diff --git a/assets/citrix/citrix-adc-istio-ingress-gateway-1.11.0.tgz b/assets/citrix/citrix-adc-istio-ingress-gateway-1.11.0.tgz
deleted file mode 100644
index 5d3f32466e..0000000000
Binary files a/assets/citrix/citrix-adc-istio-ingress-gateway-1.11.0.tgz and /dev/null differ
diff --git a/assets/citrix/citrix-adc-istio-ingress-gateway-1.11.1.tgz b/assets/citrix/citrix-adc-istio-ingress-gateway-1.11.1.tgz
deleted file mode 100644
index e13ecef391..0000000000
Binary files a/assets/citrix/citrix-adc-istio-ingress-gateway-1.11.1.tgz and /dev/null differ
diff --git a/assets/citrix/citrix-adc-istio-ingress-gateway-1.14.0.tgz b/assets/citrix/citrix-adc-istio-ingress-gateway-1.14.0.tgz
deleted file mode 100644
index b1e682cbd4..0000000000
Binary files a/assets/citrix/citrix-adc-istio-ingress-gateway-1.14.0.tgz and /dev/null differ
diff --git a/assets/citrix/citrix-adc-istio-ingress-gateway-1.2.100.tgz b/assets/citrix/citrix-adc-istio-ingress-gateway-1.2.100.tgz
deleted file mode 100644
index 4618c0127f..0000000000
Binary files a/assets/citrix/citrix-adc-istio-ingress-gateway-1.2.100.tgz and /dev/null differ
diff --git a/assets/citrix/citrix-cpx-istio-sidecar-injector-1.11.0.tgz b/assets/citrix/citrix-cpx-istio-sidecar-injector-1.11.0.tgz
deleted file mode 100644
index 6bb5f0c853..0000000000
Binary files a/assets/citrix/citrix-cpx-istio-sidecar-injector-1.11.0.tgz and /dev/null differ
diff --git a/assets/citrix/citrix-cpx-istio-sidecar-injector-1.11.1.tgz b/assets/citrix/citrix-cpx-istio-sidecar-injector-1.11.1.tgz
deleted file mode 100644
index 2ed0535c05..0000000000
Binary files a/assets/citrix/citrix-cpx-istio-sidecar-injector-1.11.1.tgz and /dev/null differ
diff --git a/assets/citrix/citrix-cpx-istio-sidecar-injector-1.14.1.tgz b/assets/citrix/citrix-cpx-istio-sidecar-injector-1.14.1.tgz
deleted file mode 100644
index 491d366d7f..0000000000
Binary files a/assets/citrix/citrix-cpx-istio-sidecar-injector-1.14.1.tgz and /dev/null differ
diff --git a/assets/citrix/citrix-cpx-with-ingress-controller-1.27.15.tgz b/assets/citrix/citrix-cpx-with-ingress-controller-1.27.15.tgz
deleted file mode 100644
index 525b5ba6ea..0000000000
Binary files a/assets/citrix/citrix-cpx-with-ingress-controller-1.27.15.tgz and /dev/null differ
diff --git a/assets/citrix/citrix-cpx-with-ingress-controller-1.28.2.tgz b/assets/citrix/citrix-cpx-with-ingress-controller-1.28.2.tgz
deleted file mode 100644
index c8114f345d..0000000000
Binary files a/assets/citrix/citrix-cpx-with-ingress-controller-1.28.2.tgz and /dev/null differ
diff --git a/assets/citrix/citrix-cpx-with-ingress-controller-1.29.5.tgz b/assets/citrix/citrix-cpx-with-ingress-controller-1.29.5.tgz
deleted file mode 100644
index 4cccad030a..0000000000
Binary files a/assets/citrix/citrix-cpx-with-ingress-controller-1.29.5.tgz and /dev/null differ
diff --git a/assets/citrix/citrix-cpx-with-ingress-controller-1.30.1.tgz b/assets/citrix/citrix-cpx-with-ingress-controller-1.30.1.tgz
deleted file mode 100644
index be73824c26..0000000000
Binary files a/assets/citrix/citrix-cpx-with-ingress-controller-1.30.1.tgz and /dev/null differ
diff --git a/assets/citrix/citrix-cpx-with-ingress-controller-1.32.7.tgz b/assets/citrix/citrix-cpx-with-ingress-controller-1.32.7.tgz
deleted file mode 100644
index dc8fbc4df5..0000000000
Binary files a/assets/citrix/citrix-cpx-with-ingress-controller-1.32.7.tgz and /dev/null differ
diff --git a/assets/citrix/citrix-cpx-with-ingress-controller-1.33.4.tgz b/assets/citrix/citrix-cpx-with-ingress-controller-1.33.4.tgz
deleted file mode 100644
index 4d3298b8f7..0000000000
Binary files a/assets/citrix/citrix-cpx-with-ingress-controller-1.33.4.tgz and /dev/null differ
diff --git a/assets/citrix/citrix-cpx-with-ingress-controller-1.34.16.tgz b/assets/citrix/citrix-cpx-with-ingress-controller-1.34.16.tgz
deleted file mode 100644
index 1b4e89c34e..0000000000
Binary files a/assets/citrix/citrix-cpx-with-ingress-controller-1.34.16.tgz and /dev/null differ
diff --git a/assets/citrix/citrix-cpx-with-ingress-controller-1.35.6.tgz b/assets/citrix/citrix-cpx-with-ingress-controller-1.35.6.tgz
deleted file mode 100644
index c6042d3d06..0000000000
Binary files a/assets/citrix/citrix-cpx-with-ingress-controller-1.35.6.tgz and /dev/null differ
diff --git a/assets/citrix/citrix-cpx-with-ingress-controller-1.8.2800.tgz b/assets/citrix/citrix-cpx-with-ingress-controller-1.8.2800.tgz
deleted file mode 100644
index b3a51aa49e..0000000000
Binary files a/assets/citrix/citrix-cpx-with-ingress-controller-1.8.2800.tgz and /dev/null differ
diff --git a/assets/citrix/citrix-ingress-controller-1.19.600.tgz b/assets/citrix/citrix-ingress-controller-1.19.600.tgz
deleted file mode 100644
index 3377b020e5..0000000000
Binary files a/assets/citrix/citrix-ingress-controller-1.19.600.tgz and /dev/null differ
diff --git a/assets/citrix/citrix-ingress-controller-1.27.15.tgz b/assets/citrix/citrix-ingress-controller-1.27.15.tgz
deleted file mode 100644
index 524700c17b..0000000000
Binary files a/assets/citrix/citrix-ingress-controller-1.27.15.tgz and /dev/null differ
diff --git a/assets/citrix/citrix-ingress-controller-1.28.2.tgz b/assets/citrix/citrix-ingress-controller-1.28.2.tgz
deleted file mode 100644
index 5b3f7de9a0..0000000000
Binary files a/assets/citrix/citrix-ingress-controller-1.28.2.tgz and /dev/null differ
diff --git a/assets/citrix/citrix-ingress-controller-1.29.5.tgz b/assets/citrix/citrix-ingress-controller-1.29.5.tgz
deleted file mode 100644
index 13b8044ea5..0000000000
Binary files a/assets/citrix/citrix-ingress-controller-1.29.5.tgz and /dev/null differ
diff --git a/assets/citrix/citrix-ingress-controller-1.30.1.tgz b/assets/citrix/citrix-ingress-controller-1.30.1.tgz
deleted file mode 100644
index 1f1c1ac375..0000000000
Binary files a/assets/citrix/citrix-ingress-controller-1.30.1.tgz and /dev/null differ
diff --git a/assets/citrix/citrix-ingress-controller-1.32.7.tgz b/assets/citrix/citrix-ingress-controller-1.32.7.tgz
deleted file mode 100644
index 816d4be6dc..0000000000
Binary files a/assets/citrix/citrix-ingress-controller-1.32.7.tgz and /dev/null differ
diff --git a/assets/citrix/citrix-ingress-controller-1.33.4.tgz b/assets/citrix/citrix-ingress-controller-1.33.4.tgz
deleted file mode 100644
index d4b69051a3..0000000000
Binary files a/assets/citrix/citrix-ingress-controller-1.33.4.tgz and /dev/null differ
diff --git a/assets/citrix/citrix-ingress-controller-1.34.16.tgz b/assets/citrix/citrix-ingress-controller-1.34.16.tgz
deleted file mode 100644
index 54062e56fa..0000000000
Binary files a/assets/citrix/citrix-ingress-controller-1.34.16.tgz and /dev/null differ
diff --git a/assets/citrix/citrix-ingress-controller-1.35.6.tgz b/assets/citrix/citrix-ingress-controller-1.35.6.tgz
deleted file mode 100644
index 92150345f8..0000000000
Binary files a/assets/citrix/citrix-ingress-controller-1.35.6.tgz and /dev/null differ
diff --git a/assets/icons/citrix-adc-istio-ingress-gateway.png b/assets/icons/citrix-adc-istio-ingress-gateway.png
deleted file mode 100644
index c9328a2807..0000000000
Binary files a/assets/icons/citrix-adc-istio-ingress-gateway.png and /dev/null differ
diff --git a/assets/icons/citrix-cpx-istio-sidecar-injector.png b/assets/icons/citrix-cpx-istio-sidecar-injector.png
deleted file mode 100644
index c9328a2807..0000000000
Binary files a/assets/icons/citrix-cpx-istio-sidecar-injector.png and /dev/null differ
diff --git a/assets/icons/citrix-cpx-with-ingress-controller.png b/assets/icons/citrix-cpx-with-ingress-controller.png
deleted file mode 100644
index c9328a2807..0000000000
Binary files a/assets/icons/citrix-cpx-with-ingress-controller.png and /dev/null differ
diff --git a/assets/icons/citrix-ingress-controller.png b/assets/icons/citrix-ingress-controller.png
deleted file mode 100644
index c9328a2807..0000000000
Binary files a/assets/icons/citrix-ingress-controller.png and /dev/null differ
diff --git a/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.0/.helmignore b/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.0/.helmignore
deleted file mode 100644
index 50af031725..0000000000
--- a/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.0/.helmignore
+++ /dev/null
@@ -1,22 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.0/Chart.yaml b/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.0/Chart.yaml
deleted file mode 100644
index d08d2d534f..0000000000
--- a/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.0/Chart.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-annotations:
- catalog.cattle.io/certified: partner
- catalog.cattle.io/display-name: Citrix Adc Istio Ingress Gateway
- catalog.cattle.io/release-name: citrix-adc-istio-ingress-gateway
-apiVersion: v2
-appVersion: 1.11.0
-deprecated: true
-description: A Helm chart for Citrix ADC as Ingress Gateway installation in Istio
- Service Mesh on Kubernetes platform
-home: https://www.citrix.com
-icon: https://raw.githubusercontent.com/citrix/citrix-xds-adaptor/master/docs/media/Citrix_Logo_Trademark.png
-kubeVersion: '>=v1.16.0-0'
-maintainers:
-- email: dhiraj.gedam@citrix.com
- name: dheerajng
-- email: subash.dangol@citrix.com
- name: subashd
-- email: ajeeta.shaket@citrix.com
- name: ajeetas
-name: citrix-adc-istio-ingress-gateway
-sources:
-- https://github.com/citrix/citrix-xds-adaptor
-version: 1.11.0
diff --git a/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.0/README.md b/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.0/README.md
deleted file mode 100644
index a27d5dd172..0000000000
--- a/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.0/README.md
+++ /dev/null
@@ -1,479 +0,0 @@ -# Deploy Citrix ADC as an Ingress Gateway in Istio environment using Helm charts - -Citrix Application Delivery Controller (ADC) can be deployed as an Istio Ingress Gateway to control the ingress traffic to Istio service mesh. - -# Table of Contents -1. [TL; DR;](#tldr) -2. [Introduction](#introduction) -3. [Deploy Citrix ADC VPX or MPX as an Ingress Gateway](#deploy-citrix-adc-vpx-or-mpx-as-an-ingress-gateway) -4. [Deploy Citrix ADC CPX as an Ingress Gateway](#deploy-citrix-adc-cpx-as-an-ingress-gateway) -5. [Using Existing Certificates to deploy Citrix ADC as an Ingress Gateway](#using-existing-certificates-to-deploy-citrix-adc-as-an-ingress-gateway) -6. [Deploy Citrix ADC as an Ingress Gateway in multi cluster Istio Service mesh](#deploy-citrix-adc-as-a-multicluster-ingress-gateway) -7. [Segregating traffic with multiple Ingress Gateways](#segregating-traffic-with-multiple-ingress-gateways) -8. [Visualizing statistics of Citrix ADC Ingress Gateway with Metrics Exporter](#visualizing-statistics-of-citrix-adc-ingress-gateway-with-metrics-exporter) -9. [Exposing services running on non-HTTP ports](#exposing-services-running-on-non-http-ports) -10. [Generate Certificate for Ingress Gateway](#generate-certificate-for-ingress-gateway) -11. [Configure Third Party Service Account Tokens](#using-third-party-service-account-tokens) -12. [Citrix ADC CPX License Provisioning](#citrix-adc-cpx-license-provisioning) -13. [Service Graph configuration](#configuration-for-servicegraph) -14. [Citrix ADC as Ingress Gateway: a sample deployment](#citrix-adc-as-ingress-gateway-a-sample-deployment) -15. [Uninstalling the Helm chart](#uninstalling-the-helm-chart) -16. [Citrix ADC VPX/MPX Certificate Verification](#citrix-adc-vpx-or-mpx-certificate-verification) -17. 
[Configuration Parameters](#configuration-parameters) - - -## TL; DR; - -### To deploy Citrix ADC VPX or MPX as an Ingress Gateway: - - kubectl create secret generic nslogin --from-literal=username= --from-literal=password= -n citrix-system - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES --set ingressGateway.netscalerUrl=https://[:port] --set ingressGateway.vserverIP= --set secretName=nslogin - - - -### To deploy Citrix ADC CPX as an Ingress Gateway: - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES --set citrixCPX=true - - -## Introduction - -This chart deploys Citrix ADC VPX, MPX, or CPX as an Ingress Gateway in the Istio service mesh using the Helm package manager. For detailed information on different deployment options, see [Deployment Architecture](https://github.com/citrix/citrix-istio-adaptor/blob/master/docs/istio-integration/architecture.md). - -### Compatibility Matrix between Citrix xDS-adaptor and Istio version - -Below table provides info about recommended Citrix xDS-Adaptor version to be used for various Istio versions. - -| Citrix xDS-Adaptor version | Istio version | -|----------------------------|---------------| -| quay.io/citrix/citrix-xds-adaptor:0.9.9 | Istio v1.10+ | -| quay.io/citrix/citrix-xds-adaptor:0.9.8 | Istio v1.8 to Istio v1.9 | -| quay.io/citrix/citrix-xds-adaptor:0.9.5 | Istio v1.6 | - -### Prerequisites - -The following prerequisites are required for deploying Citrix ADC as an Ingress Gateway in Istio service mesh: - -- Ensure that **Istio version 1.8 onwards** is installed -- Ensure that Helm with version 3.x is installed. 
Follow this [step](https://github.com/citrix/citrix-helm-charts/blob/master/Helm_Installation_version_3.md) to install the same. -- Ensure that your cluster Kubernetes version should be above 1.16 and the `admissionregistration.k8s.io/v1`, `admissionregistration.k8s.io/v1beta1` API is enabled - - You can verify the API by using the following command: - - kubectl api-versions | grep admissionregistration.k8s.io/v1 - - The following output indicates that the API is enabled: - - admissionregistration.k8s.io/v1 - admissionregistration.k8s.io/v1beta1 - -- **For deploying Citrix ADC VPX or MPX as an Ingress gateway:** - - Create a Kubernetes secret for the Citrix ADC user name and password using the following command: - - kubectl create secret generic nslogin --from-literal=username= --from-literal=password= -n citrix-system - - -- **Create system user account for xDS-adaptor in Citrix ADC:** - - The Citrix ADC appliance needs to have system user account (non-default) with certain privileges so that `xDS-adaptor` can configure the Citrix ADC VPX or MPX appliance. Follow the instructions to create the system user account on Citrix ADC. - - Create a Kubernetes secret for the user name and password using the following command: - - ``` - kubectl create secret generic nslogin --from-literal=username='cxa' --from-literal=password='mypassword' - ``` - - The `xDS-adaptor` configures the Citrix ADC using a system user account of the Citrix ADC. 
The system user account should have certain privileges so that the xDS-adaptor has permissions configure the following on the Citrix ADC: - - - Add, Delete, or View Content Switching (CS) virtual server - - Configure CS policies and actions - - Configure Load Balancing (LB) virtual server - - Configure Service groups - - Cofigure SSl certkeys - - Configure routes - - Configure user monitors - - Add system file (for uploading SSL certkeys from Kubernetes) - - Configure Virtual IP address (VIP) - - Check the status of the Citrix ADC appliance - - Add, Delete or view authentication virtual server, policy, authaction - - Add, Delete or view Policy - - Add, Delete or view Responder policy, action, param - - Add, Delete or view Rewrite policy, action, param - - Add, Delete or view analytics profile - - Add, Delete or view DNS name server - - Add, Delete or view network netprofile - - Add, Delete or view Traffic Management Commands(sessionaction, session policy, sessionparameter) - - -> **Note:** -> -> The system user account would have privileges based on the command policy that you define. - - To create the system user account, do the following: - - 1. Log on to the Citrix ADC appliance. Perform the following: - 1. Use an SSH client, such as PuTTy, to open an SSH connection to the Citrix ADC appliance. - - 2. Log on to the appliance by using the administrator credentials. - - 2. Create the system user account using the following command: - - ``` - add system user - ``` - - For example: - - ``` - add system user cxa mypassword - ``` - - 3. Create a policy to provide required permissions to the system user account. 
Use the following command: - - ``` - add cmdpolicy cxa-policy ALLOW "((^\S+\s+cs\s+\S+)|(^\S+\s+lb\s+\S+)|(^\S+\s+service\s+\S+)|(^\S+\s+servicegroup\s+\S+)|(^stat\s+system)|(^show\s+ha)|(^\S+\s+ssl\s+certKey)|(^\S+\s+ssl)|(^\S+\s+route)|(^\S+\s+monitor)|(^show\s+ns\s+ip)|(^\S+\s+system\s+file)|)|(^\S+\s+aaa\s+\S+)|(^\S+\s+aaa\s+\S+\s+.*)|(^\S+\s+authentication\s+\S+)|(^\S+\s+authentication\s+\S+\s+.*)|(^\S+\s+policy\s+\S+)|(^\S+\s+policy\s+\S+\s+.*)|(^\S+\s+rewrite\s+\S+)|(^\S+\s+rewrite\s+\S+\s+.*)|(^\S+\s+analytics\s+\S+)|(^\S+\s+analytics\s+\S+\s+.*)|(^\S+\s+dns\s+\S+)|(^\S+\s+dns\s+\S+\s+.*)|(^\S+\s+netProfile)|(^\S+\s+netProfile\s+.*)|(^\S+\s+tm\s+\S+)|(^\S+\s+tm\s+\S+\s+.*)" - ``` - - 4. Bind the policy to the system user account using the following command: - - ``` - bind system user cxa cxa-policy 0 - ``` - -- **Registration of Citrix ADC CPX in ADM** - -Create a secret for ADM username and password - - kubectl create secret generic admlogin --from-literal=username= --from-literal=password= -n citrix-system - -- **Important Note:** For deploying Citrix ADC VPX or MPX as ingress gateway, you should establish the connectivity between Citrix ADC VPX or MPX and cluster nodes. This connectivity can be established by configuring routes on Citrix ADC as mentioned [here](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/staticrouting.md) or by deploying [Citrix Node Controller](https://github.com/citrix/citrix-k8s-node-controller). - - -## Deploy Citrix ADC VPX or MPX as an Ingress Gateway - - To deploy Citrix ADC VPX or MPX as an Ingress Gateway in the Istio service mesh, do the following step. In this example, release name is specified as `citrix-adc-istio-ingress-gateway` and namespace as `citrix-system`. 
- - kubectl create secret generic nslogin --from-literal=username= --from-literal=password= -n citrix-system - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,ingressGateway.netscalerUrl=https://[:port],ingressGateway.vserverIP= --set secretName=nslogin - -## Deploy Citrix ADC CPX as an Ingress Gateway - - To deploy Citrix ADC CPX as an Ingress Gateway, do the following step. In this example, release name is specified as `my-release` and namespace is used as `citrix-system`. - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install my-release citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,citrixCPX=true - - -## Deploy Citrix ADC as an Ingress Gateway in multi cluster Istio Service mesh - -To deploy **Citrix ADC VPX/MPX as an Ingress Gateway** in multi cluster Istio Service mesh, carry out below steps. -``` -helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - -helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,ingressGateway.netscalerUrl=https://[:port],ingressGateway.vserverIP= --set ingressGateway.multiClusterIngress=true -``` - -To deploy **Citrix ADC CPX as an Ingress Gateway** in multi cluster Istio Service mesh, carry out below steps. -``` -helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - -helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,citrixCPX=true --set ingressGateway.multiClusterIngress=true - -``` - -By default, port 15443 of the Citrix ADC will be used to handle all the inter-cluster traffic coming to services deployed in local cluster. These services are exposed using `*.global` domain. 
-To modify the default 15443 port and "global" domain, use _ingressGateway.multiClusterListenerPort_ and _ingressGateway.multiClusterSvcDomain_ options of helm chart. - -For example, to use port 25443 and _mydomain_ as the service domain to expose local cluster deployed services to services in remote clusters. - -``` - -helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,ingressGateway.netscalerUrl=https://[:port],ingressGateway.vserverIP= --set ingressGateway.multiClusterIngress=true --set ingressGateway.multiClusterListenerPort=25443 --set ingressGateway.multiClusterSvcDomain=mydomain - -``` - -Follow [this](https://github.com/citrix/citrix-helm-charts/tree/master/examples/citrix-adc-ingress-in-multicluster-istio/README.md) as a sample example to deploy Citrix ADC as Ingress gateway in multi-cluster Istio service mesh. - -## Using Existing Certificates to deploy Citrix ADC as an Ingress Gateway - -You may want to use the existing certificate and key for authenticating access to an application using Citrix ADC Ingress Gateway. In that case, you can create a Kubernetes secret from the existing certificate and key. You can mount the Kubernetes secret as data volumes in Citrix ADC Ingress Gateway. - -To create a Kubernetes secret using an existing key named `test_key.pem` and a certificate named `test.pem`, use the following command: - - kubectl create -n citrix-system secret tls citrix-ingressgateway-certs --key test_key.pem --cert test.pem - -Note: Ensure that Kubernetes secret is created in the same namespace where Citrix ADC Ingress Gateway is deployed. 
- -To deploy Citrix ADC VPX or MPX with secret volume, do the following step: - - kubectl create secret generic nslogin --from-literal=username= --from-literal=password= -n citrix-system - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install my-release citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,secretName=nslogin,ingressGateway.netscalerUrl=https://[:port],ingressGateway.vserverIP=,ingressGateway.secretVolumes[0].name=test-ingressgateway-certs,ingressGateway.secretVolumes[0].secretName=test-ingressgateway-certs,ingressGateway.secretVolumes[0].mountPath=/etc/istio/test-ingressgateway-certs - -To deploy Citrix ADC CPX with secret volume, do the following step: - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install my-release citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,citrixCPX=true,ingressGateway.secretVolumes[0].name=test-ingressgateway-certs,ingressGateway.secretVolumes[0].secretName=test-ingressgateway-certs,ingressGateway.secretVolumes[0].mountPath=/etc/istio/test-ingressgateway-certs - -## Segregating traffic with multiple Ingress Gateways - -You can deploy multiple Citrix ADC Ingress Gateway devices and segregate traffic to various deployments in the Istio service mesh. This can be achieved with *custom labels*. By default, Citrix ADC Ingress Gateway service comes up with the `app: citrix-ingressgateway` label. This label is used as a selector while deploying the Ingress Gateway or virtual service resources. If you want to deploy Ingress Gateway with the custom label, you can do it using the `ingressGateway.label` option in the Helm chart. 
- -To deploy Citrix ADC CPX Ingress Gateway with the label `my_custom_ingressgateway`, do the following step: - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install my-release citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,citrixCPX=true,ingressGateway.lightWeightCPX=NO,ingressGateway.label=my_custom_ingressgateway - -To deploy Citrix ADC VPX or MPX as an Ingress Gateway with the label `my_custom_ingressgateway`, do the following step: - - kubectl create secret generic nslogin --from-literal=username= --from-literal=password= -n citrix-system - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install my-release citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,secretName=nslogin,ingressGateway.netscalerUrl=https://[:port],ingressGateway.vserverIP=,ingressGateway.label=my_custom_ingressgateway - -## Visualizing statistics of Citrix ADC Ingress Gateway with Metrics Exporter - -By default, [Citrix ADC Metrics Exporter](https://github.com/citrix/citrix-adc-metrics-exporter) is also deployed along with Citrix ADC Ingress Gateway. Citrix ADC Metrics Exporter fetches statistical data from Citrix ADC and exports it to Prometheus running in Istio service mesh. When you add Prometheus as a data source in Grafana, you can visualize this statistical data in the Grafana dashboard. - -Metrics Exporter requires the IP address of Citrix ADC CPX or VPX Ingress Gateway. It is retrieved from the value specified for `ingressGateway.netscalerUrl`. - -When Citrix ADC CPX is deployed as Ingress Gateway, Metrics Exporter runs along with Citrix CPX Ingress Gateway in the same pod and specifying IP address is optional. - -To deploy Citrix ADC as Ingress Gateway without Metrics Exporter, set the value of `metricExporter.required` as false. 
- - - kubectl create secret generic nslogin --from-literal=username= --from-literal=password= -n citrix-system - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,secretName=nslogin,ingressGateway.netscalerUrl=https://[:port],ingressGateway.vserverIP=,metricExporter.required=false - -"Note:" To remotely access telemetry addons such as Prometheus and Grafana, see [Remotely Accessing Telemetry Addons](https://istio.io/docs/tasks/telemetry/gateways/). - -## Exposing services running on non-HTTP ports - -By default, services running on HTTP ports (80 & 443) are exposed through Citrix ADC Ingress Gateway. Similarly, you can expose services that are deployed on non-HTTP ports through the Citrix ADC Ingress Gateway device. - -To deploy Citrix ADC MPX or VPX, and expose a service running on a TCP port, do the following step. - -In this example, a service running on TCP port 5000 is exposed using port 10000 on Citrix ADC. - - kubectl create secret generic nslogin --from-literal=username= --from-literal=password= -n citrix-system - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install my-release citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,secretName=nslogin,ingressGateway.netscalerUrl=https://[:port],ingressGateway.vserverIP=,ingressGateway.tcpPort[0].name=tcp1,ingressGateway.tcpPort[0].port=10000,ingressGateway.tcpPort[0].targetPort=5000 - - To deploy Citrix ADC CPX and expose a service running on a TCP port, do the following step. - In this example, port 10000 on the Citrix ADC CPX instance is exposed using TCP port 30000 (node port configuration) on the host machine. 
- - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install my-release citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,citrixCPX=true,ingressGateway.tcpPort[0].name=tcp1,ingressGateway.tcpPort[0].nodePort=30000,ingressGateway.tcpPort[0].port=10000,ingressGateway.tcpPort[0].targetPort=5000 - -## Generate Certificate for Ingress Gateway - -Citrix Ingress gateway needs TLS certificate-key pair for establishing secure communication channel with backend applications. Earlier these certificates were issued by Istio Citadel and bundled in Kubernetes secret. Certificate was loaded in the application pod by doing volume mount of secret. Now `xDS-Adaptor` can generate its own certificate and get it signed by the Istio Citadel (Istiod). This eliminates the need of secret and associated [risks](https://kubernetes.io/docs/concepts/configuration/secret/#risks). - -xDS-Adaptor needs to be provided with details Certificate Authority (CA) for successful signing of Certificate Signing Request (CSR). By default, CA is `istiod.istio-system.svc` which accepts CSRs on port 15012. -To skip this process, don't provide any value (empty string) to `certProvider.caAddr`. -``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES --set citrixCPX=true --set certProvider.caAddr="" -``` -### Configure Third Party Service Account Tokens - -In order to generate certificate for application workload, xDS-Adaptor needs to send valid service account token along with Certificate Signing Request (CSR) to the Istio control plane (Citadel CA). Istio control plane authenticates the xDS-Adaptor using this JWT. -Kubernetes supports two forms of these tokens: - -* Third party tokens, which have a scoped audience and expiration. 
-* First party tokens, which have no expiration and are mounted into all pods. - - If Kubernetes cluster is installed with third party tokens, then the same information needs to be provided for automatic sidecar injection by passing `--set certProvider.jwtPolicy="third-party-jwt"`. By default, it is `first-party-jwt`. - -``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES --set citrixCPX=true --set certProvider.caAddr="istiod.istio-system.svc" --set certProvider.jwtPolicy="third-party-jwt" - -``` - -To determine if your cluster supports third party tokens, look for the TokenRequest API using below command. If there is no output, then it is `first-party-jwt`. In case of `third-party-jwt`, output will be like below. - -``` -# kubectl get --raw /api/v1 | jq '.resources[] | select(.name | index("serviceaccounts/token"))' - -{ - "name": "serviceaccounts/token", - "singularName": "", - "namespaced": true, - "group": "authentication.k8s.io", - "version": "v1", - "kind": "TokenRequest", - "verbs": [ - "create" - ] -} - -``` - -## **Citrix ADC CPX License Provisioning** -By default, CPX runs with 20 Mbps bandwidth called as [CPX Express](https://www.citrix.com/en-in/products/citrix-adc/cpx-express.html) however for better performance and production deployment customer needs licensed CPX instances. [Citrix ADM](https://www.citrix.com/en-in/products/citrix-application-delivery-management/) is used to check out licenses for Citrix ADC CPX. - -**Bandwidth based licensing** -For provisioning licensing on Citrix ADC CPX, it is mandatory to provide License Server information to CPX. This can be done by setting **ADMSettings.licenseServerIP** as License Server IP. In addition to this, **ADMSettings.bandWidthLicense** needs to be set true and desired bandwidth capacity in Mbps should be set **ADMSettings.bandWidth**. 
-For example, to set 2Gbps as bandwidth capacity, below command can be used. - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES --set ADMSettings.licenseServerIP=,ADMSettings.bandWidthLicense=True --set ADMSettings.bandWidth=2000 --set citrixCPX=true - -## **Service Graph configuration** - Citrix ADM Service graph is an observability tool that allows user to analyse service to service communication. The service graph is generated by ADM post collection of transactional data from registered Citrix ADC instances. More details about it can be found [here](https://docs.citrix.com/en-us/citrix-application-delivery-management-service/application-analytics-and-management/service-graph.html). - Citrix ADC needs to be provided with ADM details for registration and data export. This section lists the steps needed to deploy Citrix ADC and register it with ADM. - -**Deploy Citrix ADC CPX as ingress gateway** - 1. Create secret using Citrix ADM Agent credentials, which will be used by Citrix ADC as CPX to communicate with Citrix ADM Agent: - - kubectl create secret generic admlogin --from-literal=username= --from-literal=password= - - 2. Deploy Citrix ADC CPX as ingress gateway using helm command with `ADM` details: - - helm install citrix-adc-istio-ingress-gateway citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES --set citrixCPX=true --set ADMSettings.ADMIP= - - -> **Note:** -> If container agent is being used here for Citrix ADM, specify `serviceIP` of container agent in the `ADMSettings.ADMIP` parameter. 
- -**Deploy Citrix ADC VPX/MPX as ingress gateway** - - Deploy Citrix ADC VPX/MPX as ingress gateway using helm command and set analytics settings on Citrix ADC VPX/MPX for sending transaction metrics to Citrix ADM - - helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES --set ingressGateway.netscalerUrl=https://[:port] --set ingressGateway.vserverIP= --set secretName=nslogin - - Add the following configurations in Citrix ADC VPX/MPX - - en ns mode ulfd - - en ns feature appflow - - add appflow collector logproxy_lstreamd -IPAddress -port 5557 -Transport logstream - - set appflow param -templateRefresh 3600 -httpUrl ENABLED -httpCookie ENABLED -httpReferer ENABLED -httpMethod ENABLED -httpHost ENABLED -httpUserAgent ENABLED -httpContentType ENABLED -httpAuthorization ENABLED -httpVia ENABLED -httpXForwardedFor ENABLED -httpLocation ENABLED -httpSetCookie ENABLED -httpSetCookie2 ENABLED -httpDomain ENABLED -httpQueryWithUrl ENABLED metrics ENABLED -events ENABLED -auditlogs ENABLED - - add appflow action logproxy_lstreamd -collectors logproxy_lstreamd - - add appflow policy logproxy_policy true logproxy_lstreamd - - bind appflow global logproxy_policy 10 END -type REQ_DEFAULT - - bind appflow global logproxy_policy 10 END -type OTHERTCP_REQ_DEFAULT - - -> **Note:** -> If container agent is being used here for Citrix ADM, specify `PodIP` of container agent in above manual config. - - -## Citrix ADC as Ingress Gateway: a sample deployment - -A sample deployment of Citrix ADC as an Ingress gateway for the Bookinfo application is provided [here](https://github.com/citrix/citrix-helm-charts/tree/master/examples/citrix-adc-in-istio). - -## Uninstalling the Helm chart - -To uninstall or delete a chart with release name as `my-release`, do the following step. 
- - helm delete my-release - -The command removes all the Kubernetes components associated with the chart and deletes the release. - -## Citrix ADC VPX/MPX Certificate Verification - -Create a Kubernetes secret holding the CA certificate of Citrix ADC VPX/MPX with the filename `root-cert.pem`. - - kubectl create secret generic citrix-adc-cert --from-file=./root-cert.pem - -Note: Ensure that Kubernetes secret is created in the same namespace where Citrix ADC Ingress Gateway is deployed. - -To deploy Citrix ADC VPX or MPX with Citrix ADC certificate verification, do the following step: - - kubectl create secret generic nslogin --from-literal=username= --from-literal=password= -n citrix-system - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,secretName=nslogin,ingressGateway.netscalerUrl=https://[:port],ingressGateway.vserverIP=,ingressGateway.adcServerName= - -## Configuration parameters - -The following table lists the configurable parameters in the Helm chart and their default values. - - -| Parameter | Description | Default | Optional/Mandatory | -|--------------------------------|-------------------------------|---------------------------|---------------------------| -| `citrixCPX` | Citrix ADC CPX | FALSE | Mandatory for Citrix ADC CPX | -| `xDSAdaptor.image` | Image of the Citrix xDS adaptor container (Refer compatibility matrix) |quay.io/citrix/citrix-xds-adaptor:0.9.9 | Mandatory| -| `xDSAdaptor.imagePullPolicy` | Image pull policy for xDS adaptor | IfNotPresent | Optional| -| `xDSAdaptor.secureConnect` | If this value is set to true, xDS-adaptor establishes secure gRPC channel with Istio Pilot | TRUE | Optional| -| `xDSAdaptor.logLevel` | Log level to be set for xDS-adaptor log messages. 
Possible values: TRACE (most verbose), DEBUG, INFO, WARN, ERROR (least verbose) | DEBUG | Optional| -| `xDSAdaptor.jsonLog` | Set this argument to true if log messages are required in JSON format | false | Optional| -| `coe.coeURL` | Name of [Citrix Observability Exporter](https://github.com/citrix/citrix-observability-exporter) Service in the form of "." | null | Optional| -| `coe.coeTracing` | Use COE to send appflow transactions to Zipkin endpoint. If it is set to true, ADM servicegraph (if configured) can be impacted. | false | Optional| -| `ADMSettings.ADMIP ` | Citrix Application Delivery Management (ADM) IP address | null | Mandatory for Citrix ADC CPX | -| `ADMSettings.licenseServerIP ` | Citrix License Server IP address | null | Optional | -| `ADMSettings.licenseServerPort` | Citrix ADM port if a non-default port is used | 27000 | Optional| -| `ADMSettings.bandWidth` | Desired bandwidth capacity to be set for Citrix ADC CPX in Mbps | null | Optional | -| `ADMSettings.bandWidthLicense` | To specify bandwidth based licensing | false | Optional | -| `ingressGateway.netscalerUrl` | URL or IP address of the Citrix ADC which Istio-adaptor configures (Mandatory if citrixCPX=false)| null |Mandatory for Citrix ADC MPX or VPX| -| `ingressGateway.vserverIP` | Virtual server IP address on Citrix ADC (Mandatory if citrixCPX=false) | null | Mandatory for Citrix ADC MPX or VPX| -| `ingressGateway.adcServerName ` | Citrix ADC ServerName used in the Citrix ADC certificate | null | Optional | -| `ingressGateway.image` | Image of Citrix ADC CPX designated to run as Ingress Gateway |quay.io/citrix/citrix-k8s-cpx-ingress:13.0-79.64 | Mandatory for Citrix ADC CPX | -| `ingressGateway.imagePullPolicy` | Image pull policy | IfNotPresent | Optional| -| `ingressGateway.EULA` | End User License Agreement(EULA) terms and conditions. If yes, then user agrees to EULA terms and conditions. 
| NO | Mandatory for Citrix ADC CPX -| `ingressGateway.mgmtHttpPort` | Management port of the Citrix ADC CPX | 9080 | Optional| -| `ingressGateway.mgmtHttpsPort` | Secure management port of Citrix ADC CPX | 9443 | Optional| -| `ingressGateway.httpNodePort` | Port on host machine which is used to expose HTTP port (80) of Citrix ADC CPX | 30180 |Optional| -| `ingressGateway.httpsNodePort` | Port on host machine which is used to expose HTTPS port (443) of Citrix ADC CPX | 31443 |Optional| -| `ingressGateway.nodePortRequired` | Set this argument if servicetype to be NodePort of Citrix ADC CPX | false |Optional| -| `ingressGateway.secretVolume` | A map of user defined volumes to be mounted using Kubernetes secrets | null |Optional| -| `ingressGateway.label` | Custom label for the Ingress Gateway service | citrix-ingressgateway |Optional| -| `ingressGateway.netProfile ` | Network profile name used by [CNC](https://github.com/citrix/citrix-k8s-node-controller) to configure Citrix ADC VPX or MPX which is deployed as Ingress Gateway | null | Optional| -| `ingressGateway.multiClusterIngress ` | Flag indicating if Citrix ADC is acting as Ingress gateway to multi cluster Istio mesh installation. 
Possible values: true/false | false | Optional| -| `ingressGateway.multiClusterListenerPort ` | Port opened on Citrix ADC to enable inter-cluster service to service (E-W) communication | 15443 | Optional| -| `ingressGateway.multiClusterListenerNodePort ` | Nodeport for multiClusterListenerPort in case of Citrix ADC CPX acting as Ingress gateway | 32443 | Optional| -| `ingressGateway.multiClusterSvcDomain ` | Domain suffix of remote service (deployed in other cluster) used in E-W communication | global | Optional| -| `ingressGateway.tcpPort` | For exposing multiple TCP ingress | null |Optional| -| `istioPilot.name` | Name of the Istio Pilot service | istiod |Optional| -| `istioPilot.namespace` | Namespace where Istio Pilot is running | istio-system |Optional| -| `istioPilot.secureGrpcPort` | Secure GRPC port where Istiod (Istio Pilot) is listening (default setting) | 15012 |Optional| -| `istioPilot.insecureGrpcPort` | Insecure GRPC port where Istiod (Istio Pilot) is listening | 15010 |Optional| -| `istioPilot.SAN` | Subject alternative name for Istiod (Istio Pilot) which is the secure production identity framework for everyone (SPIFFE) ID of Istio Pilot | null |Optional| -| `metricExporter.required` | Metrics exporter for Citrix ADC | TRUE |Optional| -| `metricExporter.image` | Image of the Citrix ADC Metrics Exporter | quay.io/citrix/citrix-adc-metrics-exporter:1.4.8 |Optional| -| `metricExporter.port` | Port over which Citrix ADC Metrics Exporter collects metrics of Citrix ADC. | 8888 |Optional| -| `metricExporter.secure` | Enables collecting metrics over TLS | YES |Optional| -| `metricExporter.logLevel` | Level of logging in Citrix ADC Metrics Exporter. 
Possible values are: DEBUG, INFO, WARNING, ERROR, CRITICAL | ERROR |Optional| -| `metricExporter.imagePullPolicy` | Image pull policy for Citrix ADC Metrics Exporter | IfNotPresent |Optional| -| `certProvider.caAddr` | Certificate Authority (CA) address issuing certificate to application | istiod.istio-system.svc | Optional | -| `certProvider.caPort` | Certificate Authority (CA) port issuing certificate to application | 15012 | Optional | -| `certProvider.trustDomain` | SPIFFE Trust Domain | cluster.local | Optional | -| `certProvider.certTTLinHours` | Validity of certificate generated by xds-adaptor and signed by Istiod (Istio Citadel) in hours. Default is 30 days validity | 720 | Optional | -| `certProvider.clusterId` | clusterId is the ID of the cluster where Istiod CA instance resides (default Kubernetes). It can be different value on some cloud platforms or in multicluster environments. For example, in Anthos servicemesh, it might be of the format of `cn--`. In multiCluster environments, it is the value of global.multiCluster.clusterName provided during servicemesh control plane installation | Kubernetes | Optional | -| `certProvider.jwtPolicy` | Service Account token type. Kubernetes platform supports First party tokens and Third party tokens. Usually public cloud based Kubernetes has third-party-jwt | null | Optional | -| `secretName` | Name of the Kubernetes secret holding Citrix ADC credentials | nslogin | Mandatory for Citrix ADC VPX/MPX | - -**Note:** You can use the `values.yaml` file packaged in the chart. This file contains the default configuration values for the chart. diff --git a/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.0/app-readme.md b/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.0/app-readme.md deleted file mode 100644 index dc4ee42acd..0000000000 --- a/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.0/app-readme.md +++ /dev/null 
@@ -1,38 +0,0 @@ -# Citrix ADC as an Ingress Gateway for Istio - -An [Istio](https://istio.io/) ingress gateway acts as an entry point for the incoming traffic and secures and controls access to the service mesh. It also performs routing and load balancing. Citrix ADC [CPX](https://docs.citrix.com/en-us/citrix-adc-cpx), MPX, or [VPX](https://docs.citrix.com/en-us/citrix-adc.html), can be deployed as an ingress gateway to the Istio service mesh. - -### Prerequisites - -The following prerequisites are required for deploying Citrix ADC as an Ingress Gateway in Istio service mesh: - -- Ensure that **Istio** is enabled. -- Ensure that your cluster has Kubernetes version 1.16.0 or later. -- Ensure to create secret named **nslogin** with username and password in same namespace in case of VPX/MPX . Choose the **Cluster Explorer > Storage > Secrets** in the navigation bar. - -### Important NOTE: -- Follow this [link](https://github.com/citrix/citrix-helm-charts/blob/master/examples/citrix-adc-in-istio/README.md -) to deploy Citrix ADC as an ingress gateway for application. -- For deploying Citrix ADC VPX or MPX as ingress gateway, you should establish the connectivity between Citrix ADC VPX or MPX and cluster nodes. This connectivity can be established by configuring routes on Citrix ADC as mentioned [here](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/staticrouting.md) or by deploying [Citrix Node Controller](https://github.com/citrix/citrix-k8s-node-controller). -- To use the certificate and key for authenticating access to an application using Citrix ADC Ingress Gateway. In that case, you can create a Kubernetes secret from the existing certificate and key. You can mount the Kubernetes secret as data volumes in Citrix ADC Ingress Gateway. Then specify a list of secret, volume name, mount path in subsequent fields of `SecretVolume` section: - - Go to `Edit as YAML` option and update below values . 
- ``` - secretVolumes: - - name: - secretName: - mountPath: - ``` - For more details, follow this [link](https://github.com/citrix/citrix-helm-charts/tree/master/citrix-adc-istio-ingress-gateway#using-existing-certificates-to-deploy-citrix-adc-as-an-ingress-gateway) - -- By default, gateway is configured to expose HTTP(S) services. To expose non-HTTP services, Then specify a list of port, port-name, target-port, nodeport (if applicable) in subsequent fields of `tcpPort` section. - - Go to `Edit as YAML` option and update below values. - ``` - tcpPort: - - name: - nodePort: - port: - targetPort: - ``` - For more details follow this [link](https://github.com/citrix/citrix-helm-charts/tree/master/citrix-adc-istio-ingress-gateway#exposing-services-running-on-non-http-ports) - -This catalog deploys Citrix ADC VPX, MPX, or CPX as an Ingress Gateway in the Istio service mesh. For detailed information on various deployment options,checkout this [link](https://github.com/citrix/citrix-istio-adaptor). diff --git a/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.0/questions.yml b/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.0/questions.yml deleted file mode 100644 index 36a7b00354..0000000000 --- a/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.0/questions.yml +++ /dev/null 
@@ -1,405 +0,0 @@ -labels: - io.rancher.certified: partner -questions: -- variable: citrixCPX - required: true - type: boolean - default: true - description: "Set true to use Citrix ADC CPX as ingress device. Set false to use VPX/MPX as ingress device" - label: citrixCPX - group: "Deployment Settings" -- variable: secrets.name - required: true - type: string - default: "nslogin" - description: "Ensure to create nslogin secret in same namespace" - show_if: "citrixCPX=false" - group: "nslogin Settings" -- variable: xDSAdaptor.image - required: true - type: string - default: "quay.io/citrix/citrix-xds-adaptor:0.9.9" - label: xDSAdaptor Image - description: "xDSAdaptor Image to be used with version" - group: "xDSAdaptor Settings" -- variable: xDSAdaptor.imagePullPolicy - required: true - type: enum - default: IfNotPresent - label: xDSAdaptor imagePullPolicy - description: "xDSAdaptor Image pull policy" - options: - - "Always" - - "IfNotPresent" - - "Never" - group: "xDSAdaptor Settings" -- variable: xDSAdaptor.proxyType - required: false - type: string - default: "router" - label: xDSAdaptor proxyType - description: "xDSAdaptor proxyType type set to router by default" - group: "xDSAdaptor Settings" -- variable: xDSAdaptor.secureConnect - required: true - type: boolean - default: true - label: xDSAdaptor secureConnect - description: "If this value is set to true, xDSAdaptor establishes secure gRPC channel with Istio Pilot" - group: "xDSAdaptor Settings" -- variable: xDSAdaptor.logLevel - required: false - type: enum - default: DEBUG - label: xDSAdaptor logLevel - description: "xDSAdaptor logLevel" - options: - - "TRACE" - - "DEBUG" - - "INFO" - - "WARN" - - "ERROR" - group: "xDSAdaptor Settings" -- variable: xDSAdaptor.jsonLog - required: false - type: string - default: "true" - label: xDSAdaptor jsonLog - description: "Set this argument to true if log messages are required in JSON format" - group: "xDSAdaptor Settings" -- variable: coe.coeURL - required: false - type: 
string - label: coe coeURL - description: "Name of Citrix Observability Exporter Service" - group: "COE Settings" -- variable: coe.coeTracing - required: false - type: boolean - label: coe coeTracing - description: "Used to send appflow transactions to Zipkin endpoint,if true ADM servicegraph (if configured) can be impacted" - group: "COE Settings" -- variable: istioPilot.name - required: true - type: string - default: istiod - label: istio-pilot name - group: "istio-pilot Settings" - description: "Name of the Istio Pilot service" -- variable: istioPilot.namespace - required: true - type: string - default: istio-system - label: istio-pilot namespace - description: "Namespace where Istio Pilot is running" - group: "istio-pilot Settings" -- variable: istioPilot.secureGrpcPort - required: true - type: int - default: 15012 - label: istio-pilot secureGrpcPort - show_if: "xDSAdaptor.secureConnect=true" - description: "Secure GRPC port where Istio Pilot is listening" - group: "istio-pilot Settings" -- variable: istioPilot.insecureGrpcPort - required: true - type: int - default: 15010 - show_if: "xDSAdaptor.secureConnect=false" - label: istio-pilot insecureGrpcPort - description: "Insecure GRPC port where Istio Pilot is listening" - group: "istio-pilot Settings" -- variable: istioPilot.SAN - required: false - type: string - default: - label: istio-pilot SAN - description: "Subject alternative name for Istio Pilot which is (SPIFFE) ID of Istio Pilot" - show_if: "xDSAdaptor.secureConnect=true" - group: "istio-pilot Settings" -- variable: ingressGateway.netscalerUrl - required: true - type: string - default: - label: ingressGateway netscalerUrl - description: "URL or IP address of the Citrix ADC which Istio-adaptor configures (Mandatory if citrixCPX=false)" - show_if: "citrixCPX=false" - group: "ingressGateway Settings" -- variable: ingressGateway.image - required: true - type: string - default: "quay.io/citrix/citrix-k8s-cpx-ingress:13.0-79.64" - label: ingressGateway Image 
- description: "ingressGateway image to be used" - group: "ingressGateway Settings" -- variable: ingressGateway.imagePullPolicy - required: true - type: enum - default: IfNotPresent - label: ingressGateway imagePullPolicy - description: Ingress-gateway Image pull policy - group: "ingressGateway Settings" - options: - - "Always" - - "IfNotPresent" - - "Never" -- variable: ingressGateway.EULA - required: true - type: enum - description: "End user license agreement (read EULA before accepting it yes)" - label: ingressGateway EULA - options: - - "YES" - - "NO" - group: "ingressGateway Settings" -- variable: ingressGateway.mgmtHttpPort - required: true - type: int - default: 10080 - label: ingressGateway mgmtHttpPort - description: "Management port of the Citrix ADC CPX" - show_if: "citrixCPX=true" - group: "ingressGateway Settings" -- variable: ingressGateway.mgmtHttpsPort - required: true - type: int - default: 10443 - show_if: "citrixCPX=true" - label: ingressGateway mgmtHttpsPort - description: "Secure management port of Citrix ADC CPX" - group: "ingressGateway Settings" -- variable: ingressGateway.httpNodePort - required: true - type: int - default: 30180 - show_if: "citrixCPX=true" - label: ingressGateway httpNodePort - description: "Port on host machine which is used to expose HTTP port of Citrix ADC CPX" - group: "ingressGateway Settings" -- variable: ingressGateway.httpsNodePort - required: true - type: int - default: 31443 - show_if: "citrixCPX=true" - label: ingressGateway httpsNodePort - description: "Port on host machine which is used to expose HTTPS port of Citrix ADC CPX" - group: "ingressGateway Settings" -- variable: ingressGateway.nodePortRequired - required: true - type: boolean - default: true - label: ingressGateway nodePortRequired - description: "Set this argument if servicetype to be NodePort of Citrix ADC CPX, else it will be loadbalancer type" - group: "ingressGateway Settings" -- variable: ingressGateway.lightWeightCPX - required: false - 
type: int - default: 1 - show_if: "citrixCPX=true" - label: ingressGateway lightWeightCPX - description: "Set this argument if lighter version of Citrix ADC CPX used" - group: "ingressGateway Settings" -- variable: ingressGateway.label - required: true - type: string - default: "citrix-ingressgateway" - label: ingressGateway label - description: "Custom label for the Ingress Gateway service" - group: "ingressGateway Settings" -- variable: ingressGateway.vserverIP - required: true - type: string - default: "nsip" - show_if: "citrixCPX=false" - label: ingressGateway vserverIP - description: "Virtual server IP address on Citrix ADC" - group: "ingressGateway Settings" -- variable: ingressGateway.adcServerName - required: false - type: string - default: - label: ingressGateway adcServerName - description: "Citrix ADC ServerName used in the Citrix ADC certificate" - group: "ingressGateway Settings" -- variable: ingressGateway.netProfile - required: false - type: string - default: - label: ingressGateway netProfile - description: "Network profile name used to configure Citrix ADC VPX or MPX which is deployed as Ingress Gateway" - show_if: "citrixCPX=false" - group: "ingressGateway Settings" -- variable: ingressGateway.multiClusterIngress - required: false - type: boolean - default: false - label: ingressGateway multiClusterIngress - description: "Flag indicating if Citrix ADC is acting as Ingress gateway to multi cluster Istio mesh installation" - group: "ingressGateway Settings" -- variable: ingressGateway.multiClusterListenerPort - required: true - type: int - default: 15443 - label: ingressGateway multiClusterListenerPort - description: "Port opened on Citrix ADC to enable inter-cluster service to service (E-W) communication" - show_if: "ingressGateway.multiClusterIngress=true" - group: "ingressGateway Settings" -- variable: ingressGateway.multiClusterListenerNodePort - required: true - type: int - default: 15443 - label: ingressGateway multiClusterListenerNodePort - 
description: "Nodeport for multiClusterListenerPort in case of Citrix ADC CPX acting as Ingress gateway" - show_if: "ingressGateway.multiClusterIngress=true" - group: "ingressGateway Settings" -- variable: ingressGateway.multiClusterSvcDomain - required: true - type: string - default: global - label: ingressGateway multiClusterSvcDomain - description: "Domain suffix of remote service (deployed in other cluster) used in E-W communication" - show_if: "ingressGateway.multiClusterIngress=true" - group: "ingressGateway Settings" -- variable: metricExporter.required - required: false - type: boolean - default: true - label: Exporter required - description: "Metrics exporter for Citrix ADC" - group: "metricExporter Settings" -- variable: metricExporter.image - required: true - type: string - default: "quay.io/citrix/citrix-adc-metrics-exporter:1.4.8" - label: Exporter Image - description: "Exporter Image to be used with version" - show_if: "metricExporter.required=true" - group: "metricExporter Settings" -- variable: metricExporter.port - required: true - type: int - default: 8888 - label: metricExporter Port - show_if: "metricExporter.required=true" - group: "metricExporter Settings" -- variable: metricExporter.logLevel - required: true - type: enum - default: ERROR - label: metricExporter logLevel - show_if: "metricExporter.required=true" - group: "metricExporter Settings" - options: - - "DEBUG" - - "INFO" - - "WARNING" - - "ERROR" - - "TRACE" -- variable: metricExporter.imagePullPolicy - required: true - type: enum - default: IfNotPresent - label: metricExporter imagePullPolicy - description: "Exporter Image pull policy" - show_if: "metricExporter.required=true" - group: "metricExporter Settings" - options: - - "Always" - - "IfNotPresent" - - "Never" -- variable: certProvider.caAddr - required: true - type: string - default: "istiod.istio-system.svc" - label: certProvider caAddr - description: "Certificate Authority (CA) address issuing certificate to application" - 
group: "certProvider Settings" -- variable: certProvider.caPort - required: true - type: int - default: 15012 - label: certProvider caPort - description: "Certificate Authority (CA) port issuing certificate to application" - group: "certProvider Settings" -- variable: certProvider.trustDomain - required: true - type: string - default: "cluster.local" - label: certProvider trustDomain - description: "SPIFFE Trust Domain" - group: "certProvider Settings" -- variable: certProvider.certTTLinHours - required: true - type: int - default: 720 - label: certProvider certTTLinHours - description: "Validity of certificate generated by xds-adaptor and signed by Istiod (Istio Citadel) in hours." - group: "certProvider Settings" -- variable: certProvider.clusterId - required: true - type: string - default: "Kubernetes" - label: certProvider clusterId - description: "clusterId is the ID of the cluster where Istiod CA instance resides (default Kubernetes). It can be different value on some cloud platforms or in m -ulticluster environments. For example, in Anthos servicemesh, it might be of the format of `cn--`. 
In multiCluster environments, it is the val -ue of global.multiCluster.clusterName provided during servicemesh control plane installation" - group: "certProvider Settings" -- variable: certProvider.jwtPolicy - required: true - type: enum - default: "first-party-jwt" - label: certProvider jwtPolicy - description: "Kubernetes platform supports First party tokens and Third party tokens" - options: - - "first-party-jwt" - - "third-party-jwt" - group: "certProvider Settings" -- variable: ADMSettings.ADMIP - required: false - type: string - default: - label: ADMSettings ADMIP - description: "Citrix Application Delivery Management (ADM) IP address" - group: "ADMSettings Settings" -- variable: ADMSettings.licenseServerIP - required: false - type: string - default: - label: ADMSettings licenseServerIP - description: "Citrix License Server IP address" - group: "ADMSettings Settings" -- variable: ADMSettings.licenseServerPort - required: false - type: int - default: 27000 - label: ADMSettings licenseServerPort - description: "Citrix ADM port if a non-default port is used" - group: "ADMSettings Settings" -- variable: ADMSettings.bandWidthLicense - required: false - type: boolean - default: false - label: ADMSettings bandWidthLicense - description: "To specify bandwidth based licensing" - group: "ADMSettings Settings" -- variable: ADMSettings.bandWidth - required: false - type: string - default: - label: ADMSettings bandWidth - description: "Desired bandwidth capacity to be set for Citrix ADC CPX in Mbps" - group: "ADMSettings Settings" -- variable: ADMSettings.vCPULicense - required: false - type: boolean - default: "false" - label: ADMSettings vCPULicense - description: "To specify vCPULicense based licensing" - group: "ADMSettings Settings" -- variable: ADMSettings.cpxCores - required: false - type: string - default: - label: ADMSettings cpxCores - description: "To specify cpxCores in licensing" - group: "ADMSettings Settings" 
diff --git a/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.0/templates/_helpers.tpl b/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.0/templates/_helpers.tpl
deleted file mode 100644
index be79f4f8ce..0000000000
--- a/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.0/templates/_helpers.tpl
+++ /dev/null
@@ -1,53 +0,0 @@
-{{- define "exporter_nsip" -}}
-{{- $match := .Values.ingressGateway.netscalerUrl | toString | regexFind "//.*[:]*" -}}
-{{- $match | trimAll ":" | trimAll "/" -}}
-{{- end -}}
-
-{{/* A common function to generate name of the resource.
- * Usage: {{ template "generate-name" (list . (dict "suffixname" "citrix-deployment")) }}
- * In above example, arguments are given in the list.
- * First one is `.` indicating global chart-level scope.
- * Second argument name is `suffixname` and value is `citrix-deployment`.
- * If release name is `my-release`, then generate-name function would output "my-release-citrix-deployment".
- * The function truncates name to 63 chars due to Kubernetes name length restrictions
-*/}}
-{{- define "generate-name" -}}
-{{- $top := index . 0 -}}
-{{- $arg1 := index . 1 "suffixname" -}}
-{{- printf "%s-%s" $top.Release.Name $arg1 | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/* Another common function to generate name of the resource.
- * Usage: {{ template "generate-name" (list . "citrix-deployment") }}
- * In above example, arguments are given in the list.
- * First one is `.` indicating global chart-level scope.
- * Second argument is unnamed and takes value as `citrix-deployment`.
- * If release name is `my-release`, then generate-name function would output "my-release-citrix-deployment".
- * The function truncates name to 63 chars due to Kubernetes name length restrictions
-*/}}
-{{- define "generate-name2" -}}
-{{- $top := index . 0 -}}
-{{- $arg1 := index . 1 -}}
-{{- printf "%s-%s" $top.Release.Name $arg1 | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/* Below function is used to identify default value of jwtPolicy if not provided.
- * For on-prem Kubernetes v1.21+, it is third-party-jwt. Else first-party-jwt.
- * Note: Don't just do "helm template" to generate yaml file. Else https://github.com/helm/helm/issues/7991
- * is possible. Use "helm template --validate" or "helm install --dry-run --debug".
- * Note2: For cloud environments, semverCompare should be ideally done with "<1.21.x-x" as
- * Kubernetes version is generally of the format v1.20.7-eks-xxxxxx. So, it fails the "v1.21.x" check but that's fine
- * as in cloud environments third-party-jwt is enabled.
-*/}}
-
-{{- define "jwtValue" -}}
-{{- if .Values.certProvider.jwtPolicy -}}
-{{- printf .Values.certProvider.jwtPolicy -}}
-{{- else -}}
-{{- if semverCompare "<1.21.x" .Capabilities.KubeVersion.Version -}}
-{{- printf "first-party-jwt" -}}
-{{- else -}}
-{{- printf "third-party-jwt" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
\ No newline at end of file
diff --git a/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.0/templates/citrix-adc-ingressgateway-deployment.yaml b/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.0/templates/citrix-adc-ingressgateway-deployment.yaml
deleted file mode 100644
index 53af158f1b..0000000000
--- a/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.0/templates/citrix-adc-ingressgateway-deployment.yaml
+++ /dev/null
@@ -1,509 +0,0 @@ -{{- if eq .Values.citrixCPX true }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "generate-name" (list . (dict "suffixname" "ingress-deployment")) }} - namespace: {{ .Release.Namespace }} - labels: - app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} - deployment: "cpx-ingressgateway" # This label is useful in ServiceGraph -spec: - replicas: 1 - selector: - matchLabels: - app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} - template: - metadata: - labels: - app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} - citrix.com/no.sidecar: "true" - annotations: - scheduler.alpha.kubernetes.io/critical-pod: "" - prometheus.io/port: "{{ .Values.metricExporter.port }}" - prometheus.io/scrape: "true" - spec: - volumes: - - name: citrix-ingressgateway-certs - secret: - optional: true - secretName: "citrix-ingressgateway-certs" # IMPORTANT: This secret MUST BE created before deploying gateway and ingress-gateway - - name: citrix-ingressgateway-ca-certs - secret: - optional: true - secretName: "citrix-ingressgateway-ca-certs" # IMPORTANT: This secret MUST BE created before deploying gateway and ingress-gateway - {{- range .Values.ingressGateway.secretVolumes }} - - name: {{ .name }} - secret: - secretName: {{ .secretName | quote }} - optional: true - {{- end }} - - name: cpx-conf - emptyDir: {} - - name: cpx-crash - emptyDir: {} - - name: cpx-pwd - emptyDir: {} - - name: certs - emptyDir: {} -{{- $jwtpolicy := include "jwtValue" . 
}} -{{- if eq $jwtpolicy "third-party-jwt" }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: istio-ca - expirationSeconds: 43200 - path: istio-token -{{- end }} - - name: istiod-ca-cert - configMap: - defaultMode: 0777 - name: istio-ca-root-cert - securityContext: - fsGroup: 32024 - containers: -{{- if eq .Values.metricExporter.required true }} - - name: exporter - image: {{ .Values.metricExporter.image }} - imagePullPolicy: IfNotPresent - args: - - "--target-nsip=127.0.0.1" - - "--port={{ .Values.metricExporter.port }}" - - "--log-level={{ .Values.metricExporter.logLevel }}" - - "--secure=no" - env: - - name: "NS_DEPLOYMENT_MODE" - value: "SIDECAR" - securityContext: - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /var/deviceinfo - name: cpx-pwd -{{- end }} - - name: istio-adaptor - image: {{ .Values.xDSAdaptor.image }} - imagePullPolicy: {{ .Values.xDSAdaptor.imagePullPolicy }} - args: - - -ads-server -{{- if eq .Values.xDSAdaptor.secureConnect true }} - - {{ .Values.istioPilot.name}}.{{ .Values.istioPilot.namespace }}.svc:{{ .Values.istioPilot.secureGrpcPort }} # istiod.istio-system.svc:15012 -{{- else }} - - {{ .Values.istioPilot.name}}.{{ .Values.istioPilot.namespace }}.svc:{{ .Values.istioPilot.insecureGrpcPort }} # istiod.istio-system.svc:15010 -{{- end }} - - -istio-proxy-type - - {{ .Values.xDSAdaptor.proxyType | default "router" | quote }} -{{- if .Values.istioPilot.SAN }} - - -ads-server-SAN - - {{ .Values.istioPilot.SAN | default "" }} -{{- end }} - - -ads-secure-connect={{ .Values.xDSAdaptor.secureConnect }} - - -citrix-adc - - "http://127.0.0.1" - - -citrix-adc-vip - - "nsip" - - -citrix-adc-password - - "/var/deviceinfo/random_id" -{{- if .Values.ADMSettings.ADMIP }} - - -citrix-adm - - {{ .Values.ADMSettings.ADMIP }} -{{- end }} -{{- if .Values.ADMSettings.licenseServerIP }} - - -citrix-license-server - - {{ .Values.ADMSettings.licenseServerIP }} -{{- end }} -{{- if .Values.coe.coeURL }} - - -coe - - 
{{ .Values.coe.coeURL }} -{{- end }} - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: APPLICATION_NAME - valueFrom: - fieldRef: - fieldPath: metadata.labels['app'] - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.serviceAccountName -{{- if .Values.certProvider.caAddr }} - - name: CA_ADDR - value: {{ .Values.certProvider.caAddr }}:{{ .Values.certProvider.caPort}} #istiod.istio-system.svc:15012 - - name: TRUST_DOMAIN - value: {{ .Values.certProvider.trustDomain }} #cluster.local - - name: CLUSTER_ID - value: {{ .Values.certProvider.clusterId }} #Kubernetes - - name: CERT_TTL_IN_HOURS - value: {{ .Values.certProvider.certTTLinHours | quote }} - - name: JWT_POLICY - value: {{ include "jwtValue" . | quote }} # If value not provided then third-party-jwt for v>=1.21 otherwise first-party-jwt -{{- end }} -{{- if eq .Values.ingressGateway.multiClusterIngress true }} - - name: MULTICLUSTER_INGRESS - value: "TRUE" - - name: MULTICLUSTER_LISTENER_PORT - value: {{ .Values.ingressGateway.multiClusterListenerPort | quote}} - - name: MULTICLUSTER_SVC_DOMAIN - value: {{ printf "'*.%s'" .Values.ingressGateway.multiClusterSvcDomain }} -{{- end }} -{{- if eq .Values.coe.coeTracing true }} - - name: COE_TRACING - value: "TRUE" -{{- end }} - - name: LOGLEVEL - value: {{ .Values.xDSAdaptor.logLevel | default "DEBUG" | quote }} -{{- if eq .Values.xDSAdaptor.jsonLog true }} - - name: JSONLOG - value: "TRUE" -{{- end }} - securityContext: - readOnlyRootFilesystem: true - runAsGroup: 32024 - runAsUser: 32024 # UID of istio-adaptor container's user - volumeMounts: - - mountPath: /var/deviceinfo - name: cpx-pwd -{{- $jwtpolicy := include "jwtValue" . 
}} -{{- if eq $jwtpolicy "third-party-jwt" }} - - mountPath: /var/run/secrets/tokens - name: istio-token -{{- end }} - - mountPath: /etc/certs - name: certs - - name: istiod-ca-cert - mountPath: /etc/rootcert/ - - mountPath: /etc/istio/ingressgateway-certs # Make sure that Gateway definition has this path mentioned in server.tls section for SIMPLE TLS - name: citrix-ingressgateway-certs - readOnly: true - - mountPath: /etc/istio/ingressgateway-ca-certs # Make sure that Gateway definition has this path mentioned in server.tls section for MUTUAL TLS - name: citrix-ingressgateway-ca-certs - readOnly: true - {{- range .Values.ingressGateway.secretVolumes }} - - name: {{ .name }} - mountPath: {{ .mountPath | quote }} - readOnly: true - {{- end }} - - name: citrix-ingressgateway - image: "{{ .Values.ingressGateway.image }}" - imagePullPolicy: {{ .Values.ingressGateway.imagePullPolicy }} - securityContext: - privileged: true - ports: - - containerPort: 80 - - containerPort: 443 -{{- if .Values.ingressGateway.mgmtHttpPort }} - - containerPort: {{ .Values.ingressGateway.mgmtHttpPort }} -{{- end }} -{{- if .Values.ingressGateway.mgmtHttpsPort }} - - containerPort: {{ .Values.ingressGateway.mgmtHttpsPort }} -{{- end }} -{{- range .Values.ingressGateway.tcpPort }} - - containerPort: {{ .port }} -{{- end }} - volumeMounts: - - mountPath: /cpx/conf/ - name: cpx-conf - - mountPath: /cpx/crash/ - name: cpx-crash - - mountPath: /var/deviceinfo - name: cpx-pwd - env: - - name: "EULA" - value: "{{ .Values.ingressGateway.EULA }}" -{{- if .Values.metricExporter.required }} - - name: "METRICS_EXPORTER_PORT" - value: "{{ .Values.metricExporter.port }}" -{{- end }} - - name: "MGMT_HTTP_PORT" - value: "{{ .Values.ingressGateway.mgmtHttpPort }}" - - name: "MGMT_HTTPS_PORT" - value: "{{ .Values.ingressGateway.mgmtHttpsPort }}" - - name: "NS_CPX_LITE" - value: "{{ .Values.ingressGateway.lightWeightCPX }}" -{{- if or .Values.coe.coeURL .Values.ADMSettings.ADMIP }} - - name: 
"NS_ENABLE_NEWNSLOG" - value: "1" -{{- end }} - - name: "KUBERNETES_TASK_ID" - value: "" - - name: "LS_IP" - value: {{ .Values.ADMSettings.licenseServerIP | default "" }} - - name: "LS_PORT" - value: "{{ .Values.ADMSettings.licenseServerPort}}" -{{- if .Values.ADMSettings.ADMIP }} - - name: "NS_MGMT_SERVER" - value: {{ .Values.ADMSettings.ADMIP }} - - name: "NS_HTTP_PORT" - value: {{ .Values.ingressGateway.mgmtHttpPort | quote }} - - name: "NS_HTTPS_PORT" - value: {{ .Values.ingressGateway.mgmtHttpsPort | quote }} -{{- end }} - - name: "LOGSTREAM_COLLECTOR_IP" - value: {{ .Values.ADMSettings.ADMIP | default ""}} -#To povision bandwidth based licensing to Citrix ADC CPX from ADM, needs bandwidth -{{- if and ( .Values.ADMSettings.licenseServerIP ) (eq .Values.ADMSettings.bandWidthLicense true) }} - - name: "BANDWIDTH" - value: {{ required "Mention bandwidth for bandwidth based licensing" .Values.ADMSettings.bandWidth | quote }} -{{- end }} -#for multiple-PE support, need to set CPX_CORES -{{- if .Values.ADMSettings.licenseServerIP }} -{{- if or (eq .Values.ADMSettings.vCPULicense true) (eq .Values.ADMSettings.bandWidthLicense true) }} - - name: "CPX_CORES" - value: {{ .Values.ADMSettings.cpxCores | default 1 | quote }} -{{- end }} -{{- end }} -{{- if or (.Values.ADMSettings.ADMIP) (.Values.ADMSettings.licenseServerIP) }} - - name: NS_MGMT_USER - valueFrom: - secretKeyRef: - name: admlogin - key: username - - name: NS_MGMT_PASS - valueFrom: - secretKeyRef: - name: admlogin - key: password -{{- end }} ---- -{{ else }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "generate-name" (list . 
(dict "suffixname" "ingress-deployment")) }} - namespace: {{ .Release.Namespace }} - labels: - app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} -spec: - replicas: 1 - selector: - matchLabels: - app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} - template: - metadata: - labels: - app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} - citrix.com/no.sidecar: "true" - annotations: - scheduler.alpha.kubernetes.io/critical-pod: "" - prometheus.io/port: "{{ .Values.metricExporter.port }}" - prometheus.io/scrape: "true" - spec: - containers: -{{- if eq .Values.metricExporter.required true }} - - name: exporter - image: {{ .Values.metricExporter.image }} - imagePullPolicy: {{ .Values.metricExporter.imagePullPolicy }} - args: - - "--target-nsip={{- include "exporter_nsip" . -}}" - - "--port={{ .Values.metricExporter.port }}" - - "--secure={{ .Values.metricExporter.secure | lower}}" - - "--log-level={{ .Values.metricExporter.logLevel }}" - securityContext: - readOnlyRootFilesystem: true - volumeMounts: - - name: nslogin - mountPath: "/mnt/nslogin" - readOnly: true -{{- end }} - - name: istio-adaptor - image: {{ .Values.xDSAdaptor.image }} - imagePullPolicy: {{ .Values.xDSAdaptor.imagePullPolicy }} - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: APPLICATION_NAME - valueFrom: - fieldRef: - fieldPath: metadata.labels['app'] - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.serviceAccountName -{{- if .Values.certProvider.caAddr }} - - name: CA_ADDR - value: {{ .Values.certProvider.caAddr }}:{{ .Values.certProvider.caPort}} #istiod.istio-system.svc:15012 - - name: TRUST_DOMAIN - value: {{ 
.Values.certProvider.trustDomain }} #cluster.local - - name: CLUSTER_ID - value: {{ .Values.certProvider.clusterId }} #Kubernetes - - name: CERT_TTL_IN_HOURS - value: {{ .Values.certProvider.certTTLinHours | quote }} - - name: JWT_POLICY - value: {{ include "jwtValue" . | quote }} # third-party-jwt if Kubernetes cluster supports third-party tokens -{{- end }} -{{- if eq .Values.ingressGateway.multiClusterIngress true }} - - name: MULTICLUSTER_INGRESS - value: "TRUE" - - name: MULTICLUSTER_LISTENER_PORT - value: {{ .Values.ingressGateway.multiClusterListenerPort | quote}} - - name: MULTICLUSTER_SVC_DOMAIN - value: {{ printf "'*.%s'" .Values.ingressGateway.multiClusterSvcDomain }} -{{- end }} -{{- if eq .Values.coe.coeTracing true }} - - name: COE_TRACING - value: "TRUE" -{{- end }} - - name: LOGLEVEL - value: {{ .Values.xDSAdaptor.logLevel | default "DEBUG" | quote }} -{{- if eq .Values.xDSAdaptor.jsonLog true }} - - name: JSONLOG - value: "TRUE" -{{- end }} - - name: NS_USER - valueFrom: - secretKeyRef: - name: {{ .Values.secretName }} - key: username - - name: NS_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Values.secretName }} - key: password - args: - - -ads-server -{{- if eq .Values.xDSAdaptor.secureConnect true }} - - {{ .Values.istioPilot.name}}.{{ .Values.istioPilot.namespace }}.svc:{{ .Values.istioPilot.secureGrpcPort }} # istiod.istio-system.svc:15012 -{{- else }} - - {{ .Values.istioPilot.name}}.{{ .Values.istioPilot.namespace }}.svc:{{ .Values.istioPilot.insecureGrpcPort }} # istiod.istio-system.svc:15010 -{{- end }} - - -istio-proxy-type - - {{ .Values.xDSAdaptor.proxyType | default "router" | quote }} -{{- if .Values.istioPilot.SAN }} - - -ads-server-SAN - - {{ .Values.istioPilot.SAN | default "" }} -{{- end }} - - -ads-secure-connect={{ .Values.xDSAdaptor.secureConnect }} - - -citrix-adc - - {{ required "Mention Citrix ADC IP/URL in https://[:port] format" .Values.ingressGateway.netscalerUrl }} - - -citrix-adc-vip - - {{ required "Mention Vserver 
IP to be configured on Citrix ADC" .Values.ingressGateway.vserverIP }} - - -citrix-adc-user - - "/etc/nslogin/username" - - -citrix-adc-password - - "/etc/nslogin/password" - # If using VPX/MPX as Ingress gateway, then specify the network profile name - # which was provided to Citrix Node Controller (CNC) -{{- if .Values.ingressGateway.netProfile }} - - -citrix-adc-net-profile - - {{ .Values.ingressGateway.netProfile }} -{{- end }} - - -citrix-adm - - "" -{{- if .Values.coe.coeURL }} - - -coe - - {{ .Values.coe.coeURL }} -{{- end }} -{{- if .Values.ingressGateway.adcServerName }} - - -citrix-adc-server-name - - {{ .Values.ingressGateway.adcServerName }} - - -citrix-adc-server-ca - - "/etc/nitro/root-cert.pem" -{{- end }} - securityContext: - readOnlyRootFilesystem: true - runAsGroup: 32024 - runAsUser: 32024 # UID of istio-adaptor container's user - volumeMounts: - - mountPath: /etc/certs - name: certs - - name: istiod-ca-cert - mountPath: /etc/rootcert/ -{{- $jwtpolicy := include "jwtValue" . 
}} -{{- if eq $jwtpolicy "third-party-jwt" }} - - mountPath: /var/run/secrets/tokens - name: istio-token -{{- end }} - - mountPath: /etc/nslogin - name: nslogin - readOnly: true - - mountPath: /etc/istio/ingressgateway-certs # Make sure that Gateway definition has this path mentioned in server.tls section for SIMPLE TLS - name: citrix-ingressgateway-certs - readOnly: true - - mountPath: /etc/istio/ingressgateway-ca-certs # Make sure that Gateway definition has this path mentioned in server.tls section for MUTUAL TLS - name: citrix-ingressgateway-ca-certs - readOnly: true - {{- range .Values.ingressGateway.secretVolumes }} - - name: {{ .name }} - mountPath: {{ .mountPath | quote }} - readOnly: true - {{- end }} -{{- if .Values.ingressGateway.adcServerName }} - - mountPath: /etc/nitro/ - name: citrix-adc-cert - readOnly: true -{{- end }} - securityContext: - fsGroup: 32024 - volumes: - - name: nslogin - secret: - optional: true - secretName: {{ .Values.secretName }} - - name: certs - emptyDir: {} - - name: istiod-ca-cert - configMap: - defaultMode: 0777 - name: istio-ca-root-cert - - name: citrix-ingressgateway-certs - secret: - optional: true - secretName: "citrix-ingressgateway-certs" # IMPORTANT: This secret MUST BE created before deploying gateway and ingress-gateway - - name: citrix-ingressgateway-ca-certs - secret: - optional: true - secretName: "citrix-ingressgateway-ca-certs" # IMPORTANT: This secret MUST BE created before deploying gateway and ingress-gateway - {{- range .Values.ingressGateway.secretVolumes }} - - name: {{ .name }} - secret: - secretName: {{ .secretName | quote }} - optional: true - {{- end }} -{{- if .Values.ingressGateway.adcServerName }} - - name: citrix-adc-cert - secret: - optional: true - secretName: "citrix-adc-cert" # IMPORTANT: This secret MUST BE created before deploying gateway and ingress-gateway -{{- end }} -{{- $jwtpolicy := include "jwtValue" . 
}} -{{- if eq $jwtpolicy "third-party-jwt" }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: istio-ca - expirationSeconds: 43200 - path: istio-token -{{- end }} ---- -{{- end}} diff --git a/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.0/templates/citrix-multicluster-gateway.yaml b/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.0/templates/citrix-multicluster-gateway.yaml deleted file mode 100644 index 7469cd2462..0000000000 --- a/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.0/templates/citrix-multicluster-gateway.yaml +++ /dev/null @@ -1,40 +0,0 @@ -{{- if eq .Values.ingressGateway.multiClusterIngress true }} -apiVersion: networking.istio.io/v1beta1 -kind: Gateway -metadata: - annotations: - labels: - app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} -{{- if eq .Values.citrixCPX true }} - deployment: "cpx-ingressgateway" # This label is useful in ServiceGraph -{{- end }} - name: citrix-multicluster-ingressgateway - namespace: {{ .Release.Namespace }} -spec: - selector: - app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} - servers: - - hosts: - - {{ printf "'*.%s'" .Values.ingressGateway.multiClusterSvcDomain }} - port: - name: tls - number: {{ .Values.ingressGateway.multiClusterListenerPort }} - protocol: TLS - tls: - mode: AUTO_PASSTHROUGH ---- -apiVersion: networking.istio.io/v1beta1 -kind: DestinationRule -metadata: - annotations: - labels: - app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} - name: citrix-multicluster-ingressgateway - namespace: {{ .Release.Namespace }} -spec: - host: {{ printf "'*.%s'" .Values.ingressGateway.multiClusterSvcDomain }} - trafficPolicy: - tls: - mode: ISTIO_MUTUAL ---- -{{- end }} \ No newline at end of file 
diff --git a/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.0/templates/ingressgateway-service.yaml b/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.0/templates/ingressgateway-service.yaml
deleted file mode 100644
index 38ad4f7bd7..0000000000
--- a/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.0/templates/ingressgateway-service.yaml
+++ /dev/null
@@ -1,76 +0,0 @@ -{{- if eq .Values.citrixCPX true }} -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler -metadata: - name: {{ template "generate-name" (list . (dict "suffixname" "citrix-ingress-hpa")) }} - namespace: {{ .Release.Namespace }} -spec: - maxReplicas: 1 - minReplicas: 1 - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{ template "generate-name" (list . (dict "suffixname" "ingress-deployment")) }} - metrics: - - type: Resource - resource: - name: cpu - targetAverageUtilization: 60 ---- -{{- end }} -apiVersion: v1 -kind: Service -metadata: - name: {{ template "generate-name" (list . (dict "suffixname" "citrix-ingress-svc")) }} - namespace: {{ .Release.Namespace }} - annotations: - labels: - app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} -{{- if eq .Values.citrixCPX true }} - deployment: "cpx-ingressgateway" # This label is useful in ServiceGraph -{{- end }} -spec: -{{- if eq .Values.citrixCPX true }} -{{- if eq .Values.ingressGateway.nodePortRequired true }} - type: NodePort -{{- else }} - type: LoadBalancer -{{- end }} -{{- end }} - selector: - app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} - ports: - - - name: http2 -{{- if eq .Values.citrixCPX true }} - nodePort: {{ .Values.ingressGateway.httpNodePort }} -{{- end }} - port: 80 - targetPort: 80 - - - name: https -{{- if eq .Values.citrixCPX true }} - nodePort: {{ .Values.ingressGateway.httpsNodePort }} -{{- end }} - port: 443 - targetPort: 443 -{{- if eq .Values.ingressGateway.multiClusterIngress true }} - - - name: multicluster -{{- if eq .Values.citrixCPX true }} - nodePort: {{ .Values.ingressGateway.multiClusterListenerNodePort }} -{{- end }} - port: {{ .Values.ingressGateway.multiClusterListenerPort }} - targetPort: {{ .Values.ingressGateway.multiClusterListenerPort }} -{{- end }} -{{- $isCPX := .Values.citrixCPX }} -{{- range .Values.ingressGateway.tcpPort }} - - - name: {{ .name }} -{{- if eq $isCPX true }} - 
nodePort: {{ .nodePort }} -{{- end }} - port: {{ .port }} - targetPort: {{ .targetPort }} -{{- end }} ---- diff --git a/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.0/templates/metrics-exporter-service.yaml b/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.0/templates/metrics-exporter-service.yaml deleted file mode 100644 index b63096938b..0000000000 --- a/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.0/templates/metrics-exporter-service.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{- if eq .Values.metricExporter.required true }} -kind: Service -apiVersion: v1 -metadata: - name: {{ template "generate-name" (list . (dict "suffixname" "citrix-exporter-svc")) }} - annotations: - labels: - service-type: citrix-adc-monitor -spec: - selector: - app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} - ports: - - name: exporter-port - port: {{ .Values.metricExporter.port }} - targetPort: {{ .Values.metricExporter.port }} ---- -{{- end }} diff --git a/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.0/values.yaml b/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.0/values.yaml deleted file mode 100644 index d89962e705..0000000000 --- a/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.0/values.yaml +++ /dev/null 
@@ -1,74 +0,0 @@ -# Default values for citrix-adc-istio-ingress-gateway -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -citrixCPX: false - -coe: - coeURL: - coeTracing: false - -metricExporter: - required: true - image: quay.io/citrix/citrix-adc-metrics-exporter:1.4.8 - port: 8888 - secure: "YES" - logLevel: ERROR - imagePullPolicy: IfNotPresent - -xDSAdaptor: - image: quay.io/citrix/citrix-xds-adaptor:0.9.9 - imagePullPolicy: IfNotPresent - proxyType: router - secureConnect: true - logLevel: DEBUG - jsonLog: false - -istioPilot: - name: istiod - namespace: istio-system - secureGrpcPort: 15012 - insecureGrpcPort: 15010 - SAN: - -certProvider: - caAddr: istiod.istio-system.svc - caPort: 15012 - trustDomain: cluster.local - certTTLinHours: 720 - clusterId: Kubernetes - jwtPolicy: #specify third-party-jwt if Kubernetes cluster supports third-party tokens. Default from K8s v1.21 - -ingressGateway: - netscalerUrl: null - image: quay.io/citrix/citrix-k8s-cpx-ingress:13.0-79.64 - imagePullPolicy: IfNotPresent - EULA: NO - mgmtHttpPort: 10080 - mgmtHttpsPort: 10443 - httpNodePort: 30180 - httpsNodePort: 31443 - nodePortRequired: true - lightWeightCPX: 1 - secretVolumes: - #licenseServerIP: this value will be taken from ADMSettings.ADMIP - label: citrix-ingressgateway - tcpPort: - vserverIP: nsip - adcServerName: - netProfile: - multiClusterIngress: false - multiClusterListenerPort: 15443 - multiClusterListenerNodePort: 32443 - multiClusterSvcDomain: global - -ADMSettings: - ADMIP: - licenseServerIP: - licenseServerPort: 27000 - bandWidthLicense: false - bandWidth: - vCPULicense: false - cpxCores: - -secretName: nslogin diff --git a/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.1/.helmignore b/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.1/.helmignore deleted file mode 100644 index 50af031725..0000000000 --- a/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.1/.helmignore +++ /dev/null 
@@ -1,22 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ diff --git a/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.1/Chart.yaml b/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.1/Chart.yaml deleted file mode 100644 index 2ada2c817e..0000000000 --- a/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.1/Chart.yaml +++ /dev/null @@ -1,23 +0,0 @@ -annotations: - catalog.cattle.io/certified: partner - catalog.cattle.io/display-name: Citrix Adc Istio Ingress Gateway - catalog.cattle.io/release-name: citrix-adc-istio-ingress-gateway -apiVersion: v2 -appVersion: 1.11.0 -deprecated: true -description: A Helm chart for Citrix ADC as Ingress Gateway installation in Istio - Service Mesh on Kubernetes platform -home: https://www.citrix.com -icon: https://raw.githubusercontent.com/citrix/citrix-xds-adaptor/master/docs/media/Citrix_Logo_Trademark.png -kubeVersion: '>=v1.16.0-0' -maintainers: -- email: dhiraj.gedam@citrix.com - name: dheerajng -- email: subash.dangol@citrix.com - name: subashd -- email: ajeeta.shaket@citrix.com - name: ajeetas -name: citrix-adc-istio-ingress-gateway -sources: -- https://github.com/citrix/citrix-xds-adaptor -version: 1.11.1 diff --git a/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.1/README.md b/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.1/README.md deleted file mode 100644 index f845a434fa..0000000000 --- a/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.1/README.md +++ /dev/null 
@@ -1,479 +0,0 @@ -# Deploy Citrix ADC as an Ingress Gateway in Istio environment using Helm charts - -Citrix Application Delivery Controller (ADC) can be deployed as an Istio Ingress Gateway to control the ingress traffic to Istio service mesh. - -# Table of Contents -1. [TL; DR;](#tldr) -2. [Introduction](#introduction) -3. [Deploy Citrix ADC VPX or MPX as an Ingress Gateway](#deploy-citrix-adc-vpx-or-mpx-as-an-ingress-gateway) -4. [Deploy Citrix ADC CPX as an Ingress Gateway](#deploy-citrix-adc-cpx-as-an-ingress-gateway) -5. [Using Existing Certificates to deploy Citrix ADC as an Ingress Gateway](#using-existing-certificates-to-deploy-citrix-adc-as-an-ingress-gateway) -6. [Deploy Citrix ADC as an Ingress Gateway in multi cluster Istio Service mesh](#deploy-citrix-adc-as-a-multicluster-ingress-gateway) -7. [Segregating traffic with multiple Ingress Gateways](#segregating-traffic-with-multiple-ingress-gateways) -8. [Visualizing statistics of Citrix ADC Ingress Gateway with Metrics Exporter](#visualizing-statistics-of-citrix-adc-ingress-gateway-with-metrics-exporter) -9. [Exposing services running on non-HTTP ports](#exposing-services-running-on-non-http-ports) -10. [Generate Certificate for Ingress Gateway](#generate-certificate-for-ingress-gateway) -11. [Configure Third Party Service Account Tokens](#using-third-party-service-account-tokens) -12. [Citrix ADC CPX License Provisioning](#citrix-adc-cpx-license-provisioning) -13. [Service Graph configuration](#configuration-for-servicegraph) -14. [Citrix ADC as Ingress Gateway: a sample deployment](#citrix-adc-as-ingress-gateway-a-sample-deployment) -15. [Uninstalling the Helm chart](#uninstalling-the-helm-chart) -16. [Citrix ADC VPX/MPX Certificate Verification](#citrix-adc-vpx-or-mpx-certificate-verification) -17. 
[Configuration Parameters](#configuration-parameters) - - -## TL; DR; - -### To deploy Citrix ADC VPX or MPX as an Ingress Gateway: - - kubectl create secret generic nslogin --from-literal=username= --from-literal=password= -n citrix-system - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES --set ingressGateway.netscalerUrl=https://[:port] --set ingressGateway.vserverIP= --set secretName=nslogin - - - -### To deploy Citrix ADC CPX as an Ingress Gateway: - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES --set citrixCPX=true - - -## Introduction - -This chart deploys Citrix ADC VPX, MPX, or CPX as an Ingress Gateway in the Istio service mesh using the Helm package manager. For detailed information on different deployment options, see [Deployment Architecture](https://github.com/citrix/citrix-istio-adaptor/blob/master/docs/istio-integration/architecture.md). - -### Compatibility Matrix between Citrix xDS-adaptor and Istio version - -Below table provides info about recommended Citrix xDS-Adaptor version to be used for various Istio versions. - -| Citrix xDS-Adaptor version | Istio version | -|----------------------------|---------------| -| quay.io/citrix/citrix-xds-adaptor:0.9.9 | Istio v1.10+ | -| quay.io/citrix/citrix-xds-adaptor:0.9.8 | Istio v1.8 to Istio v1.9 | -| quay.io/citrix/citrix-xds-adaptor:0.9.5 | Istio v1.6 | - -### Prerequisites - -The following prerequisites are required for deploying Citrix ADC as an Ingress Gateway in Istio service mesh: - -- Ensure that **Istio version 1.8 onwards** is installed -- Ensure that Helm with version 3.x is installed. 
Follow this [step](https://github.com/citrix/citrix-helm-charts/blob/master/Helm_Installation_version_3.md) to install the same. -- Ensure that your cluster Kubernetes version should be above 1.16 and the `admissionregistration.k8s.io/v1`, `admissionregistration.k8s.io/v1beta1` API is enabled - - You can verify the API by using the following command: - - kubectl api-versions | grep admissionregistration.k8s.io/v1 - - The following output indicates that the API is enabled: - - admissionregistration.k8s.io/v1 - admissionregistration.k8s.io/v1beta1 - -- **For deploying Citrix ADC VPX or MPX as an Ingress gateway:** - - Create a Kubernetes secret for the Citrix ADC user name and password using the following command: - - kubectl create secret generic nslogin --from-literal=username= --from-literal=password= -n citrix-system - - -- **Create system user account for xDS-adaptor in Citrix ADC:** - - The Citrix ADC appliance needs to have system user account (non-default) with certain privileges so that `xDS-adaptor` can configure the Citrix ADC VPX or MPX appliance. Follow the instructions to create the system user account on Citrix ADC. - - Create a Kubernetes secret for the user name and password using the following command: - - ``` - kubectl create secret generic nslogin --from-literal=username='cxa' --from-literal=password='mypassword' - ``` - - The `xDS-adaptor` configures the Citrix ADC using a system user account of the Citrix ADC. 
The system user account should have certain privileges so that the xDS-adaptor has permissions configure the following on the Citrix ADC: - - - Add, Delete, or View Content Switching (CS) virtual server - - Configure CS policies and actions - - Configure Load Balancing (LB) virtual server - - Configure Service groups - - Cofigure SSl certkeys - - Configure routes - - Configure user monitors - - Add system file (for uploading SSL certkeys from Kubernetes) - - Configure Virtual IP address (VIP) - - Check the status of the Citrix ADC appliance - - Add, Delete or view authentication virtual server, policy, authaction - - Add, Delete or view Policy - - Add, Delete or view Responder policy, action, param - - Add, Delete or view Rewrite policy, action, param - - Add, Delete or view analytics profile - - Add, Delete or view DNS name server - - Add, Delete or view network netprofile - - Add, Delete or view Traffic Management Commands(sessionaction, session policy, sessionparameter) - - -> **Note:** -> -> The system user account would have privileges based on the command policy that you define. - - To create the system user account, do the following: - - 1. Log on to the Citrix ADC appliance. Perform the following: - 1. Use an SSH client, such as PuTTy, to open an SSH connection to the Citrix ADC appliance. - - 2. Log on to the appliance by using the administrator credentials. - - 2. Create the system user account using the following command: - - ``` - add system user - ``` - - For example: - - ``` - add system user cxa mypassword - ``` - - 3. Create a policy to provide required permissions to the system user account. 
Use the following command: - - ``` - add cmdpolicy cxa-policy ALLOW "((^\S+\s+cs\s+\S+)|(^\S+\s+lb\s+\S+)|(^\S+\s+service\s+\S+)|(^\S+\s+servicegroup\s+\S+)|(^stat\s+system)|(^show\s+ha)|(^\S+\s+ssl\s+certKey)|(^\S+\s+ssl)|(^\S+\s+route)|(^\S+\s+monitor)|(^show\s+ns\s+ip)|(^\S+\s+system\s+file)|)|(^\S+\s+aaa\s+\S+)|(^\S+\s+aaa\s+\S+\s+.*)|(^\S+\s+authentication\s+\S+)|(^\S+\s+authentication\s+\S+\s+.*)|(^\S+\s+policy\s+\S+)|(^\S+\s+policy\s+\S+\s+.*)|(^\S+\s+rewrite\s+\S+)|(^\S+\s+rewrite\s+\S+\s+.*)|(^\S+\s+analytics\s+\S+)|(^\S+\s+analytics\s+\S+\s+.*)|(^\S+\s+dns\s+\S+)|(^\S+\s+dns\s+\S+\s+.*)|(^\S+\s+netProfile)|(^\S+\s+netProfile\s+.*)|(^\S+\s+tm\s+\S+)|(^\S+\s+tm\s+\S+\s+.*)" - ``` - - 4. Bind the policy to the system user account using the following command: - - ``` - bind system user cxa cxa-policy 0 - ``` - -- **Registration of Citrix ADC CPX in ADM** - -Create a secret for ADM username and password - - kubectl create secret generic admlogin --from-literal=username= --from-literal=password= -n citrix-system - -- **Important Note:** For deploying Citrix ADC VPX or MPX as ingress gateway, you should establish the connectivity between Citrix ADC VPX or MPX and cluster nodes. This connectivity can be established by configuring routes on Citrix ADC as mentioned [here](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/staticrouting.md) or by deploying [Citrix Node Controller](https://github.com/citrix/citrix-k8s-node-controller). - - -## Deploy Citrix ADC VPX or MPX as an Ingress Gateway - - To deploy Citrix ADC VPX or MPX as an Ingress Gateway in the Istio service mesh, do the following step. In this example, release name is specified as `citrix-adc-istio-ingress-gateway` and namespace as `citrix-system`. 
- - kubectl create secret generic nslogin --from-literal=username= --from-literal=password= -n citrix-system - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,ingressGateway.netscalerUrl=https://[:port],ingressGateway.vserverIP= --set secretName=nslogin - -## Deploy Citrix ADC CPX as an Ingress Gateway - - To deploy Citrix ADC CPX as an Ingress Gateway, do the following step. In this example, release name is specified as `my-release` and namespace is used as `citrix-system`. - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install my-release citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,citrixCPX=true - - -## Deploy Citrix ADC as an Ingress Gateway in multi cluster Istio Service mesh - -To deploy **Citrix ADC VPX/MPX as an Ingress Gateway** in multi cluster Istio Service mesh, carry out below steps. -``` -helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - -helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,ingressGateway.netscalerUrl=https://[:port],ingressGateway.vserverIP= --set ingressGateway.multiClusterIngress=true -``` - -To deploy **Citrix ADC CPX as an Ingress Gateway** in multi cluster Istio Service mesh, carry out below steps. -``` -helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - -helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,citrixCPX=true --set ingressGateway.multiClusterIngress=true - -``` - -By default, port 15443 of the Citrix ADC will be used to handle all the inter-cluster traffic coming to services deployed in local cluster. These services are exposed using `*.global` domain. 
-To modify the default 15443 port and "global" domain, use _ingressGateway.multiClusterListenerPort_ and _ingressGateway.multiClusterSvcDomain_ options of helm chart. - -For example, to use port 25443 and _mydomain_ as the service domain to expose local cluster deployed services to services in remote clusters. - -``` - -helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,ingressGateway.netscalerUrl=https://[:port],ingressGateway.vserverIP= --set ingressGateway.multiClusterIngress=true --set ingressGateway.multiClusterListenerPort=25443 --set ingressGateway.multiClusterSvcDomain=mydomain - -``` - -Follow [this](https://github.com/citrix/citrix-helm-charts/tree/master/examples/citrix-adc-ingress-in-multicluster-istio/README.md) as a sample example to deploy Citrix ADC as Ingress gateway in multi-cluster Istio service mesh. - -## Using Existing Certificates to deploy Citrix ADC as an Ingress Gateway - -You may want to use the existing certificate and key for authenticating access to an application using Citrix ADC Ingress Gateway. In that case, you can create a Kubernetes secret from the existing certificate and key. You can mount the Kubernetes secret as data volumes in Citrix ADC Ingress Gateway. - -To create a Kubernetes secret using an existing key named `test_key.pem` and a certificate named `test.pem`, use the following command: - - kubectl create -n citrix-system secret tls citrix-ingressgateway-certs --key test_key.pem --cert test.pem - -Note: Ensure that Kubernetes secret is created in the same namespace where Citrix ADC Ingress Gateway is deployed. 
- -To deploy Citrix ADC VPX or MPX with secret volume, do the following step: - - kubectl create secret generic nslogin --from-literal=username= --from-literal=password= -n citrix-system - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install my-release citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,secretName=nslogin,ingressGateway.netscalerUrl=https://[:port],ingressGateway.vserverIP=,ingressGateway.secretVolumes[0].name=test-ingressgateway-certs,ingressGateway.secretVolumes[0].secretName=test-ingressgateway-certs,ingressGateway.secretVolumes[0].mountPath=/etc/istio/test-ingressgateway-certs - -To deploy Citrix ADC CPX with secret volume, do the following step: - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install my-release citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,citrixCPX=true,ingressGateway.secretVolumes[0].name=test-ingressgateway-certs,ingressGateway.secretVolumes[0].secretName=test-ingressgateway-certs,ingressGateway.secretVolumes[0].mountPath=/etc/istio/test-ingressgateway-certs - -## Segregating traffic with multiple Ingress Gateways - -You can deploy multiple Citrix ADC Ingress Gateway devices and segregate traffic to various deployments in the Istio service mesh. This can be achieved with *custom labels*. By default, Citrix ADC Ingress Gateway service comes up with the `app: citrix-ingressgateway` label. This label is used as a selector while deploying the Ingress Gateway or virtual service resources. If you want to deploy Ingress Gateway with the custom label, you can do it using the `ingressGateway.label` option in the Helm chart. 
- -To deploy Citrix ADC CPX Ingress Gateway with the label `my_custom_ingressgateway`, do the following step: - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install my-release citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,citrixCPX=true,ingressGateway.lightWeightCPX=NO,ingressGateway.label=my_custom_ingressgateway - -To deploy Citrix ADC VPX or MPX as an Ingress Gateway with the label `my_custom_ingressgateway`, do the following step: - - kubectl create secret generic nslogin --from-literal=username= --from-literal=password= -n citrix-system - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install my-release citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,secretName=nslogin,ingressGateway.netscalerUrl=https://[:port],ingressGateway.vserverIP=,ingressGateway.label=my_custom_ingressgateway - -## Visualizing statistics of Citrix ADC Ingress Gateway with Metrics Exporter - -By default, [Citrix ADC Metrics Exporter](https://github.com/citrix/citrix-adc-metrics-exporter) is also deployed along with Citrix ADC Ingress Gateway. Citrix ADC Metrics Exporter fetches statistical data from Citrix ADC and exports it to Prometheus running in Istio service mesh. When you add Prometheus as a data source in Grafana, you can visualize this statistical data in the Grafana dashboard. - -Metrics Exporter requires the IP address of Citrix ADC CPX or VPX Ingress Gateway. It is retrieved from the value specified for `ingressGateway.netscalerUrl`. - -When Citrix ADC CPX is deployed as Ingress Gateway, Metrics Exporter runs along with Citrix CPX Ingress Gateway in the same pod and specifying IP address is optional. - -To deploy Citrix ADC as Ingress Gateway without Metrics Exporter, set the value of `metricExporter.required` as false. 
- - - kubectl create secret generic nslogin --from-literal=username= --from-literal=password= -n citrix-system - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,secretName=nslogin,ingressGateway.netscalerUrl=https://[:port],ingressGateway.vserverIP=,metricExporter.required=false - -"Note:" To remotely access telemetry addons such as Prometheus and Grafana, see [Remotely Accessing Telemetry Addons](https://istio.io/docs/tasks/telemetry/gateways/). - -## Exposing services running on non-HTTP ports - -By default, services running on HTTP ports (80 & 443) are exposed through Citrix ADC Ingress Gateway. Similarly, you can expose services that are deployed on non-HTTP ports through the Citrix ADC Ingress Gateway device. - -To deploy Citrix ADC MPX or VPX, and expose a service running on a TCP port, do the following step. - -In this example, a service running on TCP port 5000 is exposed using port 10000 on Citrix ADC. - - kubectl create secret generic nslogin --from-literal=username= --from-literal=password= -n citrix-system - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install my-release citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,secretName=nslogin,ingressGateway.netscalerUrl=https://[:port],ingressGateway.vserverIP=,ingressGateway.tcpPort[0].name=tcp1,ingressGateway.tcpPort[0].port=10000,ingressGateway.tcpPort[0].targetPort=5000 - - To deploy Citrix ADC CPX and expose a service running on a TCP port, do the following step. - In this example, port 10000 on the Citrix ADC CPX instance is exposed using TCP port 30000 (node port configuration) on the host machine. 
- - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install my-release citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,citrixCPX=true,ingressGateway.tcpPort[0].name=tcp1,ingressGateway.tcpPort[0].nodePort=30000,ingressGateway.tcpPort[0].port=10000,ingressGateway.tcpPort[0].targetPort=5000 - -## Generate Certificate for Ingress Gateway - -Citrix Ingress gateway needs TLS certificate-key pair for establishing secure communication channel with backend applications. Earlier these certificates were issued by Istio Citadel and bundled in Kubernetes secret. Certificate was loaded in the application pod by doing volume mount of secret. Now `xDS-Adaptor` can generate its own certificate and get it signed by the Istio Citadel (Istiod). This eliminates the need of secret and associated [risks](https://kubernetes.io/docs/concepts/configuration/secret/#risks). - -xDS-Adaptor needs to be provided with details Certificate Authority (CA) for successful signing of Certificate Signing Request (CSR). By default, CA is `istiod.istio-system.svc` which accepts CSRs on port 15012. -To skip this process, don't provide any value (empty string) to `certProvider.caAddr`. -``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES --set citrixCPX=true --set certProvider.caAddr="" -``` -### Configure Third Party Service Account Tokens - -In order to generate certificate for application workload, xDS-Adaptor needs to send valid service account token along with Certificate Signing Request (CSR) to the Istio control plane (Citadel CA). Istio control plane authenticates the xDS-Adaptor using this JWT. -Kubernetes supports two forms of these tokens: - -* Third party tokens, which have a scoped audience and expiration. 
-* First party tokens, which have no expiration and are mounted into all pods. - - If Kubernetes cluster is installed with third party tokens, then the same information needs to be provided for automatic sidecar injection by passing `--set certProvider.jwtPolicy="third-party-jwt"`. By default, it is `first-party-jwt`. - -``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES --set citrixCPX=true --set certProvider.caAddr="istiod.istio-system.svc" --set certProvider.jwtPolicy="third-party-jwt" - -``` - -To determine if your cluster supports third party tokens, look for the TokenRequest API using below command. If there is no output, then it is `first-party-jwt`. In case of `third-party-jwt`, output will be like below. - -``` -# kubectl get --raw /api/v1 | jq '.resources[] | select(.name | index("serviceaccounts/token"))' - -{ - "name": "serviceaccounts/token", - "singularName": "", - "namespaced": true, - "group": "authentication.k8s.io", - "version": "v1", - "kind": "TokenRequest", - "verbs": [ - "create" - ] -} - -``` - -## **Citrix ADC CPX License Provisioning** -By default, CPX runs with 20 Mbps bandwidth called as [CPX Express](https://www.citrix.com/en-in/products/citrix-adc/cpx-express.html) however for better performance and production deployment customer needs licensed CPX instances. [Citrix ADM](https://www.citrix.com/en-in/products/citrix-application-delivery-management/) is used to check out licenses for Citrix ADC CPX. - -**Bandwidth based licensing** -For provisioning licensing on Citrix ADC CPX, it is mandatory to provide License Server information to CPX. This can be done by setting **ADMSettings.licenseServerIP** as License Server IP. In addition to this, **ADMSettings.bandWidthLicense** needs to be set true and desired bandwidth capacity in Mbps should be set **ADMSettings.bandWidth**. 
-For example, to set 2Gbps as bandwidth capacity, below command can be used. - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES --set ADMSettings.licenseServerIP=,ADMSettings.bandWidthLicense=True --set ADMSettings.bandWidth=2000 --set citrixCPX=true - -## **Service Graph configuration** - Citrix ADM Service graph is an observability tool that allows user to analyse service to service communication. The service graph is generated by ADM post collection of transactional data from registered Citrix ADC instances. More details about it can be found [here](https://docs.citrix.com/en-us/citrix-application-delivery-management-service/application-analytics-and-management/service-graph.html). - Citrix ADC needs to be provided with ADM details for registration and data export. This section lists the steps needed to deploy Citrix ADC and register it with ADM. - -**Deploy Citrix ADC CPX as ingress gateway** - 1. Create secret using Citrix ADM Agent credentials, which will be used by Citrix ADC as CPX to communicate with Citrix ADM Agent: - - kubectl create secret generic admlogin --from-literal=username= --from-literal=password= - - 2. Deploy Citrix ADC CPX as ingress gateway using helm command with `ADM` details: - - helm install citrix-adc-istio-ingress-gateway citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES --set citrixCPX=true --set ADMSettings.ADMIP= - - -> **Note:** -> If container agent is being used here for Citrix ADM, specify `serviceIP` of container agent in the `ADMSettings.ADMIP` parameter. 
- -**Deploy Citrix ADC VPX/MPX as ingress gateway** - - Deploy Citrix ADC VPX/MPX as ingress gateway using helm command and set analytics settings on Citrix ADC VPX/MPX for sending transaction metrics to Citrix ADM - - helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES --set ingressGateway.netscalerUrl=https://[:port] --set ingressGateway.vserverIP= --set secretName=nslogin - - Add the following configurations in Citrix ADC VPX/MPX - - en ns mode ulfd - - en ns feature appflow - - add appflow collector logproxy_lstreamd -IPAddress -port 5557 -Transport logstream - - set appflow param -templateRefresh 3600 -httpUrl ENABLED -httpCookie ENABLED -httpReferer ENABLED -httpMethod ENABLED -httpHost ENABLED -httpUserAgent ENABLED -httpContentType ENABLED -httpAuthorization ENABLED -httpVia ENABLED -httpXForwardedFor ENABLED -httpLocation ENABLED -httpSetCookie ENABLED -httpSetCookie2 ENABLED -httpDomain ENABLED -httpQueryWithUrl ENABLED metrics ENABLED -events ENABLED -auditlogs ENABLED - - add appflow action logproxy_lstreamd -collectors logproxy_lstreamd - - add appflow policy logproxy_policy true logproxy_lstreamd - - bind appflow global logproxy_policy 10 END -type REQ_DEFAULT - - bind appflow global logproxy_policy 10 END -type OTHERTCP_REQ_DEFAULT - - -> **Note:** -> If container agent is being used here for Citrix ADM, specify `PodIP` of container agent in above manual config. - - -## Citrix ADC as Ingress Gateway: a sample deployment - -A sample deployment of Citrix ADC as an Ingress gateway for the Bookinfo application is provided [here](https://github.com/citrix/citrix-helm-charts/tree/master/examples/citrix-adc-in-istio). - -## Uninstalling the Helm chart - -To uninstall or delete a chart with release name as `my-release`, do the following step. 
- - helm delete my-release - -The command removes all the Kubernetes components associated with the chart and deletes the release. - -## Citrix ADC VPX/MPX Certificate Verification - -Create a Kubernetes secret holding the CA certificate of Citrix ADC VPX/MPX with the filename `root-cert.pem`. - - kubectl create secret generic citrix-adc-cert --from-file=./root-cert.pem - -Note: Ensure that Kubernetes secret is created in the same namespace where Citrix ADC Ingress Gateway is deployed. - -To deploy Citrix ADC VPX or MPX with Citrix ADC certificate verification, do the following step: - - kubectl create secret generic nslogin --from-literal=username= --from-literal=password= -n citrix-system - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,secretName=nslogin,ingressGateway.netscalerUrl=https://[:port],ingressGateway.vserverIP=,ingressGateway.adcServerName= - -## Configuration parameters - -The following table lists the configurable parameters in the Helm chart and their default values. - - -| Parameter | Description | Default | Optional/Mandatory | -|--------------------------------|-------------------------------|---------------------------|---------------------------| -| `citrixCPX` | Citrix ADC CPX | FALSE | Mandatory for Citrix ADC CPX | -| `xDSAdaptor.image` | Image of the Citrix xDS adaptor container (Refer compatibility matrix) |quay.io/citrix/citrix-xds-adaptor:0.9.9 | Mandatory| -| `xDSAdaptor.imagePullPolicy` | Image pull policy for xDS adaptor | IfNotPresent | Optional| -| `xDSAdaptor.secureConnect` | If this value is set to true, xDS-adaptor establishes secure gRPC channel with Istio Pilot | TRUE | Optional| -| `xDSAdaptor.logLevel` | Log level to be set for xDS-adaptor log messages. 
Possible values: TRACE (most verbose), DEBUG, INFO, WARN, ERROR (least verbose) | DEBUG | Optional| -| `xDSAdaptor.jsonLog` | Set this argument to true if log messages are required in JSON format | false | Optional| -| `coe.coeURL` | Name of [Citrix Observability Exporter](https://github.com/citrix/citrix-observability-exporter) Service in the form of "." | null | Optional| -| `coe.coeTracing` | Use COE to send appflow transactions to Zipkin endpoint. If it is set to true, ADM servicegraph (if configured) can be impacted. | false | Optional| -| `ADMSettings.ADMIP ` | Citrix Application Delivery Management (ADM) IP address | null | Mandatory for Citrix ADC CPX | -| `ADMSettings.licenseServerIP ` | Citrix License Server IP address | null | Optional | -| `ADMSettings.licenseServerPort` | Citrix ADM port if a non-default port is used | 27000 | Optional| -| `ADMSettings.bandWidth` | Desired bandwidth capacity to be set for Citrix ADC CPX in Mbps | null | Optional | -| `ADMSettings.bandWidthLicense` | To specify bandwidth based licensing | false | Optional | -| `ingressGateway.netscalerUrl` | URL or IP address of the Citrix ADC which Istio-adaptor configures (Mandatory if citrixCPX=false)| null |Mandatory for Citrix ADC MPX or VPX| -| `ingressGateway.vserverIP` | Virtual server IP address on Citrix ADC (Mandatory if citrixCPX=false) | null | Mandatory for Citrix ADC MPX or VPX| -| `ingressGateway.adcServerName ` | Citrix ADC ServerName used in the Citrix ADC certificate | null | Optional | -| `ingressGateway.image` | Image of Citrix ADC CPX designated to run as Ingress Gateway |quay.io/citrix/citrix-k8s-cpx-ingress:13.0-83.27 | Mandatory for Citrix ADC CPX | -| `ingressGateway.imagePullPolicy` | Image pull policy | IfNotPresent | Optional| -| `ingressGateway.EULA` | End User License Agreement(EULA) terms and conditions. If yes, then user agrees to EULA terms and conditions. 
| NO | Mandatory for Citrix ADC CPX -| `ingressGateway.mgmtHttpPort` | Management port of the Citrix ADC CPX | 9080 | Optional| -| `ingressGateway.mgmtHttpsPort` | Secure management port of Citrix ADC CPX | 9443 | Optional| -| `ingressGateway.httpNodePort` | Port on host machine which is used to expose HTTP port (80) of Citrix ADC CPX | 30180 |Optional| -| `ingressGateway.httpsNodePort` | Port on host machine which is used to expose HTTPS port (443) of Citrix ADC CPX | 31443 |Optional| -| `ingressGateway.nodePortRequired` | Set this argument if servicetype to be NodePort of Citrix ADC CPX | false |Optional| -| `ingressGateway.secretVolume` | A map of user defined volumes to be mounted using Kubernetes secrets | null |Optional| -| `ingressGateway.label` | Custom label for the Ingress Gateway service | citrix-ingressgateway |Optional| -| `ingressGateway.netProfile ` | Network profile name used by [CNC](https://github.com/citrix/citrix-k8s-node-controller) to configure Citrix ADC VPX or MPX which is deployed as Ingress Gateway | null | Optional| -| `ingressGateway.multiClusterIngress ` | Flag indicating if Citrix ADC is acting as Ingress gateway to multi cluster Istio mesh installation. 
Possible values: true/false | false | Optional| -| `ingressGateway.multiClusterListenerPort ` | Port opened on Citrix ADC to enable inter-cluster service to service (E-W) communication | 15443 | Optional| -| `ingressGateway.multiClusterListenerNodePort ` | Nodeport for multiClusterListenerPort in case of Citrix ADC CPX acting as Ingress gateway | 32443 | Optional| -| `ingressGateway.multiClusterSvcDomain ` | Domain suffix of remote service (deployed in other cluster) used in E-W communication | global | Optional| -| `ingressGateway.tcpPort` | For exposing multiple TCP ingress | null |Optional| -| `istioPilot.name` | Name of the Istio Pilot service | istiod |Optional| -| `istioPilot.namespace` | Namespace where Istio Pilot is running | istio-system |Optional| -| `istioPilot.secureGrpcPort` | Secure GRPC port where Istiod (Istio Pilot) is listening (default setting) | 15012 |Optional| -| `istioPilot.insecureGrpcPort` | Insecure GRPC port where Istiod (Istio Pilot) is listening | 15010 |Optional| -| `istioPilot.SAN` | Subject alternative name for Istiod (Istio Pilot) which is the secure production identity framework for everyone (SPIFFE) ID of Istio Pilot | null |Optional| -| `metricExporter.required` | Metrics exporter for Citrix ADC | TRUE |Optional| -| `metricExporter.image` | Image of the Citrix ADC Metrics Exporter | quay.io/citrix/citrix-adc-metrics-exporter:1.4.9 |Optional| -| `metricExporter.port` | Port over which Citrix ADC Metrics Exporter collects metrics of Citrix ADC. | 8888 |Optional| -| `metricExporter.secure` | Enables collecting metrics over TLS | YES |Optional| -| `metricExporter.logLevel` | Level of logging in Citrix ADC Metrics Exporter. 
Possible values are: DEBUG, INFO, WARNING, ERROR, CRITICAL | ERROR |Optional|
-| `metricExporter.imagePullPolicy` | Image pull policy for Citrix ADC Metrics Exporter | IfNotPresent |Optional|
-| `certProvider.caAddr` | Certificate Authority (CA) address issuing certificate to application | istiod.istio-system.svc | Optional |
-| `certProvider.caPort` | Certificate Authority (CA) port issuing certificate to application | 15012 | Optional |
-| `certProvider.trustDomain` | SPIFFE Trust Domain | cluster.local | Optional |
-| `certProvider.certTTLinHours` | Validity of certificate generated by xds-adaptor and signed by Istiod (Istio Citadel) in hours. Default is 30 days validity | 720 | Optional |
-| `certProvider.clusterId` | clusterId is the ID of the cluster where Istiod CA instance resides (default Kubernetes). It can be different value on some cloud platforms or in multicluster environments. For example, in Anthos servicemesh, it might be of the format of `cn--`. In multiCluster environments, it is the value of global.multiCluster.clusterName provided during servicemesh control plane installation | Kubernetes | Optional |
-| `certProvider.jwtPolicy` | Service Account token type. Kubernetes platform supports First party tokens and Third party tokens. Usually public cloud based Kubernetes has third-party-jwt | null | Optional |
-| `secretName` | Name of the Kubernetes secret holding Citrix ADC credentials | nslogin | Mandatory for Citrix ADC VPX/MPX |
-
-**Note:** You can use the `values.yaml` file packaged in the chart. This file contains the default configuration values for the chart.
diff --git a/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.1/app-readme.md b/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.1/app-readme.md
deleted file mode 100644
index dc4ee42acd..0000000000
--- a/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.1/app-readme.md
+++ /dev/null
@@ -1,38 +0,0 @@
-# Citrix ADC as an Ingress Gateway for Istio
-
-An [Istio](https://istio.io/) ingress gateway acts as an entry point for the incoming traffic and secures and controls access to the service mesh. It also performs routing and load balancing. Citrix ADC [CPX](https://docs.citrix.com/en-us/citrix-adc-cpx), MPX, or [VPX](https://docs.citrix.com/en-us/citrix-adc.html), can be deployed as an ingress gateway to the Istio service mesh.
-
-### Prerequisites
-
-The following prerequisites are required for deploying Citrix ADC as an Ingress Gateway in Istio service mesh:
-
-- Ensure that **Istio** is enabled.
-- Ensure that your cluster has Kubernetes version 1.16.0 or later.
-- Ensure to create secret named **nslogin** with username and password in same namespace in case of VPX/MPX . Choose the **Cluster Explorer > Storage > Secrets** in the navigation bar.
-
-### Important NOTE:
-- Follow this [link](https://github.com/citrix/citrix-helm-charts/blob/master/examples/citrix-adc-in-istio/README.md
-) to deploy Citrix ADC as an ingress gateway for application.
-- For deploying Citrix ADC VPX or MPX as ingress gateway, you should establish the connectivity between Citrix ADC VPX or MPX and cluster nodes. This connectivity can be established by configuring routes on Citrix ADC as mentioned [here](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/staticrouting.md) or by deploying [Citrix Node Controller](https://github.com/citrix/citrix-k8s-node-controller).
-- To use the certificate and key for authenticating access to an application using Citrix ADC Ingress Gateway. In that case, you can create a Kubernetes secret from the existing certificate and key. You can mount the Kubernetes secret as data volumes in Citrix ADC Ingress Gateway. Then specify a list of secret, volume name, mount path in subsequent fields of `SecretVolume` section:
- - Go to `Edit as YAML` option and update below values .
- ```
- secretVolumes:
- - name:
- secretName:
- mountPath:
- ```
- For more details, follow this [link](https://github.com/citrix/citrix-helm-charts/tree/master/citrix-adc-istio-ingress-gateway#using-existing-certificates-to-deploy-citrix-adc-as-an-ingress-gateway)
-
-- By default, gateway is configured to expose HTTP(S) services. To expose non-HTTP services, Then specify a list of port, port-name, target-port, nodeport (if applicable) in subsequent fields of `tcpPort` section.
- - Go to `Edit as YAML` option and update below values.
- ```
- tcpPort:
- - name:
- nodePort:
- port:
- targetPort:
- ```
- For more details follow this [link](https://github.com/citrix/citrix-helm-charts/tree/master/citrix-adc-istio-ingress-gateway#exposing-services-running-on-non-http-ports)
-
-This catalog deploys Citrix ADC VPX, MPX, or CPX as an Ingress Gateway in the Istio service mesh. For detailed information on various deployment options,checkout this [link](https://github.com/citrix/citrix-istio-adaptor).
diff --git a/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.1/questions.yml b/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.1/questions.yml
deleted file mode 100644
index 36a7b00354..0000000000
--- a/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.1/questions.yml
+++ /dev/null
@@ -1,405 +0,0 @@ -labels: - io.rancher.certified: partner -questions: -- variable: citrixCPX - required: true - type: boolean - default: true - description: "Set true to use Citrix ADC CPX as ingress device. Set false to use VPX/MPX as ingress device" - label: citrixCPX - group: "Deployment Settings" -- variable: secrets.name - required: true - type: string - default: "nslogin" - description: "Ensure to create nslogin secret in same namespace" - show_if: "citrixCPX=false" - group: "nslogin Settings" -- variable: xDSAdaptor.image - required: true - type: string - default: "quay.io/citrix/citrix-xds-adaptor:0.9.9" - label: xDSAdaptor Image - description: "xDSAdaptor Image to be used with version" - group: "xDSAdaptor Settings" -- variable: xDSAdaptor.imagePullPolicy - required: true - type: enum - default: IfNotPresent - label: xDSAdaptor imagePullPolicy - description: "xDSAdaptor Image pull policy" - options: - - "Always" - - "IfNotPresent" - - "Never" - group: "xDSAdaptor Settings" -- variable: xDSAdaptor.proxyType - required: false - type: string - default: "router" - label: xDSAdaptor proxyType - description: "xDSAdaptor proxyType type set to router by default" - group: "xDSAdaptor Settings" -- variable: xDSAdaptor.secureConnect - required: true - type: boolean - default: true - label: xDSAdaptor secureConnect - description: "If this value is set to true, xDSAdaptor establishes secure gRPC channel with Istio Pilot" - group: "xDSAdaptor Settings" -- variable: xDSAdaptor.logLevel - required: false - type: enum - default: DEBUG - label: xDSAdaptor logLevel - description: "xDSAdaptor logLevel" - options: - - "TRACE" - - "DEBUG" - - "INFO" - - "WARN" - - "ERROR" - group: "xDSAdaptor Settings" -- variable: xDSAdaptor.jsonLog - required: false - type: string - default: "true" - label: xDSAdaptor jsonLog - description: "Set this argument to true if log messages are required in JSON format" - group: "xDSAdaptor Settings" -- variable: coe.coeURL - required: false - type: 
string - label: coe coeURL - description: "Name of Citrix Observability Exporter Service" - group: "COE Settings" -- variable: coe.coeTracing - required: false - type: boolean - label: coe coeTracing - description: "Used to send appflow transactions to Zipkin endpoint,if true ADM servicegraph (if configured) can be impacted" - group: "COE Settings" -- variable: istioPilot.name - required: true - type: string - default: istiod - label: istio-pilot name - group: "istio-pilot Settings" - description: "Name of the Istio Pilot service" -- variable: istioPilot.namespace - required: true - type: string - default: istio-system - label: istio-pilot namespace - description: "Namespace where Istio Pilot is running" - group: "istio-pilot Settings" -- variable: istioPilot.secureGrpcPort - required: true - type: int - default: 15012 - label: istio-pilot secureGrpcPort - show_if: "xDSAdaptor.secureConnect=true" - description: "Secure GRPC port where Istio Pilot is listening" - group: "istio-pilot Settings" -- variable: istioPilot.insecureGrpcPort - required: true - type: int - default: 15010 - show_if: "xDSAdaptor.secureConnect=false" - label: istio-pilot insecureGrpcPort - description: "Insecure GRPC port where Istio Pilot is listening" - group: "istio-pilot Settings" -- variable: istioPilot.SAN - required: false - type: string - default: - label: istio-pilot SAN - description: "Subject alternative name for Istio Pilot which is (SPIFFE) ID of Istio Pilot" - show_if: "xDSAdaptor.secureConnect=true" - group: "istio-pilot Settings" -- variable: ingressGateway.netscalerUrl - required: true - type: string - default: - label: ingressGateway netscalerUrl - description: "URL or IP address of the Citrix ADC which Istio-adaptor configures (Mandatory if citrixCPX=false)" - show_if: "citrixCPX=false" - group: "ingressGateway Settings" -- variable: ingressGateway.image - required: true - type: string - default: "quay.io/citrix/citrix-k8s-cpx-ingress:13.0-79.64" - label: ingressGateway Image 
- description: "ingressGateway image to be used" - group: "ingressGateway Settings" -- variable: ingressGateway.imagePullPolicy - required: true - type: enum - default: IfNotPresent - label: ingressGateway imagePullPolicy - description: Ingress-gateway Image pull policy - group: "ingressGateway Settings" - options: - - "Always" - - "IfNotPresent" - - "Never" -- variable: ingressGateway.EULA - required: true - type: enum - description: "End user license agreement (read EULA before accepting it yes)" - label: ingressGateway EULA - options: - - "YES" - - "NO" - group: "ingressGateway Settings" -- variable: ingressGateway.mgmtHttpPort - required: true - type: int - default: 10080 - label: ingressGateway mgmtHttpPort - description: "Management port of the Citrix ADC CPX" - show_if: "citrixCPX=true" - group: "ingressGateway Settings" -- variable: ingressGateway.mgmtHttpsPort - required: true - type: int - default: 10443 - show_if: "citrixCPX=true" - label: ingressGateway mgmtHttpsPort - description: "Secure management port of Citrix ADC CPX" - group: "ingressGateway Settings" -- variable: ingressGateway.httpNodePort - required: true - type: int - default: 30180 - show_if: "citrixCPX=true" - label: ingressGateway httpNodePort - description: "Port on host machine which is used to expose HTTP port of Citrix ADC CPX" - group: "ingressGateway Settings" -- variable: ingressGateway.httpsNodePort - required: true - type: int - default: 31443 - show_if: "citrixCPX=true" - label: ingressGateway httpsNodePort - description: "Port on host machine which is used to expose HTTPS port of Citrix ADC CPX" - group: "ingressGateway Settings" -- variable: ingressGateway.nodePortRequired - required: true - type: boolean - default: true - label: ingressGateway nodePortRequired - description: "Set this argument if servicetype to be NodePort of Citrix ADC CPX, else it will be loadbalancer type" - group: "ingressGateway Settings" -- variable: ingressGateway.lightWeightCPX - required: false - 
type: int - default: 1 - show_if: "citrixCPX=true" - label: ingressGateway lightWeightCPX - description: "Set this argument if lighter version of Citrix ADC CPX used" - group: "ingressGateway Settings" -- variable: ingressGateway.label - required: true - type: string - default: "citrix-ingressgateway" - label: ingressGateway label - description: "Custom label for the Ingress Gateway service" - group: "ingressGateway Settings" -- variable: ingressGateway.vserverIP - required: true - type: string - default: "nsip" - show_if: "citrixCPX=false" - label: ingressGateway vserverIP - description: "Virtual server IP address on Citrix ADC" - group: "ingressGateway Settings" -- variable: ingressGateway.adcServerName - required: false - type: string - default: - label: ingressGateway adcServerName - description: "Citrix ADC ServerName used in the Citrix ADC certificate" - group: "ingressGateway Settings" -- variable: ingressGateway.netProfile - required: false - type: string - default: - label: ingressGateway netProfile - description: "Network profile name used to configure Citrix ADC VPX or MPX which is deployed as Ingress Gateway" - show_if: "citrixCPX=false" - group: "ingressGateway Settings" -- variable: ingressGateway.multiClusterIngress - required: false - type: boolean - default: false - label: ingressGateway multiClusterIngress - description: "Flag indicating if Citrix ADC is acting as Ingress gateway to multi cluster Istio mesh installation" - group: "ingressGateway Settings" -- variable: ingressGateway.multiClusterListenerPort - required: true - type: int - default: 15443 - label: ingressGateway multiClusterListenerPort - description: "Port opened on Citrix ADC to enable inter-cluster service to service (E-W) communication" - show_if: "ingressGateway.multiClusterIngress=true" - group: "ingressGateway Settings" -- variable: ingressGateway.multiClusterListenerNodePort - required: true - type: int - default: 15443 - label: ingressGateway multiClusterListenerNodePort - 
description: "Nodeport for multiClusterListenerPort in case of Citrix ADC CPX acting as Ingress gateway" - show_if: "ingressGateway.multiClusterIngress=true" - group: "ingressGateway Settings" -- variable: ingressGateway.multiClusterSvcDomain - required: true - type: string - default: global - label: ingressGateway multiClusterSvcDomain - description: "Domain suffix of remote service (deployed in other cluster) used in E-W communication" - show_if: "ingressGateway.multiClusterIngress=true" - group: "ingressGateway Settings" -- variable: metricExporter.required - required: false - type: boolean - default: true - label: Exporter required - description: "Metrics exporter for Citrix ADC" - group: "metricExporter Settings" -- variable: metricExporter.image - required: true - type: string - default: "quay.io/citrix/citrix-adc-metrics-exporter:1.4.8" - label: Exporter Image - description: "Exporter Image to be used with version" - show_if: "metricExporter.required=true" - group: "metricExporter Settings" -- variable: metricExporter.port - required: true - type: int - default: 8888 - label: metricExporter Port - show_if: "metricExporter.required=true" - group: "metricExporter Settings" -- variable: metricExporter.logLevel - required: true - type: enum - default: ERROR - label: metricExporter logLevel - show_if: "metricExporter.required=true" - group: "metricExporter Settings" - options: - - "DEBUG" - - "INFO" - - "WARNING" - - "ERROR" - - "TRACE" -- variable: metricExporter.imagePullPolicy - required: true - type: enum - default: IfNotPresent - label: metricExporter imagePullPolicy - description: "Exporter Image pull policy" - show_if: "metricExporter.required=true" - group: "metricExporter Settings" - options: - - "Always" - - "IfNotPresent" - - "Never" -- variable: certProvider.caAddr - required: true - type: string - default: "istiod.istio-system.svc" - label: certProvider caAddr - description: "Certificate Authority (CA) address issuing certificate to application" - 
group: "certProvider Settings" -- variable: certProvider.caPort - required: true - type: int - default: 15012 - label: certProvider caPort - description: "Certificate Authority (CA) port issuing certificate to application" - group: "certProvider Settings" -- variable: certProvider.trustDomain - required: true - type: string - default: "cluster.local" - label: certProvider trustDomain - description: "SPIFFE Trust Domain" - group: "certProvider Settings" -- variable: certProvider.certTTLinHours - required: true - type: int - default: 720 - label: certProvider certTTLinHours - description: "Validity of certificate generated by xds-adaptor and signed by Istiod (Istio Citadel) in hours." - group: "certProvider Settings" -- variable: certProvider.clusterId - required: true - type: string - default: "Kubernetes" - label: certProvider clusterId - description: "clusterId is the ID of the cluster where Istiod CA instance resides (default Kubernetes). It can be different value on some cloud platforms or in m -ulticluster environments. For example, in Anthos servicemesh, it might be of the format of `cn--`. 
In multiCluster environments, it is the val -ue of global.multiCluster.clusterName provided during servicemesh control plane installation" - group: "certProvider Settings" -- variable: certProvider.jwtPolicy - required: true - type: enum - default: "first-party-jwt" - label: certProvider jwtPolicy - description: "Kubernetes platform supports First party tokens and Third party tokens" - options: - - "first-party-jwt" - - "third-party-jwt" - group: "certProvider Settings" -- variable: ADMSettings.ADMIP - required: false - type: string - default: - label: ADMSettings ADMIP - description: "Citrix Application Delivery Management (ADM) IP address" - group: "ADMSettings Settings" -- variable: ADMSettings.licenseServerIP - required: false - type: string - default: - label: ADMSettings licenseServerIP - description: "Citrix License Server IP address" - group: "ADMSettings Settings" -- variable: ADMSettings.licenseServerPort - required: false - type: int - default: 27000 - label: ADMSettings licenseServerPort - description: "Citrix ADM port if a non-default port is used" - group: "ADMSettings Settings" -- variable: ADMSettings.bandWidthLicense - required: false - type: boolean - default: false - label: ADMSettings bandWidthLicense - description: "To specify bandwidth based licensing" - group: "ADMSettings Settings" -- variable: ADMSettings.bandWidth - required: false - type: string - default: - label: ADMSettings bandWidth - description: "Desired bandwidth capacity to be set for Citrix ADC CPX in Mbps" - group: "ADMSettings Settings" -- variable: ADMSettings.vCPULicense - required: false - type: boolean - default: "false" - label: ADMSettings vCPULicense - description: "To specify vCPULicense based licensing" - group: "ADMSettings Settings" -- variable: ADMSettings.cpxCores - required: false - type: string - default: - label: ADMSettings cpxCores - description: "To specify cpxCores in licensing" - group: "ADMSettings Settings" 
diff --git a/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.1/templates/_helpers.tpl b/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.1/templates/_helpers.tpl
deleted file mode 100644
index be79f4f8ce..0000000000
--- a/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.1/templates/_helpers.tpl
+++ /dev/null
@@ -1,53 +0,0 @@ -{{- define "exporter_nsip" -}} -{{- $match := .Values.ingressGateway.netscalerUrl | toString | regexFind "//.*[:]*" -}} -{{- $match | trimAll ":" | trimAll "/" -}} -{{- end -}} - -{{/* A common function to generate name of the resource. - * Usage: {{ template "generate-name" (list . (dict "suffixname" "citrix-deployment")) }} - * In above example, arguments are given in the list. - * First one is `.` indicating global chart-level scope. - * Second argument name is `suffixname` and value is `citrix-deployment`. - * If release name is `my-release`, then generate-name function would output "my-release-citrix-deployment". - * The function truncates name to 63 chars due to Kubernetes name length restrictions -*/}} -{{- define "generate-name" -}} -{{- $top := index . 0 -}} -{{- $arg1 := index . 1 "suffixname" -}} -{{- printf "%s-%s" $top.Release.Name $arg1 | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* Another common function to generate name of the resource. - * Usage: {{ template "generate-name" (list . "citrix-deployment") }} - * In above example, arguments are given in the list. - * First one is `.` indicating global chart-level scope. - * Second argument is unnamed and takes value as `citrix-deployment`. - * If release name is `my-release`, then generate-name function would output "my-release-citrix-deployment". - * The function truncates name to 63 chars due to Kubernetes name length restrictions -*/}} -{{- define "generate-name2" -}} -{{- $top := index . 0 -}} -{{- $arg1 := index . 1 -}} -{{- printf "%s-%s" $top.Release.Name $arg1 | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* Below function is used to identify default value of jwtPolicy if not provided. - * For on-prem Kubernetes v1.21+, it is third-party-jwt. Else first-party-jwt. - * Note: Don't just do "helm template" to generate yaml file. Else https://github.com/helm/helm/issues/7991 - * is possible. Use "helm template --validate" or "helm install --dry-run --debug". 
- * Note2: For cloud environments, semverCompare should be ideally done with "<1.21.x-x" as - * Kubernetes version is generally of the format v1.20.7-eks-xxxxxx. So, it fails the "v1.21.x" check but that's fine - * as in cloud environments third-party-jwt is enabled. -*/}} - -{{- define "jwtValue" -}} -{{- if .Values.certProvider.jwtPolicy -}} -{{- printf .Values.certProvider.jwtPolicy -}} -{{- else -}} -{{- if semverCompare "<1.21.x" .Capabilities.KubeVersion.Version -}} -{{- printf "first-party-jwt" -}} -{{- else -}} -{{- printf "third-party-jwt" -}} -{{- end -}} -{{- end -}} -{{- end -}} \ No newline at end of file diff --git a/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.1/templates/citrix-adc-ingressgateway-deployment.yaml b/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.1/templates/citrix-adc-ingressgateway-deployment.yaml deleted file mode 100644 index 53af158f1b..0000000000 --- a/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.1/templates/citrix-adc-ingressgateway-deployment.yaml +++ /dev/null 
@@ -1,509 +0,0 @@ -{{- if eq .Values.citrixCPX true }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "generate-name" (list . (dict "suffixname" "ingress-deployment")) }} - namespace: {{ .Release.Namespace }} - labels: - app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} - deployment: "cpx-ingressgateway" # This label is useful in ServiceGraph -spec: - replicas: 1 - selector: - matchLabels: - app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} - template: - metadata: - labels: - app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} - citrix.com/no.sidecar: "true" - annotations: - scheduler.alpha.kubernetes.io/critical-pod: "" - prometheus.io/port: "{{ .Values.metricExporter.port }}" - prometheus.io/scrape: "true" - spec: - volumes: - - name: citrix-ingressgateway-certs - secret: - optional: true - secretName: "citrix-ingressgateway-certs" # IMPORTANT: This secret MUST BE created before deploying gateway and ingress-gateway - - name: citrix-ingressgateway-ca-certs - secret: - optional: true - secretName: "citrix-ingressgateway-ca-certs" # IMPORTANT: This secret MUST BE created before deploying gateway and ingress-gateway - {{- range .Values.ingressGateway.secretVolumes }} - - name: {{ .name }} - secret: - secretName: {{ .secretName | quote }} - optional: true - {{- end }} - - name: cpx-conf - emptyDir: {} - - name: cpx-crash - emptyDir: {} - - name: cpx-pwd - emptyDir: {} - - name: certs - emptyDir: {} -{{- $jwtpolicy := include "jwtValue" . 
}} -{{- if eq $jwtpolicy "third-party-jwt" }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: istio-ca - expirationSeconds: 43200 - path: istio-token -{{- end }} - - name: istiod-ca-cert - configMap: - defaultMode: 0777 - name: istio-ca-root-cert - securityContext: - fsGroup: 32024 - containers: -{{- if eq .Values.metricExporter.required true }} - - name: exporter - image: {{ .Values.metricExporter.image }} - imagePullPolicy: IfNotPresent - args: - - "--target-nsip=127.0.0.1" - - "--port={{ .Values.metricExporter.port }}" - - "--log-level={{ .Values.metricExporter.logLevel }}" - - "--secure=no" - env: - - name: "NS_DEPLOYMENT_MODE" - value: "SIDECAR" - securityContext: - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /var/deviceinfo - name: cpx-pwd -{{- end }} - - name: istio-adaptor - image: {{ .Values.xDSAdaptor.image }} - imagePullPolicy: {{ .Values.xDSAdaptor.imagePullPolicy }} - args: - - -ads-server -{{- if eq .Values.xDSAdaptor.secureConnect true }} - - {{ .Values.istioPilot.name}}.{{ .Values.istioPilot.namespace }}.svc:{{ .Values.istioPilot.secureGrpcPort }} # istiod.istio-system.svc:15012 -{{- else }} - - {{ .Values.istioPilot.name}}.{{ .Values.istioPilot.namespace }}.svc:{{ .Values.istioPilot.insecureGrpcPort }} # istiod.istio-system.svc:15010 -{{- end }} - - -istio-proxy-type - - {{ .Values.xDSAdaptor.proxyType | default "router" | quote }} -{{- if .Values.istioPilot.SAN }} - - -ads-server-SAN - - {{ .Values.istioPilot.SAN | default "" }} -{{- end }} - - -ads-secure-connect={{ .Values.xDSAdaptor.secureConnect }} - - -citrix-adc - - "http://127.0.0.1" - - -citrix-adc-vip - - "nsip" - - -citrix-adc-password - - "/var/deviceinfo/random_id" -{{- if .Values.ADMSettings.ADMIP }} - - -citrix-adm - - {{ .Values.ADMSettings.ADMIP }} -{{- end }} -{{- if .Values.ADMSettings.licenseServerIP }} - - -citrix-license-server - - {{ .Values.ADMSettings.licenseServerIP }} -{{- end }} -{{- if .Values.coe.coeURL }} - - -coe - - 
{{ .Values.coe.coeURL }} -{{- end }} - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: APPLICATION_NAME - valueFrom: - fieldRef: - fieldPath: metadata.labels['app'] - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.serviceAccountName -{{- if .Values.certProvider.caAddr }} - - name: CA_ADDR - value: {{ .Values.certProvider.caAddr }}:{{ .Values.certProvider.caPort}} #istiod.istio-system.svc:15012 - - name: TRUST_DOMAIN - value: {{ .Values.certProvider.trustDomain }} #cluster.local - - name: CLUSTER_ID - value: {{ .Values.certProvider.clusterId }} #Kubernetes - - name: CERT_TTL_IN_HOURS - value: {{ .Values.certProvider.certTTLinHours | quote }} - - name: JWT_POLICY - value: {{ include "jwtValue" . | quote }} # If value not provided then third-party-jwt for v>=1.21 otherwise first-party-jwt -{{- end }} -{{- if eq .Values.ingressGateway.multiClusterIngress true }} - - name: MULTICLUSTER_INGRESS - value: "TRUE" - - name: MULTICLUSTER_LISTENER_PORT - value: {{ .Values.ingressGateway.multiClusterListenerPort | quote}} - - name: MULTICLUSTER_SVC_DOMAIN - value: {{ printf "'*.%s'" .Values.ingressGateway.multiClusterSvcDomain }} -{{- end }} -{{- if eq .Values.coe.coeTracing true }} - - name: COE_TRACING - value: "TRUE" -{{- end }} - - name: LOGLEVEL - value: {{ .Values.xDSAdaptor.logLevel | default "DEBUG" | quote }} -{{- if eq .Values.xDSAdaptor.jsonLog true }} - - name: JSONLOG - value: "TRUE" -{{- end }} - securityContext: - readOnlyRootFilesystem: true - runAsGroup: 32024 - runAsUser: 32024 # UID of istio-adaptor container's user - volumeMounts: - - mountPath: /var/deviceinfo - name: cpx-pwd -{{- $jwtpolicy := include "jwtValue" . 
}} -{{- if eq $jwtpolicy "third-party-jwt" }} - - mountPath: /var/run/secrets/tokens - name: istio-token -{{- end }} - - mountPath: /etc/certs - name: certs - - name: istiod-ca-cert - mountPath: /etc/rootcert/ - - mountPath: /etc/istio/ingressgateway-certs # Make sure that Gateway definition has this path mentioned in server.tls section for SIMPLE TLS - name: citrix-ingressgateway-certs - readOnly: true - - mountPath: /etc/istio/ingressgateway-ca-certs # Make sure that Gateway definition has this path mentioned in server.tls section for MUTUAL TLS - name: citrix-ingressgateway-ca-certs - readOnly: true - {{- range .Values.ingressGateway.secretVolumes }} - - name: {{ .name }} - mountPath: {{ .mountPath | quote }} - readOnly: true - {{- end }} - - name: citrix-ingressgateway - image: "{{ .Values.ingressGateway.image }}" - imagePullPolicy: {{ .Values.ingressGateway.imagePullPolicy }} - securityContext: - privileged: true - ports: - - containerPort: 80 - - containerPort: 443 -{{- if .Values.ingressGateway.mgmtHttpPort }} - - containerPort: {{ .Values.ingressGateway.mgmtHttpPort }} -{{- end }} -{{- if .Values.ingressGateway.mgmtHttpsPort }} - - containerPort: {{ .Values.ingressGateway.mgmtHttpsPort }} -{{- end }} -{{- range .Values.ingressGateway.tcpPort }} - - containerPort: {{ .port }} -{{- end }} - volumeMounts: - - mountPath: /cpx/conf/ - name: cpx-conf - - mountPath: /cpx/crash/ - name: cpx-crash - - mountPath: /var/deviceinfo - name: cpx-pwd - env: - - name: "EULA" - value: "{{ .Values.ingressGateway.EULA }}" -{{- if .Values.metricExporter.required }} - - name: "METRICS_EXPORTER_PORT" - value: "{{ .Values.metricExporter.port }}" -{{- end }} - - name: "MGMT_HTTP_PORT" - value: "{{ .Values.ingressGateway.mgmtHttpPort }}" - - name: "MGMT_HTTPS_PORT" - value: "{{ .Values.ingressGateway.mgmtHttpsPort }}" - - name: "NS_CPX_LITE" - value: "{{ .Values.ingressGateway.lightWeightCPX }}" -{{- if or .Values.coe.coeURL .Values.ADMSettings.ADMIP }} - - name: 
"NS_ENABLE_NEWNSLOG" - value: "1" -{{- end }} - - name: "KUBERNETES_TASK_ID" - value: "" - - name: "LS_IP" - value: {{ .Values.ADMSettings.licenseServerIP | default "" }} - - name: "LS_PORT" - value: "{{ .Values.ADMSettings.licenseServerPort}}" -{{- if .Values.ADMSettings.ADMIP }} - - name: "NS_MGMT_SERVER" - value: {{ .Values.ADMSettings.ADMIP }} - - name: "NS_HTTP_PORT" - value: {{ .Values.ingressGateway.mgmtHttpPort | quote }} - - name: "NS_HTTPS_PORT" - value: {{ .Values.ingressGateway.mgmtHttpsPort | quote }} -{{- end }} - - name: "LOGSTREAM_COLLECTOR_IP" - value: {{ .Values.ADMSettings.ADMIP | default ""}} -#To povision bandwidth based licensing to Citrix ADC CPX from ADM, needs bandwidth -{{- if and ( .Values.ADMSettings.licenseServerIP ) (eq .Values.ADMSettings.bandWidthLicense true) }} - - name: "BANDWIDTH" - value: {{ required "Mention bandwidth for bandwidth based licensing" .Values.ADMSettings.bandWidth | quote }} -{{- end }} -#for multiple-PE support, need to set CPX_CORES -{{- if .Values.ADMSettings.licenseServerIP }} -{{- if or (eq .Values.ADMSettings.vCPULicense true) (eq .Values.ADMSettings.bandWidthLicense true) }} - - name: "CPX_CORES" - value: {{ .Values.ADMSettings.cpxCores | default 1 | quote }} -{{- end }} -{{- end }} -{{- if or (.Values.ADMSettings.ADMIP) (.Values.ADMSettings.licenseServerIP) }} - - name: NS_MGMT_USER - valueFrom: - secretKeyRef: - name: admlogin - key: username - - name: NS_MGMT_PASS - valueFrom: - secretKeyRef: - name: admlogin - key: password -{{- end }} ---- -{{ else }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "generate-name" (list . 
(dict "suffixname" "ingress-deployment")) }} - namespace: {{ .Release.Namespace }} - labels: - app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} -spec: - replicas: 1 - selector: - matchLabels: - app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} - template: - metadata: - labels: - app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} - citrix.com/no.sidecar: "true" - annotations: - scheduler.alpha.kubernetes.io/critical-pod: "" - prometheus.io/port: "{{ .Values.metricExporter.port }}" - prometheus.io/scrape: "true" - spec: - containers: -{{- if eq .Values.metricExporter.required true }} - - name: exporter - image: {{ .Values.metricExporter.image }} - imagePullPolicy: {{ .Values.metricExporter.imagePullPolicy }} - args: - - "--target-nsip={{- include "exporter_nsip" . -}}" - - "--port={{ .Values.metricExporter.port }}" - - "--secure={{ .Values.metricExporter.secure | lower}}" - - "--log-level={{ .Values.metricExporter.logLevel }}" - securityContext: - readOnlyRootFilesystem: true - volumeMounts: - - name: nslogin - mountPath: "/mnt/nslogin" - readOnly: true -{{- end }} - - name: istio-adaptor - image: {{ .Values.xDSAdaptor.image }} - imagePullPolicy: {{ .Values.xDSAdaptor.imagePullPolicy }} - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: APPLICATION_NAME - valueFrom: - fieldRef: - fieldPath: metadata.labels['app'] - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.serviceAccountName -{{- if .Values.certProvider.caAddr }} - - name: CA_ADDR - value: {{ .Values.certProvider.caAddr }}:{{ .Values.certProvider.caPort}} #istiod.istio-system.svc:15012 - - name: TRUST_DOMAIN - value: {{ 
.Values.certProvider.trustDomain }} #cluster.local - - name: CLUSTER_ID - value: {{ .Values.certProvider.clusterId }} #Kubernetes - - name: CERT_TTL_IN_HOURS - value: {{ .Values.certProvider.certTTLinHours | quote }} - - name: JWT_POLICY - value: {{ include "jwtValue" . | quote }} # third-party-jwt if Kubernetes cluster supports third-party tokens -{{- end }} -{{- if eq .Values.ingressGateway.multiClusterIngress true }} - - name: MULTICLUSTER_INGRESS - value: "TRUE" - - name: MULTICLUSTER_LISTENER_PORT - value: {{ .Values.ingressGateway.multiClusterListenerPort | quote}} - - name: MULTICLUSTER_SVC_DOMAIN - value: {{ printf "'*.%s'" .Values.ingressGateway.multiClusterSvcDomain }} -{{- end }} -{{- if eq .Values.coe.coeTracing true }} - - name: COE_TRACING - value: "TRUE" -{{- end }} - - name: LOGLEVEL - value: {{ .Values.xDSAdaptor.logLevel | default "DEBUG" | quote }} -{{- if eq .Values.xDSAdaptor.jsonLog true }} - - name: JSONLOG - value: "TRUE" -{{- end }} - - name: NS_USER - valueFrom: - secretKeyRef: - name: {{ .Values.secretName }} - key: username - - name: NS_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Values.secretName }} - key: password - args: - - -ads-server -{{- if eq .Values.xDSAdaptor.secureConnect true }} - - {{ .Values.istioPilot.name}}.{{ .Values.istioPilot.namespace }}.svc:{{ .Values.istioPilot.secureGrpcPort }} # istiod.istio-system.svc:15012 -{{- else }} - - {{ .Values.istioPilot.name}}.{{ .Values.istioPilot.namespace }}.svc:{{ .Values.istioPilot.insecureGrpcPort }} # istiod.istio-system.svc:15010 -{{- end }} - - -istio-proxy-type - - {{ .Values.xDSAdaptor.proxyType | default "router" | quote }} -{{- if .Values.istioPilot.SAN }} - - -ads-server-SAN - - {{ .Values.istioPilot.SAN | default "" }} -{{- end }} - - -ads-secure-connect={{ .Values.xDSAdaptor.secureConnect }} - - -citrix-adc - - {{ required "Mention Citrix ADC IP/URL in https://[:port] format" .Values.ingressGateway.netscalerUrl }} - - -citrix-adc-vip - - {{ required "Mention Vserver 
IP to be configured on Citrix ADC" .Values.ingressGateway.vserverIP }} - - -citrix-adc-user - - "/etc/nslogin/username" - - -citrix-adc-password - - "/etc/nslogin/password" - # If using VPX/MPX as Ingress gateway, then specify the network profile name - # which was provided to Citrix Node Controller (CNC) -{{- if .Values.ingressGateway.netProfile }} - - -citrix-adc-net-profile - - {{ .Values.ingressGateway.netProfile }} -{{- end }} - - -citrix-adm - - "" -{{- if .Values.coe.coeURL }} - - -coe - - {{ .Values.coe.coeURL }} -{{- end }} -{{- if .Values.ingressGateway.adcServerName }} - - -citrix-adc-server-name - - {{ .Values.ingressGateway.adcServerName }} - - -citrix-adc-server-ca - - "/etc/nitro/root-cert.pem" -{{- end }} - securityContext: - readOnlyRootFilesystem: true - runAsGroup: 32024 - runAsUser: 32024 # UID of istio-adaptor container's user - volumeMounts: - - mountPath: /etc/certs - name: certs - - name: istiod-ca-cert - mountPath: /etc/rootcert/ -{{- $jwtpolicy := include "jwtValue" . 
}} -{{- if eq $jwtpolicy "third-party-jwt" }} - - mountPath: /var/run/secrets/tokens - name: istio-token -{{- end }} - - mountPath: /etc/nslogin - name: nslogin - readOnly: true - - mountPath: /etc/istio/ingressgateway-certs # Make sure that Gateway definition has this path mentioned in server.tls section for SIMPLE TLS - name: citrix-ingressgateway-certs - readOnly: true - - mountPath: /etc/istio/ingressgateway-ca-certs # Make sure that Gateway definition has this path mentioned in server.tls section for MUTUAL TLS - name: citrix-ingressgateway-ca-certs - readOnly: true - {{- range .Values.ingressGateway.secretVolumes }} - - name: {{ .name }} - mountPath: {{ .mountPath | quote }} - readOnly: true - {{- end }} -{{- if .Values.ingressGateway.adcServerName }} - - mountPath: /etc/nitro/ - name: citrix-adc-cert - readOnly: true -{{- end }} - securityContext: - fsGroup: 32024 - volumes: - - name: nslogin - secret: - optional: true - secretName: {{ .Values.secretName }} - - name: certs - emptyDir: {} - - name: istiod-ca-cert - configMap: - defaultMode: 0777 - name: istio-ca-root-cert - - name: citrix-ingressgateway-certs - secret: - optional: true - secretName: "citrix-ingressgateway-certs" # IMPORTANT: This secret MUST BE created before deploying gateway and ingress-gateway - - name: citrix-ingressgateway-ca-certs - secret: - optional: true - secretName: "citrix-ingressgateway-ca-certs" # IMPORTANT: This secret MUST BE created before deploying gateway and ingress-gateway - {{- range .Values.ingressGateway.secretVolumes }} - - name: {{ .name }} - secret: - secretName: {{ .secretName | quote }} - optional: true - {{- end }} -{{- if .Values.ingressGateway.adcServerName }} - - name: citrix-adc-cert - secret: - optional: true - secretName: "citrix-adc-cert" # IMPORTANT: This secret MUST BE created before deploying gateway and ingress-gateway -{{- end }} -{{- $jwtpolicy := include "jwtValue" . 
}} -{{- if eq $jwtpolicy "third-party-jwt" }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: istio-ca - expirationSeconds: 43200 - path: istio-token -{{- end }} ---- -{{- end}} diff --git a/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.1/templates/citrix-multicluster-gateway.yaml b/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.1/templates/citrix-multicluster-gateway.yaml deleted file mode 100644 index 7469cd2462..0000000000 --- a/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.1/templates/citrix-multicluster-gateway.yaml +++ /dev/null @@ -1,40 +0,0 @@ -{{- if eq .Values.ingressGateway.multiClusterIngress true }} -apiVersion: networking.istio.io/v1beta1 -kind: Gateway -metadata: - annotations: - labels: - app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} -{{- if eq .Values.citrixCPX true }} - deployment: "cpx-ingressgateway" # This label is useful in ServiceGraph -{{- end }} - name: citrix-multicluster-ingressgateway - namespace: {{ .Release.Namespace }} -spec: - selector: - app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} - servers: - - hosts: - - {{ printf "'*.%s'" .Values.ingressGateway.multiClusterSvcDomain }} - port: - name: tls - number: {{ .Values.ingressGateway.multiClusterListenerPort }} - protocol: TLS - tls: - mode: AUTO_PASSTHROUGH ---- -apiVersion: networking.istio.io/v1beta1 -kind: DestinationRule -metadata: - annotations: - labels: - app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} - name: citrix-multicluster-ingressgateway - namespace: {{ .Release.Namespace }} -spec: - host: {{ printf "'*.%s'" .Values.ingressGateway.multiClusterSvcDomain }} - trafficPolicy: - tls: - mode: ISTIO_MUTUAL ---- -{{- end }} \ No newline at end of file 
diff --git a/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.1/templates/ingressgateway-service.yaml b/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.1/templates/ingressgateway-service.yaml
deleted file mode 100644
index 38ad4f7bd7..0000000000
--- a/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.1/templates/ingressgateway-service.yaml
+++ /dev/null
@@ -1,76 +0,0 @@
-{{- if eq .Values.citrixCPX true }}
-apiVersion: autoscaling/v2beta1
-kind: HorizontalPodAutoscaler
-metadata:
- name: {{ template "generate-name" (list . (dict "suffixname" "citrix-ingress-hpa")) }}
- namespace: {{ .Release.Namespace }}
-spec:
- maxReplicas: 1
- minReplicas: 1
- scaleTargetRef:
- apiVersion: apps/v1
- kind: Deployment
- name: {{ template "generate-name" (list . (dict "suffixname" "ingress-deployment")) }}
- metrics:
- - type: Resource
- resource:
- name: cpu
- targetAverageUtilization: 60
----
-{{- end }}
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ template "generate-name" (list . (dict "suffixname" "citrix-ingress-svc")) }}
- namespace: {{ .Release.Namespace }}
- annotations:
- labels:
- app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }}
-{{- if eq .Values.citrixCPX true }}
- deployment: "cpx-ingressgateway" # This label is useful in ServiceGraph
-{{- end }}
-spec:
-{{- if eq .Values.citrixCPX true }}
-{{- if eq .Values.ingressGateway.nodePortRequired true }}
- type: NodePort
-{{- else }}
- type: LoadBalancer
-{{- end }}
-{{- end }}
- selector:
- app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }}
- ports:
- -
- name: http2
-{{- if eq .Values.citrixCPX true }}
- nodePort: {{ .Values.ingressGateway.httpNodePort }}
-{{- end }}
- port: 80
- targetPort: 80
- -
- name: https
-{{- if eq .Values.citrixCPX true }}
- nodePort: {{ .Values.ingressGateway.httpsNodePort }}
-{{- end }}
- port: 443
- targetPort: 443
-{{- if eq .Values.ingressGateway.multiClusterIngress true }}
- -
- name: multicluster
-{{- if eq .Values.citrixCPX true }}
- nodePort: {{ .Values.ingressGateway.multiClusterListenerNodePort }}
-{{- end }}
- port: {{ .Values.ingressGateway.multiClusterListenerPort }}
- targetPort: {{ .Values.ingressGateway.multiClusterListenerPort }}
-{{- end }}
-{{- $isCPX := .Values.citrixCPX }}
-{{- range .Values.ingressGateway.tcpPort }}
- -
- name: {{ .name }}
-{{- if eq $isCPX true }}
- nodePort: {{ .nodePort }}
-{{- end }}
- port: {{ .port }}
- targetPort: {{ .targetPort }}
-{{- end }}
----
diff --git a/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.1/templates/metrics-exporter-service.yaml b/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.1/templates/metrics-exporter-service.yaml
deleted file mode 100644
index b63096938b..0000000000
--- a/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.1/templates/metrics-exporter-service.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{{- if eq .Values.metricExporter.required true }}
-kind: Service
-apiVersion: v1
-metadata:
- name: {{ template "generate-name" (list . (dict "suffixname" "citrix-exporter-svc")) }}
- annotations:
- labels:
- service-type: citrix-adc-monitor
-spec:
- selector:
- app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }}
- ports:
- - name: exporter-port
- port: {{ .Values.metricExporter.port }}
- targetPort: {{ .Values.metricExporter.port }}
----
-{{- end }}
diff --git a/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.1/values.yaml b/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.1/values.yaml
deleted file mode 100644
index f6a6d0051f..0000000000
--- a/charts/citrix/citrix-adc-istio-ingress-gateway/1.11.1/values.yaml
+++ /dev/null
@@ -1,74 +0,0 @@
-# Default values for citrix-adc-istio-ingress-gateway
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-citrixCPX: false
-
-coe:
- coeURL:
- coeTracing: false
-
-metricExporter:
- required: true
- image: quay.io/citrix/citrix-adc-metrics-exporter:1.4.9
- port: 8888
- secure: "YES"
- logLevel: ERROR
- imagePullPolicy: IfNotPresent
-
-xDSAdaptor:
- image: quay.io/citrix/citrix-xds-adaptor:0.9.9
- imagePullPolicy: IfNotPresent
- proxyType: router
- secureConnect: true
- logLevel: DEBUG
- jsonLog: false
-
-istioPilot:
- name: istiod
- namespace: istio-system
- secureGrpcPort: 15012
- insecureGrpcPort: 15010
- SAN:
-
-certProvider:
- caAddr: istiod.istio-system.svc
- caPort: 15012
- trustDomain: cluster.local
- certTTLinHours: 720
- clusterId: Kubernetes
- jwtPolicy: #specify third-party-jwt if Kubernetes cluster supports third-party tokens. Default from K8s v1.21
-
-ingressGateway:
- netscalerUrl: null
- image: quay.io/citrix/citrix-k8s-cpx-ingress:13.0-83.27
- imagePullPolicy: IfNotPresent
- EULA: NO
- mgmtHttpPort: 10080
- mgmtHttpsPort: 10443
- httpNodePort: 30180
- httpsNodePort: 31443
- nodePortRequired: true
- lightWeightCPX: 1
- secretVolumes:
- #licenseServerIP: this value will be taken from ADMSettings.ADMIP
- label: citrix-ingressgateway
- tcpPort:
- vserverIP: nsip
- adcServerName:
- netProfile:
- multiClusterIngress: false
- multiClusterListenerPort: 15443
- multiClusterListenerNodePort: 32443
- multiClusterSvcDomain: global
-
-ADMSettings:
- ADMIP:
- licenseServerIP:
- licenseServerPort: 27000
- bandWidthLicense: false
- bandWidth:
- vCPULicense: false
- cpxCores:
-
-secretName: nslogin
diff --git a/charts/citrix/citrix-adc-istio-ingress-gateway/1.14.0/Chart.yaml b/charts/citrix/citrix-adc-istio-ingress-gateway/1.14.0/Chart.yaml
deleted file mode 100644
index 5f4419de2e..0000000000
--- a/charts/citrix/citrix-adc-istio-ingress-gateway/1.14.0/Chart.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-annotations:
- catalog.cattle.io/certified: partner
- catalog.cattle.io/display-name: Citrix Adc Istio Ingress Gateway
- catalog.cattle.io/kube-version: '>=v1.16.0-0'
- catalog.cattle.io/release-name: citrix-adc-istio-ingress-gateway
-apiVersion: v2
-appVersion: 1.14.0
-deprecated: true
-description: A Helm chart for Citrix ADC as Ingress Gateway installation in Istio
- Service Mesh on Kubernetes platform
-home: https://www.citrix.com
-icon: https://raw.githubusercontent.com/citrix/citrix-helm-charts/gh-pages/icon.png
-kubeVersion: '>=v1.16.0-0'
-maintainers:
-- email: dhiraj.gedam@citrix.com
- name: dheerajng
-- email: subash.dangol@citrix.com
- name: subashd
-name: citrix-adc-istio-ingress-gateway
-sources:
-- https://github.com/citrix/citrix-xds-adaptor
-version: 1.14.0
diff --git a/charts/citrix/citrix-adc-istio-ingress-gateway/1.14.0/README.md b/charts/citrix/citrix-adc-istio-ingress-gateway/1.14.0/README.md
deleted file mode 100644
index aefb0c33b4..0000000000
--- a/charts/citrix/citrix-adc-istio-ingress-gateway/1.14.0/README.md
+++ /dev/null
@@ -1,487 +0,0 @@ -# Deploy Citrix ADC as an Ingress Gateway in Istio environment using Helm charts - -Citrix Application Delivery Controller (ADC) can be deployed as an Istio Ingress Gateway to control the ingress traffic to Istio service mesh. - -# Table of Contents - -1. [TL; DR;](#tldr) -2. [Introduction](#introduction) -3. [Deploy Citrix ADC VPX or MPX as an Ingress Gateway](#deploy-citrix-adc-vpx-or-mpx-as-an-ingress-gateway) -4. [Deploy Citrix ADC CPX as an Ingress Gateway](#deploy-citrix-adc-cpx-as-an-ingress-gateway) -5. [Using Existing Certificates to deploy Citrix ADC as an Ingress Gateway](#using-existing-certificates-to-deploy-citrix-adc-as-an-ingress-gateway) -6. [Deploy Citrix ADC as an Ingress Gateway in multi cluster Istio Service mesh](#deploy-citrix-adc-as-a-multicluster-ingress-gateway) -7. [Segregating traffic with multiple Ingress Gateways](#segregating-traffic-with-multiple-ingress-gateways) -8. [Visualizing statistics of Citrix ADC Ingress Gateway with Metrics Exporter](#visualizing-statistics-of-citrix-adc-ingress-gateway-with-metrics-exporter) -9. [Exposing services running on non-HTTP ports](#exposing-services-running-on-non-http-ports) -10. [Generate Certificate for Ingress Gateway](#generate-certificate-for-ingress-gateway) -11. [Configure Third Party Service Account Tokens](#using-third-party-service-account-tokens) -12. [Citrix ADC CPX License Provisioning](#citrix-adc-cpx-license-provisioning) -13. [Service Graph configuration](#configuration-for-servicegraph) -14. [Citrix ADC as Ingress Gateway: a sample deployment](#citrix-adc-as-ingress-gateway-a-sample-deployment) -15. [Uninstalling the Helm chart](#uninstalling-the-helm-chart) -16. [Citrix ADC VPX/MPX Certificate Verification](#citrix-adc-vpx-or-mpx-certificate-verification) -17. 
[Configuration Parameters](#configuration-parameters) - -## TL; DR; - -### To deploy Citrix ADC VPX or MPX as an Ingress Gateway - - kubectl create secret generic nslogin --from-literal=username= --from-literal=password= -n citrix-system - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES --set ingressGateway.netscalerUrl=https://[:port] --set ingressGateway.vserverIP= --set secretName=nslogin - -### To deploy Citrix ADC CPX as an Ingress Gateway - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES --set citrixCPX=true - -## Introduction - -This chart deploys Citrix ADC VPX, MPX, or CPX as an Ingress Gateway in the Istio service mesh using the Helm package manager. For detailed information on different deployment options, see [Deployment Architecture](https://github.com/citrix/citrix-istio-adaptor/blob/master/docs/istio-integration/architecture.md). - -### Compatibility Matrix between Citrix xDS-adaptor and Istio version - -Below table provides info about recommended Citrix xDS-Adaptor version to be used for various Istio versions. 
- -| Citrix xDS-Adaptor version | Istio version | -|----------------------------|---------------| -| quay.io/citrix/citrix-xds-adaptor:0.10.3 | Istio v1.14+ | -| quay.io/citrix/citrix-xds-adaptor:0.10.1 | Istio v1.12 to Istio v1.13 | -| quay.io/citrix/citrix-xds-adaptor:0.9.9 | Istio v1.10 to Istio v1.11 | -| quay.io/citrix/citrix-xds-adaptor:0.9.8 | Istio v1.8 to Istio v1.9 | -| quay.io/citrix/citrix-xds-adaptor:0.9.5 | Istio v1.6 | - -### Prerequisites - -The following prerequisites are required for deploying Citrix ADC as an Ingress Gateway in Istio service mesh: - -- Ensure that **Istio version 1.8 onwards** is installed -- Ensure that Helm with version 3.x is installed. Follow this [step](https://github.com/citrix/citrix-helm-charts/blob/master/Helm_Installation_version_3.md) to install the same. -- Ensure that your cluster Kubernetes version should be above 1.16 and the `admissionregistration.k8s.io/v1`, `admissionregistration.k8s.io/v1beta1` API is enabled - - You can verify the API by using the following command: - - kubectl api-versions | grep admissionregistration.k8s.io/v1 - - The following output indicates that the API is enabled: - - admissionregistration.k8s.io/v1 - admissionregistration.k8s.io/v1beta1 - -- **For deploying Citrix ADC VPX or MPX as an Ingress gateway:** - - Create a Kubernetes secret for the Citrix ADC user name and password using the following command: - - kubectl create secret generic nslogin --from-literal=username= --from-literal=password= -n citrix-system - -- **Create system user account for xDS-adaptor in Citrix ADC:** - - The Citrix ADC appliance needs to have system user account (non-default) with certain privileges so that `xDS-adaptor` can configure the Citrix ADC VPX or MPX appliance. Follow the instructions to create the system user account on Citrix ADC. 
- - Create a Kubernetes secret for the user name and password using the following command: - - ``` - kubectl create secret generic nslogin --from-literal=username='cxa' --from-literal=password='mypassword' - ``` - - The `xDS-adaptor` configures the Citrix ADC using a system user account of the Citrix ADC. The system user account should have certain privileges so that the xDS-adaptor has permissions configure the following on the Citrix ADC: - - - Add, Delete, or View Content Switching (CS) virtual server - - Configure CS policies and actions - - Configure Load Balancing (LB) virtual server - - Configure Service groups - - Cofigure SSl certkeys - - Configure routes - - Configure user monitors - - Add system file (for uploading SSL certkeys from Kubernetes) - - Configure Virtual IP address (VIP) - - Check the status of the Citrix ADC appliance - - Add, Delete or view authentication virtual server, policy, authaction - - Add, Delete or view Policy - - Add, Delete or view Responder policy, action, param - - Add, Delete or view Rewrite policy, action, param - - Add, Delete or view analytics profile - - Add, Delete or view DNS name server - - Add, Delete or view network netprofile - - Add, Delete or view Traffic Management Commands(sessionaction, session policy, sessionparameter) - -> **Note:** -> -> The system user account would have privileges based on the command policy that you define. - - To create the system user account, do the following: - - 1. Log on to the Citrix ADC appliance. Perform the following: - 1. Use an SSH client, such as PuTTy, to open an SSH connection to the Citrix ADC appliance. - - 2. Log on to the appliance by using the administrator credentials. - - 2. Create the system user account using the following command: - - ``` - add system user - ``` - - For example: - - ``` - add system user cxa mypassword - ``` - - 3. Create a policy to provide required permissions to the system user account. 
Use the following command: - - ``` - add cmdpolicy cxa-policy ALLOW "((^\S+\s+cs\s+\S+)|(^\S+\s+lb\s+\S+)|(^\S+\s+service\s+\S+)|(^\S+\s+servicegroup\s+\S+)|(^stat\s+system)|(^show\s+ha)|(^\S+\s+ssl\s+certKey)|(^\S+\s+ssl)|(^\S+\s+route)|(^\S+\s+monitor)|(^show\s+ns\s+ip)|(^\S+\s+system\s+file)|)|(^\S+\s+aaa\s+\S+)|(^\S+\s+aaa\s+\S+\s+.*)|(^\S+\s+authentication\s+\S+)|(^\S+\s+authentication\s+\S+\s+.*)|(^\S+\s+policy\s+\S+)|(^\S+\s+policy\s+\S+\s+.*)|(^\S+\s+rewrite\s+\S+)|(^\S+\s+rewrite\s+\S+\s+.*)|(^\S+\s+analytics\s+\S+)|(^\S+\s+analytics\s+\S+\s+.*)|(^\S+\s+dns\s+\S+)|(^\S+\s+dns\s+\S+\s+.*)|(^\S+\s+netProfile)|(^\S+\s+netProfile\s+.*)|(^\S+\s+tm\s+\S+)|(^\S+\s+tm\s+\S+\s+.*)" - ``` - - 4. Bind the policy to the system user account using the following command: - - ``` - bind system user cxa cxa-policy 0 - ``` - -- **Registration of Citrix ADC CPX in ADM** - -Create a secret for ADM username and password - - kubectl create secret generic admlogin --from-literal=username= --from-literal=password= -n citrix-system - -- **Important Note:** For deploying Citrix ADC VPX or MPX as ingress gateway, you should establish the connectivity between Citrix ADC VPX or MPX and cluster nodes. This connectivity can be established by configuring routes on Citrix ADC as mentioned [here](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/staticrouting.md) or by deploying [Citrix Node Controller](https://github.com/citrix/citrix-k8s-node-controller). - -## Deploy Citrix ADC VPX or MPX as an Ingress Gateway - - To deploy Citrix ADC VPX or MPX as an Ingress Gateway in the Istio service mesh, do the following step. In this example, release name is specified as `citrix-adc-istio-ingress-gateway` and namespace as `citrix-system`. 
- - kubectl create secret generic nslogin --from-literal=username= --from-literal=password= -n citrix-system - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,ingressGateway.netscalerUrl=https://[:port],ingressGateway.vserverIP= --set secretName=nslogin - -## Deploy Citrix ADC CPX as an Ingress Gateway - - To deploy Citrix ADC CPX as an Ingress Gateway, do the following step. In this example, release name is specified as `my-release` and namespace is used as `citrix-system`. - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install my-release citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,citrixCPX=true - -## Deploy Citrix ADC as an Ingress Gateway in multi cluster Istio Service mesh - -To deploy **Citrix ADC VPX/MPX as an Ingress Gateway** in multi cluster Istio Service mesh, carry out below steps. - -``` -helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - -helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,ingressGateway.netscalerUrl=https://[:port],ingressGateway.vserverIP= --set ingressGateway.multiClusterIngress=true -``` - -To deploy **Citrix ADC CPX as an Ingress Gateway** in multi cluster Istio Service mesh, carry out below steps. - -``` -helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - -helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,citrixCPX=true --set ingressGateway.multiClusterIngress=true - -``` - -By default, port 15443 of the Citrix ADC will be used to handle all the inter-cluster traffic coming to services deployed in local cluster. These services are exposed using `*.global` domain. 
