andata
/
rancher-partner-charts
mirror of https://git.rancher.io/partner-charts
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add charts dir

pull/217/head
root 2021-10-21 22:42:48 -06:00
parent c23b35710e
commit 5e01fd8b9f
11 changed files with 1735 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
charts/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway/1.11.0/.helmignore Normal file
View File

@ -0,0 +1,22 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

22
charts/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway/1.11.0/Chart.yaml Normal file
View File

@ -0,0 +1,22 @@
annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Citrix Adc Istio Ingress Gateway
catalog.cattle.io/release-name: citrix-adc-istio-ingress-gateway
apiVersion: v2
appVersion: 1.11.0
description: A Helm chart for Citrix ADC as Ingress Gateway installation in Istio
Service Mesh on Kubernetes platform
home: https://www.citrix.com
icon: https://raw.githubusercontent.com/citrix/citrix-xds-adaptor/master/docs/media/Citrix_Logo_Trademark.png
kubeVersion: '>=v1.16.0-0'
maintainers:
- email: dhiraj.gedam@citrix.com
name: dheerajng
- email: subash.dangol@citrix.com
name: subashd
- email: ajeeta.shaket@citrix.com
name: ajeetas
name: citrix-adc-istio-ingress-gateway
sources:
- https://github.com/citrix/citrix-xds-adaptor
version: 1.11.0

479
charts/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway/1.11.0/README.md Normal file
View File

