andata
/
rancher-partner-charts
mirror of https://git.rancher.io/partner-charts
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
rancher-partner-charts/charts/citrix/citrix-adc-istio-ingress-ga.../templates/citrix-adc-ingressgateway-d...

572 lines
21 KiB
YAML
Raw Blame History

{{- if eq .Values.citrixCPX true }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "generate-name" (list . (dict "suffixname" "ingress-deployment")) }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }}
deployment: "cpx-ingressgateway" # This label is useful in ServiceGraph
spec:
replicas: 1
selector:
matchLabels:
app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }}
template:
metadata:
labels:
app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }}
citrix.com/no.sidecar: "true"
adc: "citrix"
deployment: "cpx-ingressgateway" # This label is useful in ServiceGraph
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ""
prometheus.io/port: "{{ .Values.metricExporter.port }}"
prometheus.io/scrape: "true"
spec:
volumes:
- name: citrix-ingressgateway-certs
secret:
optional: true
secretName: "citrix-ingressgateway-certs" # IMPORTANT: This secret MUST BE created before deploying gateway and ingress-gateway
- name: citrix-ingressgateway-ca-certs
secret:
optional: true
secretName: "citrix-ingressgateway-ca-certs" # IMPORTANT: This secret MUST BE created before deploying gateway and ingress-gateway
- name: podinfo
downwardAPI:
items:
- path: "labels"
fieldRef:
fieldPath: metadata.labels
- path: "annotations"
fieldRef:
fieldPath: metadata.annotations
{{- range .Values.ingressGateway.secretVolumes }}
- name: {{ .name }}
secret:
secretName: {{ .secretName | quote }}
optional: true
{{- end }}
- name: cpx-conf
emptyDir: {}
- name: cpx-crash
emptyDir: {}
- name: cpx-pwd
emptyDir: {}
- name: certs
emptyDir: {}
{{- $jwtpolicy := include "jwtValue" . }}
{{- if eq $jwtpolicy "third-party-jwt" }}
- name: istio-token
projected:
sources:
- serviceAccountToken:
audience: istio-ca
expirationSeconds: 43200
path: istio-token
{{- end }}
- name: istiod-ca-cert
configMap:
defaultMode: 0777
name: istio-ca-root-cert
securityContext:
fsGroup: 32024
containers:
{{- if eq .Values.metricExporter.required true }}
- name: exporter
image: {{ tpl .Values.metricExporter.image . }}
imagePullPolicy: IfNotPresent
args:
- "--target-nsip=127.0.0.1"
- "--port={{ .Values.metricExporter.port }}"
- "--log-level={{ .Values.metricExporter.logLevel }}"
- "--secure=no"
env:
- name: "NS_DEPLOYMENT_MODE"
value: "SIDECAR"
securityContext:
readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /var/deviceinfo
name: cpx-pwd
{{- end }}
- name: istio-adaptor
image: {{ tpl .Values.xDSAdaptor.image . }}
imagePullPolicy: {{ .Values.xDSAdaptor.imagePullPolicy }}
args:
- -ads-server
{{- if eq .Values.xDSAdaptor.secureConnect true }}
- {{ .Values.istioPilot.name}}.{{ .Values.istioPilot.namespace }}.svc:{{ .Values.istioPilot.secureGrpcPort }} # istiod.istio-system.svc:15012
{{- else }}
- {{ .Values.istioPilot.name}}.{{ .Values.istioPilot.namespace }}.svc:{{ .Values.istioPilot.insecureGrpcPort }} # istiod.istio-system.svc:15010
{{- end }}
- -istio-proxy-type
- {{ .Values.xDSAdaptor.proxyType | default "router" | quote }}
{{- if .Values.istioPilot.SAN }}
- -ads-server-SAN
- {{ .Values.istioPilot.SAN | default "" }}