-To modify the default 15443 port and "global" domain, use _ingressGateway.multiClusterListenerPort_ and _ingressGateway.multiClusterSvcDomain_ options of helm chart. - -For example, to use port 25443 and _mydomain_ as the service domain to expose local cluster deployed services to services in remote clusters. - -``` - -helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,ingressGateway.netscalerUrl=https://[:port],ingressGateway.vserverIP= --set ingressGateway.multiClusterIngress=true --set ingressGateway.multiClusterListenerPort=25443 --set ingressGateway.multiClusterSvcDomain=mydomain - -``` - -Follow [this](https://github.com/citrix/citrix-helm-charts/tree/master/examples/citrix-adc-ingress-in-multicluster-istio/README.md) as a sample example to deploy Citrix ADC as Ingress gateway in multi-cluster Istio service mesh. - -## Using Existing Certificates to deploy Citrix ADC as an Ingress Gateway - -You may want to use the existing certificate and key for authenticating access to an application using Citrix ADC Ingress Gateway. In that case, you can create a Kubernetes secret from the existing certificate and key. You can mount the Kubernetes secret as data volumes in Citrix ADC Ingress Gateway. - -To create a Kubernetes secret using an existing key named `test_key.pem` and a certificate named `test.pem`, use the following command: - - kubectl create -n citrix-system secret tls citrix-ingressgateway-certs --key test_key.pem --cert test.pem - -Note: Ensure that Kubernetes secret is created in the same namespace where Citrix ADC Ingress Gateway is deployed. 
- -To deploy Citrix ADC VPX or MPX with secret volume, do the following step: - - kubectl create secret generic nslogin --from-literal=username= --from-literal=password= -n citrix-system - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install my-release citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,secretName=nslogin,ingressGateway.netscalerUrl=https://[:port],ingressGateway.vserverIP=,ingressGateway.secretVolumes[0].name=test-ingressgateway-certs,ingressGateway.secretVolumes[0].secretName=test-ingressgateway-certs,ingressGateway.secretVolumes[0].mountPath=/etc/istio/test-ingressgateway-certs - -To deploy Citrix ADC CPX with secret volume, do the following step: - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install my-release citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,citrixCPX=true,ingressGateway.secretVolumes[0].name=test-ingressgateway-certs,ingressGateway.secretVolumes[0].secretName=test-ingressgateway-certs,ingressGateway.secretVolumes[0].mountPath=/etc/istio/test-ingressgateway-certs - -## Segregating traffic with multiple Ingress Gateways - -You can deploy multiple Citrix ADC Ingress Gateway devices and segregate traffic to various deployments in the Istio service mesh. This can be achieved with _custom labels_. By default, Citrix ADC Ingress Gateway service comes up with the `app: citrix-ingressgateway` label. This label is used as a selector while deploying the Ingress Gateway or virtual service resources. If you want to deploy Ingress Gateway with the custom label, you can do it using the `ingressGateway.label` option in the Helm chart. 
- -To deploy Citrix ADC CPX Ingress Gateway with the label `my_custom_ingressgateway`, do the following step: - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install my-release citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,citrixCPX=true,ingressGateway.lightWeightCPX=NO,ingressGateway.label=my_custom_ingressgateway - -To deploy Citrix ADC VPX or MPX as an Ingress Gateway with the label `my_custom_ingressgateway`, do the following step: - - kubectl create secret generic nslogin --from-literal=username= --from-literal=password= -n citrix-system - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install my-release citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,secretName=nslogin,ingressGateway.netscalerUrl=https://[:port],ingressGateway.vserverIP=,ingressGateway.label=my_custom_ingressgateway - -## Visualizing statistics of Citrix ADC Ingress Gateway with Metrics Exporter - -By default, [Citrix ADC Metrics Exporter](https://github.com/citrix/citrix-adc-metrics-exporter) is also deployed along with Citrix ADC Ingress Gateway. Citrix ADC Metrics Exporter fetches statistical data from Citrix ADC and exports it to Prometheus running in Istio service mesh. When you add Prometheus as a data source in Grafana, you can visualize this statistical data in the Grafana dashboard. - -Metrics Exporter requires the IP address of Citrix ADC CPX or VPX Ingress Gateway. It is retrieved from the value specified for `ingressGateway.netscalerUrl`. - -When Citrix ADC CPX is deployed as Ingress Gateway, Metrics Exporter runs along with Citrix CPX Ingress Gateway in the same pod and specifying IP address is optional. - -To deploy Citrix ADC as Ingress Gateway without Metrics Exporter, set the value of `metricExporter.required` as false. 
- - kubectl create secret generic nslogin --from-literal=username= --from-literal=password= -n citrix-system - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,secretName=nslogin,ingressGateway.netscalerUrl=https://[:port],ingressGateway.vserverIP=,metricExporter.required=false - -"Note:" To remotely access telemetry addons such as Prometheus and Grafana, see [Remotely Accessing Telemetry Addons](https://istio.io/docs/tasks/telemetry/gateways/). - -## Exposing services running on non-HTTP ports - -By default, services running on HTTP ports (80 & 443) are exposed through Citrix ADC Ingress Gateway. Similarly, you can expose services that are deployed on non-HTTP ports through the Citrix ADC Ingress Gateway device. - -To deploy Citrix ADC MPX or VPX, and expose a service running on a TCP port, do the following step. - -In this example, a service running on TCP port 5000 is exposed using port 10000 on Citrix ADC. - - kubectl create secret generic nslogin --from-literal=username= --from-literal=password= -n citrix-system - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install my-release citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,secretName=nslogin,ingressGateway.netscalerUrl=https://[:port],ingressGateway.vserverIP=,ingressGateway.tcpPort[0].name=tcp1,ingressGateway.tcpPort[0].port=10000,ingressGateway.tcpPort[0].targetPort=5000 - - To deploy Citrix ADC CPX and expose a service running on a TCP port, do the following step. - In this example, port 10000 on the Citrix ADC CPX instance is exposed using TCP port 30000 (node port configuration) on the host machine. 
- - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install my-release citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,citrixCPX=true,ingressGateway.tcpPort[0].name=tcp1,ingressGateway.tcpPort[0].nodePort=30000,ingressGateway.tcpPort[0].port=10000,ingressGateway.tcpPort[0].targetPort=5000 - -## Generate Certificate for Ingress Gateway - -Citrix Ingress gateway needs TLS certificate-key pair for establishing secure communication channel with backend applications. Earlier these certificates were issued by Istio Citadel and bundled in Kubernetes secret. Certificate was loaded in the application pod by doing volume mount of secret. Now `xDS-Adaptor` can generate its own certificate and get it signed by the Istio Citadel (Istiod). This eliminates the need of secret and associated [risks](https://kubernetes.io/docs/concepts/configuration/secret/#risks). - -xDS-Adaptor needs to be provided with details Certificate Authority (CA) for successful signing of Certificate Signing Request (CSR). By default, CA is `istiod.istio-system.svc` which accepts CSRs on port 15012. -To skip this process, don't provide any value (empty string) to `certProvider.caAddr`. - -``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES --set citrixCPX=true --set certProvider.caAddr="" -``` - -### Configure Third Party Service Account Tokens - -In order to generate certificate for application workload, xDS-Adaptor needs to send valid service account token along with Certificate Signing Request (CSR) to the Istio control plane (Citadel CA). Istio control plane authenticates the xDS-Adaptor using this JWT. -Kubernetes supports two forms of these tokens: - -- Third party tokens, which have a scoped audience and expiration. 
-- First party tokens, which have no expiration and are mounted into all pods. - - If Kubernetes cluster is installed with third party tokens, then the same information needs to be provided for automatic sidecar injection by passing `--set certProvider.jwtPolicy="third-party-jwt"`. By default, it is `first-party-jwt`. - -``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES --set citrixCPX=true --set certProvider.caAddr="istiod.istio-system.svc" --set certProvider.jwtPolicy="third-party-jwt" - -``` - -To determine if your cluster supports third party tokens, look for the TokenRequest API using below command. If there is no output, then it is `first-party-jwt`. In case of `third-party-jwt`, output will be like below. - -``` -# kubectl get --raw /api/v1 | jq '.resources[] | select(.name | index("serviceaccounts/token"))' - -{ - "name": "serviceaccounts/token", - "singularName": "", - "namespaced": true, - "group": "authentication.k8s.io", - "version": "v1", - "kind": "TokenRequest", - "verbs": [ - "create" - ] -} - -``` - -## **Citrix ADC CPX License Provisioning** - -By default, CPX runs with 20 Mbps bandwidth called as [CPX Express](https://www.citrix.com/en-in/products/citrix-adc/cpx-express.html) however for better performance and production deployment customer needs licensed CPX instances. [Citrix ADM](https://www.citrix.com/en-in/products/citrix-application-delivery-management/) is used to check out licenses for Citrix ADC CPX. - -**Bandwidth based licensing** -For provisioning licensing on Citrix ADC CPX, it is mandatory to provide License Server information to CPX. This can be done by setting **ADMSettings.licenseServerIP** as License Server IP. In addition to this, **ADMSettings.bandWidthLicense** needs to be set true and desired bandwidth capacity in Mbps should be set **ADMSettings.bandWidth**. 
-For example, to set 2Gbps as bandwidth capacity, below command can be used. - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES --set ADMSettings.licenseServerIP=,ADMSettings.bandWidthLicense=True --set ADMSettings.bandWidth=2000 --set citrixCPX=true - -## **Service Graph configuration** - - Citrix ADM Service graph is an observability tool that allows user to analyse service to service communication. The service graph is generated by ADM post collection of transactional data from registered Citrix ADC instances. More details about it can be found [here](https://docs.citrix.com/en-us/citrix-application-delivery-management-service/application-analytics-and-management/service-graph.html). - Citrix ADC needs to be provided with ADM details for registration and data export. This section lists the steps needed to deploy Citrix ADC and register it with ADM. - -**Deploy Citrix ADC CPX as ingress gateway** - - 1. Create secret using Citrix ADM Agent credentials, which will be used by Citrix ADC as CPX to communicate with Citrix ADM Agent: - - kubectl create secret generic admlogin --from-literal=username= --from-literal=password= - - 2. Deploy Citrix ADC CPX as ingress gateway using helm command with `ADM` details: - - helm install citrix-adc-istio-ingress-gateway citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES --set citrixCPX=true --set ADMSettings.ADMIP= - -> **Note:** -> If container agent is being used here for Citrix ADM, specify `serviceIP` of container agent in the `ADMSettings.ADMIP` parameter. 
- -**Deploy Citrix ADC VPX/MPX as ingress gateway** - - Deploy Citrix ADC VPX/MPX as ingress gateway using helm command and set analytics settings on Citrix ADC VPX/MPX for sending transaction metrics to Citrix ADM - - helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES --set ingressGateway.netscalerUrl=https://[:port] --set ingressGateway.vserverIP= --set secretName=nslogin - - Add the following configurations in Citrix ADC VPX/MPX - - en ns mode ulfd - - en ns feature appflow - - add appflow collector logproxy_lstreamd -IPAddress -port 5557 -Transport logstream - - set appflow param -templateRefresh 3600 -httpUrl ENABLED -httpCookie ENABLED -httpReferer ENABLED -httpMethod ENABLED -httpHost ENABLED -httpUserAgent ENABLED -httpContentType ENABLED -httpAuthorization ENABLED -httpVia ENABLED -httpXForwardedFor ENABLED -httpLocation ENABLED -httpSetCookie ENABLED -httpSetCookie2 ENABLED -httpDomain ENABLED -httpQueryWithUrl ENABLED metrics ENABLED -events ENABLED -auditlogs ENABLED - - add appflow action logproxy_lstreamd -collectors logproxy_lstreamd - - add appflow policy logproxy_policy true logproxy_lstreamd - - bind appflow global logproxy_policy 10 END -type REQ_DEFAULT - - bind appflow global logproxy_policy 10 END -type OTHERTCP_REQ_DEFAULT - -> **Note:** -> If container agent is being used here for Citrix ADM, specify `PodIP` of container agent in above manual config. - -## Citrix ADC as Ingress Gateway: a sample deployment - -A sample deployment of Citrix ADC as an Ingress gateway for the Bookinfo application is provided [here](https://github.com/citrix/citrix-helm-charts/tree/master/examples/citrix-adc-in-istio). - -## Uninstalling the Helm chart - -To uninstall or delete a chart with release name as `my-release`, do the following step. - - helm delete my-release - -The command removes all the Kubernetes components associated with the chart and deletes the release. 
- -## Citrix ADC VPX/MPX Certificate Verification - -Create a Kubernetes secret holding the CA certificate of Citrix ADC VPX/MPX with the filename `root-cert.pem`. - - kubectl create secret generic citrix-adc-cert --from-file=./root-cert.pem - -Note: Ensure that Kubernetes secret is created in the same namespace where Citrix ADC Ingress Gateway is deployed. - -To deploy Citrix ADC VPX or MPX with Citrix ADC certificate verification, do the following step: - - kubectl create secret generic nslogin --from-literal=username= --from-literal=password= -n citrix-system - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,secretName=nslogin,ingressGateway.netscalerUrl=https://[:port],ingressGateway.vserverIP=,ingressGateway.adcServerName= - -## Configuration parameters - -The following table lists the configurable parameters in the Helm chart and their default values. 
- -| Parameter | Description | Default | Optional/Mandatory | -|--------------------------------|-------------------------------|---------------------------|---------------------------| -| `citrixCPX` | Citrix ADC CPX | FALSE | Mandatory for Citrix ADC CPX | -| `xDSAdaptor.imageRegistry` | Image registry of the Citrix xDS adaptor container(Refer compatibility matrix) | `quay.io` | Mandatory | -| `xDSAdaptor.imageRepository` | Image repository of the Citrix xDS adaptor container(Refer compatibility matrix) | `citrix/citrix-xds-adaptor` | Mandatory | -| `xDSAdaptor.imageTag` | Image tag of the Citrix xDS adaptor container(Refer compatibility matrix) | `0.10.3` | Mandatory | -| `xDSAdaptor.imagePullPolicy` | Image pull policy for xDS adaptor | IfNotPresent | Optional| -| `xDSAdaptor.secureConnect` | If this value is set to true, xDS-adaptor establishes secure gRPC channel with Istio Pilot | TRUE | Optional| -| `xDSAdaptor.logLevel` | Log level to be set for xDS-adaptor log messages. Possible values: TRACE (most verbose), DEBUG, INFO, WARN, ERROR (least verbose) | DEBUG | Optional| -| `xDSAdaptor.jsonLog` | Set this argument to true if log messages are required in JSON format | false | Optional| -| `xDSAdaptor.defaultSSLListenerOn443` | Create SSL vserver by default for LDS resource for 0.0.0.0 and port 443. If set to false, TCP vserver will be created in absence of TLSContext in tcp_proxy filter | true | Optional | -| `coe.coeURL` | Name of [Citrix Observability Exporter](https://github.com/citrix/citrix-observability-exporter) Service in the form of "." | null | Optional| -| `coe.coeTracing` | Use COE to send appflow transactions to Zipkin endpoint. If it is set to true, ADM servicegraph (if configured) can be impacted. 
| false | Optional| -| `ADMSettings.ADMIP` | Citrix Application Delivery Management (ADM) IP address | null | Mandatory for Citrix ADC CPX | -| `ADMSettings.licenseServerIP` | Citrix License Server IP address | null | Optional | -| `ADMSettings.licenseServerPort` | Citrix ADM port if a non-default port is used | 27000 | Optional| -| `ADMSettings.bandWidth` | Desired bandwidth capacity to be set for Citrix ADC CPX in Mbps | 1000 | Optional | -| `ADMSettings.bandWidthLicense` | To specify bandwidth based licensing | false | Optional | -| `ADMSettings.licenseEdition`| License edition that can be Standard, Platinum and Enterprise . By default, Platinum is selected | PLATINUM | optional | -| `ADMSettings.analyticsServerPort` | Port used for Analytics in ADM. Required to plot ServiceGraph. | 5557 | Optional| -| `ingressGateway.netscalerUrl` | URL or IP address of the Citrix ADC which Istio-adaptor configures (Mandatory if citrixCPX=false)| null |Mandatory for Citrix ADC MPX or VPX| -| `ingressGateway.vserverIP` | Virtual server IP address on Citrix ADC (Mandatory if citrixCPX=false) | null | Mandatory for Citrix ADC MPX or VPX| -| `ingressGateway.adcServerName` | Citrix ADC ServerName used in the Citrix ADC certificate | null | Optional | -| `ingressGateway.imageRegistry` | Image registry of Citrix ADC CPX designated to run as Ingress Gateway | `quay.io` | Mandatory for Citrix ADC CPX | -| `ingressGateway.imageRepository` | Image repository of Citrix ADC CPX designated to run as Ingress Gateway | `citrix/citrix-k8s-cpx-ingress` | Mandatory for Citrix ADC CPX | -| `ingressGateway.imageTag` | Image tag of Citrix ADC CPX designated to run as Ingress Gateway | `13.1-30.52` | Mandatory for Citrix ADC CPX | -| `ingressGateway.imagePullPolicy` | Image pull policy | IfNotPresent | Optional| -| `ingressGateway.EULA` | End User License Agreement(EULA) terms and conditions. If yes, then user agrees to EULA terms and conditions. 
| NO | Mandatory for Citrix ADC CPX -| `ingressGateway.mgmtHttpPort` | Management port of the Citrix ADC CPX | 9080 | Optional| -| `ingressGateway.mgmtHttpsPort` | Secure management port of Citrix ADC CPX | 9443 | Optional| -| `ingressGateway.httpNodePort` | Port on host machine which is used to expose HTTP port (80) of Citrix ADC CPX | 30180 |Optional| -| `ingressGateway.httpsNodePort` | Port on host machine which is used to expose HTTPS port (443) of Citrix ADC CPX | 31443 |Optional| -| `ingressGateway.nodePortRequired` | Set this argument if servicetype to be NodePort of Citrix ADC CPX | false |Optional| -| `ingressGateway.secretVolume` | A map of user defined volumes to be mounted using Kubernetes secrets | null |Optional| -| `ingressGateway.label` | Custom label for the Ingress Gateway service | citrix-ingressgateway |Optional| -| `ingressGateway.netProfile` | Network profile name used by [CNC](https://github.com/citrix/citrix-k8s-node-controller) to configure Citrix ADC VPX or MPX which is deployed as Ingress Gateway | null | Optional| -| `ingressGateway.multiClusterIngress` | Flag indicating if Citrix ADC is acting as Ingress gateway to multi cluster Istio mesh installation. Possible values: true/false | false | Optional| -| `ingressGateway.multiClusterListenerPort` | Port opened on Citrix ADC to enable inter-cluster service to service (E-W) communication | 15443 | Optional| -| `ingressGateway.multiClusterListenerNodePort` | Nodeport for multiClusterListenerPort in case of Citrix ADC CPX acting as Ingress gateway | 32443 | Optional| -| `ingressGateway.multiClusterSvcDomain` | Domain suffix of remote service (deployed in other cluster) used in E-W communication | global | Optional| -| `ingressGateway.cpxLicenseAggregator` | IP/FQDN of the CPX License Aggregator if it is being used to license the CPX. 
| null | Optional| -| `ingressGateway.tcpPort` | For exposing multiple TCP ingress | null |Optional| -| `ingressGateway.enableLabelsFeature` | If this variable is true, Istio's [subset](https://istio.io/latest/docs/reference/config/networking/destination-rule/#Subset) of the service and some metadata of the service such as servicename, namespace etc will be stored in the Citrix ADC that might be used for analytics purpose. | FALSE |Optional| -| `istioPilot.name` | Name of the Istio Pilot service | istiod |Optional| -| `istioPilot.namespace` | Namespace where Istio Pilot is running | istio-system |Optional| -| `istioPilot.secureGrpcPort` | Secure GRPC port where Istiod (Istio Pilot) is listening (default setting) | 15012 |Optional| -| `istioPilot.insecureGrpcPort` | Insecure GRPC port where Istiod (Istio Pilot) is listening | 15010 |Optional| -| `istioPilot.SAN` | Subject alternative name for Istiod (Istio Pilot) which is the secure production identity framework for everyone (SPIFFE) ID of Istio Pilot | null |Optional| -| `metricExporter.required` | Metrics exporter for Citrix ADC | TRUE |Optional| -| `metricExporter.imageRegistry` | Image registry of the Citrix ADC Metrics Exporter | `quay.io` | Optional | -| `metricExporter.imageRepository` | Image repository of the Citrix ADC Metrics Exporter | `citrix/citrix-adc-metrics-exporter` | Optional | -| `metricExporter.imageTag` | Image tag of the Citrix ADC Metrics Exporter | `1.4.9` | Optional | -| `metricExporter.port` | Port over which Citrix ADC Metrics Exporter collects metrics of Citrix ADC. | 8888 |Optional| -| `metricExporter.secure` | Enables collecting metrics over TLS | YES |Optional| -| `metricExporter.logLevel` | Level of logging in Citrix ADC Metrics Exporter. 
Possible values are: DEBUG, INFO, WARNING, ERROR, CRITICAL | ERROR |Optional|
-| `metricExporter.imagePullPolicy` | Image pull policy for Citrix ADC Metrics Exporter | IfNotPresent |Optional|
-| `certProvider.caAddr` | Certificate Authority (CA) address issuing certificate to application | istiod.istio-system.svc | Optional |
-| `certProvider.caPort` | Certificate Authority (CA) port issuing certificate to application | 15012 | Optional |
-| `certProvider.trustDomain` | SPIFFE Trust Domain | cluster.local | Optional |
-| `certProvider.certTTLinHours` | Validity of certificate generated by xds-adaptor and signed by Istiod (Istio Citadel) in hours. Default is 30 days validity | 720 | Optional |
-| `certProvider.clusterId` | clusterId is the ID of the cluster where Istiod CA instance resides (default Kubernetes). It can be different value on some cloud platforms or in multicluster environments. For example, in Anthos servicemesh, it might be of the format of `cn--`. In multiCluster environments, it is the value of global.multiCluster.clusterName provided during servicemesh control plane installation | Kubernetes | Optional |
-| `certProvider.jwtPolicy` | Service Account token type. Kubernetes platform supports First party tokens and Third party tokens. Usually public cloud based Kubernetes has third-party-jwt | null | Optional |
-| `secretName` | Name of the Kubernetes secret holding Citrix ADC credentials | nslogin | Mandatory for Citrix ADC VPX/MPX |
-
-**Note:** You can use the `values.yaml` file packaged in the chart. This file contains the default configuration values for the chart.
diff --git a/charts/citrix/citrix-adc-istio-ingress-gateway/1.14.0/app-readme.md b/charts/citrix/citrix-adc-istio-ingress-gateway/1.14.0/app-readme.md
deleted file mode 100644
index dc4ee42acd..0000000000
--- a/charts/citrix/citrix-adc-istio-ingress-gateway/1.14.0/app-readme.md
+++ /dev/null
@@ -1,38 +0,0 @@ -# Citrix ADC as an Ingress Gateway for Istio - -An [Istio](https://istio.io/) ingress gateway acts as an entry point for the incoming traffic and secures and controls access to the service mesh. It also performs routing and load balancing. Citrix ADC [CPX](https://docs.citrix.com/en-us/citrix-adc-cpx), MPX, or [VPX](https://docs.citrix.com/en-us/citrix-adc.html), can be deployed as an ingress gateway to the Istio service mesh. - -### Prerequisites - -The following prerequisites are required for deploying Citrix ADC as an Ingress Gateway in Istio service mesh: - -- Ensure that **Istio** is enabled. -- Ensure that your cluster has Kubernetes version 1.16.0 or later. -- Ensure to create secret named **nslogin** with username and password in same namespace in case of VPX/MPX . Choose the **Cluster Explorer > Storage > Secrets** in the navigation bar. - -### Important NOTE: -- Follow this [link](https://github.com/citrix/citrix-helm-charts/blob/master/examples/citrix-adc-in-istio/README.md -) to deploy Citrix ADC as an ingress gateway for application. -- For deploying Citrix ADC VPX or MPX as ingress gateway, you should establish the connectivity between Citrix ADC VPX or MPX and cluster nodes. This connectivity can be established by configuring routes on Citrix ADC as mentioned [here](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/staticrouting.md) or by deploying [Citrix Node Controller](https://github.com/citrix/citrix-k8s-node-controller). -- To use the certificate and key for authenticating access to an application using Citrix ADC Ingress Gateway. In that case, you can create a Kubernetes secret from the existing certificate and key. You can mount the Kubernetes secret as data volumes in Citrix ADC Ingress Gateway. Then specify a list of secret, volume name, mount path in subsequent fields of `SecretVolume` section: - - Go to `Edit as YAML` option and update below values . 
- ``` - secretVolumes: - - name: - secretName: - mountPath: - ``` - For more details, follow this [link](https://github.com/citrix/citrix-helm-charts/tree/master/citrix-adc-istio-ingress-gateway#using-existing-certificates-to-deploy-citrix-adc-as-an-ingress-gateway) - -- By default, gateway is configured to expose HTTP(S) services. To expose non-HTTP services, Then specify a list of port, port-name, target-port, nodeport (if applicable) in subsequent fields of `tcpPort` section. - - Go to `Edit as YAML` option and update below values. - ``` - tcpPort: - - name: - nodePort: - port: - targetPort: - ``` - For more details follow this [link](https://github.com/citrix/citrix-helm-charts/tree/master/citrix-adc-istio-ingress-gateway#exposing-services-running-on-non-http-ports) - -This catalog deploys Citrix ADC VPX, MPX, or CPX as an Ingress Gateway in the Istio service mesh. For detailed information on various deployment options,checkout this [link](https://github.com/citrix/citrix-istio-adaptor). diff --git a/charts/citrix/citrix-adc-istio-ingress-gateway/1.14.0/questions.yml b/charts/citrix/citrix-adc-istio-ingress-gateway/1.14.0/questions.yml deleted file mode 100644 index 36a7b00354..0000000000 --- a/charts/citrix/citrix-adc-istio-ingress-gateway/1.14.0/questions.yml +++ /dev/null 
@@ -1,405 +0,0 @@
-labels:
- io.rancher.certified: partner
-questions:
-- variable: citrixCPX
- required: true
- type: boolean
- default: true
- description: "Set true to use Citrix ADC CPX as ingress device. Set false to use VPX/MPX as ingress device"
- label: citrixCPX
- group: "Deployment Settings"
-- variable: secrets.name
- required: true
- type: string
- default: "nslogin"
- description: "Ensure to create nslogin secret in same namespace"
- show_if: "citrixCPX=false"
- group: "nslogin Settings"
-- variable: xDSAdaptor.image
- required: true
- type: string
- default: "quay.io/citrix/citrix-xds-adaptor:0.9.9"
- label: xDSAdaptor Image
- description: "xDSAdaptor Image to be used with version"
- group: "xDSAdaptor Settings"
-- variable: xDSAdaptor.imagePullPolicy
- required: true
- type: enum
- default: IfNotPresent
- label: xDSAdaptor imagePullPolicy
- description: "xDSAdaptor Image pull policy"
- options:
- - "Always"
- - "IfNotPresent"
- - "Never"
- group: "xDSAdaptor Settings"
-- variable: xDSAdaptor.proxyType
- required: false
- type: string
- default: "router"
- label: xDSAdaptor proxyType
- description: "xDSAdaptor proxyType type set to router by default"
- group: "xDSAdaptor Settings"
-- variable: xDSAdaptor.secureConnect
- required: true
- type: boolean
- default: true
- label: xDSAdaptor secureConnect
- description: "If this value is set to true, xDSAdaptor establishes secure gRPC channel with Istio Pilot"
- group: "xDSAdaptor Settings"
-- variable: xDSAdaptor.logLevel
- required: false
- type: enum
- default: DEBUG
- label: xDSAdaptor logLevel
- description: "xDSAdaptor logLevel"
- options:
- - "TRACE"
- - "DEBUG"
- - "INFO"
- - "WARN"
- - "ERROR"
- group: "xDSAdaptor Settings"
-- variable: xDSAdaptor.jsonLog
- required: false
- type: string
- default: "true"
- label: xDSAdaptor jsonLog
- description: "Set this argument to true if log messages are required in JSON format"
- group: "xDSAdaptor Settings"
-- variable: coe.coeURL
- required: false
- type: string
- label: coe coeURL
- description: "Name of Citrix Observability Exporter Service"
- group: "COE Settings"
-- variable: coe.coeTracing
- required: false
- type: boolean
- label: coe coeTracing
- description: "Used to send appflow transactions to Zipkin endpoint,if true ADM servicegraph (if configured) can be impacted"
- group: "COE Settings"
-- variable: istioPilot.name
- required: true
- type: string
- default: istiod
- label: istio-pilot name
- group: "istio-pilot Settings"
- description: "Name of the Istio Pilot service"
-- variable: istioPilot.namespace
- required: true
- type: string
- default: istio-system
- label: istio-pilot namespace
- description: "Namespace where Istio Pilot is running"
- group: "istio-pilot Settings"
-- variable: istioPilot.secureGrpcPort
- required: true
- type: int
- default: 15012
- label: istio-pilot secureGrpcPort
- show_if: "xDSAdaptor.secureConnect=true"
- description: "Secure GRPC port where Istio Pilot is listening"
- group: "istio-pilot Settings"
-- variable: istioPilot.insecureGrpcPort
- required: true
- type: int
- default: 15010
- show_if: "xDSAdaptor.secureConnect=false"
- label: istio-pilot insecureGrpcPort
- description: "Insecure GRPC port where Istio Pilot is listening"
- group: "istio-pilot Settings"
-- variable: istioPilot.SAN
- required: false
- type: string
- default:
- label: istio-pilot SAN
- description: "Subject alternative name for Istio Pilot which is (SPIFFE) ID of Istio Pilot"
- show_if: "xDSAdaptor.secureConnect=true"
- group: "istio-pilot Settings"
-- variable: ingressGateway.netscalerUrl
- required: true
- type: string
- default:
- label: ingressGateway netscalerUrl
- description: "URL or IP address of the Citrix ADC which Istio-adaptor configures (Mandatory if citrixCPX=false)"
- show_if: "citrixCPX=false"
- group: "ingressGateway Settings"
-- variable: ingressGateway.image
- required: true
- type: string
- default: "quay.io/citrix/citrix-k8s-cpx-ingress:13.0-79.64"
- label: ingressGateway Image
- description: "ingressGateway image to be used"
- group: "ingressGateway Settings"
-- variable: ingressGateway.imagePullPolicy
- required: true
- type: enum
- default: IfNotPresent
- label: ingressGateway imagePullPolicy
- description: Ingress-gateway Image pull policy
- group: "ingressGateway Settings"
- options:
- - "Always"
- - "IfNotPresent"
- - "Never"
-- variable: ingressGateway.EULA
- required: true
- type: enum
- description: "End user license agreement (read EULA before accepting it yes)"
- label: ingressGateway EULA
- options:
- - "YES"
- - "NO"
- group: "ingressGateway Settings"
-- variable: ingressGateway.mgmtHttpPort
- required: true
- type: int
- default: 10080
- label: ingressGateway mgmtHttpPort
- description: "Management port of the Citrix ADC CPX"
- show_if: "citrixCPX=true"
- group: "ingressGateway Settings"
-- variable: ingressGateway.mgmtHttpsPort
- required: true
- type: int
- default: 10443
- show_if: "citrixCPX=true"
- label: ingressGateway mgmtHttpsPort
- description: "Secure management port of Citrix ADC CPX"
- group: "ingressGateway Settings"
-- variable: ingressGateway.httpNodePort
- required: true
- type: int
- default: 30180
- show_if: "citrixCPX=true"
- label: ingressGateway httpNodePort
- description: "Port on host machine which is used to expose HTTP port of Citrix ADC CPX"
- group: "ingressGateway Settings"
-- variable: ingressGateway.httpsNodePort
- required: true
- type: int
- default: 31443
- show_if: "citrixCPX=true"
- label: ingressGateway httpsNodePort
- description: "Port on host machine which is used to expose HTTPS port of Citrix ADC CPX"
- group: "ingressGateway Settings"
-- variable: ingressGateway.nodePortRequired
- required: true
- type: boolean
- default: true
- label: ingressGateway nodePortRequired
- description: "Set this argument if servicetype to be NodePort of Citrix ADC CPX, else it will be loadbalancer type"
- group: "ingressGateway Settings"
-- variable: ingressGateway.lightWeightCPX
- required: false
- type: int
- default: 1
- show_if: "citrixCPX=true"
- label: ingressGateway lightWeightCPX
- description: "Set this argument if lighter version of Citrix ADC CPX used"
- group: "ingressGateway Settings"
-- variable: ingressGateway.label
- required: true
- type: string
- default: "citrix-ingressgateway"
- label: ingressGateway label
- description: "Custom label for the Ingress Gateway service"
- group: "ingressGateway Settings"
-- variable: ingressGateway.vserverIP
- required: true
- type: string
- default: "nsip"
- show_if: "citrixCPX=false"
- label: ingressGateway vserverIP
- description: "Virtual server IP address on Citrix ADC"
- group: "ingressGateway Settings"
-- variable: ingressGateway.adcServerName
- required: false
- type: string
- default:
- label: ingressGateway adcServerName
- description: "Citrix ADC ServerName used in the Citrix ADC certificate"
- group: "ingressGateway Settings"
-- variable: ingressGateway.netProfile
- required: false
- type: string
- default:
- label: ingressGateway netProfile
- description: "Network profile name used to configure Citrix ADC VPX or MPX which is deployed as Ingress Gateway"
- show_if: "citrixCPX=false"
- group: "ingressGateway Settings"
-- variable: ingressGateway.multiClusterIngress
- required: false
- type: boolean
- default: false
- label: ingressGateway multiClusterIngress
- description: "Flag indicating if Citrix ADC is acting as Ingress gateway to multi cluster Istio mesh installation"
- group: "ingressGateway Settings"
-- variable: ingressGateway.multiClusterListenerPort
- required: true
- type: int
- default: 15443
- label: ingressGateway multiClusterListenerPort
- description: "Port opened on Citrix ADC to enable inter-cluster service to service (E-W) communication"
- show_if: "ingressGateway.multiClusterIngress=true"
- group: "ingressGateway Settings"
-- variable: ingressGateway.multiClusterListenerNodePort
- required: true
- type: int
- default: 15443
- label: ingressGateway multiClusterListenerNodePort
- description: "Nodeport for multiClusterListenerPort in case of Citrix ADC CPX acting as Ingress gateway"
- show_if: "ingressGateway.multiClusterIngress=true"
- group: "ingressGateway Settings"
-- variable: ingressGateway.multiClusterSvcDomain
- required: true
- type: string
- default: global
- label: ingressGateway multiClusterSvcDomain
- description: "Domain suffix of remote service (deployed in other cluster) used in E-W communication"
- show_if: "ingressGateway.multiClusterIngress=true"
- group: "ingressGateway Settings"
-- variable: metricExporter.required
- required: false
- type: boolean
- default: true
- label: Exporter required
- description: "Metrics exporter for Citrix ADC"
- group: "metricExporter Settings"
-- variable: metricExporter.image
- required: true
- type: string
- default: "quay.io/citrix/citrix-adc-metrics-exporter:1.4.8"
- label: Exporter Image
- description: "Exporter Image to be used with version"
- show_if: "metricExporter.required=true"
- group: "metricExporter Settings"
-- variable: metricExporter.port
- required: true
- type: int
- default: 8888
- label: metricExporter Port
- show_if: "metricExporter.required=true"
- group: "metricExporter Settings"
-- variable: metricExporter.logLevel
- required: true
- type: enum
- default: ERROR
- label: metricExporter logLevel
- show_if: "metricExporter.required=true"
- group: "metricExporter Settings"
- options:
- - "DEBUG"
- - "INFO"
- - "WARNING"
- - "ERROR"
- - "TRACE"
-- variable: metricExporter.imagePullPolicy
- required: true
- type: enum
- default: IfNotPresent
- label: metricExporter imagePullPolicy
- description: "Exporter Image pull policy"
- show_if: "metricExporter.required=true"
- group: "metricExporter Settings"
- options:
- - "Always"
- - "IfNotPresent"
- - "Never"
-- variable: certProvider.caAddr
- required: true
- type: string
- default: "istiod.istio-system.svc"
- label: certProvider caAddr
- description: "Certificate Authority (CA) address issuing certificate to application"
- group: "certProvider Settings"
-- variable: certProvider.caPort
- required: true
- type: int
- default: 15012
- label: certProvider caPort
- description: "Certificate Authority (CA) port issuing certificate to application"
- group: "certProvider Settings"
-- variable: certProvider.trustDomain
- required: true
- type: string
- default: "cluster.local"
- label: certProvider trustDomain
- description: "SPIFFE Trust Domain"
- group: "certProvider Settings"
-- variable: certProvider.certTTLinHours
- required: true
- type: int
- default: 720
- label: certProvider certTTLinHours
- description: "Validity of certificate generated by xds-adaptor and signed by Istiod (Istio Citadel) in hours."
- group: "certProvider Settings"
-- variable: certProvider.clusterId
- required: true
- type: string
- default: "Kubernetes"
- label: certProvider clusterId
- description: "clusterId is the ID of the cluster where Istiod CA instance resides (default Kubernetes). It can be different value on some cloud platforms or in m
-ulticluster environments. For example, in Anthos servicemesh, it might be of the format of `cn--`. In multiCluster environments, it is the val
-ue of global.multiCluster.clusterName provided during servicemesh control plane installation"
- group: "certProvider Settings"
-- variable: certProvider.jwtPolicy
- required: true
- type: enum
- default: "first-party-jwt"
- label: certProvider jwtPolicy
- description: "Kubernetes platform supports First party tokens and Third party tokens"
- options:
- - "first-party-jwt"
- - "third-party-jwt"
- group: "certProvider Settings"
-- variable: ADMSettings.ADMIP
- required: false
- type: string
- default:
- label: ADMSettings ADMIP
- description: "Citrix Application Delivery Management (ADM) IP address"
- group: "ADMSettings Settings"
-- variable: ADMSettings.licenseServerIP
- required: false
- type: string
- default:
- label: ADMSettings licenseServerIP
- description: "Citrix License Server IP address"
- group: "ADMSettings Settings"
-- variable: ADMSettings.licenseServerPort
- required: false
- type: int
- default: 27000
- label: ADMSettings licenseServerPort
- description: "Citrix ADM port if a non-default port is used"
- group: "ADMSettings Settings"
-- variable: ADMSettings.bandWidthLicense
- required: false
- type: boolean
- default: false
- label: ADMSettings bandWidthLicense
- description: "To specify bandwidth based licensing"
- group: "ADMSettings Settings"
-- variable: ADMSettings.bandWidth
- required: false
- type: string
- default:
- label: ADMSettings bandWidth
- description: "Desired bandwidth capacity to be set for Citrix ADC CPX in Mbps"
- group: "ADMSettings Settings"
-- variable: ADMSettings.vCPULicense
- required: false
- type: boolean
- default: "false"
- label: ADMSettings vCPULicense
- description: "To specify vCPULicense based licensing"
- group: "ADMSettings Settings"
-- variable: ADMSettings.cpxCores
- required: false
- type: string
- default:
- label: ADMSettings cpxCores
- description: "To specify cpxCores in licensing"
- group: "ADMSettings Settings"
diff --git a/charts/citrix/citrix-adc-istio-ingress-gateway/1.14.0/templates/_helpers.tpl b/charts/citrix/citrix-adc-istio-ingress-gateway/1.14.0/templates/_helpers.tpl
deleted file mode 100644
index be79f4f8ce..0000000000
--- a/charts/citrix/citrix-adc-istio-ingress-gateway/1.14.0/templates/_helpers.tpl
+++ /dev/null
@@ -1,53 +0,0 @@
-{{- define "exporter_nsip" -}}
-{{- $match := .Values.ingressGateway.netscalerUrl | toString | regexFind "//.*[:]*" -}}
-{{- $match | trimAll ":" | trimAll "/" -}}
-{{- end -}}
-
-{{/* A common function to generate name of the resource.
- * Usage: {{ template "generate-name" (list . (dict "suffixname" "citrix-deployment")) }}
- * In above example, arguments are given in the list.
- * First one is `.` indicating global chart-level scope.
- * Second argument name is `suffixname` and value is `citrix-deployment`.
- * If release name is `my-release`, then generate-name function would output "my-release-citrix-deployment".
- * The function truncates name to 63 chars due to Kubernetes name length restrictions
-*/}}
-{{- define "generate-name" -}}
-{{- $top := index . 0 -}}
-{{- $arg1 := index . 1 "suffixname" -}}
-{{- printf "%s-%s" $top.Release.Name $arg1 | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/* Another common function to generate name of the resource.
- * Usage: {{ template "generate-name" (list . "citrix-deployment") }}
- * In above example, arguments are given in the list.
- * First one is `.` indicating global chart-level scope.
- * Second argument is unnamed and takes value as `citrix-deployment`.
- * If release name is `my-release`, then generate-name function would output "my-release-citrix-deployment".
- * The function truncates name to 63 chars due to Kubernetes name length restrictions
-*/}}
-{{- define "generate-name2" -}}
-{{- $top := index . 0 -}}
-{{- $arg1 := index . 1 -}}
-{{- printf "%s-%s" $top.Release.Name $arg1 | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/* Below function is used to identify default value of jwtPolicy if not provided.
- * For on-prem Kubernetes v1.21+, it is third-party-jwt. Else first-party-jwt.
- * Note: Don't just do "helm template" to generate yaml file. Else https://github.com/helm/helm/issues/7991
- * is possible. Use "helm template --validate" or "helm install --dry-run --debug".
- * Note2: For cloud environments, semverCompare should be ideally done with "<1.21.x-x" as
- * Kubernetes version is generally of the format v1.20.7-eks-xxxxxx. So, it fails the "v1.21.x" check but that's fine
- * as in cloud environments third-party-jwt is enabled.
-*/}}
-
-{{- define "jwtValue" -}}
-{{- if .Values.certProvider.jwtPolicy -}}
-{{- printf .Values.certProvider.jwtPolicy -}}
-{{- else -}}
-{{- if semverCompare "<1.21.x" .Capabilities.KubeVersion.Version -}}
-{{- printf "first-party-jwt" -}}
-{{- else -}}
-{{- printf "third-party-jwt" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
\ No newline at end of file
diff --git a/charts/citrix/citrix-adc-istio-ingress-gateway/1.14.0/templates/citrix-adc-ingressgateway-deployment.yaml b/charts/citrix/citrix-adc-istio-ingress-gateway/1.14.0/templates/citrix-adc-ingressgateway-deployment.yaml
deleted file mode 100644
index 8d80e572ef..0000000000
--- a/charts/citrix/citrix-adc-istio-ingress-gateway/1.14.0/templates/citrix-adc-ingressgateway-deployment.yaml
+++ /dev/null
@@ -1,571 +0,0 @@ -{{- if eq .Values.citrixCPX true }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "generate-name" (list . (dict "suffixname" "ingress-deployment")) }} - namespace: {{ .Release.Namespace }} - labels: - app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} - deployment: "cpx-ingressgateway" # This label is useful in ServiceGraph -spec: - replicas: 1 - selector: - matchLabels: - app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} - template: - metadata: - labels: - app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} - citrix.com/no.sidecar: "true" - adc: "citrix" - deployment: "cpx-ingressgateway" # This label is useful in ServiceGraph - annotations: - scheduler.alpha.kubernetes.io/critical-pod: "" - prometheus.io/port: "{{ .Values.metricExporter.port }}" - prometheus.io/scrape: "true" - spec: - volumes: - - name: citrix-ingressgateway-certs - secret: - optional: true - secretName: "citrix-ingressgateway-certs" # IMPORTANT: This secret MUST BE created before deploying gateway and ingress-gateway - - name: citrix-ingressgateway-ca-certs - secret: - optional: true - secretName: "citrix-ingressgateway-ca-certs" # IMPORTANT: This secret MUST BE created before deploying gateway and ingress-gateway - - name: podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - {{- range .Values.ingressGateway.secretVolumes }} - - name: {{ .name }} - secret: - secretName: {{ .secretName | quote }} - optional: true - {{- end }} - - name: cpx-conf - emptyDir: {} - - name: cpx-crash - emptyDir: {} - - name: cpx-pwd - emptyDir: {} - - name: certs - emptyDir: {} -{{- $jwtpolicy := include "jwtValue" . 
}} -{{- if eq $jwtpolicy "third-party-jwt" }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: istio-ca - expirationSeconds: 43200 - path: istio-token -{{- end }} - - name: istiod-ca-cert - configMap: - defaultMode: 0777 - name: istio-ca-root-cert - securityContext: - fsGroup: 32024 - containers: -{{- if eq .Values.metricExporter.required true }} - - name: exporter - image: {{ tpl .Values.metricExporter.image . }} - imagePullPolicy: IfNotPresent - args: - - "--target-nsip=127.0.0.1" - - "--port={{ .Values.metricExporter.port }}" - - "--log-level={{ .Values.metricExporter.logLevel }}" - - "--secure=no" - env: - - name: "NS_DEPLOYMENT_MODE" - value: "SIDECAR" - securityContext: - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /var/deviceinfo - name: cpx-pwd -{{- end }} - - name: istio-adaptor - image: {{ tpl .Values.xDSAdaptor.image . }} - imagePullPolicy: {{ .Values.xDSAdaptor.imagePullPolicy }} - args: - - -ads-server -{{- if eq .Values.xDSAdaptor.secureConnect true }} - - {{ .Values.istioPilot.name}}.{{ .Values.istioPilot.namespace }}.svc:{{ .Values.istioPilot.secureGrpcPort }} # istiod.istio-system.svc:15012 -{{- else }} - - {{ .Values.istioPilot.name}}.{{ .Values.istioPilot.namespace }}.svc:{{ .Values.istioPilot.insecureGrpcPort }} # istiod.istio-system.svc:15010 -{{- end }} - - -istio-proxy-type - - {{ .Values.xDSAdaptor.proxyType | default "router" | quote }} -{{- if .Values.istioPilot.SAN }} - - -ads-server-SAN - - {{ .Values.istioPilot.SAN | default "" }} -{{- end }} - - -ads-secure-connect={{ .Values.xDSAdaptor.secureConnect }} - - -citrix-adc - - "http://127.0.0.1" - - -citrix-adc-vip - - "nsip" - - -citrix-adc-password - - "/var/deviceinfo/random_id" -{{- if .Values.ADMSettings.ADMIP }} - - -citrix-adm - - {{ .Values.ADMSettings.ADMIP }} -{{- end }} -{{- if .Values.ingressGateway.cpxLicenseAggregator }} - - -citrix-license-server - - {{ .Values.ingressGateway.cpxLicenseAggregator }} -{{- else if 
.Values.ADMSettings.licenseServerIP }} - - -citrix-license-server - - {{ .Values.ADMSettings.licenseServerIP }} -{{- end }} -{{- if .Values.coe.coeURL }} - - -coe - - {{ .Values.coe.coeURL }} -{{- end }} - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: APPLICATION_NAME - valueFrom: - fieldRef: - fieldPath: metadata.labels['app'] - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.serviceAccountName -{{- if .Values.certProvider.caAddr }} - - name: CA_ADDR - value: {{ .Values.certProvider.caAddr }}:{{ .Values.certProvider.caPort}} #istiod.istio-system.svc:15012 - - name: TRUST_DOMAIN - value: {{ .Values.certProvider.trustDomain }} #cluster.local - - name: CLUSTER_ID - value: {{ .Values.certProvider.clusterId }} #Kubernetes - - name: CERT_TTL_IN_HOURS - value: {{ .Values.certProvider.certTTLinHours | quote }} - - name: JWT_POLICY - value: {{ include "jwtValue" . 
| quote }} # If value not provided then third-party-jwt for v>=1.21 otherwise first-party-jwt -{{- end }} -{{- if eq .Values.ingressGateway.multiClusterIngress true }} - - name: MULTICLUSTER_INGRESS - value: "TRUE" - - name: MULTICLUSTER_LISTENER_PORT - value: {{ .Values.ingressGateway.multiClusterListenerPort | quote}} - - name: MULTICLUSTER_SVC_DOMAIN - value: {{ printf "'*.%s'" .Values.ingressGateway.multiClusterSvcDomain }} -{{- end }} -{{- if eq .Values.coe.coeTracing true }} - - name: COE_TRACING - value: "TRUE" -{{- end }} - - name: LOGLEVEL - value: {{ .Values.xDSAdaptor.logLevel | default "DEBUG" | quote }} -{{- if eq .Values.xDSAdaptor.jsonLog true }} - - name: JSONLOG - value: "TRUE" - -{{- end }} - - name: ENABLE_LABELS_FEATURE - value: {{ .Values.ingressGateway.enableLabelsFeature | quote }} -{{- if eq .Values.xDSAdaptor.defaultSSLListenerOn443 true }} - - name: DEFAULT_SSL_LISTENER_ON_443 - value: "TRUE" -{{- end }} - securityContext: - readOnlyRootFilesystem: true - runAsGroup: 32024 - runAsUser: 32024 # UID of istio-adaptor container's user - volumeMounts: - - mountPath: /var/deviceinfo - name: cpx-pwd -{{- $jwtpolicy := include "jwtValue" . 
}} -{{- if eq $jwtpolicy "third-party-jwt" }} - - mountPath: /var/run/secrets/tokens - name: istio-token -{{- end }} - - mountPath: /etc/certs - name: certs - - name: istiod-ca-cert - mountPath: /etc/rootcert/ - - mountPath: /etc/istio/ingressgateway-certs # Make sure that Gateway definition has this path mentioned in server.tls section for SIMPLE TLS - name: citrix-ingressgateway-certs - readOnly: true - - mountPath: /etc/istio/ingressgateway-ca-certs # Make sure that Gateway definition has this path mentioned in server.tls section for MUTUAL TLS - name: citrix-ingressgateway-ca-certs - readOnly: true - - mountPath: /etc/podinfo - name: podinfo - {{- range .Values.ingressGateway.secretVolumes }} - - name: {{ .name }} - mountPath: {{ .mountPath | quote }} - readOnly: true - {{- end }} - - name: citrix-ingressgateway - image: "{{ tpl .Values.ingressGateway.image . }}" - imagePullPolicy: {{ .Values.ingressGateway.imagePullPolicy }} - securityContext: - privileged: true - ports: - - containerPort: 80 - - containerPort: 443 -{{- if .Values.ingressGateway.mgmtHttpPort }} - - containerPort: {{ .Values.ingressGateway.mgmtHttpPort }} -{{- end }} -{{- if .Values.ingressGateway.mgmtHttpsPort }} - - containerPort: {{ .Values.ingressGateway.mgmtHttpsPort }} -{{- end }} -{{- range .Values.ingressGateway.tcpPort }} - - containerPort: {{ .port }} -{{- end }} - volumeMounts: - - mountPath: /cpx/conf/ - name: cpx-conf - - mountPath: /cpx/crash/ - name: cpx-crash - - mountPath: /var/deviceinfo - name: cpx-pwd - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace -{{- if .Values.ingressGateway.cpxLicenseAggregator }} - - name: "CLA" - value: "{{ .Values.ingressGateway.cpxLicenseAggregator }}" -{{- else if .Values.ADMSettings.licenseServerIP }} - - name: "LS_IP" - value: {{ .Values.ADMSettings.licenseServerIP }} - - name: "LS_PORT" - value: "{{ .Values.ADMSettings.licenseServerPort 
}}" -{{- end }} - - name: "EULA" - value: "{{ .Values.ingressGateway.EULA }}" -{{- if .Values.metricExporter.required }} - - name: "METRICS_EXPORTER_PORT" - value: "{{ .Values.metricExporter.port }}" -{{- end }} - - name: "MGMT_HTTP_PORT" - value: "{{ .Values.ingressGateway.mgmtHttpPort }}" - - name: "MGMT_HTTPS_PORT" - value: "{{ .Values.ingressGateway.mgmtHttpsPort }}" -{{- if .Values.ingressGateway.lightWeightCPX }} - - name: "NS_CPX_LITE" - value: "1" -{{- end }} -{{- if or .Values.coe.coeURL .Values.ADMSettings.ADMIP }} - - name: "NS_ENABLE_NEWNSLOG" - value: "1" -{{- end }} - - name: "KUBERNETES_TASK_ID" - value: "" -{{- if .Values.ADMSettings.ADMIP }} - - name: "NS_MGMT_SERVER" - value: {{ .Values.ADMSettings.ADMIP | quote }} - - name: "NS_HTTP_PORT" - value: {{ .Values.ingressGateway.mgmtHttpPort | quote }} - - name: "NS_HTTPS_PORT" - value: {{ .Values.ingressGateway.mgmtHttpsPort | quote }} - - name: "ANALYTICS_SERVER" - value: {{ .Values.ADMSettings.ADMIP | quote }} - - name: "ANALYTICS_SERVER_PORT" - value: {{ .Values.ADMSettings.analyticsServerPort | quote }} -{{- end }} - - name: "LOGSTREAM_COLLECTOR_IP" - value: {{ .Values.ADMSettings.ADMIP | default "" | quote }} -#Need to set env var BANDWIDTH in order to provide Bandwidth license to Citrix ADC CPX from ADM or CPX License Aggregator -{{- if and ( or ( .Values.ADMSettings.licenseServerIP ) ( .Values.ingressGateway.cpxLicenseAggregator ) ) ( eq .Values.ADMSettings.bandWidthLicense true ) }} - - name: "BANDWIDTH" - value: {{ .Values.ADMSettings.bandWidth | quote }} -{{- end }} -#for multiple-PE support, need to set CPX_CORES -{{- if or .Values.ADMSettings.licenseServerIP .Values.ingressGateway.cpxLicenseAggregator }} -{{- if or ( eq .Values.ADMSettings.vCPULicense true ) ( eq .Values.ADMSettings.bandWidthLicense true ) }} - - name: "CPX_CORES" - value: {{ .Values.ADMSettings.cpxCores | default 1 | quote }} -{{- end }} -{{- end }} - - name: "EDITION" - value: {{ .Values.ADMSettings.licenseEdition | 
quote }} -{{- if or (.Values.ADMSettings.ADMIP) (.Values.ADMSettings.licenseServerIP) }} - - name: NS_MGMT_USER - valueFrom: - secretKeyRef: - name: admlogin - key: username - - name: NS_MGMT_PASS - valueFrom: - secretKeyRef: - name: admlogin - key: password -{{- end }} ---- -{{ else }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "generate-name" (list . (dict "suffixname" "ingress-deployment")) }} - namespace: {{ .Release.Namespace }} - labels: - app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} -spec: - replicas: 1 - selector: - matchLabels: - app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} - template: - metadata: - labels: - app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} - citrix.com/no.sidecar: "true" - adc: "citrix" - annotations: - scheduler.alpha.kubernetes.io/critical-pod: "" - prometheus.io/port: "{{ .Values.metricExporter.port }}" - prometheus.io/scrape: "true" - spec: - containers: -{{- if eq .Values.metricExporter.required true }} - - name: exporter - image: {{ tpl .Values.metricExporter.image . }} - imagePullPolicy: {{ .Values.metricExporter.imagePullPolicy }} - args: - - "--target-nsip={{- include "exporter_nsip" . -}}" - - "--port={{ .Values.metricExporter.port }}" - - "--secure={{ .Values.metricExporter.secure | lower}}" - - "--log-level={{ .Values.metricExporter.logLevel }}" - securityContext: - readOnlyRootFilesystem: true - volumeMounts: - - name: nslogin - mountPath: "/mnt/nslogin" - readOnly: true -{{- end }} - - name: istio-adaptor - image: {{ tpl .Values.xDSAdaptor.image . 
}} - imagePullPolicy: {{ .Values.xDSAdaptor.imagePullPolicy }} - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: APPLICATION_NAME - valueFrom: - fieldRef: - fieldPath: metadata.labels['app'] - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.serviceAccountName -{{- if .Values.certProvider.caAddr }} - - name: CA_ADDR - value: {{ .Values.certProvider.caAddr }}:{{ .Values.certProvider.caPort}} #istiod.istio-system.svc:15012 - - name: TRUST_DOMAIN - value: {{ .Values.certProvider.trustDomain }} #cluster.local - - name: CLUSTER_ID - value: {{ .Values.certProvider.clusterId }} #Kubernetes - - name: CERT_TTL_IN_HOURS - value: {{ .Values.certProvider.certTTLinHours | quote }} - - name: JWT_POLICY - value: {{ include "jwtValue" . 
| quote }} # third-party-jwt if Kubernetes cluster supports third-party tokens -{{- end }} -{{- if eq .Values.ingressGateway.multiClusterIngress true }} - - name: MULTICLUSTER_INGRESS - value: "TRUE" - - name: MULTICLUSTER_LISTENER_PORT - value: {{ .Values.ingressGateway.multiClusterListenerPort | quote}} - - name: MULTICLUSTER_SVC_DOMAIN - value: {{ printf "'*.%s'" .Values.ingressGateway.multiClusterSvcDomain }} -{{- end }} -{{- if eq .Values.coe.coeTracing true }} - - name: COE_TRACING - value: "TRUE" -{{- end }} - - name: LOGLEVEL - value: {{ .Values.xDSAdaptor.logLevel | default "DEBUG" | quote }} -{{- if eq .Values.xDSAdaptor.jsonLog true }} - - name: JSONLOG - value: "TRUE" -{{- end }} - - name: ENABLE_LABELS_FEATURE - value: "FALSE" -{{- if eq .Values.xDSAdaptor.defaultSSLListenerOn443 true }} - - name: DEFAULT_SSL_LISTENER_ON_443 - value: "TRUE" -{{- end }} - - name: NS_USER - valueFrom: - secretKeyRef: - name: {{ .Values.secretName }} - key: username - - name: NS_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Values.secretName }} - key: password - args: - - -ads-server -{{- if eq .Values.xDSAdaptor.secureConnect true }} - - {{ .Values.istioPilot.name}}.{{ .Values.istioPilot.namespace }}.svc:{{ .Values.istioPilot.secureGrpcPort }} # istiod.istio-system.svc:15012 -{{- else }} - - {{ .Values.istioPilot.name}}.{{ .Values.istioPilot.namespace }}.svc:{{ .Values.istioPilot.insecureGrpcPort }} # istiod.istio-system.svc:15010 -{{- end }} - - -istio-proxy-type - - {{ .Values.xDSAdaptor.proxyType | default "router" | quote }} -{{- if .Values.istioPilot.SAN }} - - -ads-server-SAN - - {{ .Values.istioPilot.SAN | default "" }} -{{- end }} - - -ads-secure-connect={{ .Values.xDSAdaptor.secureConnect }} - - -citrix-adc - - {{ required "Mention Citrix ADC IP/URL in https://[:port] format" .Values.ingressGateway.netscalerUrl }} - - -citrix-adc-vip - - {{ required "Mention Vserver IP to be configured on Citrix ADC" .Values.ingressGateway.vserverIP }} - - -citrix-adc-user - 
- "/etc/nslogin/username" - - -citrix-adc-password - - "/etc/nslogin/password" - # If using VPX/MPX as Ingress gateway, then specify the network profile name - # which was provided to Citrix Node Controller (CNC) -{{- if .Values.ingressGateway.netProfile }} - - -citrix-adc-net-profile - - {{ .Values.ingressGateway.netProfile }} -{{- end }} - - -citrix-adm - - "" -{{- if .Values.coe.coeURL }} - - -coe - - {{ .Values.coe.coeURL }} -{{- end }} -{{- if .Values.ingressGateway.adcServerName }} - - -citrix-adc-server-name - - {{ .Values.ingressGateway.adcServerName }} - - -citrix-adc-server-ca - - "/etc/nitro/root-cert.pem" -{{- end }} - securityContext: - readOnlyRootFilesystem: true - runAsGroup: 32024 - runAsUser: 32024 # UID of istio-adaptor container's user - volumeMounts: - - mountPath: /etc/certs - name: certs - - name: istiod-ca-cert - mountPath: /etc/rootcert/ -{{- $jwtpolicy := include "jwtValue" . }} -{{- if eq $jwtpolicy "third-party-jwt" }} - - mountPath: /var/run/secrets/tokens - name: istio-token -{{- end }} - - mountPath: /etc/nslogin - name: nslogin - readOnly: true - - mountPath: /etc/istio/ingressgateway-certs # Make sure that Gateway definition has this path mentioned in server.tls section for SIMPLE TLS - name: citrix-ingressgateway-certs - readOnly: true - - mountPath: /etc/istio/ingressgateway-ca-certs # Make sure that Gateway definition has this path mentioned in server.tls section for MUTUAL TLS - name: citrix-ingressgateway-ca-certs - readOnly: true - - mountPath: /etc/podinfo - name: podinfo - {{- range .Values.ingressGateway.secretVolumes }} - - name: {{ .name }} - mountPath: {{ .mountPath | quote }} - readOnly: true - {{- end }} -{{- if .Values.ingressGateway.adcServerName }} - - mountPath: /etc/nitro/ - name: citrix-adc-cert - readOnly: true -{{- end }} - securityContext: - fsGroup: 32024 - volumes: - - name: nslogin - secret: - optional: true - secretName: {{ .Values.secretName }} - - name: certs - emptyDir: {} - - name: istiod-ca-cert - 
configMap: - defaultMode: 0777 - name: istio-ca-root-cert - - name: citrix-ingressgateway-certs - secret: - optional: true - secretName: "citrix-ingressgateway-certs" # IMPORTANT: This secret MUST BE created before deploying gateway and ingress-gateway - - name: citrix-ingressgateway-ca-certs - secret: - optional: true - secretName: "citrix-ingressgateway-ca-certs" # IMPORTANT: This secret MUST BE created before deploying gateway and ingress-gateway - - name: podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - {{- range .Values.ingressGateway.secretVolumes }} - - name: {{ .name }} - secret: - secretName: {{ .secretName | quote }} - optional: true - {{- end }} -{{- if .Values.ingressGateway.adcServerName }} - - name: citrix-adc-cert - secret: - optional: true - secretName: "citrix-adc-cert" # IMPORTANT: This secret MUST BE created before deploying gateway and ingress-gateway -{{- end }} -{{- $jwtpolicy := include "jwtValue" . }} -{{- if eq $jwtpolicy "third-party-jwt" }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: istio-ca - expirationSeconds: 43200 - path: istio-token -{{- end }} ---- -{{- end}} diff --git a/charts/citrix/citrix-adc-istio-ingress-gateway/1.14.0/templates/citrix-multicluster-gateway.yaml b/charts/citrix/citrix-adc-istio-ingress-gateway/1.14.0/templates/citrix-multicluster-gateway.yaml deleted file mode 100644 index ae40331fe4..0000000000 --- a/charts/citrix/citrix-adc-istio-ingress-gateway/1.14.0/templates/citrix-multicluster-gateway.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -{{- if eq .Values.ingressGateway.multiClusterIngress true }} -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - annotations: - labels: - app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} -{{- if eq .Values.citrixCPX true }} - deployment: "cpx-ingressgateway" # This label is useful in ServiceGraph -{{- end }} - name: citrix-multicluster-ingressgateway - namespace: {{ .Release.Namespace }} -spec: - selector: - app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} - servers: - - port: - name: tls-mc-port - number: {{ .Values.ingressGateway.multiClusterListenerPort }} - protocol: tls - tls: - mode: PASSTHROUGH - hosts: - - {{ printf "'*.%s'" .Values.ingressGateway.multiClusterSvcDomain }} ---- -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: citrix-multicluster-ingressgateway -spec: - hosts: - - {{ printf "'*.%s'" .Values.ingressGateway.multiClusterSvcDomain }} - gateways: - - citrix-multicluster-ingressgateway - tls: - - match: - - port: {{ .Values.ingressGateway.multiClusterListenerPort }} - sniHosts: - - {{ printf "'*.%s'" .Values.ingressGateway.multiClusterSvcDomain }} - route: - - destination: - host: {{ template "generate-name" (list . (dict "suffixname" "citrix-ingress-svc")) }} - port: - number: {{ .Values.ingressGateway.multiClusterListenerPort }} ---- -{{- end }} \ No newline at end of file diff --git a/charts/citrix/citrix-adc-istio-ingress-gateway/1.14.0/templates/ingressgateway-service.yaml b/charts/citrix/citrix-adc-istio-ingress-gateway/1.14.0/templates/ingressgateway-service.yaml deleted file mode 100644 index 38ad4f7bd7..0000000000 --- a/charts/citrix/citrix-adc-istio-ingress-gateway/1.14.0/templates/ingressgateway-service.yaml +++ /dev/null 
@@ -1,76 +0,0 @@ -{{- if eq .Values.citrixCPX true }} -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler -metadata: - name: {{ template "generate-name" (list . (dict "suffixname" "citrix-ingress-hpa")) }} - namespace: {{ .Release.Namespace }} -spec: - maxReplicas: 1 - minReplicas: 1 - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{ template "generate-name" (list . (dict "suffixname" "ingress-deployment")) }} - metrics: - - type: Resource - resource: - name: cpu - targetAverageUtilization: 60 ---- -{{- end }} -apiVersion: v1 -kind: Service -metadata: - name: {{ template "generate-name" (list . (dict "suffixname" "citrix-ingress-svc")) }} - namespace: {{ .Release.Namespace }} - annotations: - labels: - app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} -{{- if eq .Values.citrixCPX true }} - deployment: "cpx-ingressgateway" # This label is useful in ServiceGraph -{{- end }} -spec: -{{- if eq .Values.citrixCPX true }} -{{- if eq .Values.ingressGateway.nodePortRequired true }} - type: NodePort -{{- else }} - type: LoadBalancer -{{- end }} -{{- end }} - selector: - app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} - ports: - - - name: http2 -{{- if eq .Values.citrixCPX true }} - nodePort: {{ .Values.ingressGateway.httpNodePort }} -{{- end }} - port: 80 - targetPort: 80 - - - name: https -{{- if eq .Values.citrixCPX true }} - nodePort: {{ .Values.ingressGateway.httpsNodePort }} -{{- end }} - port: 443 - targetPort: 443 -{{- if eq .Values.ingressGateway.multiClusterIngress true }} - - - name: multicluster -{{- if eq .Values.citrixCPX true }} - nodePort: {{ .Values.ingressGateway.multiClusterListenerNodePort }} -{{- end }} - port: {{ .Values.ingressGateway.multiClusterListenerPort }} - targetPort: {{ .Values.ingressGateway.multiClusterListenerPort }} -{{- end }} -{{- $isCPX := .Values.citrixCPX }} -{{- range .Values.ingressGateway.tcpPort }} - - - name: {{ .name }} -{{- if eq $isCPX true }} - 
nodePort: {{ .nodePort }} -{{- end }} - port: {{ .port }} - targetPort: {{ .targetPort }} -{{- end }} ---- diff --git a/charts/citrix/citrix-adc-istio-ingress-gateway/1.14.0/templates/metrics-exporter-service.yaml b/charts/citrix/citrix-adc-istio-ingress-gateway/1.14.0/templates/metrics-exporter-service.yaml deleted file mode 100644 index 4448ad191d..0000000000 --- a/charts/citrix/citrix-adc-istio-ingress-gateway/1.14.0/templates/metrics-exporter-service.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{- if eq .Values.metricExporter.required true }} -kind: Service -apiVersion: v1 -metadata: - name: {{ template "generate-name" (list . (dict "suffixname" "citrix-exporter-svc")) }} - namespace: {{ .Release.Namespace }} - annotations: - labels: - service-type: citrix-adc-monitor -spec: - selector: - app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} - ports: - - name: exporter-port - port: {{ .Values.metricExporter.port }} - targetPort: {{ .Values.metricExporter.port }} ---- -{{- end }} diff --git a/charts/citrix/citrix-adc-istio-ingress-gateway/1.14.0/values.yaml b/charts/citrix/citrix-adc-istio-ingress-gateway/1.14.0/values.yaml deleted file mode 100644 index 123e6d4814..0000000000 --- a/charts/citrix/citrix-adc-istio-ingress-gateway/1.14.0/values.yaml +++ /dev/null 
@@ -1,88 +0,0 @@ -# Default values for citrix-adc-istio-ingress-gateway -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -citrixCPX: false - -coe: - coeURL: - coeTracing: false - -metricExporter: - required: true - imageRegistry: quay.io - imageRepository: citrix/citrix-adc-metrics-exporter - imageTag: 1.4.9 - image: "{{ .Values.metricExporter.imageRegistry }}/{{ .Values.metricExporter.imageRepository }}:{{ .Values.metricExporter.imageTag }}" - port: 8888 - secure: "YES" - logLevel: ERROR - imagePullPolicy: IfNotPresent - -xDSAdaptor: - imageRegistry: quay.io - imageRepository: citrix/citrix-xds-adaptor - imageTag: 0.10.3 - image: "{{ .Values.xDSAdaptor.imageRegistry }}/{{ .Values.xDSAdaptor.imageRepository }}:{{ .Values.xDSAdaptor.imageTag }}" - imagePullPolicy: IfNotPresent - proxyType: router - secureConnect: true - logLevel: DEBUG - jsonLog: false - defaultSSLListenerOn443: true - -istioPilot: - name: istiod - namespace: istio-system - secureGrpcPort: 15012 - insecureGrpcPort: 15010 - SAN: - -certProvider: - caAddr: istiod.istio-system.svc - caPort: 15012 - trustDomain: cluster.local - certTTLinHours: 720 - clusterId: Kubernetes - jwtPolicy: #specify third-party-jwt if Kubernetes cluster supports third-party tokens. 
Default from K8s v1.21 - -ingressGateway: - netscalerUrl: null - imageRegistry: quay.io - imageRepository: citrix/citrix-k8s-cpx-ingress - imageTag: 13.1-30.52 - image: "{{ .Values.ingressGateway.imageRegistry }}/{{ .Values.ingressGateway.imageRepository }}:{{ .Values.ingressGateway.imageTag }}" - imagePullPolicy: IfNotPresent - EULA: NO - mgmtHttpPort: 10080 - mgmtHttpsPort: 10443 - httpNodePort: 30180 - httpsNodePort: 31443 - nodePortRequired: false - lightWeightCPX: 1 - secretVolumes: - #licenseServerIP: this value will be taken from ADMSettings.ADMIP - label: citrix-ingressgateway - tcpPort: - vserverIP: nsip - adcServerName: - netProfile: - multiClusterIngress: false - multiClusterListenerPort: 15443 - multiClusterListenerNodePort: 32443 - multiClusterSvcDomain: global - cpxLicenseAggregator: - enableLabelsFeature: FALSE - -ADMSettings: - ADMIP: - licenseServerIP: - licenseServerPort: 27000 - bandWidthLicense: false - bandWidth: 1000 #Bandwidth should be given in Mbps - vCPULicense: false - cpxCores: - analyticsServerPort: 5557 - licenseEdition: PLATINUM - -secretName: nslogin diff --git a/charts/citrix/citrix-adc-istio-ingress-gateway/1.2.100/.helmignore b/charts/citrix/citrix-adc-istio-ingress-gateway/1.2.100/.helmignore deleted file mode 100644 index 50af031725..0000000000 --- a/charts/citrix/citrix-adc-istio-ingress-gateway/1.2.100/.helmignore +++ /dev/null @@ -1,22 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ diff --git a/charts/citrix/citrix-adc-istio-ingress-gateway/1.2.100/Chart.yaml b/charts/citrix/citrix-adc-istio-ingress-gateway/1.2.100/Chart.yaml deleted file mode 100644 index ff3131b1de..0000000000 
--- a/charts/citrix/citrix-adc-istio-ingress-gateway/1.2.100/Chart.yaml +++ /dev/null @@ -1,19 +0,0 @@ -annotations: - catalog.cattle.io/certified: partner - catalog.cattle.io/release-name: citrix-adc-istio-ingress-gateway -apiVersion: v1 -appVersion: 1.2.1 -deprecated: true -description: A Helm chart for Citrix ADC as Ingress Gateway installation in Istio - Service Mesh on Kubernetes platform -home: https://www.citrix.com -icon: https://raw.githubusercontent.com/citrix/citrix-helm-charts/gh-pages/icon.png -maintainers: -- email: dhiraj.gedam@citrix.com - name: dheerajng -- email: subash.dangol@citrix.com - name: subashd -name: citrix-adc-istio-ingress-gateway -sources: -- https://github.com/citrix/citrix-istio-adaptor -version: 1.2.100 diff --git a/charts/citrix/citrix-adc-istio-ingress-gateway/1.2.100/README.md b/charts/citrix/citrix-adc-istio-ingress-gateway/1.2.100/README.md deleted file mode 100644 index 0362e7b1fd..0000000000 --- a/charts/citrix/citrix-adc-istio-ingress-gateway/1.2.100/README.md +++ /dev/null 
@@ -1,220 +0,0 @@ -# Deploy Citrix ADC as an Ingress Gateway in Istio environment using Helm charts - -Citrix Application Delivery Controller (ADC) can be deployed as an Istio Ingress Gateway to control the ingress traffic to Istio service mesh. - -# Table of Contents -1. [TL; DR;](#tldr) -2. [Introduction](#introduction) -3. [Deploy Citrix ADC VPX or MPX as an Ingress Gateway](#deploy-citrix-adc-vpx-or-mpx-as-an-ingress-gateway) -4. [Deploy Citrix ADC CPX as an Ingress Gateway](#deploy-citrix-adc-cpx-as-an-ingress-gateway) -5. [Using Existing Certificates to deploy Citrix ADC as an Ingress Gateway](#using-existing-certificates-to-deploy-citrix-adc-as-an-ingress-gateway) -6. [Segregating traffic with multiple Ingress Gateways](#segregating-traffic-with-multiple-ingress-gateways) -7. [Visualizing statistics of Citrix ADC Ingress Gateway with Metrics Exporter](#visualizing-statistics-of-citrix-adc-ingress-gateway-with-metrics-exporter) -8. [Exposing services running on non-HTTP ports](#exposing-services-running-on-non-http-ports) -9. [Citrix ADC as Ingress Gateway: a sample deployment](#citrix-adc-as-ingress-gateway-a-sample-deployment) -10. [Uninstalling the Helm chart](#uninstalling-the-helm-chart) -11. 
[Configuration Parameters](#configuration-parameters) - - -## TL; DR; - -### To deploy Citrix ADC VPX or MPX as an Ingress Gateway: - - kubectl create secret generic nslogin --from-literal=username= --from-literal=password= -n citrix-system - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES --set istioAdaptor.netscalerUrl=https://[:port] --set istioAdaptor.vserverIP= - -### To deploy Citrix ADC CPX as an Ingress Gateway: - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES --set citrixCPX=true - - -## Introduction - -This chart deploys Citrix ADC VPX, MPX, or CPX as an Ingress Gateway in the Istio service mesh using the Helm package manager. For detailed information on different deployment options, see [Deployment Architecture](https://github.com/citrix/citrix-istio-adaptor/blob/master/docs/architecture.md). - -### Prerequisites - -The following prerequisites are required for deploying Citrix ADC as an Ingress Gateway in Istio service mesh: - -- Ensure that **Istio version 1.3.0** is installed -- Ensure that Helm with version 3.x is installed. Follow this [step](https://github.com/citrix/citrix-helm-charts/blob/master/Helm_Installation_version_3.md) to install the same. 
-- Ensure that your cluster has Kubernetes version 1.14.0 or later and the `admissionregistration.k8s.io/v1beta1` API is enabled -- **For deploying Citrix ADC VPX or MPX as an Ingress gateway:** - - Create a Kubernetes secret for the Citrix ADC user name and password using the following command: - - kubectl create secret generic nslogin --from-literal=username= --from-literal=password= -n citrix-system - -You can verify the API by using the following command: - - kubectl api-versions | grep admissionregistration.k8s.io/v1beta1 - -The following output indicates that the API is enabled: - - admissionregistration.k8s.io/v1beta1 - -- **Important Note:** For deploying Citrix ADC VPX or MPX as ingress gateway, you should establish the connectivity between Citrix ADC VPX or MPX and cluster nodes. This connectivity can be established by configuring routes on Citrix ADC as mentioned [here](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/staticrouting.md) or by deploying [Citrix Node Controller](https://github.com/citrix/citrix-k8s-node-controller). - - -## Deploy Citrix ADC VPX or MPX as an Ingress Gateway - - To deploy Citrix ADC VPX or MPX as an Ingress Gateway in the Istio service mesh, do the following step. In this example, release name is specified as `citrix-adc-istio-ingress-gateway` and namespace as `citrix-system`. - - kubectl create secret generic nslogin --from-literal=username= --from-literal=password= -n citrix-system - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,istioAdaptor.netscalerUrl=https://[:port],istioAdaptor.vserverIP= - -## Deploy Citrix ADC CPX as an Ingress Gateway - - To deploy Citrix ADC CPX as an Ingress Gateway, do the following step. In this example, release name is specified as `my-release` and namespace is used as `citrix-system`. 
- - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install my-release citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,citrixCPX=true - - -## Using Existing Certificates to deploy Citrix ADC as an Ingress Gateway - -You may want to use the existing certificate and key for authenticating access to an application using Citrix ADC Ingress Gateway. In that case, you can create a Kubernetes secret from the existing certificate and key. You can mount the Kubernetes secret as data volumes in Citrix ADC Ingress Gateway. - -To create a Kubernetes secret using an existing key named `test_key.pem` and a certificate named `test.pem`, use the following command: - - kubectl create -n citrix-system secret tls citrix-ingressgateway-certs --key test_key.pem --cert test.pem - -Note: Ensure that Kubernetes secret is created in the same namespace where Citrix ADC Ingress Gateway is deployed. - -To deploy Citrix ADC VPX or MPX with secret volume, do the following step: - - kubectl create secret generic nslogin --from-literal=username= --from-literal=password= -n citrix-system - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install my-release citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,istioAdaptor.netscalerUrl=https://[:port],istioAdaptor.vserverIP=,ingressGateway.secretVolumes[0].name=test-ingressgateway-certs,ingressGateway.secretVolumes[0].secretName=test-ingressgateway-certs,ingressGateway.secretVolumes[0].mountPath=/etc/istio/test-ingressgateway-certs - -To deploy Citrix ADC CPX with secret volume, do the following step: - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install my-release citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set 
ingressGateway.EULA=YES,citrixCPX=true,ingressGateway.secretVolumes[0].name=test-ingressgateway-certs,ingressGateway.secretVolumes[0].secretName=test-ingressgateway-certs,ingressGateway.secretVolumes[0].mountPath=/etc/istio/test-ingressgateway-certs - -## Segregating traffic with multiple Ingress Gateways - -You can deploy multiple Citrix ADC Ingress Gateway devices and segregate traffic to various deployments in the Istio service mesh. This can be achieved with *custom labels*. By default, Citrix ADC Ingress Gateway service comes up with the `app: citrix-ingressgateway` label. This label is used as a selector while deploying the Ingress Gateway or virtual service resources. If you want to deploy Ingress Gateway with the custom label, you can do it using the `ingressGateway.label` option in the Helm chart. - -To deploy Citrix ADC CPX Ingress Gateway with the label `my_custom_ingressgateway`, do the following step: - - kubectl create secret generic nslogin --from-literal=username= --from-literal=password= -n citrix-system - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install my-release citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,citrixCPX=true,ingressGateway.lightWeightCPX=NO,ingressGateway.label=my_custom_ingressgateway - -To deploy Citrix ADC VPX or MPX as an Ingress Gateway with the label `my_custom_ingressgateway`, do the following step: - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install my-release citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,istioAdaptor.netscalerUrl=https://[:port],istioAdaptor.vserverIP=,ingressGateway.label=my_custom_ingressgateway - -## Visualizing statistics of Citrix ADC Ingress Gateway with Metrics Exporter - -By default, [Citrix ADC Metrics Exporter](https://github.com/citrix/citrix-adc-metrics-exporter) is also deployed along with Citrix ADC Ingress Gateway. 
Citrix ADC Metrics Exporter fetches statistical data from Citrix ADC and exports it to Prometheus running in Istio service mesh. When you add Prometheus as a data source in Grafana, you can visualize this statistical data in the Grafana dashboard. - -Metrics Exporter requires the IP address of Citrix ADC CPX or VPX Ingress Gateway. It is retrieved from the value specified for `istioAdaptor.netscalerUrl`. - -When Citrix ADC CPX is deployed as Ingress Gateway, Metrics Exporter runs along with Citrix CPX Ingress Gateway in the same pod and specifying IP address is optional. - -To deploy Citrix ADC as Ingress Gateway without Metrics Exporter, set the value of `metricExporter.required` as false. - - - kubectl create secret generic nslogin --from-literal=username= --from-literal=password= -n citrix-system - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,istioAdaptor.netscalerUrl=https://[:port],istioAdaptor.vserverIP=,metricExporter.required=false - -"Note:" To remotely access telemetry addons such as Prometheus and Grafana, see [Remotely Accessing Telemetry Addons](https://istio.io/docs/tasks/telemetry/gateways/). - -## Exposing services running on non-HTTP ports - -By default, services running on HTTP ports (80 & 443) are exposed through Citrix ADC Ingress Gateway. Similarly, you can expose services that are deployed on non-HTTP ports through the Citrix ADC Ingress Gateway device. - -To deploy Citrix ADC MPX or VPX, and expose a service running on a TCP port, do the following step. - -In this example, a service running on TCP port 5000 is exposed using port 10000 on Citrix ADC. 
- - kubectl create secret generic nslogin --from-literal=username= --from-literal=password= -n citrix-system - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install my-release citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,istioAdaptor.netscalerUrl=https://[:port],istioAdaptor.vserverIP=,ingressGateway.tcpPort[0].name=tcp1,ingressGateway.tcpPort[0].port=10000,ingressGateway.tcpPort[0].targetPort=5000 - - To deploy Citrix ADC CPX and expose a service running on a TCP port, do the following step. - In this example, port 10000 on the Citrix ADC CPX instance is exposed using TCP port 30000 (node port configuration) on the host machine. - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install my-release citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES,citrixCPX=true,ingressGateway.tcpPort[0].name=tcp1,ingressGateway.tcpPort[0].nodePort=30000,ingressGateway.tcpPort[0].port=10000,ingressGateway.tcpPort[0].targetPort=5000 - - -## Citrix ADC as Ingress Gateway: a sample deployment - -A sample deployment of Citrix ADC as an Ingress gateway for the Bookinfo application is provided [here](https://github.com/citrix/citrix-helm-charts/tree/master/examples/citrix-adc-in-istio). - -## Uninstalling the Helm chart - -To uninstall or delete a chart with release name as `my-release`, do the following step. - - helm delete my-release - -The command removes all the Kubernetes components associated with the chart and deletes the release. - -## Configuration parameters - -The following table lists the configurable parameters in the Helm chart and their default values. 
- - -| Parameter | Description | Default | Optional/Mandatory | -|--------------------------------|-------------------------------|---------------------------|---------------------------| -| `citrixCPX` | Citrix ADC CPX | FALSE | Mandatory for Citrix ADC CPX | -| `istioAdaptor.image` | Image of the Citrix Istio-adaptor container |quay.io/citrix/citrix-istio-adaptor| Mandatory| -| `istioAdaptor.tag` | Tag of the Istio adaptor image | 1.2.0 | Mandatory| -| `istioAdaptor.imagePullPolicy` | Image pull policy for Istio-adaptor | IfNotPresent | Optional| -| `istioAdaptor.vserverIP` | Virtual server IP address on Citrix ADC (Mandatory if citrixCPX=false) | null | Mandatory for Citrix ADC MPX or VPX| -| `istioAdaptor.netscalerUrl` | URL or IP address of the Citrix ADC which Istio-adaptor configures (Mandatory if citrixCPX=false)| null |Mandatory for Citrix ADC MPX or VPX| -| `istioAdaptor.secureConnect` | If this value is set to true, Istio-adaptor establishes secure gRPC channel with Istio Pilot | TRUE | Optional| -| `istioAdaptor.netProfile ` | Network profile name used by [CNC](https://github.com/citrix/citrix-k8s-node-controller) to configure Citrix ADC VPX or MPX which is deployed as Ingress Gateway | null | Optional| -| `istioAdaptor.coeURL` | Name of [Citrix Observability Exporter](https://github.com/citrix/citrix-observability-exporter) Service in the form of "." | null | Optional| -| `istioAdaptor.ADMIP ` | Citrix Application Delivery Management (ADM) IP address | NIL | Mandatory for Citrix ADC CPX | -| `istioAdaptor.ADMFingerPrint ` | Citrix Application Delivery Management (ADM) Finger Print. 
For more information, see [this](https://docs.citrix.com/en-us/citrix-application-delivery-management-service/application-analytics-and-management/service-graph.html) | NIL | Optional| -| `ingressGateway.image` | Image of Citrix ADC CPX designated to run as Ingress Gateway |quay.io/citrix/citrix-k8s-cpx-ingress| Mandatory for Citrix ADC CPX | -| `ingressGateway.tag` | Version of Citrix ADC CPX | 13.0-47.22 | Mandatory for Citrix ADC CPX | -| `ingressGateway.imagePullPolicy` | Image pull policy | IfNotPresent | Optional| -| `ingressGateway.EULA` | End User License Agreement(EULA) terms and conditions. If yes, then user agrees to EULA terms and conditions. | NO | Mandatory for Citrix ADC CPX -| `ingressGateway.mgmtHttpPort` | Management port of the Citrix ADC CPX | 9080 | Optional| -| `ingressGateway.mgmtHttpsPort` | Secure management port of Citrix ADC CPX | 9443 | Optional| -| `ingressGateway.httpNodePort` | Port on host machine which is used to expose HTTP port (80) of Citrix ADC CPX | 30180 |Optional| -| `ingressGateway.httpsNodePort` | Port on host machine which is used to expose HTTPS port (443) of Citrix ADC CPX | 31443 |Optional| -| `ingressGateway.secretVolume` | A map of user defined volumes to be mounted using Kubernetes secrets | null |Optional| -| `ingressGateway.licenseServerPort` | Citrix ADM port if a non-default port is used | 27000 | Optional| -| `ingressGateway.label` | Custom label for the Ingress Gateway service | citrix-ingressgateway |Optional| -| `ingressGateway.tcpPort` | For exposing multiple TCP ingress | NIL |Optional| -| `istioPilot.name` | Name of the Istio Pilot service | istio-pilot |Optional| -| `istioPilot.namespace` | Namespace where Istio Pilot is running | istio-system |Optional| -| `istioPilot.secureGrpcPort` | Secure GRPC port where Istio Pilot is listening (default setting) | 15011 |Optional| -| `istioPilot.insecureGrpcPort` | Insecure GRPC port where Istio Pilot is listening | 15010 |Optional| -| `istioPilot.SAN` | Subject 
alternative name for Istio Pilot which is the secure production identity framework for everyone (SPIFFE) ID of Istio Pilot | spiffe://cluster.local/ns/istio-system/sa/istio-pilot-service-account |Optional| -| `metricExporter.required` | Metrics exporter for Citrix ADC | TRUE |Optional| -| `metricExporter.image` | Image of the Citrix ADC Metrics Exporter | quay.io/citrix/citrix-adc-metrics-exporter |Optional| -| `metricExporter.version` | Version of the Citrix ADC Metrics Exporter image | 1.4.0 |Optional| -| `metricExporter.port` | Port over which Citrix ADC Metrics Exporter collects metrics of Citrix ADC. | 8888 |Optional| -| `metricExporter.secure` | Enables collecting metrics over TLS | YES |Optional| -| `metricExporter.logLevel` | Level of logging in Citrix ADC Metrics Exporter. Possible values are: DEBUG, INFO, WARNING, ERROR, CRITICAL | ERROR |Optional| -| `metricExporter.imagePullPolicy` | Image pull policy for Citrix ADC Metrics Exporter | IfNotPresent |Optional| - diff --git a/charts/citrix/citrix-adc-istio-ingress-gateway/1.2.100/app-readme.md b/charts/citrix/citrix-adc-istio-ingress-gateway/1.2.100/app-readme.md deleted file mode 100644 index 15e4cb6fe4..0000000000 --- a/charts/citrix/citrix-adc-istio-ingress-gateway/1.2.100/app-readme.md +++ /dev/null 
@@ -1,18 +0,0 @@ -# Citrix ADC as an Ingress Gateway for Istio - -An [Istio](https://istio.io/) ingress gateway acts as an entry point for the incoming traffic and secures and controls access to the service mesh. It also performs routing and load balancing. Citrix ADC [CPX](https://docs.citrix.com/en-us/citrix-adc-cpx), MPX, or [VPX](https://docs.citrix.com/en-us/citrix-adc.html), can be deployed as an ingress gateway to the Istio service mesh. - -### Prerequisites - -The following prerequisites are required for deploying Citrix ADC as an Ingress Gateway in Istio service mesh: - -- Ensure that **Istio** is enabled. -- Ensure that your cluster has Kubernetes version 1.14.0 or later. -- Ensure to create secret named **nslogin** with username and password in same namespace in case of VPX/MPX . Choose the **Resources > Secrets** in the navigation bar. - -### Important NOTE: -- Follow this [link](https://github.com/citrix/citrix-helm-charts/blob/master/examples/citrix-adc-in-istio/README.md -) to deploy Citrix ADC as an ingress gateway for application. -- For deploying Citrix ADC VPX or MPX as ingress gateway, you should establish the connectivity between Citrix ADC VPX or MPX and cluster nodes. This connectivity can be established by configuring routes on Citrix ADC as mentioned [here](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/staticrouting.md) or by deploying [Citrix Node Controller](https://github.com/citrix/citrix-k8s-node-controller). - -This catalog deploys Citrix ADC VPX, MPX, or CPX as an Ingress Gateway in the Istio service mesh. For detailed information on various deployment options,checkout this [link](https://github.com/citrix/citrix-istio-adaptor). diff --git a/charts/citrix/citrix-adc-istio-ingress-gateway/1.2.100/questions.yml b/charts/citrix/citrix-adc-istio-ingress-gateway/1.2.100/questions.yml deleted file mode 100644 index 1ee110b950..0000000000 
--- a/charts/citrix/citrix-adc-istio-ingress-gateway/1.2.100/questions.yml +++ /dev/null 
@@ -1,300 +0,0 @@ -questions: -- variable: citrixCPX - required: true - type: boolean - default: true - description: "Set true to use Citrix ADC CPX as ingress device. Set false to use VPX/MPX as ingress device" - label: citrixCPX - group: "Deployment Settings" -- variable: secrets.name - required: true - type: string - default: "nslogin" - description: "Ensure to create nslogin secret in same namespace" - show_if: "citrixCPX=false" - group: "nslogin Settings" -- variable: istioAdaptor.image - required: true - type: string - default: "quay.io/citrix/citrix-istio-adaptor" - label: istioAdaptor Image - description: "Istio-adaptor Image to be used" - group: "Istio-adaptor Settings" -- variable: istioAdaptor.tag - required: true - type: string - default: "1.2.1" - label: istioAdaptor tag - group: "Istio-adaptor Settings" -- variable: istioAdaptor.imagePullPolicy - required: true - type: enum - default: IfNotPresent - label: istioAdaptor imagePullPolicy - description: "Istio-adaptor Image pull policy" - options: - - "Always" - - "IfNotPresent" - - "Never" - group: "Istio-adaptor Settings" -- variable: istioAdaptor.netscalerUrl - required: true - type: string - default: null - label: istioAdaptor netscalerUrl - description: "URL or IP address of the Citrix ADC which Istio-adaptor configures" - show_if: "citrixCPX=false" - group: "Istio-adaptor Settings" -- variable: istioAdaptor.secureConnect - type: boolean - default: true - label: istioAdaptor secureConnect - description: "If this value is set to true, Istio-adaptor establishes secure gRPC channel with Istio Pilot" - group: "Istio-adaptor Settings" -- variable: istioAdaptor.vserverIP - required: true - type: string - label: istioAdaptor vserverIP - show_if: "citrixCPX=false" - descriptions: "Virtual server IP address on Citrix ADC" - group: "Istio-adaptor Settings" -- variable: istioAdaptor.netProfile - type: string - label: istioAdaptor netProfile - description: "profile name used by CNC to configure VPX/MPX" - 
show_if: "citrixCPX=false" - group: "Istio-adaptor Settings" -- variable: istioAdaptor.ADMIP - type: string - label: istioAdaptor ADMIP - description: "Citrix Application Delivery Management (ADM) IP address" - group: "Istio-adaptor Settings" -- variable: istioAdaptor.ADMFingerPrint - type: string - label: istioAdaptor ADMFingerPrint - description: "Citrix Application Delivery Management (ADM) Finger Print." - group: "Istio-adaptor Settings" -- variable: istioAdaptor.coeURL - type: string - label: istioAdaptor coeURL - description: "Name of Citrix Observability Exporter Service" - group: "Istio-adaptor Settings" -- variable: istioPilot.name - required: true - type: string - default: istio-pilot - label: istio-pilot name - group: "istio-pilot Settings" - description: "Name of the Istio Pilot service" -- variable: istioPilot.namespace - required: true - type: string - default: istio-system - label: istio-pilot namespace - description: "Namespace where Istio Pilot is running" - group: "istio-pilot Settings" -- variable: istioPilot.secureGrpcPort - required: true - type: int - default: 15011 - label: istio-pilot secureGrpcPort - show_if: "istioAdaptor.secureConnect=true" - description: "Secure GRPC port where Istio Pilot is listening" - group: "istio-pilot Settings" -- variable: istioPilot.insecureGrpcPort - required: true - type: int - default: 15010 - show_if: "istioAdaptor.secureConnect=false" - label: istio-pilot insecureGrpcPort - description: "Insecure GRPC port where Istio Pilot is listening" - group: "istio-pilot Settings" -- variable: istioPilot.SAN - required: true - type: string - default: "spiffe://cluster.local/ns/istio-system/sa/istio-pilot-service-account" - label: istio-pilot SAN - description: "Subject alternative name for Istio Pilot which is (SPIFFE) ID of Istio Pilot" - show_if: "istioAdaptor.secureConnect=true" - group: "istio-pilot Settings" -- variable: ingressGateway.image - required: true - type: string - default: 
"quay.io/citrix/citrix-k8s-cpx-ingress" - label: ingressGateway Image - description: "ingressGateway image to be used" - group: "ingressGateway Settings" -- variable: ingressGateway.tag - required: true - type: string - default: "13.0-47.22" - label: ingressGateway tag - group: "ingressGateway Settings" -- variable: ingressGateway.imagePullPolicy - required: true - type: enum - default: IfNotPresent - label: ingressGateway imagePullPolicy - description: Ingress-gateway Image pull policy - group: "ingressGateway Settings" - options: - - "Always" - - "IfNotPresent" - - "Never" -- variable: ingressGateway.EULA - required: true - type: enum - description: "End user license agreement (read EULA before accepting it yes)" - label: ingressGateway EULA - options: - - "YES" - - "NO" - group: "ingressGateway Settings" -- variable: ingressGateway.mgmtHttpPort - required: true - type: int - default: 10080 - label: ingressGateway mgmtHttpPort - description: "Management port of the Citrix ADC CPX" - show_if: "citrixCPX=true" - group: "ingressGateway Settings" -- variable: ingressGateway.mgmtHttpsPort - required: true - type: int - default: 10443 - show_if: "citrixCPX=true" - label: ingressGateway mgmtHttpsPort - description: "Secure management port of Citrix ADC CPX" - group: "ingressGateway Settings" -- variable: ingressGateway.httpNodePort - required: true - type: int - default: 30180 - show_if: "citrixCPX=true" - label: ingressGateway httpNodePort - description: "Port on host machine which is used to expose HTTP port of Citrix ADC CPX" - group: "ingressGateway Settings" -- variable: ingressGateway.httpsNodePort - required: true - type: int - default: 31443 - show_if: "citrixCPX=true" - label: ingressGateway httpsNodePort - description: "Port on host machine which is used to expose HTTPS port of Citrix ADC CPX" - group: "ingressGateway Settings" -- variable: ingressGateway.exposeMutipleApps - required: true - type: boolean - default: false - description: "By default, only one 
service is exposed via ingress gateway. To expose another service, select it TRUE, and then specify a set of secret, volume name, mount path in subsequent fields" - label: exposeMutipleApps - group: "ingressGateway Settings" -- variable: ingressGateway.secretVolumes[0].name - required: true - type: string - show_if: "ingressGateway.exposeMutipleApps=true" - label: ingressGateway secretVolumes name - group: "ingressGateway Settings" -- variable: ingressGateway.secretVolumes[0].secretName - required: true - type: string - show_if: "ingressGateway.exposeMutipleApps=true" - label: ingressGateway secretVolumes secretName - description: "user defined volumes to be mounted using Kubernetes secrets name" - group: "ingressGateway Settings" -- variable: ingressGateway.secretVolumes[0].mountPath - required: true - type: string - show_if: "ingressGateway.exposeMutipleApps=true" - label: ingressGateway secretVolumes mountPath - group: "ingressGateway Settings" -- variable: ingressGateway.licenseServerPort - type: int - default: 27000 - label: ingressGateway licenseServerPort - description: "Citrix ADM port if a non-default port is used" - group: "ingressGateway Settings" -- variable: ingressGateway.label - required: true - type: string - default: "citrix-ingressgateway" - label: ingressGateway label - description: "Custom label for the Ingress Gateway service" - group: "ingressGateway Settings" -- variable: ingressGateway.exposeNonHttpService - required: true - type: boolean - default: false - description: "By default, gateway is configured to expose HTTP(S) services. To expose non-HTTP services, select exposeNonHttpService to True, and then specify a set of port, port-name, target-port, nodeport (if applicable) in subsequent field." 
- label: exposeNonHttpService - group: "ingressGateway Settings" -- variable: ingressGateway.tcpPort[0].name - required: true - type: string - default: - label: Services runing on tcpPort name - show_if: "ingressGateway.exposeNonHttpService=true" - group: "ingressGateway Settings" -- variable: ingressGateway.tcpPort[0].nodePort - required: true - type: int - min: 30000 - max: 32767 - label: Citrix ADC CPX exposed using nodePort - show_if: "citrixCPX=true && ingressGateway.exposeNonHttpService=true" - description: "NodePort (to set explicitly, choose port between 30000-32767)" - group: "ingressGateway Settings" -- variable: ingressGateway.tcpPort[0].port - required: true - type: int - label: Services exposed using Port on Citrix ADC - show_if: "ingressGateway.exposeNonHttpService=true" - group: "ingressGateway Settings" -- variable: ingressGateway.tcpPort[0].targetPort - required: true - type: int - label: Services running on targetPort - show_if: "ingressGateway.exposeNonHttpService=true" - group: "ingressGateway Settings" -- variable: metricExporter.image - required: true - type: string - default: "quay.io/citrix/citrix-adc-metrics-exporter" - label: Exporter Image - description: "Exporter Image to be used" - group: "metricExporter Settings" -- variable: metricExporter.version - required: true - type: string - default: "1.4.0" - label: metricExporter Version - group: "metricExporter Settings" -- variable: metricExporter.port - required: true - type: int - default: 8888 - label: metricExporter Port - group: "metricExporter Settings" -- variable: metricExporter.logLevel - required: true - type: enum - default: ERROR - label: metricExporter logLevel - group: "metricExporter Settings" - options: - - "DEBUG" - - "INFO" - - "WARNING" - - "ERROR" - - "TRACE" -- variable: metricExporter.imagePullPolicy - required: true - type: enum - default: IfNotPresent - label: metricExporter imagePullPolicy - description: "Exporter Image pull policy" - group: "metricExporter Settings" 
- options: - - "Always" - - "IfNotPresent" - - "Never" diff --git a/charts/citrix/citrix-adc-istio-ingress-gateway/1.2.100/templates/_helpers.tpl b/charts/citrix/citrix-adc-istio-ingress-gateway/1.2.100/templates/_helpers.tpl deleted file mode 100644 index 91374c7bd5..0000000000 --- a/charts/citrix/citrix-adc-istio-ingress-gateway/1.2.100/templates/_helpers.tpl +++ /dev/null @@ -1,4 +0,0 @@ -{{- define "exporter_nsip" -}} -{{- $match := .Values.istioAdaptor.netscalerUrl | toString | regexFind "//.*[:]*" -}} -{{- $match | trimAll ":" | trimAll "/" -}} -{{- end -}} diff --git a/charts/citrix/citrix-adc-istio-ingress-gateway/1.2.100/templates/citrix-adc-ingressgateway-deployment.yaml b/charts/citrix/citrix-adc-istio-ingress-gateway/1.2.100/templates/citrix-adc-ingressgateway-deployment.yaml deleted file mode 100644 index fcf187f55a..0000000000 --- a/charts/citrix/citrix-adc-istio-ingress-gateway/1.2.100/templates/citrix-adc-ingressgateway-deployment.yaml +++ /dev/null 
@@ -1,330 +0,0 @@ -{{- if eq .Values.citrixCPX true }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: citrix-ingressgateway - namespace: {{ .Release.Namespace }} - labels: - app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} -spec: - replicas: 1 - selector: - matchLabels: - app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} - template: - metadata: - labels: - app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} - annotations: - scheduler.alpha.kubernetes.io/critical-pod: "" - prometheus.io/port: "{{ .Values.metricExporter.port }}" - prometheus.io/scrape: "true" - spec: - volumes: - - name: nslogin - secret: - secretName: nslogin - - name: istio-certs - secret: - optional: true - secretName: istio.default - - name: citrix-ingressgateway-certs - secret: - optional: true - secretName: "citrix-ingressgateway-certs" # IMPORTANT: This secret MUST BE created before deploying gateway and ingress-gateway - - name: citrix-ingressgateway-ca-certs - secret: - optional: true - secretName: "citrix-ingressgateway-ca-certs" # IMPORTANT: This secret MUST BE created before deploying gateway and ingress-gateway - {{- range .Values.ingressGateway.secretVolumes }} - - name: {{ .name }} - secret: - secretName: {{ .secretName | quote }} - optional: true - {{- end }} - - name: cpx-conf - emptyDir: {} - containers: -{{- if eq .Values.metricExporter.required true }} - - name: exporter - image: {{ .Values.metricExporter.image }}:{{ .Values.metricExporter.version }} - imagePullPolicy: IfNotPresent - args: - - "--target-nsip=127.0.0.1" - - "--port={{ .Values.metricExporter.port }}" - - "--log-level={{ .Values.metricExporter.logLevel }}" - env: - - name: NS_USER - valueFrom: - secretKeyRef: - name: nslogin - key: username - - name: NS_PASSWORD - valueFrom: - secretKeyRef: - name: nslogin - key: password -{{- end }} - - name: istio-adaptor - image: {{ .Values.istioAdaptor.image }}:{{ .Values.istioAdaptor.tag }} - 
imagePullPolicy: {{ .Values.istioAdaptor.imagePullPolicy }} - args: - - -pilot-location -{{- if eq .Values.istioAdaptor.secureConnect true }} - - {{ .Values.istioPilot.name}}.{{.Values.istioPilot.namespace }}:{{ .Values.istioPilot.secureGrpcPort }} # istio-pilot.istio-system:15011 -{{- else }} - - {{ .Values.istioPilot.name}}.{{.Values.istioPilot.namespace }}:{{ .Values.istioPilot.insecureGrpcPort }} # istio-pilot.istio-system:15010 -{{- end }} - - -proxy-type - - {{ .Values.istioAdaptor.proxyType | default "router" | quote }} - - -pilot-SAN - - {{ .Values.istioPilot.SAN }} - - -netscaler-url - - "http://127.0.0.1" - - -secure-connect={{ .Values.istioAdaptor.secureConnect}} - - -adm-ip -{{- if .Values.istioAdaptor.ADMIP }} - - {{ .Values.istioAdaptor.ADMIP }} -{{- else }} - - "" -{{- end }} -{{- if .Values.istioAdaptor.coeURL }} - - -coe-url - - {{ .Values.istioAdaptor.coeURL }} -{{- end }} - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: APPLICATION_NAME - valueFrom: - fieldRef: - fieldPath: metadata.labels['app'] - securityContext: - readOnlyRootFilesystem: true - runAsUser: 32024 # UID of istio-adaptor container's user - volumeMounts: - - mountPath: /etc/certs - name: istio-certs - readOnly: true - - mountPath: /etc/nslogin - name: nslogin - readOnly: true - - mountPath: /etc/istio/ingressgateway-certs # Make sure that Gateway definition has this path mentioned in server.tls section for SIMPLE TLS - name: citrix-ingressgateway-certs - readOnly: true - - mountPath: /etc/istio/ingressgateway-ca-certs # Make sure that Gateway definition has this path mentioned in server.tls section for MUTUAL TLS - name: citrix-ingressgateway-ca-certs - readOnly: true - {{- range .Values.ingressGateway.secretVolumes }} - 
- name: {{ .name }} - mountPath: {{ .mountPath | quote }} - readOnly: true - {{- end }} - - name: citrix-ingressgateway - image: "{{ .Values.ingressGateway.image }}:{{ .Values.ingressGateway.tag }}" - imagePullPolicy: {{ .Values.ingressGateway.imagePullPolicy }} - securityContext: - privileged: true - ports: - - containerPort: 80 - - containerPort: 443 -{{- if .Values.ingressGateway.mgmtHttpPort }} - - containerPort: {{ .Values.ingressGateway.mgmtHttpPort }} -{{- end }} -{{- if .Values.ingressGateway.mgmtHttpsPort }} - - containerPort: {{ .Values.ingressGateway.mgmtHttpsPort }} -{{- end }} -{{- range .Values.ingressGateway.tcpPort }} - - containerPort: {{ .port }} -{{- end }} - volumeMounts: - - mountPath: /cpx/conf/ - name: cpx-conf - env: - - name: "EULA" - value: "{{ .Values.ingressGateway.EULA }}" - - name: "MGMT_HTTP_PORT" - value: "{{ .Values.ingressGateway.mgmtHttpPort }}" - - name: "MGMT_HTTPS_PORT" - value: "{{ .Values.ingressGateway.mgmtHttpsPort }}" - - name: "NS_CPX_LITE" - value: "{{ .Values.ingressGateway.lightWeightCPX }}" -{{- if or .Values.istioAdaptor.coeURL .Values.istioAdaptor.ADMIP }} - - name: "NS_ENABLE_NEWNSLOG" - value: "1" -{{- end }} - - name: "KUBERNETES_TASK_ID" - value: "" - - name: "LS_IP" - value: {{ .Values.istioAdaptor.ADMIP | default "" }} - - name: "LS_PORT" - value: "{{ .Values.ingressGateway.licenseServerPort}}" -{{- if .Values.istioAdaptor.ADMFingerPrint }} - - name: "NS_MGMT_SERVER" - value: {{ .Values.istioAdaptor.ADMIP }} - - name: "NS_MGMT_FINGER_PRINT" - value: {{ .Values.istioAdaptor.ADMFingerPrint | quote }} - - name: "NS_HTTP_PORT" - value: {{ .Values.ingressGateway.mgmtHttpPort | quote }} - - name: "NS_HTTPS_PORT" - value: {{ .Values.ingressGateway.mgmtHttpsPort | quote }} -{{- end }} - - name: "LOGSTREAM_COLLECTOR_IP" - value: {{ .Values.istioAdaptor.ADMIP | default ""}} - ---- -{{ else }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: citrix-ingressgateway - namespace: {{ .Release.Namespace }} - labels: - 
app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} -spec: - replicas: 1 - selector: - matchLabels: - app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} - template: - metadata: - labels: - app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }} - annotations: - scheduler.alpha.kubernetes.io/critical-pod: "" - prometheus.io/port: "{{ .Values.metricExporter.port }}" - prometheus.io/scrape: "true" - spec: - containers: -{{- if eq .Values.metricExporter.required true }} - - name: exporter - image: {{ .Values.metricExporter.image }}:{{ .Values.metricExporter.version }} - imagePullPolicy: {{ .Values.metricExporter.imagePullPolicy }} - args: - - "--target-nsip={{- include "exporter_nsip" . -}}" - - "--port={{ .Values.metricExporter.port }}" - - "--secure={{ .Values.metricExporter.secure | lower}}" - - "--log-level={{ .Values.metricExporter.logLevel }}" - env: - - name: NS_USER - valueFrom: - secretKeyRef: - name: nslogin - key: username - - name: NS_PASSWORD - valueFrom: - secretKeyRef: - name: nslogin - key: password -{{- end }} - - name: istio-adaptor - image: {{ .Values.istioAdaptor.image }}:{{ .Values.istioAdaptor.tag }} - imagePullPolicy: {{ .Values.istioAdaptor.imagePullPolicy }} - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: APPLICATION_NAME - valueFrom: - fieldRef: - fieldPath: metadata.labels['app'] - args: - - -pilot-location -{{- if eq .Values.istioAdaptor.secureConnect true }} - - {{ .Values.istioPilot.name}}.{{.Values.istioPilot.namespace }}:{{ .Values.istioPilot.secureGrpcPort }} # istio-pilot.istio-system:15011 -{{- else }} - - {{ .Values.istioPilot.name}}.{{.Values.istioPilot.namespace }}:{{ .Values.istioPilot.insecureGrpcPort }} # 
istio-pilot.istio-system:15010 -{{- end }} - - -proxy-type - - {{ .Values.istioAdaptor.proxyType | default "router" | quote }} - - -pilot-SAN - - {{ .Values.istioPilot.SAN }} - - -netscaler-url - - {{ required "Mention Citrix ADC IP/URL in https://[:port] format" .Values.istioAdaptor.netscalerUrl }} - - -vserver-ip - - {{ required "Mention Vserver IP to be configured on Citrix ADC" .Values.istioAdaptor.vserverIP }} - - -secure-connect={{ .Values.istioAdaptor.secureConnect | default true }} - # If using VPX/MPX as Ingress gateway, then specify the network profile name - # which was provided to Citrix Node Controller (CNC) -{{- if .Values.istioAdaptor.netProfile }} - - -net-profile - - {{ .Values.istioAdaptor.netProfile }} -{{- end }} - - -adm-ip - - "" -{{- if .Values.istioAdaptor.coeURL }} - - -coe-url - - {{ .Values.istioAdaptor.coeURL }} -{{- end }} - securityContext: - readOnlyRootFilesystem: true - runAsUser: 32024 # UID of istio-adaptor container's user - volumeMounts: - - mountPath: /etc/certs - name: istio-certs - readOnly: true - - mountPath: /etc/nslogin - name: nslogin - readOnly: true - - mountPath: /etc/istio/ingressgateway-certs # Make sure that Gateway definition has this path mentioned in server.tls section for SIMPLE TLS - name: citrix-ingressgateway-certs - readOnly: true - - mountPath: /etc/istio/ingressgateway-ca-certs # Make sure that Gateway definition has this path mentioned in server.tls section for MUTUAL TLS - name: citrix-ingressgateway-ca-certs - readOnly: true - {{- range .Values.ingressGateway.secretVolumes }} - - name: {{ .name }} - mountPath: {{ .mountPath | quote }} - readOnly: true - {{- end }} - volumes: - - name: nslogin - secret: - secretName: nslogin - - name: istio-certs - secret: - optional: true - secretName: istio.default - - name: citrix-ingressgateway-certs - secret: - optional: true - secretName: "citrix-ingressgateway-certs" # IMPORTANT: This secret MUST BE created before deploying gateway and ingress-gateway - - name: 
citrix-ingressgateway-ca-certs - secret: - optional: true - secretName: "citrix-ingressgateway-ca-certs" # IMPORTANT: This secret MUST BE created before deploying gateway and ingress-gateway - {{- range .Values.ingressGateway.secretVolumes }} - - name: {{ .name }} - secret: - secretName: {{ .secretName | quote }} - optional: true - {{- end }} ---- -{{- end}} diff --git a/charts/citrix/citrix-adc-istio-ingress-gateway/1.2.100/templates/ingressgateway-service.yaml b/charts/citrix/citrix-adc-istio-ingress-gateway/1.2.100/templates/ingressgateway-service.yaml deleted file mode 100644 index ba18349b39..0000000000 --- a/charts/citrix/citrix-adc-istio-ingress-gateway/1.2.100/templates/ingressgateway-service.yaml +++ /dev/null 
@@ -1,60 +0,0 @@
-{{- if eq .Values.citrixCPX true }}
-apiVersion: autoscaling/v2beta1
-kind: HorizontalPodAutoscaler
-metadata:
- name: citrix-ingressgateway
- namespace: {{ .Release.Namespace }}
-spec:
- maxReplicas: 1
- minReplicas: 1
- scaleTargetRef:
- apiVersion: apps/v1
- kind: Deployment
- name: citrix-ingressgateway
- metrics:
- - type: Resource
- resource:
- name: cpu
- targetAverageUtilization: 60
----
-{{- end }}
-apiVersion: v1
-kind: Service
-metadata:
- name: citrix-ingressgateway
- namespace: {{ .Release.Namespace }}
- annotations:
- labels:
- app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }}
-spec:
-{{- if eq .Values.citrixCPX true }}
- type: LoadBalancer
-{{- end }}
- selector:
- app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }}
- ports:
- -
- name: http2
-{{- if eq .Values.citrixCPX true }}
- nodePort: {{ .Values.ingressGateway.httpNodePort }}
-{{- end }}
- port: 80
- targetPort: 80
- -
- name: https
-{{- if eq .Values.citrixCPX true }}
- nodePort: {{ .Values.ingressGateway.httpsNodePort }}
-{{- end }}
- port: 443
- targetPort: 443
-{{- $isCPX := .Values.citrixCPX }}
-{{- range .Values.ingressGateway.tcpPort }}
- -
- name: {{ .name }}
-{{- if eq $isCPX true }}
- nodePort: {{ .nodePort }}
-{{- end }}
- port: {{ .port }}
- targetPort: {{ .targetPort }}
-{{- end }}
----
diff --git a/charts/citrix/citrix-adc-istio-ingress-gateway/1.2.100/templates/metrics-exporter-service.yaml b/charts/citrix/citrix-adc-istio-ingress-gateway/1.2.100/templates/metrics-exporter-service.yaml
deleted file mode 100644
index ad77e2374b..0000000000
--- a/charts/citrix/citrix-adc-istio-ingress-gateway/1.2.100/templates/metrics-exporter-service.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{{- if eq .Values.metricExporter.required true }}
-kind: Service
-apiVersion: v1
-metadata:
- name: exporter
- annotations:
- labels:
- service-type: citrix-adc-monitor
-spec:
- selector:
- app: {{ .Values.ingressGateway.label | default "citrix-ingressgateway" }}
- ports:
- - name: exporter-port
- port: {{ .Values.metricExporter.port }}
- targetPort: {{ .Values.metricExporter.port }}
----
-{{- end }}
diff --git a/charts/citrix/citrix-adc-istio-ingress-gateway/1.2.100/templates/secret.yaml b/charts/citrix/citrix-adc-istio-ingress-gateway/1.2.100/templates/secret.yaml
deleted file mode 100644
index 0201c116dc..0000000000
--- a/charts/citrix/citrix-adc-istio-ingress-gateway/1.2.100/templates/secret.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-{{- if eq .Values.citrixCPX true }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: nslogin
- namespace: {{ .Release.Namespace }}
-type: Opaque
-data:
- username: "bnNyb290"
- password: "bnNyb290"
-{{- end }}
diff --git a/charts/citrix/citrix-adc-istio-ingress-gateway/1.2.100/values.yaml b/charts/citrix/citrix-adc-istio-ingress-gateway/1.2.100/values.yaml
deleted file mode 100644
index ba929f218e..0000000000
--- a/charts/citrix/citrix-adc-istio-ingress-gateway/1.2.100/values.yaml
+++ /dev/null
@@ -1,50 +0,0 @@
-# Default values for citrix-adc-istio-ingress-gateway
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-citrixCPX: false
-
-metricExporter:
- required: true
- image: quay.io/citrix/citrix-adc-metrics-exporter
- version: 1.4.0
- port: 8888
- secure: "YES"
- logLevel: ERROR
- imagePullPolicy: IfNotPresent
-
-istioAdaptor:
- image: quay.io/citrix/citrix-istio-adaptor
- tag: 1.2.1
- imagePullPolicy: IfNotPresent
- netscalerUrl: null
- proxyType: router
- secureConnect: true
- vserverIP:
- netProfile:
- ADMIP:
- ADMFingerPrint:
- coeURL:
-
-istioPilot:
- name: istio-pilot
- namespace: istio-system
- secureGrpcPort: 15011
- insecureGrpcPort: 15010
- SAN: spiffe://cluster.local/ns/istio-system/sa/istio-pilot-service-account
-
-ingressGateway:
- image: quay.io/citrix/citrix-k8s-cpx-ingress
- tag: 13.0-47.22
- imagePullPolicy: IfNotPresent
- EULA: NO
- mgmtHttpPort: 10080
- mgmtHttpsPort: 10443
- httpNodePort: 30180
- httpsNodePort: 31443
- lightWeightCPX: 1
- secretVolumes:
- #licenseServerIP: this value will be taken from istioAdaptor.ADMIP
- licenseServerPort: 27000
- label: citrix-ingressgateway
- tcpPort:
diff --git a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.0/.helmignore b/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.0/.helmignore
deleted file mode 100644
index 50af031725..0000000000
--- a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.0/.helmignore
+++ /dev/null
@@ -1,22 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.0/Chart.yaml b/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.0/Chart.yaml
deleted file mode 100644
index 357c3e8794..0000000000
--- a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.0/Chart.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-annotations:
- catalog.cattle.io/certified: partner
- catalog.cattle.io/display-name: Citrix Cpx Istio Sidecar Injector
- catalog.cattle.io/release-name: citrix-cpx-istio-sidecar-injector
-apiVersion: v2
-appVersion: 1.11.0
-deprecated: true
-description: A Helm chart to deploy resources which install Citrix ADC CPX in Istio
- Service Mesh as sidecar in application pod
-home: https://www.citrix.com
-icon: https://raw.githubusercontent.com/citrix/citrix-xds-adaptor/master/docs/media/Citrix_Logo_Trademark.png
-kubeVersion: '>=v1.16.0-0'
-maintainers:
-- email: dhiraj.gedam@citrix.com
- name: dheerajng
-- email: subash.dangol@citrix.com
- name: subashd
-- email: ajeeta.shakeet@citrix.com
- name: ajeetas
-name: citrix-cpx-istio-sidecar-injector
-sources:
-- https://github.com/citrix/citrix-xds-adaptor
-version: 1.11.0
diff --git a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.0/README.md b/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.0/README.md
deleted file mode 100644
index 731614114b..0000000000
--- a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.0/README.md
+++ /dev/null
@@ -1,280 +0,0 @@ -# Deploy Citrix ADC CPX as a sidecar in Istio environment using Helm charts - -Citrix ADC CPX can be deployed as a sidecar proxy in an application pod in the Istio service mesh. - - -# Table of Contents -1. [TL; DR;](#tldr) -2. [Introduction](#introduction) -3. [Deploy Sidecar Injector for Citrix ADC CPX using Helm chart](#deploy-sidecar-injector-for-citrix-adc-cpx-using-helm-chart) -4. [Observability using Citrix Observability Exporter](#observability-using-coe) -5. [Citrix ADC CPX License Provisioning](#citrix-adc-cpx-license-provisioning) -6. [Service Graph configuration](#configuration-for-servicegraph) -7. [Generate Certificate for Application](#generate-certificate-for-application) -8. [Limitations](#limitations) -9. [Clean Up](#clean-up) -10. [Configuration Parameters](#configuration-parameters) - - -## TL; DR; - - kubectl create namespace citrix-system - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES - - -## Introduction - -Citrix ADC CPX can act as a sidecar proxy to an application container in Istio. You can inject the Citrix ADC CPX manually or automatically using the [Istio sidecar injector](https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/). Automatic sidecar injection requires resources including a Kubernetes [mutating webhook admission](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) controller, and a service. Using this Helm chart, you can create resources required for automatically deploying Citrix ADC CPX as a sidecar proxy. - -In Istio servicemesh, the namespace must be labelled before applying the deployment yaml for [automatic sidecar injection](https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#automatic-sidecar-injection). 
Once the namespace is labelled, sidecars (envoy or CPX) will be injected while creating pods. -- For CPX, namespace must be labelled `cpx-injection=enabled` -- For Envoy, namespace must be labelled `istio-injection=enabled` - -__Note: If a namespace is labelled with both `istio-injection` and `cpx-injection`, Envoy injection takes a priority! Citrix CPX won't be injected on top of the already injected Envoy sidecar. For using Citrix ADC as sidecar, ensure that `istio-injection` label is removed from the namespace.__ - -For detailed information on different deployment options, see [Deployment Architecture](https://github.com/citrix/citrix-istio-adaptor/blob/master/docs/istio-integration/architecture.md). - -### Compatibility Matrix between Citrix xDS-adaptor and Istio version - -Below table provides info about recommended Citrix xDS-Adaptor version to be used for various Istio versions. - -| Citrix xDS-Adaptor version | Istio version | -|----------------------------|---------------| -| quay.io/citrix/citrix-xds-adaptor:0.9.9 | Istio v1.10+ | -| quay.io/citrix/citrix-xds-adaptor:0.9.8 | Istio v1.8 to Istio v1.9 | -| quay.io/citrix/citrix-xds-adaptor:0.9.5 | Istio v1.6 | - -### Prerequisites - -The following prerequisites are required for deploying Citrix ADC as a sidecar to an application pod. - -- Ensure that **Istio version 1.8 onwards** is installed -- Ensure that Helm with version 3.x is installed. Follow this [step](https://github.com/citrix/citrix-helm-charts/blob/master/Helm_Installation_version_3.md) to install the same. 
-- Ensure that your cluster Kubernetes version should be 1.16 onwards and the `admissionregistration.k8s.io/v1`, `admissionregistration.k8s.io/v1beta1` API is enabled - -You can verify the API by using the following command: - - kubectl api-versions | grep admissionregistration.k8s.io/v1 - -The following output indicates that the API is enabled: - - admissionregistration.k8s.io/v1 - admissionregistration.k8s.io/v1beta1 - -- Create namespace `citrix-system` - - kubectl create namespace citrix-system - -- **Registration of Citrix ADC CPX in ADM** - -Create a secret containing ADM username and password in each application namespace. - - kubectl create secret generic admlogin --from-literal=username= --from-literal=password= -n citrix-system - -## Deploy Sidecar Injector for Citrix ADC CPX using Helm chart - -**Before you Begin** - -To deploy resources for automatic installation of Citrix ADC CPX as a sidecar in Istio, perform the following step. In this example, release name is specified as `cpx-sidecar-injector` and namespace is used as `citrix-system`. - - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES - -This step installs a mutating webhook and a service resource to application pods in the namespace labeled as `cpx-injection=enabled`. - -*"Note:" The `cpx-injection=enabled` label is mandatory for injecting sidecars.* - -An example to deploy application along with Citrix ADC CPX sidecar is provided [here](https://github.com/citrix/citrix-helm-charts/tree/master/examples/citrix-adc-in-istio). - - -# Observability using Citrix Observability Exporter - -### Pre-requisites - -1. Citrix Observability Exporter (COE) should be deployed in the cluster. - -2. Citrix ADC CPX should be running with versions 13.0-48+ or 12.1-56+. 
- -Citrix ADC CPXes serving East West traffic send its metrics and transaction data to COE which has a support for Prometheus and Zipkin. - -Metrics data can be visualized in Prometheus dashboard. - -Zipkin enables users to analyze tracing for East-West service to service communication. - -*Note*: Istio should be [installed](https://istio.io/docs/tasks/observability/distributed-tracing/zipkin/#before-you-begin) with Zipkin as tracing endpoint. - -``` -helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - -helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES,coe.coeURL=. -``` - -By default, COE is primarily used for Prometheus integration. Servicegraph and tracing is handled by Citrix ADM appliance. To enable Zipkin tracing, set argument `coe.coeTracing=true` in helm command. Default value of coeTracing is set to false. - -``` -helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - -helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES,coe.coeURL=.,coe.coeTracing=true - -``` - -For example, if COE is deployed as `coe` in `citrix-system` namespace, then below helm command will deploy sidecar injector webhook which will be deploying Citrix ADC CPX sidecar proxies in application pods, and these sidecar proxies will be configured to establish communication channels with COE. - -``` -helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - -helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES,coe.coeURL=coe.citrix-system -``` - -*Important*: Apply below mentioned annotations on COE deployment so that Prometheus can scrape data from COE. 
-``` - prometheus.io/scrape: "true" - prometheus.io/port: "5563" # Prometheus port -``` -## **Citrix ADC CPX License Provisioning** -By default, CPX runs with 20 Mbps bandwidth called as [CPX Express](https://www.citrix.com/en-in/products/citrix-adc/cpx-express.html) however for better performance and production deployment customer needs licensed CPX instances. [Citrix ADM](https://www.citrix.com/en-in/products/citrix-application-delivery-management/) is used to check out licenses for Citrix ADC CPX. - -**Bandwidth based licensing** -For provisioning licensing on Citrix ADC CPX, it is mandatory to provide License Server information to CPX. This can be done by setting **ADMSettings.licenseServerIP** as License Server IP. In addition to this, **ADMSettings.bandWidthLicense** needs to be set true and desired bandwidth capacity in Mbps should be set **ADMSettings.bandWidth**. -For example, to set 2Gbps as bandwidth capacity, below command can be used. - -``` -helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - -helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES --set ADMSettings.licenseServerIP=,ADMSettings.bandWidthLicense=True --set ADMSettings.bandWidth=2000 - -``` - -## **Service Graph configuration** - Citrix ADM Service graph is an observability tool that allows user to analyse service to service communication. The service graph is generated by ADM post collection of transactional data from registered Citrix ADC instances. More details about it can be found [here](https://docs.citrix.com/en-us/citrix-application-delivery-management-service/application-analytics-and-management/service-graph.html). - Citrix ADC needs to be provided with ADM details for registration and data export. This section lists the steps needed to deploy Citrix ADC and register it with ADM. - - 1. 
Create secret using Citrix ADM Agent credentials, which will be used by Citrix ADC as CPX to communicate with Citrix ADM Agent: - - kubectl create secret generic admlogin --from-literal=username= --from-literal=password= - - 2. Deploy Citrix ADC CPX sidecar injector using helm command with `ADM` details: - - helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES --set ADMSettings.ADMIP= - -> **Note:** -> If container agent is being used here for Citrix ADM, specify `PodIP` of container agent in the `ADMSettings.ADMIP` parameter. - -## Generate Certificate for Application - -Application needs TLS certificate-key pair for establishing secure communication channel with other applications. Earlier these certificates were issued by Istio Citadel and bundled in Kubernetes secret. Certificate was loaded in the application pod by doing volume mount of secret. Now `xDS-Adaptor` can generate its own certificate and get it signed by the Istio Citadel (Istiod). This eliminates the need of secret and associated [risks](https://kubernetes.io/docs/concepts/configuration/secret/#risks). - -xDS-Adaptor needs to be provided with details Certificate Authority (CA) for successful signing of Certificate Signing Request (CSR). By default, CA is `istiod.istio-system.svc` which accepts CSRs on port 15012. -To skip this process, don't provide any value (empty string) to `certProvider.caAddr`. -``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES --set certProvider.caAddr="" -``` - -### Configure Third Party Service Account Tokens - -In order to generate certificate for application workload, xDS-Adaptor needs to send valid service account token along with Certificate Signing Request (CSR) to the Istio control plane (Citadel CA). 
Istio control plane authenticates the xDS-Adaptor using this JWT. -Kubernetes supports two forms of these tokens: - -* Third party tokens, which have a scoped audience and expiration. -* First party tokens, which have no expiration and are mounted into all pods. - - If Kubernetes cluster is installed with third party tokens, then the same information needs to be provided for automatic sidecar injection by passing `--set certProvider.jwtPolicy="third-party-jwt"`. By default, it is `first-party-jwt`. - -``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES --set certProvider.caAddr="istiod.istio-system.svc" --set certProvider.jwtPolicy="third-party-jwt" - -``` - -To determine if your cluster supports third party tokens, look for the TokenRequest API using below command. If there is no output, then it is `first-party-jwt`. In case of `third-party-jwt`, output will be like below. - -``` -# kubectl get --raw /api/v1 | jq '.resources[] | select(.name | index("serviceaccounts/token"))' - -{ - "name": "serviceaccounts/token", - "singularName": "", - "namespaced": true, - "group": "authentication.k8s.io", - "version": "v1", - "kind": "TokenRequest", - "verbs": [ - "create" - ] -} - -``` - -## Limitations - -Citrix ADC CPX occupies certain ports for internal usage. This makes application service running on one of these restricted ports incompatible with the Citrix ADC CPX. -The list of ports is mentioned below. Citrix is working on delisting some of the major ports from the given list, and same shall be available in future releases. - -#### Restricted Ports - -| Sr No |Port Number| -|-------|-----------| -| 1 | 80 | -| 2 | 3010 | -| 3 | 5555 | -| 4 | 8080 | - -## Clean Up - -To delete the resources created for automatic injection with the release name `cpx-sidecar-injector`, perform the following step. 
- - helm delete cpx-sidecar-injector - -## Configuration parameters - -The following table lists the configurable parameters and their default values in the Helm chart. - - -| Parameter | Description | Default | -|--------------------------------|-------------------------------|---------------------------| -| `xDSAdaptor.image` | Image of the Citrix xDS Adaptor container | quay.io/citrix/citrix-xds-adaptor:0.9.9 | -| `xDSAdaptor.imagePullPolicy` | Image pull policy for xDS-adaptor | IfNotPresent | -| `xDSAdaptor.secureConnect` | If this value is set to true, xDS-adaptor establishes secure gRPC channel with Istio Pilot | TRUE | -| `xDSAdaptor.logLevel` | Log level to be set for xDS-adaptor log messages. Possible values: TRACE (most verbose), DEBUG, INFO, WARN, ERROR (least verbose) | DEBUG | Optional| -| `xDSAdaptor.jsonLog` | Set this argument to true if log messages are required in JSON format | false | Optional| -| `coe.coeURL` | Name of [Citrix Observability Exporter](https://github.com/citrix/citrix-observability-exporter) Service in the form of _servicename.namespace_ | NIL | Optional| -| `coe.coeTracing` | Use COE to send appflow transactions to Zipkin endpoint. If it is set to true, ADM servicegraph (if configured) can be impacted. 
| false | Optional| -| `ADMSettings.ADMIP` | Provide the Citrix Application Delivery Management (ADM) IP address | NIL | -| `ADMSettings.licenseServerIP ` | Citrix License Server IP address | NIL | Optional | -| `ADMSettings.licenseServerPort` | Citrix ADM port if a non-default port is used | 27000 | -| `ADMSettings.bandWidth` | Desired bandwidth capacity to be set for Citrix ADC CPX in Mbps | NIL | Optional | -| `ADMSettings.bandWidthLicense` | To specify bandwidth based licensing | false | Optional | -| `istioPilot.name` | Name of the Istio Pilot service | istio-pilot | -| `istioPilot.namespace` | Namespace where Istio Pilot is running | istio-system | -| `istioPilot.secureGrpcPort` | Secure GRPC port where Istio Pilot is listening (Default setting) | 15011 | -| `istioPilot.insecureGrpcPort` | Insecure GRPC port where Istio Pilot is listening | 15010 | -| `istioPilot.proxyType` | Type of Citrix ADC associated with the xDS-adaptor. Possible values are: sidecar and router. | sidecar| -| `istioPilot.SAN` | Subject alternative name for Istio Pilot which is the Secure Production Identity Framework For Everyone (SPIFFE) ID of Istio Pilot. | NIL | -| `cpxProxy.netscalerUrl` | URL or IP address of the Citrix ADC which will be configured by Istio-adaptor. | http://127.0.0.1 | -| `cpxProxy.image` | Citrix ADC CPX image used as sidecar proxy | quay.io/citrix/citrix-k8s-cpx-ingress:13.0-79.64 | -| `cpxProxy.imagePullPolicy` | Image pull policy for Citrix ADC | IfNotPresent | -| `cpxProxy.EULA` | End User License Agreement(EULA) terms and conditions. If yes, then user agrees to EULA terms and conditions. | NO | -| `cpxProxy.cpxSidecarMode` | Environment variable for Citrix ADC CPX. It indicates that Citrix ADC CPX is running as sidecar mode or not. | YES | -| `cpxProxy.cpxDisableProbe` | Environment variable for Citrix ADC CPX. It indicates that Citrix ADC CPX will disable probing dynamic services. It should be enabled for multicluster setup. 
| YES | -| `sidecarWebHook.webhookImage` | Mutating webhook associated with the sidecar injector. It invokes a service `cpx-sidecar-injector` to inject sidecar proxies in the application pod. | quay.io/citrix/cpx-istio-sidecar-injector:1.0.0 | -| `sidecarWebHook.imagePullPolicy` | Image pull policy |IfNotPresent| -| `sidecarCertsGenerator.image` | Certificate genrator image associated with sidecar injector. This image generates certificate and key needed for CPX sidecar injection. | quay.io/citrix/cpx-sidecar-injector-certgen:1.1.0 | -| `sidecarCertsGenerator.imagePullPolicy` | Image pull policy |IfNotPresent| -| `webhook.injectionLabelName` | Label of namespace where automatic Citrix ADC CPX sidecar injection is required. | cpx-injection | -| `certProvider.caAddr` | Certificate Authority (CA) address issuing certificate to application | istiod.istio-system.svc | Optional | -| `certProvider.caPort` | Certificate Authority (CA) port issuing certificate to application | 15012 | Optional | -| `certProvider.trustDomain` | SPIFFE Trust Domain | cluster.local | Optional | -| `certProvider.certTTLinHours` | Validity of certificate generated by xds-adaptor and signed by Istiod (Istio Citadel) in hours. Default is 30 days validity | 720 | Optional | -| `certProvider.clusterId` | clusterId is the ID of the cluster where Istiod CA instance resides (default Kubernetes). It can be different value on some cloud platforms or in multicluster environments. For example, in Anthos servicemesh, it might be of the format of `cn--`. In multiCluster environments, it is the value of global.multiCluster.clusterName provided during servicemesh control plane installation | Kubernetes | Optional | -| `certProvider.jwtPolicy` | Service Account token type. Kubernetes platform supports First party tokens and Third party tokens. | first-party-jwt | Optional | -| `certProvider.jwtPolicy` | Service Account token type. Kubernetes platform supports First party tokens and Third party tokens. 
Usually public cloud based Kubernetes has third-party-jwt | null | Optional | - -**Note:** You can use the `values.yaml` file packaged in the chart. This file contains the default configuration values for the chart. diff --git a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.0/app-readme.md b/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.0/app-readme.md deleted file mode 100644 index aa16d21361..0000000000 --- a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.0/app-readme.md +++ /dev/null 
@@ -1,28 +0,0 @@ -# Citrix ADC as a Sidecar for Istio - -Citrix ADC [CPX](https://docs.citrix.com/en-us/citrix-adc-cpx) can act as a sidecar proxy to an application container in Istio. You can inject the Citrix ADC CPX manually or automatically using the [Istio sidecar injector](https://istio.io/docs/setup/additional-setup/sidecar-injection/). - - -### Prerequisites - -The following prerequisites are required for deploying Citrix ADC as a sidecar in an application pod - -- Ensure that **Istio** is enabled. -- Ensure that your cluster has Kubernetes version 1.16.0 or later. -- Ensure the [Kubernetes controller manager](https://rancher.com/docs/rke/latest/en/config-options/services/#kubernetes-controller-manager)’s default certificate signer is enabled. - -**Note**: For RKE based cluster, extra arguments need to be provided for kube-controller service. -```services: - kube-controller: - extra_args: - cluster-signing-cert-file: "/etc/kubernetes/ssl/kube-ca.pem" - cluster-signing-key-file: "/etc/kubernetes/ssl/kube-ca-key.pem" -``` -For detailed information follow this [link](https://github.com/citrix/citrix-xds-adaptor/blob/master/docs/istio-integration/rancher-provisioned-cluster.md) - -### Important NOTE: - - We should not **Enable Istio Auto Injection** on Application namespace. - - The cpx-injection=enabled label is mandatory for injecting sidecars. - - An example to deploy application along with Citrix ADC CPX sidecar is provided [here](https://github.com/citrix/citrix-helm-charts/blob/master/examples/citrix-adc-in-istio/README.md). - -This catalog create resources required for automatically deploying Citrix ADC CPX as a sidecar proxy.For detailed information follow this [link](https://github.com/citrix/citrix-helm-charts/tree/master/citrix-cpx-istio-sidecar-injector) 
diff --git a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.0/create-certs-for-cpx-istio-chart.sh b/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.0/create-certs-for-cpx-istio-chart.sh deleted file mode 100644 index ed5d58a4e0..0000000000 --- a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.0/create-certs-for-cpx-istio-chart.sh +++ /dev/null @@ -1,127 +0,0 @@ -#!/bin/bash - -set -e - -usage() { - cat <> ${certdir}/csr.conf -[req] -req_extensions = v3_req -distinguished_name = req_distinguished_name -[req_distinguished_name] -[ v3_req ] -basicConstraints = CA:FALSE -keyUsage = nonRepudiation, digitalSignature, keyEncipherment -extendedKeyUsage = serverAuth -subjectAltName = @alt_names -[alt_names] -DNS.1 = ${service} -DNS.2 = ${service}.${namespace} -DNS.3 = ${service}.${namespace}.svc -EOF - -openssl genrsa -out ${certdir}/key.pem 2048 -openssl req -new -key ${certdir}/key.pem -subj "/CN=${service}.${namespace}.svc" -out ${certdir}/server.csr -config ${certdir}/csr.conf - -# clean-up any previously created CSR for our service. Ignore errors if not present. -kubectl delete csr ${csrName} 2>/dev/null || true - -# create server cert/key CSR and send to k8s API -cat <&2 - exit 1 -fi -echo ${serverCert} | openssl base64 -d -A -out ${certdir}/cert.pem - - -# create the secret with CA cert and server cert/key -kubectl create secret generic ${secret} \ - --from-file=key.pem=${certdir}/key.pem \ - --from-file=cert.pem=${certdir}/cert.pem \ - --dry-run -o yaml | - kubectl -n ${namespace} apply -f - diff --git a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.0/questions.yml b/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.0/questions.yml deleted file mode 100644 index 18483b84a7..0000000000 --- a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.0/questions.yml +++ /dev/null 
@@ -1,291 +0,0 @@ -labels: - io.rancher.certified: partner -questions: -- variable: xDSAdaptor.image - required: true - type: string - default: "quay.io/citrix/citrix-xds-adaptor:0.9.9" - description: "xds-adaptor Image to be used" - label: xDSAdaptor Image - group: "xDSAdaptor Settings" -- variable: xDSAdaptor.imagePullPolicy - required: true - type: enum - default: IfNotPresent - description: "Istio-adaptor Image pull policy" - label: istioAdaptor imagePullPolicy - options: - - "Always" - - "IfNotPresent" - - "Never" - group: "xDSAdaptor Settings" -- variable: xDSAdaptor.proxyType - required: true - type: string - default: true - label: xDSAdaptor proxyType - description: "xDSAdaptor proxyType type set to router by default" - group: "xDSAdaptor Settings" -- variable: xDSAdaptor.secureConnect - required: false - type: boolean - default: true - label: xDSAdaptor secureConnect - description: "xDSAdaptor establishes secure gRPC channel with Istio Pilot, if value is set to true" - group: "xDSAdaptor Settings" -- variable: xDSAdaptor.logLevel - required: false - type: enum - default: DEBUG - label: xDSAdaptor logLevel - description: "xDSAdaptor logLevel" - options: - - "TRACE" - - "DEBUG" - - "INFO" - - "WARN" - - "ERROR" - group: "xDSAdaptor Settings" -- variable: xDSAdaptor.jsonLog - required: false - type: string - default: "true" - label: xDSAdaptor jsonLog - description: "Set this argument to true if log messages are required in JSON format" - group: "xDSAdaptor Settings" -- variable: coe.coeURL - required: false - type: string - label: coe coeURL - description: "Name of Citrix Observability Exporter Service" - group: "COE Settings" -- variable: coe.coeTracing - required: false - type: boolean - label: coe coeTracing - description: "Used to send appflow transactions to Zipkin endpoint,if true ADM servicegraph (if configured) can be impacted" - group: "COE Settings" -- variable: istioPilot.name - required: true - type: string - default: istio-pilot - label: 
istio-pilot name - group: "istio-pilot Settings" -- variable: istioPilot.namespace - required: true - type: string - default: istio-system - label: istio-pilot namespace - description: "Name of the Istio Pilot service" - group: "istio-pilot Settings" -- variable: istioPilot.secureGrpcPort - required: true - type: int - default: 15011 - description: "Secure GRPC port where Istio Pilot is listening" - label: istio-pilot secureGrpcPort - show_if: "xDSAdaptor.secureConnect=true" - group: "istio-pilot Settings" -- variable: istioPilot.insecureGrpcPort - required: true - type: int - default: 15010 - label: istio-pilot insecureGrpcPort - description: "Insecure GRPC port where Istio Pilot is listening" - show_if: "xDSAdaptor.secureConnect=false" - group: "istio-pilot Settings" -- variable: istioPilot.SAN - required: false - type: string - default: - label: istio-pilot SAN - description: "Subject alternative name for Istio Pilot which is (SPIFFE) ID of Istio Pilot" - show_if: "xDSAdaptor.secureConnect=true" - group: "istio-pilot Settings" -- variable: certProvider.caAddr - required: true - type: string - default: "istiod.istio-system.svc" - label: certProvider caAddr - description: "Certificate Authority (CA) address issuing certificate to application" - group: "certProvider Settings" -- variable: certProvider.caPort - required: true - type: int - default: 15012 - label: certProvider caPort - description: "Certificate Authority (CA) port issuing certificate to application" - group: "certProvider Settings" -- variable: certProvider.trustDomain - required: true - type: string - default: "cluster.local" - label: certProvider trustDomain - description: "SPIFFE Trust Domain" - group: "certProvider Settings" -- variable: certProvider.certTTLinHours - required: true - type: int - default: 720 - label: certProvider certTTLinHours - description: "Validity of certificate generated by xds-adaptor and signed by Istiod (Istio Citadel) in hours." 
- group: "certProvider Settings" -- variable: certProvider.clusterId - required: true - type: string - default: "Kubernetes" - label: certProvider clusterId - description: "clusterId is the ID of the cluster where Istiod CA instance resides (default Kubernetes). It can be different value on some cloud platforms or in m -ulticluster environments. For example, in Anthos servicemesh, it might be of the format of `cn--`. In multiCluster environments, it is the val -ue of global.multiCluster.clusterName provided during servicemesh control plane installation" - group: "certProvider Settings" -- variable: certProvider.jwtPolicy - required: true - type: enum - default: "first-party-jwt" - label: certProvider jwtPolicy - description: "Kubernetes platform supports First party tokens and Third party tokens" - options: - - "first-party-jwt" - - "third-party-jwt" -- variable: cpxProxy.netscalerUrl - required: true - type: string - default: "http://127.0.0.1" - description: "Citrix ADC CPX image used as sidecar proxy" - label: cpxProxy image - group: "cpxProxy Settings" -- variable: cpxProxy.image - required: true - type: string - default: "quay.io/citrix/citrix-k8s-cpx-ingress:13.0-79.64" - description: "Citrix ADC CPX image used as sidecar proxy" - label: cpxProxy image - group: "cpxProxy Settings" -- variable: cpxProxy.imagePullPolicy - required: true - type: enum - default: IfNotPresent - description: "cpxProxy Image pull policy" - label: cpxProxy imagePullPolicy - options: - - "Always" - - "IfNotPresent" - - "Never" - group: "cpxProxy Settings" -- variable: cpxProxy.EULA - required: true - type: enum - label: cpxProxy EULA license - options: - - "YES" - - "NO" - group: "cpxProxy Settings" -- variable: cpxProxy.cpxSidecarMode - required: true - type: string - default: "YES" - description: "Environment variable for Citrix ADC CPX. 
It indicates that Citrix ADC CPX is running as sidecar mode or not" - label: cpxProxy image - options: - - "YES" - - "NO" - group: "cpxProxy Settings" -- variable: cpxProxy.mgmtHttpPort - required: true - type: int - default: 10080 - label: cpxProxy mgmtHttpPort - group: "cpxProxy Settings" -- variable: cpxProxy.mgmtHttpsPort - required: true - type: int - default: 10443 - label: cpxProxy mgmtHttpsPort - group: "cpxProxy Settings" -- variable: cpxProxy.cpxDisableProbe - required: true - type: string - default: YES - description: "Environment variable for Citrix ADC CPX. It indicates that Citrix ADC CPX will disable probing dynamic services. It should be enabled for multicluster setup." - label: cpxProxy cpxDisableProbe - options: - - "YES" - - "NO" - group: "cpxProxy Settings" -- variable: sidecarWebHook.webhookImage - required: true - type: string - default: "quay.io/citrix/cpx-istio-sidecar-injector:1.0.0" - label: sidecarWebHook webhookImage - description: "webhookImage image to be used" - group: "sidecarWebHook Settings" -- variable: sidecarWebHook.imagePullPolicy - required: true - type: enum - default: IfNotPresent - label: sidecarWebHook imagePullPolicy - options: - - "Always" - - "IfNotPresent" - - "Never" - group: "sidecarWebHook Settings" -- variable: sidecarCertsGenerator.image - required: true - type: string - default: " quay.io/citrix/cpx-sidecar-injector-certgen:1.1.0" - label: sidecarWebHook webhookImage - description: "webhookImage image to be used" - group: "sidecarCertsGenerator Settings" -- variable: sidecarCertsGenerator.imagePullPolicy - required: true - type: enum - default: IfNotPresent - label: sidecarWebHook imagePullPolicy - options: - - "Always" - - "IfNotPresent" - - "Never" - group: "sidecarCertsGenerator Settings" -- variable: ADMSettings.ADMIP - required: false - type: string - default: - label: ADMSettings ADMIP - description: "Citrix Application Delivery Management (ADM) IP address" - group: "ADMSettings Settings" -- variable: 
ADMSettings.licenseServerIP - required: false - type: string - default: - label: ADMSettings licenseServerIP - description: "Citrix License Server IP address" - group: "ADMSettings Settings" -- variable: ADMSettings.licenseServerPort - required: false - type: int - default: 27000 - label: ADMSettings licenseServerPort - description: "Citrix ADM port if a non-default port is used" - group: "ADMSettings Settings" -- variable: ADMSettings.bandWidthLicense - required: false - type: boolean - default: false - label: ADMSettings bandWidthLicense - description: "To specify bandwidth based licensing" - group: "ADMSettings Settings" -- variable: ADMSettings.bandWidth - required: false - type: string - default: - label: ADMSettings bandWidth - description: "Desired bandwidth capacity to be set for Citrix ADC CPX in Mbps" - group: "ADMSettings Settings" -- variable: webhook.injectionLabelName - required: true - type: string - default: "cpx-injection" - label: webhook injectionLabelName - description: "Label of namespace, where automatic sidecr injection is required" - group: "webhook Settings" diff --git a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.0/templates/_helpers.tpl b/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.0/templates/_helpers.tpl deleted file mode 100644 index 964b92cd5c..0000000000 --- a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.0/templates/_helpers.tpl +++ /dev/null 
@@ -1,20 +0,0 @@
-{{/* Below function is used to identify default value of jwtPolicy if not provided.
- * For on-prem Kubernetes v1.21+, it is third-party-jwt. Else first-party-jwt.
- * Note: Don't just do "helm template" to generate yaml file. Else https://github.com/helm/helm/issues/7991
- * is possible. Use "helm template --validate" or "helm install --dry-run --debug".
- * Note2: For cloud environments, semverCompare should be ideally done with "<1.21.x-x" as
- * Kubernetes version is generally of the format v1.20.7-eks-xxxxxx. So, it fails the "v1.21.x" check but that's fine
- * as in cloud environments third-party-jwt is enabled.
-*/}}
-
-{{- define "jwtValue" -}}
-{{- if .Values.certProvider.jwtPolicy -}}
-{{- printf .Values.certProvider.jwtPolicy -}}
-{{- else -}}
-{{- if semverCompare "<1.21.x" .Capabilities.KubeVersion.Version -}}
-{{- printf "first-party-jwt" -}}
-{{- else -}}
-{{- printf "third-party-jwt" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
diff --git a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.0/templates/cpx-sidecar-injector-configmap.yaml b/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.0/templates/cpx-sidecar-injector-configmap.yaml
deleted file mode 100644
index 77b9e84e63..0000000000
--- a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.0/templates/cpx-sidecar-injector-configmap.yaml
+++ /dev/null
@@ -1,221 +0,0 @@
-# This configmap stores the sidecar proxy info and arguments needed
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: cpx-istio-sidecar-injector
- namespace: {{.Release.Namespace}}
- labels:
- app: cpx-sidecar-injector
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ .Release.Name }}
- istio: sidecar-injector
-data:
- config: |-
- policy: enabled
- # If user does *NOT* want to inject sidecar on some pods based on label,
- # then mention such labels in 'neverInjectSelector' entry.
- # Note: This is valid only when istio's sidecar-injector image is running.
- neverInjectSelector:
- - matchExpressions:
- - {key: citrix.com/no.sidecar, operator: Exists}
- # Here, if pod has a label citrix.com/no.sidecar, then sidecar won't be injected for that pod.
- template: |-
- containers:
- - name: istio-adaptor
- image: {{ .Values.xDSAdaptor.image }}
- imagePullPolicy: {{ .Values.xDSAdaptor.imagePullPolicy }}
- env:
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: INSTANCE_IP
- valueFrom:
- fieldRef:
- fieldPath: status.podIP
- - name: NODE_NAME
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
- - name: APPLICATION_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.labels['app']
- - name: SERVICE_ACCOUNT
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: spec.serviceAccountName
-{{- if .Values.certProvider.caAddr }}
- - name: CA_ADDR
- value: {{ .Values.certProvider.caAddr }}:{{ .Values.certProvider.caPort}} #istiod.istio-system.svc:15012
- - name: TRUST_DOMAIN
- value: {{ .Values.certProvider.trustDomain }} #cluster.local
- - name: CLUSTER_ID
- value: {{ .Values.certProvider.clusterId }} #Kubernetes
- - name: CERT_TTL_IN_HOURS
- value: {{ .Values.certProvider.certTTLinHours }}
- - name: JWT_POLICY
- value: {{ include "jwtValue" . | quote }} # third-party-jwt if Kubernetes cluster supports third-party tokens
-{{- end }}
- - name: NS_USER
- value: nsroot
- - name: NS_PASSWORD
- value: nsroot
-{{- if eq .Values.coe.coeTracing true }}
- - name: COE_TRACING
- value: "TRUE"
-{{- end }}
- - name: LOGLEVEL
- value: {{ .Values.xDSAdaptor.logLevel | default "DEBUG" | quote }}
-{{- if eq .Values.xDSAdaptor.jsonLog true }}
- - name: JSONLOG
- value: "TRUE"
-{{- end }}
- args:
- - -ads-server
-{{- if eq .Values.xDSAdaptor.secureConnect true }}
- - {{ .Values.istioPilot.name}}.{{.Values.istioPilot.namespace }}.svc:{{ .Values.istioPilot.secureGrpcPort }} # istiod.istio-system.svc:15012
-{{- else }}
- - {{ .Values.istioPilot.name}}.{{.Values.istioPilot.namespace }}.svc:{{ .Values.istioPilot.insecureGrpcPort }} # istiod.istio-system.svc:15010
-{{- end }}
- - -ads-secure-connect={{ .Values.xDSAdaptor.secureConnect}}
- - -ads-server-SAN
- - {{ .Values.istioPilot.SAN }}
- - -istio-proxy-type
- - {{ .Values.xDSAdaptor.proxyType | default "sidecar" | quote }}
- - -citrix-adc
- - "{{- .Values.cpxProxy.netscalerUrl }}:{{- .Values.cpxProxy.mgmtHttpPort | toString }}"
- - -citrix-adc-password
- - "/var/deviceinfo/random_id"
-{{- if .Values.ADMSettings.ADMIP }}
- - -citrix-adm
- - {{ .Values.ADMSettings.ADMIP }}
-{{- end }}
-{{- if .Values.ADMSettings.licenseServerIP }}
- - -citrix-license-server
- - {{ .Values.ADMSettings.licenseServerIP }}
-{{- end }}
-{{- if .Values.coe.coeURL }}
- - -coe
- - {{ .Values.coe.coeURL }}
-{{- end }}
- volumeMounts:
- - mountPath: /var/deviceinfo
- name: cpx-pwd
-{{- $jwtpolicy := include "jwtValue" . }}
-{{- if eq $jwtpolicy "third-party-jwt" }}
- - mountPath: /var/run/secrets/tokens
- name: istio-token
-{{- end }}
- - mountPath: /etc/nslogin
- name: nslogin
- readOnly: true
- - name: certs
- mountPath: /etc/certs
- - name: istiod-ca-cert
- mountPath: /etc/rootcert/
- securityContext:
- readOnlyRootFilesystem: true
- runAsGroup: 32024
- runAsUser: 32024 # UID of xds-adaptor container's user
- runAsNonRoot: true
- - name: cpx-proxy
- image: {{ .Values.cpxProxy.image }}
- imagePullPolicy: IfNotPresent
- securityContext:
- privileged: true
- env:
- - name: "EULA"
- value: "{{ .Values.cpxProxy.EULA }}"
- - name: "CPX_SIDECAR_MODE"
- value: {{ .Values.cpxProxy.cpxSidecarMode | quote }}
- - name: "CPX_DISABLE_PROBE"
- value: "{{ .Values.cpxProxy.cpxDisableProbe }}"
- - name: "MGMT_HTTP_PORT"
- value: {{ .Values.cpxProxy.mgmtHttpPort | quote }}
- - name: "MGMT_HTTPS_PORT"
- value: {{ .Values.cpxProxy.mgmtHttpsPort | quote }}
- - name: "KUBERNETES_TASK_ID"
- value: ""
- - name: "NS_CPX_LITE"
- value: 1
-{{- if or .Values.coe.coeURL .Values.ADMSettings.ADMIP }}
- - name: "NS_ENABLE_NEWNSLOG"
- value: 1
-{{- end }}
- - name: "LS_IP"
- value: {{ .Values.ADMSettings.licenseServerIP | default "" }}
- - name: "LS_PORT"
- value: {{ .Values.ADMSettings.licenseServerPort}}
-{{- if .Values.ADMSettings.ADMIP }}
- - name: "NS_MGMT_SERVER"
- value: {{ .Values.ADMSettings.ADMIP }}
- - name: "NS_HTTP_PORT"
- value: {{ .Values.cpxProxy.mgmtHttpPort | quote }}
- - name: "NS_HTTPS_PORT"
- value: {{ .Values.cpxProxy.mgmtHttpsPort | quote }}
-{{- end }}
- - name: "LOGSTREAM_COLLECTOR_IP"
- value: {{ .Values.ADMSettings.ADMIP | default "" }}
-{{- if and ( .Values.ADMSettings.licenseServerIP ) (eq .Values.ADMSettings.bandWidthLicense true) }}
- - name: "BANDWIDTH" #bandwidth is required for provision bandwidth based licensing to Citrix ADC CPX from ADM
- value: {{ required "Mention bandwidth for bandwidth based licensing" .Values.ADMSettings.bandWidth | quote }}
-{{- end }}
-{{- if or (.Values.ADMSettings.ADMIP) (.Values.ADMSettings.licenseServerIP) }}
- - name: NS_MGMT_USER
- valueFrom:
- secretKeyRef:
- name: admlogin
- key: username
- - name: NS_MGMT_PASS
- valueFrom:
- secretKeyRef:
- name: admlogin
- key: password
-{{- end }}
- volumeMounts:
- - mountPath: /cpx/conf/
- name: cpx-conf
- - mountPath: /var/deviceinfo
- name: cpx-pwd
- - mountPath: /cpx/crash/
- name: cpx-crash
- volumes:
- - name: cpx-conf
- emptyDir: {}
- - name: cpx-pwd
- emptyDir: {}
- - name: cpx-crash
- emptyDir: {}
- - name: nslogin
- secret:
- optional: true
- secretName: nslogin
- - name: certs
- emptyDir: {}
-{{- $jwtpolicy := include "jwtValue" . }}
-{{- if eq $jwtpolicy "third-party-jwt" }}
- - name: istio-token
- projected:
- sources:
- - serviceAccountToken:
- audience: istio-ca
- expirationSeconds: 43200
- path: istio-token
-{{- end }}
- - name: istiod-ca-cert
- configMap:
- defaultMode: 0777
- name: istio-ca-root-cert
- values: |-
- {
- "global": {
- "jwtPolicy": "third-party-jwt",
- }
- }
----
diff --git a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.0/templates/cpx-sidecar-injector-deployment-service.yaml b/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.0/templates/cpx-sidecar-injector-deployment-service.yaml
deleted file mode 100644
index baa898a5d7..0000000000
--- a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.0/templates/cpx-sidecar-injector-deployment-service.yaml
+++ /dev/null
@@ -1,108 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: cpx-sidecar-injector
- namespace: {{ .Release.Namespace }}
- labels:
- istio: sidecar-injector
- app: cpx-sidecar-injector
-spec:
- ports:
- - port: 443
- selector:
- istio: sidecar-injector
-
----
-# Deployment
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: cpx-sidecar-injector
- namespace: {{ .Release.Namespace }}
- labels:
- app: sidecarInjectorWebhook
- istio: sidecar-injector
- app: cpx-sidecar-injector
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: cpx-sidecar-injector
- istio: sidecar-injector
- template:
- metadata:
- labels:
- istio: sidecar-injector
- app: cpx-sidecar-injector
- annotations:
- sidecar.istio.io/inject: "false"
- scheduler.alpha.kubernetes.io/critical-pod: ""
- spec:
- serviceAccountName: cpx-sidecar-injector-service-account
- initContainers:
- - name: sidecar-certs-generator
- image: {{ .Values.sidecarCertsGenerator.image }}
- imagePullPolicy: {{ .Values.sidecarCertsGenerator.imagePullPolicy }}
- volumeMounts:
- - name: certs
- mountPath: /tmp
- containers:
- - name: sidecar-injector-webhook
- image: {{ .Values.sidecarWebHook.webhookImage }}
- imagePullPolicy: {{ .Values.sidecarWebHook.imagePullPolicy }}
- args:
- - --caCertFile=/etc/istio/certs/cert.pem
- - --tlsCertFile=/etc/istio/certs/cert.pem
- - --tlsKeyFile=/etc/istio/certs/key.pem
- - --injectConfig=/etc/istio/inject/config
- - --meshConfig=/etc/istio/config/mesh
- - --healthCheckInterval=10s
- - --webhookConfigName=cpx-sidecar-injector
- volumeMounts:
- - name: config-volume
- mountPath: /etc/istio/config
- readOnly: true
- - name: certs
- mountPath: /etc/istio/certs
- readOnly: true
- - name: inject-config
- mountPath: /etc/istio/inject
- readOnly: true
- livenessProbe:
- exec:
- command:
- - cat
- - /health
- failureThreshold: 5
- initialDelaySeconds: 4
- periodSeconds: 10
- readinessProbe:
- exec:
- command:
- - cat
- - /health
- failureThreshold: 5
- initialDelaySeconds: 4
- periodSeconds: 10
- initialDelaySeconds: 4
- resources:
- requests:
- cpu: 10m
-
- volumes:
- - name: config-volume
- configMap:
- name: istio
- - name: certs
- emptyDir: {}
- - name: inject-config
- configMap:
- name: cpx-istio-sidecar-injector
- items:
- - key: config
- path: config
- - key: values
- path: values
----
diff --git a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.0/templates/cpx-sidecar-injector-istioConfigMap.yaml b/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.0/templates/cpx-sidecar-injector-istioConfigMap.yaml
deleted file mode 100644
index 8d7e8f7083..0000000000
--- a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.0/templates/cpx-sidecar-injector-istioConfigMap.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: istio
- namespace: {{ .Release.Namespace }}
- labels:
- app: cpx-sidecar-injector
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ .Release.Name }}
- istio: sidecar-injector
-data:
- mesh: |-
- # Needed for injection of securityContext in PodSpec during auto-sidecar injection
- sdsUdsPath: unix:/etc/istio/proxy/SDS
-
----
diff --git a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.0/templates/cpx-sidecar-injector-serviceaccount.yaml b/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.0/templates/cpx-sidecar-injector-serviceaccount.yaml
deleted file mode 100644
index 161998c6c4..0000000000
--- a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.0/templates/cpx-sidecar-injector-serviceaccount.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-# Serviceaccount
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: cpx-sidecar-injector-service-account
- namespace: {{ .Release.Namespace }}
- labels:
- app: cpx-sidecar-injector
-
----
-# ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: cpx-sidecar-injector-istio-system
- labels:
- app: cpx-sidecar-injector
-rules:
-- apiGroups: ["*"]
- resources: ["configmaps"]
- verbs: ["get", "list", "watch"]
-- apiGroups: ["admissionregistration.k8s.io"]
- resources: ["mutatingwebhookconfigurations"]
- verbs: ["get", "list", "watch", "patch"]
-- apiGroups: ["certificates.k8s.io"]
- resources: ["certificatesigningrequests", "certificatesigningrequests/approval"]
- verbs: ["get", "list", "create", "watch", "delete", "update"]
-- apiGroups: ["certificates.k8s.io"]
- resources: ["signers"]
- resourceNames: ["kubernetes.io/legacy-unknown", "kubernetes.io/kubelet-serving"]
- verbs: ["get", "list", "create", "watch", "delete", "update", "approve"]
----
-# ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: cpx-sidecar-injector-admin-role-binding-istio-system
- labels:
- app: cpx-sidecar-injector
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: cpx-sidecar-injector-istio-system
-subjects:
- - kind: ServiceAccount
- name: cpx-sidecar-injector-service-account
- namespace: {{ .Release.Namespace }}
----
diff --git a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.0/templates/cpx-sidecar-networkpolicy.yaml b/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.0/templates/cpx-sidecar-networkpolicy.yaml
deleted file mode 100644
index 83234a10da..0000000000
--- a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.0/templates/cpx-sidecar-networkpolicy.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
- labels:
- app: cpx-sidecar-injector
- name: cpx-sidecar-injector
- namespace: {{ .Release.Namespace }}
-spec:
- ingress:
- - {}
- podSelector:
- matchLabels:
- app: cpx-sidecar-injector
- policyTypes:
- - Ingress
diff --git a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.0/templates/mutatingwebhook.yaml b/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.0/templates/mutatingwebhook.yaml
deleted file mode 100644
index 8796710966..0000000000
--- a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.0/templates/mutatingwebhook.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-# Mutating wehbook is used to perform sidecar injection.
-# It calls sidecar-injector-service when the label is matched.
-apiVersion: admissionregistration.k8s.io/v1
-kind: MutatingWebhookConfiguration
-metadata:
- name: cpx-sidecar-injector
- namespace: {{ .Release.Namespace }}
- labels:
- app: cpx-sidecar-injector
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ .Release.Name }}
-webhooks:
- - name: sidecar-injector.istio.io
- admissionReviewVersions:
- - v1
- clientConfig:
- service:
- name: cpx-sidecar-injector
- namespace: {{ .Release.Namespace }}
- path: "/inject"
- caBundle: ""
- rules:
- - operations: [ "CREATE" ]
- apiGroups: [""]
- apiVersions: ["v1"]
- resources: ["pods"]
- scope: "*"
- sideEffects: None
- failurePolicy: Fail
- namespaceSelector:
- matchLabels:
-{{- if .Values.webhook.injectionLabelName }}
- {{ .Values.webhook.injectionLabelName }}: enabled
-{{- else }}
- cpx-injection: enabled
-{{- end }}
----
diff --git a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.0/values.yaml b/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.0/values.yaml
deleted file mode 100644
index 5c601fe2b9..0000000000
--- a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.0/values.yaml
+++ /dev/null
@@ -1,60 +0,0 @@
-# Default values for cpx-istio.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-xDSAdaptor:
- image: quay.io/citrix/citrix-xds-adaptor:0.9.9
- imagePullPolicy: IfNotPresent
- proxyType: sidecar
- secureConnect: true
- logLevel: DEBUG
- jsonLog: false
-
-coe:
- coeURL:
- coeTracing: false
-
-istioPilot:
- name: istiod
- namespace: istio-system
- secureGrpcPort: 15012
- insecureGrpcPort: 15010
- SAN: #"spiffe://cluster.local/ns/istio-system/sa/istiod-service-account"
-
-certProvider:
- caAddr: istiod.istio-system.svc
- caPort: 15012
- trustDomain: cluster.local
- certTTLinHours: 720
- clusterId: Kubernetes
- jwtPolicy: #specify third-party-jwt if Kubernetes cluster supports third-party tokens
-
-cpxProxy:
- netscalerUrl: "http://127.0.0.1"
- image: quay.io/citrix/citrix-k8s-cpx-ingress:13.0-79.64
- imagePullPolicy: IfNotPresent
- EULA: NO
- cpxSidecarMode: YES
- mgmtHttpPort: 10080
- mgmtHttpsPort: 10443
- cpxDisableProbe: "YES"
- #licenseServerIP: this value is taken from ADMSettings.ADMIP
-
-sidecarWebHook:
- webhookImage: quay.io/citrix/cpx-istio-sidecar-injector:1.0.0
- imagePullPolicy: IfNotPresent
-
-sidecarCertsGenerator:
- image: quay.io/citrix/cpx-sidecar-injector-certgen:1.1.0
- imagePullPolicy: IfNotPresent
-
-ADMSettings:
- ADMIP:
- licenseServerIP:
- licenseServerPort: 27000
- bandWidthLicense: false
- bandWidth:
-
-webhook:
- injectionLabelName: cpx-injection
-
diff --git a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.1/.helmignore b/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.1/.helmignore
deleted file mode 100644
index 50af031725..0000000000
--- a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.1/.helmignore
+++ /dev/null
@@ -1,22 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.1/Chart.yaml b/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.1/Chart.yaml
deleted file mode 100644
index 354e3cb869..0000000000
--- a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.1/Chart.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-annotations:
- catalog.cattle.io/certified: partner
- catalog.cattle.io/display-name: Citrix Cpx Istio Sidecar Injector
- catalog.cattle.io/release-name: citrix-cpx-istio-sidecar-injector
-apiVersion: v2
-appVersion: 1.11.0
-deprecated: true
-description: A Helm chart to deploy resources which install Citrix ADC CPX in Istio
- Service Mesh as sidecar in application pod
-home: https://www.citrix.com
-icon: https://raw.githubusercontent.com/citrix/citrix-xds-adaptor/master/docs/media/Citrix_Logo_Trademark.png
-kubeVersion: '>=v1.16.0-0'
-maintainers:
-- email: dhiraj.gedam@citrix.com
- name: dheerajng
-- email: subash.dangol@citrix.com
- name: subashd
-- email: ajeeta.shakeet@citrix.com
- name: ajeetas
-name: citrix-cpx-istio-sidecar-injector
-sources:
-- https://github.com/citrix/citrix-xds-adaptor
-version: 1.11.1
diff --git a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.1/README.md b/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.1/README.md
deleted file mode 100644
index 83434ceca6..0000000000
--- a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.1/README.md
+++ /dev/null
@@ -1,280 +0,0 @@ -# Deploy Citrix ADC CPX as a sidecar in Istio environment using Helm charts - -Citrix ADC CPX can be deployed as a sidecar proxy in an application pod in the Istio service mesh. - - -# Table of Contents -1. [TL; DR;](#tldr) -2. [Introduction](#introduction) -3. [Deploy Sidecar Injector for Citrix ADC CPX using Helm chart](#deploy-sidecar-injector-for-citrix-adc-cpx-using-helm-chart) -4. [Observability using Citrix Observability Exporter](#observability-using-coe) -5. [Citrix ADC CPX License Provisioning](#citrix-adc-cpx-license-provisioning) -6. [Service Graph configuration](#configuration-for-servicegraph) -7. [Generate Certificate for Application](#generate-certificate-for-application) -8. [Limitations](#limitations) -9. [Clean Up](#clean-up) -10. [Configuration Parameters](#configuration-parameters) - - -## TL; DR; - - kubectl create namespace citrix-system - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES - - -## Introduction - -Citrix ADC CPX can act as a sidecar proxy to an application container in Istio. You can inject the Citrix ADC CPX manually or automatically using the [Istio sidecar injector](https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/). Automatic sidecar injection requires resources including a Kubernetes [mutating webhook admission](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) controller, and a service. Using this Helm chart, you can create resources required for automatically deploying Citrix ADC CPX as a sidecar proxy. - -In Istio servicemesh, the namespace must be labelled before applying the deployment yaml for [automatic sidecar injection](https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#automatic-sidecar-injection). 
Once the namespace is labelled, sidecars (envoy or CPX) will be injected while creating pods. -- For CPX, namespace must be labelled `cpx-injection=enabled` -- For Envoy, namespace must be labelled `istio-injection=enabled` - -__Note: If a namespace is labelled with both `istio-injection` and `cpx-injection`, Envoy injection takes a priority! Citrix CPX won't be injected on top of the already injected Envoy sidecar. For using Citrix ADC as sidecar, ensure that `istio-injection` label is removed from the namespace.__ - -For detailed information on different deployment options, see [Deployment Architecture](https://github.com/citrix/citrix-istio-adaptor/blob/master/docs/istio-integration/architecture.md). - -### Compatibility Matrix between Citrix xDS-adaptor and Istio version - -Below table provides info about recommended Citrix xDS-Adaptor version to be used for various Istio versions. - -| Citrix xDS-Adaptor version | Istio version | -|----------------------------|---------------| -| quay.io/citrix/citrix-xds-adaptor:0.9.9 | Istio v1.10+ | -| quay.io/citrix/citrix-xds-adaptor:0.9.8 | Istio v1.8 to Istio v1.9 | -| quay.io/citrix/citrix-xds-adaptor:0.9.5 | Istio v1.6 | - -### Prerequisites - -The following prerequisites are required for deploying Citrix ADC as a sidecar to an application pod. - -- Ensure that **Istio version 1.8 onwards** is installed -- Ensure that Helm with version 3.x is installed. Follow this [step](https://github.com/citrix/citrix-helm-charts/blob/master/Helm_Installation_version_3.md) to install the same. 
-- Ensure that your cluster Kubernetes version should be 1.16 onwards and the `admissionregistration.k8s.io/v1`, `admissionregistration.k8s.io/v1beta1` API is enabled - -You can verify the API by using the following command: - - kubectl api-versions | grep admissionregistration.k8s.io/v1 - -The following output indicates that the API is enabled: - - admissionregistration.k8s.io/v1 - admissionregistration.k8s.io/v1beta1 - -- Create namespace `citrix-system` - - kubectl create namespace citrix-system - -- **Registration of Citrix ADC CPX in ADM** - -Create a secret containing ADM username and password in each application namespace. - - kubectl create secret generic admlogin --from-literal=username= --from-literal=password= -n citrix-system - -## Deploy Sidecar Injector for Citrix ADC CPX using Helm chart - -**Before you Begin** - -To deploy resources for automatic installation of Citrix ADC CPX as a sidecar in Istio, perform the following step. In this example, release name is specified as `cpx-sidecar-injector` and namespace is used as `citrix-system`. - - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES - -This step installs a mutating webhook and a service resource to application pods in the namespace labeled as `cpx-injection=enabled`. - -*"Note:" The `cpx-injection=enabled` label is mandatory for injecting sidecars.* - -An example to deploy application along with Citrix ADC CPX sidecar is provided [here](https://github.com/citrix/citrix-helm-charts/tree/master/examples/citrix-adc-in-istio). - - -# Observability using Citrix Observability Exporter - -### Pre-requisites - -1. Citrix Observability Exporter (COE) should be deployed in the cluster. - -2. Citrix ADC CPX should be running with versions 13.0-48+ or 12.1-56+. 
- -Citrix ADC CPXes serving East West traffic send its metrics and transaction data to COE which has a support for Prometheus and Zipkin. - -Metrics data can be visualized in Prometheus dashboard. - -Zipkin enables users to analyze tracing for East-West service to service communication. - -*Note*: Istio should be [installed](https://istio.io/docs/tasks/observability/distributed-tracing/zipkin/#before-you-begin) with Zipkin as tracing endpoint. - -``` -helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - -helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES,coe.coeURL=. -``` - -By default, COE is primarily used for Prometheus integration. Servicegraph and tracing is handled by Citrix ADM appliance. To enable Zipkin tracing, set argument `coe.coeTracing=true` in helm command. Default value of coeTracing is set to false. - -``` -helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - -helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES,coe.coeURL=.,coe.coeTracing=true - -``` - -For example, if COE is deployed as `coe` in `citrix-system` namespace, then below helm command will deploy sidecar injector webhook which will be deploying Citrix ADC CPX sidecar proxies in application pods, and these sidecar proxies will be configured to establish communication channels with COE. - -``` -helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - -helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES,coe.coeURL=coe.citrix-system -``` - -*Important*: Apply below mentioned annotations on COE deployment so that Prometheus can scrape data from COE. 