@ -0,0 +1,479 @@
# Deploy Citrix ADC as an Ingress Gateway in Istio environment using Helm charts
Citrix Application Delivery Controller (ADC) can be deployed as an Istio Ingress Gateway to control the ingress traffic to Istio service mesh.
# Table of Contents
1. [TL; DR;](#tldr)
2. [Introduction](#introduction)
3. [Deploy Citrix ADC VPX or MPX as an Ingress Gateway](#deploy-citrix-adc-vpx-or-mpx-as-an-ingress-gateway)
4. [Deploy Citrix ADC CPX as an Ingress Gateway](#deploy-citrix-adc-cpx-as-an-ingress-gateway)
5. [Using Existing Certificates to deploy Citrix ADC as an Ingress Gateway](#using-existing-certificates-to-deploy-citrix-adc-as-an-ingress-gateway)
6. [Deploy Citrix ADC as an Ingress Gateway in multi cluster Istio Service mesh](#deploy-citrix-adc-as-a-multicluster-ingress-gateway)
7. [Segregating traffic with multiple Ingress Gateways](#segregating-traffic-with-multiple-ingress-gateways)
8. [Visualizing statistics of Citrix ADC Ingress Gateway with Metrics Exporter](#visualizing-statistics-of-citrix-adc-ingress-gateway-with-metrics-exporter)
9. [Exposing services running on non-HTTP ports](#exposing-services-running-on-non-http-ports)
10. [Generate Certificate for Ingress Gateway](#generate-certificate-for-ingress-gateway)
11. [Configure Third Party Service Account Tokens](#using-third-party-service-account-tokens)
12. [Citrix ADC CPX License Provisioning](#citrix-adc-cpx-license-provisioning)
13. [Service Graph configuration](#configuration-for-servicegraph)
14. [Citrix ADC as Ingress Gateway: a sample deployment](#citrix-adc-as-ingress-gateway-a-sample-deployment)
15. [Uninstalling the Helm chart](#uninstalling-the-helm-chart)
16. [Citrix ADC VPX/MPX Certificate Verification](#citrix-adc-vpx-or-mpx-certificate-verification)
17. [Configuration Parameters](#configuration-parameters)
## <a name="tldr">TL; DR;</a>
### To deploy Citrix ADC VPX or MPX as an Ingress Gateway:
kubectl create secret generic nslogin --from-literal=username=<citrix-adc-user> --from-literal=password=<citrix-adc-password> -n citrix-system
helm repo add citrix https://citrix.github.io/citrix-helm-charts/
helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES --set ingressGateway.netscalerUrl=https://<nsip>[:port] --set ingressGateway.vserverIP=<IPv4 Address> --set secretName=nslogin
### To deploy Citrix ADC CPX as an Ingress Gateway:
helm repo add citrix https://citrix.github.io/citrix-helm-charts/
helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES --set citrixCPX=true
## <a name="introduction">Introduction</a>
This chart deploys Citrix ADC VPX, MPX, or CPX as an Ingress Gateway in the Istio service mesh using the Helm package manager. For detailed information on different deployment options, see [Deployment Architecture](https://github.com/citrix/citrix-istio-adaptor/blob/master/docs/istio-integration/architecture.md).
### Compatibility Matrix between Citrix xDS-adaptor and Istio version
Below table provides info about recommended Citrix xDS-Adaptor version to be used for various Istio versions.
| Citrix xDS-Adaptor version | Istio version |
|----------------------------|---------------|
| quay.io/citrix/citrix-xds-adaptor:0.9.9 | Istio v1.10+ |
| quay.io/citrix/citrix-xds-adaptor:0.9.8 | Istio v1.8 to Istio v1.9 |
| quay.io/citrix/citrix-xds-adaptor:0.9.5 | Istio v1.6 |
### Prerequisites
The following prerequisites are required for deploying Citrix ADC as an Ingress Gateway in Istio service mesh:
- Ensure that **Istio version 1.8 onwards** is installed
- Ensure that Helm with version 3.x is installed. Follow this [step](https://github.com/citrix/citrix-helm-charts/blob/master/Helm_Installation_version_3.md) to install the same.
- Ensure that your cluster Kubernetes version should be above 1.16 and the `admissionregistration.k8s.io/v1`, `admissionregistration.k8s.io/v1beta1` API is enabled
You can verify the API by using the following command:
kubectl api-versions | grep admissionregistration.k8s.io/v1
The following output indicates that the API is enabled:
admissionregistration.k8s.io/v1
admissionregistration.k8s.io/v1beta1
- **For deploying Citrix ADC VPX or MPX as an Ingress gateway:**
Create a Kubernetes secret for the Citrix ADC user name and password using the following command:
kubectl create secret generic nslogin --from-literal=username=<citrix-adc-user> --from-literal=password=<citrix-adc-password> -n citrix-system
- **Create system user account for xDS-adaptor in Citrix ADC:**
The Citrix ADC appliance needs to have system user account (non-default) with certain privileges so that `xDS-adaptor` can configure the Citrix ADC VPX or MPX appliance. Follow the instructions to create the system user account on Citrix ADC.
Create a Kubernetes secret for the user name and password using the following command:
```
kubectl create secret generic nslogin --from-literal=username='cxa' --from-literal=password='mypassword'
```
The `xDS-adaptor` configures the Citrix ADC using a system user account of the Citrix ADC. The system user account should have certain privileges so that the xDS-adaptor has permissions configure the following on the Citrix ADC:
- Add, Delete, or View Content Switching (CS) virtual server
- Configure CS policies and actions
- Configure Load Balancing (LB) virtual server
- Configure Service groups
- Cofigure SSl certkeys
- Configure routes
- Configure user monitors
- Add system file (for uploading SSL certkeys from Kubernetes)
- Configure Virtual IP address (VIP)
- Check the status of the Citrix ADC appliance
- Add, Delete or view authentication virtual server, policy, authaction
- Add, Delete or view Policy
- Add, Delete or view Responder policy, action, param
- Add, Delete or view Rewrite policy, action, param
- Add, Delete or view analytics profile
- Add, Delete or view DNS name server
- Add, Delete or view network netprofile
- Add, Delete or view Traffic Management Commands(sessionaction, session policy, sessionparameter)
> **Note:**
>
> The system user account would have privileges based on the command policy that you define.
To create the system user account, do the following:
1. Log on to the Citrix ADC appliance. Perform the following:
1. Use an SSH client, such as PuTTy, to open an SSH connection to the Citrix ADC appliance.
2. Log on to the appliance by using the administrator credentials.
2. Create the system user account using the following command:
```
add system user <username> <password>
```
For example:
```
add system user cxa mypassword
```
3. Create a policy to provide required permissions to the system user account. Use the following command:
```
add cmdpolicy cxa-policy ALLOW "((^\S+\s+cs\s+\S+)|(^\S+\s+lb\s+\S+)|(^\S+\s+service\s+\S+)|(^\S+\s+servicegroup\s+\S+)|(^stat\s+system)|(^show\s+ha)|(^\S+\s+ssl\s+certKey)|(^\S+\s+ssl)|(^\S+\s+route)|(^\S+\s+monitor)|(^show\s+ns\s+ip)|(^\S+\s+system\s+file)|)|(^\S+\s+aaa\s+\S+)|(^\S+\s+aaa\s+\S+\s+.*)|(^\S+\s+authentication\s+\S+)|(^\S+\s+authentication\s+\S+\s+.*)|(^\S+\s+policy\s+\S+)|(^\S+\s+policy\s+\S+\s+.*)|(^\S+\s+rewrite\s+\S+)|(^\S+\s+rewrite\s+\S+\s+.*)|(^\S+\s+analytics\s+\S+)|(^\S+\s+analytics\s+\S+\s+.*)|(^\S+\s+dns\s+\S+)|(^\S+\s+dns\s+\S+\s+.*)|(^\S+\s+netProfile)|(^\S+\s+netProfile\s+.*)|(^\S+\s+tm\s+\S+)|(^\S+\s+tm\s+\S+\s+.*)"
```
4. Bind the policy to the system user account using the following command:
```
bind system user cxa cxa-policy 0
```
- **Registration of Citrix ADC CPX in ADM**
Create a secret for ADM username and password
kubectl create secret generic admlogin --from-literal=username=<adm-username> --from-literal=password=<adm-password> -n citrix-system
- **Important Note:** For deploying Citrix ADC VPX or MPX as ingress gateway, you should establish the connectivity between Citrix ADC VPX or MPX and cluster nodes. This connectivity can be established by configuring routes on Citrix ADC as mentioned [here](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/staticrouting.md) or by deploying [Citrix Node Controller](https://github.com/citrix/citrix-k8s-node-controller).
## <a name="deploy-citrix-adc-vpx-or-mpx-as-an-ingress-gateway">Deploy Citrix ADC VPX or MPX as an Ingress Gateway</a>
To deploy Citrix ADC VPX or MPX as an Ingress Gateway in the Istio service mesh, do the following step. In this example, release name is specified as `citrix-adc-istio-ingress-gateway` and namespace as `citrix-system`.
kubectl create secret generic nslogin --from-literal=username=<citrix-adc-user> --from-literal=password=<citrix-adc-password> -n citrix-system
helm repo add citrix https://citrix.github.io/citrix-helm-charts/
helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,ingressGateway.netscalerUrl=https://<nsip>[:port],ingressGateway.vserverIP=<IPv4 Address> --set secretName=nslogin
## <a name="deploy-citrix-adc-cpx-as-an-ingress-gateway">Deploy Citrix ADC CPX as an Ingress Gateway</a>
To deploy Citrix ADC CPX as an Ingress Gateway, do the following step. In this example, release name is specified as `my-release` and namespace is used as `citrix-system`.
helm repo add citrix https://citrix.github.io/citrix-helm-charts/
helm install my-release citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,citrixCPX=true
## <a name="deploy-citrix-adc-as-a-multicluster-ingress-gateway">Deploy Citrix ADC as an Ingress Gateway in multi cluster Istio Service mesh</a>
To deploy **Citrix ADC VPX/MPX as an Ingress Gateway** in multi cluster Istio Service mesh, carry out below steps.
```
helm repo add citrix https://citrix.github.io/citrix-helm-charts/
helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,ingressGateway.netscalerUrl=https://<nsip>[:port],ingressGateway.vserverIP=<IPv4 Address> --set ingressGateway.multiClusterIngress=true
```
To deploy **Citrix ADC CPX as an Ingress Gateway** in multi cluster Istio Service mesh, carry out below steps.
```
helm repo add citrix https://citrix.github.io/citrix-helm-charts/
helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,citrixCPX=true --set ingressGateway.multiClusterIngress=true
```
By default, port 15443 of the Citrix ADC will be used to handle all the inter-cluster traffic coming to services deployed in local cluster. These services are exposed using `*.global` domain.
To modify the default 15443 port and "global" domain, use _ingressGateway.multiClusterListenerPort_ and _ingressGateway.multiClusterSvcDomain_ options of helm chart.
For example, to use port 25443 and _mydomain_ as the service domain to expose local cluster deployed services to services in remote clusters.
```
helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,ingressGateway.netscalerUrl=https://<nsip>[:port],ingressGateway.vserverIP=<IPv4 Address> --set ingressGateway.multiClusterIngress=true --set ingressGateway.multiClusterListenerPort=25443 --set ingressGateway.multiClusterSvcDomain=mydomain
```
Follow [this](https://github.com/citrix/citrix-helm-charts/tree/master/examples/citrix-adc-ingress-in-multicluster-istio/README.md) as a sample example to deploy Citrix ADC as Ingress gateway in multi-cluster Istio service mesh.
## <a name="using-existing-certificates-to-deploy-citrix-adc-as-an-ingress-gateway">Using Existing Certificates to deploy Citrix ADC as an Ingress Gateway</a>
You may want to use the existing certificate and key for authenticating access to an application using Citrix ADC Ingress Gateway. In that case, you can create a Kubernetes secret from the existing certificate and key. You can mount the Kubernetes secret as data volumes in Citrix ADC Ingress Gateway.
To create a Kubernetes secret using an existing key named `test_key.pem` and a certificate named `test.pem`, use the following command:
kubectl create -n citrix-system secret tls citrix-ingressgateway-certs --key test_key.pem --cert test.pem
Note: Ensure that Kubernetes secret is created in the same namespace where Citrix ADC Ingress Gateway is deployed.
To deploy Citrix ADC VPX or MPX with secret volume, do the following step:
kubectl create secret generic nslogin --from-literal=username=<citrix-adc-user> --from-literal=password=<citrix-adc-password> -n citrix-system
helm repo add citrix https://citrix.github.io/citrix-helm-charts/
helm install my-release citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,secretName=nslogin,ingressGateway.netscalerUrl=https://<nsip>[:port],ingressGateway.vserverIP=<IPv4 Address>,ingressGateway.secretVolumes[0].name=test-ingressgateway-certs,ingressGateway.secretVolumes[0].secretName=test-ingressgateway-certs,ingressGateway.secretVolumes[0].mountPath=/etc/istio/test-ingressgateway-certs
To deploy Citrix ADC CPX with secret volume, do the following step:
helm repo add citrix https://citrix.github.io/citrix-helm-charts/
helm install my-release citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,citrixCPX=true,ingressGateway.secretVolumes[0].name=test-ingressgateway-certs,ingressGateway.secretVolumes[0].secretName=test-ingressgateway-certs,ingressGateway.secretVolumes[0].mountPath=/etc/istio/test-ingressgateway-certs
## <a name="segregating-traffic-with-multiple-ingress-gateways">Segregating traffic with multiple Ingress Gateways</a>
You can deploy multiple Citrix ADC Ingress Gateway devices and segregate traffic to various deployments in the Istio service mesh. This can be achieved with *custom labels*. By default, Citrix ADC Ingress Gateway service comes up with the `app: citrix-ingressgateway` label. This label is used as a selector while deploying the Ingress Gateway or virtual service resources. If you want to deploy Ingress Gateway with the custom label, you can do it using the `ingressGateway.label` option in the Helm chart.
To deploy Citrix ADC CPX Ingress Gateway with the label `my_custom_ingressgateway`, do the following step:
helm repo add citrix https://citrix.github.io/citrix-helm-charts/
helm install my-release citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,citrixCPX=true,ingressGateway.lightWeightCPX=NO,ingressGateway.label=my_custom_ingressgateway
To deploy Citrix ADC VPX or MPX as an Ingress Gateway with the label `my_custom_ingressgateway`, do the following step:
kubectl create secret generic nslogin --from-literal=username=<citrix-adc-user> --from-literal=password=<citrix-adc-password> -n citrix-system
helm repo add citrix https://citrix.github.io/citrix-helm-charts/
helm install my-release citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,secretName=nslogin,ingressGateway.netscalerUrl=https://<nsip>[:port],ingressGateway.vserverIP=<IPv4 Address>,ingressGateway.label=my_custom_ingressgateway
## <a name="visualizing-statistics-of-citrix-adc-ingress-gateway-with-metrics-exporter">Visualizing statistics of Citrix ADC Ingress Gateway with Metrics Exporter</a>
By default, [Citrix ADC Metrics Exporter](https://github.com/citrix/citrix-adc-metrics-exporter) is also deployed along with Citrix ADC Ingress Gateway. Citrix ADC Metrics Exporter fetches statistical data from Citrix ADC and exports it to Prometheus running in Istio service mesh. When you add Prometheus as a data source in Grafana, you can visualize this statistical data in the Grafana dashboard.
Metrics Exporter requires the IP address of Citrix ADC CPX or VPX Ingress Gateway. It is retrieved from the value specified for `ingressGateway.netscalerUrl`.
When Citrix ADC CPX is deployed as Ingress Gateway, Metrics Exporter runs along with Citrix CPX Ingress Gateway in the same pod and specifying IP address is optional.
To deploy Citrix ADC as Ingress Gateway without Metrics Exporter, set the value of `metricExporter.required` as false.
kubectl create secret generic nslogin --from-literal=username=<citrix-adc-user> --from-literal=password=<citrix-adc-password> -n citrix-system
helm repo add citrix https://citrix.github.io/citrix-helm-charts/
helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,secretName=nslogin,ingressGateway.netscalerUrl=https://<nsip>[:port],ingressGateway.vserverIP=<IPv4 Address>,metricExporter.required=false
"Note:" To remotely access telemetry addons such as Prometheus and Grafana, see [Remotely Accessing Telemetry Addons](https://istio.io/docs/tasks/telemetry/gateways/).
## <a name="exposing-services-running-on-non-http-ports">Exposing services running on non-HTTP ports</a>
By default, services running on HTTP ports (80 & 443) are exposed through Citrix ADC Ingress Gateway. Similarly, you can expose services that are deployed on non-HTTP ports through the Citrix ADC Ingress Gateway device.
To deploy Citrix ADC MPX or VPX, and expose a service running on a TCP port, do the following step.
