Deploy Citrix ingress controller using Helm charts¶
As a standalone pod in the Kubernetes cluster. Use this mode if you are controlling Citrix ADCs (Citrix ADC MPX or Citrix ADC VPX) outside the cluster. For example, with dual-tier topologies, or single-tier topology where the single tier is a Citrix ADC MPX or VPX.
As a sidecar (in the same pod) with Citrix ADC CPX in the Kubernetes cluster. The sidecar controller is only responsible for the associated Citrix ADC CPX within the same pod. This mode is used in dual-tier or cloud) topologies.
The helm charts for Citrix ingress controller is available on Helm Hub.
Deploy Citrix ingress controller as a standalone pod in the Kubernetes cluster¶
Use the citrix-k8s-ingress-controller chart to run Citrix ingress controller as a pod in your Kubernetes cluster. The chart deploys Citrix ingress controller as a pod in your Kubernetes cluster and configures the Citrix ADC VPX or MPX ingress device.
Determine the NS_IP address needed by the controller to communicate with the appliance. The IP address might be anyone of the following depending on the type of Citrix ADC deployment:
(Standalone appliances) NSIP - The management IP address of a standalone Citrix ADC appliance. For more information, see IP Addressing in Citrix ADC.
(Appliances in High Availability mode) SNIP - The subnet IP address. For more information, see IP Addressing in Citrix ADC.
(Appliances in Clustered mode) CLIP - The cluster management IP (CLIP) address for a clustered Citrix ADC deployment. For more information, see IP addressing for a cluster.
The username and password of the Citrix ADC VPX or MPX appliance used as the Ingress device. The Citrix ADC appliance needs to have system user account (non-default) with certain privileges so that Citrix ingress controller can configure the Citrix ADC VPX or MPX appliance. For instructions to create the system user account on Citrix ADC, seeCreate System User Account for Citrix ingress controller in Citrix ADC.
You can directly pass the username and password or use Kubernetes secrets. If you want to use Kubernetes secrets, create a secrete for the username and password using the following command:
kubectl create secret generic nslogin --from-literal=username='cic' --from-literal=password='mypassword'
Create System User Account for Citrix ingress controller in Citrix ADC¶
Citrix ingress controller configures the Citrix ADC using a system user account of the Citrix ADC. The system user account should have certain privileges so that the Citrix ingress controller has permission to configure the following on the Citrix ADC:
- Add, Delete, or View Content Switching (CS) virtual server
- Configure CS policies and actions
- Configure Load Balancing (LB) virtual server
- Configure Service groups
- Cofigure SSl certkeys
- Configure routes
- Configure user monitors
- Add system file (for uploading SSL certkeys from Kubernetes)
- Configure Virtual IP address (VIP)
- Check the status of the Citrix ADC appliance
To create the system user account, perform the following:
Log on to the Citrix ADC appliance. Perform the following:
Use an SSH client, such as PuTTy, to open an SSH connection to the Citrix ADC appliance.
Log on to the appliance by using the administrator credentials.
Create the system user account using the following command:
add system user <username> <password>
add system user cic mypassword
Create a policy to provide required permissions to the system user account. Use the following command:
add cmdpolicy cic-policy ALLOW "^(?!shell)(?!sftp)(?!scp)(?!batch)(?!source)(?!.*superuser)(?!.*nsroot)(?!install)(?!show\s+system\s+(user|cmdPolicy|file))(?!(set|add|rm|create|export|kill)\s+system)(?!(unbind|bind)\s+system\s+(user|group))(?!diff\s+ns\s+config)(?!(set|unset|add|rm|bind|unbind|switch)\s+ns\s+partition).*|(^install\s*(wi|wf))|(^(add|show)\s+system\s+file)"
The system user account would have privileges based on the command policy that you define. The command policy mentioned in step 3 is similar to the built-in
sysAdmincommand policy with additional permission to upload files.
Bind the policy to the system user account using the following command:
bind system user cic cic-policy 0
To deploy Citrix ingress controller as a standalone pod:
To deploy Citrix ingress controller as standalone pod, follow the instructions provided in the Citrix ingress controller Helm Hub.
Deploy Citrix ingress controller as a sidecar with Citrix ADC CPX in the Kubernetes cluster¶
Use the citrix-k8s-cpx-ingress-controller chart to deploy a Citrix ADC CPX with Citrix ingress controller as a sidecar. The chart deploys a Citrix ADC CPX instance that is used for load balancing the North-South traffic to the microservices in your Kubernetes cluster and the sidecar Citrix ingress controller configures the Citrix ADC CPX.
To deploy Citrix ADC CPX with Citrix ingress controller as a sidecar, follow the instruction provided in the Citrix ingress controller Helm Hub.