-``` - prometheus.io/scrape: "true" - prometheus.io/port: "5563" # Prometheus port -``` -## **Citrix ADC CPX License Provisioning** -By default, CPX runs with 20 Mbps bandwidth called as [CPX Express](https://www.citrix.com/en-in/products/citrix-adc/cpx-express.html) however for better performance and production deployment customer needs licensed CPX instances. [Citrix ADM](https://www.citrix.com/en-in/products/citrix-application-delivery-management/) is used to check out licenses for Citrix ADC CPX. - -**Bandwidth based licensing** -For provisioning licensing on Citrix ADC CPX, it is mandatory to provide License Server information to CPX. This can be done by setting **ADMSettings.licenseServerIP** as License Server IP. In addition to this, **ADMSettings.bandWidthLicense** needs to be set true and desired bandwidth capacity in Mbps should be set **ADMSettings.bandWidth**. -For example, to set 2Gbps as bandwidth capacity, below command can be used. - -``` -helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - -helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES --set ADMSettings.licenseServerIP=,ADMSettings.bandWidthLicense=True --set ADMSettings.bandWidth=2000 - -``` - -## **Service Graph configuration** - Citrix ADM Service graph is an observability tool that allows user to analyse service to service communication. The service graph is generated by ADM post collection of transactional data from registered Citrix ADC instances. More details about it can be found [here](https://docs.citrix.com/en-us/citrix-application-delivery-management-service/application-analytics-and-management/service-graph.html). - Citrix ADC needs to be provided with ADM details for registration and data export. This section lists the steps needed to deploy Citrix ADC and register it with ADM. - - 1. 
Create secret using Citrix ADM Agent credentials, which will be used by Citrix ADC as CPX to communicate with Citrix ADM Agent: - - kubectl create secret generic admlogin --from-literal=username= --from-literal=password= - - 2. Deploy Citrix ADC CPX sidecar injector using helm command with `ADM` details: - - helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES --set ADMSettings.ADMIP= - -> **Note:** -> If container agent is being used here for Citrix ADM, specify `PodIP` of container agent in the `ADMSettings.ADMIP` parameter. - -## Generate Certificate for Application - -Application needs TLS certificate-key pair for establishing secure communication channel with other applications. Earlier these certificates were issued by Istio Citadel and bundled in Kubernetes secret. Certificate was loaded in the application pod by doing volume mount of secret. Now `xDS-Adaptor` can generate its own certificate and get it signed by the Istio Citadel (Istiod). This eliminates the need of secret and associated [risks](https://kubernetes.io/docs/concepts/configuration/secret/#risks). - -xDS-Adaptor needs to be provided with details Certificate Authority (CA) for successful signing of Certificate Signing Request (CSR). By default, CA is `istiod.istio-system.svc` which accepts CSRs on port 15012. -To skip this process, don't provide any value (empty string) to `certProvider.caAddr`. -``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES --set certProvider.caAddr="" -``` - -### Configure Third Party Service Account Tokens - -In order to generate certificate for application workload, xDS-Adaptor needs to send valid service account token along with Certificate Signing Request (CSR) to the Istio control plane (Citadel CA). 
Istio control plane authenticates the xDS-Adaptor using this JWT. -Kubernetes supports two forms of these tokens: - -* Third party tokens, which have a scoped audience and expiration. -* First party tokens, which have no expiration and are mounted into all pods. - - If Kubernetes cluster is installed with third party tokens, then the same information needs to be provided for automatic sidecar injection by passing `--set certProvider.jwtPolicy="third-party-jwt"`. By default, it is `first-party-jwt`. - -``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES --set certProvider.caAddr="istiod.istio-system.svc" --set certProvider.jwtPolicy="third-party-jwt" - -``` - -To determine if your cluster supports third party tokens, look for the TokenRequest API using below command. If there is no output, then it is `first-party-jwt`. In case of `third-party-jwt`, output will be like below. - -``` -# kubectl get --raw /api/v1 | jq '.resources[] | select(.name | index("serviceaccounts/token"))' - -{ - "name": "serviceaccounts/token", - "singularName": "", - "namespaced": true, - "group": "authentication.k8s.io", - "version": "v1", - "kind": "TokenRequest", - "verbs": [ - "create" - ] -} - -``` - -## Limitations - -Citrix ADC CPX occupies certain ports for internal usage. This makes application service running on one of these restricted ports incompatible with the Citrix ADC CPX. -The list of ports is mentioned below. Citrix is working on delisting some of the major ports from the given list, and same shall be available in future releases. - -#### Restricted Ports - -| Sr No |Port Number| -|-------|-----------| -| 1 | 80 | -| 2 | 3010 | -| 3 | 5555 | -| 4 | 8080 | - -## Clean Up - -To delete the resources created for automatic injection with the release name `cpx-sidecar-injector`, perform the following step. 
- - helm delete cpx-sidecar-injector - -## Configuration parameters - -The following table lists the configurable parameters and their default values in the Helm chart. - - -| Parameter | Description | Default | -|--------------------------------|-------------------------------|---------------------------| -| `xDSAdaptor.image` | Image of the Citrix xDS Adaptor container | quay.io/citrix/citrix-xds-adaptor:0.9.9 | -| `xDSAdaptor.imagePullPolicy` | Image pull policy for xDS-adaptor | IfNotPresent | -| `xDSAdaptor.secureConnect` | If this value is set to true, xDS-adaptor establishes secure gRPC channel with Istio Pilot | TRUE | -| `xDSAdaptor.logLevel` | Log level to be set for xDS-adaptor log messages. Possible values: TRACE (most verbose), DEBUG, INFO, WARN, ERROR (least verbose) | DEBUG | Optional| -| `xDSAdaptor.jsonLog` | Set this argument to true if log messages are required in JSON format | false | Optional| -| `coe.coeURL` | Name of [Citrix Observability Exporter](https://github.com/citrix/citrix-observability-exporter) Service in the form of _servicename.namespace_ | NIL | Optional| -| `coe.coeTracing` | Use COE to send appflow transactions to Zipkin endpoint. If it is set to true, ADM servicegraph (if configured) can be impacted. 
| false | Optional| -| `ADMSettings.ADMIP` | Provide the Citrix Application Delivery Management (ADM) IP address | NIL | -| `ADMSettings.licenseServerIP ` | Citrix License Server IP address | NIL | Optional | -| `ADMSettings.licenseServerPort` | Citrix ADM port if a non-default port is used | 27000 | -| `ADMSettings.bandWidth` | Desired bandwidth capacity to be set for Citrix ADC CPX in Mbps | NIL | Optional | -| `ADMSettings.bandWidthLicense` | To specify bandwidth based licensing | false | Optional | -| `istioPilot.name` | Name of the Istio Pilot service | istio-pilot | -| `istioPilot.namespace` | Namespace where Istio Pilot is running | istio-system | -| `istioPilot.secureGrpcPort` | Secure GRPC port where Istio Pilot is listening (Default setting) | 15011 | -| `istioPilot.insecureGrpcPort` | Insecure GRPC port where Istio Pilot is listening | 15010 | -| `istioPilot.proxyType` | Type of Citrix ADC associated with the xDS-adaptor. Possible values are: sidecar and router. | sidecar| -| `istioPilot.SAN` | Subject alternative name for Istio Pilot which is the Secure Production Identity Framework For Everyone (SPIFFE) ID of Istio Pilot. | NIL | -| `cpxProxy.netscalerUrl` | URL or IP address of the Citrix ADC which will be configured by Istio-adaptor. | http://127.0.0.1 | -| `cpxProxy.image` | Citrix ADC CPX image used as sidecar proxy | quay.io/citrix/citrix-k8s-cpx-ingress:13.0-83.27 | -| `cpxProxy.imagePullPolicy` | Image pull policy for Citrix ADC | IfNotPresent | -| `cpxProxy.EULA` | End User License Agreement(EULA) terms and conditions. If yes, then user agrees to EULA terms and conditions. | NO | -| `cpxProxy.cpxSidecarMode` | Environment variable for Citrix ADC CPX. It indicates that Citrix ADC CPX is running as sidecar mode or not. | YES | -| `cpxProxy.cpxDisableProbe` | Environment variable for Citrix ADC CPX. It indicates that Citrix ADC CPX will disable probing dynamic services. It should be enabled for multicluster setup. 
| YES | -| `sidecarWebHook.webhookImage` | Mutating webhook associated with the sidecar injector. It invokes a service `cpx-sidecar-injector` to inject sidecar proxies in the application pod. | quay.io/citrix/cpx-istio-sidecar-injector:1.1.0 | -| `sidecarWebHook.imagePullPolicy` | Image pull policy |IfNotPresent| -| `sidecarCertsGenerator.image` | Certificate genrator image associated with sidecar injector. This image generates certificate and key needed for CPX sidecar injection. | quay.io/citrix/cpx-sidecar-injector-certgen:1.1.0 | -| `sidecarCertsGenerator.imagePullPolicy` | Image pull policy |IfNotPresent| -| `webhook.injectionLabelName` | Label of namespace where automatic Citrix ADC CPX sidecar injection is required. | cpx-injection | -| `certProvider.caAddr` | Certificate Authority (CA) address issuing certificate to application | istiod.istio-system.svc | Optional | -| `certProvider.caPort` | Certificate Authority (CA) port issuing certificate to application | 15012 | Optional | -| `certProvider.trustDomain` | SPIFFE Trust Domain | cluster.local | Optional | -| `certProvider.certTTLinHours` | Validity of certificate generated by xds-adaptor and signed by Istiod (Istio Citadel) in hours. Default is 30 days validity | 720 | Optional | -| `certProvider.clusterId` | clusterId is the ID of the cluster where Istiod CA instance resides (default Kubernetes). It can be different value on some cloud platforms or in multicluster environments. For example, in Anthos servicemesh, it might be of the format of `cn--`. In multiCluster environments, it is the value of global.multiCluster.clusterName provided during servicemesh control plane installation | Kubernetes | Optional | -| `certProvider.jwtPolicy` | Service Account token type. Kubernetes platform supports First party tokens and Third party tokens. | first-party-jwt | Optional | -| `certProvider.jwtPolicy` | Service Account token type. Kubernetes platform supports First party tokens and Third party tokens. 
Usually public cloud based Kubernetes has third-party-jwt | null | Optional | - -**Note:** You can use the `values.yaml` file packaged in the chart. This file contains the default configuration values for the chart. diff --git a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.1/app-readme.md b/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.1/app-readme.md deleted file mode 100644 index aa16d21361..0000000000 --- a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.1/app-readme.md +++ /dev/null 
@@ -1,28 +0,0 @@ -# Citrix ADC as a Sidecar for Istio - -Citrix ADC [CPX](https://docs.citrix.com/en-us/citrix-adc-cpx) can act as a sidecar proxy to an application container in Istio. You can inject the Citrix ADC CPX manually or automatically using the [Istio sidecar injector](https://istio.io/docs/setup/additional-setup/sidecar-injection/). - - -### Prerequisites - -The following prerequisites are required for deploying Citrix ADC as a sidecar in an application pod - -- Ensure that **Istio** is enabled. -- Ensure that your cluster has Kubernetes version 1.16.0 or later. -- Ensure the [Kubernetes controller manager](https://rancher.com/docs/rke/latest/en/config-options/services/#kubernetes-controller-manager)’s default certificate signer is enabled. - -**Note**: For RKE based cluster, extra arguments need to be provided for kube-controller service. -```services: - kube-controller: - extra_args: - cluster-signing-cert-file: "/etc/kubernetes/ssl/kube-ca.pem" - cluster-signing-key-file: "/etc/kubernetes/ssl/kube-ca-key.pem" -``` -For detailed information follow this [link](https://github.com/citrix/citrix-xds-adaptor/blob/master/docs/istio-integration/rancher-provisioned-cluster.md) - -### Important NOTE: - - We should not **Enable Istio Auto Injection** on Application namespace. - - The cpx-injection=enabled label is mandatory for injecting sidecars. - - An example to deploy application along with Citrix ADC CPX sidecar is provided [here](https://github.com/citrix/citrix-helm-charts/blob/master/examples/citrix-adc-in-istio/README.md). - -This catalog create resources required for automatically deploying Citrix ADC CPX as a sidecar proxy.For detailed information follow this [link](https://github.com/citrix/citrix-helm-charts/tree/master/citrix-cpx-istio-sidecar-injector) 
diff --git a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.1/create-certs-for-cpx-istio-chart.sh b/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.1/create-certs-for-cpx-istio-chart.sh deleted file mode 100644 index ed5d58a4e0..0000000000 --- a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.1/create-certs-for-cpx-istio-chart.sh +++ /dev/null @@ -1,127 +0,0 @@ -#!/bin/bash - -set -e - -usage() { - cat <> ${certdir}/csr.conf -[req] -req_extensions = v3_req -distinguished_name = req_distinguished_name -[req_distinguished_name] -[ v3_req ] -basicConstraints = CA:FALSE -keyUsage = nonRepudiation, digitalSignature, keyEncipherment -extendedKeyUsage = serverAuth -subjectAltName = @alt_names -[alt_names] -DNS.1 = ${service} -DNS.2 = ${service}.${namespace} -DNS.3 = ${service}.${namespace}.svc -EOF - -openssl genrsa -out ${certdir}/key.pem 2048 -openssl req -new -key ${certdir}/key.pem -subj "/CN=${service}.${namespace}.svc" -out ${certdir}/server.csr -config ${certdir}/csr.conf - -# clean-up any previously created CSR for our service. Ignore errors if not present. -kubectl delete csr ${csrName} 2>/dev/null || true - -# create server cert/key CSR and send to k8s API -cat <&2 - exit 1 -fi -echo ${serverCert} | openssl base64 -d -A -out ${certdir}/cert.pem - - -# create the secret with CA cert and server cert/key -kubectl create secret generic ${secret} \ - --from-file=key.pem=${certdir}/key.pem \ - --from-file=cert.pem=${certdir}/cert.pem \ - --dry-run -o yaml | - kubectl -n ${namespace} apply -f - diff --git a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.1/questions.yml b/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.1/questions.yml deleted file mode 100644 index 18483b84a7..0000000000 --- a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.1/questions.yml +++ /dev/null 
@@ -1,291 +0,0 @@ -labels: - io.rancher.certified: partner -questions: -- variable: xDSAdaptor.image - required: true - type: string - default: "quay.io/citrix/citrix-xds-adaptor:0.9.9" - description: "xds-adaptor Image to be used" - label: xDSAdaptor Image - group: "xDSAdaptor Settings" -- variable: xDSAdaptor.imagePullPolicy - required: true - type: enum - default: IfNotPresent - description: "Istio-adaptor Image pull policy" - label: istioAdaptor imagePullPolicy - options: - - "Always" - - "IfNotPresent" - - "Never" - group: "xDSAdaptor Settings" -- variable: xDSAdaptor.proxyType - required: true - type: string - default: true - label: xDSAdaptor proxyType - description: "xDSAdaptor proxyType type set to router by default" - group: "xDSAdaptor Settings" -- variable: xDSAdaptor.secureConnect - required: false - type: boolean - default: true - label: xDSAdaptor secureConnect - description: "xDSAdaptor establishes secure gRPC channel with Istio Pilot, if value is set to true" - group: "xDSAdaptor Settings" -- variable: xDSAdaptor.logLevel - required: false - type: enum - default: DEBUG - label: xDSAdaptor logLevel - description: "xDSAdaptor logLevel" - options: - - "TRACE" - - "DEBUG" - - "INFO" - - "WARN" - - "ERROR" - group: "xDSAdaptor Settings" -- variable: xDSAdaptor.jsonLog - required: false - type: string - default: "true" - label: xDSAdaptor jsonLog - description: "Set this argument to true if log messages are required in JSON format" - group: "xDSAdaptor Settings" -- variable: coe.coeURL - required: false - type: string - label: coe coeURL - description: "Name of Citrix Observability Exporter Service" - group: "COE Settings" -- variable: coe.coeTracing - required: false - type: boolean - label: coe coeTracing - description: "Used to send appflow transactions to Zipkin endpoint,if true ADM servicegraph (if configured) can be impacted" - group: "COE Settings" -- variable: istioPilot.name - required: true - type: string - default: istio-pilot - label: 
istio-pilot name - group: "istio-pilot Settings" -- variable: istioPilot.namespace - required: true - type: string - default: istio-system - label: istio-pilot namespace - description: "Name of the Istio Pilot service" - group: "istio-pilot Settings" -- variable: istioPilot.secureGrpcPort - required: true - type: int - default: 15011 - description: "Secure GRPC port where Istio Pilot is listening" - label: istio-pilot secureGrpcPort - show_if: "xDSAdaptor.secureConnect=true" - group: "istio-pilot Settings" -- variable: istioPilot.insecureGrpcPort - required: true - type: int - default: 15010 - label: istio-pilot insecureGrpcPort - description: "Insecure GRPC port where Istio Pilot is listening" - show_if: "xDSAdaptor.secureConnect=false" - group: "istio-pilot Settings" -- variable: istioPilot.SAN - required: false - type: string - default: - label: istio-pilot SAN - description: "Subject alternative name for Istio Pilot which is (SPIFFE) ID of Istio Pilot" - show_if: "xDSAdaptor.secureConnect=true" - group: "istio-pilot Settings" -- variable: certProvider.caAddr - required: true - type: string - default: "istiod.istio-system.svc" - label: certProvider caAddr - description: "Certificate Authority (CA) address issuing certificate to application" - group: "certProvider Settings" -- variable: certProvider.caPort - required: true - type: int - default: 15012 - label: certProvider caPort - description: "Certificate Authority (CA) port issuing certificate to application" - group: "certProvider Settings" -- variable: certProvider.trustDomain - required: true - type: string - default: "cluster.local" - label: certProvider trustDomain - description: "SPIFFE Trust Domain" - group: "certProvider Settings" -- variable: certProvider.certTTLinHours - required: true - type: int - default: 720 - label: certProvider certTTLinHours - description: "Validity of certificate generated by xds-adaptor and signed by Istiod (Istio Citadel) in hours." 
- group: "certProvider Settings" -- variable: certProvider.clusterId - required: true - type: string - default: "Kubernetes" - label: certProvider clusterId - description: "clusterId is the ID of the cluster where Istiod CA instance resides (default Kubernetes). It can be different value on some cloud platforms or in m -ulticluster environments. For example, in Anthos servicemesh, it might be of the format of `cn--`. In multiCluster environments, it is the val -ue of global.multiCluster.clusterName provided during servicemesh control plane installation" - group: "certProvider Settings" -- variable: certProvider.jwtPolicy - required: true - type: enum - default: "first-party-jwt" - label: certProvider jwtPolicy - description: "Kubernetes platform supports First party tokens and Third party tokens" - options: - - "first-party-jwt" - - "third-party-jwt" -- variable: cpxProxy.netscalerUrl - required: true - type: string - default: "http://127.0.0.1" - description: "Citrix ADC CPX image used as sidecar proxy" - label: cpxProxy image - group: "cpxProxy Settings" -- variable: cpxProxy.image - required: true - type: string - default: "quay.io/citrix/citrix-k8s-cpx-ingress:13.0-79.64" - description: "Citrix ADC CPX image used as sidecar proxy" - label: cpxProxy image - group: "cpxProxy Settings" -- variable: cpxProxy.imagePullPolicy - required: true - type: enum - default: IfNotPresent - description: "cpxProxy Image pull policy" - label: cpxProxy imagePullPolicy - options: - - "Always" - - "IfNotPresent" - - "Never" - group: "cpxProxy Settings" -- variable: cpxProxy.EULA - required: true - type: enum - label: cpxProxy EULA license - options: - - "YES" - - "NO" - group: "cpxProxy Settings" -- variable: cpxProxy.cpxSidecarMode - required: true - type: string - default: "YES" - description: "Environment variable for Citrix ADC CPX. 
It indicates that Citrix ADC CPX is running as sidecar mode or not" - label: cpxProxy image - options: - - "YES" - - "NO" - group: "cpxProxy Settings" -- variable: cpxProxy.mgmtHttpPort - required: true - type: int - default: 10080 - label: cpxProxy mgmtHttpPort - group: "cpxProxy Settings" -- variable: cpxProxy.mgmtHttpsPort - required: true - type: int - default: 10443 - label: cpxProxy mgmtHttpsPort - group: "cpxProxy Settings" -- variable: cpxProxy.cpxDisableProbe - required: true - type: string - default: YES - description: "Environment variable for Citrix ADC CPX. It indicates that Citrix ADC CPX will disable probing dynamic services. It should be enabled for multicluster setup." - label: cpxProxy cpxDisableProbe - options: - - "YES" - - "NO" - group: "cpxProxy Settings" -- variable: sidecarWebHook.webhookImage - required: true - type: string - default: "quay.io/citrix/cpx-istio-sidecar-injector:1.0.0" - label: sidecarWebHook webhookImage - description: "webhookImage image to be used" - group: "sidecarWebHook Settings" -- variable: sidecarWebHook.imagePullPolicy - required: true - type: enum - default: IfNotPresent - label: sidecarWebHook imagePullPolicy - options: - - "Always" - - "IfNotPresent" - - "Never" - group: "sidecarWebHook Settings" -- variable: sidecarCertsGenerator.image - required: true - type: string - default: " quay.io/citrix/cpx-sidecar-injector-certgen:1.1.0" - label: sidecarWebHook webhookImage - description: "webhookImage image to be used" - group: "sidecarCertsGenerator Settings" -- variable: sidecarCertsGenerator.imagePullPolicy - required: true - type: enum - default: IfNotPresent - label: sidecarWebHook imagePullPolicy - options: - - "Always" - - "IfNotPresent" - - "Never" - group: "sidecarCertsGenerator Settings" -- variable: ADMSettings.ADMIP - required: false - type: string - default: - label: ADMSettings ADMIP - description: "Citrix Application Delivery Management (ADM) IP address" - group: "ADMSettings Settings" -- variable: 
ADMSettings.licenseServerIP - required: false - type: string - default: - label: ADMSettings licenseServerIP - description: "Citrix License Server IP address" - group: "ADMSettings Settings" -- variable: ADMSettings.licenseServerPort - required: false - type: int - default: 27000 - label: ADMSettings licenseServerPort - description: "Citrix ADM port if a non-default port is used" - group: "ADMSettings Settings" -- variable: ADMSettings.bandWidthLicense - required: false - type: boolean - default: false - label: ADMSettings bandWidthLicense - description: "To specify bandwidth based licensing" - group: "ADMSettings Settings" -- variable: ADMSettings.bandWidth - required: false - type: string - default: - label: ADMSettings bandWidth - description: "Desired bandwidth capacity to be set for Citrix ADC CPX in Mbps" - group: "ADMSettings Settings" -- variable: webhook.injectionLabelName - required: true - type: string - default: "cpx-injection" - label: webhook injectionLabelName - description: "Label of namespace, where automatic sidecr injection is required" - group: "webhook Settings" diff --git a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.1/templates/_helpers.tpl b/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.1/templates/_helpers.tpl deleted file mode 100644 index 964b92cd5c..0000000000 --- a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.1/templates/_helpers.tpl +++ /dev/null 
@@ -1,20 +0,0 @@ -{{/* Below function is used to identify default value of jwtPolicy if not provided. - * For on-prem Kubernetes v1.21+, it is third-party-jwt. Else first-party-jwt. - * Note: Don't just do "helm template" to generate yaml file. Else https://github.com/helm/helm/issues/7991 - * is possible. Use "helm template --validate" or "helm install --dry-run --debug". - * Note2: For cloud environments, semverCompare should be ideally done with "<1.21.x-x" as - * Kubernetes version is generally of the format v1.20.7-eks-xxxxxx. So, it fails the "v1.21.x" check but that's fine - * as in cloud environments third-party-jwt is enabled. -*/}} - -{{- define "jwtValue" -}} -{{- if .Values.certProvider.jwtPolicy -}} -{{- printf .Values.certProvider.jwtPolicy -}} -{{- else -}} -{{- if semverCompare "<1.21.x" .Capabilities.KubeVersion.Version -}} -{{- printf "first-party-jwt" -}} -{{- else -}} -{{- printf "third-party-jwt" -}} -{{- end -}} -{{- end -}} -{{- end -}} diff --git a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.1/templates/cpx-sidecar-injector-configmap.yaml b/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.1/templates/cpx-sidecar-injector-configmap.yaml deleted file mode 100644 index 77b9e84e63..0000000000 --- a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.1/templates/cpx-sidecar-injector-configmap.yaml +++ /dev/null 
@@ -1,221 +0,0 @@ -# This configmap stores the sidecar proxy info and arguments needed -apiVersion: v1 -kind: ConfigMap -metadata: - name: cpx-istio-sidecar-injector - namespace: {{.Release.Namespace}} - labels: - app: cpx-sidecar-injector - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - istio: sidecar-injector -data: - config: |- - policy: enabled - # If user does *NOT* want to inject sidecar on some pods based on label, - # then mention such labels in 'neverInjectSelector' entry. - # Note: This is valid only when istio's sidecar-injector image is running. - neverInjectSelector: - - matchExpressions: - - {key: citrix.com/no.sidecar, operator: Exists} - # Here, if pod has a label citrix.com/no.sidecar, then sidecar won't be injected for that pod. - template: |- - containers: - - name: istio-adaptor - image: {{ .Values.xDSAdaptor.image }} - imagePullPolicy: {{ .Values.xDSAdaptor.imagePullPolicy }} - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: APPLICATION_NAME - valueFrom: - fieldRef: - fieldPath: metadata.labels['app'] - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.serviceAccountName -{{- if .Values.certProvider.caAddr }} - - name: CA_ADDR - value: {{ .Values.certProvider.caAddr }}:{{ .Values.certProvider.caPort}} #istiod.istio-system.svc:15012 - - name: TRUST_DOMAIN - value: {{ .Values.certProvider.trustDomain }} #cluster.local - - name: CLUSTER_ID - value: {{ .Values.certProvider.clusterId }} #Kubernetes - - name: CERT_TTL_IN_HOURS - value: {{ .Values.certProvider.certTTLinHours }} - - name: JWT_POLICY - value: {{ include "jwtValue" . 
| quote }} # third-party-jwt if Kubernetes cluster supports third-party tokens -{{- end }} - - name: NS_USER - value: nsroot - - name: NS_PASSWORD - value: nsroot -{{- if eq .Values.coe.coeTracing true }} - - name: COE_TRACING - value: "TRUE" -{{- end }} - - name: LOGLEVEL - value: {{ .Values.xDSAdaptor.logLevel | default "DEBUG" | quote }} -{{- if eq .Values.xDSAdaptor.jsonLog true }} - - name: JSONLOG - value: "TRUE" -{{- end }} - args: - - -ads-server -{{- if eq .Values.xDSAdaptor.secureConnect true }} - - {{ .Values.istioPilot.name}}.{{.Values.istioPilot.namespace }}.svc:{{ .Values.istioPilot.secureGrpcPort }} # istiod.istio-system.svc:15012 -{{- else }} - - {{ .Values.istioPilot.name}}.{{.Values.istioPilot.namespace }}.svc:{{ .Values.istioPilot.insecureGrpcPort }} # istiod.istio-system.svc:15010 -{{- end }} - - -ads-secure-connect={{ .Values.xDSAdaptor.secureConnect}} - - -ads-server-SAN - - {{ .Values.istioPilot.SAN }} - - -istio-proxy-type - - {{ .Values.xDSAdaptor.proxyType | default "sidecar" | quote }} - - -citrix-adc - - "{{- .Values.cpxProxy.netscalerUrl }}:{{- .Values.cpxProxy.mgmtHttpPort | toString }}" - - -citrix-adc-password - - "/var/deviceinfo/random_id" -{{- if .Values.ADMSettings.ADMIP }} - - -citrix-adm - - {{ .Values.ADMSettings.ADMIP }} -{{- end }} -{{- if .Values.ADMSettings.licenseServerIP }} - - -citrix-license-server - - {{ .Values.ADMSettings.licenseServerIP }} -{{- end }} -{{- if .Values.coe.coeURL }} - - -coe - - {{ .Values.coe.coeURL }} -{{- end }} - volumeMounts: - - mountPath: /var/deviceinfo - name: cpx-pwd -{{- $jwtpolicy := include "jwtValue" . 
}} -{{- if eq $jwtpolicy "third-party-jwt" }} - - mountPath: /var/run/secrets/tokens - name: istio-token -{{- end }} - - mountPath: /etc/nslogin - name: nslogin - readOnly: true - - name: certs - mountPath: /etc/certs - - name: istiod-ca-cert - mountPath: /etc/rootcert/ - securityContext: - readOnlyRootFilesystem: true - runAsGroup: 32024 - runAsUser: 32024 # UID of xds-adaptor container's user - runAsNonRoot: true - - name: cpx-proxy - image: {{ .Values.cpxProxy.image }} - imagePullPolicy: IfNotPresent - securityContext: - privileged: true - env: - - name: "EULA" - value: "{{ .Values.cpxProxy.EULA }}" - - name: "CPX_SIDECAR_MODE" - value: {{ .Values.cpxProxy.cpxSidecarMode | quote }} - - name: "CPX_DISABLE_PROBE" - value: "{{ .Values.cpxProxy.cpxDisableProbe }}" - - name: "MGMT_HTTP_PORT" - value: {{ .Values.cpxProxy.mgmtHttpPort | quote }} - - name: "MGMT_HTTPS_PORT" - value: {{ .Values.cpxProxy.mgmtHttpsPort | quote }} - - name: "KUBERNETES_TASK_ID" - value: "" - - name: "NS_CPX_LITE" - value: 1 -{{- if or .Values.coe.coeURL .Values.ADMSettings.ADMIP }} - - name: "NS_ENABLE_NEWNSLOG" - value: 1 -{{- end }} - - name: "LS_IP" - value: {{ .Values.ADMSettings.licenseServerIP | default "" }} - - name: "LS_PORT" - value: {{ .Values.ADMSettings.licenseServerPort}} -{{- if .Values.ADMSettings.ADMIP }} - - name: "NS_MGMT_SERVER" - value: {{ .Values.ADMSettings.ADMIP }} - - name: "NS_HTTP_PORT" - value: {{ .Values.cpxProxy.mgmtHttpPort | quote }} - - name: "NS_HTTPS_PORT" - value: {{ .Values.cpxProxy.mgmtHttpsPort | quote }} -{{- end }} - - name: "LOGSTREAM_COLLECTOR_IP" - value: {{ .Values.ADMSettings.ADMIP | default "" }} -{{- if and ( .Values.ADMSettings.licenseServerIP ) (eq .Values.ADMSettings.bandWidthLicense true) }} - - name: "BANDWIDTH" #bandwidth is required for provision bandwidth based licensing to Citrix ADC CPX from ADM - value: {{ required "Mention bandwidth for bandwidth based licensing" .Values.ADMSettings.bandWidth | quote }} -{{- end }} -{{- if or 
(.Values.ADMSettings.ADMIP) (.Values.ADMSettings.licenseServerIP) }} - - name: NS_MGMT_USER - valueFrom: - secretKeyRef: - name: admlogin - key: username - - name: NS_MGMT_PASS - valueFrom: - secretKeyRef: - name: admlogin - key: password -{{- end }} - volumeMounts: - - mountPath: /cpx/conf/ - name: cpx-conf - - mountPath: /var/deviceinfo - name: cpx-pwd - - mountPath: /cpx/crash/ - name: cpx-crash - volumes: - - name: cpx-conf - emptyDir: {} - - name: cpx-pwd - emptyDir: {} - - name: cpx-crash - emptyDir: {} - - name: nslogin - secret: - optional: true - secretName: nslogin - - name: certs - emptyDir: {} -{{- $jwtpolicy := include "jwtValue" . }} -{{- if eq $jwtpolicy "third-party-jwt" }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: istio-ca - expirationSeconds: 43200 - path: istio-token -{{- end }} - - name: istiod-ca-cert - configMap: - defaultMode: 0777 - name: istio-ca-root-cert - values: |- - { - "global": { - "jwtPolicy": "third-party-jwt", - } - } ---- diff --git a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.1/templates/cpx-sidecar-injector-deployment-service.yaml b/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.1/templates/cpx-sidecar-injector-deployment-service.yaml deleted file mode 100644 index baa898a5d7..0000000000 --- a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.1/templates/cpx-sidecar-injector-deployment-service.yaml +++ /dev/null 
@@ -1,108 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: cpx-sidecar-injector - namespace: {{ .Release.Namespace }} - labels: - istio: sidecar-injector - app: cpx-sidecar-injector -spec: - ports: - - port: 443 - selector: - istio: sidecar-injector - ---- -# Deployment -apiVersion: apps/v1 -kind: Deployment -metadata: - name: cpx-sidecar-injector - namespace: {{ .Release.Namespace }} - labels: - app: sidecarInjectorWebhook - istio: sidecar-injector - app: cpx-sidecar-injector - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} -spec: - replicas: 1 - selector: - matchLabels: - app: cpx-sidecar-injector - istio: sidecar-injector - template: - metadata: - labels: - istio: sidecar-injector - app: cpx-sidecar-injector - annotations: - sidecar.istio.io/inject: "false" - scheduler.alpha.kubernetes.io/critical-pod: "" - spec: - serviceAccountName: cpx-sidecar-injector-service-account - initContainers: - - name: sidecar-certs-generator - image: {{ .Values.sidecarCertsGenerator.image }} - imagePullPolicy: {{ .Values.sidecarCertsGenerator.imagePullPolicy }} - volumeMounts: - - name: certs - mountPath: /tmp - containers: - - name: sidecar-injector-webhook - image: {{ .Values.sidecarWebHook.webhookImage }} - imagePullPolicy: {{ .Values.sidecarWebHook.imagePullPolicy }} - args: - - --caCertFile=/etc/istio/certs/cert.pem - - --tlsCertFile=/etc/istio/certs/cert.pem - - --tlsKeyFile=/etc/istio/certs/key.pem - - --injectConfig=/etc/istio/inject/config - - --meshConfig=/etc/istio/config/mesh - - --healthCheckInterval=10s - - --webhookConfigName=cpx-sidecar-injector - volumeMounts: - - name: config-volume - mountPath: /etc/istio/config - readOnly: true - - name: certs - mountPath: /etc/istio/certs - readOnly: true - - name: inject-config - mountPath: /etc/istio/inject - readOnly: true - livenessProbe: - exec: - command: - - cat - - /health - failureThreshold: 5 - initialDelaySeconds: 4 - periodSeconds: 10 - readinessProbe: 
- exec: - command: - - cat - - /health - failureThreshold: 5 - initialDelaySeconds: 4 - periodSeconds: 10 - initialDelaySeconds: 4 - resources: - requests: - cpu: 10m - - volumes: - - name: config-volume - configMap: - name: istio - - name: certs - emptyDir: {} - - name: inject-config - configMap: - name: cpx-istio-sidecar-injector - items: - - key: config - path: config - - key: values - path: values ---- diff --git a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.1/templates/cpx-sidecar-injector-istioConfigMap.yaml b/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.1/templates/cpx-sidecar-injector-istioConfigMap.yaml deleted file mode 100644 index 8d7e8f7083..0000000000 --- a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.1/templates/cpx-sidecar-injector-istioConfigMap.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio - namespace: {{ .Release.Namespace }} - labels: - app: cpx-sidecar-injector - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - istio: sidecar-injector -data: - mesh: |- - # Needed for injection of securityContext in PodSpec during auto-sidecar injection - sdsUdsPath: unix:/etc/istio/proxy/SDS - ---- diff --git a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.1/templates/cpx-sidecar-injector-serviceaccount.yaml b/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.1/templates/cpx-sidecar-injector-serviceaccount.yaml deleted file mode 100644 index 161998c6c4..0000000000 --- a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.1/templates/cpx-sidecar-injector-serviceaccount.yaml +++ /dev/null 
@@ -1,48 +0,0 @@ -# Serviceaccount -apiVersion: v1 -kind: ServiceAccount -metadata: - name: cpx-sidecar-injector-service-account - namespace: {{ .Release.Namespace }} - labels: - app: cpx-sidecar-injector - ---- -# ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: cpx-sidecar-injector-istio-system - labels: - app: cpx-sidecar-injector -rules: -- apiGroups: ["*"] - resources: ["configmaps"] - verbs: ["get", "list", "watch"] -- apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "patch"] -- apiGroups: ["certificates.k8s.io"] - resources: ["certificatesigningrequests", "certificatesigningrequests/approval"] - verbs: ["get", "list", "create", "watch", "delete", "update"] -- apiGroups: ["certificates.k8s.io"] - resources: ["signers"] - resourceNames: ["kubernetes.io/legacy-unknown", "kubernetes.io/kubelet-serving"] - verbs: ["get", "list", "create", "watch", "delete", "update", "approve"] ---- -# ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: cpx-sidecar-injector-admin-role-binding-istio-system - labels: - app: cpx-sidecar-injector -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cpx-sidecar-injector-istio-system -subjects: - - kind: ServiceAccount - name: cpx-sidecar-injector-service-account - namespace: {{ .Release.Namespace }} ---- diff --git a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.1/templates/cpx-sidecar-networkpolicy.yaml b/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.1/templates/cpx-sidecar-networkpolicy.yaml deleted file mode 100644 index 83234a10da..0000000000 --- a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.1/templates/cpx-sidecar-networkpolicy.yaml +++ /dev/null 
@@ -1,15 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
- labels:
- app: cpx-sidecar-injector
- name: cpx-sidecar-injector
- namespace: {{ .Release.Namespace }}
-spec:
- ingress:
- - {}
- podSelector:
- matchLabels:
- app: cpx-sidecar-injector
- policyTypes:
- - Ingress
diff --git a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.1/templates/mutatingwebhook.yaml b/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.1/templates/mutatingwebhook.yaml
deleted file mode 100644
index 8796710966..0000000000
--- a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.1/templates/mutatingwebhook.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-# Mutating wehbook is used to perform sidecar injection.
-# It calls sidecar-injector-service when the label is matched.
-apiVersion: admissionregistration.k8s.io/v1
-kind: MutatingWebhookConfiguration
-metadata:
- name: cpx-sidecar-injector
- namespace: {{ .Release.Namespace }}
- labels:
- app: cpx-sidecar-injector
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ .Release.Name }}
-webhooks:
- - name: sidecar-injector.istio.io
- admissionReviewVersions:
- - v1
- clientConfig:
- service:
- name: cpx-sidecar-injector
- namespace: {{ .Release.Namespace }}
- path: "/inject"
- caBundle: ""
- rules:
- - operations: [ "CREATE" ]
- apiGroups: [""]
- apiVersions: ["v1"]
- resources: ["pods"]
- scope: "*"
- sideEffects: None
- failurePolicy: Fail
- namespaceSelector:
- matchLabels:
-{{- if .Values.webhook.injectionLabelName }}
- {{ .Values.webhook.injectionLabelName }}: enabled
-{{- else }}
- cpx-injection: enabled
-{{- end }}
----
diff --git a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.1/values.yaml b/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.1/values.yaml
deleted file mode 100644
index 0a982a58e3..0000000000
--- a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.11.1/values.yaml
+++ /dev/null
@@ -1,60 +0,0 @@ -# Default values for cpx-istio. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -xDSAdaptor: - image: quay.io/citrix/citrix-xds-adaptor:0.9.9 - imagePullPolicy: IfNotPresent - proxyType: sidecar - secureConnect: true - logLevel: DEBUG - jsonLog: false - -coe: - coeURL: - coeTracing: false - -istioPilot: - name: istiod - namespace: istio-system - secureGrpcPort: 15012 - insecureGrpcPort: 15010 - SAN: #"spiffe://cluster.local/ns/istio-system/sa/istiod-service-account" - -certProvider: - caAddr: istiod.istio-system.svc - caPort: 15012 - trustDomain: cluster.local - certTTLinHours: 720 - clusterId: Kubernetes - jwtPolicy: #specify third-party-jwt if Kubernetes cluster supports third-party tokens - -cpxProxy: - netscalerUrl: "http://127.0.0.1" - image: quay.io/citrix/citrix-k8s-cpx-ingress:13.0-83.27 - imagePullPolicy: IfNotPresent - EULA: NO - cpxSidecarMode: YES - mgmtHttpPort: 10080 - mgmtHttpsPort: 10443 - cpxDisableProbe: "YES" - #licenseServerIP: this value is taken from ADMSettings.ADMIP - -sidecarWebHook: - webhookImage: quay.io/citrix/cpx-istio-sidecar-injector:1.1.0 - imagePullPolicy: IfNotPresent - -sidecarCertsGenerator: - image: quay.io/citrix/cpx-sidecar-injector-certgen:1.1.0 - imagePullPolicy: IfNotPresent - -ADMSettings: - ADMIP: - licenseServerIP: - licenseServerPort: 27000 - bandWidthLicense: false - bandWidth: - -webhook: - injectionLabelName: cpx-injection - diff --git a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.14.1/.helmignore b/charts/citrix/citrix-cpx-istio-sidecar-injector/1.14.1/.helmignore deleted file mode 100644 index 50af031725..0000000000 --- a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.14.1/.helmignore +++ /dev/null 
@@ -1,22 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.14.1/Chart.yaml b/charts/citrix/citrix-cpx-istio-sidecar-injector/1.14.1/Chart.yaml
deleted file mode 100644
index 607b0e95b9..0000000000
--- a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.14.1/Chart.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-annotations:
- catalog.cattle.io/certified: partner
- catalog.cattle.io/display-name: Citrix Cpx Istio Sidecar Injector
- catalog.cattle.io/kube-version: '>=v1.16.0-0'
- catalog.cattle.io/release-name: citrix-cpx-istio-sidecar-injector
-apiVersion: v2
-appVersion: 1.14.1
-deprecated: true
-description: A Helm chart to deploy resources which install Citrix ADC CPX in Istio
- Service Mesh as sidecar in application pod
-home: https://www.citrix.com
-icon: https://raw.githubusercontent.com/citrix/citrix-helm-charts/gh-pages/icon.png
-kubeVersion: '>=v1.16.0-0'
-maintainers:
-- email: dhiraj.gedam@citrix.com
- name: dheerajng
-- email: subash.dangol@citrix.com
- name: subashd
-name: citrix-cpx-istio-sidecar-injector
-sources:
-- https://github.com/citrix/citrix-xds-adaptor
-version: 1.14.1
diff --git a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.14.1/README.md b/charts/citrix/citrix-cpx-istio-sidecar-injector/1.14.1/README.md
deleted file mode 100644
index 62ee974e35..0000000000
--- a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.14.1/README.md
+++ /dev/null
@@ -1,294 +0,0 @@ -# Deploy Citrix ADC CPX as a sidecar in Istio environment using Helm charts - -Citrix ADC CPX can be deployed as a sidecar proxy in an application pod in the Istio service mesh. - - -# Table of Contents -1. [TL; DR;](#tldr) -2. [Introduction](#introduction) -3. [Deploy Sidecar Injector for Citrix ADC CPX using Helm chart](#deploy-sidecar-injector-for-citrix-adc-cpx-using-helm-chart) -4. [Observability using Citrix Observability Exporter](#observability-using-coe) -5. [Citrix ADC CPX License Provisioning](#citrix-adc-cpx-license-provisioning) -6. [Service Graph configuration](#configuration-for-servicegraph) -7. [Generate Certificate for Application](#generate-certificate-for-application) -8. [Limitations](#limitations) -9. [Clean Up](#clean-up) -10. [Configuration Parameters](#configuration-parameters) - - -## TL; DR; - - kubectl create namespace citrix-system - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES - - -## Introduction - -Citrix ADC CPX can act as a sidecar proxy to an application container in Istio. You can inject the Citrix ADC CPX manually or automatically using the [Istio sidecar injector](https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/). Automatic sidecar injection requires resources including a Kubernetes [mutating webhook admission](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) controller, and a service. Using this Helm chart, you can create resources required for automatically deploying Citrix ADC CPX as a sidecar proxy. - -In Istio servicemesh, the namespace must be labelled before applying the deployment yaml for [automatic sidecar injection](https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#automatic-sidecar-injection). 
Once the namespace is labelled, sidecars (envoy or CPX) will be injected while creating pods. -- For CPX, namespace must be labelled `cpx-injection=enabled` -- For Envoy, namespace must be labelled `istio-injection=enabled` - -__Note: If a namespace is labelled with both `istio-injection` and `cpx-injection`, Envoy injection takes a priority! Citrix CPX won't be injected on top of the already injected Envoy sidecar. For using Citrix ADC as sidecar, ensure that `istio-injection` label is removed from the namespace.__ - -For detailed information on different deployment options, see [Deployment Architecture](https://github.com/citrix/citrix-istio-adaptor/blob/master/docs/istio-integration/architecture.md). - -### Compatibility Matrix between Citrix xDS-adaptor and Istio version - -Below table provides info about recommended Citrix xDS-Adaptor version to be used for various Istio versions. - -| Citrix xDS-Adaptor version | Istio version | -|----------------------------|---------------| -| quay.io/citrix/citrix-xds-adaptor:0.10.3 | Istio v1.14+ | -| quay.io/citrix/citrix-xds-adaptor:0.10.1 | Istio v1.12 to Istio v1.13 | -| quay.io/citrix/citrix-xds-adaptor:0.9.9 | Istio v1.10 to Istio v1.11 | -| quay.io/citrix/citrix-xds-adaptor:0.9.8 | Istio v1.8 to Istio v1.9 | -| quay.io/citrix/citrix-xds-adaptor:0.9.5 | Istio v1.6 | - -### Prerequisites - -The following prerequisites are required for deploying Citrix ADC as a sidecar to an application pod. - -- Ensure that **Istio version 1.8 onwards** is installed -- Ensure that Helm with version 3.x is installed. Follow this [step](https://github.com/citrix/citrix-helm-charts/blob/master/Helm_Installation_version_3.md) to install the same. 
-- Ensure that your cluster Kubernetes version should be 1.16 onwards and the `admissionregistration.k8s.io/v1`, `admissionregistration.k8s.io/v1beta1` API is enabled - -You can verify the API by using the following command: - - kubectl api-versions | grep admissionregistration.k8s.io/v1 - -The following output indicates that the API is enabled: - - admissionregistration.k8s.io/v1 - admissionregistration.k8s.io/v1beta1 - -- Create namespace `citrix-system` - - kubectl create namespace citrix-system - -- **Registration of Citrix ADC CPX in ADM** - -Create a secret containing ADM username and password in each application namespace. - - kubectl create secret generic admlogin --from-literal=username= --from-literal=password= -n citrix-system - -## Deploy Sidecar Injector for Citrix ADC CPX using Helm chart - -**Before you Begin** - -To deploy resources for automatic installation of Citrix ADC CPX as a sidecar in Istio, perform the following step. In this example, release name is specified as `cpx-sidecar-injector` and namespace is used as `citrix-system`. - - - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES - -This step installs a mutating webhook and a service resource to application pods in the namespace labeled as `cpx-injection=enabled`. - -*"Note:" The `cpx-injection=enabled` label is mandatory for injecting sidecars.* - -An example to deploy application along with Citrix ADC CPX sidecar is provided [here](https://github.com/citrix/citrix-helm-charts/tree/master/examples/citrix-adc-in-istio). - - -# Observability using Citrix Observability Exporter - -### Pre-requisites - -1. Citrix Observability Exporter (COE) should be deployed in the cluster. - -2. Citrix ADC CPX should be running with versions 13.0-48+ or 12.1-56+. 
- -Citrix ADC CPXes serving East West traffic send its metrics and transaction data to COE which has a support for Prometheus and Zipkin. - -Metrics data can be visualized in Prometheus dashboard. - -Zipkin enables users to analyze tracing for East-West service to service communication. - -*Note*: Istio should be [installed](https://istio.io/docs/tasks/observability/distributed-tracing/zipkin/#before-you-begin) with Zipkin as tracing endpoint. - -``` -helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - -helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES,coe.coeURL=. -``` - -By default, COE is primarily used for Prometheus integration. Servicegraph and tracing is handled by Citrix ADM appliance. To enable Zipkin tracing, set argument `coe.coeTracing=true` in helm command. Default value of coeTracing is set to false. - -``` -helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - -helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES,coe.coeURL=.,coe.coeTracing=true - -``` - -For example, if COE is deployed as `coe` in `citrix-system` namespace, then below helm command will deploy sidecar injector webhook which will be deploying Citrix ADC CPX sidecar proxies in application pods, and these sidecar proxies will be configured to establish communication channels with COE. - -``` -helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - -helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES,coe.coeURL=coe.citrix-system -``` - -*Important*: Apply below mentioned annotations on COE deployment so that Prometheus can scrape data from COE. 
-``` - prometheus.io/scrape: "true" - prometheus.io/port: "5563" # Prometheus port -``` -## **Citrix ADC CPX License Provisioning** -By default, CPX runs with 20 Mbps bandwidth called as [CPX Express](https://www.citrix.com/en-in/products/citrix-adc/cpx-express.html) however for better performance and production deployment customer needs licensed CPX instances. [Citrix ADM](https://www.citrix.com/en-in/products/citrix-application-delivery-management/) is used to check out licenses for Citrix ADC CPX. - -**Bandwidth based licensing** -For provisioning licensing on Citrix ADC CPX, it is mandatory to provide License Server information to CPX. This can be done by setting **ADMSettings.licenseServerIP** as License Server IP. In addition to this, **ADMSettings.bandWidthLicense** needs to be set true and desired bandwidth capacity in Mbps should be set **ADMSettings.bandWidth**. -For example, to set 2Gbps as bandwidth capacity, below command can be used. - -``` -helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - -helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES --set ADMSettings.licenseServerIP=,ADMSettings.bandWidthLicense=True --set ADMSettings.bandWidth=2000 - -``` - -## **Service Graph configuration** - Citrix ADM Service graph is an observability tool that allows user to analyse service to service communication. The service graph is generated by ADM post collection of transactional data from registered Citrix ADC instances. More details about it can be found [here](https://docs.citrix.com/en-us/citrix-application-delivery-management-service/application-analytics-and-management/service-graph.html). - Citrix ADC needs to be provided with ADM details for registration and data export. This section lists the steps needed to deploy Citrix ADC and register it with ADM. - - 1. 
Create secret using Citrix ADM Agent credentials, which will be used by Citrix ADC as CPX to communicate with Citrix ADM Agent: - - kubectl create secret generic admlogin --from-literal=username= --from-literal=password= - - 2. Deploy Citrix ADC CPX sidecar injector using helm command with `ADM` details: - - helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES --set ADMSettings.ADMIP= - -> **Note:** -> If container agent is being used here for Citrix ADM, specify `serviceIP` of container agent in the `ADMSettings.ADMIP` parameter. - -## Generate Certificate for Application - -Application needs TLS certificate-key pair for establishing secure communication channel with other applications. Earlier these certificates were issued by Istio Citadel and bundled in Kubernetes secret. Certificate was loaded in the application pod by doing volume mount of secret. Now `xDS-Adaptor` can generate its own certificate and get it signed by the Istio Citadel (Istiod). This eliminates the need of secret and associated [risks](https://kubernetes.io/docs/concepts/configuration/secret/#risks). - -xDS-Adaptor needs to be provided with details Certificate Authority (CA) for successful signing of Certificate Signing Request (CSR). By default, CA is `istiod.istio-system.svc` which accepts CSRs on port 15012. -To skip this process, don't provide any value (empty string) to `certProvider.caAddr`. -``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES --set certProvider.caAddr="" -``` - -### Configure Third Party Service Account Tokens - -In order to generate certificate for application workload, xDS-Adaptor needs to send valid service account token along with Certificate Signing Request (CSR) to the Istio control plane (Citadel CA). 
Istio control plane authenticates the xDS-Adaptor using this JWT. -Kubernetes supports two forms of these tokens: - -* Third party tokens, which have a scoped audience and expiration. -* First party tokens, which have no expiration and are mounted into all pods. - - If Kubernetes cluster is installed with third party tokens, then the same information needs to be provided for automatic sidecar injection by passing `--set certProvider.jwtPolicy="third-party-jwt"`. By default, it is `first-party-jwt`. - -``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES --set certProvider.caAddr="istiod.istio-system.svc" --set certProvider.jwtPolicy="third-party-jwt" - -``` - -To determine if your cluster supports third party tokens, look for the TokenRequest API using below command. If there is no output, then it is `first-party-jwt`. In case of `third-party-jwt`, output will be like below. - -``` -# kubectl get --raw /api/v1 | jq '.resources[] | select(.name | index("serviceaccounts/token"))' - -{ - "name": "serviceaccounts/token", - "singularName": "", - "namespaced": true, - "group": "authentication.k8s.io", - "version": "v1", - "kind": "TokenRequest", - "verbs": [ - "create" - ] -} - -``` - -## Limitations - -Citrix ADC CPX occupies certain ports for internal usage. This makes application service running on one of these restricted ports incompatible with the Citrix ADC CPX. -The list of ports is mentioned below. Citrix is working on delisting some of the major ports from the given list, and same shall be available in future releases. - -#### Restricted Ports - -| Sr No |Port Number| -|-------|-----------| -| 1 | 80 | -| 2 | 3010 | -| 3 | 5555 | -| 4 | 8080 | - -## Clean Up - -To delete the resources created for automatic injection with the release name `cpx-sidecar-injector`, perform the following step. 
- - helm delete cpx-sidecar-injector - -## Configuration parameters - -The following table lists the configurable parameters and their default values in the Helm chart. - - -| Parameter | Description | Default | -|--------------------------------|-------------------------------|---------------------------| -| `xDSAdaptor.imageRegistry` | Image registry of the Citrix xDS adaptor container | `quay.io` | -| `xDSAdaptor.imageRepository` | Image repository of the Citrix xDS adaptor container | `citrix/citrix-xds-adaptor` | -| `xDSAdaptor.imageTag` | Image tag of the Citrix xDS adaptor container | `0.10.3` | -| `xDSAdaptor.imagePullPolicy` | Image pull policy for xDS-adaptor | IfNotPresent | -| `xDSAdaptor.secureConnect` | If this value is set to true, xDS-adaptor establishes secure gRPC channel with Istio Pilot | TRUE | -| `xDSAdaptor.logLevel` | Log level to be set for xDS-adaptor log messages. Possible values: TRACE (most verbose), DEBUG, INFO, WARN, ERROR (least verbose) | DEBUG | Optional| -| `xDSAdaptor.jsonLog` | Set this argument to true if log messages are required in JSON format | false | Optional| -| `xDSAdaptor.defaultSSLListenerOn443` | Create SSL vserver by default for LDS resource for 0.0.0.0 and port 443. If set to false, TCP vserver will be created in absence of TLSContext in tcp_proxy filter | true | Optional | -| `coe.coeURL` | Name of [Citrix Observability Exporter](https://github.com/citrix/citrix-observability-exporter) Service in the form of _servicename.namespace_ | NIL | Optional| -| `coe.coeTracing` | Use COE to send appflow transactions to Zipkin endpoint. If it is set to true, ADM servicegraph (if configured) can be impacted. 
| false | Optional|
-| `ADMSettings.ADMIP` | Provide the Citrix Application Delivery Management (ADM) IP address | NIL |
-| `ADMSettings.licenseServerIP` | Citrix License Server IP address | NIL | Optional |
-| `ADMSettings.licenseServerPort` | Citrix ADM port if a non-default port is used | 27000 |
-| `ADMSettings.bandWidth` | Desired bandwidth capacity to be set for Citrix ADC CPX in Mbps | 1000 | Optional |
-| `ADMSettings.analyticsServerPort` | Port used for Analytics in ADM. Required to plot ServiceGraph. | 5557 | Optional |
-| `ADMSettings.licenseEdition`| License edition that can be Standard, Platinum and Enterprise . By default, Platinum is selected | PLATINUM | optional |
-| `istioPilot.name` | Name of the Istio Pilot service | istio-pilot | Mandatory |
-| `istioPilot.namespace` | Namespace where Istio Pilot is running | istio-system |
-| `istioPilot.secureGrpcPort` | Secure GRPC port where Istio Pilot is listening (Default setting) | 15011 |
-| `istioPilot.insecureGrpcPort` | Insecure GRPC port where Istio Pilot is listening | 15010 |
-| `istioPilot.proxyType` | Type of Citrix ADC associated with the xDS-adaptor. Possible values are: sidecar and router. | sidecar|
-| `istioPilot.SAN` | Subject alternative name for Istio Pilot which is the Secure Production Identity Framework For Everyone (SPIFFE) ID of Istio Pilot. | NIL |
-| `cpxProxy.netscalerUrl` | URL or IP address of the Citrix ADC which will be configured by Istio-adaptor. | http://127.0.0.1 |
-| `cpxProxy.imageRegistry` | Image registry of Citrix ADC CPX designated to run as sidecar proxy | `quay.io` |
-| `cpxProxy.imageRepository` | Image repository of Citrix ADC CPX designated to run as sidecar proxy | `citrix/citrix-k8s-cpx-ingress` |
-| `cpxProxy.imageTag` | Image tag of Citrix ADC CPX designated to run as sidecar proxy | `13.1-30.52` |
-| `cpxProxy.imagePullPolicy` | Image pull policy for Citrix ADC | IfNotPresent |
-| `cpxProxy.EULA` | End User License Agreement(EULA) terms and conditions.
If yes, then user agrees to EULA terms and conditions. | NO |
-| `cpxProxy.cpxSidecarMode` | Environment variable for Citrix ADC CPX. It indicates that Citrix ADC CPX is running as sidecar mode or not. | YES |
-| `cpxProxy.cpxDisableProbe` | Environment variable for Citrix ADC CPX. It indicates that Citrix ADC CPX will disable probing dynamic services. It should be enabled for multicluster setup. | YES |
-| `cpxProxy.cpxLicenseAggregator` | IP/FQDN of the CPX License Aggregator if it is being used to license the CPX. | Null | optional |
-| `cpxProxy.enableLabelsFeature` | If this variable is true, Istio's [subset](https://istio.io/latest/docs/reference/config/networking/destination-rule/#Subset) of the service and some metadata of the service such as servicename, namespace etc will be stored in the Citrix ADC that might be used for analytics purpose. | FALSE |Optional|
-| `sidecarWebHook.webhookImageRegistry` | Image registry of sidecarWebHook. Mutating webhook associated with the sidecar injector. It invokes a service `cpx-sidecar-injector` to inject sidecar proxies in the application pod. | `quay.io` |
-| `sidecarWebHook.webhookImageRepository` | Image repository of sidecarWebHook. Mutating webhook associated with the sidecar injector. It invokes a service `cpx-sidecar-injector` to inject sidecar proxies in the application pod. | `citrix/cpx-istio-sidecar-injector` |
-| `sidecarWebHook.webhookImageTag` | Image tag of sidecarWebHook. Mutating webhook associated with the sidecar injector. It invokes a service `cpx-sidecar-injector` to inject sidecar proxies in the application pod. | `1.3.0` |
-| `sidecarWebHook.imagePullPolicy` | Image pull policy |IfNotPresent|
-| `sidecarCertsGenerator.imageRegistry` | Image registry of sidecarCertsGenerator. Certificate genrator image associated with sidecar injector. This image generates certificate and key needed for CPX sidecar injection.
| `quay.io` |
-| `sidecarCertsGenerator.imageRepository` | Image repository of sidecarCertsGenerator. Certificate genrator image associated with sidecar injector. This image generates certificate and key needed for CPX sidecar injection. | `citrix/cpx-sidecar-injector-certgen` |
-| `sidecarCertsGenerator.imageTag` | Image tag of sidecarCertsGenerator. Certificate genrator image associated with sidecar injector. This image generates certificate and key needed for CPX sidecar injection. | `1.2.0` |
-| `sidecarCertsGenerator.imagePullPolicy` | Image pull policy |IfNotPresent|
-| `webhook.injectionLabelName` | Label of namespace where automatic Citrix ADC CPX sidecar injection is required. | cpx-injection |
-| `certProvider.caAddr` | Certificate Authority (CA) address issuing certificate to application | istiod.istio-system.svc | Optional |
-| `certProvider.caPort` | Certificate Authority (CA) port issuing certificate to application | 15012 | Optional |
-| `certProvider.trustDomain` | SPIFFE Trust Domain | cluster.local | Optional |
-| `certProvider.certTTLinHours` | Validity of certificate generated by xds-adaptor and signed by Istiod (Istio Citadel) in hours. Default is 30 days validity | 720 | Optional |
-| `certProvider.clusterId` | clusterId is the ID of the cluster where Istiod CA instance resides (default Kubernetes). It can be different value on some cloud platforms or in multicluster environments. For example, in Anthos servicemesh, it might be of the format of `cn--`. In multiCluster environments, it is the value of global.multiCluster.clusterName provided during servicemesh control plane installation | Kubernetes | Optional |
-| `certProvider.jwtPolicy` | Service Account token type. Kubernetes platform supports First party tokens and Third party tokens. | first-party-jwt | Optional |
-| `certProvider.jwtPolicy` | Service Account token type. Kubernetes platform supports First party tokens and Third party tokens.
Usually public cloud based Kubernetes has third-party-jwt | Null | Optional |
-
-**Note:** You can use the `values.yaml` file packaged in the chart. This file contains the default configuration values for the chart.
diff --git a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.14.1/app-readme.md b/charts/citrix/citrix-cpx-istio-sidecar-injector/1.14.1/app-readme.md
deleted file mode 100644
index aa16d21361..0000000000
--- a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.14.1/app-readme.md
+++ /dev/null
@@ -1,28 +0,0 @@
-# Citrix ADC as a Sidecar for Istio
-
-Citrix ADC [CPX](https://docs.citrix.com/en-us/citrix-adc-cpx) can act as a sidecar proxy to an application container in Istio. You can inject the Citrix ADC CPX manually or automatically using the [Istio sidecar injector](https://istio.io/docs/setup/additional-setup/sidecar-injection/).
-
-
-### Prerequisites
-
-The following prerequisites are required for deploying Citrix ADC as a sidecar in an application pod
-
-- Ensure that **Istio** is enabled.
-- Ensure that your cluster has Kubernetes version 1.16.0 or later.
-- Ensure the [Kubernetes controller manager](https://rancher.com/docs/rke/latest/en/config-options/services/#kubernetes-controller-manager)’s default certificate signer is enabled.
-
-**Note**: For RKE based cluster, extra arguments need to be provided for kube-controller service.
-```services:
- kube-controller:
- extra_args:
- cluster-signing-cert-file: "/etc/kubernetes/ssl/kube-ca.pem"
- cluster-signing-key-file: "/etc/kubernetes/ssl/kube-ca-key.pem"
-```
-For detailed information follow this [link](https://github.com/citrix/citrix-xds-adaptor/blob/master/docs/istio-integration/rancher-provisioned-cluster.md)
-
-### Important NOTE:
- - We should not **Enable Istio Auto Injection** on Application namespace.
- - The cpx-injection=enabled label is mandatory for injecting sidecars.
- - An example to deploy application along with Citrix ADC CPX sidecar is provided [here](https://github.com/citrix/citrix-helm-charts/blob/master/examples/citrix-adc-in-istio/README.md).
-
-This catalog create resources required for automatically deploying Citrix ADC CPX as a sidecar proxy.For detailed information follow this [link](https://github.com/citrix/citrix-helm-charts/tree/master/citrix-cpx-istio-sidecar-injector)
diff --git a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.14.1/create-certs-for-cpx-istio-chart.sh b/charts/citrix/citrix-cpx-istio-sidecar-injector/1.14.1/create-certs-for-cpx-istio-chart.sh deleted file mode 100644 index ed5d58a4e0..0000000000 --- a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.14.1/create-certs-for-cpx-istio-chart.sh +++ /dev/null @@ -1,127 +0,0 @@ -#!/bin/bash - -set -e - -usage() { - cat <> ${certdir}/csr.conf -[req] -req_extensions = v3_req -distinguished_name = req_distinguished_name -[req_distinguished_name] -[ v3_req ] -basicConstraints = CA:FALSE -keyUsage = nonRepudiation, digitalSignature, keyEncipherment -extendedKeyUsage = serverAuth -subjectAltName = @alt_names -[alt_names] -DNS.1 = ${service} -DNS.2 = ${service}.${namespace} -DNS.3 = ${service}.${namespace}.svc -EOF - -openssl genrsa -out ${certdir}/key.pem 2048 -openssl req -new -key ${certdir}/key.pem -subj "/CN=${service}.${namespace}.svc" -out ${certdir}/server.csr -config ${certdir}/csr.conf - -# clean-up any previously created CSR for our service. Ignore errors if not present. -kubectl delete csr ${csrName} 2>/dev/null || true - -# create server cert/key CSR and send to k8s API -cat <&2 - exit 1 -fi -echo ${serverCert} | openssl base64 -d -A -out ${certdir}/cert.pem - - -# create the secret with CA cert and server cert/key -kubectl create secret generic ${secret} \ - --from-file=key.pem=${certdir}/key.pem \ - --from-file=cert.pem=${certdir}/cert.pem \ - --dry-run -o yaml | - kubectl -n ${namespace} apply -f - diff --git a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.14.1/questions.yml b/charts/citrix/citrix-cpx-istio-sidecar-injector/1.14.1/questions.yml deleted file mode 100644 index 18483b84a7..0000000000 --- a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.14.1/questions.yml +++ /dev/null 
@@ -1,291 +0,0 @@
-labels:
- io.rancher.certified: partner
-questions:
-- variable: xDSAdaptor.image
- required: true
- type: string
- default: "quay.io/citrix/citrix-xds-adaptor:0.9.9"
- description: "xds-adaptor Image to be used"
- label: xDSAdaptor Image
- group: "xDSAdaptor Settings"
-- variable: xDSAdaptor.imagePullPolicy
- required: true
- type: enum
- default: IfNotPresent
- description: "Istio-adaptor Image pull policy"
- label: istioAdaptor imagePullPolicy
- options:
- - "Always"
- - "IfNotPresent"
- - "Never"
- group: "xDSAdaptor Settings"
-- variable: xDSAdaptor.proxyType
- required: true
- type: string
- default: true
- label: xDSAdaptor proxyType
- description: "xDSAdaptor proxyType type set to router by default"
- group: "xDSAdaptor Settings"
-- variable: xDSAdaptor.secureConnect
- required: false
- type: boolean
- default: true
- label: xDSAdaptor secureConnect
- description: "xDSAdaptor establishes secure gRPC channel with Istio Pilot, if value is set to true"
- group: "xDSAdaptor Settings"
-- variable: xDSAdaptor.logLevel
- required: false
- type: enum
- default: DEBUG
- label: xDSAdaptor logLevel
- description: "xDSAdaptor logLevel"
- options:
- - "TRACE"
- - "DEBUG"
- - "INFO"
- - "WARN"
- - "ERROR"
- group: "xDSAdaptor Settings"
-- variable: xDSAdaptor.jsonLog
- required: false
- type: string
- default: "true"
- label: xDSAdaptor jsonLog
- description: "Set this argument to true if log messages are required in JSON format"
- group: "xDSAdaptor Settings"
-- variable: coe.coeURL
- required: false
- type: string
- label: coe coeURL
- description: "Name of Citrix Observability Exporter Service"
- group: "COE Settings"
-- variable: coe.coeTracing
- required: false
- type: boolean
- label: coe coeTracing
- description: "Used to send appflow transactions to Zipkin endpoint,if true ADM servicegraph (if configured) can be impacted"
- group: "COE Settings"
-- variable: istioPilot.name
- required: true
- type: string
- default: istio-pilot
- label: 
istio-pilot name
- group: "istio-pilot Settings"
-- variable: istioPilot.namespace
- required: true
- type: string
- default: istio-system
- label: istio-pilot namespace
- description: "Name of the Istio Pilot service"
- group: "istio-pilot Settings"
-- variable: istioPilot.secureGrpcPort
- required: true
- type: int
- default: 15011
- description: "Secure GRPC port where Istio Pilot is listening"
- label: istio-pilot secureGrpcPort
- show_if: "xDSAdaptor.secureConnect=true"
- group: "istio-pilot Settings"
-- variable: istioPilot.insecureGrpcPort
- required: true
- type: int
- default: 15010
- label: istio-pilot insecureGrpcPort
- description: "Insecure GRPC port where Istio Pilot is listening"
- show_if: "xDSAdaptor.secureConnect=false"
- group: "istio-pilot Settings"
-- variable: istioPilot.SAN
- required: false
- type: string
- default:
- label: istio-pilot SAN
- description: "Subject alternative name for Istio Pilot which is (SPIFFE) ID of Istio Pilot"
- show_if: "xDSAdaptor.secureConnect=true"
- group: "istio-pilot Settings"
-- variable: certProvider.caAddr
- required: true
- type: string
- default: "istiod.istio-system.svc"
- label: certProvider caAddr
- description: "Certificate Authority (CA) address issuing certificate to application"
- group: "certProvider Settings"
-- variable: certProvider.caPort
- required: true
- type: int
- default: 15012
- label: certProvider caPort
- description: "Certificate Authority (CA) port issuing certificate to application"
- group: "certProvider Settings"
-- variable: certProvider.trustDomain
- required: true
- type: string
- default: "cluster.local"
- label: certProvider trustDomain
- description: "SPIFFE Trust Domain"
- group: "certProvider Settings"
-- variable: certProvider.certTTLinHours
- required: true
- type: int
- default: 720
- label: certProvider certTTLinHours
- description: "Validity of certificate generated by xds-adaptor and signed by Istiod (Istio Citadel) in hours."
- group: "certProvider Settings"
-- variable: certProvider.clusterId
- required: true
- type: string
- default: "Kubernetes"
- label: certProvider clusterId
- description: "clusterId is the ID of the cluster where Istiod CA instance resides (default Kubernetes). It can be different value on some cloud platforms or in m
-ulticluster environments. For example, in Anthos servicemesh, it might be of the format of `cn--`. In multiCluster environments, it is the val
-ue of global.multiCluster.clusterName provided during servicemesh control plane installation"
- group: "certProvider Settings"
-- variable: certProvider.jwtPolicy
- required: true
- type: enum
- default: "first-party-jwt"
- label: certProvider jwtPolicy
- description: "Kubernetes platform supports First party tokens and Third party tokens"
- options:
- - "first-party-jwt"
- - "third-party-jwt"
-- variable: cpxProxy.netscalerUrl
- required: true
- type: string
- default: "http://127.0.0.1"
- description: "Citrix ADC CPX image used as sidecar proxy"
- label: cpxProxy image
- group: "cpxProxy Settings"
-- variable: cpxProxy.image
- required: true
- type: string
- default: "quay.io/citrix/citrix-k8s-cpx-ingress:13.0-79.64"
- description: "Citrix ADC CPX image used as sidecar proxy"
- label: cpxProxy image
- group: "cpxProxy Settings"
-- variable: cpxProxy.imagePullPolicy
- required: true
- type: enum
- default: IfNotPresent
- description: "cpxProxy Image pull policy"
- label: cpxProxy imagePullPolicy
- options:
- - "Always"
- - "IfNotPresent"
- - "Never"
- group: "cpxProxy Settings"
-- variable: cpxProxy.EULA
- required: true
- type: enum
- label: cpxProxy EULA license
- options:
- - "YES"
- - "NO"
- group: "cpxProxy Settings"
-- variable: cpxProxy.cpxSidecarMode
- required: true
- type: string
- default: "YES"
- description: "Environment variable for Citrix ADC CPX. 
It indicates that Citrix ADC CPX is running as sidecar mode or not"
- label: cpxProxy image
- options:
- - "YES"
- - "NO"
- group: "cpxProxy Settings"
-- variable: cpxProxy.mgmtHttpPort
- required: true
- type: int
- default: 10080
- label: cpxProxy mgmtHttpPort
- group: "cpxProxy Settings"
-- variable: cpxProxy.mgmtHttpsPort
- required: true
- type: int
- default: 10443
- label: cpxProxy mgmtHttpsPort
- group: "cpxProxy Settings"
-- variable: cpxProxy.cpxDisableProbe
- required: true
- type: string
- default: YES
- description: "Environment variable for Citrix ADC CPX. It indicates that Citrix ADC CPX will disable probing dynamic services. It should be enabled for multicluster setup."
- label: cpxProxy cpxDisableProbe
- options:
- - "YES"
- - "NO"
- group: "cpxProxy Settings"
-- variable: sidecarWebHook.webhookImage
- required: true
- type: string
- default: "quay.io/citrix/cpx-istio-sidecar-injector:1.0.0"
- label: sidecarWebHook webhookImage
- description: "webhookImage image to be used"
- group: "sidecarWebHook Settings"
-- variable: sidecarWebHook.imagePullPolicy
- required: true
- type: enum
- default: IfNotPresent
- label: sidecarWebHook imagePullPolicy
- options:
- - "Always"
- - "IfNotPresent"
- - "Never"
- group: "sidecarWebHook Settings"
-- variable: sidecarCertsGenerator.image
- required: true
- type: string
- default: " quay.io/citrix/cpx-sidecar-injector-certgen:1.1.0"
- label: sidecarWebHook webhookImage
- description: "webhookImage image to be used"
- group: "sidecarCertsGenerator Settings"
-- variable: sidecarCertsGenerator.imagePullPolicy
- required: true
- type: enum
- default: IfNotPresent
- label: sidecarWebHook imagePullPolicy
- options:
- - "Always"
- - "IfNotPresent"
- - "Never"
- group: "sidecarCertsGenerator Settings"
-- variable: ADMSettings.ADMIP
- required: false
- type: string
- default:
- label: ADMSettings ADMIP
- description: "Citrix Application Delivery Management (ADM) IP address"
- group: "ADMSettings Settings"
-- variable: 
ADMSettings.licenseServerIP
- required: false
- type: string
- default:
- label: ADMSettings licenseServerIP
- description: "Citrix License Server IP address"
- group: "ADMSettings Settings"
-- variable: ADMSettings.licenseServerPort
- required: false
- type: int
- default: 27000
- label: ADMSettings licenseServerPort
- description: "Citrix ADM port if a non-default port is used"
- group: "ADMSettings Settings"
-- variable: ADMSettings.bandWidthLicense
- required: false
- type: boolean
- default: false
- label: ADMSettings bandWidthLicense
- description: "To specify bandwidth based licensing"
- group: "ADMSettings Settings"
-- variable: ADMSettings.bandWidth
- required: false
- type: string
- default:
- label: ADMSettings bandWidth
- description: "Desired bandwidth capacity to be set for Citrix ADC CPX in Mbps"
- group: "ADMSettings Settings"
-- variable: webhook.injectionLabelName
- required: true
- type: string
- default: "cpx-injection"
- label: webhook injectionLabelName
- description: "Label of namespace, where automatic sidecr injection is required"
- group: "webhook Settings"
diff --git a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.14.1/templates/_helpers.tpl b/charts/citrix/citrix-cpx-istio-sidecar-injector/1.14.1/templates/_helpers.tpl
deleted file mode 100644
index 964b92cd5c..0000000000
--- a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.14.1/templates/_helpers.tpl
+++ /dev/null
@@ -1,20 +0,0 @@
-{{/* Below function is used to identify default value of jwtPolicy if not provided.
- * For on-prem Kubernetes v1.21+, it is third-party-jwt. Else first-party-jwt.
- * Note: Don't just do "helm template" to generate yaml file. Else https://github.com/helm/helm/issues/7991
- * is possible. Use "helm template --validate" or "helm install --dry-run --debug".
- * Note2: For cloud environments, semverCompare should be ideally done with "<1.21.x-x" as
- * Kubernetes version is generally of the format v1.20.7-eks-xxxxxx. So, it fails the "v1.21.x" check but that's fine
- * as in cloud environments third-party-jwt is enabled.
-*/}}
-
-{{- define "jwtValue" -}}
-{{- if .Values.certProvider.jwtPolicy -}}
-{{- printf .Values.certProvider.jwtPolicy -}}
-{{- else -}}
-{{- if semverCompare "<1.21.x" .Capabilities.KubeVersion.Version -}}
-{{- printf "first-party-jwt" -}}
-{{- else -}}
-{{- printf "third-party-jwt" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
diff --git a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.14.1/templates/cpx-sidecar-injector-configmap.yaml b/charts/citrix/citrix-cpx-istio-sidecar-injector/1.14.1/templates/cpx-sidecar-injector-configmap.yaml
deleted file mode 100644
index 56d0279ce5..0000000000
--- a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.14.1/templates/cpx-sidecar-injector-configmap.yaml
+++ /dev/null
@@ -1,263 +0,0 @@
-# This configmap stores the sidecar proxy info and arguments needed
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: cpx-istio-sidecar-injector
- namespace: {{.Release.Namespace}}
- labels:
- app: cpx-sidecar-injector
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ .Release.Name }}
- istio: sidecar-injector
-data:
- config: |-
- policy: enabled
- # If user does *NOT* want to inject sidecar on some pods based on label,
- # then mention such labels in 'neverInjectSelector' entry.
- # Note: This is valid only when istio's sidecar-injector image is running.
- neverInjectSelector:
- - matchExpressions:
- - {key: citrix.com/no.sidecar, operator: Exists}
- # Here, if pod has a label citrix.com/no.sidecar, then sidecar won't be injected for that pod.
- template: |-
- containers:
- - name: istio-adaptor
- image: {{ tpl .Values.xDSAdaptor.image . }}
- imagePullPolicy: {{ .Values.xDSAdaptor.imagePullPolicy }}
- env:
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: INSTANCE_IP
- valueFrom:
- fieldRef:
- fieldPath: status.podIP
- - name: NODE_NAME
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
- - name: APPLICATION_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.labels['app']
- - name: SERVICE_ACCOUNT
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: spec.serviceAccountName
-{{- if .Values.certProvider.caAddr }}
- - name: CA_ADDR
- value: {{ .Values.certProvider.caAddr }}:{{ .Values.certProvider.caPort}} #istiod.istio-system.svc:15012
- - name: TRUST_DOMAIN
- value: {{ .Values.certProvider.trustDomain }} #cluster.local
- - name: CLUSTER_ID
- value: {{ .Values.certProvider.clusterId }} #Kubernetes
- - name: CERT_TTL_IN_HOURS
- value: {{ .Values.certProvider.certTTLinHours }}
- - name: JWT_POLICY
- value: {{ include "jwtValue" . 
| quote }} # third-party-jwt if Kubernetes cluster supports third-party tokens
-{{- end }}
- - name: NS_USER
- value: nsroot
- - name: NS_PASSWORD
- value: nsroot
-{{- if eq .Values.coe.coeTracing true }}
- - name: COE_TRACING
- value: "TRUE"
-{{- end }}
- - name: ENABLE_LABELS_FEATURE
- value: {{ .Values.cpxProxy.enableLabelsFeature | quote }}
-{{- if eq .Values.xDSAdaptor.defaultSSLListenerOn443 true }}
- - name: DEFAULT_SSL_LISTENER_ON_443
- value: "TRUE"
-{{- end }}
- - name: LOGLEVEL
- value: {{ .Values.xDSAdaptor.logLevel | default "DEBUG" | quote }}
-{{- if eq .Values.xDSAdaptor.jsonLog true }}
- - name: JSONLOG
- value: "TRUE"
-{{- end }}
- args:
- - -ads-server
-{{- if eq .Values.xDSAdaptor.secureConnect true }}
- - {{ .Values.istioPilot.name}}.{{.Values.istioPilot.namespace }}.svc:{{ .Values.istioPilot.secureGrpcPort }} # istiod.istio-system.svc:15012
-{{- else }}
- - {{ .Values.istioPilot.name}}.{{.Values.istioPilot.namespace }}.svc:{{ .Values.istioPilot.insecureGrpcPort }} # istiod.istio-system.svc:15010
-{{- end }}
- - -ads-secure-connect={{ .Values.xDSAdaptor.secureConnect}}
- - -ads-server-SAN
- - {{ .Values.istioPilot.SAN }}
- - -istio-proxy-type
- - {{ .Values.xDSAdaptor.proxyType | default "sidecar" | quote }}
- - -citrix-adc
- - "{{- .Values.cpxProxy.netscalerUrl }}:{{- .Values.cpxProxy.mgmtHttpPort | toString }}"
- - -citrix-adc-password
- - "/var/deviceinfo/random_id"
-{{- if .Values.ADMSettings.ADMIP }}
- - -citrix-adm
- - {{ .Values.ADMSettings.ADMIP }}
-{{- end }}
-{{- if .Values.cpxProxy.cpxLicenseAggregator }}
- - -citrix-license-server
- - {{ .Values.cpxProxy.cpxLicenseAggregator }}
-{{- else if .Values.ADMSettings.licenseServerIP }}
- - -citrix-license-server
- - {{ .Values.ADMSettings.licenseServerIP }}
-{{- end }}
-{{- if .Values.coe.coeURL }}
- - -coe
- - {{ .Values.coe.coeURL }}
-{{- end }}
- volumeMounts:
- - mountPath: /var/deviceinfo
- name: cpx-pwd
-{{- $jwtpolicy := include "jwtValue" . 
}}
-{{- if eq $jwtpolicy "third-party-jwt" }}
- - mountPath: /var/run/secrets/tokens
- name: istio-token
-{{- end }}
- - mountPath: /etc/nslogin
- name: nslogin
- readOnly: true
- - name: certs
- mountPath: /etc/certs
- - name: istiod-ca-cert
- mountPath: /etc/rootcert/
- - name: podinfo
- mountPath: /etc/podinfo
- securityContext:
- readOnlyRootFilesystem: true
- runAsGroup: 32024
- runAsUser: 32024 # UID of xds-adaptor container's user
- runAsNonRoot: true
- - name: cpx-proxy
- image: {{ tpl .Values.cpxProxy.image . }}
- imagePullPolicy: IfNotPresent
- securityContext:
- privileged: true
- env:
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
-{{- if .Values.cpxProxy.cpxLicenseAggregator }}
- - name: "CLA"
- value: "{{ .Values.cpxProxy.cpxLicenseAggregator }}"
-{{- else if .Values.ADMSettings.licenseServerIP }}
- - name: "LS_IP"
- value: {{ .Values.ADMSettings.licenseServerIP }}
- - name: "LS_PORT"
- value: {{ .Values.ADMSettings.licenseServerPort }}
-{{- end}}
- - name: "EULA"
- value: "{{ .Values.cpxProxy.EULA }}"
- - name: "CPX_SIDECAR_MODE"
- value: {{ .Values.cpxProxy.cpxSidecarMode | quote }}
- - name: "CPX_DISABLE_PROBE"
- value: "{{ .Values.cpxProxy.cpxDisableProbe }}"
- - name: "MGMT_HTTP_PORT"
- value: {{ .Values.cpxProxy.mgmtHttpPort | quote }}
- - name: "MGMT_HTTPS_PORT"
- value: {{ .Values.cpxProxy.mgmtHttpsPort | quote }}
- - name: "KUBERNETES_TASK_ID"
- value: ""
- - name: "NS_CPX_LITE"
- value: 1
-{{- if or .Values.coe.coeURL .Values.ADMSettings.ADMIP }}
- - name: "NS_ENABLE_NEWNSLOG"
- value: 1
-{{- end }}
-{{- if .Values.ADMSettings.ADMIP }}
- - name: "NS_MGMT_SERVER"
- value: {{ .Values.ADMSettings.ADMIP | quote }}
- - name: "NS_HTTP_PORT"
- value: {{ .Values.cpxProxy.mgmtHttpPort | quote }}
- - name: "NS_HTTPS_PORT"
- value: {{ .Values.cpxProxy.mgmtHttpsPort | quote }}
- - name: "ANALYTICS_SERVER"
- value: {{ .Values.ADMSettings.ADMIP | quote 
}}
- - name: "ANALYTICS_SERVER_PORT"
- value: {{.Values.ADMSettings.analyticsServerPort | quote }}
-{{- end }}
- - name: "LOGSTREAM_COLLECTOR_IP"
- value: {{ .Values.ADMSettings.ADMIP | default "" | quote }}
-{{- if and ( or ( .Values.ADMSettings.licenseServerIP ) ( .Values.cpxProxy.cpxLicenseAggregator ) ) ( eq .Values.ADMSettings.bandWidthLicense true ) }}
- - name: "BANDWIDTH" #Need to set env var BANDWIDTH in order to provide Bandwidth license to Citrix ADC CPX from ADM or CPX License Aggregator
- value: {{ .Values.ADMSettings.bandWidth | quote }}
- - name: "EDITION"
- value: {{ .Values.ADMSettings.licenseEdition | quote }}
-{{- end }}
-{{- if or (.Values.ADMSettings.ADMIP) (.Values.ADMSettings.licenseServerIP) }}
- - name: NS_MGMT_USER
- valueFrom:
- secretKeyRef:
- name: admlogin
- key: username
- - name: NS_MGMT_PASS
- valueFrom:
- secretKeyRef:
- name: admlogin
- key: password
-{{- end }}
- volumeMounts:
- - mountPath: /cpx/conf/
- name: cpx-conf
- - mountPath: /var/deviceinfo
- name: cpx-pwd
- - mountPath: /cpx/crash/
- name: cpx-crash
- volumes:
- - name: cpx-conf
- emptyDir: {}
- - name: cpx-pwd
- emptyDir: {}
- - name: cpx-crash
- emptyDir: {}
- - name: nslogin
- secret:
- optional: true
- secretName: nslogin
- - name: certs
- emptyDir: {}
-{{- $jwtpolicy := include "jwtValue" . }}
-{{- if eq $jwtpolicy "third-party-jwt" }}
- - name: istio-token
- projected:
- sources:
- - serviceAccountToken:
- audience: istio-ca
- expirationSeconds: 43200
- path: istio-token
-{{- end }}
- - name: istiod-ca-cert
- configMap:
- defaultMode: 0777
- name: istio-ca-root-cert
- - name: podinfo
- downwardAPI:
- items:
- - path: "labels"
- fieldRef:
- fieldPath: metadata.labels
- - path: "annotations"
- fieldRef:
- fieldPath: metadata.annotations
- values: |-
- {
- "global": {
- "jwtPolicy": "third-party-jwt",
- },
- "adcSelector": {
- "adc": "citrix",
- }
- }
----
diff --git a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.14.1/templates/cpx-sidecar-injector-deployment-service.yaml b/charts/citrix/citrix-cpx-istio-sidecar-injector/1.14.1/templates/cpx-sidecar-injector-deployment-service.yaml
deleted file mode 100644
index 1736607864..0000000000
--- a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.14.1/templates/cpx-sidecar-injector-deployment-service.yaml
+++ /dev/null
@@ -1,114 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: cpx-sidecar-injector
- namespace: {{ .Release.Namespace }}
- labels:
- istio: sidecar-injector
- app: cpx-sidecar-injector
-spec:
- ports:
- - port: 443
- selector:
- istio: sidecar-injector
-
----
-# Deployment
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: cpx-sidecar-injector
- namespace: {{ .Release.Namespace }}
- labels:
- app: sidecarInjectorWebhook
- istio: sidecar-injector
- app: cpx-sidecar-injector
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: cpx-sidecar-injector
- istio: sidecar-injector
- template:
- metadata:
- labels:
- istio: sidecar-injector
- app: cpx-sidecar-injector
- annotations:
- sidecar.istio.io/inject: "false"
- scheduler.alpha.kubernetes.io/critical-pod: ""
- spec:
- serviceAccountName: cpx-sidecar-injector-service-account
- initContainers:
- - name: sidecar-certs-generator
- image: {{ tpl .Values.sidecarCertsGenerator.image . }}
- imagePullPolicy: {{ .Values.sidecarCertsGenerator.imagePullPolicy }}
- securityContext:
- privileged: true
- volumeMounts:
- - name: certs
- mountPath: /tmp
- containers:
- - name: sidecar-injector-webhook
- image: {{ tpl .Values.sidecarWebHook.webhookImage . 
}}
- imagePullPolicy: {{ .Values.sidecarWebHook.imagePullPolicy }}
- securityContext:
- privileged: true
- args:
- - --caCertFile=/etc/istio/certs/cert.pem
- - --tlsCertFile=/etc/istio/certs/cert.pem
- - --tlsKeyFile=/etc/istio/certs/key.pem
- - --injectConfig=/etc/istio/inject/config
- - --meshConfig=/etc/istio/config/mesh
- - --healthCheckInterval=10s
- - --webhookConfigName=cpx-sidecar-injector
- - --webhookName=cpx-sidecar-injector.citrix.io
- - --objectWebhookName=object.cpx-sidecar-injector.citrix.io
- volumeMounts:
- - name: config-volume
- mountPath: /etc/istio/config
- readOnly: true
- - name: certs
- mountPath: /etc/istio/certs
- readOnly: true
- - name: inject-config
- mountPath: /etc/istio/inject
- readOnly: true
- livenessProbe:
- exec:
- command:
- - cat
- - /health
- failureThreshold: 5
- initialDelaySeconds: 4
- periodSeconds: 10
- readinessProbe:
- exec:
- command:
- - cat
- - /health
- failureThreshold: 5
- initialDelaySeconds: 4
- periodSeconds: 10
- initialDelaySeconds: 4
- resources:
- requests:
- cpu: 10m
-
- volumes:
- - name: config-volume
- configMap:
- name: istio
- - name: certs
- emptyDir: {}
- - name: inject-config
- configMap:
- name: cpx-istio-sidecar-injector
- items:
- - key: config
- path: config
- - key: values
- path: values
----
diff --git a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.14.1/templates/cpx-sidecar-injector-istioConfigMap.yaml b/charts/citrix/citrix-cpx-istio-sidecar-injector/1.14.1/templates/cpx-sidecar-injector-istioConfigMap.yaml
deleted file mode 100644
index 8d7e8f7083..0000000000
--- a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.14.1/templates/cpx-sidecar-injector-istioConfigMap.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: istio
- namespace: {{ .Release.Namespace }}
- labels:
- app: cpx-sidecar-injector
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ .Release.Name }}
- istio: sidecar-injector
-data:
- mesh: |-
- # Needed for injection of securityContext in PodSpec during auto-sidecar injection
- sdsUdsPath: unix:/etc/istio/proxy/SDS
-
----
diff --git a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.14.1/templates/cpx-sidecar-injector-serviceaccount.yaml b/charts/citrix/citrix-cpx-istio-sidecar-injector/1.14.1/templates/cpx-sidecar-injector-serviceaccount.yaml
deleted file mode 100644
index 161998c6c4..0000000000
--- a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.14.1/templates/cpx-sidecar-injector-serviceaccount.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-# Serviceaccount
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: cpx-sidecar-injector-service-account
- namespace: {{ .Release.Namespace }}
- labels:
- app: cpx-sidecar-injector
-
----
-# ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: cpx-sidecar-injector-istio-system
- labels:
- app: cpx-sidecar-injector
-rules:
-- apiGroups: ["*"]
- resources: ["configmaps"]
- verbs: ["get", "list", "watch"]
-- apiGroups: ["admissionregistration.k8s.io"]
- resources: ["mutatingwebhookconfigurations"]
- verbs: ["get", "list", "watch", "patch"]
-- apiGroups: ["certificates.k8s.io"]
- resources: ["certificatesigningrequests", "certificatesigningrequests/approval"]
- verbs: ["get", "list", "create", "watch", "delete", "update"]
-- apiGroups: ["certificates.k8s.io"]
- resources: ["signers"]
- resourceNames: ["kubernetes.io/legacy-unknown", "kubernetes.io/kubelet-serving"]
- verbs: ["get", "list", "create", "watch", "delete", "update", "approve"]
----
-# ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: cpx-sidecar-injector-admin-role-binding-istio-system
- labels:
- app: cpx-sidecar-injector
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: cpx-sidecar-injector-istio-system
-subjects:
- - kind: ServiceAccount
- name: cpx-sidecar-injector-service-account
- namespace: {{ .Release.Namespace }}
----
diff --git a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.14.1/templates/cpx-sidecar-networkpolicy.yaml b/charts/citrix/citrix-cpx-istio-sidecar-injector/1.14.1/templates/cpx-sidecar-networkpolicy.yaml
deleted file mode 100644
index 83234a10da..0000000000
--- a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.14.1/templates/cpx-sidecar-networkpolicy.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
- labels:
- app: cpx-sidecar-injector
- name: cpx-sidecar-injector
- namespace: {{ .Release.Namespace }}
-spec:
- ingress:
- - {}
- podSelector:
- matchLabels:
- app: cpx-sidecar-injector
- policyTypes:
- - Ingress
diff --git a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.14.1/templates/mutatingwebhook.yaml b/charts/citrix/citrix-cpx-istio-sidecar-injector/1.14.1/templates/mutatingwebhook.yaml
deleted file mode 100644
index 8924ec6e87..0000000000
--- a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.14.1/templates/mutatingwebhook.yaml
+++ /dev/null
@@ -1,57 +0,0 @@
-# Mutating wehbook is used to perform sidecar injection.
-# It calls sidecar-injector-service when the label is matched.
-apiVersion: admissionregistration.k8s.io/v1
-kind: MutatingWebhookConfiguration
-metadata:
- name: cpx-sidecar-injector
- namespace: {{ .Release.Namespace }}
- labels:
- app: cpx-sidecar-injector
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ .Release.Name }}
-webhooks:
- - name: cpx-sidecar-injector.citrix.io
- admissionReviewVersions:
- - v1
- clientConfig:
- service:
- name: cpx-sidecar-injector
- namespace: {{ .Release.Namespace }}
- path: "/inject"
- caBundle: ""
- rules:
- - operations: [ "CREATE" ]
- apiGroups: [""]
- apiVersions: ["v1"]
- resources: ["pods"]
- scope: "*"
- sideEffects: None
- failurePolicy: Fail
- namespaceSelector:
- matchLabels:
-{{- if .Values.webhook.injectionLabelName }}
- {{ .Values.webhook.injectionLabelName }}: enabled
-{{- else }}
- cpx-injection: enabled
-{{- end }}
- - name: object.cpx-sidecar-injector.citrix.io
- admissionReviewVersions:
- - v1
- clientConfig:
- service:
- name: cpx-sidecar-injector
- namespace: {{ .Release.Namespace }}
- path: "/inject"
- caBundle: ""
- rules:
- - operations: [ "CREATE" ]
- apiGroups: [""]
- apiVersions: ["v1"]
- resources: ["pods"]
- scope: "*"
- sideEffects: None
- failurePolicy: Fail
- objectSelector:
- matchLabels:
- sidecar.citrix.io/inject: "true"
----
diff --git a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.14.1/values.yaml b/charts/citrix/citrix-cpx-istio-sidecar-injector/1.14.1/values.yaml
deleted file mode 100644
index 6840785a5e..0000000000
--- a/charts/citrix/citrix-cpx-istio-sidecar-injector/1.14.1/values.yaml
+++ /dev/null
@@ -1,77 +0,0 @@
-# Default values for cpx-istio.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-xDSAdaptor:
- imageRegistry: quay.io
- imageRepository: citrix/citrix-xds-adaptor
- imageTag: 0.10.3
- image: "{{ .Values.xDSAdaptor.imageRegistry }}/{{ .Values.xDSAdaptor.imageRepository }}:{{ .Values.xDSAdaptor.imageTag }}"
- imagePullPolicy: IfNotPresent
- proxyType: sidecar
- secureConnect: true
- logLevel: DEBUG
- jsonLog: false
- defaultSSLListenerOn443: true
-
-coe:
- coeURL:
- coeTracing: false
-
-istioPilot:
- name: istiod
- namespace: istio-system
- secureGrpcPort: 15012
- insecureGrpcPort: 15010
- SAN: #"spiffe://cluster.local/ns/istio-system/sa/istiod-service-account"
-
-certProvider:
- caAddr: istiod.istio-system.svc
- caPort: 15012
- trustDomain: cluster.local
- certTTLinHours: 720
- clusterId: Kubernetes
- jwtPolicy: #specify third-party-jwt if Kubernetes cluster supports third-party tokens
-
-cpxProxy:
- netscalerUrl: "http://127.0.0.1"
- imageRegistry: quay.io
- imageRepository: citrix/citrix-k8s-cpx-ingress
- imageTag: 13.1-30.52
- image: "{{ .Values.cpxProxy.imageRegistry }}/{{ .Values.cpxProxy.imageRepository }}:{{ .Values.cpxProxy.imageTag }}"
- imagePullPolicy: IfNotPresent
- EULA: NO
- cpxSidecarMode: YES
- mgmtHttpPort: 10080
- mgmtHttpsPort: 10443
- cpxDisableProbe: "YES"
- cpxLicenseAggregator:
- enableLabelsFeature: FALSE
- #licenseServerIP: this value is taken from ADMSettings.ADMIP
-
-sidecarWebHook:
- webhookImageRegistry: quay.io
- webhookImageRepository: citrix/cpx-istio-sidecar-injector
- webhookImageTag: 1.3.0
- webhookImage: "{{ .Values.sidecarWebHook.webhookImageRegistry }}/{{ .Values.sidecarWebHook.webhookImageRepository }}:{{ .Values.sidecarWebHook.webhookImageTag }}"
- imagePullPolicy: IfNotPresent
-
-sidecarCertsGenerator:
- imageRegistry: quay.io
- imageRepository: citrix/cpx-sidecar-injector-certgen
- imageTag: 1.2.0
- image: "{{ .Values.sidecarCertsGenerator.imageRegistry }}/{{ .Values.sidecarCertsGenerator.imageRepository }}:{{ .Values.sidecarCertsGenerator.imageTag }}"
- imagePullPolicy: IfNotPresent
-
-ADMSettings:
- ADMIP:
- licenseServerIP:
- licenseServerPort: 27000
- bandWidthLicense: false
- bandWidth: 1000
- analyticsServerPort: 5557
- licenseEdition: PLATINUM
-
-webhook:
- injectionLabelName: cpx-injection
-
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.27.15/Chart.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.27.15/Chart.yaml
deleted file mode 100644
index 81e03d88e9..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.27.15/Chart.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-annotations:
- catalog.cattle.io/certified: partner
- catalog.cattle.io/display-name: Citrix Cpx with Ingress Controller
- catalog.cattle.io/kube-version: '>=v1.16.0-0'
- catalog.cattle.io/release-name: citrix-cpx-with-ingress-controller
-apiVersion: v2
-appVersion: 1.27.15
-deprecated: true
-description: A Helm chart for Citrix ADC CPX with Citrix ingress Controller running
- as sidecar.
-home: https://www.citrix.com
-icon: https://raw.githubusercontent.com/citrix/citrix-helm-charts/gh-pages/icon.png
-kubeVersion: '>=v1.16.0-0'
-maintainers:
-- email: priyanka.sharma@citrix.com
- name: priyankash-citrix
-- email: subash.dangol@citrix.com
- name: subashd
-name: citrix-cpx-with-ingress-controller
-sources:
-- https://github.com/citrix/citrix-k8s-ingress-controller
-version: 1.27.15
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.27.15/README.md b/charts/citrix/citrix-cpx-with-ingress-controller/1.27.15/README.md
deleted file mode 100644
index 67d34a3940..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.27.15/README.md
+++ /dev/null
@@ -1,572 +0,0 @@ -# Citrix ADC CPX with Citrix Ingress Controller running as sidecar. - -In a [Kubernetes](https://kubernetes.io/) or [OpenShift](https://www.openshift.com) cluster, you can deploy [Citrix ADC CPX](https://docs.citrix.com/en-us/citrix-adc-cpx) with Citrix ingress controller as a [sidecar](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/). The Citrix ADC CPX instance is used for load balancing the North-South traffic to the microservices in your cluster. And, the sidecar Citrix ingress controller configures the Citrix ADC CPX. - -## TL;DR; - -### For Kubernetes - ``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes - ``` - - To install Citrix Provided Custom Resource Definition(CRDs) along with Citrix Ingress Controller - ``` - helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,crds.install=true - ``` - -### For OpenShift - - ``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,openshift=true - ``` - - To install Citrix Provided Custom Resource Definition(CRDs) along with Citrix Ingress Controller - ``` - helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,openshift=true,crds.install=true - ``` - -> **Important:** -> -> The "license.accept" is a mandatory argument and should be set to "yes" to accept the terms of the Citrix license. - - -## Introduction -This Helm chart deploys a Citrix ADC CPX with Citrix ingress controller as a sidecar in the [Kubernetes](https://kubernetes.io/) or in the [Openshift](https://www.openshift.com) cluster using the [Helm](https://helm.sh/) package manager. 
- -### Prerequisites - -- The [Kubernetes](https://kubernetes.io/) version should be 1.16 and above if using Kubernetes environment. -- The [Openshift](https://www.openshift.com) version 4.8 or later if using OpenShift platform. -- The [Helm](https://helm.sh/) version 3.x or later. You can follow instruction given [here](https://github.com/citrix/citrix-helm-charts/blob/master/Helm_Installation_version_3.md) to install the same. -- You have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator), if you want to view the metrics of the Citrix ADC CPX collected by the [metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics). -- Registration of Citrix ADC CPX in ADM: You may want to register your CPX in ADM for licensing or to obtain [servicegraph](https://docs.citrix.com/en-us/citrix-application-delivery-management-service/application-analytics-and-management/service-graph.html). For this you will have to create a Kubernetes secret using ADM credentials and provide it while install the chart. Create a Kubernetes secret for the user name and password using the following command: - - ``` - kubectl create secret generic admlogin --from-literal=username= --from-literal=password= -n citrix-system - ``` - -## Installing the Chart -Add the Citrix Ingress Controller helm chart repository using command: - - ``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - ``` - -### For Kubernetes: -#### 1. Citrix ADC CPX with Citrix Ingress Controller running as side car. -To install the chart with the release name ``` my-release```: - - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,ingressClass[0]= - ``` - -> **Note:** -> -> By default the chart installs the recommended [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) roles and role bindings. 
- -The command deploys Citrix ADC CPX with Citrix ingress controller as a sidecar on the Kubernetes cluster with the default configuration. The [configuration](#configuration) section lists the mandatory and optional parameters that you can configure during installation. - -#### 2. Citrix ADC CPX with Citrix Ingress Controller and Exporter running as side car. -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed as sidecar to the Citrix ADC CPX and collects metrics from the Citrix ADC CPX instance. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. -> **Note:** -> -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). - -Use the following command for this: - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,ingressClass[0]=,exporter.required=true - ``` - -### For OpenShift: -Add the name of the service account created when the chart is deployed to the privileged Security Context Constraints of OpenShift: - - ``` - oc adm policy add-scc-to-user privileged system:serviceaccount:: - ``` - -#### 1. Citrix ADC CPX with Citrix Ingress Controller running as side car. -To install the chart with the release name, `my-release`, use the following command: - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,openshift=true - ``` - -#### 2. Citrix ADC CPX with Citrix Ingress Controller and Exporter running as side car. -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed as sidecar to the Citrix ADC CPX and collects metrics from the Citrix ADC CPX instance. 
You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. -> **Note:** -> -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). - -Use the following command for this: - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,openshift=true,exporter.required=true - ``` - -### Installed components - -The following components are installed: - -- [Citrix ADC CPX](https://docs.citrix.com/en-us/citrix-adc-cpx/netscaler-cpx.html) -- [Citrix ingress controller](https://github.com/citrix/citrix-k8s-ingress-controller) (if enabled) -- [Exporter](https://github.com/citrix/citrix-adc-metrics-exporter) (if enabled) - - -### Citrix ADC CPX Service Annotations: - - The parameter `serviceAnnotations` can be used to annotate CPX service while installing Citrix ADC CPX using this helm chart. 
- For example, if CPX is getting deployed in Azure and an Azure Internal Load Balancer is required before CPX then the annotation `service.beta.kubernetes.io/azure-load-balancer-internal:True` can be set in CPX service using Helm command: - - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,serviceAnnotations.service\\.beta\\.kubernetes\\.io/azure-load-balancer-internal=True - ``` - - or the same can be provided in [values.yaml](https://github.com/citrix/citrix-helm-charts/blob/master/citrix-cpx-with-ingress-controller/values.yaml): - - ``` - license: - accept: yes - serviceAnnotations: - service.beta.kubernetes.io/azure-load-balancer-internal: True - ``` - - which can be used to install Citrix ADC CPX using Helm command: - - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller -f values.yaml - ``` - - To know more about service annotations supported by Kubernetes on various platforms please see [this](https://kubernetes.io/docs/concepts/services-networking/service/). - -### Citrix ADC CPX Service Ports: - - By default, port 80 and 443 of CPX service will exposed when CPX is installed using this helm chart. If it is required to expose any other ports in CPX service then the parameter `servicePorts` can be used for it. 
- For example, if port 9999 is required to be exposed then below helm command can be used for installing Citrix ADC CPX: - - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,servicePorts[0].port=9999,servicePorts[0].protocol=TCP,servicePorts[0].name=https - ``` - - or the same can be provided in [values.yaml](https://github.com/citrix/citrix-helm-charts/blob/master/citrix-cpx-with-ingress-controller/values.yaml): - - ``` - license: - accept: yes - servicePorts: - - port: 9090 - protocol: TCP - name: https - ``` - - which can be used to install Citrix ADC using Helm command: - - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller -f values.yaml - ``` - -> **Note:** If `servicePorts` parameters is used, only ports provided in this parameter will be exposed in CPX service. -> If you want to expose default ports 80 or 443, then you will need to explicity mention these also in this parameter. - -### Configuration for ServiceGraph: - If Citrix ADC CPX need to send data to the Citrix ADM to bring up the servicegraph, then the below steps can be followed to install Citrix ADC CPX with ingress controller. Citrix ingress controller configures Citrix ADC CPX with the configuration required for servicegraph. - - 1. Create secret using Citrix ADC Agent credentials, which will be used by Citrix ADC CPX to communicate with Citrix ADM Agent: - - kubectl create secret generic admlogin --from-literal=username= --from-literal=password= - - 2. 
Deploy Citrix ADC CPX with Citrix ingress controller using helm command: - - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,analyticsConfig.required=true,analyticsConfig.timeseries.metrics.enable=true,analyticsConfig.distributedTracing.enable=true,analyticsConfig.endpoint.server=,ADMSettings.ADMIP=,ADMSettings.loginSecret= - -> **Note:** -> If container agent is being used here for Citrix ADM, please provide `svcIP` of container agent in the `analyticsConfig.endpoint.server` parameter. - -## Citrix ADC CPX DaemonSet with Citrix Ingress Controller as sidecar for BGP Advertisement - - The previous section of deploying CPX as a Deployment requires a Tier-1 Loadbalancer such as Citrix VPX or cloud loadbalancers to route the traffic to CPX instances running in Kubernetes cluster, but you can also leverage BGP network fabric in your on-prem environemnt to route the traffic to CPX instances in a Kubernetes or Openshift cluster. you need to deploy CPX with Citrix Ingress Controller as Daemonset to advertise the ExternalIPs of the K8s services of type LoadBalancer to your BGP Fabric. Citrix ADC CPX establishes a BGP peering session with your network routers, and uses that peering session to advertise the IP addresses of external cluster services. If your routers have ECMP capability, the traffic is load-balanced to multiple CPX instances by the upstream router, which in turn load-balances to actual application pods. When you deploy the Citrix ADC CPX with this mode, Citrix ADC CPX adds iptables rules for each service of type LoadBalancer on Kubernetes nodes. The traffic destined to the external IP address is routed to Citrix ADC CPX pods. You can also set the 'ingressIP' variable to an IP Address to advertise the External IP address for Ingress resources. Refer [documentation](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/cpx-bgp-router.md) for complete details about BGP advertisement with CPX. 
- -### Download the chart -You can download the chart usimg `helm pull` command. -``` -helm repo add citrix https://citrix.github.io/citrix-helm-charts/ -helm pull citrix/citrix-cpx-with-ingress-controller -tar -zxvf citrix-cpx-with-ingress-controller-x.y.z.tgz -``` - -### Edit the BGP configuration in values.yaml -BGP configurations enables CPX to peer with neighbor routers for advertisting the routes for Service of Type LoadBalancer. Citrix Ingress Controllers uses static IPs given in Service YAML or using an IPAM controller to allocate an External IP address, and same is advertisted to the neighbour router with the Gateway as Node IP. An example BGP configurations is given below. - -``` -# BGP configurations: local AS, remote AS and remote address is mandatory to provide. -bgpSettings: - required: true - bgpConfig: - - bgpRouter: - # Local AS number for BGP advertisement - localAS: - neighbor: - # Address of the nighbor router for BGP advertisement - - address: xx.xx.xx.xx - # Remote AS number - remoteAS: - advertisementInterval: 10 - ASOriginationInterval: 10 -``` -If the cluster spawns across multiple networks, you can also specify the NodeSelector to give different neighbors for different Cluster Nodes as shown below. - -``` -bgpSettings: - required: true - bgpConfig: - - nodeSelector: datacenter=ds1 - bgpRouter: - localAS: - neighbor: - - address: xx.xx.xx.xx - remoteAS: - advertisementInterval: 10 - ASOriginationInterval: 10 - - nodeSelector: datacenter=ds2 - bgpRouter: - localAS: - neighbor: - - address: yy.yy.yy.yy - remoteAS: - advertisementInterval: 10 - ASOriginationInterval: 10 -``` - -### Deploy the chart -#### For Kubernetes: -#### 1. Citrix ADC CPX DaemonSet with Citrix Ingress Controller running as side car for BGP Advertisement. 
- - -To install the chart with the release name ``` my-release```: - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true - ``` -If you are running Citrix IPAM for auto allocation of IPs for Service of type LoadBalancer, you must enable the IPAM configurations in Citrix Ingress Controller as show below: - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ipam=true - ``` -If you are using ingress resources, you must set the `ingressIP` to a valid IP Address which will enable the BGP route advertisement for this IP when ingress resource is deployed. - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ingressIP= - ``` - -> **Note:** -> -> By default the chart installs the recommended [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) roles and role bindings. - -The command deploys Citrix ADC CPX Daemonset with Citrix ingress controller as a sidecar on the Kubernetes cluster with the default configuration. The [configuration](#configuration) section lists the mandatory and optional parameters that you can configure during installation. - -#### 2. Citrix ADC CPX with Citrix Ingress Controller and Exporter running as side car for BGP Advertisement. -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed as sidecar to the Citrix ADC CPX and collects metrics from the Citrix ADC CPX instance. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. -> **Note:** -> -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). 
- -Use the following command for this: - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,exporter.required=true - ``` -If you are running Citrix IPAM controller for auto allocation of IPs for Service of type LoadBalancer, you must enable the IPAM configurations in Citrix Ingress Controller as show below: - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ipam=true,exporter.required=true - ``` -If you are using ingress resources, you must set the `ingressIP` to a valid IP Address which will enable the BGP route advertisement for this IP when ingress resource is deployed. - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ingressIP=, exporter.required=true - ``` - -#### For OpenShift: -Add the name of the service account created when the chart is deployed to the privileged Security Context Constraints of OpenShift: - - ``` - oc adm policy add-scc-to-user privileged system:serviceaccount:: - ``` - -#### 1. Citrix ADC CPX DaemonSet with Citrix Ingress Controller running as side car for BGP Advertisement. -To install the chart with the release name, `my-release`, use the following command: - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,openshift=true - ``` -If you are running Citrix IPAM controller for auto allocation of IPs for Service of type LoadBalancer, you must enable the IPAM configurations in Citrix Ingress Controller as show below: - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ipam=true,openshift=true - ``` - - If you are using ingress or Route resources, you must set the `ingressIP` to a valid IP Address which will enable the BGP route advertisement for this IP when ingress resource is deployed. 
- - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ingressIP=,openshift=true - ``` - -#### 2. Citrix ADC CPX with Citrix Ingress Controller and Exporter running as side car for BGP Advertisement. -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed as sidecar to the Citrix ADC CPX and collects metrics from the Citrix ADC CPX instance. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. -> **Note:** -> -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). - -Use the following command for this: - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,openshift=true,openshift=true,exporter.required=true - ``` -If you are running Citrix IPAM controller for auto allocation of IPs for Service of type LoadBalancer, you must enable the IPAM configurations in Citrix Ingress Controller as show below: - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ipam=true,openshift=true,exporter.required=true - ``` - -If you are using ingress or Route resources, you must set the `ingressIP` to a valid IP Address which will enable the BGP route advertisement for this IP when ingress resource is deployed. - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ingressIP=,openshift=true,exporter.required=true - ``` - -## CRDs configuration - -CRDs can be installed/upgraded when we install/upgrade Citrix ADC CPX with Citrix ingress controller using `crds.install=true` parameter in Helm. If you do not want to install CRDs, then set the option `crds.install` to `false`. 
By default, CRDs too get deleted if you uninstall through Helm. This means, even the CustomResource objects created by the customer will get deleted. If you want to avoid this data loss set `crds.retainOnDelete` to `true`. - -> **Note:** -> Installing again may fail due to the presence of CRDs. Make sure that you back up all CustomResource objects and clean up CRDs before re-installing Citrix ADC CPX with Citrix ingress controller. - -There are a few examples of how to use these CRDs, which are placed in the folder: [Example-CRDs](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds). Refer to them and install as needed, using the following command: -```kubectl create -f ``` - -### Details of the supported CRDs: - -#### authpolicies CRD: - -Authentication policies are used to enforce access restrictions to resources hosted by an application or an API server. - -Citrix provides a Kubernetes CustomResourceDefinitions (CRDs) called the [Auth CRD](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/auth) that you can use with the Citrix ingress controller to define authentication policies on the ingress Citrix ADC. - -Example file: [auth_example.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/auth_example.yaml) - -#### continuousdeployments CRD for canary: - -Canary release is a technique to reduce the risk of introducing a new software version in production by first rolling out the change to a small subset of users. After user validation, the application is rolled out to the larger set of users. Citrix ADC-Integrated [Canary Deployment solution](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/canary) stitches together all components of continuous delivery (CD) and makes canary deployment easier for the application developers. 
- -#### httproutes and listeners CRDs for contentrouting: - -[Content Routing (CR)](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/contentrouting) is the execution of defined rules that determine the placement and configuration of network traffic between users and web applications, based on the content being sent. For example, a pattern in the URL or header fields of the request. - -Example files: [HTTPRoute_crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/HTTPRoute_crd.yaml), [Listener_crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/Listener_crd.yaml) - -#### ratelimits CRD: - -In a Kubernetes deployment, you can [rate limit the requests](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/ratelimit) to the resources on the back end server or services using rate limiting feature provided by the ingress Citrix ADC. - -Example files: [ratelimit-example1.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/ratelimit-example1.yaml), [ratelimit-example2.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/ratelimit-example2.yaml) - -#### vips CRD: - -Citrix provides a CustomResourceDefinitions (CRD) called [VIP](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/vip) for asynchronous communication between the IPAM controller and Citrix ingress controller. - -The IPAM controller is provided by Citrix for IP address management. It allocates IP address to the service from a defined IP address range. The Citrix ingress controller configures the IP address allocated to the service as virtual IP (VIP) in Citrix ADX VPX. And, the service is exposed using the IP address. - -When a new service is created, the Citrix ingress controller creates a CRD object for the service with an empty IP address field. 
The IPAM Controller listens to addition, deletion, or modification of the CRD and updates it with an IP address to the CRD. Once the CRD object is updated, the Citrix ingress controller automatically configures Citrix ADC-specfic configuration in the tier-1 Citrix ADC VPX. - -#### rewritepolicies CRD: - -In kubernetes environment, to deploy specific layer 7 policies to handle scenarios such as, redirecting HTTP traffic to a specific URL, blocking a set of IP addresses to mitigate DDoS attacks, imposing HTTP to HTTPS and so on, requires you to add appropriate libraries within the microservices and manually configure the policies. Instead, you can use the [Rewrite and Responder features](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/crd/rewrite-responder-policies-deployment.yaml) provided by the Ingress Citrix ADC device to deploy these policies. - -Example files: [target-url-rewrite.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/target-url-rewrite.yaml) - -#### wafs CRD: - -[WAF CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/waf.md) can be used to configure the web application firewall policies with the Citrix ingress controller on the Citrix ADC VPX, MPX, SDX, and CPX. The WAF CRD enables communication between the Citrix ingress controller and Citrix ADC for enforcing web application firewall policies. - -In a Kubernetes deployment, you can enforce a web application firewall policy to protect the server using the WAF CRD. For more information about web application firewall, see [Web application security](https://docs.citrix.com/en-us/citrix-adc/13/application-firewall/introduction/web-application-security.html). 
-
-Example files: [wafhtmlxsssql.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/wafhtmlxsssql.yaml)
-
-#### CORS CRD:
-
-[CORS CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/cors.md) Cross-origin resource sharing (CORS) is a mechanism allows a web application running under one domain to securely access resources in another domain. You can configure CORS policies on Citrix ADC using Citrix ingress controller to allow one domain (the origin domain) to call APIs in another domain. For more information, see the [cross-origin resource sharing CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/cors.md) documentation.
-
-Example files: [cors-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/corspolicy-example.yaml)
-
-#### APPQOE CRD:
-
-[APPQOE CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/appqoe.md) When a Citrix ADC appliance receives an HTTP request and forwards it to a back-end server, sometimes there may be connection failures with the back-end server. You can configure the request-retry feature on Citrix ADC to forward the request to the next available server, instead of sending the reset to the client. Hence, the client saves round trip time when Citrix ADC initiates the same request to the next available service.
-For more information, see the AppQoE support documentation. [Appqoe resource sharing CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/appqoe.md) documentation.
-
-Example files: [appqoe-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/appqoe_example.yaml)
-
-#### WILDCARDDNS CRD:
-
-[WILDCARDDNS CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/wildcarddns.md) Wildcard DNS domains are used to handle requests for nonexistent domains and subdomains.
In a zone, use wildcard domains to redirect queries for all nonexistent domains or subdomains to a particular server, instead of creating a separate Resource Record (RR) for each domain. The most common use of a wildcard DNS domain is to create a zone that can be used to forward mail from the internet to some other mail system.
-For more information, see the Wild card DNS domains support documentation. [Wildcard DNS Entry CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/wildcarddns.md) documentation.
-
-Example files: [wildcarddns-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/wildcarddns-example.yaml)
-
-## Citrix ADC CPX servicetype LoadBalancer
-Citrix ADC CPX can be installed with service having servicetype LoadBalancer. Following arguments can be used in the `helm install` command for the same:
-
-```
-helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,serviceType.loadBalancer.enabled=True
-```
-
-## Citrix ADC CPX servicetype NodePort
-Citrix ADC CPX can be installed with service having servicetype Nodeport. Following arguments can be used in the `helm install` command for the same:
-
-```
-helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,serviceType.nodePort.enabled=True
-```
-
-Additionally, `serviceType.nodePort.httpPort` and `serviceType.nodePort.httpsPort` arguments can be used to select the nodePort for the CPX service for HTTP and HTTPS ports.
-
-### Tolerations
-
-Taints are applied on cluster nodes whereas tolerations are applied on pods. Tolerations enable pods to be scheduled on node with matching taints. For more information see [Taints and Tolerations in Kubernetes](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/).
-
-Toleration can be applied to pod running Citrix ADC CPX and ingress controller containers using `tolerations` argument while deploying CPX+CIC using helm chart. This argument takes list of tolerations that user need to apply on the CPX+CIC pods.
-
-For example, following command can be used to apply toleration on the CPX+CIC pod:
-
-```
-helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,tolerations[0].key=,tolerations[0].value=,tolerations[0].operator=,tolerations[0].effect=
-```
-
-Here tolerations[0].key, tolerations[0].value and tolerations[0].effect are the key, value and effect that was used while tainting the node.
-Effect represents what should happen to the pod if the pod don't have any matching toleration. It can have values `NoSchedule`, `NoExecute` and `PreferNoSchedule`.
-Operator represents the operation to be used for key and value comparison between taint and tolerations. It can have values `Exists` and `Equal`. The default value for operator is `Equal`.
-
-## Configuration
-The following table lists the configurable parameters of the Citrix ADC CPX with Citrix ingress controller as side car chart and their default values.
-
-| Parameters | Mandatory or Optional | Default value | Description |
-| ---------- | --------------------- | ------------- | ----------- |
-| license.accept | Mandatory | no | Set `yes` to accept the Citrix ingress controller end user license agreement. |
-| imageRegistry | Mandatory | `quay.io` | The Citrix ADC CPX image registry |
-| imageRepository | Mandatory | `citrix/citrix-k8s-cpx-ingress` | The Citrix ADC CPX image repository |
-| imageTag | Mandatory | `13.1-30.52` | The Citrix ADC CPX image tag |
-| pullPolicy | Mandatory | IfNotPresent | The Citrix ADC CPX image pull policy. |
-| daemonSet | Optional | False | Set this to true if Citrix ADC CPX needs to be deployed as DaemonSet.
|
-| cic.imageRegistry | Mandatory | `quay.io` | The Citrix ingress controller image registry |
-| cic.imageRepository | Mandatory | `citrix/citrix-k8s-ingress-controller` | The Citrix ingress controller image repository |
-| cic.imageTag | Mandatory | `1.27.15` | The Citrix ingress controller image tag |
-| cic.pullPolicy | Mandatory | IfNotPresent | The Citrix ingress controller image pull policy. |
-| cic.required | Mandatory | true | CIC to be run as sidecar with Citrix ADC CPX |
-| cic.resources | Optional | {} | CPU/Memory resource requests/limits for Citrix Ingress Controller container |
-| imagePullSecrets | Optional | N/A | Provide list of Kubernetes secrets to be used for pulling the images from a private Docker registry or repository. For more information on how to create this secret please see [Pull an Image from a Private Registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/). |
-| nameOverride | Optional | N/A | String to partially override deployment fullname template with a string (will prepend the release name) |
-| fullNameOverride | Optional | N/A | String to fully override deployment fullname template with a string |
-| resources | Optional | {} | CPU/Memory resource requests/limits for Citrix CPX container |
-| nitroReadTimeout | Optional | 20 | The nitro Read timeout in seconds, defaults to 20 |
-| logLevel | Optional | DEBUG | The loglevel to control the logs generated by CIC. The supported loglevels are: CRITICAL, ERROR, WARNING, INFO, DEBUG and TRACE.
For more information, see [Logging](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/configure/log-levels.md).|
-| jsonLog | Optional | false | Set this argument to true if log messages are required in JSON format |
-| nsConfigDnsRec | Optional | false | To enable/disable DNS address Record addition in ADC through Ingress |
-| nsSvcLbDnsRec | Optional | false | To enable/disable DNS address Record addition in ADC through Type Load Balancer Service |
-| nsDnsNameserver | Optional | N/A | To add DNS Nameservers in ADC |
-| optimizeEndpointBinding | Optional | false | To enable/disable binding of backend endpoints to servicegroup in a single API-call. Recommended when endpoints(pods) per application are large in number. Applicable only for Citrix ADC Version >=13.0-45.7 |
-| defaultSSLCertSecret | Optional | N/A | Provide Kubernetes secret name that needs to be used as a default non-SNI certificate in Citrix ADC. |
-| nsHTTP2ServerSide | Optional | OFF | Set this argument to `ON` for enabling HTTP2 for Citrix ADC service group configurations. |
-| cpxLicenseAggregator | Optional | N/A | IP/FQDN of the CPX License Aggregator if it is being used to license the CPX. |
-| nsCookieVersion | Optional | 0 | Specify the persistence cookie version (0 or 1). |
-| logProxy | Optional | N/A | Provide Elasticsearch or Kafka or Zipkin endpoint for Citrix observability exporter. |
-| nsProtocol | Optional | http | Protocol http or https used for the communication between Citrix Ingress Controller and CPX |
-| cpxBgpRouter | Optional | false| If set to true, this CPX is deployed as daemonset in BGP controller mode wherein BGP advertisements are done for attracting external traffic to Kubernetes clusters |
-| replicaCount | Optional | 1 | Number of CPX-CIC pods to be deployed.
With `cpxBgpRouter : true`, replicaCount is 1 since CPX will be deployed as DaemonSet |
-| nsIP | Optional | 192.168.1.2 | NSIP used by CPX for internal communication when run in Host mode, i.e when cpxBgpRouter is set to true. A /24 internal network is created in this IP range which is used for internal communications withing the network namespace. |
-| nsGateway | Optional | 192.168.1.1 | Gateway used by CPX for internal communication when run in Host mode, i.e when cpxBgpRouter is set to true. If not specified, first IP in the nsIP network is used as gateway. It must be in same network as nsIP |
-| bgpPort | Optional | 179 | BGP port used by CPX for BGP advertisement if cpxBgpRouter is set to true|
-| ingressIP | Optional | N/A | External IP address to be used by ingress resources if not overriden by ingress.com/frontend-ip annotation in Ingress resources. This is also advertised to external routers when pxBgpRouter is set to true|
-| entityPrefix | Optional | k8s | The prefix for the resources on the Citrix ADC CPX. |
-| ingressClass | Optional | N/A | If multiple ingress load balancers are used to load balance different ingress resources. You can use this parameter to specify Citrix ingress controller to configure Citrix ADC associated with specific ingress class. For more information on Ingress class, see [Ingress class support](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/configure/ingress-classes/). For Kubernetes version >= 1.19, this will create an IngressClass object with the name specified here |
-| setAsDefaultIngressClass | Optional | False | Set the IngressClass object as default. New Ingresses without an "ingressClassName" field specified will be assigned the class specified in ingressClass. Applicable only for kubernetes versions >= 1.19 |
-| updateIngressStatus | Optional | False | Set this argument if you want to update ingress status of the ingress resources exposed via CPX.
This is only applicable if servicetype of CPX service is LoadBalancer. |
-| disableAPIServerCertVerify | Optional | False | Set this parameter to True for disabling API Server certificate verification. |
-| openshift | Optional | false | Set this argument if OpenShift environment is being used. |
-| disableOpenshiftRoutes | false | By default Openshift routes are processed in openshift environment, this variable can be used to disable Ingress controller processing the openshift routes. |
-| routeLabels | Optional | N/A | You can use this parameter to provide the route labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster. |
-| namespaceLabels | Optional | N/A | You can use this parameter to provide the namespace labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster. |
-| sslCertManagedByAWS | Optional | False | Set this argument if SSL certs used is managed by AWS while deploying Citrix ADC CPX in AWS. |
-| nodeSelector.key | Optional | N/A | Node label key to be used for nodeSelector option for CPX-CIC deployment. |
-| nodeSelector.value | Optional | N/A | Node label value to be used for nodeSelector option in CPX-CIC deployment. |
-| podAnnotations | Optional | N/A | Map of annotations to add to the pods. |
-| affinity | Optional | N/A | Affinity labels for pod assignment. |
-| tolerations | Optional | N/A | Specify the tolerations for the CPX-CIC deployment. |
-| serviceType.loadBalancer.enabled | Optional | False | Set this argument if you want servicetype of CPX service to be LoadBalancer. |
-| serviceType.nodePort.enabled | Optional | False | Set this argument if you want servicetype of CPX service to be NodePort. |
-| serviceType.nodePort.httpPort | Optional | N/A | Specify the HTTP nodeport to be used for NodePort CPX service. |
-| serviceType.nodePort.httpsPort | Optional | N/A | Specify the HTTPS nodeport to be used for NodePort CPX service.
|
-| serviceAnnotations | Optional | N/A | Dictionary of annotations to be used in CPX service. Key in this dictionary is the name of the annotation and Value is the required value of that annotation. For example, [see this](#citrix-adc-cpx-service-annotations). |
-| serviceSpec.externalTrafficPolicy | Optional | Cluster | Use this parameter to provide externalTrafficPolicy for CPX service of type LoadBalancer or NodePort. `serviceType.loadBalancer.enabled` or `serviceType.nodePort.enabled` should be set to `true` according to your use case for using this parameter. |
-| serviceSpec.loadBalancerIP | Optional | N/A | Use this parameter to provide LoadBalancer IP to CPX service of type LoadBalancer. `serviceType.loadBalancer.enabled` should be set to `true` for using this parameter. |
-| serviceSpec.loadBalancerSourceRanges | Optional | N/A | Provide the list of IP Address or range which should be allowed to access the Network Load Balancer. `serviceType.loadBalancer.enabled` should be set to `true` for using this parameter. For details, see [Network Load Balancer support on AWS](https://kubernetes.io/docs/concepts/services-networking/service/#aws-nlb-support). |
-| servicePorts | Optional | N/A | List of port. Each element in this list is a dictionary that contains information about the port. For example, [see this](#citrix-adc-cpx-service-ports). |
-| ADMSettings.licenseServerIP | Optional | N/A | Provide the Citrix Application Delivery Management (ADM) IP address to license Citrix ADC CPX. For more information, see [Licensing](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/licensing/). |
-| ADMSettings.licenseServerPort | Optional | 27000 | Citrix ADM port if non-default port is used. |
-| ADMSettings.ADMIP | Optional | N/A | Citrix Application Delivery Management (ADM) IP address. |
-| ADMSettings.loginSecret | Optional | N/A | The secret key to login to the ADM.
For information on how to create the secret keys, see [Prerequisites](#prerequistes). |
-| ADMSettings.bandWidthLicense | Optional | False | Set to true if you want to use bandwidth based licensing for Citrix ADC CPX. |
-| ADMSettings.bandWidth | Optional | 1000 | Desired bandwidth capacity to be set for Citrix ADC CPX in Mbps. |
-| ADMSettings.vCPULicense | Optional | N/A | Set to true if you want to use vCPU based licensing for Citrix ADC CPX. |
-| ADMSettings.licenseEdition| Optional | PLATINUM | License edition that can be Standard, Platinum and Enterprise . By default, Platinum is selected.|
-| ADMSettings.cpxCores | Optional | 1 | Desired number of vCPU to be set for Citrix ADC CPX. |
-| ADMSettings.analyticsServerPort | Optional | 5557 | Port used for Analytics by ADM. Required to plot ServiceGraph. |
-| exporter.required | Optional | false | Use the argument if you want to run the [Exporter for Citrix ADC Stats](https://github.com/citrix/citrix-adc-metrics-exporter) along with Citrix ingress controller to pull metrics for the Citrix ADC CPX|
-| exporter.imageRegistry | Optional | `quay.io` | The Exporter for Citrix ADC Stats image registry |
-| exporter.imageRepository | Optional | `citrix/citrix-adc-metrics-exporter` | The Exporter for Citrix ADC Stats image repository |
-| exporter.imageTag | Optional | `1.4.9` | The Exporter for Citrix ADC Stats image tag |
-| exporter.pullPolicy | Optional | IfNotPresent | The Exporter for Citrix ADC Stats image pull policy. |
-| exporter.resources | Optional | {} | CPU/Memory resource requests/limits for Metrics exporter container |
-| exporter.ports.containerPort | Optional | 8888 | The Exporter for Citrix ADC Stats container port. |
-| analyticsConfig.required | Mandatory | false | Set this to true if you want to configure Citrix ADC to send metrics and transaction records to analytics service.
|
-| analyticsConfig.distributedTracing.enable | Optional | false | Set this value to true to enable OpenTracing in Citrix ADC. |
-| analyticsConfig.distributedTracing.samplingrate | Optional | 100 | Specifies the OpenTracing sampling rate in percentage. |
-| analyticsConfig.endpoint.server | Optional | N/A | Set this value as the IP address or DNS address of the analytics server. |
-| analyticsConfig.endpoint.service | Optional | N/A | Set this value as the IP address or service name with namespace of the analytics service deployed in Kuberenetes. Format: namespace/servicename|
-| analyticsConfig.timeseries.port | Optional | 5563 | Specify the port used to expose analytics service for timeseries endpoint. |
-| analyticsConfig.timeseries.metrics.enable | Optional | Set this value to true to enable sending metrics from Citrix ADC. |
-| analyticsConfig.timeseries.metrics.mode | Optional | avro | Specifies the mode of metric endpoint. |
-| analyticsConfig.timeseries.auditlogs.enable | Optional | false | Set this value to true to export audit log data from Citrix ADC. |
-| analyticsConfig.timeseries.events.enable | Optional | false | Set this value to true to export events from the Citrix ADC. |
-| analyticsConfig.transactions.enable | Optional | false | Set this value to true to export transactions from Citrix ADC. |
-| analyticsConfig.transactions.port | Optional | 5557 | Specify the port used to expose analytics service for transaction endpoint. |
-| crds.install | Optional | False | Unset this argument if you don't want to install CustomResourceDefinitions which are consumed by CIC. |
-| crds.retainOnDelete | Optional | false | Set this argument if you want to retain CustomResourceDefinitions even after uninstalling CIC. This will avoid data-loss of Custom Resource Objects created before uninstallation.
|
-| bgpSettings.required | Optional | false | Set this argument if you want to enable BGP configurations for exposing service of Type Loadbalancer through BGP fabric|
-| bgpSettings.bgpConfig | Optional| N/A| This represents BGP configurations in YAML format. For the description about individual fields, please refer the [documentation](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/cpx-bgp-router.md) |
-| nsLbHashAlgo.required | Optional | false | Set this value to set the LB consistent hashing Algorithm |
-| nsLbHashAlgo.hashFingers | Optional |256 | Specifies the number of fingers to be used for hashing algorithm. Possible values are from 1 to 1024, Default value is 256 |
-| nsLbHashAlgo.hashAlgorithm | Optional | 'default' | Specifies the supported algorithm. Supported algorithms are "default", "jarh", "prac", Default value is 'default' |
-
-> **Note:**
->
-> If Citrix ADM related information is not provided during installation, Citrix ADC CPX will come up with the default license.
-
-Alternatively, you can define a YAML file with the values for the parameters and pass the values while installing the chart.
-
-For example:
- ```
- helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller -f values.yaml
- ```
-
-> **Tip:**
->
-> The [values.yaml](https://github.com/citrix/citrix-helm-charts/blob/master/citrix-cpx-with-ingress-controller/values.yaml) contains the default values of the parameters.
-
-## Uninstalling the Chart
-To uninstall/delete the ```my-release``` deployment:
- ```
- helm delete my-release
- ```
-
-## Related documentation
-
-- [Citrix ADC CPX Documentation](https://docs.citrix.com/en-us/citrix-adc-cpx/12-1/cpx-architecture-and-traffic-flow.html)
-- [Citrix ingress controller Documentation](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/)
-- [Citrix ingress controller GitHub](https://github.com/citrix/citrix-k8s-ingress-controller)
-- [BGP advertisement for External IPs with CPX](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/cpx-bgp-router.md)
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.27.15/app-readme.md b/charts/citrix/citrix-cpx-with-ingress-controller/1.27.15/app-readme.md
deleted file mode 100644
index ef45a3d907..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.27.15/app-readme.md
+++ /dev/null
@@ -1,5 +0,0 @@
-# Citrix ADC CPX with Citrix Ingress Controller running as sidecar.
-
-In a [Kubernetes](https://kubernetes.io/) or [OpenShift](https://www.openshift.com) cluster, you can deploy [Citrix ADC CPX](https://docs.citrix.com/en-us/citrix-adc-cpx) with Citrix ingress controller as a [sidecar](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/). The Citrix ADC CPX instance is used for load balancing the North-South traffic to the microservices in your cluster. And, the sidecar Citrix ingress controller configures the Citrix ADC CPX.
-
-This Chart bootstraps deployment of Citrix ADC CPX with Citrix Ingress Controller as sidecar.
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.27.15/questions.yml b/charts/citrix/citrix-cpx-with-ingress-controller/1.27.15/questions.yml
deleted file mode 100644
index 0c87144137..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.27.15/questions.yml
+++ /dev/null
@@ -1,211 +0,0 @@
-questions:
-- variable: license.accept
- required: true
- default: "no"
- type: enum
- description: "Set to yes to accept the terms and conditions of the Citrix license."
- label: Accept License
- group: "Deployment Settings"
- options:
- - "yes"
- - "no"
-- variable: openshift
- default: false
- type: boolean
- description: "openshift is set to true if charts are being deployed in OpenShift environment"
- label: Openshift flag
- group: "Deployment Settings"
-- variable: nsNamespace
- type: string
- description: "Prefix for the resources on Citrix ADC"
- label: Resource Prefix
- group: "Deployment Settings"
-- variable: ingressClass[0]
- type: string
- description: "ingressClass is the name of the Ingress Class"
- label: Ingress Class
- group: "Deployment Settings"
-- variable: logLevel
- default: "DEBUG"
- type: enum
- options:
- - "TRACE"
- - "DEBUG"
- - "INFO"
- - "WARNING"
- - "ERROR"
- description: "logLevel of Citrix Ingress Controller pod"
- label: LogLevel
- group: "Deployment Settings"
-- variable: defaultSSLCert
- type: string
- description: "Secret containing the default ceritifcate for SSL vservers"
- label: Default SSLCert
- group: "ADC Settings"
-- variable: logProxy
- type: string
- description: "Elasticsearch or Kafka or Zipkin endpoint for Citrix observability exporte"
- label: LogProxy
- group: "Deployment Settings"
-- variable: http2ServerSide
- default: "OFF"
- type: enum
- options:
- - "ON"
- - "OFF"
- description: "Set to ON to enable HTTP2 for Citrix ADC service group configurations"
- label: HTTP2 on ADC
- group: "ADC Settings"
-- variable: nodeSelector.key
- type: string
- label: NodeSelector Key
- group: "Deployment Settings"
-- variable: nodeSelector.value
- type: string
- label: NodeSelector Value
- group: "Deployment Settings"
-
-
-- variable: ADMSettings.licenseServerIP
- type: string
- label: ADM LicenseServerIP
- group: "ADM Settings"
-- variable: ADMSettings.licenseServerPort
- default: 27000
- type: int
- label:
ADM LicenseServerPort
- group: "ADM Settings"
-- variable: ADMSettings.ADMIP
- type: string
- label: ADM IP
- group: "ADM Settings"
-- variable: ADMSettings.ADMFingerPrint
- type: string
- label: ADM FingerPrint
- group: "ADM Settings"
-- variable: ADMSettings.loginSecret
- type: string
- label: ADM Login Secret
- group: "ADM Settings"
-- variable: ADMSettings.bandWidthLicense
- type: boolean
- label: CPX Bandwidth License
- group: "ADM Settings"
-- variable: ADMSettings.bandWidth
- type: int
- label: CPX Bandwidth
- group: "ADM Settings"
-- variable: ADMSettings.vCPULicense
- type: boolean
- label: CPX vCPU License
- group: "ADM Settings"
-- variable: ADMSettings.cpxCores
- type: int
- label: CPX Cores
- group: "ADM Settings"
-- variable: cic.pullpolicy
- default: "IfNotPresent"
- type: enum
- label: CIC Image Pullpolicy
- group: "CIC/CPX Image Settings"
- options:
- - "Always"
- - "IfNotPresent"
- - "Never"
-- variable: pullpolicy
- default: "IfNotPresent"
- type: enum
- label: CPX Image Pullpolicy
- group: "CIC/CPX Image Settings"
- options:
- - "Always"
- - "IfNotPresent"
- - "Never"
-- variable: cic.image
- default: "quay.io/citrix/citrix-k8s-ingress-controller:1.8.28"
- type: string
- label: CIC Image
- group: "CIC/CPX Image Settings"
-- variable: image
- type: string
- default: "quay.io/citrix/citrix-k8s-cpx-ingress:13.0-58.30"
- label: CPX Image
- group: "CIC/CPX Image Settings"
-- variable: exporter.image
- default: "quay.io/citrix/citrix-adc-metrics-exporter:1.4.5"
- type: string
- description: "Exporter Image to be used"
- label: Exporter Image
- group: "Exporter Settings"
-- variable: exporter.pullPolicy
- default: "IfNotPresent"
- type: string
- description: "Exporter Image pull policy"
- label: Exporter Image PullPolicy
- group: "Exporter Settings"
-- variable: exporter.ports.containerPort
- default: 8888
- type: int
- label: Exporter ContainerPort
- group: "Exporter Settings"
-- variable: coeConfig.distributedTracing.enable
- default: false
- type:
boolean
- label: Enable distributedTracing
- group: "COE Settings"
-- variable: coeConfig.distributedTracing.samplingrate
- default: 100
- type: int
- label: COE Sampling Rate
- group: "COE Settings"
-- variable: coeConfig.endpoint.server
- type: string
- label: COE Endpoint Server
- group: "COE Settings"
-- variable: coeConfig.timeseries.port
- default: 5563
- type: int
- label: COE timeseries port
- group: "COE Settings"
-- variable: coeConfig.timeseries.metrics.enable
- default: false
- type: boolean
- label: Enable timeseries metrics
- group: "COE Settings"
-- variable: coeConfig.timeseries.metrics.mode
- default: 'avro'
- type: string
- label: COE timeseries metrics Mode
- group: "COE Settings"
-- variable: coeConfig.timeseries.auditlogs.enable
- default: false
- type: string
- label: Enable timeseries auditlogs
- group: "COE Settings"
-- variable: coeConfig.timeseries.events.enable
- default: false
- type: string
- label: Enable timeseries events
- group: "COE Settings"
-- variable: coeConfig.transactions.enable
- default: false
- type: string
- label: Enable transactions
- group: "COE Settings"
-- variable: coeConfig.transactions.port
- default: 5557
- type: int
- label: COE transactions port
- group: "COE Settings"
-- variable: crds.install
- default: true
- type: boolean
- description: "If set to true the charts will install CustomResourceDefinitions which are consumed by CIC."
- label: CRD flag
- group: "Deployment Settings"
-- variable: crds.retainOnDelete
- default: false
- type: boolean
- description: "Set this argument to true if you want to retain CustomResourceDefinitions even after uninstalling CIC. This will avoid data-loss of Custom Resource Objects created before uninstallation."
- label: CRD retainOnDelete flag
- group: "Deployment Settings"
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.27.15/templates/NOTES.txt b/charts/citrix/citrix-cpx-with-ingress-controller/1.27.15/templates/NOTES.txt
deleted file mode 100644
index bccfdf69a4..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.27.15/templates/NOTES.txt
+++ /dev/null
@@ -1,14 +0,0 @@
-Thank you for installing {{ .Chart.Name }}.
-
-Your release is named {{ .Release.Name }}.
-
-
-To learn more about the release, try:
-
- $ helm status {{ .Release.Name }}
- $ helm get {{ .Release.Name }}
-
-
-To delete :
- helm delete {{ .Release.Name }}
-
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.27.15/templates/_helpers.tpl b/charts/citrix/citrix-cpx-with-ingress-controller/1.27.15/templates/_helpers.tpl
deleted file mode 100644
index 92e636ce23..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.27.15/templates/_helpers.tpl
+++ /dev/null
@@ -1,97 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Analytics Server IP or DNS
-*/}}
-{{- define "analytics.server" -}}
-{{- if .Values.analyticsConfig.endpoint.server -}}
-{{- printf .Values.analyticsConfig.endpoint.server -}}
-{{- else -}}
-{{- printf "analytics.%s.svc.cluster.local" .Release.Namespace -}}
-{{- end -}}
-{{- end -}}
-
-
-{{- define "citrix-cpx-ingress-controller.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "citrix-cpx-ingress-controller.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "cpxservice.fullname" -}}
-{{- $name := default .Chart.Name "cpx-service" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "cpxexporter.fullname" -}}
-{{- $name := default .Chart.Name "exporter" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "cpxservicemonitor.fullname" -}}
-{{- $name := default .Chart.Name "citrix-adc-cpx-servicemonitor" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{-
.Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "cpxservicemonitorlabel" -}}
-{{- $name := default .Chart.Name "citrix-adc-cpx-svcmon" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "cpxconfigmap.fullname" -}}
-{{- $name := default .Chart.Name "cpx-cic-configmap" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "citrix-cpx-ingress-controller.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "citrix-cpx-ingress-controller.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create -}}
- {{ default (include "citrix-cpx-ingress-controller.fullname" .) .Values.serviceAccount.name }}
-{{- else -}}
- {{ default "default" .Values.serviceAccount.name }}
-{{- end -}}
-{{- end -}}
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.27.15/templates/cic_crds.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.27.15/templates/cic_crds.yaml
deleted file mode 100644
index 6ff58466f8..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.27.15/templates/cic_crds.yaml
+++ /dev/null
@@ -1,2515 +0,0 @@ -{{- if .Values.crds.install }} -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: rewritepolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: rewritepolicy - plural: rewritepolicies - singular: rewritepolicy - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - rewrite-policies: - type: array - items: - type: object - properties: - servicenames: - description: 'Name of the services that needs to be binded to rewrite policy.' - type: array - items: - type: string - maxLength: 127 - goto-priority-expression: - description: 'Expression or other value specifying the next policy to be - evaluated if the current policy evaluates to TRUE. - Specify one of the following values: - * NEXT - Evaluate the policy with the next higher priority number. - * END - End policy evaluation. - Default value of goto-priority-expression: END' - type: string - maxLength: 1499 - logpackets: - type: object - description: 'Adds an audit message action. - The action specifies whether to log the message, and to which log.' 
- properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' - type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - rewrite-policy: - type: object - properties: - rewrite-criteria: - description: 'Expression against which traffic is evaluated.' - type: string - maxLength: 1299 - default-action: - description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). - An UNDEF event indicates an internal error condition.' - type: string - maxLength: 77 - enum: ['NOREWRITE', 'RESET', 'DROP'] - operation: - description: 'Type of user-defined rewrite action.' - type: string - enum: ["noop", "delete", "insert_http_header", "delete_http_header", - "corrupt_http_header", "insert_before", "insert_after", "replace", - "replace_http_res", "delete_all", "replace_all", "insert_before_all", - "insert_after_all", "clientless_vpn_encode", "clientless_vpn_encode_all", - "clientless_vpn_decode", "clientless_vpn_decode_all", "insert_sip_header", - "delete_sip_header", "corrupt_sip_header", "replace_sip_res", "replace_diameter_header_field", - "replace_dns_header_field", "replace_dns_answer_section"] - target: - description: 'Default syntax expression that specifies which part of the request or response to rewrite.' - type: string - maxLength: 1229 - modify-expression: - description: 'Default syntax expression that specifies the content to insert into the request - or response at the specified location, or that replaces the specified string.' - type: string - maxLength: 7991 - multiple-occurence-modify: - description: 'Search facility that is used to match multiple strings in the request or response.' 
- type: string - maxLength: 171 - additional-multiple-occurence-modify: - description: 'Specify additional criteria to refine the results of the search. - Always starts with the "extend(m,n)" operation, where "m" specifies number of bytes to the left of selected data - and "n" specifies number of bytes to the right of selected data. - You can use refineSearch only on body expressions, and only when rewrite-criteria is any one of this: - INSERT_BEFORE_ALL, INSERT_AFTER_ALL, REPLACE_ALL, and DELETE_ALL.' - type: string - maxLength: 1299 - direction: - description: 'Bind point to which to bind the policy.' - type: string - enum: ["REQUEST","RESPONSE"] - comment: - description: 'Any comments to preserve information about this rewrite policy.' - type: string - maxLength: 255 - required: [rewrite-criteria, operation, target, direction] - required: [rewrite-policy] - - responder-policies: - type: array - items: - type: object - properties: - servicenames: - description: 'Name of the services that needs to be binded to responder policy.' - type: array - items: - type: string - maxLength: 127 - goto-priority-expression: - description: 'Expression or other value specifying the next policy to be - evaluated if the current policy evaluates to TRUE. - Specify one of the following values: - * NEXT - Evaluate the policy with the next higher priority number. - * END - End policy evaluation. - Default value of goto-priority-expression: END' - type: string - maxLength: 1499 - logpackets: - type: object - description: 'Adds an audit message action. - The action specifies whether to log the message, and to which log.' - properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' 
- type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", - "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - responder-policy: - type: object - properties: - redirect: - type: object - description: 'Use this option when you want to Redirect the request when request matches to policy.' - properties: - url: - description: 'URL on which you want to redirect the request.' - type: string - maxLength: 7991 - redirect-status-code: - description: 'HTTP response status code, for example 200, 302, 404, etc.' - type: integer - minimum: 100 - maximum: 599 - redirect-reason: - description: 'Expression specifying the reason for redirecting the request.' - type: string - maxLength: 7991 - required: [url] - respondwith: - type: object - description: 'Use this parameter when you want to respond to the request when request matches to policy.' - properties: - http-payload-string: - description: 'Expression that you want to sent as response to the request.' - type: string - maxLength: 7991 - required: [http-payload-string] - noop: - type: string - description: 'Use this option when you want to send the request to the protected server instead of - responding to it when request matches to policy.' - properties: - target: - description: 'Default syntax expression that specifies to perform noop operation on' - type: string - maxLength: 1229 - reset: - type: string - description: 'Use this option when you want to Reset the client connection by closing it when request matches to policy.' - properties: - drop: - type: string - description: 'Use this option when you want to drop the request without sending a response to the user when request matches to policy.' - properties: - respond-criteria: - description: 'Default syntax expression that the policy uses to determine whether to respond to the specified request.' 
- type: string - maxLength: 1299 - default-action: - description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). - An UNDEF event indicates an internal error condition.' - type: string - maxLength: 77 - enum: ['NOOP', 'RESET', 'DROP'] - comment: - description: 'Any comments to preserve information about this responder policy.' - type: string - maxLength: 255 - required: [respond-criteria] - oneOf: [required: [redirect], required: [respondwith], required: [noop], required: [reset], required: [drop]] - required: [responder-policy] - - dataset: - type: array - items: - type: object - properties: - name: - description: 'Name of the dataset.' - type: string - maxLength: 32 - type: - description: 'Type of value to bind to the dataset.' - type: string - enum: ["ipv4", "number", "ipv6", "ulong", "double", "mac"] - comment: - description: 'Any comments to preserve information about this dataset.' - type: string - maxLength: 255 - values: - description: 'Value of the specified type that is associated with this dataset.' - type: array - items: - type: string - required: [name, type, values] - - patset: - type: array - items: - type: object - properties: - name: - description: 'Name of the Patset.' - type: string - maxLength: 32 - comment: - description: 'Any comments to preserve information about this patset.' - type: string - maxLength: 255 - values: - description: 'String of characters that constitutes a pattern and is associated with this patset.' - type: array - items: - type: string - required: [name, values] - - stringmap: - type: array - items: - type: object - properties: - name: - description: 'Name of the Stringmap.' - type: string - maxLength: 32 - comment: - description: 'Any comments to preserve information about this stringmap.' - type: string - maxLength: 255 - values: - description: 'List of (key,value) pairs to be bound to this string map.' 
- type: array - items: - type: object - properties: - key: - description: 'Character string constituting the key to be bound to this string map.' - type: string - maxLength: 2047 - value: - description: 'Character string constituting the value associated with the key.' - type: string - maxLength: 2047 - required: [name, values] - - httpcallout_policy: - type: array - items: - type: object - properties: - name: - description: 'httpcallout name' - type: string - maxLength: 32 - server_ip: - description: 'IP Address of the server(callout agent) to which the callout is sent.' - type: string - server_port: - description: 'Port of the server(callout agent) to which the callout is sent.' - type: integer - minimum: 1 - maximum: 65535 - http_method: - description: |+ - 'Method used in the HTTP request that this callout sends. - Default http method is GET' - type: string - enum: ['GET', 'POST'] - host_expr: - description: |+ - 'String expression to configure the Host header. Can contain a literal value - (for example, 10.101.10.11) or a derived value (for example, http.req.header("Host")). - The literal value can be an IP address or a fully qualified domain name. Mutually - exclusive with the full HTTP request expression.' - type: string - maxLength: 255 - url_stem_expr: - description: |+ - 'String expression for generating the URL stem. Can contain a literal string - (for example, "/mysite/index.html") or an expression that derives the value - (for example, http.req.url).' - type: string - maxLength: 8191 - headers: - type: array - description: |+ - 'One or more headers to insert into the HTTP request. Each header is represented by - name and expr, where expr is an expression that is evaluated at runtime to provide - the value for the named header. You can configure a maximum of eight headers for - an HTTP callout.' 
- items: - type: object - properties: - name: - description: 'header name' - type: string - expr: - description: 'header expression' - type: string - parameters: - type: array - description: |+ - 'One or more query parameters to insert into the HTTP request URL (for a GET request) - or into the request body (for a POST request). Each parameter is represented by - name and expr, where expr is an expression that is evaluated at run time to provide - the value for the named parameter (name=value). The parameter values are URL encoded.' - items: - type: object - properties: - name: - description: 'parameter name' - type: string - expr: - description: 'parameter expression' - type: string - body_expr: - description: |+ - 'An advanced string expression for generating the body of the request. - The expression can contain a literal string or an expression that derives - the value (for example, client.ip.src).' - type: string - full_req_expr: - description: |+ - 'Exact HTTP request, in the form of an expression, which the Citrix ADC sends - to the callout agent. The request expression is constrained by the feature - for which the callout is used. For example, an HTTP.RES expression cannot be - used in a request-time policy bank or in a TCP content switching policy bank.' - type: string - scheme: - description: |+ - 'Type of scheme for the callout server. - Default scheme is HTTP' - type: string - enum: ['HTTP', 'HTTPS'] - cache_for_secs: - description: |+ - 'Duration, in seconds, for which the callout response is cached. - The cached responses are stored in an integrated caching content - group named "calloutContentGroup". If no duration is configured, - the callout responses will not be cached unless normal caching - configuration is used to cache them. This parameter takes precedence over any - normal caching configuration that would otherwise apply to these responses.' 
- type: integer - minimum: 1 - maximum: 31536000 - return_type: - description: |+ - 'Type of data that the target callout agent returns in response to the callout - Available settings function as follows: - * TEXT - Treat the returned value as a text string. - * NUM - Treat the returned value as a number. - * BOOL - Treat the returned value as a Boolean value.' - type: string - enum: ['TEXT', 'NUM', 'BOOL'] - result_expr: - description: |+ - 'Expression that extracts the callout results from the response sent by the HTTP callout - agent. Must be a response based expression, that is, it must begin with HTTP.RES. The - operations in this expression must match the return type. For example, if you configure - a return type of TEXT, the result expression must be a text based expression. If the - return type is NUM, the result expression (resultExpr) must return a numeric value, - as in the following example: http.res.body(10000).length.' - type: string - maxLength: 8191 - comment: - description: 'Any comments to preserve information about this HTTP callout.' 
- type: string - maxLength: 255 - allOf: - - properties: - required: [name, server_ip, server_port] - - properties: - oneOf: - - properties: - required: [full_req_expr] - - properties: - anyOf: - - properties: - required: [http_method] - - properties: - required: [host_expr] - - properties: - required: [url_stem_expr] - - properties: - required: [headers] - - properties: - required: [parameters] - - properties: - required: [body_expr] - anyOf: [required: [rewrite-policies], required: [responder-policies]] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: ratelimits.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: ratelimit - plural: ratelimits - singular: ratelimit - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the ratelimit policies are applied.' - type: array - items: - type: string - maxLength: 127 - selector_keys: - type: object - description: 'Traffic match criteria to which apply above rate-limit/throttling. All keys are applied as AND condition. 
If no keys are specified, rate-limit applies at service level' - properties: - basic: - type: object - description: "Basic traffic stream selection criteria to which to apply the ratelimit" - properties: - path: - type: array - description: "api resource path prefix match. e.g. /api/v1/products" - items: - type: string - method: - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST','DELETE'] - header_name: - description: "HTTP header that identifies the unique API client for e.g. X-apikey" - type: string - per_client_ip: - description: "Setting this applies the throttling limit to each unique Client IP address accessing the API resource" - type: boolean - req_threshold: - description: 'Max requests per timeslice units to be allowed' - type: integer - timeslice: - description: 'Timeslice in miliseconds in multiple of 10. Defaults to 1000 miliseconds' - type: integer - limittype: - description: "Burst mode or smooth. Defaults to smooth limittype if not specified" - type: string - enum: ['BURSTY','SMOOTH'] - throttle_action: - type: string - enum: ['DROP', 'RESET','REDIRECT', 'RESPOND'] - description: "Drop will drop the requests exceeding limits, RESET will reset the client connection, Redirect will redirect to specified URL, respond will respond with 429 'Exceeded allowed rate of requests'" - redirect_url: - type: string - description: "Redirect-URL" - logpackets: - type: object - description: 'Adds an audit message action. The action specifies whether to log the message, and to which log.' - properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' 
- type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - required: [req_threshold] ---- -#Sample CRD instance - -#apiVersion: citrix.com/v1 -#description: VIP for apache service -#kind: vip -#metadata: -# name: service-apache -# namespace: default -#spec: -# description: VIP for the apache Service -# ipaddress: 10.99.98.90 -# kind: service -# name: apache - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: vips.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: vip - plural: vips - singular: vip - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - additionalPrinterColumns: - - jsonPath: .spec.ipaddress - name: VIP - type: string - - name: Age - type: date - jsonPath: .metadata.creationTimestamp - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - ipaddress: - type: string - name: - type: string - kind: - type: string - enum: ["service", "ingress"] - description: - type: string - range-name: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: authpolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: authpolicy - plural: authpolicies - singular: authpolicy - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: 'Current Status of the CRD' - jsonPath: .status.state - - name: Message - type: string - description: 'Status Message' - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: 
string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: |+ - 'Name of the services for which the policies applied' - type: array - items: - type: string - maxLength: 63 - authentication_mechanism: - type: object - description: |+ - 'Authentication mechanism. Options: using forms or using request header. - Default is Authentication using request header, when no option is specified' - properties: - using_request_header: - description: |+ - 'Enable user authentication using request header. Use when the credentials - or api keys are passed in a header. For example, when using Basic, Digest, - Bearer authentication or api keys. - When authentication using forms is provided, this is set to OFF' - - type: string - using_forms: - type: object - description: 'Enables authentication using forms. Use with user/web authentication.' - properties: - authentication_host: - description: |+ - 'Fully qualified domain name (FQDN) for authentication. - This FQDN should be unique and should resolve to frontend IP of - ADC with Ingress/service type LoadBalancer (or) vip of Listener CRD' - type: string - maxLength: 255 - authentication_host_cert: - description: |+ - 'Name of the SSL certificate to be used with authentication_host. 
- This certificate is mandatory while using_forms' - type: object - properties: - tls_secret: - type: string - description: 'Name of the Kubernetes Secret of type tls referring to Certificate' - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - preconfigured: - type: string - maxLength: 63 - description: |+ - 'Preconfigured SSL certkey name on ADC with the - certificate and key already added on ADC' - oneOf: - - properties: - required: [tls_secret] - - properties: - required: [preconfigured] - ingress_name: - description: |+ - 'Ingress name for which the authentication using forms - is applicable.' - type: string - maxLength: 63 - lb_service_name: - description: |+ - 'Service of type LoadBalancer for which the authentication using forms - is applicable.' - type: string - maxLength: 63 - listener_name: - description: |+ - 'Listener CRD name for which the authentication using forms is applicable.' - type: string - maxLength: 63 - vip: - description: |+ - 'Frontend IP of ingress for which the authentication - using forms is applicable. This refers to frontend-ip provided - with Ingress. It is suggested to use vip, if more than one Ingress - resource use the same frontend-ip' - type: string - required: [authentication_host, authentication_host_cert] - oneOf: - - properties: - required: [ingress_name] - - properties: - required: [lb_service_name] - - properties: - required: [listener_name] - - properties: - required: [vip] - oneOf: - - properties: - using_request_header: - enum: ['ON'] - required: [using_request_header] - - properties: - required: [using_forms] - - authentication_providers: - description: |+ - 'Authentication Configuration for required authentication providers/schemes. 
- One or more of these can be created' - type: array - items: - description: 'Create config for a single authentication provider of a particular type' - type: object - properties: - name: - description: 'Name for this provider, has to be unique, referenced by authentication policies' - type: string - maxLength: 127 - - oauth: - description: 'Authentication provided by external oAuth provider' - type: object - properties: - issuer: - description: 'Identity of the server whose tokens are to be accepted' - type: string - maxLength: 127 - audience: - description: 'Audience for which token sent by Authorization server is applicable' - type: array - items: - type: string - maxLength: 127 - jwks_uri: - description: |+ - 'URL of the endpoint that contains JWKs (Json Web Key) for - JWT (Json Web Token) verification' - type: string - maxLength: 127 - introspect_url: - description: ' URL of the introspection server' - type: string - maxLength: 127 - client_credentials: - description: |+ - 'secrets object that contains Client Id and secret as known - to Introspection server' - type: string - maxLength: 253 - token_in_hdr: - description: |+ - 'custom header name where token is present, - default is Authorization header' - type: array - items: - type: string - maxLength: 127 - maxItems: 2 - token_in_param: - description: 'query parameter name where token is present' - type: array - items: - type: string - maxLength: 127 - maxItems: 2 - signature_algorithms: - description: 'list of allowed signature algorithms, by default HS256, RS256, RS512 are allowed' - type: array - items: - type: string - enum: ['HS256', 'RS256', 'RS512'] - claims_to_save: - description: 'list of claims to be saved, used to create authorization policies' - type: array - items: - type: string - maxLength: 127 - metadata_url: - description: 'URL used to get OAUTH/OIDC provider metadata' - type: string - maxLength: 255 - user_field: - description: |+ - 'Attribute in the token from which username should be 
extracted. - by default, ADC looks at email attribute for user id' - type: string - maxLength: 127 - default_group: - description: |+ - 'group assigned to the request if authentication succeeds, - this is in addition to any extracted groups from token' - type: string - maxLength: 63 - grant_type: - description: 'used to specify the type of flow to the token end point, defaults to CODE' - type: array - items: - type: string - enum: ['CODE','PASSWORD'] - pkce: - description: 'specify whether to enable Proof Key Code Exchange, defaults to ENABLED' - type: string - enum: ['ENABLED', 'DISABLED'] - token_ep_auth_method: - description: |+ - 'authentication method to be used with token end point, - defaults to client_secret_post' - type: string - enum: ['client_secret_post', 'client_secret_jwt'] - - anyOf: - - properties: - required : [jwks_uri] - - properties: - required : [introspect_url, client_credentials] - - properties: - required : [metadata_url] - - ldap: - description: 'LDAP authentication provider' - type: object - properties: - server_ip: - description: 'IP address assigned to the LDAP server' - type: string - server_name: - description: 'LDAP server name as a FQDN' - type: string - maxLength: 127 - server_port: - description: 'Port on which the LDAP server accepts connections. Default is 389' - type: integer - minimum: 1 - maximum: 65535 - base: - description: |+ - 'Base (node) from which to start LDAP searches. If the LDAP server is - running locally, the default value of base is dc=netscaler, dc=com' - type: string - maxLength: 127 - server_login_credentials: - description: |+ - 'Kubernetes secret object providing credentials to login to LDAP server, - The secret data should have username and password' - type: string - login_name: - description: |+ - 'LDAP login name attribute. 
The Citrix ADC uses the LDAP login name - to query external LDAP servers or Active Directories' - type: string - maxLength: 127 - security_type: - description: |+ - 'Type of security used for communications between the Citrix ADC - and the LDAP server. Default is TLS' - type: string - enum: ['PLAINTEXT', 'TLS', 'SSL'] - validate_server_cert: - description: 'Validate LDAP Server certs. Default is NO' - type: string - enum: ['YES', 'NO'] - hostname: - description: |+ - 'Hostname for the LDAP server. If validate_server_cert is ON, - this must be the host name on the certificate from the LDAP - A hostname mismatch will cause a connection failure' - type: string - maxLength: 127 - sub_attribute_name: - description: 'LDAP group sub-attribute name. Used for group extraction from the LDAP server.' - type: string - maxLength: 31 - group_attribute_name: - description: 'LDAP group attribute name. Used for group extraction on the LDAP server.' - type: string - maxLength: 31 - search_filter: - description: |+ - 'String to be combined with the default LDAP user search string to form the - search value. For example, if the search filter "vpnallowed=true" is combined - with the LDAP login name "samaccount" and the user-supplied username is "bob", - the result is the LDAP search string ""(&(vpnallowed=true)(samaccount=bob)"" - (Be sure to enclose the search string in two sets of double quotation marks)' - type: string - maxLength: 255 - auth_timeout: - description: |+ - 'Number of seconds the Citrix ADC waits for a response from the server - Default is 3' - type: integer - minimum: 1 - maximum: 4294967295 - password_change: - description: 'Allow password change requests. 
Default is DISABLED' - type: string - enum: ['ENABLED', 'DISABLED'] - attributes_to_save: - description: |+ - 'List of attribute names separated by comma which needs to be fetched - from LDAP server and stored as key-value pair for the session on ADC' - type: string - maxLength: 2047 - oneOf: - - properties: - required: [server_ip] - - properties: - required: [server_name] - - saml: - description: |+ - 'SAML authentication provider. - Currently SAML is supported only with authentication mechanism using forms' - type: object - properties: - metadata_url: - description: 'URL is used for obtaining saml metadata.' - type: string - maxLength: 255 - metadata_refresh_interval: - description: |+ - 'Interval in minutes for fetching metadata from specified metadata URL. - Default is 36000' - type: integer - minimum: 1 - maximum: 4294967295 - signing_cert: - description: 'SSL certificate to sign requests from SP to IDP' - type: object - properties: - tls_secret: - type: string - description: 'Name of the Kubernetes Secret of type tls referring to Certificate' - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - preconfigured: - type: string - maxLength: 63 - description: |+ - 'Preconfigured SSL certkey name on ADC with the - certificate and key already added on ADC' - oneOf: - - properties: - required: [tls_secret] - - properties: - required: [preconfigured] - audience: - description: 'Audience for which assertion sent by IdP is applicable' - type: string - maxLength: 127 - issuer_name: - description: 'The name to be used in requests sent from SP to IDP to identify citrix ADC' - type: string - maxLength: 63 - binding: - description: 'Specifies the transport mechanism of saml message. Default is POST' - type: string - enum: ['REDIRECT', 'POST', 'ARTIFACT'] - artifact_resolution_service_url: - description: 'URL of the Artifact Resolution Service on IdP' - type: string - maxLength: 255 - logout_binding: - description: 'Specifies the transport mechanism of saml logout. 
Default is POST' - type: string - enum: ['REDIRECT', 'POST'] - reject_unsigned_assertion: - description: |+ - 'Reject unsigned SAML assertions. ON, rejects assertion without signature. - STRICT ensure that both Response and Assertion are signed. Default is ON' - type: string - enum: ['ON', 'OFF', 'STRICT'] - user_field: - description: 'SAML user ID, as given in the SAML assertion' - type: string - maxLength: 63 - default_authentication_group: - description: |+ - 'This is the default group that is chosen when the authentication - succeeds in addition to extracted groups' - type: string - maxLength: 63 - skew_time: - description: |+ - 'Allowed clock skew in number of minutes on an incoming assertion. - Default is 5' - type: integer - minimum: 1 - attributes_to_save: - description: |+ - 'List of attribute names separated by comma which needs to be extracted - and stored as key-value pair for the session on ADC' - type: string - maxLength: 2047 - required: - - metadata_url - - basic_local_db: - type: object - description: |+ - 'Basic HTTP authentication supported by ADC, user data in local DB of ADC. - Users needs to be added on ADC' - properties: - use_local_auth: - description: 'Use ADC authentication' - type: string - enum: ['YES'] - - required: - - name - - authentication_policies: - description: 'Authentication policies' - type: array - items: - type: object - description: 'Authentication policy' - properties: - resource: - type: object - description: 'endpoint/resource selection criteria' - properties: - path: - description: 'api resource path e.g. /products. 
' - type: array - items: - type: string - maxLength: 511 - method: - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST','DELETE'] - required: - - path - expression: - description: 'ADC syntax expression for authentication' - type: string - maxLength: 1229 - provider: - description: 'name of the authentication provider for the policy, empty if no authentication required' - type: array - items: - type: string - maxLength: 127 - maxItems: 1 - oneOf: - - required: [resource, provider] - - required: [expression, provider] - - authorization_policies: - description: 'Authorization policies' - type: array - items: - type: object - description: 'Authorization policy' - properties: - resource: - type: object - description: 'endpoint/resource selection criteria' - properties: - path: - description: 'api resource path e.g. /products. ' - type: array - items: - type: string - maxLength: 511 - method: - description: ' http method' - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST','DELETE'] - claims: - description: 'authorization scopes required for selected resource saved as claims or attributes' - type: array - items: - type: object - properties: - name: - description: 'name of the claim/attribute to check' - type: string - maxLength: 127 - values: - description: 'list of claim values required for the request' - type: array - items: - type: string - maxLength: 127 - minItems: 1 - required: - - name - - values - required: - - claims - expression: - description: 'ADC syntax expression for authorization' - type: string - maxLength: 1229 - oneOf: - - required: [resource] - - required: [expression] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: listeners.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - version: null - names: - kind: Listener - plural: listeners - singular: listener - scope: Namespaced - versions: - 
- name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - required: [spec] - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - required: [protocol] - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - protocol: - type: string - enum: ["https", "http"] - description: "Protocol for this listener" - vip: - type: string - description: "VIP address, Optional for CPX, required for Tier-1 deployments" - secondaryVips: - type: array - description: "An array of Secondary VIPs. All the VIPs will be part of an ipset" - minItems: 1 - items: - type: string - redirectPort: - type: integer - minimum: 1 - maximum: 65535 - description: "Port from which http traffic should be redirected to https" - port: - type: integer - minimum: 1 - maximum: 65535 - certificates: - type: array - description: "certificates attached to the endpoints - Not applicable for HTTP" - minItems: 1 - items: - type: object - properties: - preconfigured: - type: string - description: "Preconfigured Certificate name on ADC " - secret: - type: object - description: "Kuberentes secret object" - required: [name] - properties: - name: - type: string - description: "name of the Kubernetes Secret object where Cert is located" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - namespace: - type: string - description: "Namespace of the kubernetes secret object; Default is same namespace where the Listener object is located" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - default: - type: boolean - description: "Only one of the certificate can be marked as default which will be presented if none of the cert matches with the hostname" - oneOf: - - required: ["preconfigured"] - - required: ["secret"] - policies: - 
type: object - description: "Policies attached to the Listener" - properties: - httpprofile: - type: object - description: "HTTP profile configurations for the Listener, HTTP level configurations" - properties: - preconfigured: - type: string - description: "Preconfigured or Built-in HTTP profile name" - config: - type: object - description: "HTTP profile configuration for the listener. For individual fields, refer:https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ns/nshttpprofile/nshttpprofile/ Name field is auto populated" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - tcpprofile: - type: object - description: "TCP level configurations, uses ns tcpprofile of citrix ADC" - properties: - preconfigured: - description: "Preconfigured or Built-in TCP profile name" - type: string - config: - type: object - description: "TCPprofile configurations for the listener. For individual fields refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ns/nstcpprofile/ ; Name field is auto populated" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - csvserverConfig: - type: object - description: "CS Vserver configuration for the listener" - additionalProperties: - type: string - sslprofile: - type: object - description: "SSL profile configuration" - properties: - preconfigured: - type: string - description: "SSL profile which is preconfigured in ADC. Ciphers bound to the profile is not overriden" - config: - description: "Citrix ADC frontend SSL profile configurations. 
Refer:https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ssl/sslprofile/ for all configurations; Name field is auto generated" - type: object - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - sslciphers: - type: array - description: "List of ciphers to be bound to the ssl profile for the listener. Priority is as per the order in the list. A cipher suite, predefined cipher group or User created cipher group can be mentioned" - minItems: 1 - items: - type: string - description: "Cipher suite, cipher group name" - analyticsprofile: - type: object - description: "Analytics profile configuration" - properties: - preconfigured: - type: array - description: "Preconfigured Analytics profile that needs to be bound to the vserver" - minItems: 1 - items: - type: string - description: "Name of the analytics profile preconfigured that will be bound to the Vserver" - config: - type: array - description: "An array of analytics to be enabled" - minItems: 1 - items: - type: object - description: "Anlytics to be enabled" - required: ['type'] - properties: - type: - description: "Analytics profile to be enabled, you can enable one or more of the webinsight, tcpinsight, securityinsight, videoinsight, hdxinsight, gatewayinsight, timeseries, lsninsight, botinsight " - type: string - enum: ["webinsight", "tcpinsight", "securityinsight", "videoinsight", "hdxinsight", "gatewayinsight", "timeseries", "lsninsight", "botinsight"] - parameters: - type: object - description: "Additional parameters for analytics profile. 