In this example, a service running on TCP port 5000 is exposed using port 10000 on Citrix ADC.
kubectl create secret generic nslogin --from-literal=username=<citrix-adc-user> --from-literal=password=<citrix-adc-password> -n citrix-system
helm repo add citrix https://citrix.github.io/citrix-helm-charts/
helm install my-release citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,secretName=nslogin,ingressGateway.netscalerUrl=https://<nsip>[:port],ingressGateway.vserverIP=<IPv4 Address>,ingressGateway.tcpPort[0].name=tcp1,ingressGateway.tcpPort[0].port=10000,ingressGateway.tcpPort[0].targetPort=5000
To deploy Citrix ADC CPX and expose a service running on a TCP port, do the following step.
In this example, port 10000 on the Citrix ADC CPX instance is exposed using TCP port 30000 (node port configuration) on the host machine.
helm repo add citrix https://citrix.github.io/citrix-helm-charts/
helm install my-release citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,citrixCPX=true,ingressGateway.tcpPort[0].name=tcp1,ingressGateway.tcpPort[0].nodePort=30000,ingressGateway.tcpPort[0].port=10000,ingressGateway.tcpPort[0].targetPort=5000
## <a name="generate-certificate-for-ingress-gateway">Generate Certificate for Ingress Gateway </a>
Citrix Ingress gateway needs TLS certificate-key pair for establishing secure communication channel with backend applications. Earlier these certificates were issued by Istio Citadel and bundled in Kubernetes secret. Certificate was loaded in the application pod by doing volume mount of secret. Now `xDS-Adaptor` can generate its own certificate and get it signed by the Istio Citadel (Istiod). This eliminates the need of secret and associated [risks](https://kubernetes.io/docs/concepts/configuration/secret/#risks).
xDS-Adaptor needs to be provided with details Certificate Authority (CA) for successful signing of Certificate Signing Request (CSR). By default, CA is `istiod.istio-system.svc` which accepts CSRs on port 15012.
To skip this process, don't provide any value (empty string) to `certProvider.caAddr`.
```
helm repo add citrix https://citrix.github.io/citrix-helm-charts/
helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES --set citrixCPX=true --set certProvider.caAddr=""
```
### <a name="using-third-party-service-account-tokens">Configure Third Party Service Account Tokens</a>
In order to generate certificate for application workload, xDS-Adaptor needs to send valid service account token along with Certificate Signing Request (CSR) to the Istio control plane (Citadel CA). Istio control plane authenticates the xDS-Adaptor using this JWT.
Kubernetes supports two forms of these tokens:
* Third party tokens, which have a scoped audience and expiration.
* First party tokens, which have no expiration and are mounted into all pods.
If Kubernetes cluster is installed with third party tokens, then the same information needs to be provided for automatic sidecar injection by passing `--set certProvider.jwtPolicy="third-party-jwt"`. By default, it is `first-party-jwt`.
```
helm repo add citrix https://citrix.github.io/citrix-helm-charts/
helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES --set citrixCPX=true --set certProvider.caAddr="istiod.istio-system.svc" --set certProvider.jwtPolicy="third-party-jwt"
```
To determine if your cluster supports third party tokens, look for the TokenRequest API using below command. If there is no output, then it is `first-party-jwt`. In case of `third-party-jwt`, output will be like below.
```
# kubectl get --raw /api/v1 | jq '.resources[] | select(.name | index("serviceaccounts/token"))'
{
"name": "serviceaccounts/token",
"singularName": "",
"namespaced": true,
"group": "authentication.k8s.io",
"version": "v1",
"kind": "TokenRequest",
"verbs": [
"create"
]
}
```
## <a name="citrix-adc-cpx-license-provisioning">**Citrix ADC CPX License Provisioning**</a>
By default, CPX runs with 20 Mbps bandwidth called as [CPX Express](https://www.citrix.com/en-in/products/citrix-adc/cpx-express.html) however for better performance and production deployment customer needs licensed CPX instances. [Citrix ADM](https://www.citrix.com/en-in/products/citrix-application-delivery-management/) is used to check out licenses for Citrix ADC CPX.
**Bandwidth based licensing**
For provisioning licensing on Citrix ADC CPX, it is mandatory to provide License Server information to CPX. This can be done by setting **ADMSettings.licenseServerIP** as License Server IP. In addition to this, **ADMSettings.bandWidthLicense** needs to be set true and desired bandwidth capacity in Mbps should be set **ADMSettings.bandWidth**.
For example, to set 2Gbps as bandwidth capacity, below command can be used.
helm repo add citrix https://citrix.github.io/citrix-helm-charts/
helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES --set ADMSettings.licenseServerIP=<Licenseserver_IP>,ADMSettings.bandWidthLicense=True --set ADMSettings.bandWidth=2000 --set citrixCPX=true
## <a name="configuration-for-servicegraph">**Service Graph configuration**</a>
Citrix ADM Service graph is an observability tool that allows user to analyse service to service communication. The service graph is generated by ADM post collection of transactional data from registered Citrix ADC instances. More details about it can be found [here](https://docs.citrix.com/en-us/citrix-application-delivery-management-service/application-analytics-and-management/service-graph.html).
Citrix ADC needs to be provided with ADM details for registration and data export. This section lists the steps needed to deploy Citrix ADC and register it with ADM.
**Deploy Citrix ADC CPX as ingress gateway**
1. Create secret using Citrix ADM Agent credentials, which will be used by Citrix ADC as CPX to communicate with Citrix ADM Agent:
kubectl create secret generic admlogin --from-literal=username=<adm-agent-username> --from-literal=password=<adm-agent-password>
2. Deploy Citrix ADC CPX as ingress gateway using helm command with `ADM` details:
helm install citrix-adc-istio-ingress-gateway citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES --set citrixCPX=true --set ADMSettings.ADMIP=<ADM-Agent-IP>
> **Note:**
> If container agent is being used here for Citrix ADM, specify `serviceIP` of container agent in the `ADMSettings.ADMIP` parameter.
**Deploy Citrix ADC VPX/MPX as ingress gateway**
Deploy Citrix ADC VPX/MPX as ingress gateway using helm command and set analytics settings on Citrix ADC VPX/MPX for sending transaction metrics to Citrix ADM
helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES --set ingressGateway.netscalerUrl=https://<nsip>[:port] --set ingressGateway.vserverIP=<IPv4 Address> --set secretName=nslogin
Add the following configurations in Citrix ADC VPX/MPX
en ns mode ulfd
en ns feature appflow
add appflow collector logproxy_lstreamd -IPAddress <ADM-AGENT-IP/POD-IP> -port 5557 -Transport logstream
set appflow param -templateRefresh 3600 -httpUrl ENABLED -httpCookie ENABLED -httpReferer ENABLED -httpMethod ENABLED -httpHost ENABLED -httpUserAgent ENABLED -httpContentType ENABLED -httpAuthorization ENABLED -httpVia ENABLED -httpXForwardedFor ENABLED -httpLocation ENABLED -httpSetCookie ENABLED -httpSetCookie2 ENABLED -httpDomain ENABLED -httpQueryWithUrl ENABLED metrics ENABLED -events ENABLED -auditlogs ENABLED
add appflow action logproxy_lstreamd -collectors logproxy_lstreamd
add appflow policy logproxy_policy true logproxy_lstreamd
bind appflow global logproxy_policy 10 END -type REQ_DEFAULT
bind appflow global logproxy_policy 10 END -type OTHERTCP_REQ_DEFAULT
> **Note:**
> If container agent is being used here for Citrix ADM, specify `PodIP` of container agent in above manual config.
## <a name="citrix-adc-as-ingress-gateway-a-sample-deployment">Citrix ADC as Ingress Gateway: a sample deployment</a>
A sample deployment of Citrix ADC as an Ingress gateway for the Bookinfo application is provided [here](https://github.com/citrix/citrix-helm-charts/tree/master/examples/citrix-adc-in-istio).
## <a name="uninstalling-the-helm-chart">Uninstalling the Helm chart</a>
To uninstall or delete a chart with release name as `my-release`, do the following step.
helm delete my-release
The command removes all the Kubernetes components associated with the chart and deletes the release.
## <a name="citrix-adc-vpx-or-mpx-certificate-verification">Citrix ADC VPX/MPX Certificate Verification</a>
Create a Kubernetes secret holding the CA certificate of Citrix ADC VPX/MPX with the filename `root-cert.pem`.
kubectl create secret generic citrix-adc-cert --from-file=./root-cert.pem
Note: Ensure that Kubernetes secret is created in the same namespace where Citrix ADC Ingress Gateway is deployed.
To deploy Citrix ADC VPX or MPX with Citrix ADC certificate verification, do the following step:
kubectl create secret generic nslogin --from-literal=username=<citrix-adc-user> --from-literal=password=<citrix-adc-password> -n citrix-system
helm repo add citrix https://citrix.github.io/citrix-helm-charts/
helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,secretName=nslogin,ingressGateway.netscalerUrl=https://<nsip>[:port],ingressGateway.vserverIP=<IPv4 Address>,ingressGateway.adcServerName=<ADC Cert Server Name>
## <a name="configuration-parameters">Configuration parameters</a>
The following table lists the configurable parameters in the Helm chart and their default values.
| Parameter | Description | Default | Optional/Mandatory |
|--------------------------------|-------------------------------|---------------------------|---------------------------|
| `citrixCPX` | Citrix ADC CPX | FALSE | Mandatory for Citrix ADC CPX |
| `xDSAdaptor.image` | Image of the Citrix xDS adaptor container (Refer compatibility matrix) |quay.io/citrix/citrix-xds-adaptor:0.9.9 | Mandatory|
| `xDSAdaptor.imagePullPolicy` | Image pull policy for xDS adaptor | IfNotPresent | Optional|
| `xDSAdaptor.secureConnect` | If this value is set to true, xDS-adaptor establishes secure gRPC channel with Istio Pilot | TRUE | Optional|
| `xDSAdaptor.logLevel` | Log level to be set for xDS-adaptor log messages. Possible values: TRACE (most verbose), DEBUG, INFO, WARN, ERROR (least verbose) | DEBUG | Optional|
| `xDSAdaptor.jsonLog` | Set this argument to true if log messages are required in JSON format | false | Optional|
| `coe.coeURL` | Name of [Citrix Observability Exporter](https://github.com/citrix/citrix-observability-exporter) Service in the form of "<servicename>.<namespace>" | null | Optional|
| `coe.coeTracing` | Use COE to send appflow transactions to Zipkin endpoint. If it is set to true, ADM servicegraph (if configured) can be impacted. | false | Optional|
| `ADMSettings.ADMIP ` | Citrix Application Delivery Management (ADM) IP address | null | Mandatory for Citrix ADC CPX |
| `ADMSettings.licenseServerIP ` | Citrix License Server IP address | null | Optional |
| `ADMSettings.licenseServerPort` | Citrix ADM port if a non-default port is used | 27000 | Optional|
| `ADMSettings.bandWidth` | Desired bandwidth capacity to be set for Citrix ADC CPX in Mbps | null | Optional |
| `ADMSettings.bandWidthLicense` | To specify bandwidth based licensing | false | Optional |
| `ingressGateway.netscalerUrl` | URL or IP address of the Citrix ADC which Istio-adaptor configures (Mandatory if citrixCPX=false)| null |Mandatory for Citrix ADC MPX or VPX|
| `ingressGateway.vserverIP` | Virtual server IP address on Citrix ADC (Mandatory if citrixCPX=false) | null | Mandatory for Citrix ADC MPX or VPX|
| `ingressGateway.adcServerName ` | Citrix ADC ServerName used in the Citrix ADC certificate | null | Optional |
| `ingressGateway.image` | Image of Citrix ADC CPX designated to run as Ingress Gateway |quay.io/citrix/citrix-k8s-cpx-ingress:13.0-79.64 | Mandatory for Citrix ADC CPX |
| `ingressGateway.imagePullPolicy` | Image pull policy | IfNotPresent | Optional|
| `ingressGateway.EULA` | End User License Agreement(EULA) terms and conditions. If yes, then user agrees to EULA terms and conditions. | NO | Mandatory for Citrix ADC CPX
| `ingressGateway.mgmtHttpPort` | Management port of the Citrix ADC CPX | 9080 | Optional|
| `ingressGateway.mgmtHttpsPort` | Secure management port of Citrix ADC CPX | 9443 | Optional|
| `ingressGateway.httpNodePort` | Port on host machine which is used to expose HTTP port (80) of Citrix ADC CPX | 30180 |Optional|
| `ingressGateway.httpsNodePort` | Port on host machine which is used to expose HTTPS port (443) of Citrix ADC CPX | 31443 |Optional|
| `ingressGateway.nodePortRequired` | Set this argument if servicetype to be NodePort of Citrix ADC CPX | false |Optional|
| `ingressGateway.secretVolume` | A map of user defined volumes to be mounted using Kubernetes secrets | null |Optional|
| `ingressGateway.label` | Custom label for the Ingress Gateway service | citrix-ingressgateway |Optional|
| `ingressGateway.netProfile ` | Network profile name used by [CNC](https://github.com/citrix/citrix-k8s-node-controller) to configure Citrix ADC VPX or MPX which is deployed as Ingress Gateway | null | Optional|
| `ingressGateway.multiClusterIngress ` | Flag indicating if Citrix ADC is acting as Ingress gateway to multi cluster Istio mesh installation. Possible values: true/false | false | Optional|
| `ingressGateway.multiClusterListenerPort ` | Port opened on Citrix ADC to enable inter-cluster service to service (E-W) communication | 15443 | Optional|
| `ingressGateway.multiClusterListenerNodePort ` | Nodeport for multiClusterListenerPort in case of Citrix ADC CPX acting as Ingress gateway | 32443 | Optional|
| `ingressGateway.multiClusterSvcDomain ` | Domain suffix of remote service (deployed in other cluster) used in E-W communication | global | Optional|
| `ingressGateway.tcpPort` | For exposing multiple TCP ingress | null |Optional|
| `istioPilot.name` | Name of the Istio Pilot service | istiod |Optional|
| `istioPilot.namespace` | Namespace where Istio Pilot is running | istio-system |Optional|
| `istioPilot.secureGrpcPort` | Secure GRPC port where Istiod (Istio Pilot) is listening (default setting) | 15012 |Optional|
| `istioPilot.insecureGrpcPort` | Insecure GRPC port where Istiod (Istio Pilot) is listening | 15010 |Optional|
| `istioPilot.SAN` | Subject alternative name for Istiod (Istio Pilot) which is the secure production identity framework for everyone (SPIFFE) ID of Istio Pilot | null |Optional|
| `metricExporter.required` | Metrics exporter for Citrix ADC | TRUE |Optional|
| `metricExporter.image` | Image of the Citrix ADC Metrics Exporter | quay.io/citrix/citrix-adc-metrics-exporter:1.4.8 |Optional|
| `metricExporter.port` | Port over which Citrix ADC Metrics Exporter collects metrics of Citrix ADC. | 8888 |Optional|
| `metricExporter.secure` | Enables collecting metrics over TLS | YES |Optional|
| `metricExporter.logLevel` | Level of logging in Citrix ADC Metrics Exporter. Possible values are: DEBUG, INFO, WARNING, ERROR, CRITICAL | ERROR |Optional|
| `metricExporter.imagePullPolicy` | Image pull policy for Citrix ADC Metrics Exporter | IfNotPresent |Optional|
| `certProvider.caAddr` | Certificate Authority (CA) address issuing certificate to application | istiod.istio-system.svc | Optional |
| `certProvider.caPort` | Certificate Authority (CA) port issuing certificate to application | 15012 | Optional |
| `certProvider.trustDomain` | SPIFFE Trust Domain | cluster.local | Optional |
| `certProvider.certTTLinHours` | Validity of certificate generated by xds-adaptor and signed by Istiod (Istio Citadel) in hours. Default is 30 days validity | 720 | Optional |
| `certProvider.clusterId` | clusterId is the ID of the cluster where Istiod CA instance resides (default Kubernetes). It can be different value on some cloud platforms or in multicluster environments. For example, in Anthos servicemesh, it might be of the format of `cn<project-name>-<region>-<cluster_name>`. In multiCluster environments, it is the value of global.multiCluster.clusterName provided during servicemesh control plane installation | Kubernetes | Optional |
| `certProvider.jwtPolicy` | Service Account token type. Kubernetes platform supports First party tokens and Third party tokens. Usually public cloud based Kubernetes has third-party-jwt | null | Optional |
| `secretName` | Name of the Kubernetes secret holding Citrix ADC credentials | nslogin | Mandatory for Citrix ADC VPX/MPX |
**Note:** You can use the `values.yaml` file packaged in the chart. This file contains the default configuration values for the chart.

