for help on available commands |
| 48 | +
|
| 49 | +wls:/offline> connect('weblogic','*password*','t3://localhost:32015') |
| 50 | +Connecting to t3://localhost:32015 with userid weblogic ... |
| 51 | +Successfully connected to Admin Server "admin-server" that belongs to domain "base_domain". |
| 52 | +
|
| 53 | +Warning: An insecure protocol was used to connect to the server. |
| 54 | +To ensure on-the-wire security, the SSL port or Admin port should be used instead. |
| 55 | +
|
| 56 | +wls:/base_domain/serverConfig/> exit() |
| 57 | +``` |
| 58 | + |
| 59 | +If the WebLogic administration port is enabled on the Administration Server, then you will need to forward the local port to the Administration port. In this case, the Administration Console access will require using `https` protocol and WLST access will require using `t3s` protocol. Similarly, when the SSL port is enabled, using the SSL port requires using the `https` and `t3s` protocol for Console and WLST access respectively. |
| 60 | + |
| 61 | +{{% notice note %}} |
| 62 | +A port-forward session ends once the Pod instance fails or restarts. You can rerun the same command to establish a new port forwarding session and resume forwarding. |
| 63 | +{{% /notice %}} |
| 64 | + |
| 65 | +{{% notice note %}} |
| 66 | +If the local (forwarded) port number is not the same as the Administration port number, then the WLST access will not work by default and you will see below `BEA-000572` RJVM error in the administration server logs. You can add `-Dweblogic.rjvm.enableprotocolswitch=true` argument to the command line JAVA_OPTIONS for the Administration Server to enable this access. Refer to [MOS 'Doc 860340.1'](https://support.oracle.com/rs?type=doc&id=860340.1) for more information on this switch. |
| 67 | +```text |
| 68 | +<Aug 30, 2021 9:33:24,753 PM GMT> <Error> <RJVM> <BEA-000572> <The server rejected a connection attempt JVMMessage from: '-2661445766084484528C:xx.xx.xx.xxR:-5905806878036317188S:domain1-admin-server:domain1:admin-server' to: '0B:xx.xx.xx.xx:[-1,-1,32015,-1,-1,-1,-1]' cmd: 'CMD_IDENTIFY_REQUEST', QOS: '102', responseId: '-1', invokableId: '-1', flags: 'JVMIDs Sent, TX Context Not Sent, 0x1', abbrev offset: '114' probably due to an incorrect firewall configuration or administrative command.></pre> |
| 69 | +``` |
| 70 | +{{% /notice %}} |
| 71 | + |
| 72 | +#### Specify Local IP Address for Port Forwarding |
| 73 | +You can use the `--address` option of the `kubectl port-forward` command to listen on the localhost using the defined IP address. The `--address` option only accepts IP addresses or localhost (comma-separated) as a value. See `kubectl port-forward -h` for help and examples. |
| 74 | + |
| 75 | +Below is an example command that uses a defined IP address. |
| 76 | + |
| 77 | +```shell |
| 78 | +kubectl port-forward --address my-ip-address pods/domain1-admin-server -n mynamespace 32015:7001 |
| 79 | +``` |
| 80 | +The Administration console can be accessed at `http://my-ip-address:32015/console` URL after running the above command. |
| 81 | + |
| 82 | +#### Optionally let kubectl choose the local port |
| 83 | +If you don't need a specific local port, then you can let kubectl choose and allocate the local port, with the below syntax: |
| 84 | + |
| 85 | +```shell |
| 86 | +kubectl port-forward pods/domain1-admin-server -n mynamespace :7001 |
| 87 | +``` |
| 88 | +The kubectl tool finds a local port number that is not in use. The output is similar to: |
| 89 | + |
| 90 | +``` |
| 91 | +Forwarding from 127.0.0.1:63753 -> 7001 |
| 92 | +``` |
| 93 | +In this example, the Administration console is accessible using `http://localhost:63753/console` URL. |
| 94 | + |
| 95 | +#### Additional network channels created for `kubectl port-forward` |
| 96 | +When the Administrative channel port forwarding is enabled (default), the operator automatically adds the following network channels using configuration overrides during introspection for 'kubectl port-forward'. Set the `domain.spec.adminServer.adminChannelPortForwardingEnabled` attribute in the domain resource to `false` if you want to disable this behavior. |
| 97 | + |
| 98 | +For domains with default channel using non-SSL traffic: |
| 99 | +Name | Listen Address | Port | Protocol |
| 100 | +--- | --- | --- | --- |
| 101 | +internal-t3 | localhost | Server listening port | t3 |
| 102 | + |
| 103 | +For domains with default channel for non-SSL traffic and default secure channel for SSL traffic: |
| 104 | +Name | Listen Address | Port | Protocol |
| 105 | +--- | --- | --- | --- |
| 106 | +internal-t3 | localhost | Server listening port | t3 |
| 107 | +internal-t3s | localhost | Server SSL listening port | t3s |
| 108 | + |
| 109 | +If the WebLogic administration port is enabled on the Administration Server: |
| 110 | +Name | Listen Address | Port | Protocol |
| 111 | +--- | --- | --- | --- |
| 112 | +internal-admin | localhost | WebLogic administration port | admin |
| 113 | + |
| 114 | +If a custom admin channel is configured on the Administration Server: |
| 115 | +Name | Listen Address | Port | Protocol |
| 116 | +--- | --- | --- | --- |
| 117 | +internal-admin | localhost | Custom administration port | admin |
| 118 | + |
| 119 | +**NOTE:** The additional network channels are created only for the Administration Server (and not for the managed servers). |
| 120 | + |
| 121 | +#### Istio Enabled Domains |
| 122 | +For the Istio enabled domains, the operator already adds a network channel with localhost listen address. Hence additional network channels are not created for `kubectl port-forward` when Istio support is enabled. See [How Istio-enabled domains differ from regular domains]({{< relref "/userguide/istio/istio#how-istio-enabled-domains-differ-from-regular-domains" >}}) for more details. |
| 123 | + |
0 commit comments