Please refer:https://developer-docs.citrix.com/projects/citrix-adc-nitro-api-reference/en/latest/configuration/analytics/analyticsprofile/" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - routes: - type: array - description: "List of route objects attached to the listener" - minItems: 1 - items: - type: object - properties: - name: - type: string - description: "Name of the HTTPRoute object" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - namespace: - type: string - description: "Namespace of the HTTPRoute object" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - labelSelector: - description: "Labels key value pair, if the route carries the same labels, it is automatically attached" - type: object - additionalProperties: - type: string - oneOf: - - required: [name, namespace] - - required: [labelSelector] - defaultAction: - type: object - description: "Default action for the listener: One of Backend or Redirect" - properties: - backend: - type: object - oneOf: - - required: [kube] - properties: - kube: - type: object - required: [service, port] - properties: - service: - description: "Name of the backend service" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - port: - description: "Service port" - type: integer - minimum: 1 - maximum: 65535 - namespace: - description: "Service namespace" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - backendConfig: - description: "General backend service options" - type: object - properties: - secure_backend: - description: "Use Secure communications to the backends" - type: boolean - lbConfig: - description: "Citrix ADC LB vserver configurations for the backend. 
Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/load-balancing/lbvserver/lbvserver/ for all configurations" - type: object - additionalProperties: - type: string - servicegroupConfig: - description: "Citrix ADC service group configurations for the backend; Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/basic/servicegroup/servicegroup/ for all configurations" - type: object - additionalProperties: - type: string - redirect: - type: object - oneOf: - - required: [targetExpression] - - required: [hostRedirect] - - required: [httpsRedirect] - properties: - httpsRedirect: - description: "Change the scheme from http to https keeping URL intact" - type: boolean - hostRedirect: - description: "Host name specified is used for redirection with URL intact" - type: string - targetExpression: - description: "A target can be specified using Citrix ADC policy expression" - type: string - responseCode: - description: "Default response code is 302, which can be customised using this attribute" - type: integer - minimum: 100 - maximum: 599 - oneOf: - - required: ["backend"] - - required: ["redirect"] - subresources: - # status enables the status subresource. 
- status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: httproutes.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - version: null - names: - kind: HTTPRoute - plural: httproutes - singular: httproute - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - required: [rules] - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - hostname: - type: array - description: "List of domain names that share the same route, default is '*'" - minItems: 1 - items: - type: string - description: "Domain name" - rules: - type: array - description: "List Content routing rules with an action defined" - minItems: 1 - items: - type: object - required: [name, action] - properties: - name: - type: string - description: "A name to represent the rule, this is used as an identifier in content routing policy name in ADC" - minLength: 1 - maxLength: 20 - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - match: - type: array - description: "List of rules with same action" - minItems: 1 - items: - type: object - anyOf: - - required: [path] - - required: [headers] - - required: [cookies] - - required: [queryParams] - - required: [method] - - required: [policyExpression] - properties: - path: - type: object - description: "URL Path based content routing" - properties: - prefix: - type: string - description: "URL path matches the prefix expression" - exact: - type: string - description: "URL Path must match exact path" - regex: - type: string - 
description: "PCRE based regex expression for path matching" - headers: - type: array - description: "List of header for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Header details for content routing, Check for existence of a header or header name-value match" - properties: - headerName: - type: object - description: "Header name based content routing, Here existence of header is used for routing" - properties: - exact: - type: string - description: "Header Name - treated as exact must exist" - contains: - type: string - description: "Header Name - A header must exist that contain the string the name" - regex: - type: string - description: "header Name - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e header name must not exist" - oneOf: - - required: [exact] - - required: [contains] - - required: [regex] - headerValue: - type: object - description: "Header Name and Value based match" - properties: - name: - type: string - description: "Header name that must match the value" - exact: - type: string - description: "Header value - treated as exact" - contains: - type: string - description: "Header value - treated as contains" - regex: - type: string - description: "header value - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e header if present must not match the value" - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - queryParams: - type: array - description: "List of Query parameters for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Query parameters Name and Value based match" - properties: - name: - type: string - description: "Query name that must match the value. 
If no value is specified, matches with any value" - exact: - type: string - description: "Query value - Exact match" - contains: - type: string - description: "Query value - value must have the string(substring)" - regex: - type: string - description: "Query value - Value must match this regex patterm" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e query if present must not match the value" - anyOf: - - required: [name] - - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - cookies: - type: array - description: "List of Cookie params for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Cookie based routing" - properties: - name: - type: string - description: "cookie name that must match the value. If no value specified, it matches with any value" - exact: - type: string - description: "cookie value - treated as exact" - contains: - type: string - description: "cookie value - treated as substring" - regex: - type: string - description: "cookie value - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. 
I.e cookie if present must not match the value" - anyOf: - - required: [name] - - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - method: - type: string - description: "HTTP method for content routing eg: POST, PUT, DELETE etc" - policyExpression: - type: string - description: "Citrix ADC policy expressions; refer: https://docs.citrix.com/en-us/netscaler/media/expression-prefix.pdf" - action: - type: object - description: "Action for the matched rule" - properties: - backend: - type: object - oneOf: - - required: [kube] - properties: - kube: - type: object - required: [service, port] - properties: - service: - description: "Name of the backend service" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - port: - description: "Service port" - type: integer - minimum: 1 - maximum: 65535 - backendConfig: - type: object - description: "General backend service options" - properties: - secureBackend: - description: "Use Secure communications to the backends" - type: boolean - lbConfig: - description: "Citrix ADC LB vserver configurations for the backend. 
Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/load-balancing/lbvserver/lbvserver/ for all configurations" - type: object - additionalProperties: - type: string - servicegroupConfig: - description: "Citrix ADC service group configurations for the backend; Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/basic/servicegroup/servicegroup/ for all configurations" - type: object - additionalProperties: - type: string - redirect: - type: object - oneOf: - - required: [targetExpression] - - required: [hostRedirect] - - required: [httpsRedirect] - properties: - httpsRedirect: - description: "Change the scheme from http to https keeping URL intact" - type: boolean - hostRedirect: - description: "Host name specified is used for redirection with URL intact" - type: string - targetExpression: - description: "A target can be specified using Citrix ADC policy expression" - type: string - responseCode: - description: "Default response code is 302, which can be customised using this attribute" - type: integer - minimum: 100 - maximum: 599 - oneOf: - - required: ["backend"] - - required: ["redirect"] - subresources: - # status enables the status subresource. - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - # name must match the spec fields below, and be in the form: . 
- name: continuousdeployments.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: continuousdeployment - plural: continuousdeployments - singular: continuousdeployment - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - cronSpec: - type: integer - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: wafs.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: waf - plural: wafs - singular: waf - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the waf policies are applied.' 
- type: array - items: - type: string - maxLength: 127 - application_type: - description: 'Type of applications to protect' - type: array - items: - type: string - enum: ['HTML', 'JSON', 'XML'] - signatures: - description: 'Location of external signature file' - type: string - redirect_url: - description: 'When a URL is blocked/down, redirect_url represents the alternate URL where the client requests should be sent.' - type: string - html_error_object: - description: 'Location of customized error page to respond when html or common violation are hit' - type: string - xml_error_object: - description: 'Location of customized error page to respond when xml violations are hit' - type: string - json_error_object: - description: 'Location of customized error page to respond when json violations are hit' - type: string - ip_reputation: - type: object - x-kubernetes-preserve-unknown-fields: true - description: 'Enabling IP reputation feature' - target: - description: 'To control what traffic to be inspected by Web Application Firewall. 
If you do not provide the target, everything will be inspected by default' - type: object - properties: - path: - type: array - description: "List of http urls to inspect" - items: - type: string - description: "URL path" - method: - type: array - description: "List of http methods to inspect" - items: - type: string - enum: ['GET', 'PUT', 'POST','DELETE'] - header: - type: array - description: "List of http headers to inspect" - items: - type: string - description: "header name" - security_checks: - description: 'To enable/disable application firewall security checks' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true - settings: - description: 'To fine tune application firewall security checks default settings' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true - relaxations: - description: 'Section which contains relaxation rules for known traffic and false positives' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true - enforcements: - description: 'Section which contains enforcement or restriction rules' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - 
x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: bots.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: bot - plural: bots - singular: bot - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the bot policies are applied.' - type: array - items: - type: string - maxLength: 127 - signatures: - description: 'Location of external bot signature file' - type: string - redirect_url: - description: 'url to redirect when bot violation is hit' - type: string - target: - description: 'To control what traffic to be inspected by BOT. 
If you do not provide the target, everything will be inspected by default' - type: object - properties: - path: - type: array - description: "List of http urls to inspect" - items: - type: string - description: "URL path" - method: - type: array - description: "List of http methods to inspect" - items: - type: string - enum: ['GET', 'PUT', 'POST','DELETE'] - header: - type: array - description: "List of http headers to inspect" - items: - type: string - description: "header name" - security_checks: - description: 'To enable/disable bot ecurity checks' - type: object - properties: - allow_list: - type: string - enum: ['ON', 'OFF'] - block_list: - type: string - enum: ['ON', 'OFF'] - device_fingerprint: - type: object - x-kubernetes-preserve-unknown-fields: true - reputation: - type: string - enum: ['ON', 'OFF'] - ratelimit: - type: string - enum: ['ON', 'OFF'] - tps: - type: string - enum: ['ON', 'OFF'] - trap: - type: object - x-kubernetes-preserve-unknown-fields: true - bindings: - description: 'Section which contains binding rules for bot security checks' - type: object - properties: - allow_list: - type: array - items: - type: object - properties: - subnet: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - expression: - type: object - x-kubernetes-preserve-unknown-fields: true - - block_list: - type: array - items: - type: object - properties: - subnet: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - expression: - type: object - x-kubernetes-preserve-unknown-fields: true - ratelimit: - type: array - items: - type: object - properties: - url: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - cookie: - type: object - x-kubernetes-preserve-unknown-fields: true - reputation: - type: object - x-kubernetes-preserve-unknown-fields: true 
- captcha: - type: array - items: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - tps: - type: object - properties: - geolocation: - type: object - x-kubernetes-preserve-unknown-fields: true - host: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - trapinsertion: - type: object - x-kubernetes-preserve-unknown-fields: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: apigatewaypolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: apigatewaypolicy - plural: apigatewaypolicies - singular: apigatewaypolicy - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - subresources: - status: {} - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - api_definition: - type: object - properties: - repository: - type: string - branch: - type: string - oas_secret_ref: - type: string - files: - type: array - items: - type: string - maxLength: 127 - api_proxy: - type: object - properties: - ipaddress: - type: string - port: - type: integer - protocol: - type: string - secret: - type: string - policies: - type: array - items: - type: object - properties: - name: - type: string - selector: - type: array - items: - type: object - properties: - tags: - type: array - items: - type: string - api: - type: string - method: - type: array - items: - type: string - maxLength: 127 - upstream: - type: object - properties: - 
service: - type: string - port: - type: integer - policy_bindings: - type: object - properties: - ratelimit: - type: object - properties: - name: - type: string - waf: - type: object - properties: - name: - type: string - rewritepolicy: - type: object - properties: - name: - type: string - bot: - type: object - properties: - name: - type: string - aaa: - type: array - items: - type: object - properties: - crd_name: - type: string - mappings: - type: array - items: - type: object - properties: - petstore_auth: - type: string - api_key: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: corspolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: corspolicy - plural: corspolicies - singular: corspolicy - shortNames: - - cp - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: 'Current Status of the CRD' - jsonPath: .status.state - - name: Message - type: string - description: 'Status Message' - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'The list of Kubernetes services to which you want to apply the cors policies.' 
- type: array - items: - type: string - maxLength: 63 - allow_origin: - description: 'Represents list of allowed origins, it is used to screen the “origin” in the cors pre flight request' - type: array - items: - type: string - maxLength: 2083 - allow_methods: - description: 'Indicates which methods are supported by the response’s URL for the purposes of the CORS protocol. This variable will be used to set Access-Control-Allow-Methods in the pre-flight cors response.' - type: array - items: - type: string - maxLength: 127 - allow_headers: - description: 'Indicates which headers are supported by the response’s URL for the purposes of the CORS protocol. This variable will be used to set Access-Control-Allow-Headers in the pre-flight cors response.' - type: array - items: - type: string - maxLength: 127 - max_age: - description: 'Indicates the number of seconds (5 by default) the information provided by the `Access-Control-Allow-Methods` and `Access-Control-Allow-Headers` headers can be cached. This variable will be used to set Access-Control-Max-Age in the pre-flight cors response.' - type: integer - allow_credentials: - description: 'Indicates whether the response can be shared when the request’s credentials mode is "include". This variable will be set to Access-Control-Allow-Credentials in the rewrite action.' 
- type: boolean - required: [servicenames, allow_origin, allow_methods, allow_headers] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: appqoepolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: appqoepolicy - plural: appqoepolicies - singular: appqoepolicy - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - appqoe-policies: - type: array - items: - type: object - properties: - servicenames: - description: 'Name of the services that needs to be binded to appqoe policy.' - type: array - items: - type: string - maxLength: 127 - appqoe-policy: - type: object - properties: - operation-retry: - type: object - properties: - on-reset: - description: "To set Retry on Connection Reset or Not" - type: string - enum: ['YES','NO'] - on-timeout: - description: "Time in milliseconds for retry" - type: integer - minimum: 30 - maximum: 2000 - number-of-retries: - description: "To set number of retries" - type: integer - minimum: 1 - maximum: 7 - required: [operation-retry] - appqoe-criteria: - description: 'Expression against which traffic is evaluated.' - type: string - maxLength: 1299 - direction: - description: 'Bind point to which to bind the policy.' 
- type: string - enum: ["REQUEST","RESPONSE"] - required: [appqoe-criteria, operation-retry] - required: [appqoe-policy] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: wildcarddnsentries.citrix.com -spec: - group: citrix.com - names: - kind: wildcarddnsentry - plural: wildcarddnsentries - singular: wildcarddnsentry - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: Current Status of the CRD - jsonPath: .status.state - - name: Message - type: string - description: Status Message - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - zone: - type: object - description: DNS configuration for a zone - properties: - domain: - type: string - description: Domain name - dnsaddrec: - type: object - description: DNS Address record - properties: - domain-ip: - type: string - description: IPv4 addresses to assign to the domain name - ttl: - type: integer - description: >- - TTL is the time for which the record must be cached - by DNS proxies - dnsaaaarec: - type: object - description: DNS AAAA record - properties: - domain-ip: - type: string - description: IPv6 addresses to assign to the domain name - ttl: - type: integer - description: >- - TTL is the time for which the record must be cached - by DNS proxies - soarec: - type: object - description: SOA record - properties: - origin-server: - type: string - description: Origin server domain - contact: - type: string - description: Admin contact - serial: - type: integer - description: >- - The secondary server uses this parameter to - determine whether it requires a zone transfer from - the primary server. 
- refresh: - type: integer - description: >- - Time, in seconds, for which a secondary server must - wait between successive checks on the value of the - serial number. - retry: - type: integer - description: >- - Time, in seconds, between retries if a secondary server's - attempt to contact the primary server for a zone refresh fails. - expire: - type: integer - description: >- - Time, in seconds, after which the zone data on a secondary - nameserver can no longer be considered authoritative because - all refresh and retry attempts made during the period have failed." - nsrec: - type: object - description: Name server record - properties: - nameserver: - type: string - description: Host name of the name server to add to the domain. - ttl: - type: integer - description: >- - Time to Live (TTL), in seconds, for the record. TTL - is the time for which the record must be cached by - DNS proxies. The specified TTL is applied to all the - resource records that are of the same record type - and belong to the specified domain name ---- -{{- end }} diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.27.15/templates/citrix-k8s-cpx-ingress.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.27.15/templates/citrix-k8s-cpx-ingress.yaml deleted file mode 100644 index 8af1c96e63..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.27.15/templates/citrix-k8s-cpx-ingress.yaml +++ /dev/null 
@@ -1,414 +0,0 @@ -apiVersion: apps/v1 -{{- if or .Values.cpxBgpRouter .Values.daemonSet }} -kind: DaemonSet -{{- else }} -kind: Deployment -{{- end }} -metadata: - name: {{ include "citrix-cpx-ingress-controller.fullname" . }} - namespace: {{ .Release.Namespace }} -spec: - selector: - matchLabels: - app: {{ include "citrix-cpx-ingress-controller.fullname" . }} -{{- if not ( or .Values.cpxBgpRouter .Values.daemonSet ) }} - replicas: {{ .Values.replicaCount }} -{{- end }} - template: - metadata: - name: {{ include "citrix-cpx-ingress-controller.fullname" . }} - labels: - app: {{ include "citrix-cpx-ingress-controller.fullname" . }} - adc: "citrix" -{{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} -{{- end }} - spec: - serviceAccountName: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }} -{{- if .Values.cpxBgpRouter }} - hostNetwork: true -{{- end }} - containers: - - name: cpx-ingress - image: "{{ tpl .Values.image . }}" - imagePullPolicy: {{ .Values.pullPolicy }} - tty: true - securityContext: - privileged: true - env: - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace -{{- if .Values.cpxLicenseAggregator }} - - name: "CLA" - value: {{ .Values.cpxLicenseAggregator | quote }} -{{- else if .Values.ADMSettings.licenseServerIP }} - - name: "LS_IP" - value: {{ .Values.ADMSettings.licenseServerIP | quote }} - - name: "LS_PORT" - value: {{ .Values.ADMSettings.licenseServerPort | quote }} -{{- end }} - - name: "EULA" - value: "{{ .Values.license.accept }}" - - name: "KUBERNETES_TASK_ID" - value: "" -{{- if not .Values.cpxBgpRouter }} - - name: "MGMT_HTTP_PORT" - value: {{ .Values.mgmtHttpPort | quote }} - - name: "MGMT_HTTPS_PORT" - value: {{ .Values.mgmtHttpsPort | quote }} -{{- end }} -{{- if .Values.cpxBgpRouter }} - - name: NS_NETMODE - value: HOST -{{- if .Values.nsIP }} - - name: "NS_IP" 
- value: "{{ .Values.nsIP }}" -{{- end }} -{{- if .Values.nsGateway }} - - name: "NS_GATEWAY" - value: "{{ .Values.nsGateway }}" -{{- end }} -{{- end }} -{{- if .Values.ADMSettings.ADMIP }} - - name: "NS_MGMT_SERVER" - value: {{ .Values.ADMSettings.ADMIP | quote }} - - name: "NS_HTTP_PORT" - value: {{ .Values.mgmtHttpPort | quote }} - - name: "NS_HTTPS_PORT" - value: {{ .Values.mgmtHttpsPort | quote }} - - name: "LOGSTREAM_COLLECTOR_IP" - value: {{ .Values.ADMSettings.ADMIP | quote }} - - name: "ANALYTICS_SERVER" - value: {{ .Values.ADMSettings.ADMIP | quote }} - - name: "ANALYTICS_SERVER_PORT" - value: {{ .Values.ADMSettings.analyticsServerPort | quote }} -{{- end }} -##Need to set env var BANDWIDTH in order to provide Bandwidth license to Citrix ADC CPX from ADM or CPX License Aggregator -{{- if and ( or ( .Values.ADMSettings.licenseServerIP ) ( .Values.cpxLicenseAggregator ) ) ( eq .Values.ADMSettings.bandWidthLicense true ) }} - - name: "BANDWIDTH" - value: {{ .Values.ADMSettings.bandWidth | quote }} -{{- end }} -#for multiple-PE support, need to set CPX_CORES -{{- if or .Values.ADMSettings.licenseServerIP .Values.cpxLicenseAggregator }} -{{- if or ( eq .Values.ADMSettings.vCPULicense true ) ( eq .Values.ADMSettings.bandWidthLicense true ) }} - - name: "CPX_CORES" - value: {{ .Values.ADMSettings.cpxCores | default 1 | quote }} -{{- end }} -{{- end }} - - name: "EDITION" - value: {{ .Values.ADMSettings.licenseEdition }} -{{- if or (.Values.ADMSettings.ADMIP) (.Values.ADMSettings.licenseServerIP) }} - - name: NS_MGMT_USER - valueFrom: - secretKeyRef: - name: {{ required "Provide Secret for ADM/LicenseServer credentials" .Values.ADMSettings.loginSecret }} - key: username - - name: NS_MGMT_PASS - valueFrom: - secretKeyRef: - name: {{ required "Provide Secret for ADM/LicenseServer credentials" .Values.ADMSettings.loginSecret }} - key: password -{{- end }} -{{- if .Values.exporter.required }} - - name: "METRICS_EXPORTER_PORT" - value: {{ 
.Values.exporter.ports.containerPort | quote }} -{{- end }} - resources: - {{- toYaml .Values.resources | nindent 12 }} - volumeMounts: - - mountPath: /var/deviceinfo - name: shared-data - - mountPath: /cpx/ - name: cpx-volume -{{- if .Values.cic.required }} - # Add cic as a sidecar - - name: cic - image: "{{ tpl .Values.cic.image . }}" - imagePullPolicy: {{ .Values.cic.pullPolicy }} - env: - - name: "EULA" - value: "{{ .Values.license.accept }}" -{{- if .Values.cpxBgpRouter }} - - name: "NS_IP" - value: {{ .Values.nsIP | default "192.168.1.2" | quote }} -{{- else }} - - name: "NS_IP" - value: "127.0.0.1" -{{- end }} - - name: "NS_APPS_NAME_PREFIX" - value: {{ .Values.entityPrefix | default "k8s"}} - - name: "NS_DEPLOYMENT_MODE" - value: "SIDECAR" -{{- if and .Values.openshift .Values.routeLabels }} - - name: "ROUTE_LABELS" - value: {{ .Values.routeLabels | quote}} -{{- end }} -{{- if and .Values.openshift .Values.namespaceLabels }} - - name: "NAMESPACE_LABELS" - value: {{ .Values.namespaceLabels | quote }} -{{- end }} -{{- if .Values.cpxBgpRouter }} -{{- if eq (upper .Values.nsProtocol) "HTTPS" }} - - name: NS_PROTOCOL - value: HTTPS - - name: NS_PORT - value: "9443" -{{- else }} - - name: NS_PROTOCOL - value: HTTP - - name: NS_PORT - value: "9080" -{{- end }} -{{- if .Values.bgpPort }} - - name: "BGP_PORT" - value: {{ .Values.bgpPort | quote }} -{{- end }} -{{- end }} - - name: "NS_ENABLE_MONITORING" - value: "YES" -{{- if .Values.logProxy }} - - name: "NS_LOGPROXY" - value: {{ .Values.logProxy | quote }} -{{- end }} -{{- if .Values.ingressIP }} - - name: "NS_VIP" - value: {{ .Values.ingressIP | quote }} -{{- end }} -{{- if .Values.nitroReadTimeout }} - - name: "NS_NITRO_READ_TIMEOUT" - value: "{{ .Values.nitroReadTimeout }}" -{{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: NODE_NAME - valueFrom: - 
fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName -{{- if .Values.kubernetesURL }} - - name: "kubernetes_url" - value: "{{ .Values.kubernetesURL }}" -{{- end }} -{{- if .Values.disableOpenshiftRoutes }} - - name: "DISABLE_OPENSHIFT_ROUTES" - value: "{{ .Values.disableOpenshiftRoutes }}" -{{- end }} -{{- if .Values.nsConfigDnsRec }} - - name: "NS_CONFIG_DNS_REC" - value: "{{ .Values.nsConfigDnsRec }}" -{{- end }} -{{- if .Values.nsSvcLbDnsRec }} - - name: "NS_SVC_LB_DNS_REC" - value: "{{ .Values.nsSvcLbDnsRec }}" -{{- end }} -{{- if .Values.optimizeEndpointBinding }} - - name: "OPTIMIZE_ENDPOINT_BINDING" - value: "{{ .Values.optimizeEndpointBinding }}" -{{- end }} -{{- if .Values.cpxBgpRouter }} - securityContext: - runAsUser: 0 - capabilities: - add: - - NET_ADMIN -{{- end }} - args: - - --configmap - {{ .Release.Namespace }}/{{ include "cpxconfigmap.fullname" . }} -{{- if .Values.ipam }} - - --ipam - citrix-ipam-controller -{{- end }} -{{- if .Values.disableAPIServerCertVerify }} - - --disable-apiserver-cert-verify - {{ .Values.disableAPIServerCertVerify }} -{{- end }} -{{- if .Values.cpxBgpRouter }} - - --deployment-type - kube-bgp-router -{{- end }} -{{- if .Values.ingressClass }} - - --ingress-classes -{{- range .Values.ingressClass}} - {{.}} -{{- end }} -{{- end }} -{{- if .Values.defaultSSLCertSecret }} - - --default-ssl-certificate - {{ .Release.Namespace }}/{{ .Values.defaultSSLCertSecret }} -{{- end }} -{{- end }} -{{- if .Values.updateIngressStatus }} -{{- if .Values.cpxBgpRouter }} - - --update-ingress-status - yes -{{- else }} - - --cpx-service - {{ .Release.Namespace }}/{{ include "cpxservice.fullname" . }} -{{- end }} -{{- end }} - volumeMounts: - - mountPath: /var/deviceinfo - name: shared-data - resources: - {{- toYaml .Values.cic.resources | nindent 12 }} -{{- if .Values.exporter.required }} - - name: exporter - image: "{{ tpl .Values.exporter.image . 
}}" - imagePullPolicy: {{ .Values.exporter.pullPolicy }} - args: - - "--secure=no" -{{- if .Values.cpxBgpRouter }} - - --target-nsip={{ .Values.nsIP | default "192.168.1.2" }}:9080 -{{- else }} - - "--target-nsip=127.0.0.1" -{{- end }} - - "--port={{ .Values.exporter.ports.containerPort }}" - env: - - name: "NS_DEPLOYMENT_MODE" - value: "SIDECAR" - securityContext: - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /var/deviceinfo - name: shared-data - resources: - {{- toYaml .Values.exporter.resources | nindent 12 }} -{{- end }} - volumes: - - name: shared-data - emptyDir: {} - - name: cpx-volume - emptyDir: {} -{{- if and .Values.nodeSelector.key .Values.nodeSelector.value }} - nodeSelector: - {{ .Values.nodeSelector.key }}: {{ .Values.nodeSelector.value }} -{{- end }} -{{- if .Values.tolerations }} - tolerations: {{ .Values.tolerations | toYaml | nindent 8 }} -{{- end }} -{{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} -{{- end }} - ---- -{{- if .Values.cpxBgpRouter }} -{{- if .Values.exporter.required }} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "cpxexporter.fullname" . }} - labels: - app: {{ include "cpxexporter.fullname" . }} - service-type: {{ include "cpxservicemonitorlabel" . }} -spec: - type: ClusterIP - ports: - - port: {{ .Values.exporter.ports.containerPort }} - targetPort: {{ .Values.exporter.ports.containerPort }} - name: exporter-port - selector: - app: {{ include "citrix-cpx-ingress-controller.fullname" . }} -{{- end }} -{{- else }} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "cpxservice.fullname" . }} - labels: - app: cpx-service - service-type: {{ include "cpxservicemonitorlabel" . }} -{{- if .Values.serviceAnnotations }} - annotations: -{{- with .Values.serviceAnnotations }} -{{ toYaml . 
| indent 4 }} -{{- end }} -{{- end }} -spec: -{{- if or .Values.serviceType.loadBalancer.enabled ( and (.Values.updateIngressStatus) (not .Values.cpxBgpRouter)) }} - externalTrafficPolicy: {{ .Values.serviceSpec.externalTrafficPolicy }} - type: LoadBalancer -{{- if .Values.serviceSpec.loadBalancerIP }} - loadBalancerIP: {{ .Values.serviceSpec.loadBalancerIP }} -{{- end }} -{{- else if .Values.serviceType.nodePort.enabled }} - type: NodePort - externalTrafficPolicy: {{ .Values.serviceSpec.externalTrafficPolicy }} -{{- end }} -{{- if and .Values.serviceType.loadBalancer.enabled .Values.serviceSpec.loadBalancerSourceRanges }} - loadBalancerSourceRanges: -{{- range .Values.serviceSpec.loadBalancerSourceRanges}} - - {{.}} -{{- end }} -{{- end }} - ports: -{{- if .Values.servicePorts }} -{{- with .Values.servicePorts }} -{{ toYaml . | indent 2 }} -{{- end }} -{{- else }} - - port: 80 - protocol: TCP - name: http -{{- if and .Values.serviceType.nodePort.enabled .Values.serviceType.nodePort.httpPort }} - nodePort: {{ .Values.serviceType.nodePort.httpPort }} -{{- end }} - - port: 443 - protocol: TCP - name: https -{{- if and .Values.serviceType.nodePort.enabled .Values.serviceType.nodePort.httpsPort }} - nodePort: {{ .Values.serviceType.nodePort.httpsPort}} -{{- end }} -{{- end }} -{{- if .Values.exporter.required }} - - port: {{ .Values.exporter.ports.containerPort }} - targetPort: {{ .Values.exporter.ports.containerPort }} - name: exporter-port -{{- end }} - selector: - app: {{ include "citrix-cpx-ingress-controller.fullname" . }} -{{- end }} - ---- - -{{- if .Values.exporter.required }} - -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ include "cpxservicemonitor.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - servicemonitor: citrix-adc-cpx -spec: - endpoints: - - interval: 30s - port: exporter-port - selector: - matchLabels: - service-type: {{ include "cpxservicemonitorlabel" . 
}} - namespaceSelector: - matchNames: - - monitoring - - default - - {{ .Release.Namespace }} - -{{- end }} diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.27.15/templates/configmap.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.27.15/templates/configmap.yaml deleted file mode 100644 index dff57083e9..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.27.15/templates/configmap.yaml +++ /dev/null 
@@ -1,71 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "cpxconfigmap.fullname" . }} - namespace: {{ .Release.Namespace }} -data: - LOGLEVEL: {{ .Values.logLevel | quote | lower }} - JSONLOG: {{ .Values.jsonLog | quote | lower }} -{{- if eq (upper .Values.nsProtocol) "HTTPS" }} - NS_PROTOCOL: "https" -{{- if .Values.cpxBgpRouter }} - NS_PORT: "9443" -{{- else }} - NS_PORT: "443" -{{- end }} -{{- else }} - NS_PROTOCOL: "http" -{{- if .Values.cpxBgpRouter }} - NS_PORT: "9080" -{{- else }} - NS_PORT: "80" -{{- end }} -{{- end }} - -{{- if ne (upper .Values.nsHTTP2ServerSide) "OFF" }} - NS_HTTP2_SERVER_SIDE: {{ .Values.nsHTTP2ServerSide | quote }} -{{- end }} -{{- if ne (toString .Values.nsCookieVersion) "0" }} - NS_COOKIE_VERSION: {{ .Values.nsCookieVersion | quote }} -{{- end }} -{{- if .Values.nsDnsNameserver }} - NS_DNS_NAMESERVER: {{ .Values.nsDnsNameserver }} -{{- end }} - -{{- if .Values.analyticsConfig.required }} - NS_ANALYTICS_CONFIG: | - distributed_tracing: - enable: {{ .Values.analyticsConfig.distributedTracing.enable | quote }} - samplingrate: {{ .Values.analyticsConfig.distributedTracing.samplingrate }} - endpoint: - server: {{ include "analytics.server" . | quote }} - service: {{ .Values.analyticsConfig.endpoint.service | quote }} - timeseries: - port: {{ .Values.analyticsConfig.timeseries.port }} - metrics: - enable: {{ .Values.analyticsConfig.timeseries.metrics.enable | quote }} - mode: {{ .Values.analyticsConfig.timeseries.metrics.mode | quote }} - auditlogs: - enable: {{ .Values.analyticsConfig.timeseries.auditlogs.enable | quote }} - events: - enable: {{ .Values.analyticsConfig.timeseries.events.enable | quote }} - transactions: - enable: {{ .Values.analyticsConfig.transactions.enable | quote }} - port: {{ .Values.analyticsConfig.transactions.port }} -{{- end }} - -{{- if .Values.cpxBgpRouter }} -{{- if .Values.bgpSettings.required }} - NS_BGP_CONFIG: | -{{- with .Values.bgpSettings.bgpConfig }} - bgpConfig: -{{ toYaml . 
| indent 4 }} -{{- end }} -{{- end }} -{{- end }} - -{{- if .Values.nsLbHashAlgo.required }} - NS_LB_HASH_ALGO: | - hashFingers: {{ .Values.nsLbHashAlgo.hashFingers }} - hashAlgorithm: {{ .Values.nsLbHashAlgo.hashAlgorithm | quote }} -{{- end }} diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.27.15/templates/ingressclass.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.27.15/templates/ingressclass.yaml deleted file mode 100644 index d75537b79f..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.27.15/templates/ingressclass.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{- $default := .Values.setAsDefaultIngressClass -}} -{{- if semverCompare ">=1.19.0-0" .Capabilities.KubeVersion.GitVersion }} -{{- if .Values.ingressClass }} -{{- range .Values.ingressClass }} -apiVersion: networking.k8s.io/v1 -kind: IngressClass -metadata: - name: {{ . | quote }} -{{- if $default }} - annotations: - ingressclass.kubernetes.io/is-default-class: "true" -{{- end }} -spec: - controller: citrix.com/ingress-controller ---- -{{- end }} -{{- end }} -{{- end }} diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.27.15/templates/rbac.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.27.15/templates/rbac.yaml deleted file mode 100644 index c7e46b1536..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.27.15/templates/rbac.yaml +++ /dev/null 
@@ -1,89 +0,0 @@ -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }} -rules: - - apiGroups: [""] -{{- if .Values.openshift }} - resources: ["endpoints", "pods", "secrets", "routes", "tokenreviews", "subjectaccessreviews", "nodes", "namespaces", "configmaps", "services"] -{{- else }} - resources: ["endpoints", "pods", "secrets", "routes", "nodes", "namespaces", "configmaps", "services"] -{{- end }} - verbs: ["get", "list", "watch"] - # services/status is needed to update the loadbalancer IP in service status for integrating - # service of type LoadBalancer with external-dns - - apiGroups: [""] - resources: ["services/status"] - verbs: ["patch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create"] - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["patch"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingressclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apps"] - resources: ["deployments"] - verbs: ["get", "list", "watch"] - - apiGroups: ["citrix.com"] - resources: ["rewritepolicies", "continuousdeployments", "authpolicies", "ratelimits", "listeners", "httproutes", "wafs", "apigatewaypolicies", "bots", "corspolicies", "appqoepolicies", "wildcarddnsentries"] - verbs: ["get", "list", "watch", "create", "delete", "patch"] - - apiGroups: ["citrix.com"] - resources: ["rewritepolicies/status", "continuousdeployments/status", "authpolicies/status", "ratelimits/status", "listeners/status", "httproutes/status", "wafs/status", "apigatewaypolicies/status", "bots/status", "corspolicies/status", "appqoepolicies/status", "wildcarddnsentries/status"] - verbs: ["patch"] - - apiGroups: 
["citrix.com"] - resources: ["vips"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: ["crd.projectcalico.org"] - resources: ["ipamblocks"] - verbs: ["get", "list", "watch"] -{{- if .Values.openshift }} - - apiGroups: ["route.openshift.io"] - resources: ["routes"] - verbs: ["get", "list", "watch"] - - apiGroups: ["network.openshift.io"] - resources: ["hostsubnets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["config.openshift.io"] - resources: ["networks"] - verbs: ["get", "list"] -{{- end }} - ---- - -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }} -subjects: -- kind: ServiceAccount - name: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- if .Values.imagePullSecrets }} -imagePullSecrets: -{{- range .Values.imagePullSecrets }} -- name: {{.}} -{{- end }} -{{- end }} - ---- diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.27.15/values.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.27.15/values.yaml deleted file mode 100644 index 3a9ad26b5a..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.27.15/values.yaml +++ /dev/null 
@@ -1,221 +0,0 @@ -# Default values for citrix-cpx-with-ingress-controller. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -# Citrix ADC CPX config details -imageRegistry: quay.io -imageRepository: citrix/citrix-k8s-cpx-ingress -imageTag: 13.1-30.52 -image: "{{ .Values.imageRegistry }}/{{ .Values.imageRepository }}:{{ .Values.imageTag }}" -pullPolicy: IfNotPresent -imagePullSecrets: [] -daemonSet: False -nameOverride: "" -replicaCount: 1 -fullnameOverride: "" -mgmtHttpPort: 9080 -mgmtHttpsPort: 9443 -openshift: false -nsHTTP2ServerSide: "OFF" -nsCookieVersion: "0" -nsConfigDnsRec: -nsSvcLbDnsRec: -nsDnsNameserver: -optimizeEndpointBinding: -routeLabels: -namespaceLabels: - -# Service Type LoadBalancer and ingress support with CPX through BGP advertisement -# If you enable this, CPX is run as DaemonSet. Please edit the bgpSettings for configuring -# BGP neighbors for propgation of external IPs. -cpxBgpRouter: false - -# If cpxBgpRouter is true, then this is the NSIP used by CPX for internal communication -nsIP: 192.168.1.2 - -# If cpxBgpRouter is true, then this is the Gateway used by CPX for internal communication -nsGateway: 192.168.1.1 - -# Protocol used for communication between Citrix Ingress Controller sidecar and Citrix CPX -nsProtocol: http - -# External IP for ingress resource when bgpRouter is set to True -ingressIP: - -# If IPAM controller is used for auto allocation of the external IP for service of type LoadBalancer, set this option to true -ipam: False - -# API server Cert verification can be disabled, while communicating with API Server, if disableAPIServerCertVerify set to True -disableAPIServerCertVerify: False - -cpxLicenseAggregator: - -sslCertManagedByAWS: False - -nodeSelector: - key: - value: -tolerations: [] - -serviceType: - loadBalancer: - enabled: False - nodePort: - enabled: False - httpPort: - httpsPort: - -serviceAnnotations: {} - -serviceSpec: - externalTrafficPolicy: "Cluster" - 
loadBalancerIP: - loadBalancerSourceRanges: [] - -servicePorts: [] - -# Citrix Ingress Controller config details -cic: - imageRegistry: quay.io - imageRepository: citrix/citrix-k8s-ingress-controller - imageTag: 1.27.15 - image: "{{ .Values.cic.imageRegistry }}/{{ .Values.cic.imageRepository }}:{{ .Values.cic.imageTag }}" - pullPolicy: IfNotPresent - required: true - resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # Following values depends on no of ingresses configured by Ingress Controllers, so it is - # advised to test with maximum no of ingresses to set these values. - # limits: - # cpu: 1000m - # memory: 1000Mi - # requests: - # cpu: 250m - # memory: 256Mi -entityPrefix: -license: - accept: no -ingressClass: -setAsDefaultIngressClass: False -# nitroReadTimeout is timeout value in seconds for nitro api read timeout(default is 20) -nitroReadTimeout: -logLevel: INFO -jsonLog: false -defaultSSLCertSecret: -updateIngressStatus: False -logProxy: -kubernetesURL: -disableOpenshiftRoutes: - -# Citrix ADM/License Server config details -ADMSettings: - licenseServerIP: - licenseServerPort: 27000 - ADMIP: - loginSecret: - bandWidthLicense: false - bandWidth: 1000 #bandwidth value shoule be in Mbps - vCPULicense: false - cpxCores: - analyticsServerPort: 5557 - licenseEdition: PLATINUM - -# Exporter config details -exporter: - required: false - imageRegistry: quay.io - imageRepository: citrix/citrix-adc-metrics-exporter - imageTag: 1.4.9 - image: "{{ .Values.exporter.imageRegistry }}/{{ .Values.exporter.imageRepository }}:{{ .Values.exporter.imageTag }}" - pullPolicy: IfNotPresent - ports: - containerPort: 8888 - resources: {} - # We usually recommend 
not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - - -# For CRDs supported by Citrix Ingress Controller -crds: - install: false - retainOnDelete: false - -# Config required to be done by Citrix Ingress Controller for sending metrics to Citrix Observability Exporter -analyticsConfig: - required: false - distributedTracing: - enable: false - samplingrate: 100 - endpoint: - server: - service: - timeseries: - port: 5563 - metrics: - enable: false - mode: 'avro' - auditlogs: - enable: false - events: - enable: false - transactions: - enable: false - port: 5557 - -# BGP configurations: local AS, remote AS and remote address is mandatory to provide. Please do the approrpiate changes with respect to your environment -bgpSettings: - # When bgpConfig is configured correctly, set the required to true for the configuration to be applied. - required: false - bgpConfig: - - bgpRouter: - # Local AS number for BGP advertisement - localAS: 100 - neighbor: - # Address of the nighbor router for BGP advertisement - - address: - # Remote AS number - remoteAS: 100 - advertisementInterval: 10 - ASOriginationInterval: 10 - -bgpPort: - -nsLbHashAlgo: - required: false - hashFingers: 256 - hashAlgorithm: 'DEFAULT' - -# Specifies whether a ServiceAccount should be created -serviceAccount: - create: true - # The name of the ServiceAccount to use. - # If not set and `create` is true, a name is generated using the fullname template - # name: - -podAnnotations: {} - -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. 
This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:' - # This is the resource for CPX container. - # limits: - # cpu: 500m - # memory: 512Mi - # requests: - # cpu: 100m - # memory: 128Mi - -affinity: {} diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.28.2/Chart.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.28.2/Chart.yaml deleted file mode 100644 index d19226e358..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.28.2/Chart.yaml +++ /dev/null @@ -1,22 +0,0 @@ -annotations: - catalog.cattle.io/certified: partner - catalog.cattle.io/display-name: Citrix Cpx with Ingress Controller - catalog.cattle.io/kube-version: '>=v1.16.0-0' - catalog.cattle.io/release-name: citrix-cpx-with-ingress-controller -apiVersion: v2 -appVersion: 1.28.2 -deprecated: true -description: A Helm chart for Citrix ADC CPX with Citrix ingress Controller running - as sidecar. -home: https://www.citrix.com -icon: https://raw.githubusercontent.com/citrix/citrix-helm-charts/gh-pages/icon.png -kubeVersion: '>=v1.16.0-0' -maintainers: -- email: priyanka.sharma@citrix.com - name: priyankash-citrix -- email: subash.dangol@citrix.com - name: subashd -name: citrix-cpx-with-ingress-controller -sources: -- https://github.com/citrix/citrix-k8s-ingress-controller -version: 1.28.2 diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.28.2/README.md b/charts/citrix/citrix-cpx-with-ingress-controller/1.28.2/README.md deleted file mode 100644 index a5c39557eb..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.28.2/README.md +++ /dev/null 
@@ -1,573 +0,0 @@ -# Citrix ADC CPX with Citrix Ingress Controller running as sidecar. - -In a [Kubernetes](https://kubernetes.io/) or [OpenShift](https://www.openshift.com) cluster, you can deploy [Citrix ADC CPX](https://docs.citrix.com/en-us/citrix-adc-cpx) with Citrix ingress controller as a [sidecar](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/). The Citrix ADC CPX instance is used for load balancing the North-South traffic to the microservices in your cluster. And, the sidecar Citrix ingress controller configures the Citrix ADC CPX. - -## TL;DR; - -### For Kubernetes - ``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes - ``` - - To install Citrix Provided Custom Resource Definition(CRDs) along with Citrix Ingress Controller - ``` - helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,crds.install=true - ``` - -### For OpenShift - - ``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,openshift=true - ``` - - To install Citrix Provided Custom Resource Definition(CRDs) along with Citrix Ingress Controller - ``` - helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,openshift=true,crds.install=true - ``` - -> **Important:** -> -> The "license.accept" is a mandatory argument and should be set to "yes" to accept the terms of the Citrix license. - - -## Introduction -This Helm chart deploys a Citrix ADC CPX with Citrix ingress controller as a sidecar in the [Kubernetes](https://kubernetes.io/) or in the [Openshift](https://www.openshift.com) cluster using the [Helm](https://helm.sh/) package manager. 
- -### Prerequisites - -- The [Kubernetes](https://kubernetes.io/) version should be 1.16 and above if using Kubernetes environment. -- The [Openshift](https://www.openshift.com) version 4.8 or later if using OpenShift platform. -- The [Helm](https://helm.sh/) version 3.x or later. You can follow instruction given [here](https://github.com/citrix/citrix-helm-charts/blob/master/Helm_Installation_version_3.md) to install the same. -- You have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator), if you want to view the metrics of the Citrix ADC CPX collected by the [metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics). -- Registration of Citrix ADC CPX in ADM: You may want to register your CPX in ADM for licensing or to obtain [servicegraph](https://docs.citrix.com/en-us/citrix-application-delivery-management-service/application-analytics-and-management/service-graph.html). For this you will have to create a Kubernetes secret using ADM credentials and provide it while install the chart. Create a Kubernetes secret for the user name and password using the following command: - - ``` - kubectl create secret generic admlogin --from-literal=username= --from-literal=password= -n citrix-system - ``` - -## Installing the Chart -Add the Citrix Ingress Controller helm chart repository using command: - - ``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - ``` - -### For Kubernetes: -#### 1. Citrix ADC CPX with Citrix Ingress Controller running as side car. -To install the chart with the release name ``` my-release```: - - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,ingressClass[0]= - ``` - -> **Note:** -> -> By default the chart installs the recommended [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) roles and role bindings. 
- -The command deploys Citrix ADC CPX with Citrix ingress controller as a sidecar on the Kubernetes cluster with the default configuration. The [configuration](#configuration) section lists the mandatory and optional parameters that you can configure during installation. - -#### 2. Citrix ADC CPX with Citrix Ingress Controller and Exporter running as side car. -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed as sidecar to the Citrix ADC CPX and collects metrics from the Citrix ADC CPX instance. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. -> **Note:** -> -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). - -Use the following command for this: - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,ingressClass[0]=,exporter.required=true - ``` - -### For OpenShift: -Add the name of the service account created when the chart is deployed to the privileged Security Context Constraints of OpenShift: - - ``` - oc adm policy add-scc-to-user privileged system:serviceaccount:: - ``` - -#### 1. Citrix ADC CPX with Citrix Ingress Controller running as side car. -To install the chart with the release name, `my-release`, use the following command: - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,openshift=true - ``` - -#### 2. Citrix ADC CPX with Citrix Ingress Controller and Exporter running as side car. -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed as sidecar to the Citrix ADC CPX and collects metrics from the Citrix ADC CPX instance. 
You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. -> **Note:** -> -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). - -Use the following command for this: - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,openshift=true,exporter.required=true - ``` - -### Installed components - -The following components are installed: - -- [Citrix ADC CPX](https://docs.citrix.com/en-us/citrix-adc-cpx/netscaler-cpx.html) -- [Citrix ingress controller](https://github.com/citrix/citrix-k8s-ingress-controller) (if enabled) -- [Exporter](https://github.com/citrix/citrix-adc-metrics-exporter) (if enabled) - - -### Citrix ADC CPX Service Annotations: - - The parameter `serviceAnnotations` can be used to annotate CPX service while installing Citrix ADC CPX using this helm chart. 
- For example, if CPX is getting deployed in Azure and an Azure Internal Load Balancer is required before CPX then the annotation `service.beta.kubernetes.io/azure-load-balancer-internal:True` can be set in CPX service using Helm command: - - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,serviceAnnotations.service\\.beta\\.kubernetes\\.io/azure-load-balancer-internal=True - ``` - - or the same can be provided in [values.yaml](https://github.com/citrix/citrix-helm-charts/blob/master/citrix-cpx-with-ingress-controller/values.yaml): - - ``` - license: - accept: yes - serviceAnnotations: - service.beta.kubernetes.io/azure-load-balancer-internal: True - ``` - - which can be used to install Citrix ADC CPX using Helm command: - - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller -f values.yaml - ``` - - To know more about service annotations supported by Kubernetes on various platforms please see [this](https://kubernetes.io/docs/concepts/services-networking/service/). - -### Citrix ADC CPX Service Ports: - - By default, port 80 and 443 of CPX service will exposed when CPX is installed using this helm chart. If it is required to expose any other ports in CPX service then the parameter `servicePorts` can be used for it. 
- For example, if port 9999 is required to be exposed then below helm command can be used for installing Citrix ADC CPX: - - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,servicePorts[0].port=9999,servicePorts[0].protocol=TCP,servicePorts[0].name=https - ``` - - or the same can be provided in [values.yaml](https://github.com/citrix/citrix-helm-charts/blob/master/citrix-cpx-with-ingress-controller/values.yaml): - - ``` - license: - accept: yes - servicePorts: - - port: 9090 - protocol: TCP - name: https - ``` - - which can be used to install Citrix ADC using Helm command: - - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller -f values.yaml - ``` - -> **Note:** If `servicePorts` parameters is used, only ports provided in this parameter will be exposed in CPX service. -> If you want to expose default ports 80 or 443, then you will need to explicity mention these also in this parameter. - -### Configuration for ServiceGraph: - If Citrix ADC CPX need to send data to the Citrix ADM to bring up the servicegraph, then the below steps can be followed to install Citrix ADC CPX with ingress controller. Citrix ingress controller configures Citrix ADC CPX with the configuration required for servicegraph. - - 1. Create secret using Citrix ADC Agent credentials, which will be used by Citrix ADC CPX to communicate with Citrix ADM Agent: - - kubectl create secret generic admlogin --from-literal=username= --from-literal=password= - - 2. 
Deploy Citrix ADC CPX with Citrix ingress controller using helm command: - - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,analyticsConfig.required=true,analyticsConfig.timeseries.metrics.enable=true,analyticsConfig.distributedTracing.enable=true,analyticsConfig.endpoint.server=,ADMSettings.ADMIP=,ADMSettings.loginSecret= - -> **Note:** -> If container agent is being used here for Citrix ADM, please provide `svcIP` of container agent in the `analyticsConfig.endpoint.server` parameter. - -## Citrix ADC CPX DaemonSet with Citrix Ingress Controller as sidecar for BGP Advertisement - - The previous section of deploying CPX as a Deployment requires a Tier-1 Loadbalancer such as Citrix VPX or cloud loadbalancers to route the traffic to CPX instances running in Kubernetes cluster, but you can also leverage BGP network fabric in your on-prem environemnt to route the traffic to CPX instances in a Kubernetes or Openshift cluster. you need to deploy CPX with Citrix Ingress Controller as Daemonset to advertise the ExternalIPs of the K8s services of type LoadBalancer to your BGP Fabric. Citrix ADC CPX establishes a BGP peering session with your network routers, and uses that peering session to advertise the IP addresses of external cluster services. If your routers have ECMP capability, the traffic is load-balanced to multiple CPX instances by the upstream router, which in turn load-balances to actual application pods. When you deploy the Citrix ADC CPX with this mode, Citrix ADC CPX adds iptables rules for each service of type LoadBalancer on Kubernetes nodes. The traffic destined to the external IP address is routed to Citrix ADC CPX pods. You can also set the 'ingressIP' variable to an IP Address to advertise the External IP address for Ingress resources. Refer [documentation](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/cpx-bgp-router.md) for complete details about BGP advertisement with CPX. 
- -### Download the chart -You can download the chart usimg `helm pull` command. -``` -helm repo add citrix https://citrix.github.io/citrix-helm-charts/ -helm pull citrix/citrix-cpx-with-ingress-controller -tar -zxvf citrix-cpx-with-ingress-controller-x.y.z.tgz -``` - -### Edit the BGP configuration in values.yaml -BGP configurations enables CPX to peer with neighbor routers for advertisting the routes for Service of Type LoadBalancer. Citrix Ingress Controllers uses static IPs given in Service YAML or using an IPAM controller to allocate an External IP address, and same is advertisted to the neighbour router with the Gateway as Node IP. An example BGP configurations is given below. - -``` -# BGP configurations: local AS, remote AS and remote address is mandatory to provide. -bgpSettings: - required: true - bgpConfig: - - bgpRouter: - # Local AS number for BGP advertisement - localAS: - neighbor: - # Address of the nighbor router for BGP advertisement - - address: xx.xx.xx.xx - # Remote AS number - remoteAS: - advertisementInterval: 10 - ASOriginationInterval: 10 -``` -If the cluster spawns across multiple networks, you can also specify the NodeSelector to give different neighbors for different Cluster Nodes as shown below. - -``` -bgpSettings: - required: true - bgpConfig: - - nodeSelector: datacenter=ds1 - bgpRouter: - localAS: - neighbor: - - address: xx.xx.xx.xx - remoteAS: - advertisementInterval: 10 - ASOriginationInterval: 10 - - nodeSelector: datacenter=ds2 - bgpRouter: - localAS: - neighbor: - - address: yy.yy.yy.yy - remoteAS: - advertisementInterval: 10 - ASOriginationInterval: 10 -``` - -### Deploy the chart -#### For Kubernetes: -#### 1. Citrix ADC CPX DaemonSet with Citrix Ingress Controller running as side car for BGP Advertisement. 
- - -To install the chart with the release name ``` my-release```: - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true - ``` -If you are running Citrix IPAM for auto allocation of IPs for Service of type LoadBalancer, you must enable the IPAM configurations in Citrix Ingress Controller as show below: - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ipam=true - ``` -If you are using ingress resources, you must set the `ingressIP` to a valid IP Address which will enable the BGP route advertisement for this IP when ingress resource is deployed. - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ingressIP= - ``` - -> **Note:** -> -> By default the chart installs the recommended [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) roles and role bindings. - -The command deploys Citrix ADC CPX Daemonset with Citrix ingress controller as a sidecar on the Kubernetes cluster with the default configuration. The [configuration](#configuration) section lists the mandatory and optional parameters that you can configure during installation. - -#### 2. Citrix ADC CPX with Citrix Ingress Controller and Exporter running as side car for BGP Advertisement. -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed as sidecar to the Citrix ADC CPX and collects metrics from the Citrix ADC CPX instance. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. -> **Note:** -> -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). 
- -Use the following command for this: - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,exporter.required=true - ``` -If you are running Citrix IPAM controller for auto allocation of IPs for Service of type LoadBalancer, you must enable the IPAM configurations in Citrix Ingress Controller as show below: - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ipam=true,exporter.required=true - ``` -If you are using ingress resources, you must set the `ingressIP` to a valid IP Address which will enable the BGP route advertisement for this IP when ingress resource is deployed. - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ingressIP=, exporter.required=true - ``` - -#### For OpenShift: -Add the name of the service account created when the chart is deployed to the privileged Security Context Constraints of OpenShift: - - ``` - oc adm policy add-scc-to-user privileged system:serviceaccount:: - ``` - -#### 1. Citrix ADC CPX DaemonSet with Citrix Ingress Controller running as side car for BGP Advertisement. -To install the chart with the release name, `my-release`, use the following command: - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,openshift=true - ``` -If you are running Citrix IPAM controller for auto allocation of IPs for Service of type LoadBalancer, you must enable the IPAM configurations in Citrix Ingress Controller as show below: - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ipam=true,openshift=true - ``` - - If you are using ingress or Route resources, you must set the `ingressIP` to a valid IP Address which will enable the BGP route advertisement for this IP when ingress resource is deployed. 
- - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ingressIP=,openshift=true - ``` - -#### 2. Citrix ADC CPX with Citrix Ingress Controller and Exporter running as side car for BGP Advertisement. -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed as sidecar to the Citrix ADC CPX and collects metrics from the Citrix ADC CPX instance. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. -> **Note:** -> -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). - -Use the following command for this: - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,openshift=true,openshift=true,exporter.required=true - ``` -If you are running Citrix IPAM controller for auto allocation of IPs for Service of type LoadBalancer, you must enable the IPAM configurations in Citrix Ingress Controller as show below: - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ipam=true,openshift=true,exporter.required=true - ``` - -If you are using ingress or Route resources, you must set the `ingressIP` to a valid IP Address which will enable the BGP route advertisement for this IP when ingress resource is deployed. - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ingressIP=,openshift=true,exporter.required=true - ``` - -## CRDs configuration - -CRDs can be installed/upgraded when we install/upgrade Citrix ADC CPX with Citrix ingress controller using `crds.install=true` parameter in Helm. If you do not want to install CRDs, then set the option `crds.install` to `false`. 
By default, CRDs too get deleted if you uninstall through Helm. This means, even the CustomResource objects created by the customer will get deleted. If you want to avoid this data loss set `crds.retainOnDelete` to `true`. - -> **Note:** -> Installing again may fail due to the presence of CRDs. Make sure that you back up all CustomResource objects and clean up CRDs before re-installing Citrix ADC CPX with Citrix ingress controller. - -There are a few examples of how to use these CRDs, which are placed in the folder: [Example-CRDs](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds). Refer to them and install as needed, using the following command: -```kubectl create -f ``` - -### Details of the supported CRDs: - -#### authpolicies CRD: - -Authentication policies are used to enforce access restrictions to resources hosted by an application or an API server. - -Citrix provides a Kubernetes CustomResourceDefinitions (CRDs) called the [Auth CRD](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/auth) that you can use with the Citrix ingress controller to define authentication policies on the ingress Citrix ADC. - -Example file: [auth_example.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/auth_example.yaml) - -#### continuousdeployments CRD for canary: - -Canary release is a technique to reduce the risk of introducing a new software version in production by first rolling out the change to a small subset of users. After user validation, the application is rolled out to the larger set of users. Citrix ADC-Integrated [Canary Deployment solution](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/canary) stitches together all components of continuous delivery (CD) and makes canary deployment easier for the application developers. 
- -#### httproutes and listeners CRDs for contentrouting: - -[Content Routing (CR)](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/contentrouting) is the execution of defined rules that determine the placement and configuration of network traffic between users and web applications, based on the content being sent. For example, a pattern in the URL or header fields of the request. - -Example files: [HTTPRoute_crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/HTTPRoute_crd.yaml), [Listener_crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/Listener_crd.yaml) - -#### ratelimits CRD: - -In a Kubernetes deployment, you can [rate limit the requests](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/ratelimit) to the resources on the back end server or services using rate limiting feature provided by the ingress Citrix ADC. - -Example files: [ratelimit-example1.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/ratelimit-example1.yaml), [ratelimit-example2.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/ratelimit-example2.yaml) - -#### vips CRD: - -Citrix provides a CustomResourceDefinitions (CRD) called [VIP](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/vip) for asynchronous communication between the IPAM controller and Citrix ingress controller. - -The IPAM controller is provided by Citrix for IP address management. It allocates IP address to the service from a defined IP address range. The Citrix ingress controller configures the IP address allocated to the service as virtual IP (VIP) in Citrix ADX VPX. And, the service is exposed using the IP address. - -When a new service is created, the Citrix ingress controller creates a CRD object for the service with an empty IP address field. 
The IPAM Controller listens to addition, deletion, or modification of the CRD and updates it with an IP address to the CRD. Once the CRD object is updated, the Citrix ingress controller automatically configures Citrix ADC-specfic configuration in the tier-1 Citrix ADC VPX. - -#### rewritepolicies CRD: - -In kubernetes environment, to deploy specific layer 7 policies to handle scenarios such as, redirecting HTTP traffic to a specific URL, blocking a set of IP addresses to mitigate DDoS attacks, imposing HTTP to HTTPS and so on, requires you to add appropriate libraries within the microservices and manually configure the policies. Instead, you can use the [Rewrite and Responder features](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/crd/rewrite-responder-policies-deployment.yaml) provided by the Ingress Citrix ADC device to deploy these policies. - -Example files: [target-url-rewrite.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/target-url-rewrite.yaml) - -#### wafs CRD: - -[WAF CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/waf.md) can be used to configure the web application firewall policies with the Citrix ingress controller on the Citrix ADC VPX, MPX, SDX, and CPX. The WAF CRD enables communication between the Citrix ingress controller and Citrix ADC for enforcing web application firewall policies. - -In a Kubernetes deployment, you can enforce a web application firewall policy to protect the server using the WAF CRD. For more information about web application firewall, see [Web application security](https://docs.citrix.com/en-us/citrix-adc/13/application-firewall/introduction/web-application-security.html). 
- -Example files: [wafhtmlxsssql.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/wafhtmlxsssql.yaml) - -#### CORS CRD: - -[CORS CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/cors.md) Cross-origin resource sharing (CORS) is a mechanism allows a web application running under one domain to securely access resources in another domain. You can configure CORS policies on Citrix ADC using Citrix ingress controller to allow one domain (the origin domain) to call APIs in another domain. For more information, see the [cross-origin resource sharing CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/cors.md) documentation. - -Example files: [cors-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/corspolicy-example.yaml) - -#### APPQOE CRD: - -[APPQOE CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/appqoe.md) When a Citrix ADC appliance receives an HTTP request and forwards it to a back-end server, sometimes there may be connection failures with the back-end server. You can configure the request-retry feature on Citrix ADC to forward the request to the next available server, instead of sending the reset to the client. Hence, the client saves round trip time when Citrix ADC initiates the same request to the next available service. -For more information, see the AppQoE support documentation. [Appqoe resource sharing CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/appqoe.md) documentation. - -Example files: [appqoe-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/appqoe_example.yaml) - -#### WILDCARDDNS CRD: - -[WILDCARDDNS CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/wildcarddns.md) Wildcard DNS domains are used to handle requests for nonexistent domains and subdomains. 
In a zone, use wildcard domains to redirect queries for all nonexistent domains or subdomains to a particular server, instead of creating a separate Resource Record (RR) for each domain. The most common use of a wildcard DNS domain is to create a zone that can be used to forward mail from the internet to some other mail system. -For more information, see the Wild card DNS domains support documentation. [Wildcard DNS Entry CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/wildcarddns.md) documentation. - -Example files: [wildcarddns-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/wildcarddns-example.yaml) - -## Citrix ADC CPX servicetype LoadBalancer -Citrix ADC CPX can be installed with service having servicetype LoadBalancer. Following arguments can be used in the `helm install` command for the same: - -``` -helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,serviceType.loadBalancer.enabled=True -``` - -## Citrix ADC CPX servicetype NodePort -Citrix ADC CPX can be installed with service having servicetype Nodeport. Following arguments can be used in the `helm install` command for the same: - -``` -helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,serviceType.nodePort.enabled=True -``` - -Additionally, `serviceType.nodePort.httpPort` and `serviceType.nodePort.httpsPort` arguments can be used to select the nodePort for the CPX service for HTTP and HTTPS ports. - -### Tolerations - -Taints are applied on cluster nodes whereas tolerations are applied on pods. Tolerations enable pods to be scheduled on node with matching taints. For more information see [Taints and Tolerations in Kubernetes](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/). 
- -Toleration can be applied to pod running Citrix ADC CPX and ingress controller containers using `tolerations` argument while deploying CPX+CIC using helm chart. This argument takes list of tolerations that user need to apply on the CPX+CIC pods. - -For example, following command can be used to apply toleration on the CPX+CIC pod: - -``` -helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,tolerations[0].key=,tolerations[0].value=,tolerations[0].operator=,tolerations[0].effect= -``` - -Here tolerations[0].key, tolerations[0].value and tolerations[0].effect are the key, value and effect that was used while tainting the node. -Effect represents what should happen to the pod if the pod don't have any matching toleration. It can have values `NoSchedule`, `NoExecute` and `PreferNoSchedule`. -Operator represents the operation to be used for key and value comparison between taint and tolerations. It can have values `Exists` and `Equal`. The default value for operator is `Equal`. - -## Configuration -The following table lists the configurable parameters of the Citrix ADC CPX with Citrix ingress controller as side car chart and their default values. - -| Parameters | Mandatory or Optional | Default value | Description | -| ---------- | --------------------- | ------------- | ----------- | -| license.accept | Mandatory | no | Set `yes` to accept the Citrix ingress controller end user license agreement. | -| imageRegistry | Mandatory | `quay.io` | The Citrix ADC CPX image registry | -| imageRepository | Mandatory | `citrix/citrix-k8s-cpx-ingress` | The Citrix ADC CPX image repository | -| imageTag | Mandatory | `13.1-30.52` | The Citrix ADC CPX image tag | -| pullPolicy | Mandatory | IfNotPresent | The Citrix ADC CPX image pull policy. | -| daemonSet | Optional | False | Set this to true if Citrix ADC CPX needs to be deployed as DaemonSet. 
| -| cic.imageRegistry | Mandatory | `quay.io` | The Citrix ingress controller image registry | -| cic.imageRepository | Mandatory | `citrix/citrix-k8s-ingress-controller` | The Citrix ingress controller image repository | -| cic.imageTag | Mandatory | `1.28.2` | The Citrix ingress controller image tag | -| cic.pullPolicy | Mandatory | IfNotPresent | The Citrix ingress controller image pull policy. | -| cic.required | Mandatory | true | CIC to be run as sidecar with Citrix ADC CPX | -| cic.resources | Optional | {} | CPU/Memory resource requests/limits for Citrix Ingress Controller container | -| cic.rbacRole | Optional | false | To deploy CIC with RBAC Role set rbacRole=true; by default CIC gets installed with RBAC ClusterRole(rbacRole=false)) | -| imagePullSecrets | Optional | N/A | Provide list of Kubernetes secrets to be used for pulling the images from a private Docker registry or repository. For more information on how to create this secret please see [Pull an Image from a Private Registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/). | -| nameOverride | Optional | N/A | String to partially override deployment fullname template with a string (will prepend the release name) | -| fullNameOverride | Optional | N/A | String to fully override deployment fullname template with a string | -| resources | Optional | {} | CPU/Memory resource requests/limits for Citrix CPX container | -| nitroReadTimeout | Optional | 20 | The nitro Read timeout in seconds, defaults to 20 | -| logLevel | Optional | DEBUG | The loglevel to control the logs generated by CIC. The supported loglevels are: CRITICAL, ERROR, WARNING, INFO, DEBUG and TRACE. 
For more information, see [Logging](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/configure/log-levels.md).| -| jsonLog | Optional | false | Set this argument to true if log messages are required in JSON format | -| nsConfigDnsRec | Optional | false | To enable/disable DNS address Record addition in ADC through Ingress | -| nsSvcLbDnsRec | Optional | false | To enable/disable DNS address Record addition in ADC through Type Load Balancer Service | -| nsDnsNameserver | Optional | N/A | To add DNS Nameservers in ADC | -| optimizeEndpointBinding | Optional | false | To enable/disable binding of backend endpoints to servicegroup in a single API-call. Recommended when endpoints(pods) per application are large in number. Applicable only for Citrix ADC Version >=13.0-45.7 | -| defaultSSLCertSecret | Optional | N/A | Provide Kubernetes secret name that needs to be used as a default non-SNI certificate in Citrix ADC. | -| nsHTTP2ServerSide | Optional | OFF | Set this argument to `ON` for enabling HTTP2 for Citrix ADC service group configurations. | -| cpxLicenseAggregator | Optional | N/A | IP/FQDN of the CPX License Aggregator if it is being used to license the CPX. | -| nsCookieVersion | Optional | 0 | Specify the persistence cookie version (0 or 1). | -| logProxy | Optional | N/A | Provide Elasticsearch or Kafka or Zipkin endpoint for Citrix observability exporter. | -| nsProtocol | Optional | http | Protocol http or https used for the communication between Citrix Ingress Controller and CPX | -| cpxBgpRouter | Optional | false| If set to true, this CPX is deployed as daemonset in BGP controller mode wherein BGP advertisements are done for attracting external traffic to Kubernetes clusters | -| replicaCount | Optional | 1 | Number of CPX-CIC pods to be deployed. 
With `cpxBgpRouter : true`, replicaCount is 1 since CPX will be deployed as DaemonSet | -| nsIP | Optional | 192.168.1.2 | NSIP used by CPX for internal communication when run in Host mode, i.e when cpxBgpRouter is set to true. A /24 internal network is created in this IP range which is used for internal communications withing the network namespace. | -| nsGateway | Optional | 192.168.1.1 | Gateway used by CPX for internal communication when run in Host mode, i.e when cpxBgpRouter is set to true. If not specified, first IP in the nsIP network is used as gateway. It must be in same network as nsIP | -| bgpPort | Optional | 179 | BGP port used by CPX for BGP advertisement if cpxBgpRouter is set to true| -| ingressIP | Optional | N/A | External IP address to be used by ingress resources if not overriden by ingress.com/frontend-ip annotation in Ingress resources. This is also advertised to external routers when pxBgpRouter is set to true| -| entityPrefix | Optional | k8s | The prefix for the resources on the Citrix ADC CPX. | -| ingressClass | Optional | N/A | If multiple ingress load balancers are used to load balance different ingress resources. You can use this parameter to specify Citrix ingress controller to configure Citrix ADC associated with specific ingress class. For more information on Ingress class, see [Ingress class support](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/configure/ingress-classes/). For Kubernetes version >= 1.19, this will create an IngressClass object with the name specified here | -| setAsDefaultIngressClass | Optional | False | Set the IngressClass object as default. New Ingresses without an "ingressClassName" field specified will be assigned the class specified in ingressClass. Applicable only for kubernetes versions >= 1.19 | -| updateIngressStatus | Optional | False | Set this argument if you want to update ingress status of the ingress resources exposed via CPX. 
This is only applicable if servicetype of CPX service is LoadBalancer. | -| disableAPIServerCertVerify | Optional | False | Set this parameter to True for disabling API Server certificate verification. | -| openshift | Optional | false | Set this argument if OpenShift environment is being used. | -| disableOpenshiftRoutes | false | By default Openshift routes are processed in openshift environment, this variable can be used to disable Ingress controller processing the openshift routes. | -| routeLabels | Optional | N/A | You can use this parameter to provide the route labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster. | -| namespaceLabels | Optional | N/A | You can use this parameter to provide the namespace labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster. | -| sslCertManagedByAWS | Optional | False | Set this argument if SSL certs used is managed by AWS while deploying Citrix ADC CPX in AWS. | -| nodeSelector.key | Optional | N/A | Node label key to be used for nodeSelector option for CPX-CIC deployment. | -| nodeSelector.value | Optional | N/A | Node label value to be used for nodeSelector option in CPX-CIC deployment. | -| podAnnotations | Optional | N/A | Map of annotations to add to the pods. | -| affinity | Optional | N/A | Affinity labels for pod assignment. | -| tolerations | Optional | N/A | Specify the tolerations for the CPX-CIC deployment. | -| serviceType.loadBalancer.enabled | Optional | False | Set this argument if you want servicetype of CPX service to be LoadBalancer. | -| serviceType.nodePort.enabled | Optional | False | Set this argument if you want servicetype of CPX service to be NodePort. | -| serviceType.nodePort.httpPort | Optional | N/A | Specify the HTTP nodeport to be used for NodePort CPX service. | -| serviceType.nodePort.httpsPort | Optional | N/A | Specify the HTTPS nodeport to be used for NodePort CPX service. 
| -| serviceAnnotations | Optional | N/A | Dictionary of annotations to be used in CPX service. Key in this dictionary is the name of the annotation and Value is the required value of that annotation. For example, [see this](#citrix-adc-cpx-service-annotations). | -| serviceSpec.externalTrafficPolicy | Optional | Cluster | Use this parameter to provide externalTrafficPolicy for CPX service of type LoadBalancer or NodePort. `serviceType.loadBalancer.enabled` or `serviceType.nodePort.enabled` should be set to `true` according to your use case for using this parameter. | -| serviceSpec.loadBalancerIP | Optional | N/A | Use this parameter to provide LoadBalancer IP to CPX service of type LoadBalancer. `serviceType.loadBalancer.enabled` should be set to `true` for using this parameter. | -| serviceSpec.loadBalancerSourceRanges | Optional | N/A | Provide the list of IP Address or range which should be allowed to access the Network Load Balancer. `serviceType.loadBalancer.enabled` should be set to `true` for using this parameter. For details, see [Network Load Balancer support on AWS](https://kubernetes.io/docs/concepts/services-networking/service/#aws-nlb-support). | -| servicePorts | Optional | N/A | List of port. Each element in this list is a dictionary that contains information about the port. For example, [see this](#citrix-adc-cpx-service-ports). | -| ADMSettings.licenseServerIP | Optional | N/A | Provide the Citrix Application Delivery Management (ADM) IP address to license Citrix ADC CPX. For more information, see [Licensing](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/licensing/). | -| ADMSettings.licenseServerPort | Optional | 27000 | Citrix ADM port if non-default port is used. | -| ADMSettings.ADMIP | Optional | N/A | Citrix Application Delivery Management (ADM) IP address. | -| ADMSettings.loginSecret | Optional | N/A | The secret key to login to the ADM. 
For information on how to create the secret keys, see [Prerequisites](#prerequistes). | -| ADMSettings.bandWidthLicense | Optional | False | Set to true if you want to use bandwidth based licensing for Citrix ADC CPX. | -| ADMSettings.bandWidth | Optional | 1000 | Desired bandwidth capacity to be set for Citrix ADC CPX in Mbps. | -| ADMSettings.vCPULicense | Optional | N/A | Set to true if you want to use vCPU based licensing for Citrix ADC CPX. | -| ADMSettings.licenseEdition| Optional | PLATINUM | License edition that can be Standard, Platinum and Enterprise . By default, Platinum is selected.| -| ADMSettings.cpxCores | Optional | 1 | Desired number of vCPU to be set for Citrix ADC CPX. | -| ADMSettings.analyticsServerPort | Optional | 5557 | Port used for Analytics by ADM. Required to plot ServiceGraph. | -| exporter.required | Optional | false | Use the argument if you want to run the [Exporter for Citrix ADC Stats](https://github.com/citrix/citrix-adc-metrics-exporter) along with Citrix ingress controller to pull metrics for the Citrix ADC CPX| -| exporter.imageRegistry | Optional | `quay.io` | The Exporter for Citrix ADC Stats image registry | -| exporter.imageRepository | Optional | `citrix/citrix-adc-metrics-exporter` | The Exporter for Citrix ADC Stats image repository | -| exporter.imageTag | Optional | `1.4.9` | The Exporter for Citrix ADC Stats image tag | -| exporter.pullPolicy | Optional | IfNotPresent | The Exporter for Citrix ADC Stats image pull policy. | -| exporter.resources | Optional | {} | CPU/Memory resource requests/limits for Metrics exporter container | -| exporter.ports.containerPort | Optional | 8888 | The Exporter for Citrix ADC Stats container port. | -| analyticsConfig.required | Mandatory | false | Set this to true if you want to configure Citrix ADC to send metrics and transaction records to analytics service. 
| -| analyticsConfig.distributedTracing.enable | Optional | false | Set this value to true to enable OpenTracing in Citrix ADC. | -| analyticsConfig.distributedTracing.samplingrate | Optional | 100 | Specifies the OpenTracing sampling rate in percentage. | -| analyticsConfig.endpoint.server | Optional | N/A | Set this value as the IP address or DNS address of the analytics server. | -| analyticsConfig.endpoint.service | Optional | N/A | Set this value as the IP address or service name with namespace of the analytics service deployed in Kuberenetes. Format: namespace/servicename| -| analyticsConfig.timeseries.port | Optional | 5563 | Specify the port used to expose analytics service for timeseries endpoint. | -| analyticsConfig.timeseries.metrics.enable | Optional | Set this value to true to enable sending metrics from Citrix ADC. | -| analyticsConfig.timeseries.metrics.mode | Optional | avro | Specifies the mode of metric endpoint. | -| analyticsConfig.timeseries.auditlogs.enable | Optional | false | Set this value to true to export audit log data from Citrix ADC. | -| analyticsConfig.timeseries.events.enable | Optional | false | Set this value to true to export events from the Citrix ADC. | -| analyticsConfig.transactions.enable | Optional | false | Set this value to true to export transactions from Citrix ADC. | -| analyticsConfig.transactions.port | Optional | 5557 | Specify the port used to expose analytics service for transaction endpoint. | -| crds.install | Optional | False | Unset this argument if you don't want to install CustomResourceDefinitions which are consumed by CIC. | -| crds.retainOnDelete | Optional | false | Set this argument if you want to retain CustomResourceDefinitions even after uninstalling CIC. This will avoid data-loss of Custom Resource Objects created before uninstallation. 
| -| bgpSettings.required | Optional | false | Set this argument if you want to enable BGP configurations for exposing service of Type Loadbalancer through BGP fabric| -| bgpSettings.bgpConfig | Optional| N/A| This represents BGP configurations in YAML format. For the description about individual fields, please refer the [documentation](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/cpx-bgp-router.md) | -| nsLbHashAlgo.required | Optional | false | Set this value to set the LB consistent hashing Algorithm | -| nsLbHashAlgo.hashFingers | Optional |256 | Specifies the number of fingers to be used for hashing algorithm. Possible values are from 1 to 1024, Default value is 256 | -| nsLbHashAlgo.hashAlgorithm | Optional | 'default' | Specifies the supported algorithm. Supported algorithms are "default", "jarh", "prac", Default value is 'default' | - -> **Note:** -> -> If Citrix ADM related information is not provided during installation, Citrix ADC CPX will come up with the default license. - -Alternatively, you can define a YAML file with the values for the parameters and pass the values while installing the chart. - -For example: - ``` - helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller -f values.yaml - ``` - -> **Tip:** -> -> The [values.yaml](https://github.com/citrix/citrix-helm-charts/blob/master/citrix-cpx-with-ingress-controller/values.yaml) contains the default values of the parameters. 
-
-## Uninstalling the Chart
-To uninstall/delete the ```my-release``` deployment:
- ```
- helm delete my-release
- ```
-
-## Related documentation
-
-- [Citrix ADC CPX Documentation](https://docs.citrix.com/en-us/citrix-adc-cpx/12-1/cpx-architecture-and-traffic-flow.html)
-- [Citrix ingress controller Documentation](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/)
-- [Citrix ingress controller GitHub](https://github.com/citrix/citrix-k8s-ingress-controller)
-- [BGP advertisement for External IPs with CPX](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/cpx-bgp-router.md)
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.28.2/app-readme.md b/charts/citrix/citrix-cpx-with-ingress-controller/1.28.2/app-readme.md
deleted file mode 100644
index ef45a3d907..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.28.2/app-readme.md
+++ /dev/null
@@ -1,5 +0,0 @@
-# Citrix ADC CPX with Citrix Ingress Controller running as sidecar.
-
-In a [Kubernetes](https://kubernetes.io/) or [OpenShift](https://www.openshift.com) cluster, you can deploy [Citrix ADC CPX](https://docs.citrix.com/en-us/citrix-adc-cpx) with Citrix ingress controller as a [sidecar](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/). The Citrix ADC CPX instance is used for load balancing the North-South traffic to the microservices in your cluster. And, the sidecar Citrix ingress controller configures the Citrix ADC CPX.
-
-This Chart bootstraps deployment of Citrix ADC CPX with Citrix Ingress Controller as sidecar.
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.28.2/questions.yml b/charts/citrix/citrix-cpx-with-ingress-controller/1.28.2/questions.yml
deleted file mode 100644
index 0c87144137..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.28.2/questions.yml
+++ /dev/null
@@ -1,211 +0,0 @@ -questions: -- variable: license.accept - required: true - default: "no" - type: enum - description: "Set to yes to accept the terms and conditions of the Citrix license." - label: Accept License - group: "Deployment Settings" - options: - - "yes" - - "no" -- variable: openshift - default: false - type: boolean - description: "openshift is set to true if charts are being deployed in OpenShift environment" - label: Openshift flag - group: "Deployment Settings" -- variable: nsNamespace - type: string - description: "Prefix for the resources on Citrix ADC" - label: Resource Prefix - group: "Deployment Settings" -- variable: ingressClass[0] - type: string - description: "ingressClass is the name of the Ingress Class" - label: Ingress Class - group: "Deployment Settings" -- variable: logLevel - default: "DEBUG" - type: enum - options: - - "TRACE" - - "DEBUG" - - "INFO" - - "WARNING" - - "ERROR" - description: "logLevel of Citrix Ingress Controller pod" - label: LogLevel - group: "Deployment Settings" -- variable: defaultSSLCert - type: string - description: "Secret containing the default ceritifcate for SSL vservers" - label: Default SSLCert - group: "ADC Settings" -- variable: logProxy - type: string - description: "Elasticsearch or Kafka or Zipkin endpoint for Citrix observability exporte" - label: LogProxy - group: "Deployment Settings" -- variable: http2ServerSide - default: "OFF" - type: enum - options: - - "ON" - - "OFF" - description: "Set to ON to enable HTTP2 for Citrix ADC service group configurations" - label: HTTP2 on ADC - group: "ADC Settings" -- variable: nodeSelector.key - type: string - label: NodeSelector Key - group: "Deployment Settings" -- variable: nodeSelector.value - type: string - label: NodeSelector Value - group: "Deployment Settings" - - -- variable: ADMSettings.licenseServerIP - type: string - label: ADM LicenseServerIP - group: "ADM Settings" -- variable: ADMSettings.licenseServerPort - default: 27000 - type: int - label: 
ADM LicenseServerPort - group: "ADM Settings" -- variable: ADMSettings.ADMIP - type: string - label: ADM IP - group: "ADM Settings" -- variable: ADMSettings.ADMFingerPrint - type: string - label: ADM FingerPrint - group: "ADM Settings" -- variable: ADMSettings.loginSecret - type: string - label: ADM Login Secret - group: "ADM Settings" -- variable: ADMSettings.bandWidthLicense - type: boolean - label: CPX Bandwidth License - group: "ADM Settings" -- variable: ADMSettings.bandWidth - type: int - label: CPX Bandwidth - group: "ADM Settings" -- variable: ADMSettings.vCPULicense - type: boolean - label: CPX vCPU License - group: "ADM Settings" -- variable: ADMSettings.cpxCores - type: int - label: CPX Cores - group: "ADM Settings" -- variable: cic.pullpolicy - default: "IfNotPresent" - type: enum - label: CIC Image Pullpolicy - group: "CIC/CPX Image Settings" - options: - - "Always" - - "IfNotPresent" - - "Never" -- variable: pullpolicy - default: "IfNotPresent" - type: enum - label: CPX Image Pullpolicy - group: "CIC/CPX Image Settings" - options: - - "Always" - - "IfNotPresent" - - "Never" -- variable: cic.image - default: "quay.io/citrix/citrix-k8s-ingress-controller:1.8.28" - type: string - label: CIC Image - group: "CIC/CPX Image Settings" -- variable: image - type: string - default: "quay.io/citrix/citrix-k8s-cpx-ingress:13.0-58.30" - label: CPX Image - group: "CIC/CPX Image Settings" -- variable: exporter.image - default: "quay.io/citrix/citrix-adc-metrics-exporter:1.4.5" - type: string - description: "Exporter Image to be used" - label: Exporter Image - group: "Exporter Settings" -- variable: exporter.pullPolicy - default: "IfNotPresent" - type: string - description: "Exporter Image pull policy" - label: Exporter Image PullPolicy - group: "Exporter Settings" -- variable: exporter.ports.containerPort - default: 8888 - type: int - label: Exporter ContainerPort - group: "Exporter Settings" -- variable: coeConfig.distributedTracing.enable - default: false - type: 
boolean - label: Enable distributedTracing - group: "COE Settings" -- variable: coeConfig.distributedTracing.samplingrate - default: 100 - type: int - label: COE Sampling Rate - group: "COE Settings" -- variable: coeConfig.endpoint.server - type: string - label: COE Endpoint Server - group: "COE Settings" -- variable: coeConfig.timeseries.port - default: 5563 - type: int - label: COE timeseries port - group: "COE Settings" -- variable: coeConfig.timeseries.metrics.enable - default: false - type: boolean - label: Enable timeseries metrics - group: "COE Settings" -- variable: coeConfig.timeseries.metrics.mode - default: 'avro' - type: string - label: COE timeseries metrics Mode - group: "COE Settings" -- variable: coeConfig.timeseries.auditlogs.enable - default: false - type: string - label: Enable timeseries auditlogs - group: "COE Settings" -- variable: coeConfig.timeseries.events.enable - default: false - type: string - label: Enable timeseries events - group: "COE Settings" -- variable: coeConfig.transactions.enable - default: false - type: string - label: Enable transactions - group: "COE Settings" -- variable: coeConfig.transactions.port - default: 5557 - type: int - label: COE transactions port - group: "COE Settings" -- variable: crds.install - default: true - type: boolean - description: "If set to true the charts will install CustomResourceDefinitions which are consumed by CIC." - label: CRD flag - group: "Deployment Settings" -- variable: crds.retainOnDelete - default: false - type: boolean - description: "Set this argument to true if you want to retain CustomResourceDefinitions even after uninstalling CIC. This will avoid data-loss of Custom Resource Objects created before uninstallation." - label: CRD retainOnDelete flag - group: "Deployment Settings" 
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.28.2/templates/NOTES.txt b/charts/citrix/citrix-cpx-with-ingress-controller/1.28.2/templates/NOTES.txt
deleted file mode 100644
index bccfdf69a4..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.28.2/templates/NOTES.txt
+++ /dev/null
@@ -1,14 +0,0 @@
-Thank you for installing {{ .Chart.Name }}.
-
-Your release is named {{ .Release.Name }}.
-
-
-To learn more about the release, try:
-
- $ helm status {{ .Release.Name }}
- $ helm get {{ .Release.Name }}
-
-
-To delete :
- helm delete {{ .Release.Name }}
-
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.28.2/templates/_helpers.tpl b/charts/citrix/citrix-cpx-with-ingress-controller/1.28.2/templates/_helpers.tpl
deleted file mode 100644
index 92e636ce23..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.28.2/templates/_helpers.tpl
+++ /dev/null
@@ -1,97 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Analytics Server IP or DNS -*/}} -{{- define "analytics.server" -}} -{{- if .Values.analyticsConfig.endpoint.server -}} -{{- printf .Values.analyticsConfig.endpoint.server -}} -{{- else -}} -{{- printf "analytics.%s.svc.cluster.local" .Release.Namespace -}} -{{- end -}} -{{- end -}} - - -{{- define "citrix-cpx-ingress-controller.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "citrix-cpx-ingress-controller.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{- define "cpxservice.fullname" -}} -{{- $name := default .Chart.Name "cpx-service" .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} - -{{- define "cpxexporter.fullname" -}} -{{- $name := default .Chart.Name "exporter" .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} - -{{- define "cpxservicemonitor.fullname" -}} -{{- $name := default .Chart.Name "citrix-adc-cpx-servicemonitor" .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- 
.Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} - -{{- define "cpxservicemonitorlabel" -}} -{{- $name := default .Chart.Name "citrix-adc-cpx-svcmon" .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} - -{{- define "cpxconfigmap.fullname" -}} -{{- $name := default .Chart.Name "cpx-cic-configmap" .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "citrix-cpx-ingress-controller.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create the name of the service account to use -*/}} -{{- define "citrix-cpx-ingress-controller.serviceAccountName" -}} -{{- if .Values.serviceAccount.create -}} - {{ default (include "citrix-cpx-ingress-controller.fullname" .) .Values.serviceAccount.name }} -{{- else -}} - {{ default "default" .Values.serviceAccount.name }} -{{- end -}} -{{- end -}} diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.28.2/templates/cic_crds.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.28.2/templates/cic_crds.yaml deleted file mode 100644 index 6ff58466f8..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.28.2/templates/cic_crds.yaml +++ /dev/null 
@@ -1,2515 +0,0 @@ -{{- if .Values.crds.install }} -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: rewritepolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: rewritepolicy - plural: rewritepolicies - singular: rewritepolicy - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - rewrite-policies: - type: array - items: - type: object - properties: - servicenames: - description: 'Name of the services that needs to be binded to rewrite policy.' - type: array - items: - type: string - maxLength: 127 - goto-priority-expression: - description: 'Expression or other value specifying the next policy to be - evaluated if the current policy evaluates to TRUE. - Specify one of the following values: - * NEXT - Evaluate the policy with the next higher priority number. - * END - End policy evaluation. - Default value of goto-priority-expression: END' - type: string - maxLength: 1499 - logpackets: - type: object - description: 'Adds an audit message action. - The action specifies whether to log the message, and to which log.' 
- properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' - type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - rewrite-policy: - type: object - properties: - rewrite-criteria: - description: 'Expression against which traffic is evaluated.' - type: string - maxLength: 1299 - default-action: - description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). - An UNDEF event indicates an internal error condition.' - type: string - maxLength: 77 - enum: ['NOREWRITE', 'RESET', 'DROP'] - operation: - description: 'Type of user-defined rewrite action.' - type: string - enum: ["noop", "delete", "insert_http_header", "delete_http_header", - "corrupt_http_header", "insert_before", "insert_after", "replace", - "replace_http_res", "delete_all", "replace_all", "insert_before_all", - "insert_after_all", "clientless_vpn_encode", "clientless_vpn_encode_all", - "clientless_vpn_decode", "clientless_vpn_decode_all", "insert_sip_header", - "delete_sip_header", "corrupt_sip_header", "replace_sip_res", "replace_diameter_header_field", - "replace_dns_header_field", "replace_dns_answer_section"] - target: - description: 'Default syntax expression that specifies which part of the request or response to rewrite.' - type: string - maxLength: 1229 - modify-expression: - description: 'Default syntax expression that specifies the content to insert into the request - or response at the specified location, or that replaces the specified string.' - type: string - maxLength: 7991 - multiple-occurence-modify: - description: 'Search facility that is used to match multiple strings in the request or response.' 
- type: string - maxLength: 171 - additional-multiple-occurence-modify: - description: 'Specify additional criteria to refine the results of the search. - Always starts with the "extend(m,n)" operation, where "m" specifies number of bytes to the left of selected data - and "n" specifies number of bytes to the right of selected data. - You can use refineSearch only on body expressions, and only when rewrite-criteria is any one of this: - INSERT_BEFORE_ALL, INSERT_AFTER_ALL, REPLACE_ALL, and DELETE_ALL.' - type: string - maxLength: 1299 - direction: - description: 'Bind point to which to bind the policy.' - type: string - enum: ["REQUEST","RESPONSE"] - comment: - description: 'Any comments to preserve information about this rewrite policy.' - type: string - maxLength: 255 - required: [rewrite-criteria, operation, target, direction] - required: [rewrite-policy] - - responder-policies: - type: array - items: - type: object - properties: - servicenames: - description: 'Name of the services that needs to be binded to responder policy.' - type: array - items: - type: string - maxLength: 127 - goto-priority-expression: - description: 'Expression or other value specifying the next policy to be - evaluated if the current policy evaluates to TRUE. - Specify one of the following values: - * NEXT - Evaluate the policy with the next higher priority number. - * END - End policy evaluation. - Default value of goto-priority-expression: END' - type: string - maxLength: 1499 - logpackets: - type: object - description: 'Adds an audit message action. - The action specifies whether to log the message, and to which log.' - properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' 
- type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", - "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - responder-policy: - type: object - properties: - redirect: - type: object - description: 'Use this option when you want to Redirect the request when request matches to policy.' - properties: - url: - description: 'URL on which you want to redirect the request.' - type: string - maxLength: 7991 - redirect-status-code: - description: 'HTTP response status code, for example 200, 302, 404, etc.' - type: integer - minimum: 100 - maximum: 599 - redirect-reason: - description: 'Expression specifying the reason for redirecting the request.' - type: string - maxLength: 7991 - required: [url] - respondwith: - type: object - description: 'Use this parameter when you want to respond to the request when request matches to policy.' - properties: - http-payload-string: - description: 'Expression that you want to sent as response to the request.' - type: string - maxLength: 7991 - required: [http-payload-string] - noop: - type: string - description: 'Use this option when you want to send the request to the protected server instead of - responding to it when request matches to policy.' - properties: - target: - description: 'Default syntax expression that specifies to perform noop operation on' - type: string - maxLength: 1229 - reset: - type: string - description: 'Use this option when you want to Reset the client connection by closing it when request matches to policy.' - properties: - drop: - type: string - description: 'Use this option when you want to drop the request without sending a response to the user when request matches to policy.' - properties: - respond-criteria: - description: 'Default syntax expression that the policy uses to determine whether to respond to the specified request.' 
- type: string - maxLength: 1299 - default-action: - description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). - An UNDEF event indicates an internal error condition.' - type: string - maxLength: 77 - enum: ['NOOP', 'RESET', 'DROP'] - comment: - description: 'Any comments to preserve information about this responder policy.' - type: string - maxLength: 255 - required: [respond-criteria] - oneOf: [required: [redirect], required: [respondwith], required: [noop], required: [reset], required: [drop]] - required: [responder-policy] - - dataset: - type: array - items: - type: object - properties: - name: - description: 'Name of the dataset.' - type: string - maxLength: 32 - type: - description: 'Type of value to bind to the dataset.' - type: string - enum: ["ipv4", "number", "ipv6", "ulong", "double", "mac"] - comment: - description: 'Any comments to preserve information about this dataset.' - type: string - maxLength: 255 - values: - description: 'Value of the specified type that is associated with this dataset.' - type: array - items: - type: string - required: [name, type, values] - - patset: - type: array - items: - type: object - properties: - name: - description: 'Name of the Patset.' - type: string - maxLength: 32 - comment: - description: 'Any comments to preserve information about this patset.' - type: string - maxLength: 255 - values: - description: 'String of characters that constitutes a pattern and is associated with this patset.' - type: array - items: - type: string - required: [name, values] - - stringmap: - type: array - items: - type: object - properties: - name: - description: 'Name of the Stringmap.' - type: string - maxLength: 32 - comment: - description: 'Any comments to preserve information about this stringmap.' - type: string - maxLength: 255 - values: - description: 'List of (key,value) pairs to be bound to this string map.' 
- type: array - items: - type: object - properties: - key: - description: 'Character string constituting the key to be bound to this string map.' - type: string - maxLength: 2047 - value: - description: 'Character string constituting the value associated with the key.' - type: string - maxLength: 2047 - required: [name, values] - - httpcallout_policy: - type: array - items: - type: object - properties: - name: - description: 'httpcallout name' - type: string - maxLength: 32 - server_ip: - description: 'IP Address of the server(callout agent) to which the callout is sent.' - type: string - server_port: - description: 'Port of the server(callout agent) to which the callout is sent.' - type: integer - minimum: 1 - maximum: 65535 - http_method: - description: |+ - 'Method used in the HTTP request that this callout sends. - Default http method is GET' - type: string - enum: ['GET', 'POST'] - host_expr: - description: |+ - 'String expression to configure the Host header. Can contain a literal value - (for example, 10.101.10.11) or a derived value (for example, http.req.header("Host")). - The literal value can be an IP address or a fully qualified domain name. Mutually - exclusive with the full HTTP request expression.' - type: string - maxLength: 255 - url_stem_expr: - description: |+ - 'String expression for generating the URL stem. Can contain a literal string - (for example, "/mysite/index.html") or an expression that derives the value - (for example, http.req.url).' - type: string - maxLength: 8191 - headers: - type: array - description: |+ - 'One or more headers to insert into the HTTP request. Each header is represented by - name and expr, where expr is an expression that is evaluated at runtime to provide - the value for the named header. You can configure a maximum of eight headers for - an HTTP callout.' 
- items: - type: object - properties: - name: - description: 'header name' - type: string - expr: - description: 'header expression' - type: string - parameters: - type: array - description: |+ - 'One or more query parameters to insert into the HTTP request URL (for a GET request) - or into the request body (for a POST request). Each parameter is represented by - name and expr, where expr is an expression that is evaluated at run time to provide - the value for the named parameter (name=value). The parameter values are URL encoded.' - items: - type: object - properties: - name: - description: 'parameter name' - type: string - expr: - description: 'parameter expression' - type: string - body_expr: - description: |+ - 'An advanced string expression for generating the body of the request. - The expression can contain a literal string or an expression that derives - the value (for example, client.ip.src).' - type: string - full_req_expr: - description: |+ - 'Exact HTTP request, in the form of an expression, which the Citrix ADC sends - to the callout agent. The request expression is constrained by the feature - for which the callout is used. For example, an HTTP.RES expression cannot be - used in a request-time policy bank or in a TCP content switching policy bank.' - type: string - scheme: - description: |+ - 'Type of scheme for the callout server. - Default scheme is HTTP' - type: string - enum: ['HTTP', 'HTTPS'] - cache_for_secs: - description: |+ - 'Duration, in seconds, for which the callout response is cached. - The cached responses are stored in an integrated caching content - group named "calloutContentGroup". If no duration is configured, - the callout responses will not be cached unless normal caching - configuration is used to cache them. This parameter takes precedence over any - normal caching configuration that would otherwise apply to these responses.' 
- type: integer - minimum: 1 - maximum: 31536000 - return_type: - description: |+ - 'Type of data that the target callout agent returns in response to the callout - Available settings function as follows: - * TEXT - Treat the returned value as a text string. - * NUM - Treat the returned value as a number. - * BOOL - Treat the returned value as a Boolean value.' - type: string - enum: ['TEXT', 'NUM', 'BOOL'] - result_expr: - description: |+ - 'Expression that extracts the callout results from the response sent by the HTTP callout - agent. Must be a response based expression, that is, it must begin with HTTP.RES. The - operations in this expression must match the return type. For example, if you configure - a return type of TEXT, the result expression must be a text based expression. If the - return type is NUM, the result expression (resultExpr) must return a numeric value, - as in the following example: http.res.body(10000).length.' - type: string - maxLength: 8191 - comment: - description: 'Any comments to preserve information about this HTTP callout.' 
- type: string - maxLength: 255 - allOf: - - properties: - required: [name, server_ip, server_port] - - properties: - oneOf: - - properties: - required: [full_req_expr] - - properties: - anyOf: - - properties: - required: [http_method] - - properties: - required: [host_expr] - - properties: - required: [url_stem_expr] - - properties: - required: [headers] - - properties: - required: [parameters] - - properties: - required: [body_expr] - anyOf: [required: [rewrite-policies], required: [responder-policies]] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: ratelimits.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: ratelimit - plural: ratelimits - singular: ratelimit - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the ratelimit policies are applied.' - type: array - items: - type: string - maxLength: 127 - selector_keys: - type: object - description: 'Traffic match criteria to which apply above rate-limit/throttling. All keys are applied as AND condition. 
If no keys are specified, rate-limit applies at service level' - properties: - basic: - type: object - description: "Basic traffic stream selection criteria to which to apply the ratelimit" - properties: - path: - type: array - description: "api resource path prefix match. e.g. /api/v1/products" - items: - type: string - method: - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST','DELETE'] - header_name: - description: "HTTP header that identifies the unique API client for e.g. X-apikey" - type: string - per_client_ip: - description: "Setting this applies the throttling limit to each unique Client IP address accessing the API resource" - type: boolean - req_threshold: - description: 'Max requests per timeslice units to be allowed' - type: integer - timeslice: - description: 'Timeslice in miliseconds in multiple of 10. Defaults to 1000 miliseconds' - type: integer - limittype: - description: "Burst mode or smooth. Defaults to smooth limittype if not specified" - type: string - enum: ['BURSTY','SMOOTH'] - throttle_action: - type: string - enum: ['DROP', 'RESET','REDIRECT', 'RESPOND'] - description: "Drop will drop the requests exceeding limits, RESET will reset the client connection, Redirect will redirect to specified URL, respond will respond with 429 'Exceeded allowed rate of requests'" - redirect_url: - type: string - description: "Redirect-URL" - logpackets: - type: object - description: 'Adds an audit message action. The action specifies whether to log the message, and to which log.' - properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' 
- type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - required: [req_threshold] ---- -#Sample CRD instance - -#apiVersion: citrix.com/v1 -#description: VIP for apache service -#kind: vip -#metadata: -# name: service-apache -# namespace: default -#spec: -# description: VIP for the apache Service -# ipaddress: 10.99.98.90 -# kind: service -# name: apache - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: vips.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: vip - plural: vips - singular: vip - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - additionalPrinterColumns: - - jsonPath: .spec.ipaddress - name: VIP - type: string - - name: Age - type: date - jsonPath: .metadata.creationTimestamp - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - ipaddress: - type: string - name: - type: string - kind: - type: string - enum: ["service", "ingress"] - description: - type: string - range-name: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: authpolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: authpolicy - plural: authpolicies - singular: authpolicy - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: 'Current Status of the CRD' - jsonPath: .status.state - - name: Message - type: string - description: 'Status Message' - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: 
string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: |+ - 'Name of the services for which the policies applied' - type: array - items: - type: string - maxLength: 63 - authentication_mechanism: - type: object - description: |+ - 'Authentication mechanism. Options: using forms or using request header. - Default is Authentication using request header, when no option is specified' - properties: - using_request_header: - description: |+ - 'Enable user authentication using request header. Use when the credentials - or api keys are passed in a header. For example, when using Basic, Digest, - Bearer authentication or api keys. - When authentication using forms is provided, this is set to OFF' - - type: string - using_forms: - type: object - description: 'Enables authentication using forms. Use with user/web authentication.' - properties: - authentication_host: - description: |+ - 'Fully qualified domain name (FQDN) for authentication. - This FQDN should be unique and should resolve to frontend IP of - ADC with Ingress/service type LoadBalancer (or) vip of Listener CRD' - type: string - maxLength: 255 - authentication_host_cert: - description: |+ - 'Name of the SSL certificate to be used with authentication_host. 
- This certificate is mandatory while using_forms' - type: object - properties: - tls_secret: - type: string - description: 'Name of the Kubernetes Secret of type tls referring to Certificate' - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - preconfigured: - type: string - maxLength: 63 - description: |+ - 'Preconfigured SSL certkey name on ADC with the - certificate and key already added on ADC' - oneOf: - - properties: - required: [tls_secret] - - properties: - required: [preconfigured] - ingress_name: - description: |+ - 'Ingress name for which the authentication using forms - is applicable.' - type: string - maxLength: 63 - lb_service_name: - description: |+ - 'Service of type LoadBalancer for which the authentication using forms - is applicable.' - type: string - maxLength: 63 - listener_name: - description: |+ - 'Listener CRD name for which the authentication using forms is applicable.' - type: string - maxLength: 63 - vip: - description: |+ - 'Frontend IP of ingress for which the authentication - using forms is applicable. This refers to frontend-ip provided - with Ingress. It is suggested to use vip, if more than one Ingress - resource use the same frontend-ip' - type: string - required: [authentication_host, authentication_host_cert] - oneOf: - - properties: - required: [ingress_name] - - properties: - required: [lb_service_name] - - properties: - required: [listener_name] - - properties: - required: [vip] - oneOf: - - properties: - using_request_header: - enum: ['ON'] - required: [using_request_header] - - properties: - required: [using_forms] - - authentication_providers: - description: |+ - 'Authentication Configuration for required authentication providers/schemes. 
- One or more of these can be created' - type: array - items: - description: 'Create config for a single authentication provider of a particular type' - type: object - properties: - name: - description: 'Name for this provider, has to be unique, referenced by authentication policies' - type: string - maxLength: 127 - - oauth: - description: 'Authentication provided by external oAuth provider' - type: object - properties: - issuer: - description: 'Identity of the server whose tokens are to be accepted' - type: string - maxLength: 127 - audience: - description: 'Audience for which token sent by Authorization server is applicable' - type: array - items: - type: string - maxLength: 127 - jwks_uri: - description: |+ - 'URL of the endpoint that contains JWKs (Json Web Key) for - JWT (Json Web Token) verification' - type: string - maxLength: 127 - introspect_url: - description: ' URL of the introspection server' - type: string - maxLength: 127 - client_credentials: - description: |+ - 'secrets object that contains Client Id and secret as known - to Introspection server' - type: string - maxLength: 253 - token_in_hdr: - description: |+ - 'custom header name where token is present, - default is Authorization header' - type: array - items: - type: string - maxLength: 127 - maxItems: 2 - token_in_param: - description: 'query parameter name where token is present' - type: array - items: - type: string - maxLength: 127 - maxItems: 2 - signature_algorithms: - description: 'list of allowed signature algorithms, by default HS256, RS256, RS512 are allowed' - type: array - items: - type: string - enum: ['HS256', 'RS256', 'RS512'] - claims_to_save: - description: 'list of claims to be saved, used to create authorization policies' - type: array - items: - type: string - maxLength: 127 - metadata_url: - description: 'URL used to get OAUTH/OIDC provider metadata' - type: string - maxLength: 255 - user_field: - description: |+ - 'Attribute in the token from which username should be 
extracted. - by default, ADC looks at email attribute for user id' - type: string - maxLength: 127 - default_group: - description: |+ - 'group assigned to the request if authentication succeeds, - this is in addition to any extracted groups from token' - type: string - maxLength: 63 - grant_type: - description: 'used to specify the type of flow to the token end point, defaults to CODE' - type: array - items: - type: string - enum: ['CODE','PASSWORD'] - pkce: - description: 'specify whether to enable Proof Key Code Exchange, defaults to ENABLED' - type: string - enum: ['ENABLED', 'DISABLED'] - token_ep_auth_method: - description: |+ - 'authentication method to be used with token end point, - defaults to client_secret_post' - type: string - enum: ['client_secret_post', 'client_secret_jwt'] - - anyOf: - - properties: - required : [jwks_uri] - - properties: - required : [introspect_url, client_credentials] - - properties: - required : [metadata_url] - - ldap: - description: 'LDAP authentication provider' - type: object - properties: - server_ip: - description: 'IP address assigned to the LDAP server' - type: string - server_name: - description: 'LDAP server name as a FQDN' - type: string - maxLength: 127 - server_port: - description: 'Port on which the LDAP server accepts connections. Default is 389' - type: integer - minimum: 1 - maximum: 65535 - base: - description: |+ - 'Base (node) from which to start LDAP searches. If the LDAP server is - running locally, the default value of base is dc=netscaler, dc=com' - type: string - maxLength: 127 - server_login_credentials: - description: |+ - 'Kubernetes secret object providing credentials to login to LDAP server, - The secret data should have username and password' - type: string - login_name: - description: |+ - 'LDAP login name attribute. 
The Citrix ADC uses the LDAP login name - to query external LDAP servers or Active Directories' - type: string - maxLength: 127 - security_type: - description: |+ - 'Type of security used for communications between the Citrix ADC - and the LDAP server. Default is TLS' - type: string - enum: ['PLAINTEXT', 'TLS', 'SSL'] - validate_server_cert: - description: 'Validate LDAP Server certs. Default is NO' - type: string - enum: ['YES', 'NO'] - hostname: - description: |+ - 'Hostname for the LDAP server. If validate_server_cert is ON, - this must be the host name on the certificate from the LDAP - A hostname mismatch will cause a connection failure' - type: string - maxLength: 127 - sub_attribute_name: - description: 'LDAP group sub-attribute name. Used for group extraction from the LDAP server.' - type: string - maxLength: 31 - group_attribute_name: - description: 'LDAP group attribute name. Used for group extraction on the LDAP server.' - type: string - maxLength: 31 - search_filter: - description: |+ - 'String to be combined with the default LDAP user search string to form the - search value. For example, if the search filter "vpnallowed=true" is combined - with the LDAP login name "samaccount" and the user-supplied username is "bob", - the result is the LDAP search string ""(&(vpnallowed=true)(samaccount=bob)"" - (Be sure to enclose the search string in two sets of double quotation marks)' - type: string - maxLength: 255 - auth_timeout: - description: |+ - 'Number of seconds the Citrix ADC waits for a response from the server - Default is 3' - type: integer - minimum: 1 - maximum: 4294967295 - password_change: - description: 'Allow password change requests. 
Default is DISABLED' - type: string - enum: ['ENABLED', 'DISABLED'] - attributes_to_save: - description: |+ - 'List of attribute names separated by comma which needs to be fetched - from LDAP server and stored as key-value pair for the session on ADC' - type: string - maxLength: 2047 - oneOf: - - properties: - required: [server_ip] - - properties: - required: [server_name] - - saml: - description: |+ - 'SAML authentication provider. - Currently SAML is supported only with authentication mechanism using forms' - type: object - properties: - metadata_url: - description: 'URL is used for obtaining saml metadata.' - type: string - maxLength: 255 - metadata_refresh_interval: - description: |+ - 'Interval in minutes for fetching metadata from specified metadata URL. - Default is 36000' - type: integer - minimum: 1 - maximum: 4294967295 - signing_cert: - description: 'SSL certificate to sign requests from SP to IDP' - type: object - properties: - tls_secret: - type: string - description: 'Name of the Kubernetes Secret of type tls referring to Certificate' - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - preconfigured: - type: string - maxLength: 63 - description: |+ - 'Preconfigured SSL certkey name on ADC with the - certificate and key already added on ADC' - oneOf: - - properties: - required: [tls_secret] - - properties: - required: [preconfigured] - audience: - description: 'Audience for which assertion sent by IdP is applicable' - type: string - maxLength: 127 - issuer_name: - description: 'The name to be used in requests sent from SP to IDP to identify citrix ADC' - type: string - maxLength: 63 - binding: - description: 'Specifies the transport mechanism of saml message. Default is POST' - type: string - enum: ['REDIRECT', 'POST', 'ARTIFACT'] - artifact_resolution_service_url: - description: 'URL of the Artifact Resolution Service on IdP' - type: string - maxLength: 255 - logout_binding: - description: 'Specifies the transport mechanism of saml logout. 
Default is POST' - type: string - enum: ['REDIRECT', 'POST'] - reject_unsigned_assertion: - description: |+ - 'Reject unsigned SAML assertions. ON, rejects assertion without signature. - STRICT ensure that both Response and Assertion are signed. Default is ON' - type: string - enum: ['ON', 'OFF', 'STRICT'] - user_field: - description: 'SAML user ID, as given in the SAML assertion' - type: string - maxLength: 63 - default_authentication_group: - description: |+ - 'This is the default group that is chosen when the authentication - succeeds in addition to extracted groups' - type: string - maxLength: 63 - skew_time: - description: |+ - 'Allowed clock skew in number of minutes on an incoming assertion. - Default is 5' - type: integer - minimum: 1 - attributes_to_save: - description: |+ - 'List of attribute names separated by comma which needs to be extracted - and stored as key-value pair for the session on ADC' - type: string - maxLength: 2047 - required: - - metadata_url - - basic_local_db: - type: object - description: |+ - 'Basic HTTP authentication supported by ADC, user data in local DB of ADC. - Users needs to be added on ADC' - properties: - use_local_auth: - description: 'Use ADC authentication' - type: string - enum: ['YES'] - - required: - - name - - authentication_policies: - description: 'Authentication policies' - type: array - items: - type: object - description: 'Authentication policy' - properties: - resource: - type: object - description: 'endpoint/resource selection criteria' - properties: - path: - description: 'api resource path e.g. /products. 
' - type: array - items: - type: string - maxLength: 511 - method: - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST','DELETE'] - required: - - path - expression: - description: 'ADC syntax expression for authentication' - type: string - maxLength: 1229 - provider: - description: 'name of the authentication provider for the policy, empty if no authentication required' - type: array - items: - type: string - maxLength: 127 - maxItems: 1 - oneOf: - - required: [resource, provider] - - required: [expression, provider] - - authorization_policies: - description: 'Authorization policies' - type: array - items: - type: object - description: 'Authorization policy' - properties: - resource: - type: object - description: 'endpoint/resource selection criteria' - properties: - path: - description: 'api resource path e.g. /products. ' - type: array - items: - type: string - maxLength: 511 - method: - description: ' http method' - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST','DELETE'] - claims: - description: 'authorization scopes required for selected resource saved as claims or attributes' - type: array - items: - type: object - properties: - name: - description: 'name of the claim/attribute to check' - type: string - maxLength: 127 - values: - description: 'list of claim values required for the request' - type: array - items: - type: string - maxLength: 127 - minItems: 1 - required: - - name - - values - required: - - claims - expression: - description: 'ADC syntax expression for authorization' - type: string - maxLength: 1229 - oneOf: - - required: [resource] - - required: [expression] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: listeners.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - version: null - names: - kind: Listener - plural: listeners - singular: listener - scope: Namespaced - versions: - 
- name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - required: [spec] - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - required: [protocol] - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - protocol: - type: string - enum: ["https", "http"] - description: "Protocol for this listener" - vip: - type: string - description: "VIP address, Optional for CPX, required for Tier-1 deployments" - secondaryVips: - type: array - description: "An array of Secondary VIPs. All the VIPs will be part of an ipset" - minItems: 1 - items: - type: string - redirectPort: - type: integer - minimum: 1 - maximum: 65535 - description: "Port from which http traffic should be redirected to https" - port: - type: integer - minimum: 1 - maximum: 65535 - certificates: - type: array - description: "certificates attached to the endpoints - Not applicable for HTTP" - minItems: 1 - items: - type: object - properties: - preconfigured: - type: string - description: "Preconfigured Certificate name on ADC " - secret: - type: object - description: "Kuberentes secret object" - required: [name] - properties: - name: - type: string - description: "name of the Kubernetes Secret object where Cert is located" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - namespace: - type: string - description: "Namespace of the kubernetes secret object; Default is same namespace where the Listener object is located" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - default: - type: boolean - description: "Only one of the certificate can be marked as default which will be presented if none of the cert matches with the hostname" - oneOf: - - required: ["preconfigured"] - - required: ["secret"] - policies: - 
type: object - description: "Policies attached to the Listener" - properties: - httpprofile: - type: object - description: "HTTP profile configurations for the Listener, HTTP level configurations" - properties: - preconfigured: - type: string - description: "Preconfigured or Built-in HTTP profile name" - config: - type: object - description: "HTTP profile configuration for the listener. For individual fields, refer:https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ns/nshttpprofile/nshttpprofile/ Name field is auto populated" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - tcpprofile: - type: object - description: "TCP level configurations, uses ns tcpprofile of citrix ADC" - properties: - preconfigured: - description: "Preconfigured or Built-in TCP profile name" - type: string - config: - type: object - description: "TCPprofile configurations for the listener. For individual fields refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ns/nstcpprofile/ ; Name field is auto populated" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - csvserverConfig: - type: object - description: "CS Vserver configuration for the listener" - additionalProperties: - type: string - sslprofile: - type: object - description: "SSL profile configuration" - properties: - preconfigured: - type: string - description: "SSL profile which is preconfigured in ADC. Ciphers bound to the profile is not overriden" - config: - description: "Citrix ADC frontend SSL profile configurations. 
Refer:https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ssl/sslprofile/ for all configurations; Name field is auto generated" - type: object - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - sslciphers: - type: array - description: "List of ciphers to be bound to the ssl profile for the listener. Priority is as per the order in the list. A cipher suite, predefined cipher group or User created cipher group can be mentioned" - minItems: 1 - items: - type: string - description: "Cipher suite, cipher group name" - analyticsprofile: - type: object - description: "Analytics profile configuration" - properties: - preconfigured: - type: array - description: "Preconfigured Analytics profile that needs to be bound to the vserver" - minItems: 1 - items: - type: string - description: "Name of the analytics profile preconfigured that will be bound to the Vserver" - config: - type: array - description: "An array of analytics to be enabled" - minItems: 1 - items: - type: object - description: "Anlytics to be enabled" - required: ['type'] - properties: - type: - description: "Analytics profile to be enabled, you can enable one or more of the webinsight, tcpinsight, securityinsight, videoinsight, hdxinsight, gatewayinsight, timeseries, lsninsight, botinsight " - type: string - enum: ["webinsight", "tcpinsight", "securityinsight", "videoinsight", "hdxinsight", "gatewayinsight", "timeseries", "lsninsight", "botinsight"] - parameters: - type: object - description: "Additional parameters for analytics profile. 
Please refer:https://developer-docs.citrix.com/projects/citrix-adc-nitro-api-reference/en/latest/configuration/analytics/analyticsprofile/" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - routes: - type: array - description: "List of route objects attached to the listener" - minItems: 1 - items: - type: object - properties: - name: - type: string - description: "Name of the HTTPRoute object" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - namespace: - type: string - description: "Namespace of the HTTPRoute object" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - labelSelector: - description: "Labels key value pair, if the route carries the same labels, it is automatically attached" - type: object - additionalProperties: - type: string - oneOf: - - required: [name, namespace] - - required: [labelSelector] - defaultAction: - type: object - description: "Default action for the listener: One of Backend or Redirect" - properties: - backend: - type: object - oneOf: - - required: [kube] - properties: - kube: - type: object - required: [service, port] - properties: - service: - description: "Name of the backend service" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - port: - description: "Service port" - type: integer - minimum: 1 - maximum: 65535 - namespace: - description: "Service namespace" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - backendConfig: - description: "General backend service options" - type: object - properties: - secure_backend: - description: "Use Secure communications to the backends" - type: boolean - lbConfig: - description: "Citrix ADC LB vserver configurations for the backend. 
Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/load-balancing/lbvserver/lbvserver/ for all configurations" - type: object - additionalProperties: - type: string - servicegroupConfig: - description: "Citrix ADC service group configurations for the backend; Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/basic/servicegroup/servicegroup/ for all configurations" - type: object - additionalProperties: - type: string - redirect: - type: object - oneOf: - - required: [targetExpression] - - required: [hostRedirect] - - required: [httpsRedirect] - properties: - httpsRedirect: - description: "Change the scheme from http to https keeping URL intact" - type: boolean - hostRedirect: - description: "Host name specified is used for redirection with URL intact" - type: string - targetExpression: - description: "A target can be specified using Citrix ADC policy expression" - type: string - responseCode: - description: "Default response code is 302, which can be customised using this attribute" - type: integer - minimum: 100 - maximum: 599 - oneOf: - - required: ["backend"] - - required: ["redirect"] - subresources: - # status enables the status subresource. 
- status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: httproutes.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - version: null - names: - kind: HTTPRoute - plural: httproutes - singular: httproute - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - required: [rules] - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - hostname: - type: array - description: "List of domain names that share the same route, default is '*'" - minItems: 1 - items: - type: string - description: "Domain name" - rules: - type: array - description: "List Content routing rules with an action defined" - minItems: 1 - items: - type: object - required: [name, action] - properties: - name: - type: string - description: "A name to represent the rule, this is used as an identifier in content routing policy name in ADC" - minLength: 1 - maxLength: 20 - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - match: - type: array - description: "List of rules with same action" - minItems: 1 - items: - type: object - anyOf: - - required: [path] - - required: [headers] - - required: [cookies] - - required: [queryParams] - - required: [method] - - required: [policyExpression] - properties: - path: - type: object - description: "URL Path based content routing" - properties: - prefix: - type: string - description: "URL path matches the prefix expression" - exact: - type: string - description: "URL Path must match exact path" - regex: - type: string - 
description: "PCRE based regex expression for path matching" - headers: - type: array - description: "List of header for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Header details for content routing, Check for existence of a header or header name-value match" - properties: - headerName: - type: object - description: "Header name based content routing, Here existence of header is used for routing" - properties: - exact: - type: string - description: "Header Name - treated as exact must exist" - contains: - type: string - description: "Header Name - A header must exist that contain the string the name" - regex: - type: string - description: "header Name - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e header name must not exist" - oneOf: - - required: [exact] - - required: [contains] - - required: [regex] - headerValue: - type: object - description: "Header Name and Value based match" - properties: - name: - type: string - description: "Header name that must match the value" - exact: - type: string - description: "Header value - treated as exact" - contains: - type: string - description: "Header value - treated as contains" - regex: - type: string - description: "header value - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e header if present must not match the value" - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - queryParams: - type: array - description: "List of Query parameters for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Query parameters Name and Value based match" - properties: - name: - type: string - description: "Query name that must match the value. 
If no value is specified, matches with any value" - exact: - type: string - description: "Query value - Exact match" - contains: - type: string - description: "Query value - value must have the string(substring)" - regex: - type: string - description: "Query value - Value must match this regex patterm" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e query if present must not match the value" - anyOf: - - required: [name] - - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - cookies: - type: array - description: "List of Cookie params for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Cookie based routing" - properties: - name: - type: string - description: "cookie name that must match the value. If no value specified, it matches with any value" - exact: - type: string - description: "cookie value - treated as exact" - contains: - type: string - description: "cookie value - treated as substring" - regex: - type: string - description: "cookie value - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. 
I.e cookie if present must not match the value" - anyOf: - - required: [name] - - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - method: - type: string - description: "HTTP method for content routing eg: POST, PUT, DELETE etc" - policyExpression: - type: string - description: "Citrix ADC policy expressions; refer: https://docs.citrix.com/en-us/netscaler/media/expression-prefix.pdf" - action: - type: object - description: "Action for the matched rule" - properties: - backend: - type: object - oneOf: - - required: [kube] - properties: - kube: - type: object - required: [service, port] - properties: - service: - description: "Name of the backend service" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - port: - description: "Service port" - type: integer - minimum: 1 - maximum: 65535 - backendConfig: - type: object - description: "General backend service options" - properties: - secureBackend: - description: "Use Secure communications to the backends" - type: boolean - lbConfig: - description: "Citrix ADC LB vserver configurations for the backend. 
Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/load-balancing/lbvserver/lbvserver/ for all configurations" - type: object - additionalProperties: - type: string - servicegroupConfig: - description: "Citrix ADC service group configurations for the backend; Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/basic/servicegroup/servicegroup/ for all configurations" - type: object - additionalProperties: - type: string - redirect: - type: object - oneOf: - - required: [targetExpression] - - required: [hostRedirect] - - required: [httpsRedirect] - properties: - httpsRedirect: - description: "Change the scheme from http to https keeping URL intact" - type: boolean - hostRedirect: - description: "Host name specified is used for redirection with URL intact" - type: string - targetExpression: - description: "A target can be specified using Citrix ADC policy expression" - type: string - responseCode: - description: "Default response code is 302, which can be customised using this attribute" - type: integer - minimum: 100 - maximum: 599 - oneOf: - - required: ["backend"] - - required: ["redirect"] - subresources: - # status enables the status subresource. - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - # name must match the spec fields below, and be in the form: . 
- name: continuousdeployments.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: continuousdeployment - plural: continuousdeployments - singular: continuousdeployment - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - cronSpec: - type: integer - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: wafs.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: waf - plural: wafs - singular: waf - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the waf policies are applied.' 
- type: array - items: - type: string - maxLength: 127 - application_type: - description: 'Type of applications to protect' - type: array - items: - type: string - enum: ['HTML', 'JSON', 'XML'] - signatures: - description: 'Location of external signature file' - type: string - redirect_url: - description: 'When a URL is blocked/down, redirect_url represents the alternate URL where the client requests should be sent.' - type: string - html_error_object: - description: 'Location of customized error page to respond when html or common violation are hit' - type: string - xml_error_object: - description: 'Location of customized error page to respond when xml violations are hit' - type: string - json_error_object: - description: 'Location of customized error page to respond when json violations are hit' - type: string - ip_reputation: - type: object - x-kubernetes-preserve-unknown-fields: true - description: 'Enabling IP reputation feature' - target: - description: 'To control what traffic to be inspected by Web Application Firewall. 
If you do not provide the target, everything will be inspected by default' - type: object - properties: - path: - type: array - description: "List of http urls to inspect" - items: - type: string - description: "URL path" - method: - type: array - description: "List of http methods to inspect" - items: - type: string - enum: ['GET', 'PUT', 'POST','DELETE'] - header: - type: array - description: "List of http headers to inspect" - items: - type: string - description: "header name" - security_checks: - description: 'To enable/disable application firewall security checks' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true - settings: - description: 'To fine tune application firewall security checks default settings' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true - relaxations: - description: 'Section which contains relaxation rules for known traffic and false positives' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true - enforcements: - description: 'Section which contains enforcement or restriction rules' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - 
x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: bots.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: bot - plural: bots - singular: bot - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the bot policies are applied.' - type: array - items: - type: string - maxLength: 127 - signatures: - description: 'Location of external bot signature file' - type: string - redirect_url: - description: 'url to redirect when bot violation is hit' - type: string - target: - description: 'To control what traffic to be inspected by BOT. 
If you do not provide the target, everything will be inspected by default' - type: object - properties: - path: - type: array - description: "List of http urls to inspect" - items: - type: string - description: "URL path" - method: - type: array - description: "List of http methods to inspect" - items: - type: string - enum: ['GET', 'PUT', 'POST','DELETE'] - header: - type: array - description: "List of http headers to inspect" - items: - type: string - description: "header name" - security_checks: - description: 'To enable/disable bot ecurity checks' - type: object - properties: - allow_list: - type: string - enum: ['ON', 'OFF'] - block_list: - type: string - enum: ['ON', 'OFF'] - device_fingerprint: - type: object - x-kubernetes-preserve-unknown-fields: true - reputation: - type: string - enum: ['ON', 'OFF'] - ratelimit: - type: string - enum: ['ON', 'OFF'] - tps: - type: string - enum: ['ON', 'OFF'] - trap: - type: object - x-kubernetes-preserve-unknown-fields: true - bindings: - description: 'Section which contains binding rules for bot security checks' - type: object - properties: - allow_list: - type: array - items: - type: object - properties: - subnet: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - expression: - type: object - x-kubernetes-preserve-unknown-fields: true - - block_list: - type: array - items: - type: object - properties: - subnet: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - expression: - type: object - x-kubernetes-preserve-unknown-fields: true - ratelimit: - type: array - items: - type: object - properties: - url: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - cookie: - type: object - x-kubernetes-preserve-unknown-fields: true - reputation: - type: object - x-kubernetes-preserve-unknown-fields: true 
- captcha: - type: array - items: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - tps: - type: object - properties: - geolocation: - type: object - x-kubernetes-preserve-unknown-fields: true - host: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - trapinsertion: - type: object - x-kubernetes-preserve-unknown-fields: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: apigatewaypolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: apigatewaypolicy - plural: apigatewaypolicies - singular: apigatewaypolicy - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - subresources: - status: {} - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - api_definition: - type: object - properties: - repository: - type: string - branch: - type: string - oas_secret_ref: - type: string - files: - type: array - items: - type: string - maxLength: 127 - api_proxy: - type: object - properties: - ipaddress: - type: string - port: - type: integer - protocol: - type: string - secret: - type: string - policies: - type: array - items: - type: object - properties: - name: - type: string - selector: - type: array - items: - type: object - properties: - tags: - type: array - items: - type: string - api: - type: string - method: - type: array - items: - type: string - maxLength: 127 - upstream: - type: object - properties: - 
service: - type: string - port: - type: integer - policy_bindings: - type: object - properties: - ratelimit: - type: object - properties: - name: - type: string - waf: - type: object - properties: - name: - type: string - rewritepolicy: - type: object - properties: - name: - type: string - bot: - type: object - properties: - name: - type: string - aaa: - type: array - items: - type: object - properties: - crd_name: - type: string - mappings: - type: array - items: - type: object - properties: - petstore_auth: - type: string - api_key: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: corspolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: corspolicy - plural: corspolicies - singular: corspolicy - shortNames: - - cp - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: 'Current Status of the CRD' - jsonPath: .status.state - - name: Message - type: string - description: 'Status Message' - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'The list of Kubernetes services to which you want to apply the cors policies.' 
- type: array - items: - type: string - maxLength: 63 - allow_origin: - description: 'Represents list of allowed origins, it is used to screen the “origin” in the cors pre flight request' - type: array - items: - type: string - maxLength: 2083 - allow_methods: - description: 'Indicates which methods are supported by the response’s URL for the purposes of the CORS protocol. This variable will be used to set Access-Control-Allow-Methods in the pre-flight cors response.' - type: array - items: - type: string - maxLength: 127 - allow_headers: - description: 'Indicates which headers are supported by the response’s URL for the purposes of the CORS protocol. This variable will be used to set Access-Control-Allow-Headers in the pre-flight cors response.' - type: array - items: - type: string - maxLength: 127 - max_age: - description: 'Indicates the number of seconds (5 by default) the information provided by the `Access-Control-Allow-Methods` and `Access-Control-Allow-Headers` headers can be cached. This variable will be used to set Access-Control-Max-Age in the pre-flight cors response.' - type: integer - allow_credentials: - description: 'Indicates whether the response can be shared when the request’s credentials mode is "include". This variable will be set to Access-Control-Allow-Credentials in the rewrite action.' 
- type: boolean - required: [servicenames, allow_origin, allow_methods, allow_headers] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: appqoepolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: appqoepolicy - plural: appqoepolicies - singular: appqoepolicy - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - appqoe-policies: - type: array - items: - type: object - properties: - servicenames: - description: 'Name of the services that needs to be binded to appqoe policy.' - type: array - items: - type: string - maxLength: 127 - appqoe-policy: - type: object - properties: - operation-retry: - type: object - properties: - on-reset: - description: "To set Retry on Connection Reset or Not" - type: string - enum: ['YES','NO'] - on-timeout: - description: "Time in milliseconds for retry" - type: integer - minimum: 30 - maximum: 2000 - number-of-retries: - description: "To set number of retries" - type: integer - minimum: 1 - maximum: 7 - required: [operation-retry] - appqoe-criteria: - description: 'Expression against which traffic is evaluated.' - type: string - maxLength: 1299 - direction: - description: 'Bind point to which to bind the policy.' 
- type: string
- enum: ["REQUEST","RESPONSE"]
- required: [appqoe-criteria, operation-retry]
- required: [appqoe-policy]
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: wildcarddnsentries.citrix.com
-spec:
- group: citrix.com
- names:
- kind: wildcarddnsentry
- plural: wildcarddnsentries
- singular: wildcarddnsentry
- scope: Namespaced
- versions:
- - name: v1
- served: true
- storage: true
- subresources:
- status: {}
- additionalPrinterColumns:
- - name: Status
- type: string
- description: Current Status of the CRD
- jsonPath: .status.state
- - name: Message
- type: string
- description: Status Message
- jsonPath: .status.status_message
- schema:
- openAPIV3Schema:
- type: object
- properties:
- status:
- type: object
- properties:
- state:
- type: string
- status_message:
- type: string
- spec:
- type: object
- properties:
- zone:
- type: object
- description: DNS configuration for a zone
- properties:
- domain:
- type: string
- description: Domain name
- dnsaddrec:
- type: object
- description: DNS Address record
- properties:
- domain-ip:
- type: string
- description: IPv4 addresses to assign to the domain name
- ttl:
- type: integer
- description: >-
- TTL is the time for which the record must be cached
- by DNS proxies
- dnsaaaarec:
- type: object
- description: DNS AAAA record
- properties:
- domain-ip:
- type: string
- description: IPv6 addresses to assign to the domain name
- ttl:
- type: integer
- description: >-
- TTL is the time for which the record must be cached
- by DNS proxies
- soarec:
- type: object
- description: SOA record
- properties:
- origin-server:
- type: string
- description: Origin server domain
- contact:
- type: string
- description: Admin contact
- serial:
- type: integer
- description: >-
- The secondary server uses this parameter to
- determine whether it requires a zone transfer from
- the primary server.
- refresh:
- type: integer
- description: >-
- Time, in seconds, for which a secondary server must
- wait between successive checks on the value of the
- serial number.
- retry:
- type: integer
- description: >-
- Time, in seconds, between retries if a secondary server's
- attempt to contact the primary server for a zone refresh fails.
- expire:
- type: integer
- description: >-
- Time, in seconds, after which the zone data on a secondary
- nameserver can no longer be considered authoritative because
- all refresh and retry attempts made during the period have failed."
- nsrec:
- type: object
- description: Name server record
- properties:
- nameserver:
- type: string
- description: Host name of the name server to add to the domain.
- ttl:
- type: integer
- description: >-
- Time to Live (TTL), in seconds, for the record. TTL
- is the time for which the record must be cached by
- DNS proxies. The specified TTL is applied to all the
- resource records that are of the same record type
- and belong to the specified domain name
----
-{{- end }}
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.28.2/templates/citrix-k8s-cpx-ingress.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.28.2/templates/citrix-k8s-cpx-ingress.yaml
deleted file mode 100644
index 70ee6057bf..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.28.2/templates/citrix-k8s-cpx-ingress.yaml
+++ /dev/null
@@ -1,418 +0,0 @@ -apiVersion: apps/v1 -{{- if or .Values.cpxBgpRouter .Values.daemonSet }} -kind: DaemonSet -{{- else }} -kind: Deployment -{{- end }} -metadata: - name: {{ include "citrix-cpx-ingress-controller.fullname" . }} - namespace: {{ .Release.Namespace }} -spec: - selector: - matchLabels: - app: {{ include "citrix-cpx-ingress-controller.fullname" . }} -{{- if not ( or .Values.cpxBgpRouter .Values.daemonSet ) }} - replicas: {{ .Values.replicaCount }} -{{- end }} - template: - metadata: - name: {{ include "citrix-cpx-ingress-controller.fullname" . }} - labels: - app: {{ include "citrix-cpx-ingress-controller.fullname" . }} - adc: "citrix" -{{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} -{{- end }} - spec: - serviceAccountName: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }} -{{- if .Values.cpxBgpRouter }} - hostNetwork: true -{{- end }} - containers: - - name: cpx-ingress - image: "{{ tpl .Values.image . }}" - imagePullPolicy: {{ .Values.pullPolicy }} - tty: true - securityContext: - privileged: true - env: - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace -{{- if .Values.cpxLicenseAggregator }} - - name: "CLA" - value: {{ .Values.cpxLicenseAggregator | quote }} -{{- else if .Values.ADMSettings.licenseServerIP }} - - name: "LS_IP" - value: {{ .Values.ADMSettings.licenseServerIP | quote }} - - name: "LS_PORT" - value: {{ .Values.ADMSettings.licenseServerPort | quote }} -{{- end }} - - name: "EULA" - value: "{{ .Values.license.accept }}" - - name: "KUBERNETES_TASK_ID" - value: "" -{{- if not .Values.cpxBgpRouter }} - - name: "MGMT_HTTP_PORT" - value: {{ .Values.mgmtHttpPort | quote }} - - name: "MGMT_HTTPS_PORT" - value: {{ .Values.mgmtHttpsPort | quote }} -{{- end }} -{{- if .Values.cpxBgpRouter }} - - name: NS_NETMODE - value: HOST -{{- if .Values.nsIP }} - - name: "NS_IP" 
- value: "{{ .Values.nsIP }}" -{{- end }} -{{- if .Values.nsGateway }} - - name: "NS_GATEWAY" - value: "{{ .Values.nsGateway }}" -{{- end }} -{{- end }} -{{- if .Values.ADMSettings.ADMIP }} - - name: "NS_MGMT_SERVER" - value: {{ .Values.ADMSettings.ADMIP | quote }} - - name: "NS_HTTP_PORT" - value: {{ .Values.mgmtHttpPort | quote }} - - name: "NS_HTTPS_PORT" - value: {{ .Values.mgmtHttpsPort | quote }} - - name: "LOGSTREAM_COLLECTOR_IP" - value: {{ .Values.ADMSettings.ADMIP | quote }} - - name: "ANALYTICS_SERVER" - value: {{ .Values.ADMSettings.ADMIP | quote }} - - name: "ANALYTICS_SERVER_PORT" - value: {{ .Values.ADMSettings.analyticsServerPort | quote }} -{{- end }} -##Need to set env var BANDWIDTH in order to provide Bandwidth license to Citrix ADC CPX from ADM or CPX License Aggregator -{{- if and ( or ( .Values.ADMSettings.licenseServerIP ) ( .Values.cpxLicenseAggregator ) ) ( eq .Values.ADMSettings.bandWidthLicense true ) }} - - name: "BANDWIDTH" - value: {{ .Values.ADMSettings.bandWidth | quote }} -{{- end }} -#for multiple-PE support, need to set CPX_CORES -{{- if or .Values.ADMSettings.licenseServerIP .Values.cpxLicenseAggregator }} -{{- if or ( eq .Values.ADMSettings.vCPULicense true ) ( eq .Values.ADMSettings.bandWidthLicense true ) }} - - name: "CPX_CORES" - value: {{ .Values.ADMSettings.cpxCores | default 1 | quote }} -{{- end }} -{{- end }} - - name: "EDITION" - value: {{ .Values.ADMSettings.licenseEdition }} -{{- if or (.Values.ADMSettings.ADMIP) (.Values.ADMSettings.licenseServerIP) }} - - name: NS_MGMT_USER - valueFrom: - secretKeyRef: - name: {{ required "Provide Secret for ADM/LicenseServer credentials" .Values.ADMSettings.loginSecret }} - key: username - - name: NS_MGMT_PASS - valueFrom: - secretKeyRef: - name: {{ required "Provide Secret for ADM/LicenseServer credentials" .Values.ADMSettings.loginSecret }} - key: password -{{- end }} -{{- if .Values.exporter.required }} - - name: "METRICS_EXPORTER_PORT" - value: {{ 
.Values.exporter.ports.containerPort | quote }} -{{- end }} - resources: - {{- toYaml .Values.resources | nindent 12 }} - volumeMounts: - - mountPath: /var/deviceinfo - name: shared-data - - mountPath: /cpx/ - name: cpx-volume -{{- if .Values.cic.required }} - # Add cic as a sidecar - - name: cic - image: "{{ tpl .Values.cic.image . }}" - imagePullPolicy: {{ .Values.cic.pullPolicy }} - env: - - name: "EULA" - value: "{{ .Values.license.accept }}" -{{- if .Values.cpxBgpRouter }} - - name: "NS_IP" - value: {{ .Values.nsIP | default "192.168.1.2" | quote }} -{{- else }} - - name: "NS_IP" - value: "127.0.0.1" -{{- end }} -{{- if .Values.rbacRole }} - - name: "SCOPE" - value: "local" -{{- end }} - - name: "NS_APPS_NAME_PREFIX" - value: {{ .Values.entityPrefix | default "k8s"}} - - name: "NS_DEPLOYMENT_MODE" - value: "SIDECAR" -{{- if and .Values.openshift .Values.routeLabels }} - - name: "ROUTE_LABELS" - value: {{ .Values.routeLabels | quote}} -{{- end }} -{{- if and .Values.openshift .Values.namespaceLabels }} - - name: "NAMESPACE_LABELS" - value: {{ .Values.namespaceLabels | quote }} -{{- end }} -{{- if .Values.cpxBgpRouter }} -{{- if eq (upper .Values.nsProtocol) "HTTPS" }} - - name: NS_PROTOCOL - value: HTTPS - - name: NS_PORT - value: "9443" -{{- else }} - - name: NS_PROTOCOL - value: HTTP - - name: NS_PORT - value: "9080" -{{- end }} -{{- if .Values.bgpPort }} - - name: "BGP_PORT" - value: {{ .Values.bgpPort | quote }} -{{- end }} -{{- end }} - - name: "NS_ENABLE_MONITORING" - value: "YES" -{{- if .Values.logProxy }} - - name: "NS_LOGPROXY" - value: {{ .Values.logProxy | quote }} -{{- end }} -{{- if .Values.ingressIP }} - - name: "NS_VIP" - value: {{ .Values.ingressIP | quote }} -{{- end }} -{{- if .Values.nitroReadTimeout }} - - name: "NS_NITRO_READ_TIMEOUT" - value: "{{ .Values.nitroReadTimeout }}" -{{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 
- fieldPath: metadata.namespace - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName -{{- if .Values.kubernetesURL }} - - name: "kubernetes_url" - value: "{{ .Values.kubernetesURL }}" -{{- end }} -{{- if .Values.disableOpenshiftRoutes }} - - name: "DISABLE_OPENSHIFT_ROUTES" - value: "{{ .Values.disableOpenshiftRoutes }}" -{{- end }} -{{- if .Values.nsConfigDnsRec }} - - name: "NS_CONFIG_DNS_REC" - value: "{{ .Values.nsConfigDnsRec }}" -{{- end }} -{{- if .Values.nsSvcLbDnsRec }} - - name: "NS_SVC_LB_DNS_REC" - value: "{{ .Values.nsSvcLbDnsRec }}" -{{- end }} -{{- if .Values.optimizeEndpointBinding }} - - name: "OPTIMIZE_ENDPOINT_BINDING" - value: "{{ .Values.optimizeEndpointBinding }}" -{{- end }} -{{- if .Values.cpxBgpRouter }} - securityContext: - runAsUser: 0 - capabilities: - add: - - NET_ADMIN -{{- end }} - args: - - --configmap - {{ .Release.Namespace }}/{{ include "cpxconfigmap.fullname" . }} -{{- if .Values.ipam }} - - --ipam - citrix-ipam-controller -{{- end }} -{{- if .Values.disableAPIServerCertVerify }} - - --disable-apiserver-cert-verify - {{ .Values.disableAPIServerCertVerify }} -{{- end }} -{{- if .Values.cpxBgpRouter }} - - --deployment-type - kube-bgp-router -{{- end }} -{{- if .Values.ingressClass }} - - --ingress-classes -{{- range .Values.ingressClass}} - {{.}} -{{- end }} -{{- end }} -{{- if .Values.defaultSSLCertSecret }} - - --default-ssl-certificate - {{ .Release.Namespace }}/{{ .Values.defaultSSLCertSecret }} -{{- end }} -{{- end }} -{{- if .Values.updateIngressStatus }} -{{- if .Values.cpxBgpRouter }} - - --update-ingress-status - yes -{{- else }} - - --cpx-service - {{ .Release.Namespace }}/{{ include "cpxservice.fullname" . }} -{{- end }} -{{- end }} - volumeMounts: - - mountPath: /var/deviceinfo - name: shared-data - resources: - {{- toYaml .Values.cic.resources | nindent 12 }} -{{- if .Values.exporter.required }} - - name: exporter - image: "{{ tpl .Values.exporter.image . 
}}" - imagePullPolicy: {{ .Values.exporter.pullPolicy }} - args: - - "--secure=no" -{{- if .Values.cpxBgpRouter }} - - --target-nsip={{ .Values.nsIP | default "192.168.1.2" }}:9080 -{{- else }} - - "--target-nsip=127.0.0.1" -{{- end }} - - "--port={{ .Values.exporter.ports.containerPort }}" - env: - - name: "NS_DEPLOYMENT_MODE" - value: "SIDECAR" - securityContext: - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /var/deviceinfo - name: shared-data - resources: - {{- toYaml .Values.exporter.resources | nindent 12 }} -{{- end }} - volumes: - - name: shared-data - emptyDir: {} - - name: cpx-volume - emptyDir: {} -{{- if and .Values.nodeSelector.key .Values.nodeSelector.value }} - nodeSelector: - {{ .Values.nodeSelector.key }}: {{ .Values.nodeSelector.value }} -{{- end }} -{{- if .Values.tolerations }} - tolerations: {{ .Values.tolerations | toYaml | nindent 8 }} -{{- end }} -{{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} -{{- end }} - ---- -{{- if .Values.cpxBgpRouter }} -{{- if .Values.exporter.required }} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "cpxexporter.fullname" . }} - labels: - app: {{ include "cpxexporter.fullname" . }} - service-type: {{ include "cpxservicemonitorlabel" . }} -spec: - type: ClusterIP - ports: - - port: {{ .Values.exporter.ports.containerPort }} - targetPort: {{ .Values.exporter.ports.containerPort }} - name: exporter-port - selector: - app: {{ include "citrix-cpx-ingress-controller.fullname" . }} -{{- end }} -{{- else }} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "cpxservice.fullname" . }} - labels: - app: cpx-service - service-type: {{ include "cpxservicemonitorlabel" . }} -{{- if .Values.serviceAnnotations }} - annotations: -{{- with .Values.serviceAnnotations }} -{{ toYaml . 
| indent 4 }} -{{- end }} -{{- end }} -spec: -{{- if or .Values.serviceType.loadBalancer.enabled ( and (.Values.updateIngressStatus) (not .Values.cpxBgpRouter)) }} - externalTrafficPolicy: {{ .Values.serviceSpec.externalTrafficPolicy }} - type: LoadBalancer -{{- if .Values.serviceSpec.loadBalancerIP }} - loadBalancerIP: {{ .Values.serviceSpec.loadBalancerIP }} -{{- end }} -{{- else if .Values.serviceType.nodePort.enabled }} - type: NodePort - externalTrafficPolicy: {{ .Values.serviceSpec.externalTrafficPolicy }} -{{- end }} -{{- if and .Values.serviceType.loadBalancer.enabled .Values.serviceSpec.loadBalancerSourceRanges }} - loadBalancerSourceRanges: -{{- range .Values.serviceSpec.loadBalancerSourceRanges}} - - {{.}} -{{- end }} -{{- end }} - ports: -{{- if .Values.servicePorts }} -{{- with .Values.servicePorts }} -{{ toYaml . | indent 2 }} -{{- end }} -{{- else }} - - port: 80 - protocol: TCP - name: http -{{- if and .Values.serviceType.nodePort.enabled .Values.serviceType.nodePort.httpPort }} - nodePort: {{ .Values.serviceType.nodePort.httpPort }} -{{- end }} - - port: 443 - protocol: TCP - name: https -{{- if and .Values.serviceType.nodePort.enabled .Values.serviceType.nodePort.httpsPort }} - nodePort: {{ .Values.serviceType.nodePort.httpsPort}} -{{- end }} -{{- end }} -{{- if .Values.exporter.required }} - - port: {{ .Values.exporter.ports.containerPort }} - targetPort: {{ .Values.exporter.ports.containerPort }} - name: exporter-port -{{- end }} - selector: - app: {{ include "citrix-cpx-ingress-controller.fullname" . }} -{{- end }} - ---- - -{{- if .Values.exporter.required }} - -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ include "cpxservicemonitor.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - servicemonitor: citrix-adc-cpx -spec: - endpoints: - - interval: 30s - port: exporter-port - selector: - matchLabels: - service-type: {{ include "cpxservicemonitorlabel" . 
}} - namespaceSelector: - matchNames: - - monitoring - - default - - {{ .Release.Namespace }} - -{{- end }} diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.28.2/templates/configmap.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.28.2/templates/configmap.yaml deleted file mode 100644 index dff57083e9..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.28.2/templates/configmap.yaml +++ /dev/null 
@@ -1,71 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "cpxconfigmap.fullname" . }}
- namespace: {{ .Release.Namespace }}
-data:
- LOGLEVEL: {{ .Values.logLevel | quote | lower }}
- JSONLOG: {{ .Values.jsonLog | quote | lower }}
-{{- if eq (upper .Values.nsProtocol) "HTTPS" }}
- NS_PROTOCOL: "https"
-{{- if .Values.cpxBgpRouter }}
- NS_PORT: "9443"
-{{- else }}
- NS_PORT: "443"
-{{- end }}
-{{- else }}
- NS_PROTOCOL: "http"
-{{- if .Values.cpxBgpRouter }}
- NS_PORT: "9080"
-{{- else }}
- NS_PORT: "80"
-{{- end }}
-{{- end }}
-
-{{- if ne (upper .Values.nsHTTP2ServerSide) "OFF" }}
- NS_HTTP2_SERVER_SIDE: {{ .Values.nsHTTP2ServerSide | quote }}
-{{- end }}
-{{- if ne (toString .Values.nsCookieVersion) "0" }}
- NS_COOKIE_VERSION: {{ .Values.nsCookieVersion | quote }}
-{{- end }}
-{{- if .Values.nsDnsNameserver }}
- NS_DNS_NAMESERVER: {{ .Values.nsDnsNameserver }}
-{{- end }}
-
-{{- if .Values.analyticsConfig.required }}
- NS_ANALYTICS_CONFIG: |
- distributed_tracing:
- enable: {{ .Values.analyticsConfig.distributedTracing.enable | quote }}
- samplingrate: {{ .Values.analyticsConfig.distributedTracing.samplingrate }}
- endpoint:
- server: {{ include "analytics.server" . | quote }}
- service: {{ .Values.analyticsConfig.endpoint.service | quote }}
- timeseries:
- port: {{ .Values.analyticsConfig.timeseries.port }}
- metrics:
- enable: {{ .Values.analyticsConfig.timeseries.metrics.enable | quote }}
- mode: {{ .Values.analyticsConfig.timeseries.metrics.mode | quote }}
- auditlogs:
- enable: {{ .Values.analyticsConfig.timeseries.auditlogs.enable | quote }}
- events:
- enable: {{ .Values.analyticsConfig.timeseries.events.enable | quote }}
- transactions:
- enable: {{ .Values.analyticsConfig.transactions.enable | quote }}
- port: {{ .Values.analyticsConfig.transactions.port }}
-{{- end }}
-
-{{- if .Values.cpxBgpRouter }}
-{{- if .Values.bgpSettings.required }}
- NS_BGP_CONFIG: |
-{{- with .Values.bgpSettings.bgpConfig }}
- bgpConfig:
-{{ toYaml .
| indent 4 }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{- if .Values.nsLbHashAlgo.required }}
- NS_LB_HASH_ALGO: |
- hashFingers: {{ .Values.nsLbHashAlgo.hashFingers }}
- hashAlgorithm: {{ .Values.nsLbHashAlgo.hashAlgorithm | quote }}
-{{- end }}
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.28.2/templates/ingressclass.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.28.2/templates/ingressclass.yaml
deleted file mode 100644
index d75537b79f..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.28.2/templates/ingressclass.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{{- $default := .Values.setAsDefaultIngressClass -}}
-{{- if semverCompare ">=1.19.0-0" .Capabilities.KubeVersion.GitVersion }}
-{{- if .Values.ingressClass }}
-{{- range .Values.ingressClass }}
-apiVersion: networking.k8s.io/v1
-kind: IngressClass
-metadata:
- name: {{ . | quote }}
-{{- if $default }}
- annotations:
- ingressclass.kubernetes.io/is-default-class: "true"
-{{- end }}
-spec:
- controller: citrix.com/ingress-controller
----
-{{- end }}
-{{- end }}
-{{- end }}
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.28.2/templates/rbac.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.28.2/templates/rbac.yaml
deleted file mode 100644
index d812e76751..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.28.2/templates/rbac.yaml
+++ /dev/null
@@ -1,106 +0,0 @@
-{{- if not .Values.rbacRole }}
-kind: ClusterRole
-{{- else }}
-kind: Role
-{{- end }}
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }}
-{{- if .Values.rbacRole }}
- namespace: {{ .Release.Namespace }}
-{{- end }}
-rules:
- - apiGroups: [""]
-{{- if .Values.openshift }}
- resources: ["endpoints", "pods", "secrets", "routes", "tokenreviews", "subjectaccessreviews", "nodes", "namespaces", "configmaps", "services"]
-{{- else }}
- resources: ["endpoints", "pods", "secrets", "routes", "nodes", "namespaces", "configmaps", "services"]
-{{- end }}
- verbs: ["get", "list", "watch"]
- # services/status is needed to update the loadbalancer IP in service status for integrating
- # service of type LoadBalancer with external-dns
- - apiGroups: [""]
- resources: ["services/status"]
- verbs: ["patch"]
- - apiGroups: [""]
- resources: ["events"]
- verbs: ["create"]
- - apiGroups: ["extensions", "networking.k8s.io"]
- resources: ["ingresses"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["extensions","networking.k8s.io"]
- resources: ["ingresses/status"]
- verbs: ["patch"]
- - apiGroups: ["networking.k8s.io"]
- resources: ["ingressclasses"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["apiextensions.k8s.io"]
- resources: ["customresourcedefinitions"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["apps"]
- resources: ["deployments"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["citrix.com"]
- resources: ["rewritepolicies", "continuousdeployments", "authpolicies", "ratelimits", "listeners", "httproutes", "wafs", "apigatewaypolicies", "bots", "corspolicies", "appqoepolicies", "wildcarddnsentries"]
- verbs: ["get", "list", "watch", "create", "delete", "patch"]
- - apiGroups: ["citrix.com"]
- resources: ["rewritepolicies/status", "continuousdeployments/status", "authpolicies/status", "ratelimits/status", "listeners/status", "httproutes/status", "wafs/status",
"apigatewaypolicies/status", "bots/status", "corspolicies/status", "appqoepolicies/status", "wildcarddnsentries/status"]
- verbs: ["patch"]
- - apiGroups: ["citrix.com"]
- resources: ["vips"]
- verbs: ["get", "list", "watch", "create", "delete"]
- - apiGroups: ["crd.projectcalico.org"]
- resources: ["ipamblocks"]
- verbs: ["get", "list", "watch"]
-{{- if .Values.openshift }}
- - apiGroups: ["route.openshift.io"]
- resources: ["routes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["network.openshift.io"]
- resources: ["hostsubnets"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["config.openshift.io"]
- resources: ["networks"]
- verbs: ["get", "list"]
-{{- end }}
-
----
-
-{{- if not .Values.rbacRole }}
-kind: ClusterRoleBinding
-{{- else }}
-kind: RoleBinding
-{{- end }}
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }}
-{{- if .Values.rbacRole }}
- namespace: {{ .Release.Namespace }}
-{{- end }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
-{{- if not .Values.rbacRole }}
- kind: ClusterRole
-{{- else }}
- kind: Role
-{{- end }}
- name: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }}
-subjects:
-- kind: ServiceAccount
- name: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
-
----
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
-{{- if .Values.imagePullSecrets }}
-imagePullSecrets:
-{{- range .Values.imagePullSecrets }}
-- name: {{.}}
-{{- end }}
-{{- end }}
-
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.28.2/values.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.28.2/values.yaml
deleted file mode 100644
index cc236087c1..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.28.2/values.yaml
+++ /dev/null
@@ -1,225 +0,0 @@
-# Default values for citrix-cpx-with-ingress-controller.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-# Citrix ADC CPX config details
-imageRegistry: quay.io
-imageRepository: citrix/citrix-k8s-cpx-ingress
-imageTag: 13.1-30.52
-image: "{{ .Values.imageRegistry }}/{{ .Values.imageRepository }}:{{ .Values.imageTag }}"
-pullPolicy: IfNotPresent
-imagePullSecrets: []
-daemonSet: False
-nameOverride: ""
-replicaCount: 1
-fullnameOverride: ""
-mgmtHttpPort: 9080
-mgmtHttpsPort: 9443
-openshift: false
-nsHTTP2ServerSide: "OFF"
-nsCookieVersion: "0"
-nsConfigDnsRec:
-nsSvcLbDnsRec:
-nsDnsNameserver:
-optimizeEndpointBinding:
-routeLabels:
-namespaceLabels:
-
-# Service Type LoadBalancer and ingress support with CPX through BGP advertisement
-# If you enable this, CPX is run as DaemonSet. Please edit the bgpSettings for configuring
-# BGP neighbors for propgation of external IPs.
-cpxBgpRouter: false
-
-# If cpxBgpRouter is true, then this is the NSIP used by CPX for internal communication
-nsIP: 192.168.1.2
-
-# If cpxBgpRouter is true, then this is the Gateway used by CPX for internal communication
-nsGateway: 192.168.1.1
-
-# Protocol used for communication between Citrix Ingress Controller sidecar and Citrix CPX
-nsProtocol: http
-
-# External IP for ingress resource when bgpRouter is set to True
-ingressIP:
-
-# If IPAM controller is used for auto allocation of the external IP for service of type LoadBalancer, set this option to true
-ipam: False
-
-# Enable RBAC role (so called local role), by default CIC deployed with ClusterRole.
-# below variable to deploy CIC with RBAC role, only ingress service supported with this config
-rbacRole: False
-
-# API server Cert verification can be disabled, while communicating with API Server, if disableAPIServerCertVerify set to True
-disableAPIServerCertVerify: False
-
-cpxLicenseAggregator:
-
-sslCertManagedByAWS: False
-
-nodeSelector:
- key:
- value:
-tolerations: []
-
-serviceType:
- loadBalancer:
- enabled: False
- nodePort:
- enabled: False
- httpPort:
- httpsPort:
-
-serviceAnnotations: {}
-
-serviceSpec:
- externalTrafficPolicy: "Cluster"
- loadBalancerIP:
- loadBalancerSourceRanges: []
-
-servicePorts: []
-
-# Citrix Ingress Controller config details
-cic:
- imageRegistry: quay.io
- imageRepository: citrix/citrix-k8s-ingress-controller
- imageTag: 1.28.2
- image: "{{ .Values.cic.imageRegistry }}/{{ .Values.cic.imageRepository }}:{{ .Values.cic.imageTag }}"
- pullPolicy: IfNotPresent
- required: true
- resources: {}
- # We usually recommend not to specify default resources and to leave this as a conscious
- # choice for the user. This also increases chances charts run on environments with little
- # resources, such as Minikube. If you do want to specify resources, uncomment the following
- # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
- # Following values depends on no of ingresses configured by Ingress Controllers, so it is
- # advised to test with maximum no of ingresses to set these values.
- # limits:
- # cpu: 1000m
- # memory: 1000Mi
- # requests:
- # cpu: 250m
- # memory: 256Mi
-entityPrefix:
-license:
- accept: no
-ingressClass:
-setAsDefaultIngressClass: False
-# nitroReadTimeout is timeout value in seconds for nitro api read timeout(default is 20)
-nitroReadTimeout:
-logLevel: INFO
-jsonLog: false
-defaultSSLCertSecret:
-updateIngressStatus: False
-logProxy:
-kubernetesURL:
-disableOpenshiftRoutes:
-
-# Citrix ADM/License Server config details
-ADMSettings:
- licenseServerIP:
- licenseServerPort: 27000
- ADMIP:
- loginSecret:
- bandWidthLicense: false
- bandWidth: 1000 #bandwidth value shoule be in Mbps
- vCPULicense: false
- cpxCores:
- analyticsServerPort: 5557
- licenseEdition: PLATINUM
-
-# Exporter config details
-exporter:
- required: false
- imageRegistry: quay.io
- imageRepository: citrix/citrix-adc-metrics-exporter
- imageTag: 1.4.9
- image: "{{ .Values.exporter.imageRegistry }}/{{ .Values.exporter.imageRepository }}:{{ .Values.exporter.imageTag }}"
- pullPolicy: IfNotPresent
- ports:
- containerPort: 8888
- resources: {}
- # We usually recommend not to specify default resources and to leave this as a conscious
- # choice for the user. This also increases chances charts run on environments with little
- # resources, such as Minikube. If you do want to specify resources, uncomment the following
- # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
- # limits:
- # cpu: 100m
- # memory: 128Mi
- # requests:
- # cpu: 100m
- # memory: 128Mi
-
-
-# For CRDs supported by Citrix Ingress Controller
-crds:
- install: false
- retainOnDelete: false
-
-# Config required to be done by Citrix Ingress Controller for sending metrics to Citrix Observability Exporter
-analyticsConfig:
- required: false
- distributedTracing:
- enable: false
- samplingrate: 100
- endpoint:
- server:
- service:
- timeseries:
- port: 5563
- metrics:
- enable: false
- mode: 'avro'
- auditlogs:
- enable: false
- events:
- enable: false
- transactions:
- enable: false
- port: 5557
-
-# BGP configurations: local AS, remote AS and remote address is mandatory to provide. Please do the approrpiate changes with respect to your environment
-bgpSettings:
- # When bgpConfig is configured correctly, set the required to true for the configuration to be applied.
- required: false
- bgpConfig:
- - bgpRouter:
- # Local AS number for BGP advertisement
- localAS: 100
- neighbor:
- # Address of the nighbor router for BGP advertisement
- - address:
- # Remote AS number
- remoteAS: 100
- advertisementInterval: 10
- ASOriginationInterval: 10
-
-bgpPort:
-
-nsLbHashAlgo:
- required: false
- hashFingers: 256
- hashAlgorithm: 'DEFAULT'
-
-# Specifies whether a ServiceAccount should be created
-serviceAccount:
- create: true
- # The name of the ServiceAccount to use.
- # If not set and `create` is true, a name is generated using the fullname template
- # name:
-
-podAnnotations: {}
-
-resources: {}
- # We usually recommend not to specify default resources and to leave this as a conscious
- # choice for the user. This also increases chances charts run on environments with little
- # resources, such as Minikube. If you do want to specify resources, uncomment the following
- # lines, adjust them as necessary, and remove the curly braces after 'resources:'
- # This is the resource for CPX container.
- # limits:
- # cpu: 500m
- # memory: 512Mi
- # requests:
- # cpu: 100m
- # memory: 128Mi
-
-affinity: {}
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.29.5/Chart.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.29.5/Chart.yaml
deleted file mode 100644
index 7feb1aa607..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.29.5/Chart.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-annotations:
- catalog.cattle.io/certified: partner
- catalog.cattle.io/display-name: Citrix Cpx with Ingress Controller
- catalog.cattle.io/kube-version: '>=v1.16.0-0'
- catalog.cattle.io/release-name: citrix-cpx-with-ingress-controller
-apiVersion: v2
-appVersion: 1.29.5
-deprecated: true
-description: A Helm chart for Citrix ADC CPX with Citrix ingress Controller running
- as sidecar.
-home: https://www.citrix.com
-icon: https://raw.githubusercontent.com/citrix/citrix-helm-charts/gh-pages/icon.png
-kubeVersion: '>=v1.16.0-0'
-maintainers:
-- email: priyanka.sharma@citrix.com
- name: priyankash-citrix
-- email: subash.dangol@citrix.com
- name: subashd
-name: citrix-cpx-with-ingress-controller
-sources:
-- https://github.com/citrix/citrix-k8s-ingress-controller
-version: 1.29.5
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.29.5/README.md b/charts/citrix/citrix-cpx-with-ingress-controller/1.29.5/README.md
deleted file mode 100644
index accfd0af31..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.29.5/README.md
+++ /dev/null
@@ -1,576 +0,0 @@ -# Citrix ADC CPX with Citrix Ingress Controller running as sidecar. - -In a [Kubernetes](https://kubernetes.io/) or [OpenShift](https://www.openshift.com) cluster, you can deploy [Citrix ADC CPX](https://docs.citrix.com/en-us/citrix-adc-cpx) with Citrix ingress controller as a [sidecar](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/). The Citrix ADC CPX instance is used for load balancing the North-South traffic to the microservices in your cluster. And, the sidecar Citrix ingress controller configures the Citrix ADC CPX. - -## TL;DR; - -### For Kubernetes - ``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes - ``` - - To install Citrix Provided Custom Resource Definition(CRDs) along with Citrix Ingress Controller - ``` - helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,crds.install=true - ``` - -### For OpenShift - - ``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,openshift=true - ``` - - To install Citrix Provided Custom Resource Definition(CRDs) along with Citrix Ingress Controller - ``` - helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,openshift=true,crds.install=true - ``` - -> **Important:** -> -> The "license.accept" is a mandatory argument and should be set to "yes" to accept the terms of the Citrix license. - - -## Introduction -This Helm chart deploys a Citrix ADC CPX with Citrix ingress controller as a sidecar in the [Kubernetes](https://kubernetes.io/) or in the [Openshift](https://www.openshift.com) cluster using the [Helm](https://helm.sh/) package manager. 
- -### Prerequisites - -- The [Kubernetes](https://kubernetes.io/) version should be 1.16 and above if using Kubernetes environment. -- The [Openshift](https://www.openshift.com) version 4.8 or later if using OpenShift platform. -- The [Helm](https://helm.sh/) version 3.x or later. You can follow instruction given [here](https://github.com/citrix/citrix-helm-charts/blob/master/Helm_Installation_version_3.md) to install the same. -- You have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator), if you want to view the metrics of the Citrix ADC CPX collected by the [metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics). -- Registration of Citrix ADC CPX in ADM: You may want to register your CPX in ADM for licensing or to obtain [servicegraph](https://docs.citrix.com/en-us/citrix-application-delivery-management-service/application-analytics-and-management/service-graph.html). For this you will have to create a Kubernetes secret using ADM credentials and provide it while install the chart. Create a Kubernetes secret for the user name and password using the following command: - - ``` - kubectl create secret generic admlogin --from-literal=username= --from-literal=password= -n citrix-system - ``` - -## Installing the Chart -Add the Citrix Ingress Controller helm chart repository using command: - - ``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - ``` - -### For Kubernetes: -#### 1. Citrix ADC CPX with Citrix Ingress Controller running as side car. -To install the chart with the release name ``` my-release```: - - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,ingressClass[0]= - ``` - -> **Note:** -> -> By default the chart installs the recommended [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) roles and role bindings. 
- -The command deploys Citrix ADC CPX with Citrix ingress controller as a sidecar on the Kubernetes cluster with the default configuration. The [configuration](#configuration) section lists the mandatory and optional parameters that you can configure during installation. - -#### 2. Citrix ADC CPX with Citrix Ingress Controller and Exporter running as side car. -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed as sidecar to the Citrix ADC CPX and collects metrics from the Citrix ADC CPX instance. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. -> **Note:** -> -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). - -Use the following command for this: - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,ingressClass[0]=,exporter.required=true - ``` - -### For OpenShift: -Add the name of the service account created when the chart is deployed to the privileged Security Context Constraints of OpenShift: - - ``` - oc adm policy add-scc-to-user privileged system:serviceaccount:: - ``` - -#### 1. Citrix ADC CPX with Citrix Ingress Controller running as side car. -To install the chart with the release name, `my-release`, use the following command: - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,openshift=true - ``` - -#### 2. Citrix ADC CPX with Citrix Ingress Controller and Exporter running as side car. -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed as sidecar to the Citrix ADC CPX and collects metrics from the Citrix ADC CPX instance. 
You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. -> **Note:** -> -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). - -Use the following command for this: - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,openshift=true,exporter.required=true - ``` - -### Installed components - -The following components are installed: - -- [Citrix ADC CPX](https://docs.citrix.com/en-us/citrix-adc-cpx/netscaler-cpx.html) -- [Citrix ingress controller](https://github.com/citrix/citrix-k8s-ingress-controller) (if enabled) -- [Exporter](https://github.com/citrix/citrix-adc-metrics-exporter) (if enabled) - - -### Citrix ADC CPX Service Annotations: - - The parameter `serviceAnnotations` can be used to annotate CPX service while installing Citrix ADC CPX using this helm chart. 
- For example, if CPX is getting deployed in Azure and an Azure Internal Load Balancer is required before CPX then the annotation `service.beta.kubernetes.io/azure-load-balancer-internal:True` can be set in CPX service using Helm command: - - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,serviceAnnotations.service\\.beta\\.kubernetes\\.io/azure-load-balancer-internal=True - ``` - - or the same can be provided in [values.yaml](https://github.com/citrix/citrix-helm-charts/blob/master/citrix-cpx-with-ingress-controller/values.yaml): - - ``` - license: - accept: yes - serviceAnnotations: - service.beta.kubernetes.io/azure-load-balancer-internal: True - ``` - - which can be used to install Citrix ADC CPX using Helm command: - - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller -f values.yaml - ``` - - To know more about service annotations supported by Kubernetes on various platforms please see [this](https://kubernetes.io/docs/concepts/services-networking/service/). - -### Citrix ADC CPX Service Ports: - - By default, port 80 and 443 of CPX service will exposed when CPX is installed using this helm chart. If it is required to expose any other ports in CPX service then the parameter `servicePorts` can be used for it. 
- For example, if port 9999 is required to be exposed then below helm command can be used for installing Citrix ADC CPX: - - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,servicePorts[0].port=9999,servicePorts[0].protocol=TCP,servicePorts[0].name=https - ``` - - or the same can be provided in [values.yaml](https://github.com/citrix/citrix-helm-charts/blob/master/citrix-cpx-with-ingress-controller/values.yaml): - - ``` - license: - accept: yes - servicePorts: - - port: 9090 - protocol: TCP - name: https - ``` - - which can be used to install Citrix ADC using Helm command: - - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller -f values.yaml - ``` - -> **Note:** If `servicePorts` parameters is used, only ports provided in this parameter will be exposed in CPX service. -> If you want to expose default ports 80 or 443, then you will need to explicity mention these also in this parameter. - -### Configuration for ServiceGraph: - If Citrix ADC CPX need to send data to the Citrix ADM to bring up the servicegraph, then the below steps can be followed to install Citrix ADC CPX with ingress controller. Citrix ingress controller configures Citrix ADC CPX with the configuration required for servicegraph. - - 1. Create secret using Citrix ADC Agent credentials, which will be used by Citrix ADC CPX to communicate with Citrix ADM Agent: - - kubectl create secret generic admlogin --from-literal=username= --from-literal=password= - - 2. 
Deploy Citrix ADC CPX with Citrix ingress controller using helm command: - - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,analyticsConfig.required=true,analyticsConfig.timeseries.metrics.enable=true,analyticsConfig.distributedTracing.enable=true,analyticsConfig.endpoint.server=,ADMSettings.ADMIP=,ADMSettings.loginSecret= - -> **Note:** -> If container agent is being used here for Citrix ADM, please provide `svcIP` of container agent in the `analyticsConfig.endpoint.server` parameter. - -## Citrix ADC CPX DaemonSet with Citrix Ingress Controller as sidecar for BGP Advertisement - - The previous section of deploying CPX as a Deployment requires a Tier-1 Loadbalancer such as Citrix VPX or cloud loadbalancers to route the traffic to CPX instances running in Kubernetes cluster, but you can also leverage BGP network fabric in your on-prem environemnt to route the traffic to CPX instances in a Kubernetes or Openshift cluster. you need to deploy CPX with Citrix Ingress Controller as Daemonset to advertise the ExternalIPs of the K8s services of type LoadBalancer to your BGP Fabric. Citrix ADC CPX establishes a BGP peering session with your network routers, and uses that peering session to advertise the IP addresses of external cluster services. If your routers have ECMP capability, the traffic is load-balanced to multiple CPX instances by the upstream router, which in turn load-balances to actual application pods. When you deploy the Citrix ADC CPX with this mode, Citrix ADC CPX adds iptables rules for each service of type LoadBalancer on Kubernetes nodes. The traffic destined to the external IP address is routed to Citrix ADC CPX pods. You can also set the 'ingressIP' variable to an IP Address to advertise the External IP address for Ingress resources. Refer [documentation](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/cpx-bgp-router.md) for complete details about BGP advertisement with CPX. 
- -### Download the chart -You can download the chart usimg `helm pull` command. -``` -helm repo add citrix https://citrix.github.io/citrix-helm-charts/ -helm pull citrix/citrix-cpx-with-ingress-controller -tar -zxvf citrix-cpx-with-ingress-controller-x.y.z.tgz -``` - -### Edit the BGP configuration in values.yaml -BGP configurations enables CPX to peer with neighbor routers for advertisting the routes for Service of Type LoadBalancer. Citrix Ingress Controllers uses static IPs given in Service YAML or using an IPAM controller to allocate an External IP address, and same is advertisted to the neighbour router with the Gateway as Node IP. An example BGP configurations is given below. - -``` -# BGP configurations: local AS, remote AS and remote address is mandatory to provide. -bgpSettings: - required: true - bgpConfig: - - bgpRouter: - # Local AS number for BGP advertisement - localAS: - neighbor: - # Address of the nighbor router for BGP advertisement - - address: xx.xx.xx.xx - # Remote AS number - remoteAS: - advertisementInterval: 10 - ASOriginationInterval: 10 -``` -If the cluster spawns across multiple networks, you can also specify the NodeSelector to give different neighbors for different Cluster Nodes as shown below. - -``` -bgpSettings: - required: true - bgpConfig: - - nodeSelector: datacenter=ds1 - bgpRouter: - localAS: - neighbor: - - address: xx.xx.xx.xx - remoteAS: - advertisementInterval: 10 - ASOriginationInterval: 10 - - nodeSelector: datacenter=ds2 - bgpRouter: - localAS: - neighbor: - - address: yy.yy.yy.yy - remoteAS: - advertisementInterval: 10 - ASOriginationInterval: 10 -``` - -### Deploy the chart -#### For Kubernetes: -#### 1. Citrix ADC CPX DaemonSet with Citrix Ingress Controller running as side car for BGP Advertisement. 
- - -To install the chart with the release name ``` my-release```: - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true - ``` -If you are running Citrix IPAM for auto allocation of IPs for Service of type LoadBalancer, you must enable the IPAM configurations in Citrix Ingress Controller as show below: - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ipam=true - ``` -If you are using ingress resources, you must set the `ingressIP` to a valid IP Address which will enable the BGP route advertisement for this IP when ingress resource is deployed. - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ingressIP= - ``` - -> **Note:** -> -> By default the chart installs the recommended [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) roles and role bindings. - -The command deploys Citrix ADC CPX Daemonset with Citrix ingress controller as a sidecar on the Kubernetes cluster with the default configuration. The [configuration](#configuration) section lists the mandatory and optional parameters that you can configure during installation. - -#### 2. Citrix ADC CPX with Citrix Ingress Controller and Exporter running as side car for BGP Advertisement. -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed as sidecar to the Citrix ADC CPX and collects metrics from the Citrix ADC CPX instance. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. -> **Note:** -> -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). 
