Make charts - citrix-cpx-istio-sidecar-injector

pull/256/head
Samuel Attwood 2021-11-22 18:15:23 -05:00
parent cfd89205c5
commit 7fb60f4a9a
16 changed files with 1321 additions and 0 deletions

View File

@ -0,0 +1,22 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

View File

@ -0,0 +1,22 @@
annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Citrix Cpx Istio Sidecar Injector
catalog.cattle.io/release-name: citrix-cpx-istio-sidecar-injector
apiVersion: v2
appVersion: 1.11.0
description: A Helm chart to deploy resources which install Citrix ADC CPX in Istio
Service Mesh as sidecar in application pod
home: https://www.citrix.com
icon: https://raw.githubusercontent.com/citrix/citrix-xds-adaptor/master/docs/media/Citrix_Logo_Trademark.png
kubeVersion: '>=v1.16.0-0'
maintainers:
- email: dhiraj.gedam@citrix.com
name: dheerajng
- email: subash.dangol@citrix.com
name: subashd
- email: ajeeta.shakeet@citrix.com
name: ajeetas
name: citrix-cpx-istio-sidecar-injector
sources:
- https://github.com/citrix/citrix-xds-adaptor
version: 1.11.1
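Review bot: `kubeVersion: '>=v1.16.0-0'` has no upper bound, yet the files added alongside this chart depend on beta APIs that Kubernetes 1.22 removed: the certificate script submits `certificates.k8s.io/v1beta1` CertificateSigningRequests and the README lists `admissionregistration.k8s.io/v1beta1` as a prerequisite. Either cap `kubeVersion` (e.g. `'>=v1.16.0-0 <1.22.0-0'`) or move those manifests to the v1 APIs so the constraint stays honest for newer clusters. Minor: `icon` points at a `master` branch raw URL, which can change or disappear under the chart; a tagged path would be stable.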

View File

@ -0,0 +1,280 @@
# Deploy Citrix ADC CPX as a sidecar in Istio environment using Helm charts
Citrix ADC CPX can be deployed as a sidecar proxy in an application pod in the Istio service mesh.
# Table of Contents
1. [TL; DR;](#tldr)
2. [Introduction](#introduction)
3. [Deploy Sidecar Injector for Citrix ADC CPX using Helm chart](#deploy-sidecar-injector-for-citrix-adc-cpx-using-helm-chart)
4. [Observability using Citrix Observability Exporter](#observability-using-coe)
5. [Citrix ADC CPX License Provisioning](#citrix-adc-cpx-license-provisioning)
6. [Service Graph configuration](#configuration-for-servicegraph)
7. [Generate Certificate for Application](#generate-certificate-for-application)
8. [Limitations](#limitations)
9. [Clean Up](#clean-up)
10. [Configuration Parameters](#configuration-parameters)
## <a name="tldr">TL; DR;</a>
kubectl create namespace citrix-system
helm repo add citrix https://citrix.github.io/citrix-helm-charts/
helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES
## <a name="introduction">Introduction</a>
Citrix ADC CPX can act as a sidecar proxy to an application container in Istio. You can inject the Citrix ADC CPX manually or automatically using the [Istio sidecar injector](https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/). Automatic sidecar injection requires resources including a Kubernetes [mutating webhook admission](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) controller, and a service. Using this Helm chart, you can create resources required for automatically deploying Citrix ADC CPX as a sidecar proxy.
In Istio servicemesh, the namespace must be labelled before applying the deployment yaml for [automatic sidecar injection](https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#automatic-sidecar-injection). Once the namespace is labelled, sidecars (envoy or CPX) will be injected while creating pods.
- For CPX, namespace must be labelled `cpx-injection=enabled`
- For Envoy, namespace must be labelled `istio-injection=enabled`
__Note: If a namespace is labelled with both `istio-injection` and `cpx-injection`, Envoy injection takes a priority! Citrix CPX won't be injected on top of the already injected Envoy sidecar. For using Citrix ADC as sidecar, ensure that `istio-injection` label is removed from the namespace.__
For detailed information on different deployment options, see [Deployment Architecture](https://github.com/citrix/citrix-istio-adaptor/blob/master/docs/istio-integration/architecture.md).
### Compatibility Matrix between Citrix xDS-adaptor and Istio version
Below table provides info about recommended Citrix xDS-Adaptor version to be used for various Istio versions.
| Citrix xDS-Adaptor version | Istio version |
|----------------------------|---------------|
| quay.io/citrix/citrix-xds-adaptor:0.9.9 | Istio v1.10+ |
| quay.io/citrix/citrix-xds-adaptor:0.9.8 | Istio v1.8 to Istio v1.9 |
| quay.io/citrix/citrix-xds-adaptor:0.9.5 | Istio v1.6 |
### Prerequisites
The following prerequisites are required for deploying Citrix ADC as a sidecar to an application pod.
- Ensure that **Istio version 1.8 onwards** is installed
- Ensure that Helm with version 3.x is installed. Follow this [step](https://github.com/citrix/citrix-helm-charts/blob/master/Helm_Installation_version_3.md) to install the same.
- Ensure that your cluster Kubernetes version should be 1.16 onwards and the `admissionregistration.k8s.io/v1`, `admissionregistration.k8s.io/v1beta1` API is enabled
You can verify the API by using the following command:
kubectl api-versions | grep admissionregistration.k8s.io/v1
The following output indicates that the API is enabled:
admissionregistration.k8s.io/v1
admissionregistration.k8s.io/v1beta1
- Create namespace `citrix-system`
kubectl create namespace citrix-system
- **Registration of Citrix ADC CPX in ADM**
Create a secret containing ADM username and password in each application namespace.
kubectl create secret generic admlogin --from-literal=username=<adm-username> --from-literal=password=<adm-password> -n citrix-system
## <a name="deploy-sidecar-injector-for-citrix-adc-cpx-using-helm-chart">Deploy Sidecar Injector for Citrix ADC CPX using Helm chart</a>
**Before you Begin**
To deploy resources for automatic installation of Citrix ADC CPX as a sidecar in Istio, perform the following step. In this example, release name is specified as `cpx-sidecar-injector` and namespace is used as `citrix-system`.
helm repo add citrix https://citrix.github.io/citrix-helm-charts/
helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES
This step installs a mutating webhook and a service resource to application pods in the namespace labeled as `cpx-injection=enabled`.
*"Note:" The `cpx-injection=enabled` label is mandatory for injecting sidecars.*
An example to deploy application along with Citrix ADC CPX sidecar is provided [here](https://github.com/citrix/citrix-helm-charts/tree/master/examples/citrix-adc-in-istio).
# <a name="observability-using-coe"> Observability using Citrix Observability Exporter </a>
### Pre-requisites
1. Citrix Observability Exporter (COE) should be deployed in the cluster.
2. Citrix ADC CPX should be running with versions 13.0-48+ or 12.1-56+.
Citrix ADC CPXes serving East West traffic send its metrics and transaction data to COE which has a support for Prometheus and Zipkin.
Metrics data can be visualized in Prometheus dashboard.
Zipkin enables users to analyze tracing for East-West service to service communication.
*Note*: Istio should be [installed](https://istio.io/docs/tasks/observability/distributed-tracing/zipkin/#before-you-begin) with Zipkin as tracing endpoint.
```
helm repo add citrix https://citrix.github.io/citrix-helm-charts/
helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES,coe.coeURL=<coe-service-name>.<namespace>
```
By default, COE is primarily used for Prometheus integration. Servicegraph and tracing is handled by Citrix ADM appliance. To enable Zipkin tracing, set argument `coe.coeTracing=true` in helm command. Default value of coeTracing is set to false.
```
helm repo add citrix https://citrix.github.io/citrix-helm-charts/
helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES,coe.coeURL=<coe-service-name>.<namespace>,coe.coeTracing=true
```
For example, if COE is deployed as `coe` in `citrix-system` namespace, then below helm command will deploy sidecar injector webhook which will be deploying Citrix ADC CPX sidecar proxies in application pods, and these sidecar proxies will be configured to establish communication channels with COE.
```
helm repo add citrix https://citrix.github.io/citrix-helm-charts/
helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES,coe.coeURL=coe.citrix-system
```
*Important*: Apply below mentioned annotations on COE deployment so that Prometheus can scrape data from COE.
```
prometheus.io/scrape: "true"
prometheus.io/port: "5563" # Prometheus port
```
## <a name="citrix-adc-cpx-license-provisioning">**Citrix ADC CPX License Provisioning**</a>
By default, CPX runs with 20 Mbps bandwidth called as [CPX Express](https://www.citrix.com/en-in/products/citrix-adc/cpx-express.html) however for better performance and production deployment customer needs licensed CPX instances. [Citrix ADM](https://www.citrix.com/en-in/products/citrix-application-delivery-management/) is used to check out licenses for Citrix ADC CPX.
**Bandwidth based licensing**
For provisioning licensing on Citrix ADC CPX, it is mandatory to provide License Server information to CPX. This can be done by setting **ADMSettings.licenseServerIP** as License Server IP. In addition to this, **ADMSettings.bandWidthLicense** needs to be set true and desired bandwidth capacity in Mbps should be set **ADMSettings.bandWidth**.
For example, to set 2Gbps as bandwidth capacity, below command can be used.
```
helm repo add citrix https://citrix.github.io/citrix-helm-charts/
helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES --set ADMSettings.licenseServerIP=<licenseServer_IP>,ADMSettings.bandWidthLicense=True --set ADMSettings.bandWidth=2000
```
## <a name="configuration-for-servicegraph">**Service Graph configuration**</a>
Citrix ADM Service graph is an observability tool that allows user to analyse service to service communication. The service graph is generated by ADM post collection of transactional data from registered Citrix ADC instances. More details about it can be found [here](https://docs.citrix.com/en-us/citrix-application-delivery-management-service/application-analytics-and-management/service-graph.html).
Citrix ADC needs to be provided with ADM details for registration and data export. This section lists the steps needed to deploy Citrix ADC and register it with ADM.
1. Create secret using Citrix ADM Agent credentials, which will be used by Citrix ADC as CPX to communicate with Citrix ADM Agent:
kubectl create secret generic admlogin --from-literal=username=<adm-agent-username> --from-literal=password=<adm-agent-password>
2. Deploy Citrix ADC CPX sidecar injector using helm command with `ADM` details:
helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES --set ADMSettings.ADMIP=<ADM-Agent-IP>
> **Note:**
> If container agent is being used here for Citrix ADM, specify `PodIP` of container agent in the `ADMSettings.ADMIP` parameter.
## <a name="generate-certificate-for-application">Generate Certificate for Application </a>
Application needs TLS certificate-key pair for establishing secure communication channel with other applications. Earlier these certificates were issued by Istio Citadel and bundled in Kubernetes secret. Certificate was loaded in the application pod by doing volume mount of secret. Now `xDS-Adaptor` can generate its own certificate and get it signed by the Istio Citadel (Istiod). This eliminates the need of secret and associated [risks](https://kubernetes.io/docs/concepts/configuration/secret/#risks).
xDS-Adaptor needs to be provided with details Certificate Authority (CA) for successful signing of Certificate Signing Request (CSR). By default, CA is `istiod.istio-system.svc` which accepts CSRs on port 15012.
To skip this process, don't provide any value (empty string) to `certProvider.caAddr`.
```
helm repo add citrix https://citrix.github.io/citrix-helm-charts/
helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES --set certProvider.caAddr=""
```
### <a name="using-third-party-service-account-tokens">Configure Third Party Service Account Tokens</a>
In order to generate certificate for application workload, xDS-Adaptor needs to send valid service account token along with Certificate Signing Request (CSR) to the Istio control plane (Citadel CA). Istio control plane authenticates the xDS-Adaptor using this JWT.
Kubernetes supports two forms of these tokens:
* Third party tokens, which have a scoped audience and expiration.
* First party tokens, which have no expiration and are mounted into all pods.
If Kubernetes cluster is installed with third party tokens, then the same information needs to be provided for automatic sidecar injection by passing `--set certProvider.jwtPolicy="third-party-jwt"`. By default, it is `first-party-jwt`.
```
helm repo add citrix https://citrix.github.io/citrix-helm-charts/
helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES --set certProvider.caAddr="istiod.istio-system.svc" --set certProvider.jwtPolicy="third-party-jwt"
```
To determine if your cluster supports third party tokens, look for the TokenRequest API using below command. If there is no output, then it is `first-party-jwt`. In case of `third-party-jwt`, output will be like below.
```
# kubectl get --raw /api/v1 | jq '.resources[] | select(.name | index("serviceaccounts/token"))'
{
"name": "serviceaccounts/token",
"singularName": "",
"namespaced": true,
"group": "authentication.k8s.io",
"version": "v1",
"kind": "TokenRequest",
"verbs": [
"create"
]
}
```
## <a name="limitations">Limitations</a>
Citrix ADC CPX occupies certain ports for internal usage. This makes application service running on one of these restricted ports incompatible with the Citrix ADC CPX.
The list of ports is mentioned below. Citrix is working on delisting some of the major ports from the given list, and same shall be available in future releases.
#### Restricted Ports
| Sr No |Port Number|
|-------|-----------|
| 1 | 80 |
| 2 | 3010 |
| 3 | 5555 |
| 4 | 8080 |
## <a name="clean-up">Clean Up</a>
To delete the resources created for automatic injection with the release name `cpx-sidecar-injector`, perform the following step.
helm delete cpx-sidecar-injector
## <a name="configuration-parameters">Configuration parameters</a>
The following table lists the configurable parameters and their default values in the Helm chart.
| Parameter | Description | Default |
|--------------------------------|-------------------------------|---------------------------|
| `xDSAdaptor.image` | Image of the Citrix xDS Adaptor container | quay.io/citrix/citrix-xds-adaptor:0.9.9 |
| `xDSAdaptor.imagePullPolicy` | Image pull policy for xDS-adaptor | IfNotPresent |
| `xDSAdaptor.secureConnect` | If this value is set to true, xDS-adaptor establishes secure gRPC channel with Istio Pilot | TRUE |
| `xDSAdaptor.logLevel` | Log level to be set for xDS-adaptor log messages. Possible values: TRACE (most verbose), DEBUG, INFO, WARN, ERROR (least verbose) | DEBUG | Optional|
| `xDSAdaptor.jsonLog` | Set this argument to true if log messages are required in JSON format | false | Optional|
| `coe.coeURL` | Name of [Citrix Observability Exporter](https://github.com/citrix/citrix-observability-exporter) Service in the form of _servicename.namespace_ | NIL | Optional|
| `coe.coeTracing` | Use COE to send appflow transactions to Zipkin endpoint. If it is set to true, ADM servicegraph (if configured) can be impacted. | false | Optional|
| `ADMSettings.ADMIP` | Provide the Citrix Application Delivery Management (ADM) IP address | NIL |
| `ADMSettings.licenseServerIP ` | Citrix License Server IP address | NIL | Optional |
| `ADMSettings.licenseServerPort` | Citrix ADM port if a non-default port is used | 27000 |
| `ADMSettings.bandWidth` | Desired bandwidth capacity to be set for Citrix ADC CPX in Mbps | NIL | Optional |
| `ADMSettings.bandWidthLicense` | To specify bandwidth based licensing | false | Optional |
| `istioPilot.name` | Name of the Istio Pilot service | istio-pilot |
| `istioPilot.namespace` | Namespace where Istio Pilot is running | istio-system |
| `istioPilot.secureGrpcPort` | Secure GRPC port where Istio Pilot is listening (Default setting) | 15011 |
| `istioPilot.insecureGrpcPort` | Insecure GRPC port where Istio Pilot is listening | 15010 |
| `istioPilot.proxyType` | Type of Citrix ADC associated with the xDS-adaptor. Possible values are: sidecar and router. | sidecar|
| `istioPilot.SAN` | Subject alternative name for Istio Pilot which is the Secure Production Identity Framework For Everyone (SPIFFE) ID of Istio Pilot. | NIL |
| `cpxProxy.netscalerUrl` | URL or IP address of the Citrix ADC which will be configured by Istio-adaptor. | http://127.0.0.1 |
| `cpxProxy.image` | Citrix ADC CPX image used as sidecar proxy | quay.io/citrix/citrix-k8s-cpx-ingress:13.0-83.27 |
| `cpxProxy.imagePullPolicy` | Image pull policy for Citrix ADC | IfNotPresent |
| `cpxProxy.EULA` | End User License Agreement(EULA) terms and conditions. If yes, then user agrees to EULA terms and conditions. | NO |
| `cpxProxy.cpxSidecarMode` | Environment variable for Citrix ADC CPX. It indicates that Citrix ADC CPX is running as sidecar mode or not. | YES |
| `cpxProxy.cpxDisableProbe` | Environment variable for Citrix ADC CPX. It indicates that Citrix ADC CPX will disable probing dynamic services. It should be enabled for multicluster setup. | YES |
| `sidecarWebHook.webhookImage` | Mutating webhook associated with the sidecar injector. It invokes a service `cpx-sidecar-injector` to inject sidecar proxies in the application pod. | quay.io/citrix/cpx-istio-sidecar-injector:1.1.0 |
| `sidecarWebHook.imagePullPolicy` | Image pull policy |IfNotPresent|
| `sidecarCertsGenerator.image` | Certificate genrator image associated with sidecar injector. This image generates certificate and key needed for CPX sidecar injection. | quay.io/citrix/cpx-sidecar-injector-certgen:1.1.0 |
| `sidecarCertsGenerator.imagePullPolicy` | Image pull policy |IfNotPresent|
| `webhook.injectionLabelName` | Label of namespace where automatic Citrix ADC CPX sidecar injection is required. | cpx-injection |
| `certProvider.caAddr` | Certificate Authority (CA) address issuing certificate to application | istiod.istio-system.svc | Optional |
| `certProvider.caPort` | Certificate Authority (CA) port issuing certificate to application | 15012 | Optional |
| `certProvider.trustDomain` | SPIFFE Trust Domain | cluster.local | Optional |
| `certProvider.certTTLinHours` | Validity of certificate generated by xds-adaptor and signed by Istiod (Istio Citadel) in hours. Default is 30 days validity | 720 | Optional |
| `certProvider.clusterId` | clusterId is the ID of the cluster where Istiod CA instance resides (default Kubernetes). It can be different value on some cloud platforms or in multicluster environments. For example, in Anthos servicemesh, it might be of the format of `cn<project-name>-<region>-<cluster_name>`. In multiCluster environments, it is the value of global.multiCluster.clusterName provided during servicemesh control plane installation | Kubernetes | Optional |
| `certProvider.jwtPolicy` | Service Account token type. Kubernetes platform supports First party tokens and Third party tokens. | first-party-jwt | Optional |
| `certProvider.jwtPolicy` | Service Account token type. Kubernetes platform supports First party tokens and Third party tokens. Usually public cloud based Kubernetes has third-party-jwt | null | Optional |
**Note:** You can use the `values.yaml` file packaged in the chart. This file contains the default configuration values for the chart.
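Review bot: the configuration table lists `certProvider.jwtPolicy` twice with conflicting defaults (`first-party-jwt` in one row, `null` in the next); keep one row with the real default, and note in it that the helper template picks the value when none is given. Further points in this file: the ADM prerequisite says to create the `admlogin` secret "in each application namespace" but the command uses `-n citrix-system`, and the Service Graph step's `kubectl create secret generic admlogin ...` has no `-n` at all, so it lands in whatever namespace the current kubeconfig context points at; state the intended namespace once and use it in both commands. The `admissionregistration.k8s.io/v1beta1` check should be dropped or qualified, since that API group version is gone in Kubernetes 1.22+ and the `grep admissionregistration.k8s.io/v1` shown already matches v1. Table rows for `xDSAdaptor.logLevel`, `xDSAdaptor.jsonLog`, `coe.coeURL` and `coe.coeTracing` carry a fourth "Optional" column the header does not declare, and `` `ADMSettings.licenseServerIP ` `` has a trailing space inside the backticks. Formatting: the COE section heading is `#` while its siblings are `##`, and `*"Note:" The ...*` should be `*Note: The ...*` like the other notes.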

View File

@ -0,0 +1,28 @@
# Citrix ADC as a Sidecar for Istio
Citrix ADC [CPX](https://docs.citrix.com/en-us/citrix-adc-cpx) can act as a sidecar proxy to an application container in Istio. You can inject the Citrix ADC CPX manually or automatically using the [Istio sidecar injector](https://istio.io/docs/setup/additional-setup/sidecar-injection/).
### Prerequisites
The following prerequisites are required for deploying Citrix ADC as a sidecar in an application pod
- Ensure that **Istio** is enabled.
- Ensure that your cluster has Kubernetes version 1.16.0 or later.
- Ensure the [Kubernetes controller manager](https://rancher.com/docs/rke/latest/en/config-options/services/#kubernetes-controller-manager)s default certificate signer is enabled.
**Note**: For RKE based cluster, extra arguments need to be provided for kube-controller service.
```services:
kube-controller:
extra_args:
cluster-signing-cert-file: "/etc/kubernetes/ssl/kube-ca.pem"
cluster-signing-key-file: "/etc/kubernetes/ssl/kube-ca-key.pem"
```
For detailed information follow this [link](https://github.com/citrix/citrix-xds-adaptor/blob/master/docs/istio-integration/rancher-provisioned-cluster.md)
### Important NOTE:
- We should not **Enable Istio Auto Injection** on Application namespace.
- The cpx-injection=enabled label is mandatory for injecting sidecars.
- An example to deploy application along with Citrix ADC CPX sidecar is provided [here](https://github.com/citrix/citrix-helm-charts/blob/master/examples/citrix-adc-in-istio/README.md).
This catalog create resources required for automatically deploying Citrix ADC CPX as a sidecar proxy.For detailed information follow this [link](https://github.com/citrix/citrix-helm-charts/tree/master/citrix-cpx-istio-sidecar-injector)
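Review bot: the RKE snippet's opening fence is malformed: `` ```services: `` puts the first YAML key on the fence line, so the block will not render as code and `services:` is lost; move it to the next line. Wording: "controller manager]s default certificate signer" needs an apostrophe ("controller manager's"), and "This catalog create resources ... proxy.For detailed" should read "This catalog creates resources ... proxy. For detailed".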

View File

@ -0,0 +1,127 @@
#!/bin/bash
set -e
usage() {
cat <<EOF
Generate certificate suitable for use with an Istio webhook service.
This script uses k8s' CertificateSigningRequest API to a generate a
certificate signed by k8s CA suitable for use with Istio webhook
services. This requires permissions to create and approve CSR. See
https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster for
detailed explantion and additional instructions.
The server key/cert k8s CA cert are stored in a k8s secret.
usage: ${0} [OPTIONS]
The following flags are required.
--service Service name of webhook (e.g. cpx-sidecar-injector).
--namespace Namespace where webhook service and secret reside (e.g. citrix-system).
--secret Secret name for CA certificate and server certificate/key pair (e.g. cpx-sidecar-injector-certs).
EOF
exit 1
}
while [[ $# -gt 0 ]]; do
case ${1} in
--service)
service="$2"
shift
;;
--secret)
secret="$2"
shift
;;
--namespace)
namespace="$2"
shift
;;
*)
usage
;;
esac
shift
done
[ -z ${service} ] && service=cpx-sidecar-injector
[ -z ${secret} ] && secret=cpx-sidecar-injector-certs
[ -z ${namespace} ] && namespace=citrix-system
if [ ! -x "$(command -v openssl)" ]; then
echo "openssl not found"
exit 1
fi
csrName=${service}.${namespace}
#tmpdir=$(mktemp -d)
scriptdir="$(dirname "$BASH_SOURCE")"
certdir="$scriptdir/cpx-certs"
mkdir -p ${certdir}
echo "creating certs in directory ${certdir} "
cat <<EOF >> ${certdir}/csr.conf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${service}
DNS.2 = ${service}.${namespace}
DNS.3 = ${service}.${namespace}.svc
EOF
openssl genrsa -out ${certdir}/key.pem 2048
openssl req -new -key ${certdir}/key.pem -subj "/CN=${service}.${namespace}.svc" -out ${certdir}/server.csr -config ${certdir}/csr.conf
# clean-up any previously created CSR for our service. Ignore errors if not present.
kubectl delete csr ${csrName} 2>/dev/null || true
# create server cert/key CSR and send to k8s API
cat <<EOF | kubectl create -f -
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
name: ${csrName}
spec:
groups:
- system:authenticated
request: $(cat ${certdir}/server.csr | base64 | tr -d '\n')
usages:
- digital signature
- key encipherment
- server auth
EOF
# verify CSR has been created
while true; do
kubectl get csr ${csrName}
if [ "$?" -eq 0 ]; then
break
fi
done
# approve and fetch the signed certificate
kubectl certificate approve ${csrName}
# verify certificate has been signed
for x in $(seq 10); do
serverCert=$(kubectl get csr ${csrName} -o jsonpath='{.status.certificate}')
if [[ ${serverCert} != '' ]]; then
break
fi
sleep 1
done
if [[ ${serverCert} == '' ]]; then
echo "ERROR: After approving csr ${csrName}, the signed certificate did not appear on the resource. Giving up after 10 attempts." >&2
exit 1
fi
echo ${serverCert} | openssl base64 -d -A -out ${certdir}/cert.pem
# create the secret with CA cert and server cert/key
kubectl create secret generic ${secret} \
--from-file=key.pem=${certdir}/key.pem \
--from-file=cert.pem=${certdir}/cert.pem \
--dry-run -o yaml |
kubectl -n ${namespace} apply -f -
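Review bot: under `set -e` the `while true` loop around `kubectl get csr ${csrName}` never retries: a non-zero exit from `kubectl get csr` aborts the script before the `if [ "$?" -eq 0 ]` test runs, and if it did not, the loop would spin with no sleep; write it as `until kubectl get csr "${csrName}" >/dev/null 2>&1; do sleep 1; done` with a bounded attempt count like the signing loop that follows. Other points: `cat <<EOF >> ${certdir}/csr.conf` appends, so a second run leaves two `[req]` sections in csr.conf and openssl reads the stale one; use `>`. `apiVersion: certificates.k8s.io/v1beta1` was removed in Kubernetes 1.22, and the v1 API requires an explicit `signerName` and does not accept the `legacy-unknown` signer this request implicitly relies on, so the webhook cert workflow needs an alternative (a chart-generated self-signed CA whose bundle is placed in the webhook `caBundle`, or cert-manager) for 1.22+ clusters. The usage text and the final comment promise the "k8s CA cert" in the secret, but only `key.pem` and `cert.pem` are added; either add the CA bundle or correct the text. Quote the variables in `[ -z ${service} ]` and friends (`[ -z "${service}" ]`), and `--dry-run` without `=client` is deprecated in current kubectl.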

View File

@ -0,0 +1,291 @@
labels:
io.rancher.certified: partner
questions:
- variable: xDSAdaptor.image
required: true
type: string
default: "quay.io/citrix/citrix-xds-adaptor:0.9.9"
description: "xds-adaptor Image to be used"
label: xDSAdaptor Image
group: "xDSAdaptor Settings"
- variable: xDSAdaptor.imagePullPolicy
required: true
type: enum
default: IfNotPresent
description: "Istio-adaptor Image pull policy"
label: istioAdaptor imagePullPolicy
options:
- "Always"
- "IfNotPresent"
- "Never"
group: "xDSAdaptor Settings"
- variable: xDSAdaptor.proxyType
required: true
type: string
default: true
label: xDSAdaptor proxyType
description: "xDSAdaptor proxyType type set to router by default"
group: "xDSAdaptor Settings"
- variable: xDSAdaptor.secureConnect
required: false
type: boolean
default: true
label: xDSAdaptor secureConnect
description: "xDSAdaptor establishes secure gRPC channel with Istio Pilot, if value is set to true"
group: "xDSAdaptor Settings"
- variable: xDSAdaptor.logLevel
required: false
type: enum
default: DEBUG
label: xDSAdaptor logLevel
description: "xDSAdaptor logLevel"
options:
- "TRACE"
- "DEBUG"
- "INFO"
- "WARN"
- "ERROR"
group: "xDSAdaptor Settings"
- variable: xDSAdaptor.jsonLog
required: false
type: string
default: "true"
label: xDSAdaptor jsonLog
description: "Set this argument to true if log messages are required in JSON format"
group: "xDSAdaptor Settings"
- variable: coe.coeURL
required: false
type: string
label: coe coeURL
description: "Name of Citrix Observability Exporter Service"
group: "COE Settings"
- variable: coe.coeTracing
required: false
type: boolean
label: coe coeTracing
description: "Used to send appflow transactions to Zipkin endpoint,if true ADM servicegraph (if configured) can be impacted"
group: "COE Settings"
- variable: istioPilot.name
required: true
type: string
default: istio-pilot
label: istio-pilot name
group: "istio-pilot Settings"
- variable: istioPilot.namespace
required: true
type: string
default: istio-system
label: istio-pilot namespace
description: "Name of the Istio Pilot service"
group: "istio-pilot Settings"
- variable: istioPilot.secureGrpcPort
required: true
type: int
default: 15011
description: "Secure GRPC port where Istio Pilot is listening"
label: istio-pilot secureGrpcPort
show_if: "xDSAdaptor.secureConnect=true"
group: "istio-pilot Settings"
- variable: istioPilot.insecureGrpcPort
required: true
type: int
default: 15010
label: istio-pilot insecureGrpcPort
description: "Insecure GRPC port where Istio Pilot is listening"
show_if: "xDSAdaptor.secureConnect=false"
group: "istio-pilot Settings"
- variable: istioPilot.SAN
required: false
type: string
default:
label: istio-pilot SAN
description: "Subject alternative name for Istio Pilot which is (SPIFFE) ID of Istio Pilot"
show_if: "xDSAdaptor.secureConnect=true"
group: "istio-pilot Settings"
- variable: certProvider.caAddr
required: true
type: string
default: "istiod.istio-system.svc"
label: certProvider caAddr
description: "Certificate Authority (CA) address issuing certificate to application"
group: "certProvider Settings"
- variable: certProvider.caPort
required: true
type: int
default: 15012
label: certProvider caPort
description: "Certificate Authority (CA) port issuing certificate to application"
group: "certProvider Settings"
- variable: certProvider.trustDomain
required: true
type: string
default: "cluster.local"
label: certProvider trustDomain
description: "SPIFFE Trust Domain"
group: "certProvider Settings"
- variable: certProvider.certTTLinHours
required: true
type: int
default: 720
label: certProvider certTTLinHours
description: "Validity of certificate generated by xds-adaptor and signed by Istiod (Istio Citadel) in hours."
group: "certProvider Settings"
- variable: certProvider.clusterId
required: true
type: string
default: "Kubernetes"
label: certProvider clusterId
description: "clusterId is the ID of the cluster where Istiod CA instance resides (default Kubernetes). It can be different value on some cloud platforms or in m
ulticluster environments. For example, in Anthos servicemesh, it might be of the format of `cn<project-name>-<region>-<cluster_name>`. In multiCluster environments, it is the val
ue of global.multiCluster.clusterName provided during servicemesh control plane installation"
group: "certProvider Settings"
- variable: certProvider.jwtPolicy
required: true
type: enum
default: "first-party-jwt"
label: certProvider jwtPolicy
description: "Kubernetes platform supports First party tokens and Third party tokens"
options:
- "first-party-jwt"
- "third-party-jwt"
- variable: cpxProxy.netscalerUrl
required: true
type: string
default: "http://127.0.0.1"
description: "Citrix ADC CPX image used as sidecar proxy"
label: cpxProxy image
group: "cpxProxy Settings"
- variable: cpxProxy.image
required: true
type: string
default: "quay.io/citrix/citrix-k8s-cpx-ingress:13.0-79.64"
description: "Citrix ADC CPX image used as sidecar proxy"
label: cpxProxy image
group: "cpxProxy Settings"
- variable: cpxProxy.imagePullPolicy
required: true
type: enum
default: IfNotPresent
description: "cpxProxy Image pull policy"
label: cpxProxy imagePullPolicy
options:
- "Always"
- "IfNotPresent"
- "Never"
group: "cpxProxy Settings"
- variable: cpxProxy.EULA
required: true
type: enum
label: cpxProxy EULA license
options:
- "YES"
- "NO"
group: "cpxProxy Settings"
- variable: cpxProxy.cpxSidecarMode
required: true
type: string
default: "YES"
description: "Environment variable for Citrix ADC CPX. It indicates that Citrix ADC CPX is running as sidecar mode or not"
label: cpxProxy image
options:
- "YES"
- "NO"
group: "cpxProxy Settings"
- variable: cpxProxy.mgmtHttpPort
required: true
type: int
default: 10080
label: cpxProxy mgmtHttpPort
group: "cpxProxy Settings"
- variable: cpxProxy.mgmtHttpsPort
required: true
type: int
default: 10443
label: cpxProxy mgmtHttpsPort
group: "cpxProxy Settings"
- variable: cpxProxy.cpxDisableProbe
required: true
type: string
default: YES
description: "Environment variable for Citrix ADC CPX. It indicates that Citrix ADC CPX will disable probing dynamic services. It should be enabled for multicluster setup."
label: cpxProxy cpxDisableProbe
options:
- "YES"
- "NO"
group: "cpxProxy Settings"
- variable: sidecarWebHook.webhookImage
required: true
type: string
default: "quay.io/citrix/cpx-istio-sidecar-injector:1.0.0"
label: sidecarWebHook webhookImage
description: "webhookImage image to be used"
group: "sidecarWebHook Settings"
- variable: sidecarWebHook.imagePullPolicy
required: true
type: enum
default: IfNotPresent
label: sidecarWebHook imagePullPolicy
options:
- "Always"
- "IfNotPresent"
- "Never"
group: "sidecarWebHook Settings"
- variable: sidecarCertsGenerator.image
required: true
type: string
default: " quay.io/citrix/cpx-sidecar-injector-certgen:1.1.0"
label: sidecarWebHook webhookImage
description: "webhookImage image to be used"
group: "sidecarCertsGenerator Settings"
- variable: sidecarCertsGenerator.imagePullPolicy
required: true
type: enum
default: IfNotPresent
label: sidecarWebHook imagePullPolicy
options:
- "Always"
- "IfNotPresent"
- "Never"
group: "sidecarCertsGenerator Settings"
- variable: ADMSettings.ADMIP
required: false
type: string
default:
label: ADMSettings ADMIP
description: "Citrix Application Delivery Management (ADM) IP address"
group: "ADMSettings Settings"
- variable: ADMSettings.licenseServerIP
required: false
type: string
default:
label: ADMSettings licenseServerIP
description: "Citrix License Server IP address"
group: "ADMSettings Settings"
- variable: ADMSettings.licenseServerPort
required: false
type: int
default: 27000
label: ADMSettings licenseServerPort
description: "Citrix ADM port if a non-default port is used"
group: "ADMSettings Settings"
- variable: ADMSettings.bandWidthLicense
required: false
type: boolean
default: false
label: ADMSettings bandWidthLicense
description: "To specify bandwidth based licensing"
group: "ADMSettings Settings"
- variable: ADMSettings.bandWidth
required: false
type: string
default:
label: ADMSettings bandWidth
description: "Desired bandwidth capacity to be set for Citrix ADC CPX in Mbps"
group: "ADMSettings Settings"
- variable: webhook.injectionLabelName
required: true
type: string
default: "cpx-injection"
label: webhook injectionLabelName
description: "Label of namespace, where automatic sidecr injection is required"
group: "webhook Settings"
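Review bot: the default for `sidecarCertsGenerator.image`, `" quay.io/citrix/cpx-sidecar-injector-certgen:1.1.0"`, carries a leading space inside the quotes, so a chart installed from the Rancher form would try to pull an invalid image reference; drop the space. In the same hunk the label and description for `sidecarCertsGenerator.image` and `sidecarCertsGenerator.imagePullPolicy` still read `sidecarWebHook webhookImage` / `sidecarWebHook imagePullPolicy`, and `cpxProxy.cpxSidecarMode` is labelled `cpxProxy image`, which looks like copy-paste. `cpxProxy.cpxSidecarMode` and `cpxProxy.cpxDisableProbe` are declared `type: string` yet list `options`, so `type: enum` would match the other toggles, and the unquoted `default: YES` on `cpxDisableProbe` should be quoted like the `"YES"` above it so a YAML 1.1 parser does not turn it into a boolean. The image defaults here also drift from values.yaml in this same commit: `citrix-k8s-cpx-ingress:13.0-79.64` versus `13.0-83.27`, and `cpx-istio-sidecar-injector:1.0.0` versus `1.1.0`; pick one file as the source of truth. Typo: "sidecr" in the `injectionLabelName` description.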

View File

@ -0,0 +1,20 @@
{{/* Below function is used to identify default value of jwtPolicy if not provided.
* For on-prem Kubernetes v1.21+, it is third-party-jwt. Else first-party-jwt.
* Note: Don't just do "helm template" to generate yaml file. Else https://github.com/helm/helm/issues/7991
* is possible. Use "helm template --validate" or "helm install --dry-run --debug".
* Note2: For cloud environments, semverCompare should be ideally done with "<1.21.x-x" as
* Kubernetes version is generally of the format v1.20.7-eks-xxxxxx. So, it fails the "v1.21.x" check but that's fine
* as in cloud environments third-party-jwt is enabled.
*/}}
{{- define "jwtValue" -}}
{{- if .Values.certProvider.jwtPolicy -}}
{{- printf .Values.certProvider.jwtPolicy -}}
{{- else -}}
{{- if semverCompare "<1.21.x" .Capabilities.KubeVersion.Version -}}
{{- printf "first-party-jwt" -}}
{{- else -}}
{{- printf "third-party-jwt" -}}
{{- end -}}
{{- end -}}
{{- end -}}
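Review bot: `{{- printf .Values.certProvider.jwtPolicy -}}` passes a user-supplied value as the printf format string, so a value containing `%` renders garbage instead of the literal; emit it directly with `{{- .Values.certProvider.jwtPolicy -}}`, and consider `fail`-ing the render when the value is neither `first-party-jwt` nor `third-party-jwt`, because the injector template later compares the result with `eq $jwtpolicy "third-party-jwt"` and a typo would silently drop the projected `istio-token` volume. The header comment's warning that plain `helm template` uses a default `.Capabilities.KubeVersion` is important enough to repeat in the chart README, since the wrong branch here produces a pod spec that mounts no token at all.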

View File

@ -0,0 +1,221 @@
# This configmap stores the sidecar proxy info and arguments needed
apiVersion: v1
kind: ConfigMap
metadata:
name: cpx-istio-sidecar-injector
namespace: {{.Release.Namespace}}
labels:
app: cpx-sidecar-injector
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
istio: sidecar-injector
data:
config: |-
policy: enabled
# If user does *NOT* want to inject sidecar on some pods based on label,
# then mention such labels in 'neverInjectSelector' entry.
# Note: This is valid only when istio's sidecar-injector image is running.
neverInjectSelector:
- matchExpressions:
- {key: citrix.com/no.sidecar, operator: Exists}
# Here, if pod has a label citrix.com/no.sidecar, then sidecar won't be injected for that pod.
template: |-
containers:
- name: istio-adaptor
image: {{ .Values.xDSAdaptor.image }}
imagePullPolicy: {{ .Values.xDSAdaptor.imagePullPolicy }}
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: APPLICATION_NAME
valueFrom:
fieldRef:
fieldPath: metadata.labels['app']
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.serviceAccountName
{{- if .Values.certProvider.caAddr }}
- name: CA_ADDR
value: {{ .Values.certProvider.caAddr }}:{{ .Values.certProvider.caPort}} #istiod.istio-system.svc:15012
- name: TRUST_DOMAIN
value: {{ .Values.certProvider.trustDomain }} #cluster.local
- name: CLUSTER_ID
value: {{ .Values.certProvider.clusterId }} #Kubernetes
- name: CERT_TTL_IN_HOURS
value: {{ .Values.certProvider.certTTLinHours }}
- name: JWT_POLICY
value: {{ include "jwtValue" . | quote }} # third-party-jwt if Kubernetes cluster supports third-party tokens
{{- end }}
- name: NS_USER
value: nsroot
- name: NS_PASSWORD
value: nsroot
{{- if eq .Values.coe.coeTracing true }}
- name: COE_TRACING
value: "TRUE"
{{- end }}
- name: LOGLEVEL
value: {{ .Values.xDSAdaptor.logLevel | default "DEBUG" | quote }}
{{- if eq .Values.xDSAdaptor.jsonLog true }}
- name: JSONLOG
value: "TRUE"
{{- end }}
args:
- -ads-server
{{- if eq .Values.xDSAdaptor.secureConnect true }}
- {{ .Values.istioPilot.name}}.{{.Values.istioPilot.namespace }}.svc:{{ .Values.istioPilot.secureGrpcPort }} # istiod.istio-system.svc:15012
{{- else }}
- {{ .Values.istioPilot.name}}.{{.Values.istioPilot.namespace }}.svc:{{ .Values.istioPilot.insecureGrpcPort }} # istiod.istio-system.svc:15010
{{- end }}
- -ads-secure-connect={{ .Values.xDSAdaptor.secureConnect}}
- -ads-server-SAN
- {{ .Values.istioPilot.SAN }}
- -istio-proxy-type
- {{ .Values.xDSAdaptor.proxyType | default "sidecar" | quote }}
- -citrix-adc
- "{{- .Values.cpxProxy.netscalerUrl }}:{{- .Values.cpxProxy.mgmtHttpPort | toString }}"
- -citrix-adc-password
- "/var/deviceinfo/random_id"
{{- if .Values.ADMSettings.ADMIP }}
- -citrix-adm
- {{ .Values.ADMSettings.ADMIP }}
{{- end }}
{{- if .Values.ADMSettings.licenseServerIP }}
- -citrix-license-server
- {{ .Values.ADMSettings.licenseServerIP }}
{{- end }}
{{- if .Values.coe.coeURL }}
- -coe
- {{ .Values.coe.coeURL }}
{{- end }}
volumeMounts:
- mountPath: /var/deviceinfo
name: cpx-pwd
{{- $jwtpolicy := include "jwtValue" . }}
{{- if eq $jwtpolicy "third-party-jwt" }}
- mountPath: /var/run/secrets/tokens
name: istio-token
{{- end }}
- mountPath: /etc/nslogin
name: nslogin
readOnly: true
- name: certs
mountPath: /etc/certs
- name: istiod-ca-cert
mountPath: /etc/rootcert/
securityContext:
readOnlyRootFilesystem: true
runAsGroup: 32024
runAsUser: 32024 # UID of xds-adaptor container's user
runAsNonRoot: true
- name: cpx-proxy
image: {{ .Values.cpxProxy.image }}
imagePullPolicy: IfNotPresent
securityContext:
privileged: true
env:
- name: "EULA"
value: "{{ .Values.cpxProxy.EULA }}"
- name: "CPX_SIDECAR_MODE"
value: {{ .Values.cpxProxy.cpxSidecarMode | quote }}
- name: "CPX_DISABLE_PROBE"
value: "{{ .Values.cpxProxy.cpxDisableProbe }}"
- name: "MGMT_HTTP_PORT"
value: {{ .Values.cpxProxy.mgmtHttpPort | quote }}
- name: "MGMT_HTTPS_PORT"
value: {{ .Values.cpxProxy.mgmtHttpsPort | quote }}
- name: "KUBERNETES_TASK_ID"
value: ""
- name: "NS_CPX_LITE"
value: 1
{{- if or .Values.coe.coeURL .Values.ADMSettings.ADMIP }}
- name: "NS_ENABLE_NEWNSLOG"
value: 1
{{- end }}
- name: "LS_IP"
value: {{ .Values.ADMSettings.licenseServerIP | default "" }}
- name: "LS_PORT"
value: {{ .Values.ADMSettings.licenseServerPort}}
{{- if .Values.ADMSettings.ADMIP }}
- name: "NS_MGMT_SERVER"
value: {{ .Values.ADMSettings.ADMIP }}
- name: "NS_HTTP_PORT"
value: {{ .Values.cpxProxy.mgmtHttpPort | quote }}
- name: "NS_HTTPS_PORT"
value: {{ .Values.cpxProxy.mgmtHttpsPort | quote }}
{{- end }}
- name: "LOGSTREAM_COLLECTOR_IP"
value: {{ .Values.ADMSettings.ADMIP | default "" }}
{{- if and ( .Values.ADMSettings.licenseServerIP ) (eq .Values.ADMSettings.bandWidthLicense true) }}
- name: "BANDWIDTH" #bandwidth is required for provision bandwidth based licensing to Citrix ADC CPX from ADM
value: {{ required "Mention bandwidth for bandwidth based licensing" .Values.ADMSettings.bandWidth | quote }}
{{- end }}
{{- if or (.Values.ADMSettings.ADMIP) (.Values.ADMSettings.licenseServerIP) }}
- name: NS_MGMT_USER
valueFrom:
secretKeyRef:
name: admlogin
key: username
- name: NS_MGMT_PASS
valueFrom:
secretKeyRef:
name: admlogin
key: password
{{- end }}
volumeMounts:
- mountPath: /cpx/conf/
name: cpx-conf
- mountPath: /var/deviceinfo
name: cpx-pwd
- mountPath: /cpx/crash/
name: cpx-crash
volumes:
- name: cpx-conf
emptyDir: {}
- name: cpx-pwd
emptyDir: {}
- name: cpx-crash
emptyDir: {}
- name: nslogin
secret:
optional: true
secretName: nslogin
- name: certs
emptyDir: {}
{{- $jwtpolicy := include "jwtValue" . }}
{{- if eq $jwtpolicy "third-party-jwt" }}
- name: istio-token
projected:
sources:
- serviceAccountToken:
audience: istio-ca
expirationSeconds: 43200
path: istio-token
{{- end }}
- name: istiod-ca-cert
configMap:
defaultMode: 0777
name: istio-ca-root-cert
values: |-
{
"global": {
"jwtPolicy": "third-party-jwt",
}
}
---
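Review bot: the injected `cpx-proxy` container runs with `privileged: true` (the `securityContext` right after `image: {{ .Values.cpxProxy.image }}`), and the adaptor container is handed `NS_USER` / `NS_PASSWORD` as the literal `nsroot` / `nsroot`, so every application pod in an opted-in namespace gains a privileged container plus well-known default credentials visible in its environment. If CPX needs specific capabilities, list them under `capabilities.add` rather than `privileged`; and since the adaptor already takes the per-pod password from `/var/deviceinfo/random_id` via `-citrix-adc-password`, `NS_PASSWORD` looks redundant and should be removed or sourced from the optional `nslogin` secret the same container mounts at `/etc/nslogin`. `imagePullPolicy: IfNotPresent` on `cpx-proxy` is hard-coded although `cpxProxy.imagePullPolicy` is exposed in values.yaml and questions.yaml. The API server will also reject the rendered pod where env values are not strings: `NS_CPX_LITE` and `NS_ENABLE_NEWNSLOG` use `value: 1`, and `LS_PORT` uses the bare `{{ .Values.ADMSettings.licenseServerPort}}`; pipe these through `quote` like the neighbouring entries. `defaultMode: 0777` on the `istio-ca-root-cert` mount is wider than a read-only CA bundle needs (0444 suffices), and the `values:` JSON block has a trailing comma after `"third-party-jwt",`, which is invalid JSON and hard-codes a policy that the `jwtValue` helper computes dynamically in the same template.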

View File

@ -0,0 +1,108 @@
apiVersion: v1
kind: Service
metadata:
name: cpx-sidecar-injector
namespace: {{ .Release.Namespace }}
labels:
istio: sidecar-injector
app: cpx-sidecar-injector
spec:
ports:
- port: 443
selector:
istio: sidecar-injector
---
# Deployment
apiVersion: apps/v1
kind: Deployment
metadata:
name: cpx-sidecar-injector
namespace: {{ .Release.Namespace }}
labels:
app: sidecarInjectorWebhook
istio: sidecar-injector
app: cpx-sidecar-injector
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
spec:
replicas: 1
selector:
matchLabels:
app: cpx-sidecar-injector
istio: sidecar-injector
template:
metadata:
labels:
istio: sidecar-injector
app: cpx-sidecar-injector
annotations:
sidecar.istio.io/inject: "false"
scheduler.alpha.kubernetes.io/critical-pod: ""
spec:
serviceAccountName: cpx-sidecar-injector-service-account
initContainers:
- name: sidecar-certs-generator
image: {{ .Values.sidecarCertsGenerator.image }}
imagePullPolicy: {{ .Values.sidecarCertsGenerator.imagePullPolicy }}
volumeMounts:
- name: certs
mountPath: /tmp
containers:
- name: sidecar-injector-webhook
image: {{ .Values.sidecarWebHook.webhookImage }}
imagePullPolicy: {{ .Values.sidecarWebHook.imagePullPolicy }}
args:
- --caCertFile=/etc/istio/certs/cert.pem
- --tlsCertFile=/etc/istio/certs/cert.pem
- --tlsKeyFile=/etc/istio/certs/key.pem
- --injectConfig=/etc/istio/inject/config
- --meshConfig=/etc/istio/config/mesh
- --healthCheckInterval=10s
- --webhookConfigName=cpx-sidecar-injector
volumeMounts:
- name: config-volume
mountPath: /etc/istio/config
readOnly: true
- name: certs
mountPath: /etc/istio/certs
readOnly: true
- name: inject-config
mountPath: /etc/istio/inject
readOnly: true
livenessProbe:
exec:
command:
- cat
- /health
failureThreshold: 5
initialDelaySeconds: 4
periodSeconds: 10
readinessProbe:
exec:
command:
- cat
- /health
failureThreshold: 5
initialDelaySeconds: 4
periodSeconds: 10
initialDelaySeconds: 4
resources:
requests:
cpu: 10m
volumes:
- name: config-volume
configMap:
name: istio
- name: certs
emptyDir: {}
- name: inject-config
configMap:
name: cpx-istio-sidecar-injector
items:
- key: config
path: config
- key: values
path: values
---
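Review bot: the Deployment's metadata labels define `app` twice (`app: sidecarInjectorWebhook` and `app: cpx-sidecar-injector`) and the readinessProbe repeats `initialDelaySeconds: 4`; duplicate mapping keys are silently collapsed by lenient decoders and rejected by strict ones, so drop the first `app` and the second `initialDelaySeconds`. `--caCertFile` and `--tlsCertFile` both point at `/etc/istio/certs/cert.pem`; that only works if `sidecar-certs-generator` emits a self-signed certificate, because the caCertFile is what gets patched into the webhook's empty `caBundle`. If the init container instead obtains its certificate through the CSR API (which the ClusterRole in this commit permits), the chain will not validate against its own leaf. The webhook container also has no `securityContext` (no `runAsNonRoot`, `readOnlyRootFilesystem` or dropped capabilities) and no resource limits, unlike the adaptor sidecar it injects; `scheduler.alpha.kubernetes.io/critical-pod` has been ignored since Kubernetes 1.16, the chart's minimum, and should become a `priorityClassName`. Finally, `config-volume` reads a ConfigMap named `istio`, which collides with Istio's own mesh ConfigMap when the release namespace is `istio-system`.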

View File

@ -0,0 +1,16 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: istio
namespace: {{ .Release.Namespace }}
labels:
app: cpx-sidecar-injector
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
istio: sidecar-injector
data:
mesh: |-
# Needed for injection of securityContext in PodSpec during auto-sidecar injection
sdsUdsPath: unix:/etc/istio/proxy/SDS
---
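Review bot: naming this ConfigMap `istio` in `{{ .Release.Namespace }}` collides with the ConfigMap of the same name that istiod maintains in `istio-system`; Helm refuses to adopt a resource it did not create, so installing the chart into `istio-system` fails, and if the conflict is forced through, Istio's mesh config is replaced by a one-line `sdsUdsPath`. Use a release-scoped name such as `{{ .Release.Name }}-mesh-config` and reference it from the Deployment's `config-volume`.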

View File

@ -0,0 +1,48 @@
# Serviceaccount
apiVersion: v1
kind: ServiceAccount
metadata:
name: cpx-sidecar-injector-service-account
namespace: {{ .Release.Namespace }}
labels:
app: cpx-sidecar-injector
---
# ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cpx-sidecar-injector-istio-system
labels:
app: cpx-sidecar-injector
rules:
- apiGroups: ["*"]
resources: ["configmaps"]
verbs: ["get", "list", "watch"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["certificates.k8s.io"]
resources: ["certificatesigningrequests", "certificatesigningrequests/approval"]
verbs: ["get", "list", "create", "watch", "delete", "update"]
- apiGroups: ["certificates.k8s.io"]
resources: ["signers"]
resourceNames: ["kubernetes.io/legacy-unknown", "kubernetes.io/kubelet-serving"]
verbs: ["get", "list", "create", "watch", "delete", "update", "approve"]
---
# ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cpx-sidecar-injector-admin-role-binding-istio-system
labels:
app: cpx-sidecar-injector
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cpx-sidecar-injector-istio-system
subjects:
- kind: ServiceAccount
name: cpx-sidecar-injector-service-account
namespace: {{ .Release.Namespace }}
---
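Review bot: the ClusterRole grants `create` plus `approve` on `certificatesigningrequests` with `resourceNames` that include the `kubernetes.io/kubelet-serving` signer, which lets this ServiceAccount mint cluster-CA-signed certificates for any kubelet identity; that is far beyond what a webhook needs for its own serving certificate. If the init container generates a self-signed certificate, drop the `certificates.k8s.io` rules entirely; if it really uses the CSR flow, restrict the signer to what it uses and note that `kubernetes.io/legacy-unknown` is only reachable through the `certificates.k8s.io/v1beta1` API, which was removed in Kubernetes 1.22. The `configmaps` rule uses `apiGroups: ["*"]` where `[""]` is the only group that has ConfigMaps, and since the Deployment only mounts ConfigMaps from its own namespace this can be a namespaced Role instead of cluster-wide read of every ConfigMap. The `mutatingwebhookconfigurations` `patch` should be scoped with `resourceNames: ["cpx-sidecar-injector"]`. Both cluster-scoped names carry a hard-coded `-istio-system` suffix; derive it from `{{ .Release.Namespace }}` so two releases in different namespaces do not overwrite each other's ClusterRoleBinding.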

View File

@ -0,0 +1,15 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
labels:
app: cpx-sidecar-injector
name: cpx-sidecar-injector
namespace: {{ .Release.Namespace }}
spec:
ingress:
- {}
podSelector:
matchLabels:
app: cpx-sidecar-injector
policyTypes:
- Ingress
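Review bot: `ingress: - {}` with `policyTypes: [Ingress]` is an allow-all rule, so this NetworkPolicy grants exactly the access that having no policy would, while giving the impression of isolation. The only legitimate client is the API server calling the admission webhook on the Service's port 443, so at minimum restrict the rule to `ports: [{protocol: TCP, port: 443}]`; selecting the API server by `ipBlock` is cluster-specific, so document that rather than leaving the rule empty. If the intent is only to mark the pod as covered by a policy, say so in a comment.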

View File

@ -0,0 +1,37 @@
# Mutating wehbook is used to perform sidecar injection.
# It calls sidecar-injector-service when the label is matched.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: cpx-sidecar-injector
namespace: {{ .Release.Namespace }}
labels:
app: cpx-sidecar-injector
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
webhooks:
- name: sidecar-injector.istio.io
admissionReviewVersions:
- v1
clientConfig:
service:
name: cpx-sidecar-injector
namespace: {{ .Release.Namespace }}
path: "/inject"
caBundle: ""
rules:
- operations: [ "CREATE" ]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
scope: "*"
sideEffects: None
failurePolicy: Fail
namespaceSelector:
matchLabels:
{{- if .Values.webhook.injectionLabelName }}
{{ .Values.webhook.injectionLabelName }}: enabled
{{- else }}
cpx-injection: enabled
{{- end }}
---
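Review bot: `namespace: {{ .Release.Namespace }}` in metadata is ignored on a cluster-scoped MutatingWebhookConfiguration and should be removed; together with the hard-coded `name: cpx-sidecar-injector` it also means only one release can exist per cluster. `caBundle: ""` relies on the injector patching in its own CA at runtime, and until that patch lands `failurePolicy: Fail` blocks every pod creation in a namespace labelled `cpx-injection: enabled`. `Fail` is the safer choice (`Ignore` would silently admit pods without the proxy), but the README should state that pod creation in opted-in namespaces depends on this Deployment being healthy, and `timeoutSeconds` should be set explicitly rather than left at the 10s default. The `{{- else }}` branch writing `cpx-injection: enabled` is dead given the same default in values.yaml; keep one source. Typo in the header comment: "wehbook".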

View File

@ -0,0 +1,60 @@
# Default values for cpx-istio.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
xDSAdaptor:
image: quay.io/citrix/citrix-xds-adaptor:0.9.9
imagePullPolicy: IfNotPresent
proxyType: sidecar
secureConnect: true
logLevel: DEBUG
jsonLog: false
coe:
coeURL:
coeTracing: false
istioPilot:
name: istiod
namespace: istio-system
secureGrpcPort: 15012
insecureGrpcPort: 15010
SAN: #"spiffe://cluster.local/ns/istio-system/sa/istiod-service-account"
certProvider:
caAddr: istiod.istio-system.svc
caPort: 15012
trustDomain: cluster.local
certTTLinHours: 720
clusterId: Kubernetes
jwtPolicy: #specify third-party-jwt if Kubernetes cluster supports third-party tokens
cpxProxy:
netscalerUrl: "http://127.0.0.1"
image: quay.io/citrix/citrix-k8s-cpx-ingress:13.0-83.27
imagePullPolicy: IfNotPresent
EULA: NO
cpxSidecarMode: YES
mgmtHttpPort: 10080
mgmtHttpsPort: 10443
cpxDisableProbe: "YES"
#licenseServerIP: this value is taken from ADMSettings.ADMIP
sidecarWebHook:
webhookImage: quay.io/citrix/cpx-istio-sidecar-injector:1.1.0
imagePullPolicy: IfNotPresent
sidecarCertsGenerator:
image: quay.io/citrix/cpx-sidecar-injector-certgen:1.1.0
imagePullPolicy: IfNotPresent
ADMSettings:
ADMIP:
licenseServerIP:
licenseServerPort: 27000
bandWidthLicense: false
bandWidth:
webhook:
injectionLabelName: cpx-injection
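Review bot: `EULA: NO` and `cpxSidecarMode: YES` are unquoted, and Helm's YAML 1.1 parser reads `YES`/`NO` as booleans, so the injector template renders `EULA: "false"` and `CPX_SIDECAR_MODE: "true"` instead of the literal `NO`/`YES` the CPX image expects; quote them the way `cpxDisableProbe: "YES"` already is. `istioPilot.SAN` is empty while the template unconditionally emits `-ads-server-SAN` followed by `{{ .Values.istioPilot.SAN }}`, which yields a null args element and a rejected pod unless the user sets it; either default it to the commented `spiffe://cluster.local/ns/istio-system/sa/istiod-service-account` or guard both args with an `if`. `logLevel: DEBUG` is a noisy shipped default; `INFO` is the usual production setting. The image tags here (`citrix-k8s-cpx-ingress:13.0-83.27`, `cpx-istio-sidecar-injector:1.1.0`) do not match the defaults in `questions.yaml` in this commit.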

View File

@ -366,6 +366,32 @@ entries:
- assets/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway-1.2.100.tgz
version: 1.2.100
citrix-cpx-istio-sidecar-injector:
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Citrix Cpx Istio Sidecar Injector
catalog.cattle.io/release-name: citrix-cpx-istio-sidecar-injector
apiVersion: v2
appVersion: 1.11.0
created: "2021-11-22T18:14:45.857822-05:00"
description: A Helm chart to deploy resources which install Citrix ADC CPX in
Istio Service Mesh as sidecar in application pod
digest: bf1aee48044ff55d859db570c7402a2ce64f6cc948623a2aacf413a2df55a26f
home: https://www.citrix.com
icon: https://raw.githubusercontent.com/citrix/citrix-xds-adaptor/master/docs/media/Citrix_Logo_Trademark.png
kubeVersion: '>=v1.16.0-0'
maintainers:
- email: dhiraj.gedam@citrix.com
name: dheerajng
- email: subash.dangol@citrix.com
name: subashd
- email: ajeeta.shakeet@citrix.com
name: ajeetas
name: citrix-cpx-istio-sidecar-injector
sources:
- https://github.com/citrix/citrix-xds-adaptor
urls:
- assets/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector-1.11.1.tgz
version: 1.11.1
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Citrix Cpx Istio Sidecar Injector