Migrating citrix charts to automated process

pull/595/head
Samuel Attwood 2022-12-02 00:00:00 -05:00
parent fc40f83137
commit 74f5e05980
84 changed files with 10089 additions and 268 deletions

Binary file not shown.


@ -1,40 +0,0 @@
{{- if eq .Values.ingressGateway.multiClusterIngress true }}
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
annotations:
labels:
app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }}
{{- if eq .Values.citrixCPX true }}
deployment: "cpx-ingressgateway" # This label is useful in ServiceGraph
{{- end }}
name: citrix-multicluster-ingressgateway
namespace: {{ .Release.Namespace }}
spec:
selector:
app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }}
servers:
- hosts:
- {{ printf "'*.%s'" .Values.ingressGateway.multiClusterSvcDomain }}
port:
name: tls
number: {{ .Values.ingressGateway.multiClusterListenerPort }}
protocol: TLS
tls:
mode: AUTO_PASSTHROUGH
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
annotations:
labels:
app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }}
name: citrix-multicluster-ingressgateway
namespace: {{ .Release.Namespace }}
spec:
host: {{ printf "'*.%s'" .Values.ingressGateway.multiClusterSvcDomain }}
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
---
{{- end }}
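Review bot: this hunk deletes the multi-cluster Gateway and DestinationRule template outright (40 lines to 0), yet the README in the same commit still carries the section "Deploy Citrix ADC as an Ingress Gateway in multi cluster Istio Service mesh" and the `ingressGateway.multiClusterIngress`, `multiClusterListenerPort`, `multiClusterListenerNodePort` and `multiClusterSvcDomain` parameters. Either the resources moved to a template not shown here, in which case the commit message should say where, or the section and parameters are now dead and should go together with this file. The removed Gateway paired `mode: AUTO_PASSTHROUGH` on the listener with `ISTIO_MUTUAL` on the DestinationRule; whatever replaces it should keep that mTLS posture for the east-west port.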


@ -1,22 +1,21 @@
annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Citrix Adc Istio Ingress Gateway
catalog.cattle.io/kube-version: '>=v1.16.0-0'
catalog.cattle.io/release-name: citrix-adc-istio-ingress-gateway
apiVersion: v2
appVersion: 1.11.0
appVersion: 1.14.0
description: A Helm chart for Citrix ADC as Ingress Gateway installation in Istio
Service Mesh on Kubernetes platform
home: https://www.citrix.com
icon: https://raw.githubusercontent.com/citrix/citrix-xds-adaptor/master/docs/media/Citrix_Logo_Trademark.png
icon: https://raw.githubusercontent.com/citrix/citrix-helm-charts/gh-pages/icon.png
kubeVersion: '>=v1.16.0-0'
maintainers:
- email: dhiraj.gedam@citrix.com
name: dheerajng
- email: subash.dangol@citrix.com
name: subashd
- email: ajeeta.shaket@citrix.com
name: ajeetas
name: citrix-adc-istio-ingress-gateway
sources:
- https://github.com/citrix/citrix-xds-adaptor
version: 1.11.1
version: 1.14.0
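Review bot: `appVersion` and `version` are both set to 1.14.0, which lines up with the README compatibility row mapping xDS-Adaptor 0.10.3 to Istio v1.14+ rather than with any shipped image tag (`xDSAdaptor.imageTag` 0.10.3, CPX `13.1-30.52`). If appVersion is meant to track the supported Istio release, state that in the chart description or README, because catalog tooling (see the `catalog.cattle.io` annotations above) presents appVersion to users as the application version. The icon now comes from the citrix-helm-charts gh-pages branch while `sources` still points at citrix-xds-adaptor, which is fine, but confirm the gh-pages asset is published before the release is cut.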


@ -3,6 +3,7 @@
Citrix Application Delivery Controller (ADC) can be deployed as an Istio Ingress Gateway to control the ingress traffic to Istio service mesh.
# Table of Contents
1. [TL; DR;](#tldr)
2. [Introduction](#introduction)
3. [Deploy Citrix ADC VPX or MPX as an Ingress Gateway](#deploy-citrix-adc-vpx-or-mpx-as-an-ingress-gateway)
@ -21,10 +22,9 @@ Citrix Application Delivery Controller (ADC) can be deployed as an Istio Ingress
16. [Citrix ADC VPX/MPX Certificate Verification](#citrix-adc-vpx-or-mpx-certificate-verification)
17. [Configuration Parameters](#configuration-parameters)
## <a name="tldr">TL; DR;</a>
### To deploy Citrix ADC VPX or MPX as an Ingress Gateway:
### To deploy Citrix ADC VPX or MPX as an Ingress Gateway
kubectl create secret generic nslogin --from-literal=username=<citrix-adc-user> --from-literal=password=<citrix-adc-password> -n citrix-system
@ -32,15 +32,12 @@ Citrix Application Delivery Controller (ADC) can be deployed as an Istio Ingress
helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES --set ingressGateway.netscalerUrl=https://<nsip>[:port] --set ingressGateway.vserverIP=<IPv4 Address> --set secretName=nslogin
### To deploy Citrix ADC CPX as an Ingress Gateway:
### To deploy Citrix ADC CPX as an Ingress Gateway
helm repo add citrix https://citrix.github.io/citrix-helm-charts/
helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES --set citrixCPX=true
## <a name="introduction">Introduction</a>
This chart deploys Citrix ADC VPX, MPX, or CPX as an Ingress Gateway in the Istio service mesh using the Helm package manager. For detailed information on different deployment options, see [Deployment Architecture](https://github.com/citrix/citrix-istio-adaptor/blob/master/docs/istio-integration/architecture.md).
@ -51,7 +48,9 @@ Below table provides info about recommended Citrix xDS-Adaptor version to be use
| Citrix xDS-Adaptor version | Istio version |
|----------------------------|---------------|
| quay.io/citrix/citrix-xds-adaptor:0.9.9 | Istio v1.10+ |
| quay.io/citrix/citrix-xds-adaptor:0.10.3 | Istio v1.14+ |
| quay.io/citrix/citrix-xds-adaptor:0.10.1 | Istio v1.12 to Istio v1.13 |
| quay.io/citrix/citrix-xds-adaptor:0.9.9 | Istio v1.10 to Istio v1.11 |
| quay.io/citrix/citrix-xds-adaptor:0.9.8 | Istio v1.8 to Istio v1.9 |
| quay.io/citrix/citrix-xds-adaptor:0.9.5 | Istio v1.6 |
@ -78,7 +77,6 @@ The following prerequisites are required for deploying Citrix ADC as an Ingress
kubectl create secret generic nslogin --from-literal=username=<citrix-adc-user> --from-literal=password=<citrix-adc-password> -n citrix-system
- **Create system user account for xDS-adaptor in Citrix ADC:**
The Citrix ADC appliance needs to have system user account (non-default) with certain privileges so that `xDS-adaptor` can configure the Citrix ADC VPX or MPX appliance. Follow the instructions to create the system user account on Citrix ADC.
@ -91,25 +89,24 @@ The following prerequisites are required for deploying Citrix ADC as an Ingress
The `xDS-adaptor` configures the Citrix ADC using a system user account of the Citrix ADC. The system user account should have certain privileges so that the xDS-adaptor has permissions configure the following on the Citrix ADC:
- Add, Delete, or View Content Switching (CS) virtual server
- Configure CS policies and actions
- Configure Load Balancing (LB) virtual server
- Configure Service groups
- Cofigure SSl certkeys
- Configure routes
- Configure user monitors
- Add system file (for uploading SSL certkeys from Kubernetes)
- Configure Virtual IP address (VIP)
- Check the status of the Citrix ADC appliance
- Add, Delete or view authentication virtual server, policy, authaction
- Add, Delete or view Policy
- Add, Delete or view Responder policy, action, param
- Add, Delete or view Rewrite policy, action, param
- Add, Delete or view analytics profile
- Add, Delete or view DNS name server
- Add, Delete or view network netprofile
- Add, Delete or view Traffic Management Commands(sessionaction, session policy, sessionparameter)
- Add, Delete, or View Content Switching (CS) virtual server
- Configure CS policies and actions
- Configure Load Balancing (LB) virtual server
- Configure Service groups
- Cofigure SSl certkeys
- Configure routes
- Configure user monitors
- Add system file (for uploading SSL certkeys from Kubernetes)
- Configure Virtual IP address (VIP)
- Check the status of the Citrix ADC appliance
- Add, Delete or view authentication virtual server, policy, authaction
- Add, Delete or view Policy
- Add, Delete or view Responder policy, action, param
- Add, Delete or view Rewrite policy, action, param
- Add, Delete or view analytics profile
- Add, Delete or view DNS name server
- Add, Delete or view network netprofile
- Add, Delete or view Traffic Management Commands(sessionaction, session policy, sessionparameter)
> **Note:**
>
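Review bot: the privilege list is only re-indented here, so the typo `Cofigure SSl certkeys` survives into the new version; since every line of the list is touched, correct it to `Configure SSL certkeys` in this hunk. This list is also the human-readable statement of what the xDS-adaptor's system user may do, and it contains broad items (`Add, Delete or view Policy`, `Configure routes`); keep it in step with the `add cmdpolicy` expression further down so operators can audit the account against least privilege.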
@ -117,12 +114,12 @@ The following prerequisites are required for deploying Citrix ADC as an Ingress
To create the system user account, do the following:
1. Log on to the Citrix ADC appliance. Perform the following:
1. Use an SSH client, such as PuTTy, to open an SSH connection to the Citrix ADC appliance.
1. Log on to the Citrix ADC appliance. Perform the following:
1. Use an SSH client, such as PuTTy, to open an SSH connection to the Citrix ADC appliance.
2. Log on to the appliance by using the administrator credentials.
2. Log on to the appliance by using the administrator credentials.
2. Create the system user account using the following command:
2. Create the system user account using the following command:
```
add system user <username> <password>
@ -134,13 +131,13 @@ The following prerequisites are required for deploying Citrix ADC as an Ingress
add system user cxa mypassword
```
3. Create a policy to provide required permissions to the system user account. Use the following command:
3. Create a policy to provide required permissions to the system user account. Use the following command:
```
add cmdpolicy cxa-policy ALLOW "((^\S+\s+cs\s+\S+)|(^\S+\s+lb\s+\S+)|(^\S+\s+service\s+\S+)|(^\S+\s+servicegroup\s+\S+)|(^stat\s+system)|(^show\s+ha)|(^\S+\s+ssl\s+certKey)|(^\S+\s+ssl)|(^\S+\s+route)|(^\S+\s+monitor)|(^show\s+ns\s+ip)|(^\S+\s+system\s+file)|)|(^\S+\s+aaa\s+\S+)|(^\S+\s+aaa\s+\S+\s+.*)|(^\S+\s+authentication\s+\S+)|(^\S+\s+authentication\s+\S+\s+.*)|(^\S+\s+policy\s+\S+)|(^\S+\s+policy\s+\S+\s+.*)|(^\S+\s+rewrite\s+\S+)|(^\S+\s+rewrite\s+\S+\s+.*)|(^\S+\s+analytics\s+\S+)|(^\S+\s+analytics\s+\S+\s+.*)|(^\S+\s+dns\s+\S+)|(^\S+\s+dns\s+\S+\s+.*)|(^\S+\s+netProfile)|(^\S+\s+netProfile\s+.*)|(^\S+\s+tm\s+\S+)|(^\S+\s+tm\s+\S+\s+.*)"
```
4. Bind the policy to the system user account using the following command:
4. Bind the policy to the system user account using the following command:
```
bind system user cxa cxa-policy 0
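Review bot: the ALLOW expression on the `add cmdpolicy cxa-policy` line contains a stray `|)` right after `(^\S+\s+system\s+file)`, which closes the outer group early and leaves an empty alternative in it; an empty alternative matches the empty string, so unless the ADC evaluates command-policy patterns as a full anchored match this policy permits every command rather than the enumerated ones. Remove the stray `|)`, close the outer group at the end of the expression, and verify with a negative test (a command outside the list must be denied). Separately, `(^\S+\s+ssl)` is far wider than the `(^\S+\s+ssl\s+certKey)` alternative before it; if only certkey operations are needed, drop the wider one.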
@ -154,7 +151,6 @@ Create a secret for ADM username and password
- **Important Note:** For deploying Citrix ADC VPX or MPX as ingress gateway, you should establish the connectivity between Citrix ADC VPX or MPX and cluster nodes. This connectivity can be established by configuring routes on Citrix ADC as mentioned [here](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/staticrouting.md) or by deploying [Citrix Node Controller](https://github.com/citrix/citrix-k8s-node-controller).
## <a name="deploy-citrix-adc-vpx-or-mpx-as-an-ingress-gateway">Deploy Citrix ADC VPX or MPX as an Ingress Gateway</a>
To deploy Citrix ADC VPX or MPX as an Ingress Gateway in the Istio service mesh, do the following step. In this example, release name is specified as `citrix-adc-istio-ingress-gateway` and namespace as `citrix-system`.
@ -173,10 +169,10 @@ Create a secret for ADM username and password
helm install my-release citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,citrixCPX=true
## <a name="deploy-citrix-adc-as-a-multicluster-ingress-gateway">Deploy Citrix ADC as an Ingress Gateway in multi cluster Istio Service mesh</a>
To deploy **Citrix ADC VPX/MPX as an Ingress Gateway** in multi cluster Istio Service mesh, carry out below steps.
```
helm repo add citrix https://citrix.github.io/citrix-helm-charts/
@ -184,6 +180,7 @@ helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-ga
```
To deploy **Citrix ADC CPX as an Ingress Gateway** in multi cluster Istio Service mesh, carry out below steps.
```
helm repo add citrix https://citrix.github.io/citrix-helm-charts/
@ -230,10 +227,10 @@ To deploy Citrix ADC CPX with secret volume, do the following step:
## <a name="segregating-traffic-with-multiple-ingress-gateways">Segregating traffic with multiple Ingress Gateways</a>
You can deploy multiple Citrix ADC Ingress Gateway devices and segregate traffic to various deployments in the Istio service mesh. This can be achieved with *custom labels*. By default, Citrix ADC Ingress Gateway service comes up with the `app: citrix-ingressgateway` label. This label is used as a selector while deploying the Ingress Gateway or virtual service resources. If you want to deploy Ingress Gateway with the custom label, you can do it using the `ingressGateway.label` option in the Helm chart.
You can deploy multiple Citrix ADC Ingress Gateway devices and segregate traffic to various deployments in the Istio service mesh. This can be achieved with _custom labels_. By default, Citrix ADC Ingress Gateway service comes up with the `app: citrix-ingressgateway` label. This label is used as a selector while deploying the Ingress Gateway or virtual service resources. If you want to deploy Ingress Gateway with the custom label, you can do it using the `ingressGateway.label` option in the Helm chart.
To deploy Citrix ADC CPX Ingress Gateway with the label `my_custom_ingressgateway`, do the following step:
helm repo add citrix https://citrix.github.io/citrix-helm-charts/
helm install my-release citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,citrixCPX=true,ingressGateway.lightWeightCPX=NO,ingressGateway.label=my_custom_ingressgateway
@ -256,7 +253,6 @@ When Citrix ADC CPX is deployed as Ingress Gateway, Metrics Exporter runs along
To deploy Citrix ADC as Ingress Gateway without Metrics Exporter, set the value of `metricExporter.required` as false.
kubectl create secret generic nslogin --from-literal=username=<citrix-adc-user> --from-literal=password=<citrix-adc-password> -n citrix-system
helm repo add citrix https://citrix.github.io/citrix-helm-charts/
@ -288,23 +284,25 @@ In this example, a service running on TCP port 5000 is exposed using port 10000
## <a name="generate-certificate-for-ingress-gateway">Generate Certificate for Ingress Gateway </a>
Citrix Ingress gateway needs TLS certificate-key pair for establishing secure communication channel with backend applications. Earlier these certificates were issued by Istio Citadel and bundled in Kubernetes secret. Certificate was loaded in the application pod by doing volume mount of secret. Now `xDS-Adaptor` can generate its own certificate and get it signed by the Istio Citadel (Istiod). This eliminates the need of secret and associated [risks](https://kubernetes.io/docs/concepts/configuration/secret/#risks).
Citrix Ingress gateway needs TLS certificate-key pair for establishing secure communication channel with backend applications. Earlier these certificates were issued by Istio Citadel and bundled in Kubernetes secret. Certificate was loaded in the application pod by doing volume mount of secret. Now `xDS-Adaptor` can generate its own certificate and get it signed by the Istio Citadel (Istiod). This eliminates the need of secret and associated [risks](https://kubernetes.io/docs/concepts/configuration/secret/#risks).
xDS-Adaptor needs to be provided with details Certificate Authority (CA) for successful signing of Certificate Signing Request (CSR). By default, CA is `istiod.istio-system.svc` which accepts CSRs on port 15012.
xDS-Adaptor needs to be provided with details Certificate Authority (CA) for successful signing of Certificate Signing Request (CSR). By default, CA is `istiod.istio-system.svc` which accepts CSRs on port 15012.
To skip this process, don't provide any value (empty string) to `certProvider.caAddr`.
```
helm repo add citrix https://citrix.github.io/citrix-helm-charts/
helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES --set citrixCPX=true --set certProvider.caAddr=""
```
### <a name="using-third-party-service-account-tokens">Configure Third Party Service Account Tokens</a>
In order to generate certificate for application workload, xDS-Adaptor needs to send valid service account token along with Certificate Signing Request (CSR) to the Istio control plane (Citadel CA). Istio control plane authenticates the xDS-Adaptor using this JWT.
In order to generate certificate for application workload, xDS-Adaptor needs to send valid service account token along with Certificate Signing Request (CSR) to the Istio control plane (Citadel CA). Istio control plane authenticates the xDS-Adaptor using this JWT.
Kubernetes supports two forms of these tokens:
* Third party tokens, which have a scoped audience and expiration.
* First party tokens, which have no expiration and are mounted into all pods.
- Third party tokens, which have a scoped audience and expiration.
- First party tokens, which have no expiration and are mounted into all pods.
If Kubernetes cluster is installed with third party tokens, then the same information needs to be provided for automatic sidecar injection by passing `--set certProvider.jwtPolicy="third-party-jwt"`. By default, it is `first-party-jwt`.
```
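Review bot: these lines change only whitespace, so the grammar carries over; while touching them, fix `provided with details Certificate Authority (CA)` to `provided with the details of the Certificate Authority (CA)` and `needs TLS certificate-key pair` to `needs a TLS certificate-key pair`. On substance, the bullets state that first-party tokens have no expiration and are mounted into all pods, yet `certProvider.jwtPolicy` defaults to `first-party-jwt`; recommend `third-party-jwt` wherever the cluster supports TokenRequest (the next hunk shows how to check), since a bounded-audience, expiring token is what the CSR exchange with Istiod should be authenticated with. It would also help to say what the gateway uses for the backend channel when `certProvider.caAddr` is set to the empty string and the signing step is skipped.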
@ -334,29 +332,31 @@ To determine if your cluster supports third party tokens, look for the TokenRequ
```
## <a name="citrix-adc-cpx-license-provisioning">**Citrix ADC CPX License Provisioning**</a>
By default, CPX runs with 20 Mbps bandwidth called as [CPX Express](https://www.citrix.com/en-in/products/citrix-adc/cpx-express.html) however for better performance and production deployment customer needs licensed CPX instances. [Citrix ADM](https://www.citrix.com/en-in/products/citrix-application-delivery-management/) is used to check out licenses for Citrix ADC CPX.
**Bandwidth based licensing**
For provisioning licensing on Citrix ADC CPX, it is mandatory to provide License Server information to CPX. This can be done by setting **ADMSettings.licenseServerIP** as License Server IP. In addition to this, **ADMSettings.bandWidthLicense** needs to be set true and desired bandwidth capacity in Mbps should be set **ADMSettings.bandWidth**.
For example, to set 2Gbps as bandwidth capacity, below command can be used.
helm repo add citrix https://citrix.github.io/citrix-helm-charts/
helm repo add citrix https://citrix.github.io/citrix-helm-charts/
helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES --set ADMSettings.licenseServerIP=<Licenseserver_IP>,ADMSettings.bandWidthLicense=True --set ADMSettings.bandWidth=2000 --set citrixCPX=true
## <a name="configuration-for-servicegraph">**Service Graph configuration**</a>
Citrix ADM Service graph is an observability tool that allows user to analyse service to service communication. The service graph is generated by ADM post collection of transactional data from registered Citrix ADC instances. More details about it can be found [here](https://docs.citrix.com/en-us/citrix-application-delivery-management-service/application-analytics-and-management/service-graph.html).
Citrix ADC needs to be provided with ADM details for registration and data export. This section lists the steps needed to deploy Citrix ADC and register it with ADM.
**Deploy Citrix ADC CPX as ingress gateway**
1. Create secret using Citrix ADM Agent credentials, which will be used by Citrix ADC as CPX to communicate with Citrix ADM Agent:
kubectl create secret generic admlogin --from-literal=username=<adm-agent-username> --from-literal=password=<adm-agent-password>
kubectl create secret generic admlogin --from-literal=username=<adm-agent-username> --from-literal=password=<adm-agent-password>
2. Deploy Citrix ADC CPX as ingress gateway using helm command with `ADM` details:
helm install citrix-adc-istio-ingress-gateway citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES --set citrixCPX=true --set ADMSettings.ADMIP=<ADM-Agent-IP>
helm install citrix-adc-istio-ingress-gateway citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES --set citrixCPX=true --set ADMSettings.ADMIP=<ADM-Agent-IP>
> **Note:**
> If container agent is being used here for Citrix ADM, specify `serviceIP` of container agent in the `ADMSettings.ADMIP` parameter.
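Review bot: the two `helm install` lines under "Deploy Citrix ADC CPX as ingress gateway" name the chart as `citrix-adc-istio-ingress-gateway citrix-adc-istio-ingress-gateway`, missing the `citrix/` repository prefix used by every other install command on the page; as written this only resolves against a local chart directory of that name, so change the second token to `citrix/citrix-adc-istio-ingress-gateway` while the hunk is rewriting these lines. The `kubectl create secret generic admlogin` command also lacks `-n citrix-system`, unlike the `nslogin` example, so the secret lands in the current context's namespace rather than the release namespace.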
@ -364,32 +364,30 @@ For example, to set 2Gbps as bandwidth capacity, below command can be used.
**Deploy Citrix ADC VPX/MPX as ingress gateway**
Deploy Citrix ADC VPX/MPX as ingress gateway using helm command and set analytics settings on Citrix ADC VPX/MPX for sending transaction metrics to Citrix ADM
helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES --set ingressGateway.netscalerUrl=https://<nsip>[:port] --set ingressGateway.vserverIP=<IPv4 Address> --set secretName=nslogin
helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES --set ingressGateway.netscalerUrl=https://<nsip>[:port] --set ingressGateway.vserverIP=<IPv4 Address> --set secretName=nslogin
Add the following configurations in Citrix ADC VPX/MPX
en ns mode ulfd
en ns mode ulfd
en ns feature appflow
en ns feature appflow
add appflow collector logproxy_lstreamd -IPAddress <ADM-AGENT-IP/POD-IP> -port 5557 -Transport logstream
add appflow collector logproxy_lstreamd -IPAddress <ADM-AGENT-IP/POD-IP> -port 5557 -Transport logstream
set appflow param -templateRefresh 3600 -httpUrl ENABLED -httpCookie ENABLED -httpReferer ENABLED -httpMethod ENABLED -httpHost ENABLED -httpUserAgent ENABLED -httpContentType ENABLED -httpAuthorization ENABLED -httpVia ENABLED -httpXForwardedFor ENABLED -httpLocation ENABLED -httpSetCookie ENABLED -httpSetCookie2 ENABLED -httpDomain ENABLED -httpQueryWithUrl ENABLED metrics ENABLED -events ENABLED -auditlogs ENABLED
set appflow param -templateRefresh 3600 -httpUrl ENABLED -httpCookie ENABLED -httpReferer ENABLED -httpMethod ENABLED -httpHost ENABLED -httpUserAgent ENABLED -httpContentType ENABLED -httpAuthorization ENABLED -httpVia ENABLED -httpXForwardedFor ENABLED -httpLocation ENABLED -httpSetCookie ENABLED -httpSetCookie2 ENABLED -httpDomain ENABLED -httpQueryWithUrl ENABLED metrics ENABLED -events ENABLED -auditlogs ENABLED
add appflow action logproxy_lstreamd -collectors logproxy_lstreamd
add appflow action logproxy_lstreamd -collectors logproxy_lstreamd
add appflow policy logproxy_policy true logproxy_lstreamd
add appflow policy logproxy_policy true logproxy_lstreamd
bind appflow global logproxy_policy 10 END -type REQ_DEFAULT
bind appflow global logproxy_policy 10 END -type REQ_DEFAULT
bind appflow global logproxy_policy 10 END -type OTHERTCP_REQ_DEFAULT
bind appflow global logproxy_policy 10 END -type OTHERTCP_REQ_DEFAULT
> **Note:**
> If container agent is being used here for Citrix ADM, specify `PodIP` of container agent in above manual config.
## <a name="citrix-adc-as-ingress-gateway-a-sample-deployment">Citrix ADC as Ingress Gateway: a sample deployment</a>
A sample deployment of Citrix ADC as an Ingress gateway for the Bookinfo application is provided [here](https://github.com/citrix/citrix-helm-charts/tree/master/examples/citrix-adc-in-istio).
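Review bot: in the `set appflow param` line, `metrics ENABLED` is missing its leading dash (`-metrics ENABLED`) in both the old and new versions; since the hunk re-emits the line, fix the flag. On data handling, this configuration enables `-httpAuthorization`, `-httpCookie`, `-httpSetCookie` and `-httpSetCookie2` export to the logstream collector on port 5557, which ships Authorization headers and session cookies from every request through the gateway to the ADM agent; the README should either state that the service graph needs these fields or trim the list to what ADM requires, and it should note that the path to `<ADM-AGENT-IP/POD-IP>` must be an in-cluster or otherwise protected segment.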
@ -422,28 +420,34 @@ To deploy Citrix ADC VPX or MPX with Citrix ADC certificate verification, do the
The following table lists the configurable parameters in the Helm chart and their default values.
| Parameter | Description | Default | Optional/Mandatory |
|--------------------------------|-------------------------------|---------------------------|---------------------------|
| `citrixCPX` | Citrix ADC CPX | FALSE | Mandatory for Citrix ADC CPX |
| `xDSAdaptor.image` | Image of the Citrix xDS adaptor container (Refer compatibility matrix) |quay.io/citrix/citrix-xds-adaptor:0.9.9 | Mandatory|
| `xDSAdaptor.imageRegistry` | Image registry of the Citrix xDS adaptor container(Refer compatibility matrix) | `quay.io` | Mandatory |
| `xDSAdaptor.imageRepository` | Image repository of the Citrix xDS adaptor container(Refer compatibility matrix) | `citrix/citrix-xds-adaptor` | Mandatory |
| `xDSAdaptor.imageTag` | Image tag of the Citrix xDS adaptor container(Refer compatibility matrix) | `0.10.3` | Mandatory |
| `xDSAdaptor.imagePullPolicy` | Image pull policy for xDS adaptor | IfNotPresent | Optional|
| `xDSAdaptor.secureConnect` | If this value is set to true, xDS-adaptor establishes secure gRPC channel with Istio Pilot | TRUE | Optional|
| `xDSAdaptor.logLevel` | Log level to be set for xDS-adaptor log messages. Possible values: TRACE (most verbose), DEBUG, INFO, WARN, ERROR (least verbose) | DEBUG | Optional|
| `xDSAdaptor.jsonLog` | Set this argument to true if log messages are required in JSON format | false | Optional|
| `xDSAdaptor.defaultSSLListenerOn443` | Create SSL vserver by default for LDS resource for 0.0.0.0 and port 443. If set to false, TCP vserver will be created in absence of TLSContext in tcp_proxy filter | true | Optional |
| `coe.coeURL` | Name of [Citrix Observability Exporter](https://github.com/citrix/citrix-observability-exporter) Service in the form of "<servicename>.<namespace>" | null | Optional|
| `coe.coeTracing` | Use COE to send appflow transactions to Zipkin endpoint. If it is set to true, ADM servicegraph (if configured) can be impacted. | false | Optional|
| `ADMSettings.ADMIP ` | Citrix Application Delivery Management (ADM) IP address | null | Mandatory for Citrix ADC CPX |
| `ADMSettings.licenseServerIP ` | Citrix License Server IP address | null | Optional |
| `ADMSettings.ADMIP` | Citrix Application Delivery Management (ADM) IP address | null | Mandatory for Citrix ADC CPX |
| `ADMSettings.licenseServerIP` | Citrix License Server IP address | null | Optional |
| `ADMSettings.licenseServerPort` | Citrix ADM port if a non-default port is used | 27000 | Optional|
| `ADMSettings.bandWidth` | Desired bandwidth capacity to be set for Citrix ADC CPX in Mbps | null | Optional |
| `ADMSettings.bandWidth` | Desired bandwidth capacity to be set for Citrix ADC CPX in Mbps | 1000 | Optional |
| `ADMSettings.bandWidthLicense` | To specify bandwidth based licensing | false | Optional |
| `ADMSettings.licenseEdition`| License edition that can be Standard, Platinum and Enterprise . By default, Platinum is selected | PLATINUM | optional |
| `ADMSettings.analyticsServerPort` | Port used for Analytics in ADM. Required to plot ServiceGraph. | 5557 | Optional|
| `ingressGateway.netscalerUrl` | URL or IP address of the Citrix ADC which Istio-adaptor configures (Mandatory if citrixCPX=false)| null |Mandatory for Citrix ADC MPX or VPX|
| `ingressGateway.vserverIP` | Virtual server IP address on Citrix ADC (Mandatory if citrixCPX=false) | null | Mandatory for Citrix ADC MPX or VPX|
| `ingressGateway.adcServerName ` | Citrix ADC ServerName used in the Citrix ADC certificate | null | Optional |
| `ingressGateway.image` | Image of Citrix ADC CPX designated to run as Ingress Gateway |quay.io/citrix/citrix-k8s-cpx-ingress:13.0-83.27 | Mandatory for Citrix ADC CPX |
| `ingressGateway.adcServerName` | Citrix ADC ServerName used in the Citrix ADC certificate | null | Optional |
| `ingressGateway.imageRegistry` | Image registry of Citrix ADC CPX designated to run as Ingress Gateway | `quay.io` | Mandatory for Citrix ADC CPX |
| `ingressGateway.imageRepository` | Image repository of Citrix ADC CPX designated to run as Ingress Gateway | `citrix/citrix-k8s-cpx-ingress` | Mandatory for Citrix ADC CPX |
| `ingressGateway.imageTag` | Image tag of Citrix ADC CPX designated to run as Ingress Gateway | `13.1-30.52` | Mandatory for Citrix ADC CPX |
| `ingressGateway.imagePullPolicy` | Image pull policy | IfNotPresent | Optional|
| `ingressGateway.EULA` | End User License Agreement(EULA) terms and conditions. If yes, then user agrees to EULA terms and conditions. | NO | Mandatory for Citrix ADC CPX
| `ingressGateway.EULA` | End User License Agreement(EULA) terms and conditions. If yes, then user agrees to EULA terms and conditions. | NO | Mandatory for Citrix ADC CPX
| `ingressGateway.mgmtHttpPort` | Management port of the Citrix ADC CPX | 9080 | Optional|
| `ingressGateway.mgmtHttpsPort` | Secure management port of Citrix ADC CPX | 9443 | Optional|
| `ingressGateway.httpNodePort` | Port on host machine which is used to expose HTTP port (80) of Citrix ADC CPX | 30180 |Optional|
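Review bot: the `xDSAdaptor.image` row is dropped from the table, but the deployment template in this commit still renders `image: {{ tpl .Values.xDSAdaptor.image . }}`, so `image` remains a live values key (presumably a template string assembled from the new `imageRegistry`/`imageRepository`/`imageTag`); either keep a row describing it as such or state that only the three new keys are user-facing. The same applies to `metricExporter.image` in the next hunk. The `ADMSettings.bandWidth` default also changes from null to 1000 here, a behaviour change that deserves a line in the commit message, and `xDSAdaptor.logLevel` still defaults to DEBUG, which is chattier than a production default should be for the component that generates certificates and submits CSRs; consider INFO.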
@ -451,19 +455,23 @@ The following table lists the configurable parameters in the Helm chart and thei
| `ingressGateway.nodePortRequired` | Set this argument if servicetype to be NodePort of Citrix ADC CPX | false |Optional|
| `ingressGateway.secretVolume` | A map of user defined volumes to be mounted using Kubernetes secrets | null |Optional|
| `ingressGateway.label` | Custom label for the Ingress Gateway service | citrix-ingressgateway |Optional|
| `ingressGateway.netProfile ` | Network profile name used by [CNC](https://github.com/citrix/citrix-k8s-node-controller) to configure Citrix ADC VPX or MPX which is deployed as Ingress Gateway | null | Optional|
| `ingressGateway.multiClusterIngress ` | Flag indicating if Citrix ADC is acting as Ingress gateway to multi cluster Istio mesh installation. Possible values: true/false | false | Optional|
| `ingressGateway.multiClusterListenerPort ` | Port opened on Citrix ADC to enable inter-cluster service to service (E-W) communication | 15443 | Optional|
| `ingressGateway.multiClusterListenerNodePort ` | Nodeport for multiClusterListenerPort in case of Citrix ADC CPX acting as Ingress gateway | 32443 | Optional|
| `ingressGateway.multiClusterSvcDomain ` | Domain suffix of remote service (deployed in other cluster) used in E-W communication | global | Optional|
| `ingressGateway.netProfile` | Network profile name used by [CNC](https://github.com/citrix/citrix-k8s-node-controller) to configure Citrix ADC VPX or MPX which is deployed as Ingress Gateway | null | Optional|
| `ingressGateway.multiClusterIngress` | Flag indicating if Citrix ADC is acting as Ingress gateway to multi cluster Istio mesh installation. Possible values: true/false | false | Optional|
| `ingressGateway.multiClusterListenerPort` | Port opened on Citrix ADC to enable inter-cluster service to service (E-W) communication | 15443 | Optional|
| `ingressGateway.multiClusterListenerNodePort` | Nodeport for multiClusterListenerPort in case of Citrix ADC CPX acting as Ingress gateway | 32443 | Optional|
| `ingressGateway.multiClusterSvcDomain` | Domain suffix of remote service (deployed in other cluster) used in E-W communication | global | Optional|
| `ingressGateway.cpxLicenseAggregator` | IP/FQDN of the CPX License Aggregator if it is being used to license the CPX. | null | Optional|
| `ingressGateway.tcpPort` | For exposing multiple TCP ingress | null |Optional|
| `ingressGateway.enableLabelsFeature` | If this variable is true, Istio's [subset](https://istio.io/latest/docs/reference/config/networking/destination-rule/#Subset) of the service and some metadata of the service such as servicename, namespace etc will be stored in the Citrix ADC that might be used for analytics purpose. | FALSE |Optional|
| `istioPilot.name` | Name of the Istio Pilot service | istiod |Optional|
| `istioPilot.namespace` | Namespace where Istio Pilot is running | istio-system |Optional|
| `istioPilot.secureGrpcPort` | Secure GRPC port where Istiod (Istio Pilot) is listening (default setting) | 15012 |Optional|
| `istioPilot.insecureGrpcPort` | Insecure GRPC port where Istiod (Istio Pilot) is listening | 15010 |Optional|
| `istioPilot.SAN` | Subject alternative name for Istiod (Istio Pilot) which is the secure production identity framework for everyone (SPIFFE) ID of Istio Pilot | null |Optional|
| `metricExporter.required` | Metrics exporter for Citrix ADC | TRUE |Optional|
| `metricExporter.image` | Image of the Citrix ADC Metrics Exporter | quay.io/citrix/citrix-adc-metrics-exporter:1.4.9 |Optional|
| `metricExporter.imageRegistry` | Image registry of the Citrix ADC Metrics Exporter | `quay.io` | Optional |
| `metricExporter.imageRepository` | Image repository of the Citrix ADC Metrics Exporter | `citrix/citrix-adc-metrics-exporter` | Optional |
| `metricExporter.imageTag` | Image tag of the Citrix ADC Metrics Exporter | `1.4.9` | Optional |
| `metricExporter.port` | Port over which Citrix ADC Metrics Exporter collects metrics of Citrix ADC. | 8888 |Optional|
| `metricExporter.secure` | Enables collecting metrics over TLS | YES |Optional|
| `metricExporter.logLevel` | Level of logging in Citrix ADC Metrics Exporter. Possible values are: DEBUG, INFO, WARNING, ERROR, CRITICAL | ERROR |Optional|


@ -17,6 +17,8 @@ spec:
labels:
app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }}
citrix.com/no.sidecar: "true"
adc: "citrix"
deployment: "cpx-ingressgateway" # This label is useful in ServiceGraph
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ""
prometheus.io/port: "{{ .Values.metricExporter.port }}"
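Review bot: the `scheduler.alpha.kubernetes.io/critical-pod: ""` annotation kept as context under the new labels has no effect on the Kubernetes versions this chart targets (the annotation was removed in 1.16, which is the chart's stated minimum); if the gateway pod should be scheduled preferentially, set `priorityClassName` on the pod spec instead. The new `adc: "citrix"` label is hardcoded with no comment saying who consumes it (a selector, a NetworkPolicy, the adaptor via the downward-API `podinfo` volume added below); name the consumer in a template comment or the commit message.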
@ -31,6 +33,15 @@ spec:
secret:
optional: true
secretName: "citrix-ingressgateway-ca-certs" # IMPORTANT: This secret MUST BE created before deploying gateway and ingress-gateway
- name: podinfo
downwardAPI:
items:
- path: "labels"
fieldRef:
fieldPath: metadata.labels
- path: "annotations"
fieldRef:
fieldPath: metadata.annotations
{{- range .Values.ingressGateway.secretVolumes }}
- name: {{ .name }}
secret:
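Review bot: the `podinfo` downward-API volume projects every pod label and every pod annotation into the container, not only the keys the adaptor needs; annotations are where operators commonly put things that should not be readable from inside the pod (injection directives, secret or vault references, tooling hints). If the consumer needs specific keys, select them per item with `fieldPath: metadata.annotations['<key>']`; otherwise add a comment naming the consumer. The volume is also added unconditionally even though the feature it appears to serve (`ENABLE_LABELS_FEATURE`, further down) is off by default; consider guarding it with the same condition.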
@ -64,7 +75,7 @@ spec:
containers:
{{- if eq .Values.metricExporter.required true }}
- name: exporter
image: {{ .Values.metricExporter.image }}
image: {{ tpl .Values.metricExporter.image . }}
imagePullPolicy: IfNotPresent
args:
- "--target-nsip=127.0.0.1"
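Review bot: `imagePullPolicy: IfNotPresent` is still hardcoded for the exporter container directly under the new `tpl` image line, while values.yaml now carries `metricExporter.imagePullPolicy` and the second Deployment in this file renders `{{ .Values.metricExporter.imagePullPolicy }}`; use the value here too. Also note that `tpl` evaluates the `image` string as a Go template, so a literal passed with `--set metricExporter.image=...` that happens to contain `{{` now produces a render error instead of a string; the README should mention that `image` is a template.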
@ -81,7 +92,7 @@ spec:
name: cpx-pwd
{{- end }}
- name: istio-adaptor
image: {{ .Values.xDSAdaptor.image }}
image: {{ tpl .Values.xDSAdaptor.image . }}
imagePullPolicy: {{ .Values.xDSAdaptor.imagePullPolicy }}
args:
- -ads-server
@ -107,7 +118,10 @@ spec:
- -citrix-adm
- {{ .Values.ADMSettings.ADMIP }}
{{- end }}
{{- if .Values.ADMSettings.licenseServerIP }}
{{- if .Values.ingressGateway.cpxLicenseAggregator }}
- -citrix-license-server
- {{ .Values.ingressGateway.cpxLicenseAggregator }}
{{- else if .Values.ADMSettings.licenseServerIP }}
- -citrix-license-server
- {{ .Values.ADMSettings.licenseServerIP }}
{{- end }}
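Review bot: the new `cpxLicenseAggregator` branch silently takes precedence over `ADMSettings.licenseServerIP` when both are set, and neither the template nor the values.yaml comment further down (`#licenseServerIP: this value will be taken from ADMSettings.ADMIP`) records that precedence; add a template comment and a README line. Also, `-citrix-license-server` receives the aggregator host with no port, whereas the license-server path in the CPX container also sets `LS_PORT`; confirm the adaptor applies the right default port for an aggregator, or accept `host:port` here.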
@ -170,7 +184,14 @@ spec:
{{- if eq .Values.xDSAdaptor.jsonLog true }}
- name: JSONLOG
value: "TRUE"
{{- end }}
- name: ENABLE_LABELS_FEATURE
value: {{ .Values.ingressGateway.enableLabelsFeature | quote }}
{{- if eq .Values.xDSAdaptor.defaultSSLListenerOn443 true }}
- name: DEFAULT_SSL_LISTENER_ON_443
value: "TRUE"
{{- end }}
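Review bot: `ENABLE_LABELS_FEATURE` is rendered with `| quote` from a YAML boolean (`enableLabelsFeature: FALSE` in values.yaml parses as `false`), so the container sees `"false"`, whereas `DEFAULT_SSL_LISTENER_ON_443` uses `eq ... true` and emits a literal `"TRUE"` only when set; and `--set ingressGateway.enableLabelsFeature=TRUE` arrives as the string `TRUE` rather than a bool. Pick one convention (for example `eq ... true` for both, or normalise with `upper`) so the adaptor always receives one spelling. Since `defaultSSLListenerOn443` ships as `true` and creates an SSL listener on 0.0.0.0:443 even without a TLS context for it, a one-line comment in values.yaml explaining the effect would help.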
securityContext:
readOnlyRootFilesystem: true
runAsGroup: 32024
@ -193,13 +214,15 @@ spec:
- mountPath: /etc/istio/ingressgateway-ca-certs # Make sure that Gateway definition has this path mentioned in server.tls section for MUTUAL TLS
name: citrix-ingressgateway-ca-certs
readOnly: true
- mountPath: /etc/podinfo
name: podinfo
{{- range .Values.ingressGateway.secretVolumes }}
- name: {{ .name }}
mountPath: {{ .mountPath | quote }}
readOnly: true
{{- end }}
- name: citrix-ingressgateway
image: "{{ .Values.ingressGateway.image }}"
image: "{{ tpl .Values.ingressGateway.image . }}"
imagePullPolicy: {{ .Values.ingressGateway.imagePullPolicy }}
securityContext:
privileged: true
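Review bot: the `podinfo` mount at `/etc/podinfo` lacks `readOnly: true`, unlike the CA-cert and secret mounts around it; downward-API volumes are read-only by default on current Kubernetes, but the explicit flag documents intent and keeps the mounts uniform. Visible in the context, though not part of this change: the CPX container still runs with `privileged: true`; if the label and annotation data now projected into the pod is read by that container, a comment explaining why the privilege is still needed is worth adding.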
@ -223,6 +246,23 @@ spec:
- mountPath: /var/deviceinfo
name: cpx-pwd
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- if .Values.ingressGateway.cpxLicenseAggregator }}
- name: "CLA"
value: "{{ .Values.ingressGateway.cpxLicenseAggregator }}"
{{- else if .Values.ADMSettings.licenseServerIP }}
- name: "LS_IP"
value: {{ .Values.ADMSettings.licenseServerIP }}
- name: "LS_PORT"
value: "{{ .Values.ADMSettings.licenseServerPort }}"
{{- end }}
- name: "EULA"
value: "{{ .Values.ingressGateway.EULA }}"
{{- if .Values.metricExporter.required }}
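Review bot: `LS_IP` is emitted unquoted (`value: {{ .Values.ADMSettings.licenseServerIP }}`) while `CLA` and `LS_PORT` in the same hunk are quoted; an env `value` must be a string, so a `licenseServerIP` that YAML parses as a non-string, or an empty one, yields an invalid manifest. Use `| quote` as the rest of this hunk does. `POD_NAME`/`POD_NAMESPACE` via `fieldRef` are fine.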
@ -233,40 +273,44 @@ spec:
value: "{{ .Values.ingressGateway.mgmtHttpPort }}"
- name: "MGMT_HTTPS_PORT"
value: "{{ .Values.ingressGateway.mgmtHttpsPort }}"
{{- if .Values.ingressGateway.lightWeightCPX }}
- name: "NS_CPX_LITE"
value: "{{ .Values.ingressGateway.lightWeightCPX }}"
value: "1"
{{- end }}
{{- if or .Values.coe.coeURL .Values.ADMSettings.ADMIP }}
- name: "NS_ENABLE_NEWNSLOG"
value: "1"
{{- end }}
- name: "KUBERNETES_TASK_ID"
value: ""
- name: "LS_IP"
value: {{ .Values.ADMSettings.licenseServerIP | default "" }}
- name: "LS_PORT"
value: "{{ .Values.ADMSettings.licenseServerPort}}"
{{- if .Values.ADMSettings.ADMIP }}
- name: "NS_MGMT_SERVER"
value: {{ .Values.ADMSettings.ADMIP }}
value: {{ .Values.ADMSettings.ADMIP | quote }}
- name: "NS_HTTP_PORT"
value: {{ .Values.ingressGateway.mgmtHttpPort | quote }}
- name: "NS_HTTPS_PORT"
value: {{ .Values.ingressGateway.mgmtHttpsPort | quote }}
- name: "ANALYTICS_SERVER"
value: {{ .Values.ADMSettings.ADMIP | quote }}
- name: "ANALYTICS_SERVER_PORT"
value: {{ .Values.ADMSettings.analyticsServerPort | quote }}
{{- end }}
- name: "LOGSTREAM_COLLECTOR_IP"
value: {{ .Values.ADMSettings.ADMIP | default ""}}
#To povision bandwidth based licensing to Citrix ADC CPX from ADM, needs bandwidth
{{- if and ( .Values.ADMSettings.licenseServerIP ) (eq .Values.ADMSettings.bandWidthLicense true) }}
value: {{ .Values.ADMSettings.ADMIP | default "" | quote }}
#Need to set env var BANDWIDTH in order to provide Bandwidth license to Citrix ADC CPX from ADM or CPX License Aggregator
{{- if and ( or ( .Values.ADMSettings.licenseServerIP ) ( .Values.ingressGateway.cpxLicenseAggregator ) ) ( eq .Values.ADMSettings.bandWidthLicense true ) }}
- name: "BANDWIDTH"
value: {{ required "Mention bandwidth for bandwidth based licensing" .Values.ADMSettings.bandWidth | quote }}
value: {{ .Values.ADMSettings.bandWidth | quote }}
{{- end }}
#for multiple-PE support, need to set CPX_CORES
{{- if .Values.ADMSettings.licenseServerIP }}
{{- if or (eq .Values.ADMSettings.vCPULicense true) (eq .Values.ADMSettings.bandWidthLicense true) }}
{{- if or .Values.ADMSettings.licenseServerIP .Values.ingressGateway.cpxLicenseAggregator }}
{{- if or ( eq .Values.ADMSettings.vCPULicense true ) ( eq .Values.ADMSettings.bandWidthLicense true ) }}
- name: "CPX_CORES"
value: {{ .Values.ADMSettings.cpxCores | default 1 | quote }}
{{- end }}
{{- end }}
- name: "EDITION"
value: {{ .Values.ADMSettings.licenseEdition | quote }}
{{- if or (.Values.ADMSettings.ADMIP) (.Values.ADMSettings.licenseServerIP) }}
- name: NS_MGMT_USER
valueFrom:
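Review bot: dropping `required "Mention bandwidth for bandwidth based licensing"` from the `BANDWIDTH` value removes the only guard against an empty bandwidth: with `bandWidthLicense=true` and `bandWidth` cleared, the chart now renders `BANDWIDTH: ""` instead of failing at install. The new 1000 Mbps default in values.yaml covers the common case, but keep `required` (or a `default`) so a blanked value still fails fast. Also, `NS_CPX_LITE` now emits `"1"` whenever `lightWeightCPX` is truthy, so `--set ingressGateway.lightWeightCPX=0` disables it (an integer 0 is false in Go templates) while the string `"0"` enables it; document the knob as a boolean.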
@ -298,6 +342,7 @@ spec:
labels:
app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }}
citrix.com/no.sidecar: "true"
adc: "citrix"
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ""
prometheus.io/port: "{{ .Values.metricExporter.port }}"
@ -306,7 +351,7 @@ spec:
containers:
{{- if eq .Values.metricExporter.required true }}
- name: exporter
image: {{ .Values.metricExporter.image }}
image: {{ tpl .Values.metricExporter.image . }}
imagePullPolicy: {{ .Values.metricExporter.imagePullPolicy }}
args:
- "--target-nsip={{- include "exporter_nsip" . -}}"
@ -321,7 +366,7 @@ spec:
readOnly: true
{{- end }}
- name: istio-adaptor
image: {{ .Values.xDSAdaptor.image }}
image: {{ tpl .Values.xDSAdaptor.image . }}
imagePullPolicy: {{ .Values.xDSAdaptor.imagePullPolicy }}
env:
- name: POD_NAME
@ -379,6 +424,12 @@ spec:
- name: JSONLOG
value: "TRUE"
{{- end }}
- name: ENABLE_LABELS_FEATURE
value: "FALSE"
{{- if eq .Values.xDSAdaptor.defaultSSLListenerOn443 true }}
- name: DEFAULT_SSL_LISTENER_ON_443
value: "TRUE"
{{- end }}
- name: NS_USER
valueFrom:
secretKeyRef:
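Review bot: `ENABLE_LABELS_FEATURE` is hardcoded to `"FALSE"` in this second Deployment while the CPX Deployment above renders it from `ingressGateway.enableLabelsFeature`; if the feature is intentionally unsupported here, say so in a template comment, otherwise render the same value so that `--set ingressGateway.enableLabelsFeature=true` does not silently apply to only one of the two deployments.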
@ -452,6 +503,8 @@ spec:
- mountPath: /etc/istio/ingressgateway-ca-certs # Make sure that Gateway definition has this path mentioned in server.tls section for MUTUAL TLS
name: citrix-ingressgateway-ca-certs
readOnly: true
- mountPath: /etc/podinfo
name: podinfo
{{- range .Values.ingressGateway.secretVolumes }}
- name: {{ .name }}
mountPath: {{ .mountPath | quote }}
@ -482,7 +535,16 @@ spec:
- name: citrix-ingressgateway-ca-certs
secret:
optional: true
secretName: "citrix-ingressgateway-ca-certs" # IMPORTANT: This secret MUST BE created before deploying gateway and ingress-gateway
secretName: "citrix-ingressgateway-ca-certs" # IMPORTANT: This secret MUST BE created before deploying gateway and ingress-gateway
- name: podinfo
downwardAPI:
items:
- path: "labels"
fieldRef:
fieldPath: metadata.labels
- path: "annotations"
fieldRef:
fieldPath: metadata.annotations
{{- range .Values.ingressGateway.secretVolumes }}
- name: {{ .name }}
secret:
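Review bot: the `secretName: "citrix-ingressgateway-ca-certs"` line is removed and re-added with identical content, i.e. a whitespace-only change that adds noise to the diff; revert it. The `podinfo` volume added here repeats the one in the first Deployment, including the projection of all annotations, so the same key-scoping remark applies.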


@ -0,0 +1,46 @@
{{- if eq .Values.ingressGateway.multiClusterIngress true }}
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
annotations:
labels:
app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }}
{{- if eq .Values.citrixCPX true }}
deployment: "cpx-ingressgateway" # This label is useful in ServiceGraph
{{- end }}
name: citrix-multicluster-ingressgateway
namespace: {{ .Release.Namespace }}
spec:
selector:
app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }}
servers:
- port:
name: tls-mc-port
number: {{ .Values.ingressGateway.multiClusterListenerPort }}
protocol: tls
tls:
mode: PASSTHROUGH
hosts:
- {{ printf "'*.%s'" .Values.ingressGateway.multiClusterSvcDomain }}
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: citrix-multicluster-ingressgateway
spec:
hosts:
- {{ printf "'*.%s'" .Values.ingressGateway.multiClusterSvcDomain }}
gateways:
- citrix-multicluster-ingressgateway
tls:
- match:
- port: {{ .Values.ingressGateway.multiClusterListenerPort }}
sniHosts:
- {{ printf "'*.%s'" .Values.ingressGateway.multiClusterSvcDomain }}
route:
- destination:
host: {{ template "generate-name" (list . (dict "suffixname" "citrix-ingress-svc")) }}
port:
number: {{ .Values.ingressGateway.multiClusterListenerPort }}
---
{{- end }}
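Review bot: this new Gateway/VirtualService pair uses `networking.istio.io/v1alpha3`, while the compatibility matrix added in this commit targets Istio 1.14 (xds-adaptor 0.10.3), where `v1beta1` is the served version to use for new manifests. Three more things to check: (1) the VirtualService has no `namespace: {{ .Release.Namespace }}` although the Gateway does; make it explicit so both always land together. (2) The route sends every `*.<multiClusterSvcDomain>` SNI match on `multiClusterListenerPort` to the release's own `citrix-ingress-svc` on the same port, i.e. back to the gateway; add a comment stating how the CPX then resolves the SNI to the remote cluster, otherwise this reads as a loop. (3) `mode: PASSTHROUGH` means the gateway neither terminates nor verifies the client TLS for cross-cluster traffic; if the intent is that mesh mTLS from the remote cluster is delivered end to end, say so, and write `protocol: TLS` in uppercase as Istio documents it.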


@ -3,6 +3,7 @@ kind: Service
apiVersion: v1
metadata:
name: {{ template "generate-name" (list . (dict "suffixname" "citrix-exporter-svc")) }}
namespace: {{ .Release.Namespace }}
annotations:
labels:
service-type: citrix-adc-monitor


@ -10,19 +10,26 @@ coe:
metricExporter:
required: true
image: quay.io/citrix/citrix-adc-metrics-exporter:1.4.9
imageRegistry: quay.io
imageRepository: citrix/citrix-adc-metrics-exporter
imageTag: 1.4.9
image: "{{ .Values.metricExporter.imageRegistry }}/{{ .Values.metricExporter.imageRepository }}:{{ .Values.metricExporter.imageTag }}"
port: 8888
secure: "YES"
logLevel: ERROR
imagePullPolicy: IfNotPresent
xDSAdaptor:
image: quay.io/citrix/citrix-xds-adaptor:0.9.9
imageRegistry: quay.io
imageRepository: citrix/citrix-xds-adaptor
imageTag: 0.10.3
image: "{{ .Values.xDSAdaptor.imageRegistry }}/{{ .Values.xDSAdaptor.imageRepository }}:{{ .Values.xDSAdaptor.imageTag }}"
imagePullPolicy: IfNotPresent
proxyType: router
secureConnect: true
logLevel: DEBUG
jsonLog: false
defaultSSLListenerOn443: true
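Review bot: `xDSAdaptor.imageTag` moves from 0.9.9 to 0.10.3, which per the sidecar README's compatibility matrix in this same commit (0.9.9 for Istio 1.10 to 1.11, 0.10.3 for Istio 1.14+) raises the minimum supported Istio version; make sure the ingress-gateway README prerequisites and the commit message state the new minimum. Separately, `logLevel: DEBUG` as the shipped default for a component that handles certificate signing requests and service-account tokens is noisy and risks writing configuration detail into logs; ship `INFO` and let users raise it.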
istioPilot:
name: istiod
@ -41,14 +48,17 @@ certProvider:
ingressGateway:
netscalerUrl: null
image: quay.io/citrix/citrix-k8s-cpx-ingress:13.0-83.27
imageRegistry: quay.io
imageRepository: citrix/citrix-k8s-cpx-ingress
imageTag: 13.1-30.52
image: "{{ .Values.ingressGateway.imageRegistry }}/{{ .Values.ingressGateway.imageRepository }}:{{ .Values.ingressGateway.imageTag }}"
imagePullPolicy: IfNotPresent
EULA: NO
mgmtHttpPort: 10080
mgmtHttpsPort: 10443
httpNodePort: 30180
httpsNodePort: 31443
nodePortRequired: true
nodePortRequired: false
lightWeightCPX: 1
secretVolumes:
#licenseServerIP: this value will be taken from ADMSettings.ADMIP
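Review bot: `nodePortRequired` flips from `true` to `false` and `lightWeightCPX: 1` changes meaning (the template now only tests it for truthiness, see the `NS_CPX_LITE` hunk); both are behavioural changes for anyone upgrading with the previous defaults, the first changing the Service type they get. Call them out in the commit message and README. The CPX image also moves across a major release (13.0-83.27 to 13.1-30.52); list it with the other image bumps.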
@ -61,14 +71,18 @@ ingressGateway:
multiClusterListenerPort: 15443
multiClusterListenerNodePort: 32443
multiClusterSvcDomain: global
cpxLicenseAggregator:
enableLabelsFeature: FALSE
ADMSettings:
ADMIP:
licenseServerIP:
licenseServerPort: 27000
bandWidthLicense: false
bandWidth:
bandWidth: 1000 #Bandwidth should be given in Mbps
vCPULicense: false
cpxCores:
analyticsServerPort: 5557
licenseEdition: PLATINUM
secretName: nslogin
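Review bot: `enableLabelsFeature: FALSE` is parsed by YAML as the boolean `false`, so `| quote` in the template renders `"false"`, not the `FALSE` the README table shows as the default; write it as `false` (or quote it) so the documented and rendered values match. `cpxLicenseAggregator:` with no value is `null`, which the `if` guards handle, but add a short comment that it takes an IP or FQDN, mirroring the README. `bandWidth: 1000 #Bandwidth should be given in Mbps` is fine, but `BANDWIDTH` is only emitted when `bandWidthLicense: true`, which this file leaves `false`; say so next to the default so users do not assume 1000 Mbps is licensed out of the box.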


@ -0,0 +1,22 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/


@ -0,0 +1,21 @@
annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Citrix Cpx Istio Sidecar Injector
catalog.cattle.io/kube-version: '>=v1.16.0-0'
catalog.cattle.io/release-name: citrix-cpx-istio-sidecar-injector
apiVersion: v2
appVersion: 1.14.1
description: A Helm chart to deploy resources which install Citrix ADC CPX in Istio
Service Mesh as sidecar in application pod
home: https://www.citrix.com
icon: https://raw.githubusercontent.com/citrix/citrix-helm-charts/gh-pages/icon.png
kubeVersion: '>=v1.16.0-0'
maintainers:
- email: dhiraj.gedam@citrix.com
name: dheerajng
- email: subash.dangol@citrix.com
name: subashd
name: citrix-cpx-istio-sidecar-injector
sources:
- https://github.com/citrix/citrix-xds-adaptor
version: 1.14.1


@ -0,0 +1,294 @@
# Deploy Citrix ADC CPX as a sidecar in Istio environment using Helm charts
Citrix ADC CPX can be deployed as a sidecar proxy in an application pod in the Istio service mesh.
# Table of Contents
1. [TL; DR;](#tldr)
2. [Introduction](#introduction)
3. [Deploy Sidecar Injector for Citrix ADC CPX using Helm chart](#deploy-sidecar-injector-for-citrix-adc-cpx-using-helm-chart)
4. [Observability using Citrix Observability Exporter](#observability-using-coe)
5. [Citrix ADC CPX License Provisioning](#citrix-adc-cpx-license-provisioning)
6. [Service Graph configuration](#configuration-for-servicegraph)
7. [Generate Certificate for Application](#generate-certificate-for-application)
8. [Limitations](#limitations)
9. [Clean Up](#clean-up)
10. [Configuration Parameters](#configuration-parameters)
## <a name="tldr">TL; DR;</a>
kubectl create namespace citrix-system
helm repo add citrix https://citrix.github.io/citrix-helm-charts/
helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES
## <a name="introduction">Introduction</a>
Citrix ADC CPX can act as a sidecar proxy to an application container in Istio. You can inject the Citrix ADC CPX manually or automatically using the [Istio sidecar injector](https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/). Automatic sidecar injection requires resources including a Kubernetes [mutating webhook admission](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) controller, and a service. Using this Helm chart, you can create resources required for automatically deploying Citrix ADC CPX as a sidecar proxy.
In Istio servicemesh, the namespace must be labelled before applying the deployment yaml for [automatic sidecar injection](https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#automatic-sidecar-injection). Once the namespace is labelled, sidecars (envoy or CPX) will be injected while creating pods.
- For CPX, namespace must be labelled `cpx-injection=enabled`
- For Envoy, namespace must be labelled `istio-injection=enabled`
__Note: If a namespace is labelled with both `istio-injection` and `cpx-injection`, Envoy injection takes a priority! Citrix CPX won't be injected on top of the already injected Envoy sidecar. For using Citrix ADC as sidecar, ensure that `istio-injection` label is removed from the namespace.__
For detailed information on different deployment options, see [Deployment Architecture](https://github.com/citrix/citrix-istio-adaptor/blob/master/docs/istio-integration/architecture.md).
### Compatibility Matrix between Citrix xDS-adaptor and Istio version
Below table provides info about recommended Citrix xDS-Adaptor version to be used for various Istio versions.
| Citrix xDS-Adaptor version | Istio version |
|----------------------------|---------------|
| quay.io/citrix/citrix-xds-adaptor:0.10.3 | Istio v1.14+ |
| quay.io/citrix/citrix-xds-adaptor:0.10.1 | Istio v1.12 to Istio v1.13 |
| quay.io/citrix/citrix-xds-adaptor:0.9.9 | Istio v1.10 to Istio v1.11 |
| quay.io/citrix/citrix-xds-adaptor:0.9.8 | Istio v1.8 to Istio v1.9 |
| quay.io/citrix/citrix-xds-adaptor:0.9.5 | Istio v1.6 |
### Prerequisites
The following prerequisites are required for deploying Citrix ADC as a sidecar to an application pod.
- Ensure that **Istio version 1.8 onwards** is installed
- Ensure that Helm with version 3.x is installed. Follow this [step](https://github.com/citrix/citrix-helm-charts/blob/master/Helm_Installation_version_3.md) to install the same.
- Ensure that your cluster Kubernetes version should be 1.16 onwards and the `admissionregistration.k8s.io/v1`, `admissionregistration.k8s.io/v1beta1` API is enabled
You can verify the API by using the following command:
kubectl api-versions | grep admissionregistration.k8s.io/v1
The following output indicates that the API is enabled:
admissionregistration.k8s.io/v1
admissionregistration.k8s.io/v1beta1
- Create namespace `citrix-system`
kubectl create namespace citrix-system
- **Registration of Citrix ADC CPX in ADM**
Create a secret containing ADM username and password in each application namespace.
kubectl create secret generic admlogin --from-literal=username=<adm-username> --from-literal=password=<adm-password> -n citrix-system
## <a name="deploy-sidecar-injector-for-citrix-adc-cpx-using-helm-chart">Deploy Sidecar Injector for Citrix ADC CPX using Helm chart</a>
**Before you Begin**
To deploy resources for automatic installation of Citrix ADC CPX as a sidecar in Istio, perform the following step. In this example, release name is specified as `cpx-sidecar-injector` and namespace is used as `citrix-system`.
helm repo add citrix https://citrix.github.io/citrix-helm-charts/
helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES
This step installs a mutating webhook and a service resource to application pods in the namespace labeled as `cpx-injection=enabled`.
*"Note:" The `cpx-injection=enabled` label is mandatory for injecting sidecars.*
An example to deploy application along with Citrix ADC CPX sidecar is provided [here](https://github.com/citrix/citrix-helm-charts/tree/master/examples/citrix-adc-in-istio).
# <a name="observability-using-coe"> Observability using Citrix Observability Exporter </a>
### Pre-requisites
1. Citrix Observability Exporter (COE) should be deployed in the cluster.
2. Citrix ADC CPX should be running with versions 13.0-48+ or 12.1-56+.
Citrix ADC CPXes serving East West traffic send its metrics and transaction data to COE which has a support for Prometheus and Zipkin.
Metrics data can be visualized in Prometheus dashboard.
Zipkin enables users to analyze tracing for East-West service to service communication.
*Note*: Istio should be [installed](https://istio.io/docs/tasks/observability/distributed-tracing/zipkin/#before-you-begin) with Zipkin as tracing endpoint.
```
helm repo add citrix https://citrix.github.io/citrix-helm-charts/
helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES,coe.coeURL=<coe-service-name>.<namespace>
```
By default, COE is primarily used for Prometheus integration. Servicegraph and tracing is handled by Citrix ADM appliance. To enable Zipkin tracing, set argument `coe.coeTracing=true` in helm command. Default value of coeTracing is set to false.
```
helm repo add citrix https://citrix.github.io/citrix-helm-charts/
helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES,coe.coeURL=<coe-service-name>.<namespace>,coe.coeTracing=true
```
For example, if COE is deployed as `coe` in `citrix-system` namespace, then below helm command will deploy sidecar injector webhook which will be deploying Citrix ADC CPX sidecar proxies in application pods, and these sidecar proxies will be configured to establish communication channels with COE.
```
helm repo add citrix https://citrix.github.io/citrix-helm-charts/
helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES,coe.coeURL=coe.citrix-system
```
*Important*: Apply below mentioned annotations on COE deployment so that Prometheus can scrape data from COE.
```
prometheus.io/scrape: "true"
prometheus.io/port: "5563" # Prometheus port
```
## <a name="citrix-adc-cpx-license-provisioning">**Citrix ADC CPX License Provisioning**</a>
By default, CPX runs with 20 Mbps bandwidth called as [CPX Express](https://www.citrix.com/en-in/products/citrix-adc/cpx-express.html) however for better performance and production deployment customer needs licensed CPX instances. [Citrix ADM](https://www.citrix.com/en-in/products/citrix-application-delivery-management/) is used to check out licenses for Citrix ADC CPX.
**Bandwidth based licensing**
For provisioning licensing on Citrix ADC CPX, it is mandatory to provide License Server information to CPX. This can be done by setting **ADMSettings.licenseServerIP** as License Server IP. In addition to this, **ADMSettings.bandWidthLicense** needs to be set true and desired bandwidth capacity in Mbps should be set **ADMSettings.bandWidth**.
For example, to set 2Gbps as bandwidth capacity, below command can be used.
```
helm repo add citrix https://citrix.github.io/citrix-helm-charts/
helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES --set ADMSettings.licenseServerIP=<licenseServer_IP>,ADMSettings.bandWidthLicense=True --set ADMSettings.bandWidth=2000
```
## <a name="configuration-for-servicegraph">**Service Graph configuration**</a>
Citrix ADM Service graph is an observability tool that allows user to analyse service to service communication. The service graph is generated by ADM post collection of transactional data from registered Citrix ADC instances. More details about it can be found [here](https://docs.citrix.com/en-us/citrix-application-delivery-management-service/application-analytics-and-management/service-graph.html).
Citrix ADC needs to be provided with ADM details for registration and data export. This section lists the steps needed to deploy Citrix ADC and register it with ADM.
1. Create secret using Citrix ADM Agent credentials, which will be used by Citrix ADC as CPX to communicate with Citrix ADM Agent:
kubectl create secret generic admlogin --from-literal=username=<adm-agent-username> --from-literal=password=<adm-agent-password>
2. Deploy Citrix ADC CPX sidecar injector using helm command with `ADM` details:
helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES --set ADMSettings.ADMIP=<ADM-Agent-IP>
> **Note:**
> If container agent is being used here for Citrix ADM, specify `serviceIP` of container agent in the `ADMSettings.ADMIP` parameter.
## <a name="generate-certificate-for-application">Generate Certificate for Application </a>
Application needs TLS certificate-key pair for establishing secure communication channel with other applications. Earlier these certificates were issued by Istio Citadel and bundled in Kubernetes secret. Certificate was loaded in the application pod by doing volume mount of secret. Now `xDS-Adaptor` can generate its own certificate and get it signed by the Istio Citadel (Istiod). This eliminates the need of secret and associated [risks](https://kubernetes.io/docs/concepts/configuration/secret/#risks).
xDS-Adaptor needs to be provided with details Certificate Authority (CA) for successful signing of Certificate Signing Request (CSR). By default, CA is `istiod.istio-system.svc` which accepts CSRs on port 15012.
To skip this process, don't provide any value (empty string) to `certProvider.caAddr`.
```
helm repo add citrix https://citrix.github.io/citrix-helm-charts/
helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES --set certProvider.caAddr=""
```
### <a name="using-third-party-service-account-tokens">Configure Third Party Service Account Tokens</a>
In order to generate certificate for application workload, xDS-Adaptor needs to send valid service account token along with Certificate Signing Request (CSR) to the Istio control plane (Citadel CA). Istio control plane authenticates the xDS-Adaptor using this JWT.
Kubernetes supports two forms of these tokens:
* Third party tokens, which have a scoped audience and expiration.
* First party tokens, which have no expiration and are mounted into all pods.
If Kubernetes cluster is installed with third party tokens, then the same information needs to be provided for automatic sidecar injection by passing `--set certProvider.jwtPolicy="third-party-jwt"`. By default, it is `first-party-jwt`.
```
helm repo add citrix https://citrix.github.io/citrix-helm-charts/
helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES --set certProvider.caAddr="istiod.istio-system.svc" --set certProvider.jwtPolicy="third-party-jwt"
```
To determine if your cluster supports third party tokens, look for the TokenRequest API using below command. If there is no output, then it is `first-party-jwt`. In case of `third-party-jwt`, output will be like below.
```
# kubectl get --raw /api/v1 | jq '.resources[] | select(.name | index("serviceaccounts/token"))'
{
"name": "serviceaccounts/token",
"singularName": "",
"namespaced": true,
"group": "authentication.k8s.io",
"version": "v1",
"kind": "TokenRequest",
"verbs": [
"create"
]
}
```
## <a name="limitations">Limitations</a>
Citrix ADC CPX occupies certain ports for internal usage. This makes application service running on one of these restricted ports incompatible with the Citrix ADC CPX.
The list of ports is mentioned below. Citrix is working on delisting some of the major ports from the given list, and same shall be available in future releases.
#### Restricted Ports
| Sr No |Port Number|
|-------|-----------|
| 1 | 80 |
| 2 | 3010 |
| 3 | 5555 |
| 4 | 8080 |
## <a name="clean-up">Clean Up</a>
To delete the resources created for automatic injection with the release name `cpx-sidecar-injector`, perform the following step.
helm delete cpx-sidecar-injector
## <a name="configuration-parameters">Configuration parameters</a>
The following table lists the configurable parameters and their default values in the Helm chart.
| Parameter | Description | Default |
|--------------------------------|-------------------------------|---------------------------|
| `xDSAdaptor.imageRegistry` | Image registry of the Citrix xDS adaptor container | `quay.io` |
| `xDSAdaptor.imageRepository` | Image repository of the Citrix xDS adaptor container | `citrix/citrix-xds-adaptor` |
| `xDSAdaptor.imageTag` | Image tag of the Citrix xDS adaptor container | `0.10.3` |
| `xDSAdaptor.imagePullPolicy` | Image pull policy for xDS-adaptor | IfNotPresent |
| `xDSAdaptor.secureConnect` | If this value is set to true, xDS-adaptor establishes secure gRPC channel with Istio Pilot | TRUE |
| `xDSAdaptor.logLevel` | Log level to be set for xDS-adaptor log messages. Possible values: TRACE (most verbose), DEBUG, INFO, WARN, ERROR (least verbose) | DEBUG | Optional|
| `xDSAdaptor.jsonLog` | Set this argument to true if log messages are required in JSON format | false | Optional|
| `xDSAdaptor.defaultSSLListenerOn443` | Create SSL vserver by default for LDS resource for 0.0.0.0 and port 443. If set to false, TCP vserver will be created in absence of TLSContext in tcp_proxy filter | true | Optional |
| `coe.coeURL` | Name of [Citrix Observability Exporter](https://github.com/citrix/citrix-observability-exporter) Service in the form of _servicename.namespace_ | NIL | Optional|
| `coe.coeTracing` | Use COE to send appflow transactions to Zipkin endpoint. If it is set to true, ADM servicegraph (if configured) can be impacted. | false | Optional|
| `ADMSettings.ADMIP` | Provide the Citrix Application Delivery Management (ADM) IP address | NIL |
| `ADMSettings.licenseServerIP` | Citrix License Server IP address | NIL | Optional |
| `ADMSettings.licenseServerPort` | Citrix ADM port if a non-default port is used | 27000 |
| `ADMSettings.bandWidth` | Desired bandwidth capacity to be set for Citrix ADC CPX in Mbps | 1000 | Optional |
| `ADMSettings.analyticsServerPort` | Port used for Analytics in ADM. Required to plot ServiceGraph. | 5557 | Optional |
| `ADMSettings.licenseEdition`| License edition that can be Standard, Platinum and Enterprise . By default, Platinum is selected | PLATINUM | optional |
| `istioPilot.name` | Name of the Istio Pilot service | istio-pilot | Mandatory |
| `istioPilot.namespace` | Namespace where Istio Pilot is running | istio-system |
| `istioPilot.secureGrpcPort` | Secure GRPC port where Istio Pilot is listening (Default setting) | 15011 |
| `istioPilot.insecureGrpcPort` | Insecure GRPC port where Istio Pilot is listening | 15010 |
| `istioPilot.proxyType` | Type of Citrix ADC associated with the xDS-adaptor. Possible values are: sidecar and router. | sidecar|
| `istioPilot.SAN` | Subject alternative name for Istio Pilot which is the Secure Production Identity Framework For Everyone (SPIFFE) ID of Istio Pilot. | NIL |
| `cpxProxy.netscalerUrl` | URL or IP address of the Citrix ADC which will be configured by Istio-adaptor. | http://127.0.0.1 |
| `cpxProxy.imageRegistry` | Image registry of Citrix ADC CPX designated to run as sidecar proxy | `quay.io` |
| `cpxProxy.imageRepository` | Image repository of Citrix ADC CPX designated to run as sidecar proxy | `citrix/citrix-k8s-cpx-ingress` |
| `cpxProxy.imageTag` | Image tag of Citrix ADC CPX designated to run as sidecar proxy | `13.1-30.52` |
| `cpxProxy.imagePullPolicy` | Image pull policy for Citrix ADC | IfNotPresent |
| `cpxProxy.EULA` | End User License Agreement(EULA) terms and conditions. If yes, then user agrees to EULA terms and conditions. | NO |
| `cpxProxy.cpxSidecarMode` | Environment variable for Citrix ADC CPX. It indicates that Citrix ADC CPX is running as sidecar mode or not. | YES |
| `cpxProxy.cpxDisableProbe` | Environment variable for Citrix ADC CPX. It indicates that Citrix ADC CPX will disable probing dynamic services. It should be enabled for multicluster setup. | YES |
| `cpxProxy.cpxLicenseAggregator` | IP/FQDN of the CPX License Aggregator if it is being used to license the CPX. | Null | optional |
| `cpxProxy.enableLabelsFeature` | If this variable is true, Istio's [subset](https://istio.io/latest/docs/reference/config/networking/destination-rule/#Subset) of the service and some metadata of the service such as servicename, namespace etc will be stored in the Citrix ADC that might be used for analytics purpose. | FALSE |Optional|
| `sidecarWebHook.webhookImageRegistry` | Image registry of sidecarWebHook. Mutating webhook associated with the sidecar injector. It invokes a service `cpx-sidecar-injector` to inject sidecar proxies in the application pod. | `quay.io` |
| `sidecarWebHook.webhookImageRepository` | Image repository of sidecarWebHook. Mutating webhook associated with the sidecar injector. It invokes a service `cpx-sidecar-injector` to inject sidecar proxies in the application pod. | `citrix/cpx-istio-sidecar-injector` |
| `sidecarWebHook.webhookImageTag` | Image tag of sidecarWebHook. Mutating webhook associated with the sidecar injector. It invokes a service `cpx-sidecar-injector` to inject sidecar proxies in the application pod. | `1.3.0` |
| `sidecarWebHook.imagePullPolicy` | Image pull policy |IfNotPresent|
| `sidecarCertsGenerator.imageRegistry` | Image registry of sidecarCertsGenerator. Certificate genrator image associated with sidecar injector. This image generates certificate and key needed for CPX sidecar injection. | `quay.io` |
| `sidecarCertsGenerator.imageRepository` | Image repository of sidecarCertsGenerator. Certificate genrator image associated with sidecar injector. This image generates certificate and key needed for CPX sidecar injection. | `citrix/cpx-sidecar-injector-certgen` |
| `sidecarCertsGenerator.imageTag` | Image tag of sidecarCertsGenerator. Certificate genrator image associated with sidecar injector. This image generates certificate and key needed for CPX sidecar injection. | `1.2.0` |
| `sidecarCertsGenerator.imagePullPolicy` | Image pull policy |IfNotPresent|
| `webhook.injectionLabelName` | Label of namespace where automatic Citrix ADC CPX sidecar injection is required. | cpx-injection |
| `certProvider.caAddr` | Certificate Authority (CA) address issuing certificate to application | istiod.istio-system.svc | Optional |
| `certProvider.caPort` | Certificate Authority (CA) port issuing certificate to application | 15012 | Optional |
| `certProvider.trustDomain` | SPIFFE Trust Domain | cluster.local | Optional |
| `certProvider.certTTLinHours` | Validity of certificate generated by xds-adaptor and signed by Istiod (Istio Citadel) in hours. Default is 30 days validity | 720 | Optional |
| `certProvider.clusterId` | clusterId is the ID of the cluster where Istiod CA instance resides (default Kubernetes). It can be different value on some cloud platforms or in multicluster environments. For example, in Anthos servicemesh, it might be of the format of `cn<project-name>-<region>-<cluster_name>`. In multiCluster environments, it is the value of global.multiCluster.clusterName provided during servicemesh control plane installation | Kubernetes | Optional |
| `certProvider.jwtPolicy` | Service Account token type. Kubernetes platform supports First party tokens and Third party tokens. | first-party-jwt | Optional |
| `certProvider.jwtPolicy` | Service Account token type. Kubernetes platform supports First party tokens and Third party tokens. Usually public cloud based Kubernetes has third-party-jwt | Null | Optional |
**Note:** You can use the `values.yaml` file packaged in the chart. This file contains the default configuration values for the chart.
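Review bot: `certProvider.jwtPolicy` is listed twice in this table with conflicting defaults (`first-party-jwt` in the first row, `Null` in the second); keep a single row. Since values.yaml ships the key empty and the `jwtValue` helper derives the default from the Kubernetes version, the `Null` row is the accurate one, and its description should say that the chart picks `first-party-jwt` below 1.21 and `third-party-jwt` otherwise. Also fix "genrator" (three rows) and "servicename" in the same table.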

View File

@ -0,0 +1,127 @@
#!/bin/bash
set -e
usage() {
cat <<EOF
Generate certificate suitable for use with an Istio webhook service.
This script uses k8s' CertificateSigningRequest API to a generate a
certificate signed by k8s CA suitable for use with Istio webhook
services. This requires permissions to create and approve CSR. See
https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster for
detailed explantion and additional instructions.
The server key/cert k8s CA cert are stored in a k8s secret.
usage: ${0} [OPTIONS]
The following flags are required.
--service Service name of webhook (e.g. cpx-sidecar-injector).
--namespace Namespace where webhook service and secret reside (e.g. citrix-system).
--secret Secret name for CA certificate and server certificate/key pair (e.g. cpx-sidecar-injector-certs).
EOF
exit 1
}
while [[ $# -gt 0 ]]; do
case ${1} in
--service)
service="$2"
shift
;;
--secret)
secret="$2"
shift
;;
--namespace)
namespace="$2"
shift
;;
*)
usage
;;
esac
shift
done
[ -z ${service} ] && service=cpx-sidecar-injector
[ -z ${secret} ] && secret=cpx-sidecar-injector-certs
[ -z ${namespace} ] && namespace=citrix-system
if [ ! -x "$(command -v openssl)" ]; then
echo "openssl not found"
exit 1
fi
csrName=${service}.${namespace}
#tmpdir=$(mktemp -d)
scriptdir="$(dirname "$BASH_SOURCE")"
certdir="$scriptdir/cpx-certs"
mkdir -p ${certdir}
echo "creating certs in directory ${certdir} "
cat <<EOF >> ${certdir}/csr.conf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${service}
DNS.2 = ${service}.${namespace}
DNS.3 = ${service}.${namespace}.svc
EOF
openssl genrsa -out ${certdir}/key.pem 2048
openssl req -new -key ${certdir}/key.pem -subj "/CN=${service}.${namespace}.svc" -out ${certdir}/server.csr -config ${certdir}/csr.conf
# clean-up any previously created CSR for our service. Ignore errors if not present.
kubectl delete csr ${csrName} 2>/dev/null || true
# create server cert/key CSR and send to k8s API
cat <<EOF | kubectl create -f -
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
name: ${csrName}
spec:
groups:
- system:authenticated
request: $(cat ${certdir}/server.csr | base64 | tr -d '\n')
usages:
- digital signature
- key encipherment
- server auth
EOF
# verify CSR has been created
while true; do
kubectl get csr ${csrName}
if [ "$?" -eq 0 ]; then
break
fi
done
# approve and fetch the signed certificate
kubectl certificate approve ${csrName}
# verify certificate has been signed
for x in $(seq 10); do
serverCert=$(kubectl get csr ${csrName} -o jsonpath='{.status.certificate}')
if [[ ${serverCert} != '' ]]; then
break
fi
sleep 1
done
if [[ ${serverCert} == '' ]]; then
echo "ERROR: After approving csr ${csrName}, the signed certificate did not appear on the resource. Giving up after 10 attempts." >&2
exit 1
fi
echo ${serverCert} | openssl base64 -d -A -out ${certdir}/cert.pem
# create the secret with CA cert and server cert/key
kubectl create secret generic ${secret} \
--from-file=key.pem=${certdir}/key.pem \
--from-file=cert.pem=${certdir}/cert.pem \
--dry-run -o yaml |
kubectl -n ${namespace} apply -f -
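Review bot: the wait loop at `while true; do kubectl get csr ...` never sleeps, and because the script runs under `set -e` a failing `kubectl get csr` aborts the script before the `$?` check is reached, so the loop either passes on the first attempt or kills the script; use a bounded `until kubectl get csr "${csrName}" >/dev/null 2>&1; do sleep 1; done` with a retry limit like the one used for the signed certificate below. Two more points: the CSR uses `certificates.k8s.io/v1beta1`, which is removed in Kubernetes 1.22 (the `v1` API additionally requires `signerName`), and the final `kubectl create secret` comment promises a CA cert while only `key.pem` and `cert.pem` are stored, so nothing downstream can build a `caBundle` from this secret; `--dry-run` without `=client` is also deprecated. Minor: `cat <<EOF >> ${certdir}/csr.conf` appends, so a re-run accumulates duplicate `[req]` sections; write with `>` instead.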

View File

@ -0,0 +1,20 @@
{{/* Below function is used to identify default value of jwtPolicy if not provided.
* For on-prem Kubernetes v1.21+, it is third-party-jwt. Else first-party-jwt.
* Note: Don't just do "helm template" to generate yaml file. Else https://github.com/helm/helm/issues/7991
* is possible. Use "helm template --validate" or "helm install --dry-run --debug".
* Note2: For cloud environments, semverCompare should be ideally done with "<1.21.x-x" as
* Kubernetes version is generally of the format v1.20.7-eks-xxxxxx. So, it fails the "v1.21.x" check but that's fine
* as in cloud environments third-party-jwt is enabled.
*/}}
{{- define "jwtValue" -}}
{{- if .Values.certProvider.jwtPolicy -}}
{{- printf .Values.certProvider.jwtPolicy -}}
{{- else -}}
{{- if semverCompare "<1.21.x" .Capabilities.KubeVersion.Version -}}
{{- printf "first-party-jwt" -}}
{{- else -}}
{{- printf "third-party-jwt" -}}
{{- end -}}
{{- end -}}
{{- end -}}
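Review bot: `{{- printf .Values.certProvider.jwtPolicy -}}` passes a user-supplied value as the printf format string, so a value containing `%` is rendered with `%!`-style errors; emit it directly with `{{- .Values.certProvider.jwtPolicy -}}`. The header comment also says on-prem Kubernetes v1.21+ gets `third-party-jwt` while Note2 explains that the `<1.21.x` check deliberately falls through to `third-party-jwt` for pre-release-suffixed cloud versions such as `v1.20.7-eks-xxxxxx`; stating both outcomes in one sentence would make the intent clearer to the next maintainer.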

View File

@ -0,0 +1,263 @@
# This configmap stores the sidecar proxy info and arguments needed
apiVersion: v1
kind: ConfigMap
metadata:
name: cpx-istio-sidecar-injector
namespace: {{.Release.Namespace}}
labels:
app: cpx-sidecar-injector
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
istio: sidecar-injector
data:
config: |-
policy: enabled
# If user does *NOT* want to inject sidecar on some pods based on label,
# then mention such labels in 'neverInjectSelector' entry.
# Note: This is valid only when istio's sidecar-injector image is running.
neverInjectSelector:
- matchExpressions:
- {key: citrix.com/no.sidecar, operator: Exists}
# Here, if pod has a label citrix.com/no.sidecar, then sidecar won't be injected for that pod.
template: |-
containers:
- name: istio-adaptor
image: {{ tpl .Values.xDSAdaptor.image . }}
imagePullPolicy: {{ .Values.xDSAdaptor.imagePullPolicy }}
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: APPLICATION_NAME
valueFrom:
fieldRef:
fieldPath: metadata.labels['app']
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.serviceAccountName
{{- if .Values.certProvider.caAddr }}
- name: CA_ADDR
value: {{ .Values.certProvider.caAddr }}:{{ .Values.certProvider.caPort}} #istiod.istio-system.svc:15012
- name: TRUST_DOMAIN
value: {{ .Values.certProvider.trustDomain }} #cluster.local
- name: CLUSTER_ID
value: {{ .Values.certProvider.clusterId }} #Kubernetes
- name: CERT_TTL_IN_HOURS
value: {{ .Values.certProvider.certTTLinHours }}
- name: JWT_POLICY
value: {{ include "jwtValue" . | quote }} # third-party-jwt if Kubernetes cluster supports third-party tokens
{{- end }}
- name: NS_USER
value: nsroot
- name: NS_PASSWORD
value: nsroot
{{- if eq .Values.coe.coeTracing true }}
- name: COE_TRACING
value: "TRUE"
{{- end }}
- name: ENABLE_LABELS_FEATURE
value: {{ .Values.cpxProxy.enableLabelsFeature | quote }}
{{- if eq .Values.xDSAdaptor.defaultSSLListenerOn443 true }}
- name: DEFAULT_SSL_LISTENER_ON_443
value: "TRUE"
{{- end }}
- name: LOGLEVEL
value: {{ .Values.xDSAdaptor.logLevel | default "DEBUG" | quote }}
{{- if eq .Values.xDSAdaptor.jsonLog true }}
- name: JSONLOG
value: "TRUE"
{{- end }}
args:
- -ads-server
{{- if eq .Values.xDSAdaptor.secureConnect true }}
- {{ .Values.istioPilot.name}}.{{.Values.istioPilot.namespace }}.svc:{{ .Values.istioPilot.secureGrpcPort }} # istiod.istio-system.svc:15012
{{- else }}
- {{ .Values.istioPilot.name}}.{{.Values.istioPilot.namespace }}.svc:{{ .Values.istioPilot.insecureGrpcPort }} # istiod.istio-system.svc:15010
{{- end }}
- -ads-secure-connect={{ .Values.xDSAdaptor.secureConnect}}
- -ads-server-SAN
- {{ .Values.istioPilot.SAN }}
- -istio-proxy-type
- {{ .Values.xDSAdaptor.proxyType | default "sidecar" | quote }}
- -citrix-adc
- "{{- .Values.cpxProxy.netscalerUrl }}:{{- .Values.cpxProxy.mgmtHttpPort | toString }}"
- -citrix-adc-password
- "/var/deviceinfo/random_id"
{{- if .Values.ADMSettings.ADMIP }}
- -citrix-adm
- {{ .Values.ADMSettings.ADMIP }}
{{- end }}
{{- if .Values.cpxProxy.cpxLicenseAggregator }}
- -citrix-license-server
- {{ .Values.cpxProxy.cpxLicenseAggregator }}
{{- else if .Values.ADMSettings.licenseServerIP }}
- -citrix-license-server
- {{ .Values.ADMSettings.licenseServerIP }}
{{- end }}
{{- if .Values.coe.coeURL }}
- -coe
- {{ .Values.coe.coeURL }}
{{- end }}
volumeMounts:
- mountPath: /var/deviceinfo
name: cpx-pwd
{{- $jwtpolicy := include "jwtValue" . }}
{{- if eq $jwtpolicy "third-party-jwt" }}
- mountPath: /var/run/secrets/tokens
name: istio-token
{{- end }}
- mountPath: /etc/nslogin
name: nslogin
readOnly: true
- name: certs
mountPath: /etc/certs
- name: istiod-ca-cert
mountPath: /etc/rootcert/
- name: podinfo
mountPath: /etc/podinfo
securityContext:
readOnlyRootFilesystem: true
runAsGroup: 32024
runAsUser: 32024 # UID of xds-adaptor container's user
runAsNonRoot: true
- name: cpx-proxy
image: {{ tpl .Values.cpxProxy.image . }}
imagePullPolicy: IfNotPresent
securityContext:
privileged: true
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- if .Values.cpxProxy.cpxLicenseAggregator }}
- name: "CLA"
value: "{{ .Values.cpxProxy.cpxLicenseAggregator }}"
{{- else if .Values.ADMSettings.licenseServerIP }}
- name: "LS_IP"
value: {{ .Values.ADMSettings.licenseServerIP }}
- name: "LS_PORT"
value: {{ .Values.ADMSettings.licenseServerPort }}
{{- end}}
- name: "EULA"
value: "{{ .Values.cpxProxy.EULA }}"
- name: "CPX_SIDECAR_MODE"
value: {{ .Values.cpxProxy.cpxSidecarMode | quote }}
- name: "CPX_DISABLE_PROBE"
value: "{{ .Values.cpxProxy.cpxDisableProbe }}"
- name: "MGMT_HTTP_PORT"
value: {{ .Values.cpxProxy.mgmtHttpPort | quote }}
- name: "MGMT_HTTPS_PORT"
value: {{ .Values.cpxProxy.mgmtHttpsPort | quote }}
- name: "KUBERNETES_TASK_ID"
value: ""
- name: "NS_CPX_LITE"
value: 1
{{- if or .Values.coe.coeURL .Values.ADMSettings.ADMIP }}
- name: "NS_ENABLE_NEWNSLOG"
value: 1
{{- end }}
{{- if .Values.ADMSettings.ADMIP }}
- name: "NS_MGMT_SERVER"
value: {{ .Values.ADMSettings.ADMIP | quote }}
- name: "NS_HTTP_PORT"
value: {{ .Values.cpxProxy.mgmtHttpPort | quote }}
- name: "NS_HTTPS_PORT"
value: {{ .Values.cpxProxy.mgmtHttpsPort | quote }}
- name: "ANALYTICS_SERVER"
value: {{ .Values.ADMSettings.ADMIP | quote }}
- name: "ANALYTICS_SERVER_PORT"
value: {{.Values.ADMSettings.analyticsServerPort | quote }}
{{- end }}
- name: "LOGSTREAM_COLLECTOR_IP"
value: {{ .Values.ADMSettings.ADMIP | default "" | quote }}
{{- if and ( or ( .Values.ADMSettings.licenseServerIP ) ( .Values.cpxProxy.cpxLicenseAggregator ) ) ( eq .Values.ADMSettings.bandWidthLicense true ) }}
- name: "BANDWIDTH" #Need to set env var BANDWIDTH in order to provide Bandwidth license to Citrix ADC CPX from ADM or CPX License Aggregator
value: {{ .Values.ADMSettings.bandWidth | quote }}
- name: "EDITION"
value: {{ .Values.ADMSettings.licenseEdition | quote }}
{{- end }}
{{- if or (.Values.ADMSettings.ADMIP) (.Values.ADMSettings.licenseServerIP) }}
- name: NS_MGMT_USER
valueFrom:
secretKeyRef:
name: admlogin
key: username
- name: NS_MGMT_PASS
valueFrom:
secretKeyRef:
name: admlogin
key: password
{{- end }}
volumeMounts:
- mountPath: /cpx/conf/
name: cpx-conf
- mountPath: /var/deviceinfo
name: cpx-pwd
- mountPath: /cpx/crash/
name: cpx-crash
volumes:
- name: cpx-conf
emptyDir: {}
- name: cpx-pwd
emptyDir: {}
- name: cpx-crash
emptyDir: {}
- name: nslogin
secret:
optional: true
secretName: nslogin
- name: certs
emptyDir: {}
{{- $jwtpolicy := include "jwtValue" . }}
{{- if eq $jwtpolicy "third-party-jwt" }}
- name: istio-token
projected:
sources:
- serviceAccountToken:
audience: istio-ca
expirationSeconds: 43200
path: istio-token
{{- end }}
- name: istiod-ca-cert
configMap:
defaultMode: 0777
name: istio-ca-root-cert
- name: podinfo
downwardAPI:
items:
- path: "labels"
fieldRef:
fieldPath: metadata.labels
- path: "annotations"
fieldRef:
fieldPath: metadata.annotations
values: |-
{
"global": {
"jwtPolicy": "third-party-jwt",
},
"adcSelector": {
"adc": "citrix",
}
}
---
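Review bot: several env values in the injected template are unquoted numbers (`CERT_TTL_IN_HOURS` from `certTTLinHours`, `LS_PORT` from `licenseServerPort`, and the literal `value: 1` for `NS_CPX_LITE` and `NS_ENABLE_NEWNSLOG`), but a container env `value` must be a string, so decoding the injected pod spec fails with a "cannot unmarshal number into ... string" error; quote them (`"1"`, `{{ ... | quote }}`) as the neighbouring entries already do. Security points in the same template: `NS_USER`/`NS_PASSWORD` are hard-coded to `nsroot` in a ConfigMap even though the `nslogin` secret is mounted at `/etc/nslogin`, so either drop the defaults or source them from the secret; `istio-ca-root-cert` is mounted with `defaultMode: 0777` where `0444` is enough for a public root certificate; and every application pod receives a `privileged: true` `cpx-proxy` sidecar, which deserves a comment explaining why the capability set cannot be narrowed. Also, the `values` document has trailing commas after `"third-party-jwt"` and `"citrix"`, which is not valid JSON and will fail if the injector parses it strictly.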

View File

@ -0,0 +1,114 @@
apiVersion: v1
kind: Service
metadata:
name: cpx-sidecar-injector
namespace: {{ .Release.Namespace }}
labels:
istio: sidecar-injector
app: cpx-sidecar-injector
spec:
ports:
- port: 443
selector:
istio: sidecar-injector
---
# Deployment
apiVersion: apps/v1
kind: Deployment
metadata:
name: cpx-sidecar-injector
namespace: {{ .Release.Namespace }}
labels:
app: sidecarInjectorWebhook
istio: sidecar-injector
app: cpx-sidecar-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
spec:
replicas: 1
selector:
matchLabels:
app: cpx-sidecar-injector
istio: sidecar-injector
template:
metadata:
labels:
istio: sidecar-injector
app: cpx-sidecar-injector
annotations:
sidecar.istio.io/inject: "false"
scheduler.alpha.kubernetes.io/critical-pod: ""
spec:
serviceAccountName: cpx-sidecar-injector-service-account
initContainers:
- name: sidecar-certs-generator
image: {{ tpl .Values.sidecarCertsGenerator.image . }}
imagePullPolicy: {{ .Values.sidecarCertsGenerator.imagePullPolicy }}
securityContext:
privileged: true
volumeMounts:
- name: certs
mountPath: /tmp
containers:
- name: sidecar-injector-webhook
image: {{ tpl .Values.sidecarWebHook.webhookImage . }}
imagePullPolicy: {{ .Values.sidecarWebHook.imagePullPolicy }}
securityContext:
privileged: true
args:
- --caCertFile=/etc/istio/certs/cert.pem
- --tlsCertFile=/etc/istio/certs/cert.pem
- --tlsKeyFile=/etc/istio/certs/key.pem
- --injectConfig=/etc/istio/inject/config
- --meshConfig=/etc/istio/config/mesh
- --healthCheckInterval=10s
- --webhookConfigName=cpx-sidecar-injector
- --webhookName=cpx-sidecar-injector.citrix.io
- --objectWebhookName=object.cpx-sidecar-injector.citrix.io
volumeMounts:
- name: config-volume
mountPath: /etc/istio/config
readOnly: true
- name: certs
mountPath: /etc/istio/certs
readOnly: true
- name: inject-config
mountPath: /etc/istio/inject
readOnly: true
livenessProbe:
exec:
command:
- cat
- /health
failureThreshold: 5
initialDelaySeconds: 4
periodSeconds: 10
readinessProbe:
exec:
command:
- cat
- /health
failureThreshold: 5
initialDelaySeconds: 4
periodSeconds: 10
initialDelaySeconds: 4
resources:
requests:
cpu: 10m
volumes:
- name: config-volume
configMap:
name: istio
- name: certs
emptyDir: {}
- name: inject-config
configMap:
name: cpx-istio-sidecar-injector
items:
- key: config
path: config
- key: values
path: values
---
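Review bot: the Deployment's `metadata.labels` has the key `app` twice (`sidecarInjectorWebhook` and `cpx-sidecar-injector`), and `readinessProbe` repeats `initialDelaySeconds: 4`; duplicate YAML keys are rejected by strict decoders and silently last-wins elsewhere, so drop `app: sidecarInjectorWebhook` and the repeated probe field. Second, `--caCertFile` and `--tlsCertFile` both point at `/etc/istio/certs/cert.pem`, so the server leaf certificate is what gets published as the webhook `caBundle`; that only validates if the certificate is self-signed, and if the certs generator signs with the cluster CA the CA certificate must be mounted and passed instead. Third, both the `sidecar-certs-generator` init container and the `sidecar-injector-webhook` container run with `privileged: true`, which neither needs to write an `emptyDir` or serve HTTPS; drop it and add `runAsNonRoot`/`readOnlyRootFilesystem` as the xds-adaptor sidecar already does. Minor: `scheduler.alpha.kubernetes.io/critical-pod` is deprecated in favour of `priorityClassName`.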

View File

@ -0,0 +1,16 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: istio
namespace: {{ .Release.Namespace }}
labels:
app: cpx-sidecar-injector
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
istio: sidecar-injector
data:
mesh: |-
# Needed for injection of securityContext in PodSpec during auto-sidecar injection
sdsUdsPath: unix:/etc/istio/proxy/SDS
---
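Review bot: naming this ConfigMap `istio` collides with the mesh ConfigMap that Istio itself installs under the same name, so installing this chart into `istio-system` would overwrite Istio's mesh configuration with the single `sdsUdsPath` line here; prefix it with the chart or release name (for example `cpx-istio-mesh-config`) and point the Deployment's `config-volume` at the new name.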

View File

@ -0,0 +1,48 @@
# Serviceaccount
apiVersion: v1
kind: ServiceAccount
metadata:
name: cpx-sidecar-injector-service-account
namespace: {{ .Release.Namespace }}
labels:
app: cpx-sidecar-injector
---
# ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cpx-sidecar-injector-istio-system
labels:
app: cpx-sidecar-injector
rules:
- apiGroups: ["*"]
resources: ["configmaps"]
verbs: ["get", "list", "watch"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["certificates.k8s.io"]
resources: ["certificatesigningrequests", "certificatesigningrequests/approval"]
verbs: ["get", "list", "create", "watch", "delete", "update"]
- apiGroups: ["certificates.k8s.io"]
resources: ["signers"]
resourceNames: ["kubernetes.io/legacy-unknown", "kubernetes.io/kubelet-serving"]
verbs: ["get", "list", "create", "watch", "delete", "update", "approve"]
---
# ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cpx-sidecar-injector-admin-role-binding-istio-system
labels:
app: cpx-sidecar-injector
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cpx-sidecar-injector-istio-system
subjects:
- kind: ServiceAccount
name: cpx-sidecar-injector-service-account
namespace: {{ .Release.Namespace }}
---
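Review bot: the ClusterRole grants `configmaps` on `apiGroups: ["*"]`; ConfigMaps live in the core group, so this should be `[""]`, and cluster-wide read access is wider than the injector needs since it only reads the two ConfigMaps in its own namespace, so a namespaced Role would suffice for that rule. The `certificatesigningrequests`/`approval` and `signers` rules with `approve` on `kubernetes.io/kubelet-serving` let this long-running service account approve kubelet serving certificates for the whole cluster; if CSR approval is only needed by the certificate script, run that with an operator's credentials rather than granting it to the webhook. Also, the ClusterRole and ClusterRoleBinding names are fixed (`...-istio-system`) while the ServiceAccount namespace is templated, so two releases in different namespaces clash on the cluster-scoped names; derive them from `.Release.Name`.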

View File

@ -0,0 +1,15 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
labels:
app: cpx-sidecar-injector
name: cpx-sidecar-injector
namespace: {{ .Release.Namespace }}
spec:
ingress:
- {}
podSelector:
matchLabels:
app: cpx-sidecar-injector
policyTypes:
- Ingress
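Review bot: `ingress: - {}` is an allow-all rule, so this NetworkPolicy only serves to exempt the injector from a namespace default-deny; if that is the intent, say so in a comment and narrow the rule to `ports: [{protocol: TCP, port: 443}]` so only the webhook listener is reachable rather than every port on the pod.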

View File

@ -0,0 +1,57 @@
# Mutating wehbook is used to perform sidecar injection.
# It calls sidecar-injector-service when the label is matched.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: cpx-sidecar-injector
namespace: {{ .Release.Namespace }}
labels:
app: cpx-sidecar-injector
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
webhooks:
- name: cpx-sidecar-injector.citrix.io
admissionReviewVersions:
- v1
clientConfig:
service:
name: cpx-sidecar-injector
namespace: {{ .Release.Namespace }}
path: "/inject"
caBundle: ""
rules:
- operations: [ "CREATE" ]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
scope: "*"
sideEffects: None
failurePolicy: Fail
namespaceSelector:
matchLabels:
{{- if .Values.webhook.injectionLabelName }}
{{ .Values.webhook.injectionLabelName }}: enabled
{{- else }}
cpx-injection: enabled
{{- end }}
- name: object.cpx-sidecar-injector.citrix.io
admissionReviewVersions:
- v1
clientConfig:
service:
name: cpx-sidecar-injector
namespace: {{ .Release.Namespace }}
path: "/inject"
caBundle: ""
rules:
- operations: [ "CREATE" ]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
scope: "*"
sideEffects: None
failurePolicy: Fail
objectSelector:
matchLabels:
sidecar.citrix.io/inject: "true"
---
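Review bot: `MutatingWebhookConfiguration` is cluster-scoped, so the `namespace:` under `metadata` is ignored (and rejected under strict validation); remove it. The second webhook (`object.cpx-sidecar-injector.citrix.io`) has an `objectSelector` but no `namespaceSelector`, so with `failurePolicy: Fail` any pod labelled `sidecar.citrix.io/inject: "true"` in any namespace, including `kube-system` and the injector's own namespace, cannot be created while the injector is unavailable; add a `namespaceSelector` with a `matchExpressions` exclusion for those namespaces so the control plane and the injector itself can always restart. Style: "wehbook" in the header comment.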

View File

@ -0,0 +1,77 @@
# Default values for cpx-istio.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
xDSAdaptor:
imageRegistry: quay.io
imageRepository: citrix/citrix-xds-adaptor
imageTag: 0.10.3
image: "{{ .Values.xDSAdaptor.imageRegistry }}/{{ .Values.xDSAdaptor.imageRepository }}:{{ .Values.xDSAdaptor.imageTag }}"
imagePullPolicy: IfNotPresent
proxyType: sidecar
secureConnect: true
logLevel: DEBUG
jsonLog: false
defaultSSLListenerOn443: true
coe:
coeURL:
coeTracing: false
istioPilot:
name: istiod
namespace: istio-system
secureGrpcPort: 15012
insecureGrpcPort: 15010
SAN: #"spiffe://cluster.local/ns/istio-system/sa/istiod-service-account"
certProvider:
caAddr: istiod.istio-system.svc
caPort: 15012
trustDomain: cluster.local
certTTLinHours: 720
clusterId: Kubernetes
jwtPolicy: #specify third-party-jwt if Kubernetes cluster supports third-party tokens
cpxProxy:
netscalerUrl: "http://127.0.0.1"
imageRegistry: quay.io
imageRepository: citrix/citrix-k8s-cpx-ingress
imageTag: 13.1-30.52
image: "{{ .Values.cpxProxy.imageRegistry }}/{{ .Values.cpxProxy.imageRepository }}:{{ .Values.cpxProxy.imageTag }}"
imagePullPolicy: IfNotPresent
EULA: NO
cpxSidecarMode: YES
mgmtHttpPort: 10080
mgmtHttpsPort: 10443
cpxDisableProbe: "YES"
cpxLicenseAggregator:
enableLabelsFeature: FALSE
#licenseServerIP: this value is taken from ADMSettings.ADMIP
sidecarWebHook:
webhookImageRegistry: quay.io
webhookImageRepository: citrix/cpx-istio-sidecar-injector
webhookImageTag: 1.3.0
webhookImage: "{{ .Values.sidecarWebHook.webhookImageRegistry }}/{{ .Values.sidecarWebHook.webhookImageRepository }}:{{ .Values.sidecarWebHook.webhookImageTag }}"
imagePullPolicy: IfNotPresent
sidecarCertsGenerator:
imageRegistry: quay.io
imageRepository: citrix/cpx-sidecar-injector-certgen
imageTag: 1.2.0
image: "{{ .Values.sidecarCertsGenerator.imageRegistry }}/{{ .Values.sidecarCertsGenerator.imageRepository }}:{{ .Values.sidecarCertsGenerator.imageTag }}"
imagePullPolicy: IfNotPresent
ADMSettings:
ADMIP:
licenseServerIP:
licenseServerPort: 27000
bandWidthLicense: false
bandWidth: 1000
analyticsServerPort: 5557
licenseEdition: PLATINUM
webhook:
injectionLabelName: cpx-injection
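Review bot: `EULA: NO` and `cpxSidecarMode: YES` are unquoted, and Helm's YAML 1.1 parser treats `YES`/`NO` as booleans, so `"{{ .Values.cpxProxy.EULA }}"` renders as `"false"` and `cpxSidecarMode | quote` as `"true"` instead of the `YES`/`NO` strings the CPX container expects; quote them the way `cpxDisableProbe: "YES"` already is (the same applies to `enableLabelsFeature: FALSE`). Also `xDSAdaptor.logLevel: DEBUG` as the shipped default means every injected sidecar logs at debug level; `INFO` is the safer default for a component that handles mesh certificates and ADC credentials.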

View File

@ -0,0 +1,21 @@
annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Citrix Cpx with Ingress Controller
catalog.cattle.io/kube-version: '>=v1.16.0-0'
catalog.cattle.io/release-name: citrix-cpx-with-ingress-controller
apiVersion: v2
appVersion: 1.27.15
description: A Helm chart for Citrix ADC CPX with Citrix ingress Controller running
as sidecar.
home: https://www.citrix.com
icon: https://raw.githubusercontent.com/citrix/citrix-helm-charts/gh-pages/icon.png
kubeVersion: '>=v1.16.0-0'
maintainers:
- email: priyanka.sharma@citrix.com
name: priyankash-citrix
- email: subash.dangol@citrix.com
name: subashd
name: citrix-cpx-with-ingress-controller
sources:
- https://github.com/citrix/citrix-k8s-ingress-controller
version: 1.27.15

View File

@ -0,0 +1,572 @@
# Citrix ADC CPX with Citrix Ingress Controller running as sidecar.
In a [Kubernetes](https://kubernetes.io/) or [OpenShift](https://www.openshift.com) cluster, you can deploy [Citrix ADC CPX](https://docs.citrix.com/en-us/citrix-adc-cpx) with Citrix ingress controller as a [sidecar](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/). The Citrix ADC CPX instance is used for load balancing the North-South traffic to the microservices in your cluster. And, the sidecar Citrix ingress controller configures the Citrix ADC CPX.
## TL;DR;
### For Kubernetes
```
helm repo add citrix https://citrix.github.io/citrix-helm-charts/
helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes
```
To install Citrix Provided Custom Resource Definition(CRDs) along with Citrix Ingress Controller
```
helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,crds.install=true
```
### For OpenShift
```
helm repo add citrix https://citrix.github.io/citrix-helm-charts/
helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,openshift=true
```
To install Citrix Provided Custom Resource Definition(CRDs) along with Citrix Ingress Controller
```
helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,openshift=true,crds.install=true
```
> **Important:**
>
> The "license.accept" is a mandatory argument and should be set to "yes" to accept the terms of the Citrix license.
## Introduction
This Helm chart deploys a Citrix ADC CPX with Citrix ingress controller as a sidecar in the [Kubernetes](https://kubernetes.io/) or in the [Openshift](https://www.openshift.com) cluster using the [Helm](https://helm.sh/) package manager.
### Prerequisites
- The [Kubernetes](https://kubernetes.io/) version should be 1.16 and above if using Kubernetes environment.
- The [Openshift](https://www.openshift.com) version 4.8 or later if using OpenShift platform.
- The [Helm](https://helm.sh/) version 3.x or later. You can follow instruction given [here](https://github.com/citrix/citrix-helm-charts/blob/master/Helm_Installation_version_3.md) to install the same.
- You have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator), if you want to view the metrics of the Citrix ADC CPX collected by the [metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics).
- Registration of Citrix ADC CPX in ADM: You may want to register your CPX in ADM for licensing or to obtain [servicegraph](https://docs.citrix.com/en-us/citrix-application-delivery-management-service/application-analytics-and-management/service-graph.html). For this you will have to create a Kubernetes secret using ADM credentials and provide it while install the chart. Create a Kubernetes secret for the user name and password using the following command:
```
kubectl create secret generic admlogin --from-literal=username=<adm-username> --from-literal=password=<adm-password> -n citrix-system
```
## Installing the Chart
Add the Citrix Ingress Controller helm chart repository using command:
```
helm repo add citrix https://citrix.github.io/citrix-helm-charts/
```
### For Kubernetes:
#### 1. Citrix ADC CPX with Citrix Ingress Controller running as side car.
To install the chart with the release name ``` my-release```:
```
helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,ingressClass[0]=<ingressClassName>
```
> **Note:**
>
> By default the chart installs the recommended [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) roles and role bindings.
The command deploys Citrix ADC CPX with Citrix ingress controller as a sidecar on the Kubernetes cluster with the default configuration. The [configuration](#configuration) section lists the mandatory and optional parameters that you can configure during installation.
#### 2. Citrix ADC CPX with Citrix Ingress Controller and Exporter running as side car.
[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed as sidecar to the Citrix ADC CPX and collects metrics from the Citrix ADC CPX instance. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana.
> **Note:**
>
> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator).
Use the following command for this:
```
helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,ingressClass[0]=<ingressClassName>,exporter.required=true
```
### For OpenShift:
Add the name of the service account created when the chart is deployed to the privileged Security Context Constraints of OpenShift:
```
oc adm policy add-scc-to-user privileged system:serviceaccount:<namespace>:<service-account-name>
```
#### 1. Citrix ADC CPX with Citrix Ingress Controller running as side car.
To install the chart with the release name, `my-release`, use the following command:
```
helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,openshift=true
```
#### 2. Citrix ADC CPX with Citrix Ingress Controller and Exporter running as side car.
[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed as sidecar to the Citrix ADC CPX and collects metrics from the Citrix ADC CPX instance. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana.
> **Note:**
>
> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator).
Use the following command for this:
```
helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,openshift=true,exporter.required=true
```
### Installed components
The following components are installed:
- [Citrix ADC CPX](https://docs.citrix.com/en-us/citrix-adc-cpx/netscaler-cpx.html)
- [Citrix ingress controller](https://github.com/citrix/citrix-k8s-ingress-controller) (if enabled)
- [Exporter](https://github.com/citrix/citrix-adc-metrics-exporter) (if enabled)
### Citrix ADC CPX Service Annotations:
The parameter `serviceAnnotations` can be used to annotate CPX service while installing Citrix ADC CPX using this helm chart.
For example, if CPX is getting deployed in Azure and an Azure Internal Load Balancer is required before CPX then the annotation `service.beta.kubernetes.io/azure-load-balancer-internal:True` can be set in CPX service using Helm command:
```
helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,serviceAnnotations.service\\.beta\\.kubernetes\\.io/azure-load-balancer-internal=True
```
or the same can be provided in [values.yaml](https://github.com/citrix/citrix-helm-charts/blob/master/citrix-cpx-with-ingress-controller/values.yaml):
```
license:
accept: yes
serviceAnnotations:
service.beta.kubernetes.io/azure-load-balancer-internal: True
```
which can be used to install Citrix ADC CPX using Helm command:
```
helm install my-release citrix/citrix-cpx-with-ingress-controller -f values.yaml
```
To know more about service annotations supported by Kubernetes on various platforms please see [this](https://kubernetes.io/docs/concepts/services-networking/service/).
### Citrix ADC CPX Service Ports:
By default, port 80 and 443 of CPX service will exposed when CPX is installed using this helm chart. If it is required to expose any other ports in CPX service then the parameter `servicePorts` can be used for it.
For example, if port 9999 is required to be exposed then below helm command can be used for installing Citrix ADC CPX:
```
helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,servicePorts[0].port=9999,servicePorts[0].protocol=TCP,servicePorts[0].name=https
```
or the same can be provided in [values.yaml](https://github.com/citrix/citrix-helm-charts/blob/master/citrix-cpx-with-ingress-controller/values.yaml):
```
license:
accept: yes
servicePorts:
- port: 9090
protocol: TCP
name: https
```
which can be used to install Citrix ADC using Helm command:
```
helm install my-release citrix/citrix-cpx-with-ingress-controller -f values.yaml
```
> **Note:** If `servicePorts` parameters is used, only ports provided in this parameter will be exposed in CPX service.
> If you want to expose default ports 80 or 443, then you will need to explicity mention these also in this parameter.
### Configuration for ServiceGraph:
If Citrix ADC CPX need to send data to the Citrix ADM to bring up the servicegraph, then the below steps can be followed to install Citrix ADC CPX with ingress controller. Citrix ingress controller configures Citrix ADC CPX with the configuration required for servicegraph.
1. Create secret using Citrix ADC Agent credentials, which will be used by Citrix ADC CPX to communicate with Citrix ADM Agent:
kubectl create secret generic admlogin --from-literal=username=<adm-agent-username> --from-literal=password=<adm-agent-password>
2. Deploy Citrix ADC CPX with Citrix ingress controller using helm command:
helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,analyticsConfig.required=true,analyticsConfig.timeseries.metrics.enable=true,analyticsConfig.distributedTracing.enable=true,analyticsConfig.endpoint.server=<ADM-Agent-IP>,ADMSettings.ADMIP=<ADM-Agent-IP>,ADMSettings.loginSecret=<Secret-for-ADM-Agent-credentials>
> **Note:**
> If container agent is being used here for Citrix ADM, please provide `svcIP` of container agent in the `analyticsConfig.endpoint.server` parameter.
## Citrix ADC CPX DaemonSet with Citrix Ingress Controller as sidecar for BGP Advertisement
The previous section of deploying CPX as a Deployment requires a Tier-1 Loadbalancer such as Citrix VPX or cloud loadbalancers to route the traffic to CPX instances running in Kubernetes cluster, but you can also leverage BGP network fabric in your on-prem environemnt to route the traffic to CPX instances in a Kubernetes or Openshift cluster. you need to deploy CPX with Citrix Ingress Controller as Daemonset to advertise the ExternalIPs of the K8s services of type LoadBalancer to your BGP Fabric. Citrix ADC CPX establishes a BGP peering session with your network routers, and uses that peering session to advertise the IP addresses of external cluster services. If your routers have ECMP capability, the traffic is load-balanced to multiple CPX instances by the upstream router, which in turn load-balances to actual application pods. When you deploy the Citrix ADC CPX with this mode, Citrix ADC CPX adds iptables rules for each service of type LoadBalancer on Kubernetes nodes. The traffic destined to the external IP address is routed to Citrix ADC CPX pods. You can also set the 'ingressIP' variable to an IP Address to advertise the External IP address for Ingress resources. Refer [documentation](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/cpx-bgp-router.md) for complete details about BGP advertisement with CPX.
### Download the chart
You can download the chart usimg `helm pull` command.
```
helm repo add citrix https://citrix.github.io/citrix-helm-charts/
helm pull citrix/citrix-cpx-with-ingress-controller
tar -zxvf citrix-cpx-with-ingress-controller-x.y.z.tgz
```
### Edit the BGP configuration in values.yaml
BGP configurations enables CPX to peer with neighbor routers for advertisting the routes for Service of Type LoadBalancer. Citrix Ingress Controllers uses static IPs given in Service YAML or using an IPAM controller to allocate an External IP address, and same is advertisted to the neighbour router with the Gateway as Node IP. An example BGP configurations is given below.
```
# BGP configurations: local AS, remote AS and remote address is mandatory to provide.
bgpSettings:
required: true
bgpConfig:
- bgpRouter:
# Local AS number for BGP advertisement
localAS:
neighbor:
# Address of the nighbor router for BGP advertisement
- address: xx.xx.xx.xx
# Remote AS number
remoteAS:
advertisementInterval: 10
ASOriginationInterval: 10
```
If the cluster spawns across multiple networks, you can also specify the NodeSelector to give different neighbors for different Cluster Nodes as shown below.
```
bgpSettings:
required: true
bgpConfig:
- nodeSelector: datacenter=ds1
bgpRouter:
localAS:
neighbor:
- address: xx.xx.xx.xx
remoteAS:
advertisementInterval: 10
ASOriginationInterval: 10
- nodeSelector: datacenter=ds2
bgpRouter:
localAS:
neighbor:
- address: yy.yy.yy.yy
remoteAS:
advertisementInterval: 10
ASOriginationInterval: 10
```
### Deploy the chart
#### For Kubernetes:
#### 1. Citrix ADC CPX DaemonSet with Citrix Ingress Controller running as side car for BGP Advertisement.
To install the chart with the release name ``` my-release```:
```
helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true
```
If you are running Citrix IPAM for auto allocation of IPs for Service of type LoadBalancer, you must enable the IPAM configurations in Citrix Ingress Controller as show below:
```
helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ipam=true
```
If you are using ingress resources, you must set the `ingressIP` to a valid IP Address which will enable the BGP route advertisement for this IP when ingress resource is deployed.
```
helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ingressIP=<Ingress External IP Address>
```
> **Note:**
>
> By default the chart installs the recommended [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) roles and role bindings.
The command deploys Citrix ADC CPX Daemonset with Citrix ingress controller as a sidecar on the Kubernetes cluster with the default configuration. The [configuration](#configuration) section lists the mandatory and optional parameters that you can configure during installation.
#### 2. Citrix ADC CPX with Citrix Ingress Controller and Exporter running as side car for BGP Advertisement.
[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed as sidecar to the Citrix ADC CPX and collects metrics from the Citrix ADC CPX instance. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana.
> **Note:**
>
> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator).
Use the following command for this:
```
helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,exporter.required=true
```
If you are running Citrix IPAM controller for auto allocation of IPs for Service of type LoadBalancer, you must enable the IPAM configurations in Citrix Ingress Controller as show below:
```
helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ipam=true,exporter.required=true
```
If you are using ingress resources, you must set the `ingressIP` to a valid IP Address which will enable the BGP route advertisement for this IP when ingress resource is deployed.
```
helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ingressIP=<Ingress external IP>, exporter.required=true
```
#### For OpenShift:
Add the name of the service account created when the chart is deployed to the privileged Security Context Constraints of OpenShift:
```
oc adm policy add-scc-to-user privileged system:serviceaccount:<namespace>:<service-account-name>
```
#### 1. Citrix ADC CPX DaemonSet with Citrix Ingress Controller running as side car for BGP Advertisement.
To install the chart with the release name, `my-release`, use the following command:
```
helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,openshift=true
```
If you are running Citrix IPAM controller for auto allocation of IPs for Service of type LoadBalancer, you must enable the IPAM configurations in Citrix Ingress Controller as show below:
```
helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ipam=true,openshift=true
```
If you are using ingress or Route resources, you must set the `ingressIP` to a valid IP Address which will enable the BGP route advertisement for this IP when ingress resource is deployed.
```
helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ingressIP=<Ingress External IP Address>,openshift=true
```
#### 2. Citrix ADC CPX with Citrix Ingress Controller and Exporter running as side car for BGP Advertisement.
[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed as sidecar to the Citrix ADC CPX and collects metrics from the Citrix ADC CPX instance. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana.
> **Note:**
>
> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator).
Use the following command for this:
```
helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,openshift=true,openshift=true,exporter.required=true
```
If you are running Citrix IPAM controller for auto allocation of IPs for Service of type LoadBalancer, you must enable the IPAM configurations in Citrix Ingress Controller as show below:
```
helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ipam=true,openshift=true,exporter.required=true
```
If you are using ingress or Route resources, you must set the `ingressIP` to a valid IP Address which will enable the BGP route advertisement for this IP when ingress resource is deployed.
```
helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ingressIP=<Ingress External IP Address>,openshift=true,exporter.required=true
```
## CRDs configuration
CRDs can be installed/upgraded when we install/upgrade Citrix ADC CPX with Citrix ingress controller using `crds.install=true` parameter in Helm. If you do not want to install CRDs, then set the option `crds.install` to `false`. By default, CRDs too get deleted if you uninstall through Helm. This means, even the CustomResource objects created by the customer will get deleted. If you want to avoid this data loss set `crds.retainOnDelete` to `true`.
> **Note:**
> Installing again may fail due to the presence of CRDs. Make sure that you back up all CustomResource objects and clean up CRDs before re-installing Citrix ADC CPX with Citrix ingress controller.
There are a few examples of how to use these CRDs, which are placed in the folder: [Example-CRDs](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds). Refer to them and install as needed, using the following command:
```kubectl create -f <crd-example.yaml>```
### Details of the supported CRDs:
#### authpolicies CRD:
Authentication policies are used to enforce access restrictions to resources hosted by an application or an API server.
Citrix provides a Kubernetes CustomResourceDefinitions (CRDs) called the [Auth CRD](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/auth) that you can use with the Citrix ingress controller to define authentication policies on the ingress Citrix ADC.
Example file: [auth_example.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/auth_example.yaml)
#### continuousdeployments CRD for canary:
Canary release is a technique to reduce the risk of introducing a new software version in production by first rolling out the change to a small subset of users. After user validation, the application is rolled out to the larger set of users. Citrix ADC-Integrated [Canary Deployment solution](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/canary) stitches together all components of continuous delivery (CD) and makes canary deployment easier for the application developers.
#### httproutes and listeners CRDs for contentrouting:
[Content Routing (CR)](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/contentrouting) is the execution of defined rules that determine the placement and configuration of network traffic between users and web applications, based on the content being sent. For example, a pattern in the URL or header fields of the request.
Example files: [HTTPRoute_crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/HTTPRoute_crd.yaml), [Listener_crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/Listener_crd.yaml)
#### ratelimits CRD:
In a Kubernetes deployment, you can [rate limit the requests](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/ratelimit) to the resources on the back end server or services using rate limiting feature provided by the ingress Citrix ADC.
Example files: [ratelimit-example1.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/ratelimit-example1.yaml), [ratelimit-example2.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/ratelimit-example2.yaml)
#### vips CRD:
Citrix provides a CustomResourceDefinitions (CRD) called [VIP](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/vip) for asynchronous communication between the IPAM controller and Citrix ingress controller.
The IPAM controller is provided by Citrix for IP address management. It allocates IP address to the service from a defined IP address range. The Citrix ingress controller configures the IP address allocated to the service as virtual IP (VIP) in Citrix ADX VPX. And, the service is exposed using the IP address.
When a new service is created, the Citrix ingress controller creates a CRD object for the service with an empty IP address field. The IPAM Controller listens to addition, deletion, or modification of the CRD and updates it with an IP address to the CRD. Once the CRD object is updated, the Citrix ingress controller automatically configures Citrix ADC-specfic configuration in the tier-1 Citrix ADC VPX.
#### rewritepolicies CRD:
In kubernetes environment, to deploy specific layer 7 policies to handle scenarios such as, redirecting HTTP traffic to a specific URL, blocking a set of IP addresses to mitigate DDoS attacks, imposing HTTP to HTTPS and so on, requires you to add appropriate libraries within the microservices and manually configure the policies. Instead, you can use the [Rewrite and Responder features](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/crd/rewrite-responder-policies-deployment.yaml) provided by the Ingress Citrix ADC device to deploy these policies.
Example files: [target-url-rewrite.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/target-url-rewrite.yaml)
#### wafs CRD:
[WAF CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/waf.md) can be used to configure the web application firewall policies with the Citrix ingress controller on the Citrix ADC VPX, MPX, SDX, and CPX. The WAF CRD enables communication between the Citrix ingress controller and Citrix ADC for enforcing web application firewall policies.
In a Kubernetes deployment, you can enforce a web application firewall policy to protect the server using the WAF CRD. For more information about web application firewall, see [Web application security](https://docs.citrix.com/en-us/citrix-adc/13/application-firewall/introduction/web-application-security.html).
Example files: [wafhtmlxsssql.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/wafhtmlxsssql.yaml)
#### CORS CRD:
[CORS CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/cors.md) Cross-origin resource sharing (CORS) is a mechanism allows a web application running under one domain to securely access resources in another domain. You can configure CORS policies on Citrix ADC using Citrix ingress controller to allow one domain (the origin domain) to call APIs in another domain. For more information, see the [cross-origin resource sharing CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/cors.md) documentation.
Example files: [cors-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/corspolicy-example.yaml)
#### APPQOE CRD:
[APPQOE CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/appqoe.md) When a Citrix ADC appliance receives an HTTP request and forwards it to a back-end server, sometimes there may be connection failures with the back-end server. You can configure the request-retry feature on Citrix ADC to forward the request to the next available server, instead of sending the reset to the client. Hence, the client saves round trip time when Citrix ADC initiates the same request to the next available service.
For more information, see the AppQoE support documentation. [Appqoe resource sharing CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/appqoe.md) documentation.
Example files: [appqoe-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/appqoe_example.yaml)
#### WILDCARDDNS CRD:
[WILDCARDDNS CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/wildcarddns.md) Wildcard DNS domains are used to handle requests for nonexistent domains and subdomains. In a zone, use wildcard domains to redirect queries for all nonexistent domains or subdomains to a particular server, instead of creating a separate Resource Record (RR) for each domain. The most common use of a wildcard DNS domain is to create a zone that can be used to forward mail from the internet to some other mail system.
For more information, see the Wild card DNS domains support documentation. [Wildcard DNS Entry CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/wildcarddns.md) documentation.
Example files: [wildcarddns-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/wildcarddns-example.yaml)
## Citrix ADC CPX servicetype LoadBalancer
Citrix ADC CPX can be installed with service having servicetype LoadBalancer. Following arguments can be used in the `helm install` command for the same:
```
helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,serviceType.loadBalancer.enabled=True
```
## Citrix ADC CPX servicetype NodePort
Citrix ADC CPX can be installed with service having servicetype Nodeport. Following arguments can be used in the `helm install` command for the same:
```
helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,serviceType.nodePort.enabled=True
```
Additionally, `serviceType.nodePort.httpPort` and `serviceType.nodePort.httpsPort` arguments can be used to select the nodePort for the CPX service for HTTP and HTTPS ports.
### Tolerations
Taints are applied on cluster nodes whereas tolerations are applied on pods. Tolerations enable pods to be scheduled on node with matching taints. For more information see [Taints and Tolerations in Kubernetes](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/).
Toleration can be applied to pod running Citrix ADC CPX and ingress controller containers using `tolerations` argument while deploying CPX+CIC using helm chart. This argument takes list of tolerations that user need to apply on the CPX+CIC pods.
For example, following command can be used to apply toleration on the CPX+CIC pod:
```
helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,tolerations[0].key=<toleration-key>,tolerations[0].value=<toleration-value>,tolerations[0].operator=<toleration-operator>,tolerations[0].effect=<toleration-effect>
```
Here tolerations[0].key, tolerations[0].value and tolerations[0].effect are the key, value and effect that was used while tainting the node.
Effect represents what should happen to the pod if the pod don't have any matching toleration. It can have values `NoSchedule`, `NoExecute` and `PreferNoSchedule`.
Operator represents the operation to be used for key and value comparison between taint and tolerations. It can have values `Exists` and `Equal`. The default value for operator is `Equal`.
## Configuration
The following table lists the configurable parameters of the Citrix ADC CPX with Citrix ingress controller as side car chart and their default values.
| Parameters | Mandatory or Optional | Default value | Description |
| ---------- | --------------------- | ------------- | ----------- |
| license.accept | Mandatory | no | Set `yes` to accept the Citrix ingress controller end user license agreement. |
| imageRegistry | Mandatory | `quay.io` | The Citrix ADC CPX image registry |
| imageRepository | Mandatory | `citrix/citrix-k8s-cpx-ingress` | The Citrix ADC CPX image repository |
| imageTag | Mandatory | `13.1-30.52` | The Citrix ADC CPX image tag |
| pullPolicy | Mandatory | IfNotPresent | The Citrix ADC CPX image pull policy. |
| daemonSet | Optional | False | Set this to true if Citrix ADC CPX needs to be deployed as DaemonSet. |
| cic.imageRegistry | Mandatory | `quay.io` | The Citrix ingress controller image registry |
| cic.imageRepository | Mandatory | `citrix/citrix-k8s-ingress-controller` | The Citrix ingress controller image repository |
| cic.imageTag | Mandatory | `1.27.15` | The Citrix ingress controller image tag |
| cic.pullPolicy | Mandatory | IfNotPresent | The Citrix ingress controller image pull policy. |
| cic.required | Mandatory | true | CIC to be run as sidecar with Citrix ADC CPX |
| cic.resources | Optional | {} | CPU/Memory resource requests/limits for Citrix Ingress Controller container |
| imagePullSecrets | Optional | N/A | Provide list of Kubernetes secrets to be used for pulling the images from a private Docker registry or repository. For more information on how to create this secret please see [Pull an Image from a Private Registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/). |
| nameOverride | Optional | N/A | String to partially override deployment fullname template with a string (will prepend the release name) |
| fullNameOverride | Optional | N/A | String to fully override deployment fullname template with a string |
| resources | Optional | {} | CPU/Memory resource requests/limits for Citrix CPX container |
| nitroReadTimeout | Optional | 20 | The nitro Read timeout in seconds, defaults to 20 |
| logLevel | Optional | DEBUG | The loglevel to control the logs generated by CIC. The supported loglevels are: CRITICAL, ERROR, WARNING, INFO, DEBUG and TRACE. For more information, see [Logging](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/configure/log-levels.md).|
| jsonLog | Optional | false | Set this argument to true if log messages are required in JSON format |
| nsConfigDnsRec | Optional | false | To enable/disable DNS address Record addition in ADC through Ingress |
| nsSvcLbDnsRec | Optional | false | To enable/disable DNS address Record addition in ADC through Type Load Balancer Service |
| nsDnsNameserver | Optional | N/A | To add DNS Nameservers in ADC |
| optimizeEndpointBinding | Optional | false | To enable/disable binding of backend endpoints to servicegroup in a single API-call. Recommended when endpoints(pods) per application are large in number. Applicable only for Citrix ADC Version >=13.0-45.7 |
| defaultSSLCertSecret | Optional | N/A | Provide Kubernetes secret name that needs to be used as a default non-SNI certificate in Citrix ADC. |
| nsHTTP2ServerSide | Optional | OFF | Set this argument to `ON` for enabling HTTP2 for Citrix ADC service group configurations. |
| cpxLicenseAggregator | Optional | N/A | IP/FQDN of the CPX License Aggregator if it is being used to license the CPX. |
| nsCookieVersion | Optional | 0 | Specify the persistence cookie version (0 or 1). |
| logProxy | Optional | N/A | Provide Elasticsearch or Kafka or Zipkin endpoint for Citrix observability exporter. |
| nsProtocol | Optional | http | Protocol http or https used for the communication between Citrix Ingress Controller and CPX |
| cpxBgpRouter | Optional | false| If set to true, this CPX is deployed as daemonset in BGP controller mode wherein BGP advertisements are done for attracting external traffic to Kubernetes clusters |
| replicaCount | Optional | 1 | Number of CPX-CIC pods to be deployed. With `cpxBgpRouter : true`, replicaCount is 1 since CPX will be deployed as DaemonSet |
| nsIP | Optional | 192.168.1.2 | NSIP used by CPX for internal communication when run in Host mode, i.e when cpxBgpRouter is set to true. A /24 internal network is created in this IP range which is used for internal communications withing the network namespace. |
| nsGateway | Optional | 192.168.1.1 | Gateway used by CPX for internal communication when run in Host mode, i.e when cpxBgpRouter is set to true. If not specified, first IP in the nsIP network is used as gateway. It must be in same network as nsIP |
| bgpPort | Optional | 179 | BGP port used by CPX for BGP advertisement if cpxBgpRouter is set to true|
| ingressIP | Optional | N/A | External IP address to be used by ingress resources if not overriden by ingress.com/frontend-ip annotation in Ingress resources. This is also advertised to external routers when pxBgpRouter is set to true|
| entityPrefix | Optional | k8s | The prefix for the resources on the Citrix ADC CPX. |
| ingressClass | Optional | N/A | If multiple ingress load balancers are used to load balance different ingress resources. You can use this parameter to specify Citrix ingress controller to configure Citrix ADC associated with specific ingress class. For more information on Ingress class, see [Ingress class support](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/configure/ingress-classes/). For Kubernetes version >= 1.19, this will create an IngressClass object with the name specified here |
| setAsDefaultIngressClass | Optional | False | Set the IngressClass object as default. New Ingresses without an "ingressClassName" field specified will be assigned the class specified in ingressClass. Applicable only for kubernetes versions >= 1.19 |
| updateIngressStatus | Optional | False | Set this argument if you want to update ingress status of the ingress resources exposed via CPX. This is only applicable if servicetype of CPX service is LoadBalancer. |
| disableAPIServerCertVerify | Optional | False | Set this parameter to True for disabling API Server certificate verification. |
| openshift | Optional | false | Set this argument if OpenShift environment is being used. |
| disableOpenshiftRoutes | false | By default Openshift routes are processed in openshift environment, this variable can be used to disable Ingress controller processing the openshift routes. |
| routeLabels | Optional | N/A | You can use this parameter to provide the route labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster. |
| namespaceLabels | Optional | N/A | You can use this parameter to provide the namespace labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster. |
| sslCertManagedByAWS | Optional | False | Set this argument if SSL certs used is managed by AWS while deploying Citrix ADC CPX in AWS. |
| nodeSelector.key | Optional | N/A | Node label key to be used for nodeSelector option for CPX-CIC deployment. |
| nodeSelector.value | Optional | N/A | Node label value to be used for nodeSelector option in CPX-CIC deployment. |
| podAnnotations | Optional | N/A | Map of annotations to add to the pods. |
| affinity | Optional | N/A | Affinity labels for pod assignment. |
| tolerations | Optional | N/A | Specify the tolerations for the CPX-CIC deployment. |
| serviceType.loadBalancer.enabled | Optional | False | Set this argument if you want servicetype of CPX service to be LoadBalancer. |
| serviceType.nodePort.enabled | Optional | False | Set this argument if you want servicetype of CPX service to be NodePort. |
| serviceType.nodePort.httpPort | Optional | N/A | Specify the HTTP nodeport to be used for NodePort CPX service. |
| serviceType.nodePort.httpsPort | Optional | N/A | Specify the HTTPS nodeport to be used for NodePort CPX service. |
| serviceAnnotations | Optional | N/A | Dictionary of annotations to be used in CPX service. Key in this dictionary is the name of the annotation and Value is the required value of that annotation. For example, [see this](#citrix-adc-cpx-service-annotations). |
| serviceSpec.externalTrafficPolicy | Optional | Cluster | Use this parameter to provide externalTrafficPolicy for CPX service of type LoadBalancer or NodePort. `serviceType.loadBalancer.enabled` or `serviceType.nodePort.enabled` should be set to `true` according to your use case for using this parameter. |
| serviceSpec.loadBalancerIP | Optional | N/A | Use this parameter to provide LoadBalancer IP to CPX service of type LoadBalancer. `serviceType.loadBalancer.enabled` should be set to `true` for using this parameter. |
| serviceSpec.loadBalancerSourceRanges | Optional | N/A | Provide the list of IP Address or range which should be allowed to access the Network Load Balancer. `serviceType.loadBalancer.enabled` should be set to `true` for using this parameter. For details, see [Network Load Balancer support on AWS](https://kubernetes.io/docs/concepts/services-networking/service/#aws-nlb-support). |
| servicePorts | Optional | N/A | List of port. Each element in this list is a dictionary that contains information about the port. For example, [see this](#citrix-adc-cpx-service-ports). |
| ADMSettings.licenseServerIP | Optional | N/A | Provide the Citrix Application Delivery Management (ADM) IP address to license Citrix ADC CPX. For more information, see [Licensing](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/licensing/). |
| ADMSettings.licenseServerPort | Optional | 27000 | Citrix ADM port if non-default port is used. |
| ADMSettings.ADMIP | Optional | N/A | Citrix Application Delivery Management (ADM) IP address. |
| ADMSettings.loginSecret | Optional | N/A | The secret key to login to the ADM. For information on how to create the secret keys, see [Prerequisites](#prerequistes). |
| ADMSettings.bandWidthLicense | Optional | False | Set to true if you want to use bandwidth based licensing for Citrix ADC CPX. |
| ADMSettings.bandWidth | Optional | 1000 | Desired bandwidth capacity to be set for Citrix ADC CPX in Mbps. |
| ADMSettings.vCPULicense | Optional | N/A | Set to true if you want to use vCPU based licensing for Citrix ADC CPX. |
| ADMSettings.licenseEdition| Optional | PLATINUM | License edition that can be Standard, Platinum and Enterprise . By default, Platinum is selected.|
| ADMSettings.cpxCores | Optional | 1 | Desired number of vCPU to be set for Citrix ADC CPX. |
| ADMSettings.analyticsServerPort | Optional | 5557 | Port used for Analytics by ADM. Required to plot ServiceGraph. |
| exporter.required | Optional | false | Use the argument if you want to run the [Exporter for Citrix ADC Stats](https://github.com/citrix/citrix-adc-metrics-exporter) along with Citrix ingress controller to pull metrics for the Citrix ADC CPX|
| exporter.imageRegistry | Optional | `quay.io` | The Exporter for Citrix ADC Stats image registry |
| exporter.imageRepository | Optional | `citrix/citrix-adc-metrics-exporter` | The Exporter for Citrix ADC Stats image repository |
| exporter.imageTag | Optional | `1.4.9` | The Exporter for Citrix ADC Stats image tag |
| exporter.pullPolicy | Optional | IfNotPresent | The Exporter for Citrix ADC Stats image pull policy. |
| exporter.resources | Optional | {} | CPU/Memory resource requests/limits for Metrics exporter container |
| exporter.ports.containerPort | Optional | 8888 | The Exporter for Citrix ADC Stats container port. |
| analyticsConfig.required | Mandatory | false | Set this to true if you want to configure Citrix ADC to send metrics and transaction records to analytics service. |
| analyticsConfig.distributedTracing.enable | Optional | false | Set this value to true to enable OpenTracing in Citrix ADC. |
| analyticsConfig.distributedTracing.samplingrate | Optional | 100 | Specifies the OpenTracing sampling rate in percentage. |
| analyticsConfig.endpoint.server | Optional | N/A | Set this value as the IP address or DNS address of the analytics server. |
| analyticsConfig.endpoint.service | Optional | N/A | Set this value as the IP address or service name with namespace of the analytics service deployed in Kuberenetes. Format: namespace/servicename|
| analyticsConfig.timeseries.port | Optional | 5563 | Specify the port used to expose analytics service for timeseries endpoint. |
| analyticsConfig.timeseries.metrics.enable | Optional | Set this value to true to enable sending metrics from Citrix ADC. |
| analyticsConfig.timeseries.metrics.mode | Optional | avro | Specifies the mode of metric endpoint. |
| analyticsConfig.timeseries.auditlogs.enable | Optional | false | Set this value to true to export audit log data from Citrix ADC. |
| analyticsConfig.timeseries.events.enable | Optional | false | Set this value to true to export events from the Citrix ADC. |
| analyticsConfig.transactions.enable | Optional | false | Set this value to true to export transactions from Citrix ADC. |
| analyticsConfig.transactions.port | Optional | 5557 | Specify the port used to expose analytics service for transaction endpoint. |
| crds.install | Optional | False | Unset this argument if you don't want to install CustomResourceDefinitions which are consumed by CIC. |
| crds.retainOnDelete | Optional | false | Set this argument if you want to retain CustomResourceDefinitions even after uninstalling CIC. This will avoid data-loss of Custom Resource Objects created before uninstallation. |
| bgpSettings.required | Optional | false | Set this argument if you want to enable BGP configurations for exposing service of Type Loadbalancer through BGP fabric|
| bgpSettings.bgpConfig | Optional| N/A| This represents BGP configurations in YAML format. For the description about individual fields, please refer the [documentation](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/cpx-bgp-router.md) |
| nsLbHashAlgo.required | Optional | false | Set this value to set the LB consistent hashing Algorithm |
| nsLbHashAlgo.hashFingers | Optional |256 | Specifies the number of fingers to be used for hashing algorithm. Possible values are from 1 to 1024, Default value is 256 |
| nsLbHashAlgo.hashAlgorithm | Optional | 'default' | Specifies the supported algorithm. Supported algorithms are "default", "jarh", "prac", Default value is 'default' |
> **Note:**
>
> If Citrix ADM related information is not provided during installation, Citrix ADC CPX will come up with the default license.
Alternatively, you can define a YAML file with the values for the parameters and pass the values while installing the chart.
For example:
```
helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller -f values.yaml
```
> **Tip:**
>
> The [values.yaml](https://github.com/citrix/citrix-helm-charts/blob/master/citrix-cpx-with-ingress-controller/values.yaml) contains the default values of the parameters.
## Uninstalling the Chart
To uninstall/delete the ```my-release``` deployment:
```
helm delete my-release
```
## Related documentation
- [Citrix ADC CPX Documentation](https://docs.citrix.com/en-us/citrix-adc-cpx/12-1/cpx-architecture-and-traffic-flow.html)
- [Citrix ingress controller Documentation](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/)
- [Citrix ingress controller GitHub](https://github.com/citrix/citrix-k8s-ingress-controller)
- [BGP advertisement for External IPs with CPX](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/cpx-bgp-router.md)
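Review bot: the row for `analyticsConfig.timeseries.metrics.enable` is missing its Default cell, so the description is rendered in the Default column; it should read `| analyticsConfig.timeseries.metrics.enable | Optional | false | Set this value to true to enable sending metrics from Citrix ADC. |` to match `enable: false` in values.yaml. The defaults given for `nsLbHashAlgo.hashAlgorithm` (`'default'`) and `crds.install` (`False`) also differ in case from values.yaml (`'DEFAULT'`, `false`); pick one spelling so users grepping for the value find it. Smaller points: "Kuberenetes" in the `analyticsConfig.endpoint.service` row, the uninstall example uses `my-release` while the install example just above names the release `citrix-cpx-with-ingress-controller`, and the CPX documentation link points at the 12-1 docs while the chart's default image tag is a 13.1 build.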

View File

@ -0,0 +1,14 @@
Thank you for installing {{ .Chart.Name }}.
Your release is named {{ .Release.Name }}.
To learn more about the release, try:
$ helm status {{ .Release.Name }}
$ helm get {{ .Release.Name }}
To delete :
helm delete {{ .Release.Name }}
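Review bot: `helm get {{ .Release.Name }}` is not a complete command on Helm 3, which the README lists as the required version; `helm get` needs a subcommand, so this should be `helm get all {{ .Release.Name }}` (or `helm get values {{ .Release.Name }}`). Also `To delete :` has a stray space before the colon.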

View File

@ -0,0 +1,97 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Analytics Server IP or DNS
*/}}
{{- define "analytics.server" -}}
{{- if .Values.analyticsConfig.endpoint.server -}}
{{- printf .Values.analyticsConfig.endpoint.server -}}
{{- else -}}
{{- printf "analytics.%s.svc.cluster.local" .Release.Namespace -}}
{{- end -}}
{{- end -}}
{{- define "citrix-cpx-ingress-controller.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "citrix-cpx-ingress-controller.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- define "cpxservice.fullname" -}}
{{- $name := default .Chart.Name "cpx-service" .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- define "cpxexporter.fullname" -}}
{{- $name := default .Chart.Name "exporter" .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- define "cpxservicemonitor.fullname" -}}
{{- $name := default .Chart.Name "citrix-adc-cpx-servicemonitor" .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- define "cpxservicemonitorlabel" -}}
{{- $name := default .Chart.Name "citrix-adc-cpx-svcmon" .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- define "cpxconfigmap.fullname" -}}
{{- $name := default .Chart.Name "cpx-cic-configmap" .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "citrix-cpx-ingress-controller.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "citrix-cpx-ingress-controller.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "citrix-cpx-ingress-controller.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}
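Review bot: the `cpxservice.fullname`, `cpxexporter.fullname`, `cpxservicemonitor.fullname`, `cpxservicemonitorlabel` and `cpxconfigmap.fullname` helpers pass three arguments to `default`, e.g. `{{- $name := default .Chart.Name "cpx-service" .Values.nameOverride -}}`; Sprig's `default` returns the first non-empty argument after the fallback, which here is always the string literal, so `.Values.nameOverride` is silently ignored for every one of these names. If the override is meant to apply, write `default "cpx-service" .Values.nameOverride`; if not, drop the unused argument so the intent is clear. Separately, `analytics.server` emits the user-supplied value with `{{- printf .Values.analyticsConfig.endpoint.server -}}`, i.e. as a format string; any `%` in the value is interpreted as a verb and produces `%!(NOVERB)`-style output. Emit it directly as `{{- .Values.analyticsConfig.endpoint.server -}}`.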

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,414 @@
apiVersion: apps/v1
{{- if or .Values.cpxBgpRouter .Values.daemonSet }}
kind: DaemonSet
{{- else }}
kind: Deployment
{{- end }}
metadata:
name: {{ include "citrix-cpx-ingress-controller.fullname" . }}
namespace: {{ .Release.Namespace }}
spec:
selector:
matchLabels:
app: {{ include "citrix-cpx-ingress-controller.fullname" . }}
{{- if not ( or .Values.cpxBgpRouter .Values.daemonSet ) }}
replicas: {{ .Values.replicaCount }}
{{- end }}
template:
metadata:
name: {{ include "citrix-cpx-ingress-controller.fullname" . }}
labels:
app: {{ include "citrix-cpx-ingress-controller.fullname" . }}
adc: "citrix"
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
serviceAccountName: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }}
{{- if .Values.cpxBgpRouter }}
hostNetwork: true
{{- end }}
containers:
- name: cpx-ingress
image: "{{ tpl .Values.image . }}"
imagePullPolicy: {{ .Values.pullPolicy }}
tty: true
securityContext:
privileged: true
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
{{- if .Values.cpxLicenseAggregator }}
- name: "CLA"
value: {{ .Values.cpxLicenseAggregator | quote }}
{{- else if .Values.ADMSettings.licenseServerIP }}
- name: "LS_IP"
value: {{ .Values.ADMSettings.licenseServerIP | quote }}
- name: "LS_PORT"
value: {{ .Values.ADMSettings.licenseServerPort | quote }}
{{- end }}
- name: "EULA"
value: "{{ .Values.license.accept }}"
- name: "KUBERNETES_TASK_ID"
value: ""
{{- if not .Values.cpxBgpRouter }}
- name: "MGMT_HTTP_PORT"
value: {{ .Values.mgmtHttpPort | quote }}
- name: "MGMT_HTTPS_PORT"
value: {{ .Values.mgmtHttpsPort | quote }}
{{- end }}
{{- if .Values.cpxBgpRouter }}
- name: NS_NETMODE
value: HOST
{{- if .Values.nsIP }}
- name: "NS_IP"
value: "{{ .Values.nsIP }}"
{{- end }}
{{- if .Values.nsGateway }}
- name: "NS_GATEWAY"
value: "{{ .Values.nsGateway }}"
{{- end }}
{{- end }}
{{- if .Values.ADMSettings.ADMIP }}
- name: "NS_MGMT_SERVER"
value: {{ .Values.ADMSettings.ADMIP | quote }}
- name: "NS_HTTP_PORT"
value: {{ .Values.mgmtHttpPort | quote }}
- name: "NS_HTTPS_PORT"
value: {{ .Values.mgmtHttpsPort | quote }}
- name: "LOGSTREAM_COLLECTOR_IP"
value: {{ .Values.ADMSettings.ADMIP | quote }}
- name: "ANALYTICS_SERVER"
value: {{ .Values.ADMSettings.ADMIP | quote }}
- name: "ANALYTICS_SERVER_PORT"
value: {{ .Values.ADMSettings.analyticsServerPort | quote }}
{{- end }}
##Need to set env var BANDWIDTH in order to provide Bandwidth license to Citrix ADC CPX from ADM or CPX License Aggregator
{{- if and ( or ( .Values.ADMSettings.licenseServerIP ) ( .Values.cpxLicenseAggregator ) ) ( eq .Values.ADMSettings.bandWidthLicense true ) }}
- name: "BANDWIDTH"
value: {{ .Values.ADMSettings.bandWidth | quote }}
{{- end }}
#for multiple-PE support, need to set CPX_CORES
{{- if or .Values.ADMSettings.licenseServerIP .Values.cpxLicenseAggregator }}
{{- if or ( eq .Values.ADMSettings.vCPULicense true ) ( eq .Values.ADMSettings.bandWidthLicense true ) }}
- name: "CPX_CORES"
value: {{ .Values.ADMSettings.cpxCores | default 1 | quote }}
{{- end }}
{{- end }}
- name: "EDITION"
value: {{ .Values.ADMSettings.licenseEdition }}
{{- if or (.Values.ADMSettings.ADMIP) (.Values.ADMSettings.licenseServerIP) }}
- name: NS_MGMT_USER
valueFrom:
secretKeyRef:
name: {{ required "Provide Secret for ADM/LicenseServer credentials" .Values.ADMSettings.loginSecret }}
key: username
- name: NS_MGMT_PASS
valueFrom:
secretKeyRef:
name: {{ required "Provide Secret for ADM/LicenseServer credentials" .Values.ADMSettings.loginSecret }}
key: password
{{- end }}
{{- if .Values.exporter.required }}
- name: "METRICS_EXPORTER_PORT"
value: {{ .Values.exporter.ports.containerPort | quote }}
{{- end }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
volumeMounts:
- mountPath: /var/deviceinfo
name: shared-data
- mountPath: /cpx/
name: cpx-volume
{{- if .Values.cic.required }}
# Add cic as a sidecar
- name: cic
image: "{{ tpl .Values.cic.image . }}"
imagePullPolicy: {{ .Values.cic.pullPolicy }}
env:
- name: "EULA"
value: "{{ .Values.license.accept }}"
{{- if .Values.cpxBgpRouter }}
- name: "NS_IP"
value: {{ .Values.nsIP | default "192.168.1.2" | quote }}
{{- else }}
- name: "NS_IP"
value: "127.0.0.1"
{{- end }}
- name: "NS_APPS_NAME_PREFIX"
value: {{ .Values.entityPrefix | default "k8s"}}
- name: "NS_DEPLOYMENT_MODE"
value: "SIDECAR"
{{- if and .Values.openshift .Values.routeLabels }}
- name: "ROUTE_LABELS"
value: {{ .Values.routeLabels | quote}}
{{- end }}
{{- if and .Values.openshift .Values.namespaceLabels }}
- name: "NAMESPACE_LABELS"
value: {{ .Values.namespaceLabels | quote }}
{{- end }}
{{- if .Values.cpxBgpRouter }}
{{- if eq (upper .Values.nsProtocol) "HTTPS" }}
- name: NS_PROTOCOL
value: HTTPS
- name: NS_PORT
value: "9443"
{{- else }}
- name: NS_PROTOCOL
value: HTTP
- name: NS_PORT
value: "9080"
{{- end }}
{{- if .Values.bgpPort }}
- name: "BGP_PORT"
value: {{ .Values.bgpPort | quote }}
{{- end }}
{{- end }}
- name: "NS_ENABLE_MONITORING"
value: "YES"
{{- if .Values.logProxy }}
- name: "NS_LOGPROXY"
value: {{ .Values.logProxy | quote }}
{{- end }}
{{- if .Values.ingressIP }}
- name: "NS_VIP"
value: {{ .Values.ingressIP | quote }}
{{- end }}
{{- if .Values.nitroReadTimeout }}
- name: "NS_NITRO_READ_TIMEOUT"
value: "{{ .Values.nitroReadTimeout }}"
{{- end }}
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
{{- if .Values.kubernetesURL }}
- name: "kubernetes_url"
value: "{{ .Values.kubernetesURL }}"
{{- end }}
{{- if .Values.disableOpenshiftRoutes }}
- name: "DISABLE_OPENSHIFT_ROUTES"
value: "{{ .Values.disableOpenshiftRoutes }}"
{{- end }}
{{- if .Values.nsConfigDnsRec }}
- name: "NS_CONFIG_DNS_REC"
value: "{{ .Values.nsConfigDnsRec }}"
{{- end }}
{{- if .Values.nsSvcLbDnsRec }}
- name: "NS_SVC_LB_DNS_REC"
value: "{{ .Values.nsSvcLbDnsRec }}"
{{- end }}
{{- if .Values.optimizeEndpointBinding }}
- name: "OPTIMIZE_ENDPOINT_BINDING"
value: "{{ .Values.optimizeEndpointBinding }}"
{{- end }}
{{- if .Values.cpxBgpRouter }}
securityContext:
runAsUser: 0
capabilities:
add:
- NET_ADMIN
{{- end }}
args:
- --configmap
{{ .Release.Namespace }}/{{ include "cpxconfigmap.fullname" . }}
{{- if .Values.ipam }}
- --ipam
citrix-ipam-controller
{{- end }}
{{- if .Values.disableAPIServerCertVerify }}
- --disable-apiserver-cert-verify
{{ .Values.disableAPIServerCertVerify }}
{{- end }}
{{- if .Values.cpxBgpRouter }}
- --deployment-type
kube-bgp-router
{{- end }}
{{- if .Values.ingressClass }}
- --ingress-classes
{{- range .Values.ingressClass}}
{{.}}
{{- end }}
{{- end }}
{{- if .Values.defaultSSLCertSecret }}
- --default-ssl-certificate
{{ .Release.Namespace }}/{{ .Values.defaultSSLCertSecret }}
{{- end }}
{{- end }}
{{- if .Values.updateIngressStatus }}
{{- if .Values.cpxBgpRouter }}
- --update-ingress-status
yes
{{- else }}
- --cpx-service
{{ .Release.Namespace }}/{{ include "cpxservice.fullname" . }}
{{- end }}
{{- end }}
volumeMounts:
- mountPath: /var/deviceinfo
name: shared-data
resources:
{{- toYaml .Values.cic.resources | nindent 12 }}
{{- if .Values.exporter.required }}
- name: exporter
image: "{{ tpl .Values.exporter.image . }}"
imagePullPolicy: {{ .Values.exporter.pullPolicy }}
args:
- "--secure=no"
{{- if .Values.cpxBgpRouter }}
- --target-nsip={{ .Values.nsIP | default "192.168.1.2" }}:9080
{{- else }}
- "--target-nsip=127.0.0.1"
{{- end }}
- "--port={{ .Values.exporter.ports.containerPort }}"
env:
- name: "NS_DEPLOYMENT_MODE"
value: "SIDECAR"
securityContext:
readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /var/deviceinfo
name: shared-data
resources:
{{- toYaml .Values.exporter.resources | nindent 12 }}
{{- end }}
volumes:
- name: shared-data
emptyDir: {}
- name: cpx-volume
emptyDir: {}
{{- if and .Values.nodeSelector.key .Values.nodeSelector.value }}
nodeSelector:
{{ .Values.nodeSelector.key }}: {{ .Values.nodeSelector.value }}
{{- end }}
{{- if .Values.tolerations }}
tolerations: {{ .Values.tolerations | toYaml | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
---
{{- if .Values.cpxBgpRouter }}
{{- if .Values.exporter.required }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "cpxexporter.fullname" . }}
labels:
app: {{ include "cpxexporter.fullname" . }}
service-type: {{ include "cpxservicemonitorlabel" . }}
spec:
type: ClusterIP
ports:
- port: {{ .Values.exporter.ports.containerPort }}
targetPort: {{ .Values.exporter.ports.containerPort }}
name: exporter-port
selector:
app: {{ include "citrix-cpx-ingress-controller.fullname" . }}
{{- end }}
{{- else }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "cpxservice.fullname" . }}
labels:
app: cpx-service
service-type: {{ include "cpxservicemonitorlabel" . }}
{{- if .Values.serviceAnnotations }}
annotations:
{{- with .Values.serviceAnnotations }}
{{ toYaml . | indent 4 }}
{{- end }}
{{- end }}
spec:
{{- if or .Values.serviceType.loadBalancer.enabled ( and (.Values.updateIngressStatus) (not .Values.cpxBgpRouter)) }}
externalTrafficPolicy: {{ .Values.serviceSpec.externalTrafficPolicy }}
type: LoadBalancer
{{- if .Values.serviceSpec.loadBalancerIP }}
loadBalancerIP: {{ .Values.serviceSpec.loadBalancerIP }}
{{- end }}
{{- else if .Values.serviceType.nodePort.enabled }}
type: NodePort
externalTrafficPolicy: {{ .Values.serviceSpec.externalTrafficPolicy }}
{{- end }}
{{- if and .Values.serviceType.loadBalancer.enabled .Values.serviceSpec.loadBalancerSourceRanges }}
loadBalancerSourceRanges:
{{- range .Values.serviceSpec.loadBalancerSourceRanges}}
- {{.}}
{{- end }}
{{- end }}
ports:
{{- if .Values.servicePorts }}
{{- with .Values.servicePorts }}
{{ toYaml . | indent 2 }}
{{- end }}
{{- else }}
- port: 80
protocol: TCP
name: http
{{- if and .Values.serviceType.nodePort.enabled .Values.serviceType.nodePort.httpPort }}
nodePort: {{ .Values.serviceType.nodePort.httpPort }}
{{- end }}
- port: 443
protocol: TCP
name: https
{{- if and .Values.serviceType.nodePort.enabled .Values.serviceType.nodePort.httpsPort }}
nodePort: {{ .Values.serviceType.nodePort.httpsPort}}
{{- end }}
{{- end }}
{{- if .Values.exporter.required }}
- port: {{ .Values.exporter.ports.containerPort }}
targetPort: {{ .Values.exporter.ports.containerPort }}
name: exporter-port
{{- end }}
selector:
app: {{ include "citrix-cpx-ingress-controller.fullname" . }}
{{- end }}
---
{{- if .Values.exporter.required }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "cpxservicemonitor.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
servicemonitor: citrix-adc-cpx
spec:
endpoints:
- interval: 30s
port: exporter-port
selector:
matchLabels:
service-type: {{ include "cpxservicemonitorlabel" . }}
namespaceSelector:
matchNames:
- monitoring
- default
- {{ .Release.Namespace }}
{{- end }}
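Review bot: `loadBalancerSourceRanges` is only rendered when `.Values.serviceType.loadBalancer.enabled` is true, but the Service is also switched to `type: LoadBalancer` when `updateIngressStatus` is set without `cpxBgpRouter` (`{{- if or .Values.serviceType.loadBalancer.enabled ( and (.Values.updateIngressStatus) (not .Values.cpxBgpRouter)) }}`); on that second path a configured `serviceSpec.loadBalancerSourceRanges` is silently dropped and the load balancer is exposed to all sources. Gate the ranges on the same condition as the type. Two further points: the CPX container runs with `privileged: true` (and the pod with `hostNetwork: true` in BGP mode) with no comment or values.yaml/README text saying why, so users cannot tell whether a Pod Security exception is genuinely required; document the requirement where the setting lives. And the ServiceMonitor's `namespaceSelector` hard-codes `monitoring` and `default` next to `{{ .Release.Namespace }}`; only the release namespace holds the exporter Service this chart creates, so the extra names should go or become a value.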

View File

@ -0,0 +1,71 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "cpxconfigmap.fullname" . }}
namespace: {{ .Release.Namespace }}
data:
LOGLEVEL: {{ .Values.logLevel | quote | lower }}
JSONLOG: {{ .Values.jsonLog | quote | lower }}
{{- if eq (upper .Values.nsProtocol) "HTTPS" }}
NS_PROTOCOL: "https"
{{- if .Values.cpxBgpRouter }}
NS_PORT: "9443"
{{- else }}
NS_PORT: "443"
{{- end }}
{{- else }}
NS_PROTOCOL: "http"
{{- if .Values.cpxBgpRouter }}
NS_PORT: "9080"
{{- else }}
NS_PORT: "80"
{{- end }}
{{- end }}
{{- if ne (upper .Values.nsHTTP2ServerSide) "OFF" }}
NS_HTTP2_SERVER_SIDE: {{ .Values.nsHTTP2ServerSide | quote }}
{{- end }}
{{- if ne (toString .Values.nsCookieVersion) "0" }}
NS_COOKIE_VERSION: {{ .Values.nsCookieVersion | quote }}
{{- end }}
{{- if .Values.nsDnsNameserver }}
NS_DNS_NAMESERVER: {{ .Values.nsDnsNameserver }}
{{- end }}
{{- if .Values.analyticsConfig.required }}
NS_ANALYTICS_CONFIG: |
distributed_tracing:
enable: {{ .Values.analyticsConfig.distributedTracing.enable | quote }}
samplingrate: {{ .Values.analyticsConfig.distributedTracing.samplingrate }}
endpoint:
server: {{ include "analytics.server" . | quote }}
service: {{ .Values.analyticsConfig.endpoint.service | quote }}
timeseries:
port: {{ .Values.analyticsConfig.timeseries.port }}
metrics:
enable: {{ .Values.analyticsConfig.timeseries.metrics.enable | quote }}
mode: {{ .Values.analyticsConfig.timeseries.metrics.mode | quote }}
auditlogs:
enable: {{ .Values.analyticsConfig.timeseries.auditlogs.enable | quote }}
events:
enable: {{ .Values.analyticsConfig.timeseries.events.enable | quote }}
transactions:
enable: {{ .Values.analyticsConfig.transactions.enable | quote }}
port: {{ .Values.analyticsConfig.transactions.port }}
{{- end }}
{{- if .Values.cpxBgpRouter }}
{{- if .Values.bgpSettings.required }}
NS_BGP_CONFIG: |
{{- with .Values.bgpSettings.bgpConfig }}
bgpConfig:
{{ toYaml . | indent 4 }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.nsLbHashAlgo.required }}
NS_LB_HASH_ALGO: |
hashFingers: {{ .Values.nsLbHashAlgo.hashFingers }}
hashAlgorithm: {{ .Values.nsLbHashAlgo.hashAlgorithm | quote }}
{{- end }}
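Review bot: under `endpoint:` both `server:` and `service:` are always emitted, and `server:` goes through the `analytics.server` helper, which falls back to `analytics.<namespace>.svc.cluster.local` whenever `analyticsConfig.endpoint.server` is empty; a user who sets only `endpoint.service` (the README's `namespace/servicename` form) therefore gets a synthetic `server:` value beside it, and nothing here says which one the ingress controller honours. Render each key only when its value is set, or document the precedence in values.yaml. Minor: `NS_DNS_NAMESERVER: {{ .Values.nsDnsNameserver }}` is the one entry in this ConfigMap without `| quote`; ConfigMap data values must be strings, so quote it like the rest.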

View File

@ -0,0 +1,18 @@
{{- $default := .Values.setAsDefaultIngressClass -}}
{{- if semverCompare ">=1.19.0-0" .Capabilities.KubeVersion.GitVersion }}
{{- if .Values.ingressClass }}
{{- range .Values.ingressClass }}
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
name: {{ . | quote }}
{{- if $default }}
annotations:
ingressclass.kubernetes.io/is-default-class: "true"
{{- end }}
spec:
controller: citrix.com/ingress-controller
---
{{- end }}
{{- end }}
{{- end }}

View File

@ -0,0 +1,89 @@
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }}
rules:
- apiGroups: [""]
{{- if .Values.openshift }}
resources: ["endpoints", "pods", "secrets", "routes", "tokenreviews", "subjectaccessreviews", "nodes", "namespaces", "configmaps", "services"]
{{- else }}
resources: ["endpoints", "pods", "secrets", "routes", "nodes", "namespaces", "configmaps", "services"]
{{- end }}
verbs: ["get", "list", "watch"]
# services/status is needed to update the loadbalancer IP in service status for integrating
# service of type LoadBalancer with external-dns
- apiGroups: [""]
resources: ["services/status"]
verbs: ["patch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create"]
- apiGroups: ["extensions", "networking.k8s.io"]
resources: ["ingresses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["extensions", "networking.k8s.io"]
resources: ["ingresses/status"]
verbs: ["patch"]
- apiGroups: ["networking.k8s.io"]
resources: ["ingressclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
resources: ["deployments"]
verbs: ["get", "list", "watch"]
- apiGroups: ["citrix.com"]
resources: ["rewritepolicies", "continuousdeployments", "authpolicies", "ratelimits", "listeners", "httproutes", "wafs", "apigatewaypolicies", "bots", "corspolicies", "appqoepolicies", "wildcarddnsentries"]
verbs: ["get", "list", "watch", "create", "delete", "patch"]
- apiGroups: ["citrix.com"]
resources: ["rewritepolicies/status", "continuousdeployments/status", "authpolicies/status", "ratelimits/status", "listeners/status", "httproutes/status", "wafs/status", "apigatewaypolicies/status", "bots/status", "corspolicies/status", "appqoepolicies/status", "wildcarddnsentries/status"]
verbs: ["patch"]
- apiGroups: ["citrix.com"]
resources: ["vips"]
verbs: ["get", "list", "watch", "create", "delete"]
- apiGroups: ["crd.projectcalico.org"]
resources: ["ipamblocks"]
verbs: ["get", "list", "watch"]
{{- if .Values.openshift }}
- apiGroups: ["route.openshift.io"]
resources: ["routes"]
verbs: ["get", "list", "watch"]
- apiGroups: ["network.openshift.io"]
resources: ["hostsubnets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["config.openshift.io"]
resources: ["networks"]
verbs: ["get", "list"]
{{- end }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }}
subjects:
- kind: ServiceAccount
name: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.imagePullSecrets }}
- name: {{.}}
{{- end }}
{{- end }}
---
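Review bot: the ClusterRole, ClusterRoleBinding and ServiceAccount are rendered unconditionally, yet `citrix-cpx-ingress-controller.serviceAccountName` returns `default` when `serviceAccount.create` is false and no name is given; with those values the chart creates a ClusterRole named `default` and binds cluster-wide `get/list/watch` on `secrets` (plus the rest of the rule list) to the namespace's `default` ServiceAccount, which every pod in that namespace without an explicit serviceAccountName runs as. Wrap the ServiceAccount in `{{- if .Values.serviceAccount.create }}` and name the ClusterRole/Binding from the release (`citrix-cpx-ingress-controller.fullname`) rather than from the account name. Also, in the first rule `routes`, `tokenreviews` and `subjectaccessreviews` are listed under `apiGroups: [""]`, but none of them is a core-group resource (`routes` is `route.openshift.io`, already covered below; the two review resources live in `authentication.k8s.io` and `authorization.k8s.io` and are used with `create`), so those entries grant nothing and should be moved to the right group with the right verb or removed.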

View File

@ -0,0 +1,221 @@
# Default values for citrix-cpx-with-ingress-controller.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
# Citrix ADC CPX config details
imageRegistry: quay.io
imageRepository: citrix/citrix-k8s-cpx-ingress
imageTag: 13.1-30.52
image: "{{ .Values.imageRegistry }}/{{ .Values.imageRepository }}:{{ .Values.imageTag }}"
pullPolicy: IfNotPresent
imagePullSecrets: []
daemonSet: False
nameOverride: ""
replicaCount: 1
fullnameOverride: ""
mgmtHttpPort: 9080
mgmtHttpsPort: 9443
openshift: false
nsHTTP2ServerSide: "OFF"
nsCookieVersion: "0"
nsConfigDnsRec:
nsSvcLbDnsRec:
nsDnsNameserver:
optimizeEndpointBinding:
routeLabels:
namespaceLabels:
# Service Type LoadBalancer and ingress support with CPX through BGP advertisement
# If you enable this, CPX is run as DaemonSet. Please edit the bgpSettings for configuring
# BGP neighbors for propgation of external IPs.
cpxBgpRouter: false
# If cpxBgpRouter is true, then this is the NSIP used by CPX for internal communication
nsIP: 192.168.1.2
# If cpxBgpRouter is true, then this is the Gateway used by CPX for internal communication
nsGateway: 192.168.1.1
# Protocol used for communication between Citrix Ingress Controller sidecar and Citrix CPX
nsProtocol: http
# External IP for ingress resource when bgpRouter is set to True
ingressIP:
# If IPAM controller is used for auto allocation of the external IP for service of type LoadBalancer, set this option to true
ipam: False
# API server Cert verification can be disabled, while communicating with API Server, if disableAPIServerCertVerify set to True
disableAPIServerCertVerify: False
cpxLicenseAggregator:
sslCertManagedByAWS: False
nodeSelector:
key:
value:
tolerations: []
serviceType:
loadBalancer:
enabled: False
nodePort:
enabled: False
httpPort:
httpsPort:
serviceAnnotations: {}
serviceSpec:
externalTrafficPolicy: "Cluster"
loadBalancerIP:
loadBalancerSourceRanges: []
servicePorts: []
# Citrix Ingress Controller config details
cic:
imageRegistry: quay.io
imageRepository: citrix/citrix-k8s-ingress-controller
imageTag: 1.27.15
image: "{{ .Values.cic.imageRegistry }}/{{ .Values.cic.imageRepository }}:{{ .Values.cic.imageTag }}"
pullPolicy: IfNotPresent
required: true
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# Following values depends on no of ingresses configured by Ingress Controllers, so it is
# advised to test with maximum no of ingresses to set these values.
# limits:
# cpu: 1000m
# memory: 1000Mi
# requests:
# cpu: 250m
# memory: 256Mi
entityPrefix:
license:
accept: no
ingressClass:
setAsDefaultIngressClass: False
# nitroReadTimeout is timeout value in seconds for nitro api read timeout(default is 20)
nitroReadTimeout:
logLevel: INFO
jsonLog: false
defaultSSLCertSecret:
updateIngressStatus: False
logProxy:
kubernetesURL:
disableOpenshiftRoutes:
# Citrix ADM/License Server config details
ADMSettings:
licenseServerIP:
licenseServerPort: 27000
ADMIP:
loginSecret:
bandWidthLicense: false
bandWidth: 1000 #bandwidth value shoule be in Mbps
vCPULicense: false
cpxCores:
analyticsServerPort: 5557
licenseEdition: PLATINUM
# Exporter config details
exporter:
required: false
imageRegistry: quay.io
imageRepository: citrix/citrix-adc-metrics-exporter
imageTag: 1.4.9
image: "{{ .Values.exporter.imageRegistry }}/{{ .Values.exporter.imageRepository }}:{{ .Values.exporter.imageTag }}"
pullPolicy: IfNotPresent
ports:
containerPort: 8888
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
# For CRDs supported by Citrix Ingress Controller
crds:
install: false
retainOnDelete: false
# Config required to be done by Citrix Ingress Controller for sending metrics to Citrix Observability Exporter
analyticsConfig:
required: false
distributedTracing:
enable: false
samplingrate: 100
endpoint:
server:
service:
timeseries:
port: 5563
metrics:
enable: false
mode: 'avro'
auditlogs:
enable: false
events:
enable: false
transactions:
enable: false
port: 5557
# BGP configurations: local AS, remote AS and remote address is mandatory to provide. Please do the approrpiate changes with respect to your environment
bgpSettings:
# When bgpConfig is configured correctly, set the required to true for the configuration to be applied.
required: false
bgpConfig:
- bgpRouter:
# Local AS number for BGP advertisement
localAS: 100
neighbor:
# Address of the nighbor router for BGP advertisement
- address:
# Remote AS number
remoteAS: 100
advertisementInterval: 10
ASOriginationInterval: 10
bgpPort:
nsLbHashAlgo:
required: false
hashFingers: 256
hashAlgorithm: 'DEFAULT'
# Specifies whether a ServiceAccount should be created
serviceAccount:
create: true
# The name of the ServiceAccount to use.
# If not set and `create` is true, a name is generated using the fullname template
# name:
podAnnotations: {}
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'
# This is the resource for CPX container.
# limits:
# cpu: 500m
# memory: 512Mi
# requests:
# cpu: 100m
# memory: 128Mi
affinity: {}
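Review bot: `license.accept: no` is an unquoted YAML 1.1 boolean, so Helm loads it as `false` and the Deployment's `value: "{{ .Values.license.accept }}"` renders `EULA=false`; a user who follows the README and writes `accept: yes` in a values file gets `EULA=true` rather than the string `yes` the README tells them to pass with `--set`. Quote the default (`accept: "no"`) and tell users to quote their override, unless CPX is known to accept `true`. Two consistency points: `hashAlgorithm: 'DEFAULT'` here versus `'default'` and the lowercase supported values in the README; and `serviceAccount.create: true` is documented as controlling whether a ServiceAccount is created, but nothing in rbac.yaml checks it. Finally, `nsProtocol: http` means the sidecar talks NITRO to CPX in clear; that is acceptable over the pod loopback, but in `cpxBgpRouter` mode the pod runs with `hostNetwork: true` and a fixed `nsIP`, so the comment should say when `https` should be chosen.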

View File

@ -0,0 +1,20 @@
annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Citrix Ingress Controller
catalog.cattle.io/kube-version: '>=v1.16.0-0'
catalog.cattle.io/release-name: citrix-ingress-controller
apiVersion: v2
appVersion: 1.27.15
description: A Helm chart for Citrix Ingress Controller configuring MPX/VPX.
home: https://www.citrix.com
icon: https://raw.githubusercontent.com/citrix/citrix-helm-charts/gh-pages/icon.png
kubeVersion: '>=v1.16.0-0'
maintainers:
- email: priyanka.sharma@citrix.com
name: priyankash-citrix
- email: subash.dangol@citrix.com
name: subashd
name: citrix-ingress-controller
sources:
- https://github.com/citrix/citrix-k8s-ingress-controller
version: 1.27.15

View File

@ -0,0 +1,492 @@
# Citrix Ingress Controller
[Citrix](https://www.citrix.com/en-in/) provides an Ingress Controller for Citrix ADC MPX (hardware), Citrix ADC VPX (virtualized), and [Citrix ADC CPX](https://docs.citrix.com/en-us/citrix-adc-cpx/13/about.html) (containerized) for [bare metal](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/deployment/baremetal) and [cloud](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/deployment) deployments. It configures one or more Citrix ADC based on the Ingress resource configuration in [Kubernetes](https://kubernetes.io/) or in [OpenShift](https://www.openshift.com) cluster.
## TL;DR;
### For Kubernetes
```
helm repo add citrix https://citrix.github.io/citrix-helm-charts/
helm install cic citrix/citrix-ingress-controller --set nsIP=<NSIP>,license.accept=yes,adcCredentialSecret=<Secret-for-ADC-credentials>
```
To install Citrix Provided Custom Resource Definition(CRDs) along with Citrix Ingress Controller
```
helm install cic citrix/citrix-ingress-controller --set nsIP=<NSIP>,license.accept=yes,adcCredentialSecret=<Secret-for-ADC-credentials>,crds.install=true
```
### For OpenShift
```
helm repo add citrix https://citrix.github.io/citrix-helm-charts/
helm install cic citrix/citrix-ingress-controller --set nsIP=<NSIP>,license.accept=yes,adcCredentialSecret=<Secret-for-ADC-credentials>,openshift=true
```
To install Citrix Provided Custom Resource Definition(CRDs) along with Citrix Ingress Controller
```
helm install cic citrix/citrix-ingress-controller --set nsIP=<NSIP>,license.accept=yes,adcCredentialSecret=<Secret-for-ADC-credentials>,openshift=true,crds.install=true
```
> **Important:**
>
> The `license.accept` argument is mandatory. Ensure that you set the value as `yes` to accept the terms and conditions of the Citrix license.
## Introduction
This Helm chart deploys Citrix ingress controller in the [Kubernetes](https://kubernetes.io) or in the [Openshift](https://www.openshift.com) cluster using [Helm](https://helm.sh) package manager.
### Prerequisites
- The [Kubernetes](https://kubernetes.io/) version should be 1.16 and above if using Kubernetes environment.
- The [Openshift](https://www.openshift.com) version 4.8 or later if using OpenShift platform.
- The [Helm](https://helm.sh/) version 3.x or later. You can follow instruction given [here](https://github.com/citrix/citrix-helm-charts/blob/master/Helm_Installation_version_3.md) to install the same.
- You determine the NS_IP IP address needed by the controller to communicate with Citrix ADC. The IP address might be anyone of the following depending on the type of Citrix ADC deployment:
- (Standalone appliances) NSIP - The management IP address of a standalone Citrix ADC appliance. For more information, see [IP Addressing in Citrix ADC](https://docs.citrix.com/en-us/citrix-adc/12-1/networking/ip-addressing.html).
- (Appliances in High Availability mode) SNIP - The subnet IP address. For more information, see [IP Addressing in Citrix ADC](https://docs.citrix.com/en-us/citrix-adc/12-1/networking/ip-addressing.html).
- (Appliances in Clustered mode) CLIP - The cluster management IP (CLIP) address for a clustered Citrix ADC deployment. For more information, see [IP addressing for a cluster](https://docs.citrix.com/en-us/citrix-adc/12-1/clustering/cluster-overview/ip-addressing.html).
- You have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator), if you want to view the metrics of the Citrix ADC CPX collected by the [metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics).
- The user name and password of the Citrix ADC VPX or MPX appliance used as the ingress device. The Citrix ADC appliance needs to have a non-default system user account with certain privileges so that Citrix ingress controller can configure the Citrix ADC VPX or MPX appliance. For instructions to create the system user account on Citrix ADC, see [Create System User Account for CIC in Citrix ADC](#create-system-user-account-for-cic-in-citrix-adc).
You can pass the user name and password using Kubernetes secrets. Create a Kubernetes secret for the user name and password using the following command:
```
kubectl create secret generic nslogin --from-literal=username='cic' --from-literal=password='mypassword'
```
#### Create system User account for Citrix ingress controller in Citrix ADC
Citrix ingress controller configures the Citrix ADC using a system user account of the Citrix ADC. The system user account should have certain privileges so that the CIC has permission to configure the following on the Citrix ADC:
- Add, Delete, or View Content Switching (CS) virtual server
- Configure CS policies and actions
- Configure Load Balancing (LB) virtual server
- Configure Service groups
- Configure SSL certkeys
- Configure routes
- Configure user monitors
- Add system file (for uploading SSL certkeys from Kubernetes)
- Configure Virtual IP address (VIP)
- Check the status of the Citrix ADC appliance
> **Note:**
>
> The system user account would have privileges based on the command policy that you define.
To create the system user account, do the following:
1. Log on to the Citrix ADC appliance. Perform the following:
1. Use an SSH client, such as PuTTy, to open an SSH connection to the Citrix ADC appliance.
2. Log on to the appliance by using the administrator credentials.
2. Create the system user account using the following command:
```
add system user <username> <password>
```
For example:
```
add system user cic mypassword
```
3. Create a policy to provide required permissions to the system user account. Use the following command:
```
add cmdpolicy cic-policy ALLOW '^(\?!shell)(\?!sftp)(\?!scp)(\?!batch)(\?!source)(\?!.*superuser)(\?!.*nsroot)(\?!install)(\?!show\s+system\s+(user|cmdPolicy|file))(\?!(set|add|rm|create|export|kill)\s+system)(\?!(unbind|bind)\s+system\s+(user|group))(\?!diff\s+ns\s+config)(\?!(set|unset|add|rm|bind|unbind|switch)\s+ns\s+partition).*|(^install\s*(wi|wf))|(^\S+\s+system\s+file)'
```
**Note**: The system user account would have privileges based on the command policy that you define.
The command policy mentioned in ***step 3*** is similar to the built-in `sysAdmin` command policy with an additional permission to upload files.
The command policy spec provided above already has its special characters escaped for easier copy-pasting into the Citrix ADC command line.
For configuring the command policy from the Citrix ADC Configuration Wizard (GUI), use the command policy spec below.
```
^(?!shell)(?!sftp)(?!scp)(?!batch)(?!source)(?!.*superuser)(?!.*nsroot)(?!install)(?!show\s+system\s+(user|cmdPolicy|file))(?!(set|add|rm|create|export|kill)\s+system)(?!(unbind|bind)\s+system\s+(user|group))(?!diff\s+ns\s+config)(?!(set|unset|add|rm|bind|unbind|switch)\s+ns\s+partition).*|(^install\s*(wi|wf))|(^\S+\s+system\s+file)
```
4. Bind the policy to the system user account using the following command:
```
bind system user cic cic-policy 0
```
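Before binding the policy, it is worth confirming what the `cic` account will and will not be able to run. The following Python script is an added example, not part of the chart or the Citrix documentation: it loads the command policy spec above (in its unescaped GUI form) into Python's `re` module and evaluates a set of constructed sample commands against it. The assumption is that `re` treats this pattern the same way the ADC's policy matcher does (start-anchored alternatives, negative lookaheads, `\s` and `\S`); the sample commands are constructed for illustration.

```python
import re

# The CIC command policy from the README in its unescaped (GUI) form.
# Assumption: Python's re behaves like the ADC's policy matcher for this
# pattern (start-anchored alternatives, negative lookaheads, \s and \S).
CIC_POLICY_SPEC = (
    r"^(?!shell)(?!sftp)(?!scp)(?!batch)(?!source)(?!.*superuser)(?!.*nsroot)"
    r"(?!install)(?!show\s+system\s+(user|cmdPolicy|file))"
    r"(?!(set|add|rm|create|export|kill)\s+system)"
    r"(?!(unbind|bind)\s+system\s+(user|group))(?!diff\s+ns\s+config)"
    r"(?!(set|unset|add|rm|bind|unbind|switch)\s+ns\s+partition).*"
    r"|(^install\s*(wi|wf))"
    r"|(^\S+\s+system\s+file)"
)
CIC_POLICY = re.compile(CIC_POLICY_SPEC)


def is_allowed(command: str) -> bool:
    """True when the ALLOW policy matches the command, i.e. the cic user may run it."""
    return CIC_POLICY.match(command) is not None


def evaluate(commands):
    """Map each command to its ALLOW (True) / DENY (False) verdict."""
    return {cmd: is_allowed(cmd) for cmd in commands}


# Constructed sample commands (not from the README): the operations the
# controller needs, followed by administrative commands the policy should
# keep out of reach of the controller's account.
SAMPLE_COMMANDS = [
    "add cs vserver web_cs HTTP 10.0.0.10 80",
    "add lb vserver web_lb HTTP 0.0.0.0 0",
    "add serviceGroup web_sg HTTP",
    "add ssl certKey web_cert -cert web.pem -key web.key",
    # upload of a certificate from a Kubernetes secret (third alternative)
    "add system file web.pem -fileContent Q0VSVA== -fileLocation /nsconfig/ssl",
    "save ns config",
    # expected to be denied by the negative lookaheads
    "shell",
    "add system user backdoor Passw0rd",
    "set system user nsroot NewPass",
    "show system user",
    "bind system user cic cic-policy 0",
    "diff ns config",
    "switch ns partition p1",
    # denied because the command text contains "nsroot" anywhere
    "add lb vserver nsroot_lb HTTP 10.0.0.11 80",
    # allowed: the file alternative matches any verb before "system file"
    "rm system file web.pem -fileLocation /nsconfig/ssl",
]

if __name__ == "__main__":
    for cmd, ok in evaluate(SAMPLE_COMMANDS).items():
        print(f"{'ALLOW' if ok else 'DENY':<5} {cmd}")
```

Extend `SAMPLE_COMMANDS` with the commands your own deployment issues and re-run the script whenever the policy is changed. Note the last sample: the clause that permits uploads matches any command of the form `<verb> system file`, so it covers listing and removing files as well as adding them.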
## Installing the Chart
Add the Citrix Ingress Controller helm chart repository using command:
```
helm repo add citrix https://citrix.github.io/citrix-helm-charts/
```
### For Kubernetes:
#### 1. Citrix Ingress Controller
To install the chart with the release name, `my-release`, use the following command:
```
helm install my-release citrix/citrix-ingress-controller --set nsIP=<NSIP>,license.accept=yes,adcCredentialSecret=<Secret-for-ADC-credentials>,ingressClass[0]=<ingressClassName>
```
> **Note:**
>
> By default the chart installs the recommended [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) roles and role bindings.
The command deploys Citrix ingress controller on Kubernetes cluster with the default configuration. The [configuration](#configuration) section lists the mandatory and optional parameters that you can configure during installation.
#### 2. Citrix Ingress Controller with Exporter
[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed along with Citrix ingress controller and collects metrics from the Citrix ADC instances. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana.
> **Note:**
> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator).
Use the following command for this:
```
helm install my-release citrix/citrix-ingress-controller --set nsIP=<NSIP>,license.accept=yes,adcCredentialSecret=<Secret-for-ADC-credentials>,ingressClass[0]=<ingressClassName>,exporter.required=true
```
### For Openshift:
Add the name of the service account created when the chart is deployed to the privileged Security Context Constraints of OpenShift:
```
oc adm policy add-scc-to-user privileged system:serviceaccount:<namespace>:<service-account-name>
```
#### 1. Citrix Ingress Controller
To install the chart with the release name, `my-release`, use the following command:
```
helm install my-release citrix/citrix-ingress-controller --set nsIP=<NSIP>,license.accept=yes,adcCredentialSecret=<Secret-for-ADC-credentials>,openshift=true
```
The command deploys Citrix ingress controller on your Openshift cluster in the default configuration. The [configuration](#configuration) section lists the mandatory and optional parameters that you can configure during installation.
#### 2. Citrix Ingress Controller with Exporter
[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed along with Citrix ingress controller and collects metrics from the Citrix ADC instances. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana.
> **Note:**
> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator)
Use the following command for this:
```
helm install my-release citrix/citrix-ingress-controller --set nsIP=<NSIP>,license.accept=yes,adcCredentialSecret=<Secret-for-ADC-credentials>,openshift=true,exporter.required=true
```
### Installed components
The following components are installed:
- [Citrix ingress controller](https://github.com/citrix/citrix-k8s-ingress-controller)
- [Exporter](https://github.com/citrix/citrix-adc-metrics-exporter) (if enabled)
## Configuration for ServiceGraph:
If Citrix ADC VPX/MPX needs to send data to Citrix ADM to bring up the servicegraph, follow the steps below to install Citrix ingress controller for Citrix ADC VPX/MPX. Citrix ingress controller configures Citrix ADC VPX/MPX with the configuration required for the servicegraph.
1. Create a secret using the Citrix ADC VPX credentials, which Citrix ingress controller will use to configure Citrix ADC VPX/MPX:
```
kubectl create secret generic nslogin --from-literal=username='cic' --from-literal=password='mypassword'
```
2. Deploy Citrix ingress controller using the following helm command:
```
helm install my-release citrix/citrix-ingress-controller --set nsIP=<NSIP>,nsVIP=<NSVIP>,license.accept=yes,adcCredentialSecret=<Secret-of-Citrix-ADC-credentials>,analyticsConfig.required=true,analyticsConfig.timeseries.metrics.enable=true,analyticsConfig.timeseries.port=5563,analyticsConfig.distributedTracing.enable=true,analyticsConfig.transactions.enable=true,analyticsConfig.transactions.port=5557,analyticsConfig.endpoint.server=<ADM-Agent-IP>
```
> **Note:**
> If container agent is being used here for Citrix ADM, please provide `podIP` of container agent in the `analyticsConfig.endpoint.server` parameter.
## CRDs configuration
CRDs can be installed or upgraded together with Citrix ingress controller by passing the `crds.install=true` parameter to Helm. If you do not want to install CRDs, set the option `crds.install` to `false`. By default, the CRDs are also deleted when you uninstall through Helm, which means that the CustomResource objects created by the customer are deleted too. If you want to avoid this data loss, set `crds.retainOnDelete` to `true`.
> **Note:**
> Installing again may fail due to the presence of CRDs. Make sure that you back up all CustomResource objects and clean up CRDs before re-installing Citrix Ingress Controller.
There are a few examples of how to use these CRDs in the [Example-CRDs](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds) folder. Refer to them and install as needed, using the following command:
```
kubectl create -f <crd-example.yaml>
```
### Details of the supported CRDs:
#### authpolicies CRD:
Authentication policies are used to enforce access restrictions to resources hosted by an application or an API server.
Citrix provides a Kubernetes CustomResourceDefinitions (CRDs) called the [Auth CRD](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/auth) that you can use with the Citrix ingress controller to define authentication policies on the ingress Citrix ADC.
Example file: [auth_example.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/auth_example.yaml)
#### continuousdeployments CRD for canary:
Canary release is a technique to reduce the risk of introducing a new software version in production by first rolling out the change to a small subset of users. After user validation, the application is rolled out to the larger set of users. Citrix ADC-Integrated [Canary Deployment solution](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/canary) stitches together all components of continuous delivery (CD) and makes canary deployment easier for the application developers.
#### httproutes and listeners CRDs for contentrouting:
[Content Routing (CR)](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/contentrouting) is the execution of defined rules that determine the placement and configuration of network traffic between users and web applications, based on the content being sent. For example, a pattern in the URL or header fields of the request.
Example files: [HTTPRoute_crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/HTTPRoute_crd.yaml), [Listener_crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/Listener_crd.yaml)
#### ratelimits CRD:
In a Kubernetes deployment, you can [rate limit the requests](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/ratelimit) to the resources on the back end server or services using rate limiting feature provided by the ingress Citrix ADC.
Example files: [ratelimit-example1.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/ratelimit-example1.yaml), [ratelimit-example2.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/ratelimit-example2.yaml)
#### vips CRD:
Citrix provides a CustomResourceDefinitions (CRD) called [VIP](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/vip) for asynchronous communication between the IPAM controller and Citrix ingress controller.
The IPAM controller is provided by Citrix for IP address management. It allocates an IP address to the service from a defined IP address range. The Citrix ingress controller configures the IP address allocated to the service as a virtual IP (VIP) in Citrix ADC VPX, and the service is exposed using that IP address.
When a new service is created, the Citrix ingress controller creates a CRD object for the service with an empty IP address field. The IPAM controller listens for addition, deletion, or modification of the CRD object and updates it with an IP address. Once the CRD object is updated, the Citrix ingress controller automatically applies the Citrix ADC-specific configuration in the tier-1 Citrix ADC VPX.
#### rewritepolicies CRD:
In a Kubernetes environment, deploying specific layer 7 policies to handle scenarios such as redirecting HTTP traffic to a specific URL, blocking a set of IP addresses to mitigate DDoS attacks, or enforcing HTTP to HTTPS requires you to add appropriate libraries within the microservices and manually configure the policies. Instead, you can use the [Rewrite and Responder features](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/crd/rewrite-responder-policies-deployment.yaml) provided by the Ingress Citrix ADC device to deploy these policies.
Example files: [target-url-rewrite.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/target-url-rewrite.yaml)
#### wafs CRD:
[WAF CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/waf.md) can be used to configure the web application firewall policies with the Citrix ingress controller on the Citrix ADC VPX, MPX, SDX, and CPX. The WAF CRD enables communication between the Citrix ingress controller and Citrix ADC for enforcing web application firewall policies.
In a Kubernetes deployment, you can enforce a web application firewall policy to protect the server using the WAF CRD. For more information about web application firewall, see [Web application security](https://docs.citrix.com/en-us/citrix-adc/13/application-firewall/introduction/web-application-security.html).
Example files: [wafhtmlxsssql.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/wafhtmlxsssql.yaml)
#### apigateway CRD:
The API Gateway CRD is used to configure the GitOps framework on the Citrix API gateway. This solution enables Citrix ingress controller to generate API gateway configurations from Open API Specification documents checked in to a git repository by API developers and designers.
Example files: [api-gateway-crd-instance.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/api-gateway-crd-instance.yaml)
#### bots CRD:
You can use the [Bot CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/bot.md) to configure bot management policies with the Citrix ingress controller on the Citrix ADC VPX. The Bot custom resource definition enables communication between the Citrix ingress controller and Citrix ADC for enforcing bot management policies.
In a Kubernetes deployment, you can enforce a bot management policy on the requests and responses from and to the server using the Bot CRD. For more information on security vulnerabilities, see [Bot Detection](https://docs.citrix.com/en-us/citrix-adc/current-release/bot-management/bot-detection.html).
Example files: [botallowlist.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/botallowlist.yaml)
#### CORS CRD:
[CORS CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/cors.md): Cross-origin resource sharing (CORS) is a mechanism that allows a web application running under one domain to securely access resources in another domain. You can configure CORS policies on Citrix ADC using Citrix ingress controller to allow one domain (the origin domain) to call APIs in another domain. For more information, see the [cross-origin resource sharing CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/cors.md) documentation.
Example files: [cors-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/corspolicy-example.yaml)
#### APPQOE CRD:
[APPQOE CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/appqoe.md): When a Citrix ADC appliance receives an HTTP request and forwards it to a back-end server, there may sometimes be connection failures with the back-end server. You can configure the request-retry feature on Citrix ADC to forward the request to the next available server instead of sending a reset to the client. The client thus saves a round trip when Citrix ADC initiates the same request to the next available service.
For more information, see the [AppQoE CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/appqoe.md) documentation.
Example files: [appqoe-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/appqoe_example.yaml)
#### WILDCARDDNS CRD:
[WILDCARDDNS CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/wildcarddns.md): Wildcard DNS domains are used to handle requests for nonexistent domains and subdomains. In a zone, use wildcard domains to redirect queries for all nonexistent domains or subdomains to a particular server, instead of creating a separate Resource Record (RR) for each domain. The most common use of a wildcard DNS domain is to create a zone that can be used to forward mail from the internet to some other mail system.
For more information, see the [Wildcard DNS Entry CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/wildcarddns.md) documentation.
Example files: [wildcarddns-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/wildcarddns-example.yaml)
### Tolerations
Taints are applied on cluster nodes, whereas tolerations are applied on pods. Tolerations enable pods to be scheduled on nodes with matching taints. For more information, see [Taints and Tolerations in Kubernetes](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/).
Tolerations can be applied to the Citrix ingress controller pod using the `tolerations` argument while deploying CIC with the helm chart. This argument takes the list of tolerations that the user needs to apply on the CIC pods.
For example, the following command can be used to apply a toleration on the CIC pod:
```
helm install my-release citrix/citrix-ingress-controller --set nsIP=<NSIP>,license.accept=yes,adcCredentialSecret=<Secret-for-ADC-credentials>,tolerations[0].key=<toleration-key>,tolerations[0].value=<toleration-value>,tolerations[0].operator=<toleration-operator>,tolerations[0].effect=<toleration-effect>
```
Here `tolerations[0].key`, `tolerations[0].value` and `tolerations[0].effect` are the key, value and effect that were used while tainting the node.
Effect represents what should happen to a pod that does not have a matching toleration. It can have the values `NoSchedule`, `NoExecute` and `PreferNoSchedule`.
Operator represents the operation used to compare key and value between the taint and the toleration. It can have the values `Exists` and `Equal`. The default value for operator is `Equal`.
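To see how the four `tolerations[0].*` values decide where the controller pod (which holds the ADC credentials) may run, here is an added Python model of the Kubernetes taint/toleration matching rule. It is not part of the chart; the `Taint` and `Toleration` classes, the node taints and the helper that renders the `--set` string are constructed for this example. The matching rule itself is the general Kubernetes one: the effect must match if the toleration names one, the key must match if it names one, `Exists` ignores the value, `Equal` compares it, and only `NoSchedule`/`NoExecute` taints block scheduling.

```python
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Taint:
    """A node taint as set with `kubectl taint nodes <node> key=value:effect` (constructed)."""
    key: str
    value: str
    effect: str  # NoSchedule, NoExecute or PreferNoSchedule


@dataclass(frozen=True)
class Toleration:
    """One entry of the chart's `tolerations` list (constructed model)."""
    key: str = ""
    value: str = ""
    operator: str = "Equal"  # chart default, as stated in the README
    effect: str = ""         # empty effect tolerates every effect of the key


def tolerates(tol: Toleration, taint: Taint) -> bool:
    """Kubernetes matching rule for a single toleration against a single taint."""
    if tol.effect and tol.effect != taint.effect:
        return False
    if tol.key and tol.key != taint.key:
        return False
    if tol.operator == "Exists":
        return True            # value is ignored; empty key + Exists matches any taint
    if tol.operator == "Equal":
        return tol.value == taint.value
    raise ValueError(f"unknown toleration operator {tol.operator!r}")


def can_schedule(tolerations: Iterable[Toleration], taints: Iterable[Taint]) -> bool:
    """True when every hard taint (NoSchedule/NoExecute) on the node is tolerated.
    PreferNoSchedule is a soft preference and never blocks the pod on its own."""
    tolerations = list(tolerations)
    hard = [t for t in taints if t.effect in ("NoSchedule", "NoExecute")]
    return all(any(tolerates(tol, t) for tol in tolerations) for t in hard)


def helm_set_args(tolerations: List[Toleration]) -> str:
    """Render tolerations in the `--set tolerations[i].key=...` form the README uses."""
    parts = []
    for i, tol in enumerate(tolerations):
        parts.append(f"tolerations[{i}].key={tol.key}")
        parts.append(f"tolerations[{i}].value={tol.value}")
        parts.append(f"tolerations[{i}].operator={tol.operator}")
        parts.append(f"tolerations[{i}].effect={tol.effect}")
    return ",".join(parts)


if __name__ == "__main__":
    # Constructed scenario: nodes reserved for ingress carry dedicated=ingress:NoSchedule.
    ingress_node = [Taint("dedicated", "ingress", "NoSchedule")]
    cic = [Toleration("dedicated", "ingress", "Equal", "NoSchedule")]
    print("CIC on ingress node:", can_schedule(cic, ingress_node))      # True
    print("--set", helm_set_args(cic))
    # A second hard taint the pod does not tolerate keeps it off the node.
    gpu_node = ingress_node + [Taint("gpu", "true", "NoExecute")]
    print("CIC on gpu node:", can_schedule(cic, gpu_node))              # False
```

A toleration that only names the key with `operator=Exists` admits the pod onto any node tainted with that key regardless of value; the `Equal` form is the tighter choice when several node pools share a key.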
### Configuration
The following table lists the mandatory and optional parameters that you can configure during installation:
| Parameters | Mandatory or Optional | Default value | Description |
| --------- | --------------------- | ------------- | ----------- |
| license.accept | Mandatory | no | Set `yes` to accept the CIC end user license agreement. |
| imageRegistry | Mandatory | `quay.io` | The Citrix ingress controller image registry |
| imageRepository | Mandatory | `citrix/citrix-k8s-ingress-controller` | The Citrix ingress controller image repository |
| imageTag | Mandatory | `1.27.15` | The Citrix ingress controller image tag |
| pullPolicy | Mandatory | IfNotPresent | The CIC image pull policy. |
| imagePullSecrets | Optional | N/A | Provide list of Kubernetes secrets to be used for pulling the images from a private Docker registry or repository. For more information on how to create this secret please see [Pull an Image from a Private Registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/). |
| nameOverride | Optional | N/A | String to partially override deployment fullname template with a string (will prepend the release name) |
| fullNameOverride | Optional | N/A | String to fully override deployment fullname template with a string |
| resources | Optional | {} | CPU/Memory resource requests/limits for Citrix Ingress Controller container |
| adcCredentialSecret | Mandatory | N/A | The secret key to log on to the Citrix ADC VPX or MPX. For information on how to create the secret keys, see [Prerequisites](#prerequisites). |
| secretStore.enabled | Optional | False | Set to "True" for deploying other Secret Provider classes |
| secretStore.username | Optional | N/A | if `secretStore.enabled`, `username` of ADC will be fetched from the Secret Provider |
| secretStore.password | Optional | N/A | if `secretStore.enabled`, `password` of ADC will be fetched from the Secret Provider |
| nsIP | Mandatory | N/A | The IP address of the Citrix ADC device. For details, see [Prerequisites](#prerequisites). |
| nsVIP | Optional | N/A | The Virtual IP address on the Citrix ADC device. |
| nsSNIPS | Optional | N/A | The list of subnet IPAddresses on the Citrix ADC device, which will be used to create PBR Routes instead of Static Routes [PBR support](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/docs/how-to/pbr.md) |
| nsPort | Optional | 443 | The port used by CIC to communicate with Citrix ADC. You can use port 80 for HTTP. |
| nsProtocol | Optional | HTTPS | The protocol used by CIC to communicate with Citrix ADC. You can also use HTTP on port 80. |
| nsEnableLabel | Optional | True | Set to true for plotting Servicegraph. Ensure that the `analyticsConfig` parameters are set. |
| nitroReadTimeout | Optional | 20 | The nitro Read timeout in seconds, defaults to 20 |
| logLevel | Optional | DEBUG | The loglevel to control the logs generated by CIC. The supported loglevels are: CRITICAL, ERROR, WARNING, INFO, DEBUG and TRACE. For more information, see [Logging](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/configure/log-levels.md).|
| jsonLog | Optional | false | Set this argument to true if log messages are required in JSON format |
| nsConfigDnsRec | Optional | false | To enable/disable DNS address Record addition in ADC through Ingress |
| nsSvcLbDnsRec | Optional | false | To enable/disable DNS address Record addition in ADC through Type Load Balancer Service |
| nsDnsNameserver | Optional | N/A | To add DNS Nameservers in ADC |
| optimizeEndpointBinding | Optional | false | To enable/disable binding of backend endpoints to servicegroup in a single API-call. Recommended when endpoints(pods) per application are large in number. Applicable only for Citrix ADC Version >=13.0-45.7 |
| kubernetesURL | Optional | N/A | The kube-apiserver url that CIC uses to register the events. If the value is not specified, CIC uses the [internal kube-apiserver IP address](https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod). |
| clusterName | Optional | N/A | The unique identifier of the kubernetes cluster on which the CIC is deployed. Used in multi-cluster deployments. |
| ingressClass | Optional | N/A | If multiple ingress load balancers are used to load balance different ingress resources, you can use this parameter to make CIC configure only the Citrix ADC associated with a specific ingress class. For more information on Ingress class, see [Ingress class support](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/configure/ingress-classes/). For Kubernetes version >= 1.19, this will create an IngressClass object with the name specified here |
| setAsDefaultIngressClass | Optional | False | Set the IngressClass object as default ingress class. New Ingresses without an "ingressClassName" field specified will be assigned the class specified in ingressClass. Applicable only for kubernetes versions >= 1.19 |
| serviceClass | Optional | N/A | By default the ingress controller configures all TypeLB Services on the ADC. You can use this parameter to fine-tune this behavior by specifying that CIC only configures TypeLB Services with a specific service class. For more information on Service class, see [Service class support](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/configure/service-classes/). |
| nodeWatch | Optional | false | Use the argument if you want to automatically configure network route from the Ingress Citrix ADC VPX or MPX to the pods in the Kubernetes cluster. For more information, see [Automatically configure route on the Citrix ADC instance](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/network/staticrouting/#automatically-configure-route-on-the-citrix-adc-instance). |
| cncPbr | Optional | False | Use this argument to inform CIC that Citrix Node Controller(CNC) is configuring Policy Based Routes(PBR) on the Citrix ADC. For more information, see [CNC-PBR-SUPPORT](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/docs/how-to/pbr.md#configure-pbr-using-the-citrix-node-controller) |
| defaultSSLCertSecret | Optional | N/A | Provide Kubernetes secret name that needs to be used as a default non-SNI certificate in Citrix ADC. |
| podIPsforServiceGroupMembers | Optional | False | By default Citrix Ingress Controller will add NodeIP and NodePort as service group members while configuring type LoadBalancer Services and NodePort services. This variable if set to `True` will change the behaviour to add pod IP and Pod port instead of nodeIP and nodePort. Users can set this to `True` if there is a route between ADC and K8s clusters internal pods either using feature-node-watch argument or using Citrix Node Controller. |
| ignoreNodeExternalIP | Optional | False | When adding NodeIPs as service group members for type LoadBalancer or NodePort services, Citrix Ingress Controller chooses the Node ExternalIP if available and the Node InternalIP otherwise. Some users may want to use the Node InternalIP even when a Node ExternalIP is present. If this variable is set to `True`, the Node InternalIP is used for service group members even if a Node ExternalIP is present |
| nsHTTP2ServerSide | Optional | OFF | Set this argument to `ON` for enabling HTTP2 for Citrix ADC service group configurations. |
| nsCookieVersion | Optional | 0 | Specify the persistence cookie version (0 or 1). |
| ipam | Optional | False | Set this argument if you want to use the IPAM controller to automatically allocate an IP address to the service of type LoadBalancer. |
| disableAPIServerCertVerify | Optional | False | Set this parameter to True for disabling API Server certificate verification. |
| logProxy | Optional | N/A | Provide Elasticsearch or Kafka or Zipkin endpoint for Citrix observability exporter. |
| entityPrefix | Optional | k8s | The prefix for the resources on the Citrix ADC VPX/MPX. |
| updateIngressStatus | Optional | True | Set this argument if the `Status.LoadBalancer.Ingress` field of the Ingress resources managed by the Citrix ingress controller needs to be updated with allocated IP addresses. For more information see [this](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/configure/ingress-classes.md#updating-the-ingress-status-for-the-ingress-resources-with-the-specified-ip-address). |
| routeLabels | Optional | N/A | You can use this parameter to provide the route labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster. |
| namespaceLabels | Optional | N/A | You can use this parameter to provide the namespace labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster. |
| podAnnotations | Optional | N/A | Map of annotations to add to the pods. |
| affinity | Optional | N/A | Affinity labels for pod assignment. |
| exporter.required | Optional | false | Use the argument, if you want to run the [Exporter for Citrix ADC Stats](https://github.com/citrix/citrix-adc-metrics-exporter) along with CIC to pull metrics for the Citrix ADC VPX or MPX|
| exporter.imageRegistry | Optional | `quay.io` | The Exporter for Citrix ADC Stats image registry |
| exporter.imageRepository | Optional | `citrix/citrix-adc-metrics-exporter` | The Exporter for Citrix ADC Stats image repository |
| exporter.imageTag | Optional | `1.4.9` | The Exporter for Citrix ADC Stats image tag |
| exporter.pullPolicy | Optional | IfNotPresent | The Exporter image pull policy. |
| exporter.ports.containerPort | Optional | 8888 | The Exporter container port. |
| exporter.resources | Optional | {} | CPU/Memory resource requests/limits for Metrics exporter container |
| exporter.extraVolumeMounts | Optional | [] | Specify the Additional VolumeMounts to be mounted in Exporter container. Specify the volumes in `extraVolumes` |
| openshift | Optional | false | Set this argument if OpenShift environment is being used. |
| disableOpenshiftRoutes | Optional | false | By default, OpenShift routes are processed in an OpenShift environment; this variable can be used to stop the ingress controller from processing OpenShift routes. |
| nodeSelector.key | Optional | N/A | Node label key to be used for nodeSelector option in CIC deployment. |
| nodeSelector.value | Optional | N/A | Node label value to be used for nodeSelector option in CIC deployment. |
| tolerations | Optional | N/A | Specify the tolerations for the CIC deployment. |
| crds.install | Optional | False | Unset this argument if you don't want to install CustomResourceDefinitions which are consumed by CIC. |
| crds.retainOnDelete | Optional | false | Set this argument if you want to retain CustomResourceDefinitions even after uninstalling CIC. This will avoid data-loss of Custom Resource Objects created before uninstallation. |
| analyticsConfig.required | Mandatory | false | Set this to true if you want to configure Citrix ADC to send metrics and transaction records to analytics. |
| analyticsConfig.distributedTracing.enable | Optional | false | Set this value to true to enable OpenTracing in Citrix ADC. |
| analyticsConfig.distributedTracing.samplingrate | Optional | 100 | Specifies the OpenTracing sampling rate in percentage. |
| analyticsConfig.endpoint.server | Optional | N/A | Set this value as the IP address or DNS address of the analytics server. |
| analyticsConfig.endpoint.service | Optional | N/A | Set this value as the IP address or service name with namespace of the analytics service deployed in k8s environment. Format: namespace/servicename |
| analyticsConfig.timeseries.port | Optional | 30002 | Specify the port used to expose analytics service outside cluster for timeseries endpoint. |
| analyticsConfig.timeseries.metrics.enable | Optional | False | Set this value to true to enable sending metrics from Citrix ADC. |
| analyticsConfig.timeseries.metrics.mode | Optional | avro | Specifies the mode of metric endpoint. |
| analyticsConfig.timeseries.auditlogs.enable | Optional | false | Set this value to true to export audit log data from Citrix ADC. |
| analyticsConfig.timeseries.events.enable | Optional | false | Set this value to true to export events from the Citrix ADC. |
| analyticsConfig.transactions.enable | Optional | false | Set this value to true to export transactions from Citrix ADC. |
| analyticsConfig.transactions.port | Optional | 30001 | Specify the port used to expose analytics service outside cluster for transaction endpoint. |
| nsLbHashAlgo.required | Optional | false | Set this value to set the LB consistent hashing Algorithm |
| nsLbHashAlgo.hashFingers | Optional | 256 | Specifies the number of fingers to be used for hashing algorithm. Possible values are from 1 to 1024, Default value is 256 |
| nsLbHashAlgo.hashAlgorithm | Optional | 'default' | Specifies the supported algorithm. Supported algorithms are "default", "jarh", "prac", Default value is 'default' |
| extraVolumeMounts | Optional | [] | Specify the Additional VolumeMounts to be mounted in CIC container |
| extraVolumes | Optional | [] | Specify the Additional Volumes for additional volumeMounts |
Alternatively, you can define a YAML file with the values for the parameters and pass the values while installing the chart.
For example:
```
helm install my-release citrix/citrix-ingress-controller -f values.yaml
```
> **Tip:**
>
> The [values.yaml](https://github.com/citrix/citrix-helm-charts/blob/master/citrix-ingress-controller/values.yaml) contains the default values of the parameters.
> **Note:**
>
> Please provide frontend-ip (VIP) in your application ingress yaml file. For more info refer [this](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/configure/annotations.md).
## Route Addition in MPX/VPX
For seamless functioning of services deployed in the Kubernetes cluster, it is essential that Ingress NetScaler device should be able to reach the underlying overlay network over which Pods are running.
`feature-node-watch` knob of Citrix Ingress Controller can be used for automatic route configuration on NetScaler towards the pod network. Refer [Static Route Configuration](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/staticrouting.md) for further details regarding the same.
By default, `feature-node-watch` is false. It needs to be explicitly set to true if auto route configuration is required.
This can also be achieved by deploying [Citrix Node Controller](https://github.com/citrix/citrix-k8s-node-controller).
If your deployment uses one single Citrix ADC Device to loadbalance between multiple k8s clusters, there is a possibilty of CNI subnets to overlap, causing the above mentioned static routing to fail due to route conflicts. In such deployments [Policy Based Routing(PBR)] (https://docs.citrix.com/en-us/citrix-adc/current-release/networking/ip-routing/configuring-policy-based-routes/configuring-policy-based-routes-pbrs-for-ipv4-traffic.html) can be used instead. This would require you to provide one or more subnet IP Addresses unique for each kubernetes cluster either via Environment variable or Configmap, see [PBR Support](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/docs/how-to/pbr.md)
Use the following command to provide subnet IPAddresses(SNIPs) to configure Policy Based Routes(PBR) on the Citrix ADC
```
helm install my-release citrix/citrix-ingress-controller --set nsIP=<NSIP>,license.accept=yes,adcCredentialSecret=<Secret-for-ADC-credentials>,nsSNIPS='[<NS_SNIP1>\, <NS_SNIP2>\, ...]'
```
[Citrix Node Controller](https://github.com/citrix/citrix-k8s-node-controller) by default also adds static routes while creating the VXLAN tunnel. To use [Policy Based Routing(PBR)] (https://docs.citrix.com/en-us/citrix-adc/current-release/networking/ip-routing/configuring-policy-based-routes/configuring-policy-based-routes-pbrs-for-ipv4-traffic.html) to avoid static route clash, both Citrix Node Controller and Citrix Ingress Controller has to work in conjunction and has to be started with specific arguments. For more details refer [CNC-PBR-SUPPORT](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/docs/how-to/pbr.md#configure-pbr-using-the-citrix-node-controller).
Use the following command to inform Citrix Ingress Controller that Citrix Node Controller is configuring Policy Based Routes(PBR) on the Citrix ADC
```
helm install my-release citrix/citrix-ingress-controller --set nsIP=<NSIP>,license.accept=yes,adcCredentialSecret=<Secret-for-ADC-credentials>,clusterName=<unique-cluster-identifier>,cncPbr=<True/False>
```
For configuring static routes manually on Citrix ADC VPX or MPX to reach the pods inside the cluster follow:
### For Kubernetes:
1. Obtain podCIDR using below options:
```
kubectl get nodes -o yaml | grep podCIDR
```
* podCIDR: 10.244.0.0/24
* podCIDR: 10.244.1.0/24
* podCIDR: 10.244.2.0/24
2. Log on to the Citrix ADC instance.
3. Add Route in Netscaler VPX/MPX
```
add route <podCIDR_network> <podCIDR_netmask> <node_HostIP>
```
4. Ensure that Ingress MPX/VPX has a SNIP present in the host-network (i.e. network over which K8S nodes communicate with each other. Usually eth0 IP is from this network).
Example:
* Node1 IP = 192.0.2.1
* podCIDR = 10.244.1.0/24
* add route 10.244.1.0 255.255.255.0 192.0.2.1
### For OpenShift:
1. Use the following command to get the information about host names, host IP addresses, and subnets for static route configuration.
```
oc get hostsubnet
```
2. Log on to the Citrix ADC instance.
3. Add the route on the Citrix ADC instance using the following command.
```add route <pod_network> <podCIDR_netmask> <gateway>```
4. Ensure that Ingress MPX/VPX has a SNIP present in the host-network (i.e. network over which OpenShift nodes communicate with each other. Usually eth0 IP is from this network).
For example, if the output of the `oc get hostsubnet` is as follows:
* oc get hostsubnet
NAME HOST HOST IP SUBNET
os.example.com os.example.com 192.0.2.1 10.1.1.0/24
* The required static route is as follows:
add route 10.1.1.0 255.255.255.0 192.0.2.1
## Uninstalling the Chart
To uninstall/delete the ```my-release``` deployment:
```
helm delete my-release
```
The command removes all the Kubernetes components associated with the chart and deletes the release.
## Related documentation
- [Citrix ingress controller Documentation](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/)
- [Citrix ingress controller GitHub](https://github.com/citrix/citrix-k8s-ingress-controller)
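Review bot: the two Policy Based Routing links in the route-addition section are broken markdown: `[Policy Based Routing(PBR)] (https://docs.citrix.com/...)` has a space between `]` and `(`, so the bracketed text renders literally and the URL is left dangling; drop the space in both places. The parameter table also disagrees with the values.yaml added in this same commit on `nsLbHashAlgo.hashAlgorithm` (table says the default is 'default', the file ships 'DEFAULT'), and the `crds.install` row reads "Unset this argument if you don't want to install" although its default is already False, so it should say "Set this to true to install". Minor: "possibilty" in the PBR paragraph, and step 3 of the OpenShift section puts `add route <pod_network> <podCIDR_netmask> <gateway>` in inline triple backticks instead of the fenced block the Kubernetes section uses.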

@ -0,0 +1,15 @@
Thank you for installing {{ .Chart.Name }}.
Your release is named {{ .Release.Name }}.
To learn more about the release, try:
$ helm status {{ .Release.Name }}
$ helm get {{ .Release.Name }}
To delete :
helm delete {{ .Release.Name }}
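Review bot: `helm get {{ .Release.Name }}` is not a valid Helm 3 invocation; `helm get` needs a subcommand, so the hint should read `helm get all {{ .Release.Name }}` (or `helm get values`). The `To delete :` line also drops the `$` prompt the two commands above it use and has a stray space before the colon.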

@ -0,0 +1,94 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Analytics Server IP or DNS
*/}}
{{- define "analytics.server" -}}
{{- if .Values.analyticsConfig.endpoint.server -}}
{{- printf .Values.analyticsConfig.endpoint.server -}}
{{- else -}}
{{- $addresses := first (first (lookup "v1" "Node" "" "").items).status.addresses -}}
{{- printf "%s" ($addresses).address -}}
{{- end -}}
{{- end -}}
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "citrix-ingress-controller.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "citrix-ingress-controller.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- define "exporter.fullname" -}}
{{- $name := default .Chart.Name "exporter" .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- define "servicemonitor.fullname" -}}
{{- $name := default .Chart.Name "citrix-adc-servicemonitor" .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- define "servicemonitorlabel" -}}
{{- $name := default .Chart.Name "citrix-adc-svcmon" .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- define "cicconfigmap.fullname" -}}
{{- $name := default .Chart.Name "cic-configmap" .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "citrix-ingress-controller.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "citrix-ingress-controller.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "citrix-ingress-controller.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}
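Review bot: `analytics.server` has two defects. `{{- printf .Values.analyticsConfig.endpoint.server -}}` uses a user-supplied value as the format string, so a server name containing `%` renders mangled; write `printf "%s"` as the fallback branch already does. The fallback `lookup "v1" "Node" "" ""` returns an empty result under `helm template`, `--dry-run`, or credentials without permission to list nodes, and `first` of that empty result is nil, so `.status.addresses` then aborts the render with an opaque error; guard the lookup with an `if` and otherwise fail with `required`, because silently exporting metrics and transaction records to whatever address the first node happens to report is not something an operator expects to be chosen for them. Separately, `default .Chart.Name "exporter" .Values.nameOverride` (and the three siblings below it) passes three arguments to `default`, which only inspects the first given value, so `$name` is always the literal and `nameOverride` is never honoured there; the duplicated vim modeline ahead of the chart-name helper can also go.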

File diff suppressed because it is too large
@ -0,0 +1,260 @@
{{- if .Values.openshift }}
apiVersion: apps.openshift.io/v1
kind: DeploymentConfig
{{- else }}
apiVersion: apps/v1
kind: Deployment
{{- end }}
metadata:
name: {{ include "citrix-ingress-controller.fullname" . }}
namespace: {{ .Release.Namespace }}
spec:
selector:
{{- if .Values.openshift }}
router: {{ include "citrix-ingress-controller.fullname" . }}
{{- else }}
matchLabels:
app: {{ include "citrix-ingress-controller.fullname" . }}
{{- end }}
replicas: 1
{{- if .Values.openshift }}
strategy:
resources: {}
rollingParams:
intervalSeconds: 1
maxSurge: 0
maxUnavailable: 25%
timeoutSeconds: 600
updatePeriodSeconds: 1
type: Rolling
{{- end }}
template:
metadata:
name: cic
labels:
{{- if .Values.openshift }}
router: {{ include "citrix-ingress-controller.fullname" . }}
{{- else }}
app: {{ include "citrix-ingress-controller.fullname" . }}
{{- end }}
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
serviceAccountName: {{ include "citrix-ingress-controller.serviceAccountName" . }}
containers:
- name: cic
image: "{{ tpl .Values.image . }}"
imagePullPolicy: {{ .Values.pullPolicy }}
args:
- --configmap
{{ .Release.Namespace }}/{{ include "cicconfigmap.fullname" . }}
{{- if .Values.defaultSSLCertSecret }}
- --default-ssl-certificate
{{ .Release.Namespace }}/{{ .Values.defaultSSLCertSecret }}
{{- end }}
{{- if .Values.ingressClass }}
- --ingress-classes
{{- range .Values.ingressClass}}
{{.}}
{{- end }}
{{- end }}
{{- if .Values.serviceClass }}
- --service-classes
{{- range .Values.serviceClass}}
{{.}}
{{- end }}
{{- end }}
- --feature-node-watch
{{ .Values.nodeWatch }}
- --enable-cnc-pbr
{{ .Values.cncPbr }}
{{- if .Values.ipam }}
- --ipam
citrix-ipam-controller
{{- end }}
{{- if .Values.disableAPIServerCertVerify }}
- --disable-apiserver-cert-verify
{{ .Values.disableAPIServerCertVerify }}
{{- end }}
{{- if .Values.updateIngressStatus }}
- --update-ingress-status
yes
{{- end }}
env:
- name: "NS_IP"
value: "{{ .Values.nsIP }}"
{{- if .Values.nsVIP }}
- name: "NS_VIP"
value: "{{ .Values.nsVIP }}"
{{- end }}
{{- if .Values.nitroReadTimeout }}
- name: "NS_NITRO_READ_TIMEOUT"
value: "{{ .Values.nitroReadTimeout }}"
{{- end }}
- name: "NS_USER"
{{- if and .Values.secretStore.enabled .Values.secretStore.username}}
{{- toYaml .Values.secretStore.username | nindent 10 }}
{{- else }}
valueFrom:
secretKeyRef:
name: {{ .Values.adcCredentialSecret }}
key: username
{{- end }}
- name: "NS_PASSWORD"
{{- if and .Values.secretStore.enabled .Values.secretStore.password}}
{{- toYaml .Values.secretStore.password | nindent 10 }}
{{- else }}
valueFrom:
secretKeyRef:
name: {{ .Values.adcCredentialSecret }}
key: password
{{- end }}
- name: "EULA"
value: "{{ .Values.license.accept }}"
{{- if and .Values.openshift .Values.routeLabels }}
- name: "ROUTE_LABELS"
value: {{ .Values.routeLabels | quote}}
{{- end }}
{{- if and .Values.openshift .Values.namespaceLabels }}
- name: "NAMESPACE_LABELS"
value: {{ .Values.namespaceLabels | quote }}
{{- end }}
- name: "NS_APPS_NAME_PREFIX"
value: {{ .Values.entityPrefix | default "k8s"}}
{{- if .Values.kubernetesURL }}
- name: "kubernetes_url"
value: "{{ .Values.kubernetesURL }}"
{{- end }}
{{- if .Values.clusterName }}
- name: "CLUSTER_NAME"
value: "{{ .Values.clusterName }}"
{{- end }}
{{- if .Values.logProxy }}
- name: "NS_LOGPROXY"
value: "{{ .Values.logProxy }}"
{{- end }}
{{- if .Values.disableOpenshiftRoutes }}
- name: "DISABLE_OPENSHIFT_ROUTES"
value: "{{ .Values.disableOpenshiftRoutes }}"
{{- end }}
{{- if .Values.nsConfigDnsRec }}
- name: "NS_CONFIG_DNS_REC"
value: "{{ .Values.nsConfigDnsRec }}"
{{- end }}
{{- if .Values.nsSvcLbDnsRec }}
- name: "NS_SVC_LB_DNS_REC"
value: "{{ .Values.nsSvcLbDnsRec }}"
{{- end }}
{{- if .Values.optimizeEndpointBinding }}
- name: "OPTIMIZE_ENDPOINT_BINDING"
value: "{{ .Values.optimizeEndpointBinding }}"
{{- end }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
{{- if ne (len .Values.extraVolumeMounts) 0 }}
volumeMounts:
{{- toYaml .Values.extraVolumeMounts | nindent 8 }}
{{- end }}
{{- if .Values.exporter.required }}
- name: exporter
image: "{{ tpl .Values.exporter.image . }}"
imagePullPolicy: {{ .Values.exporter.pullPolicy }}
args:
- "--target-nsip={{ .Values.nsIP }}"
- "--port={{ .Values.exporter.ports.containerPort }}"
env:
- name: "NS_USER"
{{- if and .Values.secretStore.enabled .Values.secretStore.username}}
{{- toYaml .Values.secretStore.username | nindent 10 }}
{{- else }}
valueFrom:
secretKeyRef:
name: {{ .Values.adcCredentialSecret }}
key: username
{{- end }}
- name: "NS_PASSWORD"
{{- if and .Values.secretStore.enabled .Values.secretStore.password}}
{{- toYaml .Values.secretStore.password | nindent 10 }}
{{- else }}
valueFrom:
secretKeyRef:
name: {{ .Values.adcCredentialSecret }}
key: password
{{- end }}
{{- if ne (len .Values.exporter.extraVolumeMounts) 0 }}
volumeMounts:
{{- toYaml .Values.exporter.extraVolumeMounts | nindent 8 }}
{{- end }}
securityContext:
readOnlyRootFilesystem: true
resources:
{{- toYaml .Values.exporter.resources | nindent 12 }}
{{- end }}
{{- if or (and .Values.extraVolumeMounts .Values.extraVolumes) (and .Values.exporter.extraVolumeMounts .Values.extraVolumes) }}
volumes:
{{- end }}
{{- if ne (len .Values.extraVolumes) 0 }}
{{ toYaml .Values.extraVolumes | indent 6 }}
{{- end }}
{{- if and .Values.nodeSelector.key .Values.nodeSelector.value }}
nodeSelector:
{{ .Values.nodeSelector.key }}: {{ .Values.nodeSelector.value }}
{{- end }}
{{- if .Values.tolerations }}
tolerations: {{ .Values.tolerations | toYaml | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
---
{{- if .Values.exporter.required }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "exporter.fullname" . }}
labels:
app: {{ include "exporter.fullname" . }}
service-type: {{ include "servicemonitorlabel" . }}
spec:
type: ClusterIP
ports:
- port: {{ .Values.exporter.ports.containerPort }}
targetPort: {{ .Values.exporter.ports.containerPort }}
name: exporter-port
selector:
{{- if .Values.openshift }}
router: {{ include "citrix-ingress-controller.fullname" . }}
{{- else }}
app: {{ include "citrix-ingress-controller.fullname" . }}
{{- end }}
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "servicemonitor.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
servicemonitor: citrix-adc
spec:
endpoints:
- interval: 30s
port: exporter-port
selector:
matchLabels:
service-type: {{ include "servicemonitorlabel" . }}
namespaceSelector:
matchNames:
- monitoring
- default
- {{ .Release.Namespace }}
{{- end }}
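Review bot: the `volumes:` key and its contents are emitted under different conditions: `volumes:` appears only when `extraVolumes` is paired with a non-empty `extraVolumeMounts` (for either container), but `{{ toYaml .Values.extraVolumes | indent 6 }}` is emitted whenever `extraVolumes` is non-empty on its own, so setting `extraVolumes` without any mounts renders a bare sequence under `spec:` and the manifest fails to parse. Use one condition for both, e.g. `{{- with .Values.extraVolumes }}` wrapping the key and `nindent` for the items. Also the `cic` container carries no `securityContext` at all, while the exporter at least sets `readOnlyRootFilesystem: true`; since this pod holds the ADC login in `NS_USER`/`NS_PASSWORD` and a ClusterRole that can read secrets, add `runAsNonRoot: true` and `allowPrivilegeEscalation: false` (plus `readOnlyRootFilesystem` if the image tolerates it) or expose a `securityContext` value so operators can.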

@ -0,0 +1,60 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "cicconfigmap.fullname" . }}
namespace: {{ .Release.Namespace }}
data:
LOGLEVEL: {{ .Values.logLevel | quote | lower }}
JSONLOG: {{ .Values.jsonLog | quote | lower }}
NS_PROTOCOL: {{ .Values.nsProtocol | quote | lower }}
NS_PORT: {{ .Values.nsPort | quote }}
{{- if .Values.nsSNIPS }}
NS_SNIPS: {{ .Values.nsSNIPS | toJson}}
{{- end }}
{{- if and .Values.analyticsConfig.required .Values.nsEnableLabel }}
NS_ENABLE_LABELS: {{ .Values.nsEnableLabel | quote}}
{{- end }}
{{- if .Values.podIPsforServiceGroupMembers }}
POD_IPS_FOR_SERVICEGROUP_MEMBERS: {{ .Values.podIPsforServiceGroupMembers | quote }}
{{- end }}
{{- if .Values.ignoreNodeExternalIP }}
IGNORE_NODE_EXTERNAL_IP: {{ .Values.ignoreNodeExternalIP | quote }}
{{- end }}
{{- if ne (upper .Values.nsHTTP2ServerSide) "OFF" }}
NS_HTTP2_SERVER_SIDE: {{ .Values.nsHTTP2ServerSide | quote }}
{{- end }}
{{- if ne (toString .Values.nsCookieVersion) "0" }}
NS_COOKIE_VERSION: {{ .Values.nsCookieVersion | quote }}
{{- end }}
{{- if .Values.nsDnsNameserver }}
NS_DNS_NAMESERVER: {{ .Values.nsDnsNameserver }}
{{- end }}
{{- if .Values.analyticsConfig.required }}
NS_ANALYTICS_CONFIG: |
distributed_tracing:
enable: {{ .Values.analyticsConfig.distributedTracing.enable | quote }}
samplingrate: {{ .Values.analyticsConfig.distributedTracing.samplingrate }}
endpoint:
server: {{ include "analytics.server" . | quote }}
service: {{ .Values.analyticsConfig.endpoint.service | quote }}
timeseries:
port: {{ .Values.analyticsConfig.timeseries.port }}
metrics:
enable: {{ .Values.analyticsConfig.timeseries.metrics.enable | quote }}
mode: {{ .Values.analyticsConfig.timeseries.metrics.mode | quote }}
auditlogs:
enable: {{ .Values.analyticsConfig.timeseries.auditlogs.enable | quote }}
events:
enable: {{ .Values.analyticsConfig.timeseries.events.enable | quote }}
transactions:
enable: {{ .Values.analyticsConfig.transactions.enable | quote }}
port: {{ .Values.analyticsConfig.transactions.port }}
{{- end }}
{{- if .Values.nsLbHashAlgo.required }}
NS_LB_HASH_ALGO: |
hashFingers: {{ .Values.nsLbHashAlgo.hashFingers }}
hashAlgorithm: {{ .Values.nsLbHashAlgo.hashAlgorithm | quote }}
{{- end }}
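Review bot: `NS_SNIPS: {{ .Values.nsSNIPS | toJson}}` yields a string only when `nsSNIPS` is itself the bracketed string the README passes with `--set`; if a user writes a YAML list under `nsSNIPS:` in values.yaml, `toJson` renders a flow sequence and the API server rejects the ConfigMap because `data` values must be strings. Either document the expected string form next to `nsSNIPS:` in values.yaml or normalise the rendered value to a string in the template. `NS_DNS_NAMESERVER: {{ .Values.nsDnsNameserver }}` is likewise the only unquoted entry in this map; pass it through `quote` like its neighbours so a numeric-looking value cannot change type.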

@ -0,0 +1,18 @@
{{- $default := .Values.setAsDefaultIngressClass -}}
{{- if semverCompare ">=1.19.0-0" .Capabilities.KubeVersion.GitVersion }}
{{- if .Values.ingressClass }}
{{- range .Values.ingressClass }}
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
name: {{ . | quote }}
{{- if $default }}
annotations:
ingressclass.kubernetes.io/is-default-class: "true"
{{- end }}
spec:
controller: citrix.com/ingress-controller
---
{{- end }}
{{- end }}
{{- end }}
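Review bot: when `setAsDefaultIngressClass` is true the `ingressclass.kubernetes.io/is-default-class` annotation is applied to every entry in `.Values.ingressClass`, so listing more than one class creates multiple default IngressClasses and the API server then refuses to admit Ingress objects that omit `ingressClassName`. Apply the annotation to the first entry only, or `fail` the render with a clear message when the flag is combined with more than one class. The `---` after each object also leaves an empty trailing document; emitting the separator before each object avoids that.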

@ -0,0 +1,89 @@
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ include "citrix-ingress-controller.serviceAccountName" . }}
rules:
- apiGroups: [""]
{{- if .Values.openshift }}
resources: ["endpoints", "pods", "secrets", "routes", "tokenreviews", "subjectaccessreviews", "nodes", "namespaces", "configmaps", "services"]
{{- else }}
resources: ["endpoints", "pods", "secrets", "routes", "nodes", "namespaces", "configmaps", "services"]
{{- end }}
verbs: ["get", "list", "watch"]
# services/status is needed to update the loadbalancer IP in service status for integrating
# service of type LoadBalancer with external-dns
- apiGroups: [""]
resources: ["services/status"]
verbs: ["patch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create"]
- apiGroups: ["extensions", "networking.k8s.io"]
resources: ["ingresses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["extensions","networking.k8s.io"]
resources: ["ingresses/status"]
verbs: ["patch"]
- apiGroups: ["networking.k8s.io"]
resources: ["ingressclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
resources: ["deployments"]
verbs: ["get", "list", "watch"]
- apiGroups: ["citrix.com"]
resources: ["rewritepolicies", "continuousdeployments", "authpolicies", "ratelimits", "listeners", "httproutes", "wafs", "apigatewaypolicies", "bots", "corspolicies", "appqoepolicies", "wildcarddnsentries"]
verbs: ["get", "list", "watch", "create", "delete", "patch"]
- apiGroups: ["citrix.com"]
resources: ["rewritepolicies/status", "continuousdeployments/status", "authpolicies/status", "ratelimits/status", "listeners/status", "httproutes/status", "wafs/status", "apigatewaypolicies/status", "bots/status", "corspolicies/status", "appqoepolicies/status", "wildcarddnsentries/status"]
verbs: ["patch"]
- apiGroups: ["citrix.com"]
resources: ["vips"]
verbs: ["get", "list", "watch", "create", "delete"]
- apiGroups: ["crd.projectcalico.org"]
resources: ["ipamblocks"]
verbs: ["get", "list", "watch"]
{{- if .Values.openshift }}
- apiGroups: ["route.openshift.io"]
resources: ["routes"]
verbs: ["get", "list", "watch"]
- apiGroups: ["network.openshift.io"]
resources: ["hostsubnets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["config.openshift.io"]
resources: ["networks"]
verbs: ["get", "list"]
{{- end }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ include "citrix-ingress-controller.serviceAccountName" . }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "citrix-ingress-controller.serviceAccountName" . }}
subjects:
- kind: ServiceAccount
name: {{ include "citrix-ingress-controller.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "citrix-ingress-controller.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.imagePullSecrets }}
- name: {{.}}
{{- end }}
{{- end }}
---
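Review bot: the first rule lists `routes`, `tokenreviews` and `subjectaccessreviews` under `apiGroups: [""]`, but none of those are core-group resources (`route.openshift.io`, `authentication.k8s.io` and `authorization.k8s.io` respectively), so those entries grant nothing and the OpenShift route access actually comes from the `route.openshift.io` rule further down; drop them from the core rule and, if the controller really performs token or access reviews, add `create` on the correct groups instead. Separately, this is a ClusterRole with `get/list/watch` on `secrets` in every namespace; that is the usual shape for an ingress controller that consumes TLS secrets, but it belongs in the README so operators know the service account can read every Secret in the cluster and can decide whether to scope it.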

@ -0,0 +1,177 @@
# Default values for citrix-ingress-controller.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
# Citrix Ingress Controller config details
imageRegistry: quay.io
imageRepository: citrix/citrix-k8s-ingress-controller
imageTag: 1.27.15
image: "{{ .Values.imageRegistry }}/{{ .Values.imageRepository }}:{{ .Values.imageTag }}"
pullPolicy: IfNotPresent
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
openshift: false
adcCredentialSecret: # K8s Secret Name
# Enable secretStore to implement CSI Secret Provider classes for holding the nslogin credentials
secretStore:
enabled: false
username: {}
#valueFrom:
# configMapKeyRef:
# name: test1
# key: username
password: {}
#valueFrom:
# configMapKeyRef:
# name: test1
# key: password
nsIP: x.x.x.x
nsVIP:
nsSNIPS:
license:
accept: no
nsPort: 443
nsProtocol: HTTPS
nsEnableLabel: true
# nitroReadTimeout is timeout value in seconds for nitro api read timeout(default is 20)
nitroReadTimeout:
logLevel: INFO
jsonLog: false
entityPrefix:
kubernetesURL:
clusterName:
ingressClass:
setAsDefaultIngressClass: False
serviceClass:
defaultSSLCertSecret:
podIPsforServiceGroupMembers: False
ignoreNodeExternalIP: False
ipam: False
# API server Cert verification can be disabled, while communicating with API Server, if disableAPIServerCertVerify set to True
disableAPIServerCertVerify: False
logProxy:
nodeWatch: false
cncPbr: False
nodeSelector:
key:
value:
tolerations: []
updateIngressStatus: True
nsHTTP2ServerSide: "OFF"
nsCookieVersion: "0"
nsConfigDnsRec:
nsSvcLbDnsRec:
nsDnsNameserver:
optimizeEndpointBinding:
routeLabels:
namespaceLabels:
disableOpenshiftRoutes:
# Exporter config details
exporter:
required: false
imageRegistry: quay.io
imageRepository: citrix/citrix-adc-metrics-exporter
imageTag: 1.4.9
image: "{{ .Values.exporter.imageRegistry }}/{{ .Values.exporter.imageRepository }}:{{ .Values.exporter.imageTag }}"
pullPolicy: IfNotPresent
ports:
containerPort: 8888
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
extraVolumeMounts: []
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user.
#- name: github-key
# mountPath: /etc/config/keys/
# readOnly: true
#- name: agent-init-scripts
# mountPath: /docker-entrypoint.d/
# For CRDs supported by Citrix Ingress Controller
crds:
install: false
retainOnDelete: false
# Config required to be done by Citrix Ingress Controller for sending metrics to Citrix Observability Exporter
analyticsConfig:
required: false
distributedTracing:
enable: false
samplingrate: 100
endpoint:
server:
service:
timeseries:
port: 30002
metrics:
enable: false
mode: 'avro'
auditlogs:
enable: false
events:
enable: false
transactions:
enable: false
port: 30001
nsLbHashAlgo:
required: false
hashFingers: 256
hashAlgorithm: 'DEFAULT'
# Specifies whether a ServiceAccount should be created
serviceAccount:
create: true
# The name of the ServiceAccount to use.
# If not set and `create` is true, a name is generated using the fullname template
# name:
podAnnotations: {}
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# Following values depends on no of ingresses configured by Ingress Controllers, so it is
# advised to test with maximum no of ingresses to set these values.
# limits:
# cpu: 1000m
# memory: 1000Mi
# requests:
# cpu: 500m
# memory: 500Mi
affinity: {}
extraVolumeMounts: []
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user.
#- name: github-key
# mountPath: /etc/config/keys/
# readOnly: true
#- name: agent-init-scripts
# mountPath: /docker-entrypoint.d/
extraVolumes: []
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user.
#- name: agent-init-scripts
# configMap:
# name: agent-init-scripts
# defaultMode: 0755
#- name: github-key
# secret:
# secretName: github-key
# defaultMode: 0744
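Review bot: `nsIP: x.x.x.x` and an empty `adcCredentialSecret:` ship as defaults, yet the deployment template renders them straight into `NS_IP` and `secretKeyRef.name`, so a bare `helm install` produces a pod that targets a placeholder address and references a Secret named `null`; wrap both in `required` in the template (or reject the placeholder explicitly) so the mistake surfaces at render time rather than as a crash-looping controller. `nsLbHashAlgo.hashAlgorithm: 'DEFAULT'` also disagrees with the README's documented default 'default', and the value is passed through `quote` unchanged, so one of the two should be corrected. The comment block under `extraVolumeMounts` and `extraVolumes` ("We usually recommend not to specify default resources...") is copied from `resources:` and does not describe those keys.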

@ -2010,6 +2010,31 @@ entries:
- assets/codefresh/cf-runtime-0.1.401.tgz
version: 0.1.401
citrix-adc-istio-ingress-gateway:
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Citrix Adc Istio Ingress Gateway
catalog.cattle.io/kube-version: '>=v1.16.0-0'
catalog.cattle.io/release-name: citrix-adc-istio-ingress-gateway
apiVersion: v2
appVersion: 1.14.0
created: "2022-12-01T23:59:01.209934-05:00"
description: A Helm chart for Citrix ADC as Ingress Gateway installation in Istio
Service Mesh on Kubernetes platform
digest: 97fbe0c1968d5125c060b8ce706c743da4be20273c5ace5f2c9eeb8477cf2bcf
home: https://www.citrix.com
icon: https://raw.githubusercontent.com/citrix/citrix-helm-charts/gh-pages/icon.png
kubeVersion: '>=v1.16.0-0'
maintainers:
- email: dhiraj.gedam@citrix.com
name: dheerajng
- email: subash.dangol@citrix.com
name: subashd
name: citrix-adc-istio-ingress-gateway
sources:
- https://github.com/citrix/citrix-xds-adaptor
urls:
- assets/citrix/citrix-adc-istio-ingress-gateway-1.14.0.tgz
version: 1.14.0
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Citrix Adc Istio Ingress Gateway
@ -2034,7 +2059,7 @@ entries:
sources:
- https://github.com/citrix/citrix-xds-adaptor
urls:
- assets/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway-1.11.1.tgz
- assets/citrix/citrix-adc-istio-ingress-gateway-1.11.1.tgz
version: 1.11.1
- annotations:
catalog.cattle.io/certified: partner
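Review bot: the tarball URL for an already-published version moves from `assets/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway-1.11.1.tgz` to `assets/citrix/citrix-adc-istio-ingress-gateway-1.11.1.tgz`; any client that cached the previous index.yaml will keep requesting the old path, so either leave the old tarballs in place alongside the new ones or confirm the repository serves the old path. The same applies to every other renamed `urls` entry in this file.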
@ -2060,7 +2085,7 @@ entries:
sources:
- https://github.com/citrix/citrix-xds-adaptor
urls:
- assets/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway-1.11.0.tgz
- assets/citrix/citrix-adc-istio-ingress-gateway-1.11.0.tgz
version: 1.11.0
- annotations:
catalog.cattle.io/certified: partner
@ -2082,9 +2107,34 @@ entries:
sources:
- https://github.com/citrix/citrix-istio-adaptor
urls:
- assets/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway-1.2.100.tgz
- assets/citrix/citrix-adc-istio-ingress-gateway-1.2.100.tgz
version: 1.2.100
citrix-cpx-istio-sidecar-injector:
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Citrix Cpx Istio Sidecar Injector
catalog.cattle.io/kube-version: '>=v1.16.0-0'
catalog.cattle.io/release-name: citrix-cpx-istio-sidecar-injector
apiVersion: v2
appVersion: 1.14.1
created: "2022-12-01T23:59:01.212143-05:00"
description: A Helm chart to deploy resources which install Citrix ADC CPX in
Istio Service Mesh as sidecar in application pod
digest: 3f47026101ddc3f23ad6e9d7b15137aa8ac9c474bb066c4cc78c886b32ee44bd
home: https://www.citrix.com
icon: https://raw.githubusercontent.com/citrix/citrix-helm-charts/gh-pages/icon.png
kubeVersion: '>=v1.16.0-0'
maintainers:
- email: dhiraj.gedam@citrix.com
name: dheerajng
- email: subash.dangol@citrix.com
name: subashd
name: citrix-cpx-istio-sidecar-injector
sources:
- https://github.com/citrix/citrix-xds-adaptor
urls:
- assets/citrix/citrix-cpx-istio-sidecar-injector-1.14.1.tgz
version: 1.14.1
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Citrix Cpx Istio Sidecar Injector
@ -2109,7 +2159,7 @@ entries:
sources:
- https://github.com/citrix/citrix-xds-adaptor
urls:
- assets/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector-1.11.1.tgz
- assets/citrix/citrix-cpx-istio-sidecar-injector-1.11.1.tgz
version: 1.11.1
- annotations:
catalog.cattle.io/certified: partner
@ -2135,9 +2185,34 @@ entries:
sources:
- https://github.com/citrix/citrix-xds-adaptor
urls:
- assets/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector-1.11.0.tgz
- assets/citrix/citrix-cpx-istio-sidecar-injector-1.11.0.tgz
version: 1.11.0
citrix-cpx-with-ingress-controller:
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Citrix Cpx with Ingress Controller
catalog.cattle.io/kube-version: '>=v1.16.0-0'
catalog.cattle.io/release-name: citrix-cpx-with-ingress-controller
apiVersion: v2
appVersion: 1.27.15
created: "2022-12-01T23:59:01.213129-05:00"
description: A Helm chart for Citrix ADC CPX with Citrix ingress Controller running
as sidecar.
digest: cdd942918f67ddbae6aaabd7fbbcc51f0435351f12c2225b45f6c380bff8d54a
home: https://www.citrix.com
icon: https://raw.githubusercontent.com/citrix/citrix-helm-charts/gh-pages/icon.png
kubeVersion: '>=v1.16.0-0'
maintainers:
- email: priyanka.sharma@citrix.com
name: priyankash-citrix
- email: subash.dangol@citrix.com
name: subashd
name: citrix-cpx-with-ingress-controller
sources:
- https://github.com/citrix/citrix-k8s-ingress-controller
urls:
- assets/citrix/citrix-cpx-with-ingress-controller-1.27.15.tgz
version: 1.27.15
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/release-name: citrix-cpx-with-ingress-controller
@ -2158,9 +2233,33 @@ entries:
sources:
- https://github.com/citrix/citrix-k8s-ingress-controller
urls:
- assets/citrix-cpx-with-ingress-controller/citrix-cpx-with-ingress-controller-1.8.2800.tgz
- assets/citrix/citrix-cpx-with-ingress-controller-1.8.2800.tgz
version: 1.8.2800
citrix-ingress-controller:
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Citrix Ingress Controller
catalog.cattle.io/kube-version: '>=v1.16.0-0'
catalog.cattle.io/release-name: citrix-ingress-controller
apiVersion: v2
appVersion: 1.27.15
created: "2022-12-01T23:59:01.21585-05:00"
description: A Helm chart for Citrix Ingress Controller configuring MPX/VPX.
digest: 236a9b2e391bf5a89d0e77ebf8f5af174421ed0c81dabea2268f50d6b66d935a
home: https://www.citrix.com
icon: https://raw.githubusercontent.com/citrix/citrix-helm-charts/gh-pages/icon.png
kubeVersion: '>=v1.16.0-0'
maintainers:
- email: priyanka.sharma@citrix.com
name: priyankash-citrix
- email: subash.dangol@citrix.com
name: subashd
name: citrix-ingress-controller
sources:
- https://github.com/citrix/citrix-k8s-ingress-controller
urls:
- assets/citrix/citrix-ingress-controller-1.27.15.tgz
version: 1.27.15
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Citrix Ingress Controller
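Review bot: the new citrix-cpx-with-ingress-controller and citrix-ingress-controller entries are published under the upstream version 1.27.15 instead of the suffixed scheme the older entries use (1.8.2800, 1.19.600), so the semver ordering deserves an explicit check before merging: 1.27.15 sorts above both 1.8.2800 and 1.19.600 because the minor version wins, so `helm upgrade` and the Rancher catalog will resolve to the new entries, but the two schemes now coexist in one index and any future Rancher-side repackage of an upstream version can no longer use a patch suffix without overtaking upstream's next release (1.27.1500 would sort above 1.27.16). State the new versioning rule in the commit or the package README so the next person does not reintroduce the suffix.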
@ -2182,7 +2281,7 @@ entries:
sources:
- https://github.com/citrix/citrix-k8s-ingress-controller
urls:
- assets/citrix-ingress-controller/citrix-ingress-controller-1.19.600.tgz
- assets/citrix/citrix-ingress-controller-1.19.600.tgz
version: 1.19.600
cloudcasa:
- annotations:

View File

@ -1,24 +0,0 @@
--- charts-original/Chart.yaml
+++ charts/Chart.yaml
@@ -1,10 +1,14 @@
+annotations:
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/display-name: Citrix Adc Istio Ingress Gateway
+ catalog.cattle.io/release-name: citrix-adc-istio-ingress-gateway
apiVersion: v2
appVersion: "1.11.0"
kubeVersion: ">=v1.16.0-0"
description: A Helm chart for Citrix ADC as Ingress Gateway installation in Istio Service Mesh on Kubernetes platform
name: citrix-adc-istio-ingress-gateway
version: 1.11.0
-icon: https://raw.githubusercontent.com/citrix/citrix-helm-charts/gh-pages/icon.png
+icon: https://raw.githubusercontent.com/citrix/citrix-xds-adaptor/master/docs/media/Citrix_Logo_Trademark.png
home: https://www.citrix.com
sources:
- https://github.com/citrix/citrix-xds-adaptor
@@ -13,3 +17,5 @@
email: dhiraj.gedam@citrix.com
- name: subashd
email: subash.dangol@citrix.com
+- name: ajeetas
+ email: ajeeta.shaket@citrix.com
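Review bot: removing this overlay silently reverts two downstream changes, the icon (the xds-adaptor logo goes back to the gh-pages icon, which the regenerated index entries above indeed use) and the extra maintainer `ajeetas` that the overlay appended; confirm that maintainer now exists in the upstream Chart.yaml or that dropping it is intended. The overlay also spelled the address `ajeeta.shaket@citrix.com` here and `ajeeta.shakeet@citrix.com` in the sidecar-injector patch below, so at least one copy was wrong, which is itself a good reason not to carry contact data in a downstream patch.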

@ -1,11 +0,0 @@
--- charts-original/values.yaml
+++ charts/values.yaml
@@ -48,7 +48,7 @@
mgmtHttpsPort: 10443
httpNodePort: 30180
httpsNodePort: 31443
- nodePortRequired: false
+ nodePortRequired: true
lightWeightCPX: 1
secretVolumes:
#licenseServerIP: this value will be taken from ADMSettings.ADMIP
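Review bot: deleting this patch flips the packaged default of nodePortRequired from true back to the upstream false, a behaviour change for anyone who installed the Rancher-packaged ingress gateway and relied on httpNodePort 30180 / httpsNodePort 31443 being opened without setting anything, and neither the commit message nor the chart text mentions it. Call it out in the release notes and tell affected users to set nodePortRequired=true explicitly on upgrade; the upstream default (no NodePort unless asked for) is the safer one, so the reversal should stand, it just needs to be documented rather than discovered.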

@ -1,4 +0,0 @@
url: https://github.com/citrix/citrix-helm-charts.git
subdirectory: citrix-adc-istio-ingress-gateway
commit: c34bc90141ad8fb2809610ee9d7cb55c90aa6e08
packageVersion: 01

@ -1,24 +0,0 @@
--- charts-original/Chart.yaml
+++ charts/Chart.yaml
@@ -1,10 +1,14 @@
+annotations:
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/display-name: Citrix Cpx Istio Sidecar Injector
+ catalog.cattle.io/release-name: citrix-cpx-istio-sidecar-injector
apiVersion: v2
appVersion: "1.11.0"
kubeVersion: ">=v1.16.0-0"
description: A Helm chart to deploy resources which install Citrix ADC CPX in Istio Service Mesh as sidecar in application pod
name: citrix-cpx-istio-sidecar-injector
version: 1.11.0
-icon: https://raw.githubusercontent.com/citrix/citrix-helm-charts/gh-pages/icon.png
+icon: https://raw.githubusercontent.com/citrix/citrix-xds-adaptor/master/docs/media/Citrix_Logo_Trademark.png
home: https://www.citrix.com
sources:
- https://github.com/citrix/citrix-xds-adaptor
@@ -13,3 +17,5 @@
email: dhiraj.gedam@citrix.com
- name: subashd
email: subash.dangol@citrix.com
+- name: ajeetas
+ email: ajeeta.shakeet@citrix.com

@ -1,11 +0,0 @@
--- charts-original/README.md
+++ charts/README.md
@@ -163,7 +163,7 @@
helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES --set ADMSettings.ADMIP=<ADM-Agent-IP>
> **Note:**
-> If container agent is being used here for Citrix ADM, specify `serviceIP` of container agent in the `ADMSettings.ADMIP` parameter.
+> If container agent is being used here for Citrix ADM, specify `PodIP` of container agent in the `ADMSettings.ADMIP` parameter.
## <a name="generate-certificate-for-application">Generate Certificate for Application </a>
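Review bot: the documentation fix this patch carried (the ADMSettings.ADMIP note should refer to the container agent's PodIP, not its serviceIP) is lost once the upstream README is consumed unmodified; verify that the upstream README now says PodIP, or send the one-line change upstream, since the two addresses are not interchangeable and a user following the old wording will configure the CPX sidecars against the wrong one. If the upstream text is already correct, say so in the commit message so the deletion is traceable.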

@ -1,4 +0,0 @@
url: https://github.com/citrix/citrix-helm-charts.git
subdirectory: citrix-cpx-istio-sidecar-injector
commit: c34bc90141ad8fb2809610ee9d7cb55c90aa6e08
packageVersion: 01

@ -1,9 +0,0 @@
--- charts-original/Chart.yaml
+++ charts/Chart.yaml
@@ -13,3 +13,6 @@
sources:
- https://github.com/citrix/citrix-k8s-ingress-controller
version: 1.8.28
+annotations:
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/release-name: citrix-cpx-with-ingress-controller

@ -1,11 +0,0 @@
--- charts-original/README.md
+++ charts/README.md
@@ -187,7 +187,7 @@
| ADMSettings.cpxCores | Optional | 1 | Desired number of vCPU to be set for Citrix ADC CPX. |
| exporter.required | Optional | false | Use the argument if you want to run the [Exporter for Citrix ADC Stats](https://github.com/citrix/citrix-adc-metrics-exporter) along with Citrix ingress controller to pull metrics for the Citrix ADC CPX|
-| exporter.image | Optional | `quay.io/citrix/citrix-adc-metrics-exporter:1.4.4` | The Exporter for Citrix ADC Stats image. |
+| exporter.image | Optional | `quay.io/citrix/citrix-adc-metrics-exporter:1.4.5` | The Exporter for Citrix ADC Stats image. |
| exporter.pullPolicy | Optional | IfNotPresent | The Exporter for Citrix ADC Stats image pull policy. |
| exporter.ports.containerPort | Optional | 8888 | The Exporter for Citrix ADC Stats container port. |
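Review bot: the exporter image bump in this README table (citrix-adc-metrics-exporter 1.4.4 to 1.4.5) is dropped with the overlay, but the same default is stated in two other files added by this commit and they disagree: the cpx-with-ingress-controller questions.yaml defaults exporter.image to 1.4.5 while the citrix-ingress-controller questions.yaml defaults it to 1.4.9. Whichever tag the upstream values.yaml pins should be the only one the catalog shows; a questions.yaml default that drifts from values.yaml means a Rancher UI install runs a different image than a plain `helm install` of the same chart version.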

@ -1,2 +0,0 @@
url: https://citrix.github.io/citrix-helm-charts/citrix-cpx-with-ingress-controller-1.8.28.tgz
packageVersion: 00

@ -1,16 +0,0 @@
--- charts-original/Chart.yaml
+++ charts/Chart.yaml
@@ -1,8 +1,12 @@
+annotations:
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/display-name: Citrix Ingress Controller
+ catalog.cattle.io/release-name: citrix-ingress-controller
apiVersion: v2
appVersion: 1.19.6
description: A Helm chart for Citrix Ingress Controller configuring MPX/VPX.
home: https://www.citrix.com
-icon: https://raw.githubusercontent.com/citrix/citrix-helm-charts/gh-pages/icon.png
+icon: https://raw.githubusercontent.com/citrix/citrix-xds-adaptor/master/docs/media/Citrix_Logo_Trademark.png
kubeVersion: '>=v1.16.0-0'
maintainers:
- email: priyanka.sharma@citrix.com

@ -1,2 +0,0 @@
url: https://citrix.github.io/citrix-helm-charts/citrix-ingress-controller-1.19.6.tgz
packageVersion: 00

@ -0,0 +1,4 @@
HelmRepo: https://citrix.github.io/citrix-helm-charts
HelmChart: citrix-adc-istio-ingress-gateway
Vendor: Citrix
DisplayName: Citrix Adc Istio Ingress Gateway
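Review bot: this replacement for package.yaml pins nothing: the deleted file fixed an upstream commit (c34bc90141ad8fb2809610ee9d7cb55c90aa6e08) and a packageVersion, while the new one names only the Helm repo, chart and vendor, so what gets packaged is whatever https://citrix.github.io/citrix-helm-charts serves at build time. That is the point of the automated process, but it moves the integrity guarantee entirely onto the digest recorded in index.yaml and the pipeline that regenerates it; make sure that pipeline refuses to overwrite an already indexed version whose upstream tarball now has a different digest, since a mutated archive at an unchanged version is exactly the case a commit pin used to catch.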

@ -0,0 +1,28 @@
# Citrix ADC as a Sidecar for Istio
Citrix ADC [CPX](https://docs.citrix.com/en-us/citrix-adc-cpx) can act as a sidecar proxy to an application container in Istio. You can inject the Citrix ADC CPX manually or automatically using the [Istio sidecar injector](https://istio.io/docs/setup/additional-setup/sidecar-injection/).
### Prerequisites
The following prerequisites are required for deploying Citrix ADC as a sidecar in an application pod
- Ensure that **Istio** is enabled.
- Ensure that your cluster has Kubernetes version 1.16.0 or later.
- Ensure the [Kubernetes controller manager](https://rancher.com/docs/rke/latest/en/config-options/services/#kubernetes-controller-manager)s default certificate signer is enabled.
**Note**: For RKE based cluster, extra arguments need to be provided for kube-controller service.
```services:
kube-controller:
extra_args:
cluster-signing-cert-file: "/etc/kubernetes/ssl/kube-ca.pem"
cluster-signing-key-file: "/etc/kubernetes/ssl/kube-ca-key.pem"
```
For detailed information follow this [link](https://github.com/citrix/citrix-xds-adaptor/blob/master/docs/istio-integration/rancher-provisioned-cluster.md)
### Important NOTE:
- We should not **Enable Istio Auto Injection** on Application namespace.
- The cpx-injection=enabled label is mandatory for injecting sidecars.
- An example to deploy application along with Citrix ADC CPX sidecar is provided [here](https://github.com/citrix/citrix-helm-charts/blob/master/examples/citrix-adc-in-istio/README.md).
This catalog create resources required for automatically deploying Citrix ADC CPX as a sidecar proxy.For detailed information follow this [link](https://github.com/citrix/citrix-helm-charts/tree/master/citrix-cpx-istio-sidecar-injector)
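Review bot: the prerequisite that tells RKE users to enable the controller-manager's certificate signer does not say which component submits the CSRs or which signer it uses, so an operator cannot judge what handing cluster-signing-cert-file / cluster-signing-key-file to kube-controller actually authorises; add one sentence tying it to the reason (presumably the sidecar injector's webhook certificate, given the sidecarCertsGenerator settings in questions.yaml) and keep the link to rancher-provisioned-cluster.md as the authoritative procedure. Two rendering problems in the same block: the opening fence is glued to its first line (```services: should be a fence line followed by services:), and the possessive after the controller-manager link reads `)s` where `)'s` is meant; the closing sentence also lacks a space after "sidecar proxy." and reads "This catalog create" for "creates".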

@ -0,0 +1,291 @@
labels:
io.rancher.certified: partner
questions:
- variable: xDSAdaptor.image
required: true
type: string
default: "quay.io/citrix/citrix-xds-adaptor:0.9.9"
description: "xds-adaptor Image to be used"
label: xDSAdaptor Image
group: "xDSAdaptor Settings"
- variable: xDSAdaptor.imagePullPolicy
required: true
type: enum
default: IfNotPresent
description: "Istio-adaptor Image pull policy"
label: istioAdaptor imagePullPolicy
options:
- "Always"
- "IfNotPresent"
- "Never"
group: "xDSAdaptor Settings"
- variable: xDSAdaptor.proxyType
required: true
type: string
default: true
label: xDSAdaptor proxyType
description: "xDSAdaptor proxyType type set to router by default"
group: "xDSAdaptor Settings"
- variable: xDSAdaptor.secureConnect
required: false
type: boolean
default: true
label: xDSAdaptor secureConnect
description: "xDSAdaptor establishes secure gRPC channel with Istio Pilot, if value is set to true"
group: "xDSAdaptor Settings"
- variable: xDSAdaptor.logLevel
required: false
type: enum
default: DEBUG
label: xDSAdaptor logLevel
description: "xDSAdaptor logLevel"
options:
- "TRACE"
- "DEBUG"
- "INFO"
- "WARN"
- "ERROR"
group: "xDSAdaptor Settings"
- variable: xDSAdaptor.jsonLog
required: false
type: string
default: "true"
label: xDSAdaptor jsonLog
description: "Set this argument to true if log messages are required in JSON format"
group: "xDSAdaptor Settings"
- variable: coe.coeURL
required: false
type: string
label: coe coeURL
description: "Name of Citrix Observability Exporter Service"
group: "COE Settings"
- variable: coe.coeTracing
required: false
type: boolean
label: coe coeTracing
description: "Used to send appflow transactions to Zipkin endpoint,if true ADM servicegraph (if configured) can be impacted"
group: "COE Settings"
- variable: istioPilot.name
required: true
type: string
default: istio-pilot
label: istio-pilot name
group: "istio-pilot Settings"
- variable: istioPilot.namespace
required: true
type: string
default: istio-system
label: istio-pilot namespace
description: "Name of the Istio Pilot service"
group: "istio-pilot Settings"
- variable: istioPilot.secureGrpcPort
required: true
type: int
default: 15011
description: "Secure GRPC port where Istio Pilot is listening"
label: istio-pilot secureGrpcPort
show_if: "xDSAdaptor.secureConnect=true"
group: "istio-pilot Settings"
- variable: istioPilot.insecureGrpcPort
required: true
type: int
default: 15010
label: istio-pilot insecureGrpcPort
description: "Insecure GRPC port where Istio Pilot is listening"
show_if: "xDSAdaptor.secureConnect=false"
group: "istio-pilot Settings"
- variable: istioPilot.SAN
required: false
type: string
default:
label: istio-pilot SAN
description: "Subject alternative name for Istio Pilot which is (SPIFFE) ID of Istio Pilot"
show_if: "xDSAdaptor.secureConnect=true"
group: "istio-pilot Settings"
- variable: certProvider.caAddr
required: true
type: string
default: "istiod.istio-system.svc"
label: certProvider caAddr
description: "Certificate Authority (CA) address issuing certificate to application"
group: "certProvider Settings"
- variable: certProvider.caPort
required: true
type: int
default: 15012
label: certProvider caPort
description: "Certificate Authority (CA) port issuing certificate to application"
group: "certProvider Settings"
- variable: certProvider.trustDomain
required: true
type: string
default: "cluster.local"
label: certProvider trustDomain
description: "SPIFFE Trust Domain"
group: "certProvider Settings"
- variable: certProvider.certTTLinHours
required: true
type: int
default: 720
label: certProvider certTTLinHours
description: "Validity of certificate generated by xds-adaptor and signed by Istiod (Istio Citadel) in hours."
group: "certProvider Settings"
- variable: certProvider.clusterId
required: true
type: string
default: "Kubernetes"
label: certProvider clusterId
description: "clusterId is the ID of the cluster where Istiod CA instance resides (default Kubernetes). It can be different value on some cloud platforms or in m
ulticluster environments. For example, in Anthos servicemesh, it might be of the format of `cn<project-name>-<region>-<cluster_name>`. In multiCluster environments, it is the val
ue of global.multiCluster.clusterName provided during servicemesh control plane installation"
group: "certProvider Settings"
- variable: certProvider.jwtPolicy
required: true
type: enum
default: "first-party-jwt"
label: certProvider jwtPolicy
description: "Kubernetes platform supports First party tokens and Third party tokens"
options:
- "first-party-jwt"
- "third-party-jwt"
- variable: cpxProxy.netscalerUrl
required: true
type: string
default: "http://127.0.0.1"
description: "Citrix ADC CPX image used as sidecar proxy"
label: cpxProxy image
group: "cpxProxy Settings"
- variable: cpxProxy.image
required: true
type: string
default: "quay.io/citrix/citrix-k8s-cpx-ingress:13.0-79.64"
description: "Citrix ADC CPX image used as sidecar proxy"
label: cpxProxy image
group: "cpxProxy Settings"
- variable: cpxProxy.imagePullPolicy
required: true
type: enum
default: IfNotPresent
description: "cpxProxy Image pull policy"
label: cpxProxy imagePullPolicy
options:
- "Always"
- "IfNotPresent"
- "Never"
group: "cpxProxy Settings"
- variable: cpxProxy.EULA
required: true
type: enum
label: cpxProxy EULA license
options:
- "YES"
- "NO"
group: "cpxProxy Settings"
- variable: cpxProxy.cpxSidecarMode
required: true
type: string
default: "YES"
description: "Environment variable for Citrix ADC CPX. It indicates that Citrix ADC CPX is running as sidecar mode or not"
label: cpxProxy image
options:
- "YES"
- "NO"
group: "cpxProxy Settings"
- variable: cpxProxy.mgmtHttpPort
required: true
type: int
default: 10080
label: cpxProxy mgmtHttpPort
group: "cpxProxy Settings"
- variable: cpxProxy.mgmtHttpsPort
required: true
type: int
default: 10443
label: cpxProxy mgmtHttpsPort
group: "cpxProxy Settings"
- variable: cpxProxy.cpxDisableProbe
required: true
type: string
default: YES
description: "Environment variable for Citrix ADC CPX. It indicates that Citrix ADC CPX will disable probing dynamic services. It should be enabled for multicluster setup."
label: cpxProxy cpxDisableProbe
options:
- "YES"
- "NO"
group: "cpxProxy Settings"
- variable: sidecarWebHook.webhookImage
required: true
type: string
default: "quay.io/citrix/cpx-istio-sidecar-injector:1.0.0"
label: sidecarWebHook webhookImage
description: "webhookImage image to be used"
group: "sidecarWebHook Settings"
- variable: sidecarWebHook.imagePullPolicy
required: true
type: enum
default: IfNotPresent
label: sidecarWebHook imagePullPolicy
options:
- "Always"
- "IfNotPresent"
- "Never"
group: "sidecarWebHook Settings"
- variable: sidecarCertsGenerator.image
required: true
type: string
default: " quay.io/citrix/cpx-sidecar-injector-certgen:1.1.0"
label: sidecarWebHook webhookImage
description: "webhookImage image to be used"
group: "sidecarCertsGenerator Settings"
- variable: sidecarCertsGenerator.imagePullPolicy
required: true
type: enum
default: IfNotPresent
label: sidecarWebHook imagePullPolicy
options:
- "Always"
- "IfNotPresent"
- "Never"
group: "sidecarCertsGenerator Settings"
- variable: ADMSettings.ADMIP
required: false
type: string
default:
label: ADMSettings ADMIP
description: "Citrix Application Delivery Management (ADM) IP address"
group: "ADMSettings Settings"
- variable: ADMSettings.licenseServerIP
required: false
type: string
default:
label: ADMSettings licenseServerIP
description: "Citrix License Server IP address"
group: "ADMSettings Settings"
- variable: ADMSettings.licenseServerPort
required: false
type: int
default: 27000
label: ADMSettings licenseServerPort
description: "Citrix ADM port if a non-default port is used"
group: "ADMSettings Settings"
- variable: ADMSettings.bandWidthLicense
required: false
type: boolean
default: false
label: ADMSettings bandWidthLicense
description: "To specify bandwidth based licensing"
group: "ADMSettings Settings"
- variable: ADMSettings.bandWidth
required: false
type: string
default:
label: ADMSettings bandWidth
description: "Desired bandwidth capacity to be set for Citrix ADC CPX in Mbps"
group: "ADMSettings Settings"
- variable: webhook.injectionLabelName
required: true
type: string
default: "cpx-injection"
label: webhook injectionLabelName
description: "Label of namespace, where automatic sidecr injection is required"
group: "webhook Settings"
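Review bot: sidecarCertsGenerator.image defaults to `" quay.io/citrix/cpx-sidecar-injector-certgen:1.1.0"` with a leading space inside the quotes; passed through to the pod spec that is not a valid image reference and the certgen pod will fail at pull time, so strip it. Several other defaults and types in this file will misbehave in the Rancher form: xDSAdaptor.proxyType is `type: string` with `default: true` while its description says the default is router (and for a sidecar-injector chart the expected value is the adaptor's sidecar mode, not a boolean); xDSAdaptor.jsonLog is a string "true" rather than a boolean; cpxProxy.cpxSidecarMode and cpxProxy.cpxDisableProbe list `options` but are `type: string` instead of enum; cpxProxy.netscalerUrl carries the label and description copied from cpxProxy.image, sidecarCertsGenerator.* carry the sidecarWebHook labels, certProvider.jwtPolicy has no `group`, and "sidecr" in the last description is a typo. On the security-relevant settings: istioPilot.SAN defaults to empty while xDSAdaptor.secureConnect defaults to true, and the SAN is what binds the secure gRPC channel to istiod's SPIFFE identity, so the description should say what the adaptor does with an empty value (refuse, or skip identity verification); certProvider.certTTLinHours defaults to 720, a 30-day workload certificate where Istio's own sidecars use 24 hours, which deserves a rationale; and xDSAdaptor.logLevel defaulting to DEBUG is a lot for a production sidecar that logs every config push.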

@ -0,0 +1,4 @@
HelmRepo: https://citrix.github.io/citrix-helm-charts
HelmChart: citrix-cpx-istio-sidecar-injector
Vendor: Citrix
DisplayName: Citrix Cpx Istio Sidecar Injector

@ -0,0 +1,5 @@
# Citrix ADC CPX with Citrix Ingress Controller running as sidecar.
In a [Kubernetes](https://kubernetes.io/) or [OpenShift](https://www.openshift.com) cluster, you can deploy [Citrix ADC CPX](https://docs.citrix.com/en-us/citrix-adc-cpx) with Citrix ingress controller as a [sidecar](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/). The Citrix ADC CPX instance is used for load balancing the North-South traffic to the microservices in your cluster. And, the sidecar Citrix ingress controller configures the Citrix ADC CPX.
This Chart bootstraps deployment of Citrix ADC CPX with Citrix Ingress Controller as sidecar.

@ -0,0 +1,211 @@
questions:
- variable: license.accept
required: true
default: "no"
type: enum
description: "Set to yes to accept the terms and conditions of the Citrix license."
label: Accept License
group: "Deployment Settings"
options:
- "yes"
- "no"
- variable: openshift
default: false
type: boolean
description: "openshift is set to true if charts are being deployed in OpenShift environment"
label: Openshift flag
group: "Deployment Settings"
- variable: nsNamespace
type: string
description: "Prefix for the resources on Citrix ADC"
label: Resource Prefix
group: "Deployment Settings"
- variable: ingressClass[0]
type: string
description: "ingressClass is the name of the Ingress Class"
label: Ingress Class
group: "Deployment Settings"
- variable: logLevel
default: "DEBUG"
type: enum
options:
- "TRACE"
- "DEBUG"
- "INFO"
- "WARNING"
- "ERROR"
description: "logLevel of Citrix Ingress Controller pod"
label: LogLevel
group: "Deployment Settings"
- variable: defaultSSLCert
type: string
description: "Secret containing the default ceritifcate for SSL vservers"
label: Default SSLCert
group: "ADC Settings"
- variable: logProxy
type: string
description: "Elasticsearch or Kafka or Zipkin endpoint for Citrix observability exporte"
label: LogProxy
group: "Deployment Settings"
- variable: http2ServerSide
default: "OFF"
type: enum
options:
- "ON"
- "OFF"
description: "Set to ON to enable HTTP2 for Citrix ADC service group configurations"
label: HTTP2 on ADC
group: "ADC Settings"
- variable: nodeSelector.key
type: string
label: NodeSelector Key
group: "Deployment Settings"
- variable: nodeSelector.value
type: string
label: NodeSelector Value
group: "Deployment Settings"
- variable: ADMSettings.licenseServerIP
type: string
label: ADM LicenseServerIP
group: "ADM Settings"
- variable: ADMSettings.licenseServerPort
default: 27000
type: int
label: ADM LicenseServerPort
group: "ADM Settings"
- variable: ADMSettings.ADMIP
type: string
label: ADM IP
group: "ADM Settings"
- variable: ADMSettings.ADMFingerPrint
type: string
label: ADM FingerPrint
group: "ADM Settings"
- variable: ADMSettings.loginSecret
type: string
label: ADM Login Secret
group: "ADM Settings"
- variable: ADMSettings.bandWidthLicense
type: boolean
label: CPX Bandwidth License
group: "ADM Settings"
- variable: ADMSettings.bandWidth
type: int
label: CPX Bandwidth
group: "ADM Settings"
- variable: ADMSettings.vCPULicense
type: boolean
label: CPX vCPU License
group: "ADM Settings"
- variable: ADMSettings.cpxCores
type: int
label: CPX Cores
group: "ADM Settings"
- variable: cic.pullpolicy
default: "IfNotPresent"
type: enum
label: CIC Image Pullpolicy
group: "CIC/CPX Image Settings"
options:
- "Always"
- "IfNotPresent"
- "Never"
- variable: pullpolicy
default: "IfNotPresent"
type: enum
label: CPX Image Pullpolicy
group: "CIC/CPX Image Settings"
options:
- "Always"
- "IfNotPresent"
- "Never"
- variable: cic.image
default: "quay.io/citrix/citrix-k8s-ingress-controller:1.8.28"
type: string
label: CIC Image
group: "CIC/CPX Image Settings"
- variable: image
type: string
default: "quay.io/citrix/citrix-k8s-cpx-ingress:13.0-58.30"
label: CPX Image
group: "CIC/CPX Image Settings"
- variable: exporter.image
default: "quay.io/citrix/citrix-adc-metrics-exporter:1.4.5"
type: string
description: "Exporter Image to be used"
label: Exporter Image
group: "Exporter Settings"
- variable: exporter.pullPolicy
default: "IfNotPresent"
type: string
description: "Exporter Image pull policy"
label: Exporter Image PullPolicy
group: "Exporter Settings"
- variable: exporter.ports.containerPort
default: 8888
type: int
label: Exporter ContainerPort
group: "Exporter Settings"
- variable: coeConfig.distributedTracing.enable
default: false
type: boolean
label: Enable distributedTracing
group: "COE Settings"
- variable: coeConfig.distributedTracing.samplingrate
default: 100
type: int
label: COE Sampling Rate
group: "COE Settings"
- variable: coeConfig.endpoint.server
type: string
label: COE Endpoint Server
group: "COE Settings"
- variable: coeConfig.timeseries.port
default: 5563
type: int
label: COE timeseries port
group: "COE Settings"
- variable: coeConfig.timeseries.metrics.enable
default: false
type: boolean
label: Enable timeseries metrics
group: "COE Settings"
- variable: coeConfig.timeseries.metrics.mode
default: 'avro'
type: string
label: COE timeseries metrics Mode
group: "COE Settings"
- variable: coeConfig.timeseries.auditlogs.enable
default: false
type: string
label: Enable timeseries auditlogs
group: "COE Settings"
- variable: coeConfig.timeseries.events.enable
default: false
type: string
label: Enable timeseries events
group: "COE Settings"
- variable: coeConfig.transactions.enable
default: false
type: string
label: Enable transactions
group: "COE Settings"
- variable: coeConfig.transactions.port
default: 5557
type: int
label: COE transactions port
group: "COE Settings"
- variable: crds.install
default: true
type: boolean
description: "If set to true the charts will install CustomResourceDefinitions which are consumed by CIC."
label: CRD flag
group: "Deployment Settings"
- variable: crds.retainOnDelete
default: false
type: boolean
description: "Set this argument to true if you want to retain CustomResourceDefinitions even after uninstalling CIC. This will avoid data-loss of Custom Resource Objects created before uninstallation."
label: CRD retainOnDelete flag
group: "Deployment Settings"
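Review bot: the image defaults in this questions.yaml are stale against the chart it ships with: cic.image defaults to quay.io/citrix/citrix-k8s-ingress-controller:1.8.28 and the CPX image to 13.0-58.30 while the index entry above records appVersion 1.27.15, so a Rancher UI install of chart 1.27.15 pre-fills three-year-old images unless the user notices and edits the form (the citrix-ingress-controller questions.yaml added in the same commit has the same problem with cic.image 1.19.6). Under the automated process these defaults should come from the upstream values.yaml or be left blank so the chart's own defaults apply; a hand-maintained copy will drift again on the next sync. Smaller issues: the file lacks the `labels: io.rancher.certified: partner` header the other two questions.yaml files carry; coeConfig.timeseries.auditlogs.enable, coeConfig.timeseries.events.enable and coeConfig.transactions.enable are `type: string` with a boolean default, which renders a free-text box and passes the string "false" (make them boolean like metrics.enable); exporter.pullPolicy is a string where the other pull policies are enums; logLevel defaults to DEBUG; and "ceritifcate" and "exporte" are typos in descriptions.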

@ -0,0 +1,4 @@
HelmRepo: https://citrix.github.io/citrix-helm-charts
HelmChart: citrix-cpx-with-ingress-controller
Vendor: Citrix
DisplayName: Citrix Cpx with Ingress Controller

@ -0,0 +1,5 @@
# Citrix Ingress Controller
[Citrix Ingress Controler](https://github.com/citrix/citrix-k8s-ingress-controller) is an ingress controller for Citrix ADC MPX (hardware), Citrix ADC VPX (virtualized), and Citrix ADC CPX (containerized) for bare metal and cloud deployments. It is built around Kubernetes Ingress and automatically configures Citrix ADC based on the Ingress resource configuration.
This Chart bootstraps standalone Citrix Ingress Controller which can be used to configure Citrix MPX or VPX.
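Review bot: "Citrix Ingress Controler" in the link text of the first line is a typo for Controller, and this readme is the catalog text every Rancher user sees for the chart; since the file is now generated from upstream, fix it upstream rather than reintroducing an overlay.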

@ -0,0 +1,348 @@
labels:
io.rancher.certified: partner
questions:
- variable: license.accept
required: true
type: enum
description: "Set to yes to accept the terms and conditions of the Citrix license."
label: Accept License
group: "Deployment Settings"
options:
- "yes"
- "no"
- variable: openshift
default: false
type: boolean
description: "openshift is set to true if charts are being deployed in OpenShift environment"
label: Openshift flag
group: "Deployment Settings"
- variable: adcCredentialSecret
required: true
default: ""
type: string
description: "adcCredentialSecret is secret file for NetScaler login"
label: adcCredentialSecret Name
group: "Deployment Settings"
- variable: imagePullSecrets[0]
required: false
type: string
description: "Provide list of Kubernetes secrets to be used for pulling the images from a private Docker registry or repository"
label: imagePullSecrets
group: "Deployment Settings"
- variable: nsIP
required: true
type: string
description: "nsIP is NetScaler NSIP/SNIP, SNIP in case of HA (mgmt has to be enabled)"
label: Citrix ADC IP
group: "ADC Settings"
- variable: nsVIP
required: false
type: string
label: Virtual IP of Citrix ADC
group: "ADC Settings"
- variable: nsSNIPS
required: false
type: string
description: "The list of subnet IPAddresses on the Citrix ADC device, which will be used to create PBR Routes instead of Static Routes"
label: Citrix ADC nsSNIPS
group: "ADC Settings"
- variable: nsPort
required: false
default: 443
type: int
description: "nsPort is port for ADC NITRO"
label: nsPort
group: "ADC Settings"
- variable: nsProtocol
required: false
default: "HTTPS"
type: string
description: "nsProtocol is protocol for ADC NITRO"
label: nsProtocol
group: "ADC Settings"
- variable: entityPrefix
required: false
type: string
description: "The prefix for the resources on the Citrix ADC VPX/MPX"
label: entityPrefix
group: "ADC Settings"
- variable: kubernetesURL
required: false
type: string
description: "kubernetesURL is for registering events to kubeapi server"
label: Kubernetes API-server URL
group: "Deployment Settings"
- variable: clusterName
required: false
type: string
description: "The unique identifier of the kubernetes cluster on which the CIC is deployed"
label: Cluster Name
group: "Deployment Settings"
- variable: ingressClass[0]
required: false
type: string
description: "ingressClass is the name of the Ingress Class"
label: Ingress Class
group: "Deployment Settings"
- variable: setAsDefaultIngressClass
required: false
default: False
type: boolean
description: "Set the IngressClass object as default ingress class. New Ingresses without an `ingressClassName` field specified will be assigned the class specified in ingressClass. Applicable only for kubernetes versions >= 1.19"
label: setAsDefaultIngressClass
group: "Deployment Settings"
- variable: serviceClass[0]
required: false
type: string
description: "serviceClass is the name of the Service Class"
label: Service Class
group: "Deployment Settings"
- variable: defaultSSLCertSecret
required: false
type: string
description: "Provide Kubernetes secret name that needs to be used as a default non-SNI certificate in Citrix ADC."
label: defaultSSLCertSecret
group: "ADC Settings"
- variable: podIPsforServiceGroupMembers
required: false
default: False
type: boolean
description: "By default Citrix Ingress Controller will add NodeIP and NodePort as service group members,This variable if set to True will change the behaviour to add pod IP and Pod port instead of nodeIP and nodePort."
label: podIPsforServiceGroupMembers
group: "Deployment Settings"
- variable: ignoreNodeExternalIP
required: false
default: False
type: boolean
label: ignoreNodeExternalIP
group: "Deployment Settings"
- variable: ipam
required: false
default: False
type: boolean
description: "Set this argument if you want to use the IPAM controller to automatically allocate an IP address to the service of type LoadBalancer"
label: ipam
group: "Deployment Settings"
- variable: logProxy
required: false
default: False
type: string
description: "Provide Elasticsearch or Kafka or Zipkin endpoint for Citrix observability exporter."
label: Log Proxy
group: "Deployment Settings"
- variable: nodeWatch
required: false
default: false
type: boolean
description: "nodeWatch is used for automatic route configuration on NetScaler towards the pod network"
label: NodeWatch
group: "ADC Settings"
- variable: cncPbr
required: false
default: false
type: boolean
description: "Use this argument to inform CIC that Citrix Node Controller(CNC) is configuring Policy Based Routes(PBR) on the Citrix ADC."
label: CNC PBR
group: "ADC Settings"
- variable: nodeSelector.key
required: false
type: string
description: "Node label key to be used for nodeSelector option in CIC deployment"
label: NodeSelector Key
group: "Deployment Settings"
- variable: nodeSelector.value
required: false
type: string
description: "Node label value to be used for nodeSelector option in CIC deployment."
label: NodeSelector value
group: "Deployment Settings"
- variable: tolerations[0]
required: false
type: string
description: "Specify the tolerations for the CIC deployment"
label: Tolerations
group: "Deployment Settings"
- variable: updateIngressStatus
required: false
default: false
type: boolean
description: "Set this argurment if Status.LoadBalancer.Ingress field of the Ingress resources managed by the Citrix ingress controller needs to be updated with allocated IP addresses"
label: Update Ingress Status
group: "Deployment Settings"
- variable: nsHTTP2ServerSide
required: false
default: "OFF"
type: string
description: "Set this argument to ON for enabling HTTP2 for Citrix ADC service group configurations."
label: nsHTTP2ServerSide
group: "Deployment Settings"
- variable: nsCookieVersion
required: false
default: "0"
type: string
description: "Specify the persistence cookie version (0 or 1)"
label: nsCookieVersion
group: "Deployment Settings"
- variable: routeLabels
required: false
type: string
description: "You can use this parameter to provide the route labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster."
label: Route Labels
group: "Deployment Settings"
- variable: namespaceLabels
required: false
type: string
description: "you can use this parameter to provide the namespace labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster"
label: namespaceLabels
group: "Deployment Settings"
- variable: cic.image
required: true
type: string
default: "quay.io/citrix/citrix-k8s-ingress-controller:1.19.6"
label: CIC Image
group: "CIC Image Settings"
- variable: cic.pullpolicy
required: true
default: "IfNotPresent"
type: enum
label: CIC Image Pullpolicy
group: "CIC Image Settings"
options:
- "Always"
- "IfNotPresent"
- "Never"
- variable: logLevel
required: false
default: "INFO"
type: enum
label: CIC Loglevel
group: "CIC Image Settings"
options:
- "DEBUG"
- "INFO"
- "WARNING"
- "ERROR"
- "TRACE"
- variable: exporter.required
default: false
type: boolean
description: "If set to true exporter will be deployed as sidecar"
label: Enable Exporter
group: "Exporter Settings"
- variable: exporter.image
default: "quay.io/citrix/citrix-adc-metrics-exporter:1.4.9"
required: false
type: string
description: "Exporter Image"
label: Exporter Image
group: "Exporter Settings"
- variable: exporter.pullPolicy
required: false
default: IfNotPresent
type: string
description: "Exporter Image pull policy"
label: Exporter Image PullPolicy
group: "Exporter Settings"
- variable: exporter.ports.containerPort
required: false
default: 8888
type: int
label: Exporter ContainerPort
group: "Exporter Settings"
- variable: crds.install
required: false
default: true
type: boolean
description: "If set to true the charts will install CustomResourceDefinitions which are consumed by CIC."
label: CRD flag
group: "Deployment Settings"
- variable: crds.retainOnDelete
required: false
default: false
type: boolean
description: "Set this argument to true if you want to retain CustomResourceDefinitions even after uninstalling CIC. This will avoid data-loss of Custom Resource Objects created before uninstallation."
label: CRD retainOnDelete flag
group: "Deployment Settings"
- variable: coeConfig.required
required: true
default: false
type: boolean
description: "Set this to true if you want to configure Citrix ADC to send metrics and transaction records to COE"
label: Enable COE
group: "COE Settings"
- variable: coeConfig.distributedTracing.enable
required: false
default: false
type: boolean
description: "Set this value to true to enable OpenTracing in Citrix ADC."
label: Enable coeConfig DistributedTracing
group: "COE Settings"
- variable: coeConfig.distributedTracing.samplingrate
required: false
default: "100"
type: string
description: "Specifies the OpenTracing sampling rate in percentage."
label: coeConfig DistributedTracing Samplingrate
group: "COE Settings"
- variable: coeConfig.endpoint.server
required: false
type: string
description: "Set this value as the IP address or DNS address of the analytics server"
label: coeConfig Endpoint Server
group: "COE Settings"
- variable: coeConfig.timeseries.port
required: false
default: "30002"
type: string
description: "Specify the port used to expose COE service outside cluster for timeseries endpoint"
label: coeConfig timeseries Port
group: "COE Settings"
- variable: coeConfig.timeseries.metrics.enable
required: false
default: False
type: boolean
description: "Set this value to true to enable sending metrics from Citrix ADC"
label: Enable coeConfig Timeseries Metrics
group: "COE Settings"
- variable: coeConfig.timeseries.metrics.mode
required: false
default: "avro"
type: string
description: "Specifies the mode of metric endpoint"
label: coeConfig Timeseries Metrics Mode
group: "COE Settings"
- variable: coeConfig.timeseries.auditlogs.enable
required: false
default: False
type: boolean
description: "Set this value to true to export audit log data from Citrix ADC"
label: coeConfig Timeseries Auditlogs Enable
group: "COE Settings"
- variable: coeConfig.timeseries.events.enable
required: false
default: False
type: boolean
description: "Set this value to true to export events from the Citrix ADC"
label: Enable coeConfig Timeseries Events
group: "COE Settings"
- variable: coeConfig.transactions.enable
required: false
default: False
type: boolean
description: "Set this value to true to export transactions from Citrix ADC"
label: Enable coeConfig Transactions
group: "COE Settings"
- variable: coeConfig.transactions.port
required: false
default: 30001
type: string
description: "Specify the port used to expose COE service outside cluster for transaction endpoint"
label: coeConfig Transactions Port
group: "COE Settings"
- variable: serviceAccount.create
required: false
default: true
type: boolean
description: "Specifies whether a ServiceAccount should be created"
label: ServiceAccount Create
group: "Deployment Settings"
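Review bot: several defaults in this hunk disagree with their declared `type`. `coeConfig.transactions.port` is `type: string` but its default is the bare integer `30001`, while the sibling `coeConfig.timeseries.port` quotes its default as `"30002"`; and `coeConfig.timeseries.metrics.enable`, `coeConfig.timeseries.auditlogs.enable`, `coeConfig.timeseries.events.enable` and `coeConfig.transactions.enable` use `default: False` where every other boolean in the file uses lowercase `false`. Quoting the port (`default: "30001"`) and normalising the booleans to `false` keeps the Rancher form and the generated values consistent. Two smaller points: `exporter.pullPolicy` is a free-form `type: string` while `cic.pullpolicy` is an `enum` restricted to `Always`/`IfNotPresent`/`Never`, so the same enum would stop invalid pull policies from being entered; similarly `nsCookieVersion` is described as "0 or 1" but accepts any string. `exporter.ports.containerPort` is also the only entry in its group without a `description`, and the `namespaceLabels` description starts lowercase unlike the `routeLabels` one directly above it.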

View File

@ -0,0 +1,4 @@
HelmRepo: https://citrix.github.io/citrix-helm-charts
HelmChart: citrix-ingress-controller
Vendor: Citrix
DisplayName: Citrix Ingress Controller
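Review bot: this new metadata file names the upstream repo and chart but carries no version constraint, so the automated process will pick up whatever `citrix-ingress-controller` release the `citrix.github.io/citrix-helm-charts` repo publishes next. If the intent is to track only the version migrated in this commit, please confirm that is handled elsewhere or document here that unpinned tracking is deliberate, since an unreviewed upstream bump would change the images and CRDs shipped to users.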