- -Use the following command for this: - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,exporter.required=true - ``` -If you are running Citrix IPAM controller for auto allocation of IPs for Service of type LoadBalancer, you must enable the IPAM configurations in Citrix Ingress Controller as show below: - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ipam=true,exporter.required=true - ``` -If you are using ingress resources, you must set the `ingressIP` to a valid IP Address which will enable the BGP route advertisement for this IP when ingress resource is deployed. - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ingressIP=, exporter.required=true - ``` - -#### For OpenShift: -Add the name of the service account created when the chart is deployed to the privileged Security Context Constraints of OpenShift: - - ``` - oc adm policy add-scc-to-user privileged system:serviceaccount:: - ``` - -#### 1. Citrix ADC CPX DaemonSet with Citrix Ingress Controller running as side car for BGP Advertisement. -To install the chart with the release name, `my-release`, use the following command: - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,openshift=true - ``` -If you are running Citrix IPAM controller for auto allocation of IPs for Service of type LoadBalancer, you must enable the IPAM configurations in Citrix Ingress Controller as show below: - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ipam=true,openshift=true - ``` - - If you are using ingress or Route resources, you must set the `ingressIP` to a valid IP Address which will enable the BGP route advertisement for this IP when ingress resource is deployed. 
- - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ingressIP=,openshift=true - ``` - -#### 2. Citrix ADC CPX with Citrix Ingress Controller and Exporter running as side car for BGP Advertisement. -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed as sidecar to the Citrix ADC CPX and collects metrics from the Citrix ADC CPX instance. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. -> **Note:** -> -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). - -Use the following command for this: - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,openshift=true,openshift=true,exporter.required=true - ``` -If you are running Citrix IPAM controller for auto allocation of IPs for Service of type LoadBalancer, you must enable the IPAM configurations in Citrix Ingress Controller as show below: - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ipam=true,openshift=true,exporter.required=true - ``` - -If you are using ingress or Route resources, you must set the `ingressIP` to a valid IP Address which will enable the BGP route advertisement for this IP when ingress resource is deployed. - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ingressIP=,openshift=true,exporter.required=true - ``` - -## CRDs configuration - -CRDs can be installed/upgraded when we install/upgrade Citrix ADC CPX with Citrix ingress controller using `crds.install=true` parameter in Helm. If you do not want to install CRDs, then set the option `crds.install` to `false`. 
By default, CRDs too get deleted if you uninstall through Helm. This means, even the CustomResource objects created by the customer will get deleted. If you want to avoid this data loss set `crds.retainOnDelete` to `true`. - -> **Note:** -> Installing again may fail due to the presence of CRDs. Make sure that you back up all CustomResource objects and clean up CRDs before re-installing Citrix ADC CPX with Citrix ingress controller. - -There are a few examples of how to use these CRDs, which are placed in the folder: [Example-CRDs](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds). Refer to them and install as needed, using the following command: -```kubectl create -f ``` - -### Details of the supported CRDs: - -#### authpolicies CRD: - -Authentication policies are used to enforce access restrictions to resources hosted by an application or an API server. - -Citrix provides a Kubernetes CustomResourceDefinitions (CRDs) called the [Auth CRD](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/auth) that you can use with the Citrix ingress controller to define authentication policies on the ingress Citrix ADC. - -Example file: [auth_example.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/auth_example.yaml) - -#### continuousdeployments CRD for canary: - -Canary release is a technique to reduce the risk of introducing a new software version in production by first rolling out the change to a small subset of users. After user validation, the application is rolled out to the larger set of users. Citrix ADC-Integrated [Canary Deployment solution](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/canary) stitches together all components of continuous delivery (CD) and makes canary deployment easier for the application developers. 
- -#### httproutes and listeners CRDs for contentrouting: - -[Content Routing (CR)](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/contentrouting) is the execution of defined rules that determine the placement and configuration of network traffic between users and web applications, based on the content being sent. For example, a pattern in the URL or header fields of the request. - -Example files: [HTTPRoute_crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/HTTPRoute_crd.yaml), [Listener_crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/Listener_crd.yaml) - -#### ratelimits CRD: - -In a Kubernetes deployment, you can [rate limit the requests](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/ratelimit) to the resources on the back end server or services using rate limiting feature provided by the ingress Citrix ADC. - -Example files: [ratelimit-example1.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/ratelimit-example1.yaml), [ratelimit-example2.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/ratelimit-example2.yaml) - -#### vips CRD: - -Citrix provides a CustomResourceDefinitions (CRD) called [VIP](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/vip) for asynchronous communication between the IPAM controller and Citrix ingress controller. - -The IPAM controller is provided by Citrix for IP address management. It allocates IP address to the service from a defined IP address range. The Citrix ingress controller configures the IP address allocated to the service as virtual IP (VIP) in Citrix ADX VPX. And, the service is exposed using the IP address. - -When a new service is created, the Citrix ingress controller creates a CRD object for the service with an empty IP address field. 
The IPAM Controller listens to addition, deletion, or modification of the CRD and updates it with an IP address to the CRD. Once the CRD object is updated, the Citrix ingress controller automatically configures Citrix ADC-specfic configuration in the tier-1 Citrix ADC VPX. - -#### rewritepolicies CRD: - -In kubernetes environment, to deploy specific layer 7 policies to handle scenarios such as, redirecting HTTP traffic to a specific URL, blocking a set of IP addresses to mitigate DDoS attacks, imposing HTTP to HTTPS and so on, requires you to add appropriate libraries within the microservices and manually configure the policies. Instead, you can use the [Rewrite and Responder features](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/crd/rewrite-responder-policies-deployment.yaml) provided by the Ingress Citrix ADC device to deploy these policies. - -Example files: [target-url-rewrite.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/target-url-rewrite.yaml) - -#### wafs CRD: - -[WAF CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/waf.md) can be used to configure the web application firewall policies with the Citrix ingress controller on the Citrix ADC VPX, MPX, SDX, and CPX. The WAF CRD enables communication between the Citrix ingress controller and Citrix ADC for enforcing web application firewall policies. - -In a Kubernetes deployment, you can enforce a web application firewall policy to protect the server using the WAF CRD. For more information about web application firewall, see [Web application security](https://docs.citrix.com/en-us/citrix-adc/13/application-firewall/introduction/web-application-security.html). 
- -Example files: [wafhtmlxsssql.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/wafhtmlxsssql.yaml) - -#### CORS CRD: - -[CORS CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/cors.md) Cross-origin resource sharing (CORS) is a mechanism allows a web application running under one domain to securely access resources in another domain. You can configure CORS policies on Citrix ADC using Citrix ingress controller to allow one domain (the origin domain) to call APIs in another domain. For more information, see the [cross-origin resource sharing CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/cors.md) documentation. - -Example files: [cors-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/corspolicy-example.yaml) - -#### APPQOE CRD: - -[APPQOE CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/appqoe.md) When a Citrix ADC appliance receives an HTTP request and forwards it to a back-end server, sometimes there may be connection failures with the back-end server. You can configure the request-retry feature on Citrix ADC to forward the request to the next available server, instead of sending the reset to the client. Hence, the client saves round trip time when Citrix ADC initiates the same request to the next available service. -For more information, see the AppQoE support documentation. [Appqoe resource sharing CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/appqoe.md) documentation. - -Example files: [appqoe-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/appqoe_example.yaml) - -#### WILDCARDDNS CRD: - -[WILDCARDDNS CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/wildcarddns.md) Wildcard DNS domains are used to handle requests for nonexistent domains and subdomains. 
In a zone, use wildcard domains to redirect queries for all nonexistent domains or subdomains to a particular server, instead of creating a separate Resource Record (RR) for each domain. The most common use of a wildcard DNS domain is to create a zone that can be used to forward mail from the internet to some other mail system. -For more information, see the Wild card DNS domains support documentation. [Wildcard DNS Entry CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/wildcarddns.md) documentation. - -Example files: [wildcarddns-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/wildcarddns-example.yaml) - -## Citrix ADC CPX servicetype LoadBalancer -Citrix ADC CPX can be installed with service having servicetype LoadBalancer. Following arguments can be used in the `helm install` command for the same: - -``` -helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,serviceType.loadBalancer.enabled=True -``` - -## Citrix ADC CPX servicetype NodePort -Citrix ADC CPX can be installed with service having servicetype Nodeport. Following arguments can be used in the `helm install` command for the same: - -``` -helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,serviceType.nodePort.enabled=True -``` - -Additionally, `serviceType.nodePort.httpPort` and `serviceType.nodePort.httpsPort` arguments can be used to select the nodePort for the CPX service for HTTP and HTTPS ports. - -### Tolerations - -Taints are applied on cluster nodes whereas tolerations are applied on pods. Tolerations enable pods to be scheduled on node with matching taints. For more information see [Taints and Tolerations in Kubernetes](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/). 
- -Toleration can be applied to pod running Citrix ADC CPX and ingress controller containers using `tolerations` argument while deploying CPX+CIC using helm chart. This argument takes list of tolerations that user need to apply on the CPX+CIC pods. - -For example, following command can be used to apply toleration on the CPX+CIC pod: - -``` -helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,tolerations[0].key=,tolerations[0].value=,tolerations[0].operator=,tolerations[0].effect= -``` - -Here tolerations[0].key, tolerations[0].value and tolerations[0].effect are the key, value and effect that was used while tainting the node. -Effect represents what should happen to the pod if the pod don't have any matching toleration. It can have values `NoSchedule`, `NoExecute` and `PreferNoSchedule`. -Operator represents the operation to be used for key and value comparison between taint and tolerations. It can have values `Exists` and `Equal`. The default value for operator is `Equal`. - -## Configuration -The following table lists the configurable parameters of the Citrix ADC CPX with Citrix ingress controller as side car chart and their default values. - -| Parameters | Mandatory or Optional | Default value | Description | -| ---------- | --------------------- | ------------- | ----------- | -| license.accept | Mandatory | no | Set `yes` to accept the Citrix ingress controller end user license agreement. | -| imageRegistry | Mandatory | `quay.io` | The Citrix ADC CPX image registry | -| imageRepository | Mandatory | `citrix/citrix-k8s-cpx-ingress` | The Citrix ADC CPX image repository | -| imageTag | Mandatory | `13.1-30.52` | The Citrix ADC CPX image tag | -| pullPolicy | Mandatory | IfNotPresent | The Citrix ADC CPX image pull policy. | -| daemonSet | Optional | False | Set this to true if Citrix ADC CPX needs to be deployed as DaemonSet. 
| -| cic.imageRegistry | Mandatory | `quay.io` | The Citrix ingress controller image registry | -| cic.imageRepository | Mandatory | `citrix/citrix-k8s-ingress-controller` | The Citrix ingress controller image repository | -| cic.imageTag | Mandatory | `1.29.5` | The Citrix ingress controller image tag | -| cic.pullPolicy | Mandatory | IfNotPresent | The Citrix ingress controller image pull policy. | -| cic.required | Mandatory | true | CIC to be run as sidecar with Citrix ADC CPX | -| cic.resources | Optional | {} | CPU/Memory resource requests/limits for Citrix Ingress Controller container | -| cic.rbacRole | Optional | false | To deploy CIC with RBAC Role set rbacRole=true; by default CIC gets installed with RBAC ClusterRole(rbacRole=false)) | -| imagePullSecrets | Optional | N/A | Provide list of Kubernetes secrets to be used for pulling the images from a private Docker registry or repository. For more information on how to create this secret please see [Pull an Image from a Private Registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/). | -| nameOverride | Optional | N/A | String to partially override deployment fullname template with a string (will prepend the release name) | -| fullNameOverride | Optional | N/A | String to fully override deployment fullname template with a string | -| resources | Optional | {} | CPU/Memory resource requests/limits for Citrix CPX container | -| nitroReadTimeout | Optional | 20 | The nitro Read timeout in seconds, defaults to 20 | -| logLevel | Optional | DEBUG | The loglevel to control the logs generated by CIC. The supported loglevels are: CRITICAL, ERROR, WARNING, INFO, DEBUG and TRACE. 
For more information, see [Logging](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/configure/log-levels.md).| -| jsonLog | Optional | false | Set this argument to true if log messages are required in JSON format | -| nsConfigDnsRec | Optional | false | To enable/disable DNS address Record addition in ADC through Ingress | -| nsSvcLbDnsRec | Optional | false | To enable/disable DNS address Record addition in ADC through Type Load Balancer Service | -| nsDnsNameserver | Optional | N/A | To add DNS Nameservers in ADC | -| optimizeEndpointBinding | Optional | false | To enable/disable binding of backend endpoints to servicegroup in a single API-call. Recommended when endpoints(pods) per application are large in number. Applicable only for Citrix ADC Version >=13.0-45.7 | -| defaultSSLCertSecret | Optional | N/A | Provide Kubernetes secret name that needs to be used as a default non-SNI certificate in Citrix ADC. | -| nsHTTP2ServerSide | Optional | OFF | Set this argument to `ON` for enabling HTTP2 for Citrix ADC service group configurations. | -| cpxLicenseAggregator | Optional | N/A | IP/FQDN of the CPX License Aggregator if it is being used to license the CPX. | -| nsCookieVersion | Optional | 0 | Specify the persistence cookie version (0 or 1). | -| profileSslFrontend | Optional | N/A | Specify the frontend SSL profile. For Details see [Configuration using FRONTEND_SSL_PROFILE](https://docs.citrix.com/en-us/citrix-k8s-ingress-controller/configure/profiles.html#global-front-end-profile-configuration-using-configmap-variables) | -| profileTcpFrontend | Optional | N/A | Specify the frontend TCP profile. For Details see [Configuration using FRONTEND_TCP_PROFILE](https://docs.citrix.com/en-us/citrix-k8s-ingress-controller/configure/profiles.html#global-front-end-profile-configuration-using-configmap-variables) | -| profileHttpFrontend | Optional | N/A | Specify the frontend HTTP profile. 
For Details see [Configuration using FRONTEND_HTTP_PROFILE](https://docs.citrix.com/en-us/citrix-k8s-ingress-controller/configure/profiles.html#global-front-end-profile-configuration-using-configmap-variables) | -| logProxy | Optional | N/A | Provide Elasticsearch or Kafka or Zipkin endpoint for Citrix observability exporter. | -| nsProtocol | Optional | http | Protocol http or https used for the communication between Citrix Ingress Controller and CPX | -| cpxBgpRouter | Optional | false| If set to true, this CPX is deployed as daemonset in BGP controller mode wherein BGP advertisements are done for attracting external traffic to Kubernetes clusters | -| replicaCount | Optional | 1 | Number of CPX-CIC pods to be deployed. With `cpxBgpRouter : true`, replicaCount is 1 since CPX will be deployed as DaemonSet | -| nsIP | Optional | 192.168.1.2 | NSIP used by CPX for internal communication when run in Host mode, i.e when cpxBgpRouter is set to true. A /24 internal network is created in this IP range which is used for internal communications withing the network namespace. | -| nsGateway | Optional | 192.168.1.1 | Gateway used by CPX for internal communication when run in Host mode, i.e when cpxBgpRouter is set to true. If not specified, first IP in the nsIP network is used as gateway. It must be in same network as nsIP | -| bgpPort | Optional | 179 | BGP port used by CPX for BGP advertisement if cpxBgpRouter is set to true| -| ingressIP | Optional | N/A | External IP address to be used by ingress resources if not overriden by ingress.com/frontend-ip annotation in Ingress resources. This is also advertised to external routers when pxBgpRouter is set to true| -| entityPrefix | Optional | k8s | The prefix for the resources on the Citrix ADC CPX. | -| ingressClass | Optional | N/A | If multiple ingress load balancers are used to load balance different ingress resources. 
You can use this parameter to specify Citrix ingress controller to configure Citrix ADC associated with specific ingress class. For more information on Ingress class, see [Ingress class support](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/configure/ingress-classes/). For Kubernetes version >= 1.19, this will create an IngressClass object with the name specified here | -| setAsDefaultIngressClass | Optional | False | Set the IngressClass object as default. New Ingresses without an "ingressClassName" field specified will be assigned the class specified in ingressClass. Applicable only for kubernetes versions >= 1.19 | -| updateIngressStatus | Optional | False | Set this argument if you want to update ingress status of the ingress resources exposed via CPX. This is only applicable if servicetype of CPX service is LoadBalancer. | -| disableAPIServerCertVerify | Optional | False | Set this parameter to True for disabling API Server certificate verification. | -| openshift | Optional | false | Set this argument if OpenShift environment is being used. | -| disableOpenshiftRoutes | false | By default Openshift routes are processed in openshift environment, this variable can be used to disable Ingress controller processing the openshift routes. | -| routeLabels | Optional | N/A | You can use this parameter to provide the route labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster. | -| namespaceLabels | Optional | N/A | You can use this parameter to provide the namespace labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster. | -| sslCertManagedByAWS | Optional | False | Set this argument if SSL certs used is managed by AWS while deploying Citrix ADC CPX in AWS. | -| nodeSelector.key | Optional | N/A | Node label key to be used for nodeSelector option for CPX-CIC deployment. 
| -| nodeSelector.value | Optional | N/A | Node label value to be used for nodeSelector option in CPX-CIC deployment. | -| podAnnotations | Optional | N/A | Map of annotations to add to the pods. | -| affinity | Optional | N/A | Affinity labels for pod assignment. | -| tolerations | Optional | N/A | Specify the tolerations for the CPX-CIC deployment. | -| serviceType.loadBalancer.enabled | Optional | False | Set this argument if you want servicetype of CPX service to be LoadBalancer. | -| serviceType.nodePort.enabled | Optional | False | Set this argument if you want servicetype of CPX service to be NodePort. | -| serviceType.nodePort.httpPort | Optional | N/A | Specify the HTTP nodeport to be used for NodePort CPX service. | -| serviceType.nodePort.httpsPort | Optional | N/A | Specify the HTTPS nodeport to be used for NodePort CPX service. | -| serviceAnnotations | Optional | N/A | Dictionary of annotations to be used in CPX service. Key in this dictionary is the name of the annotation and Value is the required value of that annotation. For example, [see this](#citrix-adc-cpx-service-annotations). | -| serviceSpec.externalTrafficPolicy | Optional | Cluster | Use this parameter to provide externalTrafficPolicy for CPX service of type LoadBalancer or NodePort. `serviceType.loadBalancer.enabled` or `serviceType.nodePort.enabled` should be set to `true` according to your use case for using this parameter. | -| serviceSpec.loadBalancerIP | Optional | N/A | Use this parameter to provide LoadBalancer IP to CPX service of type LoadBalancer. `serviceType.loadBalancer.enabled` should be set to `true` for using this parameter. | -| serviceSpec.loadBalancerSourceRanges | Optional | N/A | Provide the list of IP Address or range which should be allowed to access the Network Load Balancer. `serviceType.loadBalancer.enabled` should be set to `true` for using this parameter. 
For details, see [Network Load Balancer support on AWS](https://kubernetes.io/docs/concepts/services-networking/service/#aws-nlb-support). | -| servicePorts | Optional | N/A | List of port. Each element in this list is a dictionary that contains information about the port. For example, [see this](#citrix-adc-cpx-service-ports). | -| ADMSettings.licenseServerIP | Optional | N/A | Provide the Citrix Application Delivery Management (ADM) IP address to license Citrix ADC CPX. For more information, see [Licensing](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/licensing/). | -| ADMSettings.licenseServerPort | Optional | 27000 | Citrix ADM port if non-default port is used. | -| ADMSettings.ADMIP | Optional | N/A | Citrix Application Delivery Management (ADM) IP address. | -| ADMSettings.loginSecret | Optional | N/A | The secret key to login to the ADM. For information on how to create the secret keys, see [Prerequisites](#prerequistes). | -| ADMSettings.bandWidthLicense | Optional | False | Set to true if you want to use bandwidth based licensing for Citrix ADC CPX. | -| ADMSettings.bandWidth | Optional | 1000 | Desired bandwidth capacity to be set for Citrix ADC CPX in Mbps. | -| ADMSettings.vCPULicense | Optional | N/A | Set to true if you want to use vCPU based licensing for Citrix ADC CPX. | -| ADMSettings.licenseEdition| Optional | PLATINUM | License edition that can be Standard, Platinum and Enterprise . By default, Platinum is selected.| -| ADMSettings.cpxCores | Optional | 1 | Desired number of vCPU to be set for Citrix ADC CPX. | -| ADMSettings.analyticsServerPort | Optional | 5557 | Port used for Analytics by ADM. Required to plot ServiceGraph. 
| -| exporter.required | Optional | false | Use the argument if you want to run the [Exporter for Citrix ADC Stats](https://github.com/citrix/citrix-adc-metrics-exporter) along with Citrix ingress controller to pull metrics for the Citrix ADC CPX| -| exporter.imageRegistry | Optional | `quay.io` | The Exporter for Citrix ADC Stats image registry | -| exporter.imageRepository | Optional | `citrix/citrix-adc-metrics-exporter` | The Exporter for Citrix ADC Stats image repository | -| exporter.imageTag | Optional | `1.4.9` | The Exporter for Citrix ADC Stats image tag | -| exporter.pullPolicy | Optional | IfNotPresent | The Exporter for Citrix ADC Stats image pull policy. | -| exporter.resources | Optional | {} | CPU/Memory resource requests/limits for Metrics exporter container | -| exporter.ports.containerPort | Optional | 8888 | The Exporter for Citrix ADC Stats container port. | -| analyticsConfig.required | Mandatory | false | Set this to true if you want to configure Citrix ADC to send metrics and transaction records to analytics service. | -| analyticsConfig.distributedTracing.enable | Optional | false | Set this value to true to enable OpenTracing in Citrix ADC. | -| analyticsConfig.distributedTracing.samplingrate | Optional | 100 | Specifies the OpenTracing sampling rate in percentage. | -| analyticsConfig.endpoint.server | Optional | N/A | Set this value as the IP address or DNS address of the analytics server. | -| analyticsConfig.endpoint.service | Optional | N/A | Set this value as the IP address or service name with namespace of the analytics service deployed in Kuberenetes. Format: namespace/servicename| -| analyticsConfig.timeseries.port | Optional | 5563 | Specify the port used to expose analytics service for timeseries endpoint. | -| analyticsConfig.timeseries.metrics.enable | Optional | Set this value to true to enable sending metrics from Citrix ADC. 
| -| analyticsConfig.timeseries.metrics.mode | Optional | avro | Specifies the mode of metric endpoint. | -| analyticsConfig.timeseries.auditlogs.enable | Optional | false | Set this value to true to export audit log data from Citrix ADC. | -| analyticsConfig.timeseries.events.enable | Optional | false | Set this value to true to export events from the Citrix ADC. | -| analyticsConfig.transactions.enable | Optional | false | Set this value to true to export transactions from Citrix ADC. | -| analyticsConfig.transactions.port | Optional | 5557 | Specify the port used to expose analytics service for transaction endpoint. | -| crds.install | Optional | False | Unset this argument if you don't want to install CustomResourceDefinitions which are consumed by CIC. | -| crds.retainOnDelete | Optional | false | Set this argument if you want to retain CustomResourceDefinitions even after uninstalling CIC. This will avoid data-loss of Custom Resource Objects created before uninstallation. | -| bgpSettings.required | Optional | false | Set this argument if you want to enable BGP configurations for exposing service of Type Loadbalancer through BGP fabric| -| bgpSettings.bgpConfig | Optional| N/A| This represents BGP configurations in YAML format. For the description about individual fields, please refer the [documentation](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/cpx-bgp-router.md) | -| nsLbHashAlgo.required | Optional | false | Set this value to set the LB consistent hashing Algorithm | -| nsLbHashAlgo.hashFingers | Optional |256 | Specifies the number of fingers to be used for hashing algorithm. Possible values are from 1 to 1024, Default value is 256 | -| nsLbHashAlgo.hashAlgorithm | Optional | 'default' | Specifies the supported algorithm. 
Supported algorithms are "default", "jarh", "prac", Default value is 'default' | - -> **Note:** -> -> If Citrix ADM related information is not provided during installation, Citrix ADC CPX will come up with the default license. - -Alternatively, you can define a YAML file with the values for the parameters and pass the values while installing the chart. - -For example: - ``` - helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller -f values.yaml - ``` - -> **Tip:** -> -> The [values.yaml](https://github.com/citrix/citrix-helm-charts/blob/master/citrix-cpx-with-ingress-controller/values.yaml) contains the default values of the parameters. - -## Uninstalling the Chart -To uninstall/delete the ```my-release``` deployment: - ``` - helm delete my-release - ``` - -## Related documentation - -- [Citrix ADC CPX Documentation](https://docs.citrix.com/en-us/citrix-adc-cpx/12-1/cpx-architecture-and-traffic-flow.html) -- [Citrix ingress controller Documentation](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/) -- [Citrix ingress controller GitHub](https://github.com/citrix/citrix-k8s-ingress-controller) -- [BGP advertisement for External IPs with CPX](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/cpx-bgp-router.md) diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.29.5/app-readme.md b/charts/citrix/citrix-cpx-with-ingress-controller/1.29.5/app-readme.md deleted file mode 100644 index ef45a3d907..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.29.5/app-readme.md +++ /dev/null 
@@ -1,5 +0,0 @@ -# Citrix ADC CPX with Citrix Ingress Controller running as sidecar. - -In a [Kubernetes](https://kubernetes.io/) or [OpenShift](https://www.openshift.com) cluster, you can deploy [Citrix ADC CPX](https://docs.citrix.com/en-us/citrix-adc-cpx) with Citrix ingress controller as a [sidecar](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/). The Citrix ADC CPX instance is used for load balancing the North-South traffic to the microservices in your cluster. And, the sidecar Citrix ingress controller configures the Citrix ADC CPX. - -This Chart bootstraps deployment of Citrix ADC CPX with Citrix Ingress Controller as sidecar. diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.29.5/questions.yml b/charts/citrix/citrix-cpx-with-ingress-controller/1.29.5/questions.yml deleted file mode 100644 index 0c87144137..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.29.5/questions.yml +++ /dev/null 
@@ -1,211 +0,0 @@ -questions: -- variable: license.accept - required: true - default: "no" - type: enum - description: "Set to yes to accept the terms and conditions of the Citrix license." - label: Accept License - group: "Deployment Settings" - options: - - "yes" - - "no" -- variable: openshift - default: false - type: boolean - description: "openshift is set to true if charts are being deployed in OpenShift environment" - label: Openshift flag - group: "Deployment Settings" -- variable: nsNamespace - type: string - description: "Prefix for the resources on Citrix ADC" - label: Resource Prefix - group: "Deployment Settings" -- variable: ingressClass[0] - type: string - description: "ingressClass is the name of the Ingress Class" - label: Ingress Class - group: "Deployment Settings" -- variable: logLevel - default: "DEBUG" - type: enum - options: - - "TRACE" - - "DEBUG" - - "INFO" - - "WARNING" - - "ERROR" - description: "logLevel of Citrix Ingress Controller pod" - label: LogLevel - group: "Deployment Settings" -- variable: defaultSSLCert - type: string - description: "Secret containing the default ceritifcate for SSL vservers" - label: Default SSLCert - group: "ADC Settings" -- variable: logProxy - type: string - description: "Elasticsearch or Kafka or Zipkin endpoint for Citrix observability exporte" - label: LogProxy - group: "Deployment Settings" -- variable: http2ServerSide - default: "OFF" - type: enum - options: - - "ON" - - "OFF" - description: "Set to ON to enable HTTP2 for Citrix ADC service group configurations" - label: HTTP2 on ADC - group: "ADC Settings" -- variable: nodeSelector.key - type: string - label: NodeSelector Key - group: "Deployment Settings" -- variable: nodeSelector.value - type: string - label: NodeSelector Value - group: "Deployment Settings" - - -- variable: ADMSettings.licenseServerIP - type: string - label: ADM LicenseServerIP - group: "ADM Settings" -- variable: ADMSettings.licenseServerPort - default: 27000 - type: int - label: 
ADM LicenseServerPort - group: "ADM Settings" -- variable: ADMSettings.ADMIP - type: string - label: ADM IP - group: "ADM Settings" -- variable: ADMSettings.ADMFingerPrint - type: string - label: ADM FingerPrint - group: "ADM Settings" -- variable: ADMSettings.loginSecret - type: string - label: ADM Login Secret - group: "ADM Settings" -- variable: ADMSettings.bandWidthLicense - type: boolean - label: CPX Bandwidth License - group: "ADM Settings" -- variable: ADMSettings.bandWidth - type: int - label: CPX Bandwidth - group: "ADM Settings" -- variable: ADMSettings.vCPULicense - type: boolean - label: CPX vCPU License - group: "ADM Settings" -- variable: ADMSettings.cpxCores - type: int - label: CPX Cores - group: "ADM Settings" -- variable: cic.pullpolicy - default: "IfNotPresent" - type: enum - label: CIC Image Pullpolicy - group: "CIC/CPX Image Settings" - options: - - "Always" - - "IfNotPresent" - - "Never" -- variable: pullpolicy - default: "IfNotPresent" - type: enum - label: CPX Image Pullpolicy - group: "CIC/CPX Image Settings" - options: - - "Always" - - "IfNotPresent" - - "Never" -- variable: cic.image - default: "quay.io/citrix/citrix-k8s-ingress-controller:1.8.28" - type: string - label: CIC Image - group: "CIC/CPX Image Settings" -- variable: image - type: string - default: "quay.io/citrix/citrix-k8s-cpx-ingress:13.0-58.30" - label: CPX Image - group: "CIC/CPX Image Settings" -- variable: exporter.image - default: "quay.io/citrix/citrix-adc-metrics-exporter:1.4.5" - type: string - description: "Exporter Image to be used" - label: Exporter Image - group: "Exporter Settings" -- variable: exporter.pullPolicy - default: "IfNotPresent" - type: string - description: "Exporter Image pull policy" - label: Exporter Image PullPolicy - group: "Exporter Settings" -- variable: exporter.ports.containerPort - default: 8888 - type: int - label: Exporter ContainerPort - group: "Exporter Settings" -- variable: coeConfig.distributedTracing.enable - default: false - type: 
boolean - label: Enable distributedTracing - group: "COE Settings" -- variable: coeConfig.distributedTracing.samplingrate - default: 100 - type: int - label: COE Sampling Rate - group: "COE Settings" -- variable: coeConfig.endpoint.server - type: string - label: COE Endpoint Server - group: "COE Settings" -- variable: coeConfig.timeseries.port - default: 5563 - type: int - label: COE timeseries port - group: "COE Settings" -- variable: coeConfig.timeseries.metrics.enable - default: false - type: boolean - label: Enable timeseries metrics - group: "COE Settings" -- variable: coeConfig.timeseries.metrics.mode - default: 'avro' - type: string - label: COE timeseries metrics Mode - group: "COE Settings" -- variable: coeConfig.timeseries.auditlogs.enable - default: false - type: string - label: Enable timeseries auditlogs - group: "COE Settings" -- variable: coeConfig.timeseries.events.enable - default: false - type: string - label: Enable timeseries events - group: "COE Settings" -- variable: coeConfig.transactions.enable - default: false - type: string - label: Enable transactions - group: "COE Settings" -- variable: coeConfig.transactions.port - default: 5557 - type: int - label: COE transactions port - group: "COE Settings" -- variable: crds.install - default: true - type: boolean - description: "If set to true the charts will install CustomResourceDefinitions which are consumed by CIC." - label: CRD flag - group: "Deployment Settings" -- variable: crds.retainOnDelete - default: false - type: boolean - description: "Set this argument to true if you want to retain CustomResourceDefinitions even after uninstalling CIC. This will avoid data-loss of Custom Resource Objects created before uninstallation." - label: CRD retainOnDelete flag - group: "Deployment Settings" 
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.29.5/templates/NOTES.txt b/charts/citrix/citrix-cpx-with-ingress-controller/1.29.5/templates/NOTES.txt deleted file mode 100644 index bccfdf69a4..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.29.5/templates/NOTES.txt +++ /dev/null @@ -1,14 +0,0 @@ -Thank you for installing {{ .Chart.Name }}. - -Your release is named {{ .Release.Name }}. - - -To learn more about the release, try: - - $ helm status {{ .Release.Name }} - $ helm get {{ .Release.Name }} - - -To delete : - helm delete {{ .Release.Name }} - diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.29.5/templates/_helpers.tpl b/charts/citrix/citrix-cpx-with-ingress-controller/1.29.5/templates/_helpers.tpl deleted file mode 100644 index 92e636ce23..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.29.5/templates/_helpers.tpl +++ /dev/null 
@@ -1,97 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Analytics Server IP or DNS -*/}} -{{- define "analytics.server" -}} -{{- if .Values.analyticsConfig.endpoint.server -}} -{{- printf .Values.analyticsConfig.endpoint.server -}} -{{- else -}} -{{- printf "analytics.%s.svc.cluster.local" .Release.Namespace -}} -{{- end -}} -{{- end -}} - - -{{- define "citrix-cpx-ingress-controller.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "citrix-cpx-ingress-controller.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{- define "cpxservice.fullname" -}} -{{- $name := default .Chart.Name "cpx-service" .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} - -{{- define "cpxexporter.fullname" -}} -{{- $name := default .Chart.Name "exporter" .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} - -{{- define "cpxservicemonitor.fullname" -}} -{{- $name := default .Chart.Name "citrix-adc-cpx-servicemonitor" .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- 
.Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} - -{{- define "cpxservicemonitorlabel" -}} -{{- $name := default .Chart.Name "citrix-adc-cpx-svcmon" .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} - -{{- define "cpxconfigmap.fullname" -}} -{{- $name := default .Chart.Name "cpx-cic-configmap" .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "citrix-cpx-ingress-controller.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create the name of the service account to use -*/}} -{{- define "citrix-cpx-ingress-controller.serviceAccountName" -}} -{{- if .Values.serviceAccount.create -}} - {{ default (include "citrix-cpx-ingress-controller.fullname" .) .Values.serviceAccount.name }} -{{- else -}} - {{ default "default" .Values.serviceAccount.name }} -{{- end -}} -{{- end -}} diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.29.5/templates/cic_crds.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.29.5/templates/cic_crds.yaml deleted file mode 100644 index 54c7c448dd..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.29.5/templates/cic_crds.yaml +++ /dev/null 
@@ -1,2515 +0,0 @@ -{{- if .Values.crds.install }} -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: rewritepolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: rewritepolicy - plural: rewritepolicies - singular: rewritepolicy - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - rewrite-policies: - type: array - items: - type: object - properties: - servicenames: - description: 'Name of the services that needs to be binded to rewrite policy.' - type: array - items: - type: string - maxLength: 127 - goto-priority-expression: - description: 'Expression or other value specifying the next policy to be - evaluated if the current policy evaluates to TRUE. - Specify one of the following values: - * NEXT - Evaluate the policy with the next higher priority number. - * END - End policy evaluation. - Default value of goto-priority-expression: END' - type: string - maxLength: 1499 - logpackets: - type: object - description: 'Adds an audit message action. - The action specifies whether to log the message, and to which log.' 
- properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' - type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - rewrite-policy: - type: object - properties: - rewrite-criteria: - description: 'Expression against which traffic is evaluated.' - type: string - maxLength: 1299 - default-action: - description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). - An UNDEF event indicates an internal error condition.' - type: string - maxLength: 77 - enum: ['NOREWRITE', 'RESET', 'DROP'] - operation: - description: 'Type of user-defined rewrite action.' - type: string - enum: ["noop", "delete", "insert_http_header", "delete_http_header", - "corrupt_http_header", "insert_before", "insert_after", "replace", - "replace_http_res", "delete_all", "replace_all", "insert_before_all", - "insert_after_all", "clientless_vpn_encode", "clientless_vpn_encode_all", - "clientless_vpn_decode", "clientless_vpn_decode_all", "insert_sip_header", - "delete_sip_header", "corrupt_sip_header", "replace_sip_res", "replace_diameter_header_field", - "replace_dns_header_field", "replace_dns_answer_section"] - target: - description: 'Default syntax expression that specifies which part of the request or response to rewrite.' - type: string - maxLength: 1229 - modify-expression: - description: 'Default syntax expression that specifies the content to insert into the request - or response at the specified location, or that replaces the specified string.' - type: string - maxLength: 7991 - multiple-occurence-modify: - description: 'Search facility that is used to match multiple strings in the request or response.' 
- type: string - maxLength: 171 - additional-multiple-occurence-modify: - description: 'Specify additional criteria to refine the results of the search. - Always starts with the "extend(m,n)" operation, where "m" specifies number of bytes to the left of selected data - and "n" specifies number of bytes to the right of selected data. - You can use refineSearch only on body expressions, and only when rewrite-criteria is any one of this: - INSERT_BEFORE_ALL, INSERT_AFTER_ALL, REPLACE_ALL, and DELETE_ALL.' - type: string - maxLength: 1299 - direction: - description: 'Bind point to which to bind the policy.' - type: string - enum: ["REQUEST","RESPONSE"] - comment: - description: 'Any comments to preserve information about this rewrite policy.' - type: string - maxLength: 255 - required: [rewrite-criteria, operation, target, direction] - required: [rewrite-policy] - - responder-policies: - type: array - items: - type: object - properties: - servicenames: - description: 'Name of the services that needs to be binded to responder policy.' - type: array - items: - type: string - maxLength: 127 - goto-priority-expression: - description: 'Expression or other value specifying the next policy to be - evaluated if the current policy evaluates to TRUE. - Specify one of the following values: - * NEXT - Evaluate the policy with the next higher priority number. - * END - End policy evaluation. - Default value of goto-priority-expression: END' - type: string - maxLength: 1499 - logpackets: - type: object - description: 'Adds an audit message action. - The action specifies whether to log the message, and to which log.' - properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' 
- type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", - "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - responder-policy: - type: object - properties: - redirect: - type: object - description: 'Use this option when you want to Redirect the request when request matches to policy.' - properties: - url: - description: 'URL on which you want to redirect the request.' - type: string - maxLength: 7991 - redirect-status-code: - description: 'HTTP response status code, for example 200, 302, 404, etc.' - type: integer - minimum: 100 - maximum: 599 - redirect-reason: - description: 'Expression specifying the reason for redirecting the request.' - type: string - maxLength: 7991 - required: [url] - respondwith: - type: object - description: 'Use this parameter when you want to respond to the request when request matches to policy.' - properties: - http-payload-string: - description: 'Expression that you want to sent as response to the request.' - type: string - maxLength: 7991 - required: [http-payload-string] - noop: - type: string - description: 'Use this option when you want to send the request to the protected server instead of - responding to it when request matches to policy.' - properties: - target: - description: 'Default syntax expression that specifies to perform noop operation on' - type: string - maxLength: 1229 - reset: - type: string - description: 'Use this option when you want to Reset the client connection by closing it when request matches to policy.' - properties: - drop: - type: string - description: 'Use this option when you want to drop the request without sending a response to the user when request matches to policy.' - properties: - respond-criteria: - description: 'Default syntax expression that the policy uses to determine whether to respond to the specified request.' 
- type: string - maxLength: 1299 - default-action: - description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). - An UNDEF event indicates an internal error condition.' - type: string - maxLength: 77 - enum: ['NOOP', 'RESET', 'DROP'] - comment: - description: 'Any comments to preserve information about this responder policy.' - type: string - maxLength: 255 - required: [respond-criteria] - oneOf: [required: [redirect], required: [respondwith], required: [noop], required: [reset], required: [drop]] - required: [responder-policy] - - dataset: - type: array - items: - type: object - properties: - name: - description: 'Name of the dataset.' - type: string - maxLength: 32 - type: - description: 'Type of value to bind to the dataset.' - type: string - enum: ["ipv4", "number", "ipv6", "ulong", "double", "mac"] - comment: - description: 'Any comments to preserve information about this dataset.' - type: string - maxLength: 255 - values: - description: 'Value of the specified type that is associated with this dataset.' - type: array - items: - type: string - required: [name, type, values] - - patset: - type: array - items: - type: object - properties: - name: - description: 'Name of the Patset.' - type: string - maxLength: 32 - comment: - description: 'Any comments to preserve information about this patset.' - type: string - maxLength: 255 - values: - description: 'String of characters that constitutes a pattern and is associated with this patset.' - type: array - items: - type: string - required: [name, values] - - stringmap: - type: array - items: - type: object - properties: - name: - description: 'Name of the Stringmap.' - type: string - maxLength: 32 - comment: - description: 'Any comments to preserve information about this stringmap.' - type: string - maxLength: 255 - values: - description: 'List of (key,value) pairs to be bound to this string map.' 
- type: array - items: - type: object - properties: - key: - description: 'Character string constituting the key to be bound to this string map.' - type: string - maxLength: 2047 - value: - description: 'Character string constituting the value associated with the key.' - type: string - maxLength: 2047 - required: [name, values] - - httpcallout_policy: - type: array - items: - type: object - properties: - name: - description: 'httpcallout name' - type: string - maxLength: 32 - server_ip: - description: 'IP Address of the server(callout agent) to which the callout is sent.' - type: string - server_port: - description: 'Port of the server(callout agent) to which the callout is sent.' - type: integer - minimum: 1 - maximum: 65535 - http_method: - description: |+ - 'Method used in the HTTP request that this callout sends. - Default http method is GET' - type: string - enum: ['GET', 'POST'] - host_expr: - description: |+ - 'String expression to configure the Host header. Can contain a literal value - (for example, 10.101.10.11) or a derived value (for example, http.req.header("Host")). - The literal value can be an IP address or a fully qualified domain name. Mutually - exclusive with the full HTTP request expression.' - type: string - maxLength: 255 - url_stem_expr: - description: |+ - 'String expression for generating the URL stem. Can contain a literal string - (for example, "/mysite/index.html") or an expression that derives the value - (for example, http.req.url).' - type: string - maxLength: 8191 - headers: - type: array - description: |+ - 'One or more headers to insert into the HTTP request. Each header is represented by - name and expr, where expr is an expression that is evaluated at runtime to provide - the value for the named header. You can configure a maximum of eight headers for - an HTTP callout.' 
- items: - type: object - properties: - name: - description: 'header name' - type: string - expr: - description: 'header expression' - type: string - parameters: - type: array - description: |+ - 'One or more query parameters to insert into the HTTP request URL (for a GET request) - or into the request body (for a POST request). Each parameter is represented by - name and expr, where expr is an expression that is evaluated at run time to provide - the value for the named parameter (name=value). The parameter values are URL encoded.' - items: - type: object - properties: - name: - description: 'parameter name' - type: string - expr: - description: 'parameter expression' - type: string - body_expr: - description: |+ - 'An advanced string expression for generating the body of the request. - The expression can contain a literal string or an expression that derives - the value (for example, client.ip.src).' - type: string - full_req_expr: - description: |+ - 'Exact HTTP request, in the form of an expression, which the Citrix ADC sends - to the callout agent. The request expression is constrained by the feature - for which the callout is used. For example, an HTTP.RES expression cannot be - used in a request-time policy bank or in a TCP content switching policy bank.' - type: string - scheme: - description: |+ - 'Type of scheme for the callout server. - Default scheme is HTTP' - type: string - enum: ['HTTP', 'HTTPS'] - cache_for_secs: - description: |+ - 'Duration, in seconds, for which the callout response is cached. - The cached responses are stored in an integrated caching content - group named "calloutContentGroup". If no duration is configured, - the callout responses will not be cached unless normal caching - configuration is used to cache them. This parameter takes precedence over any - normal caching configuration that would otherwise apply to these responses.' 
- type: integer - minimum: 1 - maximum: 31536000 - return_type: - description: |+ - 'Type of data that the target callout agent returns in response to the callout - Available settings function as follows: - * TEXT - Treat the returned value as a text string. - * NUM - Treat the returned value as a number. - * BOOL - Treat the returned value as a Boolean value.' - type: string - enum: ['TEXT', 'NUM', 'BOOL'] - result_expr: - description: |+ - 'Expression that extracts the callout results from the response sent by the HTTP callout - agent. Must be a response based expression, that is, it must begin with HTTP.RES. The - operations in this expression must match the return type. For example, if you configure - a return type of TEXT, the result expression must be a text based expression. If the - return type is NUM, the result expression (resultExpr) must return a numeric value, - as in the following example: http.res.body(10000).length.' - type: string - maxLength: 8191 - comment: - description: 'Any comments to preserve information about this HTTP callout.' 
- type: string - maxLength: 255 - allOf: - - properties: - required: [name, server_ip, server_port] - - properties: - oneOf: - - properties: - required: [full_req_expr] - - properties: - anyOf: - - properties: - required: [http_method] - - properties: - required: [host_expr] - - properties: - required: [url_stem_expr] - - properties: - required: [headers] - - properties: - required: [parameters] - - properties: - required: [body_expr] - anyOf: [required: [rewrite-policies], required: [responder-policies]] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: ratelimits.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: ratelimit - plural: ratelimits - singular: ratelimit - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the ratelimit policies are applied.' - type: array - items: - type: string - maxLength: 127 - selector_keys: - type: object - description: 'Traffic match criteria to which apply above rate-limit/throttling. All keys are applied as AND condition. 
If no keys are specified, rate-limit applies at service level' - properties: - basic: - type: object - description: "Basic traffic stream selection criteria to which to apply the ratelimit" - properties: - path: - type: array - description: "api resource path prefix match. e.g. /api/v1/products" - items: - type: string - method: - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST','DELETE'] - header_name: - description: "HTTP header that identifies the unique API client for e.g. X-apikey" - type: string - per_client_ip: - description: "Setting this applies the throttling limit to each unique Client IP address accessing the API resource" - type: boolean - req_threshold: - description: 'Max requests per timeslice units to be allowed' - type: integer - timeslice: - description: 'Timeslice in miliseconds in multiple of 10. Defaults to 1000 miliseconds' - type: integer - limittype: - description: "Burst mode or smooth. Defaults to smooth limittype if not specified" - type: string - enum: ['BURSTY','SMOOTH'] - throttle_action: - type: string - enum: ['DROP', 'RESET','REDIRECT', 'RESPOND'] - description: "Drop will drop the requests exceeding limits, RESET will reset the client connection, Redirect will redirect to specified URL, respond will respond with 429 'Exceeded allowed rate of requests'" - redirect_url: - type: string - description: "Redirect-URL" - logpackets: - type: object - description: 'Adds an audit message action. The action specifies whether to log the message, and to which log.' - properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' 
- type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - required: [req_threshold] ---- -#Sample CRD instance - -#apiVersion: citrix.com/v1 -#description: VIP for apache service -#kind: vip -#metadata: -# name: service-apache -# namespace: default -#spec: -# description: VIP for the apache Service -# ipaddress: 10.99.98.90 -# kind: service -# name: apache - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: vips.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: vip - plural: vips - singular: vip - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - additionalPrinterColumns: - - jsonPath: .spec.ipaddress - name: VIP - type: string - - name: Age - type: date - jsonPath: .metadata.creationTimestamp - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - ipaddress: - type: string - name: - type: string - kind: - type: string - enum: ["service", "ingress"] - description: - type: string - range-name: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: authpolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: authpolicy - plural: authpolicies - singular: authpolicy - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: 'Current Status of the CRD' - jsonPath: .status.state - - name: Message - type: string - description: 'Status Message' - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: 
string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: |+ - 'Name of the services for which the policies applied' - type: array - items: - type: string - maxLength: 63 - authentication_mechanism: - type: object - description: |+ - 'Authentication mechanism. Options: using forms or using request header. - Default is Authentication using request header, when no option is specified' - properties: - using_request_header: - description: |+ - 'Enable user authentication using request header. Use when the credentials - or api keys are passed in a header. For example, when using Basic, Digest, - Bearer authentication or api keys. - When authentication using forms is provided, this is set to OFF' - - type: string - using_forms: - type: object - description: 'Enables authentication using forms. Use with user/web authentication.' - properties: - authentication_host: - description: |+ - 'Fully qualified domain name (FQDN) for authentication. - This FQDN should be unique and should resolve to frontend IP of - ADC with Ingress/service type LoadBalancer (or) vip of Listener CRD' - type: string - maxLength: 255 - authentication_host_cert: - description: |+ - 'Name of the SSL certificate to be used with authentication_host. 
- This certificate is mandatory while using_forms' - type: object - properties: - tls_secret: - type: string - description: 'Name of the Kubernetes Secret of type tls referring to Certificate' - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - preconfigured: - type: string - maxLength: 63 - description: |+ - 'Preconfigured SSL certkey name on ADC with the - certificate and key already added on ADC' - oneOf: - - properties: - required: [tls_secret] - - properties: - required: [preconfigured] - ingress_name: - description: |+ - 'Ingress name for which the authentication using forms - is applicable.' - type: string - maxLength: 63 - lb_service_name: - description: |+ - 'Service of type LoadBalancer for which the authentication using forms - is applicable.' - type: string - maxLength: 63 - listener_name: - description: |+ - 'Listener CRD name for which the authentication using forms is applicable.' - type: string - maxLength: 63 - vip: - description: |+ - 'Frontend IP of ingress for which the authentication - using forms is applicable. This refers to frontend-ip provided - with Ingress. It is suggested to use vip, if more than one Ingress - resource use the same frontend-ip' - type: string - required: [authentication_host, authentication_host_cert] - oneOf: - - properties: - required: [ingress_name] - - properties: - required: [lb_service_name] - - properties: - required: [listener_name] - - properties: - required: [vip] - oneOf: - - properties: - using_request_header: - enum: ['ON'] - required: [using_request_header] - - properties: - required: [using_forms] - - authentication_providers: - description: |+ - 'Authentication Configuration for required authentication providers/schemes. 
- One or more of these can be created' - type: array - items: - description: 'Create config for a single authentication provider of a particular type' - type: object - properties: - name: - description: 'Name for this provider, has to be unique, referenced by authentication policies' - type: string - maxLength: 127 - - oauth: - description: 'Authentication provided by external oAuth provider' - type: object - properties: - issuer: - description: 'Identity of the server whose tokens are to be accepted' - type: string - maxLength: 127 - audience: - description: 'Audience for which token sent by Authorization server is applicable' - type: array - items: - type: string - maxLength: 127 - jwks_uri: - description: |+ - 'URL of the endpoint that contains JWKs (Json Web Key) for - JWT (Json Web Token) verification' - type: string - maxLength: 127 - introspect_url: - description: ' URL of the introspection server' - type: string - maxLength: 127 - client_credentials: - description: |+ - 'secrets object that contains Client Id and secret as known - to Introspection server' - type: string - maxLength: 253 - token_in_hdr: - description: |+ - 'custom header name where token is present, - default is Authorization header' - type: array - items: - type: string - maxLength: 127 - maxItems: 2 - token_in_param: - description: 'query parameter name where token is present' - type: array - items: - type: string - maxLength: 127 - maxItems: 2 - signature_algorithms: - description: 'list of allowed signature algorithms, by default HS256, RS256, RS512 are allowed' - type: array - items: - type: string - enum: ['HS256', 'RS256', 'RS512'] - claims_to_save: - description: 'list of claims to be saved, used to create authorization policies' - type: array - items: - type: string - maxLength: 127 - metadata_url: - description: 'URL used to get OAUTH/OIDC provider metadata' - type: string - maxLength: 255 - user_field: - description: |+ - 'Attribute in the token from which username should be 
extracted. - by default, ADC looks at email attribute for user id' - type: string - maxLength: 127 - default_group: - description: |+ - 'group assigned to the request if authentication succeeds, - this is in addition to any extracted groups from token' - type: string - maxLength: 63 - grant_type: - description: 'used to specify the type of flow to the token end point, defaults to CODE' - type: array - items: - type: string - enum: ['CODE','PASSWORD'] - pkce: - description: 'specify whether to enable Proof Key Code Exchange, defaults to ENABLED' - type: string - enum: ['ENABLED', 'DISABLED'] - token_ep_auth_method: - description: |+ - 'authentication method to be used with token end point, - defaults to client_secret_post' - type: string - enum: ['client_secret_post', 'client_secret_jwt'] - - anyOf: - - properties: - required : [jwks_uri] - - properties: - required : [introspect_url, client_credentials] - - properties: - required : [metadata_url] - - ldap: - description: 'LDAP authentication provider' - type: object - properties: - server_ip: - description: 'IP address assigned to the LDAP server' - type: string - server_name: - description: 'LDAP server name as a FQDN' - type: string - maxLength: 127 - server_port: - description: 'Port on which the LDAP server accepts connections. Default is 389' - type: integer - minimum: 1 - maximum: 65535 - base: - description: |+ - 'Base (node) from which to start LDAP searches. If the LDAP server is - running locally, the default value of base is dc=netscaler, dc=com' - type: string - maxLength: 127 - server_login_credentials: - description: |+ - 'Kubernetes secret object providing credentials to login to LDAP server, - The secret data should have username and password' - type: string - login_name: - description: |+ - 'LDAP login name attribute. 
The Citrix ADC uses the LDAP login name - to query external LDAP servers or Active Directories' - type: string - maxLength: 127 - security_type: - description: |+ - 'Type of security used for communications between the Citrix ADC - and the LDAP server. Default is TLS' - type: string - enum: ['PLAINTEXT', 'TLS', 'SSL'] - validate_server_cert: - description: 'Validate LDAP Server certs. Default is NO' - type: string - enum: ['YES', 'NO'] - hostname: - description: |+ - 'Hostname for the LDAP server. If validate_server_cert is ON, - this must be the host name on the certificate from the LDAP - A hostname mismatch will cause a connection failure' - type: string - maxLength: 127 - sub_attribute_name: - description: 'LDAP group sub-attribute name. Used for group extraction from the LDAP server.' - type: string - maxLength: 31 - group_attribute_name: - description: 'LDAP group attribute name. Used for group extraction on the LDAP server.' - type: string - maxLength: 31 - search_filter: - description: |+ - 'String to be combined with the default LDAP user search string to form the - search value. For example, if the search filter "vpnallowed=true" is combined - with the LDAP login name "samaccount" and the user-supplied username is "bob", - the result is the LDAP search string ""(&(vpnallowed=true)(samaccount=bob)"" - (Be sure to enclose the search string in two sets of double quotation marks)' - type: string - maxLength: 255 - auth_timeout: - description: |+ - 'Number of seconds the Citrix ADC waits for a response from the server - Default is 3' - type: integer - minimum: 1 - maximum: 4294967295 - password_change: - description: 'Allow password change requests. 
Default is DISABLED' - type: string - enum: ['ENABLED', 'DISABLED'] - attributes_to_save: - description: |+ - 'List of attribute names separated by comma which needs to be fetched - from LDAP server and stored as key-value pair for the session on ADC' - type: string - maxLength: 2047 - oneOf: - - properties: - required: [server_ip] - - properties: - required: [server_name] - - saml: - description: |+ - 'SAML authentication provider. - Currently SAML is supported only with authentication mechanism using forms' - type: object - properties: - metadata_url: - description: 'URL is used for obtaining saml metadata.' - type: string - maxLength: 255 - metadata_refresh_interval: - description: |+ - 'Interval in minutes for fetching metadata from specified metadata URL. - Default is 36000' - type: integer - minimum: 1 - maximum: 4294967295 - signing_cert: - description: 'SSL certificate to sign requests from SP to IDP' - type: object - properties: - tls_secret: - type: string - description: 'Name of the Kubernetes Secret of type tls referring to Certificate' - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - preconfigured: - type: string - maxLength: 63 - description: |+ - 'Preconfigured SSL certkey name on ADC with the - certificate and key already added on ADC' - oneOf: - - properties: - required: [tls_secret] - - properties: - required: [preconfigured] - audience: - description: 'Audience for which assertion sent by IdP is applicable' - type: string - maxLength: 127 - issuer_name: - description: 'The name to be used in requests sent from SP to IDP to identify citrix ADC' - type: string - maxLength: 63 - binding: - description: 'Specifies the transport mechanism of saml message. Default is POST' - type: string - enum: ['REDIRECT', 'POST', 'ARTIFACT'] - artifact_resolution_service_url: - description: 'URL of the Artifact Resolution Service on IdP' - type: string - maxLength: 255 - logout_binding: - description: 'Specifies the transport mechanism of saml logout. 
Default is POST' - type: string - enum: ['REDIRECT', 'POST'] - reject_unsigned_assertion: - description: |+ - 'Reject unsigned SAML assertions. ON, rejects assertion without signature. - STRICT ensure that both Response and Assertion are signed. Default is ON' - type: string - enum: ['ON', 'OFF', 'STRICT'] - user_field: - description: 'SAML user ID, as given in the SAML assertion' - type: string - maxLength: 63 - default_authentication_group: - description: |+ - 'This is the default group that is chosen when the authentication - succeeds in addition to extracted groups' - type: string - maxLength: 63 - skew_time: - description: |+ - 'Allowed clock skew in number of minutes on an incoming assertion. - Default is 5' - type: integer - minimum: 1 - attributes_to_save: - description: |+ - 'List of attribute names separated by comma which needs to be extracted - and stored as key-value pair for the session on ADC' - type: string - maxLength: 2047 - required: - - metadata_url - - basic_local_db: - type: object - description: |+ - 'Basic HTTP authentication supported by ADC, user data in local DB of ADC. - Users needs to be added on ADC' - properties: - use_local_auth: - description: 'Use ADC authentication' - type: string - enum: ['YES'] - - required: - - name - - authentication_policies: - description: 'Authentication policies' - type: array - items: - type: object - description: 'Authentication policy' - properties: - resource: - type: object - description: 'endpoint/resource selection criteria' - properties: - path: - description: 'api resource path e.g. /products. 
' - type: array - items: - type: string - maxLength: 511 - method: - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST','DELETE'] - required: - - path - expression: - description: 'ADC syntax expression for authentication' - type: string - maxLength: 1229 - provider: - description: 'name of the authentication provider for the policy, empty if no authentication required' - type: array - items: - type: string - maxLength: 127 - maxItems: 1 - oneOf: - - required: [resource, provider] - - required: [expression, provider] - - authorization_policies: - description: 'Authorization policies' - type: array - items: - type: object - description: 'Authorization policy' - properties: - resource: - type: object - description: 'endpoint/resource selection criteria' - properties: - path: - description: 'api resource path e.g. /products. ' - type: array - items: - type: string - maxLength: 511 - method: - description: ' http method' - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST','DELETE'] - claims: - description: 'authorization scopes required for selected resource saved as claims or attributes' - type: array - items: - type: object - properties: - name: - description: 'name of the claim/attribute to check' - type: string - maxLength: 127 - values: - description: 'list of claim values required for the request' - type: array - items: - type: string - maxLength: 127 - minItems: 1 - required: - - name - - values - required: - - claims - expression: - description: 'ADC syntax expression for authorization' - type: string - maxLength: 1229 - oneOf: - - required: [resource] - - required: [expression] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: listeners.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - version: null - names: - kind: Listener - plural: listeners - singular: listener - scope: Namespaced - versions: - 
- name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - required: [spec] - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - required: [protocol] - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - protocol: - type: string - enum: ["https", "http"] - description: "Protocol for this listener" - vip: - type: string - description: "VIP address, Optional for CPX, required for Tier-1 deployments" - secondaryVips: - type: array - description: "An array of Secondary VIPs. All the VIPs will be part of an ipset" - minItems: 1 - items: - type: string - redirectPort: - type: integer - minimum: 1 - maximum: 65535 - description: "Port from which http traffic should be redirected to https" - port: - type: integer - minimum: 1 - maximum: 65535 - certificates: - type: array - description: "certificates attached to the endpoints - Not applicable for HTTP" - minItems: 1 - items: - type: object - properties: - preconfigured: - type: string - description: "Preconfigured Certificate name on ADC " - secret: - type: object - description: "Kuberentes secret object" - required: [name] - properties: - name: - type: string - description: "name of the Kubernetes Secret object where Cert is located" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - namespace: - type: string - description: "Namespace of the kubernetes secret object; Default is same namespace where the Listener object is located" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - default: - type: boolean - description: "Only one of the certificate can be marked as default which will be presented if none of the cert matches with the hostname" - oneOf: - - required: ["preconfigured"] - - required: ["secret"] - policies: - 
type: object - description: "Policies attached to the Listener" - properties: - httpprofile: - type: object - description: "HTTP profile configurations for the Listener, HTTP level configurations" - properties: - preconfigured: - type: string - description: "Preconfigured or Built-in HTTP profile name" - config: - type: object - description: "HTTP profile configuration for the listener. For individual fields, refer:https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ns/nshttpprofile/nshttpprofile/ Name field is auto populated" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - tcpprofile: - type: object - description: "TCP level configurations, uses ns tcpprofile of citrix ADC" - properties: - preconfigured: - description: "Preconfigured or Built-in TCP profile name" - type: string - config: - type: object - description: "TCPprofile configurations for the listener. For individual fields refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ns/nstcpprofile/ ; Name field is auto populated" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - csvserverConfig: - type: object - description: "CS Vserver configuration for the listener" - additionalProperties: - type: string - sslprofile: - type: object - description: "SSL profile configuration" - properties: - preconfigured: - type: string - description: "SSL profile which is preconfigured in ADC. Ciphers bound to the profile is not overriden" - config: - description: "Citrix ADC frontend SSL profile configurations. 
Refer:https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ssl/sslprofile/ for all configurations; Name field is auto generated" - type: object - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - sslciphers: - type: array - description: "List of ciphers to be bound to the ssl profile for the listener. Priority is as per the order in the list. A cipher suite, predefined cipher group or User created cipher group can be mentioned" - minItems: 1 - items: - type: string - description: "Cipher suite, cipher group name" - analyticsprofile: - type: object - description: "Analytics profile configuration" - properties: - preconfigured: - type: array - description: "Preconfigured Analytics profile that needs to be bound to the vserver" - minItems: 1 - items: - type: string - description: "Name of the analytics profile preconfigured that will be bound to the Vserver" - config: - type: array - description: "An array of analytics to be enabled" - minItems: 1 - items: - type: object - description: "Anlytics to be enabled" - required: ['type'] - properties: - type: - description: "Analytics profile to be enabled, you can enable one or more of the webinsight, tcpinsight, securityinsight, videoinsight, hdxinsight, gatewayinsight, timeseries, lsninsight, botinsight " - type: string - enum: ["webinsight", "tcpinsight", "securityinsight", "videoinsight", "hdxinsight", "gatewayinsight", "timeseries", "lsninsight", "botinsight"] - parameters: - type: object - description: "Additional parameters for analytics profile. 
Please refer:https://developer-docs.citrix.com/projects/citrix-adc-nitro-api-reference/en/latest/configuration/analytics/analyticsprofile/" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - routes: - type: array - description: "List of route objects attached to the listener" - minItems: 1 - items: - type: object - properties: - name: - type: string - description: "Name of the HTTPRoute object" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - namespace: - type: string - description: "Namespace of the HTTPRoute object" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - labelSelector: - description: "Labels key value pair, if the route carries the same labels, it is automatically attached" - type: object - additionalProperties: - type: string - oneOf: - - required: [name, namespace] - - required: [labelSelector] - defaultAction: - type: object - description: "Default action for the listener: One of Backend or Redirect" - properties: - backend: - type: object - oneOf: - - required: [kube] - properties: - kube: - type: object - required: [service, port] - properties: - service: - description: "Name of the backend service" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - port: - description: "Service port" - type: integer - minimum: 1 - maximum: 65535 - namespace: - description: "Service namespace" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - backendConfig: - description: "General backend service options" - type: object - properties: - secure_backend: - description: "Use Secure communications to the backends" - type: boolean - lbConfig: - description: "Citrix ADC LB vserver configurations for the backend. 
Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/load-balancing/lbvserver/lbvserver/ for all configurations" - type: object - additionalProperties: - type: string - servicegroupConfig: - description: "Citrix ADC service group configurations for the backend; Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/basic/servicegroup/servicegroup/ for all configurations" - type: object - additionalProperties: - type: string - redirect: - type: object - oneOf: - - required: [targetExpression] - - required: [hostRedirect] - - required: [httpsRedirect] - properties: - httpsRedirect: - description: "Change the scheme from http to https keeping URL intact" - type: boolean - hostRedirect: - description: "Host name specified is used for redirection with URL intact" - type: string - targetExpression: - description: "A target can be specified using Citrix ADC policy expression" - type: string - responseCode: - description: "Default response code is 302, which can be customised using this attribute" - type: integer - minimum: 100 - maximum: 599 - oneOf: - - required: ["backend"] - - required: ["redirect"] - subresources: - # status enables the status subresource. 
- status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: httproutes.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - version: null - names: - kind: HTTPRoute - plural: httproutes - singular: httproute - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - required: [rules] - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - hostname: - type: array - description: "List of domain names that share the same route, default is '*'" - minItems: 1 - items: - type: string - description: "Domain name" - rules: - type: array - description: "List Content routing rules with an action defined" - minItems: 1 - items: - type: object - required: [name, action] - properties: - name: - type: string - description: "A name to represent the rule, this is used as an identifier in content routing policy name in ADC" - minLength: 1 - maxLength: 20 - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - match: - type: array - description: "List of rules with same action" - minItems: 1 - items: - type: object - anyOf: - - required: [path] - - required: [headers] - - required: [cookies] - - required: [queryParams] - - required: [method] - - required: [policyExpression] - properties: - path: - type: object - description: "URL Path based content routing" - properties: - prefix: - type: string - description: "URL path matches the prefix expression" - exact: - type: string - description: "URL Path must match exact path" - regex: - type: string - 
description: "PCRE based regex expression for path matching" - headers: - type: array - description: "List of header for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Header details for content routing, Check for existence of a header or header name-value match" - properties: - headerName: - type: object - description: "Header name based content routing, Here existence of header is used for routing" - properties: - exact: - type: string - description: "Header Name - treated as exact must exist" - contains: - type: string - description: "Header Name - A header must exist that contain the string the name" - regex: - type: string - description: "header Name - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e header name must not exist" - oneOf: - - required: [exact] - - required: [contains] - - required: [regex] - headerValue: - type: object - description: "Header Name and Value based match" - properties: - name: - type: string - description: "Header name that must match the value" - exact: - type: string - description: "Header value - treated as exact" - contains: - type: string - description: "Header value - treated as contains" - regex: - type: string - description: "header value - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e header if present must not match the value" - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - queryParams: - type: array - description: "List of Query parameters for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Query parameters Name and Value based match" - properties: - name: - type: string - description: "Query name that must match the value. 
If no value is specified, matches with any value" - exact: - type: string - description: "Query value - Exact match" - contains: - type: string - description: "Query value - value must have the string(substring)" - regex: - type: string - description: "Query value - Value must match this regex patterm" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e query if present must not match the value" - anyOf: - - required: [name] - - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - cookies: - type: array - description: "List of Cookie params for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Cookie based routing" - properties: - name: - type: string - description: "cookie name that must match the value. If no value specified, it matches with any value" - exact: - type: string - description: "cookie value - treated as exact" - contains: - type: string - description: "cookie value - treated as substring" - regex: - type: string - description: "cookie value - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. 
I.e cookie if present must not match the value" - anyOf: - - required: [name] - - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - method: - type: string - description: "HTTP method for content routing eg: POST, PUT, DELETE etc" - policyExpression: - type: string - description: "Citrix ADC policy expressions; refer: https://docs.citrix.com/en-us/netscaler/media/expression-prefix.pdf" - action: - type: object - description: "Action for the matched rule" - properties: - backend: - type: object - oneOf: - - required: [kube] - properties: - kube: - type: object - required: [service, port] - properties: - service: - description: "Name of the backend service" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - port: - description: "Service port" - type: integer - minimum: 1 - maximum: 65535 - backendConfig: - type: object - description: "General backend service options" - properties: - secureBackend: - description: "Use Secure communications to the backends" - type: boolean - lbConfig: - description: "Citrix ADC LB vserver configurations for the backend. 
Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/load-balancing/lbvserver/lbvserver/ for all configurations" - type: object - additionalProperties: - type: string - servicegroupConfig: - description: "Citrix ADC service group configurations for the backend; Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/basic/servicegroup/servicegroup/ for all configurations" - type: object - additionalProperties: - type: string - redirect: - type: object - oneOf: - - required: [targetExpression] - - required: [hostRedirect] - - required: [httpsRedirect] - properties: - httpsRedirect: - description: "Change the scheme from http to https keeping URL intact" - type: boolean - hostRedirect: - description: "Host name specified is used for redirection with URL intact" - type: string - targetExpression: - description: "A target can be specified using Citrix ADC policy expression" - type: string - responseCode: - description: "Default response code is 302, which can be customised using this attribute" - type: integer - minimum: 100 - maximum: 599 - oneOf: - - required: ["backend"] - - required: ["redirect"] - subresources: - # status enables the status subresource. - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - # name must match the spec fields below, and be in the form: . 
- name: continuousdeployments.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: continuousdeployment - plural: continuousdeployments - singular: continuousdeployment - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - cronSpec: - type: integer - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: wafs.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: waf - plural: wafs - singular: waf - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the waf policies are applied.' 
- type: array - items: - type: string - maxLength: 127 - application_type: - description: 'Type of applications to protect' - type: array - items: - type: string - enum: ['HTML', 'JSON', 'XML'] - signatures: - description: 'Location of external signature file' - type: string - redirect_url: - description: 'When a URL is blocked/down, redirect_url represents the alternate URL where the client requests should be sent.' - type: string - html_error_object: - description: 'Location of customized error page to respond when html or common violation are hit' - type: string - xml_error_object: - description: 'Location of customized error page to respond when xml violations are hit' - type: string - json_error_object: - description: 'Location of customized error page to respond when json violations are hit' - type: string - ip_reputation: - type: string - x-kubernetes-preserve-unknown-fields: true - description: 'Enabling IP reputation feature' - target: - description: 'To control what traffic to be inspected by Web Application Firewall. 
If you do not provide the target, everything will be inspected by default' - type: object - properties: - path: - type: array - description: "List of http urls to inspect" - items: - type: string - description: "URL path" - method: - type: array - description: "List of http methods to inspect" - items: - type: string - enum: ['GET', 'PUT', 'POST','DELETE'] - header: - type: array - description: "List of http headers to inspect" - items: - type: string - description: "header name" - security_checks: - description: 'To enable/disable application firewall security checks' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true - settings: - description: 'To fine tune application firewall security checks default settings' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true - relaxations: - description: 'Section which contains relaxation rules for known traffic and false positives' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true - enforcements: - description: 'Section which contains enforcement or restriction rules' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - 
x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: bots.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: bot - plural: bots - singular: bot - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the bot policies are applied.' - type: array - items: - type: string - maxLength: 127 - signatures: - description: 'Location of external bot signature file' - type: string - redirect_url: - description: 'url to redirect when bot violation is hit' - type: string - target: - description: 'To control what traffic to be inspected by BOT. 
If you do not provide the target, everything will be inspected by default' - type: object - properties: - path: - type: array - description: "List of http urls to inspect" - items: - type: string - description: "URL path" - method: - type: array - description: "List of http methods to inspect" - items: - type: string - enum: ['GET', 'PUT', 'POST','DELETE'] - header: - type: array - description: "List of http headers to inspect" - items: - type: string - description: "header name" - security_checks: - description: 'To enable/disable bot ecurity checks' - type: object - properties: - allow_list: - type: string - enum: ['ON', 'OFF'] - block_list: - type: string - enum: ['ON', 'OFF'] - device_fingerprint: - type: object - x-kubernetes-preserve-unknown-fields: true - reputation: - type: string - enum: ['ON', 'OFF'] - ratelimit: - type: string - enum: ['ON', 'OFF'] - tps: - type: string - enum: ['ON', 'OFF'] - trap: - type: object - x-kubernetes-preserve-unknown-fields: true - bindings: - description: 'Section which contains binding rules for bot security checks' - type: object - properties: - allow_list: - type: array - items: - type: object - properties: - subnet: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - expression: - type: object - x-kubernetes-preserve-unknown-fields: true - - block_list: - type: array - items: - type: object - properties: - subnet: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - expression: - type: object - x-kubernetes-preserve-unknown-fields: true - ratelimit: - type: array - items: - type: object - properties: - url: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - cookie: - type: object - x-kubernetes-preserve-unknown-fields: true - reputation: - type: object - x-kubernetes-preserve-unknown-fields: true 
- captcha: - type: array - items: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - tps: - type: object - properties: - geolocation: - type: object - x-kubernetes-preserve-unknown-fields: true - host: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - trapinsertion: - type: object - x-kubernetes-preserve-unknown-fields: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: apigatewaypolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: apigatewaypolicy - plural: apigatewaypolicies - singular: apigatewaypolicy - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - subresources: - status: {} - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - api_definition: - type: object - properties: - repository: - type: string - branch: - type: string - oas_secret_ref: - type: string - files: - type: array - items: - type: string - maxLength: 127 - api_proxy: - type: object - properties: - ipaddress: - type: string - port: - type: integer - protocol: - type: string - secret: - type: string - policies: - type: array - items: - type: object - properties: - name: - type: string - selector: - type: array - items: - type: object - properties: - tags: - type: array - items: - type: string - api: - type: string - method: - type: array - items: - type: string - maxLength: 127 - upstream: - type: object - properties: - 
service: - type: string - port: - type: integer - policy_bindings: - type: object - properties: - ratelimit: - type: object - properties: - name: - type: string - waf: - type: object - properties: - name: - type: string - rewritepolicy: - type: object - properties: - name: - type: string - bot: - type: object - properties: - name: - type: string - aaa: - type: array - items: - type: object - properties: - crd_name: - type: string - mappings: - type: array - items: - type: object - properties: - petstore_auth: - type: string - api_key: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: corspolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: corspolicy - plural: corspolicies - singular: corspolicy - shortNames: - - cp - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: 'Current Status of the CRD' - jsonPath: .status.state - - name: Message - type: string - description: 'Status Message' - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'The list of Kubernetes services to which you want to apply the cors policies.' 
- type: array - items: - type: string - maxLength: 63 - allow_origin: - description: 'Represents list of allowed origins, it is used to screen the “origin” in the cors pre flight request' - type: array - items: - type: string - maxLength: 2083 - allow_methods: - description: 'Indicates which methods are supported by the response’s URL for the purposes of the CORS protocol. This variable will be used to set Access-Control-Allow-Methods in the pre-flight cors response.' - type: array - items: - type: string - maxLength: 127 - allow_headers: - description: 'Indicates which headers are supported by the response’s URL for the purposes of the CORS protocol. This variable will be used to set Access-Control-Allow-Headers in the pre-flight cors response.' - type: array - items: - type: string - maxLength: 127 - max_age: - description: 'Indicates the number of seconds (5 by default) the information provided by the `Access-Control-Allow-Methods` and `Access-Control-Allow-Headers` headers can be cached. This variable will be used to set Access-Control-Max-Age in the pre-flight cors response.' - type: integer - allow_credentials: - description: 'Indicates whether the response can be shared when the request’s credentials mode is "include". This variable will be set to Access-Control-Allow-Credentials in the rewrite action.' 
- type: boolean - required: [servicenames, allow_origin, allow_methods, allow_headers] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: appqoepolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: appqoepolicy - plural: appqoepolicies - singular: appqoepolicy - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - appqoe-policies: - type: array - items: - type: object - properties: - servicenames: - description: 'Name of the services that needs to be binded to appqoe policy.' - type: array - items: - type: string - maxLength: 127 - appqoe-policy: - type: object - properties: - operation-retry: - type: object - properties: - on-reset: - description: "To set Retry on Connection Reset or Not" - type: string - enum: ['YES','NO'] - on-timeout: - description: "Time in milliseconds for retry" - type: integer - minimum: 30 - maximum: 2000 - number-of-retries: - description: "To set number of retries" - type: integer - minimum: 1 - maximum: 7 - required: [operation-retry] - appqoe-criteria: - description: 'Expression against which traffic is evaluated.' - type: string - maxLength: 1299 - direction: - description: 'Bind point to which to bind the policy.' 
- type: string - enum: ["REQUEST","RESPONSE"] - required: [appqoe-criteria, operation-retry] - required: [appqoe-policy] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: wildcarddnsentries.citrix.com -spec: - group: citrix.com - names: - kind: wildcarddnsentry - plural: wildcarddnsentries - singular: wildcarddnsentry - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: Current Status of the CRD - jsonPath: .status.state - - name: Message - type: string - description: Status Message - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - zone: - type: object - description: DNS configuration for a zone - properties: - domain: - type: string - description: Domain name - dnsaddrec: - type: object - description: DNS Address record - properties: - domain-ip: - type: string - description: IPv4 addresses to assign to the domain name - ttl: - type: integer - description: >- - TTL is the time for which the record must be cached - by DNS proxies - dnsaaaarec: - type: object - description: DNS AAAA record - properties: - domain-ip: - type: string - description: IPv6 addresses to assign to the domain name - ttl: - type: integer - description: >- - TTL is the time for which the record must be cached - by DNS proxies - soarec: - type: object - description: SOA record - properties: - origin-server: - type: string - description: Origin server domain - contact: - type: string - description: Admin contact - serial: - type: integer - description: >- - The secondary server uses this parameter to - determine whether it requires a zone transfer from - the primary server. 
- refresh: - type: integer - description: >- - Time, in seconds, for which a secondary server must - wait between successive checks on the value of the - serial number. - retry: - type: integer - description: >- - Time, in seconds, between retries if a secondary server's - attempt to contact the primary server for a zone refresh fails. - expire: - type: integer - description: >- - Time, in seconds, after which the zone data on a secondary - nameserver can no longer be considered authoritative because - all refresh and retry attempts made during the period have failed." - nsrec: - type: object - description: Name server record - properties: - nameserver: - type: string - description: Host name of the name server to add to the domain. - ttl: - type: integer - description: >- - Time to Live (TTL), in seconds, for the record. TTL - is the time for which the record must be cached by - DNS proxies. The specified TTL is applied to all the - resource records that are of the same record type - and belong to the specified domain name ---- -{{- end }} diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.29.5/templates/citrix-k8s-cpx-ingress.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.29.5/templates/citrix-k8s-cpx-ingress.yaml deleted file mode 100644 index 815fe6bd38..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.29.5/templates/citrix-k8s-cpx-ingress.yaml +++ /dev/null 
@@ -1,422 +0,0 @@ -apiVersion: apps/v1 -{{- if or .Values.cpxBgpRouter .Values.daemonSet }} -kind: DaemonSet -{{- else }} -kind: Deployment -{{- end }} -metadata: - name: {{ include "citrix-cpx-ingress-controller.fullname" . }} - namespace: {{ .Release.Namespace }} -spec: - selector: - matchLabels: - app: {{ include "citrix-cpx-ingress-controller.fullname" . }} -{{- if not ( or .Values.cpxBgpRouter .Values.daemonSet ) }} - replicas: {{ .Values.replicaCount }} -{{- end }} - template: - metadata: - name: {{ include "citrix-cpx-ingress-controller.fullname" . }} - labels: - app: {{ include "citrix-cpx-ingress-controller.fullname" . }} - adc: "citrix" -{{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} -{{- end }} - spec: - serviceAccountName: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }} -{{- if .Values.cpxBgpRouter }} - hostNetwork: true -{{- end }} - containers: - - name: cpx-ingress - image: "{{ tpl .Values.image . }}" - imagePullPolicy: {{ .Values.pullPolicy }} - tty: true - securityContext: - privileged: true - env: - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace -{{- if .Values.cpxLicenseAggregator }} - - name: "CLA" - value: {{ .Values.cpxLicenseAggregator | quote }} -{{- else if .Values.ADMSettings.licenseServerIP }} - - name: "LS_IP" - value: {{ .Values.ADMSettings.licenseServerIP | quote }} - - name: "LS_PORT" - value: {{ .Values.ADMSettings.licenseServerPort | quote }} -{{- end }} - - name: "EULA" - value: "{{ .Values.license.accept }}" - - name: "KUBERNETES_TASK_ID" - value: "" -{{- if not .Values.cpxBgpRouter }} - - name: "MGMT_HTTP_PORT" - value: {{ .Values.mgmtHttpPort | quote }} - - name: "MGMT_HTTPS_PORT" - value: {{ .Values.mgmtHttpsPort | quote }} -{{- end }} -{{- if .Values.cpxBgpRouter }} - - name: NS_NETMODE - value: HOST -{{- if .Values.nsIP }} - - name: "NS_IP" 
- value: "{{ .Values.nsIP }}" -{{- end }} -{{- if .Values.nsGateway }} - - name: "NS_GATEWAY" - value: "{{ .Values.nsGateway }}" -{{- end }} -{{- end }} -{{- if .Values.ADMSettings.ADMIP }} - - name: "NS_MGMT_SERVER" - value: {{ .Values.ADMSettings.ADMIP | quote }} - - name: "NS_HTTP_PORT" - value: {{ .Values.mgmtHttpPort | quote }} - - name: "NS_HTTPS_PORT" - value: {{ .Values.mgmtHttpsPort | quote }} - - name: "LOGSTREAM_COLLECTOR_IP" - value: {{ .Values.ADMSettings.ADMIP | quote }} - - name: "ANALYTICS_SERVER" - value: {{ .Values.ADMSettings.ADMIP | quote }} - - name: "ANALYTICS_SERVER_PORT" - value: {{ .Values.ADMSettings.analyticsServerPort | quote }} -{{- end }} -##Need to set env var BANDWIDTH in order to provide Bandwidth license to Citrix ADC CPX from ADM or CPX License Aggregator -{{- if and ( or ( .Values.ADMSettings.licenseServerIP ) ( .Values.cpxLicenseAggregator ) ) ( eq .Values.ADMSettings.bandWidthLicense true ) }} - - name: "BANDWIDTH" - value: {{ .Values.ADMSettings.bandWidth | quote }} -{{- end }} -#for multiple-PE support, need to set CPX_CORES -{{- if or .Values.ADMSettings.licenseServerIP .Values.cpxLicenseAggregator }} -{{- if or ( eq .Values.ADMSettings.vCPULicense true ) ( eq .Values.ADMSettings.bandWidthLicense true ) }} - - name: "CPX_CORES" - value: {{ .Values.ADMSettings.cpxCores | default 1 | quote }} -{{- end }} -{{- end }} - - name: "EDITION" - value: {{ .Values.ADMSettings.licenseEdition }} -{{- if or (.Values.ADMSettings.ADMIP) (.Values.ADMSettings.licenseServerIP) }} - - name: NS_MGMT_USER - valueFrom: - secretKeyRef: - name: {{ required "Provide Secret for ADM/LicenseServer credentials" .Values.ADMSettings.loginSecret }} - key: username - - name: NS_MGMT_PASS - valueFrom: - secretKeyRef: - name: {{ required "Provide Secret for ADM/LicenseServer credentials" .Values.ADMSettings.loginSecret }} - key: password -{{- end }} -{{- if .Values.exporter.required }} - - name: "METRICS_EXPORTER_PORT" - value: {{ 
.Values.exporter.ports.containerPort | quote }} -{{- end }} - resources: - {{- toYaml .Values.resources | nindent 12 }} - volumeMounts: - - mountPath: /var/deviceinfo - name: shared-data - - mountPath: /cpx/ - name: cpx-volume - - mountPath: /cpx/conf - name: cpx-volume-conf -{{- if .Values.cic.required }} - # Add cic as a sidecar - - name: cic - image: "{{ tpl .Values.cic.image . }}" - imagePullPolicy: {{ .Values.cic.pullPolicy }} - env: - - name: "EULA" - value: "{{ .Values.license.accept }}" -{{- if .Values.cpxBgpRouter }} - - name: "NS_IP" - value: {{ .Values.nsIP | default "192.168.1.2" | quote }} -{{- else }} - - name: "NS_IP" - value: "127.0.0.1" -{{- end }} -{{- if .Values.rbacRole }} - - name: "SCOPE" - value: "local" -{{- end }} - - name: "NS_APPS_NAME_PREFIX" - value: {{ .Values.entityPrefix | default "k8s"}} - - name: "NS_DEPLOYMENT_MODE" - value: "SIDECAR" -{{- if and .Values.openshift .Values.routeLabels }} - - name: "ROUTE_LABELS" - value: {{ .Values.routeLabels | quote}} -{{- end }} -{{- if and .Values.openshift .Values.namespaceLabels }} - - name: "NAMESPACE_LABELS" - value: {{ .Values.namespaceLabels | quote }} -{{- end }} -{{- if .Values.cpxBgpRouter }} -{{- if eq (upper .Values.nsProtocol) "HTTPS" }} - - name: NS_PROTOCOL - value: HTTPS - - name: NS_PORT - value: "9443" -{{- else }} - - name: NS_PROTOCOL - value: HTTP - - name: NS_PORT - value: "9080" -{{- end }} -{{- if .Values.bgpPort }} - - name: "BGP_PORT" - value: {{ .Values.bgpPort | quote }} -{{- end }} -{{- end }} - - name: "NS_ENABLE_MONITORING" - value: "YES" -{{- if .Values.logProxy }} - - name: "NS_LOGPROXY" - value: {{ .Values.logProxy | quote }} -{{- end }} -{{- if .Values.ingressIP }} - - name: "NS_VIP" - value: {{ .Values.ingressIP | quote }} -{{- end }} -{{- if .Values.nitroReadTimeout }} - - name: "NS_NITRO_READ_TIMEOUT" - value: "{{ .Values.nitroReadTimeout }}" -{{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: 
POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName -{{- if .Values.kubernetesURL }} - - name: "kubernetes_url" - value: "{{ .Values.kubernetesURL }}" -{{- end }} -{{- if .Values.disableOpenshiftRoutes }} - - name: "DISABLE_OPENSHIFT_ROUTES" - value: "{{ .Values.disableOpenshiftRoutes }}" -{{- end }} -{{- if .Values.nsConfigDnsRec }} - - name: "NS_CONFIG_DNS_REC" - value: "{{ .Values.nsConfigDnsRec }}" -{{- end }} -{{- if .Values.nsSvcLbDnsRec }} - - name: "NS_SVC_LB_DNS_REC" - value: "{{ .Values.nsSvcLbDnsRec }}" -{{- end }} -{{- if .Values.optimizeEndpointBinding }} - - name: "OPTIMIZE_ENDPOINT_BINDING" - value: "{{ .Values.optimizeEndpointBinding }}" -{{- end }} -{{- if .Values.cpxBgpRouter }} - securityContext: - runAsUser: 0 - capabilities: - add: - - NET_ADMIN -{{- end }} - args: - - --configmap - {{ .Release.Namespace }}/{{ include "cpxconfigmap.fullname" . }} -{{- if .Values.ipam }} - - --ipam - citrix-ipam-controller -{{- end }} -{{- if .Values.disableAPIServerCertVerify }} - - --disable-apiserver-cert-verify - {{ .Values.disableAPIServerCertVerify }} -{{- end }} -{{- if .Values.cpxBgpRouter }} - - --deployment-type - kube-bgp-router -{{- end }} -{{- if .Values.ingressClass }} - - --ingress-classes -{{- range .Values.ingressClass}} - {{.}} -{{- end }} -{{- end }} -{{- if .Values.defaultSSLCertSecret }} - - --default-ssl-certificate - {{ .Release.Namespace }}/{{ .Values.defaultSSLCertSecret }} -{{- end }} -{{- end }} -{{- if .Values.updateIngressStatus }} -{{- if .Values.cpxBgpRouter }} - - --update-ingress-status - yes -{{- else }} - - --cpx-service - {{ .Release.Namespace }}/{{ include "cpxservice.fullname" . 
}} -{{- end }} -{{- end }} - volumeMounts: - - mountPath: /var/deviceinfo - name: shared-data - resources: - {{- toYaml .Values.cic.resources | nindent 12 }} -{{- if .Values.exporter.required }} - - name: exporter - image: "{{ tpl .Values.exporter.image . }}" - imagePullPolicy: {{ .Values.exporter.pullPolicy }} - args: - - "--secure=no" -{{- if .Values.cpxBgpRouter }} - - --target-nsip={{ .Values.nsIP | default "192.168.1.2" }}:9080 -{{- else }} - - "--target-nsip=127.0.0.1" -{{- end }} - - "--port={{ .Values.exporter.ports.containerPort }}" - env: - - name: "NS_DEPLOYMENT_MODE" - value: "SIDECAR" - securityContext: - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /var/deviceinfo - name: shared-data - resources: - {{- toYaml .Values.exporter.resources | nindent 12 }} -{{- end }} - volumes: - - name: shared-data - emptyDir: {} - - name: cpx-volume - emptyDir: {} - - name: cpx-volume-conf - emptyDir: {} -{{- if and .Values.nodeSelector.key .Values.nodeSelector.value }} - nodeSelector: - {{ .Values.nodeSelector.key }}: {{ .Values.nodeSelector.value }} -{{- end }} -{{- if .Values.tolerations }} - tolerations: {{ .Values.tolerations | toYaml | nindent 8 }} -{{- end }} -{{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} -{{- end }} - ---- -{{- if .Values.cpxBgpRouter }} -{{- if .Values.exporter.required }} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "cpxexporter.fullname" . }} - labels: - app: {{ include "cpxexporter.fullname" . }} - service-type: {{ include "cpxservicemonitorlabel" . }} -spec: - type: ClusterIP - ports: - - port: {{ .Values.exporter.ports.containerPort }} - targetPort: {{ .Values.exporter.ports.containerPort }} - name: exporter-port - selector: - app: {{ include "citrix-cpx-ingress-controller.fullname" . }} -{{- end }} -{{- else }} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "cpxservice.fullname" . }} - labels: - app: cpx-service - service-type: {{ include "cpxservicemonitorlabel" . 
}} -{{- if .Values.serviceAnnotations }} - annotations: -{{- with .Values.serviceAnnotations }} -{{ toYaml . | indent 4 }} -{{- end }} -{{- end }} -spec: -{{- if or .Values.serviceType.loadBalancer.enabled ( and (.Values.updateIngressStatus) (not .Values.cpxBgpRouter)) }} - externalTrafficPolicy: {{ .Values.serviceSpec.externalTrafficPolicy }} - type: LoadBalancer -{{- if .Values.serviceSpec.loadBalancerIP }} - loadBalancerIP: {{ .Values.serviceSpec.loadBalancerIP }} -{{- end }} -{{- else if .Values.serviceType.nodePort.enabled }} - type: NodePort - externalTrafficPolicy: {{ .Values.serviceSpec.externalTrafficPolicy }} -{{- end }} -{{- if and .Values.serviceType.loadBalancer.enabled .Values.serviceSpec.loadBalancerSourceRanges }} - loadBalancerSourceRanges: -{{- range .Values.serviceSpec.loadBalancerSourceRanges}} - - {{.}} -{{- end }} -{{- end }} - ports: -{{- if .Values.servicePorts }} -{{- with .Values.servicePorts }} -{{ toYaml . | indent 2 }} -{{- end }} -{{- else }} - - port: 80 - protocol: TCP - name: http -{{- if and .Values.serviceType.nodePort.enabled .Values.serviceType.nodePort.httpPort }} - nodePort: {{ .Values.serviceType.nodePort.httpPort }} -{{- end }} - - port: 443 - protocol: TCP - name: https -{{- if and .Values.serviceType.nodePort.enabled .Values.serviceType.nodePort.httpsPort }} - nodePort: {{ .Values.serviceType.nodePort.httpsPort}} -{{- end }} -{{- end }} -{{- if .Values.exporter.required }} - - port: {{ .Values.exporter.ports.containerPort }} - targetPort: {{ .Values.exporter.ports.containerPort }} - name: exporter-port -{{- end }} - selector: - app: {{ include "citrix-cpx-ingress-controller.fullname" . }} -{{- end }} - ---- - -{{- if .Values.exporter.required }} - -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ include "cpxservicemonitor.fullname" . 
}} - namespace: {{ .Release.Namespace }} - labels: - servicemonitor: citrix-adc-cpx -spec: - endpoints: - - interval: 30s - port: exporter-port - selector: - matchLabels: - service-type: {{ include "cpxservicemonitorlabel" . }} - namespaceSelector: - matchNames: - - monitoring - - default - - {{ .Release.Namespace }} - -{{- end }} diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.29.5/templates/configmap.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.29.5/templates/configmap.yaml deleted file mode 100644 index ac7aab2a29..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.29.5/templates/configmap.yaml +++ /dev/null 
@@ -1,86 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "cpxconfigmap.fullname" . }} - namespace: {{ .Release.Namespace }} -data: - LOGLEVEL: {{ .Values.logLevel | quote | lower }} - JSONLOG: {{ .Values.jsonLog | quote | lower }} -{{- if eq (upper .Values.nsProtocol) "HTTPS" }} - NS_PROTOCOL: "https" -{{- if .Values.cpxBgpRouter }} - NS_PORT: "9443" -{{- else }} - NS_PORT: "443" -{{- end }} -{{- else }} - NS_PROTOCOL: "http" -{{- if .Values.cpxBgpRouter }} - NS_PORT: "9080" -{{- else }} - NS_PORT: "80" -{{- end }} -{{- end }} - -{{- if ne (upper .Values.nsHTTP2ServerSide) "OFF" }} - NS_HTTP2_SERVER_SIDE: {{ .Values.nsHTTP2ServerSide | quote }} -{{- end }} -{{- if ne (toString .Values.nsCookieVersion) "0" }} - NS_COOKIE_VERSION: {{ .Values.nsCookieVersion | quote }} -{{- end }} -{{- if .Values.nsDnsNameserver }} - NS_DNS_NAMESERVER: {{ .Values.nsDnsNameserver }} -{{- end }} - -{{- if .Values.analyticsConfig.required }} - NS_ANALYTICS_CONFIG: | - distributed_tracing: - enable: {{ .Values.analyticsConfig.distributedTracing.enable | quote }} - samplingrate: {{ .Values.analyticsConfig.distributedTracing.samplingrate }} - endpoint: - server: {{ include "analytics.server" . | quote }} - service: {{ .Values.analyticsConfig.endpoint.service | quote }} - timeseries: - port: {{ .Values.analyticsConfig.timeseries.port }} - metrics: - enable: {{ .Values.analyticsConfig.timeseries.metrics.enable | quote }} - mode: {{ .Values.analyticsConfig.timeseries.metrics.mode | quote }} - auditlogs: - enable: {{ .Values.analyticsConfig.timeseries.auditlogs.enable | quote }} - events: - enable: {{ .Values.analyticsConfig.timeseries.events.enable | quote }} - transactions: - enable: {{ .Values.analyticsConfig.transactions.enable | quote }} - port: {{ .Values.analyticsConfig.transactions.port }} -{{- end }} - -{{- if .Values.cpxBgpRouter }} -{{- if .Values.bgpSettings.required }} - NS_BGP_CONFIG: | -{{- with .Values.bgpSettings.bgpConfig }} - bgpConfig: -{{ toYaml . 
| indent 4 }} -{{- end }} -{{- end }} -{{- end }} - -{{- if .Values.nsLbHashAlgo.required }} - NS_LB_HASH_ALGO: | - hashFingers: {{ .Values.nsLbHashAlgo.hashFingers }} - hashAlgorithm: {{ .Values.nsLbHashAlgo.hashAlgorithm | quote }} -{{- end }} - -{{- if .Values.profileSslFrontend }} - FRONTEND_SSL_PROFILE: | - {{- toYaml .Values.profileSslFrontend | nindent 4 }} -{{- end }} - -{{- if .Values.profileTcpFrontend }} - FRONTEND_TCP_PROFILE: | - {{- toYaml .Values.profileTcpFrontend | nindent 4 }} -{{- end }} - -{{- if .Values.profileHttpFrontend }} - FRONTEND_HTTP_PROFILE: | - {{- toYaml .Values.profileHttpFrontend | nindent 4 }} -{{- end }} \ No newline at end of file diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.29.5/templates/ingressclass.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.29.5/templates/ingressclass.yaml deleted file mode 100644 index d75537b79f..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.29.5/templates/ingressclass.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{- $default := .Values.setAsDefaultIngressClass -}} -{{- if semverCompare ">=1.19.0-0" .Capabilities.KubeVersion.GitVersion }} -{{- if .Values.ingressClass }} -{{- range .Values.ingressClass }} -apiVersion: networking.k8s.io/v1 -kind: IngressClass -metadata: - name: {{ . | quote }} -{{- if $default }} - annotations: - ingressclass.kubernetes.io/is-default-class: "true" -{{- end }} -spec: - controller: citrix.com/ingress-controller ---- -{{- end }} -{{- end }} -{{- end }} diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.29.5/templates/rbac.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.29.5/templates/rbac.yaml deleted file mode 100644 index d812e76751..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.29.5/templates/rbac.yaml +++ /dev/null 
@@ -1,106 +0,0 @@ -{{- if not .Values.rbacRole }} -kind: ClusterRole -{{- else }} -kind: Role -{{- end }} -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }} -{{- if .Values.rbacRole }} - namespace: {{ .Release.Namespace }} -{{- end }} -rules: - - apiGroups: [""] -{{- if .Values.openshift }} - resources: ["endpoints", "pods", "secrets", "routes", "tokenreviews", "subjectaccessreviews", "nodes", "namespaces", "configmaps", "services"] -{{- else }} - resources: ["endpoints", "pods", "secrets", "routes", "nodes", "namespaces", "configmaps", "services"] -{{- end }} - verbs: ["get", "list", "watch"] - # services/status is needed to update the loadbalancer IP in service status for integrating - # service of type LoadBalancer with external-dns - - apiGroups: [""] - resources: ["services/status"] - verbs: ["patch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create"] - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["extensions","networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["patch"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingressclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apps"] - resources: ["deployments"] - verbs: ["get", "list", "watch"] - - apiGroups: ["citrix.com"] - resources: ["rewritepolicies", "continuousdeployments", "authpolicies", "ratelimits", "listeners", "httproutes", "wafs", "apigatewaypolicies", "bots", "corspolicies", "appqoepolicies", "wildcarddnsentries"] - verbs: ["get", "list", "watch", "create", "delete", "patch"] - - apiGroups: ["citrix.com"] - resources: ["rewritepolicies/status", "continuousdeployments/status", "authpolicies/status", "ratelimits/status", "listeners/status", "httproutes/status", "wafs/status", 
"apigatewaypolicies/status", "bots/status", "corspolicies/status", "appqoepolicies/status", "wildcarddnsentries/status"] - verbs: ["patch"] - - apiGroups: ["citrix.com"] - resources: ["vips"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: ["crd.projectcalico.org"] - resources: ["ipamblocks"] - verbs: ["get", "list", "watch"] -{{- if .Values.openshift }} - - apiGroups: ["route.openshift.io"] - resources: ["routes"] - verbs: ["get", "list", "watch"] - - apiGroups: ["network.openshift.io"] - resources: ["hostsubnets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["config.openshift.io"] - resources: ["networks"] - verbs: ["get", "list"] -{{- end }} - ---- - -{{- if not .Values.rbacRole }} -kind: ClusterRoleBinding -{{- else }} -kind: RoleBinding -{{- end }} -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }} -{{- if .Values.rbacRole }} - namespace: {{ .Release.Namespace }} -{{- end }} -roleRef: - apiGroup: rbac.authorization.k8s.io -{{- if not .Values.rbacRole }} - kind: ClusterRole -{{- else }} - kind: Role -{{- end }} - name: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }} -subjects: -- kind: ServiceAccount - name: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- if .Values.imagePullSecrets }} -imagePullSecrets: -{{- range .Values.imagePullSecrets }} -- name: {{.}} -{{- end }} -{{- end }} - diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.29.5/values.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.29.5/values.yaml deleted file mode 100644 index 65a8dc2ef0..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.29.5/values.yaml +++ /dev/null 
@@ -1,244 +0,0 @@ -# Default values for citrix-cpx-with-ingress-controller. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -# Citrix ADC CPX config details -imageRegistry: quay.io -imageRepository: citrix/citrix-k8s-cpx-ingress -imageTag: 13.1-37.38 -image: "{{ .Values.imageRegistry }}/{{ .Values.imageRepository }}:{{ .Values.imageTag }}" -pullPolicy: IfNotPresent -imagePullSecrets: [] -daemonSet: False -nameOverride: "" -replicaCount: 1 -fullnameOverride: "" -mgmtHttpPort: 9080 -mgmtHttpsPort: 9443 -openshift: false -nsHTTP2ServerSide: "OFF" -nsCookieVersion: "0" -nsConfigDnsRec: -nsSvcLbDnsRec: -nsDnsNameserver: -optimizeEndpointBinding: -routeLabels: -namespaceLabels: - -# Service Type LoadBalancer and ingress support with CPX through BGP advertisement -# If you enable this, CPX is run as DaemonSet. Please edit the bgpSettings for configuring -# BGP neighbors for propgation of external IPs. -cpxBgpRouter: false - -# If cpxBgpRouter is true, then this is the NSIP used by CPX for internal communication -nsIP: 192.168.1.2 - -# If cpxBgpRouter is true, then this is the Gateway used by CPX for internal communication -nsGateway: 192.168.1.1 - -# Protocol used for communication between Citrix Ingress Controller sidecar and Citrix CPX -nsProtocol: http - -# External IP for ingress resource when bgpRouter is set to True -ingressIP: - -# If IPAM controller is used for auto allocation of the external IP for service of type LoadBalancer, set this option to true -ipam: False - -# Enable RBAC role (so called local role), by default CIC deployed with ClusterRole. 
-# below variable to deploy CIC with RBAC role, only ingress service supported with this config -rbacRole: False - -# API server Cert verification can be disabled, while communicating with API Server, if disableAPIServerCertVerify set to True -disableAPIServerCertVerify: False - -cpxLicenseAggregator: - -sslCertManagedByAWS: False - -nodeSelector: - key: - value: -tolerations: [] - -serviceType: - loadBalancer: - enabled: False - nodePort: - enabled: False - httpPort: - httpsPort: - -serviceAnnotations: {} - -serviceSpec: - externalTrafficPolicy: "Cluster" - loadBalancerIP: - loadBalancerSourceRanges: [] - -servicePorts: [] - -# Citrix Ingress Controller config details -cic: - imageRegistry: quay.io - imageRepository: citrix/citrix-k8s-ingress-controller - imageTag: 1.29.5 - image: "{{ .Values.cic.imageRegistry }}/{{ .Values.cic.imageRepository }}:{{ .Values.cic.imageTag }}" - pullPolicy: IfNotPresent - required: true - resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # Following values depends on no of ingresses configured by Ingress Controllers, so it is - # advised to test with maximum no of ingresses to set these values. 
- # limits: - # cpu: 1000m - # memory: 1000Mi - # requests: - # cpu: 250m - # memory: 256Mi -entityPrefix: -license: - accept: no -ingressClass: -setAsDefaultIngressClass: False -# nitroReadTimeout is timeout value in seconds for nitro api read timeout(default is 20) -nitroReadTimeout: -logLevel: INFO -jsonLog: false -defaultSSLCertSecret: -updateIngressStatus: False -logProxy: -kubernetesURL: -disableOpenshiftRoutes: -profileSslFrontend: {} - # preconfigured: my_ssl_profile - # OR - # config: - # tls13: 'ENABLED' - # hsts: 'ENABLED' -profileHttpFrontend: {} - # preconfigured: my_http_profile - # OR - # config: - # dropinvalreqs: 'ENABLED' - # websocket: 'ENABLED' -profileTcpFrontend: {} - # preconfigured: my_tcp_profile - # OR - # config: - # sack: 'ENABLED' - # nagle: 'ENABLED' - - -# Citrix ADM/License Server config details -ADMSettings: - licenseServerIP: - licenseServerPort: 27000 - ADMIP: - loginSecret: - bandWidthLicense: false - bandWidth: 1000 #bandwidth value shoule be in Mbps - vCPULicense: false - cpxCores: - analyticsServerPort: 5557 - licenseEdition: PLATINUM - -# Exporter config details -exporter: - required: false - imageRegistry: quay.io - imageRepository: citrix/citrix-adc-metrics-exporter - imageTag: 1.4.9 - image: "{{ .Values.exporter.imageRegistry }}/{{ .Values.exporter.imageRepository }}:{{ .Values.exporter.imageTag }}" - pullPolicy: IfNotPresent - ports: - containerPort: 8888 - resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
- # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - - -# For CRDs supported by Citrix Ingress Controller -crds: - install: false - retainOnDelete: false - -# Config required to be done by Citrix Ingress Controller for sending metrics to Citrix Observability Exporter -analyticsConfig: - required: false - distributedTracing: - enable: false - samplingrate: 100 - endpoint: - server: - service: - timeseries: - port: 5563 - metrics: - enable: false - mode: 'avro' - auditlogs: - enable: false - events: - enable: false - transactions: - enable: false - port: 5557 - -# BGP configurations: local AS, remote AS and remote address is mandatory to provide. Please do the approrpiate changes with respect to your environment -bgpSettings: - # When bgpConfig is configured correctly, set the required to true for the configuration to be applied. - required: false - bgpConfig: - - bgpRouter: - # Local AS number for BGP advertisement - localAS: 100 - neighbor: - # Address of the nighbor router for BGP advertisement - - address: - # Remote AS number - remoteAS: 100 - advertisementInterval: 10 - ASOriginationInterval: 10 - -bgpPort: - -nsLbHashAlgo: - required: false - hashFingers: 256 - hashAlgorithm: 'DEFAULT' - -# Specifies whether a ServiceAccount should be created -serviceAccount: - create: true - # The name of the ServiceAccount to use. - # If not set and `create` is true, a name is generated using the fullname template - # name: - -podAnnotations: {} - -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:' - # This is the resource for CPX container. 
- # limits: - # cpu: 500m - # memory: 512Mi - # requests: - # cpu: 100m - # memory: 128Mi - -affinity: {} diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.30.1/Chart.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.30.1/Chart.yaml deleted file mode 100644 index 1176e25e49..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.30.1/Chart.yaml +++ /dev/null @@ -1,22 +0,0 @@ -annotations: - catalog.cattle.io/certified: partner - catalog.cattle.io/display-name: Citrix Cpx with Ingress Controller - catalog.cattle.io/kube-version: '>=v1.16.0-0' - catalog.cattle.io/release-name: citrix-cpx-with-ingress-controller -apiVersion: v2 -appVersion: 1.30.1 -deprecated: true -description: A Helm chart for Citrix ADC CPX with Citrix ingress Controller running - as sidecar. -home: https://www.cloud.com -icon: https://raw.githubusercontent.com/citrix/citrix-helm-charts/gh-pages/icon.png -kubeVersion: '>=v1.16.0-0' -maintainers: -- email: priyanka.sharma@cloud.com - name: priyankash-citrix -- email: subash.dangol@cloud.com - name: subashd -name: citrix-cpx-with-ingress-controller -sources: -- https://github.com/citrix/citrix-k8s-ingress-controller -version: 1.30.1 diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.30.1/README.md b/charts/citrix/citrix-cpx-with-ingress-controller/1.30.1/README.md deleted file mode 100644 index 99d6891316..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.30.1/README.md +++ /dev/null 
@@ -1,576 +0,0 @@ -# Citrix ADC CPX with Citrix Ingress Controller running as sidecar. - -In a [Kubernetes](https://kubernetes.io/) or [OpenShift](https://www.openshift.com) cluster, you can deploy [Citrix ADC CPX](https://docs.citrix.com/en-us/citrix-adc-cpx) with Citrix ingress controller as a [sidecar](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/). The Citrix ADC CPX instance is used for load balancing the North-South traffic to the microservices in your cluster. And, the sidecar Citrix ingress controller configures the Citrix ADC CPX. - -## TL;DR; - -### For Kubernetes - ``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes - ``` - - To install Citrix Provided Custom Resource Definition(CRDs) along with Citrix Ingress Controller - ``` - helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,crds.install=true - ``` - -### For OpenShift - - ``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,openshift=true - ``` - - To install Citrix Provided Custom Resource Definition(CRDs) along with Citrix Ingress Controller - ``` - helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,openshift=true,crds.install=true - ``` - -> **Important:** -> -> The "license.accept" is a mandatory argument and should be set to "yes" to accept the terms of the Citrix license. - - -## Introduction -This Helm chart deploys a Citrix ADC CPX with Citrix ingress controller as a sidecar in the [Kubernetes](https://kubernetes.io/) or in the [Openshift](https://www.openshift.com) cluster using the [Helm](https://helm.sh/) package manager. 
- -### Prerequisites - -- The [Kubernetes](https://kubernetes.io/) version should be 1.16 and above if using Kubernetes environment. -- The [Openshift](https://www.openshift.com) version 4.8 or later if using OpenShift platform. -- The [Helm](https://helm.sh/) version 3.x or later. You can follow instruction given [here](https://github.com/citrix/citrix-helm-charts/blob/master/Helm_Installation_version_3.md) to install the same. -- You have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator), if you want to view the metrics of the Citrix ADC CPX collected by the [metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics). -- Registration of Citrix ADC CPX in ADM: You may want to register your CPX in ADM for licensing or to obtain [servicegraph](https://docs.citrix.com/en-us/citrix-application-delivery-management-service/application-analytics-and-management/service-graph.html). For this you will have to create a Kubernetes secret using ADM credentials and provide it while install the chart. Create a Kubernetes secret for the user name and password using the following command: - - ``` - kubectl create secret generic admlogin --from-literal=username= --from-literal=password= -n citrix-system - ``` - -## Installing the Chart -Add the Citrix Ingress Controller helm chart repository using command: - - ``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - ``` - -### For Kubernetes: -#### 1. Citrix ADC CPX with Citrix Ingress Controller running as side car. -To install the chart with the release name ``` my-release```: - - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,ingressClass[0]= - ``` - -> **Note:** -> -> By default the chart installs the recommended [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) roles and role bindings. 
- -The command deploys Citrix ADC CPX with Citrix ingress controller as a sidecar on the Kubernetes cluster with the default configuration. The [configuration](#configuration) section lists the mandatory and optional parameters that you can configure during installation. - -#### 2. Citrix ADC CPX with Citrix Ingress Controller and Exporter running as side car. -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed as sidecar to the Citrix ADC CPX and collects metrics from the Citrix ADC CPX instance. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. -> **Note:** -> -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). - -Use the following command for this: - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,ingressClass[0]=,exporter.required=true - ``` - -### For OpenShift: -Add the name of the service account created when the chart is deployed to the privileged Security Context Constraints of OpenShift: - - ``` - oc adm policy add-scc-to-user privileged system:serviceaccount:: - ``` - -#### 1. Citrix ADC CPX with Citrix Ingress Controller running as side car. -To install the chart with the release name, `my-release`, use the following command: - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,openshift=true - ``` - -#### 2. Citrix ADC CPX with Citrix Ingress Controller and Exporter running as side car. -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed as sidecar to the Citrix ADC CPX and collects metrics from the Citrix ADC CPX instance. 
You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. -> **Note:** -> -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). - -Use the following command for this: - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,openshift=true,exporter.required=true - ``` - -### Installed components - -The following components are installed: - -- [Citrix ADC CPX](https://docs.citrix.com/en-us/citrix-adc-cpx/netscaler-cpx.html) -- [Citrix ingress controller](https://github.com/citrix/citrix-k8s-ingress-controller) (if enabled) -- [Exporter](https://github.com/citrix/citrix-adc-metrics-exporter) (if enabled) - - -### Citrix ADC CPX Service Annotations: - - The parameter `serviceAnnotations` can be used to annotate CPX service while installing Citrix ADC CPX using this helm chart. 
- For example, if CPX is getting deployed in Azure and an Azure Internal Load Balancer is required before CPX then the annotation `service.beta.kubernetes.io/azure-load-balancer-internal:True` can be set in CPX service using Helm command: - - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,serviceAnnotations.service\\.beta\\.kubernetes\\.io/azure-load-balancer-internal=True - ``` - - or the same can be provided in [values.yaml](https://github.com/citrix/citrix-helm-charts/blob/master/citrix-cpx-with-ingress-controller/values.yaml): - - ``` - license: - accept: yes - serviceAnnotations: - service.beta.kubernetes.io/azure-load-balancer-internal: True - ``` - - which can be used to install Citrix ADC CPX using Helm command: - - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller -f values.yaml - ``` - - To know more about service annotations supported by Kubernetes on various platforms please see [this](https://kubernetes.io/docs/concepts/services-networking/service/). - -### Citrix ADC CPX Service Ports: - - By default, port 80 and 443 of CPX service will exposed when CPX is installed using this helm chart. If it is required to expose any other ports in CPX service then the parameter `servicePorts` can be used for it. 
- For example, if port 9999 is required to be exposed then below helm command can be used for installing Citrix ADC CPX: - - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,servicePorts[0].port=9999,servicePorts[0].protocol=TCP,servicePorts[0].name=https - ``` - - or the same can be provided in [values.yaml](https://github.com/citrix/citrix-helm-charts/blob/master/citrix-cpx-with-ingress-controller/values.yaml): - - ``` - license: - accept: yes - servicePorts: - - port: 9090 - protocol: TCP - name: https - ``` - - which can be used to install Citrix ADC using Helm command: - - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller -f values.yaml - ``` - -> **Note:** If `servicePorts` parameters is used, only ports provided in this parameter will be exposed in CPX service. -> If you want to expose default ports 80 or 443, then you will need to explicity mention these also in this parameter. - -### Configuration for ServiceGraph: - If Citrix ADC CPX need to send data to the Citrix ADM to bring up the servicegraph, then the below steps can be followed to install Citrix ADC CPX with ingress controller. Citrix ingress controller configures Citrix ADC CPX with the configuration required for servicegraph. - - 1. Create secret using Citrix ADC Agent credentials, which will be used by Citrix ADC CPX to communicate with Citrix ADM Agent: - - kubectl create secret generic admlogin --from-literal=username= --from-literal=password= - - 2. 
Deploy Citrix ADC CPX with Citrix ingress controller using helm command: - - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,analyticsConfig.required=true,analyticsConfig.timeseries.metrics.enable=true,analyticsConfig.distributedTracing.enable=true,analyticsConfig.endpoint.server=,ADMSettings.ADMIP=,ADMSettings.loginSecret= - -> **Note:** -> If container agent is being used here for Citrix ADM, please provide `svcIP` of container agent in the `analyticsConfig.endpoint.server` parameter. - -## Citrix ADC CPX DaemonSet with Citrix Ingress Controller as sidecar for BGP Advertisement - - The previous section of deploying CPX as a Deployment requires a Tier-1 Loadbalancer such as Citrix VPX or cloud loadbalancers to route the traffic to CPX instances running in Kubernetes cluster, but you can also leverage BGP network fabric in your on-prem environemnt to route the traffic to CPX instances in a Kubernetes or Openshift cluster. you need to deploy CPX with Citrix Ingress Controller as Daemonset to advertise the ExternalIPs of the K8s services of type LoadBalancer to your BGP Fabric. Citrix ADC CPX establishes a BGP peering session with your network routers, and uses that peering session to advertise the IP addresses of external cluster services. If your routers have ECMP capability, the traffic is load-balanced to multiple CPX instances by the upstream router, which in turn load-balances to actual application pods. When you deploy the Citrix ADC CPX with this mode, Citrix ADC CPX adds iptables rules for each service of type LoadBalancer on Kubernetes nodes. The traffic destined to the external IP address is routed to Citrix ADC CPX pods. You can also set the 'ingressIP' variable to an IP Address to advertise the External IP address for Ingress resources. Refer [documentation](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/cpx-bgp-router.md) for complete details about BGP advertisement with CPX. 
- -### Download the chart -You can download the chart usimg `helm pull` command. -``` -helm repo add citrix https://citrix.github.io/citrix-helm-charts/ -helm pull citrix/citrix-cpx-with-ingress-controller -tar -zxvf citrix-cpx-with-ingress-controller-x.y.z.tgz -``` - -### Edit the BGP configuration in values.yaml -BGP configurations enables CPX to peer with neighbor routers for advertisting the routes for Service of Type LoadBalancer. Citrix Ingress Controllers uses static IPs given in Service YAML or using an IPAM controller to allocate an External IP address, and same is advertisted to the neighbour router with the Gateway as Node IP. An example BGP configurations is given below. - -``` -# BGP configurations: local AS, remote AS and remote address is mandatory to provide. -bgpSettings: - required: true - bgpConfig: - - bgpRouter: - # Local AS number for BGP advertisement - localAS: - neighbor: - # Address of the nighbor router for BGP advertisement - - address: xx.xx.xx.xx - # Remote AS number - remoteAS: - advertisementInterval: 10 - ASOriginationInterval: 10 -``` -If the cluster spawns across multiple networks, you can also specify the NodeSelector to give different neighbors for different Cluster Nodes as shown below. - -``` -bgpSettings: - required: true - bgpConfig: - - nodeSelector: datacenter=ds1 - bgpRouter: - localAS: - neighbor: - - address: xx.xx.xx.xx - remoteAS: - advertisementInterval: 10 - ASOriginationInterval: 10 - - nodeSelector: datacenter=ds2 - bgpRouter: - localAS: - neighbor: - - address: yy.yy.yy.yy - remoteAS: - advertisementInterval: 10 - ASOriginationInterval: 10 -``` - -### Deploy the chart -#### For Kubernetes: -#### 1. Citrix ADC CPX DaemonSet with Citrix Ingress Controller running as side car for BGP Advertisement. 
- - -To install the chart with the release name ``` my-release```: - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true - ``` -If you are running Citrix IPAM for auto allocation of IPs for Service of type LoadBalancer, you must enable the IPAM configurations in Citrix Ingress Controller as show below: - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ipam=true - ``` -If you are using ingress resources, you must set the `ingressIP` to a valid IP Address which will enable the BGP route advertisement for this IP when ingress resource is deployed. - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ingressIP= - ``` - -> **Note:** -> -> By default the chart installs the recommended [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) roles and role bindings. - -The command deploys Citrix ADC CPX Daemonset with Citrix ingress controller as a sidecar on the Kubernetes cluster with the default configuration. The [configuration](#configuration) section lists the mandatory and optional parameters that you can configure during installation. - -#### 2. Citrix ADC CPX with Citrix Ingress Controller and Exporter running as side car for BGP Advertisement. -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed as sidecar to the Citrix ADC CPX and collects metrics from the Citrix ADC CPX instance. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. -> **Note:** -> -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). 
- -Use the following command for this: - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,exporter.required=true - ``` -If you are running Citrix IPAM controller for auto allocation of IPs for Service of type LoadBalancer, you must enable the IPAM configurations in Citrix Ingress Controller as show below: - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ipam=true,exporter.required=true - ``` -If you are using ingress resources, you must set the `ingressIP` to a valid IP Address which will enable the BGP route advertisement for this IP when ingress resource is deployed. - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ingressIP=, exporter.required=true - ``` - -#### For OpenShift: -Add the name of the service account created when the chart is deployed to the privileged Security Context Constraints of OpenShift: - - ``` - oc adm policy add-scc-to-user privileged system:serviceaccount:: - ``` - -#### 1. Citrix ADC CPX DaemonSet with Citrix Ingress Controller running as side car for BGP Advertisement. -To install the chart with the release name, `my-release`, use the following command: - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,openshift=true - ``` -If you are running Citrix IPAM controller for auto allocation of IPs for Service of type LoadBalancer, you must enable the IPAM configurations in Citrix Ingress Controller as show below: - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ipam=true,openshift=true - ``` - - If you are using ingress or Route resources, you must set the `ingressIP` to a valid IP Address which will enable the BGP route advertisement for this IP when ingress resource is deployed. 
- - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ingressIP=,openshift=true - ``` - -#### 2. Citrix ADC CPX with Citrix Ingress Controller and Exporter running as side car for BGP Advertisement. -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed as sidecar to the Citrix ADC CPX and collects metrics from the Citrix ADC CPX instance. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. -> **Note:** -> -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). - -Use the following command for this: - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,openshift=true,openshift=true,exporter.required=true - ``` -If you are running Citrix IPAM controller for auto allocation of IPs for Service of type LoadBalancer, you must enable the IPAM configurations in Citrix Ingress Controller as show below: - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ipam=true,openshift=true,exporter.required=true - ``` - -If you are using ingress or Route resources, you must set the `ingressIP` to a valid IP Address which will enable the BGP route advertisement for this IP when ingress resource is deployed. - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ingressIP=,openshift=true,exporter.required=true - ``` - -## CRDs configuration - -CRDs can be installed/upgraded when we install/upgrade Citrix ADC CPX with Citrix ingress controller using `crds.install=true` parameter in Helm. If you do not want to install CRDs, then set the option `crds.install` to `false`. 
By default, CRDs too get deleted if you uninstall through Helm. This means, even the CustomResource objects created by the customer will get deleted. If you want to avoid this data loss set `crds.retainOnDelete` to `true`. - -> **Note:** -> Installing again may fail due to the presence of CRDs. Make sure that you back up all CustomResource objects and clean up CRDs before re-installing Citrix ADC CPX with Citrix ingress controller. - -There are a few examples of how to use these CRDs, which are placed in the folder: [Example-CRDs](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds). Refer to them and install as needed, using the following command: -```kubectl create -f ``` - -### Details of the supported CRDs: - -#### authpolicies CRD: - -Authentication policies are used to enforce access restrictions to resources hosted by an application or an API server. - -Citrix provides a Kubernetes CustomResourceDefinitions (CRDs) called the [Auth CRD](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/auth) that you can use with the Citrix ingress controller to define authentication policies on the ingress Citrix ADC. - -Example file: [auth_example.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/auth_example.yaml) - -#### continuousdeployments CRD for canary: - -Canary release is a technique to reduce the risk of introducing a new software version in production by first rolling out the change to a small subset of users. After user validation, the application is rolled out to the larger set of users. Citrix ADC-Integrated [Canary Deployment solution](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/canary) stitches together all components of continuous delivery (CD) and makes canary deployment easier for the application developers. 
- -#### httproutes and listeners CRDs for contentrouting: - -[Content Routing (CR)](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/contentrouting) is the execution of defined rules that determine the placement and configuration of network traffic between users and web applications, based on the content being sent. For example, a pattern in the URL or header fields of the request. - -Example files: [HTTPRoute_crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/HTTPRoute_crd.yaml), [Listener_crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/Listener_crd.yaml) - -#### ratelimits CRD: - -In a Kubernetes deployment, you can [rate limit the requests](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/ratelimit) to the resources on the back end server or services using rate limiting feature provided by the ingress Citrix ADC. - -Example files: [ratelimit-example1.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/ratelimit-example1.yaml), [ratelimit-example2.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/ratelimit-example2.yaml) - -#### vips CRD: - -Citrix provides a CustomResourceDefinitions (CRD) called [VIP](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/vip) for asynchronous communication between the IPAM controller and Citrix ingress controller. - -The IPAM controller is provided by Citrix for IP address management. It allocates IP address to the service from a defined IP address range. The Citrix ingress controller configures the IP address allocated to the service as virtual IP (VIP) in Citrix ADX VPX. And, the service is exposed using the IP address. - -When a new service is created, the Citrix ingress controller creates a CRD object for the service with an empty IP address field. 
The IPAM Controller listens to addition, deletion, or modification of the CRD and updates it with an IP address to the CRD. Once the CRD object is updated, the Citrix ingress controller automatically configures Citrix ADC-specfic configuration in the tier-1 Citrix ADC VPX. - -#### rewritepolicies CRD: - -In kubernetes environment, to deploy specific layer 7 policies to handle scenarios such as, redirecting HTTP traffic to a specific URL, blocking a set of IP addresses to mitigate DDoS attacks, imposing HTTP to HTTPS and so on, requires you to add appropriate libraries within the microservices and manually configure the policies. Instead, you can use the [Rewrite and Responder features](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/crd/rewrite-responder-policies-deployment.yaml) provided by the Ingress Citrix ADC device to deploy these policies. - -Example files: [target-url-rewrite.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/target-url-rewrite.yaml) - -#### wafs CRD: - -[WAF CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/waf.md) can be used to configure the web application firewall policies with the Citrix ingress controller on the Citrix ADC VPX, MPX, SDX, and CPX. The WAF CRD enables communication between the Citrix ingress controller and Citrix ADC for enforcing web application firewall policies. - -In a Kubernetes deployment, you can enforce a web application firewall policy to protect the server using the WAF CRD. For more information about web application firewall, see [Web application security](https://docs.citrix.com/en-us/citrix-adc/13/application-firewall/introduction/web-application-security.html). 
- -Example files: [wafhtmlxsssql.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/wafhtmlxsssql.yaml) - -#### CORS CRD: - -[CORS CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/cors.md) Cross-origin resource sharing (CORS) is a mechanism allows a web application running under one domain to securely access resources in another domain. You can configure CORS policies on Citrix ADC using Citrix ingress controller to allow one domain (the origin domain) to call APIs in another domain. For more information, see the [cross-origin resource sharing CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/cors.md) documentation. - -Example files: [cors-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/corspolicy-example.yaml) - -#### APPQOE CRD: - -[APPQOE CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/appqoe.md) When a Citrix ADC appliance receives an HTTP request and forwards it to a back-end server, sometimes there may be connection failures with the back-end server. You can configure the request-retry feature on Citrix ADC to forward the request to the next available server, instead of sending the reset to the client. Hence, the client saves round trip time when Citrix ADC initiates the same request to the next available service. -For more information, see the AppQoE support documentation. [Appqoe resource sharing CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/appqoe.md) documentation. - -Example files: [appqoe-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/appqoe_example.yaml) - -#### WILDCARDDNS CRD: - -[WILDCARDDNS CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/wildcarddns.md) Wildcard DNS domains are used to handle requests for nonexistent domains and subdomains. 
In a zone, use wildcard domains to redirect queries for all nonexistent domains or subdomains to a particular server, instead of creating a separate Resource Record (RR) for each domain. The most common use of a wildcard DNS domain is to create a zone that can be used to forward mail from the internet to some other mail system. -For more information, see the Wild card DNS domains support documentation. [Wildcard DNS Entry CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/wildcarddns.md) documentation. - -Example files: [wildcarddns-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/wildcarddns-example.yaml) - -## Citrix ADC CPX servicetype LoadBalancer -Citrix ADC CPX can be installed with service having servicetype LoadBalancer. Following arguments can be used in the `helm install` command for the same: - -``` -helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,serviceType.loadBalancer.enabled=True -``` - -## Citrix ADC CPX servicetype NodePort -Citrix ADC CPX can be installed with service having servicetype Nodeport. Following arguments can be used in the `helm install` command for the same: - -``` -helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,serviceType.nodePort.enabled=True -``` - -Additionally, `serviceType.nodePort.httpPort` and `serviceType.nodePort.httpsPort` arguments can be used to select the nodePort for the CPX service for HTTP and HTTPS ports. - -### Tolerations - -Taints are applied on cluster nodes whereas tolerations are applied on pods. Tolerations enable pods to be scheduled on node with matching taints. For more information see [Taints and Tolerations in Kubernetes](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/). 
- -Toleration can be applied to pod running Citrix ADC CPX and ingress controller containers using `tolerations` argument while deploying CPX+CIC using helm chart. This argument takes list of tolerations that user need to apply on the CPX+CIC pods. - -For example, following command can be used to apply toleration on the CPX+CIC pod: - -``` -helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,tolerations[0].key=,tolerations[0].value=,tolerations[0].operator=,tolerations[0].effect= -``` - -Here tolerations[0].key, tolerations[0].value and tolerations[0].effect are the key, value and effect that was used while tainting the node. -Effect represents what should happen to the pod if the pod don't have any matching toleration. It can have values `NoSchedule`, `NoExecute` and `PreferNoSchedule`. -Operator represents the operation to be used for key and value comparison between taint and tolerations. It can have values `Exists` and `Equal`. The default value for operator is `Equal`. - -## Configuration -The following table lists the configurable parameters of the Citrix ADC CPX with Citrix ingress controller as side car chart and their default values. - -| Parameters | Mandatory or Optional | Default value | Description | -| ---------- | --------------------- | ------------- | ----------- | -| license.accept | Mandatory | no | Set `yes` to accept the Citrix ingress controller end user license agreement. | -| imageRegistry | Mandatory | `quay.io` | The Citrix ADC CPX image registry | -| imageRepository | Mandatory | `citrix/citrix-k8s-cpx-ingress` | The Citrix ADC CPX image repository | -| imageTag | Mandatory | `13.1-30.52` | The Citrix ADC CPX image tag | -| pullPolicy | Mandatory | IfNotPresent | The Citrix ADC CPX image pull policy. | -| daemonSet | Optional | False | Set this to true if Citrix ADC CPX needs to be deployed as DaemonSet. 
| -| cic.imageRegistry | Mandatory | `quay.io` | The Citrix ingress controller image registry | -| cic.imageRepository | Mandatory | `citrix/citrix-k8s-ingress-controller` | The Citrix ingress controller image repository | -| cic.imageTag | Mandatory | `1.30.1` | The Citrix ingress controller image tag | -| cic.pullPolicy | Mandatory | IfNotPresent | The Citrix ingress controller image pull policy. | -| cic.required | Mandatory | true | CIC to be run as sidecar with Citrix ADC CPX | -| cic.resources | Optional | {} | CPU/Memory resource requests/limits for Citrix Ingress Controller container | -| cic.rbacRole | Optional | false | To deploy CIC with RBAC Role set rbacRole=true; by default CIC gets installed with RBAC ClusterRole(rbacRole=false)) | -| imagePullSecrets | Optional | N/A | Provide list of Kubernetes secrets to be used for pulling the images from a private Docker registry or repository. For more information on how to create this secret please see [Pull an Image from a Private Registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/). | -| nameOverride | Optional | N/A | String to partially override deployment fullname template with a string (will prepend the release name) | -| fullNameOverride | Optional | N/A | String to fully override deployment fullname template with a string | -| resources | Optional | {} | CPU/Memory resource requests/limits for Citrix CPX container | -| nitroReadTimeout | Optional | 20 | The nitro Read timeout in seconds, defaults to 20 | -| logLevel | Optional | DEBUG | The loglevel to control the logs generated by CIC. The supported loglevels are: CRITICAL, ERROR, WARNING, INFO, DEBUG and TRACE. 
For more information, see [Logging](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/configure/log-levels.md).| -| jsonLog | Optional | false | Set this argument to true if log messages are required in JSON format | -| nsConfigDnsRec | Optional | false | To enable/disable DNS address Record addition in ADC through Ingress | -| nsSvcLbDnsRec | Optional | false | To enable/disable DNS address Record addition in ADC through Type Load Balancer Service | -| nsDnsNameserver | Optional | N/A | To add DNS Nameservers in ADC | -| optimizeEndpointBinding | Optional | false | To enable/disable binding of backend endpoints to servicegroup in a single API-call. Recommended when endpoints(pods) per application are large in number. Applicable only for Citrix ADC Version >=13.0-45.7 | -| defaultSSLCertSecret | Optional | N/A | Provide Kubernetes secret name that needs to be used as a default non-SNI certificate in Citrix ADC. | -| nsHTTP2ServerSide | Optional | OFF | Set this argument to `ON` for enabling HTTP2 for Citrix ADC service group configurations. | -| cpxLicenseAggregator | Optional | N/A | IP/FQDN of the CPX License Aggregator if it is being used to license the CPX. | -| nsCookieVersion | Optional | 0 | Specify the persistence cookie version (0 or 1). | -| profileSslFrontend | Optional | N/A | Specify the frontend SSL profile. For Details see [Configuration using FRONTEND_SSL_PROFILE](https://docs.citrix.com/en-us/citrix-k8s-ingress-controller/configure/profiles.html#global-front-end-profile-configuration-using-configmap-variables) | -| profileTcpFrontend | Optional | N/A | Specify the frontend TCP profile. For Details see [Configuration using FRONTEND_TCP_PROFILE](https://docs.citrix.com/en-us/citrix-k8s-ingress-controller/configure/profiles.html#global-front-end-profile-configuration-using-configmap-variables) | -| profileHttpFrontend | Optional | N/A | Specify the frontend HTTP profile. 
For Details see [Configuration using FRONTEND_HTTP_PROFILE](https://docs.citrix.com/en-us/citrix-k8s-ingress-controller/configure/profiles.html#global-front-end-profile-configuration-using-configmap-variables) | -| logProxy | Optional | N/A | Provide Elasticsearch or Kafka or Zipkin endpoint for Citrix observability exporter. | -| nsProtocol | Optional | http | Protocol http or https used for the communication between Citrix Ingress Controller and CPX | -| cpxBgpRouter | Optional | false| If set to true, this CPX is deployed as daemonset in BGP controller mode wherein BGP advertisements are done for attracting external traffic to Kubernetes clusters | -| replicaCount | Optional | 1 | Number of CPX-CIC pods to be deployed. With `cpxBgpRouter : true`, replicaCount is 1 since CPX will be deployed as DaemonSet | -| nsIP | Optional | 192.168.1.2 | NSIP used by CPX for internal communication when run in Host mode, i.e when cpxBgpRouter is set to true. A /24 internal network is created in this IP range which is used for internal communications withing the network namespace. | -| nsGateway | Optional | 192.168.1.1 | Gateway used by CPX for internal communication when run in Host mode, i.e when cpxBgpRouter is set to true. If not specified, first IP in the nsIP network is used as gateway. It must be in same network as nsIP | -| bgpPort | Optional | 179 | BGP port used by CPX for BGP advertisement if cpxBgpRouter is set to true| -| ingressIP | Optional | N/A | External IP address to be used by ingress resources if not overriden by ingress.com/frontend-ip annotation in Ingress resources. This is also advertised to external routers when pxBgpRouter is set to true| -| entityPrefix | Optional | k8s | The prefix for the resources on the Citrix ADC CPX. | -| ingressClass | Optional | N/A | If multiple ingress load balancers are used to load balance different ingress resources. 
You can use this parameter to specify Citrix ingress controller to configure Citrix ADC associated with specific ingress class. For more information on Ingress class, see [Ingress class support](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/configure/ingress-classes/). For Kubernetes version >= 1.19, this will create an IngressClass object with the name specified here | -| setAsDefaultIngressClass | Optional | False | Set the IngressClass object as default. New Ingresses without an "ingressClassName" field specified will be assigned the class specified in ingressClass. Applicable only for kubernetes versions >= 1.19 | -| updateIngressStatus | Optional | False | Set this argument if you want to update ingress status of the ingress resources exposed via CPX. This is only applicable if servicetype of CPX service is LoadBalancer. | -| disableAPIServerCertVerify | Optional | False | Set this parameter to True for disabling API Server certificate verification. | -| openshift | Optional | false | Set this argument if OpenShift environment is being used. | -| disableOpenshiftRoutes | false | By default Openshift routes are processed in openshift environment, this variable can be used to disable Ingress controller processing the openshift routes. | -| routeLabels | Optional | N/A | You can use this parameter to provide the route labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster. | -| namespaceLabels | Optional | N/A | You can use this parameter to provide the namespace labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster. | -| sslCertManagedByAWS | Optional | False | Set this argument if SSL certs used is managed by AWS while deploying Citrix ADC CPX in AWS. | -| nodeSelector.key | Optional | N/A | Node label key to be used for nodeSelector option for CPX-CIC deployment. 
| -| nodeSelector.value | Optional | N/A | Node label value to be used for nodeSelector option in CPX-CIC deployment. | -| podAnnotations | Optional | N/A | Map of annotations to add to the pods. | -| affinity | Optional | N/A | Affinity labels for pod assignment. | -| tolerations | Optional | N/A | Specify the tolerations for the CPX-CIC deployment. | -| serviceType.loadBalancer.enabled | Optional | False | Set this argument if you want servicetype of CPX service to be LoadBalancer. | -| serviceType.nodePort.enabled | Optional | False | Set this argument if you want servicetype of CPX service to be NodePort. | -| serviceType.nodePort.httpPort | Optional | N/A | Specify the HTTP nodeport to be used for NodePort CPX service. | -| serviceType.nodePort.httpsPort | Optional | N/A | Specify the HTTPS nodeport to be used for NodePort CPX service. | -| serviceAnnotations | Optional | N/A | Dictionary of annotations to be used in CPX service. Key in this dictionary is the name of the annotation and Value is the required value of that annotation. For example, [see this](#citrix-adc-cpx-service-annotations). | -| serviceSpec.externalTrafficPolicy | Optional | Cluster | Use this parameter to provide externalTrafficPolicy for CPX service of type LoadBalancer or NodePort. `serviceType.loadBalancer.enabled` or `serviceType.nodePort.enabled` should be set to `true` according to your use case for using this parameter. | -| serviceSpec.loadBalancerIP | Optional | N/A | Use this parameter to provide LoadBalancer IP to CPX service of type LoadBalancer. `serviceType.loadBalancer.enabled` should be set to `true` for using this parameter. | -| serviceSpec.loadBalancerSourceRanges | Optional | N/A | Provide the list of IP Address or range which should be allowed to access the Network Load Balancer. `serviceType.loadBalancer.enabled` should be set to `true` for using this parameter. 
For details, see [Network Load Balancer support on AWS](https://kubernetes.io/docs/concepts/services-networking/service/#aws-nlb-support). | -| servicePorts | Optional | N/A | List of port. Each element in this list is a dictionary that contains information about the port. For example, [see this](#citrix-adc-cpx-service-ports). | -| ADMSettings.licenseServerIP | Optional | N/A | Provide the Citrix Application Delivery Management (ADM) IP address to license Citrix ADC CPX. For more information, see [Licensing](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/licensing/). | -| ADMSettings.licenseServerPort | Optional | 27000 | Citrix ADM port if non-default port is used. | -| ADMSettings.ADMIP | Optional | N/A | Citrix Application Delivery Management (ADM) IP address. | -| ADMSettings.loginSecret | Optional | N/A | The secret key to login to the ADM. For information on how to create the secret keys, see [Prerequisites](#prerequistes). | -| ADMSettings.bandWidthLicense | Optional | False | Set to true if you want to use bandwidth based licensing for Citrix ADC CPX. | -| ADMSettings.bandWidth | Optional | 1000 | Desired bandwidth capacity to be set for Citrix ADC CPX in Mbps. | -| ADMSettings.vCPULicense | Optional | N/A | Set to true if you want to use vCPU based licensing for Citrix ADC CPX. | -| ADMSettings.licenseEdition| Optional | PLATINUM | License edition that can be Standard, Platinum and Enterprise . By default, Platinum is selected.| -| ADMSettings.cpxCores | Optional | 1 | Desired number of vCPU to be set for Citrix ADC CPX. | -| ADMSettings.analyticsServerPort | Optional | 5557 | Port used for Analytics by ADM. Required to plot ServiceGraph. 
| -| exporter.required | Optional | false | Use the argument if you want to run the [Exporter for Citrix ADC Stats](https://github.com/citrix/citrix-adc-metrics-exporter) along with Citrix ingress controller to pull metrics for the Citrix ADC CPX| -| exporter.imageRegistry | Optional | `quay.io` | The Exporter for Citrix ADC Stats image registry | -| exporter.imageRepository | Optional | `citrix/citrix-adc-metrics-exporter` | The Exporter for Citrix ADC Stats image repository | -| exporter.imageTag | Optional | `1.4.9` | The Exporter for Citrix ADC Stats image tag | -| exporter.pullPolicy | Optional | IfNotPresent | The Exporter for Citrix ADC Stats image pull policy. | -| exporter.resources | Optional | {} | CPU/Memory resource requests/limits for Metrics exporter container | -| exporter.ports.containerPort | Optional | 8888 | The Exporter for Citrix ADC Stats container port. | -| analyticsConfig.required | Mandatory | false | Set this to true if you want to configure Citrix ADC to send metrics and transaction records to analytics service. | -| analyticsConfig.distributedTracing.enable | Optional | false | Set this value to true to enable OpenTracing in Citrix ADC. | -| analyticsConfig.distributedTracing.samplingrate | Optional | 100 | Specifies the OpenTracing sampling rate in percentage. | -| analyticsConfig.endpoint.server | Optional | N/A | Set this value as the IP address or DNS address of the analytics server. | -| analyticsConfig.endpoint.service | Optional | N/A | Set this value as the IP address or service name with namespace of the analytics service deployed in Kuberenetes. Format: namespace/servicename| -| analyticsConfig.timeseries.port | Optional | 5563 | Specify the port used to expose analytics service for timeseries endpoint. | -| analyticsConfig.timeseries.metrics.enable | Optional | Set this value to true to enable sending metrics from Citrix ADC. 
| -| analyticsConfig.timeseries.metrics.mode | Optional | avro | Specifies the mode of metric endpoint. | -| analyticsConfig.timeseries.auditlogs.enable | Optional | false | Set this value to true to export audit log data from Citrix ADC. | -| analyticsConfig.timeseries.events.enable | Optional | false | Set this value to true to export events from the Citrix ADC. | -| analyticsConfig.transactions.enable | Optional | false | Set this value to true to export transactions from Citrix ADC. | -| analyticsConfig.transactions.port | Optional | 5557 | Specify the port used to expose analytics service for transaction endpoint. | -| crds.install | Optional | False | Unset this argument if you don't want to install CustomResourceDefinitions which are consumed by CIC. | -| crds.retainOnDelete | Optional | false | Set this argument if you want to retain CustomResourceDefinitions even after uninstalling CIC. This will avoid data-loss of Custom Resource Objects created before uninstallation. | -| bgpSettings.required | Optional | false | Set this argument if you want to enable BGP configurations for exposing service of Type Loadbalancer through BGP fabric| -| bgpSettings.bgpConfig | Optional| N/A| This represents BGP configurations in YAML format. For the description about individual fields, please refer the [documentation](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/cpx-bgp-router.md) | -| nsLbHashAlgo.required | Optional | false | Set this value to set the LB consistent hashing Algorithm | -| nsLbHashAlgo.hashFingers | Optional |256 | Specifies the number of fingers to be used for hashing algorithm. Possible values are from 1 to 1024, Default value is 256 | -| nsLbHashAlgo.hashAlgorithm | Optional | 'default' | Specifies the supported algorithm. 
Supported algorithms are "default", "jarh", "prac", Default value is 'default' | - -> **Note:** -> -> If Citrix ADM related information is not provided during installation, Citrix ADC CPX will come up with the default license. - -Alternatively, you can define a YAML file with the values for the parameters and pass the values while installing the chart. - -For example: - ``` - helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller -f values.yaml - ``` - -> **Tip:** -> -> The [values.yaml](https://github.com/citrix/citrix-helm-charts/blob/master/citrix-cpx-with-ingress-controller/values.yaml) contains the default values of the parameters. - -## Uninstalling the Chart -To uninstall/delete the ```my-release``` deployment: - ``` - helm delete my-release - ``` - -## Related documentation - -- [Citrix ADC CPX Documentation](https://docs.citrix.com/en-us/citrix-adc-cpx/12-1/cpx-architecture-and-traffic-flow.html) -- [Citrix ingress controller Documentation](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/) -- [Citrix ingress controller GitHub](https://github.com/citrix/citrix-k8s-ingress-controller) -- [BGP advertisement for External IPs with CPX](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/cpx-bgp-router.md) diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.30.1/app-readme.md b/charts/citrix/citrix-cpx-with-ingress-controller/1.30.1/app-readme.md deleted file mode 100644 index ef45a3d907..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.30.1/app-readme.md +++ /dev/null 
@@ -1,5 +0,0 @@
-# Citrix ADC CPX with Citrix Ingress Controller running as sidecar.
-
-In a [Kubernetes](https://kubernetes.io/) or [OpenShift](https://www.openshift.com) cluster, you can deploy [Citrix ADC CPX](https://docs.citrix.com/en-us/citrix-adc-cpx) with Citrix ingress controller as a [sidecar](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/). The Citrix ADC CPX instance is used for load balancing the North-South traffic to the microservices in your cluster. And, the sidecar Citrix ingress controller configures the Citrix ADC CPX.
-
-This Chart bootstraps deployment of Citrix ADC CPX with Citrix Ingress Controller as sidecar.
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.30.1/questions.yml b/charts/citrix/citrix-cpx-with-ingress-controller/1.30.1/questions.yml
deleted file mode 100644
index 0c87144137..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.30.1/questions.yml
+++ /dev/null
@@ -1,211 +0,0 @@ -questions: -- variable: license.accept - required: true - default: "no" - type: enum - description: "Set to yes to accept the terms and conditions of the Citrix license." - label: Accept License - group: "Deployment Settings" - options: - - "yes" - - "no" -- variable: openshift - default: false - type: boolean - description: "openshift is set to true if charts are being deployed in OpenShift environment" - label: Openshift flag - group: "Deployment Settings" -- variable: nsNamespace - type: string - description: "Prefix for the resources on Citrix ADC" - label: Resource Prefix - group: "Deployment Settings" -- variable: ingressClass[0] - type: string - description: "ingressClass is the name of the Ingress Class" - label: Ingress Class - group: "Deployment Settings" -- variable: logLevel - default: "DEBUG" - type: enum - options: - - "TRACE" - - "DEBUG" - - "INFO" - - "WARNING" - - "ERROR" - description: "logLevel of Citrix Ingress Controller pod" - label: LogLevel - group: "Deployment Settings" -- variable: defaultSSLCert - type: string - description: "Secret containing the default ceritifcate for SSL vservers" - label: Default SSLCert - group: "ADC Settings" -- variable: logProxy - type: string - description: "Elasticsearch or Kafka or Zipkin endpoint for Citrix observability exporte" - label: LogProxy - group: "Deployment Settings" -- variable: http2ServerSide - default: "OFF" - type: enum - options: - - "ON" - - "OFF" - description: "Set to ON to enable HTTP2 for Citrix ADC service group configurations" - label: HTTP2 on ADC - group: "ADC Settings" -- variable: nodeSelector.key - type: string - label: NodeSelector Key - group: "Deployment Settings" -- variable: nodeSelector.value - type: string - label: NodeSelector Value - group: "Deployment Settings" - - -- variable: ADMSettings.licenseServerIP - type: string - label: ADM LicenseServerIP - group: "ADM Settings" -- variable: ADMSettings.licenseServerPort - default: 27000 - type: int - label: 
ADM LicenseServerPort - group: "ADM Settings" -- variable: ADMSettings.ADMIP - type: string - label: ADM IP - group: "ADM Settings" -- variable: ADMSettings.ADMFingerPrint - type: string - label: ADM FingerPrint - group: "ADM Settings" -- variable: ADMSettings.loginSecret - type: string - label: ADM Login Secret - group: "ADM Settings" -- variable: ADMSettings.bandWidthLicense - type: boolean - label: CPX Bandwidth License - group: "ADM Settings" -- variable: ADMSettings.bandWidth - type: int - label: CPX Bandwidth - group: "ADM Settings" -- variable: ADMSettings.vCPULicense - type: boolean - label: CPX vCPU License - group: "ADM Settings" -- variable: ADMSettings.cpxCores - type: int - label: CPX Cores - group: "ADM Settings" -- variable: cic.pullpolicy - default: "IfNotPresent" - type: enum - label: CIC Image Pullpolicy - group: "CIC/CPX Image Settings" - options: - - "Always" - - "IfNotPresent" - - "Never" -- variable: pullpolicy - default: "IfNotPresent" - type: enum - label: CPX Image Pullpolicy - group: "CIC/CPX Image Settings" - options: - - "Always" - - "IfNotPresent" - - "Never" -- variable: cic.image - default: "quay.io/citrix/citrix-k8s-ingress-controller:1.8.28" - type: string - label: CIC Image - group: "CIC/CPX Image Settings" -- variable: image - type: string - default: "quay.io/citrix/citrix-k8s-cpx-ingress:13.0-58.30" - label: CPX Image - group: "CIC/CPX Image Settings" -- variable: exporter.image - default: "quay.io/citrix/citrix-adc-metrics-exporter:1.4.5" - type: string - description: "Exporter Image to be used" - label: Exporter Image - group: "Exporter Settings" -- variable: exporter.pullPolicy - default: "IfNotPresent" - type: string - description: "Exporter Image pull policy" - label: Exporter Image PullPolicy - group: "Exporter Settings" -- variable: exporter.ports.containerPort - default: 8888 - type: int - label: Exporter ContainerPort - group: "Exporter Settings" -- variable: coeConfig.distributedTracing.enable - default: false - type: 
boolean - label: Enable distributedTracing - group: "COE Settings" -- variable: coeConfig.distributedTracing.samplingrate - default: 100 - type: int - label: COE Sampling Rate - group: "COE Settings" -- variable: coeConfig.endpoint.server - type: string - label: COE Endpoint Server - group: "COE Settings" -- variable: coeConfig.timeseries.port - default: 5563 - type: int - label: COE timeseries port - group: "COE Settings" -- variable: coeConfig.timeseries.metrics.enable - default: false - type: boolean - label: Enable timeseries metrics - group: "COE Settings" -- variable: coeConfig.timeseries.metrics.mode - default: 'avro' - type: string - label: COE timeseries metrics Mode - group: "COE Settings" -- variable: coeConfig.timeseries.auditlogs.enable - default: false - type: string - label: Enable timeseries auditlogs - group: "COE Settings" -- variable: coeConfig.timeseries.events.enable - default: false - type: string - label: Enable timeseries events - group: "COE Settings" -- variable: coeConfig.transactions.enable - default: false - type: string - label: Enable transactions - group: "COE Settings" -- variable: coeConfig.transactions.port - default: 5557 - type: int - label: COE transactions port - group: "COE Settings" -- variable: crds.install - default: true - type: boolean - description: "If set to true the charts will install CustomResourceDefinitions which are consumed by CIC." - label: CRD flag - group: "Deployment Settings" -- variable: crds.retainOnDelete - default: false - type: boolean - description: "Set this argument to true if you want to retain CustomResourceDefinitions even after uninstalling CIC. This will avoid data-loss of Custom Resource Objects created before uninstallation." - label: CRD retainOnDelete flag - group: "Deployment Settings" 
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.30.1/templates/NOTES.txt b/charts/citrix/citrix-cpx-with-ingress-controller/1.30.1/templates/NOTES.txt
deleted file mode 100644
index bccfdf69a4..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.30.1/templates/NOTES.txt
+++ /dev/null
@@ -1,14 +0,0 @@
-Thank you for installing {{ .Chart.Name }}.
-
-Your release is named {{ .Release.Name }}.
-
-
-To learn more about the release, try:
-
- $ helm status {{ .Release.Name }}
- $ helm get {{ .Release.Name }}
-
-
-To delete :
- helm delete {{ .Release.Name }}
-
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.30.1/templates/_helpers.tpl b/charts/citrix/citrix-cpx-with-ingress-controller/1.30.1/templates/_helpers.tpl
deleted file mode 100644
index 92e636ce23..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.30.1/templates/_helpers.tpl
+++ /dev/null
@@ -1,97 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Analytics Server IP or DNS
-*/}}
-{{- define "analytics.server" -}}
-{{- if .Values.analyticsConfig.endpoint.server -}}
-{{- printf .Values.analyticsConfig.endpoint.server -}}
-{{- else -}}
-{{- printf "analytics.%s.svc.cluster.local" .Release.Namespace -}}
-{{- end -}}
-{{- end -}}
-
-
-{{- define "citrix-cpx-ingress-controller.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "citrix-cpx-ingress-controller.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "cpxservice.fullname" -}}
-{{- $name := default .Chart.Name "cpx-service" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "cpxexporter.fullname" -}}
-{{- $name := default .Chart.Name "exporter" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "cpxservicemonitor.fullname" -}}
-{{- $name := default .Chart.Name "citrix-adc-cpx-servicemonitor" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "cpxservicemonitorlabel" -}}
-{{- $name := default .Chart.Name "citrix-adc-cpx-svcmon" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "cpxconfigmap.fullname" -}}
-{{- $name := default .Chart.Name "cpx-cic-configmap" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "citrix-cpx-ingress-controller.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "citrix-cpx-ingress-controller.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create -}}
- {{ default (include "citrix-cpx-ingress-controller.fullname" .) .Values.serviceAccount.name }}
-{{- else -}}
- {{ default "default" .Values.serviceAccount.name }}
-{{- end -}}
-{{- end -}}
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.30.1/templates/cic_crds.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.30.1/templates/cic_crds.yaml
deleted file mode 100644
index b1c287d233..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.30.1/templates/cic_crds.yaml
+++ /dev/null
@@ -1,2513 +0,0 @@ -{{- if .Values.crds.install }} -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: rewritepolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: rewritepolicy - plural: rewritepolicies - singular: rewritepolicy - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - rewrite-policies: - type: array - items: - type: object - properties: - servicenames: - description: 'Name of the services that needs to be binded to rewrite policy.' - type: array - items: - type: string - maxLength: 127 - goto-priority-expression: - description: 'Expression or other value specifying the next policy to be - evaluated if the current policy evaluates to TRUE. - Specify one of the following values: - * NEXT - Evaluate the policy with the next higher priority number. - * END - End policy evaluation. - Default value of goto-priority-expression: END' - type: string - maxLength: 1499 - logpackets: - type: object - description: 'Adds an audit message action. - The action specifies whether to log the message, and to which log.' 
- properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' - type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - rewrite-policy: - type: object - properties: - rewrite-criteria: - description: 'Expression against which traffic is evaluated.' - type: string - maxLength: 1299 - default-action: - description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). - An UNDEF event indicates an internal error condition.' - type: string - maxLength: 77 - enum: ['NOREWRITE', 'RESET', 'DROP'] - operation: - description: 'Type of user-defined rewrite action.' - type: string - enum: ["noop", "delete", "insert_http_header", "delete_http_header", - "corrupt_http_header", "insert_before", "insert_after", "replace", - "replace_http_res", "delete_all", "replace_all", "insert_before_all", - "insert_after_all", "clientless_vpn_encode", "clientless_vpn_encode_all", - "clientless_vpn_decode", "clientless_vpn_decode_all", "insert_sip_header", - "delete_sip_header", "corrupt_sip_header", "replace_sip_res", "replace_diameter_header_field", - "replace_dns_header_field", "replace_dns_answer_section"] - target: - description: 'Default syntax expression that specifies which part of the request or response to rewrite.' - type: string - maxLength: 1229 - modify-expression: - description: 'Default syntax expression that specifies the content to insert into the request - or response at the specified location, or that replaces the specified string.' - type: string - maxLength: 7991 - multiple-occurence-modify: - description: 'Search facility that is used to match multiple strings in the request or response.' 
- type: string - maxLength: 171 - additional-multiple-occurence-modify: - description: 'Specify additional criteria to refine the results of the search. - Always starts with the "extend(m,n)" operation, where "m" specifies number of bytes to the left of selected data - and "n" specifies number of bytes to the right of selected data. - You can use refineSearch only on body expressions, and only when rewrite-criteria is any one of this: - INSERT_BEFORE_ALL, INSERT_AFTER_ALL, REPLACE_ALL, and DELETE_ALL.' - type: string - maxLength: 1299 - direction: - description: 'Bind point to which to bind the policy.' - type: string - enum: ["REQUEST","RESPONSE"] - comment: - description: 'Any comments to preserve information about this rewrite policy.' - type: string - maxLength: 255 - required: [rewrite-criteria, operation, target, direction] - required: [rewrite-policy] - - responder-policies: - type: array - items: - type: object - properties: - servicenames: - description: 'Name of the services that needs to be binded to responder policy.' - type: array - items: - type: string - maxLength: 127 - goto-priority-expression: - description: 'Expression or other value specifying the next policy to be - evaluated if the current policy evaluates to TRUE. - Specify one of the following values: - * NEXT - Evaluate the policy with the next higher priority number. - * END - End policy evaluation. - Default value of goto-priority-expression: END' - type: string - maxLength: 1499 - logpackets: - type: object - description: 'Adds an audit message action. - The action specifies whether to log the message, and to which log.' - properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' 
- type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", - "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - responder-policy: - type: object - properties: - redirect: - type: object - description: 'Use this option when you want to Redirect the request when request matches to policy.' - properties: - url: - description: 'URL on which you want to redirect the request.' - type: string - maxLength: 7991 - redirect-status-code: - description: 'HTTP response status code, for example 200, 302, 404, etc.' - type: integer - minimum: 100 - maximum: 599 - redirect-reason: - description: 'Expression specifying the reason for redirecting the request.' - type: string - maxLength: 7991 - required: [url] - respondwith: - type: object - description: 'Use this parameter when you want to respond to the request when request matches to policy.' - properties: - http-payload-string: - description: 'Expression that you want to sent as response to the request.' - type: string - maxLength: 7991 - required: [http-payload-string] - noop: - type: string - description: 'Use this option when you want to send the request to the protected server instead of - responding to it when request matches to policy.' - properties: - target: - description: 'Default syntax expression that specifies to perform noop operation on' - type: string - maxLength: 1229 - reset: - type: string - description: 'Use this option when you want to Reset the client connection by closing it when request matches to policy.' - properties: - drop: - type: string - description: 'Use this option when you want to drop the request without sending a response to the user when request matches to policy.' - properties: - respond-criteria: - description: 'Default syntax expression that the policy uses to determine whether to respond to the specified request.' 
- type: string - maxLength: 1299 - default-action: - description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). - An UNDEF event indicates an internal error condition.' - type: string - maxLength: 77 - enum: ['NOOP', 'RESET', 'DROP'] - comment: - description: 'Any comments to preserve information about this responder policy.' - type: string - maxLength: 255 - required: [respond-criteria] - oneOf: [required: [redirect], required: [respondwith], required: [noop], required: [reset], required: [drop]] - required: [responder-policy] - - dataset: - type: array - items: - type: object - properties: - name: - description: 'Name of the dataset.' - type: string - maxLength: 32 - type: - description: 'Type of value to bind to the dataset.' - type: string - enum: ["ipv4", "number", "ipv6", "ulong", "double", "mac"] - comment: - description: 'Any comments to preserve information about this dataset.' - type: string - maxLength: 255 - values: - description: 'Value of the specified type that is associated with this dataset.' - type: array - items: - type: string - required: [name, type, values] - - patset: - type: array - items: - type: object - properties: - name: - description: 'Name of the Patset.' - type: string - maxLength: 32 - comment: - description: 'Any comments to preserve information about this patset.' - type: string - maxLength: 255 - values: - description: 'String of characters that constitutes a pattern and is associated with this patset.' - type: array - items: - type: string - required: [name, values] - - stringmap: - type: array - items: - type: object - properties: - name: - description: 'Name of the Stringmap.' - type: string - maxLength: 32 - comment: - description: 'Any comments to preserve information about this stringmap.' - type: string - maxLength: 255 - values: - description: 'List of (key,value) pairs to be bound to this string map.' 
- type: array - items: - type: object - properties: - key: - description: 'Character string constituting the key to be bound to this string map.' - type: string - maxLength: 2047 - value: - description: 'Character string constituting the value associated with the key.' - type: string - maxLength: 2047 - required: [name, values] - - httpcallout_policy: - type: array - items: - type: object - properties: - name: - description: 'httpcallout name' - type: string - maxLength: 32 - server_ip: - description: 'IP Address of the server(callout agent) to which the callout is sent.' - type: string - server_port: - description: 'Port of the server(callout agent) to which the callout is sent.' - type: integer - minimum: 1 - maximum: 65535 - http_method: - description: |+ - 'Method used in the HTTP request that this callout sends. - Default http method is GET' - type: string - enum: ['GET', 'POST'] - host_expr: - description: |+ - 'String expression to configure the Host header. Can contain a literal value - (for example, 10.101.10.11) or a derived value (for example, http.req.header("Host")). - The literal value can be an IP address or a fully qualified domain name. Mutually - exclusive with the full HTTP request expression.' - type: string - maxLength: 255 - url_stem_expr: - description: |+ - 'String expression for generating the URL stem. Can contain a literal string - (for example, "/mysite/index.html") or an expression that derives the value - (for example, http.req.url).' - type: string - maxLength: 8191 - headers: - type: array - description: |+ - 'One or more headers to insert into the HTTP request. Each header is represented by - name and expr, where expr is an expression that is evaluated at runtime to provide - the value for the named header. You can configure a maximum of eight headers for - an HTTP callout.' 
- items: - type: object - properties: - name: - description: 'header name' - type: string - expr: - description: 'header expression' - type: string - parameters: - type: array - description: |+ - 'One or more query parameters to insert into the HTTP request URL (for a GET request) - or into the request body (for a POST request). Each parameter is represented by - name and expr, where expr is an expression that is evaluated at run time to provide - the value for the named parameter (name=value). The parameter values are URL encoded.' - items: - type: object - properties: - name: - description: 'parameter name' - type: string - expr: - description: 'parameter expression' - type: string - body_expr: - description: |+ - 'An advanced string expression for generating the body of the request. - The expression can contain a literal string or an expression that derives - the value (for example, client.ip.src).' - type: string - full_req_expr: - description: |+ - 'Exact HTTP request, in the form of an expression, which the Citrix ADC sends - to the callout agent. The request expression is constrained by the feature - for which the callout is used. For example, an HTTP.RES expression cannot be - used in a request-time policy bank or in a TCP content switching policy bank.' - type: string - scheme: - description: |+ - 'Type of scheme for the callout server. - Default scheme is HTTP' - type: string - enum: ['HTTP', 'HTTPS'] - cache_for_secs: - description: |+ - 'Duration, in seconds, for which the callout response is cached. - The cached responses are stored in an integrated caching content - group named "calloutContentGroup". If no duration is configured, - the callout responses will not be cached unless normal caching - configuration is used to cache them. This parameter takes precedence over any - normal caching configuration that would otherwise apply to these responses.' 
- type: integer - minimum: 1 - maximum: 31536000 - return_type: - description: |+ - 'Type of data that the target callout agent returns in response to the callout - Available settings function as follows: - * TEXT - Treat the returned value as a text string. - * NUM - Treat the returned value as a number. - * BOOL - Treat the returned value as a Boolean value.' - type: string - enum: ['TEXT', 'NUM', 'BOOL'] - result_expr: - description: |+ - 'Expression that extracts the callout results from the response sent by the HTTP callout - agent. Must be a response based expression, that is, it must begin with HTTP.RES. The - operations in this expression must match the return type. For example, if you configure - a return type of TEXT, the result expression must be a text based expression. If the - return type is NUM, the result expression (resultExpr) must return a numeric value, - as in the following example: http.res.body(10000).length.' - type: string - maxLength: 8191 - comment: - description: 'Any comments to preserve information about this HTTP callout.' 
- type: string - maxLength: 255 - allOf: - - properties: - required: [name, server_ip, server_port] - - properties: - oneOf: - - properties: - required: [full_req_expr] - - properties: - anyOf: - - properties: - required: [http_method] - - properties: - required: [host_expr] - - properties: - required: [url_stem_expr] - - properties: - required: [headers] - - properties: - required: [parameters] - - properties: - required: [body_expr] - anyOf: [required: [rewrite-policies], required: [responder-policies]] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: ratelimits.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: ratelimit - plural: ratelimits - singular: ratelimit - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the ratelimit policies are applied.' - type: array - items: - type: string - maxLength: 127 - selector_keys: - type: object - description: 'Traffic match criteria to which apply above rate-limit/throttling. All keys are applied as AND condition. 
If no keys are specified, rate-limit applies at service level' - properties: - basic: - type: object - description: "Basic traffic stream selection criteria to which to apply the ratelimit" - properties: - path: - type: array - description: "api resource path prefix match. e.g. /api/v1/products" - items: - type: string - method: - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT', 'UNKNOWN_METHOD'] - header_name: - description: "HTTP header that identifies the unique API client for e.g. X-apikey" - type: string - per_client_ip: - description: "Setting this applies the throttling limit to each unique Client IP address accessing the API resource" - type: boolean - req_threshold: - description: 'Max requests per timeslice units to be allowed' - type: integer - timeslice: - description: 'Timeslice in miliseconds in multiple of 10. Defaults to 1000 miliseconds' - type: integer - limittype: - description: "Burst mode or smooth. Defaults to smooth limittype if not specified" - type: string - enum: ['BURSTY','SMOOTH'] - throttle_action: - type: string - enum: ['DROP', 'RESET','REDIRECT', 'RESPOND'] - description: "Drop will drop the requests exceeding limits, RESET will reset the client connection, Redirect will redirect to specified URL, respond will respond with 429 'Exceeded allowed rate of requests'" - redirect_url: - type: string - description: "Redirect-URL" - logpackets: - type: object - description: 'Adds an audit message action. The action specifies whether to log the message, and to which log.' - properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' 
- type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - required: [req_threshold] ---- -#Sample CRD instance - -#apiVersion: citrix.com/v1 -#description: VIP for apache service -#kind: vip -#metadata: -# name: service-apache -# namespace: default -#spec: -# description: VIP for the apache Service -# ipaddress: 10.99.98.90 -# kind: service -# name: apache - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: vips.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: vip - plural: vips - singular: vip - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - additionalPrinterColumns: - - jsonPath: .spec.ipaddress - name: VIP - type: string - - name: Age - type: date - jsonPath: .metadata.creationTimestamp - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - ipaddress: - type: string - name: - type: string - kind: - type: string - enum: ["service", "ingress"] - description: - type: string - range-name: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: authpolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: authpolicy - plural: authpolicies - singular: authpolicy - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: 'Current Status of the CRD' - jsonPath: .status.state - - name: Message - type: string - description: 'Status Message' - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: 
string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: |+ - 'Name of the services for which the policies applied' - type: array - items: - type: string - maxLength: 63 - authentication_mechanism: - type: object - description: |+ - 'Authentication mechanism. Options: using forms or using request header. - Default is Authentication using request header, when no option is specified' - properties: - using_request_header: - description: |+ - 'Enable user authentication using request header. Use when the credentials - or api keys are passed in a header. For example, when using Basic, Digest, - Bearer authentication or api keys. - When authentication using forms is provided, this is set to OFF' - - type: string - using_forms: - type: object - description: 'Enables authentication using forms. Use with user/web authentication.' - properties: - authentication_host: - description: |+ - 'Fully qualified domain name (FQDN) for authentication. - This FQDN should be unique and should resolve to frontend IP of - ADC with Ingress/service type LoadBalancer (or) vip of Listener CRD' - type: string - maxLength: 255 - authentication_host_cert: - description: |+ - 'Name of the SSL certificate to be used with authentication_host. 
- This certificate is mandatory while using_forms' - type: object - properties: - tls_secret: - type: string - description: 'Name of the Kubernetes Secret of type tls referring to Certificate' - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - preconfigured: - type: string - maxLength: 63 - description: |+ - 'Preconfigured SSL certkey name on ADC with the - certificate and key already added on ADC' - oneOf: - - properties: - required: [tls_secret] - - properties: - required: [preconfigured] - ingress_name: - description: |+ - 'Ingress name for which the authentication using forms - is applicable.' - type: string - maxLength: 63 - lb_service_name: - description: |+ - 'Service of type LoadBalancer for which the authentication using forms - is applicable.' - type: string - maxLength: 63 - listener_name: - description: |+ - 'Listener CRD name for which the authentication using forms is applicable.' - type: string - maxLength: 63 - vip: - description: |+ - 'Frontend IP of ingress for which the authentication - using forms is applicable. This refers to frontend-ip provided - with Ingress. It is suggested to use vip, if more than one Ingress - resource use the same frontend-ip' - type: string - required: [authentication_host, authentication_host_cert] - oneOf: - - properties: - required: [ingress_name] - - properties: - required: [lb_service_name] - - properties: - required: [listener_name] - - properties: - required: [vip] - oneOf: - - properties: - using_request_header: - enum: ['ON'] - required: [using_request_header] - - properties: - required: [using_forms] - - authentication_providers: - description: |+ - 'Authentication Configuration for required authentication providers/schemes. 
- One or more of these can be created' - type: array - items: - description: 'Create config for a single authentication provider of a particular type' - type: object - properties: - name: - description: 'Name for this provider, has to be unique, referenced by authentication policies' - type: string - maxLength: 127 - - oauth: - description: 'Authentication provided by external oAuth provider' - type: object - properties: - issuer: - description: 'Identity of the server whose tokens are to be accepted' - type: string - maxLength: 127 - audience: - description: 'Audience for which token sent by Authorization server is applicable' - type: array - items: - type: string - maxLength: 127 - jwks_uri: - description: |+ - 'URL of the endpoint that contains JWKs (Json Web Key) for - JWT (Json Web Token) verification' - type: string - maxLength: 127 - introspect_url: - description: ' URL of the introspection server' - type: string - maxLength: 127 - client_credentials: - description: |+ - 'secrets object that contains Client Id and secret as known - to Introspection server' - type: string - maxLength: 253 - token_in_hdr: - description: |+ - 'custom header name where token is present, - default is Authorization header' - type: array - items: - type: string - maxLength: 127 - maxItems: 2 - token_in_param: - description: 'query parameter name where token is present' - type: array - items: - type: string - maxLength: 127 - maxItems: 2 - signature_algorithms: - description: 'list of allowed signature algorithms, by default HS256, RS256, RS512 are allowed' - type: array - items: - type: string - enum: ['HS256', 'RS256', 'RS512'] - claims_to_save: - description: 'list of claims to be saved, used to create authorization policies' - type: array - items: - type: string - maxLength: 127 - metadata_url: - description: 'URL used to get OAUTH/OIDC provider metadata' - type: string - maxLength: 255 - user_field: - description: |+ - 'Attribute in the token from which username should be 
extracted. - by default, ADC looks at email attribute for user id' - type: string - maxLength: 127 - default_group: - description: |+ - 'group assigned to the request if authentication succeeds, - this is in addition to any extracted groups from token' - type: string - maxLength: 63 - grant_type: - description: 'used to specify the type of flow to the token end point, defaults to CODE' - type: array - items: - type: string - enum: ['CODE','PASSWORD'] - pkce: - description: 'specify whether to enable Proof Key Code Exchange, defaults to ENABLED' - type: string - enum: ['ENABLED', 'DISABLED'] - token_ep_auth_method: - description: |+ - 'authentication method to be used with token end point, - defaults to client_secret_post' - type: string - enum: ['client_secret_post', 'client_secret_jwt'] - - anyOf: - - properties: - required : [jwks_uri] - - properties: - required : [introspect_url, client_credentials] - - properties: - required : [metadata_url] - - ldap: - description: 'LDAP authentication provider' - type: object - properties: - server_ip: - description: 'IP address assigned to the LDAP server' - type: string - server_name: - description: 'LDAP server name as a FQDN' - type: string - maxLength: 127 - server_port: - description: 'Port on which the LDAP server accepts connections. Default is 389' - type: integer - minimum: 1 - maximum: 65535 - base: - description: |+ - 'Base (node) from which to start LDAP searches. If the LDAP server is - running locally, the default value of base is dc=netscaler, dc=com' - type: string - maxLength: 127 - server_login_credentials: - description: |+ - 'Kubernetes secret object providing credentials to login to LDAP server, - The secret data should have username and password' - type: string - login_name: - description: |+ - 'LDAP login name attribute. 
The Citrix ADC uses the LDAP login name - to query external LDAP servers or Active Directories' - type: string - maxLength: 127 - security_type: - description: |+ - 'Type of security used for communications between the Citrix ADC - and the LDAP server. Default is TLS' - type: string - enum: ['PLAINTEXT', 'TLS', 'SSL'] - validate_server_cert: - description: 'Validate LDAP Server certs. Default is NO' - type: string - enum: ['YES', 'NO'] - hostname: - description: |+ - 'Hostname for the LDAP server. If validate_server_cert is ON, - this must be the host name on the certificate from the LDAP - A hostname mismatch will cause a connection failure' - type: string - maxLength: 127 - sub_attribute_name: - description: 'LDAP group sub-attribute name. Used for group extraction from the LDAP server.' - type: string - maxLength: 31 - group_attribute_name: - description: 'LDAP group attribute name. Used for group extraction on the LDAP server.' - type: string - maxLength: 31 - search_filter: - description: |+ - 'String to be combined with the default LDAP user search string to form the - search value. For example, if the search filter "vpnallowed=true" is combined - with the LDAP login name "samaccount" and the user-supplied username is "bob", - the result is the LDAP search string ""(&(vpnallowed=true)(samaccount=bob)"" - (Be sure to enclose the search string in two sets of double quotation marks)' - type: string - maxLength: 255 - auth_timeout: - description: |+ - 'Number of seconds the Citrix ADC waits for a response from the server - Default is 3' - type: integer - minimum: 1 - maximum: 4294967295 - password_change: - description: 'Allow password change requests. 
Default is DISABLED' - type: string - enum: ['ENABLED', 'DISABLED'] - attributes_to_save: - description: |+ - 'List of attribute names separated by comma which needs to be fetched - from LDAP server and stored as key-value pair for the session on ADC' - type: string - maxLength: 2047 - oneOf: - - properties: - required: [server_ip] - - properties: - required: [server_name] - - saml: - description: |+ - 'SAML authentication provider. - Currently SAML is supported only with authentication mechanism using forms' - type: object - properties: - metadata_url: - description: 'URL is used for obtaining saml metadata.' - type: string - maxLength: 255 - metadata_refresh_interval: - description: |+ - 'Interval in minutes for fetching metadata from specified metadata URL. - Default is 36000' - type: integer - minimum: 1 - maximum: 4294967295 - signing_cert: - description: 'SSL certificate to sign requests from SP to IDP' - type: object - properties: - tls_secret: - type: string - description: 'Name of the Kubernetes Secret of type tls referring to Certificate' - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - preconfigured: - type: string - maxLength: 63 - description: |+ - 'Preconfigured SSL certkey name on ADC with the - certificate and key already added on ADC' - oneOf: - - properties: - required: [tls_secret] - - properties: - required: [preconfigured] - audience: - description: 'Audience for which assertion sent by IdP is applicable' - type: string - maxLength: 127 - issuer_name: - description: 'The name to be used in requests sent from SP to IDP to identify citrix ADC' - type: string - maxLength: 63 - binding: - description: 'Specifies the transport mechanism of saml message. Default is POST' - type: string - enum: ['REDIRECT', 'POST', 'ARTIFACT'] - artifact_resolution_service_url: - description: 'URL of the Artifact Resolution Service on IdP' - type: string - maxLength: 255 - logout_binding: - description: 'Specifies the transport mechanism of saml logout. 