38
charts/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway/1.11.0/app-readme.md Normal file
View File

@ -0,0 +1,38 @@
# Citrix ADC as an Ingress Gateway for Istio
An [Istio](https://istio.io/) ingress gateway acts as an entry point for the incoming traffic and secures and controls access to the service mesh. It also performs routing and load balancing. Citrix ADC [CPX](https://docs.citrix.com/en-us/citrix-adc-cpx), MPX, or [VPX](https://docs.citrix.com/en-us/citrix-adc.html), can be deployed as an ingress gateway to the Istio service mesh.
### Prerequisites
The following prerequisites are required for deploying Citrix ADC as an Ingress Gateway in Istio service mesh:
- Ensure that **Istio** is enabled.
- Ensure that your cluster has Kubernetes version 1.16.0 or later.
- Ensure to create secret named **nslogin** with username and password in same namespace in case of VPX/MPX . Choose the **Cluster Explorer > Storage > Secrets** in the navigation bar.
### Important NOTE:
- Follow this [link](https://github.com/citrix/citrix-helm-charts/blob/master/examples/citrix-adc-in-istio/README.md
) to deploy Citrix ADC as an ingress gateway for application.
- For deploying Citrix ADC VPX or MPX as ingress gateway, you should establish the connectivity between Citrix ADC VPX or MPX and cluster nodes. This connectivity can be established by configuring routes on Citrix ADC as mentioned [here](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/staticrouting.md) or by deploying [Citrix Node Controller](https://github.com/citrix/citrix-k8s-node-controller).
- To use the certificate and key for authenticating access to an application using Citrix ADC Ingress Gateway. In that case, you can create a Kubernetes secret from the existing certificate and key. You can mount the Kubernetes secret as data volumes in Citrix ADC Ingress Gateway. Then specify a list of secret, volume name, mount path in subsequent fields of `SecretVolume` section:
- Go to `Edit as YAML` option and update below values .
```
secretVolumes:
- name:
secretName:
mountPath:
```
For more details, follow this [link](https://github.com/citrix/citrix-helm-charts/tree/master/citrix-adc-istio-ingress-gateway#using-existing-certificates-to-deploy-citrix-adc-as-an-ingress-gateway)
- By default, gateway is configured to expose HTTP(S) services. To expose non-HTTP services, Then specify a list of port, port-name, target-port, nodeport (if applicable) in subsequent fields of `tcpPort` section.
- Go to `Edit as YAML` option and update below values.
```
tcpPort:
- name:
nodePort:
port:
targetPort:
```
For more details follow this [link](https://github.com/citrix/citrix-helm-charts/tree/master/citrix-adc-istio-ingress-gateway#exposing-services-running-on-non-http-ports)
This catalog deploys Citrix ADC VPX, MPX, or CPX as an Ingress Gateway in the Istio service mesh. For detailed information on various deployment options,checkout this [link](https://github.com/citrix/citrix-istio-adaptor).