{{- end }}
- -ads-secure-connect={{ .Values.xDSAdaptor.secureConnect }}
- -citrix-adc
- "http://127.0.0.1"
- -citrix-adc-vip
- "nsip"
- -citrix-adc-password
- "/var/deviceinfo/random_id"
{{- if .Values.ADMSettings.ADMIP }}
- -citrix-adm
- {{ .Values.ADMSettings.ADMIP }}
{{- end }}
{{- if .Values.ingressGateway.cpxLicenseAggregator }}
- -citrix-license-server
- {{ .Values.ingressGateway.cpxLicenseAggregator }}
{{- else if .Values.ADMSettings.licenseServerIP }}
- -citrix-license-server
- {{ .Values.ADMSettings.licenseServerIP }}
{{- end }}
{{- if .Values.coe.coeURL }}
- -coe
- {{ .Values.coe.coeURL }}
{{- end }}
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: APPLICATION_NAME
valueFrom:
fieldRef:
fieldPath: metadata.labels['app']
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.serviceAccountName
{{- if .Values.certProvider.caAddr }}
- name: CA_ADDR
value: {{ .Values.certProvider.caAddr }}:{{ .Values.certProvider.caPort}} #istiod.istio-system.svc:15012
- name: TRUST_DOMAIN
value: {{ .Values.certProvider.trustDomain }} #cluster.local
- name: CLUSTER_ID
value: {{ .Values.certProvider.clusterId }} #Kubernetes
- name: CERT_TTL_IN_HOURS
value: {{ .Values.certProvider.certTTLinHours | quote }}
- name: JWT_POLICY
value: {{ include "jwtValue" . | quote }} # If value not provided then third-party-jwt for v>=1.21 otherwise first-party-jwt
{{- end }}
{{- if eq .Values.ingressGateway.multiClusterIngress true }}
- name: MULTICLUSTER_INGRESS
value: "TRUE"
- name: MULTICLUSTER_LISTENER_PORT
value: {{ .Values.ingressGateway.multiClusterListenerPort | quote}}
- name: MULTICLUSTER_SVC_DOMAIN
value: {{ printf "'*.%s'" .Values.ingressGateway.multiClusterSvcDomain }}
{{- end }}
{{- if eq .Values.coe.coeTracing true }}
- name: COE_TRACING
value: "TRUE"
{{- end }}
- name: LOGLEVEL
value: {{ .Values.xDSAdaptor.logLevel | default "DEBUG" | quote }}
{{- if eq .Values.xDSAdaptor.jsonLog true }}
- name: JSONLOG
value: "TRUE"
{{- end }}
- name: ENABLE_LABELS_FEATURE
value: {{ .Values.ingressGateway.enableLabelsFeature | quote }}
{{- if eq .Values.xDSAdaptor.defaultSSLListenerOn443 true }}
- name: DEFAULT_SSL_LISTENER_ON_443
value: "TRUE"
{{- end }}
securityContext:
readOnlyRootFilesystem: true
runAsGroup: 32024
runAsUser: 32024 # UID of istio-adaptor container's user
volumeMounts:
- mountPath: /var/deviceinfo
name: cpx-pwd
{{- $jwtpolicy := include "jwtValue" . }}
{{- if eq $jwtpolicy "third-party-jwt" }}
- mountPath: /var/run/secrets/tokens
name: istio-token
{{- end }}
- mountPath: /etc/certs
name: certs
- name: istiod-ca-cert
mountPath: /etc/rootcert/
- mountPath: /etc/istio/ingressgateway-certs # Make sure that Gateway definition has this path mentioned in server.tls section for SIMPLE TLS
name: citrix-ingressgateway-certs
readOnly: true
- mountPath: /etc/istio/ingressgateway-ca-certs # Make sure that Gateway definition has this path mentioned in server.tls section for MUTUAL TLS
name: citrix-ingressgateway-ca-certs
readOnly: true
- mountPath: /etc/podinfo
name: podinfo
{{- range .Values.ingressGateway.secretVolumes }}
- name: {{ .name }}
mountPath: {{ .mountPath | quote }}
readOnly: true
{{- end }}
- name: citrix-ingressgateway
image: "{{ tpl .Values.ingressGateway.image . }}"
imagePullPolicy: {{ .Values.ingressGateway.imagePullPolicy }}
securityContext:
privileged: true
