diff --git a/charts/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway/1.11.0/.helmignore b/charts/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway/1.11.0/.helmignore new file mode 100644 index 000000000..50af03172 --- /dev/null +++ b/charts/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway/1.11.0/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway/1.11.0/Chart.yaml b/charts/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway/1.11.0/Chart.yaml new file mode 100644 index 000000000..2c0034daf --- /dev/null +++ b/charts/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway/1.11.0/Chart.yaml @@ -0,0 +1,22 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Citrix Adc Istio Ingress Gateway + catalog.cattle.io/release-name: citrix-adc-istio-ingress-gateway +apiVersion: v2 +appVersion: 1.11.0 +description: A Helm chart for Citrix ADC as Ingress Gateway installation in Istio + Service Mesh on Kubernetes platform +home: https://www.citrix.com +icon: https://raw.githubusercontent.com/citrix/citrix-xds-adaptor/master/docs/media/Citrix_Logo_Trademark.png +kubeVersion: '>=v1.16.0-0' +maintainers: +- email: dhiraj.gedam@citrix.com + name: dheerajng +- email: subash.dangol@citrix.com + name: subashd +- email: ajeeta.shaket@citrix.com + name: ajeetas +name: citrix-adc-istio-ingress-gateway +sources: +- https://github.com/citrix/citrix-xds-adaptor +version: 1.11.0 
diff --git a/charts/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway/1.11.0/README.md b/charts/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway/1.11.0/README.md new file mode 100644 index 000000000..a27d5dd17 --- /dev/null +++ b/charts/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway/1.11.0/README.md 
@@ -0,0 +1,479 @@ +# Deploy Citrix ADC as an Ingress Gateway in Istio environment using Helm charts + +Citrix Application Delivery Controller (ADC) can be deployed as an Istio Ingress Gateway to control the ingress traffic to Istio service mesh. + +# Table of Contents +1. [TL; DR;](#tldr) +2. [Introduction](#introduction) +3. [Deploy Citrix ADC VPX or MPX as an Ingress Gateway](#deploy-citrix-adc-vpx-or-mpx-as-an-ingress-gateway) +4. [Deploy Citrix ADC CPX as an Ingress Gateway](#deploy-citrix-adc-cpx-as-an-ingress-gateway) +5. [Using Existing Certificates to deploy Citrix ADC as an Ingress Gateway](#using-existing-certificates-to-deploy-citrix-adc-as-an-ingress-gateway) +6. [Deploy Citrix ADC as an Ingress Gateway in multi cluster Istio Service mesh](#deploy-citrix-adc-as-a-multicluster-ingress-gateway) +7. [Segregating traffic with multiple Ingress Gateways](#segregating-traffic-with-multiple-ingress-gateways) +8. [Visualizing statistics of Citrix ADC Ingress Gateway with Metrics Exporter](#visualizing-statistics-of-citrix-adc-ingress-gateway-with-metrics-exporter) +9. [Exposing services running on non-HTTP ports](#exposing-services-running-on-non-http-ports) +10. [Generate Certificate for Ingress Gateway](#generate-certificate-for-ingress-gateway) +11. [Configure Third Party Service Account Tokens](#using-third-party-service-account-tokens) +12. [Citrix ADC CPX License Provisioning](#citrix-adc-cpx-license-provisioning) +13. [Service Graph configuration](#configuration-for-servicegraph) +14. [Citrix ADC as Ingress Gateway: a sample deployment](#citrix-adc-as-ingress-gateway-a-sample-deployment) +15. [Uninstalling the Helm chart](#uninstalling-the-helm-chart) +16. [Citrix ADC VPX/MPX Certificate Verification](#citrix-adc-vpx-or-mpx-certificate-verification) +17. 
[Configuration Parameters](#configuration-parameters) + + +## TL; DR; + +### To deploy Citrix ADC VPX or MPX as an Ingress Gateway: + + kubectl create secret generic nslogin --from-literal=username= --from-literal=password= -n citrix-system + + helm repo add citrix https://citrix.github.io/citrix-helm-charts/ + + helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES --set ingressGateway.netscalerUrl=https://[:port] --set ingressGateway.vserverIP= --set secretName=nslogin + + + +### To deploy Citrix ADC CPX as an Ingress Gateway: + + helm repo add citrix https://citrix.github.io/citrix-helm-charts/ + + helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES --set citrixCPX=true + + +## Introduction + +This chart deploys Citrix ADC VPX, MPX, or CPX as an Ingress Gateway in the Istio service mesh using the Helm package manager. For detailed information on different deployment options, see [Deployment Architecture](https://github.com/citrix/citrix-istio-adaptor/blob/master/docs/istio-integration/architecture.md). + +### Compatibility Matrix between Citrix xDS-adaptor and Istio version + +Below table provides info about recommended Citrix xDS-Adaptor version to be used for various Istio versions. + +| Citrix xDS-Adaptor version | Istio version | +|----------------------------|---------------| +| quay.io/citrix/citrix-xds-adaptor:0.9.9 | Istio v1.10+ | +| quay.io/citrix/citrix-xds-adaptor:0.9.8 | Istio v1.8 to Istio v1.9 | +| quay.io/citrix/citrix-xds-adaptor:0.9.5 | Istio v1.6 | + +### Prerequisites + +The following prerequisites are required for deploying Citrix ADC as an Ingress Gateway in Istio service mesh: + +- Ensure that **Istio version 1.8 onwards** is installed +- Ensure that Helm with version 3.x is installed. 
Follow this [step](https://github.com/citrix/citrix-helm-charts/blob/master/Helm_Installation_version_3.md) to install the same. +- Ensure that your cluster Kubernetes version should be above 1.16 and the `admissionregistration.k8s.io/v1`, `admissionregistration.k8s.io/v1beta1` API is enabled + + You can verify the API by using the following command: + + kubectl api-versions | grep admissionregistration.k8s.io/v1 + + The following output indicates that the API is enabled: + + admissionregistration.k8s.io/v1 + admissionregistration.k8s.io/v1beta1 + +- **For deploying Citrix ADC VPX or MPX as an Ingress gateway:** + + Create a Kubernetes secret for the Citrix ADC user name and password using the following command: + + kubectl create secret generic nslogin --from-literal=username= --from-literal=password= -n citrix-system + + +- **Create system user account for xDS-adaptor in Citrix ADC:** + + The Citrix ADC appliance needs to have system user account (non-default) with certain privileges so that `xDS-adaptor` can configure the Citrix ADC VPX or MPX appliance. Follow the instructions to create the system user account on Citrix ADC. + + Create a Kubernetes secret for the user name and password using the following command: + + ``` + kubectl create secret generic nslogin --from-literal=username='cxa' --from-literal=password='mypassword' + ``` + + The `xDS-adaptor` configures the Citrix ADC using a system user account of the Citrix ADC. 
The system user account should have certain privileges so that the xDS-adaptor has permissions configure the following on the Citrix ADC: + + - Add, Delete, or View Content Switching (CS) virtual server + - Configure CS policies and actions + - Configure Load Balancing (LB) virtual server + - Configure Service groups + - Cofigure SSl certkeys + - Configure routes + - Configure user monitors + - Add system file (for uploading SSL certkeys from Kubernetes) + - Configure Virtual IP address (VIP) + - Check the status of the Citrix ADC appliance + - Add, Delete or view authentication virtual server, policy, authaction + - Add, Delete or view Policy + - Add, Delete or view Responder policy, action, param + - Add, Delete or view Rewrite policy, action, param + - Add, Delete or view analytics profile + - Add, Delete or view DNS name server + - Add, Delete or view network netprofile + - Add, Delete or view Traffic Management Commands(sessionaction, session policy, sessionparameter) + + +> **Note:** +> +> The system user account would have privileges based on the command policy that you define. + + To create the system user account, do the following: + + 1. Log on to the Citrix ADC appliance. Perform the following: + 1. Use an SSH client, such as PuTTy, to open an SSH connection to the Citrix ADC appliance. + + 2. Log on to the appliance by using the administrator credentials. + + 2. Create the system user account using the following command: + + ``` + add system user + ``` + + For example: + + ``` + add system user cxa mypassword + ``` + + 3. Create a policy to provide required permissions to the system user account. 
Use the following command: + + ``` + add cmdpolicy cxa-policy ALLOW "((^\S+\s+cs\s+\S+)|(^\S+\s+lb\s+\S+)|(^\S+\s+service\s+\S+)|(^\S+\s+servicegroup\s+\S+)|(^stat\s+system)|(^show\s+ha)|(^\S+\s+ssl\s+certKey)|(^\S+\s+ssl)|(^\S+\s+route)|(^\S+\s+monitor)|(^show\s+ns\s+ip)|(^\S+\s+system\s+file)|)|(^\S+\s+aaa\s+\S+)|(^\S+\s+aaa\s+\S+\s+.*)|(^\S+\s+authentication\s+\S+)|(^\S+\s+authentication\s+\S+\s+.*)|(^\S+\s+policy\s+\S+)|(^\S+\s+policy\s+\S+\s+.*)|(^\S+\s+rewrite\s+\S+)|(^\S+\s+rewrite\s+\S+\s+.*)|(^\S+\s+analytics\s+\S+)|(^\S+\s+analytics\s+\S+\s+.*)|(^\S+\s+dns\s+\S+)|(^\S+\s+dns\s+\S+\s+.*)|(^\S+\s+netProfile)|(^\S+\s+netProfile\s+.*)|(^\S+\s+tm\s+\S+)|(^\S+\s+tm\s+\S+\s+.*)" + ``` + + 4. Bind the policy to the system user account using the following command: + + ``` + bind system user cxa cxa-policy 0 + ``` + +- **Registration of Citrix ADC CPX in ADM** + +Create a secret for ADM username and password + + kubectl create secret generic admlogin --from-literal=username= --from-literal=password= -n citrix-system + +- **Important Note:** For deploying Citrix ADC VPX or MPX as ingress gateway, you should establish the connectivity between Citrix ADC VPX or MPX and cluster nodes. This connectivity can be established by configuring routes on Citrix ADC as mentioned [here](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/staticrouting.md) or by deploying [Citrix Node Controller](https://github.com/citrix/citrix-k8s-node-controller). + + +## Deploy Citrix ADC VPX or MPX as an Ingress Gateway + + To deploy Citrix ADC VPX or MPX as an Ingress Gateway in the Istio service mesh, do the following step. In this example, release name is specified as `citrix-adc-istio-ingress-gateway` and namespace as `citrix-system`. 
+ + kubectl create secret generic nslogin --from-literal=username= --from-literal=password= -n citrix-system + + helm repo add citrix https://citrix.github.io/citrix-helm-charts/ + + helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,ingressGateway.netscalerUrl=https://[:port],ingressGateway.vserverIP= --set secretName=nslogin + +## Deploy Citrix ADC CPX as an Ingress Gateway + + To deploy Citrix ADC CPX as an Ingress Gateway, do the following step. In this example, release name is specified as `my-release` and namespace is used as `citrix-system`. + + helm repo add citrix https://citrix.github.io/citrix-helm-charts/ + + helm install my-release citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,citrixCPX=true + + +## Deploy Citrix ADC as an Ingress Gateway in multi cluster Istio Service mesh + +To deploy **Citrix ADC VPX/MPX as an Ingress Gateway** in multi cluster Istio Service mesh, carry out below steps. +``` +helm repo add citrix https://citrix.github.io/citrix-helm-charts/ + +helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,ingressGateway.netscalerUrl=https://[:port],ingressGateway.vserverIP= --set ingressGateway.multiClusterIngress=true +``` + +To deploy **Citrix ADC CPX as an Ingress Gateway** in multi cluster Istio Service mesh, carry out below steps. +``` +helm repo add citrix https://citrix.github.io/citrix-helm-charts/ + +helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,citrixCPX=true --set ingressGateway.multiClusterIngress=true + +``` + +By default, port 15443 of the Citrix ADC will be used to handle all the inter-cluster traffic coming to services deployed in local cluster. These services are exposed using `*.global` domain. 
+To modify the default 15443 port and "global" domain, use _ingressGateway.multiClusterListenerPort_ and _ingressGateway.multiClusterSvcDomain_ options of helm chart. + +For example, to use port 25443 and _mydomain_ as the service domain to expose local cluster deployed services to services in remote clusters. + +``` + +helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,ingressGateway.netscalerUrl=https://[:port],ingressGateway.vserverIP= --set ingressGateway.multiClusterIngress=true --set ingressGateway.multiClusterListenerPort=25443 --set ingressGateway.multiClusterSvcDomain=mydomain + +``` + +Follow [this](https://github.com/citrix/citrix-helm-charts/tree/master/examples/citrix-adc-ingress-in-multicluster-istio/README.md) as a sample example to deploy Citrix ADC as Ingress gateway in multi-cluster Istio service mesh. + +## Using Existing Certificates to deploy Citrix ADC as an Ingress Gateway + +You may want to use the existing certificate and key for authenticating access to an application using Citrix ADC Ingress Gateway. In that case, you can create a Kubernetes secret from the existing certificate and key. You can mount the Kubernetes secret as data volumes in Citrix ADC Ingress Gateway. + +To create a Kubernetes secret using an existing key named `test_key.pem` and a certificate named `test.pem`, use the following command: + + kubectl create -n citrix-system secret tls citrix-ingressgateway-certs --key test_key.pem --cert test.pem + +Note: Ensure that Kubernetes secret is created in the same namespace where Citrix ADC Ingress Gateway is deployed. 
+ +To deploy Citrix ADC VPX or MPX with secret volume, do the following step: + + kubectl create secret generic nslogin --from-literal=username= --from-literal=password= -n citrix-system + + helm repo add citrix https://citrix.github.io/citrix-helm-charts/ + + helm install my-release citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,secretName=nslogin,ingressGateway.netscalerUrl=https://[:port],ingressGateway.vserverIP=,ingressGateway.secretVolumes[0].name=test-ingressgateway-certs,ingressGateway.secretVolumes[0].secretName=test-ingressgateway-certs,ingressGateway.secretVolumes[0].mountPath=/etc/istio/test-ingressgateway-certs + +To deploy Citrix ADC CPX with secret volume, do the following step: + + helm repo add citrix https://citrix.github.io/citrix-helm-charts/ + + helm install my-release citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,citrixCPX=true,ingressGateway.secretVolumes[0].name=test-ingressgateway-certs,ingressGateway.secretVolumes[0].secretName=test-ingressgateway-certs,ingressGateway.secretVolumes[0].mountPath=/etc/istio/test-ingressgateway-certs + +## Segregating traffic with multiple Ingress Gateways + +You can deploy multiple Citrix ADC Ingress Gateway devices and segregate traffic to various deployments in the Istio service mesh. This can be achieved with *custom labels*. By default, Citrix ADC Ingress Gateway service comes up with the `app: citrix-ingressgateway` label. This label is used as a selector while deploying the Ingress Gateway or virtual service resources. If you want to deploy Ingress Gateway with the custom label, you can do it using the `ingressGateway.label` option in the Helm chart. 
+ +To deploy Citrix ADC CPX Ingress Gateway with the label `my_custom_ingressgateway`, do the following step: + + helm repo add citrix https://citrix.github.io/citrix-helm-charts/ + + helm install my-release citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,citrixCPX=true,ingressGateway.lightWeightCPX=NO,ingressGateway.label=my_custom_ingressgateway + +To deploy Citrix ADC VPX or MPX as an Ingress Gateway with the label `my_custom_ingressgateway`, do the following step: + + kubectl create secret generic nslogin --from-literal=username= --from-literal=password= -n citrix-system + + helm repo add citrix https://citrix.github.io/citrix-helm-charts/ + + helm install my-release citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,secretName=nslogin,ingressGateway.netscalerUrl=https://[:port],ingressGateway.vserverIP=,ingressGateway.label=my_custom_ingressgateway + +## Visualizing statistics of Citrix ADC Ingress Gateway with Metrics Exporter + +By default, [Citrix ADC Metrics Exporter](https://github.com/citrix/citrix-adc-metrics-exporter) is also deployed along with Citrix ADC Ingress Gateway. Citrix ADC Metrics Exporter fetches statistical data from Citrix ADC and exports it to Prometheus running in Istio service mesh. When you add Prometheus as a data source in Grafana, you can visualize this statistical data in the Grafana dashboard. + +Metrics Exporter requires the IP address of Citrix ADC CPX or VPX Ingress Gateway. It is retrieved from the value specified for `ingressGateway.netscalerUrl`. + +When Citrix ADC CPX is deployed as Ingress Gateway, Metrics Exporter runs along with Citrix CPX Ingress Gateway in the same pod and specifying IP address is optional. + +To deploy Citrix ADC as Ingress Gateway without Metrics Exporter, set the value of `metricExporter.required` as false. 
+ + + kubectl create secret generic nslogin --from-literal=username= --from-literal=password= -n citrix-system + + helm repo add citrix https://citrix.github.io/citrix-helm-charts/ + + helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,secretName=nslogin,ingressGateway.netscalerUrl=https://[:port],ingressGateway.vserverIP=,metricExporter.required=false + +"Note:" To remotely access telemetry addons such as Prometheus and Grafana, see [Remotely Accessing Telemetry Addons](https://istio.io/docs/tasks/telemetry/gateways/). + +## Exposing services running on non-HTTP ports + +By default, services running on HTTP ports (80 & 443) are exposed through Citrix ADC Ingress Gateway. Similarly, you can expose services that are deployed on non-HTTP ports through the Citrix ADC Ingress Gateway device. + +To deploy Citrix ADC MPX or VPX, and expose a service running on a TCP port, do the following step. + +In this example, a service running on TCP port 5000 is exposed using port 10000 on Citrix ADC. + + kubectl create secret generic nslogin --from-literal=username= --from-literal=password= -n citrix-system + + helm repo add citrix https://citrix.github.io/citrix-helm-charts/ + + helm install my-release citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,secretName=nslogin,ingressGateway.netscalerUrl=https://[:port],ingressGateway.vserverIP=,ingressGateway.tcpPort[0].name=tcp1,ingressGateway.tcpPort[0].port=10000,ingressGateway.tcpPort[0].targetPort=5000 + + To deploy Citrix ADC CPX and expose a service running on a TCP port, do the following step. + In this example, port 10000 on the Citrix ADC CPX instance is exposed using TCP port 30000 (node port configuration) on the host machine. 
+ + helm repo add citrix https://citrix.github.io/citrix-helm-charts/ + + helm install my-release citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,citrixCPX=true,ingressGateway.tcpPort[0].name=tcp1,ingressGateway.tcpPort[0].nodePort=30000,ingressGateway.tcpPort[0].port=10000,ingressGateway.tcpPort[0].targetPort=5000 + +## Generate Certificate for Ingress Gateway + +Citrix Ingress gateway needs TLS certificate-key pair for establishing secure communication channel with backend applications. Earlier these certificates were issued by Istio Citadel and bundled in Kubernetes secret. Certificate was loaded in the application pod by doing volume mount of secret. Now `xDS-Adaptor` can generate its own certificate and get it signed by the Istio Citadel (Istiod). This eliminates the need of secret and associated [risks](https://kubernetes.io/docs/concepts/configuration/secret/#risks). + +xDS-Adaptor needs to be provided with details Certificate Authority (CA) for successful signing of Certificate Signing Request (CSR). By default, CA is `istiod.istio-system.svc` which accepts CSRs on port 15012. +To skip this process, don't provide any value (empty string) to `certProvider.caAddr`. +``` + helm repo add citrix https://citrix.github.io/citrix-helm-charts/ + + helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES --set citrixCPX=true --set certProvider.caAddr="" +``` +### Configure Third Party Service Account Tokens + +In order to generate certificate for application workload, xDS-Adaptor needs to send valid service account token along with Certificate Signing Request (CSR) to the Istio control plane (Citadel CA). Istio control plane authenticates the xDS-Adaptor using this JWT. +Kubernetes supports two forms of these tokens: + +* Third party tokens, which have a scoped audience and expiration. 
+* First party tokens, which have no expiration and are mounted into all pods. + + If Kubernetes cluster is installed with third party tokens, then the same information needs to be provided for automatic sidecar injection by passing `--set certProvider.jwtPolicy="third-party-jwt"`. By default, it is `first-party-jwt`. + +``` + helm repo add citrix https://citrix.github.io/citrix-helm-charts/ + + helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES --set citrixCPX=true --set certProvider.caAddr="istiod.istio-system.svc" --set certProvider.jwtPolicy="third-party-jwt" + +``` + +To determine if your cluster supports third party tokens, look for the TokenRequest API using below command. If there is no output, then it is `first-party-jwt`. In case of `third-party-jwt`, output will be like below. + +``` +# kubectl get --raw /api/v1 | jq '.resources[] | select(.name | index("serviceaccounts/token"))' + +{ + "name": "serviceaccounts/token", + "singularName": "", + "namespaced": true, + "group": "authentication.k8s.io", + "version": "v1", + "kind": "TokenRequest", + "verbs": [ + "create" + ] +} + +``` + +## **Citrix ADC CPX License Provisioning** +By default, CPX runs with 20 Mbps bandwidth called as [CPX Express](https://www.citrix.com/en-in/products/citrix-adc/cpx-express.html) however for better performance and production deployment customer needs licensed CPX instances. [Citrix ADM](https://www.citrix.com/en-in/products/citrix-application-delivery-management/) is used to check out licenses for Citrix ADC CPX. + +**Bandwidth based licensing** +For provisioning licensing on Citrix ADC CPX, it is mandatory to provide License Server information to CPX. This can be done by setting **ADMSettings.licenseServerIP** as License Server IP. In addition to this, **ADMSettings.bandWidthLicense** needs to be set true and desired bandwidth capacity in Mbps should be set **ADMSettings.bandWidth**. 
+For example, to set 2Gbps as bandwidth capacity, below command can be used. + + helm repo add citrix https://citrix.github.io/citrix-helm-charts/ + + helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES --set ADMSettings.licenseServerIP=,ADMSettings.bandWidthLicense=True --set ADMSettings.bandWidth=2000 --set citrixCPX=true + +## **Service Graph configuration** + Citrix ADM Service graph is an observability tool that allows user to analyse service to service communication. The service graph is generated by ADM post collection of transactional data from registered Citrix ADC instances. More details about it can be found [here](https://docs.citrix.com/en-us/citrix-application-delivery-management-service/application-analytics-and-management/service-graph.html). + Citrix ADC needs to be provided with ADM details for registration and data export. This section lists the steps needed to deploy Citrix ADC and register it with ADM. + +**Deploy Citrix ADC CPX as ingress gateway** + 1. Create secret using Citrix ADM Agent credentials, which will be used by Citrix ADC as CPX to communicate with Citrix ADM Agent: + + kubectl create secret generic admlogin --from-literal=username= --from-literal=password= + + 2. Deploy Citrix ADC CPX as ingress gateway using helm command with `ADM` details: + + helm install citrix-adc-istio-ingress-gateway citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES --set citrixCPX=true --set ADMSettings.ADMIP= + + +> **Note:** +> If container agent is being used here for Citrix ADM, specify `serviceIP` of container agent in the `ADMSettings.ADMIP` parameter. 
+ +**Deploy Citrix ADC VPX/MPX as ingress gateway** + + Deploy Citrix ADC VPX/MPX as ingress gateway using helm command and set analytics settings on Citrix ADC VPX/MPX for sending transaction metrics to Citrix ADM + + helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES --set ingressGateway.netscalerUrl=https://[:port] --set ingressGateway.vserverIP= --set secretName=nslogin + + Add the following configurations in Citrix ADC VPX/MPX + + en ns mode ulfd + + en ns feature appflow + + add appflow collector logproxy_lstreamd -IPAddress -port 5557 -Transport logstream + + set appflow param -templateRefresh 3600 -httpUrl ENABLED -httpCookie ENABLED -httpReferer ENABLED -httpMethod ENABLED -httpHost ENABLED -httpUserAgent ENABLED -httpContentType ENABLED -httpAuthorization ENABLED -httpVia ENABLED -httpXForwardedFor ENABLED -httpLocation ENABLED -httpSetCookie ENABLED -httpSetCookie2 ENABLED -httpDomain ENABLED -httpQueryWithUrl ENABLED metrics ENABLED -events ENABLED -auditlogs ENABLED + + add appflow action logproxy_lstreamd -collectors logproxy_lstreamd + + add appflow policy logproxy_policy true logproxy_lstreamd + + bind appflow global logproxy_policy 10 END -type REQ_DEFAULT + + bind appflow global logproxy_policy 10 END -type OTHERTCP_REQ_DEFAULT + + +> **Note:** +> If container agent is being used here for Citrix ADM, specify `PodIP` of container agent in above manual config. + + +## Citrix ADC as Ingress Gateway: a sample deployment + +A sample deployment of Citrix ADC as an Ingress gateway for the Bookinfo application is provided [here](https://github.com/citrix/citrix-helm-charts/tree/master/examples/citrix-adc-in-istio). + +## Uninstalling the Helm chart + +To uninstall or delete a chart with release name as `my-release`, do the following step. 
+ + helm delete my-release + +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Citrix ADC VPX/MPX Certificate Verification + +Create a Kubernetes secret holding the CA certificate of Citrix ADC VPX/MPX with the filename `root-cert.pem`. + + kubectl create secret generic citrix-adc-cert --from-file=./root-cert.pem + +Note: Ensure that Kubernetes secret is created in the same namespace where Citrix ADC Ingress Gateway is deployed. + +To deploy Citrix ADC VPX or MPX with Citrix ADC certificate verification, do the following step: + + kubectl create secret generic nslogin --from-literal=username= --from-literal=password= -n citrix-system + + helm repo add citrix https://citrix.github.io/citrix-helm-charts/ + + helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,secretName=nslogin,ingressGateway.netscalerUrl=https://[:port],ingressGateway.vserverIP=,ingressGateway.adcServerName= + +## Configuration parameters + +The following table lists the configurable parameters in the Helm chart and their default values. + + +| Parameter | Description | Default | Optional/Mandatory | +|--------------------------------|-------------------------------|---------------------------|---------------------------| +| `citrixCPX` | Citrix ADC CPX | FALSE | Mandatory for Citrix ADC CPX | +| `xDSAdaptor.image` | Image of the Citrix xDS adaptor container (Refer compatibility matrix) |quay.io/citrix/citrix-xds-adaptor:0.9.9 | Mandatory| +| `xDSAdaptor.imagePullPolicy` | Image pull policy for xDS adaptor | IfNotPresent | Optional| +| `xDSAdaptor.secureConnect` | If this value is set to true, xDS-adaptor establishes secure gRPC channel with Istio Pilot | TRUE | Optional| +| `xDSAdaptor.logLevel` | Log level to be set for xDS-adaptor log messages. 
Possible values: TRACE (most verbose), DEBUG, INFO, WARN, ERROR (least verbose) | DEBUG | Optional| +| `xDSAdaptor.jsonLog` | Set this argument to true if log messages are required in JSON format | false | Optional| +| `coe.coeURL` | Name of [Citrix Observability Exporter](https://github.com/citrix/citrix-observability-exporter) Service in the form of "." | null | Optional| +| `coe.coeTracing` | Use COE to send appflow transactions to Zipkin endpoint. If it is set to true, ADM servicegraph (if configured) can be impacted. | false | Optional| +| `ADMSettings.ADMIP ` | Citrix Application Delivery Management (ADM) IP address | null | Mandatory for Citrix ADC CPX | +| `ADMSettings.licenseServerIP ` | Citrix License Server IP address | null | Optional | +| `ADMSettings.licenseServerPort` | Citrix ADM port if a non-default port is used | 27000 | Optional| +| `ADMSettings.bandWidth` | Desired bandwidth capacity to be set for Citrix ADC CPX in Mbps | null | Optional | +| `ADMSettings.bandWidthLicense` | To specify bandwidth based licensing | false | Optional | +| `ingressGateway.netscalerUrl` | URL or IP address of the Citrix ADC which Istio-adaptor configures (Mandatory if citrixCPX=false)| null |Mandatory for Citrix ADC MPX or VPX| +| `ingressGateway.vserverIP` | Virtual server IP address on Citrix ADC (Mandatory if citrixCPX=false) | null | Mandatory for Citrix ADC MPX or VPX| +| `ingressGateway.adcServerName ` | Citrix ADC ServerName used in the Citrix ADC certificate | null | Optional | +| `ingressGateway.image` | Image of Citrix ADC CPX designated to run as Ingress Gateway |quay.io/citrix/citrix-k8s-cpx-ingress:13.0-79.64 | Mandatory for Citrix ADC CPX | +| `ingressGateway.imagePullPolicy` | Image pull policy | IfNotPresent | Optional| +| `ingressGateway.EULA` | End User License Agreement(EULA) terms and conditions. If yes, then user agrees to EULA terms and conditions. 
| NO | Mandatory for Citrix ADC CPX +| `ingressGateway.mgmtHttpPort` | Management port of the Citrix ADC CPX | 9080 | Optional| +| `ingressGateway.mgmtHttpsPort` | Secure management port of Citrix ADC CPX | 9443 | Optional| +| `ingressGateway.httpNodePort` | Port on host machine which is used to expose HTTP port (80) of Citrix ADC CPX | 30180 |Optional| +| `ingressGateway.httpsNodePort` | Port on host machine which is used to expose HTTPS port (443) of Citrix ADC CPX | 31443 |Optional| +| `ingressGateway.nodePortRequired` | Set this argument if servicetype to be NodePort of Citrix ADC CPX | false |Optional| +| `ingressGateway.secretVolume` | A map of user defined volumes to be mounted using Kubernetes secrets | null |Optional| +| `ingressGateway.label` | Custom label for the Ingress Gateway service | citrix-ingressgateway |Optional| +| `ingressGateway.netProfile ` | Network profile name used by [CNC](https://github.com/citrix/citrix-k8s-node-controller) to configure Citrix ADC VPX or MPX which is deployed as Ingress Gateway | null | Optional| +| `ingressGateway.multiClusterIngress ` | Flag indicating if Citrix ADC is acting as Ingress gateway to multi cluster Istio mesh installation. 
Possible values: true/false | false | Optional| +| `ingressGateway.multiClusterListenerPort ` | Port opened on Citrix ADC to enable inter-cluster service to service (E-W) communication | 15443 | Optional| +| `ingressGateway.multiClusterListenerNodePort ` | Nodeport for multiClusterListenerPort in case of Citrix ADC CPX acting as Ingress gateway | 32443 | Optional| +| `ingressGateway.multiClusterSvcDomain ` | Domain suffix of remote service (deployed in other cluster) used in E-W communication | global | Optional| +| `ingressGateway.tcpPort` | For exposing multiple TCP ingress | null |Optional| +| `istioPilot.name` | Name of the Istio Pilot service | istiod |Optional| +| `istioPilot.namespace` | Namespace where Istio Pilot is running | istio-system |Optional| +| `istioPilot.secureGrpcPort` | Secure GRPC port where Istiod (Istio Pilot) is listening (default setting) | 15012 |Optional| +| `istioPilot.insecureGrpcPort` | Insecure GRPC port where Istiod (Istio Pilot) is listening | 15010 |Optional| +| `istioPilot.SAN` | Subject alternative name for Istiod (Istio Pilot) which is the secure production identity framework for everyone (SPIFFE) ID of Istio Pilot | null |Optional| +| `metricExporter.required` | Metrics exporter for Citrix ADC | TRUE |Optional| +| `metricExporter.image` | Image of the Citrix ADC Metrics Exporter | quay.io/citrix/citrix-adc-metrics-exporter:1.4.8 |Optional| +| `metricExporter.port` | Port over which Citrix ADC Metrics Exporter collects metrics of Citrix ADC. | 8888 |Optional| +| `metricExporter.secure` | Enables collecting metrics over TLS | YES |Optional| +| `metricExporter.logLevel` | Level of logging in Citrix ADC Metrics Exporter. 
Possible values are: DEBUG, INFO, WARNING, ERROR, CRITICAL | ERROR |Optional| +| `metricExporter.imagePullPolicy` | Image pull policy for Citrix ADC Metrics Exporter | IfNotPresent |Optional| +| `certProvider.caAddr` | Certificate Authority (CA) address issuing certificate to application | istiod.istio-system.svc | Optional | +| `certProvider.caPort` | Certificate Authority (CA) port issuing certificate to application | 15012 | Optional | +| `certProvider.trustDomain` | SPIFFE Trust Domain | cluster.local | Optional | +| `certProvider.certTTLinHours` | Validity of certificate generated by xds-adaptor and signed by Istiod (Istio Citadel) in hours. Default is 30 days validity | 720 | Optional | +| `certProvider.clusterId` | clusterId is the ID of the cluster where Istiod CA instance resides (default Kubernetes). It can be different value on some cloud platforms or in multicluster environments. For example, in Anthos servicemesh, it might be of the format of `cn--`. In multiCluster environments, it is the value of global.multiCluster.clusterName provided during servicemesh control plane installation | Kubernetes | Optional | +| `certProvider.jwtPolicy` | Service Account token type. Kubernetes platform supports First party tokens and Third party tokens. Usually public cloud based Kubernetes has third-party-jwt | null | Optional | +| `secretName` | Name of the Kubernetes secret holding Citrix ADC credentials | nslogin | Mandatory for Citrix ADC VPX/MPX | + +**Note:** You can use the `values.yaml` file packaged in the chart. This file contains the default configuration values for the chart. diff --git a/charts/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway/1.11.0/app-readme.md b/charts/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway/1.11.0/app-readme.md new file mode 100644 index 000000000..dc4ee42ac --- /dev/null +++ b/charts/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway/1.11.0/app-readme.md 
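Review bot: the defaults in this README.md table disagree with questions.yml in the same commit: `ingressGateway.mgmtHttpPort`/`mgmtHttpsPort` are 9080/9443 here but 10080/10443 there, `ingressGateway.nodePortRequired` is false here and true there, `ingressGateway.multiClusterListenerNodePort` is 32443 here and 15443 there, and `xDSAdaptor.jsonLog` is false here and "true" there; pick one source of truth and regenerate the table from it. `metricExporter.secure` is documented as defaulting to YES, but the CPX branch of citrix-adc-ingressgateway-deployment.yaml passes `--secure=no` unconditionally, so the row should say the flag only takes effect for the VPX/MPX deployment. Several parameter names carry a trailing space inside the backticks (`ADMSettings.ADMIP `, `ingressGateway.netProfile `, `ingressGateway.multiClusterIngress `), and the `coe.coeURL` description's `"."` and the `certProvider.clusterId` example `cn--` look like placeholders whose angle-bracketed text was stripped by the markdown renderer; restore or escape them.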
@@ -0,0 +1,38 @@ +# Citrix ADC as an Ingress Gateway for Istio + +An [Istio](https://istio.io/) ingress gateway acts as an entry point for the incoming traffic and secures and controls access to the service mesh. It also performs routing and load balancing. Citrix ADC [CPX](https://docs.citrix.com/en-us/citrix-adc-cpx), MPX, or [VPX](https://docs.citrix.com/en-us/citrix-adc.html), can be deployed as an ingress gateway to the Istio service mesh. + +### Prerequisites + +The following prerequisites are required for deploying Citrix ADC as an Ingress Gateway in Istio service mesh: + +- Ensure that **Istio** is enabled. +- Ensure that your cluster has Kubernetes version 1.16.0 or later. +- Ensure to create secret named **nslogin** with username and password in same namespace in case of VPX/MPX . Choose the **Cluster Explorer > Storage > Secrets** in the navigation bar. + +### Important NOTE: +- Follow this [link](https://github.com/citrix/citrix-helm-charts/blob/master/examples/citrix-adc-in-istio/README.md +) to deploy Citrix ADC as an ingress gateway for application. +- For deploying Citrix ADC VPX or MPX as ingress gateway, you should establish the connectivity between Citrix ADC VPX or MPX and cluster nodes. This connectivity can be established by configuring routes on Citrix ADC as mentioned [here](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/staticrouting.md) or by deploying [Citrix Node Controller](https://github.com/citrix/citrix-k8s-node-controller). +- To use the certificate and key for authenticating access to an application using Citrix ADC Ingress Gateway. In that case, you can create a Kubernetes secret from the existing certificate and key. You can mount the Kubernetes secret as data volumes in Citrix ADC Ingress Gateway. Then specify a list of secret, volume name, mount path in subsequent fields of `SecretVolume` section: + - Go to `Edit as YAML` option and update below values . 
+ ``` + secretVolumes: + - name: + secretName: + mountPath: + ``` + For more details, follow this [link](https://github.com/citrix/citrix-helm-charts/tree/master/citrix-adc-istio-ingress-gateway#using-existing-certificates-to-deploy-citrix-adc-as-an-ingress-gateway) + +- By default, gateway is configured to expose HTTP(S) services. To expose non-HTTP services, Then specify a list of port, port-name, target-port, nodeport (if applicable) in subsequent fields of `tcpPort` section. + - Go to `Edit as YAML` option and update below values. + ``` + tcpPort: + - name: + nodePort: + port: + targetPort: + ``` + For more details follow this [link](https://github.com/citrix/citrix-helm-charts/tree/master/citrix-adc-istio-ingress-gateway#exposing-services-running-on-non-http-ports) + +This catalog deploys Citrix ADC VPX, MPX, or CPX as an Ingress Gateway in the Istio service mesh. For detailed information on various deployment options,checkout this [link](https://github.com/citrix/citrix-istio-adaptor). diff --git a/charts/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway/1.11.0/questions.yml b/charts/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway/1.11.0/questions.yml new file mode 100644 index 000000000..36a7b0035 --- /dev/null +++ b/charts/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway/1.11.0/questions.yml 
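Review bot: in app-readme.md the first link under "Important NOTE" is broken: the URL `https://github.com/citrix/citrix-helm-charts/blob/master/examples/citrix-adc-in-istio/README.md` ends one line and the closing `)` starts the next, so it will not render as a link; join them on one line. The nslogin prerequisite should also state which keys the secret must contain: the VPX/MPX deployment reads `username` and `password` from the secret named by `secretName`, so a secret created with other key names leaves the adaptor unable to authenticate to the ADC. The `secretVolumes` and `tcpPort` snippets have nothing after `name:`, `secretName:`, `mountPath:`, `port:` and `targetPort:`; the placeholder text appears to have been lost, and the sentence "To use the certificate and key for authenticating access to an application using Citrix ADC Ingress Gateway." is a fragment. Minor: "options,checkout" needs a space.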
@@ -0,0 +1,405 @@ +labels: + io.rancher.certified: partner +questions: +- variable: citrixCPX + required: true + type: boolean + default: true + description: "Set true to use Citrix ADC CPX as ingress device. Set false to use VPX/MPX as ingress device" + label: citrixCPX + group: "Deployment Settings" +- variable: secrets.name + required: true + type: string + default: "nslogin" + description: "Ensure to create nslogin secret in same namespace" + show_if: "citrixCPX=false" + group: "nslogin Settings" +- variable: xDSAdaptor.image + required: true + type: string + default: "quay.io/citrix/citrix-xds-adaptor:0.9.9" + label: xDSAdaptor Image + description: "xDSAdaptor Image to be used with version" + group: "xDSAdaptor Settings" +- variable: xDSAdaptor.imagePullPolicy + required: true + type: enum + default: IfNotPresent + label: xDSAdaptor imagePullPolicy + description: "xDSAdaptor Image pull policy" + options: + - "Always" + - "IfNotPresent" + - "Never" + group: "xDSAdaptor Settings" +- variable: xDSAdaptor.proxyType + required: false + type: string + default: "router" + label: xDSAdaptor proxyType + description: "xDSAdaptor proxyType type set to router by default" + group: "xDSAdaptor Settings" +- variable: xDSAdaptor.secureConnect + required: true + type: boolean + default: true + label: xDSAdaptor secureConnect + description: "If this value is set to true, xDSAdaptor establishes secure gRPC channel with Istio Pilot" + group: "xDSAdaptor Settings" +- variable: xDSAdaptor.logLevel + required: false + type: enum + default: DEBUG + label: xDSAdaptor logLevel + description: "xDSAdaptor logLevel" + options: + - "TRACE" + - "DEBUG" + - "INFO" + - "WARN" + - "ERROR" + group: "xDSAdaptor Settings" +- variable: xDSAdaptor.jsonLog + required: false + type: string + default: "true" + label: xDSAdaptor jsonLog + description: "Set this argument to true if log messages are required in JSON format" + group: "xDSAdaptor Settings" +- variable: coe.coeURL + required: false + type: 
string + label: coe coeURL + description: "Name of Citrix Observability Exporter Service" + group: "COE Settings" +- variable: coe.coeTracing + required: false + type: boolean + label: coe coeTracing + description: "Used to send appflow transactions to Zipkin endpoint,if true ADM servicegraph (if configured) can be impacted" + group: "COE Settings" +- variable: istioPilot.name + required: true + type: string + default: istiod + label: istio-pilot name + group: "istio-pilot Settings" + description: "Name of the Istio Pilot service" +- variable: istioPilot.namespace + required: true + type: string + default: istio-system + label: istio-pilot namespace + description: "Namespace where Istio Pilot is running" + group: "istio-pilot Settings" +- variable: istioPilot.secureGrpcPort + required: true + type: int + default: 15012 + label: istio-pilot secureGrpcPort + show_if: "xDSAdaptor.secureConnect=true" + description: "Secure GRPC port where Istio Pilot is listening" + group: "istio-pilot Settings" +- variable: istioPilot.insecureGrpcPort + required: true + type: int + default: 15010 + show_if: "xDSAdaptor.secureConnect=false" + label: istio-pilot insecureGrpcPort + description: "Insecure GRPC port where Istio Pilot is listening" + group: "istio-pilot Settings" +- variable: istioPilot.SAN + required: false + type: string + default: + label: istio-pilot SAN + description: "Subject alternative name for Istio Pilot which is (SPIFFE) ID of Istio Pilot" + show_if: "xDSAdaptor.secureConnect=true" + group: "istio-pilot Settings" +- variable: ingressGateway.netscalerUrl + required: true + type: string + default: + label: ingressGateway netscalerUrl + description: "URL or IP address of the Citrix ADC which Istio-adaptor configures (Mandatory if citrixCPX=false)" + show_if: "citrixCPX=false" + group: "ingressGateway Settings" +- variable: ingressGateway.image + required: true + type: string + default: "quay.io/citrix/citrix-k8s-cpx-ingress:13.0-79.64" + label: ingressGateway Image 
+ description: "ingressGateway image to be used" + group: "ingressGateway Settings" +- variable: ingressGateway.imagePullPolicy + required: true + type: enum + default: IfNotPresent + label: ingressGateway imagePullPolicy + description: Ingress-gateway Image pull policy + group: "ingressGateway Settings" + options: + - "Always" + - "IfNotPresent" + - "Never" +- variable: ingressGateway.EULA + required: true + type: enum + description: "End user license agreement (read EULA before accepting it yes)" + label: ingressGateway EULA + options: + - "YES" + - "NO" + group: "ingressGateway Settings" +- variable: ingressGateway.mgmtHttpPort + required: true + type: int + default: 10080 + label: ingressGateway mgmtHttpPort + description: "Management port of the Citrix ADC CPX" + show_if: "citrixCPX=true" + group: "ingressGateway Settings" +- variable: ingressGateway.mgmtHttpsPort + required: true + type: int + default: 10443 + show_if: "citrixCPX=true" + label: ingressGateway mgmtHttpsPort + description: "Secure management port of Citrix ADC CPX" + group: "ingressGateway Settings" +- variable: ingressGateway.httpNodePort + required: true + type: int + default: 30180 + show_if: "citrixCPX=true" + label: ingressGateway httpNodePort + description: "Port on host machine which is used to expose HTTP port of Citrix ADC CPX" + group: "ingressGateway Settings" +- variable: ingressGateway.httpsNodePort + required: true + type: int + default: 31443 + show_if: "citrixCPX=true" + label: ingressGateway httpsNodePort + description: "Port on host machine which is used to expose HTTPS port of Citrix ADC CPX" + group: "ingressGateway Settings" +- variable: ingressGateway.nodePortRequired + required: true + type: boolean + default: true + label: ingressGateway nodePortRequired + description: "Set this argument if servicetype to be NodePort of Citrix ADC CPX, else it will be loadbalancer type" + group: "ingressGateway Settings" +- variable: ingressGateway.lightWeightCPX + required: false + 
type: int + default: 1 + show_if: "citrixCPX=true" + label: ingressGateway lightWeightCPX + description: "Set this argument if lighter version of Citrix ADC CPX used" + group: "ingressGateway Settings" +- variable: ingressGateway.label + required: true + type: string + default: "citrix-ingressgateway" + label: ingressGateway label + description: "Custom label for the Ingress Gateway service" + group: "ingressGateway Settings" +- variable: ingressGateway.vserverIP + required: true + type: string + default: "nsip" + show_if: "citrixCPX=false" + label: ingressGateway vserverIP + description: "Virtual server IP address on Citrix ADC" + group: "ingressGateway Settings" +- variable: ingressGateway.adcServerName + required: false + type: string + default: + label: ingressGateway adcServerName + description: "Citrix ADC ServerName used in the Citrix ADC certificate" + group: "ingressGateway Settings" +- variable: ingressGateway.netProfile + required: false + type: string + default: + label: ingressGateway netProfile + description: "Network profile name used to configure Citrix ADC VPX or MPX which is deployed as Ingress Gateway" + show_if: "citrixCPX=false" + group: "ingressGateway Settings" +- variable: ingressGateway.multiClusterIngress + required: false + type: boolean + default: false + label: ingressGateway multiClusterIngress + description: "Flag indicating if Citrix ADC is acting as Ingress gateway to multi cluster Istio mesh installation" + group: "ingressGateway Settings" +- variable: ingressGateway.multiClusterListenerPort + required: true + type: int + default: 15443 + label: ingressGateway multiClusterListenerPort + description: "Port opened on Citrix ADC to enable inter-cluster service to service (E-W) communication" + show_if: "ingressGateway.multiClusterIngress=true" + group: "ingressGateway Settings" +- variable: ingressGateway.multiClusterListenerNodePort + required: true + type: int + default: 15443 + label: ingressGateway multiClusterListenerNodePort + 
description: "Nodeport for multiClusterListenerPort in case of Citrix ADC CPX acting as Ingress gateway" + show_if: "ingressGateway.multiClusterIngress=true" + group: "ingressGateway Settings" +- variable: ingressGateway.multiClusterSvcDomain + required: true + type: string + default: global + label: ingressGateway multiClusterSvcDomain + description: "Domain suffix of remote service (deployed in other cluster) used in E-W communication" + show_if: "ingressGateway.multiClusterIngress=true" + group: "ingressGateway Settings" +- variable: metricExporter.required + required: false + type: boolean + default: true + label: Exporter required + description: "Metrics exporter for Citrix ADC" + group: "metricExporter Settings" +- variable: metricExporter.image + required: true + type: string + default: "quay.io/citrix/citrix-adc-metrics-exporter:1.4.8" + label: Exporter Image + description: "Exporter Image to be used with version" + show_if: "metricExporter.required=true" + group: "metricExporter Settings" +- variable: metricExporter.port + required: true + type: int + default: 8888 + label: metricExporter Port + show_if: "metricExporter.required=true" + group: "metricExporter Settings" +- variable: metricExporter.logLevel + required: true + type: enum + default: ERROR + label: metricExporter logLevel + show_if: "metricExporter.required=true" + group: "metricExporter Settings" + options: + - "DEBUG" + - "INFO" + - "WARNING" + - "ERROR" + - "TRACE" +- variable: metricExporter.imagePullPolicy + required: true + type: enum + default: IfNotPresent + label: metricExporter imagePullPolicy + description: "Exporter Image pull policy" + show_if: "metricExporter.required=true" + group: "metricExporter Settings" + options: + - "Always" + - "IfNotPresent" + - "Never" +- variable: certProvider.caAddr + required: true + type: string + default: "istiod.istio-system.svc" + label: certProvider caAddr + description: "Certificate Authority (CA) address issuing certificate to application" + 
group: "certProvider Settings" +- variable: certProvider.caPort + required: true + type: int + default: 15012 + label: certProvider caPort + description: "Certificate Authority (CA) port issuing certificate to application" + group: "certProvider Settings" +- variable: certProvider.trustDomain + required: true + type: string + default: "cluster.local" + label: certProvider trustDomain + description: "SPIFFE Trust Domain" + group: "certProvider Settings" +- variable: certProvider.certTTLinHours + required: true + type: int + default: 720 + label: certProvider certTTLinHours + description: "Validity of certificate generated by xds-adaptor and signed by Istiod (Istio Citadel) in hours." + group: "certProvider Settings" +- variable: certProvider.clusterId + required: true + type: string + default: "Kubernetes" + label: certProvider clusterId + description: "clusterId is the ID of the cluster where Istiod CA instance resides (default Kubernetes). It can be different value on some cloud platforms or in m +ulticluster environments. For example, in Anthos servicemesh, it might be of the format of `cn--`. 
In multiCluster environments, it is the val +ue of global.multiCluster.clusterName provided during servicemesh control plane installation" + group: "certProvider Settings" +- variable: certProvider.jwtPolicy + required: true + type: enum + default: "first-party-jwt" + label: certProvider jwtPolicy + description: "Kubernetes platform supports First party tokens and Third party tokens" + options: + - "first-party-jwt" + - "third-party-jwt" + group: "certProvider Settings" +- variable: ADMSettings.ADMIP + required: false + type: string + default: + label: ADMSettings ADMIP + description: "Citrix Application Delivery Management (ADM) IP address" + group: "ADMSettings Settings" +- variable: ADMSettings.licenseServerIP + required: false + type: string + default: + label: ADMSettings licenseServerIP + description: "Citrix License Server IP address" + group: "ADMSettings Settings" +- variable: ADMSettings.licenseServerPort + required: false + type: int + default: 27000 + label: ADMSettings licenseServerPort + description: "Citrix ADM port if a non-default port is used" + group: "ADMSettings Settings" +- variable: ADMSettings.bandWidthLicense + required: false + type: boolean + default: false + label: ADMSettings bandWidthLicense + description: "To specify bandwidth based licensing" + group: "ADMSettings Settings" +- variable: ADMSettings.bandWidth + required: false + type: string + default: + label: ADMSettings bandWidth + description: "Desired bandwidth capacity to be set for Citrix ADC CPX in Mbps" + group: "ADMSettings Settings" +- variable: ADMSettings.vCPULicense + required: false + type: boolean + default: "false" + label: ADMSettings vCPULicense + description: "To specify vCPULicense based licensing" + group: "ADMSettings Settings" +- variable: ADMSettings.cpxCores + required: false + type: string + default: + label: ADMSettings cpxCores + description: "To specify cpxCores in licensing" + group: "ADMSettings Settings" 
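Review bot: the `secrets.name` question in questions.yml is never read by the templates: citrix-adc-ingressgateway-deployment.yaml and the README both use `secretName` (`name: {{ .Values.secretName }}` for NS_USER/NS_PASSWORD), so renaming the secret through the Rancher form has no effect on the VPX/MPX deployment; rename the variable to `secretName`. `xDSAdaptor.jsonLog` is declared `type: string` with default `"true"`, but the deployment template evaluates `eq .Values.xDSAdaptor.jsonLog true` against a boolean, and Go templates reject a string-to-bool `eq` with an incompatible-types error if the value reaches the chart as a string; make it `type: boolean` (and give `ADMSettings.vCPULicense`, a boolean whose default is the string `"false"`, a real boolean default). `certProvider.jwtPolicy` is `required: true` with default `first-party-jwt`, which bypasses the `jwtValue` helper's version-based detection and pins first-party tokens even on clusters that only issue third-party tokens; leave it optional with an empty default so the helper runs. Smaller mismatches with the README: `metricExporter.logLevel` offers `TRACE` where the README lists `CRITICAL`, and `multiClusterListenerNodePort` defaults to 15443, the same value as `multiClusterListenerPort`, rather than the documented 32443.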
diff --git a/charts/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway/1.11.0/templates/_helpers.tpl b/charts/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway/1.11.0/templates/_helpers.tpl new file mode 100644 index 000000000..be79f4f8c --- /dev/null +++ b/charts/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway/1.11.0/templates/_helpers.tpl 
@@ -0,0 +1,53 @@ +{{- define "exporter_nsip" -}} +{{- $match := .Values.ingressGateway.netscalerUrl | toString | regexFind "//.*[:]*" -}} +{{- $match | trimAll ":" | trimAll "/" -}} +{{- end -}} + +{{/* A common function to generate name of the resource. + * Usage: {{ template "generate-name" (list . (dict "suffixname" "citrix-deployment")) }} + * In above example, arguments are given in the list. + * First one is `.` indicating global chart-level scope. + * Second argument name is `suffixname` and value is `citrix-deployment`. + * If release name is `my-release`, then generate-name function would output "my-release-citrix-deployment". + * The function truncates name to 63 chars due to Kubernetes name length restrictions +*/}} +{{- define "generate-name" -}} +{{- $top := index . 0 -}} +{{- $arg1 := index . 1 "suffixname" -}} +{{- printf "%s-%s" $top.Release.Name $arg1 | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* Another common function to generate name of the resource. + * Usage: {{ template "generate-name" (list . "citrix-deployment") }} + * In above example, arguments are given in the list. + * First one is `.` indicating global chart-level scope. + * Second argument is unnamed and takes value as `citrix-deployment`. + * If release name is `my-release`, then generate-name function would output "my-release-citrix-deployment". + * The function truncates name to 63 chars due to Kubernetes name length restrictions +*/}} +{{- define "generate-name2" -}} +{{- $top := index . 0 -}} +{{- $arg1 := index . 1 -}} +{{- printf "%s-%s" $top.Release.Name $arg1 | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* Below function is used to identify default value of jwtPolicy if not provided. + * For on-prem Kubernetes v1.21+, it is third-party-jwt. Else first-party-jwt. + * Note: Don't just do "helm template" to generate yaml file. Else https://github.com/helm/helm/issues/7991 + * is possible. Use "helm template --validate" or "helm install --dry-run --debug". 
+ * Note2: For cloud environments, semverCompare should be ideally done with "<1.21.x-x" as + * Kubernetes version is generally of the format v1.20.7-eks-xxxxxx. So, it fails the "v1.21.x" check but that's fine + * as in cloud environments third-party-jwt is enabled. +*/}} + +{{- define "jwtValue" -}} +{{- if .Values.certProvider.jwtPolicy -}} +{{- printf .Values.certProvider.jwtPolicy -}} +{{- else -}} +{{- if semverCompare "<1.21.x" .Capabilities.KubeVersion.Version -}} +{{- printf "first-party-jwt" -}} +{{- else -}} +{{- printf "third-party-jwt" -}} +{{- end -}} +{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/charts/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway/1.11.0/templates/citrix-adc-ingressgateway-deployment.yaml b/charts/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway/1.11.0/templates/citrix-adc-ingressgateway-deployment.yaml new file mode 100644 index 000000000..53af158f1 --- /dev/null +++ b/charts/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway/1.11.0/templates/citrix-adc-ingressgateway-deployment.yaml 
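Review bot: `exporter_nsip` in _helpers.tpl does not strip a port from `netscalerUrl`: `regexFind "//.*[:]*"` is greedy and `[:]*` may match nothing, so for a value such as `https://10.1.2.3:443/` it returns `//10.1.2.3:443/` and, after the two `trimAll` calls, `10.1.2.3:443` is passed as `--target-nsip`; and since the README allows a bare IP address, a value without `//` produces an empty target. Something like `regexFind "//[^:/]+"` followed by `trimAll "/"` keeps only the host, and a value with no scheme should be passed through unchanged. In `jwtValue`, `printf .Values.certProvider.jwtPolicy` uses user input as the format string; emit the value directly with `{{- .Values.certProvider.jwtPolicy -}}`. The file also lacks a trailing newline.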
@@ -0,0 +1,509 @@ +{{- if eq .Values.citrixCPX true }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "generate-name" (list . (dict "suffixname" "ingress-deployment")) }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} + deployment: "cpx-ingressgateway" # This label is useful in ServiceGraph +spec: + replicas: 1 + selector: + matchLabels: + app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} + template: + metadata: + labels: + app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} + citrix.com/no.sidecar: "true" + annotations: + scheduler.alpha.kubernetes.io/critical-pod: "" + prometheus.io/port: "{{ .Values.metricExporter.port }}" + prometheus.io/scrape: "true" + spec: + volumes: + - name: citrix-ingressgateway-certs + secret: + optional: true + secretName: "citrix-ingressgateway-certs" # IMPORTANT: This secret MUST BE created before deploying gateway and ingress-gateway + - name: citrix-ingressgateway-ca-certs + secret: + optional: true + secretName: "citrix-ingressgateway-ca-certs" # IMPORTANT: This secret MUST BE created before deploying gateway and ingress-gateway + {{- range .Values.ingressGateway.secretVolumes }} + - name: {{ .name }} + secret: + secretName: {{ .secretName | quote }} + optional: true + {{- end }} + - name: cpx-conf + emptyDir: {} + - name: cpx-crash + emptyDir: {} + - name: cpx-pwd + emptyDir: {} + - name: certs + emptyDir: {} +{{- $jwtpolicy := include "jwtValue" . 
}} +{{- if eq $jwtpolicy "third-party-jwt" }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token +{{- end }} + - name: istiod-ca-cert + configMap: + defaultMode: 0777 + name: istio-ca-root-cert + securityContext: + fsGroup: 32024 + containers: +{{- if eq .Values.metricExporter.required true }} + - name: exporter + image: {{ .Values.metricExporter.image }} + imagePullPolicy: IfNotPresent + args: + - "--target-nsip=127.0.0.1" + - "--port={{ .Values.metricExporter.port }}" + - "--log-level={{ .Values.metricExporter.logLevel }}" + - "--secure=no" + env: + - name: "NS_DEPLOYMENT_MODE" + value: "SIDECAR" + securityContext: + readOnlyRootFilesystem: true + volumeMounts: + - mountPath: /var/deviceinfo + name: cpx-pwd +{{- end }} + - name: istio-adaptor + image: {{ .Values.xDSAdaptor.image }} + imagePullPolicy: {{ .Values.xDSAdaptor.imagePullPolicy }} + args: + - -ads-server +{{- if eq .Values.xDSAdaptor.secureConnect true }} + - {{ .Values.istioPilot.name}}.{{ .Values.istioPilot.namespace }}.svc:{{ .Values.istioPilot.secureGrpcPort }} # istiod.istio-system.svc:15012 +{{- else }} + - {{ .Values.istioPilot.name}}.{{ .Values.istioPilot.namespace }}.svc:{{ .Values.istioPilot.insecureGrpcPort }} # istiod.istio-system.svc:15010 +{{- end }} + - -istio-proxy-type + - {{ .Values.xDSAdaptor.proxyType | default "router" | quote }} +{{- if .Values.istioPilot.SAN }} + - -ads-server-SAN + - {{ .Values.istioPilot.SAN | default "" }} +{{- end }} + - -ads-secure-connect={{ .Values.xDSAdaptor.secureConnect }} + - -citrix-adc + - "http://127.0.0.1" + - -citrix-adc-vip + - "nsip" + - -citrix-adc-password + - "/var/deviceinfo/random_id" +{{- if .Values.ADMSettings.ADMIP }} + - -citrix-adm + - {{ .Values.ADMSettings.ADMIP }} +{{- end }} +{{- if .Values.ADMSettings.licenseServerIP }} + - -citrix-license-server + - {{ .Values.ADMSettings.licenseServerIP }} +{{- end }} +{{- if .Values.coe.coeURL }} + - -coe + - 
{{ .Values.coe.coeURL }} +{{- end }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: APPLICATION_NAME + valueFrom: + fieldRef: + fieldPath: metadata.labels['app'] + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.serviceAccountName +{{- if .Values.certProvider.caAddr }} + - name: CA_ADDR + value: {{ .Values.certProvider.caAddr }}:{{ .Values.certProvider.caPort}} #istiod.istio-system.svc:15012 + - name: TRUST_DOMAIN + value: {{ .Values.certProvider.trustDomain }} #cluster.local + - name: CLUSTER_ID + value: {{ .Values.certProvider.clusterId }} #Kubernetes + - name: CERT_TTL_IN_HOURS + value: {{ .Values.certProvider.certTTLinHours | quote }} + - name: JWT_POLICY + value: {{ include "jwtValue" . | quote }} # If value not provided then third-party-jwt for v>=1.21 otherwise first-party-jwt +{{- end }} +{{- if eq .Values.ingressGateway.multiClusterIngress true }} + - name: MULTICLUSTER_INGRESS + value: "TRUE" + - name: MULTICLUSTER_LISTENER_PORT + value: {{ .Values.ingressGateway.multiClusterListenerPort | quote}} + - name: MULTICLUSTER_SVC_DOMAIN + value: {{ printf "'*.%s'" .Values.ingressGateway.multiClusterSvcDomain }} +{{- end }} +{{- if eq .Values.coe.coeTracing true }} + - name: COE_TRACING + value: "TRUE" +{{- end }} + - name: LOGLEVEL + value: {{ .Values.xDSAdaptor.logLevel | default "DEBUG" | quote }} +{{- if eq .Values.xDSAdaptor.jsonLog true }} + - name: JSONLOG + value: "TRUE" +{{- end }} + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 32024 + runAsUser: 32024 # UID of istio-adaptor container's user + volumeMounts: + - mountPath: /var/deviceinfo + name: cpx-pwd +{{- $jwtpolicy := include "jwtValue" . 
}} +{{- if eq $jwtpolicy "third-party-jwt" }} + - mountPath: /var/run/secrets/tokens + name: istio-token +{{- end }} + - mountPath: /etc/certs + name: certs + - name: istiod-ca-cert + mountPath: /etc/rootcert/ + - mountPath: /etc/istio/ingressgateway-certs # Make sure that Gateway definition has this path mentioned in server.tls section for SIMPLE TLS + name: citrix-ingressgateway-certs + readOnly: true + - mountPath: /etc/istio/ingressgateway-ca-certs # Make sure that Gateway definition has this path mentioned in server.tls section for MUTUAL TLS + name: citrix-ingressgateway-ca-certs + readOnly: true + {{- range .Values.ingressGateway.secretVolumes }} + - name: {{ .name }} + mountPath: {{ .mountPath | quote }} + readOnly: true + {{- end }} + - name: citrix-ingressgateway + image: "{{ .Values.ingressGateway.image }}" + imagePullPolicy: {{ .Values.ingressGateway.imagePullPolicy }} + securityContext: + privileged: true + ports: + - containerPort: 80 + - containerPort: 443 +{{- if .Values.ingressGateway.mgmtHttpPort }} + - containerPort: {{ .Values.ingressGateway.mgmtHttpPort }} +{{- end }} +{{- if .Values.ingressGateway.mgmtHttpsPort }} + - containerPort: {{ .Values.ingressGateway.mgmtHttpsPort }} +{{- end }} +{{- range .Values.ingressGateway.tcpPort }} + - containerPort: {{ .port }} +{{- end }} + volumeMounts: + - mountPath: /cpx/conf/ + name: cpx-conf + - mountPath: /cpx/crash/ + name: cpx-crash + - mountPath: /var/deviceinfo + name: cpx-pwd + env: + - name: "EULA" + value: "{{ .Values.ingressGateway.EULA }}" +{{- if .Values.metricExporter.required }} + - name: "METRICS_EXPORTER_PORT" + value: "{{ .Values.metricExporter.port }}" +{{- end }} + - name: "MGMT_HTTP_PORT" + value: "{{ .Values.ingressGateway.mgmtHttpPort }}" + - name: "MGMT_HTTPS_PORT" + value: "{{ .Values.ingressGateway.mgmtHttpsPort }}" + - name: "NS_CPX_LITE" + value: "{{ .Values.ingressGateway.lightWeightCPX }}" +{{- if or .Values.coe.coeURL .Values.ADMSettings.ADMIP }} + - name: 
"NS_ENABLE_NEWNSLOG" + value: "1" +{{- end }} + - name: "KUBERNETES_TASK_ID" + value: "" + - name: "LS_IP" + value: {{ .Values.ADMSettings.licenseServerIP | default "" }} + - name: "LS_PORT" + value: "{{ .Values.ADMSettings.licenseServerPort}}" +{{- if .Values.ADMSettings.ADMIP }} + - name: "NS_MGMT_SERVER" + value: {{ .Values.ADMSettings.ADMIP }} + - name: "NS_HTTP_PORT" + value: {{ .Values.ingressGateway.mgmtHttpPort | quote }} + - name: "NS_HTTPS_PORT" + value: {{ .Values.ingressGateway.mgmtHttpsPort | quote }} +{{- end }} + - name: "LOGSTREAM_COLLECTOR_IP" + value: {{ .Values.ADMSettings.ADMIP | default ""}} +#To povision bandwidth based licensing to Citrix ADC CPX from ADM, needs bandwidth +{{- if and ( .Values.ADMSettings.licenseServerIP ) (eq .Values.ADMSettings.bandWidthLicense true) }} + - name: "BANDWIDTH" + value: {{ required "Mention bandwidth for bandwidth based licensing" .Values.ADMSettings.bandWidth | quote }} +{{- end }} +#for multiple-PE support, need to set CPX_CORES +{{- if .Values.ADMSettings.licenseServerIP }} +{{- if or (eq .Values.ADMSettings.vCPULicense true) (eq .Values.ADMSettings.bandWidthLicense true) }} + - name: "CPX_CORES" + value: {{ .Values.ADMSettings.cpxCores | default 1 | quote }} +{{- end }} +{{- end }} +{{- if or (.Values.ADMSettings.ADMIP) (.Values.ADMSettings.licenseServerIP) }} + - name: NS_MGMT_USER + valueFrom: + secretKeyRef: + name: admlogin + key: username + - name: NS_MGMT_PASS + valueFrom: + secretKeyRef: + name: admlogin + key: password +{{- end }} +--- +{{ else }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "generate-name" (list . 
(dict "suffixname" "ingress-deployment")) }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} +spec: + replicas: 1 + selector: + matchLabels: + app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} + template: + metadata: + labels: + app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} + citrix.com/no.sidecar: "true" + annotations: + scheduler.alpha.kubernetes.io/critical-pod: "" + prometheus.io/port: "{{ .Values.metricExporter.port }}" + prometheus.io/scrape: "true" + spec: + containers: +{{- if eq .Values.metricExporter.required true }} + - name: exporter + image: {{ .Values.metricExporter.image }} + imagePullPolicy: {{ .Values.metricExporter.imagePullPolicy }} + args: + - "--target-nsip={{- include "exporter_nsip" . -}}" + - "--port={{ .Values.metricExporter.port }}" + - "--secure={{ .Values.metricExporter.secure | lower}}" + - "--log-level={{ .Values.metricExporter.logLevel }}" + securityContext: + readOnlyRootFilesystem: true + volumeMounts: + - name: nslogin + mountPath: "/mnt/nslogin" + readOnly: true +{{- end }} + - name: istio-adaptor + image: {{ .Values.xDSAdaptor.image }} + imagePullPolicy: {{ .Values.xDSAdaptor.imagePullPolicy }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: APPLICATION_NAME + valueFrom: + fieldRef: + fieldPath: metadata.labels['app'] + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.serviceAccountName +{{- if .Values.certProvider.caAddr }} + - name: CA_ADDR + value: {{ .Values.certProvider.caAddr }}:{{ .Values.certProvider.caPort}} #istiod.istio-system.svc:15012 + - name: TRUST_DOMAIN + value: {{ 
.Values.certProvider.trustDomain }} #cluster.local + - name: CLUSTER_ID + value: {{ .Values.certProvider.clusterId }} #Kubernetes + - name: CERT_TTL_IN_HOURS + value: {{ .Values.certProvider.certTTLinHours | quote }} + - name: JWT_POLICY + value: {{ include "jwtValue" . | quote }} # third-party-jwt if Kubernetes cluster supports third-party tokens +{{- end }} +{{- if eq .Values.ingressGateway.multiClusterIngress true }} + - name: MULTICLUSTER_INGRESS + value: "TRUE" + - name: MULTICLUSTER_LISTENER_PORT + value: {{ .Values.ingressGateway.multiClusterListenerPort | quote}} + - name: MULTICLUSTER_SVC_DOMAIN + value: {{ printf "'*.%s'" .Values.ingressGateway.multiClusterSvcDomain }} +{{- end }} +{{- if eq .Values.coe.coeTracing true }} + - name: COE_TRACING + value: "TRUE" +{{- end }} + - name: LOGLEVEL + value: {{ .Values.xDSAdaptor.logLevel | default "DEBUG" | quote }} +{{- if eq .Values.xDSAdaptor.jsonLog true }} + - name: JSONLOG + value: "TRUE" +{{- end }} + - name: NS_USER + valueFrom: + secretKeyRef: + name: {{ .Values.secretName }} + key: username + - name: NS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.secretName }} + key: password + args: + - -ads-server +{{- if eq .Values.xDSAdaptor.secureConnect true }} + - {{ .Values.istioPilot.name}}.{{ .Values.istioPilot.namespace }}.svc:{{ .Values.istioPilot.secureGrpcPort }} # istiod.istio-system.svc:15012 +{{- else }} + - {{ .Values.istioPilot.name}}.{{ .Values.istioPilot.namespace }}.svc:{{ .Values.istioPilot.insecureGrpcPort }} # istiod.istio-system.svc:15010 +{{- end }} + - -istio-proxy-type + - {{ .Values.xDSAdaptor.proxyType | default "router" | quote }} +{{- if .Values.istioPilot.SAN }} + - -ads-server-SAN + - {{ .Values.istioPilot.SAN | default "" }} +{{- end }} + - -ads-secure-connect={{ .Values.xDSAdaptor.secureConnect }} + - -citrix-adc + - {{ required "Mention Citrix ADC IP/URL in https://[:port] format" .Values.ingressGateway.netscalerUrl }} + - -citrix-adc-vip + - {{ required "Mention Vserver 
IP to be configured on Citrix ADC" .Values.ingressGateway.vserverIP }} + - -citrix-adc-user + - "/etc/nslogin/username" + - -citrix-adc-password + - "/etc/nslogin/password" + # If using VPX/MPX as Ingress gateway, then specify the network profile name + # which was provided to Citrix Node Controller (CNC) +{{- if .Values.ingressGateway.netProfile }} + - -citrix-adc-net-profile + - {{ .Values.ingressGateway.netProfile }} +{{- end }} + - -citrix-adm + - "" +{{- if .Values.coe.coeURL }} + - -coe + - {{ .Values.coe.coeURL }} +{{- end }} +{{- if .Values.ingressGateway.adcServerName }} + - -citrix-adc-server-name + - {{ .Values.ingressGateway.adcServerName }} + - -citrix-adc-server-ca + - "/etc/nitro/root-cert.pem" +{{- end }} + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 32024 + runAsUser: 32024 # UID of istio-adaptor container's user + volumeMounts: + - mountPath: /etc/certs + name: certs + - name: istiod-ca-cert + mountPath: /etc/rootcert/ +{{- $jwtpolicy := include "jwtValue" . 
}} +{{- if eq $jwtpolicy "third-party-jwt" }} + - mountPath: /var/run/secrets/tokens + name: istio-token +{{- end }} + - mountPath: /etc/nslogin + name: nslogin + readOnly: true + - mountPath: /etc/istio/ingressgateway-certs # Make sure that Gateway definition has this path mentioned in server.tls section for SIMPLE TLS + name: citrix-ingressgateway-certs + readOnly: true + - mountPath: /etc/istio/ingressgateway-ca-certs # Make sure that Gateway definition has this path mentioned in server.tls section for MUTUAL TLS + name: citrix-ingressgateway-ca-certs + readOnly: true + {{- range .Values.ingressGateway.secretVolumes }} + - name: {{ .name }} + mountPath: {{ .mountPath | quote }} + readOnly: true + {{- end }} +{{- if .Values.ingressGateway.adcServerName }} + - mountPath: /etc/nitro/ + name: citrix-adc-cert + readOnly: true +{{- end }} + securityContext: + fsGroup: 32024 + volumes: + - name: nslogin + secret: + optional: true + secretName: {{ .Values.secretName }} + - name: certs + emptyDir: {} + - name: istiod-ca-cert + configMap: + defaultMode: 0777 + name: istio-ca-root-cert + - name: citrix-ingressgateway-certs + secret: + optional: true + secretName: "citrix-ingressgateway-certs" # IMPORTANT: This secret MUST BE created before deploying gateway and ingress-gateway + - name: citrix-ingressgateway-ca-certs + secret: + optional: true + secretName: "citrix-ingressgateway-ca-certs" # IMPORTANT: This secret MUST BE created before deploying gateway and ingress-gateway + {{- range .Values.ingressGateway.secretVolumes }} + - name: {{ .name }} + secret: + secretName: {{ .secretName | quote }} + optional: true + {{- end }} +{{- if .Values.ingressGateway.adcServerName }} + - name: citrix-adc-cert + secret: + optional: true + secretName: "citrix-adc-cert" # IMPORTANT: This secret MUST BE created before deploying gateway and ingress-gateway +{{- end }} +{{- $jwtpolicy := include "jwtValue" . 
}} +{{- if eq $jwtpolicy "third-party-jwt" }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token +{{- end }} +--- +{{- end}} diff --git a/charts/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway/1.11.0/templates/citrix-multicluster-gateway.yaml b/charts/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway/1.11.0/templates/citrix-multicluster-gateway.yaml new file mode 100644 index 000000000..7469cd246 --- /dev/null +++ b/charts/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway/1.11.0/templates/citrix-multicluster-gateway.yaml @@ -0,0 +1,40 @@ +{{- if eq .Values.ingressGateway.multiClusterIngress true }} +apiVersion: networking.istio.io/v1beta1 +kind: Gateway +metadata: + annotations: + labels: + app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} +{{- if eq .Values.citrixCPX true }} + deployment: "cpx-ingressgateway" # This label is useful in ServiceGraph +{{- end }} + name: citrix-multicluster-ingressgateway + namespace: {{ .Release.Namespace }} +spec: + selector: + app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} + servers: + - hosts: + - {{ printf "'*.%s'" .Values.ingressGateway.multiClusterSvcDomain }} + port: + name: tls + number: {{ .Values.ingressGateway.multiClusterListenerPort }} + protocol: TLS + tls: + mode: AUTO_PASSTHROUGH +--- +apiVersion: networking.istio.io/v1beta1 +kind: DestinationRule +metadata: + annotations: + labels: + app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} + name: citrix-multicluster-ingressgateway + namespace: {{ .Release.Namespace }} +spec: + host: {{ printf "'*.%s'" .Values.ingressGateway.multiClusterSvcDomain }} + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +--- +{{- end }} \ No newline at end of file 
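Review bot: in the ingress-gateway deployment template, the CPX container (`citrix-ingressgateway`) runs with `securityContext: privileged: true`; please document why full privilege is needed or, if the CPX image supports it, replace it with the specific Linux capabilities the container requires, because a privileged container is at odds with the hardening the same template applies to the exporter and istio-adaptor containers (`readOnlyRootFilesystem: true`, `runAsUser: 32024`) and will be rejected by any PodSecurity `baseline` or `restricted` policy. Two smaller points in the same template: the `istiod-ca-cert` configMap volume uses `defaultMode: 0777`, far more than a read-only trust-root PEM needs (0444 suffices), and the `scheduler.alpha.kubernetes.io/critical-pod: ""` annotation has been removed from Kubernetes, so it has no effect and should be replaced with `priorityClassName`. Finally, the `admlogin` secret read by `NS_MGMT_USER`/`NS_MGMT_PASS` is a hard-coded name with no values key to override it, unlike the nslogin secret that comes from `.Values.secretName`; either add a value for it or state in the chart that it must be pre-created.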
diff --git a/charts/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway/1.11.0/templates/ingressgateway-service.yaml b/charts/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway/1.11.0/templates/ingressgateway-service.yaml new file mode 100644 index 000000000..38ad4f7bd --- /dev/null +++ b/charts/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway/1.11.0/templates/ingressgateway-service.yaml 
@@ -0,0 +1,76 @@ +{{- if eq .Values.citrixCPX true }} +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ template "generate-name" (list . (dict "suffixname" "citrix-ingress-hpa")) }} + namespace: {{ .Release.Namespace }} +spec: + maxReplicas: 1 + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ template "generate-name" (list . (dict "suffixname" "ingress-deployment")) }} + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: 60 +--- +{{- end }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "generate-name" (list . (dict "suffixname" "citrix-ingress-svc")) }} + namespace: {{ .Release.Namespace }} + annotations: + labels: + app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} +{{- if eq .Values.citrixCPX true }} + deployment: "cpx-ingressgateway" # This label is useful in ServiceGraph +{{- end }} +spec: +{{- if eq .Values.citrixCPX true }} +{{- if eq .Values.ingressGateway.nodePortRequired true }} + type: NodePort +{{- else }} + type: LoadBalancer +{{- end }} +{{- end }} + selector: + app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} + ports: + - + name: http2 +{{- if eq .Values.citrixCPX true }} + nodePort: {{ .Values.ingressGateway.httpNodePort }} +{{- end }} + port: 80 + targetPort: 80 + - + name: https +{{- if eq .Values.citrixCPX true }} + nodePort: {{ .Values.ingressGateway.httpsNodePort }} +{{- end }} + port: 443 + targetPort: 443 +{{- if eq .Values.ingressGateway.multiClusterIngress true }} + - + name: multicluster +{{- if eq .Values.citrixCPX true }} + nodePort: {{ .Values.ingressGateway.multiClusterListenerNodePort }} +{{- end }} + port: {{ .Values.ingressGateway.multiClusterListenerPort }} + targetPort: {{ .Values.ingressGateway.multiClusterListenerPort }} +{{- end }} +{{- $isCPX := .Values.citrixCPX }} +{{- range .Values.ingressGateway.tcpPort }} + - + name: {{ .name }} +{{- if eq $isCPX true }} + 
nodePort: {{ .nodePort }} +{{- end }} + port: {{ .port }} + targetPort: {{ .targetPort }} +{{- end }} +--- diff --git a/charts/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway/1.11.0/templates/metrics-exporter-service.yaml b/charts/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway/1.11.0/templates/metrics-exporter-service.yaml new file mode 100644 index 000000000..b63096938 --- /dev/null +++ b/charts/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway/1.11.0/templates/metrics-exporter-service.yaml @@ -0,0 +1,17 @@ +{{- if eq .Values.metricExporter.required true }} +kind: Service +apiVersion: v1 +metadata: + name: {{ template "generate-name" (list . (dict "suffixname" "citrix-exporter-svc")) }} + annotations: + labels: + service-type: citrix-adc-monitor +spec: + selector: + app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} + ports: + - name: exporter-port + port: {{ .Values.metricExporter.port }} + targetPort: {{ .Values.metricExporter.port }} +--- +{{- end }} diff --git a/charts/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway/1.11.0/values.yaml b/charts/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway/1.11.0/values.yaml new file mode 100644 index 000000000..d89962e70 --- /dev/null +++ b/charts/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway/1.11.0/values.yaml 
@@ -0,0 +1,74 @@ +# Default values for citrix-adc-istio-ingress-gateway +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +citrixCPX: false + +coe: + coeURL: + coeTracing: false + +metricExporter: + required: true + image: quay.io/citrix/citrix-adc-metrics-exporter:1.4.8 + port: 8888 + secure: "YES" + logLevel: ERROR + imagePullPolicy: IfNotPresent + +xDSAdaptor: + image: quay.io/citrix/citrix-xds-adaptor:0.9.9 + imagePullPolicy: IfNotPresent + proxyType: router + secureConnect: true + logLevel: DEBUG + jsonLog: false + +istioPilot: + name: istiod + namespace: istio-system + secureGrpcPort: 15012 + insecureGrpcPort: 15010 + SAN: + +certProvider: + caAddr: istiod.istio-system.svc + caPort: 15012 + trustDomain: cluster.local + certTTLinHours: 720 + clusterId: Kubernetes + jwtPolicy: #specify third-party-jwt if Kubernetes cluster supports third-party tokens. Default from K8s v1.21 + +ingressGateway: + netscalerUrl: null + image: quay.io/citrix/citrix-k8s-cpx-ingress:13.0-79.64 + imagePullPolicy: IfNotPresent + EULA: NO + mgmtHttpPort: 10080 + mgmtHttpsPort: 10443 + httpNodePort: 30180 + httpsNodePort: 31443 + nodePortRequired: true + lightWeightCPX: 1 + secretVolumes: + #licenseServerIP: this value will be taken from ADMSettings.ADMIP + label: citrix-ingressgateway + tcpPort: + vserverIP: nsip + adcServerName: + netProfile: + multiClusterIngress: false + multiClusterListenerPort: 15443 + multiClusterListenerNodePort: 32443 + multiClusterSvcDomain: global + +ADMSettings: + ADMIP: + licenseServerIP: + licenseServerPort: 27000 + bandWidthLicense: false + bandWidth: + vCPULicense: false + cpxCores: + +secretName: nslogin
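Review bot: in `templates/ingressgateway-service.yaml`, the HorizontalPodAutoscaler uses `apiVersion: autoscaling/v2beta1`, which has been removed from Kubernetes (as of 1.25); move it to `autoscaling/v2`, where `targetAverageUtilization: 60` becomes `target: {type: Utilization, averageUtilization: 60}`. With `minReplicas: 1` and `maxReplicas: 1` the object also never scales anything, so either expose the bounds through values or drop the HPA until they are configurable.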
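Review bot: in `values.yaml`, `EULA: NO` is an unquoted YAML 1.1 boolean, so Helm's parser loads it as `false` and the container's `EULA` env var renders as "false" rather than "NO"; quote it (`EULA: "NO"`) as is already done for `metricExporter.secure: "YES"`, so the rendered value matches the documented one. It would also help to state in the file's comments which secrets must exist before install (`nslogin`, `citrix-ingressgateway-certs`, `citrix-ingressgateway-ca-certs`, `citrix-adc-cert`, `admlogin`), since the templates mark most of the corresponding volumes `optional: true` and a missing secret then surfaces only as a runtime authentication or TLS failure rather than a clear scheduling error.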