405
charts/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway/1.11.0/questions.yml Normal file
View File

@ -0,0 +1,405 @@
labels:
io.rancher.certified: partner
questions:
- variable: citrixCPX
required: true
type: boolean
default: true
description: "Set true to use Citrix ADC CPX as ingress device. Set false to use VPX/MPX as ingress device"
label: citrixCPX
group: "Deployment Settings"
- variable: secrets.name
required: true
type: string
default: "nslogin"
description: "Ensure to create nslogin secret in same namespace"
show_if: "citrixCPX=false"
group: "nslogin Settings"
- variable: xDSAdaptor.image
required: true
type: string
default: "quay.io/citrix/citrix-xds-adaptor:0.9.9"
label: xDSAdaptor Image
description: "xDSAdaptor Image to be used with version"
group: "xDSAdaptor Settings"
- variable: xDSAdaptor.imagePullPolicy
required: true
type: enum
default: IfNotPresent
label: xDSAdaptor imagePullPolicy
description: "xDSAdaptor Image pull policy"
options:
- "Always"
- "IfNotPresent"
- "Never"
group: "xDSAdaptor Settings"
- variable: xDSAdaptor.proxyType
required: false
type: string
default: "router"
label: xDSAdaptor proxyType
description: "xDSAdaptor proxyType type set to router by default"
group: "xDSAdaptor Settings"
- variable: xDSAdaptor.secureConnect
required: true
type: boolean
default: true
label: xDSAdaptor secureConnect
description: "If this value is set to true, xDSAdaptor establishes secure gRPC channel with Istio Pilot"
group: "xDSAdaptor Settings"
- variable: xDSAdaptor.logLevel
required: false
type: enum
default: DEBUG
label: xDSAdaptor logLevel
description: "xDSAdaptor logLevel"
options:
- "TRACE"
- "DEBUG"
- "INFO"
- "WARN"
- "ERROR"
group: "xDSAdaptor Settings"
- variable: xDSAdaptor.jsonLog
required: false
type: string
default: "true"
label: xDSAdaptor jsonLog
description: "Set this argument to true if log messages are required in JSON format"
group: "xDSAdaptor Settings"
- variable: coe.coeURL
required: false
type: string
label: coe coeURL
description: "Name of Citrix Observability Exporter Service"
group: "COE Settings"
- variable: coe.coeTracing
required: false
type: boolean
label: coe coeTracing
description: "Used to send appflow transactions to Zipkin endpoint,if true ADM servicegraph (if configured) can be impacted"
group: "COE Settings"
- variable: istioPilot.name
required: true
type: string
default: istiod
label: istio-pilot name
group: "istio-pilot Settings"
description: "Name of the Istio Pilot service"
- variable: istioPilot.namespace
required: true
type: string
default: istio-system
label: istio-pilot namespace
description: "Namespace where Istio Pilot is running"
group: "istio-pilot Settings"
- variable: istioPilot.secureGrpcPort
required: true
type: int
default: 15012
label: istio-pilot secureGrpcPort
show_if: "xDSAdaptor.secureConnect=true"
description: "Secure GRPC port where Istio Pilot is listening"
group: "istio-pilot Settings"
- variable: istioPilot.insecureGrpcPort
required: true
type: int
default: 15010
show_if: "xDSAdaptor.secureConnect=false"
label: istio-pilot insecureGrpcPort
description: "Insecure GRPC port where Istio Pilot is listening"
group: "istio-pilot Settings"
- variable: istioPilot.SAN
required: false
type: string
default:
label: istio-pilot SAN
description: "Subject alternative name for Istio Pilot which is (SPIFFE) ID of Istio Pilot"
show_if: "xDSAdaptor.secureConnect=true"
group: "istio-pilot Settings"
- variable: ingressGateway.netscalerUrl
required: true
type: string
default:
label: ingressGateway netscalerUrl
description: "URL or IP address of the Citrix ADC which Istio-adaptor configures (Mandatory if citrixCPX=false)"
show_if: "citrixCPX=false"
group: "ingressGateway Settings"
- variable: ingressGateway.image
required: true
type: string
default: "quay.io/citrix/citrix-k8s-cpx-ingress:13.0-79.64"
label: ingressGateway Image
description: "ingressGateway image to be used"
group: "ingressGateway Settings"
- variable: ingressGateway.imagePullPolicy
required: true
type: enum
default: IfNotPresent
label: ingressGateway imagePullPolicy
description: Ingress-gateway Image pull policy
group: "ingressGateway Settings"
options:
- "Always"
- "IfNotPresent"
- "Never"
- variable: ingressGateway.EULA
required: true
type: enum
description: "End user license agreement (read EULA before accepting it yes)"
label: ingressGateway EULA
options:
- "YES"
- "NO"
group: "ingressGateway Settings"
- variable: ingressGateway.mgmtHttpPort
required: true
type: int
default: 10080
label: ingressGateway mgmtHttpPort
description: "Management port of the Citrix ADC CPX"
show_if: "citrixCPX=true"
group: "ingressGateway Settings"
- variable: ingressGateway.mgmtHttpsPort
required: true
type: int
default: 10443
show_if: "citrixCPX=true"
label: ingressGateway mgmtHttpsPort
description: "Secure management port of Citrix ADC CPX"
group: "ingressGateway Settings"
- variable: ingressGateway.httpNodePort
required: true
type: int
default: 30180
show_if: "citrixCPX=true"
label: ingressGateway httpNodePort
description: "Port on host machine which is used to expose HTTP port of Citrix ADC CPX"
group: "ingressGateway Settings"
- variable: ingressGateway.httpsNodePort
required: true
type: int
default: 31443
show_if: "citrixCPX=true"
label: ingressGateway httpsNodePort
description: "Port on host machine which is used to expose HTTPS port of Citrix ADC CPX"
group: "ingressGateway Settings"
- variable: ingressGateway.nodePortRequired
required: true
type: boolean
default: true
label: ingressGateway nodePortRequired
description: "Set this argument if servicetype to be NodePort of Citrix ADC CPX, else it will be loadbalancer type"
group: "ingressGateway Settings"
- variable: ingressGateway.lightWeightCPX
required: false
type: int
default: 1
show_if: "citrixCPX=true"
label: ingressGateway lightWeightCPX
description: "Set this argument if lighter version of Citrix ADC CPX used"
group: "ingressGateway Settings"
- variable: ingressGateway.label
required: true
type: string
default: "citrix-ingressgateway"
label: ingressGateway label
description: "Custom label for the Ingress Gateway service"
group: "ingressGateway Settings"
- variable: ingressGateway.vserverIP
required: true
type: string
default: "nsip"
show_if: "citrixCPX=false"
label: ingressGateway vserverIP
description: "Virtual server IP address on Citrix ADC"
group: "ingressGateway Settings"
- variable: ingressGateway.adcServerName
required: false
type: string
default:
label: ingressGateway adcServerName
description: "Citrix ADC ServerName used in the Citrix ADC certificate"
group: "ingressGateway Settings"
- variable: ingressGateway.netProfile
required: false
type: string
default:
label: ingressGateway netProfile
description: "Network profile name used to configure Citrix ADC VPX or MPX which is deployed as Ingress Gateway"
show_if: "citrixCPX=false"
group: "ingressGateway Settings"
- variable: ingressGateway.multiClusterIngress
required: false
type: boolean
default: false
label: ingressGateway multiClusterIngress
description: "Flag indicating if Citrix ADC is acting as Ingress gateway to multi cluster Istio mesh installation"
group: "ingressGateway Settings"
- variable: ingressGateway.multiClusterListenerPort
required: true
type: int
default: 15443
label: ingressGateway multiClusterListenerPort
description: "Port opened on Citrix ADC to enable inter-cluster service to service (E-W) communication"
show_if: "ingressGateway.multiClusterIngress=true"
group: "ingressGateway Settings"
- variable: ingressGateway.multiClusterListenerNodePort
required: true
type: int
default: 15443
label: ingressGateway multiClusterListenerNodePort
description: "Nodeport for multiClusterListenerPort in case of Citrix ADC CPX acting as Ingress gateway"
show_if: "ingressGateway.multiClusterIngress=true"
group: "ingressGateway Settings"
- variable: ingressGateway.multiClusterSvcDomain
required: true
type: string
default: global
label: ingressGateway multiClusterSvcDomain
description: "Domain suffix of remote service (deployed in other cluster) used in E-W communication"
show_if: "ingressGateway.multiClusterIngress=true"
group: "ingressGateway Settings"
- variable: metricExporter.required
required: false
type: boolean
default: true
label: Exporter required
description: "Metrics exporter for Citrix ADC"
group: "metricExporter Settings"
- variable: metricExporter.image
required: true
type: string
default: "quay.io/citrix/citrix-adc-metrics-exporter:1.4.8"
label: Exporter Image
description: "Exporter Image to be used with version"
show_if: "metricExporter.required=true"
group: "metricExporter Settings"
- variable: metricExporter.port
required: true
type: int
default: 8888
label: metricExporter Port
show_if: "metricExporter.required=true"
group: "metricExporter Settings"
- variable: metricExporter.logLevel
required: true
type: enum
default: ERROR
label: metricExporter logLevel
show_if: "metricExporter.required=true"
group: "metricExporter Settings"
options:
- "DEBUG"
- "INFO"
- "WARNING"
- "ERROR"
- "TRACE"
- variable: metricExporter.imagePullPolicy
required: true
type: enum
default: IfNotPresent
label: metricExporter imagePullPolicy
description: "Exporter Image pull policy"
show_if: "metricExporter.required=true"
group: "metricExporter Settings"
options:
- "Always"
- "IfNotPresent"
- "Never"
- variable: certProvider.caAddr
required: true
type: string
default: "istiod.istio-system.svc"
label: certProvider caAddr
description: "Certificate Authority (CA) address issuing certificate to application"
group: "certProvider Settings"
- variable: certProvider.caPort
required: true
type: int
default: 15012
label: certProvider caPort
description: "Certificate Authority (CA) port issuing certificate to application"
group: "certProvider Settings"
- variable: certProvider.trustDomain
required: true
type: string
default: "cluster.local"
label: certProvider trustDomain
description: "SPIFFE Trust Domain"
group: "certProvider Settings"
- variable: certProvider.certTTLinHours
required: true
type: int
default: 720
label: certProvider certTTLinHours
description: "Validity of certificate generated by xds-adaptor and signed by Istiod (Istio Citadel) in hours."
group: "certProvider Settings"
- variable: certProvider.clusterId
required: true
type: string
default: "Kubernetes"
label: certProvider clusterId
description: "clusterId is the ID of the cluster where Istiod CA instance resides (default Kubernetes). It can be different value on some cloud platforms or in m
ulticluster environments. For example, in Anthos servicemesh, it might be of the format of `cn<project-name>-<region>-<cluster_name>`. In multiCluster environments, it is the val
ue of global.multiCluster.clusterName provided during servicemesh control plane installation"
group: "certProvider Settings"
- variable: certProvider.jwtPolicy
required: true
type: enum
default: "first-party-jwt"
label: certProvider jwtPolicy
description: "Kubernetes platform supports First party tokens and Third party tokens"
options:
- "first-party-jwt"
- "third-party-jwt"
group: "certProvider Settings"
- variable: ADMSettings.ADMIP
required: false
type: string
default:
label: ADMSettings ADMIP
description: "Citrix Application Delivery Management (ADM) IP address"
group: "ADMSettings Settings"
- variable: ADMSettings.licenseServerIP
required: false
type: string
default:
label: ADMSettings licenseServerIP
description: "Citrix License Server IP address"
group: "ADMSettings Settings"
- variable: ADMSettings.licenseServerPort
required: false
type: int
default: 27000
label: ADMSettings licenseServerPort
description: "Citrix ADM port if a non-default port is used"
group: "ADMSettings Settings"
- variable: ADMSettings.bandWidthLicense
required: false
type: boolean
default: false
label: ADMSettings bandWidthLicense
description: "To specify bandwidth based licensing"
group: "ADMSettings Settings"
- variable: ADMSettings.bandWidth
required: false
type: string
default:
label: ADMSettings bandWidth
description: "Desired bandwidth capacity to be set for Citrix ADC CPX in Mbps"
group: "ADMSettings Settings"
- variable: ADMSettings.vCPULicense
required: false
type: boolean
default: "false"
label: ADMSettings vCPULicense
description: "To specify vCPULicense based licensing"
group: "ADMSettings Settings"
- variable: ADMSettings.cpxCores
required: false
type: string
default:
label: ADMSettings cpxCores
description: "To specify cpxCores in licensing"
group: "ADMSettings Settings"

