diff --git a/assets/icons/netscaler-cpx-with-ingress-controller.png b/assets/icons/netscaler-cpx-with-ingress-controller.png new file mode 100644 index 000000000..167e3d6a0 Binary files /dev/null and b/assets/icons/netscaler-cpx-with-ingress-controller.png differ diff --git a/assets/netscaler/netscaler-cpx-with-ingress-controller-2.1.4.tgz b/assets/netscaler/netscaler-cpx-with-ingress-controller-2.1.4.tgz new file mode 100644 index 000000000..74f26dcbe Binary files /dev/null and b/assets/netscaler/netscaler-cpx-with-ingress-controller-2.1.4.tgz differ diff --git a/charts/netscaler/netscaler-cpx-with-ingress-controller/2.1.4/Chart.yaml b/charts/netscaler/netscaler-cpx-with-ingress-controller/2.1.4/Chart.yaml new file mode 100644 index 000000000..49fc603c2 --- /dev/null +++ b/charts/netscaler/netscaler-cpx-with-ingress-controller/2.1.4/Chart.yaml @@ -0,0 +1,21 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: NetScaler CPX with Ingress Controller + catalog.cattle.io/kube-version: '>=v1.16.0-0' + catalog.cattle.io/release-name: netscaler-cpx-with-ingress-controller +apiVersion: v2 +appVersion: 2.1.4 +description: A Helm chart for NetScaler CPX with NetScaler ingress Controller running + as sidecar. +home: https://www.netscaler.com +icon: file://assets/icons/netscaler-cpx-with-ingress-controller.png +kubeVersion: '>=v1.16.0-0' +maintainers: +- email: priyanka.sharma@cloud.com + name: priyankash-citrix +- email: subash.dangol@cloud.com + name: subashd +name: netscaler-cpx-with-ingress-controller +sources: +- https://github.com/netscaler/netscaler-k8s-ingress-controller +version: 2.1.4 diff --git a/charts/netscaler/netscaler-cpx-with-ingress-controller/2.1.4/README.md b/charts/netscaler/netscaler-cpx-with-ingress-controller/2.1.4/README.md new file mode 100644 index 000000000..3fbef96a5 --- /dev/null +++ b/charts/netscaler/netscaler-cpx-with-ingress-controller/2.1.4/README.md 
@@ -0,0 +1,747 @@ +# NetScaler CPX with NetScaler Ingress Controller running as sidecar. + +In a [Kubernetes](https://kubernetes.io/) or [OpenShift](https://www.openshift.com) cluster, you can deploy [NetScaler CPX](https://docs.netscaler.com/en-us/citrix-adc-cpx/cpx/) with NetScaler ingress controller as a [sidecar](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/). The NetScaler CPX instance is used for load balancing the North-South traffic to the microservices in your cluster. And, the sidecar NetScaler ingress controller configures the NetScaler CPX. + +## TL;DR; + +### For Kubernetes + ``` + helm repo add netscaler https://netscaler.github.io/netscaler-helm-charts/ + + helm install netscaler-cpx-with-ingress-controller netscaler/netscaler-cpx-with-ingress-controller --set license.accept=yes + ``` + +### For OpenShift + + ``` + helm repo add netscaler https://netscaler.github.io/netscaler-helm-charts/ + + helm install netscaler-cpx-with-ingress-controller netscaler/netscaler-cpx-with-ingress-controller --set license.accept=yes,openshift=true + ``` + +> **Important:** +> +> The "license.accept" is a mandatory argument and should be set to "yes" to accept the terms of the NetScaler license. + +> **NOTE:** +> +> The CRDs supported by NetScaler will be installed automatically with the installation of the Helm Charts if CRDs are not already available in the cluster. + +## Introduction +This Helm chart deploys a NetScaler CPX with NetScaler ingress controller as a sidecar in the [Kubernetes](https://kubernetes.io/) or in the [Openshift](https://www.openshift.com) cluster using the [Helm](https://helm.sh/) package manager. + +### Prerequisites + +- The [Kubernetes](https://kubernetes.io/) version should be 1.16 and above if using Kubernetes environment. +- The [Openshift](https://www.openshift.com) version 4.8 or later if using OpenShift platform. +- The [Helm](https://helm.sh/) version 3.x or later. 
You can follow instruction given [here](https://github.com/netscaler/netscaler-helm-charts/blob/master/Helm_Installation_version_3.md) to install the same. +- You have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator), if you want to view the metrics of the NetScaler CPX collected by the [metrics exporter](https://github.com/netscaler/netscaler-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics). +- Registration of NetScaler CPX in ADM: You may want to register your CPX in ADM for licensing or to obtain [servicegraph](https://docs.netscaler.com/en-us/citrix-application-delivery-management-service/application-analytics-and-management/service-graph.html). For this you will have to create a Kubernetes secret using ADM credentials and provide it while install the chart. Create a Kubernetes secret for the user name and password using the following command: + + ``` + kubectl create secret generic admlogin --from-literal=username= --from-literal=password= + ``` + +## Installing the Chart +Add the NetScaler Ingress Controller helm chart repository using command: + + ``` + helm repo add netscaler https://netscaler.github.io/netscaler-helm-charts/ + ``` + +### For Kubernetes: +#### 1. NetScaler CPX with NetScaler Ingress Controller running as side car. +To install the chart with the release name ``` my-release```: + + ``` + helm install my-release netscaler/netscaler-cpx-with-ingress-controller --set license.accept=yes,ingressClass[0]= + ``` + +> **Note:** +> +> By default the chart installs the recommended [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) roles and role bindings. + +The command deploys NetScaler CPX with NetScaler ingress controller as a sidecar on the Kubernetes cluster with the default configuration. The [configuration](#configuration) section lists the mandatory and optional parameters that you can configure during installation. + +#### 2. 
NetScaler CPX with NetScaler Ingress Controller and Exporter running as side car. +[Metrics exporter](https://github.com/netscaler/netscaler-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed as sidecar to the NetScaler CPX and collects metrics from the NetScaler CPX instance. You can then [visualize these metrics](https://docs.netscaler.com/en-us/citrix-k8s-ingress-controller/metrics/promotheus-grafana.html) using Prometheus Operator and Grafana. +> **Note:** +> +> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). + +Use the following command for this: + ``` + helm install my-release netscaler/netscaler-cpx-with-ingress-controller --set license.accept=yes,ingressClass[0]=,exporter.required=true + ``` + +### For OpenShift: +Add the name of the service account created when the chart is deployed to the privileged Security Context Constraints of OpenShift: + + ``` + oc adm policy add-scc-to-user privileged system:serviceaccount:: + ``` + +#### 1. NetScaler CPX with NetScaler Ingress Controller running as side car. +To install the chart with the release name, `my-release`, use the following command: + ``` + helm install my-release netscaler/netscaler-cpx-with-ingress-controller --set license.accept=yes,openshift=true + ``` + +#### 2. NetScaler CPX with NetScaler Ingress Controller and Exporter running as side car. +[Metrics exporter](https://github.com/netscaler/netscaler-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed as sidecar to the NetScaler CPX and collects metrics from the NetScaler CPX instance. You can then [visualize these metrics](https://docs.netscaler.com/en-us/citrix-k8s-ingress-controller/metrics/promotheus-grafana.html) using Prometheus Operator and Grafana. +> **Note:** +> +> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). 
+ +Use the following command for this: + ``` + helm install my-release netscaler/netscaler-cpx-with-ingress-controller --set license.accept=yes,openshift=true,exporter.required=true + ``` + +### Installed components + +The following components are installed: + +- [NetScaler CPX](https://docs.netscaler.com/en-us/citrix-adc-cpx/current-release/about) +- [NetScaler ingress controller](https://github.com/netscaler/netscaler-k8s-ingress-controller) (if enabled) +- [Exporter](https://github.com/netscaler/netscaler-adc-metrics-exporter) (if enabled) + + +### NetScaler CPX Service Annotations: + + The parameter `serviceAnnotations` can be used to annotate CPX service while installing NetScaler CPX using this helm chart. + For example, if CPX is getting deployed in Azure and an Azure Internal Load Balancer is required before CPX then the annotation `service.beta.kubernetes.io/azure-load-balancer-internal:True` can be set in CPX service using Helm command: + + ``` + helm install my-release netscaler/netscaler-cpx-with-ingress-controller --set license.accept=yes,serviceAnnotations.service\\.beta\\.kubernetes\\.io/azure-load-balancer-internal=True + ``` + + or the same can be provided in [values.yaml](https://github.com/netscaler/netscaler-helm-charts/blob/master/netscaler-cpx-with-ingress-controller/values.yaml): + + ``` + license: + accept: yes + serviceAnnotations: + service.beta.kubernetes.io/azure-load-balancer-internal: True + ``` + + which can be used to install NetScaler CPX using Helm command: + + ``` + helm install my-release netscaler/netscaler-cpx-with-ingress-controller -f values.yaml + ``` + + To know more about service annotations supported by Kubernetes on various platforms please see [this](https://kubernetes.io/docs/concepts/services-networking/service/). + +### NetScaler CPX Service Ports: + + By default, port 80 and 443 of CPX service will exposed when CPX is installed using this helm chart. 
If it is required to expose any other ports in CPX service then the parameter `servicePorts` can be used for it. + For example, if port 9999 is required to be exposed then below helm command can be used for installing NetScaler CPX: + + ``` + helm install my-release netscaler/netscaler-cpx-with-ingress-controller --set license.accept=yes,servicePorts[0].port=9999,servicePorts[0].protocol=TCP,servicePorts[0].name=https + ``` + + or the same can be provided in [values.yaml](https://github.com/netscaler/netscaler-helm-charts/blob/master/netscaler-cpx-with-ingress-controller/values.yaml): + + ``` + license: + accept: yes + servicePorts: + - port: 9090 + protocol: TCP + name: https + ``` + + which can be used to install NetScaler using Helm command: + + ``` + helm install my-release netscaler/netscaler-cpx-with-ingress-controller -f values.yaml + ``` + +> **Note:** If `servicePorts` parameters is used, only ports provided in this parameter will be exposed in CPX service. +> If you want to expose default ports 80 or 443, then you will need to explicity mention these also in this parameter. + +### Configuration for ServiceGraph: + If NetScaler CPX need to send data to the NetScaler ADM to bring up the servicegraph, then the below steps can be followed to install NetScaler CPX with ingress controller. NetScaler ingress controller configures NetScaler CPX with the configuration required for servicegraph. + + 1. Create secret using NetScaler Agent credentials, which will be used by NetScaler CPX to communicate with NetScaler ADM Agent: + + kubectl create secret generic admlogin --from-literal=username= --from-literal=password= + + 2. 
Deploy NetScaler CPX with NetScaler ingress controller using helm command: + + helm install my-release netscaler/netscaler-cpx-with-ingress-controller --set license.accept=yes,analyticsConfig.required=true,analyticsConfig.timeseries.metrics.enable=true,analyticsConfig.distributedTracing.enable=true,analyticsConfig.endpoint.metrics.service=,ADMSettings.ADMIP=,ADMSettings.loginSecret= + +> **Note:** +> If container agent is being used here for NetScaler ADM, please provide `svcIP` of container agent in the `analyticsConfig.endpoint.metrics.service` parameter. + +## NetScaler CPX DaemonSet with NetScaler Ingress Controller as sidecar for BGP Advertisement + + The previous section of deploying CPX as a Deployment requires a Tier-1 Loadbalancer such as NetScaler VPX or cloud loadbalancers to route the traffic to CPX instances running in Kubernetes cluster, but you can also leverage BGP network fabric in your on-prem environemnt to route the traffic to CPX instances in a Kubernetes or Openshift cluster. you need to deploy CPX with NetScaler Ingress Controller as Daemonset to advertise the ExternalIPs of the K8s services of type LoadBalancer to your BGP Fabric. NetScaler CPX establishes a BGP peering session with your network routers, and uses that peering session to advertise the IP addresses of external cluster services. If your routers have ECMP capability, the traffic is load-balanced to multiple CPX instances by the upstream router, which in turn load-balances to actual application pods. When you deploy the NetScaler CPX with this mode, NetScaler CPX adds iptables rules for each service of type LoadBalancer on Kubernetes nodes. The traffic destined to the external IP address is routed to NetScaler CPX pods. You can also set the 'ingressIP' variable to an IP Address to advertise the External IP address for Ingress resources. 
Refer [documentation](https://github.com/netscaler/netscaler-k8s-ingress-controller/blob/master/docs/network/bgp-enhancement.md) for complete details about BGP advertisement with CPX. + +### Download the chart +You can download the chart usimg `helm pull` command. +``` +helm repo add netscaler https://netscaler.github.io/netscaler-helm-charts/ +helm pull netscaler/netscaler-cpx-with-ingress-controller +tar -zxvf netscaler-cpx-with-ingress-controller-x.y.z.tgz +``` + +### Edit the BGP configuration in values.yaml +BGP configurations enables CPX to peer with neighbor routers for advertisting the routes for Service of Type LoadBalancer. NetScaler Ingress Controllers uses static IPs given in Service YAML or using an IPAM controller to allocate an External IP address, and same is advertisted to the neighbour router with the Gateway as Node IP. An example BGP configurations is given below. + +``` +# BGP configurations: local AS, remote AS and remote address is mandatory to provide. +bgpSettings: + required: true + bgpConfig: + - bgpRouter: + # Local AS number for BGP advertisement + localAS: + neighbor: + # Address of the nighbor router for BGP advertisement + - address: xx.xx.xx.xx + # Remote AS number + remoteAS: + advertisementInterval: 10 + ASOriginationInterval: 10 +``` +If the cluster spawns across multiple networks, you can also specify the NodeSelector to give different neighbors for different Cluster Nodes as shown below. + +``` +bgpSettings: + required: true + bgpConfig: + - nodeSelector: datacenter=ds1 + bgpRouter: + localAS: + neighbor: + - address: xx.xx.xx.xx + remoteAS: + advertisementInterval: 10 + ASOriginationInterval: 10 + - nodeSelector: datacenter=ds2 + bgpRouter: + localAS: + neighbor: + - address: yy.yy.yy.yy + remoteAS: + advertisementInterval: 10 + ASOriginationInterval: 10 +``` + +### Deploy the chart +#### For Kubernetes: +#### 1. NetScaler CPX DaemonSet with NetScaler Ingress Controller running as side car for BGP Advertisement. 
+ + +To install the chart with the release name ``` my-release```: + + ``` + helm install my-release ./netscaler-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true + ``` +If you are running NetScaler IPAM for auto allocation of IPs for Service of type LoadBalancer, you must enable the IPAM configurations in NetScaler Ingress Controller as show below: + + ``` + helm install my-release ./netscaler-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ipam=true + ``` +If you are using ingress resources, you must set the `ingressIP` to a valid IP Address which will enable the BGP route advertisement for this IP when ingress resource is deployed. + + ``` + helm install my-release ./netscaler-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ingressIP= + ``` + +> **Note:** +> +> By default the chart installs the recommended [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) roles and role bindings. + +The command deploys NetScaler CPX Daemonset with NetScaler ingress controller as a sidecar on the Kubernetes cluster with the default configuration. The [configuration](#configuration) section lists the mandatory and optional parameters that you can configure during installation. + +#### 2. NetScaler CPX with NetScaler Ingress Controller and Exporter running as side car for BGP Advertisement. +[Metrics exporter](https://github.com/netscaler/netscaler-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed as sidecar to the NetScaler CPX and collects metrics from the NetScaler CPX instance. You can then [visualize these metrics](https://docs.netscaler.com/en-us/citrix-k8s-ingress-controller/metrics/promotheus-grafana.html) using Prometheus Operator and Grafana. +> **Note:** +> +> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). 
+ +Use the following command for this: + ``` + helm install my-release ./netscaler-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,exporter.required=true + ``` +If you are running NetScaler IPAM controller for auto allocation of IPs for Service of type LoadBalancer, you must enable the IPAM configurations in NetScaler Ingress Controller as show below: + + ``` + helm install my-release ./netscaler-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ipam=true,exporter.required=true + ``` +If you are using ingress resources, you must set the `ingressIP` to a valid IP Address which will enable the BGP route advertisement for this IP when ingress resource is deployed. + + ``` + helm install my-release ./netscaler-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ingressIP=, exporter.required=true + ``` + +#### For OpenShift: +Add the name of the service account created when the chart is deployed to the privileged Security Context Constraints of OpenShift: + + ``` + oc adm policy add-scc-to-user privileged system:serviceaccount:: + ``` + +#### 1. NetScaler CPX DaemonSet with NetScaler Ingress Controller running as side car for BGP Advertisement. +To install the chart with the release name, `my-release`, use the following command: + ``` + helm install my-release ./netscaler-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,openshift=true + ``` +If you are running NetScaler IPAM controller for auto allocation of IPs for Service of type LoadBalancer, you must enable the IPAM configurations in NetScaler Ingress Controller as show below: + + ``` + helm install my-release ./netscaler-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ipam=true,openshift=true + ``` + + If you are using ingress or Route resources, you must set the `ingressIP` to a valid IP Address which will enable the BGP route advertisement for this IP when ingress resource is deployed. 
+ + ``` + helm install my-release ./netscaler-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ingressIP=,openshift=true + ``` + +#### 2. NetScaler CPX with NetScaler Ingress Controller and Exporter running as side car for BGP Advertisement. +[Metrics exporter](https://github.com/netscaler/netscaler-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed as sidecar to the NetScaler CPX and collects metrics from the NetScaler CPX instance. You can then [visualize these metrics](https://docs.netscaler.com/en-us/citrix-k8s-ingress-controller/metrics/promotheus-grafana.html) using Prometheus Operator and Grafana. +> **Note:** +> +> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). + +Use the following command for this: + ``` + helm install my-release ./netscaler-cpx-with-ingress-controller --set license.accept=yes,openshift=true,openshift=true,exporter.required=true + ``` +If you are running NetScaler IPAM controller for auto allocation of IPs for Service of type LoadBalancer, you must enable the IPAM configurations in NetScaler Ingress Controller as show below: + + ``` + helm install my-release ./netscaler-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ipam=true,openshift=true,exporter.required=true + ``` + +If you are using ingress or Route resources, you must set the `ingressIP` to a valid IP Address which will enable the BGP route advertisement for this IP when ingress resource is deployed. + + ``` + helm install my-release ./netscaler-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ingressIP=,openshift=true,exporter.required=true + ``` + +## CRDs configuration + +CRDs will be installed when we install NetScaler ingress controller via Helm automatically if CRDs are not installed in cluster already. If you wish to skip the CRD installation step, you can pass the --skip-crds flag. 
For more information about this option in Helm please see [this](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/). + +There are a few examples of how to use these CRDs, which are placed in the folder: [Example-CRDs](https://github.com/netscaler/netscaler-helm-charts/tree/master/example-crds). Refer to them and install as needed, using the following command: +```kubectl create -f ``` + +### Details of the supported CRDs: + +#### authpolicies CRD: + +Authentication policies are used to enforce access restrictions to resources hosted by an application or an API server. + +NetScaler provides a Kubernetes CustomResourceDefinitions (CRDs) called the [Auth CRD](https://github.com/netscaler/netscaler-k8s-ingress-controller/tree/master/crd/auth) that you can use with the NetScaler ingress controller to define authentication policies on the ingress NetScaler. + +Example file: [auth_example.yaml](https://github.com/netscaler/netscaler-helm-charts/tree/master/example-crds/auth_example.yaml) + +#### continuousdeployments CRD for canary: + +Canary release is a technique to reduce the risk of introducing a new software version in production by first rolling out the change to a small subset of users. After user validation, the application is rolled out to the larger set of users. NetScaler-Integrated [Canary Deployment solution](https://github.com/netscaler/netscaler-k8s-ingress-controller/tree/master/crd/canary) stitches together all components of continuous delivery (CD) and makes canary deployment easier for the application developers. + +#### httproutes and listeners CRDs for contentrouting: + +[Content Routing (CR)](https://github.com/netscaler/netscaler-k8s-ingress-controller/tree/master/crd/contentrouting) is the execution of defined rules that determine the placement and configuration of network traffic between users and web applications, based on the content being sent. For example, a pattern in the URL or header fields of the request. 
+ +Example files: [HTTPRoute_crd.yaml](https://github.com/netscaler/netscaler-helm-charts/tree/master/example-crds/HTTPRoute_crd.yaml), [Listener_crd.yaml](https://github.com/netscaler/netscaler-helm-charts/tree/master/example-crds/Listener_crd.yaml) + +#### ratelimits CRD: + +In a Kubernetes deployment, you can [rate limit the requests](https://github.com/netscaler/netscaler-k8s-ingress-controller/tree/master/crd/ratelimit) to the resources on the back end server or services using rate limiting feature provided by the ingress NetScaler. + +Example files: [ratelimit-example1.yaml](https://github.com/netscaler/netscaler-helm-charts/tree/master/example-crds/ratelimit-example1.yaml), [ratelimit-example2.yaml](https://github.com/netscaler/netscaler-helm-charts/tree/master/example-crds/ratelimit-example2.yaml) + +#### vips CRD: + +NetScaler provides a CustomResourceDefinitions (CRD) called [VIP](https://github.com/netscaler/netscaler-k8s-ingress-controller/tree/master/crd/vip) for asynchronous communication between the IPAM controller and NetScaler ingress controller. + +The IPAM controller is provided by NetScaler for IP address management. It allocates IP address to the service from a defined IP address range. The NetScaler ingress controller configures the IP address allocated to the service as virtual IP (VIP) in NetScaler VPX. And, the service is exposed using the IP address. + +When a new service is created, the NetScaler ingress controller creates a CRD object for the service with an empty IP address field. The IPAM Controller listens to addition, deletion, or modification of the CRD and updates it with an IP address to the CRD. Once the CRD object is updated, the NetScaler ingress controller automatically configures NetScaler-specfic configuration in the tier-1 NetScaler VPX. 
+ +#### rewritepolicies CRD: + +In kubernetes environment, to deploy specific layer 7 policies to handle scenarios such as, redirecting HTTP traffic to a specific URL, blocking a set of IP addresses to mitigate DDoS attacks, imposing HTTP to HTTPS and so on, requires you to add appropriate libraries within the microservices and manually configure the policies. Instead, you can use the [Rewrite and Responder features](https://github.com/netscaler/netscaler-k8s-ingress-controller/blob/master/crd/rewrite-policy/rewrite-responder-policies-deployment.yaml) provided by the Ingress NetScaler device to deploy these policies. + +Example files: [target-url-rewrite.yaml](https://github.com/netscaler/netscaler-k8s-ingress-controller/blob/master/simplified-deployment-usecases/CRDs/rewrite.md#url-manipulation) + +#### wafs CRD: + +[WAF CRD](https://github.com/netscaler/netscaler-k8s-ingress-controller/blob/master/docs/crds/waf.md) can be used to configure the web application firewall policies with the NetScaler ingress controller on the NetScaler VPX, MPX, SDX, and CPX. The WAF CRD enables communication between the NetScaler ingress controller and NetScaler for enforcing web application firewall policies. + +In a Kubernetes deployment, you can enforce a web application firewall policy to protect the server using the WAF CRD. For more information about web application firewall, see [Web application security](https://docs.netscaler.com/en-us/citrix-adc/current-release/application-firewall/introduction-to-citrix-web-app-firewall.html). + +Example files: [wafhtmlxsssql.yaml](https://github.com/netscaler/netscaler-helm-charts/tree/master/example-crds/wafhtmlxsssql.yaml) + +#### CORS CRD: + +[CORS CRD](https://github.com/netscaler/netscaler-k8s-ingress-controller/blob/master/docs/crds/cors.md) Cross-origin resource sharing (CORS) is a mechanism allows a web application running under one domain to securely access resources in another domain. 
You can configure CORS policies on NetScaler using NetScaler ingress controller to allow one domain (the origin domain) to call APIs in another domain. For more information, see the [cross-origin resource sharing CRD](https://github.com/netscaler/netscaler-k8s-ingress-controller/blob/master/docs/crds/cors.md) documentation. + +Example files: [cors-crd.yaml](https://github.com/netscaler/netscaler-helm-charts/tree/master/example-crds/corspolicy-example.yaml) + +#### APPQOE CRD: + +[APPQOE CRD](https://github.com/netscaler/netscaler-k8s-ingress-controller/blob/master/docs/crds/appqoe.md) When a NetScaler appliance receives an HTTP request and forwards it to a back-end server, sometimes there may be connection failures with the back-end server. You can configure the request-retry feature on NetScaler to forward the request to the next available server, instead of sending the reset to the client. Hence, the client saves round trip time when NetScaler initiates the same request to the next available service. +For more information, see the AppQoE support documentation. [Appqoe resource sharing CRD](https://github.com/netscaler/netscaler-k8s-ingress-controller/blob/master/docs/crds/appqoe.md) documentation. + +Example files: [appqoe-crd.yaml](https://github.com/netscaler/netscaler-helm-charts/tree/master/example-crds/appqoe_example.yaml) + +#### WILDCARDDNS CRD: + +[WILDCARDDNS CRD](https://github.com/netscaler/netscaler-k8s-ingress-controller/blob/master/docs/crds/wildcarddns.md) Wildcard DNS domains are used to handle requests for nonexistent domains and subdomains. In a zone, use wildcard domains to redirect queries for all nonexistent domains or subdomains to a particular server, instead of creating a separate Resource Record (RR) for each domain. The most common use of a wildcard DNS domain is to create a zone that can be used to forward mail from the internet to some other mail system. +For more information, see the Wild card DNS domains support documentation. 
[Wildcard DNS Entry CRD](https://github.com/netscaler/netscaler-k8s-ingress-controller/blob/master/docs/crds/wildcarddns.md) documentation. + +Example files: [wildcarddns-crd.yaml](https://github.com/netscaler/netscaler-helm-charts/tree/master/example-crds/wildcarddns-example.yaml) + +## NetScaler CPX servicetype LoadBalancer +NetScaler CPX can be installed with service having servicetype LoadBalancer. Following arguments can be used in the `helm install` command for the same: + +``` +helm install netscaler-cpx-with-ingress-controller netscaler/netscaler-cpx-with-ingress-controller --set license.accept=yes,serviceType.loadBalancer.enabled=True +``` + +## NetScaler CPX servicetype NodePort +NetScaler CPX can be installed with service having servicetype Nodeport. Following arguments can be used in the `helm install` command for the same: + +``` +helm install netscaler-cpx-with-ingress-controller netscaler/netscaler-cpx-with-ingress-controller --set license.accept=yes,serviceType.nodePort.enabled=True +``` + +Additionally, `serviceType.nodePort.httpPort` and `serviceType.nodePort.httpsPort` arguments can be used to select the nodePort for the CPX service for HTTP and HTTPS ports. + +### Tolerations + +Taints are applied on cluster nodes whereas tolerations are applied on pods. Tolerations enable pods to be scheduled on node with matching taints. For more information see [Taints and Tolerations in Kubernetes](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/). + +Toleration can be applied to pod running NetScaler CPX and ingress controller containers using `tolerations` argument while deploying CPX+NSIC using helm chart. This argument takes list of tolerations that user need to apply on the CPX+NSIC pods. 
+ +For example, following command can be used to apply toleration on the CPX+NSIC pod: + +``` +helm install my-release netscaler/netscaler-cpx-with-ingress-controller --set license.accept=yes,tolerations[0].key=,tolerations[0].value=,tolerations[0].operator=,tolerations[0].effect= +``` + +Here tolerations[0].key, tolerations[0].value and tolerations[0].effect are the key, value and effect that was used while tainting the node. +Effect represents what should happen to the pod if the pod don't have any matching toleration. It can have values `NoSchedule`, `NoExecute` and `PreferNoSchedule`. +Operator represents the operation to be used for key and value comparison between taint and tolerations. It can have values `Exists` and `Equal`. The default value for operator is `Equal`. + +### Resource Quotas +There are various use-cases when resource quotas are configured on the Kubernetes cluster. If quota is enabled in a namespace for compute resources like cpu and memory, users must specify requests or limits for those values; otherwise, the quota system may reject pod creation. The resource quotas for the NSIC and CPX containers can be provided explicitly in the helm chart. + +To set requests and limits for the NSIC container, use the variables `nsic.resources.requests` and `nsic.resources.limits` respectively. +Similarly, to set requests and limits for the CPX container, use the variable `resources.requests` and `resources.limits` respectively. 
+ +Below is an example of the helm command that configures + +A) For NSIC container: + + CPU request for 500milli CPUs + + CPU limit at 1000m + + Memory request for 512M + + Memory limit at 1000M + +B) For CPX container: + + CPU request for 250milli CPUs + + CPU limit at 500m + + Memory request for 256M + + Memory limit at 512M + +``` +helm install my-release netscaler/netscaler-cpx-with-ingress-controller --set license.accept=yes --set nsic.resources.requests.cpu=500m,nsic.resources.requests.memory=512Mi,nsic.resources.limits.cpu=1000m,nsic.resources.limits.memory=1000Mi --set resources.limits.cpu=500m,resources.limits.memory=512Mi,resources.requests.cpu=250m,resources.requests.memory=256Mi +``` + +### Analytics Configuration +#### Analytics Configuration required for ADM + +If NetScaler CPX needs to send data to the ADM for analytics purpose, then the below steps can be followed to install NetScaler CPX with ingress controller. NSIC configures the NetScaler CPX with the configuration required for analytics. + +1. Create secret using ADM Agent credentials, which will be used by NetScaler CPX to communicate with ADM Agent: + +``` +kubectl create secret generic admlogin --from-literal=username= --from-literal=password= +``` + +|Note: If you have installed container based `adm-agent` using [this](https://github.com/netscaler/netscaler-helm-charts/tree/master/adm-agent) helm chart, above step is not required, you just need to tag the namespace where the CPX is being deployed with `citrix-cpx=enabled`. + +2. 
Deploy NetScaler CPX with NSIC using helm command: + +``` +helm repo add netscaler https://netscaler.github.io/netscaler-helm-charts/ + +helm install my-release netscaler/netscaler-cpx-with-ingress-controller --set license.accept=yes,analyticsConfig.required=true,analyticsConfig.distributedTracing.enable=true,analyticsConfig.endpoint.transactions.service=,ADMSettings.ADMIP=,ADMSettings.loginSecret=,analyticsConfig.transactions.enable=true,analyticsConfig.transactions.port=5557 +``` +|Note: For container based ADM agent, please provide the logstream service FQDN in `analyticsConfig.endpoint.transactions.service`. The `logstream` service will be running on port `5557`. + +#### Analytics Configuration required for NSOE + +If NetScaler CPX needs to send data to the NSOE for observability, then the below steps can be followed to install NetScaler CPX with ingress controller. NSIC configures NetScaler CPX with the configuration required. + +Deploy NetScaler CPX with NSIC using helm command: + +``` +helm repo add netscaler https://netscaler.github.io/netscaler-helm-charts/ + +helm install my-release netscaler/netscaler-cpx-with-ingress-controller --set license.accept=yes,analyticsConfig.required=true,analyticsConfig.timeseries.metrics.enable=true,analyticsConfig.timeseries.port=5563,analyticsConfig.timeseries.metrics.mode=prometheus,analyticsConfig.transactions.enable=true,analyticsConfig.transactions.port=5557,analyticsConfig.distributedTracing.enable=true,analyticsConfig.endpoint.metrics.service=,analyticsConfig.endpoint.transactions.service= +``` + +#### Analytics Configuration required for export of metrics to Prometheus + +If NetScaler CPX needs to send data to Prometheus directly without an exporter resource in between, then the below steps can be followed to install NetScaler CPX with ingress controller. NSIC configures NetScaler CPX with the configuration required. + +1. 
Create secret to enable read-only access for a user, which will be required by NetScaler CPX to export metrics to Prometheus. + +``` +kubectl create secret generic prom-user --from-literal=username= --from-literal=password= +``` + +2. Deploy NetScaler CPX with NSIC using helm command: + +``` +helm repo add netscaler https://netscaler.github.io/netscaler-helm-charts/ + +helm install my-release netscaler/netscaler-cpx-with-ingress-controller --set license.accept=yes,nsic.prometheusCredentialSecret=,analyticsConfig.required=true,analyticsConfig.timeseries.metrics.enable=true,analyticsConfig.timeseries.port=5563,analyticsConfig.timeseries.metrics.mode=prometheus,analyticsConfig.timeseries.metrics.enableNativeScrape=true +``` + +3. To setup Prometheus in order to scrape natively from NetScaler CPX pod, a new scrape job is required to be added under scrape_configs in the Prometheus [configuration](https://prometheus.io/docs/prometheus/latest/configuration/configuration/). For more details, check kubernetes_sd_config [here](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#kubernetes_sd_config). 
A sample of the Prometheus job is given below - + +``` + - job_name: 'kubernetes-cpx' + scheme: http + metrics_path: /nitro/v1/config/systemfile + params: + args: ['filename:metrics_prom_ns_analytics_time_series_profile.log,filelocation:/var/nslog'] + format: ['prometheus'] + basic_auth: + username: # Prometheus username set in nsic.prometheusCredentialSecret + password: # Prometheus password set in nsic.prometheusCredentialSecret + scrape_interval: 30s + kubernetes_sd_configs: + - role: pod + relabel_configs: + - source_labels: [__meta_kubernetes_pod_annotation_netscaler_prometheus_scrape] + action: keep + regex: true + - source_labels: [__address__, __meta_kubernetes_pod_annotation_netscaler_prometheus_port] + action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + target_label: __address__ + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: kubernetes_namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: kubernetes_pod_name +``` + +> **Note:** +> +> For more details on Prometheus integration, please refer to [this](https://docs.netscaler.com/en-us/citrix-adc/current-release/observability/prometheus-integration) + +### NetScaler CPX License Provisioning +#### Bandwidth based licensing + +By default, CPX runs with 20 Mbps bandwidth called as [CPX Express](https://www.netscaler.com/platform/cpx-container). However, for better performance and production deployments, customer needs licensed CPX instances. [NetScaler ADM](https://docs.netscaler.com/en-us/citrix-application-delivery-management-service/) is used to check out licenses for NetScaler CPX. For more detail on CPX licensing please refer [this](https://docs.netscaler.com/en-us/citrix-adc-cpx/current-release/cpx-licensing.html). + +For provisioning licensing on NetScaler CPX, it is mandatory to provide License Server information to CPX. This can be done by setting **ADMSettings.licenseServerIP** as License Server IP. 
In addition to this, **ADMSettings.bandWidthLicense** needs to be set true and desired bandwidth capacity in Mbps should be set **ADMSettings.bandWidth**. +For example, to set 2Gbps as bandwidth capacity, below command can be used. + + ``` +helm repo add netscaler https://netscaler.github.io/netscaler-helm-charts/ + +helm install my-release netscaler/netscaler-cpx-with-ingress-controller --set license.accept=yes --set ADMSettings.licenseServerIP=,ADMSettings.bandWidthLicense=True --set ADMSettings.bandWidth=2000,ADMSettings.licenseEdition="ENTERPRISE" +``` + +#### vCPU based licensing + +For vCPU based licensing on NetScaler CPX, set `ADMSettings.vCPULicense` as True and `ADMSettings.cpxCores` with the number of cores that can be allocated for the CPX. + +``` +helm repo add netscaler https://netscaler.github.io/netscaler-helm-charts/ + +helm install my-release netscaler/netscaler-cpx-with-ingress-controller --set license.accept=yes --set ADMSettings.licenseServerIP=,ADMSettings.vCPULicense=True --set ADMSettings.cpxCores=4,ADMSettings.licenseEdition="ENTERPRISE" +``` + +### Bootup Configuration for NetScaler CPX +To add bootup config on NetScaler CPX, add commands below `cpxCommands` and `cpxShellCommands` in the values.yaml file. The commands will be executed in order. + +For e.g. to add `X-FORWARDED-PROTO` header in all request packets processed by the CPX, add below commands under `cpxCommands` in the `values.yaml` file. + +``` +cpxCommands: | + add rewrite action rw_act_x_forwarded_proto insert_http_header X-Forwarded-Proto "\"https\"" + add rewrite policy rw_pol_x_forwarded_proto CLIENT.SSL.IS_SSL rw_act_x_forwarded_proto + bind rewrite global rw_pol_x_forwarded_proto 10 -type REQ_OVERRIDE +``` + +Commands that needs to be executed in shell of CPX should be kept under `cpxShellCommands` in the `values.yaml` file. 
+ +``` +cpxShellCommands: | + touch /etc/a.txt + echo "this is a" > /etc/a.txt + echo "this is the file" >> /etc/a.txt + ls >> /etc/a.txt +``` + +## Configuration +The following table lists the configurable parameters of the NetScaler CPX with NetScaler ingress controller as side car chart and their default values. + +| Parameters | Mandatory or Optional | Default value | Description | +| ---------- | --------------------- | ------------- | ----------- | +| license.accept | Mandatory | no | Set `yes` to accept the NetScaler ingress controller end user license agreement. | +| imageRegistry | Mandatory | `quay.io` | The NetScaler CPX image registry | +| imageRepository | Mandatory | `netscaler/netscaler-cpx` | The NetScaler CPX image repository | +| imageTag | Mandatory | `14.1-25.111` | The NetScaler CPX image tag | +| pullPolicy | Mandatory | IfNotPresent | The NetScaler CPX image pull policy. | +| daemonSet | Optional | False | Set this to true if NetScaler CPX needs to be deployed as DaemonSet. | +| hostName | Optional | N/A | This entity will be used to set Hostname of the CPX | +| nsic.imageRegistry | Mandatory | `quay.io` | The NetScaler ingress controller image registry | +| nsic.imageRepository | Mandatory | `netscaler/netscaler-k8s-ingress-controller` | The NetScaler ingress controller image repository | +| nsic.imageTag | Mandatory | `2.1.4` | The NetScaler ingress controller image tag | +| nsic.pullPolicy | Mandatory | IfNotPresent | The NetScaler ingress controller image pull policy. 
| +| nsic.required | Mandatory | true | NSIC to be run as sidecar with NetScaler CPX | +| nsic.enableLivenessProbe| Optional | True | Enable liveness probe settings for NetScaler Ingress Controller | +| nsic.enableReadinessProbe| Optional | True | Enable Readineess probe settings for NetScaler Ingress Controller | +| nsic.livenessProbe | Optional | N/A | Set livenessProbe settings for NSIC | +| nsic.readinessProbe | Optional | N/A | Set readinessProbe settings| +| nsic.resources | Optional | {} | CPU/Memory resource requests/limits for NetScaler Ingress Controller container | +| nsic.rbacRole | Optional | false | To deploy NSIC with RBAC Role set rbacRole=true; by default NSIC gets installed with RBAC ClusterRole(rbacRole=false)) | +| nsic.prometheusCredentialSecret | Optional | N/A | The secret key required to create read only user for native export of metrics using Prometheus. | +| imagePullSecrets | Optional | N/A | Provide list of Kubernetes secrets to be used for pulling the images from a private Docker registry or repository. For more information on how to create this secret please see [Pull an Image from a Private Registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/). | +| nameOverride | Optional | N/A | String to partially override deployment fullname template with a string (will prepend the release name) | +| fullNameOverride | Optional | N/A | String to fully override deployment fullname template with a string | +| resources | Optional | {} | CPU/Memory resource requests/limits for NetScaler CPX container | +| nitroReadTimeout | Optional | 20 | The nitro Read timeout in seconds, defaults to 20 | +| logLevel | Optional | INFO | The loglevel to control the logs generated by NSIC. The supported loglevels are: CRITICAL, ERROR, WARNING, INFO, DEBUG, TRACE and NONE. 
For more information, see [Logging](https://github.com/netscaler/netscaler-k8s-ingress-controller/blob/master/docs/configure/log-levels.md).| +| jsonLog | Optional | false | Set this argument to true if log messages are required in JSON format | +| nsConfigDnsRec | Optional | false | To enable/disable DNS address Record addition in NetScaler through Ingress | +| nsSvcLbDnsRec | Optional | false | To enable/disable DNS address Record addition in NetScaler through Type Load Balancer Service | +| nsDnsNameserver | Optional | N/A | To add DNS Nameservers in NetScaler | +| optimizeEndpointBinding | Optional | false | To enable/disable binding of backend endpoints to servicegroup in a single API-call. Recommended when endpoints(pods) per application are large in number. Applicable only for NetScaler Version >=13.0-45.7 | +| defaultSSLCertSecret | Optional | N/A | Provide Kubernetes secret name that needs to be used as a default non-SNI certificate in NetScaler. | +| defaultSSLSNICertSecret | Optional | N/A | Provide Kubernetes secret name that needs to be used as a default SNI certificate in NetScaler. | +| nsHTTP2ServerSide | Optional | OFF | Set this argument to `ON` for enabling HTTP2 for NetScaler service group configurations. | +| cpxLicenseAggregator | Optional | N/A | IP/FQDN of the CPX License Aggregator if it is being used to license the CPX. | +| nsCookieVersion | Optional | 0 | Specify the persistence cookie version (0 or 1). | +| profileSslFrontend | Optional | N/A | Specify the frontend SSL profile. For Details see [Configuration using FRONTEND_SSL_PROFILE](https://docs.netscaler.com/en-us/citrix-k8s-ingress-controller/configure/profiles.html#global-front-end-profile-configuration-using-configmap-variables) | +| profileTcpFrontend | Optional | N/A | Specify the frontend TCP profile. 
For Details see [Configuration using FRONTEND_TCP_PROFILE](https://docs.netscaler.com/en-us/citrix-k8s-ingress-controller/configure/profiles.html#global-front-end-profile-configuration-using-configmap-variables) | +| profileHttpFrontend | Optional | N/A | Specify the frontend HTTP profile. For Details see [Configuration using FRONTEND_HTTP_PROFILE](https://docs.netscaler.com/en-us/citrix-k8s-ingress-controller/configure/profiles.html#global-front-end-profile-configuration-using-configmap-variables) | +| logProxy | Optional | N/A | Provide Elasticsearch or Kafka or Zipkin endpoint for NetScaler observability exporter. | +| nsProtocol | Optional | http | Protocol http or https used for the communication between NetScaler Ingress Controller and CPX | +| nsEnableLabel | Optional | True | Set to true for plotting Servicegraph. Ensure `analyticsConfig` are set. | +| cpxBgpRouter | Optional | false| If set to true, this CPX is deployed as daemonset in BGP controller mode wherein BGP advertisements are done for attracting external traffic to Kubernetes clusters | +| replicaCount | Optional | 1 | Number of CPX-NSIC pods to be deployed. With `cpxBgpRouter : true`, replicaCount is 1 since CPX will be deployed as DaemonSet | +| nsIP | Optional | 192.168.1.2 | NSIP used by CPX for internal communication when run in Host mode, i.e when cpxBgpRouter is set to true. A /24 internal network is created in this IP range which is used for internal communications withing the network namespace. | +| nsGateway | Optional | 192.168.1.1 | Gateway used by CPX for internal communication when run in Host mode, i.e when cpxBgpRouter is set to true. If not specified, first IP in the nsIP network is used as gateway. 
It must be in same network as nsIP | +| bgpPort | Optional | 179 | BGP port used by CPX for BGP advertisement if cpxBgpRouter is set to true| +| ingressIP | Optional | N/A | External IP address to be used by ingress resources if not overriden by ingress.com/frontend-ip annotation in Ingress resources. This is also advertised to external routers when pxBgpRouter is set to true| +| entityPrefix | Optional | k8s | The prefix for the resources on the NetScaler CPX. | +| ingressClass | Optional | N/A | If multiple ingress load balancers are used to load balance different ingress resources. You can use this parameter to specify NetScaler ingress controller to configure NetScaler associated with specific ingress class. For more information on Ingress class, see [Ingress class support](https://docs.netscaler.com/en-us/citrix-k8s-ingress-controller/configure/ingress-classes/). For Kubernetes version >= 1.19, this will create an IngressClass object with the name specified here | +| setAsDefaultIngressClass | Optional | False | Set the IngressClass object as default. New Ingresses without an "ingressClassName" field specified will be assigned the class specified in ingressClass. Applicable only for kubernetes versions >= 1.19 | +| updateIngressStatus | Optional | False | Set this argument if you want to update ingress status of the ingress resources exposed via CPX. This is only applicable if servicetype of CPX service is LoadBalancer. | +| disableAPIServerCertVerify | Optional | False | Set this parameter to True for disabling API Server certificate verification. | +| openshift | Optional | false | Set this argument if OpenShift environment is being used. | +| disableOpenshiftRoutes | false | By default Openshift routes are processed in openshift environment, this variable can be used to disable Ingress controller processing the openshift routes. 
| +| routeLabels | Optional | proxy in () | You can use this parameter to provide the route labels selectors to be used by NetScaler Ingress Controller for routeSharding in OpenShift cluster. | +| namespaceLabels | Optional | N/A | You can use this parameter to provide the namespace labels selectors to be used by NetScaler Ingress Controller for routeSharding in OpenShift cluster. | +| sslCertManagedByAWS | Optional | False | Set this argument if SSL certs used is managed by AWS while deploying NetScaler CPX in AWS. | +| nodeSelector.key | Optional | N/A | Node label key to be used for nodeSelector option for CPX-NSIC deployment. | +| nodeSelector.value | Optional | N/A | Node label value to be used for nodeSelector option in CPX-NSIC deployment. | +| podAnnotations | Optional | N/A | Map of annotations to add to the pods. | +| affinity | Optional | N/A | Affinity labels for pod assignment. | +| tolerations | Optional | N/A | Specify the tolerations for the CPX-NSIC deployment. | +| serviceType.loadBalancer.enabled | Optional | False | Set this argument if you want servicetype of CPX service to be LoadBalancer. | +| serviceType.nodePort.enabled | Optional | False | Set this argument if you want servicetype of CPX service to be NodePort. | +| serviceType.nodePort.httpPort | Optional | N/A | Specify the HTTP nodeport to be used for NodePort CPX service. | +| serviceType.nodePort.httpsPort | Optional | N/A | Specify the HTTPS nodeport to be used for NodePort CPX service. | +| serviceAnnotations | Optional | N/A | Dictionary of annotations to be used in CPX service. Key in this dictionary is the name of the annotation and Value is the required value of that annotation. For example, [see this](#netscaler-adc-cpx-service-annotations). | +| serviceSpec.externalTrafficPolicy | Optional | Cluster | Use this parameter to provide externalTrafficPolicy for CPX service of type LoadBalancer or NodePort. 
`serviceType.loadBalancer.enabled` or `serviceType.nodePort.enabled` should be set to `true` according to your use case for using this parameter. | +| serviceSpec.loadBalancerIP | Optional | N/A | Use this parameter to provide LoadBalancer IP to CPX service of type LoadBalancer. `serviceType.loadBalancer.enabled` should be set to `true` for using this parameter. | +| serviceSpec.loadBalancerSourceRanges | Optional | N/A | Provide the list of IP Address or range which should be allowed to access the Network Load Balancer. `serviceType.loadBalancer.enabled` should be set to `true` for using this parameter. For details, see [Network Load Balancer support on AWS](https://kubernetes.io/docs/concepts/services-networking/service/#aws-nlb-support). | +| servicePorts | Optional | N/A | List of port. Each element in this list is a dictionary that contains information about the port. For example, [see this](#netscaler-adc-cpx-service-ports). | +| ADMSettings.licenseServerIP | Optional | N/A | Provide the NetScaler Application Delivery Management (ADM) IP address to license NetScaler CPX. For more information, see [Licensing]( https://docs.netscaler.com/en-us/citrix-k8s-ingress-controller/licensing/). | +| ADMSettings.licenseServerPort | Optional | 27000 | NetScaler ADM port if non-default port is used. | +| ADMSettings.ADMIP | Optional | N/A | NetScaler Application Delivery Management (ADM) IP address. | +| ADMSettings.loginSecret | Optional | N/A | The secret key to login to the ADM. For information on how to create the secret keys, see [Prerequisites](#prerequistes). | +| ADMSettings.bandWidthLicense | Optional | False | Set to true if you want to use bandwidth based licensing for NetScaler CPX. | +| ADMSettings.bandWidth | Optional | 1000 | Desired bandwidth capacity to be set for NetScaler CPX in Mbps. | +| ADMSettings.vCPULicense | Optional | N/A | Set to true if you want to use vCPU based licensing for NetScaler CPX. 
| +| ADMSettings.licenseEdition| Optional | PLATINUM | License edition that can be Standard, Platinum and Enterprise . By default, Platinum is selected.| +| ADMSettings.cpxCores | Optional | 1 | Desired number of vCPU to be set for NetScaler CPX. | +| exporter.required | Optional | false | Use the argument if you want to run the [Exporter for NetScaler Stats](https://github.com/netscaler/netscaler-adc-metrics-exporter) along with NetScaler ingress controller to pull metrics for the NetScaler CPX| +| exporter.imageRegistry | Optional | `quay.io` | The Exporter for NetScaler Stats image registry | +| exporter.imageRepository | Optional | `netscaler/netscaler-adc-metrics-exporter` | The Exporter for NetScaler Stats image repository | +| exporter.imageTag | Optional | `1.4.9` | The Exporter for NetScaler Stats image tag | +| exporter.pullPolicy | Optional | IfNotPresent | The Exporter for NetScaler Stats image pull policy. | +| exporter.resources | Optional | {} | CPU/Memory resource requests/limits for Metrics exporter container | +| exporter.ports.containerPort | Optional | 8888 | The Exporter for NetScaler Stats container port. | +| exporter.serviceMonitorExtraLabels | Optional | | Extra labels for service monitor whem NetScaler-adc-metrics-exporter is enabled. | + analyticsConfig.required | Mandatory | false | Set this to true if you want to configure NetScaler to send metrics and transaction records to analytics service. | +| analyticsConfig.distributedTracing.enable | Optional | false | Set this value to true to enable OpenTracing in NetScaler. | +| analyticsConfig.distributedTracing.samplingrate | Optional | 100 | Specifies the OpenTracing sampling rate in percentage. | +| analyticsConfig.endpoint.metrics.service | Optional | N/A | Set this value as the IP address or DNS address of the analytics server. 
Format: servicename.namespace, servicename.namespace.svc.cluster.local, namespace/servicename *** This value replaces the analyticsConfig.endpoint.server value used earlier. *** | +| analyticsConfig.endpoint.transactions.service | Optional | N/A | Set this value as the IP address or service name with namespace of the analytics service deployed in k8s environment. Format: namespace/servicename *** This value replaces the analyticsConfig.endpoint.service value used earlier. *** | +| analyticsConfig.timeseries.port | Optional | 5563 | Specify the port used to expose analytics service for timeseries endpoint. | +| analyticsConfig.timeseries.metrics.enable | Optional | Set this value to true to enable sending metrics from NetScaler. | +| analyticsConfig.timeseries.metrics.mode | Optional | avro | Specifies the mode of metric endpoint. | +| analyticsConfig.timeseries.metrics.exportFrequency | Optional | 30 | Specifies the time interval for exporting time-series data. Possible values range from 30 to 300 seconds. | +| analyticsConfig.timeseries.metrics.schemaFile | Optional | schema.json | Specifies the name of a schema file with the required Netscaler counters to be added and configured for metricscollector to export. A reference schema file reference_schema.json with all the supported counters is also available under the path /var/metrics_conf/. This schema file can be used as a reference to build a custom list of counters. | +| analyticsConfig.timeseries.metrics.enableNativeScrape | Optional | false | Set this value to true for native export of metrics. | +| analyticsConfig.timeseries.auditlogs.enable | Optional | false | Set this value to true to export audit log data from NetScaler. | +| analyticsConfig.timeseries.events.enable | Optional | false | Set this value to true to export events from the NetScaler. | +| analyticsConfig.transactions.enable | Optional | false | Set this value to true to export transactions from NetScaler. 
| +| analyticsConfig.transactions.port | Optional | 5557 | Specify the port used to expose analytics service for transaction endpoint. | +| bgpSettings.required | Optional | false | Set this argument if you want to enable BGP configurations for exposing service of Type Loadbalancer through BGP fabric| +| bgpSettings.bgpConfig | Optional| N/A| This represents BGP configurations in YAML format. For the description about individual fields, please refer the [documentation](https://github.com/netscaler/netscaler-k8s-ingress-controller/blob/master/docs/network/bgp-enhancement.md) | +| nsLbHashAlgo.required | Optional | false | Set this value to set the LB consistent hashing Algorithm | +| nsLbHashAlgo.hashFingers | Optional |256 | Specifies the number of fingers to be used for hashing algorithm. Possible values are from 1 to 1024, Default value is 256 | +| nsLbHashAlgo.hashAlgorithm | Optional | 'default' | Specifies the supported algorithm. Supported algorithms are "default", "jarh", "prac", Default value is 'default' | +| cpxCommands| Optional | N/A | This argument accepts user-provided NetScaler bootup config that is applied as soon as the CPX is instantiated. Please note that this is not a dynamic config, and any subsequent changes to the configmap don't reflect in the CPX config unless the pod is restarted. For more info, please refer the [documentation](https://docs.netscaler.com/en-us/citrix-adc-cpx/current-release/configure-cpx-kubernetes-using-configmaps.html). | +| cpxShellCommands| Optional | N/A | This argument accepts user-provided bootup config that is applied as soon as the CPX is instantiated. Please note that this is not a dynamic config, and any subsequent changes to the configmap don't reflect in the CPX config unless the pod is restarted. For more info, please refer the [documentation](https://docs.netscaler.com/en-us/citrix-adc-cpx/current-release/configure-cpx-kubernetes-using-configmaps.html). 
| +| enableStartupProbe | Optional | True | Enable startupProbe settings for CPX | +| enableLivenessProbe | Optional | True | Enable livenessProbe settings for CPX | +| startupProbe | Optional | N/A | Set startupProbe settings for CPX | +| livenessProbe | Optional | N/A | Set livenessProbe settings for CPX | + +> **Note:** +> +> If NetScaler ADM related information is not provided during installation, NetScaler CPX will come up with the default license. + +Alternatively, you can define a YAML file with the values for the parameters and pass the values while installing the chart. + +For example: + ``` + helm install netscaler-cpx-with-ingress-controller netscaler/netscaler-cpx-with-ingress-controller -f values.yaml + ``` + +> **Tip:** +> +> The [values.yaml](https://github.com/netscaler/netscaler-helm-charts/blob/master/netscaler-cpx-with-ingress-controller/values.yaml) contains the default values of the parameters. + +## Uninstalling the Chart +To uninstall/delete the ```my-release``` deployment: + ``` + helm delete my-release + ``` + +## Related documentation + +- [NetScaler CPX Documentation](https://docs.netscaler.com/en-us/citrix-adc-cpx/current-release/cpx-architecture-and-traffic-flow) +- [NetScaler ingress controller Documentation](https://docs.netscaler.com/en-us/citrix-k8s-ingress-controller/) +- [NetScaler ingress controller GitHub](https://github.com/netscaler/netscaler-k8s-ingress-controller) +- [BGP advertisement for External IPs with CPX](https://github.com/netscaler/netscaler-k8s-ingress-controller/blob/master/docs/network/bgp-enhancement.md) diff --git a/charts/netscaler/netscaler-cpx-with-ingress-controller/2.1.4/app-readme.md b/charts/netscaler/netscaler-cpx-with-ingress-controller/2.1.4/app-readme.md new file mode 100644 index 000000000..6039d0e0c --- /dev/null +++ b/charts/netscaler/netscaler-cpx-with-ingress-controller/2.1.4/app-readme.md 
@@ -0,0 +1,5 @@ +# NetScaler CPX with NetScaler Ingress Controller Running as Sidecar + +In a [Kubernetes](https://kubernetes.io/) or [OpenShift](https://www.openshift.com) cluster, you can deploy [NetScaler CPX](https://docs.netscaler.com/en-us/cpx.html) with NetScaler ingress controller as a [sidecar](https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/). The NetScaler CPX instance is used for load balancing the North-South traffic to the microservices in your cluster. And, the sidecar NetScaler ingress controller configures the NetScaler CPX. + +This chart bootstraps deployment of NetScaler CPX with NetScaler Ingress Controller as sidecar. diff --git a/charts/netscaler/netscaler-cpx-with-ingress-controller/2.1.4/crds/crds.yaml b/charts/netscaler/netscaler-cpx-with-ingress-controller/2.1.4/crds/crds.yaml new file mode 100644 index 000000000..02cda1e1a --- /dev/null +++ b/charts/netscaler/netscaler-cpx-with-ingress-controller/2.1.4/crds/crds.yaml 
@@ -0,0 +1,2502 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: rewritepolicies.citrix.com +spec: + group: citrix.com + names: + kind: rewritepolicy + plural: rewritepolicies + singular: rewritepolicy + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - name: Status + type: string + description: "Current Status of the CRD" + jsonPath: .status.state + - name: Message + type: string + description: "Status Message" + jsonPath: .status.status_message + schema: + openAPIV3Schema: + type: object + properties: + status: + type: object + properties: + state: + type: string + status_message: + type: string + spec: + type: object + properties: + ingressclass: + type: string + description: "Ingress class, if not specified then all NetScaler Ingress Controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" + rewrite-policies: + type: array + items: + type: object + properties: + servicenames: + description: 'Name of the services that needs to be binded to rewrite policy.' + type: array + items: + type: string + maxLength: 127 + goto-priority-expression: + description: 'Expression or other value specifying the next policy to be + evaluated if the current policy evaluates to TRUE. + Specify one of the following values: + * NEXT - Evaluate the policy with the next higher priority number. + * END - End policy evaluation. + Default value of goto-priority-expression: END' + type: string + maxLength: 1499 + logpackets: + type: object + description: 'Adds an audit message action. + The action specifies whether to log the message, and to which log.' + properties: + logexpression: + description: 'Default-syntax expression that defines the format and content of the log message.' 
+ type: string + maxLength: 7991 + loglevel: + description: 'Audit log level, which specifies the severity level of the log message being generated.' + type: string + enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"] + required: [logexpression, loglevel] + rewrite-policy: + type: object + properties: + rewrite-criteria: + description: 'Expression against which traffic is evaluated.' + type: string + maxLength: 1299 + default-action: + description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). + An UNDEF event indicates an internal error condition.' + type: string + maxLength: 77 + enum: ['NOREWRITE', 'RESET', 'DROP'] + operation: + description: 'Type of user-defined rewrite action.' + type: string + enum: ["noop", "delete", "insert_http_header", "delete_http_header", + "corrupt_http_header", "insert_before", "insert_after", "replace", + "replace_http_res", "delete_all", "replace_all", "insert_before_all", + "insert_after_all", "clientless_vpn_encode", "clientless_vpn_encode_all", + "clientless_vpn_decode", "clientless_vpn_decode_all", "insert_sip_header", + "delete_sip_header", "corrupt_sip_header", "replace_sip_res", "replace_diameter_header_field", + "replace_dns_header_field", "replace_dns_answer_section"] + target: + description: 'Default syntax expression that specifies which part of the request or response to rewrite.' + type: string + maxLength: 1229 + modify-expression: + description: 'Default syntax expression that specifies the content to insert into the request + or response at the specified location, or that replaces the specified string.' + type: string + maxLength: 7991 + multiple-occurence-modify: + description: 'Search facility that is used to match multiple strings in the request or response.' + type: string + maxLength: 171 + additional-multiple-occurence-modify: + description: 'Specify additional criteria to refine the results of the search. 
+ Always starts with the "extend(m,n)" operation, where "m" specifies number of bytes to the left of selected data + and "n" specifies number of bytes to the right of selected data. + You can use refineSearch only on body expressions, and only when rewrite-criteria is any one of this: + INSERT_BEFORE_ALL, INSERT_AFTER_ALL, REPLACE_ALL, and DELETE_ALL.' + type: string + maxLength: 1299 + direction: + description: 'Bind point to which to bind the policy.' + type: string + enum: ["REQUEST","RESPONSE"] + comment: + description: 'Any comments to preserve information about this rewrite policy.' + type: string + maxLength: 255 + required: [rewrite-criteria, operation, target, direction] + required: [rewrite-policy] + + responder-policies: + type: array + items: + type: object + properties: + servicenames: + description: 'Name of the services that needs to be binded to responder policy.' + type: array + items: + type: string + maxLength: 127 + goto-priority-expression: + description: 'Expression or other value specifying the next policy to be + evaluated if the current policy evaluates to TRUE. + Specify one of the following values: + * NEXT - Evaluate the policy with the next higher priority number. + * END - End policy evaluation. + Default value of goto-priority-expression: END' + type: string + maxLength: 1499 + logpackets: + type: object + description: 'Adds an audit message action. + The action specifies whether to log the message, and to which log.' + properties: + logexpression: + description: 'Default-syntax expression that defines the format and content of the log message.' + type: string + maxLength: 7991 + loglevel: + description: 'Audit log level, which specifies the severity level of the log message being generated.' 
+ type: string + enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", + "NOTICE", "INFORMATIONAL", "DEBUG"] + required: [logexpression, loglevel] + responder-policy: + type: object + properties: + redirect: + type: object + description: 'Use this option when you want to Redirect the request when request matches to policy.' + properties: + url: + description: 'URL on which you want to redirect the request.' + type: string + maxLength: 7991 + redirect-status-code: + description: 'HTTP response status code, for example 200, 302, 404, etc.' + type: integer + minimum: 100 + maximum: 599 + redirect-reason: + description: 'Expression specifying the reason for redirecting the request.' + type: string + maxLength: 7991 + required: [url] + respondwith: + type: object + description: 'Use this parameter when you want to respond to the request when request matches to policy.' + properties: + http-payload-string: + description: 'Expression that you want to sent as response to the request.' + type: string + maxLength: 7991 + required: [http-payload-string] + noop: + type: string + description: 'Use this option when you want to send the request to the protected server instead of + responding to it when request matches to policy.' + properties: + target: + description: 'Default syntax expression that specifies to perform noop operation on' + type: string + maxLength: 1229 + reset: + type: string + description: 'Use this option when you want to Reset the client connection by closing it when request matches to policy.' + properties: + drop: + type: string + description: 'Use this option when you want to drop the request without sending a response to the user when request matches to policy.' + properties: + respond-criteria: + description: 'Default syntax expression that the policy uses to determine whether to respond to the specified request.' 
+ type: string + maxLength: 1299 + default-action: + description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). + An UNDEF event indicates an internal error condition.' + type: string + maxLength: 77 + enum: ['NOOP', 'RESET', 'DROP'] + comment: + description: 'Any comments to preserve information about this responder policy.' + type: string + maxLength: 255 + required: [respond-criteria] + oneOf: [required: [redirect], required: [respondwith], required: [noop], required: [reset], required: [drop]] + required: [responder-policy] + + dataset: + type: array + items: + type: object + properties: + name: + description: 'Name of the dataset.' + type: string + maxLength: 32 + type: + description: 'Type of value to bind to the dataset.' + type: string + enum: ["ipv4", "number", "ipv6", "ulong", "double", "mac"] + comment: + description: 'Any comments to preserve information about this dataset.' + type: string + maxLength: 255 + values: + description: 'Value of the specified type that is associated with this dataset.' + type: array + items: + type: string + required: [name, type, values] + + patset: + type: array + items: + type: object + properties: + name: + description: 'Name of the Patset.' + type: string + maxLength: 32 + comment: + description: 'Any comments to preserve information about this patset.' + type: string + maxLength: 255 + values: + description: 'String of characters that constitutes a pattern and is associated with this patset.' + type: array + items: + type: string + required: [name, values] + + stringmap: + type: array + items: + type: object + properties: + name: + description: 'Name of the Stringmap.' + type: string + maxLength: 32 + comment: + description: 'Any comments to preserve information about this stringmap.' + type: string + maxLength: 255 + values: + description: 'List of (key,value) pairs to be bound to this string map.' 
+ type: array + items: + type: object + properties: + key: + description: 'Character string constituting the key to be bound to this string map.' + type: string + maxLength: 2047 + value: + description: 'Character string constituting the value associated with the key.' + type: string + maxLength: 2047 + required: [name, values] + + httpcallout_policy: + type: array + items: + type: object + properties: + name: + description: 'httpcallout name' + type: string + maxLength: 32 + server_ip: + description: 'IP Address of the server(callout agent) to which the callout is sent.' + type: string + server_port: + description: 'Port of the server(callout agent) to which the callout is sent.' + type: integer + minimum: 1 + maximum: 65535 + http_method: + description: |+ + 'Method used in the HTTP request that this callout sends. + Default http method is GET' + type: string + enum: ['GET', 'POST'] + host_expr: + description: |+ + 'String expression to configure the Host header. Can contain a literal value + (for example, 10.101.10.11) or a derived value (for example, http.req.header("Host")). + The literal value can be an IP address or a fully qualified domain name. Mutually + exclusive with the full HTTP request expression.' + type: string + maxLength: 255 + url_stem_expr: + description: |+ + 'String expression for generating the URL stem. Can contain a literal string + (for example, "/mysite/index.html") or an expression that derives the value + (for example, http.req.url).' + type: string + maxLength: 8191 + headers: + type: array + description: |+ + 'One or more headers to insert into the HTTP request. Each header is represented by + name and expr, where expr is an expression that is evaluated at runtime to provide + the value for the named header. You can configure a maximum of eight headers for + an HTTP callout.' 
+ items: + type: object + properties: + name: + description: 'header name' + type: string + expr: + description: 'header expression' + type: string + parameters: + type: array + description: |+ + 'One or more query parameters to insert into the HTTP request URL (for a GET request) + or into the request body (for a POST request). Each parameter is represented by + name and expr, where expr is an expression that is evaluated at run time to provide + the value for the named parameter (name=value). The parameter values are URL encoded.' + items: + type: object + properties: + name: + description: 'parameter name' + type: string + expr: + description: 'parameter expression' + type: string + body_expr: + description: |+ + 'An advanced string expression for generating the body of the request. + The expression can contain a literal string or an expression that derives + the value (for example, client.ip.src).' + type: string + full_req_expr: + description: |+ + 'Exact HTTP request, in the form of an expression, which the NetScaler sends + to the callout agent. The request expression is constrained by the feature + for which the callout is used. For example, an HTTP.RES expression cannot be + used in a request-time policy bank or in a TCP content switching policy bank.' + type: string + scheme: + description: |+ + 'Type of scheme for the callout server. + Default scheme is HTTP' + type: string + enum: ['HTTP', 'HTTPS'] + cache_for_secs: + description: |+ + 'Duration, in seconds, for which the callout response is cached. + The cached responses are stored in an integrated caching content + group named "calloutContentGroup". If no duration is configured, + the callout responses will not be cached unless normal caching + configuration is used to cache them. This parameter takes precedence over any + normal caching configuration that would otherwise apply to these responses.' 
+ type: integer + minimum: 1 + maximum: 31536000 + return_type: + description: |+ + 'Type of data that the target callout agent returns in response to the callout + Available settings function as follows: + * TEXT - Treat the returned value as a text string. + * NUM - Treat the returned value as a number. + * BOOL - Treat the returned value as a Boolean value.' + type: string + enum: ['TEXT', 'NUM', 'BOOL'] + result_expr: + description: |+ + 'Expression that extracts the callout results from the response sent by the HTTP callout + agent. Must be a response based expression, that is, it must begin with HTTP.RES. The + operations in this expression must match the return type. For example, if you configure + a return type of TEXT, the result expression must be a text based expression. If the + return type is NUM, the result expression (resultExpr) must return a numeric value, + as in the following example: http.res.body(10000).length.' + type: string + maxLength: 8191 + comment: + description: 'Any comments to preserve information about this HTTP callout.' 
+ type: string + maxLength: 255 + allOf: + - properties: + required: [name, server_ip, server_port] + - properties: + oneOf: + - properties: + required: [full_req_expr] + - properties: + anyOf: + - properties: + required: [http_method] + - properties: + required: [host_expr] + - properties: + required: [url_stem_expr] + - properties: + required: [headers] + - properties: + required: [parameters] + - properties: + required: [body_expr] + anyOf: [required: [rewrite-policies], required: [responder-policies]] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ratelimits.citrix.com +spec: + group: citrix.com + names: + kind: ratelimit + plural: ratelimits + singular: ratelimit + scope: Namespaced + versions: + - name: v1beta1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - name: Status + type: string + description: "Current Status of the CRD" + jsonPath: .status.state + - name: Message + type: string + description: "Status Message" + jsonPath: .status.status_message + schema: + openAPIV3Schema: + type: object + properties: + status: + type: object + properties: + state: + type: string + status_message: + type: string + spec: + type: object + properties: + ingressclass: + type: string + description: "Ingress class, if not specified then all NetScaler Ingress Controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" + servicenames: + description: 'Name of the services to which the ratelimit policies are applied.' + type: array + items: + type: string + maxLength: 127 + selector_keys: + type: object + description: 'Traffic match criteria to which apply above rate-limit/throttling. All keys are applied as AND condition. 
If no keys are specified, rate-limit applies at service level' + properties: + basic: + type: object + description: "Basic traffic stream selection criteria to which to apply the ratelimit" + properties: + path: + type: array + description: "api resource path prefix match. e.g. /api/v1/products" + items: + type: string + method: + type: array + items: + type: string + enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT','PATCH', 'UNKNOWN_METHOD'] + header_name: + description: "HTTP header that identifies the unique API client for e.g. X-apikey" + type: string + per_client_ip: + description: "Setting this applies the throttling limit to each unique Client IP address accessing the API resource" + type: boolean + req_threshold: + description: 'Max requests per timeslice units to be allowed' + type: integer + timeslice: + description: 'Timeslice in miliseconds in multiple of 10. Defaults to 1000 miliseconds' + type: integer + limittype: + description: "Burst mode or smooth. Defaults to smooth limittype if not specified" + type: string + enum: ['BURSTY','SMOOTH'] + throttle_action: + type: string + enum: ['DROP', 'RESET','REDIRECT', 'RESPOND'] + description: "Drop will drop the requests exceeding limits, RESET will reset the client connection, Redirect will redirect to specified URL, respond will respond with 429 'Exceeded allowed rate of requests'" + redirect_url: + type: string + description: "Redirect-URL" + logpackets: + type: object + description: 'Adds an audit message action. The action specifies whether to log the message, and to which log.' + properties: + logexpression: + description: 'Default-syntax expression that defines the format and content of the log message.' + type: string + maxLength: 7991 + loglevel: + description: 'Audit log level, which specifies the severity level of the log message being generated.' 
+ type: string + enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"] + required: [logexpression, loglevel] + required: [req_threshold] +--- +#Sample CRD instance + +#apiVersion: citrix.com/v1 +#description: VIP for apache service +#kind: vip +#metadata: +# name: service-apache +# namespace: default +#spec: +# description: VIP for the apache Service +# ipaddress: 10.99.98.90 +# kind: service +# name: apache + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: vips.citrix.com +spec: + group: citrix.com + names: + kind: vip + plural: vips + singular: vip + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + additionalPrinterColumns: + - jsonPath: .spec.ipaddress + name: VIP + type: string + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + ipaddress: + type: string + name: + type: string + kind: + type: string + enum: ["service", "ingress"] + description: + type: string + range-name: + type: string +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: authpolicies.citrix.com +spec: + group: citrix.com + names: + kind: authpolicy + plural: authpolicies + singular: authpolicy + scope: Namespaced + versions: + - name: v1beta1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - name: Status + type: string + description: 'Current Status of the CRD' + jsonPath: .status.state + - name: Message + type: string + description: 'Status Message' + jsonPath: .status.status_message + schema: + openAPIV3Schema: + type: object + properties: + status: + type: object + properties: + state: + type: string + status_message: + type: string + spec: + type: object + properties: + ingressclass: + type: string + description: "Ingress class, if not specified then all NetScaler Ingress Controllers in the 
cluster will process the resource otherwise only the controller with that ingress class will process this resource" + servicenames: + description: |+ + 'Name of the services for which the policies applied' + type: array + items: + type: string + maxLength: 63 + authentication_mechanism: + type: object + description: |+ + 'Authentication mechanism. Options: using forms or using request header. + Default is Authentication using request header, when no option is specified' + properties: + using_request_header: + description: |+ + 'Enable user authentication using request header. Use when the credentials + or api keys are passed in a header. For example, when using Basic, Digest, + Bearer authentication or api keys. + When authentication using forms is provided, this is set to OFF' + + type: string + using_forms: + type: object + description: 'Enables authentication using forms. Use with user/web authentication.' + properties: + authentication_host: + description: |+ + 'Fully qualified domain name (FQDN) for authentication. + This FQDN should be unique and should resolve to frontend IP of + NetScaler with Ingress/service type LoadBalancer (or) vip of Listener CRD' + type: string + maxLength: 255 + authentication_host_cert: + description: |+ + 'Name of the SSL certificate to be used with authentication_host. + This certificate is mandatory while using_forms' + type: object + properties: + tls_secret: + type: string + description: 'Name of the Kubernetes Secret of type tls referring to Certificate' + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + preconfigured: + type: string + maxLength: 63 + description: |+ + 'Preconfigured SSL certkey name on NetScaler with the + certificate and key already added on NetScaler' + oneOf: + - properties: + required: [tls_secret] + - properties: + required: [preconfigured] + ingress_name: + description: |+ + 'Ingress name for which the authentication using forms + is applicable.' 
+ type: string + maxLength: 63 + lb_service_name: + description: |+ + 'Service of type LoadBalancer for which the authentication using forms + is applicable.' + type: string + maxLength: 63 + listener_name: + description: |+ + 'Listener CRD name for which the authentication using forms is applicable.' + type: string + maxLength: 63 + vip: + description: |+ + 'Frontend IP of ingress for which the authentication + using forms is applicable. This refers to frontend-ip provided + with Ingress. It is suggested to use vip, if more than one Ingress + resource use the same frontend-ip' + type: string + required: [authentication_host, authentication_host_cert] + oneOf: + - properties: + required: [ingress_name] + - properties: + required: [lb_service_name] + - properties: + required: [listener_name] + - properties: + required: [vip] + oneOf: + - properties: + using_request_header: + enum: ['ON'] + required: [using_request_header] + - properties: + required: [using_forms] + + authentication_providers: + description: |+ + 'Authentication Configuration for required authentication providers/schemes. 
+ One or more of these can be created' + type: array + items: + description: 'Create config for a single authentication provider of a particular type' + type: object + properties: + name: + description: 'Name for this provider, has to be unique, referenced by authentication policies' + type: string + maxLength: 127 + + oauth: + description: 'Authentication provided by external oAuth provider' + type: object + properties: + issuer: + description: 'Identity of the server whose tokens are to be accepted' + type: string + maxLength: 127 + audience: + description: 'Audience for which token sent by Authorization server is applicable' + type: array + items: + type: string + maxLength: 127 + jwks_uri: + description: |+ + 'URL of the endpoint that contains JWKs (Json Web Key) for + JWT (Json Web Token) verification' + type: string + maxLength: 127 + introspect_url: + description: ' URL of the introspection server' + type: string + maxLength: 127 + client_credentials: + description: |+ + 'secrets object that contains Client Id and secret as known + to Introspection server' + type: string + maxLength: 253 + token_in_hdr: + description: |+ + 'custom header name where token is present, + default is Authorization header' + type: array + items: + type: string + maxLength: 127 + maxItems: 2 + token_in_param: + description: 'query parameter name where token is present' + type: array + items: + type: string + maxLength: 127 + maxItems: 2 + signature_algorithms: + description: 'list of allowed signature algorithms, by default HS256, RS256, RS512 are allowed' + type: array + items: + type: string + enum: ['HS256', 'RS256', 'RS512'] + claims_to_save: + description: 'list of claims to be saved, used to create authorization policies' + type: array + items: + type: string + maxLength: 127 + metadata_url: + description: 'URL used to get OAUTH/OIDC provider metadata' + type: string + maxLength: 255 + user_field: + description: |+ + 'Attribute in the token from which username should be 
extracted. + by default, NetScaler looks at email attribute for user id' + type: string + maxLength: 127 + default_group: + description: |+ + 'group assigned to the request if authentication succeeds, + this is in addition to any extracted groups from token' + type: string + maxLength: 63 + grant_type: + description: 'used to specify the type of flow to the token end point, defaults to CODE' + type: array + items: + type: string + enum: ['CODE','PASSWORD'] + pkce: + description: 'specify whether to enable Proof Key Code Exchange, defaults to ENABLED' + type: string + enum: ['ENABLED', 'DISABLED'] + token_ep_auth_method: + description: |+ + 'authentication method to be used with token end point, + defaults to client_secret_post' + type: string + enum: ['client_secret_post', 'client_secret_jwt'] + + anyOf: + - properties: + required : [jwks_uri] + - properties: + required : [introspect_url, client_credentials] + - properties: + required : [metadata_url] + + ldap: + description: 'LDAP authentication provider' + type: object + properties: + server_ip: + description: 'IP address assigned to the LDAP server' + type: string + server_name: + description: 'LDAP server name as a FQDN' + type: string + maxLength: 127 + server_port: + description: 'Port on which the LDAP server accepts connections. Default is 389' + type: integer + minimum: 1 + maximum: 65535 + base: + description: |+ + 'Base (node) from which to start LDAP searches. If the LDAP server is + running locally, the default value of base is dc=netscaler, dc=com' + type: string + maxLength: 127 + server_login_credentials: + description: |+ + 'Kubernetes secret object providing credentials to login to LDAP server, + The secret data should have username and password' + type: string + login_name: + description: |+ + 'LDAP login name attribute. 
The NetScaler uses the LDAP login name + to query external LDAP servers or Active Directories' + type: string + maxLength: 127 + security_type: + description: |+ + 'Type of security used for communications between the NetScaler + and the LDAP server. Default is TLS' + type: string + enum: ['PLAINTEXT', 'TLS', 'SSL'] + validate_server_cert: + description: 'Validate LDAP Server certs. Default is NO' + type: string + enum: ['YES', 'NO'] + hostname: + description: |+ + 'Hostname for the LDAP server. If validate_server_cert is ON, + this must be the host name on the certificate from the LDAP + A hostname mismatch will cause a connection failure' + type: string + maxLength: 127 + sub_attribute_name: + description: 'LDAP group sub-attribute name. Used for group extraction from the LDAP server.' + type: string + maxLength: 31 + group_attribute_name: + description: 'LDAP group attribute name. Used for group extraction on the LDAP server.' + type: string + maxLength: 31 + search_filter: + description: |+ + 'String to be combined with the default LDAP user search string to form the + search value. For example, if the search filter "vpnallowed=true" is combined + with the LDAP login name "samaccount" and the user-supplied username is "bob", + the result is the LDAP search string ""(&(vpnallowed=true)(samaccount=bob)"" + (Be sure to enclose the search string in two sets of double quotation marks)' + type: string + maxLength: 255 + auth_timeout: + description: |+ + 'Number of seconds the NetScaler waits for a response from the server + Default is 3' + type: integer + minimum: 1 + maximum: 4294967295 + password_change: + description: 'Allow password change requests. 
Default is DISABLED' + type: string + enum: ['ENABLED', 'DISABLED'] + attributes_to_save: + description: |+ + 'List of attribute names separated by comma which needs to be fetched + from LDAP server and stored as key-value pair for the session on NetScaler' + type: string + maxLength: 2047 + oneOf: + - properties: + required: [server_ip] + - properties: + required: [server_name] + + saml: + description: |+ + 'SAML authentication provider. + Currently SAML is supported only with authentication mechanism using forms' + type: object + properties: + metadata_url: + description: 'URL is used for obtaining saml metadata.' + type: string + maxLength: 255 + metadata_refresh_interval: + description: |+ + 'Interval in minutes for fetching metadata from specified metadata URL. + Default is 36000' + type: integer + minimum: 1 + maximum: 4294967295 + signing_cert: + description: 'SSL certificate to sign requests from SP to IDP' + type: object + properties: + tls_secret: + type: string + description: 'Name of the Kubernetes Secret of type tls referring to Certificate' + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + preconfigured: + type: string + maxLength: 63 + description: |+ + 'Preconfigured SSL certkey name on NetScaler with the + certificate and key already added on NetScaler' + oneOf: + - properties: + required: [tls_secret] + - properties: + required: [preconfigured] + audience: + description: 'Audience for which assertion sent by IdP is applicable' + type: string + maxLength: 127 + issuer_name: + description: 'The name to be used in requests sent from SP to IDP to identify NetScaler' + type: string + maxLength: 63 + binding: + description: 'Specifies the transport mechanism of saml message. Default is POST' + type: string + enum: ['REDIRECT', 'POST', 'ARTIFACT'] + artifact_resolution_service_url: + description: 'URL of the Artifact Resolution Service on IdP' + type: string + maxLength: 255 + logout_binding: + description: 'Specifies the transport mechanism of saml logout. 
Default is POST' + type: string + enum: ['REDIRECT', 'POST'] + reject_unsigned_assertion: + description: |+ + 'Reject unsigned SAML assertions. ON, rejects assertion without signature. + STRICT ensure that both Response and Assertion are signed. Default is ON' + type: string + enum: ['ON', 'OFF', 'STRICT'] + user_field: + description: 'SAML user ID, as given in the SAML assertion' + type: string + maxLength: 63 + default_authentication_group: + description: |+ + 'This is the default group that is chosen when the authentication + succeeds in addition to extracted groups' + type: string + maxLength: 63 + skew_time: + description: |+ + 'Allowed clock skew in number of minutes on an incoming assertion. + Default is 5' + type: integer + minimum: 1 + attributes_to_save: + description: |+ + 'List of attribute names separated by comma which needs to be extracted + and stored as key-value pair for the session on NetScaler' + type: string + maxLength: 2047 + required: + - metadata_url + + basic_local_db: + type: object + description: |+ + 'Basic HTTP authentication supported by NetScaler, user data in local DB of NetScaler. + Users needs to be added on NetScaler' + properties: + use_local_auth: + description: 'Use NetScaler authentication' + type: string + enum: ['YES'] + + required: + - name + + authentication_policies: + description: 'Authentication policies' + type: array + items: + type: object + description: 'Authentication policy' + properties: + resource: + type: object + description: 'endpoint/resource selection criteria' + properties: + path: + description: 'api resource path e.g. /products. 
' + type: array + items: + type: string + maxLength: 511 + method: + type: array + items: + type: string + enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT','PATCH', 'UNKNOWN_METHOD'] + required: + - path + expression: + description: 'NetScaler syntax expression for authentication' + type: string + maxLength: 1229 + provider: + description: 'name of the authentication provider for the policy, empty if no authentication required' + type: array + items: + type: string + maxLength: 127 + maxItems: 1 + oneOf: + - required: [resource, provider] + - required: [expression, provider] + + authorization_policies: + description: 'Authorization policies' + type: array + items: + type: object + description: 'Authorization policy' + properties: + resource: + type: object + description: 'endpoint/resource selection criteria' + properties: + path: + description: 'api resource path e.g. /products. ' + type: array + items: + type: string + maxLength: 511 + method: + description: ' http method' + type: array + items: + type: string + enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT','PATCH', 'UNKNOWN_METHOD'] + claims: + description: 'authorization scopes required for selected resource saved as claims or attributes' + type: array + items: + type: object + properties: + name: + description: 'name of the claim/attribute to check' + type: string + maxLength: 127 + values: + description: 'list of claim values required for the request' + type: array + items: + type: string + maxLength: 127 + minItems: 1 + required: + - name + - values + required: + - claims + expression: + description: 'NetScaler syntax expression for authorization' + type: string + maxLength: 1229 + oneOf: + - required: [resource] + - required: [expression] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: listeners.citrix.com +spec: + group: citrix.com + names: + kind: Listener + plural: listeners + singular: listener + 
scope: Namespaced + versions: + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + required: [spec] + type: object + properties: + status: + type: object + properties: + state: + type: string + status_message: + type: string + spec: + type: object + required: [protocol] + properties: + ingressclass: + type: string + description: "Ingress class, if not specified then all NetScaler Ingress Controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" + multicluster: + description: "The setting of this indicates that the VIP/csvserver IP address is shared by multiple netscaler ingress controllers on the VPX/MPX. For CPX, this field is not applicable" + type: boolean + protocol: + type: string + enum: ["udp", "tcp", "https", "http"] + description: "Protocol for this listener" + vip: + type: string + description: "VIP address, Optional for CPX, required for Tier-1 deployments" + secondaryVips: + type: array + description: "An array of Secondary VIPs. 
All the VIPs will be part of an ipset" + minItems: 1 + items: + type: string + redirectPort: + type: integer + minimum: 1 + maximum: 65535 + description: "Port from which http traffic should be redirected to https" + port: + type: integer + minimum: 1 + maximum: 65535 + certificates: + type: array + description: "certificates attached to the endpoints - Not applicable for HTTP" + minItems: 1 + items: + type: object + properties: + preconfigured: + type: string + description: "Preconfigured Certificate name on NetScaler " + secret: + type: object + description: "Kuberentes secret object" + required: [name] + properties: + name: + type: string + description: "name of the Kubernetes Secret object where Cert is located" + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + namespace: + type: string + description: "Namespace of the kubernetes secret object; Default is same namespace where the Listener object is located" + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + default: + type: boolean + description: "Only one of the certificate can be marked as default which will be presented if none of the cert matches with the hostname" + oneOf: + - required: ["preconfigured"] + - required: ["secret"] + policies: + type: object + description: "Policies attached to the Listener" + properties: + httpprofile: + type: object + description: "HTTP profile configurations for the Listener, HTTP level configurations" + properties: + preconfigured: + type: string + description: "Preconfigured or Built-in HTTP profile name" + config: + type: object + description: "HTTP profile configuration for the listener. 
For individual fields, refer: https://developer-docs.netscaler.com/en-us/adc-nitro-api/current-release/configuration/ns/nshttpprofile Name field is auto populated" + additionalProperties: + type: string + oneOf: + - required: ["preconfigured"] + - required: ["config"] + tcpprofile: + type: object + description: "TCP level configurations, uses ns tcpprofile of NetScaler" + properties: + preconfigured: + description: "Preconfigured or Built-in TCP profile name" + type: string + config: + type: object + description: "TCPprofile configurations for the listener. For individual fields refer: https://developer-docs.netscaler.com/en-us/adc-nitro-api/current-release/configuration/ns/nstcpprofile ; Name field is auto populated" + additionalProperties: + type: string + oneOf: + - required: ["preconfigured"] + - required: ["config"] + csvserverConfig: + type: object + description: "CS Vserver configuration for the listener" + additionalProperties: + type: string + sslprofile: + type: object + description: "SSL profile configuration" + properties: + preconfigured: + type: string + description: "SSL profile which is preconfigured in NetScaler. Ciphers bound to the profile is not overriden" + config: + description: "NetScaler frontend SSL profile configurations. Refer: https://developer-docs.netscaler.com/en-us/adc-nitro-api/current-release/configuration/ssl/sslprofile.html for all configurations; Name field is auto generated" + type: object + additionalProperties: + type: string + oneOf: + - required: ["preconfigured"] + - required: ["config"] + sslciphers: + type: array + description: "List of ciphers to be bound to the ssl profile for the listener. Priority is as per the order in the list. 
A cipher suite, predefined cipher group or User created cipher group can be mentioned" + minItems: 1 + items: + type: string + description: "Cipher suite, cipher group name" + analyticsprofile: + type: object + description: "Analytics profile configuration" + properties: + preconfigured: + type: array + description: "Preconfigured Analytics profile that needs to be bound to the vserver" + minItems: 1 + items: + type: string + description: "Name of the analytics profile preconfigured that will be bound to the Vserver" + config: + type: array + description: "An array of analytics to be enabled" + minItems: 1 + items: + type: object + description: "Anlytics to be enabled" + required: ['type'] + properties: + type: + description: "Analytics profile to be enabled, you can enable one or more of the webinsight, tcpinsight, securityinsight, videoinsight, hdxinsight, gatewayinsight, timeseries, lsninsight, botinsight " + type: string + enum: ["webinsight", "tcpinsight", "securityinsight", "videoinsight", "hdxinsight", "gatewayinsight", "timeseries", "lsninsight", "botinsight"] + parameters: + type: object + description: "Additional parameters for analytics profile. 
Please refer: https://developer-docs.netscaler.com/en-us/adc-nitro-api/current-release/configuration/analytics/analyticsprofile/" + additionalProperties: + type: string + oneOf: + - required: ["preconfigured"] + - required: ["config"] + routes: + type: array + description: "List of route objects attached to the listener" + minItems: 1 + items: + type: object + properties: + name: + type: string + description: "Name of the HTTPRoute object" + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + namespace: + type: string + description: "Namespace of the HTTPRoute object" + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + labelSelector: + description: "Labels key value pair, if the route carries the same labels, it is automatically attached" + type: object + additionalProperties: + type: string + oneOf: + - required: [name, namespace] + - required: [labelSelector] + defaultAction: + type: object + description: "Default action for the listener: One of Backend or Redirect" + properties: + backend: + type: object + oneOf: + - required: [kube] + properties: + kube: + type: object + required: [service, port] + properties: + service: + description: "Name of the backend service" + type: string + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + port: + description: "Service port" + type: integer + minimum: 1 + maximum: 65535 + namespace: + description: "Service namespace" + type: string + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + backendConfig: + description: "General backend service options" + type: object + properties: + secure_backend: + description: "Use Secure communications to the backends" + type: boolean + lbConfig: + description: "NetScaler LB vserver configurations for the backend. 
Refer: https://developer-docs.netscaler.com/en-us/adc-nitro-api/current-release/configuration/lb/lbvserver.html for all configurations" + type: object + additionalProperties: + type: string + servicegroupConfig: + description: "NetScaler service group configurations for the backend; Refer: https://developer-docs.netscaler.com/en-us/adc-nitro-api/current-release/configuration/basic/servicegroup.html for all configurations" + type: object + additionalProperties: + type: string + redirect: + type: object + oneOf: + - required: [targetExpression] + - required: [hostRedirect] + - required: [httpsRedirect] + properties: + httpsRedirect: + description: "Change the scheme from http to https keeping URL intact" + type: boolean + hostRedirect: + description: "Host name specified is used for redirection with URL intact" + type: string + targetExpression: + description: "A target can be specified using NetScaler policy expression" + type: string + responseCode: + description: "Default response code is 302, which can be customised using this attribute" + type: integer + minimum: 100 + maximum: 599 + oneOf: + - required: ["backend"] + - required: ["redirect"] + subresources: + # status enables the status subresource. 
+ status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: httproutes.citrix.com +spec: + group: citrix.com + names: + kind: HTTPRoute + plural: httproutes + singular: httproute + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + status: + type: object + properties: + state: + type: string + status_message: + type: string + spec: + type: object + required: [rules] + properties: + ingressclass: + type: string + description: "Ingress class, if not specified then all NetScaler Ingress Controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" + hostname: + type: array + description: "List of domain names that share the same route, default is '*'" + minItems: 1 + items: + type: string + description: "Domain name" + rules: + type: array + description: "List Content routing rules with an action defined" + minItems: 1 + items: + type: object + required: [name, action] + properties: + name: + type: string + description: "A name to represent the rule, this is used as an identifier in content routing policy name in NetScaler" + minLength: 1 + maxLength: 20 + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + match: + type: array + description: "List of rules with same action" + minItems: 1 + items: + type: object + anyOf: + - required: [path] + - required: [headers] + - required: [cookies] + - required: [queryParams] + - required: [method] + - required: [policyExpression] + properties: + path: + type: object + description: "URL Path based content routing" + properties: + prefix: + type: string + description: "URL path matches the prefix expression" + exact: + type: string + description: "URL Path must match exact path" + regex: + type: string + description: "PCRE based regex expression for path matching" + headers: + type: array + description: "List of header 
for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" + minItems: 1 + items: + type: object + description: "Header details for content routing, Check for existence of a header or header name-value match" + properties: + headerName: + type: object + description: "Header name based content routing, Here existence of header is used for routing" + properties: + exact: + type: string + description: "Header Name - treated as exact must exist" + contains: + type: string + description: "Header Name - A header must exist that contain the string the name" + regex: + type: string + description: "header Name - treated as PCRE regex expression" + not: + type: boolean + description: "Default False, if present, rules are inverted. I.e header name must not exist" + oneOf: + - required: [exact] + - required: [contains] + - required: [regex] + headerValue: + type: object + description: "Header Name and Value based match" + properties: + name: + type: string + description: "Header name that must match the value" + exact: + type: string + description: "Header value - treated as exact" + contains: + type: string + description: "Header value - treated as contains" + regex: + type: string + description: "header value - treated as PCRE regex expression" + not: + type: boolean + description: "Default False, if present, rules are inverted. I.e header if present must not match the value" + oneOf: + - required: [name, exact] + - required: [name, contains] + - required: [name, regex] + queryParams: + type: array + description: "List of Query parameters for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" + minItems: 1 + items: + type: object + description: "Query parameters Name and Value based match" + properties: + name: + type: string + description: "Query name that must match the value. 
If no value is specified, matches with any value" + exact: + type: string + description: "Query value - Exact match" + contains: + type: string + description: "Query value - value must have the string(substring)" + regex: + type: string + description: "Query value - Value must match this regex patterm" + not: + type: boolean + description: "Default False, if present, rules are inverted. I.e query if present must not match the value" + anyOf: + - required: [name] + - oneOf: + - required: [name, exact] + - required: [name, contains] + - required: [name, regex] + cookies: + type: array + description: "List of Cookie params for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" + minItems: 1 + items: + type: object + description: "Cookie based routing" + properties: + name: + type: string + description: "cookie name that must match the value. If no value specified, it matches with any value" + exact: + type: string + description: "cookie value - treated as exact" + contains: + type: string + description: "cookie value - treated as substring" + regex: + type: string + description: "cookie value - treated as PCRE regex expression" + not: + type: boolean + description: "Default False, if present, rules are inverted. 
I.e cookie if present must not match the value" + anyOf: + - required: [name] + - oneOf: + - required: [name, exact] + - required: [name, contains] + - required: [name, regex] + method: + type: string + description: "HTTP method for content routing eg: POST, PUT, DELETE etc" + policyExpression: + type: string + description: "NetScaler policy expressions; refer: https://developer-docs.netscaler.com/en-us/adc-nitro-api/current-release/configuration/policy/policyexpression.html" + action: + type: object + description: "Action for the matched rule" + properties: + backend: + type: object + oneOf: + - required: [kube] + properties: + kube: + type: object + required: [service, port] + properties: + service: + description: "Name of the backend service" + type: string + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + port: + description: "Service port" + type: integer + minimum: 1 + maximum: 65535 + backendConfig: + type: object + description: "General backend service options" + properties: + secureBackend: + description: "Use Secure communications to the backends" + type: boolean + lbConfig: + description: "NetScaler LB vserver configurations for the backend. 
Refer: https://developer-docs.netscaler.com/en-us/adc-nitro-api/current-release/configuration/lb/lbvserver.html for all configurations" + type: object + additionalProperties: + type: string + servicegroupConfig: + description: "NetScaler service group configurations for the backend; Refer: https://developer-docs.netscaler.com/en-us/adc-nitro-api/current-release/configuration/basic/servicegroup.html for all configurations" + type: object + additionalProperties: + type: string + redirect: + type: object + oneOf: + - required: [targetExpression] + - required: [hostRedirect] + - required: [httpsRedirect] + properties: + httpsRedirect: + description: "Change the scheme from http to https keeping URL intact" + type: boolean + hostRedirect: + description: "Host name specified is used for redirection with URL intact" + type: string + targetExpression: + description: "A target can be specified using NetScaler policy expression" + type: string + responseCode: + description: "Default response code is 302, which can be customised using this attribute" + type: integer + minimum: 100 + maximum: 599 + oneOf: + - required: ["backend"] + - required: ["redirect"] + subresources: + # status enables the status subresource. + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + # name must match the spec fields below, and be in the form: . 
+ name: continuousdeployments.citrix.com +spec: + group: citrix.com + names: + kind: continuousdeployment + plural: continuousdeployments + singular: continuousdeployment + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + properties: + cronSpec: + type: integer + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: wafs.citrix.com +spec: + group: citrix.com + names: + kind: waf + plural: wafs + singular: waf + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - name: Status + type: string + description: "Current Status of the CRD" + jsonPath: .status.state + - name: Message + type: string + description: "Status Message" + jsonPath: .status.status_message + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + status: + type: object + properties: + state: + type: string + status_message: + type: string + spec: + type: object + properties: + ingressclass: + type: string + description: "Ingress class, if not specified then all NetScaler Ingress Controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" + servicenames: + description: 'Name of the services to which the waf policies are applied.' + type: array + items: + type: string + maxLength: 127 + application_type: + description: 'Type of applications to protect' + type: array + items: + type: string + enum: ['HTML', 'JSON', 'XML'] + signatures: + description: 'Location of external signature file' + type: string + redirect_url: + description: 'When a URL is blocked/down, redirect_url represents the alternate URL where the client requests should be sent.' 
+ type: string + html_error_object: + description: 'Location of customized error page to respond when html or common violation are hit' + type: string + xml_error_object: + description: 'Location of customized error page to respond when xml violations are hit' + type: string + json_error_object: + description: 'Location of customized error page to respond when json violations are hit' + type: string + ip_reputation: + type: object + x-kubernetes-preserve-unknown-fields: true + description: 'Enabling IP reputation feature' + target: + description: 'To control what traffic to be inspected by Web Application Firewall. If you do not provide the target, everything will be inspected by default' + type: object + properties: + path: + type: array + description: "List of http urls to inspect" + items: + type: string + description: "URL path" + method: + type: array + description: "List of http methods to inspect" + items: + type: string + enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT','PATCH', 'UNKNOWN_METHOD'] + header: + type: array + description: "List of http headers to inspect" + items: + type: string + description: "header name" + security_checks: + description: 'To enable/disable application firewall security checks' + type: object + properties: + common: + type: object + x-kubernetes-preserve-unknown-fields: true + html: + type: object + x-kubernetes-preserve-unknown-fields: true + json: + type: object + x-kubernetes-preserve-unknown-fields: true + xml: + type: object + x-kubernetes-preserve-unknown-fields: true + settings: + description: 'To fine tune application firewall security checks default settings' + type: object + properties: + common: + type: object + x-kubernetes-preserve-unknown-fields: true + html: + type: object + x-kubernetes-preserve-unknown-fields: true + json: + type: object + x-kubernetes-preserve-unknown-fields: true + xml: + type: object + x-kubernetes-preserve-unknown-fields: true + relaxations: + description: 
'Section which contains relaxation rules for known traffic and false positives' + type: object + properties: + common: + type: object + x-kubernetes-preserve-unknown-fields: true + html: + type: object + x-kubernetes-preserve-unknown-fields: true + json: + type: object + x-kubernetes-preserve-unknown-fields: true + xml: + type: object + x-kubernetes-preserve-unknown-fields: true + enforcements: + description: 'Section which contains enforcement or restriction rules' + type: object + properties: + common: + type: object + x-kubernetes-preserve-unknown-fields: true + html: + type: object + x-kubernetes-preserve-unknown-fields: true + json: + type: object + x-kubernetes-preserve-unknown-fields: true + xml: + type: object + x-kubernetes-preserve-unknown-fields: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: bots.citrix.com +spec: + group: citrix.com + names: + kind: bot + plural: bots + singular: bot + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - name: Status + type: string + description: "Current Status of the CRD" + jsonPath: .status.state + - name: Message + type: string + description: "Status Message" + jsonPath: .status.status_message + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + status: + type: object + properties: + state: + type: string + status_message: + type: string + spec: + type: object + properties: + ingressclass: + type: string + description: "Ingress class, if not specified then all NetScaler Ingress Controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" + servicenames: + description: 'Name of the services to which the bot policies are applied.' 
+ type: array + items: + type: string + maxLength: 127 + signatures: + description: 'Location of external bot signature file' + type: string + redirect_url: + description: 'url to redirect when bot violation is hit' + type: string + target: + description: 'To control what traffic to be inspected by BOT. If you do not provide the target, everything will be inspected by default' + type: object + properties: + path: + type: array + description: "List of http urls to inspect" + items: + type: string + description: "URL path" + method: + type: array + description: "List of http methods to inspect" + items: + type: string + enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT','PATCH', 'UNKNOWN_METHOD'] + header: + type: array + description: "List of http headers to inspect" + items: + type: string + description: "header name" + security_checks: + description: 'To enable/disable bot ecurity checks' + type: object + properties: + allow_list: + type: string + enum: ['ON', 'OFF'] + block_list: + type: string + enum: ['ON', 'OFF'] + device_fingerprint: + type: string + enum: ['ON', 'OFF'] + device_fingerprint_action: + type: object + x-kubernetes-preserve-unknown-fields: true + headless_browser: + type: string + enum: ['ON','OFF'] + reputation: + type: string + enum: ['ON', 'OFF'] + ratelimit: + type: string + enum: ['ON', 'OFF'] + tps: + type: string + enum: ['ON', 'OFF'] + trap: + type: object + x-kubernetes-preserve-unknown-fields: true + bindings: + description: 'Section which contains binding rules for bot security checks' + type: object + properties: + allow_list: + type: array + items: + type: object + properties: + subnet: + type: object + x-kubernetes-preserve-unknown-fields: true + ip: + type: object + x-kubernetes-preserve-unknown-fields: true + ipv6: + type: object + x-kubernetes-preserve-unknown-fields: true + ipv6_subnet: + type: object + x-kubernetes-preserve-unknown-fields: true + expression: + type: object + 
x-kubernetes-preserve-unknown-fields: true + + block_list: + type: array + items: + type: object + properties: + subnet: + type: object + x-kubernetes-preserve-unknown-fields: true + ip: + type: object + x-kubernetes-preserve-unknown-fields: true + ipv6: + type: object + x-kubernetes-preserve-unknown-fields: true + ipv6_subnet: + type: object + x-kubernetes-preserve-unknown-fields: true + expression: + type: object + x-kubernetes-preserve-unknown-fields: true + ratelimit: + type: array + items: + type: object + properties: + url: + type: object + x-kubernetes-preserve-unknown-fields: true + ip: + type: object + x-kubernetes-preserve-unknown-fields: true + cookie: + type: object + x-kubernetes-preserve-unknown-fields: true + geolocation: + type: object + x-kubernetes-preserve-unknown-fields: true + reputation: + type: object + x-kubernetes-preserve-unknown-fields: true + captcha: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + properties: + logexp: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + properties: + kbmexpr: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + properties: + tps: + type: object + properties: + geolocation: + type: object + x-kubernetes-preserve-unknown-fields: true + host: + type: object + x-kubernetes-preserve-unknown-fields: true + ip: + type: object + x-kubernetes-preserve-unknown-fields: true + url: + type: object + x-kubernetes-preserve-unknown-fields: true + trapinsertion: + type: object + x-kubernetes-preserve-unknown-fields: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: apigatewaypolicies.citrix.com +spec: + group: citrix.com + names: + kind: apigatewaypolicy + plural: apigatewaypolicies + singular: apigatewaypolicy + scope: Namespaced + versions: + - name: v1beta1 + served: true + storage: true + additionalPrinterColumns: + - name: Status + type: string + description: "Current 
Status of the CRD" + jsonPath: .status.state + - name: Message + type: string + description: "Status Message" + jsonPath: .status.status_message + subresources: + status: {} + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + status: + type: object + properties: + state: + type: string + status_message: + type: string + spec: + type: object + properties: + api_definition: + type: object + properties: + repository: + type: string + branch: + type: string + oas_secret_ref: + type: string + files: + type: array + items: + type: string + maxLength: 127 + api_proxy: + type: object + properties: + ipaddress: + type: string + port: + type: integer + protocol: + type: string + secret: + type: string + policies: + type: array + items: + type: object + properties: + name: + type: string + selector: + type: array + items: + type: object + properties: + tags: + type: array + items: + type: string + api: + type: string + method: + type: array + items: + type: string + maxLength: 127 + upstream: + type: object + properties: + service: + type: string + port: + type: integer + policy_bindings: + type: object + properties: + ratelimit: + type: object + properties: + name: + type: string + waf: + type: object + properties: + name: + type: string + rewritepolicy: + type: object + properties: + name: + type: string + bot: + type: object + properties: + name: + type: string + aaa: + type: array + items: + type: object + properties: + crd_name: + type: string + mappings: + type: array + items: + type: object + properties: + petstore_auth: + type: string + api_key: + type: string +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: corspolicies.citrix.com +spec: + group: citrix.com + names: + kind: corspolicy + plural: corspolicies + singular: corspolicy + shortNames: + - cp + scope: Namespaced + versions: + - name: v1beta1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - name: 
Status + type: string + description: 'Current Status of the CRD' + jsonPath: .status.state + - name: Message + type: string + description: 'Status Message' + jsonPath: .status.status_message + schema: + openAPIV3Schema: + type: object + properties: + status: + type: object + properties: + state: + type: string + status_message: + type: string + spec: + type: object + properties: + ingressclass: + type: string + description: "Ingress class, if not specified then all NetScaler Ingress Controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" + servicenames: + description: 'The list of Kubernetes services to which you want to apply the cors policies.' + type: array + items: + type: string + maxLength: 63 + allow_origin: + description: 'Represents list of allowed origins, it is used to screen the “origin” in the cors pre flight request' + type: array + items: + type: string + maxLength: 2083 + allow_methods: + description: 'Indicates which methods are supported by the response’s URL for the purposes of the CORS protocol. This variable will be used to set Access-Control-Allow-Methods in the pre-flight cors response.' + type: array + items: + type: string + maxLength: 127 + allow_headers: + description: 'Indicates which headers are supported by the response’s URL for the purposes of the CORS protocol. This variable will be used to set Access-Control-Allow-Headers in the pre-flight cors response.' + type: array + items: + type: string + maxLength: 127 + max_age: + description: 'Indicates the number of seconds (5 by default) the information provided by the `Access-Control-Allow-Methods` and `Access-Control-Allow-Headers` headers can be cached. This variable will be used to set Access-Control-Max-Age in the pre-flight cors response.' + type: integer + allow_credentials: + description: 'Indicates whether the response can be shared when the request’s credentials mode is "include". 
This variable will be set to Access-Control-Allow-Credentials in the rewrite action.' + type: boolean + required: [servicenames, allow_origin, allow_methods, allow_headers] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: appqoepolicies.citrix.com +spec: + group: citrix.com + names: + kind: appqoepolicy + plural: appqoepolicies + singular: appqoepolicy + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - name: Status + type: string + description: "Current Status of the CRD" + jsonPath: .status.state + - name: Message + type: string + description: "Status Message" + jsonPath: .status.status_message + schema: + openAPIV3Schema: + type: object + properties: + status: + type: object + properties: + state: + type: string + status_message: + type: string + spec: + type: object + properties: + appqoe-policies: + type: array + items: + type: object + properties: + servicenames: + description: 'Name of the services that needs to be binded to appqoe policy.' + type: array + items: + type: string + maxLength: 127 + appqoe-policy: + type: object + properties: + operation-retry: + type: object + properties: + on-reset: + description: "To set Retry on Connection Reset or Not" + type: string + enum: ['YES','NO'] + on-timeout: + description: "Time in milliseconds for retry" + type: integer + minimum: 30 + maximum: 2000 + number-of-retries: + description: "To set number of retries" + type: integer + minimum: 1 + maximum: 7 + required: [operation-retry] + appqoe-criteria: + description: 'Expression against which traffic is evaluated.' + type: string + maxLength: 1299 + direction: + description: 'Bind point to which to bind the policy.' 
+ type: string + enum: ["REQUEST","RESPONSE"] + required: [appqoe-criteria, operation-retry] + required: [appqoe-policy] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: wildcarddnsentries.citrix.com +spec: + group: citrix.com + names: + kind: wildcarddnsentry + plural: wildcarddnsentries + singular: wildcarddnsentry + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - name: Status + type: string + description: Current Status of the CRD + jsonPath: .status.state + - name: Message + type: string + description: Status Message + jsonPath: .status.status_message + schema: + openAPIV3Schema: + type: object + properties: + status: + type: object + properties: + state: + type: string + status_message: + type: string + spec: + type: object + properties: + zone: + type: object + description: DNS configuration for a zone + properties: + domain: + type: string + description: Domain name + dnsaddrec: + type: object + description: DNS Address record + properties: + domain-ip: + type: string + description: IPv4 addresses to assign to the domain name + ttl: + type: integer + description: >- + TTL is the time for which the record must be cached + by DNS proxies + dnsaaaarec: + type: object + description: DNS AAAA record + properties: + domain-ip: + type: string + description: IPv6 addresses to assign to the domain name + ttl: + type: integer + description: >- + TTL is the time for which the record must be cached + by DNS proxies + soarec: + type: object + description: SOA record + properties: + origin-server: + type: string + description: Origin server domain + contact: + type: string + description: Admin contact + serial: + type: integer + description: >- + The secondary server uses this parameter to + determine whether it requires a zone transfer from + the primary server. 
+ refresh: + type: integer + description: >- + Time, in seconds, for which a secondary server must + wait between successive checks on the value of the + serial number. + retry: + type: integer + description: >- + Time, in seconds, between retries if a secondary server's + attempt to contact the primary server for a zone refresh fails. + expire: + type: integer + description: >- + Time, in seconds, after which the zone data on a secondary + nameserver can no longer be considered authoritative because + all refresh and retry attempts made during the period have failed." + nsrec: + type: object + description: Name server record + properties: + nameserver: + type: string + description: Host name of the name server to add to the domain. + ttl: + type: integer + description: >- + Time to Live (TTL), in seconds, for the record. TTL + is the time for which the record must be cached by + DNS proxies. The specified TTL is applied to all the + resource records that are of the same record type + and belong to the specified domain name +--- diff --git a/charts/netscaler/netscaler-cpx-with-ingress-controller/2.1.4/templates/NOTES.txt b/charts/netscaler/netscaler-cpx-with-ingress-controller/2.1.4/templates/NOTES.txt new file mode 100644 index 000000000..bccfdf69a --- /dev/null +++ b/charts/netscaler/netscaler-cpx-with-ingress-controller/2.1.4/templates/NOTES.txt @@ -0,0 +1,14 @@ +Thank you for installing {{ .Chart.Name }}. + +Your release is named {{ .Release.Name }}. + + +To learn more about the release, try: + + $ helm status {{ .Release.Name }} + $ helm get {{ .Release.Name }} + + +To delete : + helm delete {{ .Release.Name }} + diff --git a/charts/netscaler/netscaler-cpx-with-ingress-controller/2.1.4/templates/_helpers.tpl b/charts/netscaler/netscaler-cpx-with-ingress-controller/2.1.4/templates/_helpers.tpl new file mode 100644 index 000000000..efd154b27 --- /dev/null +++ b/charts/netscaler/netscaler-cpx-with-ingress-controller/2.1.4/templates/_helpers.tpl 
@@ -0,0 +1,93 @@ +{{- define "netscaler-cpx-ingress-controller.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "netscaler-cpx-ingress-controller.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "cpxservice.fullname" -}} +{{- $name := default .Chart.Name "cpx-service" .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{- define "cpxexporter.fullname" -}} +{{- $name := default .Chart.Name "exporter" .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{- define "cpxservicemonitor.fullname" -}} +{{- $name := default .Chart.Name "netscaler-adc-cpx-servicemonitor" .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{- define "cpxservicemonitorlabel" -}} +{{- $name := default .Chart.Name "netscaler-adc-cpx-svcmon" .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- 
.Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{- define "cpxconfigmap.fullname" -}} +{{- $name := default .Chart.Name "cpx-nsic-configmap" .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{- define "bootupconfigmap.fullname" -}} +{{- $name := default .Chart.Name "cpx-bootup-configmap" .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "netscaler-cpx-ingress-controller.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "netscaler-cpx-ingress-controller.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "netscaler-cpx-ingress-controller.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} diff --git a/charts/netscaler/netscaler-cpx-with-ingress-controller/2.1.4/templates/configmap.yaml b/charts/netscaler/netscaler-cpx-with-ingress-controller/2.1.4/templates/configmap.yaml new file mode 100644 index 000000000..bdb8fab9e --- /dev/null +++ b/charts/netscaler/netscaler-cpx-with-ingress-controller/2.1.4/templates/configmap.yaml 
@@ -0,0 +1,110 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "cpxconfigmap.fullname" . }} + namespace: {{ .Release.Namespace }} +data: + LOGLEVEL: {{ .Values.logLevel | quote | lower }} + JSONLOG: {{ .Values.jsonLog | quote | lower }} +{{- if eq (upper .Values.nsProtocol) "HTTPS" }} + NS_PROTOCOL: "https" +{{- if .Values.cpxBgpRouter }} + NS_PORT: "9443" +{{- else }} + NS_PORT: "443" +{{- end }} +{{- else }} + NS_PROTOCOL: "http" +{{- if .Values.cpxBgpRouter }} + NS_PORT: "9080" +{{- else }} + NS_PORT: "80" +{{- end }} +{{- end }} +{{- if .Values.analyticsConfig.required }} + NS_ENABLE_LABELS: {{ .Values.nsEnableLabel | quote }} +{{- end }} +{{- if ne (upper .Values.nsHTTP2ServerSide) "OFF" }} + NS_HTTP2_SERVER_SIDE: {{ .Values.nsHTTP2ServerSide | quote }} +{{- end }} +{{- if ne (toString .Values.nsCookieVersion) "0" }} + NS_COOKIE_VERSION: {{ .Values.nsCookieVersion | quote }} +{{- end }} +{{- if .Values.nsDnsNameserver }} + NS_DNS_NAMESERVER: {{ .Values.nsDnsNameserver }} +{{- end }} + +{{- if .Values.analyticsConfig.required }} + NS_ANALYTICS_CONFIG: | + distributed_tracing: + enable: {{ .Values.analyticsConfig.distributedTracing.enable | quote }} + samplingrate: {{ .Values.analyticsConfig.distributedTracing.samplingrate }} + endpoint: + {{- if not .Values.analyticsConfig.timeseries.metrics.enableNativeScrape }} + metrics: + service: {{ .Values.analyticsConfig.endpoint.metrics.service | quote }} + {{- end }} + transactions: + service: {{ .Values.analyticsConfig.endpoint.transactions.service | quote }} + timeseries: + port: {{ .Values.analyticsConfig.timeseries.port }} + metrics: + enable: {{ .Values.analyticsConfig.timeseries.metrics.enable | quote }} + mode: {{ .Values.analyticsConfig.timeseries.metrics.mode | quote }} + export_frequency: {{ .Values.analyticsConfig.timeseries.metrics.exportFrequency }} + schema_file: {{ .Values.analyticsConfig.timeseries.metrics.schemaFile | quote }} + enable_native_scrape: {{ 
.Values.analyticsConfig.timeseries.metrics.enableNativeScrape | quote }} + auditlogs: + enable: {{ .Values.analyticsConfig.timeseries.auditlogs.enable | quote }} + events: + enable: {{ .Values.analyticsConfig.timeseries.events.enable | quote }} + transactions: + enable: {{ .Values.analyticsConfig.transactions.enable | quote }} + port: {{ .Values.analyticsConfig.transactions.port }} +{{- end }} + +{{- if .Values.cpxBgpRouter }} +{{- if .Values.bgpSettings.required }} + NS_BGP_CONFIG: | +{{- with .Values.bgpSettings.bgpConfig }} + bgpConfig: +{{ toYaml . | indent 4 }} +{{- end }} +{{- end }} +{{- end }} + +{{- if .Values.nsLbHashAlgo.required }} + NS_LB_HASH_ALGO: | + hashFingers: {{ .Values.nsLbHashAlgo.hashFingers }} + hashAlgorithm: {{ .Values.nsLbHashAlgo.hashAlgorithm | quote }} +{{- end }} + +{{- if .Values.profileSslFrontend }} + FRONTEND_SSL_PROFILE: | + {{- toYaml .Values.profileSslFrontend | nindent 4 }} +{{- end }} + +{{- if .Values.profileTcpFrontend }} + FRONTEND_TCP_PROFILE: | + {{- toYaml .Values.profileTcpFrontend | nindent 4 }} +{{- end }} + +{{- if .Values.profileHttpFrontend }} + FRONTEND_HTTP_PROFILE: | + {{- toYaml .Values.profileHttpFrontend | nindent 4 }} +{{- end }} + +--- + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "bootupconfigmap.fullname" . }} + namespace: {{ .Release.Namespace }} +data: + cpx.conf: | + #NetScaler commands + {{- .Values.cpxCommands | nindent 6 -}} + #Shell commands + {{- .Values.cpxShellCommands | nindent 6 -}} + # end of file diff --git a/charts/netscaler/netscaler-cpx-with-ingress-controller/2.1.4/templates/deployment.yaml b/charts/netscaler/netscaler-cpx-with-ingress-controller/2.1.4/templates/deployment.yaml new file mode 100644 index 000000000..c5f10349f --- /dev/null +++ b/charts/netscaler/netscaler-cpx-with-ingress-controller/2.1.4/templates/deployment.yaml 
@@ -0,0 +1,480 @@ +apiVersion: apps/v1 +{{- if or .Values.cpxBgpRouter .Values.daemonSet }} +kind: DaemonSet +{{- else }} +kind: Deployment +{{- end }} +metadata: + name: {{ include "netscaler-cpx-ingress-controller.fullname" . }} + namespace: {{ .Release.Namespace }} +spec: + selector: + matchLabels: + app: {{ include "netscaler-cpx-ingress-controller.fullname" . }} +{{- if not ( or .Values.cpxBgpRouter .Values.daemonSet ) }} + replicas: {{ .Values.replicaCount }} +{{- end }} + template: + metadata: + name: {{ include "netscaler-cpx-ingress-controller.fullname" . }} + labels: + app: {{ include "netscaler-cpx-ingress-controller.fullname" . }} + adc: "citrix" + annotations: +{{- if .Values.analyticsConfig.timeseries.metrics.enableNativeScrape }} + netscaler.prometheus/scrape: "true" + netscaler.prometheus/port: {{ .Values.mgmtHttpPort | quote }} +{{- end }} +{{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} +{{- end }} + spec: + serviceAccountName: {{ include "netscaler-cpx-ingress-controller.serviceAccountName" . }} +{{- if .Values.cpxBgpRouter }} + hostNetwork: true +{{- end }} +{{- if .Values.hostName }} + hostname: {{ .Values.hostName }}-{{ .Release.Namespace }} +{{- end }} + containers: + - name: cpx-ingress + image: "{{ tpl .Values.image . 
}}" + imagePullPolicy: {{ .Values.pullPolicy }} + tty: true + securityContext: + privileged: true + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace +{{- if .Values.cpxLicenseAggregator }} + - name: "CLA" + value: {{ .Values.cpxLicenseAggregator | quote }} +{{- else if .Values.ADMSettings.licenseServerIP }} + - name: "LS_IP" + value: {{ .Values.ADMSettings.licenseServerIP | quote }} + - name: "LS_PORT" + value: {{ .Values.ADMSettings.licenseServerPort | quote }} +{{- end }} + - name: "EULA" + value: "{{ .Values.license.accept }}" + - name: "KUBERNETES_TASK_ID" + value: "" +{{- if not .Values.cpxBgpRouter }} + - name: "MGMT_HTTP_PORT" + value: {{ .Values.mgmtHttpPort | quote }} + - name: "MGMT_HTTPS_PORT" + value: {{ .Values.mgmtHttpsPort | quote }} +{{- end }} +{{- if .Values.cpxBgpRouter }} + - name: NS_NETMODE + value: HOST +{{- if .Values.nsIP }} + - name: "NS_IP" + value: "{{ .Values.nsIP }}" +{{- end }} +{{- if .Values.nsGateway }} + - name: "NS_GATEWAY" + value: "{{ .Values.nsGateway }}" +{{- end }} +{{- end }} +{{- if .Values.ADMSettings.ADMIP }} + - name: "NS_MGMT_SERVER" + value: {{ .Values.ADMSettings.ADMIP | quote }} + - name: "NS_HTTP_PORT" + value: {{ .Values.mgmtHttpPort | quote }} + - name: "NS_HTTPS_PORT" + value: {{ .Values.mgmtHttpsPort | quote }} +{{- end }} +##Need to set env var BANDWIDTH in order to provide Bandwidth license to NetScaler CPX from ADM or CPX License Aggregator +{{- if or .Values.ADMSettings.licenseServerIP .Values.cpxLicenseAggregator }} +{{- if .Values.ADMSettings.bandWidthLicense }} + - name: "BANDWIDTH" + value: {{ .Values.ADMSettings.bandWidth | quote }} +{{- end }} +##for multiple-PE support, need to set CPX_CORES +{{- if or .Values.ADMSettings.vCPULicense .Values.ADMSettings.bandWidthLicense }} + - name: "CPX_CORES" + value: {{ .Values.ADMSettings.cpxCores | default 1 | quote }} + - 
name: "EDITION" + value: {{ .Values.ADMSettings.licenseEdition }} +{{- end }} +{{- if .Values.ADMSettings.platform }} + - name: "CPX_CORES" + value: {{ .Values.ADMSettings.cpxCores | default 1 | quote }} + - name: "PLATFORM" + value: "CP1000" +{{- end }} +{{- end }} +{{- if or (.Values.ADMSettings.ADMIP) (.Values.ADMSettings.licenseServerIP) }} + - name: NS_MGMT_USER + valueFrom: + secretKeyRef: + name: {{ required "Provide Secret for ADM/LicenseServer credentials" .Values.ADMSettings.loginSecret }} + key: username + - name: NS_MGMT_PASS + valueFrom: + secretKeyRef: + name: {{ required "Provide Secret for ADM/LicenseServer credentials" .Values.ADMSettings.loginSecret }} + key: password +{{- end }} +{{- if .Values.exporter.required }} + - name: "METRICS_EXPORTER_PORT" + value: {{ .Values.exporter.ports.containerPort | quote }} +{{- end }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + volumeMounts: + - mountPath: /var/deviceinfo + name: shared-data + - mountPath: /cpx/ + name: cpx-volume + - mountPath: /cpx/conf + name: cpx-volume-conf + - mountPath: /cpx/bootup_conf + name: bootupconfig-volume +{{- if .Values.enableStartupProbe }} + startupProbe: + {{- toYaml .Values.startupProbe | nindent 12 }} +{{- end }} +{{- if .Values.enableLivenessProbe }} + livenessProbe: + {{- toYaml .Values.livenessProbe | nindent 12 }} +{{- end }} +{{- if .Values.nsic.required }} + # Add nsic as a sidecar + - name: nsic + image: "{{ tpl .Values.nsic.image . 
}}" + imagePullPolicy: {{ .Values.nsic.pullPolicy }} + env: +{{- if .Values.nsic.enableLivenessProbe }} + - name: "LIVENESS_FILE_PATH" + value: '/tmp/liveness_path.log' +{{- end }} +{{- if .Values.analyticsConfig.timeseries.metrics.enableNativeScrape }} + - name: "PROM_USER" + valueFrom: + secretKeyRef: + name: {{ required "Provide Secret for read only user for native Prometheus mode" .Values.nsic.prometheusCredentialSecret }} + key: username + - name: "PROM_PASSWORD" + valueFrom: + secretKeyRef: + name: {{ required "Provide Secret for read only user for native Prometheus mode" .Values.nsic.prometheusCredentialSecret }} + key: password +{{- end }} + - name: "EULA" + value: "{{ .Values.license.accept }}" +{{- if .Values.cpxBgpRouter }} + - name: "NS_IP" + value: {{ .Values.nsIP | default "192.168.1.2" | quote }} +{{- else }} + - name: "NS_IP" + value: "127.0.0.1" +{{- end }} +{{- if .Values.rbacRole }} + - name: "SCOPE" + value: "local" +{{- end }} + - name: "NS_APPS_NAME_PREFIX" + value: {{ .Values.entityPrefix | default "k8s"| quote }} + - name: "NS_DEPLOYMENT_MODE" + value: "SIDECAR" +{{- if and .Values.openshift .Values.routeLabels }} + - name: "ROUTE_LABELS" + value: {{ .Values.routeLabels | quote}} +{{- end }} +{{- if and .Values.openshift .Values.namespaceLabels }} + - name: "NAMESPACE_LABELS" + value: {{ .Values.namespaceLabels | quote }} +{{- end }} +{{- if .Values.openshift }} + - name: "PLATFORM" + value: "OPENSHIFT" +{{- else }} + - name: "PLATFORM" + value: "KUBERNETES" +{{- end }} +{{- if .Values.cpxBgpRouter }} +{{- if eq (upper .Values.nsProtocol) "HTTPS" }} + - name: NS_PROTOCOL + value: HTTPS + - name: NS_PORT + value: "9443" +{{- else }} + - name: NS_PROTOCOL + value: HTTP + - name: NS_PORT + value: "9080" +{{- end }} +{{- if .Values.bgpPort }} + - name: "BGP_PORT" + value: {{ .Values.bgpPort | quote }} +{{- end }} +{{- end }} + - name: "NS_ENABLE_MONITORING" + value: "YES" +{{- if .Values.logProxy }} + - name: "NS_LOGPROXY" + value: {{ 
.Values.logProxy | quote }} +{{- end }} +{{- if .Values.ingressIP }} + - name: "NS_VIP" + value: {{ .Values.ingressIP | quote }} +{{- end }} +{{- if .Values.nitroReadTimeout }} + - name: "NS_NITRO_READ_TIMEOUT" + value: "{{ .Values.nitroReadTimeout }}" +{{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName +{{- if .Values.kubernetesURL }} + - name: "kubernetes_url" + value: "{{ .Values.kubernetesURL }}" +{{- end }} +{{- if .Values.disableOpenshiftRoutes }} + - name: "DISABLE_OPENSHIFT_ROUTES" + value: "{{ .Values.disableOpenshiftRoutes }}" +{{- end }} +{{- if .Values.nsConfigDnsRec }} + - name: "NS_CONFIG_DNS_REC" + value: "{{ .Values.nsConfigDnsRec }}" +{{- end }} +{{- if .Values.nsSvcLbDnsRec }} + - name: "NS_SVC_LB_DNS_REC" + value: "{{ .Values.nsSvcLbDnsRec }}" +{{- end }} +{{- if .Values.optimizeEndpointBinding }} + - name: "OPTIMIZE_ENDPOINT_BINDING" + value: "{{ .Values.optimizeEndpointBinding }}" +{{- end }} +{{- if .Values.cpxBgpRouter }} + securityContext: + runAsUser: 0 + capabilities: + add: + - NET_ADMIN +{{- end }} + args: + - --configmap + {{ .Release.Namespace }}/{{ include "cpxconfigmap.fullname" . 
}} +{{- if .Values.ipam }} + - --ipam + citrix-ipam-controller +{{- end }} +{{- if .Values.disableAPIServerCertVerify }} + - --disable-apiserver-cert-verify + {{ .Values.disableAPIServerCertVerify }} +{{- end }} +{{- if .Values.cpxBgpRouter }} + - --deployment-type + kube-bgp-router +{{- end }} +{{- if .Values.ingressClass }} + - --ingress-classes +{{- range .Values.ingressClass}} + {{.}} +{{- end }} +{{- end }} +{{- if .Values.defaultSSLCertSecret }} + - --default-ssl-certificate + {{ .Release.Namespace }}/{{ .Values.defaultSSLCertSecret }} +{{- end }} +{{- if .Values.defaultSSLSNICertSecret }} + - --default-ssl-sni-certificate + {{ .Release.Namespace }}/{{ .Values.defaultSSLSNICertSecret }} +{{- end }} +{{- if .Values.updateIngressStatus }} +{{- if .Values.cpxBgpRouter }} + - --update-ingress-status + yes +{{- else }} + - --cpx-service + {{ .Release.Namespace }}/{{ include "cpxservice.fullname" . }} +{{- end }} +{{- end }} + volumeMounts: + - mountPath: /var/deviceinfo + name: shared-data +{{- if .Values.nsic.enableReadinessProbe }} + readinessProbe: + {{- toYaml .Values.nsic.readinessProbe | nindent 12 }} +{{- end }} +{{- if .Values.nsic.enableLivenessProbe }} + livenessProbe: + {{- toYaml .Values.nsic.livenessProbe | nindent 12 }} +{{- end }} + resources: + {{- toYaml .Values.nsic.resources | nindent 12 }} +{{- end }} +{{- if .Values.exporter.required }} + - name: exporter + image: "{{ tpl .Values.exporter.image . 
}}" + imagePullPolicy: {{ .Values.exporter.pullPolicy }} + args: + - "--secure=no" +{{- if .Values.cpxBgpRouter }} + - --target-nsip={{ .Values.nsIP | default "192.168.1.2" }}:9080 +{{- else }} + - "--target-nsip=127.0.0.1" +{{- end }} + - "--port={{ .Values.exporter.ports.containerPort }}" + env: + - name: "NS_DEPLOYMENT_MODE" + value: "SIDECAR" + securityContext: + readOnlyRootFilesystem: true + volumeMounts: + - mountPath: /var/deviceinfo + name: shared-data + resources: + {{- toYaml .Values.exporter.resources | nindent 12 }} +{{- end }} + volumes: + - name: shared-data + emptyDir: {} + - name: cpx-volume + emptyDir: {} + - name: cpx-volume-conf + emptyDir: {} + - name: bootupconfig-volume + configMap: + name: {{ include "bootupconfigmap.fullname" . }} +{{- if and .Values.nodeSelector.key .Values.nodeSelector.value }} + nodeSelector: + {{ .Values.nodeSelector.key }}: {{ .Values.nodeSelector.value }} +{{- end }} +{{- if .Values.tolerations }} + tolerations: {{ .Values.tolerations | toYaml | nindent 8 }} +{{- end }} +{{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} +{{- end }} + +--- +{{- if .Values.cpxBgpRouter }} +{{- if .Values.exporter.required }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "cpxexporter.fullname" . }} + labels: + app: {{ include "cpxexporter.fullname" . }} + service-type: {{ include "cpxservicemonitorlabel" . }} +spec: + type: ClusterIP + ports: + - port: {{ .Values.exporter.ports.containerPort }} + targetPort: {{ .Values.exporter.ports.containerPort }} + name: exporter-port + selector: + app: {{ include "netscaler-cpx-ingress-controller.fullname" . }} +{{- end }} +{{- else }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "cpxservice.fullname" . }} + labels: + app: cpx-service + service-type: {{ include "cpxservicemonitorlabel" . }} +{{- if .Values.serviceAnnotations }} + annotations: +{{- with .Values.serviceAnnotations }} +{{ toYaml . 
| indent 4 }} +{{- end }} +{{- end }} +spec: +{{- if or .Values.serviceType.loadBalancer.enabled ( and (.Values.updateIngressStatus) (not .Values.cpxBgpRouter)) }} + externalTrafficPolicy: {{ .Values.serviceSpec.externalTrafficPolicy }} + type: LoadBalancer +{{- if .Values.serviceSpec.loadBalancerIP }} + loadBalancerIP: {{ .Values.serviceSpec.loadBalancerIP }} +{{- end }} +{{- else if .Values.serviceType.nodePort.enabled }} + type: NodePort + externalTrafficPolicy: {{ .Values.serviceSpec.externalTrafficPolicy }} +{{- end }} +{{- if and .Values.serviceType.loadBalancer.enabled .Values.serviceSpec.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{- range .Values.serviceSpec.loadBalancerSourceRanges}} + - {{.}} +{{- end }} +{{- end }} + ports: +{{- if .Values.servicePorts }} +{{- with .Values.servicePorts }} +{{ toYaml . | indent 2 }} +{{- end }} +{{- else }} + - port: 80 + protocol: TCP + name: http +{{- if and .Values.serviceType.nodePort.enabled .Values.serviceType.nodePort.httpPort }} + nodePort: {{ .Values.serviceType.nodePort.httpPort }} +{{- end }} + - port: 443 + protocol: TCP + name: https +{{- if and .Values.serviceType.nodePort.enabled .Values.serviceType.nodePort.httpsPort }} + nodePort: {{ .Values.serviceType.nodePort.httpsPort}} +{{- end }} +{{- end }} +{{- if .Values.exporter.required }} + - port: {{ .Values.exporter.ports.containerPort }} + targetPort: {{ .Values.exporter.ports.containerPort }} + name: exporter-port +{{- end }} + selector: + app: {{ include "netscaler-cpx-ingress-controller.fullname" . }} +{{- end }} + +--- + +{{- if .Values.exporter.required }} + +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "cpxservicemonitor.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + servicemonitor: netscaler-cpx + {{- with .Values.exporter.serviceMonitorExtraLabels }} + {{- toYaml . 
| nindent 4 }} + {{- end }} +spec: + endpoints: + - interval: 30s + port: exporter-port + selector: + matchLabels: + service-type: {{ include "cpxservicemonitorlabel" . }} + namespaceSelector: + matchNames: + - monitoring + - default + - {{ .Release.Namespace }} + +{{- end }} diff --git a/charts/netscaler/netscaler-cpx-with-ingress-controller/2.1.4/templates/ingressclass.yaml b/charts/netscaler/netscaler-cpx-with-ingress-controller/2.1.4/templates/ingressclass.yaml new file mode 100644 index 000000000..d75537b79 --- /dev/null +++ b/charts/netscaler/netscaler-cpx-with-ingress-controller/2.1.4/templates/ingressclass.yaml @@ -0,0 +1,18 @@ +{{- $default := .Values.setAsDefaultIngressClass -}} +{{- if semverCompare ">=1.19.0-0" .Capabilities.KubeVersion.GitVersion }} +{{- if .Values.ingressClass }} +{{- range .Values.ingressClass }} +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + name: {{ . | quote }} +{{- if $default }} + annotations: + ingressclass.kubernetes.io/is-default-class: "true" +{{- end }} +spec: + controller: citrix.com/ingress-controller +--- +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/netscaler/netscaler-cpx-with-ingress-controller/2.1.4/templates/rbac.yaml b/charts/netscaler/netscaler-cpx-with-ingress-controller/2.1.4/templates/rbac.yaml new file mode 100644 index 000000000..b2e4ebe71 --- /dev/null +++ b/charts/netscaler/netscaler-cpx-with-ingress-controller/2.1.4/templates/rbac.yaml 
@@ -0,0 +1,106 @@ +{{- if not .Values.rbacRole }} +kind: ClusterRole +{{- else }} +kind: Role +{{- end }} +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "netscaler-cpx-ingress-controller.serviceAccountName" . }} +{{- if .Values.rbacRole }} + namespace: {{ .Release.Namespace }} +{{- end }} +rules: + - apiGroups: [""] +{{- if .Values.openshift }} + resources: ["endpoints", "pods", "secrets", "routes", "tokenreviews", "subjectaccessreviews", "nodes", "namespaces", "configmaps", "services"] +{{- else }} + resources: ["endpoints", "pods", "secrets", "routes", "nodes", "namespaces", "configmaps", "services"] +{{- end }} + verbs: ["get", "list", "watch"] + # services/status is needed to update the loadbalancer IP in service status for integrating + # service of type LoadBalancer with external-dns + - apiGroups: [""] + resources: ["services/status"] + verbs: ["patch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create"] + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["extensions","networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["patch"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingressclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + - apiGroups: ["apps"] + resources: ["deployments"] + verbs: ["get", "list", "watch"] + - apiGroups: ["citrix.com"] + resources: ["rewritepolicies", "continuousdeployments", "authpolicies", "ratelimits", "listeners", "httproutes", "wafs", "apigatewaypolicies", "bots", "corspolicies", "appqoepolicies", "wildcarddnsentries"] + verbs: ["get", "list", "watch", "create", "delete", "patch"] + - apiGroups: ["citrix.com"] + resources: ["rewritepolicies/status", "continuousdeployments/status", "authpolicies/status", "ratelimits/status", "listeners/status", "httproutes/status", "wafs/status", 
"apigatewaypolicies/status", "bots/status", "corspolicies/status", "appqoepolicies/status", "wildcarddnsentries/status"] + verbs: ["patch"] + - apiGroups: ["citrix.com"] + resources: ["vips"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: ["crd.projectcalico.org"] + resources: ["ipamblocks"] + verbs: ["get", "list", "watch"] +{{- if .Values.openshift }} + - apiGroups: ["route.openshift.io"] + resources: ["routes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["network.openshift.io"] + resources: ["hostsubnets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["config.openshift.io"] + resources: ["networks"] + verbs: ["get", "list"] +{{- end }} + +--- + +{{- if not .Values.rbacRole }} +kind: ClusterRoleBinding +{{- else }} +kind: RoleBinding +{{- end }} +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "netscaler-cpx-ingress-controller.serviceAccountName" . }} +{{- if .Values.rbacRole }} + namespace: {{ .Release.Namespace }} +{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io +{{- if not .Values.rbacRole }} + kind: ClusterRole +{{- else }} + kind: Role +{{- end }} + name: {{ include "netscaler-cpx-ingress-controller.serviceAccountName" . }} +subjects: +- kind: ServiceAccount + name: {{ include "netscaler-cpx-ingress-controller.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "netscaler-cpx-ingress-controller.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- if .Values.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.imagePullSecrets }} +- name: {{.}} +{{- end }} +{{- end }} + diff --git a/charts/netscaler/netscaler-cpx-with-ingress-controller/2.1.4/values.yaml b/charts/netscaler/netscaler-cpx-with-ingress-controller/2.1.4/values.yaml new file mode 100644 index 000000000..3e292b3ac --- /dev/null +++ b/charts/netscaler/netscaler-cpx-with-ingress-controller/2.1.4/values.yaml 
@@ -0,0 +1,308 @@ +# Default values for netscaler-cpx-with-ingress-controller. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# NetScaler CPX config details +imageRegistry: quay.io +imageRepository: netscaler/netscaler-cpx +imageTag: 14.1-25.111 +image: "{{ .Values.imageRegistry }}/{{ .Values.imageRepository }}:{{ .Values.imageTag }}" +pullPolicy: IfNotPresent +imagePullSecrets: [] +daemonSet: False +nameOverride: "" +replicaCount: 1 +fullnameOverride: "" +mgmtHttpPort: 9080 +mgmtHttpsPort: 9443 +openshift: false +nsHTTP2ServerSide: "OFF" +nsCookieVersion: "0" +nsConfigDnsRec: false +nsSvcLbDnsRec: false +nsDnsNameserver: "" +nsEnableLabel: true +optimizeEndpointBinding: false +routeLabels: "" +namespaceLabels: "" +hostName: "" + +# Service Type LoadBalancer and ingress support with CPX through BGP advertisement +# If you enable this, CPX is run as DaemonSet. Please edit the bgpSettings for configuring +# BGP neighbors for propgation of external IPs. +cpxBgpRouter: false + +# If cpxBgpRouter is true, then this is the NSIP used by CPX for internal communication +nsIP: 192.168.1.2 + +# If cpxBgpRouter is true, then this is the Gateway used by CPX for internal communication +nsGateway: 192.168.1.1 + +# Protocol used for communication between NetScaler Ingress Controller sidecar and NetScaler CPX +nsProtocol: http + +# External IP for ingress resource when bgpRouter is set to True +ingressIP: "" + +# If IPAM controller is used for auto allocation of the external IP for service of type LoadBalancer, set this option to true +ipam: False + +# Enable RBAC role (so called local role), by default NSIC deployed with ClusterRole. 
+# below variable to deploy NSIC with RBAC role, only ingress service supported with this config +rbacRole: False + +# API server Cert verification can be disabled, while communicating with API Server, if disableAPIServerCertVerify set to True +disableAPIServerCertVerify: False + +cpxLicenseAggregator: "" + +sslCertManagedByAWS: False + +nodeSelector: + key: "" + value: "" +tolerations: [] + +serviceType: + loadBalancer: + enabled: False + nodePort: + enabled: False + httpPort: "" + httpsPort: "" + +serviceAnnotations: {} + +serviceSpec: + externalTrafficPolicy: "Cluster" + loadBalancerIP: "" + loadBalancerSourceRanges: [] + +servicePorts: [] + +# NetScaler Ingress Controller config details +nsic: + imageRegistry: quay.io + imageRepository: netscaler/netscaler-k8s-ingress-controller + imageTag: 2.1.4 + image: "{{ .Values.nsic.imageRegistry }}/{{ .Values.nsic.imageRepository }}:{{ .Values.nsic.imageTag }}" + pullPolicy: IfNotPresent + required: true + resources: + requests: + cpu: 32m + memory: 128Mi + # Following values depends on no of ingresses configured by Ingress Controllers, so it is + # advised to test with maximum no of ingresses to set these values. + # limits: + # cpu: 1000m + # memory: 1000Mi + limits: {} + # Following values depends on no of ingresses configured by Ingress Controllers, so it is + # advised to test with maximum no of ingresses to set these values. 
+ # limits: + # cpu: 1000m + # memory: 1000Mi + prometheusCredentialSecret: "" # K8s Secret Name for read only user creation for native Prometheus support + enableLivenessProbe: True + livenessProbe: + exec: + command: + - /bin/sh + - -c + - | + FILE_PATH="$LIVENESS_FILE_PATH" + [ -f "$FILE_PATH" ] && [ $(( $(date +%s) - $(stat -c %Y "$FILE_PATH") )) -lt 60 ] && exit 0 || exit 1 + initialDelaySeconds: 30 + periodSeconds: 60 + + enableReadinessProbe: True + readinessProbe: + exec: + command: + - cat + - /tmp/readiness + initialDelaySeconds: 50 + periodSeconds: 60 + failureThreshold: 3 + successThreshold: 1 + +entityPrefix: "" +license: + accept: no +ingressClass: [] +setAsDefaultIngressClass: False +# nitroReadTimeout is timeout value in seconds for nitro api read timeout(default is 20) +nitroReadTimeout: 20 +logLevel: INFO +jsonLog: false +defaultSSLCertSecret: "" +defaultSSLSNICertSecret: "" +updateIngressStatus: False +logProxy: "" +kubernetesURL: "" +disableOpenshiftRoutes: false +profileSslFrontend: {} + # preconfigured: my_ssl_profile + # OR + # config: + # tls13: 'ENABLED' + # hsts: 'ENABLED' +profileHttpFrontend: {} + # preconfigured: my_http_profile + # OR + # config: + # dropinvalreqs: 'ENABLED' + # websocket: 'ENABLED' +profileTcpFrontend: {} + # preconfigured: my_tcp_profile + # OR + # config: + # sack: 'ENABLED' + # nagle: 'ENABLED' + + +# NetScaler ADM/License Server config details +ADMSettings: + licenseServerIP: + licenseServerPort: 27000 + ADMIP: "" + loginSecret: "" + bandWidthLicense: false + bandWidth: 1000 #bandwidth value shoule be in Mbps + vCPULicense: false + cpxCores: 1 + platform: false + licenseEdition: PLATINUM + +# Exporter config details +exporter: + required: false + imageRegistry: quay.io + imageRepository: netscaler/netscaler-adc-metrics-exporter + imageTag: 1.4.9 + image: "{{ .Values.exporter.imageRegistry }}/{{ .Values.exporter.imageRepository }}:{{ .Values.exporter.imageTag }}" + pullPolicy: IfNotPresent + ports: + containerPort: 
8888 + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + serviceMonitorExtraLabels: {} + +# Config required to be done by NetScaler Ingress Controller for sending metrics to NetScaler Observability Exporter +analyticsConfig: + required: false + distributedTracing: + enable: false + samplingrate: 100 + endpoint: + metrics: + service: "" + transactions: + service: "" + timeseries: + port: 5563 + metrics: + enable: false + mode: 'avro' + exportFrequency: 30 + schemaFile: schema.json + enableNativeScrape: false + auditlogs: + enable: false + events: + enable: false + transactions: + enable: false + port: 5557 + +# BGP configurations: local AS, remote AS and remote address is mandatory to provide. Please do the approrpiate changes with respect to your environment +bgpSettings: + # When bgpConfig is configured correctly, set the required to true for the configuration to be applied. + required: false + bgpConfig: + - bgpRouter: + # Local AS number for BGP advertisement + localAS: 100 + neighbor: + # Address of the nighbor router for BGP advertisement + - address: "" + # Remote AS number + remoteAS: 100 + advertisementInterval: 10 + ASOriginationInterval: 10 + +bgpPort: 179 + +nsLbHashAlgo: + required: false + hashFingers: 256 + hashAlgorithm: 'DEFAULT' + +# Specifies whether a ServiceAccount should be created +serviceAccount: + create: true + # The name of the ServiceAccount to use. + # If not set and `create` is true, a name is generated using the fullname template + # name: + +podAnnotations: {} + +# This is the resource for CPX container. 
+resources: + requests: + cpu: 128m + memory: 500Mi + limits: {} + # limits: + # cpu: 500m + # memory: 512Mi + +affinity: {} + +enableStartupProbe: True +startupProbe: + initialDelaySeconds: 30 + periodSeconds: 5 + failureThreshold: 20 + successThreshold: 1 + exec: + command: + - /bin/ping + - -c 1 + - 192.0.0.1 + +enableLivenessProbe: True +livenessProbe: + exec: + command: + - ls + - /tmp/cpx_started + periodSeconds: 5 + failureThreshold: 3 + successThreshold: 1 + + + +# cpxCommands: to provide global config to be applied in CPX. The commands will be executed in order. For e.g. +# add rewrite action rw_act_x_forwarded_proto insert_http_header X-Forwarded-Proto "\"https\"" +# add rewrite policy rw_pol_x_forwarded_proto CLIENT.SSL.IS_SSL rw_act_x_forwarded_proto +# bind rewrite global rw_pol_x_forwarded_proto 10 -type REQ_OVERRIDE +cpxCommands: | + + +# cpxShellCommands: to provide commands that need to be executed in shell of CPX. For e.g. +# touch /etc/a.txt +# echo "this is a" > /etc/a.txt +# echo "this is the file" >> /etc/a.txt +# ls >> /etc/a.txt +cpxShellCommands: | diff --git a/index.yaml b/index.yaml index 58d37fb01..3b530775c 100644 --- a/index.yaml +++ b/index.yaml 
@@ -28264,6 +28264,32 @@ entries: urls: - assets/nats/nats-0.19.15.tgz version: 0.19.15 + netscaler-cpx-with-ingress-controller: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: NetScaler CPX with Ingress Controller + catalog.cattle.io/kube-version: '>=v1.16.0-0' + catalog.cattle.io/release-name: netscaler-cpx-with-ingress-controller + apiVersion: v2 + appVersion: 2.1.4 + created: "2024-10-07T17:40:07.012410149-06:00" + description: A Helm chart for NetScaler CPX with NetScaler ingress Controller + running as sidecar. + digest: d4dabbbe76495af8bc84f5a2dcc9d7dcd4c209edd2972303c713138dd4415c47 + home: https://www.netscaler.com + icon: file://assets/icons/netscaler-cpx-with-ingress-controller.png + kubeVersion: '>=v1.16.0-0' + maintainers: + - email: priyanka.sharma@cloud.com + name: priyankash-citrix + - email: subash.dangol@cloud.com + name: subashd + name: netscaler-cpx-with-ingress-controller + sources: + - https://github.com/netscaler/netscaler-k8s-ingress-controller + urls: + - assets/netscaler/netscaler-cpx-with-ingress-controller-2.1.4.tgz + version: 2.1.4 netscaler-ingress-controller: - annotations: catalog.cattle.io/certified: partner @@ -44395,4 +44421,4 @@ entries: urls: - assets/netfoundry/ziti-host-1.5.1.tgz version: 1.5.1 -generated: "2024-10-07T17:08:55.519103105-06:00" +generated: "2024-10-07T17:40:03.648191257-06:00" diff --git a/packages/netscaler/netscaler-cpx-with-ingress-controller/overlay/app-readme.md b/packages/netscaler/netscaler-cpx-with-ingress-controller/overlay/app-readme.md new file mode 100644 index 000000000..6039d0e0c --- /dev/null +++ b/packages/netscaler/netscaler-cpx-with-ingress-controller/overlay/app-readme.md 
@@ -0,0 +1,5 @@ +# NetScaler CPX with NetScaler Ingress Controller Running as Sidecar + +In a [Kubernetes](https://kubernetes.io/) or [OpenShift](https://www.openshift.com) cluster, you can deploy [NetScaler CPX](https://docs.netscaler.com/en-us/cpx.html) with NetScaler ingress controller as a [sidecar](https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/). The NetScaler CPX instance is used for load balancing the North-South traffic to the microservices in your cluster. And, the sidecar NetScaler ingress controller configures the NetScaler CPX. + +This chart bootstraps deployment of NetScaler CPX with NetScaler Ingress Controller as sidecar. diff --git a/packages/netscaler/netscaler-cpx-with-ingress-controller/upstream.yaml b/packages/netscaler/netscaler-cpx-with-ingress-controller/upstream.yaml new file mode 100644 index 000000000..7f7b0ef39 --- /dev/null +++ b/packages/netscaler/netscaler-cpx-with-ingress-controller/upstream.yaml @@ -0,0 +1,4 @@ +DisplayName: NetScaler CPX with Ingress Controller +HelmChart: netscaler-cpx-with-ingress-controller +HelmRepo: https://netscaler.github.io/netscaler-helm-charts +Vendor: NetScaler
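Review bot: the sidecar livenessProbe in values.yaml only works if `LIVENESS_FILE_PATH` is exported into the ingress-controller container; with it unset, `FILE_PATH` is empty, `[ -f "" ]` fails and `exit 1` runs on every check, so the pod is restarted indefinitely once `initialDelaySeconds: 30` passes. Confirm the deployment template sets that variable, or give the command a fixed fallback path. Same hunk, further down: `cpxCommands` and `cpxShellCommands` are executed as-is inside the CPX container at startup, so anyone able to set release values can run NetScaler CLI and shell there; note this as a privileged setting next to the keys rather than only showing usage examples. Minor: comment typos `shoule` (under `ADMSettings.bandWidth`), `approrpiate` (bgpSettings header) and `nighbor` (under `neighbor`), and boolean style is mixed (`True`/`False` for the probe toggles and `setAsDefaultIngressClass`, `false`/`no` elsewhere); lowercase `true`/`false` throughout is the safer YAML convention.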
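Review bot: in the new index.yaml entry the `created` stamp (`2024-10-07T17:40:07.012410149-06:00`) is later than the updated `generated` stamp in the following hunk (`2024-10-07T17:40:03.648191257-06:00`); if both are written by the index tooling in one run the entry should not postdate the index, so check that the entry was not edited after generation. The `digest` and chart metadata otherwise match the new Chart.yaml.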
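Review bot: in app-readme.md the closing line ("This chart bootstraps deployment of NetScaler CPX with NetScaler Ingress Controller as sidecar.") repeats what the first paragraph already states, and the sentence beginning "And, the sidecar NetScaler ingress controller configures the NetScaler CPX." reads better joined to the previous one; since this file is what the catalog shows as the short description, tighten it to a single paragraph.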