{{- if eq .Values.citrixCPX true }} apiVersion: apps/v1 kind: Deployment metadata: name: {{ template "generate-name" (list . (dict "suffixname" "ingress-deployment")) }} namespace: {{ .Release.Namespace }} labels: app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} deployment: "cpx-ingressgateway" # This label is useful in ServiceGraph spec: replicas: 1 selector: matchLabels: app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} template: metadata: labels: app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} citrix.com/no.sidecar: "true" adc: "citrix" deployment: "cpx-ingressgateway" # This label is useful in ServiceGraph annotations: scheduler.alpha.kubernetes.io/critical-pod: "" prometheus.io/port: "{{ .Values.metricExporter.port }}" prometheus.io/scrape: "true" spec: volumes: - name: citrix-ingressgateway-certs secret: optional: true secretName: "citrix-ingressgateway-certs" # IMPORTANT: This secret MUST BE created before deploying gateway and ingress-gateway - name: citrix-ingressgateway-ca-certs secret: optional: true secretName: "citrix-ingressgateway-ca-certs" # IMPORTANT: This secret MUST BE created before deploying gateway and ingress-gateway - name: podinfo downwardAPI: items: - path: "labels" fieldRef: fieldPath: metadata.labels - path: "annotations" fieldRef: fieldPath: metadata.annotations {{- range .Values.ingressGateway.secretVolumes }} - name: {{ .name }} secret: secretName: {{ .secretName | quote }} optional: true {{- end }} - name: cpx-conf emptyDir: {} - name: cpx-crash emptyDir: {} - name: cpx-pwd emptyDir: {} - name: certs emptyDir: {} {{- $jwtpolicy := include "jwtValue" . }} {{- if eq $jwtpolicy "third-party-jwt" }} - name: istio-token projected: sources: - serviceAccountToken: audience: istio-ca expirationSeconds: 43200 path: istio-token {{- end }} - name: istiod-ca-cert configMap: defaultMode: 0777 name: istio-ca-root-cert securityContext: fsGroup: 32024 containers: {{- if eq .Values.metricExporter.required true }} - name: exporter image: {{ tpl .Values.metricExporter.image . }} imagePullPolicy: IfNotPresent args: - "--target-nsip=127.0.0.1" - "--port={{ .Values.metricExporter.port }}" - "--log-level={{ .Values.metricExporter.logLevel }}" - "--secure=no" env: - name: "NS_DEPLOYMENT_MODE" value: "SIDECAR" securityContext: readOnlyRootFilesystem: true volumeMounts: - mountPath: /var/deviceinfo name: cpx-pwd {{- end }} - name: istio-adaptor image: {{ tpl .Values.xDSAdaptor.image . }} imagePullPolicy: {{ .Values.xDSAdaptor.imagePullPolicy }} args: - -ads-server {{- if eq .Values.xDSAdaptor.secureConnect true }} - {{ .Values.istioPilot.name}}.{{ .Values.istioPilot.namespace }}.svc:{{ .Values.istioPilot.secureGrpcPort }} # istiod.istio-system.svc:15012 {{- else }} - {{ .Values.istioPilot.name}}.{{ .Values.istioPilot.namespace }}.svc:{{ .Values.istioPilot.insecureGrpcPort }} # istiod.istio-system.svc:15010 {{- end }} - -istio-proxy-type - {{ .Values.xDSAdaptor.proxyType | default "router" | quote }} {{- if .Values.istioPilot.SAN }} - -ads-server-SAN - {{ .Values.istioPilot.SAN | default "" }} {{- end }} - -ads-secure-connect={{ .Values.xDSAdaptor.secureConnect }} - -citrix-adc - "http://127.0.0.1" - -citrix-adc-vip - "nsip" - -citrix-adc-password - "/var/deviceinfo/random_id" {{- if .Values.ADMSettings.ADMIP }} - -citrix-adm - {{ .Values.ADMSettings.ADMIP }} {{- end }} {{- if .Values.ingressGateway.cpxLicenseAggregator }} - -citrix-license-server - {{ .Values.ingressGateway.cpxLicenseAggregator }} {{- else if .Values.ADMSettings.licenseServerIP }} - -citrix-license-server - {{ .Values.ADMSettings.licenseServerIP }} {{- end }} {{- if .Values.coe.coeURL }} - -coe - {{ .Values.coe.coeURL }} {{- end }} env: - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - name: APPLICATION_NAME valueFrom: fieldRef: fieldPath: metadata.labels['app'] - name: SERVICE_ACCOUNT valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.serviceAccountName {{- if .Values.certProvider.caAddr }} - name: CA_ADDR value: {{ .Values.certProvider.caAddr }}:{{ .Values.certProvider.caPort}} #istiod.istio-system.svc:15012 - name: TRUST_DOMAIN value: {{ .Values.certProvider.trustDomain }} #cluster.local - name: CLUSTER_ID value: {{ .Values.certProvider.clusterId }} #Kubernetes - name: CERT_TTL_IN_HOURS value: {{ .Values.certProvider.certTTLinHours | quote }} - name: JWT_POLICY value: {{ include "jwtValue" . | quote }} # If value not provided then third-party-jwt for v>=1.21 otherwise first-party-jwt {{- end }} {{- if eq .Values.ingressGateway.multiClusterIngress true }} - name: MULTICLUSTER_INGRESS value: "TRUE" - name: MULTICLUSTER_LISTENER_PORT value: {{ .Values.ingressGateway.multiClusterListenerPort | quote}} - name: MULTICLUSTER_SVC_DOMAIN value: {{ printf "'*.%s'" .Values.ingressGateway.multiClusterSvcDomain }} {{- end }} {{- if eq .Values.coe.coeTracing true }} - name: COE_TRACING value: "TRUE" {{- end }} - name: LOGLEVEL value: {{ .Values.xDSAdaptor.logLevel | default "DEBUG" | quote }} {{- if eq .Values.xDSAdaptor.jsonLog true }} - name: JSONLOG value: "TRUE" {{- end }} - name: ENABLE_LABELS_FEATURE value: {{ .Values.ingressGateway.enableLabelsFeature | quote }} {{- if eq .Values.xDSAdaptor.defaultSSLListenerOn443 true }} - name: DEFAULT_SSL_LISTENER_ON_443 value: "TRUE" {{- end }} securityContext: readOnlyRootFilesystem: true runAsGroup: 32024 runAsUser: 32024 # UID of istio-adaptor container's user volumeMounts: - mountPath: /var/deviceinfo name: cpx-pwd {{- $jwtpolicy := include "jwtValue" . }} {{- if eq $jwtpolicy "third-party-jwt" }} - mountPath: /var/run/secrets/tokens name: istio-token {{- end }} - mountPath: /etc/certs name: certs - name: istiod-ca-cert mountPath: /etc/rootcert/ - mountPath: /etc/istio/ingressgateway-certs # Make sure that Gateway definition has this path mentioned in server.tls section for SIMPLE TLS name: citrix-ingressgateway-certs readOnly: true - mountPath: /etc/istio/ingressgateway-ca-certs # Make sure that Gateway definition has this path mentioned in server.tls section for MUTUAL TLS name: citrix-ingressgateway-ca-certs readOnly: true - mountPath: /etc/podinfo name: podinfo {{- range .Values.ingressGateway.secretVolumes }} - name: {{ .name }} mountPath: {{ .mountPath | quote }} readOnly: true {{- end }} - name: citrix-ingressgateway image: "{{ tpl .Values.ingressGateway.image . }}" imagePullPolicy: {{ .Values.ingressGateway.imagePullPolicy }} securityContext: privileged: true ports: - containerPort: 80 - containerPort: 443 {{- if .Values.ingressGateway.mgmtHttpPort }} - containerPort: {{ .Values.ingressGateway.mgmtHttpPort }} {{- end }} {{- if .Values.ingressGateway.mgmtHttpsPort }} - containerPort: {{ .Values.ingressGateway.mgmtHttpsPort }} {{- end }} {{- range .Values.ingressGateway.tcpPort }} - containerPort: {{ .port }} {{- end }} volumeMounts: - mountPath: /cpx/conf/ name: cpx-conf - mountPath: /cpx/crash/ name: cpx-crash - mountPath: /var/deviceinfo name: cpx-pwd env: - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace {{- if .Values.ingressGateway.cpxLicenseAggregator }} - name: "CLA" value: "{{ .Values.ingressGateway.cpxLicenseAggregator }}" {{- else if .Values.ADMSettings.licenseServerIP }} - name: "LS_IP" value: {{ .Values.ADMSettings.licenseServerIP }} - name: "LS_PORT" value: "{{ .Values.ADMSettings.licenseServerPort }}" {{- end }} - name: "EULA" value: "{{ .Values.ingressGateway.EULA }}" {{- if .Values.metricExporter.required }} - name: "METRICS_EXPORTER_PORT" value: "{{ .Values.metricExporter.port }}" {{- end }} - name: "MGMT_HTTP_PORT" value: "{{ .Values.ingressGateway.mgmtHttpPort }}" - name: "MGMT_HTTPS_PORT" value: "{{ .Values.ingressGateway.mgmtHttpsPort }}" {{- if .Values.ingressGateway.lightWeightCPX }} - name: "NS_CPX_LITE" value: "1" {{- end }} {{- if or .Values.coe.coeURL .Values.ADMSettings.ADMIP }} - name: "NS_ENABLE_NEWNSLOG" value: "1" {{- end }} - name: "KUBERNETES_TASK_ID" value: "" {{- if .Values.ADMSettings.ADMIP }} - name: "NS_MGMT_SERVER" value: {{ .Values.ADMSettings.ADMIP | quote }} - name: "NS_HTTP_PORT" value: {{ .Values.ingressGateway.mgmtHttpPort | quote }} - name: "NS_HTTPS_PORT" value: {{ .Values.ingressGateway.mgmtHttpsPort | quote }} - name: "ANALYTICS_SERVER" value: {{ .Values.ADMSettings.ADMIP | quote }} - name: "ANALYTICS_SERVER_PORT" value: {{ .Values.ADMSettings.analyticsServerPort | quote }} {{- end }} - name: "LOGSTREAM_COLLECTOR_IP" value: {{ .Values.ADMSettings.ADMIP | default "" | quote }} #Need to set env var BANDWIDTH in order to provide Bandwidth license to Citrix ADC CPX from ADM or CPX License Aggregator {{- if and ( or ( .Values.ADMSettings.licenseServerIP ) ( .Values.ingressGateway.cpxLicenseAggregator ) ) ( eq .Values.ADMSettings.bandWidthLicense true ) }} - name: "BANDWIDTH" value: {{ .Values.ADMSettings.bandWidth | quote }} {{- end }} #for multiple-PE support, need to set CPX_CORES {{- if or .Values.ADMSettings.licenseServerIP .Values.ingressGateway.cpxLicenseAggregator }} {{- if or ( eq .Values.ADMSettings.vCPULicense true ) ( eq .Values.ADMSettings.bandWidthLicense true ) }} - name: "CPX_CORES" value: {{ .Values.ADMSettings.cpxCores | default 1 | quote }} {{- end }} {{- end }} - name: "EDITION" value: {{ .Values.ADMSettings.licenseEdition | quote }} {{- if or (.Values.ADMSettings.ADMIP) (.Values.ADMSettings.licenseServerIP) }} - name: NS_MGMT_USER valueFrom: secretKeyRef: name: admlogin key: username - name: NS_MGMT_PASS valueFrom: secretKeyRef: name: admlogin key: password {{- end }} --- {{ else }} apiVersion: apps/v1 kind: Deployment metadata: name: {{ template "generate-name" (list . (dict "suffixname" "ingress-deployment")) }} namespace: {{ .Release.Namespace }} labels: app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} spec: replicas: 1 selector: matchLabels: app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} template: metadata: labels: app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} citrix.com/no.sidecar: "true" adc: "citrix" annotations: scheduler.alpha.kubernetes.io/critical-pod: "" prometheus.io/port: "{{ .Values.metricExporter.port }}" prometheus.io/scrape: "true" spec: containers: {{- if eq .Values.metricExporter.required true }} - name: exporter image: {{ tpl .Values.metricExporter.image . }} imagePullPolicy: {{ .Values.metricExporter.imagePullPolicy }} args: - "--target-nsip={{- include "exporter_nsip" . -}}" - "--port={{ .Values.metricExporter.port }}" - "--secure={{ .Values.metricExporter.secure | lower}}" - "--log-level={{ .Values.metricExporter.logLevel }}" securityContext: readOnlyRootFilesystem: true volumeMounts: - name: nslogin mountPath: "/mnt/nslogin" readOnly: true {{- end }} - name: istio-adaptor image: {{ tpl .Values.xDSAdaptor.image . }} imagePullPolicy: {{ .Values.xDSAdaptor.imagePullPolicy }} env: - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - name: APPLICATION_NAME valueFrom: fieldRef: fieldPath: metadata.labels['app'] - name: SERVICE_ACCOUNT valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.serviceAccountName {{- if .Values.certProvider.caAddr }} - name: CA_ADDR value: {{ .Values.certProvider.caAddr }}:{{ .Values.certProvider.caPort}} #istiod.istio-system.svc:15012 - name: TRUST_DOMAIN value: {{ .Values.certProvider.trustDomain }} #cluster.local - name: CLUSTER_ID value: {{ .Values.certProvider.clusterId }} #Kubernetes - name: CERT_TTL_IN_HOURS value: {{ .Values.certProvider.certTTLinHours | quote }} - name: JWT_POLICY value: {{ include "jwtValue" . | quote }} # third-party-jwt if Kubernetes cluster supports third-party tokens {{- end }} {{- if eq .Values.ingressGateway.multiClusterIngress true }} - name: MULTICLUSTER_INGRESS value: "TRUE" - name: MULTICLUSTER_LISTENER_PORT value: {{ .Values.ingressGateway.multiClusterListenerPort | quote}} - name: MULTICLUSTER_SVC_DOMAIN value: {{ printf "'*.%s'" .Values.ingressGateway.multiClusterSvcDomain }} {{- end }} {{- if eq .Values.coe.coeTracing true }} - name: COE_TRACING value: "TRUE" {{- end }} - name: LOGLEVEL value: {{ .Values.xDSAdaptor.logLevel | default "DEBUG" | quote }} {{- if eq .Values.xDSAdaptor.jsonLog true }} - name: JSONLOG value: "TRUE" {{- end }} - name: ENABLE_LABELS_FEATURE value: "FALSE" {{- if eq .Values.xDSAdaptor.defaultSSLListenerOn443 true }} - name: DEFAULT_SSL_LISTENER_ON_443 value: "TRUE" {{- end }} - name: NS_USER valueFrom: secretKeyRef: name: {{ .Values.secretName }} key: username - name: NS_PASSWORD valueFrom: secretKeyRef: name: {{ .Values.secretName }} key: password args: - -ads-server {{- if eq .Values.xDSAdaptor.secureConnect true }} - {{ .Values.istioPilot.name}}.{{ .Values.istioPilot.namespace }}.svc:{{ .Values.istioPilot.secureGrpcPort }} # istiod.istio-system.svc:15012 {{- else }} - {{ .Values.istioPilot.name}}.