ports:
- containerPort: 80
- containerPort: 443
{{- if .Values.ingressGateway.mgmtHttpPort }}
- containerPort: {{ .Values.ingressGateway.mgmtHttpPort }}
{{- end }}
{{- if .Values.ingressGateway.mgmtHttpsPort }}
- containerPort: {{ .Values.ingressGateway.mgmtHttpsPort }}
{{- end }}
{{- range .Values.ingressGateway.tcpPort }}
- containerPort: {{ .port }}
{{- end }}
volumeMounts:
- mountPath: /cpx/conf/
name: cpx-conf
- mountPath: /cpx/crash/
name: cpx-crash
- mountPath: /var/deviceinfo
name: cpx-pwd
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- if .Values.ingressGateway.cpxLicenseAggregator }}
- name: "CLA"
value: "{{ .Values.ingressGateway.cpxLicenseAggregator }}"
{{- else if .Values.ADMSettings.licenseServerIP }}
- name: "LS_IP"
value: {{ .Values.ADMSettings.licenseServerIP }}
- name: "LS_PORT"
value: "{{ .Values.ADMSettings.licenseServerPort }}"
{{- end }}
- name: "EULA"
value: "{{ .Values.ingressGateway.EULA }}"
{{- if .Values.metricExporter.required }}
- name: "METRICS_EXPORTER_PORT"
value: "{{ .Values.metricExporter.port }}"
{{- end }}
- name: "MGMT_HTTP_PORT"
value: "{{ .Values.ingressGateway.mgmtHttpPort }}"
- name: "MGMT_HTTPS_PORT"
value: "{{ .Values.ingressGateway.mgmtHttpsPort }}"
{{- if .Values.ingressGateway.lightWeightCPX }}
- name: "NS_CPX_LITE"
value: "1"
{{- end }}
{{- if or .Values.coe.coeURL .Values.ADMSettings.ADMIP }}
- name: "NS_ENABLE_NEWNSLOG"
value: "1"
{{- end }}
- name: "KUBERNETES_TASK_ID"
value: ""
{{- if .Values.ADMSettings.ADMIP }}
- name: "NS_MGMT_SERVER"
value: {{ .Values.ADMSettings.ADMIP | quote }}
- name: "NS_HTTP_PORT"
value: {{ .Values.ingressGateway.mgmtHttpPort | quote }}
- name: "NS_HTTPS_PORT"
value: {{ .Values.ingressGateway.mgmtHttpsPort | quote }}
- name: "ANALYTICS_SERVER"
value: {{ .Values.ADMSettings.ADMIP | quote }}
- name: "ANALYTICS_SERVER_PORT"
value: {{ .Values.ADMSettings.analyticsServerPort | quote }}
{{- end }}
- name: "LOGSTREAM_COLLECTOR_IP"
value: {{ .Values.ADMSettings.ADMIP | default "" | quote }}
#Need to set env var BANDWIDTH in order to provide Bandwidth license to Citrix ADC CPX from ADM or CPX License Aggregator
{{- if and ( or ( .Values.ADMSettings.licenseServerIP ) ( .Values.ingressGateway.cpxLicenseAggregator ) ) ( eq .Values.ADMSettings.bandWidthLicense true ) }}
- name: "BANDWIDTH"
value: {{ .Values.ADMSettings.bandWidth | quote }}
{{- end }}
#for multiple-PE support, need to set CPX_CORES
{{- if or .Values.ADMSettings.licenseServerIP .Values.ingressGateway.cpxLicenseAggregator }}
{{- if or ( eq .Values.ADMSettings.vCPULicense true ) ( eq .Values.ADMSettings.bandWidthLicense true ) }}
- name: "CPX_CORES"
value: {{ .Values.ADMSettings.cpxCores | default 1 | quote }}
{{- end }}
{{- end }}
- name: "EDITION"
value: {{ .Values.ADMSettings.licenseEdition | quote }}
{{- if or (.Values.ADMSettings.ADMIP) (.Values.ADMSettings.licenseServerIP) }}
- name: NS_MGMT_USER
valueFrom:
secretKeyRef:
name: admlogin
key: username
- name: NS_MGMT_PASS
valueFrom:
secretKeyRef:
name: admlogin
key: password
{{- end }}
---
{{ else }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "generate-name" (list . (dict "suffixname" "ingress-deployment")) }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }}
spec:
replicas: 1
selector:
matchLabels:
app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }}