53
charts/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway/1.11.0/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,53 @@
{{- define "exporter_nsip" -}}
{{- $match := .Values.ingressGateway.netscalerUrl | toString | regexFind "//.*[:]*" -}}
{{- $match | trimAll ":" | trimAll "/" -}}
{{- end -}}
{{/* A common function to generate name of the resource.
* Usage: {{ template "generate-name" (list . (dict "suffixname" "citrix-deployment")) }}
* In above example, arguments are given in the list.
* First one is `.` indicating global chart-level scope.
* Second argument name is `suffixname` and value is `citrix-deployment`.
* If release name is `my-release`, then generate-name function would output "my-release-citrix-deployment".
* The function truncates name to 63 chars due to Kubernetes name length restrictions
*/}}
{{- define "generate-name" -}}
{{- $top := index . 0 -}}
{{- $arg1 := index . 1 "suffixname" -}}
{{- printf "%s-%s" $top.Release.Name $arg1 | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/* Another common function to generate name of the resource.
* Usage: {{ template "generate-name" (list . "citrix-deployment") }}
* In above example, arguments are given in the list.
* First one is `.` indicating global chart-level scope.
* Second argument is unnamed and takes value as `citrix-deployment`.
* If release name is `my-release`, then generate-name function would output "my-release-citrix-deployment".
* The function truncates name to 63 chars due to Kubernetes name length restrictions
*/}}
{{- define "generate-name2" -}}
{{- $top := index . 0 -}}
{{- $arg1 := index . 1 -}}
{{- printf "%s-%s" $top.Release.Name $arg1 | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/* Below function is used to identify default value of jwtPolicy if not provided.
* For on-prem Kubernetes v1.21+, it is third-party-jwt. Else first-party-jwt.
* Note: Don't just do "helm template" to generate yaml file. Else https://github.com/helm/helm/issues/7991
* is possible. Use "helm template --validate" or "helm install --dry-run --debug".
* Note2: For cloud environments, semverCompare should be ideally done with "<1.21.x-x" as
* Kubernetes version is generally of the format v1.20.7-eks-xxxxxx. So, it fails the "v1.21.x" check but that's fine
* as in cloud environments third-party-jwt is enabled.
*/}}
{{- define "jwtValue" -}}
{{- if .Values.certProvider.jwtPolicy -}}
{{- printf .Values.certProvider.jwtPolicy -}}
{{- else -}}
{{- if semverCompare "<1.21.x" .Capabilities.KubeVersion.Version -}}
{{- printf "first-party-jwt" -}}
{{- else -}}
{{- printf "third-party-jwt" -}}
{{- end -}}
{{- end -}}
{{- end -}}

509
charts/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway/1.11.0/templates/citrix-adc-ingressgateway-deployment.yaml Normal file
View File