Default is POST' - type: string - enum: ['REDIRECT', 'POST'] - reject_unsigned_assertion: - description: |+ - 'Reject unsigned SAML assertions. ON, rejects assertion without signature. - STRICT ensure that both Response and Assertion are signed. Default is ON' - type: string - enum: ['ON', 'OFF', 'STRICT'] - user_field: - description: 'SAML user ID, as given in the SAML assertion' - type: string - maxLength: 63 - default_authentication_group: - description: |+ - 'This is the default group that is chosen when the authentication - succeeds in addition to extracted groups' - type: string - maxLength: 63 - skew_time: - description: |+ - 'Allowed clock skew in number of minutes on an incoming assertion. - Default is 5' - type: integer - minimum: 1 - attributes_to_save: - description: |+ - 'List of attribute names separated by comma which needs to be extracted - and stored as key-value pair for the session on ADC' - type: string - maxLength: 2047 - required: - - metadata_url - - basic_local_db: - type: object - description: |+ - 'Basic HTTP authentication supported by ADC, user data in local DB of ADC. - Users needs to be added on ADC' - properties: - use_local_auth: - description: 'Use ADC authentication' - type: string - enum: ['YES'] - - required: - - name - - authentication_policies: - description: 'Authentication policies' - type: array - items: - type: object - description: 'Authentication policy' - properties: - resource: - type: object - description: 'endpoint/resource selection criteria' - properties: - path: - description: 'api resource path e.g. /products. 
' - type: array - items: - type: string - maxLength: 511 - method: - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT', 'UNKNOWN_METHOD'] - required: - - path - expression: - description: 'ADC syntax expression for authentication' - type: string - maxLength: 1229 - provider: - description: 'name of the authentication provider for the policy, empty if no authentication required' - type: array - items: - type: string - maxLength: 127 - maxItems: 1 - oneOf: - - required: [resource, provider] - - required: [expression, provider] - - authorization_policies: - description: 'Authorization policies' - type: array - items: - type: object - description: 'Authorization policy' - properties: - resource: - type: object - description: 'endpoint/resource selection criteria' - properties: - path: - description: 'api resource path e.g. /products. ' - type: array - items: - type: string - maxLength: 511 - method: - description: ' http method' - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT', 'UNKNOWN_METHOD'] - claims: - description: 'authorization scopes required for selected resource saved as claims or attributes' - type: array - items: - type: object - properties: - name: - description: 'name of the claim/attribute to check' - type: string - maxLength: 127 - values: - description: 'list of claim values required for the request' - type: array - items: - type: string - maxLength: 127 - minItems: 1 - required: - - name - - values - required: - - claims - expression: - description: 'ADC syntax expression for authorization' - type: string - maxLength: 1229 - oneOf: - - required: [resource] - - required: [expression] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: listeners.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - 
names: - kind: Listener - plural: listeners - singular: listener - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - required: [spec] - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - required: [protocol] - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - protocol: - type: string - enum: ["https", "http"] - description: "Protocol for this listener" - vip: - type: string - description: "VIP address, Optional for CPX, required for Tier-1 deployments" - secondaryVips: - type: array - description: "An array of Secondary VIPs. All the VIPs will be part of an ipset" - minItems: 1 - items: - type: string - redirectPort: - type: integer - minimum: 1 - maximum: 65535 - description: "Port from which http traffic should be redirected to https" - port: - type: integer - minimum: 1 - maximum: 65535 - certificates: - type: array - description: "certificates attached to the endpoints - Not applicable for HTTP" - minItems: 1 - items: - type: object - properties: - preconfigured: - type: string - description: "Preconfigured Certificate name on ADC " - secret: - type: object - description: "Kuberentes secret object" - required: [name] - properties: - name: - type: string - description: "name of the Kubernetes Secret object where Cert is located" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - namespace: - type: string - description: "Namespace of the kubernetes secret object; Default is same namespace where the Listener object is located" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - default: - type: boolean - description: "Only one of the certificate can be marked as default which will be presented if none of the cert matches with 
the hostname" - oneOf: - - required: ["preconfigured"] - - required: ["secret"] - policies: - type: object - description: "Policies attached to the Listener" - properties: - httpprofile: - type: object - description: "HTTP profile configurations for the Listener, HTTP level configurations" - properties: - preconfigured: - type: string - description: "Preconfigured or Built-in HTTP profile name" - config: - type: object - description: "HTTP profile configuration for the listener. For individual fields, refer:https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ns/nshttpprofile/nshttpprofile/ Name field is auto populated" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - tcpprofile: - type: object - description: "TCP level configurations, uses ns tcpprofile of citrix ADC" - properties: - preconfigured: - description: "Preconfigured or Built-in TCP profile name" - type: string - config: - type: object - description: "TCPprofile configurations for the listener. For individual fields refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ns/nstcpprofile/ ; Name field is auto populated" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - csvserverConfig: - type: object - description: "CS Vserver configuration for the listener" - additionalProperties: - type: string - sslprofile: - type: object - description: "SSL profile configuration" - properties: - preconfigured: - type: string - description: "SSL profile which is preconfigured in ADC. Ciphers bound to the profile is not overriden" - config: - description: "Citrix ADC frontend SSL profile configurations. 
Refer:https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ssl/sslprofile/ for all configurations; Name field is auto generated" - type: object - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - sslciphers: - type: array - description: "List of ciphers to be bound to the ssl profile for the listener. Priority is as per the order in the list. A cipher suite, predefined cipher group or User created cipher group can be mentioned" - minItems: 1 - items: - type: string - description: "Cipher suite, cipher group name" - analyticsprofile: - type: object - description: "Analytics profile configuration" - properties: - preconfigured: - type: array - description: "Preconfigured Analytics profile that needs to be bound to the vserver" - minItems: 1 - items: - type: string - description: "Name of the analytics profile preconfigured that will be bound to the Vserver" - config: - type: array - description: "An array of analytics to be enabled" - minItems: 1 - items: - type: object - description: "Anlytics to be enabled" - required: ['type'] - properties: - type: - description: "Analytics profile to be enabled, you can enable one or more of the webinsight, tcpinsight, securityinsight, videoinsight, hdxinsight, gatewayinsight, timeseries, lsninsight, botinsight " - type: string - enum: ["webinsight", "tcpinsight", "securityinsight", "videoinsight", "hdxinsight", "gatewayinsight", "timeseries", "lsninsight", "botinsight"] - parameters: - type: object - description: "Additional parameters for analytics profile. 
Please refer:https://developer-docs.citrix.com/projects/citrix-adc-nitro-api-reference/en/latest/configuration/analytics/analyticsprofile/" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - routes: - type: array - description: "List of route objects attached to the listener" - minItems: 1 - items: - type: object - properties: - name: - type: string - description: "Name of the HTTPRoute object" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - namespace: - type: string - description: "Namespace of the HTTPRoute object" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - labelSelector: - description: "Labels key value pair, if the route carries the same labels, it is automatically attached" - type: object - additionalProperties: - type: string - oneOf: - - required: [name, namespace] - - required: [labelSelector] - defaultAction: - type: object - description: "Default action for the listener: One of Backend or Redirect" - properties: - backend: - type: object - oneOf: - - required: [kube] - properties: - kube: - type: object - required: [service, port] - properties: - service: - description: "Name of the backend service" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - port: - description: "Service port" - type: integer - minimum: 1 - maximum: 65535 - namespace: - description: "Service namespace" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - backendConfig: - description: "General backend service options" - type: object - properties: - secure_backend: - description: "Use Secure communications to the backends" - type: boolean - lbConfig: - description: "Citrix ADC LB vserver configurations for the backend. 
Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/load-balancing/lbvserver/lbvserver/ for all configurations" - type: object - additionalProperties: - type: string - servicegroupConfig: - description: "Citrix ADC service group configurations for the backend; Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/basic/servicegroup/servicegroup/ for all configurations" - type: object - additionalProperties: - type: string - redirect: - type: object - oneOf: - - required: [targetExpression] - - required: [hostRedirect] - - required: [httpsRedirect] - properties: - httpsRedirect: - description: "Change the scheme from http to https keeping URL intact" - type: boolean - hostRedirect: - description: "Host name specified is used for redirection with URL intact" - type: string - targetExpression: - description: "A target can be specified using Citrix ADC policy expression" - type: string - responseCode: - description: "Default response code is 302, which can be customised using this attribute" - type: integer - minimum: 100 - maximum: 599 - oneOf: - - required: ["backend"] - - required: ["redirect"] - subresources: - # status enables the status subresource. 
- status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: httproutes.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: HTTPRoute - plural: httproutes - singular: httproute - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - required: [rules] - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - hostname: - type: array - description: "List of domain names that share the same route, default is '*'" - minItems: 1 - items: - type: string - description: "Domain name" - rules: - type: array - description: "List Content routing rules with an action defined" - minItems: 1 - items: - type: object - required: [name, action] - properties: - name: - type: string - description: "A name to represent the rule, this is used as an identifier in content routing policy name in ADC" - minLength: 1 - maxLength: 20 - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - match: - type: array - description: "List of rules with same action" - minItems: 1 - items: - type: object - anyOf: - - required: [path] - - required: [headers] - - required: [cookies] - - required: [queryParams] - - required: [method] - - required: [policyExpression] - properties: - path: - type: object - description: "URL Path based content routing" - properties: - prefix: - type: string - description: "URL path matches the prefix expression" - exact: - type: string - description: "URL Path must match exact path" - regex: - type: string - description: "PCRE based 
regex expression for path matching" - headers: - type: array - description: "List of header for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Header details for content routing, Check for existence of a header or header name-value match" - properties: - headerName: - type: object - description: "Header name based content routing, Here existence of header is used for routing" - properties: - exact: - type: string - description: "Header Name - treated as exact must exist" - contains: - type: string - description: "Header Name - A header must exist that contain the string the name" - regex: - type: string - description: "header Name - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e header name must not exist" - oneOf: - - required: [exact] - - required: [contains] - - required: [regex] - headerValue: - type: object - description: "Header Name and Value based match" - properties: - name: - type: string - description: "Header name that must match the value" - exact: - type: string - description: "Header value - treated as exact" - contains: - type: string - description: "Header value - treated as contains" - regex: - type: string - description: "header value - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e header if present must not match the value" - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - queryParams: - type: array - description: "List of Query parameters for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Query parameters Name and Value based match" - properties: - name: - type: string - description: "Query name that must match the value. 
If no value is specified, matches with any value" - exact: - type: string - description: "Query value - Exact match" - contains: - type: string - description: "Query value - value must have the string(substring)" - regex: - type: string - description: "Query value - Value must match this regex patterm" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e query if present must not match the value" - anyOf: - - required: [name] - - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - cookies: - type: array - description: "List of Cookie params for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Cookie based routing" - properties: - name: - type: string - description: "cookie name that must match the value. If no value specified, it matches with any value" - exact: - type: string - description: "cookie value - treated as exact" - contains: - type: string - description: "cookie value - treated as substring" - regex: - type: string - description: "cookie value - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. 
I.e cookie if present must not match the value" - anyOf: - - required: [name] - - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - method: - type: string - description: "HTTP method for content routing eg: POST, PUT, DELETE etc" - policyExpression: - type: string - description: "Citrix ADC policy expressions; refer: https://docs.citrix.com/en-us/netscaler/media/expression-prefix.pdf" - action: - type: object - description: "Action for the matched rule" - properties: - backend: - type: object - oneOf: - - required: [kube] - properties: - kube: - type: object - required: [service, port] - properties: - service: - description: "Name of the backend service" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - port: - description: "Service port" - type: integer - minimum: 1 - maximum: 65535 - backendConfig: - type: object - description: "General backend service options" - properties: - secureBackend: - description: "Use Secure communications to the backends" - type: boolean - lbConfig: - description: "Citrix ADC LB vserver configurations for the backend. 
Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/load-balancing/lbvserver/lbvserver/ for all configurations" - type: object - additionalProperties: - type: string - servicegroupConfig: - description: "Citrix ADC service group configurations for the backend; Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/basic/servicegroup/servicegroup/ for all configurations" - type: object - additionalProperties: - type: string - redirect: - type: object - oneOf: - - required: [targetExpression] - - required: [hostRedirect] - - required: [httpsRedirect] - properties: - httpsRedirect: - description: "Change the scheme from http to https keeping URL intact" - type: boolean - hostRedirect: - description: "Host name specified is used for redirection with URL intact" - type: string - targetExpression: - description: "A target can be specified using Citrix ADC policy expression" - type: string - responseCode: - description: "Default response code is 302, which can be customised using this attribute" - type: integer - minimum: 100 - maximum: 599 - oneOf: - - required: ["backend"] - - required: ["redirect"] - subresources: - # status enables the status subresource. - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - # name must match the spec fields below, and be in the form: . 
- name: continuousdeployments.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: continuousdeployment - plural: continuousdeployments - singular: continuousdeployment - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - cronSpec: - type: integer - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: wafs.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: waf - plural: wafs - singular: waf - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the waf policies are applied.' 
- type: array - items: - type: string - maxLength: 127 - application_type: - description: 'Type of applications to protect' - type: array - items: - type: string - enum: ['HTML', 'JSON', 'XML'] - signatures: - description: 'Location of external signature file' - type: string - redirect_url: - description: 'When a URL is blocked/down, redirect_url represents the alternate URL where the client requests should be sent.' - type: string - html_error_object: - description: 'Location of customized error page to respond when html or common violation are hit' - type: string - xml_error_object: - description: 'Location of customized error page to respond when xml violations are hit' - type: string - json_error_object: - description: 'Location of customized error page to respond when json violations are hit' - type: string - ip_reputation: - type: object - x-kubernetes-preserve-unknown-fields: true - description: 'Enabling IP reputation feature' - target: - description: 'To control what traffic to be inspected by Web Application Firewall. 
If you do not provide the target, everything will be inspected by default' - type: object - properties: - path: - type: array - description: "List of http urls to inspect" - items: - type: string - description: "URL path" - method: - type: array - description: "List of http methods to inspect" - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT', 'UNKNOWN_METHOD'] - header: - type: array - description: "List of http headers to inspect" - items: - type: string - description: "header name" - security_checks: - description: 'To enable/disable application firewall security checks' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true - settings: - description: 'To fine tune application firewall security checks default settings' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true - relaxations: - description: 'Section which contains relaxation rules for known traffic and false positives' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true - enforcements: - description: 'Section which contains enforcement or restriction rules' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: 
true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: bots.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: bot - plural: bots - singular: bot - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the bot policies are applied.' - type: array - items: - type: string - maxLength: 127 - signatures: - description: 'Location of external bot signature file' - type: string - redirect_url: - description: 'url to redirect when bot violation is hit' - type: string - target: - description: 'To control what traffic to be inspected by BOT. 
If you do not provide the target, everything will be inspected by default' - type: object - properties: - path: - type: array - description: "List of http urls to inspect" - items: - type: string - description: "URL path" - method: - type: array - description: "List of http methods to inspect" - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT', 'UNKNOWN_METHOD'] - header: - type: array - description: "List of http headers to inspect" - items: - type: string - description: "header name" - security_checks: - description: 'To enable/disable bot ecurity checks' - type: object - properties: - allow_list: - type: string - enum: ['ON', 'OFF'] - block_list: - type: string - enum: ['ON', 'OFF'] - device_fingerprint: - type: object - x-kubernetes-preserve-unknown-fields: true - reputation: - type: string - enum: ['ON', 'OFF'] - ratelimit: - type: string - enum: ['ON', 'OFF'] - tps: - type: string - enum: ['ON', 'OFF'] - trap: - type: object - x-kubernetes-preserve-unknown-fields: true - bindings: - description: 'Section which contains binding rules for bot security checks' - type: object - properties: - allow_list: - type: array - items: - type: object - properties: - subnet: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - expression: - type: object - x-kubernetes-preserve-unknown-fields: true - - block_list: - type: array - items: - type: object - properties: - subnet: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - expression: - type: object - x-kubernetes-preserve-unknown-fields: true - ratelimit: - type: array - items: - type: object - properties: - url: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - cookie: - type: object - x-kubernetes-preserve-unknown-fields: true - reputation: - 
type: object - x-kubernetes-preserve-unknown-fields: true - captcha: - type: array - items: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - tps: - type: object - properties: - geolocation: - type: object - x-kubernetes-preserve-unknown-fields: true - host: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - trapinsertion: - type: object - x-kubernetes-preserve-unknown-fields: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: apigatewaypolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: apigatewaypolicy - plural: apigatewaypolicies - singular: apigatewaypolicy - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - subresources: - status: {} - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - api_definition: - type: object - properties: - repository: - type: string - branch: - type: string - oas_secret_ref: - type: string - files: - type: array - items: - type: string - maxLength: 127 - api_proxy: - type: object - properties: - ipaddress: - type: string - port: - type: integer - protocol: - type: string - secret: - type: string - policies: - type: array - items: - type: object - properties: - name: - type: string - selector: - type: array - items: - type: object - properties: - tags: - type: array - items: - type: string - api: - type: string - method: - type: array - items: - type: string - 
maxLength: 127 - upstream: - type: object - properties: - service: - type: string - port: - type: integer - policy_bindings: - type: object - properties: - ratelimit: - type: object - properties: - name: - type: string - waf: - type: object - properties: - name: - type: string - rewritepolicy: - type: object - properties: - name: - type: string - bot: - type: object - properties: - name: - type: string - aaa: - type: array - items: - type: object - properties: - crd_name: - type: string - mappings: - type: array - items: - type: object - properties: - petstore_auth: - type: string - api_key: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: corspolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: corspolicy - plural: corspolicies - singular: corspolicy - shortNames: - - cp - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: 'Current Status of the CRD' - jsonPath: .status.state - - name: Message - type: string - description: 'Status Message' - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'The list of Kubernetes services to which you want to apply the cors policies.' 
- type: array - items: - type: string - maxLength: 63 - allow_origin: - description: 'Represents list of allowed origins, it is used to screen the “origin” in the cors pre flight request' - type: array - items: - type: string - maxLength: 2083 - allow_methods: - description: 'Indicates which methods are supported by the response’s URL for the purposes of the CORS protocol. This variable will be used to set Access-Control-Allow-Methods in the pre-flight cors response.' - type: array - items: - type: string - maxLength: 127 - allow_headers: - description: 'Indicates which headers are supported by the response’s URL for the purposes of the CORS protocol. This variable will be used to set Access-Control-Allow-Headers in the pre-flight cors response.' - type: array - items: - type: string - maxLength: 127 - max_age: - description: 'Indicates the number of seconds (5 by default) the information provided by the `Access-Control-Allow-Methods` and `Access-Control-Allow-Headers` headers can be cached. This variable will be used to set Access-Control-Max-Age in the pre-flight cors response.' - type: integer - allow_credentials: - description: 'Indicates whether the response can be shared when the request’s credentials mode is "include". This variable will be set to Access-Control-Allow-Credentials in the rewrite action.' 
- type: boolean - required: [servicenames, allow_origin, allow_methods, allow_headers] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: appqoepolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: appqoepolicy - plural: appqoepolicies - singular: appqoepolicy - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - appqoe-policies: - type: array - items: - type: object - properties: - servicenames: - description: 'Name of the services that needs to be binded to appqoe policy.' - type: array - items: - type: string - maxLength: 127 - appqoe-policy: - type: object - properties: - operation-retry: - type: object - properties: - on-reset: - description: "To set Retry on Connection Reset or Not" - type: string - enum: ['YES','NO'] - on-timeout: - description: "Time in milliseconds for retry" - type: integer - minimum: 30 - maximum: 2000 - number-of-retries: - description: "To set number of retries" - type: integer - minimum: 1 - maximum: 7 - required: [operation-retry] - appqoe-criteria: - description: 'Expression against which traffic is evaluated.' - type: string - maxLength: 1299 - direction: - description: 'Bind point to which to bind the policy.' 
- type: string - enum: ["REQUEST","RESPONSE"] - required: [appqoe-criteria, operation-retry] - required: [appqoe-policy] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: wildcarddnsentries.citrix.com -spec: - group: citrix.com - names: - kind: wildcarddnsentry - plural: wildcarddnsentries - singular: wildcarddnsentry - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: Current Status of the CRD - jsonPath: .status.state - - name: Message - type: string - description: Status Message - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - zone: - type: object - description: DNS configuration for a zone - properties: - domain: - type: string - description: Domain name - dnsaddrec: - type: object - description: DNS Address record - properties: - domain-ip: - type: string - description: IPv4 addresses to assign to the domain name - ttl: - type: integer - description: >- - TTL is the time for which the record must be cached - by DNS proxies - dnsaaaarec: - type: object - description: DNS AAAA record - properties: - domain-ip: - type: string - description: IPv6 addresses to assign to the domain name - ttl: - type: integer - description: >- - TTL is the time for which the record must be cached - by DNS proxies - soarec: - type: object - description: SOA record - properties: - origin-server: - type: string - description: Origin server domain - contact: - type: string - description: Admin contact - serial: - type: integer - description: >- - The secondary server uses this parameter to - determine whether it requires a zone transfer from - the primary server. 
- refresh: - type: integer - description: >- - Time, in seconds, for which a secondary server must - wait between successive checks on the value of the - serial number. - retry: - type: integer - description: >- - Time, in seconds, between retries if a secondary server's - attempt to contact the primary server for a zone refresh fails. - expire: - type: integer - description: >- - Time, in seconds, after which the zone data on a secondary - nameserver can no longer be considered authoritative because - all refresh and retry attempts made during the period have failed." - nsrec: - type: object - description: Name server record - properties: - nameserver: - type: string - description: Host name of the name server to add to the domain. - ttl: - type: integer - description: >- - Time to Live (TTL), in seconds, for the record. TTL - is the time for which the record must be cached by - DNS proxies. The specified TTL is applied to all the - resource records that are of the same record type - and belong to the specified domain name ---- -{{- end }} diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.30.1/templates/citrix-k8s-cpx-ingress.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.30.1/templates/citrix-k8s-cpx-ingress.yaml deleted file mode 100644 index d7d610ea01..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.30.1/templates/citrix-k8s-cpx-ingress.yaml +++ /dev/null 
@@ -1,422 +0,0 @@ -apiVersion: apps/v1 -{{- if or .Values.cpxBgpRouter .Values.daemonSet }} -kind: DaemonSet -{{- else }} -kind: Deployment -{{- end }} -metadata: - name: {{ include "citrix-cpx-ingress-controller.fullname" . }} - namespace: {{ .Release.Namespace }} -spec: - selector: - matchLabels: - app: {{ include "citrix-cpx-ingress-controller.fullname" . }} -{{- if not ( or .Values.cpxBgpRouter .Values.daemonSet ) }} - replicas: {{ .Values.replicaCount }} -{{- end }} - template: - metadata: - name: {{ include "citrix-cpx-ingress-controller.fullname" . }} - labels: - app: {{ include "citrix-cpx-ingress-controller.fullname" . }} - adc: "citrix" -{{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} -{{- end }} - spec: - serviceAccountName: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }} -{{- if .Values.cpxBgpRouter }} - hostNetwork: true -{{- end }} - containers: - - name: cpx-ingress - image: "{{ tpl .Values.image . }}" - imagePullPolicy: {{ .Values.pullPolicy }} - tty: true - securityContext: - privileged: true - env: - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace -{{- if .Values.cpxLicenseAggregator }} - - name: "CLA" - value: {{ .Values.cpxLicenseAggregator | quote }} -{{- else if .Values.ADMSettings.licenseServerIP }} - - name: "LS_IP" - value: {{ .Values.ADMSettings.licenseServerIP | quote }} - - name: "LS_PORT" - value: {{ .Values.ADMSettings.licenseServerPort | quote }} -{{- end }} - - name: "EULA" - value: "{{ .Values.license.accept }}" - - name: "KUBERNETES_TASK_ID" - value: "" -{{- if not .Values.cpxBgpRouter }} - - name: "MGMT_HTTP_PORT" - value: {{ .Values.mgmtHttpPort | quote }} - - name: "MGMT_HTTPS_PORT" - value: {{ .Values.mgmtHttpsPort | quote }} -{{- end }} -{{- if .Values.cpxBgpRouter }} - - name: NS_NETMODE - value: HOST -{{- if .Values.nsIP }} - - name: "NS_IP" 
- value: "{{ .Values.nsIP }}" -{{- end }} -{{- if .Values.nsGateway }} - - name: "NS_GATEWAY" - value: "{{ .Values.nsGateway }}" -{{- end }} -{{- end }} -{{- if .Values.ADMSettings.ADMIP }} - - name: "NS_MGMT_SERVER" - value: {{ .Values.ADMSettings.ADMIP | quote }} - - name: "NS_HTTP_PORT" - value: {{ .Values.mgmtHttpPort | quote }} - - name: "NS_HTTPS_PORT" - value: {{ .Values.mgmtHttpsPort | quote }} - - name: "LOGSTREAM_COLLECTOR_IP" - value: {{ .Values.ADMSettings.ADMIP | quote }} - - name: "ANALYTICS_SERVER" - value: {{ .Values.ADMSettings.ADMIP | quote }} - - name: "ANALYTICS_SERVER_PORT" - value: {{ .Values.ADMSettings.analyticsServerPort | quote }} -{{- end }} -##Need to set env var BANDWIDTH in order to provide Bandwidth license to Citrix ADC CPX from ADM or CPX License Aggregator -{{- if and ( or ( .Values.ADMSettings.licenseServerIP ) ( .Values.cpxLicenseAggregator ) ) ( eq .Values.ADMSettings.bandWidthLicense true ) }} - - name: "BANDWIDTH" - value: {{ .Values.ADMSettings.bandWidth | quote }} -{{- end }} -#for multiple-PE support, need to set CPX_CORES -{{- if or .Values.ADMSettings.licenseServerIP .Values.cpxLicenseAggregator }} -{{- if or ( eq .Values.ADMSettings.vCPULicense true ) ( eq .Values.ADMSettings.bandWidthLicense true ) }} - - name: "CPX_CORES" - value: {{ .Values.ADMSettings.cpxCores | default 1 | quote }} -{{- end }} -{{- end }} - - name: "EDITION" - value: {{ .Values.ADMSettings.licenseEdition }} -{{- if or (.Values.ADMSettings.ADMIP) (.Values.ADMSettings.licenseServerIP) }} - - name: NS_MGMT_USER - valueFrom: - secretKeyRef: - name: {{ required "Provide Secret for ADM/LicenseServer credentials" .Values.ADMSettings.loginSecret }} - key: username - - name: NS_MGMT_PASS - valueFrom: - secretKeyRef: - name: {{ required "Provide Secret for ADM/LicenseServer credentials" .Values.ADMSettings.loginSecret }} - key: password -{{- end }} -{{- if .Values.exporter.required }} - - name: "METRICS_EXPORTER_PORT" - value: {{ 
.Values.exporter.ports.containerPort | quote }} -{{- end }} - resources: - {{- toYaml .Values.resources | nindent 12 }} - volumeMounts: - - mountPath: /var/deviceinfo - name: shared-data - - mountPath: /cpx/ - name: cpx-volume - - mountPath: /cpx/conf - name: cpx-volume-conf -{{- if .Values.cic.required }} - # Add cic as a sidecar - - name: cic - image: "{{ tpl .Values.cic.image . }}" - imagePullPolicy: {{ .Values.cic.pullPolicy }} - env: - - name: "EULA" - value: "{{ .Values.license.accept }}" -{{- if .Values.cpxBgpRouter }} - - name: "NS_IP" - value: {{ .Values.nsIP | default "192.168.1.2" | quote }} -{{- else }} - - name: "NS_IP" - value: "127.0.0.1" -{{- end }} -{{- if .Values.rbacRole }} - - name: "SCOPE" - value: "local" -{{- end }} - - name: "NS_APPS_NAME_PREFIX" - value: {{ .Values.entityPrefix | default "k8s"| quote }} - - name: "NS_DEPLOYMENT_MODE" - value: "SIDECAR" -{{- if and .Values.openshift .Values.routeLabels }} - - name: "ROUTE_LABELS" - value: {{ .Values.routeLabels | quote}} -{{- end }} -{{- if and .Values.openshift .Values.namespaceLabels }} - - name: "NAMESPACE_LABELS" - value: {{ .Values.namespaceLabels | quote }} -{{- end }} -{{- if .Values.cpxBgpRouter }} -{{- if eq (upper .Values.nsProtocol) "HTTPS" }} - - name: NS_PROTOCOL - value: HTTPS - - name: NS_PORT - value: "9443" -{{- else }} - - name: NS_PROTOCOL - value: HTTP - - name: NS_PORT - value: "9080" -{{- end }} -{{- if .Values.bgpPort }} - - name: "BGP_PORT" - value: {{ .Values.bgpPort | quote }} -{{- end }} -{{- end }} - - name: "NS_ENABLE_MONITORING" - value: "YES" -{{- if .Values.logProxy }} - - name: "NS_LOGPROXY" - value: {{ .Values.logProxy | quote }} -{{- end }} -{{- if .Values.ingressIP }} - - name: "NS_VIP" - value: {{ .Values.ingressIP | quote }} -{{- end }} -{{- if .Values.nitroReadTimeout }} - - name: "NS_NITRO_READ_TIMEOUT" - value: "{{ .Values.nitroReadTimeout }}" -{{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: 
POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName -{{- if .Values.kubernetesURL }} - - name: "kubernetes_url" - value: "{{ .Values.kubernetesURL }}" -{{- end }} -{{- if .Values.disableOpenshiftRoutes }} - - name: "DISABLE_OPENSHIFT_ROUTES" - value: "{{ .Values.disableOpenshiftRoutes }}" -{{- end }} -{{- if .Values.nsConfigDnsRec }} - - name: "NS_CONFIG_DNS_REC" - value: "{{ .Values.nsConfigDnsRec }}" -{{- end }} -{{- if .Values.nsSvcLbDnsRec }} - - name: "NS_SVC_LB_DNS_REC" - value: "{{ .Values.nsSvcLbDnsRec }}" -{{- end }} -{{- if .Values.optimizeEndpointBinding }} - - name: "OPTIMIZE_ENDPOINT_BINDING" - value: "{{ .Values.optimizeEndpointBinding }}" -{{- end }} -{{- if .Values.cpxBgpRouter }} - securityContext: - runAsUser: 0 - capabilities: - add: - - NET_ADMIN -{{- end }} - args: - - --configmap - {{ .Release.Namespace }}/{{ include "cpxconfigmap.fullname" . }} -{{- if .Values.ipam }} - - --ipam - citrix-ipam-controller -{{- end }} -{{- if .Values.disableAPIServerCertVerify }} - - --disable-apiserver-cert-verify - {{ .Values.disableAPIServerCertVerify }} -{{- end }} -{{- if .Values.cpxBgpRouter }} - - --deployment-type - kube-bgp-router -{{- end }} -{{- if .Values.ingressClass }} - - --ingress-classes -{{- range .Values.ingressClass}} - {{.}} -{{- end }} -{{- end }} -{{- if .Values.defaultSSLCertSecret }} - - --default-ssl-certificate - {{ .Release.Namespace }}/{{ .Values.defaultSSLCertSecret }} -{{- end }} -{{- end }} -{{- if .Values.updateIngressStatus }} -{{- if .Values.cpxBgpRouter }} - - --update-ingress-status - yes -{{- else }} - - --cpx-service - {{ .Release.Namespace }}/{{ include "cpxservice.fullname" . 
}} -{{- end }} -{{- end }} - volumeMounts: - - mountPath: /var/deviceinfo - name: shared-data - resources: - {{- toYaml .Values.cic.resources | nindent 12 }} -{{- if .Values.exporter.required }} - - name: exporter - image: "{{ tpl .Values.exporter.image . }}" - imagePullPolicy: {{ .Values.exporter.pullPolicy }} - args: - - "--secure=no" -{{- if .Values.cpxBgpRouter }} - - --target-nsip={{ .Values.nsIP | default "192.168.1.2" }}:9080 -{{- else }} - - "--target-nsip=127.0.0.1" -{{- end }} - - "--port={{ .Values.exporter.ports.containerPort }}" - env: - - name: "NS_DEPLOYMENT_MODE" - value: "SIDECAR" - securityContext: - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /var/deviceinfo - name: shared-data - resources: - {{- toYaml .Values.exporter.resources | nindent 12 }} -{{- end }} - volumes: - - name: shared-data - emptyDir: {} - - name: cpx-volume - emptyDir: {} - - name: cpx-volume-conf - emptyDir: {} -{{- if and .Values.nodeSelector.key .Values.nodeSelector.value }} - nodeSelector: - {{ .Values.nodeSelector.key }}: {{ .Values.nodeSelector.value }} -{{- end }} -{{- if .Values.tolerations }} - tolerations: {{ .Values.tolerations | toYaml | nindent 8 }} -{{- end }} -{{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} -{{- end }} - ---- -{{- if .Values.cpxBgpRouter }} -{{- if .Values.exporter.required }} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "cpxexporter.fullname" . }} - labels: - app: {{ include "cpxexporter.fullname" . }} - service-type: {{ include "cpxservicemonitorlabel" . }} -spec: - type: ClusterIP - ports: - - port: {{ .Values.exporter.ports.containerPort }} - targetPort: {{ .Values.exporter.ports.containerPort }} - name: exporter-port - selector: - app: {{ include "citrix-cpx-ingress-controller.fullname" . }} -{{- end }} -{{- else }} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "cpxservice.fullname" . }} - labels: - app: cpx-service - service-type: {{ include "cpxservicemonitorlabel" . 
}} -{{- if .Values.serviceAnnotations }} - annotations: -{{- with .Values.serviceAnnotations }} -{{ toYaml . | indent 4 }} -{{- end }} -{{- end }} -spec: -{{- if or .Values.serviceType.loadBalancer.enabled ( and (.Values.updateIngressStatus) (not .Values.cpxBgpRouter)) }} - externalTrafficPolicy: {{ .Values.serviceSpec.externalTrafficPolicy }} - type: LoadBalancer -{{- if .Values.serviceSpec.loadBalancerIP }} - loadBalancerIP: {{ .Values.serviceSpec.loadBalancerIP }} -{{- end }} -{{- else if .Values.serviceType.nodePort.enabled }} - type: NodePort - externalTrafficPolicy: {{ .Values.serviceSpec.externalTrafficPolicy }} -{{- end }} -{{- if and .Values.serviceType.loadBalancer.enabled .Values.serviceSpec.loadBalancerSourceRanges }} - loadBalancerSourceRanges: -{{- range .Values.serviceSpec.loadBalancerSourceRanges}} - - {{.}} -{{- end }} -{{- end }} - ports: -{{- if .Values.servicePorts }} -{{- with .Values.servicePorts }} -{{ toYaml . | indent 2 }} -{{- end }} -{{- else }} - - port: 80 - protocol: TCP - name: http -{{- if and .Values.serviceType.nodePort.enabled .Values.serviceType.nodePort.httpPort }} - nodePort: {{ .Values.serviceType.nodePort.httpPort }} -{{- end }} - - port: 443 - protocol: TCP - name: https -{{- if and .Values.serviceType.nodePort.enabled .Values.serviceType.nodePort.httpsPort }} - nodePort: {{ .Values.serviceType.nodePort.httpsPort}} -{{- end }} -{{- end }} -{{- if .Values.exporter.required }} - - port: {{ .Values.exporter.ports.containerPort }} - targetPort: {{ .Values.exporter.ports.containerPort }} - name: exporter-port -{{- end }} - selector: - app: {{ include "citrix-cpx-ingress-controller.fullname" . }} -{{- end }} - ---- - -{{- if .Values.exporter.required }} - -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ include "cpxservicemonitor.fullname" . 
}} - namespace: {{ .Release.Namespace }} - labels: - servicemonitor: citrix-adc-cpx -spec: - endpoints: - - interval: 30s - port: exporter-port - selector: - matchLabels: - service-type: {{ include "cpxservicemonitorlabel" . }} - namespaceSelector: - matchNames: - - monitoring - - default - - {{ .Release.Namespace }} - -{{- end }} diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.30.1/templates/configmap.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.30.1/templates/configmap.yaml deleted file mode 100644 index ac7aab2a29..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.30.1/templates/configmap.yaml +++ /dev/null 
@@ -1,86 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "cpxconfigmap.fullname" . }} - namespace: {{ .Release.Namespace }} -data: - LOGLEVEL: {{ .Values.logLevel | quote | lower }} - JSONLOG: {{ .Values.jsonLog | quote | lower }} -{{- if eq (upper .Values.nsProtocol) "HTTPS" }} - NS_PROTOCOL: "https" -{{- if .Values.cpxBgpRouter }} - NS_PORT: "9443" -{{- else }} - NS_PORT: "443" -{{- end }} -{{- else }} - NS_PROTOCOL: "http" -{{- if .Values.cpxBgpRouter }} - NS_PORT: "9080" -{{- else }} - NS_PORT: "80" -{{- end }} -{{- end }} - -{{- if ne (upper .Values.nsHTTP2ServerSide) "OFF" }} - NS_HTTP2_SERVER_SIDE: {{ .Values.nsHTTP2ServerSide | quote }} -{{- end }} -{{- if ne (toString .Values.nsCookieVersion) "0" }} - NS_COOKIE_VERSION: {{ .Values.nsCookieVersion | quote }} -{{- end }} -{{- if .Values.nsDnsNameserver }} - NS_DNS_NAMESERVER: {{ .Values.nsDnsNameserver }} -{{- end }} - -{{- if .Values.analyticsConfig.required }} - NS_ANALYTICS_CONFIG: | - distributed_tracing: - enable: {{ .Values.analyticsConfig.distributedTracing.enable | quote }} - samplingrate: {{ .Values.analyticsConfig.distributedTracing.samplingrate }} - endpoint: - server: {{ include "analytics.server" . | quote }} - service: {{ .Values.analyticsConfig.endpoint.service | quote }} - timeseries: - port: {{ .Values.analyticsConfig.timeseries.port }} - metrics: - enable: {{ .Values.analyticsConfig.timeseries.metrics.enable | quote }} - mode: {{ .Values.analyticsConfig.timeseries.metrics.mode | quote }} - auditlogs: - enable: {{ .Values.analyticsConfig.timeseries.auditlogs.enable | quote }} - events: - enable: {{ .Values.analyticsConfig.timeseries.events.enable | quote }} - transactions: - enable: {{ .Values.analyticsConfig.transactions.enable | quote }} - port: {{ .Values.analyticsConfig.transactions.port }} -{{- end }} - -{{- if .Values.cpxBgpRouter }} -{{- if .Values.bgpSettings.required }} - NS_BGP_CONFIG: | -{{- with .Values.bgpSettings.bgpConfig }} - bgpConfig: -{{ toYaml . 
| indent 4 }} -{{- end }} -{{- end }} -{{- end }} - -{{- if .Values.nsLbHashAlgo.required }} - NS_LB_HASH_ALGO: | - hashFingers: {{ .Values.nsLbHashAlgo.hashFingers }} - hashAlgorithm: {{ .Values.nsLbHashAlgo.hashAlgorithm | quote }} -{{- end }} - -{{- if .Values.profileSslFrontend }} - FRONTEND_SSL_PROFILE: | - {{- toYaml .Values.profileSslFrontend | nindent 4 }} -{{- end }} - -{{- if .Values.profileTcpFrontend }} - FRONTEND_TCP_PROFILE: | - {{- toYaml .Values.profileTcpFrontend | nindent 4 }} -{{- end }} - -{{- if .Values.profileHttpFrontend }} - FRONTEND_HTTP_PROFILE: | - {{- toYaml .Values.profileHttpFrontend | nindent 4 }} -{{- end }} \ No newline at end of file diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.30.1/templates/ingressclass.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.30.1/templates/ingressclass.yaml deleted file mode 100644 index d75537b79f..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.30.1/templates/ingressclass.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{- $default := .Values.setAsDefaultIngressClass -}} -{{- if semverCompare ">=1.19.0-0" .Capabilities.KubeVersion.GitVersion }} -{{- if .Values.ingressClass }} -{{- range .Values.ingressClass }} -apiVersion: networking.k8s.io/v1 -kind: IngressClass -metadata: - name: {{ . | quote }} -{{- if $default }} - annotations: - ingressclass.kubernetes.io/is-default-class: "true" -{{- end }} -spec: - controller: citrix.com/ingress-controller ---- -{{- end }} -{{- end }} -{{- end }} diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.30.1/templates/rbac.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.30.1/templates/rbac.yaml deleted file mode 100644 index d812e76751..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.30.1/templates/rbac.yaml +++ /dev/null 
@@ -1,106 +0,0 @@ -{{- if not .Values.rbacRole }} -kind: ClusterRole -{{- else }} -kind: Role -{{- end }} -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }} -{{- if .Values.rbacRole }} - namespace: {{ .Release.Namespace }} -{{- end }} -rules: - - apiGroups: [""] -{{- if .Values.openshift }} - resources: ["endpoints", "pods", "secrets", "routes", "tokenreviews", "subjectaccessreviews", "nodes", "namespaces", "configmaps", "services"] -{{- else }} - resources: ["endpoints", "pods", "secrets", "routes", "nodes", "namespaces", "configmaps", "services"] -{{- end }} - verbs: ["get", "list", "watch"] - # services/status is needed to update the loadbalancer IP in service status for integrating - # service of type LoadBalancer with external-dns - - apiGroups: [""] - resources: ["services/status"] - verbs: ["patch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create"] - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["extensions","networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["patch"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingressclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apps"] - resources: ["deployments"] - verbs: ["get", "list", "watch"] - - apiGroups: ["citrix.com"] - resources: ["rewritepolicies", "continuousdeployments", "authpolicies", "ratelimits", "listeners", "httproutes", "wafs", "apigatewaypolicies", "bots", "corspolicies", "appqoepolicies", "wildcarddnsentries"] - verbs: ["get", "list", "watch", "create", "delete", "patch"] - - apiGroups: ["citrix.com"] - resources: ["rewritepolicies/status", "continuousdeployments/status", "authpolicies/status", "ratelimits/status", "listeners/status", "httproutes/status", "wafs/status", 
"apigatewaypolicies/status", "bots/status", "corspolicies/status", "appqoepolicies/status", "wildcarddnsentries/status"] - verbs: ["patch"] - - apiGroups: ["citrix.com"] - resources: ["vips"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: ["crd.projectcalico.org"] - resources: ["ipamblocks"] - verbs: ["get", "list", "watch"] -{{- if .Values.openshift }} - - apiGroups: ["route.openshift.io"] - resources: ["routes"] - verbs: ["get", "list", "watch"] - - apiGroups: ["network.openshift.io"] - resources: ["hostsubnets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["config.openshift.io"] - resources: ["networks"] - verbs: ["get", "list"] -{{- end }} - ---- - -{{- if not .Values.rbacRole }} -kind: ClusterRoleBinding -{{- else }} -kind: RoleBinding -{{- end }} -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }} -{{- if .Values.rbacRole }} - namespace: {{ .Release.Namespace }} -{{- end }} -roleRef: - apiGroup: rbac.authorization.k8s.io -{{- if not .Values.rbacRole }} - kind: ClusterRole -{{- else }} - kind: Role -{{- end }} - name: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }} -subjects: -- kind: ServiceAccount - name: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- if .Values.imagePullSecrets }} -imagePullSecrets: -{{- range .Values.imagePullSecrets }} -- name: {{.}} -{{- end }} -{{- end }} - diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.30.1/values.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.30.1/values.yaml deleted file mode 100644 index 0adcb9205e..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.30.1/values.yaml +++ /dev/null 
@@ -1,244 +0,0 @@ -# Default values for citrix-cpx-with-ingress-controller. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -# Citrix ADC CPX config details -imageRegistry: quay.io -imageRepository: citrix/citrix-k8s-cpx-ingress -imageTag: 13.1-37.38 -image: "{{ .Values.imageRegistry }}/{{ .Values.imageRepository }}:{{ .Values.imageTag }}" -pullPolicy: IfNotPresent -imagePullSecrets: [] -daemonSet: False -nameOverride: "" -replicaCount: 1 -fullnameOverride: "" -mgmtHttpPort: 9080 -mgmtHttpsPort: 9443 -openshift: false -nsHTTP2ServerSide: "OFF" -nsCookieVersion: "0" -nsConfigDnsRec: -nsSvcLbDnsRec: -nsDnsNameserver: -optimizeEndpointBinding: -routeLabels: -namespaceLabels: - -# Service Type LoadBalancer and ingress support with CPX through BGP advertisement -# If you enable this, CPX is run as DaemonSet. Please edit the bgpSettings for configuring -# BGP neighbors for propgation of external IPs. -cpxBgpRouter: false - -# If cpxBgpRouter is true, then this is the NSIP used by CPX for internal communication -nsIP: 192.168.1.2 - -# If cpxBgpRouter is true, then this is the Gateway used by CPX for internal communication -nsGateway: 192.168.1.1 - -# Protocol used for communication between Citrix Ingress Controller sidecar and Citrix CPX -nsProtocol: http - -# External IP for ingress resource when bgpRouter is set to True -ingressIP: - -# If IPAM controller is used for auto allocation of the external IP for service of type LoadBalancer, set this option to true -ipam: False - -# Enable RBAC role (so called local role), by default CIC deployed with ClusterRole. 
-# below variable to deploy CIC with RBAC role, only ingress service supported with this config -rbacRole: False - -# API server Cert verification can be disabled, while communicating with API Server, if disableAPIServerCertVerify set to True -disableAPIServerCertVerify: False - -cpxLicenseAggregator: - -sslCertManagedByAWS: False - -nodeSelector: - key: - value: -tolerations: [] - -serviceType: - loadBalancer: - enabled: False - nodePort: - enabled: False - httpPort: - httpsPort: - -serviceAnnotations: {} - -serviceSpec: - externalTrafficPolicy: "Cluster" - loadBalancerIP: - loadBalancerSourceRanges: [] - -servicePorts: [] - -# Citrix Ingress Controller config details -cic: - imageRegistry: quay.io - imageRepository: citrix/citrix-k8s-ingress-controller - imageTag: 1.30.1 - image: "{{ .Values.cic.imageRegistry }}/{{ .Values.cic.imageRepository }}:{{ .Values.cic.imageTag }}" - pullPolicy: IfNotPresent - required: true - resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # Following values depends on no of ingresses configured by Ingress Controllers, so it is - # advised to test with maximum no of ingresses to set these values. 
- # limits: - # cpu: 1000m - # memory: 1000Mi - # requests: - # cpu: 250m - # memory: 256Mi -entityPrefix: -license: - accept: no -ingressClass: -setAsDefaultIngressClass: False -# nitroReadTimeout is timeout value in seconds for nitro api read timeout(default is 20) -nitroReadTimeout: -logLevel: INFO -jsonLog: false -defaultSSLCertSecret: -updateIngressStatus: False -logProxy: -kubernetesURL: -disableOpenshiftRoutes: -profileSslFrontend: {} - # preconfigured: my_ssl_profile - # OR - # config: - # tls13: 'ENABLED' - # hsts: 'ENABLED' -profileHttpFrontend: {} - # preconfigured: my_http_profile - # OR - # config: - # dropinvalreqs: 'ENABLED' - # websocket: 'ENABLED' -profileTcpFrontend: {} - # preconfigured: my_tcp_profile - # OR - # config: - # sack: 'ENABLED' - # nagle: 'ENABLED' - - -# Citrix ADM/License Server config details -ADMSettings: - licenseServerIP: - licenseServerPort: 27000 - ADMIP: - loginSecret: - bandWidthLicense: false - bandWidth: 1000 #bandwidth value shoule be in Mbps - vCPULicense: false - cpxCores: - analyticsServerPort: 5557 - licenseEdition: PLATINUM - -# Exporter config details -exporter: - required: false - imageRegistry: quay.io - imageRepository: citrix/citrix-adc-metrics-exporter - imageTag: 1.4.9 - image: "{{ .Values.exporter.imageRegistry }}/{{ .Values.exporter.imageRepository }}:{{ .Values.exporter.imageTag }}" - pullPolicy: IfNotPresent - ports: - containerPort: 8888 - resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
- # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - - -# For CRDs supported by Citrix Ingress Controller -crds: - install: false - retainOnDelete: false - -# Config required to be done by Citrix Ingress Controller for sending metrics to Citrix Observability Exporter -analyticsConfig: - required: false - distributedTracing: - enable: false - samplingrate: 100 - endpoint: - server: - service: - timeseries: - port: 5563 - metrics: - enable: false - mode: 'avro' - auditlogs: - enable: false - events: - enable: false - transactions: - enable: false - port: 5557 - -# BGP configurations: local AS, remote AS and remote address is mandatory to provide. Please do the approrpiate changes with respect to your environment -bgpSettings: - # When bgpConfig is configured correctly, set the required to true for the configuration to be applied. - required: false - bgpConfig: - - bgpRouter: - # Local AS number for BGP advertisement - localAS: 100 - neighbor: - # Address of the nighbor router for BGP advertisement - - address: - # Remote AS number - remoteAS: 100 - advertisementInterval: 10 - ASOriginationInterval: 10 - -bgpPort: - -nsLbHashAlgo: - required: false - hashFingers: 256 - hashAlgorithm: 'DEFAULT' - -# Specifies whether a ServiceAccount should be created -serviceAccount: - create: true - # The name of the ServiceAccount to use. - # If not set and `create` is true, a name is generated using the fullname template - # name: - -podAnnotations: {} - -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:' - # This is the resource for CPX container. 
- # limits: - # cpu: 500m - # memory: 512Mi - # requests: - # cpu: 100m - # memory: 128Mi - -affinity: {} diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.32.7/Chart.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.32.7/Chart.yaml deleted file mode 100644 index fc5d979c55..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.32.7/Chart.yaml +++ /dev/null @@ -1,22 +0,0 @@ -annotations: - catalog.cattle.io/certified: partner - catalog.cattle.io/display-name: Citrix Cpx with Ingress Controller - catalog.cattle.io/kube-version: '>=v1.16.0-0' - catalog.cattle.io/release-name: citrix-cpx-with-ingress-controller -apiVersion: v2 -appVersion: 1.32.7 -deprecated: true -description: A Helm chart for Citrix ADC CPX with Citrix ingress Controller running - as sidecar. -home: https://www.cloud.com -icon: https://raw.githubusercontent.com/citrix/citrix-helm-charts/gh-pages/icon.png -kubeVersion: '>=v1.16.0-0' -maintainers: -- email: priyanka.sharma@cloud.com - name: priyankash-citrix -- email: subash.dangol@cloud.com - name: subashd -name: citrix-cpx-with-ingress-controller -sources: -- https://github.com/citrix/citrix-k8s-ingress-controller -version: 1.32.7 diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.32.7/README.md b/charts/citrix/citrix-cpx-with-ingress-controller/1.32.7/README.md deleted file mode 100644 index f363d2f195..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.32.7/README.md +++ /dev/null 
@@ -1,576 +0,0 @@ -# Citrix ADC CPX with Citrix Ingress Controller running as sidecar. - -In a [Kubernetes](https://kubernetes.io/) or [OpenShift](https://www.openshift.com) cluster, you can deploy [Citrix ADC CPX](https://docs.citrix.com/en-us/citrix-adc-cpx) with Citrix ingress controller as a [sidecar](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/). The Citrix ADC CPX instance is used for load balancing the North-South traffic to the microservices in your cluster. And, the sidecar Citrix ingress controller configures the Citrix ADC CPX. - -## TL;DR; - -### For Kubernetes - ``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes - ``` - - To install Citrix Provided Custom Resource Definition(CRDs) along with Citrix Ingress Controller - ``` - helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,crds.install=true - ``` - -### For OpenShift - - ``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,openshift=true - ``` - - To install Citrix Provided Custom Resource Definition(CRDs) along with Citrix Ingress Controller - ``` - helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,openshift=true,crds.install=true - ``` - -> **Important:** -> -> The "license.accept" is a mandatory argument and should be set to "yes" to accept the terms of the Citrix license. - - -## Introduction -This Helm chart deploys a Citrix ADC CPX with Citrix ingress controller as a sidecar in the [Kubernetes](https://kubernetes.io/) or in the [Openshift](https://www.openshift.com) cluster using the [Helm](https://helm.sh/) package manager. 
- -### Prerequisites - -- The [Kubernetes](https://kubernetes.io/) version should be 1.16 and above if using Kubernetes environment. -- The [Openshift](https://www.openshift.com) version 4.8 or later if using OpenShift platform. -- The [Helm](https://helm.sh/) version 3.x or later. You can follow instruction given [here](https://github.com/citrix/citrix-helm-charts/blob/master/Helm_Installation_version_3.md) to install the same. -- You have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator), if you want to view the metrics of the Citrix ADC CPX collected by the [metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics). -- Registration of Citrix ADC CPX in ADM: You may want to register your CPX in ADM for licensing or to obtain [servicegraph](https://docs.citrix.com/en-us/citrix-application-delivery-management-service/application-analytics-and-management/service-graph.html). For this you will have to create a Kubernetes secret using ADM credentials and provide it while install the chart. Create a Kubernetes secret for the user name and password using the following command: - - ``` - kubectl create secret generic admlogin --from-literal=username= --from-literal=password= -n citrix-system - ``` - -## Installing the Chart -Add the Citrix Ingress Controller helm chart repository using command: - - ``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - ``` - -### For Kubernetes: -#### 1. Citrix ADC CPX with Citrix Ingress Controller running as side car. -To install the chart with the release name ``` my-release```: - - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,ingressClass[0]= - ``` - -> **Note:** -> -> By default the chart installs the recommended [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) roles and role bindings. 
- -The command deploys Citrix ADC CPX with Citrix ingress controller as a sidecar on the Kubernetes cluster with the default configuration. The [configuration](#configuration) section lists the mandatory and optional parameters that you can configure during installation. - -#### 2. Citrix ADC CPX with Citrix Ingress Controller and Exporter running as side car. -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed as sidecar to the Citrix ADC CPX and collects metrics from the Citrix ADC CPX instance. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. -> **Note:** -> -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). - -Use the following command for this: - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,ingressClass[0]=,exporter.required=true - ``` - -### For OpenShift: -Add the name of the service account created when the chart is deployed to the privileged Security Context Constraints of OpenShift: - - ``` - oc adm policy add-scc-to-user privileged system:serviceaccount:: - ``` - -#### 1. Citrix ADC CPX with Citrix Ingress Controller running as side car. -To install the chart with the release name, `my-release`, use the following command: - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,openshift=true - ``` - -#### 2. Citrix ADC CPX with Citrix Ingress Controller and Exporter running as side car. -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed as sidecar to the Citrix ADC CPX and collects metrics from the Citrix ADC CPX instance. 
You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. -> **Note:** -> -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). - -Use the following command for this: - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,openshift=true,exporter.required=true - ``` - -### Installed components - -The following components are installed: - -- [Citrix ADC CPX](https://docs.citrix.com/en-us/citrix-adc-cpx/netscaler-cpx.html) -- [Citrix ingress controller](https://github.com/citrix/citrix-k8s-ingress-controller) (if enabled) -- [Exporter](https://github.com/citrix/citrix-adc-metrics-exporter) (if enabled) - - -### Citrix ADC CPX Service Annotations: - - The parameter `serviceAnnotations` can be used to annotate CPX service while installing Citrix ADC CPX using this helm chart. 
- For example, if CPX is getting deployed in Azure and an Azure Internal Load Balancer is required before CPX then the annotation `service.beta.kubernetes.io/azure-load-balancer-internal:True` can be set in CPX service using Helm command: - - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,serviceAnnotations.service\\.beta\\.kubernetes\\.io/azure-load-balancer-internal=True - ``` - - or the same can be provided in [values.yaml](https://github.com/citrix/citrix-helm-charts/blob/master/citrix-cpx-with-ingress-controller/values.yaml): - - ``` - license: - accept: yes - serviceAnnotations: - service.beta.kubernetes.io/azure-load-balancer-internal: True - ``` - - which can be used to install Citrix ADC CPX using Helm command: - - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller -f values.yaml - ``` - - To know more about service annotations supported by Kubernetes on various platforms please see [this](https://kubernetes.io/docs/concepts/services-networking/service/). - -### Citrix ADC CPX Service Ports: - - By default, port 80 and 443 of CPX service will exposed when CPX is installed using this helm chart. If it is required to expose any other ports in CPX service then the parameter `servicePorts` can be used for it. 
- For example, if port 9999 is required to be exposed then below helm command can be used for installing Citrix ADC CPX: - - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,servicePorts[0].port=9999,servicePorts[0].protocol=TCP,servicePorts[0].name=https - ``` - - or the same can be provided in [values.yaml](https://github.com/citrix/citrix-helm-charts/blob/master/citrix-cpx-with-ingress-controller/values.yaml): - - ``` - license: - accept: yes - servicePorts: - - port: 9090 - protocol: TCP - name: https - ``` - - which can be used to install Citrix ADC using Helm command: - - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller -f values.yaml - ``` - -> **Note:** If `servicePorts` parameters is used, only ports provided in this parameter will be exposed in CPX service. -> If you want to expose default ports 80 or 443, then you will need to explicity mention these also in this parameter. - -### Configuration for ServiceGraph: - If Citrix ADC CPX need to send data to the Citrix ADM to bring up the servicegraph, then the below steps can be followed to install Citrix ADC CPX with ingress controller. Citrix ingress controller configures Citrix ADC CPX with the configuration required for servicegraph. - - 1. Create secret using Citrix ADC Agent credentials, which will be used by Citrix ADC CPX to communicate with Citrix ADM Agent: - - kubectl create secret generic admlogin --from-literal=username= --from-literal=password= - - 2. 
Deploy Citrix ADC CPX with Citrix ingress controller using helm command: - - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,analyticsConfig.required=true,analyticsConfig.timeseries.metrics.enable=true,analyticsConfig.distributedTracing.enable=true,analyticsConfig.endpoint.server=,ADMSettings.ADMIP=,ADMSettings.loginSecret= - -> **Note:** -> If container agent is being used here for Citrix ADM, please provide `svcIP` of container agent in the `analyticsConfig.endpoint.server` parameter. - -## Citrix ADC CPX DaemonSet with Citrix Ingress Controller as sidecar for BGP Advertisement - - The previous section of deploying CPX as a Deployment requires a Tier-1 Loadbalancer such as Citrix VPX or cloud loadbalancers to route the traffic to CPX instances running in Kubernetes cluster, but you can also leverage BGP network fabric in your on-prem environemnt to route the traffic to CPX instances in a Kubernetes or Openshift cluster. you need to deploy CPX with Citrix Ingress Controller as Daemonset to advertise the ExternalIPs of the K8s services of type LoadBalancer to your BGP Fabric. Citrix ADC CPX establishes a BGP peering session with your network routers, and uses that peering session to advertise the IP addresses of external cluster services. If your routers have ECMP capability, the traffic is load-balanced to multiple CPX instances by the upstream router, which in turn load-balances to actual application pods. When you deploy the Citrix ADC CPX with this mode, Citrix ADC CPX adds iptables rules for each service of type LoadBalancer on Kubernetes nodes. The traffic destined to the external IP address is routed to Citrix ADC CPX pods. You can also set the 'ingressIP' variable to an IP Address to advertise the External IP address for Ingress resources. Refer [documentation](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/cpx-bgp-router.md) for complete details about BGP advertisement with CPX. 
- -### Download the chart -You can download the chart usimg `helm pull` command. -``` -helm repo add citrix https://citrix.github.io/citrix-helm-charts/ -helm pull citrix/citrix-cpx-with-ingress-controller -tar -zxvf citrix-cpx-with-ingress-controller-x.y.z.tgz -``` - -### Edit the BGP configuration in values.yaml -BGP configurations enables CPX to peer with neighbor routers for advertisting the routes for Service of Type LoadBalancer. Citrix Ingress Controllers uses static IPs given in Service YAML or using an IPAM controller to allocate an External IP address, and same is advertisted to the neighbour router with the Gateway as Node IP. An example BGP configurations is given below. - -``` -# BGP configurations: local AS, remote AS and remote address is mandatory to provide. -bgpSettings: - required: true - bgpConfig: - - bgpRouter: - # Local AS number for BGP advertisement - localAS: - neighbor: - # Address of the nighbor router for BGP advertisement - - address: xx.xx.xx.xx - # Remote AS number - remoteAS: - advertisementInterval: 10 - ASOriginationInterval: 10 -``` -If the cluster spawns across multiple networks, you can also specify the NodeSelector to give different neighbors for different Cluster Nodes as shown below. - -``` -bgpSettings: - required: true - bgpConfig: - - nodeSelector: datacenter=ds1 - bgpRouter: - localAS: - neighbor: - - address: xx.xx.xx.xx - remoteAS: - advertisementInterval: 10 - ASOriginationInterval: 10 - - nodeSelector: datacenter=ds2 - bgpRouter: - localAS: - neighbor: - - address: yy.yy.yy.yy - remoteAS: - advertisementInterval: 10 - ASOriginationInterval: 10 -``` - -### Deploy the chart -#### For Kubernetes: -#### 1. Citrix ADC CPX DaemonSet with Citrix Ingress Controller running as side car for BGP Advertisement. 
- - -To install the chart with the release name ``` my-release```: - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true - ``` -If you are running Citrix IPAM for auto allocation of IPs for Service of type LoadBalancer, you must enable the IPAM configurations in Citrix Ingress Controller as show below: - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ipam=true - ``` -If you are using ingress resources, you must set the `ingressIP` to a valid IP Address which will enable the BGP route advertisement for this IP when ingress resource is deployed. - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ingressIP= - ``` - -> **Note:** -> -> By default the chart installs the recommended [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) roles and role bindings. - -The command deploys Citrix ADC CPX Daemonset with Citrix ingress controller as a sidecar on the Kubernetes cluster with the default configuration. The [configuration](#configuration) section lists the mandatory and optional parameters that you can configure during installation. - -#### 2. Citrix ADC CPX with Citrix Ingress Controller and Exporter running as side car for BGP Advertisement. -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed as sidecar to the Citrix ADC CPX and collects metrics from the Citrix ADC CPX instance. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. -> **Note:** -> -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). 
- -Use the following command for this: - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,exporter.required=true - ``` -If you are running Citrix IPAM controller for auto allocation of IPs for Service of type LoadBalancer, you must enable the IPAM configurations in Citrix Ingress Controller as show below: - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ipam=true,exporter.required=true - ``` -If you are using ingress resources, you must set the `ingressIP` to a valid IP Address which will enable the BGP route advertisement for this IP when ingress resource is deployed. - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ingressIP=, exporter.required=true - ``` - -#### For OpenShift: -Add the name of the service account created when the chart is deployed to the privileged Security Context Constraints of OpenShift: - - ``` - oc adm policy add-scc-to-user privileged system:serviceaccount:: - ``` - -#### 1. Citrix ADC CPX DaemonSet with Citrix Ingress Controller running as side car for BGP Advertisement. -To install the chart with the release name, `my-release`, use the following command: - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,openshift=true - ``` -If you are running Citrix IPAM controller for auto allocation of IPs for Service of type LoadBalancer, you must enable the IPAM configurations in Citrix Ingress Controller as show below: - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ipam=true,openshift=true - ``` - - If you are using ingress or Route resources, you must set the `ingressIP` to a valid IP Address which will enable the BGP route advertisement for this IP when ingress resource is deployed. 
- - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ingressIP=,openshift=true - ``` - -#### 2. Citrix ADC CPX with Citrix Ingress Controller and Exporter running as side car for BGP Advertisement. -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed as sidecar to the Citrix ADC CPX and collects metrics from the Citrix ADC CPX instance. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. -> **Note:** -> -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). - -Use the following command for this: - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,openshift=true,openshift=true,exporter.required=true - ``` -If you are running Citrix IPAM controller for auto allocation of IPs for Service of type LoadBalancer, you must enable the IPAM configurations in Citrix Ingress Controller as show below: - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ipam=true,openshift=true,exporter.required=true - ``` - -If you are using ingress or Route resources, you must set the `ingressIP` to a valid IP Address which will enable the BGP route advertisement for this IP when ingress resource is deployed. - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ingressIP=,openshift=true,exporter.required=true - ``` - -## CRDs configuration - -CRDs can be installed/upgraded when we install/upgrade Citrix ADC CPX with Citrix ingress controller using `crds.install=true` parameter in Helm. If you do not want to install CRDs, then set the option `crds.install` to `false`. 
By default, CRDs too get deleted if you uninstall through Helm. This means, even the CustomResource objects created by the customer will get deleted. If you want to avoid this data loss set `crds.retainOnDelete` to `true`. - -> **Note:** -> Installing again may fail due to the presence of CRDs. Make sure that you back up all CustomResource objects and clean up CRDs before re-installing Citrix ADC CPX with Citrix ingress controller. - -There are a few examples of how to use these CRDs, which are placed in the folder: [Example-CRDs](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds). Refer to them and install as needed, using the following command: -```kubectl create -f ``` - -### Details of the supported CRDs: - -#### authpolicies CRD: - -Authentication policies are used to enforce access restrictions to resources hosted by an application or an API server. - -Citrix provides a Kubernetes CustomResourceDefinitions (CRDs) called the [Auth CRD](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/auth) that you can use with the Citrix ingress controller to define authentication policies on the ingress Citrix ADC. - -Example file: [auth_example.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/auth_example.yaml) - -#### continuousdeployments CRD for canary: - -Canary release is a technique to reduce the risk of introducing a new software version in production by first rolling out the change to a small subset of users. After user validation, the application is rolled out to the larger set of users. Citrix ADC-Integrated [Canary Deployment solution](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/canary) stitches together all components of continuous delivery (CD) and makes canary deployment easier for the application developers. 
- -#### httproutes and listeners CRDs for contentrouting: - -[Content Routing (CR)](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/contentrouting) is the execution of defined rules that determine the placement and configuration of network traffic between users and web applications, based on the content being sent. For example, a pattern in the URL or header fields of the request. - -Example files: [HTTPRoute_crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/HTTPRoute_crd.yaml), [Listener_crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/Listener_crd.yaml) - -#### ratelimits CRD: - -In a Kubernetes deployment, you can [rate limit the requests](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/ratelimit) to the resources on the back end server or services using rate limiting feature provided by the ingress Citrix ADC. - -Example files: [ratelimit-example1.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/ratelimit-example1.yaml), [ratelimit-example2.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/ratelimit-example2.yaml) - -#### vips CRD: - -Citrix provides a CustomResourceDefinitions (CRD) called [VIP](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/vip) for asynchronous communication between the IPAM controller and Citrix ingress controller. - -The IPAM controller is provided by Citrix for IP address management. It allocates IP address to the service from a defined IP address range. The Citrix ingress controller configures the IP address allocated to the service as virtual IP (VIP) in Citrix ADX VPX. And, the service is exposed using the IP address. - -When a new service is created, the Citrix ingress controller creates a CRD object for the service with an empty IP address field. 
The IPAM Controller listens to addition, deletion, or modification of the CRD and updates it with an IP address to the CRD. Once the CRD object is updated, the Citrix ingress controller automatically configures Citrix ADC-specfic configuration in the tier-1 Citrix ADC VPX. - -#### rewritepolicies CRD: - -In kubernetes environment, to deploy specific layer 7 policies to handle scenarios such as, redirecting HTTP traffic to a specific URL, blocking a set of IP addresses to mitigate DDoS attacks, imposing HTTP to HTTPS and so on, requires you to add appropriate libraries within the microservices and manually configure the policies. Instead, you can use the [Rewrite and Responder features](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/crd/rewrite-responder-policies-deployment.yaml) provided by the Ingress Citrix ADC device to deploy these policies. - -Example files: [target-url-rewrite.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/target-url-rewrite.yaml) - -#### wafs CRD: - -[WAF CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/waf.md) can be used to configure the web application firewall policies with the Citrix ingress controller on the Citrix ADC VPX, MPX, SDX, and CPX. The WAF CRD enables communication between the Citrix ingress controller and Citrix ADC for enforcing web application firewall policies. - -In a Kubernetes deployment, you can enforce a web application firewall policy to protect the server using the WAF CRD. For more information about web application firewall, see [Web application security](https://docs.citrix.com/en-us/citrix-adc/13/application-firewall/introduction/web-application-security.html). 
- -Example files: [wafhtmlxsssql.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/wafhtmlxsssql.yaml) - -#### CORS CRD: - -[CORS CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/cors.md) Cross-origin resource sharing (CORS) is a mechanism allows a web application running under one domain to securely access resources in another domain. You can configure CORS policies on Citrix ADC using Citrix ingress controller to allow one domain (the origin domain) to call APIs in another domain. For more information, see the [cross-origin resource sharing CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/cors.md) documentation. - -Example files: [cors-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/corspolicy-example.yaml) - -#### APPQOE CRD: - -[APPQOE CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/appqoe.md) When a Citrix ADC appliance receives an HTTP request and forwards it to a back-end server, sometimes there may be connection failures with the back-end server. You can configure the request-retry feature on Citrix ADC to forward the request to the next available server, instead of sending the reset to the client. Hence, the client saves round trip time when Citrix ADC initiates the same request to the next available service. -For more information, see the AppQoE support documentation. [Appqoe resource sharing CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/appqoe.md) documentation. - -Example files: [appqoe-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/appqoe_example.yaml) - -#### WILDCARDDNS CRD: - -[WILDCARDDNS CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/wildcarddns.md) Wildcard DNS domains are used to handle requests for nonexistent domains and subdomains. 
In a zone, use wildcard domains to redirect queries for all nonexistent domains or subdomains to a particular server, instead of creating a separate Resource Record (RR) for each domain. The most common use of a wildcard DNS domain is to create a zone that can be used to forward mail from the internet to some other mail system. -For more information, see the Wild card DNS domains support documentation. [Wildcard DNS Entry CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/wildcarddns.md) documentation. - -Example files: [wildcarddns-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/wildcarddns-example.yaml) - -## Citrix ADC CPX servicetype LoadBalancer -Citrix ADC CPX can be installed with service having servicetype LoadBalancer. Following arguments can be used in the `helm install` command for the same: - -``` -helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,serviceType.loadBalancer.enabled=True -``` - -## Citrix ADC CPX servicetype NodePort -Citrix ADC CPX can be installed with service having servicetype Nodeport. Following arguments can be used in the `helm install` command for the same: - -``` -helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,serviceType.nodePort.enabled=True -``` - -Additionally, `serviceType.nodePort.httpPort` and `serviceType.nodePort.httpsPort` arguments can be used to select the nodePort for the CPX service for HTTP and HTTPS ports. - -### Tolerations - -Taints are applied on cluster nodes whereas tolerations are applied on pods. Tolerations enable pods to be scheduled on node with matching taints. For more information see [Taints and Tolerations in Kubernetes](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/). 
- -Toleration can be applied to pod running Citrix ADC CPX and ingress controller containers using `tolerations` argument while deploying CPX+CIC using helm chart. This argument takes list of tolerations that user need to apply on the CPX+CIC pods. - -For example, following command can be used to apply toleration on the CPX+CIC pod: - -``` -helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,tolerations[0].key=,tolerations[0].value=,tolerations[0].operator=,tolerations[0].effect= -``` - -Here tolerations[0].key, tolerations[0].value and tolerations[0].effect are the key, value and effect that was used while tainting the node. -Effect represents what should happen to the pod if the pod don't have any matching toleration. It can have values `NoSchedule`, `NoExecute` and `PreferNoSchedule`. -Operator represents the operation to be used for key and value comparison between taint and tolerations. It can have values `Exists` and `Equal`. The default value for operator is `Equal`. - -## Configuration -The following table lists the configurable parameters of the Citrix ADC CPX with Citrix ingress controller as side car chart and their default values. - -| Parameters | Mandatory or Optional | Default value | Description | -| ---------- | --------------------- | ------------- | ----------- | -| license.accept | Mandatory | no | Set `yes` to accept the Citrix ingress controller end user license agreement. | -| imageRegistry | Mandatory | `quay.io` | The Citrix ADC CPX image registry | -| imageRepository | Mandatory | `citrix/citrix-k8s-cpx-ingress` | The Citrix ADC CPX image repository | -| imageTag | Mandatory | `13.1-30.52` | The Citrix ADC CPX image tag | -| pullPolicy | Mandatory | IfNotPresent | The Citrix ADC CPX image pull policy. | -| daemonSet | Optional | False | Set this to true if Citrix ADC CPX needs to be deployed as DaemonSet. 
| -| cic.imageRegistry | Mandatory | `quay.io` | The Citrix ingress controller image registry | -| cic.imageRepository | Mandatory | `citrix/citrix-k8s-ingress-controller` | The Citrix ingress controller image repository | -| cic.imageTag | Mandatory | `1.32.7` | The Citrix ingress controller image tag | -| cic.pullPolicy | Mandatory | IfNotPresent | The Citrix ingress controller image pull policy. | -| cic.required | Mandatory | true | CIC to be run as sidecar with Citrix ADC CPX | -| cic.resources | Optional | {} | CPU/Memory resource requests/limits for Citrix Ingress Controller container | -| cic.rbacRole | Optional | false | To deploy CIC with RBAC Role set rbacRole=true; by default CIC gets installed with RBAC ClusterRole(rbacRole=false)) | -| imagePullSecrets | Optional | N/A | Provide list of Kubernetes secrets to be used for pulling the images from a private Docker registry or repository. For more information on how to create this secret please see [Pull an Image from a Private Registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/). | -| nameOverride | Optional | N/A | String to partially override deployment fullname template with a string (will prepend the release name) | -| fullNameOverride | Optional | N/A | String to fully override deployment fullname template with a string | -| resources | Optional | {} | CPU/Memory resource requests/limits for Citrix CPX container | -| nitroReadTimeout | Optional | 20 | The nitro Read timeout in seconds, defaults to 20 | -| logLevel | Optional | DEBUG | The loglevel to control the logs generated by CIC. The supported loglevels are: CRITICAL, ERROR, WARNING, INFO, DEBUG and TRACE. 
For more information, see [Logging](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/configure/log-levels.md).| -| jsonLog | Optional | false | Set this argument to true if log messages are required in JSON format | -| nsConfigDnsRec | Optional | false | To enable/disable DNS address Record addition in ADC through Ingress | -| nsSvcLbDnsRec | Optional | false | To enable/disable DNS address Record addition in ADC through Type Load Balancer Service | -| nsDnsNameserver | Optional | N/A | To add DNS Nameservers in ADC | -| optimizeEndpointBinding | Optional | false | To enable/disable binding of backend endpoints to servicegroup in a single API-call. Recommended when endpoints(pods) per application are large in number. Applicable only for Citrix ADC Version >=13.0-45.7 | -| defaultSSLCertSecret | Optional | N/A | Provide Kubernetes secret name that needs to be used as a default non-SNI certificate in Citrix ADC. | -| nsHTTP2ServerSide | Optional | OFF | Set this argument to `ON` for enabling HTTP2 for Citrix ADC service group configurations. | -| cpxLicenseAggregator | Optional | N/A | IP/FQDN of the CPX License Aggregator if it is being used to license the CPX. | -| nsCookieVersion | Optional | 0 | Specify the persistence cookie version (0 or 1). | -| profileSslFrontend | Optional | N/A | Specify the frontend SSL profile. For Details see [Configuration using FRONTEND_SSL_PROFILE](https://docs.citrix.com/en-us/citrix-k8s-ingress-controller/configure/profiles.html#global-front-end-profile-configuration-using-configmap-variables) | -| profileTcpFrontend | Optional | N/A | Specify the frontend TCP profile. For Details see [Configuration using FRONTEND_TCP_PROFILE](https://docs.citrix.com/en-us/citrix-k8s-ingress-controller/configure/profiles.html#global-front-end-profile-configuration-using-configmap-variables) | -| profileHttpFrontend | Optional | N/A | Specify the frontend HTTP profile. 
For Details see [Configuration using FRONTEND_HTTP_PROFILE](https://docs.citrix.com/en-us/citrix-k8s-ingress-controller/configure/profiles.html#global-front-end-profile-configuration-using-configmap-variables) | -| logProxy | Optional | N/A | Provide Elasticsearch or Kafka or Zipkin endpoint for Citrix observability exporter. | -| nsProtocol | Optional | http | Protocol http or https used for the communication between Citrix Ingress Controller and CPX | -| cpxBgpRouter | Optional | false| If set to true, this CPX is deployed as daemonset in BGP controller mode wherein BGP advertisements are done for attracting external traffic to Kubernetes clusters | -| replicaCount | Optional | 1 | Number of CPX-CIC pods to be deployed. With `cpxBgpRouter : true`, replicaCount is 1 since CPX will be deployed as DaemonSet | -| nsIP | Optional | 192.168.1.2 | NSIP used by CPX for internal communication when run in Host mode, i.e when cpxBgpRouter is set to true. A /24 internal network is created in this IP range which is used for internal communications withing the network namespace. | -| nsGateway | Optional | 192.168.1.1 | Gateway used by CPX for internal communication when run in Host mode, i.e when cpxBgpRouter is set to true. If not specified, first IP in the nsIP network is used as gateway. It must be in same network as nsIP | -| bgpPort | Optional | 179 | BGP port used by CPX for BGP advertisement if cpxBgpRouter is set to true| -| ingressIP | Optional | N/A | External IP address to be used by ingress resources if not overriden by ingress.com/frontend-ip annotation in Ingress resources. This is also advertised to external routers when pxBgpRouter is set to true| -| entityPrefix | Optional | k8s | The prefix for the resources on the Citrix ADC CPX. | -| ingressClass | Optional | N/A | If multiple ingress load balancers are used to load balance different ingress resources. 
You can use this parameter to specify Citrix ingress controller to configure Citrix ADC associated with specific ingress class. For more information on Ingress class, see [Ingress class support](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/configure/ingress-classes/). For Kubernetes version >= 1.19, this will create an IngressClass object with the name specified here | -| setAsDefaultIngressClass | Optional | False | Set the IngressClass object as default. New Ingresses without an "ingressClassName" field specified will be assigned the class specified in ingressClass. Applicable only for kubernetes versions >= 1.19 | -| updateIngressStatus | Optional | False | Set this argument if you want to update ingress status of the ingress resources exposed via CPX. This is only applicable if servicetype of CPX service is LoadBalancer. | -| disableAPIServerCertVerify | Optional | False | Set this parameter to True for disabling API Server certificate verification. | -| openshift | Optional | false | Set this argument if OpenShift environment is being used. | -| disableOpenshiftRoutes | false | By default Openshift routes are processed in openshift environment, this variable can be used to disable Ingress controller processing the openshift routes. | -| routeLabels | Optional | N/A | You can use this parameter to provide the route labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster. | -| namespaceLabels | Optional | N/A | You can use this parameter to provide the namespace labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster. | -| sslCertManagedByAWS | Optional | False | Set this argument if SSL certs used is managed by AWS while deploying Citrix ADC CPX in AWS. | -| nodeSelector.key | Optional | N/A | Node label key to be used for nodeSelector option for CPX-CIC deployment. 
| -| nodeSelector.value | Optional | N/A | Node label value to be used for nodeSelector option in CPX-CIC deployment. | -| podAnnotations | Optional | N/A | Map of annotations to add to the pods. | -| affinity | Optional | N/A | Affinity labels for pod assignment. | -| tolerations | Optional | N/A | Specify the tolerations for the CPX-CIC deployment. | -| serviceType.loadBalancer.enabled | Optional | False | Set this argument if you want servicetype of CPX service to be LoadBalancer. | -| serviceType.nodePort.enabled | Optional | False | Set this argument if you want servicetype of CPX service to be NodePort. | -| serviceType.nodePort.httpPort | Optional | N/A | Specify the HTTP nodeport to be used for NodePort CPX service. | -| serviceType.nodePort.httpsPort | Optional | N/A | Specify the HTTPS nodeport to be used for NodePort CPX service. | -| serviceAnnotations | Optional | N/A | Dictionary of annotations to be used in CPX service. Key in this dictionary is the name of the annotation and Value is the required value of that annotation. For example, [see this](#citrix-adc-cpx-service-annotations). | -| serviceSpec.externalTrafficPolicy | Optional | Cluster | Use this parameter to provide externalTrafficPolicy for CPX service of type LoadBalancer or NodePort. `serviceType.loadBalancer.enabled` or `serviceType.nodePort.enabled` should be set to `true` according to your use case for using this parameter. | -| serviceSpec.loadBalancerIP | Optional | N/A | Use this parameter to provide LoadBalancer IP to CPX service of type LoadBalancer. `serviceType.loadBalancer.enabled` should be set to `true` for using this parameter. | -| serviceSpec.loadBalancerSourceRanges | Optional | N/A | Provide the list of IP Address or range which should be allowed to access the Network Load Balancer. `serviceType.loadBalancer.enabled` should be set to `true` for using this parameter. 
For details, see [Network Load Balancer support on AWS](https://kubernetes.io/docs/concepts/services-networking/service/#aws-nlb-support). | -| servicePorts | Optional | N/A | List of port. Each element in this list is a dictionary that contains information about the port. For example, [see this](#citrix-adc-cpx-service-ports). | -| ADMSettings.licenseServerIP | Optional | N/A | Provide the Citrix Application Delivery Management (ADM) IP address to license Citrix ADC CPX. For more information, see [Licensing](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/licensing/). | -| ADMSettings.licenseServerPort | Optional | 27000 | Citrix ADM port if non-default port is used. | -| ADMSettings.ADMIP | Optional | N/A | Citrix Application Delivery Management (ADM) IP address. | -| ADMSettings.loginSecret | Optional | N/A | The secret key to login to the ADM. For information on how to create the secret keys, see [Prerequisites](#prerequistes). | -| ADMSettings.bandWidthLicense | Optional | False | Set to true if you want to use bandwidth based licensing for Citrix ADC CPX. | -| ADMSettings.bandWidth | Optional | 1000 | Desired bandwidth capacity to be set for Citrix ADC CPX in Mbps. | -| ADMSettings.vCPULicense | Optional | N/A | Set to true if you want to use vCPU based licensing for Citrix ADC CPX. | -| ADMSettings.licenseEdition| Optional | PLATINUM | License edition that can be Standard, Platinum and Enterprise . By default, Platinum is selected.| -| ADMSettings.cpxCores | Optional | 1 | Desired number of vCPU to be set for Citrix ADC CPX. | -| ADMSettings.analyticsServerPort | Optional | 5557 | Port used for Analytics by ADM. Required to plot ServiceGraph. 
| -| exporter.required | Optional | false | Use the argument if you want to run the [Exporter for Citrix ADC Stats](https://github.com/citrix/citrix-adc-metrics-exporter) along with Citrix ingress controller to pull metrics for the Citrix ADC CPX| -| exporter.imageRegistry | Optional | `quay.io` | The Exporter for Citrix ADC Stats image registry | -| exporter.imageRepository | Optional | `citrix/citrix-adc-metrics-exporter` | The Exporter for Citrix ADC Stats image repository | -| exporter.imageTag | Optional | `1.4.9` | The Exporter for Citrix ADC Stats image tag | -| exporter.pullPolicy | Optional | IfNotPresent | The Exporter for Citrix ADC Stats image pull policy. | -| exporter.resources | Optional | {} | CPU/Memory resource requests/limits for Metrics exporter container | -| exporter.ports.containerPort | Optional | 8888 | The Exporter for Citrix ADC Stats container port. | -| analyticsConfig.required | Mandatory | false | Set this to true if you want to configure Citrix ADC to send metrics and transaction records to analytics service. | -| analyticsConfig.distributedTracing.enable | Optional | false | Set this value to true to enable OpenTracing in Citrix ADC. | -| analyticsConfig.distributedTracing.samplingrate | Optional | 100 | Specifies the OpenTracing sampling rate in percentage. | -| analyticsConfig.endpoint.server | Optional | N/A | Set this value as the IP address or DNS address of the analytics server. | -| analyticsConfig.endpoint.service | Optional | N/A | Set this value as the IP address or service name with namespace of the analytics service deployed in Kuberenetes. Format: namespace/servicename| -| analyticsConfig.timeseries.port | Optional | 5563 | Specify the port used to expose analytics service for timeseries endpoint. | -| analyticsConfig.timeseries.metrics.enable | Optional | Set this value to true to enable sending metrics from Citrix ADC. 
| -| analyticsConfig.timeseries.metrics.mode | Optional | avro | Specifies the mode of metric endpoint. | -| analyticsConfig.timeseries.auditlogs.enable | Optional | false | Set this value to true to export audit log data from Citrix ADC. | -| analyticsConfig.timeseries.events.enable | Optional | false | Set this value to true to export events from the Citrix ADC. | -| analyticsConfig.transactions.enable | Optional | false | Set this value to true to export transactions from Citrix ADC. | -| analyticsConfig.transactions.port | Optional | 5557 | Specify the port used to expose analytics service for transaction endpoint. | -| crds.install | Optional | False | Unset this argument if you don't want to install CustomResourceDefinitions which are consumed by CIC. | -| crds.retainOnDelete | Optional | false | Set this argument if you want to retain CustomResourceDefinitions even after uninstalling CIC. This will avoid data-loss of Custom Resource Objects created before uninstallation. | -| bgpSettings.required | Optional | false | Set this argument if you want to enable BGP configurations for exposing service of Type Loadbalancer through BGP fabric| -| bgpSettings.bgpConfig | Optional| N/A| This represents BGP configurations in YAML format. For the description about individual fields, please refer the [documentation](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/cpx-bgp-router.md) | -| nsLbHashAlgo.required | Optional | false | Set this value to set the LB consistent hashing Algorithm | -| nsLbHashAlgo.hashFingers | Optional |256 | Specifies the number of fingers to be used for hashing algorithm. Possible values are from 1 to 1024, Default value is 256 | -| nsLbHashAlgo.hashAlgorithm | Optional | 'default' | Specifies the supported algorithm. 
Supported algorithms are "default", "jarh", "prac", Default value is 'default' |
-
-> **Note:**
->
-> If Citrix ADM related information is not provided during installation, Citrix ADC CPX will come up with the default license.
-
-Alternatively, you can define a YAML file with the values for the parameters and pass the values while installing the chart.
-
-For example:
- ```
- helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller -f values.yaml
- ```
-
-> **Tip:**
->
-> The [values.yaml](https://github.com/citrix/citrix-helm-charts/blob/master/citrix-cpx-with-ingress-controller/values.yaml) contains the default values of the parameters.
-
-## Uninstalling the Chart
-To uninstall/delete the ```my-release``` deployment:
- ```
- helm delete my-release
- ```
-
-## Related documentation
-
-- [Citrix ADC CPX Documentation](https://docs.citrix.com/en-us/citrix-adc-cpx/12-1/cpx-architecture-and-traffic-flow.html)
-- [Citrix ingress controller Documentation](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/)
-- [Citrix ingress controller GitHub](https://github.com/citrix/citrix-k8s-ingress-controller)
-- [BGP advertisement for External IPs with CPX](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/cpx-bgp-router.md)
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.32.7/app-readme.md b/charts/citrix/citrix-cpx-with-ingress-controller/1.32.7/app-readme.md
deleted file mode 100644
index ef45a3d907..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.32.7/app-readme.md
+++ /dev/null
@@ -1,5 +0,0 @@
-# Citrix ADC CPX with Citrix Ingress Controller running as sidecar.
-
-In a [Kubernetes](https://kubernetes.io/) or [OpenShift](https://www.openshift.com) cluster, you can deploy [Citrix ADC CPX](https://docs.citrix.com/en-us/citrix-adc-cpx) with Citrix ingress controller as a [sidecar](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/). The Citrix ADC CPX instance is used for load balancing the North-South traffic to the microservices in your cluster. And, the sidecar Citrix ingress controller configures the Citrix ADC CPX.
-
-This Chart bootstraps deployment of Citrix ADC CPX with Citrix Ingress Controller as sidecar.
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.32.7/questions.yml b/charts/citrix/citrix-cpx-with-ingress-controller/1.32.7/questions.yml
deleted file mode 100644
index 0c87144137..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.32.7/questions.yml
+++ /dev/null
@@ -1,211 +0,0 @@ -questions: -- variable: license.accept - required: true - default: "no" - type: enum - description: "Set to yes to accept the terms and conditions of the Citrix license." - label: Accept License - group: "Deployment Settings" - options: - - "yes" - - "no" -- variable: openshift - default: false - type: boolean - description: "openshift is set to true if charts are being deployed in OpenShift environment" - label: Openshift flag - group: "Deployment Settings" -- variable: nsNamespace - type: string - description: "Prefix for the resources on Citrix ADC" - label: Resource Prefix - group: "Deployment Settings" -- variable: ingressClass[0] - type: string - description: "ingressClass is the name of the Ingress Class" - label: Ingress Class - group: "Deployment Settings" -- variable: logLevel - default: "DEBUG" - type: enum - options: - - "TRACE" - - "DEBUG" - - "INFO" - - "WARNING" - - "ERROR" - description: "logLevel of Citrix Ingress Controller pod" - label: LogLevel - group: "Deployment Settings" -- variable: defaultSSLCert - type: string - description: "Secret containing the default ceritifcate for SSL vservers" - label: Default SSLCert - group: "ADC Settings" -- variable: logProxy - type: string - description: "Elasticsearch or Kafka or Zipkin endpoint for Citrix observability exporte" - label: LogProxy - group: "Deployment Settings" -- variable: http2ServerSide - default: "OFF" - type: enum - options: - - "ON" - - "OFF" - description: "Set to ON to enable HTTP2 for Citrix ADC service group configurations" - label: HTTP2 on ADC - group: "ADC Settings" -- variable: nodeSelector.key - type: string - label: NodeSelector Key - group: "Deployment Settings" -- variable: nodeSelector.value - type: string - label: NodeSelector Value - group: "Deployment Settings" - - -- variable: ADMSettings.licenseServerIP - type: string - label: ADM LicenseServerIP - group: "ADM Settings" -- variable: ADMSettings.licenseServerPort - default: 27000 - type: int - label: 
ADM LicenseServerPort - group: "ADM Settings" -- variable: ADMSettings.ADMIP - type: string - label: ADM IP - group: "ADM Settings" -- variable: ADMSettings.ADMFingerPrint - type: string - label: ADM FingerPrint - group: "ADM Settings" -- variable: ADMSettings.loginSecret - type: string - label: ADM Login Secret - group: "ADM Settings" -- variable: ADMSettings.bandWidthLicense - type: boolean - label: CPX Bandwidth License - group: "ADM Settings" -- variable: ADMSettings.bandWidth - type: int - label: CPX Bandwidth - group: "ADM Settings" -- variable: ADMSettings.vCPULicense - type: boolean - label: CPX vCPU License - group: "ADM Settings" -- variable: ADMSettings.cpxCores - type: int - label: CPX Cores - group: "ADM Settings" -- variable: cic.pullpolicy - default: "IfNotPresent" - type: enum - label: CIC Image Pullpolicy - group: "CIC/CPX Image Settings" - options: - - "Always" - - "IfNotPresent" - - "Never" -- variable: pullpolicy - default: "IfNotPresent" - type: enum - label: CPX Image Pullpolicy - group: "CIC/CPX Image Settings" - options: - - "Always" - - "IfNotPresent" - - "Never" -- variable: cic.image - default: "quay.io/citrix/citrix-k8s-ingress-controller:1.8.28" - type: string - label: CIC Image - group: "CIC/CPX Image Settings" -- variable: image - type: string - default: "quay.io/citrix/citrix-k8s-cpx-ingress:13.0-58.30" - label: CPX Image - group: "CIC/CPX Image Settings" -- variable: exporter.image - default: "quay.io/citrix/citrix-adc-metrics-exporter:1.4.5" - type: string - description: "Exporter Image to be used" - label: Exporter Image - group: "Exporter Settings" -- variable: exporter.pullPolicy - default: "IfNotPresent" - type: string - description: "Exporter Image pull policy" - label: Exporter Image PullPolicy - group: "Exporter Settings" -- variable: exporter.ports.containerPort - default: 8888 - type: int - label: Exporter ContainerPort - group: "Exporter Settings" -- variable: coeConfig.distributedTracing.enable - default: false - type: 
boolean - label: Enable distributedTracing - group: "COE Settings" -- variable: coeConfig.distributedTracing.samplingrate - default: 100 - type: int - label: COE Sampling Rate - group: "COE Settings" -- variable: coeConfig.endpoint.server - type: string - label: COE Endpoint Server - group: "COE Settings" -- variable: coeConfig.timeseries.port - default: 5563 - type: int - label: COE timeseries port - group: "COE Settings" -- variable: coeConfig.timeseries.metrics.enable - default: false - type: boolean - label: Enable timeseries metrics - group: "COE Settings" -- variable: coeConfig.timeseries.metrics.mode - default: 'avro' - type: string - label: COE timeseries metrics Mode - group: "COE Settings" -- variable: coeConfig.timeseries.auditlogs.enable - default: false - type: string - label: Enable timeseries auditlogs - group: "COE Settings" -- variable: coeConfig.timeseries.events.enable - default: false - type: string - label: Enable timeseries events - group: "COE Settings" -- variable: coeConfig.transactions.enable - default: false - type: string - label: Enable transactions - group: "COE Settings" -- variable: coeConfig.transactions.port - default: 5557 - type: int - label: COE transactions port - group: "COE Settings" -- variable: crds.install - default: true - type: boolean - description: "If set to true the charts will install CustomResourceDefinitions which are consumed by CIC." - label: CRD flag - group: "Deployment Settings" -- variable: crds.retainOnDelete - default: false - type: boolean - description: "Set this argument to true if you want to retain CustomResourceDefinitions even after uninstalling CIC. This will avoid data-loss of Custom Resource Objects created before uninstallation." - label: CRD retainOnDelete flag - group: "Deployment Settings" 
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.32.7/templates/NOTES.txt b/charts/citrix/citrix-cpx-with-ingress-controller/1.32.7/templates/NOTES.txt
deleted file mode 100644
index bccfdf69a4..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.32.7/templates/NOTES.txt
+++ /dev/null
@@ -1,14 +0,0 @@
-Thank you for installing {{ .Chart.Name }}.
-
-Your release is named {{ .Release.Name }}.
-
-
-To learn more about the release, try:
-
- $ helm status {{ .Release.Name }}
- $ helm get {{ .Release.Name }}
-
-
-To delete :
- helm delete {{ .Release.Name }}
-
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.32.7/templates/_helpers.tpl b/charts/citrix/citrix-cpx-with-ingress-controller/1.32.7/templates/_helpers.tpl
deleted file mode 100644
index 92e636ce23..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.32.7/templates/_helpers.tpl
+++ /dev/null
@@ -1,97 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Analytics Server IP or DNS
-*/}}
-{{- define "analytics.server" -}}
-{{- if .Values.analyticsConfig.endpoint.server -}}
-{{- printf .Values.analyticsConfig.endpoint.server -}}
-{{- else -}}
-{{- printf "analytics.%s.svc.cluster.local" .Release.Namespace -}}
-{{- end -}}
-{{- end -}}
-
-
-{{- define "citrix-cpx-ingress-controller.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "citrix-cpx-ingress-controller.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "cpxservice.fullname" -}}
-{{- $name := default .Chart.Name "cpx-service" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "cpxexporter.fullname" -}}
-{{- $name := default .Chart.Name "exporter" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "cpxservicemonitor.fullname" -}}
-{{- $name := default .Chart.Name "citrix-adc-cpx-servicemonitor" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "cpxservicemonitorlabel" -}}
-{{- $name := default .Chart.Name "citrix-adc-cpx-svcmon" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "cpxconfigmap.fullname" -}}
-{{- $name := default .Chart.Name "cpx-cic-configmap" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "citrix-cpx-ingress-controller.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "citrix-cpx-ingress-controller.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create -}}
- {{ default (include "citrix-cpx-ingress-controller.fullname" .) .Values.serviceAccount.name }}
-{{- else -}}
- {{ default "default" .Values.serviceAccount.name }}
-{{- end -}}
-{{- end -}}
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.32.7/templates/cic_crds.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.32.7/templates/cic_crds.yaml
deleted file mode 100644
index 04ab366055..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.32.7/templates/cic_crds.yaml
+++ /dev/null
@@ -1,2549 +0,0 @@ -{{- if .Values.crds.install }} -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: rewritepolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: rewritepolicy - plural: rewritepolicies - singular: rewritepolicy - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - rewrite-policies: - type: array - items: - type: object - properties: - servicenames: - description: 'Name of the services that needs to be binded to rewrite policy.' - type: array - items: - type: string - maxLength: 127 - goto-priority-expression: - description: 'Expression or other value specifying the next policy to be - evaluated if the current policy evaluates to TRUE. - Specify one of the following values: - * NEXT - Evaluate the policy with the next higher priority number. - * END - End policy evaluation. - Default value of goto-priority-expression: END' - type: string - maxLength: 1499 - logpackets: - type: object - description: 'Adds an audit message action. - The action specifies whether to log the message, and to which log.' 
- properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' - type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - rewrite-policy: - type: object - properties: - rewrite-criteria: - description: 'Expression against which traffic is evaluated.' - type: string - maxLength: 1299 - default-action: - description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). - An UNDEF event indicates an internal error condition.' - type: string - maxLength: 77 - enum: ['NOREWRITE', 'RESET', 'DROP'] - operation: - description: 'Type of user-defined rewrite action.' - type: string - enum: ["noop", "delete", "insert_http_header", "delete_http_header", - "corrupt_http_header", "insert_before", "insert_after", "replace", - "replace_http_res", "delete_all", "replace_all", "insert_before_all", - "insert_after_all", "clientless_vpn_encode", "clientless_vpn_encode_all", - "clientless_vpn_decode", "clientless_vpn_decode_all", "insert_sip_header", - "delete_sip_header", "corrupt_sip_header", "replace_sip_res", "replace_diameter_header_field", - "replace_dns_header_field", "replace_dns_answer_section"] - target: - description: 'Default syntax expression that specifies which part of the request or response to rewrite.' - type: string - maxLength: 1229 - modify-expression: - description: 'Default syntax expression that specifies the content to insert into the request - or response at the specified location, or that replaces the specified string.' - type: string - maxLength: 7991 - multiple-occurence-modify: - description: 'Search facility that is used to match multiple strings in the request or response.' 
- type: string - maxLength: 171 - additional-multiple-occurence-modify: - description: 'Specify additional criteria to refine the results of the search. - Always starts with the "extend(m,n)" operation, where "m" specifies number of bytes to the left of selected data - and "n" specifies number of bytes to the right of selected data. - You can use refineSearch only on body expressions, and only when rewrite-criteria is any one of this: - INSERT_BEFORE_ALL, INSERT_AFTER_ALL, REPLACE_ALL, and DELETE_ALL.' - type: string - maxLength: 1299 - direction: - description: 'Bind point to which to bind the policy.' - type: string - enum: ["REQUEST","RESPONSE"] - comment: - description: 'Any comments to preserve information about this rewrite policy.' - type: string - maxLength: 255 - required: [rewrite-criteria, operation, target, direction] - required: [rewrite-policy] - - responder-policies: - type: array - items: - type: object - properties: - servicenames: - description: 'Name of the services that needs to be binded to responder policy.' - type: array - items: - type: string - maxLength: 127 - goto-priority-expression: - description: 'Expression or other value specifying the next policy to be - evaluated if the current policy evaluates to TRUE. - Specify one of the following values: - * NEXT - Evaluate the policy with the next higher priority number. - * END - End policy evaluation. - Default value of goto-priority-expression: END' - type: string - maxLength: 1499 - logpackets: - type: object - description: 'Adds an audit message action. - The action specifies whether to log the message, and to which log.' - properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' 
- type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", - "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - responder-policy: - type: object - properties: - redirect: - type: object - description: 'Use this option when you want to Redirect the request when request matches to policy.' - properties: - url: - description: 'URL on which you want to redirect the request.' - type: string - maxLength: 7991 - redirect-status-code: - description: 'HTTP response status code, for example 200, 302, 404, etc.' - type: integer - minimum: 100 - maximum: 599 - redirect-reason: - description: 'Expression specifying the reason for redirecting the request.' - type: string - maxLength: 7991 - required: [url] - respondwith: - type: object - description: 'Use this parameter when you want to respond to the request when request matches to policy.' - properties: - http-payload-string: - description: 'Expression that you want to sent as response to the request.' - type: string - maxLength: 7991 - required: [http-payload-string] - noop: - type: string - description: 'Use this option when you want to send the request to the protected server instead of - responding to it when request matches to policy.' - properties: - target: - description: 'Default syntax expression that specifies to perform noop operation on' - type: string - maxLength: 1229 - reset: - type: string - description: 'Use this option when you want to Reset the client connection by closing it when request matches to policy.' - properties: - drop: - type: string - description: 'Use this option when you want to drop the request without sending a response to the user when request matches to policy.' - properties: - respond-criteria: - description: 'Default syntax expression that the policy uses to determine whether to respond to the specified request.' 
- type: string - maxLength: 1299 - default-action: - description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). - An UNDEF event indicates an internal error condition.' - type: string - maxLength: 77 - enum: ['NOOP', 'RESET', 'DROP'] - comment: - description: 'Any comments to preserve information about this responder policy.' - type: string - maxLength: 255 - required: [respond-criteria] - oneOf: [required: [redirect], required: [respondwith], required: [noop], required: [reset], required: [drop]] - required: [responder-policy] - - dataset: - type: array - items: - type: object - properties: - name: - description: 'Name of the dataset.' - type: string - maxLength: 32 - type: - description: 'Type of value to bind to the dataset.' - type: string - enum: ["ipv4", "number", "ipv6", "ulong", "double", "mac"] - comment: - description: 'Any comments to preserve information about this dataset.' - type: string - maxLength: 255 - values: - description: 'Value of the specified type that is associated with this dataset.' - type: array - items: - type: string - required: [name, type, values] - - patset: - type: array - items: - type: object - properties: - name: - description: 'Name of the Patset.' - type: string - maxLength: 32 - comment: - description: 'Any comments to preserve information about this patset.' - type: string - maxLength: 255 - values: - description: 'String of characters that constitutes a pattern and is associated with this patset.' - type: array - items: - type: string - required: [name, values] - - stringmap: - type: array - items: - type: object - properties: - name: - description: 'Name of the Stringmap.' - type: string - maxLength: 32 - comment: - description: 'Any comments to preserve information about this stringmap.' - type: string - maxLength: 255 - values: - description: 'List of (key,value) pairs to be bound to this string map.' 
- type: array - items: - type: object - properties: - key: - description: 'Character string constituting the key to be bound to this string map.' - type: string - maxLength: 2047 - value: - description: 'Character string constituting the value associated with the key.' - type: string - maxLength: 2047 - required: [name, values] - - httpcallout_policy: - type: array - items: - type: object - properties: - name: - description: 'httpcallout name' - type: string - maxLength: 32 - server_ip: - description: 'IP Address of the server(callout agent) to which the callout is sent.' - type: string - server_port: - description: 'Port of the server(callout agent) to which the callout is sent.' - type: integer - minimum: 1 - maximum: 65535 - http_method: - description: |+ - 'Method used in the HTTP request that this callout sends. - Default http method is GET' - type: string - enum: ['GET', 'POST'] - host_expr: - description: |+ - 'String expression to configure the Host header. Can contain a literal value - (for example, 10.101.10.11) or a derived value (for example, http.req.header("Host")). - The literal value can be an IP address or a fully qualified domain name. Mutually - exclusive with the full HTTP request expression.' - type: string - maxLength: 255 - url_stem_expr: - description: |+ - 'String expression for generating the URL stem. Can contain a literal string - (for example, "/mysite/index.html") or an expression that derives the value - (for example, http.req.url).' - type: string - maxLength: 8191 - headers: - type: array - description: |+ - 'One or more headers to insert into the HTTP request. Each header is represented by - name and expr, where expr is an expression that is evaluated at runtime to provide - the value for the named header. You can configure a maximum of eight headers for - an HTTP callout.' 
- items: - type: object - properties: - name: - description: 'header name' - type: string - expr: - description: 'header expression' - type: string - parameters: - type: array - description: |+ - 'One or more query parameters to insert into the HTTP request URL (for a GET request) - or into the request body (for a POST request). Each parameter is represented by - name and expr, where expr is an expression that is evaluated at run time to provide - the value for the named parameter (name=value). The parameter values are URL encoded.' - items: - type: object - properties: - name: - description: 'parameter name' - type: string - expr: - description: 'parameter expression' - type: string - body_expr: - description: |+ - 'An advanced string expression for generating the body of the request. - The expression can contain a literal string or an expression that derives - the value (for example, client.ip.src).' - type: string - full_req_expr: - description: |+ - 'Exact HTTP request, in the form of an expression, which the Citrix ADC sends - to the callout agent. The request expression is constrained by the feature - for which the callout is used. For example, an HTTP.RES expression cannot be - used in a request-time policy bank or in a TCP content switching policy bank.' - type: string - scheme: - description: |+ - 'Type of scheme for the callout server. - Default scheme is HTTP' - type: string - enum: ['HTTP', 'HTTPS'] - cache_for_secs: - description: |+ - 'Duration, in seconds, for which the callout response is cached. - The cached responses are stored in an integrated caching content - group named "calloutContentGroup". If no duration is configured, - the callout responses will not be cached unless normal caching - configuration is used to cache them. This parameter takes precedence over any - normal caching configuration that would otherwise apply to these responses.' 
- type: integer - minimum: 1 - maximum: 31536000 - return_type: - description: |+ - 'Type of data that the target callout agent returns in response to the callout - Available settings function as follows: - * TEXT - Treat the returned value as a text string. - * NUM - Treat the returned value as a number. - * BOOL - Treat the returned value as a Boolean value.' - type: string - enum: ['TEXT', 'NUM', 'BOOL'] - result_expr: - description: |+ - 'Expression that extracts the callout results from the response sent by the HTTP callout - agent. Must be a response based expression, that is, it must begin with HTTP.RES. The - operations in this expression must match the return type. For example, if you configure - a return type of TEXT, the result expression must be a text based expression. If the - return type is NUM, the result expression (resultExpr) must return a numeric value, - as in the following example: http.res.body(10000).length.' - type: string - maxLength: 8191 - comment: - description: 'Any comments to preserve information about this HTTP callout.' 
- type: string - maxLength: 255 - allOf: - - properties: - required: [name, server_ip, server_port] - - properties: - oneOf: - - properties: - required: [full_req_expr] - - properties: - anyOf: - - properties: - required: [http_method] - - properties: - required: [host_expr] - - properties: - required: [url_stem_expr] - - properties: - required: [headers] - - properties: - required: [parameters] - - properties: - required: [body_expr] - anyOf: [required: [rewrite-policies], required: [responder-policies]] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: ratelimits.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: ratelimit - plural: ratelimits - singular: ratelimit - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the ratelimit policies are applied.' - type: array - items: - type: string - maxLength: 127 - selector_keys: - type: object - description: 'Traffic match criteria to which apply above rate-limit/throttling. All keys are applied as AND condition. 
If no keys are specified, rate-limit applies at service level' - properties: - basic: - type: object - description: "Basic traffic stream selection criteria to which to apply the ratelimit" - properties: - path: - type: array - description: "api resource path prefix match. e.g. /api/v1/products" - items: - type: string - method: - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT', 'UNKNOWN_METHOD'] - header_name: - description: "HTTP header that identifies the unique API client for e.g. X-apikey" - type: string - per_client_ip: - description: "Setting this applies the throttling limit to each unique Client IP address accessing the API resource" - type: boolean - req_threshold: - description: 'Max requests per timeslice units to be allowed' - type: integer - timeslice: - description: 'Timeslice in miliseconds in multiple of 10. Defaults to 1000 miliseconds' - type: integer - limittype: - description: "Burst mode or smooth. Defaults to smooth limittype if not specified" - type: string - enum: ['BURSTY','SMOOTH'] - throttle_action: - type: string - enum: ['DROP', 'RESET','REDIRECT', 'RESPOND'] - description: "Drop will drop the requests exceeding limits, RESET will reset the client connection, Redirect will redirect to specified URL, respond will respond with 429 'Exceeded allowed rate of requests'" - redirect_url: - type: string - description: "Redirect-URL" - logpackets: - type: object - description: 'Adds an audit message action. The action specifies whether to log the message, and to which log.' - properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' 
- type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - required: [req_threshold] ---- -#Sample CRD instance - -#apiVersion: citrix.com/v1 -#description: VIP for apache service -#kind: vip -#metadata: -# name: service-apache -# namespace: default -#spec: -# description: VIP for the apache Service -# ipaddress: 10.99.98.90 -# kind: service -# name: apache - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: vips.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: vip - plural: vips - singular: vip - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - additionalPrinterColumns: - - jsonPath: .spec.ipaddress - name: VIP - type: string - - name: Age - type: date - jsonPath: .metadata.creationTimestamp - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - ipaddress: - type: string - name: - type: string - kind: - type: string - enum: ["service", "ingress"] - description: - type: string - range-name: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: authpolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: authpolicy - plural: authpolicies - singular: authpolicy - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: 'Current Status of the CRD' - jsonPath: .status.state - - name: Message - type: string - description: 'Status Message' - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: 
string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: |+ - 'Name of the services for which the policies applied' - type: array - items: - type: string - maxLength: 63 - authentication_mechanism: - type: object - description: |+ - 'Authentication mechanism. Options: using forms or using request header. - Default is Authentication using request header, when no option is specified' - properties: - using_request_header: - description: |+ - 'Enable user authentication using request header. Use when the credentials - or api keys are passed in a header. For example, when using Basic, Digest, - Bearer authentication or api keys. - When authentication using forms is provided, this is set to OFF' - - type: string - using_forms: - type: object - description: 'Enables authentication using forms. Use with user/web authentication.' - properties: - authentication_host: - description: |+ - 'Fully qualified domain name (FQDN) for authentication. - This FQDN should be unique and should resolve to frontend IP of - ADC with Ingress/service type LoadBalancer (or) vip of Listener CRD' - type: string - maxLength: 255 - authentication_host_cert: - description: |+ - 'Name of the SSL certificate to be used with authentication_host. 
- This certificate is mandatory while using_forms' - type: object - properties: - tls_secret: - type: string - description: 'Name of the Kubernetes Secret of type tls referring to Certificate' - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - preconfigured: - type: string - maxLength: 63 - description: |+ - 'Preconfigured SSL certkey name on ADC with the - certificate and key already added on ADC' - oneOf: - - properties: - required: [tls_secret] - - properties: - required: [preconfigured] - ingress_name: - description: |+ - 'Ingress name for which the authentication using forms - is applicable.' - type: string - maxLength: 63 - lb_service_name: - description: |+ - 'Service of type LoadBalancer for which the authentication using forms - is applicable.' - type: string - maxLength: 63 - listener_name: - description: |+ - 'Listener CRD name for which the authentication using forms is applicable.' - type: string - maxLength: 63 - vip: - description: |+ - 'Frontend IP of ingress for which the authentication - using forms is applicable. This refers to frontend-ip provided - with Ingress. It is suggested to use vip, if more than one Ingress - resource use the same frontend-ip' - type: string - required: [authentication_host, authentication_host_cert] - oneOf: - - properties: - required: [ingress_name] - - properties: - required: [lb_service_name] - - properties: - required: [listener_name] - - properties: - required: [vip] - oneOf: - - properties: - using_request_header: - enum: ['ON'] - required: [using_request_header] - - properties: - required: [using_forms] - - authentication_providers: - description: |+ - 'Authentication Configuration for required authentication providers/schemes. 
- One or more of these can be created' - type: array - items: - description: 'Create config for a single authentication provider of a particular type' - type: object - properties: - name: - description: 'Name for this provider, has to be unique, referenced by authentication policies' - type: string - maxLength: 127 - - oauth: - description: 'Authentication provided by external oAuth provider' - type: object - properties: - issuer: - description: 'Identity of the server whose tokens are to be accepted' - type: string - maxLength: 127 - audience: - description: 'Audience for which token sent by Authorization server is applicable' - type: array - items: - type: string - maxLength: 127 - jwks_uri: - description: |+ - 'URL of the endpoint that contains JWKs (Json Web Key) for - JWT (Json Web Token) verification' - type: string - maxLength: 127 - introspect_url: - description: ' URL of the introspection server' - type: string - maxLength: 127 - client_credentials: - description: |+ - 'secrets object that contains Client Id and secret as known - to Introspection server' - type: string - maxLength: 253 - token_in_hdr: - description: |+ - 'custom header name where token is present, - default is Authorization header' - type: array - items: - type: string - maxLength: 127 - maxItems: 2 - token_in_param: - description: 'query parameter name where token is present' - type: array - items: - type: string - maxLength: 127 - maxItems: 2 - signature_algorithms: - description: 'list of allowed signature algorithms, by default HS256, RS256, RS512 are allowed' - type: array - items: - type: string - enum: ['HS256', 'RS256', 'RS512'] - claims_to_save: - description: 'list of claims to be saved, used to create authorization policies' - type: array - items: - type: string - maxLength: 127 - metadata_url: - description: 'URL used to get OAUTH/OIDC provider metadata' - type: string - maxLength: 255 - user_field: - description: |+ - 'Attribute in the token from which username should be 
extracted. - by default, ADC looks at email attribute for user id' - type: string - maxLength: 127 - default_group: - description: |+ - 'group assigned to the request if authentication succeeds, - this is in addition to any extracted groups from token' - type: string - maxLength: 63 - grant_type: - description: 'used to specify the type of flow to the token end point, defaults to CODE' - type: array - items: - type: string - enum: ['CODE','PASSWORD'] - pkce: - description: 'specify whether to enable Proof Key Code Exchange, defaults to ENABLED' - type: string - enum: ['ENABLED', 'DISABLED'] - token_ep_auth_method: - description: |+ - 'authentication method to be used with token end point, - defaults to client_secret_post' - type: string - enum: ['client_secret_post', 'client_secret_jwt'] - - anyOf: - - properties: - required : [jwks_uri] - - properties: - required : [introspect_url, client_credentials] - - properties: - required : [metadata_url] - - ldap: - description: 'LDAP authentication provider' - type: object - properties: - server_ip: - description: 'IP address assigned to the LDAP server' - type: string - server_name: - description: 'LDAP server name as a FQDN' - type: string - maxLength: 127 - server_port: - description: 'Port on which the LDAP server accepts connections. Default is 389' - type: integer - minimum: 1 - maximum: 65535 - base: - description: |+ - 'Base (node) from which to start LDAP searches. If the LDAP server is - running locally, the default value of base is dc=netscaler, dc=com' - type: string - maxLength: 127 - server_login_credentials: - description: |+ - 'Kubernetes secret object providing credentials to login to LDAP server, - The secret data should have username and password' - type: string - login_name: - description: |+ - 'LDAP login name attribute. 
The Citrix ADC uses the LDAP login name - to query external LDAP servers or Active Directories' - type: string - maxLength: 127 - security_type: - description: |+ - 'Type of security used for communications between the Citrix ADC - and the LDAP server. Default is TLS' - type: string - enum: ['PLAINTEXT', 'TLS', 'SSL'] - validate_server_cert: - description: 'Validate LDAP Server certs. Default is NO' - type: string - enum: ['YES', 'NO'] - hostname: - description: |+ - 'Hostname for the LDAP server. If validate_server_cert is ON, - this must be the host name on the certificate from the LDAP - A hostname mismatch will cause a connection failure' - type: string - maxLength: 127 - sub_attribute_name: - description: 'LDAP group sub-attribute name. Used for group extraction from the LDAP server.' - type: string - maxLength: 31 - group_attribute_name: - description: 'LDAP group attribute name. Used for group extraction on the LDAP server.' - type: string - maxLength: 31 - search_filter: - description: |+ - 'String to be combined with the default LDAP user search string to form the - search value. For example, if the search filter "vpnallowed=true" is combined - with the LDAP login name "samaccount" and the user-supplied username is "bob", - the result is the LDAP search string ""(&(vpnallowed=true)(samaccount=bob)"" - (Be sure to enclose the search string in two sets of double quotation marks)' - type: string - maxLength: 255 - auth_timeout: - description: |+ - 'Number of seconds the Citrix ADC waits for a response from the server - Default is 3' - type: integer - minimum: 1 - maximum: 4294967295 - password_change: - description: 'Allow password change requests. 
Default is DISABLED' - type: string - enum: ['ENABLED', 'DISABLED'] - attributes_to_save: - description: |+ - 'List of attribute names separated by comma which needs to be fetched - from LDAP server and stored as key-value pair for the session on ADC' - type: string - maxLength: 2047 - oneOf: - - properties: - required: [server_ip] - - properties: - required: [server_name] - - saml: - description: |+ - 'SAML authentication provider. - Currently SAML is supported only with authentication mechanism using forms' - type: object - properties: - metadata_url: - description: 'URL is used for obtaining saml metadata.' - type: string - maxLength: 255 - metadata_refresh_interval: - description: |+ - 'Interval in minutes for fetching metadata from specified metadata URL. - Default is 36000' - type: integer - minimum: 1 - maximum: 4294967295 - signing_cert: - description: 'SSL certificate to sign requests from SP to IDP' - type: object - properties: - tls_secret: - type: string - description: 'Name of the Kubernetes Secret of type tls referring to Certificate' - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - preconfigured: - type: string - maxLength: 63 - description: |+ - 'Preconfigured SSL certkey name on ADC with the - certificate and key already added on ADC' - oneOf: - - properties: - required: [tls_secret] - - properties: - required: [preconfigured] - audience: - description: 'Audience for which assertion sent by IdP is applicable' - type: string - maxLength: 127 - issuer_name: - description: 'The name to be used in requests sent from SP to IDP to identify citrix ADC' - type: string - maxLength: 63 - binding: - description: 'Specifies the transport mechanism of saml message. Default is POST' - type: string - enum: ['REDIRECT', 'POST', 'ARTIFACT'] - artifact_resolution_service_url: - description: 'URL of the Artifact Resolution Service on IdP' - type: string - maxLength: 255 - logout_binding: - description: 'Specifies the transport mechanism of saml logout. 
Default is POST' - type: string - enum: ['REDIRECT', 'POST'] - reject_unsigned_assertion: - description: |+ - 'Reject unsigned SAML assertions. ON, rejects assertion without signature. - STRICT ensure that both Response and Assertion are signed. Default is ON' - type: string - enum: ['ON', 'OFF', 'STRICT'] - user_field: - description: 'SAML user ID, as given in the SAML assertion' - type: string - maxLength: 63 - default_authentication_group: - description: |+ - 'This is the default group that is chosen when the authentication - succeeds in addition to extracted groups' - type: string - maxLength: 63 - skew_time: - description: |+ - 'Allowed clock skew in number of minutes on an incoming assertion. - Default is 5' - type: integer - minimum: 1 - attributes_to_save: - description: |+ - 'List of attribute names separated by comma which needs to be extracted - and stored as key-value pair for the session on ADC' - type: string - maxLength: 2047 - required: - - metadata_url - - basic_local_db: - type: object - description: |+ - 'Basic HTTP authentication supported by ADC, user data in local DB of ADC. - Users needs to be added on ADC' - properties: - use_local_auth: - description: 'Use ADC authentication' - type: string - enum: ['YES'] - - required: - - name - - authentication_policies: - description: 'Authentication policies' - type: array - items: - type: object - description: 'Authentication policy' - properties: - resource: - type: object - description: 'endpoint/resource selection criteria' - properties: - path: - description: 'api resource path e.g. /products. 
' - type: array - items: - type: string - maxLength: 511 - method: - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT', 'UNKNOWN_METHOD'] - required: - - path - expression: - description: 'ADC syntax expression for authentication' - type: string - maxLength: 1229 - provider: - description: 'name of the authentication provider for the policy, empty if no authentication required' - type: array - items: - type: string - maxLength: 127 - maxItems: 1 - oneOf: - - required: [resource, provider] - - required: [expression, provider] - - authorization_policies: - description: 'Authorization policies' - type: array - items: - type: object - description: 'Authorization policy' - properties: - resource: - type: object - description: 'endpoint/resource selection criteria' - properties: - path: - description: 'api resource path e.g. /products. ' - type: array - items: - type: string - maxLength: 511 - method: - description: ' http method' - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT', 'UNKNOWN_METHOD'] - claims: - description: 'authorization scopes required for selected resource saved as claims or attributes' - type: array - items: - type: object - properties: - name: - description: 'name of the claim/attribute to check' - type: string - maxLength: 127 - values: - description: 'list of claim values required for the request' - type: array - items: - type: string - maxLength: 127 - minItems: 1 - required: - - name - - values - required: - - claims - expression: - description: 'ADC syntax expression for authorization' - type: string - maxLength: 1229 - oneOf: - - required: [resource] - - required: [expression] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: listeners.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - 
names: - kind: Listener - plural: listeners - singular: listener - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - required: [spec] - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - required: [protocol] - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - protocol: - type: string - enum: ["https", "http"] - description: "Protocol for this listener" - vip: - type: string - description: "VIP address, Optional for CPX, required for Tier-1 deployments" - secondaryVips: - type: array - description: "An array of Secondary VIPs. All the VIPs will be part of an ipset" - minItems: 1 - items: - type: string - redirectPort: - type: integer - minimum: 1 - maximum: 65535 - description: "Port from which http traffic should be redirected to https" - port: - type: integer - minimum: 1 - maximum: 65535 - certificates: - type: array - description: "certificates attached to the endpoints - Not applicable for HTTP" - minItems: 1 - items: - type: object - properties: - preconfigured: - type: string - description: "Preconfigured Certificate name on ADC " - secret: - type: object - description: "Kuberentes secret object" - required: [name] - properties: - name: - type: string - description: "name of the Kubernetes Secret object where Cert is located" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - namespace: - type: string - description: "Namespace of the kubernetes secret object; Default is same namespace where the Listener object is located" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - default: - type: boolean - description: "Only one of the certificate can be marked as default which will be presented if none of the cert matches with 
the hostname" - oneOf: - - required: ["preconfigured"] - - required: ["secret"] - policies: - type: object - description: "Policies attached to the Listener" - properties: - httpprofile: - type: object - description: "HTTP profile configurations for the Listener, HTTP level configurations" - properties: - preconfigured: - type: string - description: "Preconfigured or Built-in HTTP profile name" - config: - type: object - description: "HTTP profile configuration for the listener. For individual fields, refer:https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ns/nshttpprofile/nshttpprofile/ Name field is auto populated" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - tcpprofile: - type: object - description: "TCP level configurations, uses ns tcpprofile of citrix ADC" - properties: - preconfigured: - description: "Preconfigured or Built-in TCP profile name" - type: string - config: - type: object - description: "TCPprofile configurations for the listener. For individual fields refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ns/nstcpprofile/ ; Name field is auto populated" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - csvserverConfig: - type: object - description: "CS Vserver configuration for the listener" - additionalProperties: - type: string - sslprofile: - type: object - description: "SSL profile configuration" - properties: - preconfigured: - type: string - description: "SSL profile which is preconfigured in ADC. Ciphers bound to the profile is not overriden" - config: - description: "Citrix ADC frontend SSL profile configurations. 
Refer:https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ssl/sslprofile/ for all configurations; Name field is auto generated" - type: object - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - sslciphers: - type: array - description: "List of ciphers to be bound to the ssl profile for the listener. Priority is as per the order in the list. A cipher suite, predefined cipher group or User created cipher group can be mentioned" - minItems: 1 - items: - type: string - description: "Cipher suite, cipher group name" - analyticsprofile: - type: object - description: "Analytics profile configuration" - properties: - preconfigured: - type: array - description: "Preconfigured Analytics profile that needs to be bound to the vserver" - minItems: 1 - items: - type: string - description: "Name of the analytics profile preconfigured that will be bound to the Vserver" - config: - type: array - description: "An array of analytics to be enabled" - minItems: 1 - items: - type: object - description: "Anlytics to be enabled" - required: ['type'] - properties: - type: - description: "Analytics profile to be enabled, you can enable one or more of the webinsight, tcpinsight, securityinsight, videoinsight, hdxinsight, gatewayinsight, timeseries, lsninsight, botinsight " - type: string - enum: ["webinsight", "tcpinsight", "securityinsight", "videoinsight", "hdxinsight", "gatewayinsight", "timeseries", "lsninsight", "botinsight"] - parameters: - type: object - description: "Additional parameters for analytics profile. 
Please refer:https://developer-docs.citrix.com/projects/citrix-adc-nitro-api-reference/en/latest/configuration/analytics/analyticsprofile/" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - routes: - type: array - description: "List of route objects attached to the listener" - minItems: 1 - items: - type: object - properties: - name: - type: string - description: "Name of the HTTPRoute object" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - namespace: - type: string - description: "Namespace of the HTTPRoute object" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - labelSelector: - description: "Labels key value pair, if the route carries the same labels, it is automatically attached" - type: object - additionalProperties: - type: string - oneOf: - - required: [name, namespace] - - required: [labelSelector] - defaultAction: - type: object - description: "Default action for the listener: One of Backend or Redirect" - properties: - backend: - type: object - oneOf: - - required: [kube] - properties: - kube: - type: object - required: [service, port] - properties: - service: - description: "Name of the backend service" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - port: - description: "Service port" - type: integer - minimum: 1 - maximum: 65535 - namespace: - description: "Service namespace" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - backendConfig: - description: "General backend service options" - type: object - properties: - secure_backend: - description: "Use Secure communications to the backends" - type: boolean - lbConfig: - description: "Citrix ADC LB vserver configurations for the backend. 
Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/load-balancing/lbvserver/lbvserver/ for all configurations" - type: object - additionalProperties: - type: string - servicegroupConfig: - description: "Citrix ADC service group configurations for the backend; Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/basic/servicegroup/servicegroup/ for all configurations" - type: object - additionalProperties: - type: string - redirect: - type: object - oneOf: - - required: [targetExpression] - - required: [hostRedirect] - - required: [httpsRedirect] - properties: - httpsRedirect: - description: "Change the scheme from http to https keeping URL intact" - type: boolean - hostRedirect: - description: "Host name specified is used for redirection with URL intact" - type: string - targetExpression: - description: "A target can be specified using Citrix ADC policy expression" - type: string - responseCode: - description: "Default response code is 302, which can be customised using this attribute" - type: integer - minimum: 100 - maximum: 599 - oneOf: - - required: ["backend"] - - required: ["redirect"] - subresources: - # status enables the status subresource. 
- status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: httproutes.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: HTTPRoute - plural: httproutes - singular: httproute - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - required: [rules] - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - hostname: - type: array - description: "List of domain names that share the same route, default is '*'" - minItems: 1 - items: - type: string - description: "Domain name" - rules: - type: array - description: "List Content routing rules with an action defined" - minItems: 1 - items: - type: object - required: [name, action] - properties: - name: - type: string - description: "A name to represent the rule, this is used as an identifier in content routing policy name in ADC" - minLength: 1 - maxLength: 20 - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - match: - type: array - description: "List of rules with same action" - minItems: 1 - items: - type: object - anyOf: - - required: [path] - - required: [headers] - - required: [cookies] - - required: [queryParams] - - required: [method] - - required: [policyExpression] - properties: - path: - type: object - description: "URL Path based content routing" - properties: - prefix: - type: string - description: "URL path matches the prefix expression" - exact: - type: string - description: "URL Path must match exact path" - regex: - type: string - description: "PCRE based 
regex expression for path matching" - headers: - type: array - description: "List of header for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Header details for content routing, Check for existence of a header or header name-value match" - properties: - headerName: - type: object - description: "Header name based content routing, Here existence of header is used for routing" - properties: - exact: - type: string - description: "Header Name - treated as exact must exist" - contains: - type: string - description: "Header Name - A header must exist that contain the string the name" - regex: - type: string - description: "header Name - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e header name must not exist" - oneOf: - - required: [exact] - - required: [contains] - - required: [regex] - headerValue: - type: object - description: "Header Name and Value based match" - properties: - name: - type: string - description: "Header name that must match the value" - exact: - type: string - description: "Header value - treated as exact" - contains: - type: string - description: "Header value - treated as contains" - regex: - type: string - description: "header value - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e header if present must not match the value" - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - queryParams: - type: array - description: "List of Query parameters for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Query parameters Name and Value based match" - properties: - name: - type: string - description: "Query name that must match the value. 
If no value is specified, matches with any value" - exact: - type: string - description: "Query value - Exact match" - contains: - type: string - description: "Query value - value must have the string(substring)" - regex: - type: string - description: "Query value - Value must match this regex patterm" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e query if present must not match the value" - anyOf: - - required: [name] - - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - cookies: - type: array - description: "List of Cookie params for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Cookie based routing" - properties: - name: - type: string - description: "cookie name that must match the value. If no value specified, it matches with any value" - exact: - type: string - description: "cookie value - treated as exact" - contains: - type: string - description: "cookie value - treated as substring" - regex: - type: string - description: "cookie value - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. 
I.e cookie if present must not match the value" - anyOf: - - required: [name] - - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - method: - type: string - description: "HTTP method for content routing eg: POST, PUT, DELETE etc" - policyExpression: - type: string - description: "Citrix ADC policy expressions; refer: https://docs.citrix.com/en-us/netscaler/media/expression-prefix.pdf" - action: - type: object - description: "Action for the matched rule" - properties: - backend: - type: object - oneOf: - - required: [kube] - properties: - kube: - type: object - required: [service, port] - properties: - service: - description: "Name of the backend service" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - port: - description: "Service port" - type: integer - minimum: 1 - maximum: 65535 - backendConfig: - type: object - description: "General backend service options" - properties: - secureBackend: - description: "Use Secure communications to the backends" - type: boolean - lbConfig: - description: "Citrix ADC LB vserver configurations for the backend. 
Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/load-balancing/lbvserver/lbvserver/ for all configurations" - type: object - additionalProperties: - type: string - servicegroupConfig: - description: "Citrix ADC service group configurations for the backend; Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/basic/servicegroup/servicegroup/ for all configurations" - type: object - additionalProperties: - type: string - redirect: - type: object - oneOf: - - required: [targetExpression] - - required: [hostRedirect] - - required: [httpsRedirect] - properties: - httpsRedirect: - description: "Change the scheme from http to https keeping URL intact" - type: boolean - hostRedirect: - description: "Host name specified is used for redirection with URL intact" - type: string - targetExpression: - description: "A target can be specified using Citrix ADC policy expression" - type: string - responseCode: - description: "Default response code is 302, which can be customised using this attribute" - type: integer - minimum: 100 - maximum: 599 - oneOf: - - required: ["backend"] - - required: ["redirect"] - subresources: - # status enables the status subresource. - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - # name must match the spec fields below, and be in the form: . 
- name: continuousdeployments.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: continuousdeployment - plural: continuousdeployments - singular: continuousdeployment - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - cronSpec: - type: integer - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: wafs.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: waf - plural: wafs - singular: waf - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the waf policies are applied.' 
- type: array - items: - type: string - maxLength: 127 - application_type: - description: 'Type of applications to protect' - type: array - items: - type: string - enum: ['HTML', 'JSON', 'XML'] - signatures: - description: 'Location of external signature file' - type: string - redirect_url: - description: 'When a URL is blocked/down, redirect_url represents the alternate URL where the client requests should be sent.' - type: string - html_error_object: - description: 'Location of customized error page to respond when html or common violation are hit' - type: string - xml_error_object: - description: 'Location of customized error page to respond when xml violations are hit' - type: string - json_error_object: - description: 'Location of customized error page to respond when json violations are hit' - type: string - ip_reputation: - type: object - x-kubernetes-preserve-unknown-fields: true - description: 'Enabling IP reputation feature' - target: - description: 'To control what traffic to be inspected by Web Application Firewall. 
If you do not provide the target, everything will be inspected by default' - type: object - properties: - path: - type: array - description: "List of http urls to inspect" - items: - type: string - description: "URL path" - method: - type: array - description: "List of http methods to inspect" - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT', 'UNKNOWN_METHOD'] - header: - type: array - description: "List of http headers to inspect" - items: - type: string - description: "header name" - security_checks: - description: 'To enable/disable application firewall security checks' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true - settings: - description: 'To fine tune application firewall security checks default settings' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true - relaxations: - description: 'Section which contains relaxation rules for known traffic and false positives' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true - enforcements: - description: 'Section which contains enforcement or restriction rules' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: 
true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: bots.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: bot - plural: bots - singular: bot - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the bot policies are applied.' - type: array - items: - type: string - maxLength: 127 - signatures: - description: 'Location of external bot signature file' - type: string - redirect_url: - description: 'url to redirect when bot violation is hit' - type: string - target: - description: 'To control what traffic to be inspected by BOT. 
If you do not provide the target, everything will be inspected by default' - type: object - properties: - path: - type: array - description: "List of http urls to inspect" - items: - type: string - description: "URL path" - method: - type: array - description: "List of http methods to inspect" - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT', 'UNKNOWN_METHOD'] - header: - type: array - description: "List of http headers to inspect" - items: - type: string - description: "header name" - security_checks: - description: 'To enable/disable bot ecurity checks' - type: object - properties: - allow_list: - type: string - enum: ['ON', 'OFF'] - block_list: - type: string - enum: ['ON', 'OFF'] - device_fingerprint: - type: string - enum: ['ON', 'OFF'] - device_fingerprint_action: - type: object - x-kubernetes-preserve-unknown-fields: true - headless_browser: - type: string - enum: ['ON','OFF'] - reputation: - type: string - enum: ['ON', 'OFF'] - ratelimit: - type: string - enum: ['ON', 'OFF'] - tps: - type: string - enum: ['ON', 'OFF'] - trap: - type: object - x-kubernetes-preserve-unknown-fields: true - bindings: - description: 'Section which contains binding rules for bot security checks' - type: object - properties: - allow_list: - type: array - items: - type: object - properties: - subnet: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - ipv6: - type: object - x-kubernetes-preserve-unknown-fields: true - ipv6_subnet: - type: object - x-kubernetes-preserve-unknown-fields: true - expression: - type: object - x-kubernetes-preserve-unknown-fields: true - - block_list: - type: array - items: - type: object - properties: - subnet: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - ipv6: - type: object - x-kubernetes-preserve-unknown-fields: true - ipv6_subnet: - type: 
object - x-kubernetes-preserve-unknown-fields: true - expression: - type: object - x-kubernetes-preserve-unknown-fields: true - ratelimit: - type: array - items: - type: object - properties: - url: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - cookie: - type: object - x-kubernetes-preserve-unknown-fields: true - geolocation: - type: object - x-kubernetes-preserve-unknown-fields: true - reputation: - type: object - x-kubernetes-preserve-unknown-fields: true - captcha: - type: array - items: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - logexp: - type: array - items: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - kbmexpr: - type: array - items: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - tps: - type: object - properties: - geolocation: - type: object - x-kubernetes-preserve-unknown-fields: true - host: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - url: - type: object - x-kubernetes-preserve-unknown-fields: true - trapinsertion: - type: object - x-kubernetes-preserve-unknown-fields: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: apigatewaypolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: apigatewaypolicy - plural: apigatewaypolicies - singular: apigatewaypolicy - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - subresources: - status: {} - schema: - openAPIV3Schema: - type: object - required: [spec] 
- properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - api_definition: - type: object - properties: - repository: - type: string - branch: - type: string - oas_secret_ref: - type: string - files: - type: array - items: - type: string - maxLength: 127 - api_proxy: - type: object - properties: - ipaddress: - type: string - port: - type: integer - protocol: - type: string - secret: - type: string - policies: - type: array - items: - type: object - properties: - name: - type: string - selector: - type: array - items: - type: object - properties: - tags: - type: array - items: - type: string - api: - type: string - method: - type: array - items: - type: string - maxLength: 127 - upstream: - type: object - properties: - service: - type: string - port: - type: integer - policy_bindings: - type: object - properties: - ratelimit: - type: object - properties: - name: - type: string - waf: - type: object - properties: - name: - type: string - rewritepolicy: - type: object - properties: - name: - type: string - bot: - type: object - properties: - name: - type: string - aaa: - type: array - items: - type: object - properties: - crd_name: - type: string - mappings: - type: array - items: - type: object - properties: - petstore_auth: - type: string - api_key: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: corspolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: corspolicy - plural: corspolicies - singular: corspolicy - shortNames: - - cp - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: 'Current Status of the CRD' - jsonPath: .status.state - - name: Message - type: string - description: 
'Status Message' - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'The list of Kubernetes services to which you want to apply the cors policies.' - type: array - items: - type: string - maxLength: 63 - allow_origin: - description: 'Represents list of allowed origins, it is used to screen the “origin” in the cors pre flight request' - type: array - items: - type: string - maxLength: 2083 - allow_methods: - description: 'Indicates which methods are supported by the response’s URL for the purposes of the CORS protocol. This variable will be used to set Access-Control-Allow-Methods in the pre-flight cors response.' - type: array - items: - type: string - maxLength: 127 - allow_headers: - description: 'Indicates which headers are supported by the response’s URL for the purposes of the CORS protocol. This variable will be used to set Access-Control-Allow-Headers in the pre-flight cors response.' - type: array - items: - type: string - maxLength: 127 - max_age: - description: 'Indicates the number of seconds (5 by default) the information provided by the `Access-Control-Allow-Methods` and `Access-Control-Allow-Headers` headers can be cached. This variable will be used to set Access-Control-Max-Age in the pre-flight cors response.' - type: integer - allow_credentials: - description: 'Indicates whether the response can be shared when the request’s credentials mode is "include". This variable will be set to Access-Control-Allow-Credentials in the rewrite action.' 
- type: boolean - required: [servicenames, allow_origin, allow_methods, allow_headers] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: appqoepolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: appqoepolicy - plural: appqoepolicies - singular: appqoepolicy - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - appqoe-policies: - type: array - items: - type: object - properties: - servicenames: - description: 'Name of the services that needs to be binded to appqoe policy.' - type: array - items: - type: string - maxLength: 127 - appqoe-policy: - type: object - properties: - operation-retry: - type: object - properties: - on-reset: - description: "To set Retry on Connection Reset or Not" - type: string - enum: ['YES','NO'] - on-timeout: - description: "Time in milliseconds for retry" - type: integer - minimum: 30 - maximum: 2000 - number-of-retries: - description: "To set number of retries" - type: integer - minimum: 1 - maximum: 7 - required: [operation-retry] - appqoe-criteria: - description: 'Expression against which traffic is evaluated.' - type: string - maxLength: 1299 - direction: - description: 'Bind point to which to bind the policy.' 
- type: string - enum: ["REQUEST","RESPONSE"] - required: [appqoe-criteria, operation-retry] - required: [appqoe-policy] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: wildcarddnsentries.citrix.com -spec: - group: citrix.com - names: - kind: wildcarddnsentry - plural: wildcarddnsentries - singular: wildcarddnsentry - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: Current Status of the CRD - jsonPath: .status.state - - name: Message - type: string - description: Status Message - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - zone: - type: object - description: DNS configuration for a zone - properties: - domain: - type: string - description: Domain name - dnsaddrec: - type: object - description: DNS Address record - properties: - domain-ip: - type: string - description: IPv4 addresses to assign to the domain name - ttl: - type: integer - description: >- - TTL is the time for which the record must be cached - by DNS proxies - dnsaaaarec: - type: object - description: DNS AAAA record - properties: - domain-ip: - type: string - description: IPv6 addresses to assign to the domain name - ttl: - type: integer - description: >- - TTL is the time for which the record must be cached - by DNS proxies - soarec: - type: object - description: SOA record - properties: - origin-server: - type: string - description: Origin server domain - contact: - type: string - description: Admin contact - serial: - type: integer - description: >- - The secondary server uses this parameter to - determine whether it requires a zone transfer from - the primary server. 
- refresh: - type: integer - description: >- - Time, in seconds, for which a secondary server must - wait between successive checks on the value of the - serial number. - retry: - type: integer - description: >- - Time, in seconds, between retries if a secondary server's - attempt to contact the primary server for a zone refresh fails. - expire: - type: integer - description: >- - Time, in seconds, after which the zone data on a secondary - nameserver can no longer be considered authoritative because - all refresh and retry attempts made during the period have failed." - nsrec: - type: object - description: Name server record - properties: - nameserver: - type: string - description: Host name of the name server to add to the domain. - ttl: - type: integer - description: >- - Time to Live (TTL), in seconds, for the record. TTL - is the time for which the record must be cached by - DNS proxies. The specified TTL is applied to all the - resource records that are of the same record type - and belong to the specified domain name ---- -{{- end }}
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.32.7/templates/citrix-k8s-cpx-ingress.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.32.7/templates/citrix-k8s-cpx-ingress.yaml
deleted file mode 100644
index d7d610ea01..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.32.7/templates/citrix-k8s-cpx-ingress.yaml
+++ /dev/null
@@ -1,422 +0,0 @@ -apiVersion: apps/v1 -{{- if or .Values.cpxBgpRouter .Values.daemonSet }} -kind: DaemonSet -{{- else }} -kind: Deployment -{{- end }} -metadata: - name: {{ include "citrix-cpx-ingress-controller.fullname" . }} - namespace: {{ .Release.Namespace }} -spec: - selector: - matchLabels: - app: {{ include "citrix-cpx-ingress-controller.fullname" . }} -{{- if not ( or .Values.cpxBgpRouter .Values.daemonSet ) }} - replicas: {{ .Values.replicaCount }} -{{- end }} - template: - metadata: - name: {{ include "citrix-cpx-ingress-controller.fullname" . }} - labels: - app: {{ include "citrix-cpx-ingress-controller.fullname" . }} - adc: "citrix" -{{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} -{{- end }} - spec: - serviceAccountName: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }} -{{- if .Values.cpxBgpRouter }} - hostNetwork: true -{{- end }} - containers: - - name: cpx-ingress - image: "{{ tpl .Values.image . }}" - imagePullPolicy: {{ .Values.pullPolicy }} - tty: true - securityContext: - privileged: true - env: - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace -{{- if .Values.cpxLicenseAggregator }} - - name: "CLA" - value: {{ .Values.cpxLicenseAggregator | quote }} -{{- else if .Values.ADMSettings.licenseServerIP }} - - name: "LS_IP" - value: {{ .Values.ADMSettings.licenseServerIP | quote }} - - name: "LS_PORT" - value: {{ .Values.ADMSettings.licenseServerPort | quote }} -{{- end }} - - name: "EULA" - value: "{{ .Values.license.accept }}" - - name: "KUBERNETES_TASK_ID" - value: "" -{{- if not .Values.cpxBgpRouter }} - - name: "MGMT_HTTP_PORT" - value: {{ .Values.mgmtHttpPort | quote }} - - name: "MGMT_HTTPS_PORT" - value: {{ .Values.mgmtHttpsPort | quote }} -{{- end }} -{{- if .Values.cpxBgpRouter }} - - name: NS_NETMODE - value: HOST -{{- if .Values.nsIP }} - - name: "NS_IP" 
- value: "{{ .Values.nsIP }}" -{{- end }} -{{- if .Values.nsGateway }} - - name: "NS_GATEWAY" - value: "{{ .Values.nsGateway }}" -{{- end }} -{{- end }} -{{- if .Values.ADMSettings.ADMIP }} - - name: "NS_MGMT_SERVER" - value: {{ .Values.ADMSettings.ADMIP | quote }} - - name: "NS_HTTP_PORT" - value: {{ .Values.mgmtHttpPort | quote }} - - name: "NS_HTTPS_PORT" - value: {{ .Values.mgmtHttpsPort | quote }} - - name: "LOGSTREAM_COLLECTOR_IP" - value: {{ .Values.ADMSettings.ADMIP | quote }} - - name: "ANALYTICS_SERVER" - value: {{ .Values.ADMSettings.ADMIP | quote }} - - name: "ANALYTICS_SERVER_PORT" - value: {{ .Values.ADMSettings.analyticsServerPort | quote }} -{{- end }} -##Need to set env var BANDWIDTH in order to provide Bandwidth license to Citrix ADC CPX from ADM or CPX License Aggregator -{{- if and ( or ( .Values.ADMSettings.licenseServerIP ) ( .Values.cpxLicenseAggregator ) ) ( eq .Values.ADMSettings.bandWidthLicense true ) }} - - name: "BANDWIDTH" - value: {{ .Values.ADMSettings.bandWidth | quote }} -{{- end }} -#for multiple-PE support, need to set CPX_CORES -{{- if or .Values.ADMSettings.licenseServerIP .Values.cpxLicenseAggregator }} -{{- if or ( eq .Values.ADMSettings.vCPULicense true ) ( eq .Values.ADMSettings.bandWidthLicense true ) }} - - name: "CPX_CORES" - value: {{ .Values.ADMSettings.cpxCores | default 1 | quote }} -{{- end }} -{{- end }} - - name: "EDITION" - value: {{ .Values.ADMSettings.licenseEdition }} -{{- if or (.Values.ADMSettings.ADMIP) (.Values.ADMSettings.licenseServerIP) }} - - name: NS_MGMT_USER - valueFrom: - secretKeyRef: - name: {{ required "Provide Secret for ADM/LicenseServer credentials" .Values.ADMSettings.loginSecret }} - key: username - - name: NS_MGMT_PASS - valueFrom: - secretKeyRef: - name: {{ required "Provide Secret for ADM/LicenseServer credentials" .Values.ADMSettings.loginSecret }} - key: password -{{- end }} -{{- if .Values.exporter.required }} - - name: "METRICS_EXPORTER_PORT" - value: {{ 
.Values.exporter.ports.containerPort | quote }} -{{- end }} - resources: - {{- toYaml .Values.resources | nindent 12 }} - volumeMounts: - - mountPath: /var/deviceinfo - name: shared-data - - mountPath: /cpx/ - name: cpx-volume - - mountPath: /cpx/conf - name: cpx-volume-conf -{{- if .Values.cic.required }} - # Add cic as a sidecar - - name: cic - image: "{{ tpl .Values.cic.image . }}" - imagePullPolicy: {{ .Values.cic.pullPolicy }} - env: - - name: "EULA" - value: "{{ .Values.license.accept }}" -{{- if .Values.cpxBgpRouter }} - - name: "NS_IP" - value: {{ .Values.nsIP | default "192.168.1.2" | quote }} -{{- else }} - - name: "NS_IP" - value: "127.0.0.1" -{{- end }} -{{- if .Values.rbacRole }} - - name: "SCOPE" - value: "local" -{{- end }} - - name: "NS_APPS_NAME_PREFIX" - value: {{ .Values.entityPrefix | default "k8s"| quote }} - - name: "NS_DEPLOYMENT_MODE" - value: "SIDECAR" -{{- if and .Values.openshift .Values.routeLabels }} - - name: "ROUTE_LABELS" - value: {{ .Values.routeLabels | quote}} -{{- end }} -{{- if and .Values.openshift .Values.namespaceLabels }} - - name: "NAMESPACE_LABELS" - value: {{ .Values.namespaceLabels | quote }} -{{- end }} -{{- if .Values.cpxBgpRouter }} -{{- if eq (upper .Values.nsProtocol) "HTTPS" }} - - name: NS_PROTOCOL - value: HTTPS - - name: NS_PORT - value: "9443" -{{- else }} - - name: NS_PROTOCOL - value: HTTP - - name: NS_PORT - value: "9080" -{{- end }} -{{- if .Values.bgpPort }} - - name: "BGP_PORT" - value: {{ .Values.bgpPort | quote }} -{{- end }} -{{- end }} - - name: "NS_ENABLE_MONITORING" - value: "YES" -{{- if .Values.logProxy }} - - name: "NS_LOGPROXY" - value: {{ .Values.logProxy | quote }} -{{- end }} -{{- if .Values.ingressIP }} - - name: "NS_VIP" - value: {{ .Values.ingressIP | quote }} -{{- end }} -{{- if .Values.nitroReadTimeout }} - - name: "NS_NITRO_READ_TIMEOUT" - value: "{{ .Values.nitroReadTimeout }}" -{{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: 
POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName -{{- if .Values.kubernetesURL }} - - name: "kubernetes_url" - value: "{{ .Values.kubernetesURL }}" -{{- end }} -{{- if .Values.disableOpenshiftRoutes }} - - name: "DISABLE_OPENSHIFT_ROUTES" - value: "{{ .Values.disableOpenshiftRoutes }}" -{{- end }} -{{- if .Values.nsConfigDnsRec }} - - name: "NS_CONFIG_DNS_REC" - value: "{{ .Values.nsConfigDnsRec }}" -{{- end }} -{{- if .Values.nsSvcLbDnsRec }} - - name: "NS_SVC_LB_DNS_REC" - value: "{{ .Values.nsSvcLbDnsRec }}" -{{- end }} -{{- if .Values.optimizeEndpointBinding }} - - name: "OPTIMIZE_ENDPOINT_BINDING" - value: "{{ .Values.optimizeEndpointBinding }}" -{{- end }} -{{- if .Values.cpxBgpRouter }} - securityContext: - runAsUser: 0 - capabilities: - add: - - NET_ADMIN -{{- end }} - args: - - --configmap - {{ .Release.Namespace }}/{{ include "cpxconfigmap.fullname" . }} -{{- if .Values.ipam }} - - --ipam - citrix-ipam-controller -{{- end }} -{{- if .Values.disableAPIServerCertVerify }} - - --disable-apiserver-cert-verify - {{ .Values.disableAPIServerCertVerify }} -{{- end }} -{{- if .Values.cpxBgpRouter }} - - --deployment-type - kube-bgp-router -{{- end }} -{{- if .Values.ingressClass }} - - --ingress-classes -{{- range .Values.ingressClass}} - {{.}} -{{- end }} -{{- end }} -{{- if .Values.defaultSSLCertSecret }} - - --default-ssl-certificate - {{ .Release.Namespace }}/{{ .Values.defaultSSLCertSecret }} -{{- end }} -{{- end }} -{{- if .Values.updateIngressStatus }} -{{- if .Values.cpxBgpRouter }} - - --update-ingress-status - yes -{{- else }} - - --cpx-service - {{ .Release.Namespace }}/{{ include "cpxservice.fullname" . 
}} -{{- end }} -{{- end }} - volumeMounts: - - mountPath: /var/deviceinfo - name: shared-data - resources: - {{- toYaml .Values.cic.resources | nindent 12 }} -{{- if .Values.exporter.required }} - - name: exporter - image: "{{ tpl .Values.exporter.image . }}" - imagePullPolicy: {{ .Values.exporter.pullPolicy }} - args: - - "--secure=no" -{{- if .Values.cpxBgpRouter }} - - --target-nsip={{ .Values.nsIP | default "192.168.1.2" }}:9080 -{{- else }} - - "--target-nsip=127.0.0.1" -{{- end }} - - "--port={{ .Values.exporter.ports.containerPort }}" - env: - - name: "NS_DEPLOYMENT_MODE" - value: "SIDECAR" - securityContext: - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /var/deviceinfo - name: shared-data - resources: - {{- toYaml .Values.exporter.resources | nindent 12 }} -{{- end }} - volumes: - - name: shared-data - emptyDir: {} - - name: cpx-volume - emptyDir: {} - - name: cpx-volume-conf - emptyDir: {} -{{- if and .Values.nodeSelector.key .Values.nodeSelector.value }} - nodeSelector: - {{ .Values.nodeSelector.key }}: {{ .Values.nodeSelector.value }} -{{- end }} -{{- if .Values.tolerations }} - tolerations: {{ .Values.tolerations | toYaml | nindent 8 }} -{{- end }} -{{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} -{{- end }} - ---- -{{- if .Values.cpxBgpRouter }} -{{- if .Values.exporter.required }} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "cpxexporter.fullname" . }} - labels: - app: {{ include "cpxexporter.fullname" . }} - service-type: {{ include "cpxservicemonitorlabel" . }} -spec: - type: ClusterIP - ports: - - port: {{ .Values.exporter.ports.containerPort }} - targetPort: {{ .Values.exporter.ports.containerPort }} - name: exporter-port - selector: - app: {{ include "citrix-cpx-ingress-controller.fullname" . }} -{{- end }} -{{- else }} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "cpxservice.fullname" . }} - labels: - app: cpx-service - service-type: {{ include "cpxservicemonitorlabel" . 
}} -{{- if .Values.serviceAnnotations }} - annotations: -{{- with .Values.serviceAnnotations }} -{{ toYaml . | indent 4 }} -{{- end }} -{{- end }} -spec: -{{- if or .Values.serviceType.loadBalancer.enabled ( and (.Values.updateIngressStatus) (not .Values.cpxBgpRouter)) }} - externalTrafficPolicy: {{ .Values.serviceSpec.externalTrafficPolicy }} - type: LoadBalancer -{{- if .Values.serviceSpec.loadBalancerIP }} - loadBalancerIP: {{ .Values.serviceSpec.loadBalancerIP }} -{{- end }} -{{- else if .Values.serviceType.nodePort.enabled }} - type: NodePort - externalTrafficPolicy: {{ .Values.serviceSpec.externalTrafficPolicy }} -{{- end }} -{{- if and .Values.serviceType.loadBalancer.enabled .Values.serviceSpec.loadBalancerSourceRanges }} - loadBalancerSourceRanges: -{{- range .Values.serviceSpec.loadBalancerSourceRanges}} - - {{.}} -{{- end }} -{{- end }} - ports: -{{- if .Values.servicePorts }} -{{- with .Values.servicePorts }} -{{ toYaml . | indent 2 }} -{{- end }} -{{- else }} - - port: 80 - protocol: TCP - name: http -{{- if and .Values.serviceType.nodePort.enabled .Values.serviceType.nodePort.httpPort }} - nodePort: {{ .Values.serviceType.nodePort.httpPort }} -{{- end }} - - port: 443 - protocol: TCP - name: https -{{- if and .Values.serviceType.nodePort.enabled .Values.serviceType.nodePort.httpsPort }} - nodePort: {{ .Values.serviceType.nodePort.httpsPort}} -{{- end }} -{{- end }} -{{- if .Values.exporter.required }} - - port: {{ .Values.exporter.ports.containerPort }} - targetPort: {{ .Values.exporter.ports.containerPort }} - name: exporter-port -{{- end }} - selector: - app: {{ include "citrix-cpx-ingress-controller.fullname" . }} -{{- end }} - ---- - -{{- if .Values.exporter.required }} - -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ include "cpxservicemonitor.fullname" . 
}} - namespace: {{ .Release.Namespace }} - labels: - servicemonitor: citrix-adc-cpx -spec: - endpoints: - - interval: 30s - port: exporter-port - selector: - matchLabels: - service-type: {{ include "cpxservicemonitorlabel" . }} - namespaceSelector: - matchNames: - - monitoring - - default - - {{ .Release.Namespace }} - -{{- end }} diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.32.7/templates/configmap.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.32.7/templates/configmap.yaml deleted file mode 100644 index ac7aab2a29..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.32.7/templates/configmap.yaml +++ /dev/null 
@@ -1,86 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "cpxconfigmap.fullname" . }} - namespace: {{ .Release.Namespace }} -data: - LOGLEVEL: {{ .Values.logLevel | quote | lower }} - JSONLOG: {{ .Values.jsonLog | quote | lower }} -{{- if eq (upper .Values.nsProtocol) "HTTPS" }} - NS_PROTOCOL: "https" -{{- if .Values.cpxBgpRouter }} - NS_PORT: "9443" -{{- else }} - NS_PORT: "443" -{{- end }} -{{- else }} - NS_PROTOCOL: "http" -{{- if .Values.cpxBgpRouter }} - NS_PORT: "9080" -{{- else }} - NS_PORT: "80" -{{- end }} -{{- end }} - -{{- if ne (upper .Values.nsHTTP2ServerSide) "OFF" }} - NS_HTTP2_SERVER_SIDE: {{ .Values.nsHTTP2ServerSide | quote }} -{{- end }} -{{- if ne (toString .Values.nsCookieVersion) "0" }} - NS_COOKIE_VERSION: {{ .Values.nsCookieVersion | quote }} -{{- end }} -{{- if .Values.nsDnsNameserver }} - NS_DNS_NAMESERVER: {{ .Values.nsDnsNameserver }} -{{- end }} - -{{- if .Values.analyticsConfig.required }} - NS_ANALYTICS_CONFIG: | - distributed_tracing: - enable: {{ .Values.analyticsConfig.distributedTracing.enable | quote }} - samplingrate: {{ .Values.analyticsConfig.distributedTracing.samplingrate }} - endpoint: - server: {{ include "analytics.server" . | quote }} - service: {{ .Values.analyticsConfig.endpoint.service | quote }} - timeseries: - port: {{ .Values.analyticsConfig.timeseries.port }} - metrics: - enable: {{ .Values.analyticsConfig.timeseries.metrics.enable | quote }} - mode: {{ .Values.analyticsConfig.timeseries.metrics.mode | quote }} - auditlogs: - enable: {{ .Values.analyticsConfig.timeseries.auditlogs.enable | quote }} - events: - enable: {{ .Values.analyticsConfig.timeseries.events.enable | quote }} - transactions: - enable: {{ .Values.analyticsConfig.transactions.enable | quote }} - port: {{ .Values.analyticsConfig.transactions.port }} -{{- end }} - -{{- if .Values.cpxBgpRouter }} -{{- if .Values.bgpSettings.required }} - NS_BGP_CONFIG: | -{{- with .Values.bgpSettings.bgpConfig }} - bgpConfig: -{{ toYaml . 
| indent 4 }} -{{- end }} -{{- end }} -{{- end }} - -{{- if .Values.nsLbHashAlgo.required }} - NS_LB_HASH_ALGO: | - hashFingers: {{ .Values.nsLbHashAlgo.hashFingers }} - hashAlgorithm: {{ .Values.nsLbHashAlgo.hashAlgorithm | quote }} -{{- end }} - -{{- if .Values.profileSslFrontend }} - FRONTEND_SSL_PROFILE: | - {{- toYaml .Values.profileSslFrontend | nindent 4 }} -{{- end }} - -{{- if .Values.profileTcpFrontend }} - FRONTEND_TCP_PROFILE: | - {{- toYaml .Values.profileTcpFrontend | nindent 4 }} -{{- end }} - -{{- if .Values.profileHttpFrontend }} - FRONTEND_HTTP_PROFILE: | - {{- toYaml .Values.profileHttpFrontend | nindent 4 }} -{{- end }} \ No newline at end of file diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.32.7/templates/ingressclass.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.32.7/templates/ingressclass.yaml deleted file mode 100644 index d75537b79f..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.32.7/templates/ingressclass.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{- $default := .Values.setAsDefaultIngressClass -}} -{{- if semverCompare ">=1.19.0-0" .Capabilities.KubeVersion.GitVersion }} -{{- if .Values.ingressClass }} -{{- range .Values.ingressClass }} -apiVersion: networking.k8s.io/v1 -kind: IngressClass -metadata: - name: {{ . | quote }} -{{- if $default }} - annotations: - ingressclass.kubernetes.io/is-default-class: "true" -{{- end }} -spec: - controller: citrix.com/ingress-controller ---- -{{- end }} -{{- end }} -{{- end }} diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.32.7/templates/rbac.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.32.7/templates/rbac.yaml deleted file mode 100644 index d812e76751..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.32.7/templates/rbac.yaml +++ /dev/null 
@@ -1,106 +0,0 @@ -{{- if not .Values.rbacRole }} -kind: ClusterRole -{{- else }} -kind: Role -{{- end }} -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }} -{{- if .Values.rbacRole }} - namespace: {{ .Release.Namespace }} -{{- end }} -rules: - - apiGroups: [""] -{{- if .Values.openshift }} - resources: ["endpoints", "pods", "secrets", "routes", "tokenreviews", "subjectaccessreviews", "nodes", "namespaces", "configmaps", "services"] -{{- else }} - resources: ["endpoints", "pods", "secrets", "routes", "nodes", "namespaces", "configmaps", "services"] -{{- end }} - verbs: ["get", "list", "watch"] - # services/status is needed to update the loadbalancer IP in service status for integrating - # service of type LoadBalancer with external-dns - - apiGroups: [""] - resources: ["services/status"] - verbs: ["patch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create"] - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["extensions","networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["patch"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingressclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apps"] - resources: ["deployments"] - verbs: ["get", "list", "watch"] - - apiGroups: ["citrix.com"] - resources: ["rewritepolicies", "continuousdeployments", "authpolicies", "ratelimits", "listeners", "httproutes", "wafs", "apigatewaypolicies", "bots", "corspolicies", "appqoepolicies", "wildcarddnsentries"] - verbs: ["get", "list", "watch", "create", "delete", "patch"] - - apiGroups: ["citrix.com"] - resources: ["rewritepolicies/status", "continuousdeployments/status", "authpolicies/status", "ratelimits/status", "listeners/status", "httproutes/status", "wafs/status", 
"apigatewaypolicies/status", "bots/status", "corspolicies/status", "appqoepolicies/status", "wildcarddnsentries/status"] - verbs: ["patch"] - - apiGroups: ["citrix.com"] - resources: ["vips"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: ["crd.projectcalico.org"] - resources: ["ipamblocks"] - verbs: ["get", "list", "watch"] -{{- if .Values.openshift }} - - apiGroups: ["route.openshift.io"] - resources: ["routes"] - verbs: ["get", "list", "watch"] - - apiGroups: ["network.openshift.io"] - resources: ["hostsubnets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["config.openshift.io"] - resources: ["networks"] - verbs: ["get", "list"] -{{- end }} - ---- - -{{- if not .Values.rbacRole }} -kind: ClusterRoleBinding -{{- else }} -kind: RoleBinding -{{- end }} -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }} -{{- if .Values.rbacRole }} - namespace: {{ .Release.Namespace }} -{{- end }} -roleRef: - apiGroup: rbac.authorization.k8s.io -{{- if not .Values.rbacRole }} - kind: ClusterRole -{{- else }} - kind: Role -{{- end }} - name: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }} -subjects: -- kind: ServiceAccount - name: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- if .Values.imagePullSecrets }} -imagePullSecrets: -{{- range .Values.imagePullSecrets }} -- name: {{.}} -{{- end }} -{{- end }} - diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.32.7/values.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.32.7/values.yaml deleted file mode 100644 index da75965bf7..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.32.7/values.yaml +++ /dev/null 
@@ -1,244 +0,0 @@ -# Default values for citrix-cpx-with-ingress-controller. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -# Citrix ADC CPX config details -imageRegistry: quay.io -imageRepository: citrix/citrix-k8s-cpx-ingress -imageTag: 13.1-37.38 -image: "{{ .Values.imageRegistry }}/{{ .Values.imageRepository }}:{{ .Values.imageTag }}" -pullPolicy: IfNotPresent -imagePullSecrets: [] -daemonSet: False -nameOverride: "" -replicaCount: 1 -fullnameOverride: "" -mgmtHttpPort: 9080 -mgmtHttpsPort: 9443 -openshift: false -nsHTTP2ServerSide: "OFF" -nsCookieVersion: "0" -nsConfigDnsRec: -nsSvcLbDnsRec: -nsDnsNameserver: -optimizeEndpointBinding: -routeLabels: -namespaceLabels: - -# Service Type LoadBalancer and ingress support with CPX through BGP advertisement -# If you enable this, CPX is run as DaemonSet. Please edit the bgpSettings for configuring -# BGP neighbors for propgation of external IPs. -cpxBgpRouter: false - -# If cpxBgpRouter is true, then this is the NSIP used by CPX for internal communication -nsIP: 192.168.1.2 - -# If cpxBgpRouter is true, then this is the Gateway used by CPX for internal communication -nsGateway: 192.168.1.1 - -# Protocol used for communication between Citrix Ingress Controller sidecar and Citrix CPX -nsProtocol: http - -# External IP for ingress resource when bgpRouter is set to True -ingressIP: - -# If IPAM controller is used for auto allocation of the external IP for service of type LoadBalancer, set this option to true -ipam: False - -# Enable RBAC role (so called local role), by default CIC deployed with ClusterRole. 
-# below variable to deploy CIC with RBAC role, only ingress service supported with this config -rbacRole: False - -# API server Cert verification can be disabled, while communicating with API Server, if disableAPIServerCertVerify set to True -disableAPIServerCertVerify: False - -cpxLicenseAggregator: - -sslCertManagedByAWS: False - -nodeSelector: - key: - value: -tolerations: [] - -serviceType: - loadBalancer: - enabled: False - nodePort: - enabled: False - httpPort: - httpsPort: - -serviceAnnotations: {} - -serviceSpec: - externalTrafficPolicy: "Cluster" - loadBalancerIP: - loadBalancerSourceRanges: [] - -servicePorts: [] - -# Citrix Ingress Controller config details -cic: - imageRegistry: quay.io - imageRepository: citrix/citrix-k8s-ingress-controller - imageTag: 1.32.7 - image: "{{ .Values.cic.imageRegistry }}/{{ .Values.cic.imageRepository }}:{{ .Values.cic.imageTag }}" - pullPolicy: IfNotPresent - required: true - resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # Following values depends on no of ingresses configured by Ingress Controllers, so it is - # advised to test with maximum no of ingresses to set these values. 
- # limits: - # cpu: 1000m - # memory: 1000Mi - # requests: - # cpu: 250m - # memory: 256Mi -entityPrefix: -license: - accept: no -ingressClass: -setAsDefaultIngressClass: False -# nitroReadTimeout is timeout value in seconds for nitro api read timeout(default is 20) -nitroReadTimeout: -logLevel: INFO -jsonLog: false -defaultSSLCertSecret: -updateIngressStatus: False -logProxy: -kubernetesURL: -disableOpenshiftRoutes: -profileSslFrontend: {} - # preconfigured: my_ssl_profile - # OR - # config: - # tls13: 'ENABLED' - # hsts: 'ENABLED' -profileHttpFrontend: {} - # preconfigured: my_http_profile - # OR - # config: - # dropinvalreqs: 'ENABLED' - # websocket: 'ENABLED' -profileTcpFrontend: {} - # preconfigured: my_tcp_profile - # OR - # config: - # sack: 'ENABLED' - # nagle: 'ENABLED' - - -# Citrix ADM/License Server config details -ADMSettings: - licenseServerIP: - licenseServerPort: 27000 - ADMIP: - loginSecret: - bandWidthLicense: false - bandWidth: 1000 #bandwidth value shoule be in Mbps - vCPULicense: false - cpxCores: - analyticsServerPort: 5557 - licenseEdition: PLATINUM - -# Exporter config details -exporter: - required: false - imageRegistry: quay.io - imageRepository: citrix/citrix-adc-metrics-exporter - imageTag: 1.4.9 - image: "{{ .Values.exporter.imageRegistry }}/{{ .Values.exporter.imageRepository }}:{{ .Values.exporter.imageTag }}" - pullPolicy: IfNotPresent - ports: - containerPort: 8888 - resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
- # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - - -# For CRDs supported by Citrix Ingress Controller -crds: - install: false - retainOnDelete: false - -# Config required to be done by Citrix Ingress Controller for sending metrics to Citrix Observability Exporter -analyticsConfig: - required: false - distributedTracing: - enable: false - samplingrate: 100 - endpoint: - server: - service: - timeseries: - port: 5563 - metrics: - enable: false - mode: 'avro' - auditlogs: - enable: false - events: - enable: false - transactions: - enable: false - port: 5557 - -# BGP configurations: local AS, remote AS and remote address is mandatory to provide. Please do the approrpiate changes with respect to your environment -bgpSettings: - # When bgpConfig is configured correctly, set the required to true for the configuration to be applied. - required: false - bgpConfig: - - bgpRouter: - # Local AS number for BGP advertisement - localAS: 100 - neighbor: - # Address of the nighbor router for BGP advertisement - - address: - # Remote AS number - remoteAS: 100 - advertisementInterval: 10 - ASOriginationInterval: 10 - -bgpPort: - -nsLbHashAlgo: - required: false - hashFingers: 256 - hashAlgorithm: 'DEFAULT' - -# Specifies whether a ServiceAccount should be created -serviceAccount: - create: true - # The name of the ServiceAccount to use. - # If not set and `create` is true, a name is generated using the fullname template - # name: - -podAnnotations: {} - -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:' - # This is the resource for CPX container. 
- # limits: - # cpu: 500m - # memory: 512Mi - # requests: - # cpu: 100m - # memory: 128Mi - -affinity: {} diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.33.4/Chart.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.33.4/Chart.yaml deleted file mode 100644 index 68c777ae0f..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.33.4/Chart.yaml +++ /dev/null @@ -1,22 +0,0 @@ -annotations: - catalog.cattle.io/certified: partner - catalog.cattle.io/display-name: Citrix Cpx with Ingress Controller - catalog.cattle.io/kube-version: '>=v1.16.0-0' - catalog.cattle.io/release-name: citrix-cpx-with-ingress-controller -apiVersion: v2 -appVersion: 1.33.4 -deprecated: true -description: A Helm chart for Citrix ADC CPX with Citrix ingress Controller running - as sidecar. -home: https://www.cloud.com -icon: https://raw.githubusercontent.com/citrix/citrix-helm-charts/gh-pages/icon.png -kubeVersion: '>=v1.16.0-0' -maintainers: -- email: priyanka.sharma@cloud.com - name: priyankash-citrix -- email: subash.dangol@cloud.com - name: subashd -name: citrix-cpx-with-ingress-controller -sources: -- https://github.com/citrix/citrix-k8s-ingress-controller -version: 1.33.4 diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.33.4/README.md b/charts/citrix/citrix-cpx-with-ingress-controller/1.33.4/README.md deleted file mode 100644 index e05568851f..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.33.4/README.md +++ /dev/null 
@@ -1,576 +0,0 @@ -# Citrix ADC CPX with Citrix Ingress Controller running as sidecar. - -In a [Kubernetes](https://kubernetes.io/) or [OpenShift](https://www.openshift.com) cluster, you can deploy [Citrix ADC CPX](https://docs.citrix.com/en-us/citrix-adc-cpx) with Citrix ingress controller as a [sidecar](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/). The Citrix ADC CPX instance is used for load balancing the North-South traffic to the microservices in your cluster. And, the sidecar Citrix ingress controller configures the Citrix ADC CPX. - -## TL;DR; - -### For Kubernetes - ``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes - ``` - - To install Citrix Provided Custom Resource Definition(CRDs) along with Citrix Ingress Controller - ``` - helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,crds.install=true - ``` - -### For OpenShift - - ``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,openshift=true - ``` - - To install Citrix Provided Custom Resource Definition(CRDs) along with Citrix Ingress Controller - ``` - helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,openshift=true,crds.install=true - ``` - -> **Important:** -> -> The "license.accept" is a mandatory argument and should be set to "yes" to accept the terms of the Citrix license. - - -## Introduction -This Helm chart deploys a Citrix ADC CPX with Citrix ingress controller as a sidecar in the [Kubernetes](https://kubernetes.io/) or in the [Openshift](https://www.openshift.com) cluster using the [Helm](https://helm.sh/) package manager. 
- -### Prerequisites - -- The [Kubernetes](https://kubernetes.io/) version should be 1.16 and above if using Kubernetes environment. -- The [Openshift](https://www.openshift.com) version 4.8 or later if using OpenShift platform. -- The [Helm](https://helm.sh/) version 3.x or later. You can follow instruction given [here](https://github.com/citrix/citrix-helm-charts/blob/master/Helm_Installation_version_3.md) to install the same. -- You have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator), if you want to view the metrics of the Citrix ADC CPX collected by the [metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics). -- Registration of Citrix ADC CPX in ADM: You may want to register your CPX in ADM for licensing or to obtain [servicegraph](https://docs.citrix.com/en-us/citrix-application-delivery-management-service/application-analytics-and-management/service-graph.html). For this you will have to create a Kubernetes secret using ADM credentials and provide it while install the chart. Create a Kubernetes secret for the user name and password using the following command: - - ``` - kubectl create secret generic admlogin --from-literal=username= --from-literal=password= -n citrix-system - ``` - -## Installing the Chart -Add the Citrix Ingress Controller helm chart repository using command: - - ``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - ``` - -### For Kubernetes: -#### 1. Citrix ADC CPX with Citrix Ingress Controller running as side car. -To install the chart with the release name ``` my-release```: - - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,ingressClass[0]= - ``` - -> **Note:** -> -> By default the chart installs the recommended [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) roles and role bindings. 