{{ .Values.istioPilot.namespace }}.svc:{{ .Values.istioPilot.insecureGrpcPort }} # istiod.istio-system.svc:15010 {{- end }} - -istio-proxy-type - {{ .Values.xDSAdaptor.proxyType | default "router" | quote }} {{- if .Values.istioPilot.SAN }} - -ads-server-SAN - {{ .Values.istioPilot.SAN | default "" }} {{- end }} - -ads-secure-connect={{ .Values.xDSAdaptor.secureConnect }} - -citrix-adc - {{ required "Mention Citrix ADC IP/URL in https://[:port] format" .Values.ingressGateway.netscalerUrl }} - -citrix-adc-vip - {{ required "Mention Vserver IP to be configured on Citrix ADC" .Values.ingressGateway.vserverIP }} - -citrix-adc-user - "/etc/nslogin/username" - -citrix-adc-password - "/etc/nslogin/password" # If using VPX/MPX as Ingress gateway, then specify the network profile name # which was provided to Citrix Node Controller (CNC) {{- if .Values.ingressGateway.netProfile }} - -citrix-adc-net-profile - {{ .Values.ingressGateway.netProfile }} {{- end }} - -citrix-adm - "" {{- if .Values.coe.coeURL }} - -coe - {{ .Values.coe.coeURL }} {{- end }} {{- if .Values.ingressGateway.adcServerName }} - -citrix-adc-server-name - {{ .Values.ingressGateway.adcServerName }} - -citrix-adc-server-ca - "/etc/nitro/root-cert.pem" {{- end }} securityContext: readOnlyRootFilesystem: true runAsGroup: 32024 runAsUser: 32024 # UID of istio-adaptor container's user volumeMounts: - mountPath: /etc/certs name: certs - name: istiod-ca-cert mountPath: /etc/rootcert/ {{- $jwtpolicy := include "jwtValue" . }} {{- if eq $jwtpolicy "third-party-jwt" }} - mountPath: /var/run/secrets/tokens name: istio-token {{- end }} - mountPath: /etc/nslogin name: nslogin readOnly: true - mountPath: /etc/istio/ingressgateway-certs # Make sure that Gateway definition has this path mentioned in server.tls section for SIMPLE TLS name: citrix-ingressgateway-certs readOnly: true - mountPath: /etc/istio/ingressgateway-ca-certs # Make sure that Gateway definition has this path mentioned in server.tls section for MUTUAL TLS name: citrix-ingressgateway-ca-certs readOnly: true - mountPath: /etc/podinfo name: podinfo {{- range .Values.ingressGateway.secretVolumes }} - name: {{ .name }} mountPath: {{ .mountPath | quote }} readOnly: true {{- end }} {{- if .Values.ingressGateway.adcServerName }} - mountPath: /etc/nitro/ name: citrix-adc-cert readOnly: true {{- end }} securityContext: fsGroup: 32024 volumes: - name: nslogin secret: optional: true secretName: {{ .Values.secretName }} - name: certs emptyDir: {} - name: istiod-ca-cert configMap: defaultMode: 0777 name: istio-ca-root-cert - name: citrix-ingressgateway-certs secret: optional: true secretName: "citrix-ingressgateway-certs" # IMPORTANT: This secret MUST BE created before deploying gateway and ingress-gateway - name: citrix-ingressgateway-ca-certs secret: optional: true secretName: "citrix-ingressgateway-ca-certs" # IMPORTANT: This secret MUST BE created before deploying gateway and ingress-gateway - name: podinfo downwardAPI: items: - path: "labels" fieldRef: fieldPath: metadata.labels - path: "annotations" fieldRef: fieldPath: metadata.annotations {{- range .Values.ingressGateway.secretVolumes }} - name: {{ .name }} secret: secretName: {{ .secretName | quote }} optional: true {{- end }} {{- if .Values.ingressGateway.adcServerName }} - name: citrix-adc-cert secret: optional: true secretName: "citrix-adc-cert" # IMPORTANT: This secret MUST BE created before deploying gateway and ingress-gateway {{- end }} {{- $jwtpolicy := include "jwtValue" . }} {{- if eq $jwtpolicy "third-party-jwt" }} - name: istio-token projected: sources: - serviceAccountToken: audience: istio-ca expirationSeconds: 43200 path: istio-token {{- end }} --- {{- end}}