@ -0,0 +1,509 @@
{{- if eq .Values.citrixCPX true }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "generate-name" (list . (dict "suffixname" "ingress-deployment")) }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }}
deployment: "cpx-ingressgateway" # This label is useful in ServiceGraph
spec:
replicas: 1
selector:
matchLabels:
app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }}
template:
metadata:
labels:
app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }}
citrix.com/no.sidecar: "true"
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ""
prometheus.io/port: "{{ .Values.metricExporter.port }}"
prometheus.io/scrape: "true"
spec:
volumes:
- name: citrix-ingressgateway-certs
secret:
optional: true
secretName: "citrix-ingressgateway-certs" # IMPORTANT: This secret MUST BE created before deploying gateway and ingress-gateway
- name: citrix-ingressgateway-ca-certs
secret:
optional: true
secretName: "citrix-ingressgateway-ca-certs" # IMPORTANT: This secret MUST BE created before deploying gateway and ingress-gateway
{{- range .Values.ingressGateway.secretVolumes }}
- name: {{ .name }}
secret:
secretName: {{ .secretName | quote }}
optional: true
{{- end }}
- name: cpx-conf
emptyDir: {}
- name: cpx-crash
emptyDir: {}
- name: cpx-pwd
emptyDir: {}
- name: certs
emptyDir: {}
{{- $jwtpolicy := include "jwtValue" . }}
{{- if eq $jwtpolicy "third-party-jwt" }}
- name: istio-token
projected:
sources:
- serviceAccountToken:
audience: istio-ca
expirationSeconds: 43200
path: istio-token
{{- end }}
- name: istiod-ca-cert
configMap:
defaultMode: 0777
name: istio-ca-root-cert
securityContext:
fsGroup: 32024
containers:
{{- if eq .Values.metricExporter.required true }}
- name: exporter
image: {{ .Values.metricExporter.image }}
imagePullPolicy: IfNotPresent
args:
- "--target-nsip=127.0.0.1"
- "--port={{ .Values.metricExporter.port }}"
- "--log-level={{ .Values.metricExporter.logLevel }}"
- "--secure=no"
env:
- name: "NS_DEPLOYMENT_MODE"
value: "SIDECAR"
securityContext:
readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /var/deviceinfo
name: cpx-pwd
{{- end }}
- name: istio-adaptor
image: {{ .Values.xDSAdaptor.image }}
imagePullPolicy: {{ .Values.xDSAdaptor.imagePullPolicy }}
args:
- -ads-server
{{- if eq .Values.xDSAdaptor.secureConnect true }}
- {{ .Values.istioPilot.name}}.{{ .Values.istioPilot.namespace }}.svc:{{ .Values.istioPilot.secureGrpcPort }} # istiod.istio-system.svc:15012
{{- else }}
- {{ .Values.istioPilot.name}}.{{ .Values.istioPilot.namespace }}.svc:{{ .Values.istioPilot.insecureGrpcPort }} # istiod.istio-system.svc:15010
{{- end }}
- -istio-proxy-type
- {{ .Values.xDSAdaptor.proxyType | default "router" | quote }}
{{- if .Values.istioPilot.SAN }}
- -ads-server-SAN
- {{ .Values.istioPilot.SAN | default "" }}
{{- end }}
- -ads-secure-connect={{ .Values.xDSAdaptor.secureConnect }}
- -citrix-adc
- "http://127.0.0.1"
- -citrix-adc-vip
- "nsip"
- -citrix-adc-password
- "/var/deviceinfo/random_id"
{{- if .Values.ADMSettings.ADMIP }}
- -citrix-adm
- {{ .Values.ADMSettings.ADMIP }}
{{- end }}
{{- if .Values.ADMSettings.licenseServerIP }}
- -citrix-license-server
- {{ .Values.ADMSettings.licenseServerIP }}
{{- end }}
{{- if .Values.coe.coeURL }}
- -coe
- {{ .Values.coe.coeURL }}
{{- end }}
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: APPLICATION_NAME
valueFrom:
fieldRef:
fieldPath: metadata.labels['app']
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.serviceAccountName
{{- if .Values.certProvider.caAddr }}
- name: CA_ADDR
value: {{ .Values.certProvider.caAddr }}:{{ .Values.certProvider.caPort}} #istiod.istio-system.svc:15012
- name: TRUST_DOMAIN
value: {{ .Values.certProvider.trustDomain }} #cluster.local
- name: CLUSTER_ID
value: {{ .Values.certProvider.clusterId }} #Kubernetes
- name: CERT_TTL_IN_HOURS
value: {{ .Values.certProvider.certTTLinHours | quote }}
- name: JWT_POLICY
value: {{ include "jwtValue" . | quote }} # If value not provided then third-party-jwt for v>=1.21 otherwise first-party-jwt
{{- end }}
{{- if eq .Values.ingressGateway.multiClusterIngress true }}
- name: MULTICLUSTER_INGRESS
value: "TRUE"
- name: MULTICLUSTER_LISTENER_PORT
value: {{ .Values.ingressGateway.multiClusterListenerPort | quote}}
- name: MULTICLUSTER_SVC_DOMAIN
value: {{ printf "'*.%s'" .Values.ingressGateway.multiClusterSvcDomain }}
{{- end }}
{{- if eq .Values.coe.coeTracing true }}
- name: COE_TRACING
value: "TRUE"
{{- end }}
- name: LOGLEVEL
value: {{ .Values.xDSAdaptor.logLevel | default "DEBUG" | quote }}
{{- if eq .Values.xDSAdaptor.jsonLog true }}
- name: JSONLOG
value: "TRUE"
{{- end }}
securityContext:
readOnlyRootFilesystem: true
runAsGroup: 32024
runAsUser: 32024 # UID of istio-adaptor container's user
volumeMounts:
- mountPath: /var/deviceinfo
name: cpx-pwd
{{- $jwtpolicy := include "jwtValue" . }}
{{- if eq $jwtpolicy "third-party-jwt" }}
- mountPath: /var/run/secrets/tokens
name: istio-token
{{- end }}
- mountPath: /etc/certs
name: certs
- name: istiod-ca-cert
mountPath: /etc/rootcert/
- mountPath: /etc/istio/ingressgateway-certs # Make sure that Gateway definition has this path mentioned in server.tls section for SIMPLE TLS
name: citrix-ingressgateway-certs
readOnly: true
- mountPath: /etc/istio/ingressgateway-ca-certs # Make sure that Gateway definition has this path mentioned in server.tls section for MUTUAL TLS
name: citrix-ingressgateway-ca-certs
readOnly: true
{{- range .Values.ingressGateway.secretVolumes }}
- name: {{ .name }}
mountPath: {{ .mountPath | quote }}
readOnly: true
{{- end }}
- name: citrix-ingressgateway
image: "{{ .Values.ingressGateway.image }}"
imagePullPolicy: {{ .Values.ingressGateway.imagePullPolicy }}
securityContext:
privileged: true
ports:
- containerPort: 80
- containerPort: 443
{{- if .Values.ingressGateway.mgmtHttpPort }}
- containerPort: {{ .Values.ingressGateway.mgmtHttpPort }}
{{- end }}
{{- if .Values.ingressGateway.mgmtHttpsPort }}
- containerPort: {{ .Values.ingressGateway.mgmtHttpsPort }}
{{- end }}
{{- range .Values.ingressGateway.tcpPort }}
- containerPort: {{ .port }}
{{- end }}
volumeMounts:
- mountPath: /cpx/conf/
name: cpx-conf
- mountPath: /cpx/crash/
name: cpx-crash
- mountPath: /var/deviceinfo
name: cpx-pwd
env:
- name: "EULA"
value: "{{ .Values.ingressGateway.EULA }}"
{{- if .Values.metricExporter.required }}
- name: "METRICS_EXPORTER_PORT"
value: "{{ .Values.metricExporter.port }}"
{{- end }}
- name: "MGMT_HTTP_PORT"
value: "{{ .Values.ingressGateway.mgmtHttpPort }}"
- name: "MGMT_HTTPS_PORT"
value: "{{ .Values.ingressGateway.mgmtHttpsPort }}"
- name: "NS_CPX_LITE"
value: "{{ .Values.ingressGateway.lightWeightCPX }}"
{{- if or .Values.coe.coeURL .Values.ADMSettings.ADMIP }}
- name: "NS_ENABLE_NEWNSLOG"
value: "1"
{{- end }}
- name: "KUBERNETES_TASK_ID"
value: ""
- name: "LS_IP"
value: {{ .Values.ADMSettings.licenseServerIP | default "" }}
- name: "LS_PORT"
value: "{{ .Values.ADMSettings.licenseServerPort}}"
{{- if .Values.ADMSettings.ADMIP }}
- name: "NS_MGMT_SERVER"
value: {{ .Values.ADMSettings.ADMIP }}
- name: "NS_HTTP_PORT"
value: {{ .Values.ingressGateway.mgmtHttpPort | quote }}
- name: "NS_HTTPS_PORT"
value: {{ .Values.ingressGateway.mgmtHttpsPort | quote }}
{{- end }}
- name: "LOGSTREAM_COLLECTOR_IP"
value: {{ .Values.ADMSettings.ADMIP | default ""}}
#To povision bandwidth based licensing to Citrix ADC CPX from ADM, needs bandwidth
{{- if and ( .Values.ADMSettings.licenseServerIP ) (eq .Values.ADMSettings.bandWidthLicense true) }}
- name: "BANDWIDTH"
value: {{ required "Mention bandwidth for bandwidth based licensing" .Values.ADMSettings.bandWidth | quote }}
{{- end }}
#for multiple-PE support, need to set CPX_CORES
{{- if .Values.ADMSettings.licenseServerIP }}
{{- if or (eq .Values.ADMSettings.vCPULicense true) (eq .Values.ADMSettings.bandWidthLicense true) }}
- name: "CPX_CORES"
value: {{ .Values.ADMSettings.cpxCores | default 1 | quote }}
{{- end }}
{{- end }}
{{- if or (.Values.ADMSettings.ADMIP) (.Values.ADMSettings.licenseServerIP) }}
- name: NS_MGMT_USER
valueFrom:
secretKeyRef:
name: admlogin
key: username
- name: NS_MGMT_PASS
valueFrom:
secretKeyRef:
name: admlogin
key: password
{{- end }}
---
{{ else }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "generate-name" (list . (dict "suffixname" "ingress-deployment")) }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }}
spec:
replicas: 1
selector:
matchLabels:
app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }}
template:
metadata:
labels:
app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }}
citrix.com/no.sidecar: "true"
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ""
prometheus.io/port: "{{ .Values.metricExporter.port }}"
prometheus.io/scrape: "true"
spec:
containers:
{{- if eq .Values.metricExporter.required true }}
- name: exporter
image: {{ .Values.metricExporter.image }}
imagePullPolicy: {{ .Values.metricExporter.imagePullPolicy }}
args:
- "--target-nsip={{- include "exporter_nsip" . -}}"
- "--port={{ .Values.metricExporter.port }}"
- "--secure={{ .Values.metricExporter.secure | lower}}"
- "--log-level={{ .Values.metricExporter.logLevel }}"
securityContext:
readOnlyRootFilesystem: true
volumeMounts:
- name: nslogin
mountPath: "/mnt/nslogin"
readOnly: true
{{- end }}
- name: istio-adaptor
image: {{ .Values.xDSAdaptor.image }}
imagePullPolicy: {{ .Values.xDSAdaptor.imagePullPolicy }}
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: APPLICATION_NAME
valueFrom:
fieldRef:
fieldPath: metadata.labels['app']
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.serviceAccountName
{{- if .Values.certProvider.caAddr }}
- name: CA_ADDR
value: {{ .Values.certProvider.caAddr }}:{{ .Values.certProvider.caPort}} #istiod.istio-system.svc:15012
- name: TRUST_DOMAIN
value: {{ .Values.certProvider.trustDomain }} #cluster.local
- name: CLUSTER_ID
value: {{ .Values.certProvider.clusterId }} #Kubernetes
- name: CERT_TTL_IN_HOURS
value: {{ .Values.certProvider.certTTLinHours | quote }}
- name: JWT_POLICY
value: {{ include "jwtValue" . | quote }} # third-party-jwt if Kubernetes cluster supports third-party tokens
{{- end }}
{{- if eq .Values.ingressGateway.multiClusterIngress true }}
- name: MULTICLUSTER_INGRESS
value: "TRUE"
- name: MULTICLUSTER_LISTENER_PORT
value: {{ .Values.ingressGateway.multiClusterListenerPort | quote}}
- name: MULTICLUSTER_SVC_DOMAIN
value: {{ printf "'*.%s'" .Values.ingressGateway.multiClusterSvcDomain }}
{{- end }}
{{- if eq .Values.coe.coeTracing true }}
- name: COE_TRACING
value: "TRUE"
{{- end }}
- name: LOGLEVEL
value: {{ .Values.xDSAdaptor.logLevel | default "DEBUG" | quote }}
{{- if eq .Values.xDSAdaptor.jsonLog true }}
- name: JSONLOG
value: "TRUE"
{{- end }}
- name: NS_USER
valueFrom:
secretKeyRef:
name: {{ .Values.secretName }}
key: username
- name: NS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.secretName }}
key: password
args:
- -ads-server
{{- if eq .Values.xDSAdaptor.secureConnect true }}
- {{ .Values.istioPilot.name}}.{{ .Values.istioPilot.namespace }}.svc:{{ .Values.istioPilot.secureGrpcPort }} # istiod.istio-system.svc:15012
{{- else }}
- {{ .Values.istioPilot.name}}.{{ .Values.istioPilot.namespace }}.svc:{{ .Values.istioPilot.insecureGrpcPort }} # istiod.istio-system.svc:15010
{{- end }}
- -istio-proxy-type
- {{ .Values.xDSAdaptor.proxyType | default "router" | quote }}
{{- if .Values.istioPilot.SAN }}
- -ads-server-SAN
- {{ .Values.istioPilot.SAN | default "" }}
{{- end }}
- -ads-secure-connect={{ .Values.xDSAdaptor.secureConnect }}
- -citrix-adc
- {{ required "Mention Citrix ADC IP/URL in https://<ip>[:port] format" .Values.ingressGateway.netscalerUrl }}
- -citrix-adc-vip
- {{ required "Mention Vserver IP to be configured on Citrix ADC" .Values.ingressGateway.vserverIP }}
- -citrix-adc-user
- "/etc/nslogin/username"
- -citrix-adc-password
- "/etc/nslogin/password"
# If using VPX/MPX as Ingress gateway, then specify the network profile name
# which was provided to Citrix Node Controller (CNC)
{{- if .Values.ingressGateway.netProfile }}
- -citrix-adc-net-profile
- {{ .Values.ingressGateway.netProfile }}
{{- end }}
- -citrix-adm
- ""
{{- if .Values.coe.coeURL }}
- -coe
- {{ .Values.coe.coeURL }}
{{- end }}
{{- if .Values.ingressGateway.adcServerName }}
- -citrix-adc-server-name
- {{ .Values.ingressGateway.adcServerName }}
- -citrix-adc-server-ca
- "/etc/nitro/root-cert.pem"
{{- end }}
securityContext:
readOnlyRootFilesystem: true
runAsGroup: 32024
runAsUser: 32024 # UID of istio-adaptor container's user
volumeMounts:
- mountPath: /etc/certs
name: certs
- name: istiod-ca-cert
mountPath: /etc/rootcert/
{{- $jwtpolicy := include "jwtValue" . }}
{{- if eq $jwtpolicy "third-party-jwt" }}
- mountPath: /var/run/secrets/tokens
name: istio-token
{{- end }}
- mountPath: /etc/nslogin
name: nslogin
readOnly: true
- mountPath: /etc/istio/ingressgateway-certs # Make sure that Gateway definition has this path mentioned in server.tls section for SIMPLE TLS
name: citrix-ingressgateway-certs
readOnly: true
- mountPath: /etc/istio/ingressgateway-ca-certs # Make sure that Gateway definition has this path mentioned in server.tls section for MUTUAL TLS
name: citrix-ingressgateway-ca-certs
readOnly: true
{{- range .Values.ingressGateway.secretVolumes }}
- name: {{ .name }}
mountPath: {{ .mountPath | quote }}
readOnly: true
{{- end }}
{{- if .Values.ingressGateway.adcServerName }}
- mountPath: /etc/nitro/
name: citrix-adc-cert
readOnly: true
{{- end }}
securityContext:
fsGroup: 32024
volumes:
- name: nslogin
secret:
optional: true
secretName: {{ .Values.secretName }}
- name: certs
emptyDir: {}
- name: istiod-ca-cert
configMap:
defaultMode: 0777
name: istio-ca-root-cert
- name: citrix-ingressgateway-certs
secret:
optional: true
secretName: "citrix-ingressgateway-certs" # IMPORTANT: This secret MUST BE created before deploying gateway and ingress-gateway
- name: citrix-ingressgateway-ca-certs
secret:
optional: true
secretName: "citrix-ingressgateway-ca-certs" # IMPORTANT: This secret MUST BE created before deploying gateway and ingress-gateway
{{- range .Values.ingressGateway.secretVolumes }}
- name: {{ .name }}
secret:
secretName: {{ .secretName | quote }}
optional: true
{{- end }}
{{- if .Values.ingressGateway.adcServerName }}
- name: citrix-adc-cert
secret:
optional: true
secretName: "citrix-adc-cert" # IMPORTANT: This secret MUST BE created before deploying gateway and ingress-gateway
{{- end }}
{{- $jwtpolicy := include "jwtValue" . }}
{{- if eq $jwtpolicy "third-party-jwt" }}
- name: istio-token
projected:
sources:
- serviceAccountToken:
audience: istio-ca
expirationSeconds: 43200
path: istio-token
{{- end }}
---
{{- end}}