- -The command deploys Citrix ADC CPX with Citrix ingress controller as a sidecar on the Kubernetes cluster with the default configuration. The [configuration](#configuration) section lists the mandatory and optional parameters that you can configure during installation. - -#### 2. Citrix ADC CPX with Citrix Ingress Controller and Exporter running as side car. -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed as sidecar to the Citrix ADC CPX and collects metrics from the Citrix ADC CPX instance. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. -> **Note:** -> -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). - -Use the following command for this: - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,ingressClass[0]=,exporter.required=true - ``` - -### For OpenShift: -Add the name of the service account created when the chart is deployed to the privileged Security Context Constraints of OpenShift: - - ``` - oc adm policy add-scc-to-user privileged system:serviceaccount:: - ``` - -#### 1. Citrix ADC CPX with Citrix Ingress Controller running as side car. -To install the chart with the release name, `my-release`, use the following command: - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,openshift=true - ``` - -#### 2. Citrix ADC CPX with Citrix Ingress Controller and Exporter running as side car. -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed as sidecar to the Citrix ADC CPX and collects metrics from the Citrix ADC CPX instance. 
You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. -> **Note:** -> -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). - -Use the following command for this: - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,openshift=true,exporter.required=true - ``` - -### Installed components - -The following components are installed: - -- [Citrix ADC CPX](https://docs.citrix.com/en-us/citrix-adc-cpx/netscaler-cpx.html) -- [Citrix ingress controller](https://github.com/citrix/citrix-k8s-ingress-controller) (if enabled) -- [Exporter](https://github.com/citrix/citrix-adc-metrics-exporter) (if enabled) - - -### Citrix ADC CPX Service Annotations: - - The parameter `serviceAnnotations` can be used to annotate CPX service while installing Citrix ADC CPX using this helm chart. 
- For example, if CPX is getting deployed in Azure and an Azure Internal Load Balancer is required before CPX then the annotation `service.beta.kubernetes.io/azure-load-balancer-internal:True` can be set in CPX service using Helm command: - - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,serviceAnnotations.service\\.beta\\.kubernetes\\.io/azure-load-balancer-internal=True - ``` - - or the same can be provided in [values.yaml](https://github.com/citrix/citrix-helm-charts/blob/master/citrix-cpx-with-ingress-controller/values.yaml): - - ``` - license: - accept: yes - serviceAnnotations: - service.beta.kubernetes.io/azure-load-balancer-internal: True - ``` - - which can be used to install Citrix ADC CPX using Helm command: - - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller -f values.yaml - ``` - - To know more about service annotations supported by Kubernetes on various platforms please see [this](https://kubernetes.io/docs/concepts/services-networking/service/). - -### Citrix ADC CPX Service Ports: - - By default, port 80 and 443 of CPX service will exposed when CPX is installed using this helm chart. If it is required to expose any other ports in CPX service then the parameter `servicePorts` can be used for it. 
- For example, if port 9999 is required to be exposed then below helm command can be used for installing Citrix ADC CPX: - - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,servicePorts[0].port=9999,servicePorts[0].protocol=TCP,servicePorts[0].name=https - ``` - - or the same can be provided in [values.yaml](https://github.com/citrix/citrix-helm-charts/blob/master/citrix-cpx-with-ingress-controller/values.yaml): - - ``` - license: - accept: yes - servicePorts: - - port: 9090 - protocol: TCP - name: https - ``` - - which can be used to install Citrix ADC using Helm command: - - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller -f values.yaml - ``` - -> **Note:** If `servicePorts` parameters is used, only ports provided in this parameter will be exposed in CPX service. -> If you want to expose default ports 80 or 443, then you will need to explicity mention these also in this parameter. - -### Configuration for ServiceGraph: - If Citrix ADC CPX need to send data to the Citrix ADM to bring up the servicegraph, then the below steps can be followed to install Citrix ADC CPX with ingress controller. Citrix ingress controller configures Citrix ADC CPX with the configuration required for servicegraph. - - 1. Create secret using Citrix ADC Agent credentials, which will be used by Citrix ADC CPX to communicate with Citrix ADM Agent: - - kubectl create secret generic admlogin --from-literal=username= --from-literal=password= - - 2. 
Deploy Citrix ADC CPX with Citrix ingress controller using helm command: - - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,analyticsConfig.required=true,analyticsConfig.timeseries.metrics.enable=true,analyticsConfig.distributedTracing.enable=true,analyticsConfig.endpoint.server=,ADMSettings.ADMIP=,ADMSettings.loginSecret= - -> **Note:** -> If container agent is being used here for Citrix ADM, please provide `svcIP` of container agent in the `analyticsConfig.endpoint.server` parameter. - -## Citrix ADC CPX DaemonSet with Citrix Ingress Controller as sidecar for BGP Advertisement - - The previous section of deploying CPX as a Deployment requires a Tier-1 Loadbalancer such as Citrix VPX or cloud loadbalancers to route the traffic to CPX instances running in Kubernetes cluster, but you can also leverage BGP network fabric in your on-prem environemnt to route the traffic to CPX instances in a Kubernetes or Openshift cluster. you need to deploy CPX with Citrix Ingress Controller as Daemonset to advertise the ExternalIPs of the K8s services of type LoadBalancer to your BGP Fabric. Citrix ADC CPX establishes a BGP peering session with your network routers, and uses that peering session to advertise the IP addresses of external cluster services. If your routers have ECMP capability, the traffic is load-balanced to multiple CPX instances by the upstream router, which in turn load-balances to actual application pods. When you deploy the Citrix ADC CPX with this mode, Citrix ADC CPX adds iptables rules for each service of type LoadBalancer on Kubernetes nodes. The traffic destined to the external IP address is routed to Citrix ADC CPX pods. You can also set the 'ingressIP' variable to an IP Address to advertise the External IP address for Ingress resources. Refer [documentation](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/cpx-bgp-router.md) for complete details about BGP advertisement with CPX. 
- -### Download the chart -You can download the chart usimg `helm pull` command. -``` -helm repo add citrix https://citrix.github.io/citrix-helm-charts/ -helm pull citrix/citrix-cpx-with-ingress-controller -tar -zxvf citrix-cpx-with-ingress-controller-x.y.z.tgz -``` - -### Edit the BGP configuration in values.yaml -BGP configurations enables CPX to peer with neighbor routers for advertisting the routes for Service of Type LoadBalancer. Citrix Ingress Controllers uses static IPs given in Service YAML or using an IPAM controller to allocate an External IP address, and same is advertisted to the neighbour router with the Gateway as Node IP. An example BGP configurations is given below. - -``` -# BGP configurations: local AS, remote AS and remote address is mandatory to provide. -bgpSettings: - required: true - bgpConfig: - - bgpRouter: - # Local AS number for BGP advertisement - localAS: - neighbor: - # Address of the nighbor router for BGP advertisement - - address: xx.xx.xx.xx - # Remote AS number - remoteAS: - advertisementInterval: 10 - ASOriginationInterval: 10 -``` -If the cluster spawns across multiple networks, you can also specify the NodeSelector to give different neighbors for different Cluster Nodes as shown below. - -``` -bgpSettings: - required: true - bgpConfig: - - nodeSelector: datacenter=ds1 - bgpRouter: - localAS: - neighbor: - - address: xx.xx.xx.xx - remoteAS: - advertisementInterval: 10 - ASOriginationInterval: 10 - - nodeSelector: datacenter=ds2 - bgpRouter: - localAS: - neighbor: - - address: yy.yy.yy.yy - remoteAS: - advertisementInterval: 10 - ASOriginationInterval: 10 -``` - -### Deploy the chart -#### For Kubernetes: -#### 1. Citrix ADC CPX DaemonSet with Citrix Ingress Controller running as side car for BGP Advertisement. 
- - -To install the chart with the release name ``` my-release```: - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true - ``` -If you are running Citrix IPAM for auto allocation of IPs for Service of type LoadBalancer, you must enable the IPAM configurations in Citrix Ingress Controller as show below: - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ipam=true - ``` -If you are using ingress resources, you must set the `ingressIP` to a valid IP Address which will enable the BGP route advertisement for this IP when ingress resource is deployed. - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ingressIP= - ``` - -> **Note:** -> -> By default the chart installs the recommended [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) roles and role bindings. - -The command deploys Citrix ADC CPX Daemonset with Citrix ingress controller as a sidecar on the Kubernetes cluster with the default configuration. The [configuration](#configuration) section lists the mandatory and optional parameters that you can configure during installation. - -#### 2. Citrix ADC CPX with Citrix Ingress Controller and Exporter running as side car for BGP Advertisement. -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed as sidecar to the Citrix ADC CPX and collects metrics from the Citrix ADC CPX instance. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. -> **Note:** -> -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). 
- -Use the following command for this: - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,exporter.required=true - ``` -If you are running Citrix IPAM controller for auto allocation of IPs for Service of type LoadBalancer, you must enable the IPAM configurations in Citrix Ingress Controller as show below: - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ipam=true,exporter.required=true - ``` -If you are using ingress resources, you must set the `ingressIP` to a valid IP Address which will enable the BGP route advertisement for this IP when ingress resource is deployed. - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ingressIP=, exporter.required=true - ``` - -#### For OpenShift: -Add the name of the service account created when the chart is deployed to the privileged Security Context Constraints of OpenShift: - - ``` - oc adm policy add-scc-to-user privileged system:serviceaccount:: - ``` - -#### 1. Citrix ADC CPX DaemonSet with Citrix Ingress Controller running as side car for BGP Advertisement. -To install the chart with the release name, `my-release`, use the following command: - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,openshift=true - ``` -If you are running Citrix IPAM controller for auto allocation of IPs for Service of type LoadBalancer, you must enable the IPAM configurations in Citrix Ingress Controller as show below: - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ipam=true,openshift=true - ``` - - If you are using ingress or Route resources, you must set the `ingressIP` to a valid IP Address which will enable the BGP route advertisement for this IP when ingress resource is deployed. 
- - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ingressIP=,openshift=true - ``` - -#### 2. Citrix ADC CPX with Citrix Ingress Controller and Exporter running as side car for BGP Advertisement. -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed as sidecar to the Citrix ADC CPX and collects metrics from the Citrix ADC CPX instance. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. -> **Note:** -> -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). - -Use the following command for this: - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,openshift=true,openshift=true,exporter.required=true - ``` -If you are running Citrix IPAM controller for auto allocation of IPs for Service of type LoadBalancer, you must enable the IPAM configurations in Citrix Ingress Controller as show below: - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ipam=true,openshift=true,exporter.required=true - ``` - -If you are using ingress or Route resources, you must set the `ingressIP` to a valid IP Address which will enable the BGP route advertisement for this IP when ingress resource is deployed. - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ingressIP=,openshift=true,exporter.required=true - ``` - -## CRDs configuration - -CRDs can be installed/upgraded when we install/upgrade Citrix ADC CPX with Citrix ingress controller using `crds.install=true` parameter in Helm. If you do not want to install CRDs, then set the option `crds.install` to `false`. 
By default, CRDs too get deleted if you uninstall through Helm. This means, even the CustomResource objects created by the customer will get deleted. If you want to avoid this data loss set `crds.retainOnDelete` to `true`. - -> **Note:** -> Installing again may fail due to the presence of CRDs. Make sure that you back up all CustomResource objects and clean up CRDs before re-installing Citrix ADC CPX with Citrix ingress controller. - -There are a few examples of how to use these CRDs, which are placed in the folder: [Example-CRDs](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds). Refer to them and install as needed, using the following command: -```kubectl create -f ``` - -### Details of the supported CRDs: - -#### authpolicies CRD: - -Authentication policies are used to enforce access restrictions to resources hosted by an application or an API server. - -Citrix provides a Kubernetes CustomResourceDefinitions (CRDs) called the [Auth CRD](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/auth) that you can use with the Citrix ingress controller to define authentication policies on the ingress Citrix ADC. - -Example file: [auth_example.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/auth_example.yaml) - -#### continuousdeployments CRD for canary: - -Canary release is a technique to reduce the risk of introducing a new software version in production by first rolling out the change to a small subset of users. After user validation, the application is rolled out to the larger set of users. Citrix ADC-Integrated [Canary Deployment solution](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/canary) stitches together all components of continuous delivery (CD) and makes canary deployment easier for the application developers. 
- -#### httproutes and listeners CRDs for contentrouting: - -[Content Routing (CR)](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/contentrouting) is the execution of defined rules that determine the placement and configuration of network traffic between users and web applications, based on the content being sent. For example, a pattern in the URL or header fields of the request. - -Example files: [HTTPRoute_crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/HTTPRoute_crd.yaml), [Listener_crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/Listener_crd.yaml) - -#### ratelimits CRD: - -In a Kubernetes deployment, you can [rate limit the requests](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/ratelimit) to the resources on the back end server or services using rate limiting feature provided by the ingress Citrix ADC. - -Example files: [ratelimit-example1.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/ratelimit-example1.yaml), [ratelimit-example2.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/ratelimit-example2.yaml) - -#### vips CRD: - -Citrix provides a CustomResourceDefinitions (CRD) called [VIP](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/vip) for asynchronous communication between the IPAM controller and Citrix ingress controller. - -The IPAM controller is provided by Citrix for IP address management. It allocates IP address to the service from a defined IP address range. The Citrix ingress controller configures the IP address allocated to the service as virtual IP (VIP) in Citrix ADX VPX. And, the service is exposed using the IP address. - -When a new service is created, the Citrix ingress controller creates a CRD object for the service with an empty IP address field. 
The IPAM Controller listens to addition, deletion, or modification of the CRD and updates it with an IP address to the CRD. Once the CRD object is updated, the Citrix ingress controller automatically configures Citrix ADC-specfic configuration in the tier-1 Citrix ADC VPX. - -#### rewritepolicies CRD: - -In kubernetes environment, to deploy specific layer 7 policies to handle scenarios such as, redirecting HTTP traffic to a specific URL, blocking a set of IP addresses to mitigate DDoS attacks, imposing HTTP to HTTPS and so on, requires you to add appropriate libraries within the microservices and manually configure the policies. Instead, you can use the [Rewrite and Responder features](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/crd/rewrite-responder-policies-deployment.yaml) provided by the Ingress Citrix ADC device to deploy these policies. - -Example files: [target-url-rewrite.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/target-url-rewrite.yaml) - -#### wafs CRD: - -[WAF CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/waf.md) can be used to configure the web application firewall policies with the Citrix ingress controller on the Citrix ADC VPX, MPX, SDX, and CPX. The WAF CRD enables communication between the Citrix ingress controller and Citrix ADC for enforcing web application firewall policies. - -In a Kubernetes deployment, you can enforce a web application firewall policy to protect the server using the WAF CRD. For more information about web application firewall, see [Web application security](https://docs.citrix.com/en-us/citrix-adc/13/application-firewall/introduction/web-application-security.html). 
- -Example files: [wafhtmlxsssql.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/wafhtmlxsssql.yaml) - -#### CORS CRD: - -[CORS CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/cors.md) Cross-origin resource sharing (CORS) is a mechanism allows a web application running under one domain to securely access resources in another domain. You can configure CORS policies on Citrix ADC using Citrix ingress controller to allow one domain (the origin domain) to call APIs in another domain. For more information, see the [cross-origin resource sharing CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/cors.md) documentation. - -Example files: [cors-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/corspolicy-example.yaml) - -#### APPQOE CRD: - -[APPQOE CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/appqoe.md) When a Citrix ADC appliance receives an HTTP request and forwards it to a back-end server, sometimes there may be connection failures with the back-end server. You can configure the request-retry feature on Citrix ADC to forward the request to the next available server, instead of sending the reset to the client. Hence, the client saves round trip time when Citrix ADC initiates the same request to the next available service. -For more information, see the AppQoE support documentation. [Appqoe resource sharing CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/appqoe.md) documentation. - -Example files: [appqoe-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/appqoe_example.yaml) - -#### WILDCARDDNS CRD: - -[WILDCARDDNS CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/wildcarddns.md) Wildcard DNS domains are used to handle requests for nonexistent domains and subdomains. 
In a zone, use wildcard domains to redirect queries for all nonexistent domains or subdomains to a particular server, instead of creating a separate Resource Record (RR) for each domain. The most common use of a wildcard DNS domain is to create a zone that can be used to forward mail from the internet to some other mail system. -For more information, see the Wild card DNS domains support documentation. [Wildcard DNS Entry CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/wildcarddns.md) documentation. - -Example files: [wildcarddns-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/wildcarddns-example.yaml) - -## Citrix ADC CPX servicetype LoadBalancer -Citrix ADC CPX can be installed with service having servicetype LoadBalancer. Following arguments can be used in the `helm install` command for the same: - -``` -helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,serviceType.loadBalancer.enabled=True -``` - -## Citrix ADC CPX servicetype NodePort -Citrix ADC CPX can be installed with service having servicetype Nodeport. Following arguments can be used in the `helm install` command for the same: - -``` -helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,serviceType.nodePort.enabled=True -``` - -Additionally, `serviceType.nodePort.httpPort` and `serviceType.nodePort.httpsPort` arguments can be used to select the nodePort for the CPX service for HTTP and HTTPS ports. - -### Tolerations - -Taints are applied on cluster nodes whereas tolerations are applied on pods. Tolerations enable pods to be scheduled on node with matching taints. For more information see [Taints and Tolerations in Kubernetes](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/). 
-
-Toleration can be applied to pod running Citrix ADC CPX and ingress controller containers using `tolerations` argument while deploying CPX+CIC using helm chart. This argument takes list of tolerations that user need to apply on the CPX+CIC pods.
-
-For example, following command can be used to apply toleration on the CPX+CIC pod:
-
-```
-helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,tolerations[0].key=,tolerations[0].value=,tolerations[0].operator=,tolerations[0].effect=
-```
-
-Here tolerations[0].key, tolerations[0].value and tolerations[0].effect are the key, value and effect that was used while tainting the node.
-Effect represents what should happen to the pod if the pod don't have any matching toleration. It can have values `NoSchedule`, `NoExecute` and `PreferNoSchedule`.
-Operator represents the operation to be used for key and value comparison between taint and tolerations. It can have values `Exists` and `Equal`. The default value for operator is `Equal`.
-
-## Configuration
-The following table lists the configurable parameters of the Citrix ADC CPX with Citrix ingress controller as side car chart and their default values.
-
-| Parameters | Mandatory or Optional | Default value | Description |
-| ---------- | --------------------- | ------------- | ----------- |
-| license.accept | Mandatory | no | Set `yes` to accept the Citrix ingress controller end user license agreement. |
-| imageRegistry | Mandatory | `quay.io` | The Citrix ADC CPX image registry |
-| imageRepository | Mandatory | `citrix/citrix-k8s-cpx-ingress` | The Citrix ADC CPX image repository |
-| imageTag | Mandatory | `13.1-30.52` | The Citrix ADC CPX image tag |
-| pullPolicy | Mandatory | IfNotPresent | The Citrix ADC CPX image pull policy. |
-| daemonSet | Optional | False | Set this to true if Citrix ADC CPX needs to be deployed as DaemonSet. |
-| cic.imageRegistry | Mandatory | `quay.io` | The Citrix ingress controller image registry |
-| cic.imageRepository | Mandatory | `citrix/citrix-k8s-ingress-controller` | The Citrix ingress controller image repository |
-| cic.imageTag | Mandatory | `1.33.4` | The Citrix ingress controller image tag |
-| cic.pullPolicy | Mandatory | IfNotPresent | The Citrix ingress controller image pull policy. |
-| cic.required | Mandatory | true | CIC to be run as sidecar with Citrix ADC CPX |
-| cic.resources | Optional | {} | CPU/Memory resource requests/limits for Citrix Ingress Controller container |
-| cic.rbacRole | Optional | false | To deploy CIC with RBAC Role set rbacRole=true; by default CIC gets installed with RBAC ClusterRole(rbacRole=false)) |
-| imagePullSecrets | Optional | N/A | Provide list of Kubernetes secrets to be used for pulling the images from a private Docker registry or repository. For more information on how to create this secret please see [Pull an Image from a Private Registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/). |
-| nameOverride | Optional | N/A | String to partially override deployment fullname template with a string (will prepend the release name) |
-| fullNameOverride | Optional | N/A | String to fully override deployment fullname template with a string |
-| resources | Optional | {} | CPU/Memory resource requests/limits for Citrix CPX container |
-| nitroReadTimeout | Optional | 20 | The nitro Read timeout in seconds, defaults to 20 |
-| logLevel | Optional | DEBUG | The loglevel to control the logs generated by CIC. The supported loglevels are: CRITICAL, ERROR, WARNING, INFO, DEBUG and TRACE. For more information, see [Logging](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/configure/log-levels.md).|
-| jsonLog | Optional | false | Set this argument to true if log messages are required in JSON format |
-| nsConfigDnsRec | Optional | false | To enable/disable DNS address Record addition in ADC through Ingress |
-| nsSvcLbDnsRec | Optional | false | To enable/disable DNS address Record addition in ADC through Type Load Balancer Service |
-| nsDnsNameserver | Optional | N/A | To add DNS Nameservers in ADC |
-| optimizeEndpointBinding | Optional | false | To enable/disable binding of backend endpoints to servicegroup in a single API-call. Recommended when endpoints(pods) per application are large in number. Applicable only for Citrix ADC Version >=13.0-45.7 |
-| defaultSSLCertSecret | Optional | N/A | Provide Kubernetes secret name that needs to be used as a default non-SNI certificate in Citrix ADC. |
-| nsHTTP2ServerSide | Optional | OFF | Set this argument to `ON` for enabling HTTP2 for Citrix ADC service group configurations. |
-| cpxLicenseAggregator | Optional | N/A | IP/FQDN of the CPX License Aggregator if it is being used to license the CPX. |
-| nsCookieVersion | Optional | 0 | Specify the persistence cookie version (0 or 1). |
-| profileSslFrontend | Optional | N/A | Specify the frontend SSL profile. For Details see [Configuration using FRONTEND_SSL_PROFILE](https://docs.citrix.com/en-us/citrix-k8s-ingress-controller/configure/profiles.html#global-front-end-profile-configuration-using-configmap-variables) |
-| profileTcpFrontend | Optional | N/A | Specify the frontend TCP profile. For Details see [Configuration using FRONTEND_TCP_PROFILE](https://docs.citrix.com/en-us/citrix-k8s-ingress-controller/configure/profiles.html#global-front-end-profile-configuration-using-configmap-variables) |
-| profileHttpFrontend | Optional | N/A | Specify the frontend HTTP profile. For Details see [Configuration using FRONTEND_HTTP_PROFILE](https://docs.citrix.com/en-us/citrix-k8s-ingress-controller/configure/profiles.html#global-front-end-profile-configuration-using-configmap-variables) |
-| logProxy | Optional | N/A | Provide Elasticsearch or Kafka or Zipkin endpoint for Citrix observability exporter. |
-| nsProtocol | Optional | http | Protocol http or https used for the communication between Citrix Ingress Controller and CPX |
-| cpxBgpRouter | Optional | false| If set to true, this CPX is deployed as daemonset in BGP controller mode wherein BGP advertisements are done for attracting external traffic to Kubernetes clusters |
-| replicaCount | Optional | 1 | Number of CPX-CIC pods to be deployed. With `cpxBgpRouter : true`, replicaCount is 1 since CPX will be deployed as DaemonSet |
-| nsIP | Optional | 192.168.1.2 | NSIP used by CPX for internal communication when run in Host mode, i.e when cpxBgpRouter is set to true. A /24 internal network is created in this IP range which is used for internal communications withing the network namespace. |
-| nsGateway | Optional | 192.168.1.1 | Gateway used by CPX for internal communication when run in Host mode, i.e when cpxBgpRouter is set to true. If not specified, first IP in the nsIP network is used as gateway. It must be in same network as nsIP |
-| bgpPort | Optional | 179 | BGP port used by CPX for BGP advertisement if cpxBgpRouter is set to true|
-| ingressIP | Optional | N/A | External IP address to be used by ingress resources if not overriden by ingress.com/frontend-ip annotation in Ingress resources. This is also advertised to external routers when pxBgpRouter is set to true|
-| entityPrefix | Optional | k8s | The prefix for the resources on the Citrix ADC CPX. |
-| ingressClass | Optional | N/A | If multiple ingress load balancers are used to load balance different ingress resources. You can use this parameter to specify Citrix ingress controller to configure Citrix ADC associated with specific ingress class. For more information on Ingress class, see [Ingress class support](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/configure/ingress-classes/). For Kubernetes version >= 1.19, this will create an IngressClass object with the name specified here |
-| setAsDefaultIngressClass | Optional | False | Set the IngressClass object as default. New Ingresses without an "ingressClassName" field specified will be assigned the class specified in ingressClass. Applicable only for kubernetes versions >= 1.19 |
-| updateIngressStatus | Optional | False | Set this argument if you want to update ingress status of the ingress resources exposed via CPX. This is only applicable if servicetype of CPX service is LoadBalancer. |
-| disableAPIServerCertVerify | Optional | False | Set this parameter to True for disabling API Server certificate verification. |
-| openshift | Optional | false | Set this argument if OpenShift environment is being used. |
-| disableOpenshiftRoutes | false | By default Openshift routes are processed in openshift environment, this variable can be used to disable Ingress controller processing the openshift routes. |
-| routeLabels | Optional | N/A | You can use this parameter to provide the route labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster. |
-| namespaceLabels | Optional | N/A | You can use this parameter to provide the namespace labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster. |
-| sslCertManagedByAWS | Optional | False | Set this argument if SSL certs used is managed by AWS while deploying Citrix ADC CPX in AWS. |
-| nodeSelector.key | Optional | N/A | Node label key to be used for nodeSelector option for CPX-CIC deployment. |
-| nodeSelector.value | Optional | N/A | Node label value to be used for nodeSelector option in CPX-CIC deployment. |
-| podAnnotations | Optional | N/A | Map of annotations to add to the pods. |
-| affinity | Optional | N/A | Affinity labels for pod assignment. |
-| tolerations | Optional | N/A | Specify the tolerations for the CPX-CIC deployment. |
-| serviceType.loadBalancer.enabled | Optional | False | Set this argument if you want servicetype of CPX service to be LoadBalancer. |
-| serviceType.nodePort.enabled | Optional | False | Set this argument if you want servicetype of CPX service to be NodePort. |
-| serviceType.nodePort.httpPort | Optional | N/A | Specify the HTTP nodeport to be used for NodePort CPX service. |
-| serviceType.nodePort.httpsPort | Optional | N/A | Specify the HTTPS nodeport to be used for NodePort CPX service. |
-| serviceAnnotations | Optional | N/A | Dictionary of annotations to be used in CPX service. Key in this dictionary is the name of the annotation and Value is the required value of that annotation. For example, [see this](#citrix-adc-cpx-service-annotations). |
-| serviceSpec.externalTrafficPolicy | Optional | Cluster | Use this parameter to provide externalTrafficPolicy for CPX service of type LoadBalancer or NodePort. `serviceType.loadBalancer.enabled` or `serviceType.nodePort.enabled` should be set to `true` according to your use case for using this parameter. |
-| serviceSpec.loadBalancerIP | Optional | N/A | Use this parameter to provide LoadBalancer IP to CPX service of type LoadBalancer. `serviceType.loadBalancer.enabled` should be set to `true` for using this parameter. |
-| serviceSpec.loadBalancerSourceRanges | Optional | N/A | Provide the list of IP Address or range which should be allowed to access the Network Load Balancer. `serviceType.loadBalancer.enabled` should be set to `true` for using this parameter. For details, see [Network Load Balancer support on AWS](https://kubernetes.io/docs/concepts/services-networking/service/#aws-nlb-support). |
-| servicePorts | Optional | N/A | List of port. Each element in this list is a dictionary that contains information about the port. For example, [see this](#citrix-adc-cpx-service-ports). |
-| ADMSettings.licenseServerIP | Optional | N/A | Provide the Citrix Application Delivery Management (ADM) IP address to license Citrix ADC CPX. For more information, see [Licensing](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/licensing/). |
-| ADMSettings.licenseServerPort | Optional | 27000 | Citrix ADM port if non-default port is used. |
-| ADMSettings.ADMIP | Optional | N/A | Citrix Application Delivery Management (ADM) IP address. |
-| ADMSettings.loginSecret | Optional | N/A | The secret key to login to the ADM. For information on how to create the secret keys, see [Prerequisites](#prerequistes). |
-| ADMSettings.bandWidthLicense | Optional | False | Set to true if you want to use bandwidth based licensing for Citrix ADC CPX. |
-| ADMSettings.bandWidth | Optional | 1000 | Desired bandwidth capacity to be set for Citrix ADC CPX in Mbps. |
-| ADMSettings.vCPULicense | Optional | N/A | Set to true if you want to use vCPU based licensing for Citrix ADC CPX. |
-| ADMSettings.licenseEdition| Optional | PLATINUM | License edition that can be Standard, Platinum and Enterprise . By default, Platinum is selected.|
-| ADMSettings.cpxCores | Optional | 1 | Desired number of vCPU to be set for Citrix ADC CPX. |
-| ADMSettings.analyticsServerPort | Optional | 5557 | Port used for Analytics by ADM. Required to plot ServiceGraph. |
-| exporter.required | Optional | false | Use the argument if you want to run the [Exporter for Citrix ADC Stats](https://github.com/citrix/citrix-adc-metrics-exporter) along with Citrix ingress controller to pull metrics for the Citrix ADC CPX|
-| exporter.imageRegistry | Optional | `quay.io` | The Exporter for Citrix ADC Stats image registry |
-| exporter.imageRepository | Optional | `citrix/citrix-adc-metrics-exporter` | The Exporter for Citrix ADC Stats image repository |
-| exporter.imageTag | Optional | `1.4.9` | The Exporter for Citrix ADC Stats image tag |
-| exporter.pullPolicy | Optional | IfNotPresent | The Exporter for Citrix ADC Stats image pull policy. |
-| exporter.resources | Optional | {} | CPU/Memory resource requests/limits for Metrics exporter container |
-| exporter.ports.containerPort | Optional | 8888 | The Exporter for Citrix ADC Stats container port. |
-| analyticsConfig.required | Mandatory | false | Set this to true if you want to configure Citrix ADC to send metrics and transaction records to analytics service. |
-| analyticsConfig.distributedTracing.enable | Optional | false | Set this value to true to enable OpenTracing in Citrix ADC. |
-| analyticsConfig.distributedTracing.samplingrate | Optional | 100 | Specifies the OpenTracing sampling rate in percentage. |
-| analyticsConfig.endpoint.server | Optional | N/A | Set this value as the IP address or DNS address of the analytics server. |
-| analyticsConfig.endpoint.service | Optional | N/A | Set this value as the IP address or service name with namespace of the analytics service deployed in Kuberenetes. Format: namespace/servicename|
-| analyticsConfig.timeseries.port | Optional | 5563 | Specify the port used to expose analytics service for timeseries endpoint. |
-| analyticsConfig.timeseries.metrics.enable | Optional | Set this value to true to enable sending metrics from Citrix ADC. |
-| analyticsConfig.timeseries.metrics.mode | Optional | avro | Specifies the mode of metric endpoint. |
-| analyticsConfig.timeseries.auditlogs.enable | Optional | false | Set this value to true to export audit log data from Citrix ADC. |
-| analyticsConfig.timeseries.events.enable | Optional | false | Set this value to true to export events from the Citrix ADC. |
-| analyticsConfig.transactions.enable | Optional | false | Set this value to true to export transactions from Citrix ADC. |
-| analyticsConfig.transactions.port | Optional | 5557 | Specify the port used to expose analytics service for transaction endpoint. |
-| crds.install | Optional | False | Unset this argument if you don't want to install CustomResourceDefinitions which are consumed by CIC. |
-| crds.retainOnDelete | Optional | false | Set this argument if you want to retain CustomResourceDefinitions even after uninstalling CIC. This will avoid data-loss of Custom Resource Objects created before uninstallation. |
-| bgpSettings.required | Optional | false | Set this argument if you want to enable BGP configurations for exposing service of Type Loadbalancer through BGP fabric|
-| bgpSettings.bgpConfig | Optional| N/A| This represents BGP configurations in YAML format. For the description about individual fields, please refer the [documentation](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/cpx-bgp-router.md) |
-| nsLbHashAlgo.required | Optional | false | Set this value to set the LB consistent hashing Algorithm |
-| nsLbHashAlgo.hashFingers | Optional |256 | Specifies the number of fingers to be used for hashing algorithm. Possible values are from 1 to 1024, Default value is 256 |
-| nsLbHashAlgo.hashAlgorithm | Optional | 'default' | Specifies the supported algorithm. Supported algorithms are "default", "jarh", "prac", Default value is 'default' |
-
-> **Note:**
->
-> If Citrix ADM related information is not provided during installation, Citrix ADC CPX will come up with the default license.
-
-Alternatively, you can define a YAML file with the values for the parameters and pass the values while installing the chart.
-
-For example:
- ```
- helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller -f values.yaml
- ```
-
-> **Tip:**
->
-> The [values.yaml](https://github.com/citrix/citrix-helm-charts/blob/master/citrix-cpx-with-ingress-controller/values.yaml) contains the default values of the parameters.
-
-## Uninstalling the Chart
-To uninstall/delete the ```my-release``` deployment:
- ```
- helm delete my-release
- ```
-
-## Related documentation
-
-- [Citrix ADC CPX Documentation](https://docs.citrix.com/en-us/citrix-adc-cpx/12-1/cpx-architecture-and-traffic-flow.html)
-- [Citrix ingress controller Documentation](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/)
-- [Citrix ingress controller GitHub](https://github.com/citrix/citrix-k8s-ingress-controller)
-- [BGP advertisement for External IPs with CPX](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/cpx-bgp-router.md)
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.33.4/app-readme.md b/charts/citrix/citrix-cpx-with-ingress-controller/1.33.4/app-readme.md
deleted file mode 100644
index ef45a3d907..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.33.4/app-readme.md
+++ /dev/null
@@ -1,5 +0,0 @@
-# Citrix ADC CPX with Citrix Ingress Controller running as sidecar.
-
-In a [Kubernetes](https://kubernetes.io/) or [OpenShift](https://www.openshift.com) cluster, you can deploy [Citrix ADC CPX](https://docs.citrix.com/en-us/citrix-adc-cpx) with Citrix ingress controller as a [sidecar](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/). The Citrix ADC CPX instance is used for load balancing the North-South traffic to the microservices in your cluster. And, the sidecar Citrix ingress controller configures the Citrix ADC CPX.
-
-This Chart bootstraps deployment of Citrix ADC CPX with Citrix Ingress Controller as sidecar.
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.33.4/questions.yml b/charts/citrix/citrix-cpx-with-ingress-controller/1.33.4/questions.yml
deleted file mode 100644
index 0c87144137..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.33.4/questions.yml
+++ /dev/null
@@ -1,211 +0,0 @@ -questions: -- variable: license.accept - required: true - default: "no" - type: enum - description: "Set to yes to accept the terms and conditions of the Citrix license." - label: Accept License - group: "Deployment Settings" - options: - - "yes" - - "no" -- variable: openshift - default: false - type: boolean - description: "openshift is set to true if charts are being deployed in OpenShift environment" - label: Openshift flag - group: "Deployment Settings" -- variable: nsNamespace - type: string - description: "Prefix for the resources on Citrix ADC" - label: Resource Prefix - group: "Deployment Settings" -- variable: ingressClass[0] - type: string - description: "ingressClass is the name of the Ingress Class" - label: Ingress Class - group: "Deployment Settings" -- variable: logLevel - default: "DEBUG" - type: enum - options: - - "TRACE" - - "DEBUG" - - "INFO" - - "WARNING" - - "ERROR" - description: "logLevel of Citrix Ingress Controller pod" - label: LogLevel - group: "Deployment Settings" -- variable: defaultSSLCert - type: string - description: "Secret containing the default ceritifcate for SSL vservers" - label: Default SSLCert - group: "ADC Settings" -- variable: logProxy - type: string - description: "Elasticsearch or Kafka or Zipkin endpoint for Citrix observability exporte" - label: LogProxy - group: "Deployment Settings" -- variable: http2ServerSide - default: "OFF" - type: enum - options: - - "ON" - - "OFF" - description: "Set to ON to enable HTTP2 for Citrix ADC service group configurations" - label: HTTP2 on ADC - group: "ADC Settings" -- variable: nodeSelector.key - type: string - label: NodeSelector Key - group: "Deployment Settings" -- variable: nodeSelector.value - type: string - label: NodeSelector Value - group: "Deployment Settings" - - -- variable: ADMSettings.licenseServerIP - type: string - label: ADM LicenseServerIP - group: "ADM Settings" -- variable: ADMSettings.licenseServerPort - default: 27000 - type: int - label: 
ADM LicenseServerPort - group: "ADM Settings" -- variable: ADMSettings.ADMIP - type: string - label: ADM IP - group: "ADM Settings" -- variable: ADMSettings.ADMFingerPrint - type: string - label: ADM FingerPrint - group: "ADM Settings" -- variable: ADMSettings.loginSecret - type: string - label: ADM Login Secret - group: "ADM Settings" -- variable: ADMSettings.bandWidthLicense - type: boolean - label: CPX Bandwidth License - group: "ADM Settings" -- variable: ADMSettings.bandWidth - type: int - label: CPX Bandwidth - group: "ADM Settings" -- variable: ADMSettings.vCPULicense - type: boolean - label: CPX vCPU License - group: "ADM Settings" -- variable: ADMSettings.cpxCores - type: int - label: CPX Cores - group: "ADM Settings" -- variable: cic.pullpolicy - default: "IfNotPresent" - type: enum - label: CIC Image Pullpolicy - group: "CIC/CPX Image Settings" - options: - - "Always" - - "IfNotPresent" - - "Never" -- variable: pullpolicy - default: "IfNotPresent" - type: enum - label: CPX Image Pullpolicy - group: "CIC/CPX Image Settings" - options: - - "Always" - - "IfNotPresent" - - "Never" -- variable: cic.image - default: "quay.io/citrix/citrix-k8s-ingress-controller:1.8.28" - type: string - label: CIC Image - group: "CIC/CPX Image Settings" -- variable: image - type: string - default: "quay.io/citrix/citrix-k8s-cpx-ingress:13.0-58.30" - label: CPX Image - group: "CIC/CPX Image Settings" -- variable: exporter.image - default: "quay.io/citrix/citrix-adc-metrics-exporter:1.4.5" - type: string - description: "Exporter Image to be used" - label: Exporter Image - group: "Exporter Settings" -- variable: exporter.pullPolicy - default: "IfNotPresent" - type: string - description: "Exporter Image pull policy" - label: Exporter Image PullPolicy - group: "Exporter Settings" -- variable: exporter.ports.containerPort - default: 8888 - type: int - label: Exporter ContainerPort - group: "Exporter Settings" -- variable: coeConfig.distributedTracing.enable - default: false - type: 
boolean - label: Enable distributedTracing - group: "COE Settings" -- variable: coeConfig.distributedTracing.samplingrate - default: 100 - type: int - label: COE Sampling Rate - group: "COE Settings" -- variable: coeConfig.endpoint.server - type: string - label: COE Endpoint Server - group: "COE Settings" -- variable: coeConfig.timeseries.port - default: 5563 - type: int - label: COE timeseries port - group: "COE Settings" -- variable: coeConfig.timeseries.metrics.enable - default: false - type: boolean - label: Enable timeseries metrics - group: "COE Settings" -- variable: coeConfig.timeseries.metrics.mode - default: 'avro' - type: string - label: COE timeseries metrics Mode - group: "COE Settings" -- variable: coeConfig.timeseries.auditlogs.enable - default: false - type: string - label: Enable timeseries auditlogs - group: "COE Settings" -- variable: coeConfig.timeseries.events.enable - default: false - type: string - label: Enable timeseries events - group: "COE Settings" -- variable: coeConfig.transactions.enable - default: false - type: string - label: Enable transactions - group: "COE Settings" -- variable: coeConfig.transactions.port - default: 5557 - type: int - label: COE transactions port - group: "COE Settings" -- variable: crds.install - default: true - type: boolean - description: "If set to true the charts will install CustomResourceDefinitions which are consumed by CIC." - label: CRD flag - group: "Deployment Settings" -- variable: crds.retainOnDelete - default: false - type: boolean - description: "Set this argument to true if you want to retain CustomResourceDefinitions even after uninstalling CIC. This will avoid data-loss of Custom Resource Objects created before uninstallation." - label: CRD retainOnDelete flag - group: "Deployment Settings" 
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.33.4/templates/NOTES.txt b/charts/citrix/citrix-cpx-with-ingress-controller/1.33.4/templates/NOTES.txt
deleted file mode 100644
index bccfdf69a4..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.33.4/templates/NOTES.txt
+++ /dev/null
@@ -1,14 +0,0 @@
-Thank you for installing {{ .Chart.Name }}.
-
-Your release is named {{ .Release.Name }}.
-
-
-To learn more about the release, try:
-
- $ helm status {{ .Release.Name }}
- $ helm get {{ .Release.Name }}
-
-
-To delete :
- helm delete {{ .Release.Name }}
-
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.33.4/templates/_helpers.tpl b/charts/citrix/citrix-cpx-with-ingress-controller/1.33.4/templates/_helpers.tpl
deleted file mode 100644
index 92e636ce23..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.33.4/templates/_helpers.tpl
+++ /dev/null
@@ -1,97 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Analytics Server IP or DNS
-*/}}
-{{- define "analytics.server" -}}
-{{- if .Values.analyticsConfig.endpoint.server -}}
-{{- printf .Values.analyticsConfig.endpoint.server -}}
-{{- else -}}
-{{- printf "analytics.%s.svc.cluster.local" .Release.Namespace -}}
-{{- end -}}
-{{- end -}}
-
-
-{{- define "citrix-cpx-ingress-controller.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "citrix-cpx-ingress-controller.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "cpxservice.fullname" -}}
-{{- $name := default .Chart.Name "cpx-service" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "cpxexporter.fullname" -}}
-{{- $name := default .Chart.Name "exporter" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "cpxservicemonitor.fullname" -}}
-{{- $name := default .Chart.Name "citrix-adc-cpx-servicemonitor" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "cpxservicemonitorlabel" -}}
-{{- $name := default .Chart.Name "citrix-adc-cpx-svcmon" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "cpxconfigmap.fullname" -}}
-{{- $name := default .Chart.Name "cpx-cic-configmap" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "citrix-cpx-ingress-controller.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "citrix-cpx-ingress-controller.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create -}}
- {{ default (include "citrix-cpx-ingress-controller.fullname" .) .Values.serviceAccount.name }}
-{{- else -}}
- {{ default "default" .Values.serviceAccount.name }}
-{{- end -}}
-{{- end -}}
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.33.4/templates/cic_crds.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.33.4/templates/cic_crds.yaml
deleted file mode 100644
index 085d7d271d..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.33.4/templates/cic_crds.yaml
+++ /dev/null
@@ -1,2549 +0,0 @@ -{{- if .Values.crds.install }} -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: rewritepolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: rewritepolicy - plural: rewritepolicies - singular: rewritepolicy - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - rewrite-policies: - type: array - items: - type: object - properties: - servicenames: - description: 'Name of the services that needs to be binded to rewrite policy.' - type: array - items: - type: string - maxLength: 127 - goto-priority-expression: - description: 'Expression or other value specifying the next policy to be - evaluated if the current policy evaluates to TRUE. - Specify one of the following values: - * NEXT - Evaluate the policy with the next higher priority number. - * END - End policy evaluation. - Default value of goto-priority-expression: END' - type: string - maxLength: 1499 - logpackets: - type: object - description: 'Adds an audit message action. - The action specifies whether to log the message, and to which log.' 
- properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' - type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - rewrite-policy: - type: object - properties: - rewrite-criteria: - description: 'Expression against which traffic is evaluated.' - type: string - maxLength: 1299 - default-action: - description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). - An UNDEF event indicates an internal error condition.' - type: string - maxLength: 77 - enum: ['NOREWRITE', 'RESET', 'DROP'] - operation: - description: 'Type of user-defined rewrite action.' - type: string - enum: ["noop", "delete", "insert_http_header", "delete_http_header", - "corrupt_http_header", "insert_before", "insert_after", "replace", - "replace_http_res", "delete_all", "replace_all", "insert_before_all", - "insert_after_all", "clientless_vpn_encode", "clientless_vpn_encode_all", - "clientless_vpn_decode", "clientless_vpn_decode_all", "insert_sip_header", - "delete_sip_header", "corrupt_sip_header", "replace_sip_res", "replace_diameter_header_field", - "replace_dns_header_field", "replace_dns_answer_section"] - target: - description: 'Default syntax expression that specifies which part of the request or response to rewrite.' - type: string - maxLength: 1229 - modify-expression: - description: 'Default syntax expression that specifies the content to insert into the request - or response at the specified location, or that replaces the specified string.' - type: string - maxLength: 7991 - multiple-occurence-modify: - description: 'Search facility that is used to match multiple strings in the request or response.' 
- type: string - maxLength: 171 - additional-multiple-occurence-modify: - description: 'Specify additional criteria to refine the results of the search. - Always starts with the "extend(m,n)" operation, where "m" specifies number of bytes to the left of selected data - and "n" specifies number of bytes to the right of selected data. - You can use refineSearch only on body expressions, and only when rewrite-criteria is any one of this: - INSERT_BEFORE_ALL, INSERT_AFTER_ALL, REPLACE_ALL, and DELETE_ALL.' - type: string - maxLength: 1299 - direction: - description: 'Bind point to which to bind the policy.' - type: string - enum: ["REQUEST","RESPONSE"] - comment: - description: 'Any comments to preserve information about this rewrite policy.' - type: string - maxLength: 255 - required: [rewrite-criteria, operation, target, direction] - required: [rewrite-policy] - - responder-policies: - type: array - items: - type: object - properties: - servicenames: - description: 'Name of the services that needs to be binded to responder policy.' - type: array - items: - type: string - maxLength: 127 - goto-priority-expression: - description: 'Expression or other value specifying the next policy to be - evaluated if the current policy evaluates to TRUE. - Specify one of the following values: - * NEXT - Evaluate the policy with the next higher priority number. - * END - End policy evaluation. - Default value of goto-priority-expression: END' - type: string - maxLength: 1499 - logpackets: - type: object - description: 'Adds an audit message action. - The action specifies whether to log the message, and to which log.' - properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' 
- type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", - "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - responder-policy: - type: object - properties: - redirect: - type: object - description: 'Use this option when you want to Redirect the request when request matches to policy.' - properties: - url: - description: 'URL on which you want to redirect the request.' - type: string - maxLength: 7991 - redirect-status-code: - description: 'HTTP response status code, for example 200, 302, 404, etc.' - type: integer - minimum: 100 - maximum: 599 - redirect-reason: - description: 'Expression specifying the reason for redirecting the request.' - type: string - maxLength: 7991 - required: [url] - respondwith: - type: object - description: 'Use this parameter when you want to respond to the request when request matches to policy.' - properties: - http-payload-string: - description: 'Expression that you want to sent as response to the request.' - type: string - maxLength: 7991 - required: [http-payload-string] - noop: - type: string - description: 'Use this option when you want to send the request to the protected server instead of - responding to it when request matches to policy.' - properties: - target: - description: 'Default syntax expression that specifies to perform noop operation on' - type: string - maxLength: 1229 - reset: - type: string - description: 'Use this option when you want to Reset the client connection by closing it when request matches to policy.' - properties: - drop: - type: string - description: 'Use this option when you want to drop the request without sending a response to the user when request matches to policy.' - properties: - respond-criteria: - description: 'Default syntax expression that the policy uses to determine whether to respond to the specified request.' 
- type: string - maxLength: 1299 - default-action: - description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). - An UNDEF event indicates an internal error condition.' - type: string - maxLength: 77 - enum: ['NOOP', 'RESET', 'DROP'] - comment: - description: 'Any comments to preserve information about this responder policy.' - type: string - maxLength: 255 - required: [respond-criteria] - oneOf: [required: [redirect], required: [respondwith], required: [noop], required: [reset], required: [drop]] - required: [responder-policy] - - dataset: - type: array - items: - type: object - properties: - name: - description: 'Name of the dataset.' - type: string - maxLength: 32 - type: - description: 'Type of value to bind to the dataset.' - type: string - enum: ["ipv4", "number", "ipv6", "ulong", "double", "mac"] - comment: - description: 'Any comments to preserve information about this dataset.' - type: string - maxLength: 255 - values: - description: 'Value of the specified type that is associated with this dataset.' - type: array - items: - type: string - required: [name, type, values] - - patset: - type: array - items: - type: object - properties: - name: - description: 'Name of the Patset.' - type: string - maxLength: 32 - comment: - description: 'Any comments to preserve information about this patset.' - type: string - maxLength: 255 - values: - description: 'String of characters that constitutes a pattern and is associated with this patset.' - type: array - items: - type: string - required: [name, values] - - stringmap: - type: array - items: - type: object - properties: - name: - description: 'Name of the Stringmap.' - type: string - maxLength: 32 - comment: - description: 'Any comments to preserve information about this stringmap.' - type: string - maxLength: 255 - values: - description: 'List of (key,value) pairs to be bound to this string map.' 
- type: array - items: - type: object - properties: - key: - description: 'Character string constituting the key to be bound to this string map.' - type: string - maxLength: 2047 - value: - description: 'Character string constituting the value associated with the key.' - type: string - maxLength: 2047 - required: [name, values] - - httpcallout_policy: - type: array - items: - type: object - properties: - name: - description: 'httpcallout name' - type: string - maxLength: 32 - server_ip: - description: 'IP Address of the server(callout agent) to which the callout is sent.' - type: string - server_port: - description: 'Port of the server(callout agent) to which the callout is sent.' - type: integer - minimum: 1 - maximum: 65535 - http_method: - description: |+ - 'Method used in the HTTP request that this callout sends. - Default http method is GET' - type: string - enum: ['GET', 'POST'] - host_expr: - description: |+ - 'String expression to configure the Host header. Can contain a literal value - (for example, 10.101.10.11) or a derived value (for example, http.req.header("Host")). - The literal value can be an IP address or a fully qualified domain name. Mutually - exclusive with the full HTTP request expression.' - type: string - maxLength: 255 - url_stem_expr: - description: |+ - 'String expression for generating the URL stem. Can contain a literal string - (for example, "/mysite/index.html") or an expression that derives the value - (for example, http.req.url).' - type: string - maxLength: 8191 - headers: - type: array - description: |+ - 'One or more headers to insert into the HTTP request. Each header is represented by - name and expr, where expr is an expression that is evaluated at runtime to provide - the value for the named header. You can configure a maximum of eight headers for - an HTTP callout.' 
- items: - type: object - properties: - name: - description: 'header name' - type: string - expr: - description: 'header expression' - type: string - parameters: - type: array - description: |+ - 'One or more query parameters to insert into the HTTP request URL (for a GET request) - or into the request body (for a POST request). Each parameter is represented by - name and expr, where expr is an expression that is evaluated at run time to provide - the value for the named parameter (name=value). The parameter values are URL encoded.' - items: - type: object - properties: - name: - description: 'parameter name' - type: string - expr: - description: 'parameter expression' - type: string - body_expr: - description: |+ - 'An advanced string expression for generating the body of the request. - The expression can contain a literal string or an expression that derives - the value (for example, client.ip.src).' - type: string - full_req_expr: - description: |+ - 'Exact HTTP request, in the form of an expression, which the Citrix ADC sends - to the callout agent. The request expression is constrained by the feature - for which the callout is used. For example, an HTTP.RES expression cannot be - used in a request-time policy bank or in a TCP content switching policy bank.' - type: string - scheme: - description: |+ - 'Type of scheme for the callout server. - Default scheme is HTTP' - type: string - enum: ['HTTP', 'HTTPS'] - cache_for_secs: - description: |+ - 'Duration, in seconds, for which the callout response is cached. - The cached responses are stored in an integrated caching content - group named "calloutContentGroup". If no duration is configured, - the callout responses will not be cached unless normal caching - configuration is used to cache them. This parameter takes precedence over any - normal caching configuration that would otherwise apply to these responses.' 
- type: integer - minimum: 1 - maximum: 31536000 - return_type: - description: |+ - 'Type of data that the target callout agent returns in response to the callout - Available settings function as follows: - * TEXT - Treat the returned value as a text string. - * NUM - Treat the returned value as a number. - * BOOL - Treat the returned value as a Boolean value.' - type: string - enum: ['TEXT', 'NUM', 'BOOL'] - result_expr: - description: |+ - 'Expression that extracts the callout results from the response sent by the HTTP callout - agent. Must be a response based expression, that is, it must begin with HTTP.RES. The - operations in this expression must match the return type. For example, if you configure - a return type of TEXT, the result expression must be a text based expression. If the - return type is NUM, the result expression (resultExpr) must return a numeric value, - as in the following example: http.res.body(10000).length.' - type: string - maxLength: 8191 - comment: - description: 'Any comments to preserve information about this HTTP callout.' 
- type: string - maxLength: 255 - allOf: - - properties: - required: [name, server_ip, server_port] - - properties: - oneOf: - - properties: - required: [full_req_expr] - - properties: - anyOf: - - properties: - required: [http_method] - - properties: - required: [host_expr] - - properties: - required: [url_stem_expr] - - properties: - required: [headers] - - properties: - required: [parameters] - - properties: - required: [body_expr] - anyOf: [required: [rewrite-policies], required: [responder-policies]] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: ratelimits.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: ratelimit - plural: ratelimits - singular: ratelimit - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the ratelimit policies are applied.' - type: array - items: - type: string - maxLength: 127 - selector_keys: - type: object - description: 'Traffic match criteria to which apply above rate-limit/throttling. All keys are applied as AND condition. 
If no keys are specified, rate-limit applies at service level' - properties: - basic: - type: object - description: "Basic traffic stream selection criteria to which to apply the ratelimit" - properties: - path: - type: array - description: "api resource path prefix match. e.g. /api/v1/products" - items: - type: string - method: - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT','PATCH', 'UNKNOWN_METHOD'] - header_name: - description: "HTTP header that identifies the unique API client for e.g. X-apikey" - type: string - per_client_ip: - description: "Setting this applies the throttling limit to each unique Client IP address accessing the API resource" - type: boolean - req_threshold: - description: 'Max requests per timeslice units to be allowed' - type: integer - timeslice: - description: 'Timeslice in miliseconds in multiple of 10. Defaults to 1000 miliseconds' - type: integer - limittype: - description: "Burst mode or smooth. Defaults to smooth limittype if not specified" - type: string - enum: ['BURSTY','SMOOTH'] - throttle_action: - type: string - enum: ['DROP', 'RESET','REDIRECT', 'RESPOND'] - description: "Drop will drop the requests exceeding limits, RESET will reset the client connection, Redirect will redirect to specified URL, respond will respond with 429 'Exceeded allowed rate of requests'" - redirect_url: - type: string - description: "Redirect-URL" - logpackets: - type: object - description: 'Adds an audit message action. The action specifies whether to log the message, and to which log.' - properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' 
- type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - required: [req_threshold] ---- -#Sample CRD instance - -#apiVersion: citrix.com/v1 -#description: VIP for apache service -#kind: vip -#metadata: -# name: service-apache -# namespace: default -#spec: -# description: VIP for the apache Service -# ipaddress: 10.99.98.90 -# kind: service -# name: apache - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: vips.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: vip - plural: vips - singular: vip - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - additionalPrinterColumns: - - jsonPath: .spec.ipaddress - name: VIP - type: string - - name: Age - type: date - jsonPath: .metadata.creationTimestamp - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - ipaddress: - type: string - name: - type: string - kind: - type: string - enum: ["service", "ingress"] - description: - type: string - range-name: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: authpolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: authpolicy - plural: authpolicies - singular: authpolicy - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: 'Current Status of the CRD' - jsonPath: .status.state - - name: Message - type: string - description: 'Status Message' - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: 
string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: |+ - 'Name of the services for which the policies applied' - type: array - items: - type: string - maxLength: 63 - authentication_mechanism: - type: object - description: |+ - 'Authentication mechanism. Options: using forms or using request header. - Default is Authentication using request header, when no option is specified' - properties: - using_request_header: - description: |+ - 'Enable user authentication using request header. Use when the credentials - or api keys are passed in a header. For example, when using Basic, Digest, - Bearer authentication or api keys. - When authentication using forms is provided, this is set to OFF' - - type: string - using_forms: - type: object - description: 'Enables authentication using forms. Use with user/web authentication.' - properties: - authentication_host: - description: |+ - 'Fully qualified domain name (FQDN) for authentication. - This FQDN should be unique and should resolve to frontend IP of - ADC with Ingress/service type LoadBalancer (or) vip of Listener CRD' - type: string - maxLength: 255 - authentication_host_cert: - description: |+ - 'Name of the SSL certificate to be used with authentication_host. 
- This certificate is mandatory while using_forms' - type: object - properties: - tls_secret: - type: string - description: 'Name of the Kubernetes Secret of type tls referring to Certificate' - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - preconfigured: - type: string - maxLength: 63 - description: |+ - 'Preconfigured SSL certkey name on ADC with the - certificate and key already added on ADC' - oneOf: - - properties: - required: [tls_secret] - - properties: - required: [preconfigured] - ingress_name: - description: |+ - 'Ingress name for which the authentication using forms - is applicable.' - type: string - maxLength: 63 - lb_service_name: - description: |+ - 'Service of type LoadBalancer for which the authentication using forms - is applicable.' - type: string - maxLength: 63 - listener_name: - description: |+ - 'Listener CRD name for which the authentication using forms is applicable.' - type: string - maxLength: 63 - vip: - description: |+ - 'Frontend IP of ingress for which the authentication - using forms is applicable. This refers to frontend-ip provided - with Ingress. It is suggested to use vip, if more than one Ingress - resource use the same frontend-ip' - type: string - required: [authentication_host, authentication_host_cert] - oneOf: - - properties: - required: [ingress_name] - - properties: - required: [lb_service_name] - - properties: - required: [listener_name] - - properties: - required: [vip] - oneOf: - - properties: - using_request_header: - enum: ['ON'] - required: [using_request_header] - - properties: - required: [using_forms] - - authentication_providers: - description: |+ - 'Authentication Configuration for required authentication providers/schemes. 
- One or more of these can be created' - type: array - items: - description: 'Create config for a single authentication provider of a particular type' - type: object - properties: - name: - description: 'Name for this provider, has to be unique, referenced by authentication policies' - type: string - maxLength: 127 - - oauth: - description: 'Authentication provided by external oAuth provider' - type: object - properties: - issuer: - description: 'Identity of the server whose tokens are to be accepted' - type: string - maxLength: 127 - audience: - description: 'Audience for which token sent by Authorization server is applicable' - type: array - items: - type: string - maxLength: 127 - jwks_uri: - description: |+ - 'URL of the endpoint that contains JWKs (Json Web Key) for - JWT (Json Web Token) verification' - type: string - maxLength: 127 - introspect_url: - description: ' URL of the introspection server' - type: string - maxLength: 127 - client_credentials: - description: |+ - 'secrets object that contains Client Id and secret as known - to Introspection server' - type: string - maxLength: 253 - token_in_hdr: - description: |+ - 'custom header name where token is present, - default is Authorization header' - type: array - items: - type: string - maxLength: 127 - maxItems: 2 - token_in_param: - description: 'query parameter name where token is present' - type: array - items: - type: string - maxLength: 127 - maxItems: 2 - signature_algorithms: - description: 'list of allowed signature algorithms, by default HS256, RS256, RS512 are allowed' - type: array - items: - type: string - enum: ['HS256', 'RS256', 'RS512'] - claims_to_save: - description: 'list of claims to be saved, used to create authorization policies' - type: array - items: - type: string - maxLength: 127 - metadata_url: - description: 'URL used to get OAUTH/OIDC provider metadata' - type: string - maxLength: 255 - user_field: - description: |+ - 'Attribute in the token from which username should be 
extracted. - by default, ADC looks at email attribute for user id' - type: string - maxLength: 127 - default_group: - description: |+ - 'group assigned to the request if authentication succeeds, - this is in addition to any extracted groups from token' - type: string - maxLength: 63 - grant_type: - description: 'used to specify the type of flow to the token end point, defaults to CODE' - type: array - items: - type: string - enum: ['CODE','PASSWORD'] - pkce: - description: 'specify whether to enable Proof Key Code Exchange, defaults to ENABLED' - type: string - enum: ['ENABLED', 'DISABLED'] - token_ep_auth_method: - description: |+ - 'authentication method to be used with token end point, - defaults to client_secret_post' - type: string - enum: ['client_secret_post', 'client_secret_jwt'] - - anyOf: - - properties: - required : [jwks_uri] - - properties: - required : [introspect_url, client_credentials] - - properties: - required : [metadata_url] - - ldap: - description: 'LDAP authentication provider' - type: object - properties: - server_ip: - description: 'IP address assigned to the LDAP server' - type: string - server_name: - description: 'LDAP server name as a FQDN' - type: string - maxLength: 127 - server_port: - description: 'Port on which the LDAP server accepts connections. Default is 389' - type: integer - minimum: 1 - maximum: 65535 - base: - description: |+ - 'Base (node) from which to start LDAP searches. If the LDAP server is - running locally, the default value of base is dc=netscaler, dc=com' - type: string - maxLength: 127 - server_login_credentials: - description: |+ - 'Kubernetes secret object providing credentials to login to LDAP server, - The secret data should have username and password' - type: string - login_name: - description: |+ - 'LDAP login name attribute. 
The Citrix ADC uses the LDAP login name - to query external LDAP servers or Active Directories' - type: string - maxLength: 127 - security_type: - description: |+ - 'Type of security used for communications between the Citrix ADC - and the LDAP server. Default is TLS' - type: string - enum: ['PLAINTEXT', 'TLS', 'SSL'] - validate_server_cert: - description: 'Validate LDAP Server certs. Default is NO' - type: string - enum: ['YES', 'NO'] - hostname: - description: |+ - 'Hostname for the LDAP server. If validate_server_cert is ON, - this must be the host name on the certificate from the LDAP - A hostname mismatch will cause a connection failure' - type: string - maxLength: 127 - sub_attribute_name: - description: 'LDAP group sub-attribute name. Used for group extraction from the LDAP server.' - type: string - maxLength: 31 - group_attribute_name: - description: 'LDAP group attribute name. Used for group extraction on the LDAP server.' - type: string - maxLength: 31 - search_filter: - description: |+ - 'String to be combined with the default LDAP user search string to form the - search value. For example, if the search filter "vpnallowed=true" is combined - with the LDAP login name "samaccount" and the user-supplied username is "bob", - the result is the LDAP search string ""(&(vpnallowed=true)(samaccount=bob)"" - (Be sure to enclose the search string in two sets of double quotation marks)' - type: string - maxLength: 255 - auth_timeout: - description: |+ - 'Number of seconds the Citrix ADC waits for a response from the server - Default is 3' - type: integer - minimum: 1 - maximum: 4294967295 - password_change: - description: 'Allow password change requests. 
Default is DISABLED' - type: string - enum: ['ENABLED', 'DISABLED'] - attributes_to_save: - description: |+ - 'List of attribute names separated by comma which needs to be fetched - from LDAP server and stored as key-value pair for the session on ADC' - type: string - maxLength: 2047 - oneOf: - - properties: - required: [server_ip] - - properties: - required: [server_name] - - saml: - description: |+ - 'SAML authentication provider. - Currently SAML is supported only with authentication mechanism using forms' - type: object - properties: - metadata_url: - description: 'URL is used for obtaining saml metadata.' - type: string - maxLength: 255 - metadata_refresh_interval: - description: |+ - 'Interval in minutes for fetching metadata from specified metadata URL. - Default is 36000' - type: integer - minimum: 1 - maximum: 4294967295 - signing_cert: - description: 'SSL certificate to sign requests from SP to IDP' - type: object - properties: - tls_secret: - type: string - description: 'Name of the Kubernetes Secret of type tls referring to Certificate' - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - preconfigured: - type: string - maxLength: 63 - description: |+ - 'Preconfigured SSL certkey name on ADC with the - certificate and key already added on ADC' - oneOf: - - properties: - required: [tls_secret] - - properties: - required: [preconfigured] - audience: - description: 'Audience for which assertion sent by IdP is applicable' - type: string - maxLength: 127 - issuer_name: - description: 'The name to be used in requests sent from SP to IDP to identify citrix ADC' - type: string - maxLength: 63 - binding: - description: 'Specifies the transport mechanism of saml message. Default is POST' - type: string - enum: ['REDIRECT', 'POST', 'ARTIFACT'] - artifact_resolution_service_url: - description: 'URL of the Artifact Resolution Service on IdP' - type: string - maxLength: 255 - logout_binding: - description: 'Specifies the transport mechanism of saml logout. 
Default is POST' - type: string - enum: ['REDIRECT', 'POST'] - reject_unsigned_assertion: - description: |+ - 'Reject unsigned SAML assertions. ON, rejects assertion without signature. - STRICT ensure that both Response and Assertion are signed. Default is ON' - type: string - enum: ['ON', 'OFF', 'STRICT'] - user_field: - description: 'SAML user ID, as given in the SAML assertion' - type: string - maxLength: 63 - default_authentication_group: - description: |+ - 'This is the default group that is chosen when the authentication - succeeds in addition to extracted groups' - type: string - maxLength: 63 - skew_time: - description: |+ - 'Allowed clock skew in number of minutes on an incoming assertion. - Default is 5' - type: integer - minimum: 1 - attributes_to_save: - description: |+ - 'List of attribute names separated by comma which needs to be extracted - and stored as key-value pair for the session on ADC' - type: string - maxLength: 2047 - required: - - metadata_url - - basic_local_db: - type: object - description: |+ - 'Basic HTTP authentication supported by ADC, user data in local DB of ADC. - Users needs to be added on ADC' - properties: - use_local_auth: - description: 'Use ADC authentication' - type: string - enum: ['YES'] - - required: - - name - - authentication_policies: - description: 'Authentication policies' - type: array - items: - type: object - description: 'Authentication policy' - properties: - resource: - type: object - description: 'endpoint/resource selection criteria' - properties: - path: - description: 'api resource path e.g. /products. 
' - type: array - items: - type: string - maxLength: 511 - method: - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT','PATCH', 'UNKNOWN_METHOD'] - required: - - path - expression: - description: 'ADC syntax expression for authentication' - type: string - maxLength: 1229 - provider: - description: 'name of the authentication provider for the policy, empty if no authentication required' - type: array - items: - type: string - maxLength: 127 - maxItems: 1 - oneOf: - - required: [resource, provider] - - required: [expression, provider] - - authorization_policies: - description: 'Authorization policies' - type: array - items: - type: object - description: 'Authorization policy' - properties: - resource: - type: object - description: 'endpoint/resource selection criteria' - properties: - path: - description: 'api resource path e.g. /products. ' - type: array - items: - type: string - maxLength: 511 - method: - description: ' http method' - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT','PATCH', 'UNKNOWN_METHOD'] - claims: - description: 'authorization scopes required for selected resource saved as claims or attributes' - type: array - items: - type: object - properties: - name: - description: 'name of the claim/attribute to check' - type: string - maxLength: 127 - values: - description: 'list of claim values required for the request' - type: array - items: - type: string - maxLength: 127 - minItems: 1 - required: - - name - - values - required: - - claims - expression: - description: 'ADC syntax expression for authorization' - type: string - maxLength: 1229 - oneOf: - - required: [resource] - - required: [expression] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: listeners.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - 
group: citrix.com - names: - kind: Listener - plural: listeners - singular: listener - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - required: [spec] - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - required: [protocol] - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - protocol: - type: string - enum: ["https", "http"] - description: "Protocol for this listener" - vip: - type: string - description: "VIP address, Optional for CPX, required for Tier-1 deployments" - secondaryVips: - type: array - description: "An array of Secondary VIPs. All the VIPs will be part of an ipset" - minItems: 1 - items: - type: string - redirectPort: - type: integer - minimum: 1 - maximum: 65535 - description: "Port from which http traffic should be redirected to https" - port: - type: integer - minimum: 1 - maximum: 65535 - certificates: - type: array - description: "certificates attached to the endpoints - Not applicable for HTTP" - minItems: 1 - items: - type: object - properties: - preconfigured: - type: string - description: "Preconfigured Certificate name on ADC " - secret: - type: object - description: "Kuberentes secret object" - required: [name] - properties: - name: - type: string - description: "name of the Kubernetes Secret object where Cert is located" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - namespace: - type: string - description: "Namespace of the kubernetes secret object; Default is same namespace where the Listener object is located" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - default: - type: boolean - description: "Only one of the certificate can be marked as default which will be presented if none of 
the cert matches with the hostname" - oneOf: - - required: ["preconfigured"] - - required: ["secret"] - policies: - type: object - description: "Policies attached to the Listener" - properties: - httpprofile: - type: object - description: "HTTP profile configurations for the Listener, HTTP level configurations" - properties: - preconfigured: - type: string - description: "Preconfigured or Built-in HTTP profile name" - config: - type: object - description: "HTTP profile configuration for the listener. For individual fields, refer:https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ns/nshttpprofile/nshttpprofile/ Name field is auto populated" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - tcpprofile: - type: object - description: "TCP level configurations, uses ns tcpprofile of citrix ADC" - properties: - preconfigured: - description: "Preconfigured or Built-in TCP profile name" - type: string - config: - type: object - description: "TCPprofile configurations for the listener. For individual fields refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ns/nstcpprofile/ ; Name field is auto populated" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - csvserverConfig: - type: object - description: "CS Vserver configuration for the listener" - additionalProperties: - type: string - sslprofile: - type: object - description: "SSL profile configuration" - properties: - preconfigured: - type: string - description: "SSL profile which is preconfigured in ADC. Ciphers bound to the profile is not overriden" - config: - description: "Citrix ADC frontend SSL profile configurations. 
Refer:https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ssl/sslprofile/ for all configurations; Name field is auto generated" - type: object - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - sslciphers: - type: array - description: "List of ciphers to be bound to the ssl profile for the listener. Priority is as per the order in the list. A cipher suite, predefined cipher group or User created cipher group can be mentioned" - minItems: 1 - items: - type: string - description: "Cipher suite, cipher group name" - analyticsprofile: - type: object - description: "Analytics profile configuration" - properties: - preconfigured: - type: array - description: "Preconfigured Analytics profile that needs to be bound to the vserver" - minItems: 1 - items: - type: string - description: "Name of the analytics profile preconfigured that will be bound to the Vserver" - config: - type: array - description: "An array of analytics to be enabled" - minItems: 1 - items: - type: object - description: "Anlytics to be enabled" - required: ['type'] - properties: - type: - description: "Analytics profile to be enabled, you can enable one or more of the webinsight, tcpinsight, securityinsight, videoinsight, hdxinsight, gatewayinsight, timeseries, lsninsight, botinsight " - type: string - enum: ["webinsight", "tcpinsight", "securityinsight", "videoinsight", "hdxinsight", "gatewayinsight", "timeseries", "lsninsight", "botinsight"] - parameters: - type: object - description: "Additional parameters for analytics profile. 
Please refer:https://developer-docs.citrix.com/projects/citrix-adc-nitro-api-reference/en/latest/configuration/analytics/analyticsprofile/" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - routes: - type: array - description: "List of route objects attached to the listener" - minItems: 1 - items: - type: object - properties: - name: - type: string - description: "Name of the HTTPRoute object" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - namespace: - type: string - description: "Namespace of the HTTPRoute object" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - labelSelector: - description: "Labels key value pair, if the route carries the same labels, it is automatically attached" - type: object - additionalProperties: - type: string - oneOf: - - required: [name, namespace] - - required: [labelSelector] - defaultAction: - type: object - description: "Default action for the listener: One of Backend or Redirect" - properties: - backend: - type: object - oneOf: - - required: [kube] - properties: - kube: - type: object - required: [service, port] - properties: - service: - description: "Name of the backend service" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - port: - description: "Service port" - type: integer - minimum: 1 - maximum: 65535 - namespace: - description: "Service namespace" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - backendConfig: - description: "General backend service options" - type: object - properties: - secure_backend: - description: "Use Secure communications to the backends" - type: boolean - lbConfig: - description: "Citrix ADC LB vserver configurations for the backend. 
Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/load-balancing/lbvserver/lbvserver/ for all configurations" - type: object - additionalProperties: - type: string - servicegroupConfig: - description: "Citrix ADC service group configurations for the backend; Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/basic/servicegroup/servicegroup/ for all configurations" - type: object - additionalProperties: - type: string - redirect: - type: object - oneOf: - - required: [targetExpression] - - required: [hostRedirect] - - required: [httpsRedirect] - properties: - httpsRedirect: - description: "Change the scheme from http to https keeping URL intact" - type: boolean - hostRedirect: - description: "Host name specified is used for redirection with URL intact" - type: string - targetExpression: - description: "A target can be specified using Citrix ADC policy expression" - type: string - responseCode: - description: "Default response code is 302, which can be customised using this attribute" - type: integer - minimum: 100 - maximum: 599 - oneOf: - - required: ["backend"] - - required: ["redirect"] - subresources: - # status enables the status subresource. 
- status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: httproutes.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: HTTPRoute - plural: httproutes - singular: httproute - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - required: [rules] - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - hostname: - type: array - description: "List of domain names that share the same route, default is '*'" - minItems: 1 - items: - type: string - description: "Domain name" - rules: - type: array - description: "List Content routing rules with an action defined" - minItems: 1 - items: - type: object - required: [name, action] - properties: - name: - type: string - description: "A name to represent the rule, this is used as an identifier in content routing policy name in ADC" - minLength: 1 - maxLength: 20 - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - match: - type: array - description: "List of rules with same action" - minItems: 1 - items: - type: object - anyOf: - - required: [path] - - required: [headers] - - required: [cookies] - - required: [queryParams] - - required: [method] - - required: [policyExpression] - properties: - path: - type: object - description: "URL Path based content routing" - properties: - prefix: - type: string - description: "URL path matches the prefix expression" - exact: - type: string - description: "URL Path must match exact path" - regex: - type: string - description: "PCRE based 
regex expression for path matching" - headers: - type: array - description: "List of header for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Header details for content routing, Check for existence of a header or header name-value match" - properties: - headerName: - type: object - description: "Header name based content routing, Here existence of header is used for routing" - properties: - exact: - type: string - description: "Header Name - treated as exact must exist" - contains: - type: string - description: "Header Name - A header must exist that contain the string the name" - regex: - type: string - description: "header Name - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e header name must not exist" - oneOf: - - required: [exact] - - required: [contains] - - required: [regex] - headerValue: - type: object - description: "Header Name and Value based match" - properties: - name: - type: string - description: "Header name that must match the value" - exact: - type: string - description: "Header value - treated as exact" - contains: - type: string - description: "Header value - treated as contains" - regex: - type: string - description: "header value - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e header if present must not match the value" - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - queryParams: - type: array - description: "List of Query parameters for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Query parameters Name and Value based match" - properties: - name: - type: string - description: "Query name that must match the value. 
If no value is specified, matches with any value" - exact: - type: string - description: "Query value - Exact match" - contains: - type: string - description: "Query value - value must have the string(substring)" - regex: - type: string - description: "Query value - Value must match this regex patterm" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e query if present must not match the value" - anyOf: - - required: [name] - - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - cookies: - type: array - description: "List of Cookie params for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Cookie based routing" - properties: - name: - type: string - description: "cookie name that must match the value. If no value specified, it matches with any value" - exact: - type: string - description: "cookie value - treated as exact" - contains: - type: string - description: "cookie value - treated as substring" - regex: - type: string - description: "cookie value - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. 
I.e cookie if present must not match the value" - anyOf: - - required: [name] - - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - method: - type: string - description: "HTTP method for content routing eg: POST, PUT, DELETE etc" - policyExpression: - type: string - description: "Citrix ADC policy expressions; refer: https://docs.citrix.com/en-us/netscaler/media/expression-prefix.pdf" - action: - type: object - description: "Action for the matched rule" - properties: - backend: - type: object - oneOf: - - required: [kube] - properties: - kube: - type: object - required: [service, port] - properties: - service: - description: "Name of the backend service" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - port: - description: "Service port" - type: integer - minimum: 1 - maximum: 65535 - backendConfig: - type: object - description: "General backend service options" - properties: - secureBackend: - description: "Use Secure communications to the backends" - type: boolean - lbConfig: - description: "Citrix ADC LB vserver configurations for the backend. 
Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/load-balancing/lbvserver/lbvserver/ for all configurations" - type: object - additionalProperties: - type: string - servicegroupConfig: - description: "Citrix ADC service group configurations for the backend; Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/basic/servicegroup/servicegroup/ for all configurations" - type: object - additionalProperties: - type: string - redirect: - type: object - oneOf: - - required: [targetExpression] - - required: [hostRedirect] - - required: [httpsRedirect] - properties: - httpsRedirect: - description: "Change the scheme from http to https keeping URL intact" - type: boolean - hostRedirect: - description: "Host name specified is used for redirection with URL intact" - type: string - targetExpression: - description: "A target can be specified using Citrix ADC policy expression" - type: string - responseCode: - description: "Default response code is 302, which can be customised using this attribute" - type: integer - minimum: 100 - maximum: 599 - oneOf: - - required: ["backend"] - - required: ["redirect"] - subresources: - # status enables the status subresource. - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - # name must match the spec fields below, and be in the form: . 
- name: continuousdeployments.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: continuousdeployment - plural: continuousdeployments - singular: continuousdeployment - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - cronSpec: - type: integer - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: wafs.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: waf - plural: wafs - singular: waf - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the waf policies are applied.' 
- type: array - items: - type: string - maxLength: 127 - application_type: - description: 'Type of applications to protect' - type: array - items: - type: string - enum: ['HTML', 'JSON', 'XML'] - signatures: - description: 'Location of external signature file' - type: string - redirect_url: - description: 'When a URL is blocked/down, redirect_url represents the alternate URL where the client requests should be sent.' - type: string - html_error_object: - description: 'Location of customized error page to respond when html or common violation are hit' - type: string - xml_error_object: - description: 'Location of customized error page to respond when xml violations are hit' - type: string - json_error_object: - description: 'Location of customized error page to respond when json violations are hit' - type: string - ip_reputation: - type: object - x-kubernetes-preserve-unknown-fields: true - description: 'Enabling IP reputation feature' - target: - description: 'To control what traffic to be inspected by Web Application Firewall. 
If you do not provide the target, everything will be inspected by default' - type: object - properties: - path: - type: array - description: "List of http urls to inspect" - items: - type: string - description: "URL path" - method: - type: array - description: "List of http methods to inspect" - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT','PATCH', 'UNKNOWN_METHOD'] - header: - type: array - description: "List of http headers to inspect" - items: - type: string - description: "header name" - security_checks: - description: 'To enable/disable application firewall security checks' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true - settings: - description: 'To fine tune application firewall security checks default settings' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true - relaxations: - description: 'Section which contains relaxation rules for known traffic and false positives' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true - enforcements: - description: 'Section which contains enforcement or restriction rules' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - 
x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: bots.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: bot - plural: bots - singular: bot - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the bot policies are applied.' - type: array - items: - type: string - maxLength: 127 - signatures: - description: 'Location of external bot signature file' - type: string - redirect_url: - description: 'url to redirect when bot violation is hit' - type: string - target: - description: 'To control what traffic to be inspected by BOT. 
If you do not provide the target, everything will be inspected by default' - type: object - properties: - path: - type: array - description: "List of http urls to inspect" - items: - type: string - description: "URL path" - method: - type: array - description: "List of http methods to inspect" - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT','PATCH', 'UNKNOWN_METHOD'] - header: - type: array - description: "List of http headers to inspect" - items: - type: string - description: "header name" - security_checks: - description: 'To enable/disable bot ecurity checks' - type: object - properties: - allow_list: - type: string - enum: ['ON', 'OFF'] - block_list: - type: string - enum: ['ON', 'OFF'] - device_fingerprint: - type: string - enum: ['ON', 'OFF'] - device_fingerprint_action: - type: object - x-kubernetes-preserve-unknown-fields: true - headless_browser: - type: string - enum: ['ON','OFF'] - reputation: - type: string - enum: ['ON', 'OFF'] - ratelimit: - type: string - enum: ['ON', 'OFF'] - tps: - type: string - enum: ['ON', 'OFF'] - trap: - type: object - x-kubernetes-preserve-unknown-fields: true - bindings: - description: 'Section which contains binding rules for bot security checks' - type: object - properties: - allow_list: - type: array - items: - type: object - properties: - subnet: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - ipv6: - type: object - x-kubernetes-preserve-unknown-fields: true - ipv6_subnet: - type: object - x-kubernetes-preserve-unknown-fields: true - expression: - type: object - x-kubernetes-preserve-unknown-fields: true - - block_list: - type: array - items: - type: object - properties: - subnet: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - ipv6: - type: object - x-kubernetes-preserve-unknown-fields: true - ipv6_subnet: - 
type: object - x-kubernetes-preserve-unknown-fields: true - expression: - type: object - x-kubernetes-preserve-unknown-fields: true - ratelimit: - type: array - items: - type: object - properties: - url: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - cookie: - type: object - x-kubernetes-preserve-unknown-fields: true - geolocation: - type: object - x-kubernetes-preserve-unknown-fields: true - reputation: - type: object - x-kubernetes-preserve-unknown-fields: true - captcha: - type: array - items: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - logexp: - type: array - items: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - kbmexpr: - type: array - items: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - tps: - type: object - properties: - geolocation: - type: object - x-kubernetes-preserve-unknown-fields: true - host: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - url: - type: object - x-kubernetes-preserve-unknown-fields: true - trapinsertion: - type: object - x-kubernetes-preserve-unknown-fields: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: apigatewaypolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: apigatewaypolicy - plural: apigatewaypolicies - singular: apigatewaypolicy - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - subresources: - status: {} - schema: - openAPIV3Schema: - type: object - required: 
[spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - api_definition: - type: object - properties: - repository: - type: string - branch: - type: string - oas_secret_ref: - type: string - files: - type: array - items: - type: string - maxLength: 127 - api_proxy: - type: object - properties: - ipaddress: - type: string - port: - type: integer - protocol: - type: string - secret: - type: string - policies: - type: array - items: - type: object - properties: - name: - type: string - selector: - type: array - items: - type: object - properties: - tags: - type: array - items: - type: string - api: - type: string - method: - type: array - items: - type: string - maxLength: 127 - upstream: - type: object - properties: - service: - type: string - port: - type: integer - policy_bindings: - type: object - properties: - ratelimit: - type: object - properties: - name: - type: string - waf: - type: object - properties: - name: - type: string - rewritepolicy: - type: object - properties: - name: - type: string - bot: - type: object - properties: - name: - type: string - aaa: - type: array - items: - type: object - properties: - crd_name: - type: string - mappings: - type: array - items: - type: object - properties: - petstore_auth: - type: string - api_key: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: corspolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: corspolicy - plural: corspolicies - singular: corspolicy - shortNames: - - cp - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: 'Current Status of the CRD' - jsonPath: .status.state - - name: Message - type: string - 
description: 'Status Message' - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'The list of Kubernetes services to which you want to apply the cors policies.' - type: array - items: - type: string - maxLength: 63 - allow_origin: - description: 'Represents list of allowed origins, it is used to screen the “origin” in the cors pre flight request' - type: array - items: - type: string - maxLength: 2083 - allow_methods: - description: 'Indicates which methods are supported by the response’s URL for the purposes of the CORS protocol. This variable will be used to set Access-Control-Allow-Methods in the pre-flight cors response.' - type: array - items: - type: string - maxLength: 127 - allow_headers: - description: 'Indicates which headers are supported by the response’s URL for the purposes of the CORS protocol. This variable will be used to set Access-Control-Allow-Headers in the pre-flight cors response.' - type: array - items: - type: string - maxLength: 127 - max_age: - description: 'Indicates the number of seconds (5 by default) the information provided by the `Access-Control-Allow-Methods` and `Access-Control-Allow-Headers` headers can be cached. This variable will be used to set Access-Control-Max-Age in the pre-flight cors response.' - type: integer - allow_credentials: - description: 'Indicates whether the response can be shared when the request’s credentials mode is "include". This variable will be set to Access-Control-Allow-Credentials in the rewrite action.' 
- type: boolean - required: [servicenames, allow_origin, allow_methods, allow_headers] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: appqoepolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: appqoepolicy - plural: appqoepolicies - singular: appqoepolicy - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - appqoe-policies: - type: array - items: - type: object - properties: - servicenames: - description: 'Name of the services that needs to be binded to appqoe policy.' - type: array - items: - type: string - maxLength: 127 - appqoe-policy: - type: object - properties: - operation-retry: - type: object - properties: - on-reset: - description: "To set Retry on Connection Reset or Not" - type: string - enum: ['YES','NO'] - on-timeout: - description: "Time in milliseconds for retry" - type: integer - minimum: 30 - maximum: 2000 - number-of-retries: - description: "To set number of retries" - type: integer - minimum: 1 - maximum: 7 - required: [operation-retry] - appqoe-criteria: - description: 'Expression against which traffic is evaluated.' - type: string - maxLength: 1299 - direction: - description: 'Bind point to which to bind the policy.' 
- type: string - enum: ["REQUEST","RESPONSE"] - required: [appqoe-criteria, operation-retry] - required: [appqoe-policy] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: wildcarddnsentries.citrix.com -spec: - group: citrix.com - names: - kind: wildcarddnsentry - plural: wildcarddnsentries - singular: wildcarddnsentry - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: Current Status of the CRD - jsonPath: .status.state - - name: Message - type: string - description: Status Message - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - zone: - type: object - description: DNS configuration for a zone - properties: - domain: - type: string - description: Domain name - dnsaddrec: - type: object - description: DNS Address record - properties: - domain-ip: - type: string - description: IPv4 addresses to assign to the domain name - ttl: - type: integer - description: >- - TTL is the time for which the record must be cached - by DNS proxies - dnsaaaarec: - type: object - description: DNS AAAA record - properties: - domain-ip: - type: string - description: IPv6 addresses to assign to the domain name - ttl: - type: integer - description: >- - TTL is the time for which the record must be cached - by DNS proxies - soarec: - type: object - description: SOA record - properties: - origin-server: - type: string - description: Origin server domain - contact: - type: string - description: Admin contact - serial: - type: integer - description: >- - The secondary server uses this parameter to - determine whether it requires a zone transfer from - the primary server. 
- refresh:
- type: integer
- description: >-
- Time, in seconds, for which a secondary server must
- wait between successive checks on the value of the
- serial number.
- retry:
- type: integer
- description: >-
- Time, in seconds, between retries if a secondary server's
- attempt to contact the primary server for a zone refresh fails.
- expire:
- type: integer
- description: >-
- Time, in seconds, after which the zone data on a secondary
- nameserver can no longer be considered authoritative because
- all refresh and retry attempts made during the period have failed."
- nsrec:
- type: object
- description: Name server record
- properties:
- nameserver:
- type: string
- description: Host name of the name server to add to the domain.
- ttl:
- type: integer
- description: >-
- Time to Live (TTL), in seconds, for the record. TTL
- is the time for which the record must be cached by
- DNS proxies. The specified TTL is applied to all the
- resource records that are of the same record type
- and belong to the specified domain name
----
-{{- end }}
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.33.4/templates/citrix-k8s-cpx-ingress.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.33.4/templates/citrix-k8s-cpx-ingress.yaml
deleted file mode 100644
index d7d610ea01..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.33.4/templates/citrix-k8s-cpx-ingress.yaml
+++ /dev/null
@@ -1,422 +0,0 @@
-apiVersion: apps/v1
-{{- if or .Values.cpxBgpRouter .Values.daemonSet }}
-kind: DaemonSet
-{{- else }}
-kind: Deployment
-{{- end }}
-metadata:
- name: {{ include "citrix-cpx-ingress-controller.fullname" . }}
- namespace: {{ .Release.Namespace }}
-spec:
- selector:
- matchLabels:
- app: {{ include "citrix-cpx-ingress-controller.fullname" . }}
-{{- if not ( or .Values.cpxBgpRouter .Values.daemonSet ) }}
- replicas: {{ .Values.replicaCount }}
-{{- end }}
- template:
- metadata:
- name: {{ include "citrix-cpx-ingress-controller.fullname" . }}
- labels:
- app: {{ include "citrix-cpx-ingress-controller.fullname" . }}
- adc: "citrix"
-{{- with .Values.podAnnotations }}
- annotations:
- {{- toYaml . | nindent 8 }}
-{{- end }}
- spec:
- serviceAccountName: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }}
-{{- if .Values.cpxBgpRouter }}
- hostNetwork: true
-{{- end }}
- containers:
- - name: cpx-ingress
- image: "{{ tpl .Values.image . }}"
- imagePullPolicy: {{ .Values.pullPolicy }}
- tty: true
- securityContext:
- privileged: true
- env:
- - name: POD_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
-{{- if .Values.cpxLicenseAggregator }}
- - name: "CLA"
- value: {{ .Values.cpxLicenseAggregator | quote }}
-{{- else if .Values.ADMSettings.licenseServerIP }}
- - name: "LS_IP"
- value: {{ .Values.ADMSettings.licenseServerIP | quote }}
- - name: "LS_PORT"
- value: {{ .Values.ADMSettings.licenseServerPort | quote }}
-{{- end }}
- - name: "EULA"
- value: "{{ .Values.license.accept }}"
- - name: "KUBERNETES_TASK_ID"
- value: ""
-{{- if not .Values.cpxBgpRouter }}
- - name: "MGMT_HTTP_PORT"
- value: {{ .Values.mgmtHttpPort | quote }}
- - name: "MGMT_HTTPS_PORT"
- value: {{ .Values.mgmtHttpsPort | quote }}
-{{- end }}
-{{- if .Values.cpxBgpRouter }}
- name: NS_NETMODE
- value: HOST
-{{- if .Values.nsIP }}
- - name: "NS_IP"
- value: "{{ .Values.nsIP }}" -{{- end }} -{{- if .Values.nsGateway }} - - name: "NS_GATEWAY" - value: "{{ .Values.nsGateway }}" -{{- end }} -{{- end }} -{{- if .Values.ADMSettings.ADMIP }} - - name: "NS_MGMT_SERVER" - value: {{ .Values.ADMSettings.ADMIP | quote }} - - name: "NS_HTTP_PORT" - value: {{ .Values.mgmtHttpPort | quote }} - - name: "NS_HTTPS_PORT" - value: {{ .Values.mgmtHttpsPort | quote }} - - name: "LOGSTREAM_COLLECTOR_IP" - value: {{ .Values.ADMSettings.ADMIP | quote }} - - name: "ANALYTICS_SERVER" - value: {{ .Values.ADMSettings.ADMIP | quote }} - - name: "ANALYTICS_SERVER_PORT" - value: {{ .Values.ADMSettings.analyticsServerPort | quote }} -{{- end }} -##Need to set env var BANDWIDTH in order to provide Bandwidth license to Citrix ADC CPX from ADM or CPX License Aggregator -{{- if and ( or ( .Values.ADMSettings.licenseServerIP ) ( .Values.cpxLicenseAggregator ) ) ( eq .Values.ADMSettings.bandWidthLicense true ) }} - - name: "BANDWIDTH" - value: {{ .Values.ADMSettings.bandWidth | quote }} -{{- end }} -#for multiple-PE support, need to set CPX_CORES -{{- if or .Values.ADMSettings.licenseServerIP .Values.cpxLicenseAggregator }} -{{- if or ( eq .Values.ADMSettings.vCPULicense true ) ( eq .Values.ADMSettings.bandWidthLicense true ) }} - - name: "CPX_CORES" - value: {{ .Values.ADMSettings.cpxCores | default 1 | quote }} -{{- end }} -{{- end }} - - name: "EDITION" - value: {{ .Values.ADMSettings.licenseEdition }} -{{- if or (.Values.ADMSettings.ADMIP) (.Values.ADMSettings.licenseServerIP) }} - - name: NS_MGMT_USER - valueFrom: - secretKeyRef: - name: {{ required "Provide Secret for ADM/LicenseServer credentials" .Values.ADMSettings.loginSecret }} - key: username - - name: NS_MGMT_PASS - valueFrom: - secretKeyRef: - name: {{ required "Provide Secret for ADM/LicenseServer credentials" .Values.ADMSettings.loginSecret }} - key: password -{{- end }} -{{- if .Values.exporter.required }} - - name: "METRICS_EXPORTER_PORT" - value: {{ 
.Values.exporter.ports.containerPort | quote }} -{{- end }} - resources: - {{- toYaml .Values.resources | nindent 12 }} - volumeMounts: - - mountPath: /var/deviceinfo - name: shared-data - - mountPath: /cpx/ - name: cpx-volume - - mountPath: /cpx/conf - name: cpx-volume-conf -{{- if .Values.cic.required }} - # Add cic as a sidecar - - name: cic - image: "{{ tpl .Values.cic.image . }}" - imagePullPolicy: {{ .Values.cic.pullPolicy }} - env: - - name: "EULA" - value: "{{ .Values.license.accept }}" -{{- if .Values.cpxBgpRouter }} - - name: "NS_IP" - value: {{ .Values.nsIP | default "192.168.1.2" | quote }} -{{- else }} - - name: "NS_IP" - value: "127.0.0.1" -{{- end }} -{{- if .Values.rbacRole }} - - name: "SCOPE" - value: "local" -{{- end }} - - name: "NS_APPS_NAME_PREFIX" - value: {{ .Values.entityPrefix | default "k8s"| quote }} - - name: "NS_DEPLOYMENT_MODE" - value: "SIDECAR" -{{- if and .Values.openshift .Values.routeLabels }} - - name: "ROUTE_LABELS" - value: {{ .Values.routeLabels | quote}} -{{- end }} -{{- if and .Values.openshift .Values.namespaceLabels }} - - name: "NAMESPACE_LABELS" - value: {{ .Values.namespaceLabels | quote }} -{{- end }} -{{- if .Values.cpxBgpRouter }} -{{- if eq (upper .Values.nsProtocol) "HTTPS" }} - - name: NS_PROTOCOL - value: HTTPS - - name: NS_PORT - value: "9443" -{{- else }} - - name: NS_PROTOCOL - value: HTTP - - name: NS_PORT - value: "9080" -{{- end }} -{{- if .Values.bgpPort }} - - name: "BGP_PORT" - value: {{ .Values.bgpPort | quote }} -{{- end }} -{{- end }} - - name: "NS_ENABLE_MONITORING" - value: "YES" -{{- if .Values.logProxy }} - - name: "NS_LOGPROXY" - value: {{ .Values.logProxy | quote }} -{{- end }} -{{- if .Values.ingressIP }} - - name: "NS_VIP" - value: {{ .Values.ingressIP | quote }} -{{- end }} -{{- if .Values.nitroReadTimeout }} - - name: "NS_NITRO_READ_TIMEOUT" - value: "{{ .Values.nitroReadTimeout }}" -{{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: 
POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName -{{- if .Values.kubernetesURL }} - - name: "kubernetes_url" - value: "{{ .Values.kubernetesURL }}" -{{- end }} -{{- if .Values.disableOpenshiftRoutes }} - - name: "DISABLE_OPENSHIFT_ROUTES" - value: "{{ .Values.disableOpenshiftRoutes }}" -{{- end }} -{{- if .Values.nsConfigDnsRec }} - - name: "NS_CONFIG_DNS_REC" - value: "{{ .Values.nsConfigDnsRec }}" -{{- end }} -{{- if .Values.nsSvcLbDnsRec }} - - name: "NS_SVC_LB_DNS_REC" - value: "{{ .Values.nsSvcLbDnsRec }}" -{{- end }} -{{- if .Values.optimizeEndpointBinding }} - - name: "OPTIMIZE_ENDPOINT_BINDING" - value: "{{ .Values.optimizeEndpointBinding }}" -{{- end }} -{{- if .Values.cpxBgpRouter }} - securityContext: - runAsUser: 0 - capabilities: - add: - - NET_ADMIN -{{- end }} - args: - - --configmap - {{ .Release.Namespace }}/{{ include "cpxconfigmap.fullname" . }} -{{- if .Values.ipam }} - - --ipam - citrix-ipam-controller -{{- end }} -{{- if .Values.disableAPIServerCertVerify }} - - --disable-apiserver-cert-verify - {{ .Values.disableAPIServerCertVerify }} -{{- end }} -{{- if .Values.cpxBgpRouter }} - - --deployment-type - kube-bgp-router -{{- end }} -{{- if .Values.ingressClass }} - - --ingress-classes -{{- range .Values.ingressClass}} - {{.}} -{{- end }} -{{- end }} -{{- if .Values.defaultSSLCertSecret }} - - --default-ssl-certificate - {{ .Release.Namespace }}/{{ .Values.defaultSSLCertSecret }} -{{- end }} -{{- end }} -{{- if .Values.updateIngressStatus }} -{{- if .Values.cpxBgpRouter }} - - --update-ingress-status - yes -{{- else }} - - --cpx-service - {{ .Release.Namespace }}/{{ include "cpxservice.fullname" . 
}} -{{- end }} -{{- end }} - volumeMounts: - - mountPath: /var/deviceinfo - name: shared-data - resources: - {{- toYaml .Values.cic.resources | nindent 12 }} -{{- if .Values.exporter.required }} - - name: exporter - image: "{{ tpl .Values.exporter.image . }}" - imagePullPolicy: {{ .Values.exporter.pullPolicy }} - args: - - "--secure=no" -{{- if .Values.cpxBgpRouter }} - - --target-nsip={{ .Values.nsIP | default "192.168.1.2" }}:9080 -{{- else }} - - "--target-nsip=127.0.0.1" -{{- end }} - - "--port={{ .Values.exporter.ports.containerPort }}" - env: - - name: "NS_DEPLOYMENT_MODE" - value: "SIDECAR" - securityContext: - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /var/deviceinfo - name: shared-data - resources: - {{- toYaml .Values.exporter.resources | nindent 12 }} -{{- end }} - volumes: - - name: shared-data - emptyDir: {} - - name: cpx-volume - emptyDir: {} - - name: cpx-volume-conf - emptyDir: {} -{{- if and .Values.nodeSelector.key .Values.nodeSelector.value }} - nodeSelector: - {{ .Values.nodeSelector.key }}: {{ .Values.nodeSelector.value }} -{{- end }} -{{- if .Values.tolerations }} - tolerations: {{ .Values.tolerations | toYaml | nindent 8 }} -{{- end }} -{{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} -{{- end }} - ---- -{{- if .Values.cpxBgpRouter }} -{{- if .Values.exporter.required }} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "cpxexporter.fullname" . }} - labels: - app: {{ include "cpxexporter.fullname" . }} - service-type: {{ include "cpxservicemonitorlabel" . }} -spec: - type: ClusterIP - ports: - - port: {{ .Values.exporter.ports.containerPort }} - targetPort: {{ .Values.exporter.ports.containerPort }} - name: exporter-port - selector: - app: {{ include "citrix-cpx-ingress-controller.fullname" . }} -{{- end }} -{{- else }} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "cpxservice.fullname" . }} - labels: - app: cpx-service - service-type: {{ include "cpxservicemonitorlabel" . 
}} -{{- if .Values.serviceAnnotations }} - annotations: -{{- with .Values.serviceAnnotations }} -{{ toYaml . | indent 4 }} -{{- end }} -{{- end }} -spec: -{{- if or .Values.serviceType.loadBalancer.enabled ( and (.Values.updateIngressStatus) (not .Values.cpxBgpRouter)) }} - externalTrafficPolicy: {{ .Values.serviceSpec.externalTrafficPolicy }} - type: LoadBalancer -{{- if .Values.serviceSpec.loadBalancerIP }} - loadBalancerIP: {{ .Values.serviceSpec.loadBalancerIP }} -{{- end }} -{{- else if .Values.serviceType.nodePort.enabled }} - type: NodePort - externalTrafficPolicy: {{ .Values.serviceSpec.externalTrafficPolicy }} -{{- end }} -{{- if and .Values.serviceType.loadBalancer.enabled .Values.serviceSpec.loadBalancerSourceRanges }} - loadBalancerSourceRanges: -{{- range .Values.serviceSpec.loadBalancerSourceRanges}} - - {{.}} -{{- end }} -{{- end }} - ports: -{{- if .Values.servicePorts }} -{{- with .Values.servicePorts }} -{{ toYaml . | indent 2 }} -{{- end }} -{{- else }} - - port: 80 - protocol: TCP - name: http -{{- if and .Values.serviceType.nodePort.enabled .Values.serviceType.nodePort.httpPort }} - nodePort: {{ .Values.serviceType.nodePort.httpPort }} -{{- end }} - - port: 443 - protocol: TCP - name: https -{{- if and .Values.serviceType.nodePort.enabled .Values.serviceType.nodePort.httpsPort }} - nodePort: {{ .Values.serviceType.nodePort.httpsPort}} -{{- end }} -{{- end }} -{{- if .Values.exporter.required }} - - port: {{ .Values.exporter.ports.containerPort }} - targetPort: {{ .Values.exporter.ports.containerPort }} - name: exporter-port -{{- end }} - selector: - app: {{ include "citrix-cpx-ingress-controller.fullname" . }} -{{- end }} - ---- - -{{- if .Values.exporter.required }} - -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ include "cpxservicemonitor.fullname" . 
}} - namespace: {{ .Release.Namespace }} - labels: - servicemonitor: citrix-adc-cpx -spec: - endpoints: - - interval: 30s - port: exporter-port - selector: - matchLabels: - service-type: {{ include "cpxservicemonitorlabel" . }} - namespaceSelector: - matchNames: - - monitoring - - default - - {{ .Release.Namespace }} - -{{- end }} diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.33.4/templates/configmap.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.33.4/templates/configmap.yaml deleted file mode 100644 index ac7aab2a29..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.33.4/templates/configmap.yaml +++ /dev/null 
@@ -1,86 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "cpxconfigmap.fullname" . }} - namespace: {{ .Release.Namespace }} -data: - LOGLEVEL: {{ .Values.logLevel | quote | lower }} - JSONLOG: {{ .Values.jsonLog | quote | lower }} -{{- if eq (upper .Values.nsProtocol) "HTTPS" }} - NS_PROTOCOL: "https" -{{- if .Values.cpxBgpRouter }} - NS_PORT: "9443" -{{- else }} - NS_PORT: "443" -{{- end }} -{{- else }} - NS_PROTOCOL: "http" -{{- if .Values.cpxBgpRouter }} - NS_PORT: "9080" -{{- else }} - NS_PORT: "80" -{{- end }} -{{- end }} - -{{- if ne (upper .Values.nsHTTP2ServerSide) "OFF" }} - NS_HTTP2_SERVER_SIDE: {{ .Values.nsHTTP2ServerSide | quote }} -{{- end }} -{{- if ne (toString .Values.nsCookieVersion) "0" }} - NS_COOKIE_VERSION: {{ .Values.nsCookieVersion | quote }} -{{- end }} -{{- if .Values.nsDnsNameserver }} - NS_DNS_NAMESERVER: {{ .Values.nsDnsNameserver }} -{{- end }} - -{{- if .Values.analyticsConfig.required }} - NS_ANALYTICS_CONFIG: | - distributed_tracing: - enable: {{ .Values.analyticsConfig.distributedTracing.enable | quote }} - samplingrate: {{ .Values.analyticsConfig.distributedTracing.samplingrate }} - endpoint: - server: {{ include "analytics.server" . | quote }} - service: {{ .Values.analyticsConfig.endpoint.service | quote }} - timeseries: - port: {{ .Values.analyticsConfig.timeseries.port }} - metrics: - enable: {{ .Values.analyticsConfig.timeseries.metrics.enable | quote }} - mode: {{ .Values.analyticsConfig.timeseries.metrics.mode | quote }} - auditlogs: - enable: {{ .Values.analyticsConfig.timeseries.auditlogs.enable | quote }} - events: - enable: {{ .Values.analyticsConfig.timeseries.events.enable | quote }} - transactions: - enable: {{ .Values.analyticsConfig.transactions.enable | quote }} - port: {{ .Values.analyticsConfig.transactions.port }} -{{- end }} - -{{- if .Values.cpxBgpRouter }} -{{- if .Values.bgpSettings.required }} - NS_BGP_CONFIG: | -{{- with .Values.bgpSettings.bgpConfig }} - bgpConfig: -{{ toYaml . 
| indent 4 }} -{{- end }} -{{- end }} -{{- end }} - -{{- if .Values.nsLbHashAlgo.required }} - NS_LB_HASH_ALGO: | - hashFingers: {{ .Values.nsLbHashAlgo.hashFingers }} - hashAlgorithm: {{ .Values.nsLbHashAlgo.hashAlgorithm | quote }} -{{- end }} - -{{- if .Values.profileSslFrontend }} - FRONTEND_SSL_PROFILE: | - {{- toYaml .Values.profileSslFrontend | nindent 4 }} -{{- end }} - -{{- if .Values.profileTcpFrontend }} - FRONTEND_TCP_PROFILE: | - {{- toYaml .Values.profileTcpFrontend | nindent 4 }} -{{- end }} - -{{- if .Values.profileHttpFrontend }} - FRONTEND_HTTP_PROFILE: | - {{- toYaml .Values.profileHttpFrontend | nindent 4 }} -{{- end }} \ No newline at end of file diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.33.4/templates/ingressclass.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.33.4/templates/ingressclass.yaml deleted file mode 100644 index d75537b79f..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.33.4/templates/ingressclass.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{- $default := .Values.setAsDefaultIngressClass -}} -{{- if semverCompare ">=1.19.0-0" .Capabilities.KubeVersion.GitVersion }} -{{- if .Values.ingressClass }} -{{- range .Values.ingressClass }} -apiVersion: networking.k8s.io/v1 -kind: IngressClass -metadata: - name: {{ . | quote }} -{{- if $default }} - annotations: - ingressclass.kubernetes.io/is-default-class: "true" -{{- end }} -spec: - controller: citrix.com/ingress-controller ---- -{{- end }} -{{- end }} -{{- end }} diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.33.4/templates/rbac.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.33.4/templates/rbac.yaml deleted file mode 100644 index d812e76751..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.33.4/templates/rbac.yaml +++ /dev/null 
@@ -1,106 +0,0 @@ -{{- if not .Values.rbacRole }} -kind: ClusterRole -{{- else }} -kind: Role -{{- end }} -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }} -{{- if .Values.rbacRole }} - namespace: {{ .Release.Namespace }} -{{- end }} -rules: - - apiGroups: [""] -{{- if .Values.openshift }} - resources: ["endpoints", "pods", "secrets", "routes", "tokenreviews", "subjectaccessreviews", "nodes", "namespaces", "configmaps", "services"] -{{- else }} - resources: ["endpoints", "pods", "secrets", "routes", "nodes", "namespaces", "configmaps", "services"] -{{- end }} - verbs: ["get", "list", "watch"] - # services/status is needed to update the loadbalancer IP in service status for integrating - # service of type LoadBalancer with external-dns - - apiGroups: [""] - resources: ["services/status"] - verbs: ["patch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create"] - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["extensions","networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["patch"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingressclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apps"] - resources: ["deployments"] - verbs: ["get", "list", "watch"] - - apiGroups: ["citrix.com"] - resources: ["rewritepolicies", "continuousdeployments", "authpolicies", "ratelimits", "listeners", "httproutes", "wafs", "apigatewaypolicies", "bots", "corspolicies", "appqoepolicies", "wildcarddnsentries"] - verbs: ["get", "list", "watch", "create", "delete", "patch"] - - apiGroups: ["citrix.com"] - resources: ["rewritepolicies/status", "continuousdeployments/status", "authpolicies/status", "ratelimits/status", "listeners/status", "httproutes/status", "wafs/status", 
"apigatewaypolicies/status", "bots/status", "corspolicies/status", "appqoepolicies/status", "wildcarddnsentries/status"] - verbs: ["patch"] - - apiGroups: ["citrix.com"] - resources: ["vips"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: ["crd.projectcalico.org"] - resources: ["ipamblocks"] - verbs: ["get", "list", "watch"] -{{- if .Values.openshift }} - - apiGroups: ["route.openshift.io"] - resources: ["routes"] - verbs: ["get", "list", "watch"] - - apiGroups: ["network.openshift.io"] - resources: ["hostsubnets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["config.openshift.io"] - resources: ["networks"] - verbs: ["get", "list"] -{{- end }} - ---- - -{{- if not .Values.rbacRole }} -kind: ClusterRoleBinding -{{- else }} -kind: RoleBinding -{{- end }} -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }} -{{- if .Values.rbacRole }} - namespace: {{ .Release.Namespace }} -{{- end }} -roleRef: - apiGroup: rbac.authorization.k8s.io -{{- if not .Values.rbacRole }} - kind: ClusterRole -{{- else }} - kind: Role -{{- end }} - name: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }} -subjects: -- kind: ServiceAccount - name: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- if .Values.imagePullSecrets }} -imagePullSecrets: -{{- range .Values.imagePullSecrets }} -- name: {{.}} -{{- end }} -{{- end }} - diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.33.4/values.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.33.4/values.yaml deleted file mode 100644 index 9f20aa04c0..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.33.4/values.yaml +++ /dev/null 
@@ -1,244 +0,0 @@ -# Default values for citrix-cpx-with-ingress-controller. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -# Citrix ADC CPX config details -imageRegistry: quay.io -imageRepository: citrix/citrix-k8s-cpx-ingress -imageTag: 13.1-37.38 -image: "{{ .Values.imageRegistry }}/{{ .Values.imageRepository }}:{{ .Values.imageTag }}" -pullPolicy: IfNotPresent -imagePullSecrets: [] -daemonSet: False -nameOverride: "" -replicaCount: 1 -fullnameOverride: "" -mgmtHttpPort: 9080 -mgmtHttpsPort: 9443 -openshift: false -nsHTTP2ServerSide: "OFF" -nsCookieVersion: "0" -nsConfigDnsRec: -nsSvcLbDnsRec: -nsDnsNameserver: -optimizeEndpointBinding: -routeLabels: -namespaceLabels: - -# Service Type LoadBalancer and ingress support with CPX through BGP advertisement -# If you enable this, CPX is run as DaemonSet. Please edit the bgpSettings for configuring -# BGP neighbors for propgation of external IPs. -cpxBgpRouter: false - -# If cpxBgpRouter is true, then this is the NSIP used by CPX for internal communication -nsIP: 192.168.1.2 - -# If cpxBgpRouter is true, then this is the Gateway used by CPX for internal communication -nsGateway: 192.168.1.1 - -# Protocol used for communication between Citrix Ingress Controller sidecar and Citrix CPX -nsProtocol: http - -# External IP for ingress resource when bgpRouter is set to True -ingressIP: - -# If IPAM controller is used for auto allocation of the external IP for service of type LoadBalancer, set this option to true -ipam: False - -# Enable RBAC role (so called local role), by default CIC deployed with ClusterRole. 
-# below variable to deploy CIC with RBAC role, only ingress service supported with this config -rbacRole: False - -# API server Cert verification can be disabled, while communicating with API Server, if disableAPIServerCertVerify set to True -disableAPIServerCertVerify: False - -cpxLicenseAggregator: - -sslCertManagedByAWS: False - -nodeSelector: - key: - value: -tolerations: [] - -serviceType: - loadBalancer: - enabled: False - nodePort: - enabled: False - httpPort: - httpsPort: - -serviceAnnotations: {} - -serviceSpec: - externalTrafficPolicy: "Cluster" - loadBalancerIP: - loadBalancerSourceRanges: [] - -servicePorts: [] - -# Citrix Ingress Controller config details -cic: - imageRegistry: quay.io - imageRepository: citrix/citrix-k8s-ingress-controller - imageTag: 1.33.4 - image: "{{ .Values.cic.imageRegistry }}/{{ .Values.cic.imageRepository }}:{{ .Values.cic.imageTag }}" - pullPolicy: IfNotPresent - required: true - resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # Following values depends on no of ingresses configured by Ingress Controllers, so it is - # advised to test with maximum no of ingresses to set these values. 
- # limits: - # cpu: 1000m - # memory: 1000Mi - # requests: - # cpu: 250m - # memory: 256Mi -entityPrefix: -license: - accept: no -ingressClass: -setAsDefaultIngressClass: False -# nitroReadTimeout is timeout value in seconds for nitro api read timeout(default is 20) -nitroReadTimeout: -logLevel: INFO -jsonLog: false -defaultSSLCertSecret: -updateIngressStatus: False -logProxy: -kubernetesURL: -disableOpenshiftRoutes: -profileSslFrontend: {} - # preconfigured: my_ssl_profile - # OR - # config: - # tls13: 'ENABLED' - # hsts: 'ENABLED' -profileHttpFrontend: {} - # preconfigured: my_http_profile - # OR - # config: - # dropinvalreqs: 'ENABLED' - # websocket: 'ENABLED' -profileTcpFrontend: {} - # preconfigured: my_tcp_profile - # OR - # config: - # sack: 'ENABLED' - # nagle: 'ENABLED' - - -# Citrix ADM/License Server config details -ADMSettings: - licenseServerIP: - licenseServerPort: 27000 - ADMIP: - loginSecret: - bandWidthLicense: false - bandWidth: 1000 #bandwidth value shoule be in Mbps - vCPULicense: false - cpxCores: - analyticsServerPort: 5557 - licenseEdition: PLATINUM - -# Exporter config details -exporter: - required: false - imageRegistry: quay.io - imageRepository: citrix/citrix-adc-metrics-exporter - imageTag: 1.4.9 - image: "{{ .Values.exporter.imageRegistry }}/{{ .Values.exporter.imageRepository }}:{{ .Values.exporter.imageTag }}" - pullPolicy: IfNotPresent - ports: - containerPort: 8888 - resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
- # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - - -# For CRDs supported by Citrix Ingress Controller -crds: - install: false - retainOnDelete: false - -# Config required to be done by Citrix Ingress Controller for sending metrics to Citrix Observability Exporter -analyticsConfig: - required: false - distributedTracing: - enable: false - samplingrate: 100 - endpoint: - server: - service: - timeseries: - port: 5563 - metrics: - enable: false - mode: 'avro' - auditlogs: - enable: false - events: - enable: false - transactions: - enable: false - port: 5557 - -# BGP configurations: local AS, remote AS and remote address is mandatory to provide. Please do the approrpiate changes with respect to your environment -bgpSettings: - # When bgpConfig is configured correctly, set the required to true for the configuration to be applied. - required: false - bgpConfig: - - bgpRouter: - # Local AS number for BGP advertisement - localAS: 100 - neighbor: - # Address of the nighbor router for BGP advertisement - - address: - # Remote AS number - remoteAS: 100 - advertisementInterval: 10 - ASOriginationInterval: 10 - -bgpPort: - -nsLbHashAlgo: - required: false - hashFingers: 256 - hashAlgorithm: 'DEFAULT' - -# Specifies whether a ServiceAccount should be created -serviceAccount: - create: true - # The name of the ServiceAccount to use. - # If not set and `create` is true, a name is generated using the fullname template - # name: - -podAnnotations: {} - -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:' - # This is the resource for CPX container. 
- # limits: - # cpu: 500m - # memory: 512Mi - # requests: - # cpu: 100m - # memory: 128Mi - -affinity: {} diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.34.16/Chart.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.34.16/Chart.yaml deleted file mode 100644 index 6a88b2b623..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.34.16/Chart.yaml +++ /dev/null @@ -1,22 +0,0 @@ -annotations: - catalog.cattle.io/certified: partner - catalog.cattle.io/display-name: Citrix Cpx with Ingress Controller - catalog.cattle.io/kube-version: '>=v1.16.0-0' - catalog.cattle.io/release-name: citrix-cpx-with-ingress-controller -apiVersion: v2 -appVersion: 1.34.16 -deprecated: true -description: A Helm chart for Citrix ADC CPX with Citrix ingress Controller running - as sidecar. -home: https://www.cloud.com -icon: https://raw.githubusercontent.com/citrix/citrix-helm-charts/gh-pages/icon.png -kubeVersion: '>=v1.16.0-0' -maintainers: -- email: priyanka.sharma@cloud.com - name: priyankash-citrix -- email: subash.dangol@cloud.com - name: subashd -name: citrix-cpx-with-ingress-controller -sources: -- https://github.com/citrix/citrix-k8s-ingress-controller -version: 1.34.16 diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.34.16/README.md b/charts/citrix/citrix-cpx-with-ingress-controller/1.34.16/README.md deleted file mode 100644 index 478a45149e..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.34.16/README.md +++ /dev/null 
@@ -1,577 +0,0 @@
-# Citrix ADC CPX with Citrix Ingress Controller running as sidecar.
-
-In a [Kubernetes](https://kubernetes.io/) or [OpenShift](https://www.openshift.com) cluster, you can deploy [Citrix ADC CPX](https://docs.citrix.com/en-us/citrix-adc-cpx) with Citrix ingress controller as a [sidecar](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/). The Citrix ADC CPX instance is used for load balancing the North-South traffic to the microservices in your cluster. And, the sidecar Citrix ingress controller configures the Citrix ADC CPX.
-
-## TL;DR;
-
-### For Kubernetes
- ```
- helm repo add citrix https://citrix.github.io/citrix-helm-charts/
-
- helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes
- ```
-
- To install Citrix Provided Custom Resource Definition(CRDs) along with Citrix Ingress Controller
- ```
- helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,crds.install=true
- ```
-
-### For OpenShift
-
- ```
- helm repo add citrix https://citrix.github.io/citrix-helm-charts/
-
- helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,openshift=true
- ```
-
- To install Citrix Provided Custom Resource Definition(CRDs) along with Citrix Ingress Controller
- ```
- helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,openshift=true,crds.install=true
- ```
-
-> **Important:**
->
-> The "license.accept" is a mandatory argument and should be set to "yes" to accept the terms of the Citrix license.
-
-
-## Introduction
-This Helm chart deploys a Citrix ADC CPX with Citrix ingress controller as a sidecar in the [Kubernetes](https://kubernetes.io/) or in the [Openshift](https://www.openshift.com) cluster using the [Helm](https://helm.sh/) package manager.
-
-### Prerequisites
-
-- The [Kubernetes](https://kubernetes.io/) version should be 1.16 and above if using Kubernetes environment.
-- The [Openshift](https://www.openshift.com) version 4.8 or later if using OpenShift platform.
-- The [Helm](https://helm.sh/) version 3.x or later. You can follow instruction given [here](https://github.com/citrix/citrix-helm-charts/blob/master/Helm_Installation_version_3.md) to install the same.
-- You have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator), if you want to view the metrics of the Citrix ADC CPX collected by the [metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics).
-- Registration of Citrix ADC CPX in ADM: You may want to register your CPX in ADM for licensing or to obtain [servicegraph](https://docs.citrix.com/en-us/citrix-application-delivery-management-service/application-analytics-and-management/service-graph.html). For this you will have to create a Kubernetes secret using ADM credentials and provide it while install the chart. Create a Kubernetes secret for the user name and password using the following command:
-
- ```
- kubectl create secret generic admlogin --from-literal=username= --from-literal=password= -n citrix-system
- ```
-
-## Installing the Chart
-Add the Citrix Ingress Controller helm chart repository using command:
-
- ```
- helm repo add citrix https://citrix.github.io/citrix-helm-charts/
- ```
-
-### For Kubernetes:
-#### 1. Citrix ADC CPX with Citrix Ingress Controller running as side car.
-To install the chart with the release name ``` my-release```:
-
- ```
- helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,ingressClass[0]=
- ```
-
-> **Note:**
->
-> By default the chart installs the recommended [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) roles and role bindings.
- -The command deploys Citrix ADC CPX with Citrix ingress controller as a sidecar on the Kubernetes cluster with the default configuration. The [configuration](#configuration) section lists the mandatory and optional parameters that you can configure during installation. - -#### 2. Citrix ADC CPX with Citrix Ingress Controller and Exporter running as side car. -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed as sidecar to the Citrix ADC CPX and collects metrics from the Citrix ADC CPX instance. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. -> **Note:** -> -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). - -Use the following command for this: - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,ingressClass[0]=,exporter.required=true - ``` - -### For OpenShift: -Add the name of the service account created when the chart is deployed to the privileged Security Context Constraints of OpenShift: - - ``` - oc adm policy add-scc-to-user privileged system:serviceaccount:: - ``` - -#### 1. Citrix ADC CPX with Citrix Ingress Controller running as side car. -To install the chart with the release name, `my-release`, use the following command: - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,openshift=true - ``` - -#### 2. Citrix ADC CPX with Citrix Ingress Controller and Exporter running as side car. -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed as sidecar to the Citrix ADC CPX and collects metrics from the Citrix ADC CPX instance. 
You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. -> **Note:** -> -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). - -Use the following command for this: - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,openshift=true,exporter.required=true - ``` - -### Installed components - -The following components are installed: - -- [Citrix ADC CPX](https://docs.citrix.com/en-us/citrix-adc-cpx/netscaler-cpx.html) -- [Citrix ingress controller](https://github.com/citrix/citrix-k8s-ingress-controller) (if enabled) -- [Exporter](https://github.com/citrix/citrix-adc-metrics-exporter) (if enabled) - - -### Citrix ADC CPX Service Annotations: - - The parameter `serviceAnnotations` can be used to annotate CPX service while installing Citrix ADC CPX using this helm chart. 
- For example, if CPX is getting deployed in Azure and an Azure Internal Load Balancer is required before CPX then the annotation `service.beta.kubernetes.io/azure-load-balancer-internal:True` can be set in CPX service using Helm command: - - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,serviceAnnotations.service\\.beta\\.kubernetes\\.io/azure-load-balancer-internal=True - ``` - - or the same can be provided in [values.yaml](https://github.com/citrix/citrix-helm-charts/blob/master/citrix-cpx-with-ingress-controller/values.yaml): - - ``` - license: - accept: yes - serviceAnnotations: - service.beta.kubernetes.io/azure-load-balancer-internal: True - ``` - - which can be used to install Citrix ADC CPX using Helm command: - - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller -f values.yaml - ``` - - To know more about service annotations supported by Kubernetes on various platforms please see [this](https://kubernetes.io/docs/concepts/services-networking/service/). - -### Citrix ADC CPX Service Ports: - - By default, port 80 and 443 of CPX service will exposed when CPX is installed using this helm chart. If it is required to expose any other ports in CPX service then the parameter `servicePorts` can be used for it. 
- For example, if port 9999 is required to be exposed then below helm command can be used for installing Citrix ADC CPX: - - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,servicePorts[0].port=9999,servicePorts[0].protocol=TCP,servicePorts[0].name=https - ``` - - or the same can be provided in [values.yaml](https://github.com/citrix/citrix-helm-charts/blob/master/citrix-cpx-with-ingress-controller/values.yaml): - - ``` - license: - accept: yes - servicePorts: - - port: 9090 - protocol: TCP - name: https - ``` - - which can be used to install Citrix ADC using Helm command: - - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller -f values.yaml - ``` - -> **Note:** If `servicePorts` parameters is used, only ports provided in this parameter will be exposed in CPX service. -> If you want to expose default ports 80 or 443, then you will need to explicity mention these also in this parameter. - -### Configuration for ServiceGraph: - If Citrix ADC CPX need to send data to the Citrix ADM to bring up the servicegraph, then the below steps can be followed to install Citrix ADC CPX with ingress controller. Citrix ingress controller configures Citrix ADC CPX with the configuration required for servicegraph. - - 1. Create secret using Citrix ADC Agent credentials, which will be used by Citrix ADC CPX to communicate with Citrix ADM Agent: - - kubectl create secret generic admlogin --from-literal=username= --from-literal=password= - - 2. 
Deploy Citrix ADC CPX with Citrix ingress controller using helm command: - - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,analyticsConfig.required=true,analyticsConfig.timeseries.metrics.enable=true,analyticsConfig.distributedTracing.enable=true,analyticsConfig.endpoint.server=,ADMSettings.ADMIP=,ADMSettings.loginSecret= - -> **Note:** -> If container agent is being used here for Citrix ADM, please provide `svcIP` of container agent in the `analyticsConfig.endpoint.server` parameter. - -## Citrix ADC CPX DaemonSet with Citrix Ingress Controller as sidecar for BGP Advertisement - - The previous section of deploying CPX as a Deployment requires a Tier-1 Loadbalancer such as Citrix VPX or cloud loadbalancers to route the traffic to CPX instances running in Kubernetes cluster, but you can also leverage BGP network fabric in your on-prem environemnt to route the traffic to CPX instances in a Kubernetes or Openshift cluster. you need to deploy CPX with Citrix Ingress Controller as Daemonset to advertise the ExternalIPs of the K8s services of type LoadBalancer to your BGP Fabric. Citrix ADC CPX establishes a BGP peering session with your network routers, and uses that peering session to advertise the IP addresses of external cluster services. If your routers have ECMP capability, the traffic is load-balanced to multiple CPX instances by the upstream router, which in turn load-balances to actual application pods. When you deploy the Citrix ADC CPX with this mode, Citrix ADC CPX adds iptables rules for each service of type LoadBalancer on Kubernetes nodes. The traffic destined to the external IP address is routed to Citrix ADC CPX pods. You can also set the 'ingressIP' variable to an IP Address to advertise the External IP address for Ingress resources. Refer [documentation](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/cpx-bgp-router.md) for complete details about BGP advertisement with CPX. 
- -### Download the chart -You can download the chart usimg `helm pull` command. -``` -helm repo add citrix https://citrix.github.io/citrix-helm-charts/ -helm pull citrix/citrix-cpx-with-ingress-controller -tar -zxvf citrix-cpx-with-ingress-controller-x.y.z.tgz -``` - -### Edit the BGP configuration in values.yaml -BGP configurations enables CPX to peer with neighbor routers for advertisting the routes for Service of Type LoadBalancer. Citrix Ingress Controllers uses static IPs given in Service YAML or using an IPAM controller to allocate an External IP address, and same is advertisted to the neighbour router with the Gateway as Node IP. An example BGP configurations is given below. - -``` -# BGP configurations: local AS, remote AS and remote address is mandatory to provide. -bgpSettings: - required: true - bgpConfig: - - bgpRouter: - # Local AS number for BGP advertisement - localAS: - neighbor: - # Address of the nighbor router for BGP advertisement - - address: xx.xx.xx.xx - # Remote AS number - remoteAS: - advertisementInterval: 10 - ASOriginationInterval: 10 -``` -If the cluster spawns across multiple networks, you can also specify the NodeSelector to give different neighbors for different Cluster Nodes as shown below. - -``` -bgpSettings: - required: true - bgpConfig: - - nodeSelector: datacenter=ds1 - bgpRouter: - localAS: - neighbor: - - address: xx.xx.xx.xx - remoteAS: - advertisementInterval: 10 - ASOriginationInterval: 10 - - nodeSelector: datacenter=ds2 - bgpRouter: - localAS: - neighbor: - - address: yy.yy.yy.yy - remoteAS: - advertisementInterval: 10 - ASOriginationInterval: 10 -``` - -### Deploy the chart -#### For Kubernetes: -#### 1. Citrix ADC CPX DaemonSet with Citrix Ingress Controller running as side car for BGP Advertisement. 
- - -To install the chart with the release name ``` my-release```: - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true - ``` -If you are running Citrix IPAM for auto allocation of IPs for Service of type LoadBalancer, you must enable the IPAM configurations in Citrix Ingress Controller as show below: - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ipam=true - ``` -If you are using ingress resources, you must set the `ingressIP` to a valid IP Address which will enable the BGP route advertisement for this IP when ingress resource is deployed. - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ingressIP= - ``` - -> **Note:** -> -> By default the chart installs the recommended [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) roles and role bindings. - -The command deploys Citrix ADC CPX Daemonset with Citrix ingress controller as a sidecar on the Kubernetes cluster with the default configuration. The [configuration](#configuration) section lists the mandatory and optional parameters that you can configure during installation. - -#### 2. Citrix ADC CPX with Citrix Ingress Controller and Exporter running as side car for BGP Advertisement. -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed as sidecar to the Citrix ADC CPX and collects metrics from the Citrix ADC CPX instance. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. -> **Note:** -> -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). 
- -Use the following command for this: - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,exporter.required=true - ``` -If you are running Citrix IPAM controller for auto allocation of IPs for Service of type LoadBalancer, you must enable the IPAM configurations in Citrix Ingress Controller as show below: - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ipam=true,exporter.required=true - ``` -If you are using ingress resources, you must set the `ingressIP` to a valid IP Address which will enable the BGP route advertisement for this IP when ingress resource is deployed. - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ingressIP=, exporter.required=true - ``` - -#### For OpenShift: -Add the name of the service account created when the chart is deployed to the privileged Security Context Constraints of OpenShift: - - ``` - oc adm policy add-scc-to-user privileged system:serviceaccount:: - ``` - -#### 1. Citrix ADC CPX DaemonSet with Citrix Ingress Controller running as side car for BGP Advertisement. -To install the chart with the release name, `my-release`, use the following command: - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,openshift=true - ``` -If you are running Citrix IPAM controller for auto allocation of IPs for Service of type LoadBalancer, you must enable the IPAM configurations in Citrix Ingress Controller as show below: - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ipam=true,openshift=true - ``` - - If you are using ingress or Route resources, you must set the `ingressIP` to a valid IP Address which will enable the BGP route advertisement for this IP when ingress resource is deployed. 
- - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ingressIP=,openshift=true - ``` - -#### 2. Citrix ADC CPX with Citrix Ingress Controller and Exporter running as side car for BGP Advertisement. -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed as sidecar to the Citrix ADC CPX and collects metrics from the Citrix ADC CPX instance. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. -> **Note:** -> -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). - -Use the following command for this: - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,openshift=true,openshift=true,exporter.required=true - ``` -If you are running Citrix IPAM controller for auto allocation of IPs for Service of type LoadBalancer, you must enable the IPAM configurations in Citrix Ingress Controller as show below: - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ipam=true,openshift=true,exporter.required=true - ``` - -If you are using ingress or Route resources, you must set the `ingressIP` to a valid IP Address which will enable the BGP route advertisement for this IP when ingress resource is deployed. - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ingressIP=,openshift=true,exporter.required=true - ``` - -## CRDs configuration - -CRDs can be installed/upgraded when we install/upgrade Citrix ADC CPX with Citrix ingress controller using `crds.install=true` parameter in Helm. If you do not want to install CRDs, then set the option `crds.install` to `false`. 
By default, CRDs too get deleted if you uninstall through Helm. This means, even the CustomResource objects created by the customer will get deleted. If you want to avoid this data loss set `crds.retainOnDelete` to `true`. - -> **Note:** -> Installing again may fail due to the presence of CRDs. Make sure that you back up all CustomResource objects and clean up CRDs before re-installing Citrix ADC CPX with Citrix ingress controller. - -There are a few examples of how to use these CRDs, which are placed in the folder: [Example-CRDs](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds). Refer to them and install as needed, using the following command: -```kubectl create -f ``` - -### Details of the supported CRDs: - -#### authpolicies CRD: - -Authentication policies are used to enforce access restrictions to resources hosted by an application or an API server. - -Citrix provides a Kubernetes CustomResourceDefinitions (CRDs) called the [Auth CRD](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/auth) that you can use with the Citrix ingress controller to define authentication policies on the ingress Citrix ADC. - -Example file: [auth_example.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/auth_example.yaml) - -#### continuousdeployments CRD for canary: - -Canary release is a technique to reduce the risk of introducing a new software version in production by first rolling out the change to a small subset of users. After user validation, the application is rolled out to the larger set of users. Citrix ADC-Integrated [Canary Deployment solution](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/canary) stitches together all components of continuous delivery (CD) and makes canary deployment easier for the application developers. 
- -#### httproutes and listeners CRDs for contentrouting: - -[Content Routing (CR)](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/contentrouting) is the execution of defined rules that determine the placement and configuration of network traffic between users and web applications, based on the content being sent. For example, a pattern in the URL or header fields of the request. - -Example files: [HTTPRoute_crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/HTTPRoute_crd.yaml), [Listener_crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/Listener_crd.yaml) - -#### ratelimits CRD: - -In a Kubernetes deployment, you can [rate limit the requests](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/ratelimit) to the resources on the back end server or services using rate limiting feature provided by the ingress Citrix ADC. - -Example files: [ratelimit-example1.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/ratelimit-example1.yaml), [ratelimit-example2.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/ratelimit-example2.yaml) - -#### vips CRD: - -Citrix provides a CustomResourceDefinitions (CRD) called [VIP](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/vip) for asynchronous communication between the IPAM controller and Citrix ingress controller. - -The IPAM controller is provided by Citrix for IP address management. It allocates IP address to the service from a defined IP address range. The Citrix ingress controller configures the IP address allocated to the service as virtual IP (VIP) in Citrix ADX VPX. And, the service is exposed using the IP address. - -When a new service is created, the Citrix ingress controller creates a CRD object for the service with an empty IP address field. 
The IPAM Controller listens to addition, deletion, or modification of the CRD and updates it with an IP address to the CRD. Once the CRD object is updated, the Citrix ingress controller automatically configures Citrix ADC-specfic configuration in the tier-1 Citrix ADC VPX. - -#### rewritepolicies CRD: - -In kubernetes environment, to deploy specific layer 7 policies to handle scenarios such as, redirecting HTTP traffic to a specific URL, blocking a set of IP addresses to mitigate DDoS attacks, imposing HTTP to HTTPS and so on, requires you to add appropriate libraries within the microservices and manually configure the policies. Instead, you can use the [Rewrite and Responder features](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/crd/rewrite-responder-policies-deployment.yaml) provided by the Ingress Citrix ADC device to deploy these policies. - -Example files: [target-url-rewrite.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/target-url-rewrite.yaml) - -#### wafs CRD: - -[WAF CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/waf.md) can be used to configure the web application firewall policies with the Citrix ingress controller on the Citrix ADC VPX, MPX, SDX, and CPX. The WAF CRD enables communication between the Citrix ingress controller and Citrix ADC for enforcing web application firewall policies. - -In a Kubernetes deployment, you can enforce a web application firewall policy to protect the server using the WAF CRD. For more information about web application firewall, see [Web application security](https://docs.citrix.com/en-us/citrix-adc/13/application-firewall/introduction/web-application-security.html). 
- -Example files: [wafhtmlxsssql.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/wafhtmlxsssql.yaml) - -#### CORS CRD: - -[CORS CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/cors.md) Cross-origin resource sharing (CORS) is a mechanism allows a web application running under one domain to securely access resources in another domain. You can configure CORS policies on Citrix ADC using Citrix ingress controller to allow one domain (the origin domain) to call APIs in another domain. For more information, see the [cross-origin resource sharing CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/cors.md) documentation. - -Example files: [cors-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/corspolicy-example.yaml) - -#### APPQOE CRD: - -[APPQOE CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/appqoe.md) When a Citrix ADC appliance receives an HTTP request and forwards it to a back-end server, sometimes there may be connection failures with the back-end server. You can configure the request-retry feature on Citrix ADC to forward the request to the next available server, instead of sending the reset to the client. Hence, the client saves round trip time when Citrix ADC initiates the same request to the next available service. -For more information, see the AppQoE support documentation. [Appqoe resource sharing CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/appqoe.md) documentation. - -Example files: [appqoe-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/appqoe_example.yaml) - -#### WILDCARDDNS CRD: - -[WILDCARDDNS CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/wildcarddns.md) Wildcard DNS domains are used to handle requests for nonexistent domains and subdomains. 
In a zone, use wildcard domains to redirect queries for all nonexistent domains or subdomains to a particular server, instead of creating a separate Resource Record (RR) for each domain. The most common use of a wildcard DNS domain is to create a zone that can be used to forward mail from the internet to some other mail system. -For more information, see the Wild card DNS domains support documentation. [Wildcard DNS Entry CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/wildcarddns.md) documentation. - -Example files: [wildcarddns-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/wildcarddns-example.yaml) - -## Citrix ADC CPX servicetype LoadBalancer -Citrix ADC CPX can be installed with service having servicetype LoadBalancer. Following arguments can be used in the `helm install` command for the same: - -``` -helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,serviceType.loadBalancer.enabled=True -``` - -## Citrix ADC CPX servicetype NodePort -Citrix ADC CPX can be installed with service having servicetype Nodeport. Following arguments can be used in the `helm install` command for the same: - -``` -helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,serviceType.nodePort.enabled=True -``` - -Additionally, `serviceType.nodePort.httpPort` and `serviceType.nodePort.httpsPort` arguments can be used to select the nodePort for the CPX service for HTTP and HTTPS ports. - -### Tolerations - -Taints are applied on cluster nodes whereas tolerations are applied on pods. Tolerations enable pods to be scheduled on node with matching taints. For more information see [Taints and Tolerations in Kubernetes](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/). 
- -Toleration can be applied to pod running Citrix ADC CPX and ingress controller containers using `tolerations` argument while deploying CPX+CIC using helm chart. This argument takes list of tolerations that user need to apply on the CPX+CIC pods. - -For example, following command can be used to apply toleration on the CPX+CIC pod: - -``` -helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,tolerations[0].key=,tolerations[0].value=,tolerations[0].operator=,tolerations[0].effect= -``` - -Here tolerations[0].key, tolerations[0].value and tolerations[0].effect are the key, value and effect that was used while tainting the node. -Effect represents what should happen to the pod if the pod don't have any matching toleration. It can have values `NoSchedule`, `NoExecute` and `PreferNoSchedule`. -Operator represents the operation to be used for key and value comparison between taint and tolerations. It can have values `Exists` and `Equal`. The default value for operator is `Equal`. - -## Configuration -The following table lists the configurable parameters of the Citrix ADC CPX with Citrix ingress controller as side car chart and their default values. - -| Parameters | Mandatory or Optional | Default value | Description | -| ---------- | --------------------- | ------------- | ----------- | -| license.accept | Mandatory | no | Set `yes` to accept the Citrix ingress controller end user license agreement. | -| imageRegistry | Mandatory | `quay.io` | The Citrix ADC CPX image registry | -| imageRepository | Mandatory | `citrix/citrix-k8s-cpx-ingress` | The Citrix ADC CPX image repository | -| imageTag | Mandatory | `13.1-49.13` | The Citrix ADC CPX image tag | -| pullPolicy | Mandatory | IfNotPresent | The Citrix ADC CPX image pull policy. | -| daemonSet | Optional | False | Set this to true if Citrix ADC CPX needs to be deployed as DaemonSet. 
| -| cic.imageRegistry | Mandatory | `quay.io` | The Citrix ingress controller image registry | -| cic.imageRepository | Mandatory | `citrix/citrix-k8s-ingress-controller` | The Citrix ingress controller image repository | -| cic.imageTag | Mandatory | `1.34.16` | The Citrix ingress controller image tag | -| cic.pullPolicy | Mandatory | IfNotPresent | The Citrix ingress controller image pull policy. | -| cic.required | Mandatory | true | CIC to be run as sidecar with Citrix ADC CPX | -| cic.resources | Optional | {} | CPU/Memory resource requests/limits for Citrix Ingress Controller container | -| cic.rbacRole | Optional | false | To deploy CIC with RBAC Role set rbacRole=true; by default CIC gets installed with RBAC ClusterRole(rbacRole=false)) | -| imagePullSecrets | Optional | N/A | Provide list of Kubernetes secrets to be used for pulling the images from a private Docker registry or repository. For more information on how to create this secret please see [Pull an Image from a Private Registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/). | -| nameOverride | Optional | N/A | String to partially override deployment fullname template with a string (will prepend the release name) | -| fullNameOverride | Optional | N/A | String to fully override deployment fullname template with a string | -| resources | Optional | {} | CPU/Memory resource requests/limits for Citrix CPX container | -| nitroReadTimeout | Optional | 20 | The nitro Read timeout in seconds, defaults to 20 | -| logLevel | Optional | DEBUG | The loglevel to control the logs generated by CIC. The supported loglevels are: CRITICAL, ERROR, WARNING, INFO, DEBUG and TRACE. 
For more information, see [Logging](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/configure/log-levels.md).|
-| jsonLog | Optional | false | Set this argument to true if log messages are required in JSON format |
-| nsConfigDnsRec | Optional | false | To enable/disable DNS address Record addition in ADC through Ingress |
-| nsSvcLbDnsRec | Optional | false | To enable/disable DNS address Record addition in ADC through Type Load Balancer Service |
-| nsDnsNameserver | Optional | N/A | To add DNS Nameservers in ADC |
-| optimizeEndpointBinding | Optional | false | To enable/disable binding of backend endpoints to servicegroup in a single API-call. Recommended when endpoints(pods) per application are large in number. Applicable only for Citrix ADC Version >=13.0-45.7 |
-| defaultSSLCertSecret | Optional | N/A | Provide Kubernetes secret name that needs to be used as a default non-SNI certificate in Citrix ADC. |
-| nsHTTP2ServerSide | Optional | OFF | Set this argument to `ON` for enabling HTTP2 for Citrix ADC service group configurations. |
-| cpxLicenseAggregator | Optional | N/A | IP/FQDN of the CPX License Aggregator if it is being used to license the CPX. |
-| nsCookieVersion | Optional | 0 | Specify the persistence cookie version (0 or 1). |
-| profileSslFrontend | Optional | N/A | Specify the frontend SSL profile. For Details see [Configuration using FRONTEND_SSL_PROFILE](https://docs.citrix.com/en-us/citrix-k8s-ingress-controller/configure/profiles.html#global-front-end-profile-configuration-using-configmap-variables) |
-| profileTcpFrontend | Optional | N/A | Specify the frontend TCP profile. For Details see [Configuration using FRONTEND_TCP_PROFILE](https://docs.citrix.com/en-us/citrix-k8s-ingress-controller/configure/profiles.html#global-front-end-profile-configuration-using-configmap-variables) |
-| profileHttpFrontend | Optional | N/A | Specify the frontend HTTP profile.
For Details see [Configuration using FRONTEND_HTTP_PROFILE](https://docs.citrix.com/en-us/citrix-k8s-ingress-controller/configure/profiles.html#global-front-end-profile-configuration-using-configmap-variables) |
-| logProxy | Optional | N/A | Provide Elasticsearch or Kafka or Zipkin endpoint for Citrix observability exporter. |
-| nsProtocol | Optional | http | Protocol http or https used for the communication between Citrix Ingress Controller and CPX |
-| cpxBgpRouter | Optional | false| If set to true, this CPX is deployed as daemonset in BGP controller mode wherein BGP advertisements are done for attracting external traffic to Kubernetes clusters |
-| replicaCount | Optional | 1 | Number of CPX-CIC pods to be deployed. With `cpxBgpRouter : true`, replicaCount is 1 since CPX will be deployed as DaemonSet |
-| nsIP | Optional | 192.168.1.2 | NSIP used by CPX for internal communication when run in Host mode, i.e when cpxBgpRouter is set to true. A /24 internal network is created in this IP range which is used for internal communications withing the network namespace. |
-| nsGateway | Optional | 192.168.1.1 | Gateway used by CPX for internal communication when run in Host mode, i.e when cpxBgpRouter is set to true. If not specified, first IP in the nsIP network is used as gateway. It must be in same network as nsIP |
-| bgpPort | Optional | 179 | BGP port used by CPX for BGP advertisement if cpxBgpRouter is set to true|
-| ingressIP | Optional | N/A | External IP address to be used by ingress resources if not overriden by ingress.com/frontend-ip annotation in Ingress resources. This is also advertised to external routers when pxBgpRouter is set to true|
-| entityPrefix | Optional | k8s | The prefix for the resources on the Citrix ADC CPX. |
-| ingressClass | Optional | N/A | If multiple ingress load balancers are used to load balance different ingress resources.
You can use this parameter to specify Citrix ingress controller to configure Citrix ADC associated with specific ingress class. For more information on Ingress class, see [Ingress class support](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/configure/ingress-classes/). For Kubernetes version >= 1.19, this will create an IngressClass object with the name specified here |
-| setAsDefaultIngressClass | Optional | False | Set the IngressClass object as default. New Ingresses without an "ingressClassName" field specified will be assigned the class specified in ingressClass. Applicable only for kubernetes versions >= 1.19 |
-| updateIngressStatus | Optional | False | Set this argument if you want to update ingress status of the ingress resources exposed via CPX. This is only applicable if servicetype of CPX service is LoadBalancer. |
-| disableAPIServerCertVerify | Optional | False | Set this parameter to True for disabling API Server certificate verification. |
-| openshift | Optional | false | Set this argument if OpenShift environment is being used. |
-| disableOpenshiftRoutes | false | By default Openshift routes are processed in openshift environment, this variable can be used to disable Ingress controller processing the openshift routes. |
-| routeLabels | Optional | N/A | You can use this parameter to provide the route labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster. |
-| namespaceLabels | Optional | N/A | You can use this parameter to provide the namespace labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster. |
-| sslCertManagedByAWS | Optional | False | Set this argument if SSL certs used is managed by AWS while deploying Citrix ADC CPX in AWS. |
-| nodeSelector.key | Optional | N/A | Node label key to be used for nodeSelector option for CPX-CIC deployment.
|
-| nodeSelector.value | Optional | N/A | Node label value to be used for nodeSelector option in CPX-CIC deployment. |
-| podAnnotations | Optional | N/A | Map of annotations to add to the pods. |
-| affinity | Optional | N/A | Affinity labels for pod assignment. |
-| tolerations | Optional | N/A | Specify the tolerations for the CPX-CIC deployment. |
-| serviceType.loadBalancer.enabled | Optional | False | Set this argument if you want servicetype of CPX service to be LoadBalancer. |
-| serviceType.nodePort.enabled | Optional | False | Set this argument if you want servicetype of CPX service to be NodePort. |
-| serviceType.nodePort.httpPort | Optional | N/A | Specify the HTTP nodeport to be used for NodePort CPX service. |
-| serviceType.nodePort.httpsPort | Optional | N/A | Specify the HTTPS nodeport to be used for NodePort CPX service. |
-| serviceAnnotations | Optional | N/A | Dictionary of annotations to be used in CPX service. Key in this dictionary is the name of the annotation and Value is the required value of that annotation. For example, [see this](#citrix-adc-cpx-service-annotations). |
-| serviceSpec.externalTrafficPolicy | Optional | Cluster | Use this parameter to provide externalTrafficPolicy for CPX service of type LoadBalancer or NodePort. `serviceType.loadBalancer.enabled` or `serviceType.nodePort.enabled` should be set to `true` according to your use case for using this parameter. |
-| serviceSpec.loadBalancerIP | Optional | N/A | Use this parameter to provide LoadBalancer IP to CPX service of type LoadBalancer. `serviceType.loadBalancer.enabled` should be set to `true` for using this parameter. |
-| serviceSpec.loadBalancerSourceRanges | Optional | N/A | Provide the list of IP Address or range which should be allowed to access the Network Load Balancer. `serviceType.loadBalancer.enabled` should be set to `true` for using this parameter.
For details, see [Network Load Balancer support on AWS](https://kubernetes.io/docs/concepts/services-networking/service/#aws-nlb-support). |
-| servicePorts | Optional | N/A | List of port. Each element in this list is a dictionary that contains information about the port. For example, [see this](#citrix-adc-cpx-service-ports). |
-| ADMSettings.licenseServerIP | Optional | N/A | Provide the Citrix Application Delivery Management (ADM) IP address to license Citrix ADC CPX. For more information, see [Licensing](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/licensing/). |
-| ADMSettings.licenseServerPort | Optional | 27000 | Citrix ADM port if non-default port is used. |
-| ADMSettings.ADMIP | Optional | N/A | Citrix Application Delivery Management (ADM) IP address. |
-| ADMSettings.loginSecret | Optional | N/A | The secret key to login to the ADM. For information on how to create the secret keys, see [Prerequisites](#prerequistes). |
-| ADMSettings.bandWidthLicense | Optional | False | Set to true if you want to use bandwidth based licensing for Citrix ADC CPX. |
-| ADMSettings.bandWidth | Optional | 1000 | Desired bandwidth capacity to be set for Citrix ADC CPX in Mbps. |
-| ADMSettings.vCPULicense | Optional | N/A | Set to true if you want to use vCPU based licensing for Citrix ADC CPX. |
-| ADMSettings.licenseEdition| Optional | PLATINUM | License edition that can be Standard, Platinum and Enterprise . By default, Platinum is selected.|
-| ADMSettings.cpxCores | Optional | 1 | Desired number of vCPU to be set for Citrix ADC CPX. |
-| ADMSettings.analyticsServerPort | Optional | 5557 | Port used for Analytics by ADM. Required to plot ServiceGraph.
|
-| exporter.required | Optional | false | Use the argument if you want to run the [Exporter for Citrix ADC Stats](https://github.com/citrix/citrix-adc-metrics-exporter) along with Citrix ingress controller to pull metrics for the Citrix ADC CPX|
-| exporter.imageRegistry | Optional | `quay.io` | The Exporter for Citrix ADC Stats image registry |
-| exporter.imageRepository | Optional | `citrix/citrix-adc-metrics-exporter` | The Exporter for Citrix ADC Stats image repository |
-| exporter.imageTag | Optional | `1.4.9` | The Exporter for Citrix ADC Stats image tag |
-| exporter.pullPolicy | Optional | IfNotPresent | The Exporter for Citrix ADC Stats image pull policy. |
-| exporter.resources | Optional | {} | CPU/Memory resource requests/limits for Metrics exporter container |
-| exporter.ports.containerPort | Optional | 8888 | The Exporter for Citrix ADC Stats container port. |
-| exporter.serviceMonitorExtraLabels | Optional | | Extra labels for service monitor whem Citrix-adc-metrics-exporter is enabled. |
-| analyticsConfig.required | Mandatory | false | Set this to true if you want to configure Citrix ADC to send metrics and transaction records to analytics service. |
-| analyticsConfig.distributedTracing.enable | Optional | false | Set this value to true to enable OpenTracing in Citrix ADC. |
-| analyticsConfig.distributedTracing.samplingrate | Optional | 100 | Specifies the OpenTracing sampling rate in percentage. |
-| analyticsConfig.endpoint.server | Optional | N/A | Set this value as the IP address or DNS address of the analytics server. |
-| analyticsConfig.endpoint.service | Optional | N/A | Set this value as the IP address or service name with namespace of the analytics service deployed in Kuberenetes. Format: namespace/servicename|
-| analyticsConfig.timeseries.port | Optional | 5563 | Specify the port used to expose analytics service for timeseries endpoint.
|
-| analyticsConfig.timeseries.metrics.enable | Optional | Set this value to true to enable sending metrics from Citrix ADC. |
-| analyticsConfig.timeseries.metrics.mode | Optional | avro | Specifies the mode of metric endpoint. |
-| analyticsConfig.timeseries.auditlogs.enable | Optional | false | Set this value to true to export audit log data from Citrix ADC. |
-| analyticsConfig.timeseries.events.enable | Optional | false | Set this value to true to export events from the Citrix ADC. |
-| analyticsConfig.transactions.enable | Optional | false | Set this value to true to export transactions from Citrix ADC. |
-| analyticsConfig.transactions.port | Optional | 5557 | Specify the port used to expose analytics service for transaction endpoint. |
-| crds.install | Optional | False | Unset this argument if you don't want to install CustomResourceDefinitions which are consumed by CIC. |
-| crds.retainOnDelete | Optional | false | Set this argument if you want to retain CustomResourceDefinitions even after uninstalling CIC. This will avoid data-loss of Custom Resource Objects created before uninstallation. |
-| bgpSettings.required | Optional | false | Set this argument if you want to enable BGP configurations for exposing service of Type Loadbalancer through BGP fabric|
-| bgpSettings.bgpConfig | Optional| N/A| This represents BGP configurations in YAML format. For the description about individual fields, please refer the [documentation](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/cpx-bgp-router.md) |
-| nsLbHashAlgo.required | Optional | false | Set this value to set the LB consistent hashing Algorithm |
-| nsLbHashAlgo.hashFingers | Optional |256 | Specifies the number of fingers to be used for hashing algorithm. Possible values are from 1 to 1024, Default value is 256 |
-| nsLbHashAlgo.hashAlgorithm | Optional | 'default' | Specifies the supported algorithm.
Supported algorithms are "default", "jarh", "prac", Default value is 'default' |
-
-> **Note:**
->
-> If Citrix ADM related information is not provided during installation, Citrix ADC CPX will come up with the default license.
-
-Alternatively, you can define a YAML file with the values for the parameters and pass the values while installing the chart.
-
-For example:
- ```
- helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller -f values.yaml
- ```
-
-> **Tip:**
->
-> The [values.yaml](https://github.com/citrix/citrix-helm-charts/blob/master/citrix-cpx-with-ingress-controller/values.yaml) contains the default values of the parameters.
-
-## Uninstalling the Chart
-To uninstall/delete the ```my-release``` deployment:
- ```
- helm delete my-release
- ```
-
-## Related documentation
-
-- [Citrix ADC CPX Documentation](https://docs.citrix.com/en-us/citrix-adc-cpx/12-1/cpx-architecture-and-traffic-flow.html)
-- [Citrix ingress controller Documentation](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/)
-- [Citrix ingress controller GitHub](https://github.com/citrix/citrix-k8s-ingress-controller)
-- [BGP advertisement for External IPs with CPX](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/cpx-bgp-router.md)
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.34.16/app-readme.md b/charts/citrix/citrix-cpx-with-ingress-controller/1.34.16/app-readme.md
deleted file mode 100644
index ef45a3d907..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.34.16/app-readme.md
+++ /dev/null
@@ -1,5 +0,0 @@
-# Citrix ADC CPX with Citrix Ingress Controller running as sidecar.
-
-In a [Kubernetes](https://kubernetes.io/) or [OpenShift](https://www.openshift.com) cluster, you can deploy [Citrix ADC CPX](https://docs.citrix.com/en-us/citrix-adc-cpx) with Citrix ingress controller as a [sidecar](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/). The Citrix ADC CPX instance is used for load balancing the North-South traffic to the microservices in your cluster. And, the sidecar Citrix ingress controller configures the Citrix ADC CPX.
-
-This Chart bootstraps deployment of Citrix ADC CPX with Citrix Ingress Controller as sidecar.
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.34.16/questions.yml b/charts/citrix/citrix-cpx-with-ingress-controller/1.34.16/questions.yml
deleted file mode 100644
index 0c87144137..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.34.16/questions.yml
+++ /dev/null
@@ -1,211 +0,0 @@
-questions:
-- variable: license.accept
- required: true
- default: "no"
- type: enum
- description: "Set to yes to accept the terms and conditions of the Citrix license."
- label: Accept License
- group: "Deployment Settings"
- options:
- - "yes"
- - "no"
-- variable: openshift
- default: false
- type: boolean
- description: "openshift is set to true if charts are being deployed in OpenShift environment"
- label: Openshift flag
- group: "Deployment Settings"
-- variable: nsNamespace
- type: string
- description: "Prefix for the resources on Citrix ADC"
- label: Resource Prefix
- group: "Deployment Settings"
-- variable: ingressClass[0]
- type: string
- description: "ingressClass is the name of the Ingress Class"
- label: Ingress Class
- group: "Deployment Settings"
-- variable: logLevel
- default: "DEBUG"
- type: enum
- options:
- - "TRACE"
- - "DEBUG"
- - "INFO"
- - "WARNING"
- - "ERROR"
- description: "logLevel of Citrix Ingress Controller pod"
- label: LogLevel
- group: "Deployment Settings"
-- variable: defaultSSLCert
- type: string
- description: "Secret containing the default ceritifcate for SSL vservers"
- label: Default SSLCert
- group: "ADC Settings"
-- variable: logProxy
- type: string
- description: "Elasticsearch or Kafka or Zipkin endpoint for Citrix observability exporte"
- label: LogProxy
- group: "Deployment Settings"
-- variable: http2ServerSide
- default: "OFF"
- type: enum
- options:
- - "ON"
- - "OFF"
- description: "Set to ON to enable HTTP2 for Citrix ADC service group configurations"
- label: HTTP2 on ADC
- group: "ADC Settings"
-- variable: nodeSelector.key
- type: string
- label: NodeSelector Key
- group: "Deployment Settings"
-- variable: nodeSelector.value
- type: string
- label: NodeSelector Value
- group: "Deployment Settings"
-
-
-- variable: ADMSettings.licenseServerIP
- type: string
- label: ADM LicenseServerIP
- group: "ADM Settings"
-- variable: ADMSettings.licenseServerPort
- default: 27000
- type: int
- label:
ADM LicenseServerPort
- group: "ADM Settings"
-- variable: ADMSettings.ADMIP
- type: string
- label: ADM IP
- group: "ADM Settings"
-- variable: ADMSettings.ADMFingerPrint
- type: string
- label: ADM FingerPrint
- group: "ADM Settings"
-- variable: ADMSettings.loginSecret
- type: string
- label: ADM Login Secret
- group: "ADM Settings"
-- variable: ADMSettings.bandWidthLicense
- type: boolean
- label: CPX Bandwidth License
- group: "ADM Settings"
-- variable: ADMSettings.bandWidth
- type: int
- label: CPX Bandwidth
- group: "ADM Settings"
-- variable: ADMSettings.vCPULicense
- type: boolean
- label: CPX vCPU License
- group: "ADM Settings"
-- variable: ADMSettings.cpxCores
- type: int
- label: CPX Cores
- group: "ADM Settings"
-- variable: cic.pullpolicy
- default: "IfNotPresent"
- type: enum
- label: CIC Image Pullpolicy
- group: "CIC/CPX Image Settings"
- options:
- - "Always"
- - "IfNotPresent"
- - "Never"
-- variable: pullpolicy
- default: "IfNotPresent"
- type: enum
- label: CPX Image Pullpolicy
- group: "CIC/CPX Image Settings"
- options:
- - "Always"
- - "IfNotPresent"
- - "Never"
-- variable: cic.image
- default: "quay.io/citrix/citrix-k8s-ingress-controller:1.8.28"
- type: string
- label: CIC Image
- group: "CIC/CPX Image Settings"
-- variable: image
- type: string
- default: "quay.io/citrix/citrix-k8s-cpx-ingress:13.0-58.30"
- label: CPX Image
- group: "CIC/CPX Image Settings"
-- variable: exporter.image
- default: "quay.io/citrix/citrix-adc-metrics-exporter:1.4.5"
- type: string
- description: "Exporter Image to be used"
- label: Exporter Image
- group: "Exporter Settings"
-- variable: exporter.pullPolicy
- default: "IfNotPresent"
- type: string
- description: "Exporter Image pull policy"
- label: Exporter Image PullPolicy
- group: "Exporter Settings"
-- variable: exporter.ports.containerPort
- default: 8888
- type: int
- label: Exporter ContainerPort
- group: "Exporter Settings"
-- variable: coeConfig.distributedTracing.enable
- default: false
- type:
boolean
- label: Enable distributedTracing
- group: "COE Settings"
-- variable: coeConfig.distributedTracing.samplingrate
- default: 100
- type: int
- label: COE Sampling Rate
- group: "COE Settings"
-- variable: coeConfig.endpoint.server
- type: string
- label: COE Endpoint Server
- group: "COE Settings"
-- variable: coeConfig.timeseries.port
- default: 5563
- type: int
- label: COE timeseries port
- group: "COE Settings"
-- variable: coeConfig.timeseries.metrics.enable
- default: false
- type: boolean
- label: Enable timeseries metrics
- group: "COE Settings"
-- variable: coeConfig.timeseries.metrics.mode
- default: 'avro'
- type: string
- label: COE timeseries metrics Mode
- group: "COE Settings"
-- variable: coeConfig.timeseries.auditlogs.enable
- default: false
- type: string
- label: Enable timeseries auditlogs
- group: "COE Settings"
-- variable: coeConfig.timeseries.events.enable
- default: false
- type: string
- label: Enable timeseries events
- group: "COE Settings"
-- variable: coeConfig.transactions.enable
- default: false
- type: string
- label: Enable transactions
- group: "COE Settings"
-- variable: coeConfig.transactions.port
- default: 5557
- type: int
- label: COE transactions port
- group: "COE Settings"
-- variable: crds.install
- default: true
- type: boolean
- description: "If set to true the charts will install CustomResourceDefinitions which are consumed by CIC."
- label: CRD flag
- group: "Deployment Settings"
-- variable: crds.retainOnDelete
- default: false
- type: boolean
- description: "Set this argument to true if you want to retain CustomResourceDefinitions even after uninstalling CIC. This will avoid data-loss of Custom Resource Objects created before uninstallation."
- label: CRD retainOnDelete flag
- group: "Deployment Settings"
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.34.16/templates/NOTES.txt b/charts/citrix/citrix-cpx-with-ingress-controller/1.34.16/templates/NOTES.txt
deleted file mode 100644
index bccfdf69a4..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.34.16/templates/NOTES.txt
+++ /dev/null
@@ -1,14 +0,0 @@
-Thank you for installing {{ .Chart.Name }}.
-
-Your release is named {{ .Release.Name }}.
-
-
-To learn more about the release, try:
-
- $ helm status {{ .Release.Name }}
- $ helm get {{ .Release.Name }}
-
-
-To delete :
- helm delete {{ .Release.Name }}
-
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.34.16/templates/_helpers.tpl b/charts/citrix/citrix-cpx-with-ingress-controller/1.34.16/templates/_helpers.tpl
deleted file mode 100644
index 92e636ce23..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.34.16/templates/_helpers.tpl
+++ /dev/null
@@ -1,97 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Analytics Server IP or DNS
-*/}}
-{{- define "analytics.server" -}}
-{{- if .Values.analyticsConfig.endpoint.server -}}
-{{- printf .Values.analyticsConfig.endpoint.server -}}
-{{- else -}}
-{{- printf "analytics.%s.svc.cluster.local" .Release.Namespace -}}
-{{- end -}}
-{{- end -}}
-
-
-{{- define "citrix-cpx-ingress-controller.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "citrix-cpx-ingress-controller.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "cpxservice.fullname" -}}
-{{- $name := default .Chart.Name "cpx-service" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "cpxexporter.fullname" -}}
-{{- $name := default .Chart.Name "exporter" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "cpxservicemonitor.fullname" -}}
-{{- $name := default .Chart.Name "citrix-adc-cpx-servicemonitor" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{-
.Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "cpxservicemonitorlabel" -}}
-{{- $name := default .Chart.Name "citrix-adc-cpx-svcmon" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "cpxconfigmap.fullname" -}}
-{{- $name := default .Chart.Name "cpx-cic-configmap" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "citrix-cpx-ingress-controller.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "citrix-cpx-ingress-controller.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create -}}
- {{ default (include "citrix-cpx-ingress-controller.fullname" .) .Values.serviceAccount.name }}
-{{- else -}}
- {{ default "default" .Values.serviceAccount.name }}
-{{- end -}}
-{{- end -}}
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.34.16/templates/cic_crds.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.34.16/templates/cic_crds.yaml
deleted file mode 100644
index 085d7d271d..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.34.16/templates/cic_crds.yaml
+++ /dev/null
@@ -1,2549 +0,0 @@ -{{- if .Values.crds.install }} -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: rewritepolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: rewritepolicy - plural: rewritepolicies - singular: rewritepolicy - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - rewrite-policies: - type: array - items: - type: object - properties: - servicenames: - description: 'Name of the services that needs to be binded to rewrite policy.' - type: array - items: - type: string - maxLength: 127 - goto-priority-expression: - description: 'Expression or other value specifying the next policy to be - evaluated if the current policy evaluates to TRUE. - Specify one of the following values: - * NEXT - Evaluate the policy with the next higher priority number. - * END - End policy evaluation. - Default value of goto-priority-expression: END' - type: string - maxLength: 1499 - logpackets: - type: object - description: 'Adds an audit message action. - The action specifies whether to log the message, and to which log.' 
- properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' - type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - rewrite-policy: - type: object - properties: - rewrite-criteria: - description: 'Expression against which traffic is evaluated.' - type: string - maxLength: 1299 - default-action: - description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). - An UNDEF event indicates an internal error condition.' - type: string - maxLength: 77 - enum: ['NOREWRITE', 'RESET', 'DROP'] - operation: - description: 'Type of user-defined rewrite action.' - type: string - enum: ["noop", "delete", "insert_http_header", "delete_http_header", - "corrupt_http_header", "insert_before", "insert_after", "replace", - "replace_http_res", "delete_all", "replace_all", "insert_before_all", - "insert_after_all", "clientless_vpn_encode", "clientless_vpn_encode_all", - "clientless_vpn_decode", "clientless_vpn_decode_all", "insert_sip_header", - "delete_sip_header", "corrupt_sip_header", "replace_sip_res", "replace_diameter_header_field", - "replace_dns_header_field", "replace_dns_answer_section"] - target: - description: 'Default syntax expression that specifies which part of the request or response to rewrite.' - type: string - maxLength: 1229 - modify-expression: - description: 'Default syntax expression that specifies the content to insert into the request - or response at the specified location, or that replaces the specified string.' - type: string - maxLength: 7991 - multiple-occurence-modify: - description: 'Search facility that is used to match multiple strings in the request or response.' 
- type: string - maxLength: 171 - additional-multiple-occurence-modify: - description: 'Specify additional criteria to refine the results of the search. - Always starts with the "extend(m,n)" operation, where "m" specifies number of bytes to the left of selected data - and "n" specifies number of bytes to the right of selected data. - You can use refineSearch only on body expressions, and only when rewrite-criteria is any one of this: - INSERT_BEFORE_ALL, INSERT_AFTER_ALL, REPLACE_ALL, and DELETE_ALL.' - type: string - maxLength: 1299 - direction: - description: 'Bind point to which to bind the policy.' - type: string - enum: ["REQUEST","RESPONSE"] - comment: - description: 'Any comments to preserve information about this rewrite policy.' - type: string - maxLength: 255 - required: [rewrite-criteria, operation, target, direction] - required: [rewrite-policy] - - responder-policies: - type: array - items: - type: object - properties: - servicenames: - description: 'Name of the services that needs to be binded to responder policy.' - type: array - items: - type: string - maxLength: 127 - goto-priority-expression: - description: 'Expression or other value specifying the next policy to be - evaluated if the current policy evaluates to TRUE. - Specify one of the following values: - * NEXT - Evaluate the policy with the next higher priority number. - * END - End policy evaluation. - Default value of goto-priority-expression: END' - type: string - maxLength: 1499 - logpackets: - type: object - description: 'Adds an audit message action. - The action specifies whether to log the message, and to which log.' - properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' 
- type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", - "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - responder-policy: - type: object - properties: - redirect: - type: object - description: 'Use this option when you want to Redirect the request when request matches to policy.' - properties: - url: - description: 'URL on which you want to redirect the request.' - type: string - maxLength: 7991 - redirect-status-code: - description: 'HTTP response status code, for example 200, 302, 404, etc.' - type: integer - minimum: 100 - maximum: 599 - redirect-reason: - description: 'Expression specifying the reason for redirecting the request.' - type: string - maxLength: 7991 - required: [url] - respondwith: - type: object - description: 'Use this parameter when you want to respond to the request when request matches to policy.' - properties: - http-payload-string: - description: 'Expression that you want to sent as response to the request.' - type: string - maxLength: 7991 - required: [http-payload-string] - noop: - type: string - description: 'Use this option when you want to send the request to the protected server instead of - responding to it when request matches to policy.' - properties: - target: - description: 'Default syntax expression that specifies to perform noop operation on' - type: string - maxLength: 1229 - reset: - type: string - description: 'Use this option when you want to Reset the client connection by closing it when request matches to policy.' - properties: - drop: - type: string - description: 'Use this option when you want to drop the request without sending a response to the user when request matches to policy.' - properties: - respond-criteria: - description: 'Default syntax expression that the policy uses to determine whether to respond to the specified request.' 
- type: string - maxLength: 1299 - default-action: - description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). - An UNDEF event indicates an internal error condition.' - type: string - maxLength: 77 - enum: ['NOOP', 'RESET', 'DROP'] - comment: - description: 'Any comments to preserve information about this responder policy.' - type: string - maxLength: 255 - required: [respond-criteria] - oneOf: [required: [redirect], required: [respondwith], required: [noop], required: [reset], required: [drop]] - required: [responder-policy] - - dataset: - type: array - items: - type: object - properties: - name: - description: 'Name of the dataset.' - type: string - maxLength: 32 - type: - description: 'Type of value to bind to the dataset.' - type: string - enum: ["ipv4", "number", "ipv6", "ulong", "double", "mac"] - comment: - description: 'Any comments to preserve information about this dataset.' - type: string - maxLength: 255 - values: - description: 'Value of the specified type that is associated with this dataset.' - type: array - items: - type: string - required: [name, type, values] - - patset: - type: array - items: - type: object - properties: - name: - description: 'Name of the Patset.' - type: string - maxLength: 32 - comment: - description: 'Any comments to preserve information about this patset.' - type: string - maxLength: 255 - values: - description: 'String of characters that constitutes a pattern and is associated with this patset.' - type: array - items: - type: string - required: [name, values] - - stringmap: - type: array - items: - type: object - properties: - name: - description: 'Name of the Stringmap.' - type: string - maxLength: 32 - comment: - description: 'Any comments to preserve information about this stringmap.' - type: string - maxLength: 255 - values: - description: 'List of (key,value) pairs to be bound to this string map.' 
- type: array - items: - type: object - properties: - key: - description: 'Character string constituting the key to be bound to this string map.' - type: string - maxLength: 2047 - value: - description: 'Character string constituting the value associated with the key.' - type: string - maxLength: 2047 - required: [name, values] - - httpcallout_policy: - type: array - items: - type: object - properties: - name: - description: 'httpcallout name' - type: string - maxLength: 32 - server_ip: - description: 'IP Address of the server(callout agent) to which the callout is sent.' - type: string - server_port: - description: 'Port of the server(callout agent) to which the callout is sent.' - type: integer - minimum: 1 - maximum: 65535 - http_method: - description: |+ - 'Method used in the HTTP request that this callout sends. - Default http method is GET' - type: string - enum: ['GET', 'POST'] - host_expr: - description: |+ - 'String expression to configure the Host header. Can contain a literal value - (for example, 10.101.10.11) or a derived value (for example, http.req.header("Host")). - The literal value can be an IP address or a fully qualified domain name. Mutually - exclusive with the full HTTP request expression.' - type: string - maxLength: 255 - url_stem_expr: - description: |+ - 'String expression for generating the URL stem. Can contain a literal string - (for example, "/mysite/index.html") or an expression that derives the value - (for example, http.req.url).' - type: string - maxLength: 8191 - headers: - type: array - description: |+ - 'One or more headers to insert into the HTTP request. Each header is represented by - name and expr, where expr is an expression that is evaluated at runtime to provide - the value for the named header. You can configure a maximum of eight headers for - an HTTP callout.' 
- items: - type: object - properties: - name: - description: 'header name' - type: string - expr: - description: 'header expression' - type: string - parameters: - type: array - description: |+ - 'One or more query parameters to insert into the HTTP request URL (for a GET request) - or into the request body (for a POST request). Each parameter is represented by - name and expr, where expr is an expression that is evaluated at run time to provide - the value for the named parameter (name=value). The parameter values are URL encoded.' - items: - type: object - properties: - name: - description: 'parameter name' - type: string - expr: - description: 'parameter expression' - type: string - body_expr: - description: |+ - 'An advanced string expression for generating the body of the request. - The expression can contain a literal string or an expression that derives - the value (for example, client.ip.src).' - type: string - full_req_expr: - description: |+ - 'Exact HTTP request, in the form of an expression, which the Citrix ADC sends - to the callout agent. The request expression is constrained by the feature - for which the callout is used. For example, an HTTP.RES expression cannot be - used in a request-time policy bank or in a TCP content switching policy bank.' - type: string - scheme: - description: |+ - 'Type of scheme for the callout server. - Default scheme is HTTP' - type: string - enum: ['HTTP', 'HTTPS'] - cache_for_secs: - description: |+ - 'Duration, in seconds, for which the callout response is cached. - The cached responses are stored in an integrated caching content - group named "calloutContentGroup". If no duration is configured, - the callout responses will not be cached unless normal caching - configuration is used to cache them. This parameter takes precedence over any - normal caching configuration that would otherwise apply to these responses.' 