template:
metadata:
labels:
app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }}
citrix.com/no.sidecar: "true"
adc: "citrix"
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ""
prometheus.io/port: "{{ .Values.metricExporter.port }}"
prometheus.io/scrape: "true"
spec:
containers:
{{- if eq .Values.metricExporter.required true }}
- name: exporter
image: {{ tpl .Values.metricExporter.image . }}
imagePullPolicy: {{ .Values.metricExporter.imagePullPolicy }}
args:
- "--target-nsip={{- include "exporter_nsip" . -}}"
- "--port={{ .Values.metricExporter.port }}"
- "--secure={{ .Values.metricExporter.secure | lower}}"
- "--log-level={{ .Values.metricExporter.logLevel }}"
securityContext:
readOnlyRootFilesystem: true
volumeMounts:
- name: nslogin
mountPath: "/mnt/nslogin"
readOnly: true
{{- end }}
- name: istio-adaptor
image: {{ tpl .Values.xDSAdaptor.image . }}
imagePullPolicy: {{ .Values.xDSAdaptor.imagePullPolicy }}
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: APPLICATION_NAME
valueFrom:
fieldRef:
fieldPath: metadata.labels['app']
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.serviceAccountName
{{- if .Values.certProvider.caAddr }}
- name: CA_ADDR
value: {{ .Values.certProvider.caAddr }}:{{ .Values.certProvider.caPort}} #istiod.istio-system.svc:15012
- name: TRUST_DOMAIN
value: {{ .Values.certProvider.trustDomain }} #cluster.local
- name: CLUSTER_ID
value: {{ .Values.certProvider.clusterId }} #Kubernetes
- name: CERT_TTL_IN_HOURS
value: {{ .Values.certProvider.certTTLinHours | quote }}
- name: JWT_POLICY
value: {{ include "jwtValue" . | quote }} # third-party-jwt if Kubernetes cluster supports third-party tokens
{{- end }}
{{- if eq .Values.ingressGateway.multiClusterIngress true }}
- name: MULTICLUSTER_INGRESS
value: "TRUE"
- name: MULTICLUSTER_LISTENER_PORT
value: {{ .Values.ingressGateway.multiClusterListenerPort | quote}}
- name: MULTICLUSTER_SVC_DOMAIN
value: {{ printf "'*.%s'" .Values.ingressGateway.multiClusterSvcDomain }}
{{- end }}
{{- if eq .Values.coe.coeTracing true }}
- name: COE_TRACING
value: "TRUE"
{{- end }}
- name: LOGLEVEL
value: {{ .Values.xDSAdaptor.logLevel | default "DEBUG" | quote }}
{{- if eq .Values.xDSAdaptor.jsonLog true }}
- name: JSONLOG
value: "TRUE"
{{- end }}
- name: ENABLE_LABELS_FEATURE
value: "FALSE"
{{- if eq .Values.xDSAdaptor.defaultSSLListenerOn443 true }}
- name: DEFAULT_SSL_LISTENER_ON_443
value: "TRUE"
{{- end }}
- name: NS_USER
valueFrom:
secretKeyRef:
name: {{ .Values.secretName }}
key: username
- name: NS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.secretName }}
key: password
args:
- -ads-server
{{- if eq .Values.xDSAdaptor.secureConnect true }}
- {{ .Values.istioPilot.name}}.{{ .Values.istioPilot.namespace }}.svc:{{ .Values.istioPilot.secureGrpcPort }} # istiod.istio-system.svc:15012
{{- else }}
- {{ .Values.istioPilot.name}}.{{ .Values.istioPilot.namespace }}.svc:{{ .Values.istioPilot.insecureGrpcPort }} # istiod.istio-system.svc:15010
{{- end }}
- -istio-proxy-type
- {{ .Values.xDSAdaptor.proxyType | default "router" | quote }}
{{- if .Values.istioPilot.SAN }}
- -ads-server-SAN
- {{ .Values.istioPilot.SAN | default "" }}
{{- end }}
- -ads-secure-connect={{ .Values.xDSAdaptor.secureConnect }}
- -citrix-adc