40
charts/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway/1.11.0/templates/citrix-multicluster-gateway.yaml Normal file
View File

@ -0,0 +1,40 @@
{{- if eq .Values.ingressGateway.multiClusterIngress true }}
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
annotations:
labels:
app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }}
{{- if eq .Values.citrixCPX true }}
deployment: "cpx-ingressgateway" # This label is useful in ServiceGraph
{{- end }}
name: citrix-multicluster-ingressgateway
namespace: {{ .Release.Namespace }}
spec:
selector:
app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }}
servers:
- hosts:
- {{ printf "'*.%s'" .Values.ingressGateway.multiClusterSvcDomain }}
port:
name: tls
number: {{ .Values.ingressGateway.multiClusterListenerPort }}
protocol: TLS
tls:
mode: AUTO_PASSTHROUGH
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
annotations:
labels:
app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }}
name: citrix-multicluster-ingressgateway
namespace: {{ .Release.Namespace }}
spec:
host: {{ printf "'*.%s'" .Values.ingressGateway.multiClusterSvcDomain }}
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
---
{{- end }}

76
charts/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway/1.11.0/templates/ingressgateway-service.yaml Normal file
View File

@ -0,0 +1,76 @@
{{- if eq .Values.citrixCPX true }}
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: {{ template "generate-name" (list . (dict "suffixname" "citrix-ingress-hpa")) }}
namespace: {{ .Release.Namespace }}
spec:
maxReplicas: 1
minReplicas: 1
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ template "generate-name" (list . (dict "suffixname" "ingress-deployment")) }}
metrics:
- type: Resource
resource:
name: cpu
targetAverageUtilization: 60
---
{{- end }}
apiVersion: v1
kind: Service
metadata:
name: {{ template "generate-name" (list . (dict "suffixname" "citrix-ingress-svc")) }}
namespace: {{ .Release.Namespace }}
annotations:
labels:
app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }}
{{- if eq .Values.citrixCPX true }}
deployment: "cpx-ingressgateway" # This label is useful in ServiceGraph
{{- end }}
spec:
{{- if eq .Values.citrixCPX true }}
{{- if eq .Values.ingressGateway.nodePortRequired true }}
type: NodePort
{{- else }}
type: LoadBalancer
{{- end }}
{{- end }}
selector:
app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }}
ports:
-
name: http2
{{- if eq .Values.citrixCPX true }}
nodePort: {{ .Values.ingressGateway.httpNodePort }}
{{- end }}
port: 80
targetPort: 80
-
name: https
{{- if eq .Values.citrixCPX true }}
nodePort: {{ .Values.ingressGateway.httpsNodePort }}
{{- end }}
port: 443
targetPort: 443
{{- if eq .Values.ingressGateway.multiClusterIngress true }}
-
name: multicluster
{{- if eq .Values.citrixCPX true }}
nodePort: {{ .Values.ingressGateway.multiClusterListenerNodePort }}
{{- end }}
port: {{ .Values.ingressGateway.multiClusterListenerPort }}
targetPort: {{ .Values.ingressGateway.multiClusterListenerPort }}
{{- end }}
{{- $isCPX := .Values.citrixCPX }}
{{- range .Values.ingressGateway.tcpPort }}
-
name: {{ .name }}
{{- if eq $isCPX true }}
nodePort: {{ .nodePort }}
{{- end }}
port: {{ .port }}
targetPort: {{ .targetPort }}
{{- end }}
---

17
charts/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway/1.11.0/templates/metrics-exporter-service.yaml Normal file
View File

@ -0,0 +1,17 @@
{{- if eq .Values.metricExporter.required true }}
kind: Service
apiVersion: v1
metadata:
name: {{ template "generate-name" (list . (dict "suffixname" "citrix-exporter-svc")) }}
annotations:
labels:
service-type: citrix-adc-monitor
spec:
selector:
app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }}
ports:
- name: exporter-port
port: {{ .Values.metricExporter.port }}
targetPort: {{ .Values.metricExporter.port }}
---
{{- end }}

74
charts/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway/1.11.0/values.yaml Normal file
View File

@ -0,0 +1,74 @@
# Default values for citrix-adc-istio-ingress-gateway
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
citrixCPX: false
coe:
coeURL:
coeTracing: false
metricExporter:
required: true
image: quay.io/citrix/citrix-adc-metrics-exporter:1.4.8
port: 8888
secure: "YES"
logLevel: ERROR
imagePullPolicy: IfNotPresent
xDSAdaptor:
image: quay.io/citrix/citrix-xds-adaptor:0.9.9
imagePullPolicy: IfNotPresent
proxyType: router
secureConnect: true
logLevel: DEBUG
jsonLog: false
istioPilot:
name: istiod
namespace: istio-system
secureGrpcPort: 15012
insecureGrpcPort: 15010
SAN:
certProvider:
caAddr: istiod.istio-system.svc
caPort: 15012
trustDomain: cluster.local
certTTLinHours: 720
clusterId: Kubernetes
jwtPolicy: #specify third-party-jwt if Kubernetes cluster supports third-party tokens. Default from K8s v1.21
ingressGateway:
netscalerUrl: null
image: quay.io/citrix/citrix-k8s-cpx-ingress:13.0-79.64
imagePullPolicy: IfNotPresent
EULA: NO
mgmtHttpPort: 10080
mgmtHttpsPort: 10443
httpNodePort: 30180
httpsNodePort: 31443
nodePortRequired: true
lightWeightCPX: 1
secretVolumes:
#licenseServerIP: this value will be taken from ADMSettings.ADMIP
label: citrix-ingressgateway
tcpPort:
vserverIP: nsip
adcServerName:
netProfile:
multiClusterIngress: false
multiClusterListenerPort: 15443
multiClusterListenerNodePort: 32443
multiClusterSvcDomain: global
ADMSettings:
ADMIP:
licenseServerIP:
licenseServerPort: 27000
bandWidthLicense: false
bandWidth:
vCPULicense: false
cpxCores:
secretName: nslogin