- {{ required "Mention Citrix ADC IP/URL in https://<ip>[:port] format" .Values.ingressGateway.netscalerUrl }}
- -citrix-adc-vip
- {{ required "Mention Vserver IP to be configured on Citrix ADC" .Values.ingressGateway.vserverIP }}
- -citrix-adc-user
- "/etc/nslogin/username"
- -citrix-adc-password
- "/etc/nslogin/password"
# If using VPX/MPX as Ingress gateway, then specify the network profile name
# which was provided to Citrix Node Controller (CNC)
{{- if .Values.ingressGateway.netProfile }}
- -citrix-adc-net-profile
- {{ .Values.ingressGateway.netProfile }}
{{- end }}
- -citrix-adm
- ""
{{- if .Values.coe.coeURL }}
- -coe
- {{ .Values.coe.coeURL }}
{{- end }}
{{- if .Values.ingressGateway.adcServerName }}
- -citrix-adc-server-name
- {{ .Values.ingressGateway.adcServerName }}
- -citrix-adc-server-ca
- "/etc/nitro/root-cert.pem"
{{- end }}
securityContext:
readOnlyRootFilesystem: true
runAsGroup: 32024
runAsUser: 32024 # UID of istio-adaptor container's user
volumeMounts:
- mountPath: /etc/certs
name: certs
- name: istiod-ca-cert
mountPath: /etc/rootcert/
{{- $jwtpolicy := include "jwtValue" . }}
{{- if eq $jwtpolicy "third-party-jwt" }}
- mountPath: /var/run/secrets/tokens
name: istio-token
{{- end }}
- mountPath: /etc/nslogin
name: nslogin
readOnly: true
- mountPath: /etc/istio/ingressgateway-certs # Make sure that Gateway definition has this path mentioned in server.tls section for SIMPLE TLS
name: citrix-ingressgateway-certs
readOnly: true
- mountPath: /etc/istio/ingressgateway-ca-certs # Make sure that Gateway definition has this path mentioned in server.tls section for MUTUAL TLS
name: citrix-ingressgateway-ca-certs
readOnly: true
- mountPath: /etc/podinfo
name: podinfo
{{- range .Values.ingressGateway.secretVolumes }}
- name: {{ .name }}
mountPath: {{ .mountPath | quote }}
readOnly: true
{{- end }}
{{- if .Values.ingressGateway.adcServerName }}
- mountPath: /etc/nitro/
name: citrix-adc-cert
readOnly: true
{{- end }}
securityContext:
fsGroup: 32024
volumes:
- name: nslogin
secret:
optional: true
secretName: {{ .Values.secretName }}
- name: certs
emptyDir: {}
- name: istiod-ca-cert
configMap:
defaultMode: 0777
name: istio-ca-root-cert
- name: citrix-ingressgateway-certs
secret:
optional: true
secretName: "citrix-ingressgateway-certs" # IMPORTANT: This secret MUST BE created before deploying gateway and ingress-gateway
- name: citrix-ingressgateway-ca-certs
secret:
optional: true
secretName: "citrix-ingressgateway-ca-certs" # IMPORTANT: This secret MUST BE created before deploying gateway and ingress-gateway
- name: podinfo
downwardAPI:
items:
- path: "labels"
fieldRef:
fieldPath: metadata.labels
- path: "annotations"
fieldRef:
fieldPath: metadata.annotations
{{- range .Values.ingressGateway.secretVolumes }}
- name: {{ .name }}
secret:
secretName: {{ .secretName | quote }}
optional: true
{{- end }}
{{- if .Values.ingressGateway.adcServerName }}
- name: citrix-adc-cert
secret:
optional: true
secretName: "citrix-adc-cert" # IMPORTANT: This secret MUST BE created before deploying gateway and ingress-gateway
{{- end }}
{{- $jwtpolicy := include "jwtValue" . }}
{{- if eq $jwtpolicy "third-party-jwt" }}
- name: istio-token
projected:
sources:
- serviceAccountToken:
audience: istio-ca
expirationSeconds: 43200
path: istio-token
{{- end }}
---
{{- end}}
Reference in New Issue View Git Blame Copy Permalink