- type: integer - minimum: 1 - maximum: 31536000 - return_type: - description: |+ - 'Type of data that the target callout agent returns in response to the callout - Available settings function as follows: - * TEXT - Treat the returned value as a text string. - * NUM - Treat the returned value as a number. - * BOOL - Treat the returned value as a Boolean value.' - type: string - enum: ['TEXT', 'NUM', 'BOOL'] - result_expr: - description: |+ - 'Expression that extracts the callout results from the response sent by the HTTP callout - agent. Must be a response based expression, that is, it must begin with HTTP.RES. The - operations in this expression must match the return type. For example, if you configure - a return type of TEXT, the result expression must be a text based expression. If the - return type is NUM, the result expression (resultExpr) must return a numeric value, - as in the following example: http.res.body(10000).length.' - type: string - maxLength: 8191 - comment: - description: 'Any comments to preserve information about this HTTP callout.' 
- type: string - maxLength: 255 - allOf: - - properties: - required: [name, server_ip, server_port] - - properties: - oneOf: - - properties: - required: [full_req_expr] - - properties: - anyOf: - - properties: - required: [http_method] - - properties: - required: [host_expr] - - properties: - required: [url_stem_expr] - - properties: - required: [headers] - - properties: - required: [parameters] - - properties: - required: [body_expr] - anyOf: [required: [rewrite-policies], required: [responder-policies]] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: ratelimits.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: ratelimit - plural: ratelimits - singular: ratelimit - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the ratelimit policies are applied.' - type: array - items: - type: string - maxLength: 127 - selector_keys: - type: object - description: 'Traffic match criteria to which apply above rate-limit/throttling. All keys are applied as AND condition. 
If no keys are specified, rate-limit applies at service level' - properties: - basic: - type: object - description: "Basic traffic stream selection criteria to which to apply the ratelimit" - properties: - path: - type: array - description: "api resource path prefix match. e.g. /api/v1/products" - items: - type: string - method: - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT','PATCH', 'UNKNOWN_METHOD'] - header_name: - description: "HTTP header that identifies the unique API client for e.g. X-apikey" - type: string - per_client_ip: - description: "Setting this applies the throttling limit to each unique Client IP address accessing the API resource" - type: boolean - req_threshold: - description: 'Max requests per timeslice units to be allowed' - type: integer - timeslice: - description: 'Timeslice in miliseconds in multiple of 10. Defaults to 1000 miliseconds' - type: integer - limittype: - description: "Burst mode or smooth. Defaults to smooth limittype if not specified" - type: string - enum: ['BURSTY','SMOOTH'] - throttle_action: - type: string - enum: ['DROP', 'RESET','REDIRECT', 'RESPOND'] - description: "Drop will drop the requests exceeding limits, RESET will reset the client connection, Redirect will redirect to specified URL, respond will respond with 429 'Exceeded allowed rate of requests'" - redirect_url: - type: string - description: "Redirect-URL" - logpackets: - type: object - description: 'Adds an audit message action. The action specifies whether to log the message, and to which log.' - properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' 
- type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - required: [req_threshold] ---- -#Sample CRD instance - -#apiVersion: citrix.com/v1 -#description: VIP for apache service -#kind: vip -#metadata: -# name: service-apache -# namespace: default -#spec: -# description: VIP for the apache Service -# ipaddress: 10.99.98.90 -# kind: service -# name: apache - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: vips.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: vip - plural: vips - singular: vip - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - additionalPrinterColumns: - - jsonPath: .spec.ipaddress - name: VIP - type: string - - name: Age - type: date - jsonPath: .metadata.creationTimestamp - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - ipaddress: - type: string - name: - type: string - kind: - type: string - enum: ["service", "ingress"] - description: - type: string - range-name: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: authpolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: authpolicy - plural: authpolicies - singular: authpolicy - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: 'Current Status of the CRD' - jsonPath: .status.state - - name: Message - type: string - description: 'Status Message' - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: 
string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: |+ - 'Name of the services for which the policies applied' - type: array - items: - type: string - maxLength: 63 - authentication_mechanism: - type: object - description: |+ - 'Authentication mechanism. Options: using forms or using request header. - Default is Authentication using request header, when no option is specified' - properties: - using_request_header: - description: |+ - 'Enable user authentication using request header. Use when the credentials - or api keys are passed in a header. For example, when using Basic, Digest, - Bearer authentication or api keys. - When authentication using forms is provided, this is set to OFF' - - type: string - using_forms: - type: object - description: 'Enables authentication using forms. Use with user/web authentication.' - properties: - authentication_host: - description: |+ - 'Fully qualified domain name (FQDN) for authentication. - This FQDN should be unique and should resolve to frontend IP of - ADC with Ingress/service type LoadBalancer (or) vip of Listener CRD' - type: string - maxLength: 255 - authentication_host_cert: - description: |+ - 'Name of the SSL certificate to be used with authentication_host. 
- This certificate is mandatory while using_forms' - type: object - properties: - tls_secret: - type: string - description: 'Name of the Kubernetes Secret of type tls referring to Certificate' - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - preconfigured: - type: string - maxLength: 63 - description: |+ - 'Preconfigured SSL certkey name on ADC with the - certificate and key already added on ADC' - oneOf: - - properties: - required: [tls_secret] - - properties: - required: [preconfigured] - ingress_name: - description: |+ - 'Ingress name for which the authentication using forms - is applicable.' - type: string - maxLength: 63 - lb_service_name: - description: |+ - 'Service of type LoadBalancer for which the authentication using forms - is applicable.' - type: string - maxLength: 63 - listener_name: - description: |+ - 'Listener CRD name for which the authentication using forms is applicable.' - type: string - maxLength: 63 - vip: - description: |+ - 'Frontend IP of ingress for which the authentication - using forms is applicable. This refers to frontend-ip provided - with Ingress. It is suggested to use vip, if more than one Ingress - resource use the same frontend-ip' - type: string - required: [authentication_host, authentication_host_cert] - oneOf: - - properties: - required: [ingress_name] - - properties: - required: [lb_service_name] - - properties: - required: [listener_name] - - properties: - required: [vip] - oneOf: - - properties: - using_request_header: - enum: ['ON'] - required: [using_request_header] - - properties: - required: [using_forms] - - authentication_providers: - description: |+ - 'Authentication Configuration for required authentication providers/schemes. 
- One or more of these can be created' - type: array - items: - description: 'Create config for a single authentication provider of a particular type' - type: object - properties: - name: - description: 'Name for this provider, has to be unique, referenced by authentication policies' - type: string - maxLength: 127 - - oauth: - description: 'Authentication provided by external oAuth provider' - type: object - properties: - issuer: - description: 'Identity of the server whose tokens are to be accepted' - type: string - maxLength: 127 - audience: - description: 'Audience for which token sent by Authorization server is applicable' - type: array - items: - type: string - maxLength: 127 - jwks_uri: - description: |+ - 'URL of the endpoint that contains JWKs (Json Web Key) for - JWT (Json Web Token) verification' - type: string - maxLength: 127 - introspect_url: - description: ' URL of the introspection server' - type: string - maxLength: 127 - client_credentials: - description: |+ - 'secrets object that contains Client Id and secret as known - to Introspection server' - type: string - maxLength: 253 - token_in_hdr: - description: |+ - 'custom header name where token is present, - default is Authorization header' - type: array - items: - type: string - maxLength: 127 - maxItems: 2 - token_in_param: - description: 'query parameter name where token is present' - type: array - items: - type: string - maxLength: 127 - maxItems: 2 - signature_algorithms: - description: 'list of allowed signature algorithms, by default HS256, RS256, RS512 are allowed' - type: array - items: - type: string - enum: ['HS256', 'RS256', 'RS512'] - claims_to_save: - description: 'list of claims to be saved, used to create authorization policies' - type: array - items: - type: string - maxLength: 127 - metadata_url: - description: 'URL used to get OAUTH/OIDC provider metadata' - type: string - maxLength: 255 - user_field: - description: |+ - 'Attribute in the token from which username should be 
extracted. - by default, ADC looks at email attribute for user id' - type: string - maxLength: 127 - default_group: - description: |+ - 'group assigned to the request if authentication succeeds, - this is in addition to any extracted groups from token' - type: string - maxLength: 63 - grant_type: - description: 'used to specify the type of flow to the token end point, defaults to CODE' - type: array - items: - type: string - enum: ['CODE','PASSWORD'] - pkce: - description: 'specify whether to enable Proof Key Code Exchange, defaults to ENABLED' - type: string - enum: ['ENABLED', 'DISABLED'] - token_ep_auth_method: - description: |+ - 'authentication method to be used with token end point, - defaults to client_secret_post' - type: string - enum: ['client_secret_post', 'client_secret_jwt'] - - anyOf: - - properties: - required : [jwks_uri] - - properties: - required : [introspect_url, client_credentials] - - properties: - required : [metadata_url] - - ldap: - description: 'LDAP authentication provider' - type: object - properties: - server_ip: - description: 'IP address assigned to the LDAP server' - type: string - server_name: - description: 'LDAP server name as a FQDN' - type: string - maxLength: 127 - server_port: - description: 'Port on which the LDAP server accepts connections. Default is 389' - type: integer - minimum: 1 - maximum: 65535 - base: - description: |+ - 'Base (node) from which to start LDAP searches. If the LDAP server is - running locally, the default value of base is dc=netscaler, dc=com' - type: string - maxLength: 127 - server_login_credentials: - description: |+ - 'Kubernetes secret object providing credentials to login to LDAP server, - The secret data should have username and password' - type: string - login_name: - description: |+ - 'LDAP login name attribute. 
The Citrix ADC uses the LDAP login name - to query external LDAP servers or Active Directories' - type: string - maxLength: 127 - security_type: - description: |+ - 'Type of security used for communications between the Citrix ADC - and the LDAP server. Default is TLS' - type: string - enum: ['PLAINTEXT', 'TLS', 'SSL'] - validate_server_cert: - description: 'Validate LDAP Server certs. Default is NO' - type: string - enum: ['YES', 'NO'] - hostname: - description: |+ - 'Hostname for the LDAP server. If validate_server_cert is ON, - this must be the host name on the certificate from the LDAP - A hostname mismatch will cause a connection failure' - type: string - maxLength: 127 - sub_attribute_name: - description: 'LDAP group sub-attribute name. Used for group extraction from the LDAP server.' - type: string - maxLength: 31 - group_attribute_name: - description: 'LDAP group attribute name. Used for group extraction on the LDAP server.' - type: string - maxLength: 31 - search_filter: - description: |+ - 'String to be combined with the default LDAP user search string to form the - search value. For example, if the search filter "vpnallowed=true" is combined - with the LDAP login name "samaccount" and the user-supplied username is "bob", - the result is the LDAP search string ""(&(vpnallowed=true)(samaccount=bob)"" - (Be sure to enclose the search string in two sets of double quotation marks)' - type: string - maxLength: 255 - auth_timeout: - description: |+ - 'Number of seconds the Citrix ADC waits for a response from the server - Default is 3' - type: integer - minimum: 1 - maximum: 4294967295 - password_change: - description: 'Allow password change requests. 
Default is DISABLED' - type: string - enum: ['ENABLED', 'DISABLED'] - attributes_to_save: - description: |+ - 'List of attribute names separated by comma which needs to be fetched - from LDAP server and stored as key-value pair for the session on ADC' - type: string - maxLength: 2047 - oneOf: - - properties: - required: [server_ip] - - properties: - required: [server_name] - - saml: - description: |+ - 'SAML authentication provider. - Currently SAML is supported only with authentication mechanism using forms' - type: object - properties: - metadata_url: - description: 'URL is used for obtaining saml metadata.' - type: string - maxLength: 255 - metadata_refresh_interval: - description: |+ - 'Interval in minutes for fetching metadata from specified metadata URL. - Default is 36000' - type: integer - minimum: 1 - maximum: 4294967295 - signing_cert: - description: 'SSL certificate to sign requests from SP to IDP' - type: object - properties: - tls_secret: - type: string - description: 'Name of the Kubernetes Secret of type tls referring to Certificate' - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - preconfigured: - type: string - maxLength: 63 - description: |+ - 'Preconfigured SSL certkey name on ADC with the - certificate and key already added on ADC' - oneOf: - - properties: - required: [tls_secret] - - properties: - required: [preconfigured] - audience: - description: 'Audience for which assertion sent by IdP is applicable' - type: string - maxLength: 127 - issuer_name: - description: 'The name to be used in requests sent from SP to IDP to identify citrix ADC' - type: string - maxLength: 63 - binding: - description: 'Specifies the transport mechanism of saml message. Default is POST' - type: string - enum: ['REDIRECT', 'POST', 'ARTIFACT'] - artifact_resolution_service_url: - description: 'URL of the Artifact Resolution Service on IdP' - type: string - maxLength: 255 - logout_binding: - description: 'Specifies the transport mechanism of saml logout. 
Default is POST' - type: string - enum: ['REDIRECT', 'POST'] - reject_unsigned_assertion: - description: |+ - 'Reject unsigned SAML assertions. ON, rejects assertion without signature. - STRICT ensure that both Response and Assertion are signed. Default is ON' - type: string - enum: ['ON', 'OFF', 'STRICT'] - user_field: - description: 'SAML user ID, as given in the SAML assertion' - type: string - maxLength: 63 - default_authentication_group: - description: |+ - 'This is the default group that is chosen when the authentication - succeeds in addition to extracted groups' - type: string - maxLength: 63 - skew_time: - description: |+ - 'Allowed clock skew in number of minutes on an incoming assertion. - Default is 5' - type: integer - minimum: 1 - attributes_to_save: - description: |+ - 'List of attribute names separated by comma which needs to be extracted - and stored as key-value pair for the session on ADC' - type: string - maxLength: 2047 - required: - - metadata_url - - basic_local_db: - type: object - description: |+ - 'Basic HTTP authentication supported by ADC, user data in local DB of ADC. - Users needs to be added on ADC' - properties: - use_local_auth: - description: 'Use ADC authentication' - type: string - enum: ['YES'] - - required: - - name - - authentication_policies: - description: 'Authentication policies' - type: array - items: - type: object - description: 'Authentication policy' - properties: - resource: - type: object - description: 'endpoint/resource selection criteria' - properties: - path: - description: 'api resource path e.g. /products. 
' - type: array - items: - type: string - maxLength: 511 - method: - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT','PATCH', 'UNKNOWN_METHOD'] - required: - - path - expression: - description: 'ADC syntax expression for authentication' - type: string - maxLength: 1229 - provider: - description: 'name of the authentication provider for the policy, empty if no authentication required' - type: array - items: - type: string - maxLength: 127 - maxItems: 1 - oneOf: - - required: [resource, provider] - - required: [expression, provider] - - authorization_policies: - description: 'Authorization policies' - type: array - items: - type: object - description: 'Authorization policy' - properties: - resource: - type: object - description: 'endpoint/resource selection criteria' - properties: - path: - description: 'api resource path e.g. /products. ' - type: array - items: - type: string - maxLength: 511 - method: - description: ' http method' - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT','PATCH', 'UNKNOWN_METHOD'] - claims: - description: 'authorization scopes required for selected resource saved as claims or attributes' - type: array - items: - type: object - properties: - name: - description: 'name of the claim/attribute to check' - type: string - maxLength: 127 - values: - description: 'list of claim values required for the request' - type: array - items: - type: string - maxLength: 127 - minItems: 1 - required: - - name - - values - required: - - claims - expression: - description: 'ADC syntax expression for authorization' - type: string - maxLength: 1229 - oneOf: - - required: [resource] - - required: [expression] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: listeners.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - 
group: citrix.com - names: - kind: Listener - plural: listeners - singular: listener - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - required: [spec] - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - required: [protocol] - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - protocol: - type: string - enum: ["https", "http"] - description: "Protocol for this listener" - vip: - type: string - description: "VIP address, Optional for CPX, required for Tier-1 deployments" - secondaryVips: - type: array - description: "An array of Secondary VIPs. All the VIPs will be part of an ipset" - minItems: 1 - items: - type: string - redirectPort: - type: integer - minimum: 1 - maximum: 65535 - description: "Port from which http traffic should be redirected to https" - port: - type: integer - minimum: 1 - maximum: 65535 - certificates: - type: array - description: "certificates attached to the endpoints - Not applicable for HTTP" - minItems: 1 - items: - type: object - properties: - preconfigured: - type: string - description: "Preconfigured Certificate name on ADC " - secret: - type: object - description: "Kuberentes secret object" - required: [name] - properties: - name: - type: string - description: "name of the Kubernetes Secret object where Cert is located" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - namespace: - type: string - description: "Namespace of the kubernetes secret object; Default is same namespace where the Listener object is located" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - default: - type: boolean - description: "Only one of the certificate can be marked as default which will be presented if none of 
the cert matches with the hostname" - oneOf: - - required: ["preconfigured"] - - required: ["secret"] - policies: - type: object - description: "Policies attached to the Listener" - properties: - httpprofile: - type: object - description: "HTTP profile configurations for the Listener, HTTP level configurations" - properties: - preconfigured: - type: string - description: "Preconfigured or Built-in HTTP profile name" - config: - type: object - description: "HTTP profile configuration for the listener. For individual fields, refer:https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ns/nshttpprofile/nshttpprofile/ Name field is auto populated" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - tcpprofile: - type: object - description: "TCP level configurations, uses ns tcpprofile of citrix ADC" - properties: - preconfigured: - description: "Preconfigured or Built-in TCP profile name" - type: string - config: - type: object - description: "TCPprofile configurations for the listener. For individual fields refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ns/nstcpprofile/ ; Name field is auto populated" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - csvserverConfig: - type: object - description: "CS Vserver configuration for the listener" - additionalProperties: - type: string - sslprofile: - type: object - description: "SSL profile configuration" - properties: - preconfigured: - type: string - description: "SSL profile which is preconfigured in ADC. Ciphers bound to the profile is not overriden" - config: - description: "Citrix ADC frontend SSL profile configurations. 
Refer:https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ssl/sslprofile/ for all configurations; Name field is auto generated" - type: object - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - sslciphers: - type: array - description: "List of ciphers to be bound to the ssl profile for the listener. Priority is as per the order in the list. A cipher suite, predefined cipher group or User created cipher group can be mentioned" - minItems: 1 - items: - type: string - description: "Cipher suite, cipher group name" - analyticsprofile: - type: object - description: "Analytics profile configuration" - properties: - preconfigured: - type: array - description: "Preconfigured Analytics profile that needs to be bound to the vserver" - minItems: 1 - items: - type: string - description: "Name of the analytics profile preconfigured that will be bound to the Vserver" - config: - type: array - description: "An array of analytics to be enabled" - minItems: 1 - items: - type: object - description: "Anlytics to be enabled" - required: ['type'] - properties: - type: - description: "Analytics profile to be enabled, you can enable one or more of the webinsight, tcpinsight, securityinsight, videoinsight, hdxinsight, gatewayinsight, timeseries, lsninsight, botinsight " - type: string - enum: ["webinsight", "tcpinsight", "securityinsight", "videoinsight", "hdxinsight", "gatewayinsight", "timeseries", "lsninsight", "botinsight"] - parameters: - type: object - description: "Additional parameters for analytics profile. 
Please refer:https://developer-docs.citrix.com/projects/citrix-adc-nitro-api-reference/en/latest/configuration/analytics/analyticsprofile/" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - routes: - type: array - description: "List of route objects attached to the listener" - minItems: 1 - items: - type: object - properties: - name: - type: string - description: "Name of the HTTPRoute object" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - namespace: - type: string - description: "Namespace of the HTTPRoute object" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - labelSelector: - description: "Labels key value pair, if the route carries the same labels, it is automatically attached" - type: object - additionalProperties: - type: string - oneOf: - - required: [name, namespace] - - required: [labelSelector] - defaultAction: - type: object - description: "Default action for the listener: One of Backend or Redirect" - properties: - backend: - type: object - oneOf: - - required: [kube] - properties: - kube: - type: object - required: [service, port] - properties: - service: - description: "Name of the backend service" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - port: - description: "Service port" - type: integer - minimum: 1 - maximum: 65535 - namespace: - description: "Service namespace" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - backendConfig: - description: "General backend service options" - type: object - properties: - secure_backend: - description: "Use Secure communications to the backends" - type: boolean - lbConfig: - description: "Citrix ADC LB vserver configurations for the backend. 
Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/load-balancing/lbvserver/lbvserver/ for all configurations" - type: object - additionalProperties: - type: string - servicegroupConfig: - description: "Citrix ADC service group configurations for the backend; Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/basic/servicegroup/servicegroup/ for all configurations" - type: object - additionalProperties: - type: string - redirect: - type: object - oneOf: - - required: [targetExpression] - - required: [hostRedirect] - - required: [httpsRedirect] - properties: - httpsRedirect: - description: "Change the scheme from http to https keeping URL intact" - type: boolean - hostRedirect: - description: "Host name specified is used for redirection with URL intact" - type: string - targetExpression: - description: "A target can be specified using Citrix ADC policy expression" - type: string - responseCode: - description: "Default response code is 302, which can be customised using this attribute" - type: integer - minimum: 100 - maximum: 599 - oneOf: - - required: ["backend"] - - required: ["redirect"] - subresources: - # status enables the status subresource. 
- status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: httproutes.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: HTTPRoute - plural: httproutes - singular: httproute - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - required: [rules] - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - hostname: - type: array - description: "List of domain names that share the same route, default is '*'" - minItems: 1 - items: - type: string - description: "Domain name" - rules: - type: array - description: "List Content routing rules with an action defined" - minItems: 1 - items: - type: object - required: [name, action] - properties: - name: - type: string - description: "A name to represent the rule, this is used as an identifier in content routing policy name in ADC" - minLength: 1 - maxLength: 20 - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - match: - type: array - description: "List of rules with same action" - minItems: 1 - items: - type: object - anyOf: - - required: [path] - - required: [headers] - - required: [cookies] - - required: [queryParams] - - required: [method] - - required: [policyExpression] - properties: - path: - type: object - description: "URL Path based content routing" - properties: - prefix: - type: string - description: "URL path matches the prefix expression" - exact: - type: string - description: "URL Path must match exact path" - regex: - type: string - description: "PCRE based 
regex expression for path matching" - headers: - type: array - description: "List of header for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Header details for content routing, Check for existence of a header or header name-value match" - properties: - headerName: - type: object - description: "Header name based content routing, Here existence of header is used for routing" - properties: - exact: - type: string - description: "Header Name - treated as exact must exist" - contains: - type: string - description: "Header Name - A header must exist that contain the string the name" - regex: - type: string - description: "header Name - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e header name must not exist" - oneOf: - - required: [exact] - - required: [contains] - - required: [regex] - headerValue: - type: object - description: "Header Name and Value based match" - properties: - name: - type: string - description: "Header name that must match the value" - exact: - type: string - description: "Header value - treated as exact" - contains: - type: string - description: "Header value - treated as contains" - regex: - type: string - description: "header value - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e header if present must not match the value" - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - queryParams: - type: array - description: "List of Query parameters for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Query parameters Name and Value based match" - properties: - name: - type: string - description: "Query name that must match the value. 
If no value is specified, matches with any value" - exact: - type: string - description: "Query value - Exact match" - contains: - type: string - description: "Query value - value must have the string(substring)" - regex: - type: string - description: "Query value - Value must match this regex patterm" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e query if present must not match the value" - anyOf: - - required: [name] - - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - cookies: - type: array - description: "List of Cookie params for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Cookie based routing" - properties: - name: - type: string - description: "cookie name that must match the value. If no value specified, it matches with any value" - exact: - type: string - description: "cookie value - treated as exact" - contains: - type: string - description: "cookie value - treated as substring" - regex: - type: string - description: "cookie value - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. 
I.e cookie if present must not match the value" - anyOf: - - required: [name] - - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - method: - type: string - description: "HTTP method for content routing eg: POST, PUT, DELETE etc" - policyExpression: - type: string - description: "Citrix ADC policy expressions; refer: https://docs.citrix.com/en-us/netscaler/media/expression-prefix.pdf" - action: - type: object - description: "Action for the matched rule" - properties: - backend: - type: object - oneOf: - - required: [kube] - properties: - kube: - type: object - required: [service, port] - properties: - service: - description: "Name of the backend service" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - port: - description: "Service port" - type: integer - minimum: 1 - maximum: 65535 - backendConfig: - type: object - description: "General backend service options" - properties: - secureBackend: - description: "Use Secure communications to the backends" - type: boolean - lbConfig: - description: "Citrix ADC LB vserver configurations for the backend. 
Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/load-balancing/lbvserver/lbvserver/ for all configurations" - type: object - additionalProperties: - type: string - servicegroupConfig: - description: "Citrix ADC service group configurations for the backend; Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/basic/servicegroup/servicegroup/ for all configurations" - type: object - additionalProperties: - type: string - redirect: - type: object - oneOf: - - required: [targetExpression] - - required: [hostRedirect] - - required: [httpsRedirect] - properties: - httpsRedirect: - description: "Change the scheme from http to https keeping URL intact" - type: boolean - hostRedirect: - description: "Host name specified is used for redirection with URL intact" - type: string - targetExpression: - description: "A target can be specified using Citrix ADC policy expression" - type: string - responseCode: - description: "Default response code is 302, which can be customised using this attribute" - type: integer - minimum: 100 - maximum: 599 - oneOf: - - required: ["backend"] - - required: ["redirect"] - subresources: - # status enables the status subresource. - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - # name must match the spec fields below, and be in the form: . 
- name: continuousdeployments.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: continuousdeployment - plural: continuousdeployments - singular: continuousdeployment - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - cronSpec: - type: integer - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: wafs.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: waf - plural: wafs - singular: waf - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the waf policies are applied.' 
- type: array - items: - type: string - maxLength: 127 - application_type: - description: 'Type of applications to protect' - type: array - items: - type: string - enum: ['HTML', 'JSON', 'XML'] - signatures: - description: 'Location of external signature file' - type: string - redirect_url: - description: 'When a URL is blocked/down, redirect_url represents the alternate URL where the client requests should be sent.' - type: string - html_error_object: - description: 'Location of customized error page to respond when html or common violation are hit' - type: string - xml_error_object: - description: 'Location of customized error page to respond when xml violations are hit' - type: string - json_error_object: - description: 'Location of customized error page to respond when json violations are hit' - type: string - ip_reputation: - type: object - x-kubernetes-preserve-unknown-fields: true - description: 'Enabling IP reputation feature' - target: - description: 'To control what traffic to be inspected by Web Application Firewall. 
If you do not provide the target, everything will be inspected by default' - type: object - properties: - path: - type: array - description: "List of http urls to inspect" - items: - type: string - description: "URL path" - method: - type: array - description: "List of http methods to inspect" - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT','PATCH', 'UNKNOWN_METHOD'] - header: - type: array - description: "List of http headers to inspect" - items: - type: string - description: "header name" - security_checks: - description: 'To enable/disable application firewall security checks' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true - settings: - description: 'To fine tune application firewall security checks default settings' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true - relaxations: - description: 'Section which contains relaxation rules for known traffic and false positives' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true - enforcements: - description: 'Section which contains enforcement or restriction rules' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - 
x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: bots.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: bot - plural: bots - singular: bot - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the bot policies are applied.' - type: array - items: - type: string - maxLength: 127 - signatures: - description: 'Location of external bot signature file' - type: string - redirect_url: - description: 'url to redirect when bot violation is hit' - type: string - target: - description: 'To control what traffic to be inspected by BOT. 
If you do not provide the target, everything will be inspected by default' - type: object - properties: - path: - type: array - description: "List of http urls to inspect" - items: - type: string - description: "URL path" - method: - type: array - description: "List of http methods to inspect" - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT','PATCH', 'UNKNOWN_METHOD'] - header: - type: array - description: "List of http headers to inspect" - items: - type: string - description: "header name" - security_checks: - description: 'To enable/disable bot ecurity checks' - type: object - properties: - allow_list: - type: string - enum: ['ON', 'OFF'] - block_list: - type: string - enum: ['ON', 'OFF'] - device_fingerprint: - type: string - enum: ['ON', 'OFF'] - device_fingerprint_action: - type: object - x-kubernetes-preserve-unknown-fields: true - headless_browser: - type: string - enum: ['ON','OFF'] - reputation: - type: string - enum: ['ON', 'OFF'] - ratelimit: - type: string - enum: ['ON', 'OFF'] - tps: - type: string - enum: ['ON', 'OFF'] - trap: - type: object - x-kubernetes-preserve-unknown-fields: true - bindings: - description: 'Section which contains binding rules for bot security checks' - type: object - properties: - allow_list: - type: array - items: - type: object - properties: - subnet: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - ipv6: - type: object - x-kubernetes-preserve-unknown-fields: true - ipv6_subnet: - type: object - x-kubernetes-preserve-unknown-fields: true - expression: - type: object - x-kubernetes-preserve-unknown-fields: true - - block_list: - type: array - items: - type: object - properties: - subnet: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - ipv6: - type: object - x-kubernetes-preserve-unknown-fields: true - ipv6_subnet: - 
type: object - x-kubernetes-preserve-unknown-fields: true - expression: - type: object - x-kubernetes-preserve-unknown-fields: true - ratelimit: - type: array - items: - type: object - properties: - url: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - cookie: - type: object - x-kubernetes-preserve-unknown-fields: true - geolocation: - type: object - x-kubernetes-preserve-unknown-fields: true - reputation: - type: object - x-kubernetes-preserve-unknown-fields: true - captcha: - type: array - items: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - logexp: - type: array - items: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - kbmexpr: - type: array - items: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - tps: - type: object - properties: - geolocation: - type: object - x-kubernetes-preserve-unknown-fields: true - host: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - url: - type: object - x-kubernetes-preserve-unknown-fields: true - trapinsertion: - type: object - x-kubernetes-preserve-unknown-fields: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: apigatewaypolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: apigatewaypolicy - plural: apigatewaypolicies - singular: apigatewaypolicy - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - subresources: - status: {} - schema: - openAPIV3Schema: - type: object - required: 
[spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - api_definition: - type: object - properties: - repository: - type: string - branch: - type: string - oas_secret_ref: - type: string - files: - type: array - items: - type: string - maxLength: 127 - api_proxy: - type: object - properties: - ipaddress: - type: string - port: - type: integer - protocol: - type: string - secret: - type: string - policies: - type: array - items: - type: object - properties: - name: - type: string - selector: - type: array - items: - type: object - properties: - tags: - type: array - items: - type: string - api: - type: string - method: - type: array - items: - type: string - maxLength: 127 - upstream: - type: object - properties: - service: - type: string - port: - type: integer - policy_bindings: - type: object - properties: - ratelimit: - type: object - properties: - name: - type: string - waf: - type: object - properties: - name: - type: string - rewritepolicy: - type: object - properties: - name: - type: string - bot: - type: object - properties: - name: - type: string - aaa: - type: array - items: - type: object - properties: - crd_name: - type: string - mappings: - type: array - items: - type: object - properties: - petstore_auth: - type: string - api_key: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: corspolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: corspolicy - plural: corspolicies - singular: corspolicy - shortNames: - - cp - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: 'Current Status of the CRD' - jsonPath: .status.state - - name: Message - type: string - 
description: 'Status Message' - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'The list of Kubernetes services to which you want to apply the cors policies.' - type: array - items: - type: string - maxLength: 63 - allow_origin: - description: 'Represents list of allowed origins, it is used to screen the “origin” in the cors pre flight request' - type: array - items: - type: string - maxLength: 2083 - allow_methods: - description: 'Indicates which methods are supported by the response’s URL for the purposes of the CORS protocol. This variable will be used to set Access-Control-Allow-Methods in the pre-flight cors response.' - type: array - items: - type: string - maxLength: 127 - allow_headers: - description: 'Indicates which headers are supported by the response’s URL for the purposes of the CORS protocol. This variable will be used to set Access-Control-Allow-Headers in the pre-flight cors response.' - type: array - items: - type: string - maxLength: 127 - max_age: - description: 'Indicates the number of seconds (5 by default) the information provided by the `Access-Control-Allow-Methods` and `Access-Control-Allow-Headers` headers can be cached. This variable will be used to set Access-Control-Max-Age in the pre-flight cors response.' - type: integer - allow_credentials: - description: 'Indicates whether the response can be shared when the request’s credentials mode is "include". This variable will be set to Access-Control-Allow-Credentials in the rewrite action.' 
- type: boolean - required: [servicenames, allow_origin, allow_methods, allow_headers] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: appqoepolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: appqoepolicy - plural: appqoepolicies - singular: appqoepolicy - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - appqoe-policies: - type: array - items: - type: object - properties: - servicenames: - description: 'Name of the services that needs to be binded to appqoe policy.' - type: array - items: - type: string - maxLength: 127 - appqoe-policy: - type: object - properties: - operation-retry: - type: object - properties: - on-reset: - description: "To set Retry on Connection Reset or Not" - type: string - enum: ['YES','NO'] - on-timeout: - description: "Time in milliseconds for retry" - type: integer - minimum: 30 - maximum: 2000 - number-of-retries: - description: "To set number of retries" - type: integer - minimum: 1 - maximum: 7 - required: [operation-retry] - appqoe-criteria: - description: 'Expression against which traffic is evaluated.' - type: string - maxLength: 1299 - direction: - description: 'Bind point to which to bind the policy.' 
- type: string - enum: ["REQUEST","RESPONSE"] - required: [appqoe-criteria, operation-retry] - required: [appqoe-policy] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: wildcarddnsentries.citrix.com -spec: - group: citrix.com - names: - kind: wildcarddnsentry - plural: wildcarddnsentries - singular: wildcarddnsentry - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: Current Status of the CRD - jsonPath: .status.state - - name: Message - type: string - description: Status Message - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - zone: - type: object - description: DNS configuration for a zone - properties: - domain: - type: string - description: Domain name - dnsaddrec: - type: object - description: DNS Address record - properties: - domain-ip: - type: string - description: IPv4 addresses to assign to the domain name - ttl: - type: integer - description: >- - TTL is the time for which the record must be cached - by DNS proxies - dnsaaaarec: - type: object - description: DNS AAAA record - properties: - domain-ip: - type: string - description: IPv6 addresses to assign to the domain name - ttl: - type: integer - description: >- - TTL is the time for which the record must be cached - by DNS proxies - soarec: - type: object - description: SOA record - properties: - origin-server: - type: string - description: Origin server domain - contact: - type: string - description: Admin contact - serial: - type: integer - description: >- - The secondary server uses this parameter to - determine whether it requires a zone transfer from - the primary server. 
- refresh: - type: integer - description: >- - Time, in seconds, for which a secondary server must - wait between successive checks on the value of the - serial number. - retry: - type: integer - description: >- - Time, in seconds, between retries if a secondary server's - attempt to contact the primary server for a zone refresh fails. - expire: - type: integer - description: >- - Time, in seconds, after which the zone data on a secondary - nameserver can no longer be considered authoritative because - all refresh and retry attempts made during the period have failed." - nsrec: - type: object - description: Name server record - properties: - nameserver: - type: string - description: Host name of the name server to add to the domain. - ttl: - type: integer - description: >- - Time to Live (TTL), in seconds, for the record. TTL - is the time for which the record must be cached by - DNS proxies. The specified TTL is applied to all the - resource records that are of the same record type - and belong to the specified domain name ---- -{{- end }}
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.34.16/templates/citrix-k8s-cpx-ingress.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.34.16/templates/citrix-k8s-cpx-ingress.yaml
deleted file mode 100644
index f265d4e3ac..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.34.16/templates/citrix-k8s-cpx-ingress.yaml
+++ /dev/null
@@ -1,425 +0,0 @@ -apiVersion: apps/v1 -{{- if or .Values.cpxBgpRouter .Values.daemonSet }} -kind: DaemonSet -{{- else }} -kind: Deployment -{{- end }} -metadata: - name: {{ include "citrix-cpx-ingress-controller.fullname" . }} - namespace: {{ .Release.Namespace }} -spec: - selector: - matchLabels: - app: {{ include "citrix-cpx-ingress-controller.fullname" . }} -{{- if not ( or .Values.cpxBgpRouter .Values.daemonSet ) }} - replicas: {{ .Values.replicaCount }} -{{- end }} - template: - metadata: - name: {{ include "citrix-cpx-ingress-controller.fullname" . }} - labels: - app: {{ include "citrix-cpx-ingress-controller.fullname" . }} - adc: "citrix" -{{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} -{{- end }} - spec: - serviceAccountName: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }} -{{- if .Values.cpxBgpRouter }} - hostNetwork: true -{{- end }} - containers: - - name: cpx-ingress - image: "{{ tpl .Values.image . }}" - imagePullPolicy: {{ .Values.pullPolicy }} - tty: true - securityContext: - privileged: true - env: - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace -{{- if .Values.cpxLicenseAggregator }} - - name: "CLA" - value: {{ .Values.cpxLicenseAggregator | quote }} -{{- else if .Values.ADMSettings.licenseServerIP }} - - name: "LS_IP" - value: {{ .Values.ADMSettings.licenseServerIP | quote }} - - name: "LS_PORT" - value: {{ .Values.ADMSettings.licenseServerPort | quote }} -{{- end }} - - name: "EULA" - value: "{{ .Values.license.accept }}" - - name: "KUBERNETES_TASK_ID" - value: "" -{{- if not .Values.cpxBgpRouter }} - - name: "MGMT_HTTP_PORT" - value: {{ .Values.mgmtHttpPort | quote }} - - name: "MGMT_HTTPS_PORT" - value: {{ .Values.mgmtHttpsPort | quote }} -{{- end }} -{{- if .Values.cpxBgpRouter }} - - name: NS_NETMODE - value: HOST -{{- if .Values.nsIP }} - - name: "NS_IP" 
- value: "{{ .Values.nsIP }}" -{{- end }} -{{- if .Values.nsGateway }} - - name: "NS_GATEWAY" - value: "{{ .Values.nsGateway }}" -{{- end }} -{{- end }} -{{- if .Values.ADMSettings.ADMIP }} - - name: "NS_MGMT_SERVER" - value: {{ .Values.ADMSettings.ADMIP | quote }} - - name: "NS_HTTP_PORT" - value: {{ .Values.mgmtHttpPort | quote }} - - name: "NS_HTTPS_PORT" - value: {{ .Values.mgmtHttpsPort | quote }} - - name: "LOGSTREAM_COLLECTOR_IP" - value: {{ .Values.ADMSettings.ADMIP | quote }} - - name: "ANALYTICS_SERVER" - value: {{ .Values.ADMSettings.ADMIP | quote }} - - name: "ANALYTICS_SERVER_PORT" - value: {{ .Values.ADMSettings.analyticsServerPort | quote }} -{{- end }} -##Need to set env var BANDWIDTH in order to provide Bandwidth license to Citrix ADC CPX from ADM or CPX License Aggregator -{{- if and ( or ( .Values.ADMSettings.licenseServerIP ) ( .Values.cpxLicenseAggregator ) ) ( eq .Values.ADMSettings.bandWidthLicense true ) }} - - name: "BANDWIDTH" - value: {{ .Values.ADMSettings.bandWidth | quote }} -{{- end }} -#for multiple-PE support, need to set CPX_CORES -{{- if or .Values.ADMSettings.licenseServerIP .Values.cpxLicenseAggregator }} -{{- if or ( eq .Values.ADMSettings.vCPULicense true ) ( eq .Values.ADMSettings.bandWidthLicense true ) }} - - name: "CPX_CORES" - value: {{ .Values.ADMSettings.cpxCores | default 1 | quote }} -{{- end }} -{{- end }} - - name: "EDITION" - value: {{ .Values.ADMSettings.licenseEdition }} -{{- if or (.Values.ADMSettings.ADMIP) (.Values.ADMSettings.licenseServerIP) }} - - name: NS_MGMT_USER - valueFrom: - secretKeyRef: - name: {{ required "Provide Secret for ADM/LicenseServer credentials" .Values.ADMSettings.loginSecret }} - key: username - - name: NS_MGMT_PASS - valueFrom: - secretKeyRef: - name: {{ required "Provide Secret for ADM/LicenseServer credentials" .Values.ADMSettings.loginSecret }} - key: password -{{- end }} -{{- if .Values.exporter.required }} - - name: "METRICS_EXPORTER_PORT" - value: {{ 
.Values.exporter.ports.containerPort | quote }} -{{- end }} - resources: - {{- toYaml .Values.resources | nindent 12 }} - volumeMounts: - - mountPath: /var/deviceinfo - name: shared-data - - mountPath: /cpx/ - name: cpx-volume - - mountPath: /cpx/conf - name: cpx-volume-conf -{{- if .Values.cic.required }} - # Add cic as a sidecar - - name: cic - image: "{{ tpl .Values.cic.image . }}" - imagePullPolicy: {{ .Values.cic.pullPolicy }} - env: - - name: "EULA" - value: "{{ .Values.license.accept }}" -{{- if .Values.cpxBgpRouter }} - - name: "NS_IP" - value: {{ .Values.nsIP | default "192.168.1.2" | quote }} -{{- else }} - - name: "NS_IP" - value: "127.0.0.1" -{{- end }} -{{- if .Values.rbacRole }} - - name: "SCOPE" - value: "local" -{{- end }} - - name: "NS_APPS_NAME_PREFIX" - value: {{ .Values.entityPrefix | default "k8s"| quote }} - - name: "NS_DEPLOYMENT_MODE" - value: "SIDECAR" -{{- if and .Values.openshift .Values.routeLabels }} - - name: "ROUTE_LABELS" - value: {{ .Values.routeLabels | quote}} -{{- end }} -{{- if and .Values.openshift .Values.namespaceLabels }} - - name: "NAMESPACE_LABELS" - value: {{ .Values.namespaceLabels | quote }} -{{- end }} -{{- if .Values.cpxBgpRouter }} -{{- if eq (upper .Values.nsProtocol) "HTTPS" }} - - name: NS_PROTOCOL - value: HTTPS - - name: NS_PORT - value: "9443" -{{- else }} - - name: NS_PROTOCOL - value: HTTP - - name: NS_PORT - value: "9080" -{{- end }} -{{- if .Values.bgpPort }} - - name: "BGP_PORT" - value: {{ .Values.bgpPort | quote }} -{{- end }} -{{- end }} - - name: "NS_ENABLE_MONITORING" - value: "YES" -{{- if .Values.logProxy }} - - name: "NS_LOGPROXY" - value: {{ .Values.logProxy | quote }} -{{- end }} -{{- if .Values.ingressIP }} - - name: "NS_VIP" - value: {{ .Values.ingressIP | quote }} -{{- end }} -{{- if .Values.nitroReadTimeout }} - - name: "NS_NITRO_READ_TIMEOUT" - value: "{{ .Values.nitroReadTimeout }}" -{{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: 
POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName -{{- if .Values.kubernetesURL }} - - name: "kubernetes_url" - value: "{{ .Values.kubernetesURL }}" -{{- end }} -{{- if .Values.disableOpenshiftRoutes }} - - name: "DISABLE_OPENSHIFT_ROUTES" - value: "{{ .Values.disableOpenshiftRoutes }}" -{{- end }} -{{- if .Values.nsConfigDnsRec }} - - name: "NS_CONFIG_DNS_REC" - value: "{{ .Values.nsConfigDnsRec }}" -{{- end }} -{{- if .Values.nsSvcLbDnsRec }} - - name: "NS_SVC_LB_DNS_REC" - value: "{{ .Values.nsSvcLbDnsRec }}" -{{- end }} -{{- if .Values.optimizeEndpointBinding }} - - name: "OPTIMIZE_ENDPOINT_BINDING" - value: "{{ .Values.optimizeEndpointBinding }}" -{{- end }} -{{- if .Values.cpxBgpRouter }} - securityContext: - runAsUser: 0 - capabilities: - add: - - NET_ADMIN -{{- end }} - args: - - --configmap - {{ .Release.Namespace }}/{{ include "cpxconfigmap.fullname" . }} -{{- if .Values.ipam }} - - --ipam - citrix-ipam-controller -{{- end }} -{{- if .Values.disableAPIServerCertVerify }} - - --disable-apiserver-cert-verify - {{ .Values.disableAPIServerCertVerify }} -{{- end }} -{{- if .Values.cpxBgpRouter }} - - --deployment-type - kube-bgp-router -{{- end }} -{{- if .Values.ingressClass }} - - --ingress-classes -{{- range .Values.ingressClass}} - {{.}} -{{- end }} -{{- end }} -{{- if .Values.defaultSSLCertSecret }} - - --default-ssl-certificate - {{ .Release.Namespace }}/{{ .Values.defaultSSLCertSecret }} -{{- end }} -{{- end }} -{{- if .Values.updateIngressStatus }} -{{- if .Values.cpxBgpRouter }} - - --update-ingress-status - yes -{{- else }} - - --cpx-service - {{ .Release.Namespace }}/{{ include "cpxservice.fullname" . 
}} -{{- end }} -{{- end }} - volumeMounts: - - mountPath: /var/deviceinfo - name: shared-data - resources: - {{- toYaml .Values.cic.resources | nindent 12 }} -{{- if .Values.exporter.required }} - - name: exporter - image: "{{ tpl .Values.exporter.image . }}" - imagePullPolicy: {{ .Values.exporter.pullPolicy }} - args: - - "--secure=no" -{{- if .Values.cpxBgpRouter }} - - --target-nsip={{ .Values.nsIP | default "192.168.1.2" }}:9080 -{{- else }} - - "--target-nsip=127.0.0.1" -{{- end }} - - "--port={{ .Values.exporter.ports.containerPort }}" - env: - - name: "NS_DEPLOYMENT_MODE" - value: "SIDECAR" - securityContext: - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /var/deviceinfo - name: shared-data - resources: - {{- toYaml .Values.exporter.resources | nindent 12 }} -{{- end }} - volumes: - - name: shared-data - emptyDir: {} - - name: cpx-volume - emptyDir: {} - - name: cpx-volume-conf - emptyDir: {} -{{- if and .Values.nodeSelector.key .Values.nodeSelector.value }} - nodeSelector: - {{ .Values.nodeSelector.key }}: {{ .Values.nodeSelector.value }} -{{- end }} -{{- if .Values.tolerations }} - tolerations: {{ .Values.tolerations | toYaml | nindent 8 }} -{{- end }} -{{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} -{{- end }} - ---- -{{- if .Values.cpxBgpRouter }} -{{- if .Values.exporter.required }} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "cpxexporter.fullname" . }} - labels: - app: {{ include "cpxexporter.fullname" . }} - service-type: {{ include "cpxservicemonitorlabel" . }} -spec: - type: ClusterIP - ports: - - port: {{ .Values.exporter.ports.containerPort }} - targetPort: {{ .Values.exporter.ports.containerPort }} - name: exporter-port - selector: - app: {{ include "citrix-cpx-ingress-controller.fullname" . }} -{{- end }} -{{- else }} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "cpxservice.fullname" . }} - labels: - app: cpx-service - service-type: {{ include "cpxservicemonitorlabel" . 
}} -{{- if .Values.serviceAnnotations }} - annotations: -{{- with .Values.serviceAnnotations }} -{{ toYaml . | indent 4 }} -{{- end }} -{{- end }} -spec: -{{- if or .Values.serviceType.loadBalancer.enabled ( and (.Values.updateIngressStatus) (not .Values.cpxBgpRouter)) }} - externalTrafficPolicy: {{ .Values.serviceSpec.externalTrafficPolicy }} - type: LoadBalancer -{{- if .Values.serviceSpec.loadBalancerIP }} - loadBalancerIP: {{ .Values.serviceSpec.loadBalancerIP }} -{{- end }} -{{- else if .Values.serviceType.nodePort.enabled }} - type: NodePort - externalTrafficPolicy: {{ .Values.serviceSpec.externalTrafficPolicy }} -{{- end }} -{{- if and .Values.serviceType.loadBalancer.enabled .Values.serviceSpec.loadBalancerSourceRanges }} - loadBalancerSourceRanges: -{{- range .Values.serviceSpec.loadBalancerSourceRanges}} - - {{.}} -{{- end }} -{{- end }} - ports: -{{- if .Values.servicePorts }} -{{- with .Values.servicePorts }} -{{ toYaml . | indent 2 }} -{{- end }} -{{- else }} - - port: 80 - protocol: TCP - name: http -{{- if and .Values.serviceType.nodePort.enabled .Values.serviceType.nodePort.httpPort }} - nodePort: {{ .Values.serviceType.nodePort.httpPort }} -{{- end }} - - port: 443 - protocol: TCP - name: https -{{- if and .Values.serviceType.nodePort.enabled .Values.serviceType.nodePort.httpsPort }} - nodePort: {{ .Values.serviceType.nodePort.httpsPort}} -{{- end }} -{{- end }} -{{- if .Values.exporter.required }} - - port: {{ .Values.exporter.ports.containerPort }} - targetPort: {{ .Values.exporter.ports.containerPort }} - name: exporter-port -{{- end }} - selector: - app: {{ include "citrix-cpx-ingress-controller.fullname" . }} -{{- end }} - ---- - -{{- if .Values.exporter.required }} - -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ include "cpxservicemonitor.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - servicemonitor: citrix-adc-cpx - {{- with .Values.exporter.serviceMonitorExtraLabels }} - {{- toYaml . 
| nindent 4 }} - {{- end }} -spec: - endpoints: - - interval: 30s - port: exporter-port - selector: - matchLabels: - service-type: {{ include "cpxservicemonitorlabel" . }} - namespaceSelector: - matchNames: - - monitoring - - default - - {{ .Release.Namespace }} - -{{- end }} diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.34.16/templates/configmap.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.34.16/templates/configmap.yaml deleted file mode 100644 index ac7aab2a29..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.34.16/templates/configmap.yaml +++ /dev/null 
@@ -1,86 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "cpxconfigmap.fullname" . }} - namespace: {{ .Release.Namespace }} -data: - LOGLEVEL: {{ .Values.logLevel | quote | lower }} - JSONLOG: {{ .Values.jsonLog | quote | lower }} -{{- if eq (upper .Values.nsProtocol) "HTTPS" }} - NS_PROTOCOL: "https" -{{- if .Values.cpxBgpRouter }} - NS_PORT: "9443" -{{- else }} - NS_PORT: "443" -{{- end }} -{{- else }} - NS_PROTOCOL: "http" -{{- if .Values.cpxBgpRouter }} - NS_PORT: "9080" -{{- else }} - NS_PORT: "80" -{{- end }} -{{- end }} - -{{- if ne (upper .Values.nsHTTP2ServerSide) "OFF" }} - NS_HTTP2_SERVER_SIDE: {{ .Values.nsHTTP2ServerSide | quote }} -{{- end }} -{{- if ne (toString .Values.nsCookieVersion) "0" }} - NS_COOKIE_VERSION: {{ .Values.nsCookieVersion | quote }} -{{- end }} -{{- if .Values.nsDnsNameserver }} - NS_DNS_NAMESERVER: {{ .Values.nsDnsNameserver }} -{{- end }} - -{{- if .Values.analyticsConfig.required }} - NS_ANALYTICS_CONFIG: | - distributed_tracing: - enable: {{ .Values.analyticsConfig.distributedTracing.enable | quote }} - samplingrate: {{ .Values.analyticsConfig.distributedTracing.samplingrate }} - endpoint: - server: {{ include "analytics.server" . | quote }} - service: {{ .Values.analyticsConfig.endpoint.service | quote }} - timeseries: - port: {{ .Values.analyticsConfig.timeseries.port }} - metrics: - enable: {{ .Values.analyticsConfig.timeseries.metrics.enable | quote }} - mode: {{ .Values.analyticsConfig.timeseries.metrics.mode | quote }} - auditlogs: - enable: {{ .Values.analyticsConfig.timeseries.auditlogs.enable | quote }} - events: - enable: {{ .Values.analyticsConfig.timeseries.events.enable | quote }} - transactions: - enable: {{ .Values.analyticsConfig.transactions.enable | quote }} - port: {{ .Values.analyticsConfig.transactions.port }} -{{- end }} - -{{- if .Values.cpxBgpRouter }} -{{- if .Values.bgpSettings.required }} - NS_BGP_CONFIG: | -{{- with .Values.bgpSettings.bgpConfig }} - bgpConfig: -{{ toYaml . 
| indent 4 }} -{{- end }} -{{- end }} -{{- end }} - -{{- if .Values.nsLbHashAlgo.required }} - NS_LB_HASH_ALGO: | - hashFingers: {{ .Values.nsLbHashAlgo.hashFingers }} - hashAlgorithm: {{ .Values.nsLbHashAlgo.hashAlgorithm | quote }} -{{- end }} - -{{- if .Values.profileSslFrontend }} - FRONTEND_SSL_PROFILE: | - {{- toYaml .Values.profileSslFrontend | nindent 4 }} -{{- end }} - -{{- if .Values.profileTcpFrontend }} - FRONTEND_TCP_PROFILE: | - {{- toYaml .Values.profileTcpFrontend | nindent 4 }} -{{- end }} - -{{- if .Values.profileHttpFrontend }} - FRONTEND_HTTP_PROFILE: | - {{- toYaml .Values.profileHttpFrontend | nindent 4 }} -{{- end }} \ No newline at end of file diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.34.16/templates/ingressclass.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.34.16/templates/ingressclass.yaml deleted file mode 100644 index d75537b79f..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.34.16/templates/ingressclass.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{- $default := .Values.setAsDefaultIngressClass -}} -{{- if semverCompare ">=1.19.0-0" .Capabilities.KubeVersion.GitVersion }} -{{- if .Values.ingressClass }} -{{- range .Values.ingressClass }} -apiVersion: networking.k8s.io/v1 -kind: IngressClass -metadata: - name: {{ . | quote }} -{{- if $default }} - annotations: - ingressclass.kubernetes.io/is-default-class: "true" -{{- end }} -spec: - controller: citrix.com/ingress-controller ---- -{{- end }} -{{- end }} -{{- end }} diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.34.16/templates/rbac.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.34.16/templates/rbac.yaml deleted file mode 100644 index d812e76751..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.34.16/templates/rbac.yaml +++ /dev/null 
@@ -1,106 +0,0 @@ -{{- if not .Values.rbacRole }} -kind: ClusterRole -{{- else }} -kind: Role -{{- end }} -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }} -{{- if .Values.rbacRole }} - namespace: {{ .Release.Namespace }} -{{- end }} -rules: - - apiGroups: [""] -{{- if .Values.openshift }} - resources: ["endpoints", "pods", "secrets", "routes", "tokenreviews", "subjectaccessreviews", "nodes", "namespaces", "configmaps", "services"] -{{- else }} - resources: ["endpoints", "pods", "secrets", "routes", "nodes", "namespaces", "configmaps", "services"] -{{- end }} - verbs: ["get", "list", "watch"] - # services/status is needed to update the loadbalancer IP in service status for integrating - # service of type LoadBalancer with external-dns - - apiGroups: [""] - resources: ["services/status"] - verbs: ["patch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create"] - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["extensions","networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["patch"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingressclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apps"] - resources: ["deployments"] - verbs: ["get", "list", "watch"] - - apiGroups: ["citrix.com"] - resources: ["rewritepolicies", "continuousdeployments", "authpolicies", "ratelimits", "listeners", "httproutes", "wafs", "apigatewaypolicies", "bots", "corspolicies", "appqoepolicies", "wildcarddnsentries"] - verbs: ["get", "list", "watch", "create", "delete", "patch"] - - apiGroups: ["citrix.com"] - resources: ["rewritepolicies/status", "continuousdeployments/status", "authpolicies/status", "ratelimits/status", "listeners/status", "httproutes/status", "wafs/status", 
"apigatewaypolicies/status", "bots/status", "corspolicies/status", "appqoepolicies/status", "wildcarddnsentries/status"] - verbs: ["patch"] - - apiGroups: ["citrix.com"] - resources: ["vips"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: ["crd.projectcalico.org"] - resources: ["ipamblocks"] - verbs: ["get", "list", "watch"] -{{- if .Values.openshift }} - - apiGroups: ["route.openshift.io"] - resources: ["routes"] - verbs: ["get", "list", "watch"] - - apiGroups: ["network.openshift.io"] - resources: ["hostsubnets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["config.openshift.io"] - resources: ["networks"] - verbs: ["get", "list"] -{{- end }} - ---- - -{{- if not .Values.rbacRole }} -kind: ClusterRoleBinding -{{- else }} -kind: RoleBinding -{{- end }} -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }} -{{- if .Values.rbacRole }} - namespace: {{ .Release.Namespace }} -{{- end }} -roleRef: - apiGroup: rbac.authorization.k8s.io -{{- if not .Values.rbacRole }} - kind: ClusterRole -{{- else }} - kind: Role -{{- end }} - name: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }} -subjects: -- kind: ServiceAccount - name: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- if .Values.imagePullSecrets }} -imagePullSecrets: -{{- range .Values.imagePullSecrets }} -- name: {{.}} -{{- end }} -{{- end }} - diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.34.16/values.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.34.16/values.yaml deleted file mode 100644 index bb9e1f951d..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.34.16/values.yaml +++ /dev/null 
@@ -1,244 +0,0 @@ -# Default values for citrix-cpx-with-ingress-controller. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -# Citrix ADC CPX config details -imageRegistry: quay.io -imageRepository: citrix/citrix-k8s-cpx-ingress -imageTag: 13.1-49.13 -image: "{{ .Values.imageRegistry }}/{{ .Values.imageRepository }}:{{ .Values.imageTag }}" -pullPolicy: IfNotPresent -imagePullSecrets: [] -daemonSet: False -nameOverride: "" -replicaCount: 1 -fullnameOverride: "" -mgmtHttpPort: 9080 -mgmtHttpsPort: 9443 -openshift: false -nsHTTP2ServerSide: "OFF" -nsCookieVersion: "0" -nsConfigDnsRec: -nsSvcLbDnsRec: -nsDnsNameserver: -optimizeEndpointBinding: -routeLabels: -namespaceLabels: - -# Service Type LoadBalancer and ingress support with CPX through BGP advertisement -# If you enable this, CPX is run as DaemonSet. Please edit the bgpSettings for configuring -# BGP neighbors for propgation of external IPs. -cpxBgpRouter: false - -# If cpxBgpRouter is true, then this is the NSIP used by CPX for internal communication -nsIP: 192.168.1.2 - -# If cpxBgpRouter is true, then this is the Gateway used by CPX for internal communication -nsGateway: 192.168.1.1 - -# Protocol used for communication between Citrix Ingress Controller sidecar and Citrix CPX -nsProtocol: http - -# External IP for ingress resource when bgpRouter is set to True -ingressIP: - -# If IPAM controller is used for auto allocation of the external IP for service of type LoadBalancer, set this option to true -ipam: False - -# Enable RBAC role (so called local role), by default CIC deployed with ClusterRole. 
-# below variable to deploy CIC with RBAC role, only ingress service supported with this config -rbacRole: False - -# API server Cert verification can be disabled, while communicating with API Server, if disableAPIServerCertVerify set to True -disableAPIServerCertVerify: False - -cpxLicenseAggregator: - -sslCertManagedByAWS: False - -nodeSelector: - key: - value: -tolerations: [] - -serviceType: - loadBalancer: - enabled: False - nodePort: - enabled: False - httpPort: - httpsPort: - -serviceAnnotations: {} - -serviceSpec: - externalTrafficPolicy: "Cluster" - loadBalancerIP: - loadBalancerSourceRanges: [] - -servicePorts: [] - -# Citrix Ingress Controller config details -cic: - imageRegistry: quay.io - imageRepository: citrix/citrix-k8s-ingress-controller - imageTag: 1.34.16 - image: "{{ .Values.cic.imageRegistry }}/{{ .Values.cic.imageRepository }}:{{ .Values.cic.imageTag }}" - pullPolicy: IfNotPresent - required: true - resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # Following values depends on no of ingresses configured by Ingress Controllers, so it is - # advised to test with maximum no of ingresses to set these values. 
- # limits: - # cpu: 1000m - # memory: 1000Mi - # requests: - # cpu: 250m - # memory: 256Mi -entityPrefix: -license: - accept: no -ingressClass: -setAsDefaultIngressClass: False -# nitroReadTimeout is timeout value in seconds for nitro api read timeout(default is 20) -nitroReadTimeout: -logLevel: INFO -jsonLog: false -defaultSSLCertSecret: -updateIngressStatus: False -logProxy: -kubernetesURL: -disableOpenshiftRoutes: -profileSslFrontend: {} - # preconfigured: my_ssl_profile - # OR - # config: - # tls13: 'ENABLED' - # hsts: 'ENABLED' -profileHttpFrontend: {} - # preconfigured: my_http_profile - # OR - # config: - # dropinvalreqs: 'ENABLED' - # websocket: 'ENABLED' -profileTcpFrontend: {} - # preconfigured: my_tcp_profile - # OR - # config: - # sack: 'ENABLED' - # nagle: 'ENABLED' - - -# Citrix ADM/License Server config details -ADMSettings: - licenseServerIP: - licenseServerPort: 27000 - ADMIP: - loginSecret: - bandWidthLicense: false - bandWidth: 1000 #bandwidth value shoule be in Mbps - vCPULicense: false - cpxCores: - analyticsServerPort: 5557 - licenseEdition: PLATINUM - -# Exporter config details -exporter: - required: false - imageRegistry: quay.io - imageRepository: citrix/citrix-adc-metrics-exporter - imageTag: 1.4.9 - image: "{{ .Values.exporter.imageRegistry }}/{{ .Values.exporter.imageRepository }}:{{ .Values.exporter.imageTag }}" - pullPolicy: IfNotPresent - ports: - containerPort: 8888 - resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
- # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - serviceMonitorExtraLabels: {} - -# For CRDs supported by Citrix Ingress Controller -crds: - install: false - retainOnDelete: false - -# Config required to be done by Citrix Ingress Controller for sending metrics to Citrix Observability Exporter -analyticsConfig: - required: false - distributedTracing: - enable: false - samplingrate: 100 - endpoint: - server: - service: - timeseries: - port: 5563 - metrics: - enable: false - mode: 'avro' - auditlogs: - enable: false - events: - enable: false - transactions: - enable: false - port: 5557 - -# BGP configurations: local AS, remote AS and remote address is mandatory to provide. Please do the approrpiate changes with respect to your environment -bgpSettings: - # When bgpConfig is configured correctly, set the required to true for the configuration to be applied. - required: false - bgpConfig: - - bgpRouter: - # Local AS number for BGP advertisement - localAS: 100 - neighbor: - # Address of the nighbor router for BGP advertisement - - address: - # Remote AS number - remoteAS: 100 - advertisementInterval: 10 - ASOriginationInterval: 10 - -bgpPort: - -nsLbHashAlgo: - required: false - hashFingers: 256 - hashAlgorithm: 'DEFAULT' - -# Specifies whether a ServiceAccount should be created -serviceAccount: - create: true - # The name of the ServiceAccount to use. - # If not set and `create` is true, a name is generated using the fullname template - # name: - -podAnnotations: {} - -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:' - # This is the resource for CPX container. 
- # limits: - # cpu: 500m - # memory: 512Mi - # requests: - # cpu: 100m - # memory: 128Mi - -affinity: {} diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.35.6/Chart.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.35.6/Chart.yaml deleted file mode 100644 index dec381e5b2..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.35.6/Chart.yaml +++ /dev/null @@ -1,22 +0,0 @@ -annotations: - catalog.cattle.io/certified: partner - catalog.cattle.io/display-name: Citrix Cpx with Ingress Controller - catalog.cattle.io/kube-version: '>=v1.16.0-0' - catalog.cattle.io/release-name: citrix-cpx-with-ingress-controller -apiVersion: v2 -appVersion: 1.35.6 -deprecated: true -description: A Helm chart for Citrix ADC CPX with Citrix ingress Controller running - as sidecar. -home: https://www.cloud.com -icon: https://raw.githubusercontent.com/citrix/citrix-helm-charts/gh-pages/icon.png -kubeVersion: '>=v1.16.0-0' -maintainers: -- email: priyanka.sharma@cloud.com - name: priyankash-citrix -- email: subash.dangol@cloud.com - name: subashd -name: citrix-cpx-with-ingress-controller -sources: -- https://github.com/citrix/citrix-k8s-ingress-controller -version: 1.35.6 diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.35.6/README.md b/charts/citrix/citrix-cpx-with-ingress-controller/1.35.6/README.md deleted file mode 100644 index 258899a376..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.35.6/README.md +++ /dev/null 
@@ -1,601 +0,0 @@ -# Citrix ADC CPX with Citrix Ingress Controller running as sidecar. - -In a [Kubernetes](https://kubernetes.io/) or [OpenShift](https://www.openshift.com) cluster, you can deploy [Citrix ADC CPX](https://docs.citrix.com/en-us/citrix-adc-cpx) with Citrix ingress controller as a [sidecar](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/). The Citrix ADC CPX instance is used for load balancing the North-South traffic to the microservices in your cluster. And, the sidecar Citrix ingress controller configures the Citrix ADC CPX. - -## TL;DR; - -### For Kubernetes - ``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes - ``` - - To install Citrix Provided Custom Resource Definition(CRDs) along with Citrix Ingress Controller - ``` - helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,crds.install=true - ``` - -### For OpenShift - - ``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,openshift=true - ``` - - To install Citrix Provided Custom Resource Definition(CRDs) along with Citrix Ingress Controller - ``` - helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,openshift=true,crds.install=true - ``` - -> **Important:** -> -> The "license.accept" is a mandatory argument and should be set to "yes" to accept the terms of the Citrix license. - - -## Introduction -This Helm chart deploys a Citrix ADC CPX with Citrix ingress controller as a sidecar in the [Kubernetes](https://kubernetes.io/) or in the [Openshift](https://www.openshift.com) cluster using the [Helm](https://helm.sh/) package manager. 
- -### Prerequisites - -- The [Kubernetes](https://kubernetes.io/) version should be 1.16 and above if using Kubernetes environment. -- The [Openshift](https://www.openshift.com) version 4.8 or later if using OpenShift platform. -- The [Helm](https://helm.sh/) version 3.x or later. You can follow instruction given [here](https://github.com/citrix/citrix-helm-charts/blob/master/Helm_Installation_version_3.md) to install the same. -- You have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator), if you want to view the metrics of the Citrix ADC CPX collected by the [metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics). -- Registration of Citrix ADC CPX in ADM: You may want to register your CPX in ADM for licensing or to obtain [servicegraph](https://docs.citrix.com/en-us/citrix-application-delivery-management-service/application-analytics-and-management/service-graph.html). For this you will have to create a Kubernetes secret using ADM credentials and provide it while install the chart. Create a Kubernetes secret for the user name and password using the following command: - - ``` - kubectl create secret generic admlogin --from-literal=username= --from-literal=password= -n citrix-system - ``` - -## Installing the Chart -Add the Citrix Ingress Controller helm chart repository using command: - - ``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - ``` - -### For Kubernetes: -#### 1. Citrix ADC CPX with Citrix Ingress Controller running as side car. -To install the chart with the release name ``` my-release```: - - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,ingressClass[0]= - ``` - -> **Note:** -> -> By default the chart installs the recommended [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) roles and role bindings. 
- -The command deploys Citrix ADC CPX with Citrix ingress controller as a sidecar on the Kubernetes cluster with the default configuration. The [configuration](#configuration) section lists the mandatory and optional parameters that you can configure during installation. - -#### 2. Citrix ADC CPX with Citrix Ingress Controller and Exporter running as side car. -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed as sidecar to the Citrix ADC CPX and collects metrics from the Citrix ADC CPX instance. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. -> **Note:** -> -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). - -Use the following command for this: - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,ingressClass[0]=,exporter.required=true - ``` - -### For OpenShift: -Add the name of the service account created when the chart is deployed to the privileged Security Context Constraints of OpenShift: - - ``` - oc adm policy add-scc-to-user privileged system:serviceaccount:: - ``` - -#### 1. Citrix ADC CPX with Citrix Ingress Controller running as side car. -To install the chart with the release name, `my-release`, use the following command: - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,openshift=true - ``` - -#### 2. Citrix ADC CPX with Citrix Ingress Controller and Exporter running as side car. -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed as sidecar to the Citrix ADC CPX and collects metrics from the Citrix ADC CPX instance. 
You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. -> **Note:** -> -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). - -Use the following command for this: - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,openshift=true,exporter.required=true - ``` - -### Installed components - -The following components are installed: - -- [Citrix ADC CPX](https://docs.citrix.com/en-us/citrix-adc-cpx/netscaler-cpx.html) -- [Citrix ingress controller](https://github.com/citrix/citrix-k8s-ingress-controller) (if enabled) -- [Exporter](https://github.com/citrix/citrix-adc-metrics-exporter) (if enabled) - - -### Citrix ADC CPX Service Annotations: - - The parameter `serviceAnnotations` can be used to annotate CPX service while installing Citrix ADC CPX using this helm chart. 
- For example, if CPX is getting deployed in Azure and an Azure Internal Load Balancer is required before CPX then the annotation `service.beta.kubernetes.io/azure-load-balancer-internal:True` can be set in CPX service using Helm command: - - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,serviceAnnotations.service\\.beta\\.kubernetes\\.io/azure-load-balancer-internal=True - ``` - - or the same can be provided in [values.yaml](https://github.com/citrix/citrix-helm-charts/blob/master/citrix-cpx-with-ingress-controller/values.yaml): - - ``` - license: - accept: yes - serviceAnnotations: - service.beta.kubernetes.io/azure-load-balancer-internal: True - ``` - - which can be used to install Citrix ADC CPX using Helm command: - - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller -f values.yaml - ``` - - To know more about service annotations supported by Kubernetes on various platforms please see [this](https://kubernetes.io/docs/concepts/services-networking/service/). - -### Citrix ADC CPX Service Ports: - - By default, port 80 and 443 of CPX service will exposed when CPX is installed using this helm chart. If it is required to expose any other ports in CPX service then the parameter `servicePorts` can be used for it. 
- For example, if port 9999 is required to be exposed then below helm command can be used for installing Citrix ADC CPX: - - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,servicePorts[0].port=9999,servicePorts[0].protocol=TCP,servicePorts[0].name=https - ``` - - or the same can be provided in [values.yaml](https://github.com/citrix/citrix-helm-charts/blob/master/citrix-cpx-with-ingress-controller/values.yaml): - - ``` - license: - accept: yes - servicePorts: - - port: 9090 - protocol: TCP - name: https - ``` - - which can be used to install Citrix ADC using Helm command: - - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller -f values.yaml - ``` - -> **Note:** If `servicePorts` parameters is used, only ports provided in this parameter will be exposed in CPX service. -> If you want to expose default ports 80 or 443, then you will need to explicity mention these also in this parameter. - -### Configuration for ServiceGraph: - If Citrix ADC CPX need to send data to the Citrix ADM to bring up the servicegraph, then the below steps can be followed to install Citrix ADC CPX with ingress controller. Citrix ingress controller configures Citrix ADC CPX with the configuration required for servicegraph. - - 1. Create secret using Citrix ADC Agent credentials, which will be used by Citrix ADC CPX to communicate with Citrix ADM Agent: - - kubectl create secret generic admlogin --from-literal=username= --from-literal=password= - - 2. 
Deploy Citrix ADC CPX with Citrix ingress controller using helm command: - - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,analyticsConfig.required=true,analyticsConfig.timeseries.metrics.enable=true,analyticsConfig.distributedTracing.enable=true,analyticsConfig.endpoint.server=,ADMSettings.ADMIP=,ADMSettings.loginSecret= - -> **Note:** -> If container agent is being used here for Citrix ADM, please provide `svcIP` of container agent in the `analyticsConfig.endpoint.server` parameter. - -## Citrix ADC CPX DaemonSet with Citrix Ingress Controller as sidecar for BGP Advertisement - - The previous section of deploying CPX as a Deployment requires a Tier-1 Loadbalancer such as Citrix VPX or cloud loadbalancers to route the traffic to CPX instances running in Kubernetes cluster, but you can also leverage BGP network fabric in your on-prem environemnt to route the traffic to CPX instances in a Kubernetes or Openshift cluster. you need to deploy CPX with Citrix Ingress Controller as Daemonset to advertise the ExternalIPs of the K8s services of type LoadBalancer to your BGP Fabric. Citrix ADC CPX establishes a BGP peering session with your network routers, and uses that peering session to advertise the IP addresses of external cluster services. If your routers have ECMP capability, the traffic is load-balanced to multiple CPX instances by the upstream router, which in turn load-balances to actual application pods. When you deploy the Citrix ADC CPX with this mode, Citrix ADC CPX adds iptables rules for each service of type LoadBalancer on Kubernetes nodes. The traffic destined to the external IP address is routed to Citrix ADC CPX pods. You can also set the 'ingressIP' variable to an IP Address to advertise the External IP address for Ingress resources. Refer [documentation](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/cpx-bgp-router.md) for complete details about BGP advertisement with CPX. 
- -### Download the chart -You can download the chart usimg `helm pull` command. -``` -helm repo add citrix https://citrix.github.io/citrix-helm-charts/ -helm pull citrix/citrix-cpx-with-ingress-controller -tar -zxvf citrix-cpx-with-ingress-controller-x.y.z.tgz -``` - -### Edit the BGP configuration in values.yaml -BGP configurations enables CPX to peer with neighbor routers for advertisting the routes for Service of Type LoadBalancer. Citrix Ingress Controllers uses static IPs given in Service YAML or using an IPAM controller to allocate an External IP address, and same is advertisted to the neighbour router with the Gateway as Node IP. An example BGP configurations is given below. - -``` -# BGP configurations: local AS, remote AS and remote address is mandatory to provide. -bgpSettings: - required: true - bgpConfig: - - bgpRouter: - # Local AS number for BGP advertisement - localAS: - neighbor: - # Address of the nighbor router for BGP advertisement - - address: xx.xx.xx.xx - # Remote AS number - remoteAS: - advertisementInterval: 10 - ASOriginationInterval: 10 -``` -If the cluster spawns across multiple networks, you can also specify the NodeSelector to give different neighbors for different Cluster Nodes as shown below. - -``` -bgpSettings: - required: true - bgpConfig: - - nodeSelector: datacenter=ds1 - bgpRouter: - localAS: - neighbor: - - address: xx.xx.xx.xx - remoteAS: - advertisementInterval: 10 - ASOriginationInterval: 10 - - nodeSelector: datacenter=ds2 - bgpRouter: - localAS: - neighbor: - - address: yy.yy.yy.yy - remoteAS: - advertisementInterval: 10 - ASOriginationInterval: 10 -``` - -### Deploy the chart -#### For Kubernetes: -#### 1. Citrix ADC CPX DaemonSet with Citrix Ingress Controller running as side car for BGP Advertisement. 
- - -To install the chart with the release name ``` my-release```: - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true - ``` -If you are running Citrix IPAM for auto allocation of IPs for Service of type LoadBalancer, you must enable the IPAM configurations in Citrix Ingress Controller as show below: - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ipam=true - ``` -If you are using ingress resources, you must set the `ingressIP` to a valid IP Address which will enable the BGP route advertisement for this IP when ingress resource is deployed. - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ingressIP= - ``` - -> **Note:** -> -> By default the chart installs the recommended [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) roles and role bindings. - -The command deploys Citrix ADC CPX Daemonset with Citrix ingress controller as a sidecar on the Kubernetes cluster with the default configuration. The [configuration](#configuration) section lists the mandatory and optional parameters that you can configure during installation. - -#### 2. Citrix ADC CPX with Citrix Ingress Controller and Exporter running as side car for BGP Advertisement. -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed as sidecar to the Citrix ADC CPX and collects metrics from the Citrix ADC CPX instance. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. -> **Note:** -> -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). 
- -Use the following command for this: - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,exporter.required=true - ``` -If you are running Citrix IPAM controller for auto allocation of IPs for Service of type LoadBalancer, you must enable the IPAM configurations in Citrix Ingress Controller as show below: - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ipam=true,exporter.required=true - ``` -If you are using ingress resources, you must set the `ingressIP` to a valid IP Address which will enable the BGP route advertisement for this IP when ingress resource is deployed. - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ingressIP=, exporter.required=true - ``` - -#### For OpenShift: -Add the name of the service account created when the chart is deployed to the privileged Security Context Constraints of OpenShift: - - ``` - oc adm policy add-scc-to-user privileged system:serviceaccount:: - ``` - -#### 1. Citrix ADC CPX DaemonSet with Citrix Ingress Controller running as side car for BGP Advertisement. -To install the chart with the release name, `my-release`, use the following command: - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,openshift=true - ``` -If you are running Citrix IPAM controller for auto allocation of IPs for Service of type LoadBalancer, you must enable the IPAM configurations in Citrix Ingress Controller as show below: - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ipam=true,openshift=true - ``` - - If you are using ingress or Route resources, you must set the `ingressIP` to a valid IP Address which will enable the BGP route advertisement for this IP when ingress resource is deployed. 
- - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ingressIP=,openshift=true - ``` - -#### 2. Citrix ADC CPX with Citrix Ingress Controller and Exporter running as side car for BGP Advertisement. -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed as sidecar to the Citrix ADC CPX and collects metrics from the Citrix ADC CPX instance. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. -> **Note:** -> -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). - -Use the following command for this: - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,openshift=true,openshift=true,exporter.required=true - ``` -If you are running Citrix IPAM controller for auto allocation of IPs for Service of type LoadBalancer, you must enable the IPAM configurations in Citrix Ingress Controller as show below: - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ipam=true,openshift=true,exporter.required=true - ``` - -If you are using ingress or Route resources, you must set the `ingressIP` to a valid IP Address which will enable the BGP route advertisement for this IP when ingress resource is deployed. - - ``` - helm install my-release ./citrix-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ingressIP=,openshift=true,exporter.required=true - ``` - -## CRDs configuration - -CRDs can be installed/upgraded when we install/upgrade Citrix ADC CPX with Citrix ingress controller using `crds.install=true` parameter in Helm. If you do not want to install CRDs, then set the option `crds.install` to `false`. 
By default, CRDs too get deleted if you uninstall through Helm. This means, even the CustomResource objects created by the customer will get deleted. If you want to avoid this data loss set `crds.retainOnDelete` to `true`. - -> **Note:** -> Installing again may fail due to the presence of CRDs. Make sure that you back up all CustomResource objects and clean up CRDs before re-installing Citrix ADC CPX with Citrix ingress controller. - -There are a few examples of how to use these CRDs, which are placed in the folder: [Example-CRDs](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds). Refer to them and install as needed, using the following command: -```kubectl create -f ``` - -### Details of the supported CRDs: - -#### authpolicies CRD: - -Authentication policies are used to enforce access restrictions to resources hosted by an application or an API server. - -Citrix provides a Kubernetes CustomResourceDefinitions (CRDs) called the [Auth CRD](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/auth) that you can use with the Citrix ingress controller to define authentication policies on the ingress Citrix ADC. - -Example file: [auth_example.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/auth_example.yaml) - -#### continuousdeployments CRD for canary: - -Canary release is a technique to reduce the risk of introducing a new software version in production by first rolling out the change to a small subset of users. After user validation, the application is rolled out to the larger set of users. Citrix ADC-Integrated [Canary Deployment solution](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/canary) stitches together all components of continuous delivery (CD) and makes canary deployment easier for the application developers. 
- -#### httproutes and listeners CRDs for contentrouting: - -[Content Routing (CR)](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/contentrouting) is the execution of defined rules that determine the placement and configuration of network traffic between users and web applications, based on the content being sent. For example, a pattern in the URL or header fields of the request. - -Example files: [HTTPRoute_crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/HTTPRoute_crd.yaml), [Listener_crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/Listener_crd.yaml) - -#### ratelimits CRD: - -In a Kubernetes deployment, you can [rate limit the requests](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/ratelimit) to the resources on the back end server or services using rate limiting feature provided by the ingress Citrix ADC. - -Example files: [ratelimit-example1.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/ratelimit-example1.yaml), [ratelimit-example2.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/ratelimit-example2.yaml) - -#### vips CRD: - -Citrix provides a CustomResourceDefinitions (CRD) called [VIP](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/vip) for asynchronous communication between the IPAM controller and Citrix ingress controller. - -The IPAM controller is provided by Citrix for IP address management. It allocates IP address to the service from a defined IP address range. The Citrix ingress controller configures the IP address allocated to the service as virtual IP (VIP) in Citrix ADX VPX. And, the service is exposed using the IP address. - -When a new service is created, the Citrix ingress controller creates a CRD object for the service with an empty IP address field. 
The IPAM Controller listens to addition, deletion, or modification of the CRD and updates it with an IP address to the CRD. Once the CRD object is updated, the Citrix ingress controller automatically configures Citrix ADC-specfic configuration in the tier-1 Citrix ADC VPX. - -#### rewritepolicies CRD: - -In kubernetes environment, to deploy specific layer 7 policies to handle scenarios such as, redirecting HTTP traffic to a specific URL, blocking a set of IP addresses to mitigate DDoS attacks, imposing HTTP to HTTPS and so on, requires you to add appropriate libraries within the microservices and manually configure the policies. Instead, you can use the [Rewrite and Responder features](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/crd/rewrite-responder-policies-deployment.yaml) provided by the Ingress Citrix ADC device to deploy these policies. - -Example files: [target-url-rewrite.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/target-url-rewrite.yaml) - -#### wafs CRD: - -[WAF CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/waf.md) can be used to configure the web application firewall policies with the Citrix ingress controller on the Citrix ADC VPX, MPX, SDX, and CPX. The WAF CRD enables communication between the Citrix ingress controller and Citrix ADC for enforcing web application firewall policies. - -In a Kubernetes deployment, you can enforce a web application firewall policy to protect the server using the WAF CRD. For more information about web application firewall, see [Web application security](https://docs.citrix.com/en-us/citrix-adc/13/application-firewall/introduction/web-application-security.html). 
- -Example files: [wafhtmlxsssql.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/wafhtmlxsssql.yaml) - -#### CORS CRD: - -[CORS CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/cors.md) Cross-origin resource sharing (CORS) is a mechanism allows a web application running under one domain to securely access resources in another domain. You can configure CORS policies on Citrix ADC using Citrix ingress controller to allow one domain (the origin domain) to call APIs in another domain. For more information, see the [cross-origin resource sharing CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/cors.md) documentation. - -Example files: [cors-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/corspolicy-example.yaml) - -#### APPQOE CRD: - -[APPQOE CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/appqoe.md) When a Citrix ADC appliance receives an HTTP request and forwards it to a back-end server, sometimes there may be connection failures with the back-end server. You can configure the request-retry feature on Citrix ADC to forward the request to the next available server, instead of sending the reset to the client. Hence, the client saves round trip time when Citrix ADC initiates the same request to the next available service. -For more information, see the AppQoE support documentation. [Appqoe resource sharing CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/appqoe.md) documentation. - -Example files: [appqoe-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/appqoe_example.yaml) - -#### WILDCARDDNS CRD: - -[WILDCARDDNS CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/wildcarddns.md) Wildcard DNS domains are used to handle requests for nonexistent domains and subdomains. 
In a zone, use wildcard domains to redirect queries for all nonexistent domains or subdomains to a particular server, instead of creating a separate Resource Record (RR) for each domain. The most common use of a wildcard DNS domain is to create a zone that can be used to forward mail from the internet to some other mail system. -For more information, see the Wild card DNS domains support documentation. [Wildcard DNS Entry CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/wildcarddns.md) documentation. - -Example files: [wildcarddns-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/wildcarddns-example.yaml) - -## Citrix ADC CPX servicetype LoadBalancer -Citrix ADC CPX can be installed with service having servicetype LoadBalancer. Following arguments can be used in the `helm install` command for the same: - -``` -helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,serviceType.loadBalancer.enabled=True -``` - -## Citrix ADC CPX servicetype NodePort -Citrix ADC CPX can be installed with service having servicetype Nodeport. Following arguments can be used in the `helm install` command for the same: - -``` -helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,serviceType.nodePort.enabled=True -``` - -Additionally, `serviceType.nodePort.httpPort` and `serviceType.nodePort.httpsPort` arguments can be used to select the nodePort for the CPX service for HTTP and HTTPS ports. - -### Tolerations - -Taints are applied on cluster nodes whereas tolerations are applied on pods. Tolerations enable pods to be scheduled on node with matching taints. For more information see [Taints and Tolerations in Kubernetes](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/). 
- -Toleration can be applied to pod running Citrix ADC CPX and ingress controller containers using `tolerations` argument while deploying CPX+CIC using helm chart. This argument takes list of tolerations that user need to apply on the CPX+CIC pods. - -For example, following command can be used to apply toleration on the CPX+CIC pod: - -``` -helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,tolerations[0].key=,tolerations[0].value=,tolerations[0].operator=,tolerations[0].effect= -``` - -Here tolerations[0].key, tolerations[0].value and tolerations[0].effect are the key, value and effect that was used while tainting the node. -Effect represents what should happen to the pod if the pod don't have any matching toleration. It can have values `NoSchedule`, `NoExecute` and `PreferNoSchedule`. -Operator represents the operation to be used for key and value comparison between taint and tolerations. It can have values `Exists` and `Equal`. The default value for operator is `Equal`. - -### Resource Quotas -There are various use-cases when resource quotas are configured on the Kubernetes cluster. If quota is enabled in a namespace for compute resources like cpu and memory, users must specify requests or limits for those values; otherwise, the quota system may reject pod creation. The resource quotas for the CIC and CPX containers can be provided explicitly in the helm chart. - -To set requests and limits for the CIC container, use the variables `cic.resources.requests` and `cic.resources.limits` respectively. -Similarly, to set requests and limits for the CPX container, use the variable `resources.requests` and `resources.limits` respectively. 
- -Below is an example of the helm command that configures -``` -A) For CIC container: - CPU request for 500milli CPUs - CPU limit at 1000m - Memory request for 512M - Memory limit at 1000M -B) For CPX container: - CPU request for 250milli CPUs - CPU limit at 500m - Memory request for 256M - Memory limit at 512M -``` -``` -helm install cpx citrix/citrix-cpx-with-ingress-controller --set license.accept=yes --set cic.resources.requests.cpu=500m,cic.resources.requests.memory=512Mi,cic.resources.limits.cpu=1000m,cic.resources.limits.memory=1000Mi --set resources.limits.cpu=500m,resources.limits.memory=512Mi,resources.requests.cpu=250m,resources.requests.memory=256Mi -``` - -## Configuration -The following table lists the configurable parameters of the Citrix ADC CPX with Citrix ingress controller as side car chart and their default values. - -| Parameters | Mandatory or Optional | Default value | Description | -| ---------- | --------------------- | ------------- | ----------- | -| license.accept | Mandatory | no | Set `yes` to accept the Citrix ingress controller end user license agreement. | -| imageRegistry | Mandatory | `quay.io` | The Citrix ADC CPX image registry | -| imageRepository | Mandatory | `citrix/citrix-k8s-cpx-ingress` | The Citrix ADC CPX image repository | -| imageTag | Mandatory | `13.1-49.13` | The Citrix ADC CPX image tag | -| pullPolicy | Mandatory | IfNotPresent | The Citrix ADC CPX image pull policy. | -| daemonSet | Optional | False | Set this to true if Citrix ADC CPX needs to be deployed as DaemonSet. | -| cic.imageRegistry | Mandatory | `quay.io` | The Citrix ingress controller image registry | -| cic.imageRepository | Mandatory | `citrix/citrix-k8s-ingress-controller` | The Citrix ingress controller image repository | -| cic.imageTag | Mandatory | `1.35.6` | The Citrix ingress controller image tag | -| cic.pullPolicy | Mandatory | IfNotPresent | The Citrix ingress controller image pull policy. 
| -| cic.required | Mandatory | true | CIC to be run as sidecar with Citrix ADC CPX | -| cic.resources | Optional | {} | CPU/Memory resource requests/limits for Citrix Ingress Controller container | -| cic.rbacRole | Optional | false | To deploy CIC with RBAC Role set rbacRole=true; by default CIC gets installed with RBAC ClusterRole(rbacRole=false)) | -| imagePullSecrets | Optional | N/A | Provide list of Kubernetes secrets to be used for pulling the images from a private Docker registry or repository. For more information on how to create this secret please see [Pull an Image from a Private Registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/). | -| nameOverride | Optional | N/A | String to partially override deployment fullname template with a string (will prepend the release name) | -| fullNameOverride | Optional | N/A | String to fully override deployment fullname template with a string | -| resources | Optional | {} | CPU/Memory resource requests/limits for Citrix CPX container | -| nitroReadTimeout | Optional | 20 | The nitro Read timeout in seconds, defaults to 20 | -| logLevel | Optional | DEBUG | The loglevel to control the logs generated by CIC. The supported loglevels are: CRITICAL, ERROR, WARNING, INFO, DEBUG and TRACE. For more information, see [Logging](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/configure/log-levels.md).| -| jsonLog | Optional | false | Set this argument to true if log messages are required in JSON format | -| nsConfigDnsRec | Optional | false | To enable/disable DNS address Record addition in ADC through Ingress | -| nsSvcLbDnsRec | Optional | false | To enable/disable DNS address Record addition in ADC through Type Load Balancer Service | -| nsDnsNameserver | Optional | N/A | To add DNS Nameservers in ADC | -| optimizeEndpointBinding | Optional | false | To enable/disable binding of backend endpoints to servicegroup in a single API-call. 
Recommended when endpoints(pods) per application are large in number. Applicable only for Citrix ADC Version >=13.0-45.7 | -| defaultSSLCertSecret | Optional | N/A | Provide Kubernetes secret name that needs to be used as a default non-SNI certificate in Citrix ADC. | -| nsHTTP2ServerSide | Optional | OFF | Set this argument to `ON` for enabling HTTP2 for Citrix ADC service group configurations. | -| cpxLicenseAggregator | Optional | N/A | IP/FQDN of the CPX License Aggregator if it is being used to license the CPX. | -| nsCookieVersion | Optional | 0 | Specify the persistence cookie version (0 or 1). | -| profileSslFrontend | Optional | N/A | Specify the frontend SSL profile. For Details see [Configuration using FRONTEND_SSL_PROFILE](https://docs.citrix.com/en-us/citrix-k8s-ingress-controller/configure/profiles.html#global-front-end-profile-configuration-using-configmap-variables) | -| profileTcpFrontend | Optional | N/A | Specify the frontend TCP profile. For Details see [Configuration using FRONTEND_TCP_PROFILE](https://docs.citrix.com/en-us/citrix-k8s-ingress-controller/configure/profiles.html#global-front-end-profile-configuration-using-configmap-variables) | -| profileHttpFrontend | Optional | N/A | Specify the frontend HTTP profile. For Details see [Configuration using FRONTEND_HTTP_PROFILE](https://docs.citrix.com/en-us/citrix-k8s-ingress-controller/configure/profiles.html#global-front-end-profile-configuration-using-configmap-variables) | -| logProxy | Optional | N/A | Provide Elasticsearch or Kafka or Zipkin endpoint for Citrix observability exporter. | -| nsProtocol | Optional | http | Protocol http or https used for the communication between Citrix Ingress Controller and CPX | -| cpxBgpRouter | Optional | false| If set to true, this CPX is deployed as daemonset in BGP controller mode wherein BGP advertisements are done for attracting external traffic to Kubernetes clusters | -| replicaCount | Optional | 1 | Number of CPX-CIC pods to be deployed. 
With `cpxBgpRouter : true`, replicaCount is 1 since CPX will be deployed as DaemonSet | -| nsIP | Optional | 192.168.1.2 | NSIP used by CPX for internal communication when run in Host mode, i.e when cpxBgpRouter is set to true. A /24 internal network is created in this IP range which is used for internal communications withing the network namespace. | -| nsGateway | Optional | 192.168.1.1 | Gateway used by CPX for internal communication when run in Host mode, i.e when cpxBgpRouter is set to true. If not specified, first IP in the nsIP network is used as gateway. It must be in same network as nsIP | -| bgpPort | Optional | 179 | BGP port used by CPX for BGP advertisement if cpxBgpRouter is set to true| -| ingressIP | Optional | N/A | External IP address to be used by ingress resources if not overriden by ingress.com/frontend-ip annotation in Ingress resources. This is also advertised to external routers when pxBgpRouter is set to true| -| entityPrefix | Optional | k8s | The prefix for the resources on the Citrix ADC CPX. | -| ingressClass | Optional | N/A | If multiple ingress load balancers are used to load balance different ingress resources. You can use this parameter to specify Citrix ingress controller to configure Citrix ADC associated with specific ingress class. For more information on Ingress class, see [Ingress class support](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/configure/ingress-classes/). For Kubernetes version >= 1.19, this will create an IngressClass object with the name specified here | -| setAsDefaultIngressClass | Optional | False | Set the IngressClass object as default. New Ingresses without an "ingressClassName" field specified will be assigned the class specified in ingressClass. Applicable only for kubernetes versions >= 1.19 | -| updateIngressStatus | Optional | False | Set this argument if you want to update ingress status of the ingress resources exposed via CPX. 
This is only applicable if servicetype of CPX service is LoadBalancer. | -| disableAPIServerCertVerify | Optional | False | Set this parameter to True for disabling API Server certificate verification. | -| openshift | Optional | false | Set this argument if OpenShift environment is being used. | -| disableOpenshiftRoutes | false | By default Openshift routes are processed in openshift environment, this variable can be used to disable Ingress controller processing the openshift routes. | -| routeLabels | Optional | N/A | You can use this parameter to provide the route labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster. | -| namespaceLabels | Optional | N/A | You can use this parameter to provide the namespace labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster. | -| sslCertManagedByAWS | Optional | False | Set this argument if SSL certs used is managed by AWS while deploying Citrix ADC CPX in AWS. | -| nodeSelector.key | Optional | N/A | Node label key to be used for nodeSelector option for CPX-CIC deployment. | -| nodeSelector.value | Optional | N/A | Node label value to be used for nodeSelector option in CPX-CIC deployment. | -| podAnnotations | Optional | N/A | Map of annotations to add to the pods. | -| affinity | Optional | N/A | Affinity labels for pod assignment. | -| tolerations | Optional | N/A | Specify the tolerations for the CPX-CIC deployment. | -| serviceType.loadBalancer.enabled | Optional | False | Set this argument if you want servicetype of CPX service to be LoadBalancer. | -| serviceType.nodePort.enabled | Optional | False | Set this argument if you want servicetype of CPX service to be NodePort. | -| serviceType.nodePort.httpPort | Optional | N/A | Specify the HTTP nodeport to be used for NodePort CPX service. | -| serviceType.nodePort.httpsPort | Optional | N/A | Specify the HTTPS nodeport to be used for NodePort CPX service. 
| -| serviceAnnotations | Optional | N/A | Dictionary of annotations to be used in CPX service. Key in this dictionary is the name of the annotation and Value is the required value of that annotation. For example, [see this](#citrix-adc-cpx-service-annotations). | -| serviceSpec.externalTrafficPolicy | Optional | Cluster | Use this parameter to provide externalTrafficPolicy for CPX service of type LoadBalancer or NodePort. `serviceType.loadBalancer.enabled` or `serviceType.nodePort.enabled` should be set to `true` according to your use case for using this parameter. | -| serviceSpec.loadBalancerIP | Optional | N/A | Use this parameter to provide LoadBalancer IP to CPX service of type LoadBalancer. `serviceType.loadBalancer.enabled` should be set to `true` for using this parameter. | -| serviceSpec.loadBalancerSourceRanges | Optional | N/A | Provide the list of IP Address or range which should be allowed to access the Network Load Balancer. `serviceType.loadBalancer.enabled` should be set to `true` for using this parameter. For details, see [Network Load Balancer support on AWS](https://kubernetes.io/docs/concepts/services-networking/service/#aws-nlb-support). | -| servicePorts | Optional | N/A | List of port. Each element in this list is a dictionary that contains information about the port. For example, [see this](#citrix-adc-cpx-service-ports). | -| ADMSettings.licenseServerIP | Optional | N/A | Provide the Citrix Application Delivery Management (ADM) IP address to license Citrix ADC CPX. For more information, see [Licensing](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/licensing/). | -| ADMSettings.licenseServerPort | Optional | 27000 | Citrix ADM port if non-default port is used. | -| ADMSettings.ADMIP | Optional | N/A | Citrix Application Delivery Management (ADM) IP address. | -| ADMSettings.loginSecret | Optional | N/A | The secret key to login to the ADM. 
For information on how to create the secret keys, see [Prerequisites](#prerequistes). | -| ADMSettings.bandWidthLicense | Optional | False | Set to true if you want to use bandwidth based licensing for Citrix ADC CPX. | -| ADMSettings.bandWidth | Optional | 1000 | Desired bandwidth capacity to be set for Citrix ADC CPX in Mbps. | -| ADMSettings.vCPULicense | Optional | N/A | Set to true if you want to use vCPU based licensing for Citrix ADC CPX. | -| ADMSettings.licenseEdition| Optional | PLATINUM | License edition that can be Standard, Platinum and Enterprise . By default, Platinum is selected.| -| ADMSettings.cpxCores | Optional | 1 | Desired number of vCPU to be set for Citrix ADC CPX. | -| exporter.required | Optional | false | Use the argument if you want to run the [Exporter for Citrix ADC Stats](https://github.com/citrix/citrix-adc-metrics-exporter) along with Citrix ingress controller to pull metrics for the Citrix ADC CPX| -| exporter.imageRegistry | Optional | `quay.io` | The Exporter for Citrix ADC Stats image registry | -| exporter.imageRepository | Optional | `citrix/citrix-adc-metrics-exporter` | The Exporter for Citrix ADC Stats image repository | -| exporter.imageTag | Optional | `1.4.9` | The Exporter for Citrix ADC Stats image tag | -| exporter.pullPolicy | Optional | IfNotPresent | The Exporter for Citrix ADC Stats image pull policy. | -| exporter.resources | Optional | {} | CPU/Memory resource requests/limits for Metrics exporter container | -| exporter.ports.containerPort | Optional | 8888 | The Exporter for Citrix ADC Stats container port. | -| exporter.serviceMonitorExtraLabels | Optional | | Extra labels for service monitor whem Citrix-adc-metrics-exporter is enabled. | -| analyticsConfig.required | Mandatory | false | Set this to true if you want to configure Citrix ADC to send metrics and transaction records to analytics service. 
| -| analyticsConfig.distributedTracing.enable | Optional | false | Set this value to true to enable OpenTracing in Citrix ADC. | -| analyticsConfig.distributedTracing.samplingrate | Optional | 100 | Specifies the OpenTracing sampling rate in percentage. | -| analyticsConfig.endpoint.server | Optional | N/A | Set this value as the IP address or DNS address of the analytics server. | -| analyticsConfig.endpoint.service | Optional | N/A | Set this value as the IP address or service name with namespace of the analytics service deployed in Kuberenetes. Format: namespace/servicename| -| analyticsConfig.timeseries.port | Optional | 5563 | Specify the port used to expose analytics service for timeseries endpoint. | -| analyticsConfig.timeseries.metrics.enable | Optional | Set this value to true to enable sending metrics from Citrix ADC. | -| analyticsConfig.timeseries.metrics.mode | Optional | avro | Specifies the mode of metric endpoint. | -| analyticsConfig.timeseries.auditlogs.enable | Optional | false | Set this value to true to export audit log data from Citrix ADC. | -| analyticsConfig.timeseries.events.enable | Optional | false | Set this value to true to export events from the Citrix ADC. | -| analyticsConfig.transactions.enable | Optional | false | Set this value to true to export transactions from Citrix ADC. | -| analyticsConfig.transactions.port | Optional | 5557 | Specify the port used to expose analytics service for transaction endpoint. | -| crds.install | Optional | False | Unset this argument if you don't want to install CustomResourceDefinitions which are consumed by CIC. | -| crds.retainOnDelete | Optional | false | Set this argument if you want to retain CustomResourceDefinitions even after uninstalling CIC. This will avoid data-loss of Custom Resource Objects created before uninstallation. 
| -| bgpSettings.required | Optional | false | Set this argument if you want to enable BGP configurations for exposing service of Type Loadbalancer through BGP fabric| -| bgpSettings.bgpConfig | Optional| N/A| This represents BGP configurations in YAML format. For the description about individual fields, please refer the [documentation](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/cpx-bgp-router.md) | -| nsLbHashAlgo.required | Optional | false | Set this value to set the LB consistent hashing Algorithm | -| nsLbHashAlgo.hashFingers | Optional |256 | Specifies the number of fingers to be used for hashing algorithm. Possible values are from 1 to 1024, Default value is 256 | -| nsLbHashAlgo.hashAlgorithm | Optional | 'default' | Specifies the supported algorithm. Supported algorithms are "default", "jarh", "prac", Default value is 'default' | -| cpxCommands| Optional | N/A | This argument accepts user-provided bootup NetScaler config that is applied as soon as the CPX is instantiated. Please note that this is not a dynamic config, and any subsequent changes to the configmap don't reflect in the CPX config unless the pod is restarted. For more info, please refer the [documentation](https://docs.netscaler.com/en-us/citrix-adc-cpx/current-release/configure-cpx-kubernetes-using-configmaps.html). | -| cpxShellCommands| Optional | N/A | This argument accepts user-provided bootup config that is applied as soon as the CPX is instantiated. Please note that this is not a dynamic config, and any subsequent changes to the configmap don't reflect in the CPX config unless the pod is restarted. For more info, please refer the [documentation](https://docs.netscaler.com/en-us/citrix-adc-cpx/current-release/configure-cpx-kubernetes-using-configmaps.html). | - -> **Note:** -> -> If Citrix ADM related information is not provided during installation, Citrix ADC CPX will come up with the default license. 
-
-Alternatively, you can define a YAML file with the values for the parameters and pass the values while installing the chart.
-
-For example:
- ```
- helm install citrix-cpx-with-ingress-controller citrix/citrix-cpx-with-ingress-controller -f values.yaml
- ```
-
-> **Tip:**
->
-> The [values.yaml](https://github.com/citrix/citrix-helm-charts/blob/master/citrix-cpx-with-ingress-controller/values.yaml) contains the default values of the parameters.
-
-## Uninstalling the Chart
-To uninstall/delete the ```my-release``` deployment:
- ```
- helm delete my-release
- ```
-
-## Related documentation
-
-- [Citrix ADC CPX Documentation](https://docs.citrix.com/en-us/citrix-adc-cpx/12-1/cpx-architecture-and-traffic-flow.html)
-- [Citrix ingress controller Documentation](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/)
-- [Citrix ingress controller GitHub](https://github.com/citrix/citrix-k8s-ingress-controller)
-- [BGP advertisement for External IPs with CPX](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/cpx-bgp-router.md)
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.35.6/app-readme.md b/charts/citrix/citrix-cpx-with-ingress-controller/1.35.6/app-readme.md
deleted file mode 100644
index ef45a3d907..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.35.6/app-readme.md
+++ /dev/null
@@ -1,5 +0,0 @@
-# Citrix ADC CPX with Citrix Ingress Controller running as sidecar.
-
-In a [Kubernetes](https://kubernetes.io/) or [OpenShift](https://www.openshift.com) cluster, you can deploy [Citrix ADC CPX](https://docs.citrix.com/en-us/citrix-adc-cpx) with Citrix ingress controller as a [sidecar](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/). The Citrix ADC CPX instance is used for load balancing the North-South traffic to the microservices in your cluster. And, the sidecar Citrix ingress controller configures the Citrix ADC CPX.
-
-This Chart bootstraps deployment of Citrix ADC CPX with Citrix Ingress Controller as sidecar.
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.35.6/questions.yml b/charts/citrix/citrix-cpx-with-ingress-controller/1.35.6/questions.yml
deleted file mode 100644
index 0c87144137..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.35.6/questions.yml
+++ /dev/null
@@ -1,211 +0,0 @@ -questions: -- variable: license.accept - required: true - default: "no" - type: enum - description: "Set to yes to accept the terms and conditions of the Citrix license." - label: Accept License - group: "Deployment Settings" - options: - - "yes" - - "no" -- variable: openshift - default: false - type: boolean - description: "openshift is set to true if charts are being deployed in OpenShift environment" - label: Openshift flag - group: "Deployment Settings" -- variable: nsNamespace - type: string - description: "Prefix for the resources on Citrix ADC" - label: Resource Prefix - group: "Deployment Settings" -- variable: ingressClass[0] - type: string - description: "ingressClass is the name of the Ingress Class" - label: Ingress Class - group: "Deployment Settings" -- variable: logLevel - default: "DEBUG" - type: enum - options: - - "TRACE" - - "DEBUG" - - "INFO" - - "WARNING" - - "ERROR" - description: "logLevel of Citrix Ingress Controller pod" - label: LogLevel - group: "Deployment Settings" -- variable: defaultSSLCert - type: string - description: "Secret containing the default ceritifcate for SSL vservers" - label: Default SSLCert - group: "ADC Settings" -- variable: logProxy - type: string - description: "Elasticsearch or Kafka or Zipkin endpoint for Citrix observability exporte" - label: LogProxy - group: "Deployment Settings" -- variable: http2ServerSide - default: "OFF" - type: enum - options: - - "ON" - - "OFF" - description: "Set to ON to enable HTTP2 for Citrix ADC service group configurations" - label: HTTP2 on ADC - group: "ADC Settings" -- variable: nodeSelector.key - type: string - label: NodeSelector Key - group: "Deployment Settings" -- variable: nodeSelector.value - type: string - label: NodeSelector Value - group: "Deployment Settings" - - -- variable: ADMSettings.licenseServerIP - type: string - label: ADM LicenseServerIP - group: "ADM Settings" -- variable: ADMSettings.licenseServerPort - default: 27000 - type: int - label: 
ADM LicenseServerPort - group: "ADM Settings" -- variable: ADMSettings.ADMIP - type: string - label: ADM IP - group: "ADM Settings" -- variable: ADMSettings.ADMFingerPrint - type: string - label: ADM FingerPrint - group: "ADM Settings" -- variable: ADMSettings.loginSecret - type: string - label: ADM Login Secret - group: "ADM Settings" -- variable: ADMSettings.bandWidthLicense - type: boolean - label: CPX Bandwidth License - group: "ADM Settings" -- variable: ADMSettings.bandWidth - type: int - label: CPX Bandwidth - group: "ADM Settings" -- variable: ADMSettings.vCPULicense - type: boolean - label: CPX vCPU License - group: "ADM Settings" -- variable: ADMSettings.cpxCores - type: int - label: CPX Cores - group: "ADM Settings" -- variable: cic.pullpolicy - default: "IfNotPresent" - type: enum - label: CIC Image Pullpolicy - group: "CIC/CPX Image Settings" - options: - - "Always" - - "IfNotPresent" - - "Never" -- variable: pullpolicy - default: "IfNotPresent" - type: enum - label: CPX Image Pullpolicy - group: "CIC/CPX Image Settings" - options: - - "Always" - - "IfNotPresent" - - "Never" -- variable: cic.image - default: "quay.io/citrix/citrix-k8s-ingress-controller:1.8.28" - type: string - label: CIC Image - group: "CIC/CPX Image Settings" -- variable: image - type: string - default: "quay.io/citrix/citrix-k8s-cpx-ingress:13.0-58.30" - label: CPX Image - group: "CIC/CPX Image Settings" -- variable: exporter.image - default: "quay.io/citrix/citrix-adc-metrics-exporter:1.4.5" - type: string - description: "Exporter Image to be used" - label: Exporter Image - group: "Exporter Settings" -- variable: exporter.pullPolicy - default: "IfNotPresent" - type: string - description: "Exporter Image pull policy" - label: Exporter Image PullPolicy - group: "Exporter Settings" -- variable: exporter.ports.containerPort - default: 8888 - type: int - label: Exporter ContainerPort - group: "Exporter Settings" -- variable: coeConfig.distributedTracing.enable - default: false - type: 
boolean - label: Enable distributedTracing - group: "COE Settings" -- variable: coeConfig.distributedTracing.samplingrate - default: 100 - type: int - label: COE Sampling Rate - group: "COE Settings" -- variable: coeConfig.endpoint.server - type: string - label: COE Endpoint Server - group: "COE Settings" -- variable: coeConfig.timeseries.port - default: 5563 - type: int - label: COE timeseries port - group: "COE Settings" -- variable: coeConfig.timeseries.metrics.enable - default: false - type: boolean - label: Enable timeseries metrics - group: "COE Settings" -- variable: coeConfig.timeseries.metrics.mode - default: 'avro' - type: string - label: COE timeseries metrics Mode - group: "COE Settings" -- variable: coeConfig.timeseries.auditlogs.enable - default: false - type: string - label: Enable timeseries auditlogs - group: "COE Settings" -- variable: coeConfig.timeseries.events.enable - default: false - type: string - label: Enable timeseries events - group: "COE Settings" -- variable: coeConfig.transactions.enable - default: false - type: string - label: Enable transactions - group: "COE Settings" -- variable: coeConfig.transactions.port - default: 5557 - type: int - label: COE transactions port - group: "COE Settings" -- variable: crds.install - default: true - type: boolean - description: "If set to true the charts will install CustomResourceDefinitions which are consumed by CIC." - label: CRD flag - group: "Deployment Settings" -- variable: crds.retainOnDelete - default: false - type: boolean - description: "Set this argument to true if you want to retain CustomResourceDefinitions even after uninstalling CIC. This will avoid data-loss of Custom Resource Objects created before uninstallation." - label: CRD retainOnDelete flag - group: "Deployment Settings" 
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.35.6/templates/NOTES.txt b/charts/citrix/citrix-cpx-with-ingress-controller/1.35.6/templates/NOTES.txt
deleted file mode 100644
index bccfdf69a4..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.35.6/templates/NOTES.txt
+++ /dev/null
@@ -1,14 +0,0 @@
-Thank you for installing {{ .Chart.Name }}.
-
-Your release is named {{ .Release.Name }}.
-
-
-To learn more about the release, try:
-
- $ helm status {{ .Release.Name }}
- $ helm get {{ .Release.Name }}
-
-
-To delete :
- helm delete {{ .Release.Name }}
-
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.35.6/templates/_helpers.tpl b/charts/citrix/citrix-cpx-with-ingress-controller/1.35.6/templates/_helpers.tpl
deleted file mode 100644
index 06e65215c7..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.35.6/templates/_helpers.tpl
+++ /dev/null
@@ -1,106 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Analytics Server IP or DNS -*/}} -{{- define "analytics.server" -}} -{{- if .Values.analyticsConfig.endpoint.server -}} -{{- printf .Values.analyticsConfig.endpoint.server -}} -{{- else -}} -{{- printf "analytics.%s.svc.cluster.local" .Release.Namespace -}} -{{- end -}} -{{- end -}} - - -{{- define "citrix-cpx-ingress-controller.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "citrix-cpx-ingress-controller.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{- define "cpxservice.fullname" -}} -{{- $name := default .Chart.Name "cpx-service" .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} - -{{- define "cpxexporter.fullname" -}} -{{- $name := default .Chart.Name "exporter" .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} - -{{- define "cpxservicemonitor.fullname" -}} -{{- $name := default .Chart.Name "citrix-adc-cpx-servicemonitor" .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- 
.Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} - -{{- define "cpxservicemonitorlabel" -}} -{{- $name := default .Chart.Name "citrix-adc-cpx-svcmon" .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} - -{{- define "cpxconfigmap.fullname" -}} -{{- $name := default .Chart.Name "cpx-cic-configmap" .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} - -{{- define "bootupconfigmap.fullname" -}} -{{- $name := default .Chart.Name "cpx-bootup-configmap" .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "citrix-cpx-ingress-controller.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create the name of the service account to use -*/}} -{{- define "citrix-cpx-ingress-controller.serviceAccountName" -}} -{{- if .Values.serviceAccount.create -}} - {{ default (include "citrix-cpx-ingress-controller.fullname" .) .Values.serviceAccount.name }} -{{- else -}} - {{ default "default" .Values.serviceAccount.name }} -{{- end -}} -{{- end -}} diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.35.6/templates/cic_crds.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.35.6/templates/cic_crds.yaml deleted file mode 100644 index 085d7d271d..0000000000 
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.35.6/templates/cic_crds.yaml
+++ /dev/null
@@ -1,2549 +0,0 @@ -{{- if .Values.crds.install }} -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: rewritepolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: rewritepolicy - plural: rewritepolicies - singular: rewritepolicy - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - rewrite-policies: - type: array - items: - type: object - properties: - servicenames: - description: 'Name of the services that needs to be binded to rewrite policy.' - type: array - items: - type: string - maxLength: 127 - goto-priority-expression: - description: 'Expression or other value specifying the next policy to be - evaluated if the current policy evaluates to TRUE. - Specify one of the following values: - * NEXT - Evaluate the policy with the next higher priority number. - * END - End policy evaluation. - Default value of goto-priority-expression: END' - type: string - maxLength: 1499 - logpackets: - type: object - description: 'Adds an audit message action. - The action specifies whether to log the message, and to which log.' 
- properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' - type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - rewrite-policy: - type: object - properties: - rewrite-criteria: - description: 'Expression against which traffic is evaluated.' - type: string - maxLength: 1299 - default-action: - description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). - An UNDEF event indicates an internal error condition.' - type: string - maxLength: 77 - enum: ['NOREWRITE', 'RESET', 'DROP'] - operation: - description: 'Type of user-defined rewrite action.' - type: string - enum: ["noop", "delete", "insert_http_header", "delete_http_header", - "corrupt_http_header", "insert_before", "insert_after", "replace", - "replace_http_res", "delete_all", "replace_all", "insert_before_all", - "insert_after_all", "clientless_vpn_encode", "clientless_vpn_encode_all", - "clientless_vpn_decode", "clientless_vpn_decode_all", "insert_sip_header", - "delete_sip_header", "corrupt_sip_header", "replace_sip_res", "replace_diameter_header_field", - "replace_dns_header_field", "replace_dns_answer_section"] - target: - description: 'Default syntax expression that specifies which part of the request or response to rewrite.' - type: string - maxLength: 1229 - modify-expression: - description: 'Default syntax expression that specifies the content to insert into the request - or response at the specified location, or that replaces the specified string.' - type: string - maxLength: 7991 - multiple-occurence-modify: - description: 'Search facility that is used to match multiple strings in the request or response.' 
- type: string - maxLength: 171 - additional-multiple-occurence-modify: - description: 'Specify additional criteria to refine the results of the search. - Always starts with the "extend(m,n)" operation, where "m" specifies number of bytes to the left of selected data - and "n" specifies number of bytes to the right of selected data. - You can use refineSearch only on body expressions, and only when rewrite-criteria is any one of this: - INSERT_BEFORE_ALL, INSERT_AFTER_ALL, REPLACE_ALL, and DELETE_ALL.' - type: string - maxLength: 1299 - direction: - description: 'Bind point to which to bind the policy.' - type: string - enum: ["REQUEST","RESPONSE"] - comment: - description: 'Any comments to preserve information about this rewrite policy.' - type: string - maxLength: 255 - required: [rewrite-criteria, operation, target, direction] - required: [rewrite-policy] - - responder-policies: - type: array - items: - type: object - properties: - servicenames: - description: 'Name of the services that needs to be binded to responder policy.' - type: array - items: - type: string - maxLength: 127 - goto-priority-expression: - description: 'Expression or other value specifying the next policy to be - evaluated if the current policy evaluates to TRUE. - Specify one of the following values: - * NEXT - Evaluate the policy with the next higher priority number. - * END - End policy evaluation. - Default value of goto-priority-expression: END' - type: string - maxLength: 1499 - logpackets: - type: object - description: 'Adds an audit message action. - The action specifies whether to log the message, and to which log.' - properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' 
- type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", - "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - responder-policy: - type: object - properties: - redirect: - type: object - description: 'Use this option when you want to Redirect the request when request matches to policy.' - properties: - url: - description: 'URL on which you want to redirect the request.' - type: string - maxLength: 7991 - redirect-status-code: - description: 'HTTP response status code, for example 200, 302, 404, etc.' - type: integer - minimum: 100 - maximum: 599 - redirect-reason: - description: 'Expression specifying the reason for redirecting the request.' - type: string - maxLength: 7991 - required: [url] - respondwith: - type: object - description: 'Use this parameter when you want to respond to the request when request matches to policy.' - properties: - http-payload-string: - description: 'Expression that you want to sent as response to the request.' - type: string - maxLength: 7991 - required: [http-payload-string] - noop: - type: string - description: 'Use this option when you want to send the request to the protected server instead of - responding to it when request matches to policy.' - properties: - target: - description: 'Default syntax expression that specifies to perform noop operation on' - type: string - maxLength: 1229 - reset: - type: string - description: 'Use this option when you want to Reset the client connection by closing it when request matches to policy.' - properties: - drop: - type: string - description: 'Use this option when you want to drop the request without sending a response to the user when request matches to policy.' - properties: - respond-criteria: - description: 'Default syntax expression that the policy uses to determine whether to respond to the specified request.' 
- type: string - maxLength: 1299 - default-action: - description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). - An UNDEF event indicates an internal error condition.' - type: string - maxLength: 77 - enum: ['NOOP', 'RESET', 'DROP'] - comment: - description: 'Any comments to preserve information about this responder policy.' - type: string - maxLength: 255 - required: [respond-criteria] - oneOf: [required: [redirect], required: [respondwith], required: [noop], required: [reset], required: [drop]] - required: [responder-policy] - - dataset: - type: array - items: - type: object - properties: - name: - description: 'Name of the dataset.' - type: string - maxLength: 32 - type: - description: 'Type of value to bind to the dataset.' - type: string - enum: ["ipv4", "number", "ipv6", "ulong", "double", "mac"] - comment: - description: 'Any comments to preserve information about this dataset.' - type: string - maxLength: 255 - values: - description: 'Value of the specified type that is associated with this dataset.' - type: array - items: - type: string - required: [name, type, values] - - patset: - type: array - items: - type: object - properties: - name: - description: 'Name of the Patset.' - type: string - maxLength: 32 - comment: - description: 'Any comments to preserve information about this patset.' - type: string - maxLength: 255 - values: - description: 'String of characters that constitutes a pattern and is associated with this patset.' - type: array - items: - type: string - required: [name, values] - - stringmap: - type: array - items: - type: object - properties: - name: - description: 'Name of the Stringmap.' - type: string - maxLength: 32 - comment: - description: 'Any comments to preserve information about this stringmap.' - type: string - maxLength: 255 - values: - description: 'List of (key,value) pairs to be bound to this string map.' 
- type: array - items: - type: object - properties: - key: - description: 'Character string constituting the key to be bound to this string map.' - type: string - maxLength: 2047 - value: - description: 'Character string constituting the value associated with the key.' - type: string - maxLength: 2047 - required: [name, values] - - httpcallout_policy: - type: array - items: - type: object - properties: - name: - description: 'httpcallout name' - type: string - maxLength: 32 - server_ip: - description: 'IP Address of the server(callout agent) to which the callout is sent.' - type: string - server_port: - description: 'Port of the server(callout agent) to which the callout is sent.' - type: integer - minimum: 1 - maximum: 65535 - http_method: - description: |+ - 'Method used in the HTTP request that this callout sends. - Default http method is GET' - type: string - enum: ['GET', 'POST'] - host_expr: - description: |+ - 'String expression to configure the Host header. Can contain a literal value - (for example, 10.101.10.11) or a derived value (for example, http.req.header("Host")). - The literal value can be an IP address or a fully qualified domain name. Mutually - exclusive with the full HTTP request expression.' - type: string - maxLength: 255 - url_stem_expr: - description: |+ - 'String expression for generating the URL stem. Can contain a literal string - (for example, "/mysite/index.html") or an expression that derives the value - (for example, http.req.url).' - type: string - maxLength: 8191 - headers: - type: array - description: |+ - 'One or more headers to insert into the HTTP request. Each header is represented by - name and expr, where expr is an expression that is evaluated at runtime to provide - the value for the named header. You can configure a maximum of eight headers for - an HTTP callout.' 
- items: - type: object - properties: - name: - description: 'header name' - type: string - expr: - description: 'header expression' - type: string - parameters: - type: array - description: |+ - 'One or more query parameters to insert into the HTTP request URL (for a GET request) - or into the request body (for a POST request). Each parameter is represented by - name and expr, where expr is an expression that is evaluated at run time to provide - the value for the named parameter (name=value). The parameter values are URL encoded.' - items: - type: object - properties: - name: - description: 'parameter name' - type: string - expr: - description: 'parameter expression' - type: string - body_expr: - description: |+ - 'An advanced string expression for generating the body of the request. - The expression can contain a literal string or an expression that derives - the value (for example, client.ip.src).' - type: string - full_req_expr: - description: |+ - 'Exact HTTP request, in the form of an expression, which the Citrix ADC sends - to the callout agent. The request expression is constrained by the feature - for which the callout is used. For example, an HTTP.RES expression cannot be - used in a request-time policy bank or in a TCP content switching policy bank.' - type: string - scheme: - description: |+ - 'Type of scheme for the callout server. - Default scheme is HTTP' - type: string - enum: ['HTTP', 'HTTPS'] - cache_for_secs: - description: |+ - 'Duration, in seconds, for which the callout response is cached. - The cached responses are stored in an integrated caching content - group named "calloutContentGroup". If no duration is configured, - the callout responses will not be cached unless normal caching - configuration is used to cache them. This parameter takes precedence over any - normal caching configuration that would otherwise apply to these responses.' 
- type: integer - minimum: 1 - maximum: 31536000 - return_type: - description: |+ - 'Type of data that the target callout agent returns in response to the callout - Available settings function as follows: - * TEXT - Treat the returned value as a text string. - * NUM - Treat the returned value as a number. - * BOOL - Treat the returned value as a Boolean value.' - type: string - enum: ['TEXT', 'NUM', 'BOOL'] - result_expr: - description: |+ - 'Expression that extracts the callout results from the response sent by the HTTP callout - agent. Must be a response based expression, that is, it must begin with HTTP.RES. The - operations in this expression must match the return type. For example, if you configure - a return type of TEXT, the result expression must be a text based expression. If the - return type is NUM, the result expression (resultExpr) must return a numeric value, - as in the following example: http.res.body(10000).length.' - type: string - maxLength: 8191 - comment: - description: 'Any comments to preserve information about this HTTP callout.' 
- type: string - maxLength: 255 - allOf: - - properties: - required: [name, server_ip, server_port] - - properties: - oneOf: - - properties: - required: [full_req_expr] - - properties: - anyOf: - - properties: - required: [http_method] - - properties: - required: [host_expr] - - properties: - required: [url_stem_expr] - - properties: - required: [headers] - - properties: - required: [parameters] - - properties: - required: [body_expr] - anyOf: [required: [rewrite-policies], required: [responder-policies]] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: ratelimits.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: ratelimit - plural: ratelimits - singular: ratelimit - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the ratelimit policies are applied.' - type: array - items: - type: string - maxLength: 127 - selector_keys: - type: object - description: 'Traffic match criteria to which apply above rate-limit/throttling. All keys are applied as AND condition. 
If no keys are specified, rate-limit applies at service level' - properties: - basic: - type: object - description: "Basic traffic stream selection criteria to which to apply the ratelimit" - properties: - path: - type: array - description: "api resource path prefix match. e.g. /api/v1/products" - items: - type: string - method: - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT','PATCH', 'UNKNOWN_METHOD'] - header_name: - description: "HTTP header that identifies the unique API client for e.g. X-apikey" - type: string - per_client_ip: - description: "Setting this applies the throttling limit to each unique Client IP address accessing the API resource" - type: boolean - req_threshold: - description: 'Max requests per timeslice units to be allowed' - type: integer - timeslice: - description: 'Timeslice in miliseconds in multiple of 10. Defaults to 1000 miliseconds' - type: integer - limittype: - description: "Burst mode or smooth. Defaults to smooth limittype if not specified" - type: string - enum: ['BURSTY','SMOOTH'] - throttle_action: - type: string - enum: ['DROP', 'RESET','REDIRECT', 'RESPOND'] - description: "Drop will drop the requests exceeding limits, RESET will reset the client connection, Redirect will redirect to specified URL, respond will respond with 429 'Exceeded allowed rate of requests'" - redirect_url: - type: string - description: "Redirect-URL" - logpackets: - type: object - description: 'Adds an audit message action. The action specifies whether to log the message, and to which log.' - properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' 
- type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - required: [req_threshold] ---- -#Sample CRD instance - -#apiVersion: citrix.com/v1 -#description: VIP for apache service -#kind: vip -#metadata: -# name: service-apache -# namespace: default -#spec: -# description: VIP for the apache Service -# ipaddress: 10.99.98.90 -# kind: service -# name: apache - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: vips.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: vip - plural: vips - singular: vip - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - additionalPrinterColumns: - - jsonPath: .spec.ipaddress - name: VIP - type: string - - name: Age - type: date - jsonPath: .metadata.creationTimestamp - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - ipaddress: - type: string - name: - type: string - kind: - type: string - enum: ["service", "ingress"] - description: - type: string - range-name: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: authpolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: authpolicy - plural: authpolicies - singular: authpolicy - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: 'Current Status of the CRD' - jsonPath: .status.state - - name: Message - type: string - description: 'Status Message' - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: 
string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: |+ - 'Name of the services for which the policies applied' - type: array - items: - type: string - maxLength: 63 - authentication_mechanism: - type: object - description: |+ - 'Authentication mechanism. Options: using forms or using request header. - Default is Authentication using request header, when no option is specified' - properties: - using_request_header: - description: |+ - 'Enable user authentication using request header. Use when the credentials - or api keys are passed in a header. For example, when using Basic, Digest, - Bearer authentication or api keys. - When authentication using forms is provided, this is set to OFF' - - type: string - using_forms: - type: object - description: 'Enables authentication using forms. Use with user/web authentication.' - properties: - authentication_host: - description: |+ - 'Fully qualified domain name (FQDN) for authentication. - This FQDN should be unique and should resolve to frontend IP of - ADC with Ingress/service type LoadBalancer (or) vip of Listener CRD' - type: string - maxLength: 255 - authentication_host_cert: - description: |+ - 'Name of the SSL certificate to be used with authentication_host. 
- This certificate is mandatory while using_forms' - type: object - properties: - tls_secret: - type: string - description: 'Name of the Kubernetes Secret of type tls referring to Certificate' - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - preconfigured: - type: string - maxLength: 63 - description: |+ - 'Preconfigured SSL certkey name on ADC with the - certificate and key already added on ADC' - oneOf: - - properties: - required: [tls_secret] - - properties: - required: [preconfigured] - ingress_name: - description: |+ - 'Ingress name for which the authentication using forms - is applicable.' - type: string - maxLength: 63 - lb_service_name: - description: |+ - 'Service of type LoadBalancer for which the authentication using forms - is applicable.' - type: string - maxLength: 63 - listener_name: - description: |+ - 'Listener CRD name for which the authentication using forms is applicable.' - type: string - maxLength: 63 - vip: - description: |+ - 'Frontend IP of ingress for which the authentication - using forms is applicable. This refers to frontend-ip provided - with Ingress. It is suggested to use vip, if more than one Ingress - resource use the same frontend-ip' - type: string - required: [authentication_host, authentication_host_cert] - oneOf: - - properties: - required: [ingress_name] - - properties: - required: [lb_service_name] - - properties: - required: [listener_name] - - properties: - required: [vip] - oneOf: - - properties: - using_request_header: - enum: ['ON'] - required: [using_request_header] - - properties: - required: [using_forms] - - authentication_providers: - description: |+ - 'Authentication Configuration for required authentication providers/schemes. 
- One or more of these can be created' - type: array - items: - description: 'Create config for a single authentication provider of a particular type' - type: object - properties: - name: - description: 'Name for this provider, has to be unique, referenced by authentication policies' - type: string - maxLength: 127 - - oauth: - description: 'Authentication provided by external oAuth provider' - type: object - properties: - issuer: - description: 'Identity of the server whose tokens are to be accepted' - type: string - maxLength: 127 - audience: - description: 'Audience for which token sent by Authorization server is applicable' - type: array - items: - type: string - maxLength: 127 - jwks_uri: - description: |+ - 'URL of the endpoint that contains JWKs (Json Web Key) for - JWT (Json Web Token) verification' - type: string - maxLength: 127 - introspect_url: - description: ' URL of the introspection server' - type: string - maxLength: 127 - client_credentials: - description: |+ - 'secrets object that contains Client Id and secret as known - to Introspection server' - type: string - maxLength: 253 - token_in_hdr: - description: |+ - 'custom header name where token is present, - default is Authorization header' - type: array - items: - type: string - maxLength: 127 - maxItems: 2 - token_in_param: - description: 'query parameter name where token is present' - type: array - items: - type: string - maxLength: 127 - maxItems: 2 - signature_algorithms: - description: 'list of allowed signature algorithms, by default HS256, RS256, RS512 are allowed' - type: array - items: - type: string - enum: ['HS256', 'RS256', 'RS512'] - claims_to_save: - description: 'list of claims to be saved, used to create authorization policies' - type: array - items: - type: string - maxLength: 127 - metadata_url: - description: 'URL used to get OAUTH/OIDC provider metadata' - type: string - maxLength: 255 - user_field: - description: |+ - 'Attribute in the token from which username should be 
extracted. - by default, ADC looks at email attribute for user id' - type: string - maxLength: 127 - default_group: - description: |+ - 'group assigned to the request if authentication succeeds, - this is in addition to any extracted groups from token' - type: string - maxLength: 63 - grant_type: - description: 'used to specify the type of flow to the token end point, defaults to CODE' - type: array - items: - type: string - enum: ['CODE','PASSWORD'] - pkce: - description: 'specify whether to enable Proof Key Code Exchange, defaults to ENABLED' - type: string - enum: ['ENABLED', 'DISABLED'] - token_ep_auth_method: - description: |+ - 'authentication method to be used with token end point, - defaults to client_secret_post' - type: string - enum: ['client_secret_post', 'client_secret_jwt'] - - anyOf: - - properties: - required : [jwks_uri] - - properties: - required : [introspect_url, client_credentials] - - properties: - required : [metadata_url] - - ldap: - description: 'LDAP authentication provider' - type: object - properties: - server_ip: - description: 'IP address assigned to the LDAP server' - type: string - server_name: - description: 'LDAP server name as a FQDN' - type: string - maxLength: 127 - server_port: - description: 'Port on which the LDAP server accepts connections. Default is 389' - type: integer - minimum: 1 - maximum: 65535 - base: - description: |+ - 'Base (node) from which to start LDAP searches. If the LDAP server is - running locally, the default value of base is dc=netscaler, dc=com' - type: string - maxLength: 127 - server_login_credentials: - description: |+ - 'Kubernetes secret object providing credentials to login to LDAP server, - The secret data should have username and password' - type: string - login_name: - description: |+ - 'LDAP login name attribute. 
The Citrix ADC uses the LDAP login name - to query external LDAP servers or Active Directories' - type: string - maxLength: 127 - security_type: - description: |+ - 'Type of security used for communications between the Citrix ADC - and the LDAP server. Default is TLS' - type: string - enum: ['PLAINTEXT', 'TLS', 'SSL'] - validate_server_cert: - description: 'Validate LDAP Server certs. Default is NO' - type: string - enum: ['YES', 'NO'] - hostname: - description: |+ - 'Hostname for the LDAP server. If validate_server_cert is ON, - this must be the host name on the certificate from the LDAP - A hostname mismatch will cause a connection failure' - type: string - maxLength: 127 - sub_attribute_name: - description: 'LDAP group sub-attribute name. Used for group extraction from the LDAP server.' - type: string - maxLength: 31 - group_attribute_name: - description: 'LDAP group attribute name. Used for group extraction on the LDAP server.' - type: string - maxLength: 31 - search_filter: - description: |+ - 'String to be combined with the default LDAP user search string to form the - search value. For example, if the search filter "vpnallowed=true" is combined - with the LDAP login name "samaccount" and the user-supplied username is "bob", - the result is the LDAP search string ""(&(vpnallowed=true)(samaccount=bob)"" - (Be sure to enclose the search string in two sets of double quotation marks)' - type: string - maxLength: 255 - auth_timeout: - description: |+ - 'Number of seconds the Citrix ADC waits for a response from the server - Default is 3' - type: integer - minimum: 1 - maximum: 4294967295 - password_change: - description: 'Allow password change requests. 
Default is DISABLED' - type: string - enum: ['ENABLED', 'DISABLED'] - attributes_to_save: - description: |+ - 'List of attribute names separated by comma which needs to be fetched - from LDAP server and stored as key-value pair for the session on ADC' - type: string - maxLength: 2047 - oneOf: - - properties: - required: [server_ip] - - properties: - required: [server_name] - - saml: - description: |+ - 'SAML authentication provider. - Currently SAML is supported only with authentication mechanism using forms' - type: object - properties: - metadata_url: - description: 'URL is used for obtaining saml metadata.' - type: string - maxLength: 255 - metadata_refresh_interval: - description: |+ - 'Interval in minutes for fetching metadata from specified metadata URL. - Default is 36000' - type: integer - minimum: 1 - maximum: 4294967295 - signing_cert: - description: 'SSL certificate to sign requests from SP to IDP' - type: object - properties: - tls_secret: - type: string - description: 'Name of the Kubernetes Secret of type tls referring to Certificate' - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - preconfigured: - type: string - maxLength: 63 - description: |+ - 'Preconfigured SSL certkey name on ADC with the - certificate and key already added on ADC' - oneOf: - - properties: - required: [tls_secret] - - properties: - required: [preconfigured] - audience: - description: 'Audience for which assertion sent by IdP is applicable' - type: string - maxLength: 127 - issuer_name: - description: 'The name to be used in requests sent from SP to IDP to identify citrix ADC' - type: string - maxLength: 63 - binding: - description: 'Specifies the transport mechanism of saml message. Default is POST' - type: string - enum: ['REDIRECT', 'POST', 'ARTIFACT'] - artifact_resolution_service_url: - description: 'URL of the Artifact Resolution Service on IdP' - type: string - maxLength: 255 - logout_binding: - description: 'Specifies the transport mechanism of saml logout. 
Default is POST' - type: string - enum: ['REDIRECT', 'POST'] - reject_unsigned_assertion: - description: |+ - 'Reject unsigned SAML assertions. ON, rejects assertion without signature. - STRICT ensure that both Response and Assertion are signed. Default is ON' - type: string - enum: ['ON', 'OFF', 'STRICT'] - user_field: - description: 'SAML user ID, as given in the SAML assertion' - type: string - maxLength: 63 - default_authentication_group: - description: |+ - 'This is the default group that is chosen when the authentication - succeeds in addition to extracted groups' - type: string - maxLength: 63 - skew_time: - description: |+ - 'Allowed clock skew in number of minutes on an incoming assertion. - Default is 5' - type: integer - minimum: 1 - attributes_to_save: - description: |+ - 'List of attribute names separated by comma which needs to be extracted - and stored as key-value pair for the session on ADC' - type: string - maxLength: 2047 - required: - - metadata_url - - basic_local_db: - type: object - description: |+ - 'Basic HTTP authentication supported by ADC, user data in local DB of ADC. - Users needs to be added on ADC' - properties: - use_local_auth: - description: 'Use ADC authentication' - type: string - enum: ['YES'] - - required: - - name - - authentication_policies: - description: 'Authentication policies' - type: array - items: - type: object - description: 'Authentication policy' - properties: - resource: - type: object - description: 'endpoint/resource selection criteria' - properties: - path: - description: 'api resource path e.g. /products. 
' - type: array - items: - type: string - maxLength: 511 - method: - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT','PATCH', 'UNKNOWN_METHOD'] - required: - - path - expression: - description: 'ADC syntax expression for authentication' - type: string - maxLength: 1229 - provider: - description: 'name of the authentication provider for the policy, empty if no authentication required' - type: array - items: - type: string - maxLength: 127 - maxItems: 1 - oneOf: - - required: [resource, provider] - - required: [expression, provider] - - authorization_policies: - description: 'Authorization policies' - type: array - items: - type: object - description: 'Authorization policy' - properties: - resource: - type: object - description: 'endpoint/resource selection criteria' - properties: - path: - description: 'api resource path e.g. /products. ' - type: array - items: - type: string - maxLength: 511 - method: - description: ' http method' - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT','PATCH', 'UNKNOWN_METHOD'] - claims: - description: 'authorization scopes required for selected resource saved as claims or attributes' - type: array - items: - type: object - properties: - name: - description: 'name of the claim/attribute to check' - type: string - maxLength: 127 - values: - description: 'list of claim values required for the request' - type: array - items: - type: string - maxLength: 127 - minItems: 1 - required: - - name - - values - required: - - claims - expression: - description: 'ADC syntax expression for authorization' - type: string - maxLength: 1229 - oneOf: - - required: [resource] - - required: [expression] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: listeners.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - 
group: citrix.com - names: - kind: Listener - plural: listeners - singular: listener - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - required: [spec] - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - required: [protocol] - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - protocol: - type: string - enum: ["https", "http"] - description: "Protocol for this listener" - vip: - type: string - description: "VIP address, Optional for CPX, required for Tier-1 deployments" - secondaryVips: - type: array - description: "An array of Secondary VIPs. All the VIPs will be part of an ipset" - minItems: 1 - items: - type: string - redirectPort: - type: integer - minimum: 1 - maximum: 65535 - description: "Port from which http traffic should be redirected to https" - port: - type: integer - minimum: 1 - maximum: 65535 - certificates: - type: array - description: "certificates attached to the endpoints - Not applicable for HTTP" - minItems: 1 - items: - type: object - properties: - preconfigured: - type: string - description: "Preconfigured Certificate name on ADC " - secret: - type: object - description: "Kuberentes secret object" - required: [name] - properties: - name: - type: string - description: "name of the Kubernetes Secret object where Cert is located" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - namespace: - type: string - description: "Namespace of the kubernetes secret object; Default is same namespace where the Listener object is located" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - default: - type: boolean - description: "Only one of the certificate can be marked as default which will be presented if none of 
the cert matches with the hostname" - oneOf: - - required: ["preconfigured"] - - required: ["secret"] - policies: - type: object - description: "Policies attached to the Listener" - properties: - httpprofile: - type: object - description: "HTTP profile configurations for the Listener, HTTP level configurations" - properties: - preconfigured: - type: string - description: "Preconfigured or Built-in HTTP profile name" - config: - type: object - description: "HTTP profile configuration for the listener. For individual fields, refer:https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ns/nshttpprofile/nshttpprofile/ Name field is auto populated" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - tcpprofile: - type: object - description: "TCP level configurations, uses ns tcpprofile of citrix ADC" - properties: - preconfigured: - description: "Preconfigured or Built-in TCP profile name" - type: string - config: - type: object - description: "TCPprofile configurations for the listener. For individual fields refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ns/nstcpprofile/ ; Name field is auto populated" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - csvserverConfig: - type: object - description: "CS Vserver configuration for the listener" - additionalProperties: - type: string - sslprofile: - type: object - description: "SSL profile configuration" - properties: - preconfigured: - type: string - description: "SSL profile which is preconfigured in ADC. Ciphers bound to the profile is not overriden" - config: - description: "Citrix ADC frontend SSL profile configurations. 
Refer:https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ssl/sslprofile/ for all configurations; Name field is auto generated" - type: object - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - sslciphers: - type: array - description: "List of ciphers to be bound to the ssl profile for the listener. Priority is as per the order in the list. A cipher suite, predefined cipher group or User created cipher group can be mentioned" - minItems: 1 - items: - type: string - description: "Cipher suite, cipher group name" - analyticsprofile: - type: object - description: "Analytics profile configuration" - properties: - preconfigured: - type: array - description: "Preconfigured Analytics profile that needs to be bound to the vserver" - minItems: 1 - items: - type: string - description: "Name of the analytics profile preconfigured that will be bound to the Vserver" - config: - type: array - description: "An array of analytics to be enabled" - minItems: 1 - items: - type: object - description: "Anlytics to be enabled" - required: ['type'] - properties: - type: - description: "Analytics profile to be enabled, you can enable one or more of the webinsight, tcpinsight, securityinsight, videoinsight, hdxinsight, gatewayinsight, timeseries, lsninsight, botinsight " - type: string - enum: ["webinsight", "tcpinsight", "securityinsight", "videoinsight", "hdxinsight", "gatewayinsight", "timeseries", "lsninsight", "botinsight"] - parameters: - type: object - description: "Additional parameters for analytics profile. 
Please refer:https://developer-docs.citrix.com/projects/citrix-adc-nitro-api-reference/en/latest/configuration/analytics/analyticsprofile/" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - routes: - type: array - description: "List of route objects attached to the listener" - minItems: 1 - items: - type: object - properties: - name: - type: string - description: "Name of the HTTPRoute object" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - namespace: - type: string - description: "Namespace of the HTTPRoute object" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - labelSelector: - description: "Labels key value pair, if the route carries the same labels, it is automatically attached" - type: object - additionalProperties: - type: string - oneOf: - - required: [name, namespace] - - required: [labelSelector] - defaultAction: - type: object - description: "Default action for the listener: One of Backend or Redirect" - properties: - backend: - type: object - oneOf: - - required: [kube] - properties: - kube: - type: object - required: [service, port] - properties: - service: - description: "Name of the backend service" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - port: - description: "Service port" - type: integer - minimum: 1 - maximum: 65535 - namespace: - description: "Service namespace" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - backendConfig: - description: "General backend service options" - type: object - properties: - secure_backend: - description: "Use Secure communications to the backends" - type: boolean - lbConfig: - description: "Citrix ADC LB vserver configurations for the backend. 
Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/load-balancing/lbvserver/lbvserver/ for all configurations" - type: object - additionalProperties: - type: string - servicegroupConfig: - description: "Citrix ADC service group configurations for the backend; Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/basic/servicegroup/servicegroup/ for all configurations" - type: object - additionalProperties: - type: string - redirect: - type: object - oneOf: - - required: [targetExpression] - - required: [hostRedirect] - - required: [httpsRedirect] - properties: - httpsRedirect: - description: "Change the scheme from http to https keeping URL intact" - type: boolean - hostRedirect: - description: "Host name specified is used for redirection with URL intact" - type: string - targetExpression: - description: "A target can be specified using Citrix ADC policy expression" - type: string - responseCode: - description: "Default response code is 302, which can be customised using this attribute" - type: integer - minimum: 100 - maximum: 599 - oneOf: - - required: ["backend"] - - required: ["redirect"] - subresources: - # status enables the status subresource. 
- status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: httproutes.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: HTTPRoute - plural: httproutes - singular: httproute - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - required: [rules] - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - hostname: - type: array - description: "List of domain names that share the same route, default is '*'" - minItems: 1 - items: - type: string - description: "Domain name" - rules: - type: array - description: "List Content routing rules with an action defined" - minItems: 1 - items: - type: object - required: [name, action] - properties: - name: - type: string - description: "A name to represent the rule, this is used as an identifier in content routing policy name in ADC" - minLength: 1 - maxLength: 20 - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - match: - type: array - description: "List of rules with same action" - minItems: 1 - items: - type: object - anyOf: - - required: [path] - - required: [headers] - - required: [cookies] - - required: [queryParams] - - required: [method] - - required: [policyExpression] - properties: - path: - type: object - description: "URL Path based content routing" - properties: - prefix: - type: string - description: "URL path matches the prefix expression" - exact: - type: string - description: "URL Path must match exact path" - regex: - type: string - description: "PCRE based 
regex expression for path matching" - headers: - type: array - description: "List of header for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Header details for content routing, Check for existence of a header or header name-value match" - properties: - headerName: - type: object - description: "Header name based content routing, Here existence of header is used for routing" - properties: - exact: - type: string - description: "Header Name - treated as exact must exist" - contains: - type: string - description: "Header Name - A header must exist that contain the string the name" - regex: - type: string - description: "header Name - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e header name must not exist" - oneOf: - - required: [exact] - - required: [contains] - - required: [regex] - headerValue: - type: object - description: "Header Name and Value based match" - properties: - name: - type: string - description: "Header name that must match the value" - exact: - type: string - description: "Header value - treated as exact" - contains: - type: string - description: "Header value - treated as contains" - regex: - type: string - description: "header value - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e header if present must not match the value" - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - queryParams: - type: array - description: "List of Query parameters for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Query parameters Name and Value based match" - properties: - name: - type: string - description: "Query name that must match the value. 
If no value is specified, matches with any value" - exact: - type: string - description: "Query value - Exact match" - contains: - type: string - description: "Query value - value must have the string(substring)" - regex: - type: string - description: "Query value - Value must match this regex patterm" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e query if present must not match the value" - anyOf: - - required: [name] - - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - cookies: - type: array - description: "List of Cookie params for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Cookie based routing" - properties: - name: - type: string - description: "cookie name that must match the value. If no value specified, it matches with any value" - exact: - type: string - description: "cookie value - treated as exact" - contains: - type: string - description: "cookie value - treated as substring" - regex: - type: string - description: "cookie value - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. 
I.e cookie if present must not match the value" - anyOf: - - required: [name] - - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - method: - type: string - description: "HTTP method for content routing eg: POST, PUT, DELETE etc" - policyExpression: - type: string - description: "Citrix ADC policy expressions; refer: https://docs.citrix.com/en-us/netscaler/media/expression-prefix.pdf" - action: - type: object - description: "Action for the matched rule" - properties: - backend: - type: object - oneOf: - - required: [kube] - properties: - kube: - type: object - required: [service, port] - properties: - service: - description: "Name of the backend service" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - port: - description: "Service port" - type: integer - minimum: 1 - maximum: 65535 - backendConfig: - type: object - description: "General backend service options" - properties: - secureBackend: - description: "Use Secure communications to the backends" - type: boolean - lbConfig: - description: "Citrix ADC LB vserver configurations for the backend. 
Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/load-balancing/lbvserver/lbvserver/ for all configurations" - type: object - additionalProperties: - type: string - servicegroupConfig: - description: "Citrix ADC service group configurations for the backend; Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/basic/servicegroup/servicegroup/ for all configurations" - type: object - additionalProperties: - type: string - redirect: - type: object - oneOf: - - required: [targetExpression] - - required: [hostRedirect] - - required: [httpsRedirect] - properties: - httpsRedirect: - description: "Change the scheme from http to https keeping URL intact" - type: boolean - hostRedirect: - description: "Host name specified is used for redirection with URL intact" - type: string - targetExpression: - description: "A target can be specified using Citrix ADC policy expression" - type: string - responseCode: - description: "Default response code is 302, which can be customised using this attribute" - type: integer - minimum: 100 - maximum: 599 - oneOf: - - required: ["backend"] - - required: ["redirect"] - subresources: - # status enables the status subresource. - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - # name must match the spec fields below, and be in the form: . 
- name: continuousdeployments.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: continuousdeployment - plural: continuousdeployments - singular: continuousdeployment - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - cronSpec: - type: integer - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: wafs.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: waf - plural: wafs - singular: waf - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the waf policies are applied.' 
- type: array - items: - type: string - maxLength: 127 - application_type: - description: 'Type of applications to protect' - type: array - items: - type: string - enum: ['HTML', 'JSON', 'XML'] - signatures: - description: 'Location of external signature file' - type: string - redirect_url: - description: 'When a URL is blocked/down, redirect_url represents the alternate URL where the client requests should be sent.' - type: string - html_error_object: - description: 'Location of customized error page to respond when html or common violation are hit' - type: string - xml_error_object: - description: 'Location of customized error page to respond when xml violations are hit' - type: string - json_error_object: - description: 'Location of customized error page to respond when json violations are hit' - type: string - ip_reputation: - type: object - x-kubernetes-preserve-unknown-fields: true - description: 'Enabling IP reputation feature' - target: - description: 'To control what traffic to be inspected by Web Application Firewall. 
If you do not provide the target, everything will be inspected by default' - type: object - properties: - path: - type: array - description: "List of http urls to inspect" - items: - type: string - description: "URL path" - method: - type: array - description: "List of http methods to inspect" - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT','PATCH', 'UNKNOWN_METHOD'] - header: - type: array - description: "List of http headers to inspect" - items: - type: string - description: "header name" - security_checks: - description: 'To enable/disable application firewall security checks' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true - settings: - description: 'To fine tune application firewall security checks default settings' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true - relaxations: - description: 'Section which contains relaxation rules for known traffic and false positives' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true - enforcements: - description: 'Section which contains enforcement or restriction rules' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - 
x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: bots.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: bot - plural: bots - singular: bot - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the bot policies are applied.' - type: array - items: - type: string - maxLength: 127 - signatures: - description: 'Location of external bot signature file' - type: string - redirect_url: - description: 'url to redirect when bot violation is hit' - type: string - target: - description: 'To control what traffic to be inspected by BOT. 
If you do not provide the target, everything will be inspected by default' - type: object - properties: - path: - type: array - description: "List of http urls to inspect" - items: - type: string - description: "URL path" - method: - type: array - description: "List of http methods to inspect" - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT','PATCH', 'UNKNOWN_METHOD'] - header: - type: array - description: "List of http headers to inspect" - items: - type: string - description: "header name" - security_checks: - description: 'To enable/disable bot ecurity checks' - type: object - properties: - allow_list: - type: string - enum: ['ON', 'OFF'] - block_list: - type: string - enum: ['ON', 'OFF'] - device_fingerprint: - type: string - enum: ['ON', 'OFF'] - device_fingerprint_action: - type: object - x-kubernetes-preserve-unknown-fields: true - headless_browser: - type: string - enum: ['ON','OFF'] - reputation: - type: string - enum: ['ON', 'OFF'] - ratelimit: - type: string - enum: ['ON', 'OFF'] - tps: - type: string - enum: ['ON', 'OFF'] - trap: - type: object - x-kubernetes-preserve-unknown-fields: true - bindings: - description: 'Section which contains binding rules for bot security checks' - type: object - properties: - allow_list: - type: array - items: - type: object - properties: - subnet: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - ipv6: - type: object - x-kubernetes-preserve-unknown-fields: true - ipv6_subnet: - type: object - x-kubernetes-preserve-unknown-fields: true - expression: - type: object - x-kubernetes-preserve-unknown-fields: true - - block_list: - type: array - items: - type: object - properties: - subnet: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - ipv6: - type: object - x-kubernetes-preserve-unknown-fields: true - ipv6_subnet: - 
type: object - x-kubernetes-preserve-unknown-fields: true - expression: - type: object - x-kubernetes-preserve-unknown-fields: true - ratelimit: - type: array - items: - type: object - properties: - url: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - cookie: - type: object - x-kubernetes-preserve-unknown-fields: true - geolocation: - type: object - x-kubernetes-preserve-unknown-fields: true - reputation: - type: object - x-kubernetes-preserve-unknown-fields: true - captcha: - type: array - items: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - logexp: - type: array - items: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - kbmexpr: - type: array - items: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - tps: - type: object - properties: - geolocation: - type: object - x-kubernetes-preserve-unknown-fields: true - host: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - url: - type: object - x-kubernetes-preserve-unknown-fields: true - trapinsertion: - type: object - x-kubernetes-preserve-unknown-fields: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: apigatewaypolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: apigatewaypolicy - plural: apigatewaypolicies - singular: apigatewaypolicy - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - subresources: - status: {} - schema: - openAPIV3Schema: - type: object - required: 
[spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - api_definition: - type: object - properties: - repository: - type: string - branch: - type: string - oas_secret_ref: - type: string - files: - type: array - items: - type: string - maxLength: 127 - api_proxy: - type: object - properties: - ipaddress: - type: string - port: - type: integer - protocol: - type: string - secret: - type: string - policies: - type: array - items: - type: object - properties: - name: - type: string - selector: - type: array - items: - type: object - properties: - tags: - type: array - items: - type: string - api: - type: string - method: - type: array - items: - type: string - maxLength: 127 - upstream: - type: object - properties: - service: - type: string - port: - type: integer - policy_bindings: - type: object - properties: - ratelimit: - type: object - properties: - name: - type: string - waf: - type: object - properties: - name: - type: string - rewritepolicy: - type: object - properties: - name: - type: string - bot: - type: object - properties: - name: - type: string - aaa: - type: array - items: - type: object - properties: - crd_name: - type: string - mappings: - type: array - items: - type: object - properties: - petstore_auth: - type: string - api_key: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: corspolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: corspolicy - plural: corspolicies - singular: corspolicy - shortNames: - - cp - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: 'Current Status of the CRD' - jsonPath: .status.state - - name: Message - type: string - 
description: 'Status Message' - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'The list of Kubernetes services to which you want to apply the cors policies.' - type: array - items: - type: string - maxLength: 63 - allow_origin: - description: 'Represents list of allowed origins, it is used to screen the “origin” in the cors pre flight request' - type: array - items: - type: string - maxLength: 2083 - allow_methods: - description: 'Indicates which methods are supported by the response’s URL for the purposes of the CORS protocol. This variable will be used to set Access-Control-Allow-Methods in the pre-flight cors response.' - type: array - items: - type: string - maxLength: 127 - allow_headers: - description: 'Indicates which headers are supported by the response’s URL for the purposes of the CORS protocol. This variable will be used to set Access-Control-Allow-Headers in the pre-flight cors response.' - type: array - items: - type: string - maxLength: 127 - max_age: - description: 'Indicates the number of seconds (5 by default) the information provided by the `Access-Control-Allow-Methods` and `Access-Control-Allow-Headers` headers can be cached. This variable will be used to set Access-Control-Max-Age in the pre-flight cors response.' - type: integer - allow_credentials: - description: 'Indicates whether the response can be shared when the request’s credentials mode is "include". This variable will be set to Access-Control-Allow-Credentials in the rewrite action.' 
- type: boolean - required: [servicenames, allow_origin, allow_methods, allow_headers] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: appqoepolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: appqoepolicy - plural: appqoepolicies - singular: appqoepolicy - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - appqoe-policies: - type: array - items: - type: object - properties: - servicenames: - description: 'Name of the services that needs to be binded to appqoe policy.' - type: array - items: - type: string - maxLength: 127 - appqoe-policy: - type: object - properties: - operation-retry: - type: object - properties: - on-reset: - description: "To set Retry on Connection Reset or Not" - type: string - enum: ['YES','NO'] - on-timeout: - description: "Time in milliseconds for retry" - type: integer - minimum: 30 - maximum: 2000 - number-of-retries: - description: "To set number of retries" - type: integer - minimum: 1 - maximum: 7 - required: [operation-retry] - appqoe-criteria: - description: 'Expression against which traffic is evaluated.' - type: string - maxLength: 1299 - direction: - description: 'Bind point to which to bind the policy.' 
- type: string - enum: ["REQUEST","RESPONSE"] - required: [appqoe-criteria, operation-retry] - required: [appqoe-policy] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: wildcarddnsentries.citrix.com -spec: - group: citrix.com - names: - kind: wildcarddnsentry - plural: wildcarddnsentries - singular: wildcarddnsentry - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: Current Status of the CRD - jsonPath: .status.state - - name: Message - type: string - description: Status Message - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - zone: - type: object - description: DNS configuration for a zone - properties: - domain: - type: string - description: Domain name - dnsaddrec: - type: object - description: DNS Address record - properties: - domain-ip: - type: string - description: IPv4 addresses to assign to the domain name - ttl: - type: integer - description: >- - TTL is the time for which the record must be cached - by DNS proxies - dnsaaaarec: - type: object - description: DNS AAAA record - properties: - domain-ip: - type: string - description: IPv6 addresses to assign to the domain name - ttl: - type: integer - description: >- - TTL is the time for which the record must be cached - by DNS proxies - soarec: - type: object - description: SOA record - properties: - origin-server: - type: string - description: Origin server domain - contact: - type: string - description: Admin contact - serial: - type: integer - description: >- - The secondary server uses this parameter to - determine whether it requires a zone transfer from - the primary server. 
- refresh: - type: integer - description: >- - Time, in seconds, for which a secondary server must - wait between successive checks on the value of the - serial number. - retry: - type: integer - description: >- - Time, in seconds, between retries if a secondary server's - attempt to contact the primary server for a zone refresh fails. - expire: - type: integer - description: >- - Time, in seconds, after which the zone data on a secondary - nameserver can no longer be considered authoritative because - all refresh and retry attempts made during the period have failed." - nsrec: - type: object - description: Name server record - properties: - nameserver: - type: string - description: Host name of the name server to add to the domain. - ttl: - type: integer - description: >- - Time to Live (TTL), in seconds, for the record. TTL - is the time for which the record must be cached by - DNS proxies. The specified TTL is applied to all the - resource records that are of the same record type - and belong to the specified domain name ---- -{{- end }} diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.35.6/templates/citrix-k8s-cpx-ingress.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.35.6/templates/citrix-k8s-cpx-ingress.yaml deleted file mode 100644 index 2bb161a2a8..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.35.6/templates/citrix-k8s-cpx-ingress.yaml +++ /dev/null 
@@ -1,424 +0,0 @@ -apiVersion: apps/v1 -{{- if or .Values.cpxBgpRouter .Values.daemonSet }} -kind: DaemonSet -{{- else }} -kind: Deployment -{{- end }} -metadata: - name: {{ include "citrix-cpx-ingress-controller.fullname" . }} - namespace: {{ .Release.Namespace }} -spec: - selector: - matchLabels: - app: {{ include "citrix-cpx-ingress-controller.fullname" . }} -{{- if not ( or .Values.cpxBgpRouter .Values.daemonSet ) }} - replicas: {{ .Values.replicaCount }} -{{- end }} - template: - metadata: - name: {{ include "citrix-cpx-ingress-controller.fullname" . }} - labels: - app: {{ include "citrix-cpx-ingress-controller.fullname" . }} - adc: "citrix" -{{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} -{{- end }} - spec: - serviceAccountName: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }} -{{- if .Values.cpxBgpRouter }} - hostNetwork: true -{{- end }} - containers: - - name: cpx-ingress - image: "{{ tpl .Values.image . }}" - imagePullPolicy: {{ .Values.pullPolicy }} - tty: true - securityContext: - privileged: true - env: - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace -{{- if .Values.cpxLicenseAggregator }} - - name: "CLA" - value: {{ .Values.cpxLicenseAggregator | quote }} -{{- else if .Values.ADMSettings.licenseServerIP }} - - name: "LS_IP" - value: {{ .Values.ADMSettings.licenseServerIP | quote }} - - name: "LS_PORT" - value: {{ .Values.ADMSettings.licenseServerPort | quote }} -{{- end }} - - name: "EULA" - value: "{{ .Values.license.accept }}" - - name: "KUBERNETES_TASK_ID" - value: "" -{{- if not .Values.cpxBgpRouter }} - - name: "MGMT_HTTP_PORT" - value: {{ .Values.mgmtHttpPort | quote }} - - name: "MGMT_HTTPS_PORT" - value: {{ .Values.mgmtHttpsPort | quote }} -{{- end }} -{{- if .Values.cpxBgpRouter }} - - name: NS_NETMODE - value: HOST -{{- if .Values.nsIP }} - - name: "NS_IP" 
- value: "{{ .Values.nsIP }}" -{{- end }} -{{- if .Values.nsGateway }} - - name: "NS_GATEWAY" - value: "{{ .Values.nsGateway }}" -{{- end }} -{{- end }} -{{- if .Values.ADMSettings.ADMIP }} - - name: "NS_MGMT_SERVER" - value: {{ .Values.ADMSettings.ADMIP | quote }} - - name: "NS_HTTP_PORT" - value: {{ .Values.mgmtHttpPort | quote }} - - name: "NS_HTTPS_PORT" - value: {{ .Values.mgmtHttpsPort | quote }} -{{- end }} -##Need to set env var BANDWIDTH in order to provide Bandwidth license to Citrix ADC CPX from ADM or CPX License Aggregator -{{- if and ( or ( .Values.ADMSettings.licenseServerIP ) ( .Values.cpxLicenseAggregator ) ) ( eq .Values.ADMSettings.bandWidthLicense true ) }} - - name: "BANDWIDTH" - value: {{ .Values.ADMSettings.bandWidth | quote }} -{{- end }} -#for multiple-PE support, need to set CPX_CORES -{{- if or .Values.ADMSettings.licenseServerIP .Values.cpxLicenseAggregator }} -{{- if or ( eq .Values.ADMSettings.vCPULicense true ) ( eq .Values.ADMSettings.bandWidthLicense true ) }} - - name: "CPX_CORES" - value: {{ .Values.ADMSettings.cpxCores | default 1 | quote }} -{{- end }} -{{- end }} - - name: "EDITION" - value: {{ .Values.ADMSettings.licenseEdition }} -{{- if or (.Values.ADMSettings.ADMIP) (.Values.ADMSettings.licenseServerIP) }} - - name: NS_MGMT_USER - valueFrom: - secretKeyRef: - name: {{ required "Provide Secret for ADM/LicenseServer credentials" .Values.ADMSettings.loginSecret }} - key: username - - name: NS_MGMT_PASS - valueFrom: - secretKeyRef: - name: {{ required "Provide Secret for ADM/LicenseServer credentials" .Values.ADMSettings.loginSecret }} - key: password -{{- end }} -{{- if .Values.exporter.required }} - - name: "METRICS_EXPORTER_PORT" - value: {{ .Values.exporter.ports.containerPort | quote }} -{{- end }} - resources: - {{- toYaml .Values.resources | nindent 12 }} - volumeMounts: - - mountPath: /var/deviceinfo - name: shared-data - - mountPath: /cpx/ - name: cpx-volume - - mountPath: /cpx/conf - name: cpx-volume-conf - - 
mountPath: /cpx/bootup_conf - name: bootupconfig-volume -{{- if .Values.cic.required }} - # Add cic as a sidecar - - name: cic - image: "{{ tpl .Values.cic.image . }}" - imagePullPolicy: {{ .Values.cic.pullPolicy }} - env: - - name: "EULA" - value: "{{ .Values.license.accept }}" -{{- if .Values.cpxBgpRouter }} - - name: "NS_IP" - value: {{ .Values.nsIP | default "192.168.1.2" | quote }} -{{- else }} - - name: "NS_IP" - value: "127.0.0.1" -{{- end }} -{{- if .Values.rbacRole }} - - name: "SCOPE" - value: "local" -{{- end }} - - name: "NS_APPS_NAME_PREFIX" - value: {{ .Values.entityPrefix | default "k8s"| quote }} - - name: "NS_DEPLOYMENT_MODE" - value: "SIDECAR" -{{- if and .Values.openshift .Values.routeLabels }} - - name: "ROUTE_LABELS" - value: {{ .Values.routeLabels | quote}} -{{- end }} -{{- if and .Values.openshift .Values.namespaceLabels }} - - name: "NAMESPACE_LABELS" - value: {{ .Values.namespaceLabels | quote }} -{{- end }} -{{- if .Values.cpxBgpRouter }} -{{- if eq (upper .Values.nsProtocol) "HTTPS" }} - - name: NS_PROTOCOL - value: HTTPS - - name: NS_PORT - value: "9443" -{{- else }} - - name: NS_PROTOCOL - value: HTTP - - name: NS_PORT - value: "9080" -{{- end }} -{{- if .Values.bgpPort }} - - name: "BGP_PORT" - value: {{ .Values.bgpPort | quote }} -{{- end }} -{{- end }} - - name: "NS_ENABLE_MONITORING" - value: "YES" -{{- if .Values.logProxy }} - - name: "NS_LOGPROXY" - value: {{ .Values.logProxy | quote }} -{{- end }} -{{- if .Values.ingressIP }} - - name: "NS_VIP" - value: {{ .Values.ingressIP | quote }} -{{- end }} -{{- if .Values.nitroReadTimeout }} - - name: "NS_NITRO_READ_TIMEOUT" - value: "{{ .Values.nitroReadTimeout }}" -{{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName -{{- if .Values.kubernetesURL }} - - name: 
"kubernetes_url" - value: "{{ .Values.kubernetesURL }}" -{{- end }} -{{- if .Values.disableOpenshiftRoutes }} - - name: "DISABLE_OPENSHIFT_ROUTES" - value: "{{ .Values.disableOpenshiftRoutes }}" -{{- end }} -{{- if .Values.nsConfigDnsRec }} - - name: "NS_CONFIG_DNS_REC" - value: "{{ .Values.nsConfigDnsRec }}" -{{- end }} -{{- if .Values.nsSvcLbDnsRec }} - - name: "NS_SVC_LB_DNS_REC" - value: "{{ .Values.nsSvcLbDnsRec }}" -{{- end }} -{{- if .Values.optimizeEndpointBinding }} - - name: "OPTIMIZE_ENDPOINT_BINDING" - value: "{{ .Values.optimizeEndpointBinding }}" -{{- end }} -{{- if .Values.cpxBgpRouter }} - securityContext: - runAsUser: 0 - capabilities: - add: - - NET_ADMIN -{{- end }} - args: - - --configmap - {{ .Release.Namespace }}/{{ include "cpxconfigmap.fullname" . }} -{{- if .Values.ipam }} - - --ipam - citrix-ipam-controller -{{- end }} -{{- if .Values.disableAPIServerCertVerify }} - - --disable-apiserver-cert-verify - {{ .Values.disableAPIServerCertVerify }} -{{- end }} -{{- if .Values.cpxBgpRouter }} - - --deployment-type - kube-bgp-router -{{- end }} -{{- if .Values.ingressClass }} - - --ingress-classes -{{- range .Values.ingressClass}} - {{.}} -{{- end }} -{{- end }} -{{- if .Values.defaultSSLCertSecret }} - - --default-ssl-certificate - {{ .Release.Namespace }}/{{ .Values.defaultSSLCertSecret }} -{{- end }} -{{- end }} -{{- if .Values.updateIngressStatus }} -{{- if .Values.cpxBgpRouter }} - - --update-ingress-status - yes -{{- else }} - - --cpx-service - {{ .Release.Namespace }}/{{ include "cpxservice.fullname" . }} -{{- end }} -{{- end }} - volumeMounts: - - mountPath: /var/deviceinfo - name: shared-data - resources: - {{- toYaml .Values.cic.resources | nindent 12 }} -{{- if .Values.exporter.required }} - - name: exporter - image: "{{ tpl .Values.exporter.image . 
}}" - imagePullPolicy: {{ .Values.exporter.pullPolicy }} - args: - - "--secure=no" -{{- if .Values.cpxBgpRouter }} - - --target-nsip={{ .Values.nsIP | default "192.168.1.2" }}:9080 -{{- else }} - - "--target-nsip=127.0.0.1" -{{- end }} - - "--port={{ .Values.exporter.ports.containerPort }}" - env: - - name: "NS_DEPLOYMENT_MODE" - value: "SIDECAR" - securityContext: - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /var/deviceinfo - name: shared-data - resources: - {{- toYaml .Values.exporter.resources | nindent 12 }} -{{- end }} - volumes: - - name: shared-data - emptyDir: {} - - name: cpx-volume - emptyDir: {} - - name: cpx-volume-conf - emptyDir: {} - - name: bootupconfig-volume - configMap: - name: {{ include "bootupconfigmap.fullname" . }} -{{- if and .Values.nodeSelector.key .Values.nodeSelector.value }} - nodeSelector: - {{ .Values.nodeSelector.key }}: {{ .Values.nodeSelector.value }} -{{- end }} -{{- if .Values.tolerations }} - tolerations: {{ .Values.tolerations | toYaml | nindent 8 }} -{{- end }} -{{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} -{{- end }} - ---- -{{- if .Values.cpxBgpRouter }} -{{- if .Values.exporter.required }} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "cpxexporter.fullname" . }} - labels: - app: {{ include "cpxexporter.fullname" . }} - service-type: {{ include "cpxservicemonitorlabel" . }} -spec: - type: ClusterIP - ports: - - port: {{ .Values.exporter.ports.containerPort }} - targetPort: {{ .Values.exporter.ports.containerPort }} - name: exporter-port - selector: - app: {{ include "citrix-cpx-ingress-controller.fullname" . }} -{{- end }} -{{- else }} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "cpxservice.fullname" . }} - labels: - app: cpx-service - service-type: {{ include "cpxservicemonitorlabel" . }} -{{- if .Values.serviceAnnotations }} - annotations: -{{- with .Values.serviceAnnotations }} -{{ toYaml . 
| indent 4 }} -{{- end }} -{{- end }} -spec: -{{- if or .Values.serviceType.loadBalancer.enabled ( and (.Values.updateIngressStatus) (not .Values.cpxBgpRouter)) }} - externalTrafficPolicy: {{ .Values.serviceSpec.externalTrafficPolicy }} - type: LoadBalancer -{{- if .Values.serviceSpec.loadBalancerIP }} - loadBalancerIP: {{ .Values.serviceSpec.loadBalancerIP }} -{{- end }} -{{- else if .Values.serviceType.nodePort.enabled }} - type: NodePort - externalTrafficPolicy: {{ .Values.serviceSpec.externalTrafficPolicy }} -{{- end }} -{{- if and .Values.serviceType.loadBalancer.enabled .Values.serviceSpec.loadBalancerSourceRanges }} - loadBalancerSourceRanges: -{{- range .Values.serviceSpec.loadBalancerSourceRanges}} - - {{.}} -{{- end }} -{{- end }} - ports: -{{- if .Values.servicePorts }} -{{- with .Values.servicePorts }} -{{ toYaml . | indent 2 }} -{{- end }} -{{- else }} - - port: 80 - protocol: TCP - name: http -{{- if and .Values.serviceType.nodePort.enabled .Values.serviceType.nodePort.httpPort }} - nodePort: {{ .Values.serviceType.nodePort.httpPort }} -{{- end }} - - port: 443 - protocol: TCP - name: https -{{- if and .Values.serviceType.nodePort.enabled .Values.serviceType.nodePort.httpsPort }} - nodePort: {{ .Values.serviceType.nodePort.httpsPort}} -{{- end }} -{{- end }} -{{- if .Values.exporter.required }} - - port: {{ .Values.exporter.ports.containerPort }} - targetPort: {{ .Values.exporter.ports.containerPort }} - name: exporter-port -{{- end }} - selector: - app: {{ include "citrix-cpx-ingress-controller.fullname" . }} -{{- end }} - ---- - -{{- if .Values.exporter.required }} - -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ include "cpxservicemonitor.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - servicemonitor: citrix-adc-cpx - {{- with .Values.exporter.serviceMonitorExtraLabels }} - {{- toYaml . 
| nindent 4 }} - {{- end }} -spec: - endpoints: - - interval: 30s - port: exporter-port - selector: - matchLabels: - service-type: {{ include "cpxservicemonitorlabel" . }} - namespaceSelector: - matchNames: - - monitoring - - default - - {{ .Release.Namespace }} - -{{- end }} diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.35.6/templates/configmap.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.35.6/templates/configmap.yaml deleted file mode 100644 index cd621fbfc2..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.35.6/templates/configmap.yaml +++ /dev/null 
@@ -1,101 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "cpxconfigmap.fullname" . }} - namespace: {{ .Release.Namespace }} -data: - LOGLEVEL: {{ .Values.logLevel | quote | lower }} - JSONLOG: {{ .Values.jsonLog | quote | lower }} -{{- if eq (upper .Values.nsProtocol) "HTTPS" }} - NS_PROTOCOL: "https" -{{- if .Values.cpxBgpRouter }} - NS_PORT: "9443" -{{- else }} - NS_PORT: "443" -{{- end }} -{{- else }} - NS_PROTOCOL: "http" -{{- if .Values.cpxBgpRouter }} - NS_PORT: "9080" -{{- else }} - NS_PORT: "80" -{{- end }} -{{- end }} - -{{- if ne (upper .Values.nsHTTP2ServerSide) "OFF" }} - NS_HTTP2_SERVER_SIDE: {{ .Values.nsHTTP2ServerSide | quote }} -{{- end }} -{{- if ne (toString .Values.nsCookieVersion) "0" }} - NS_COOKIE_VERSION: {{ .Values.nsCookieVersion | quote }} -{{- end }} -{{- if .Values.nsDnsNameserver }} - NS_DNS_NAMESERVER: {{ .Values.nsDnsNameserver }} -{{- end }} - -{{- if .Values.analyticsConfig.required }} - NS_ANALYTICS_CONFIG: | - distributed_tracing: - enable: {{ .Values.analyticsConfig.distributedTracing.enable | quote }} - samplingrate: {{ .Values.analyticsConfig.distributedTracing.samplingrate }} - endpoint: - server: {{ include "analytics.server" . | quote }} - service: {{ .Values.analyticsConfig.endpoint.service | quote }} - timeseries: - port: {{ .Values.analyticsConfig.timeseries.port }} - metrics: - enable: {{ .Values.analyticsConfig.timeseries.metrics.enable | quote }} - mode: {{ .Values.analyticsConfig.timeseries.metrics.mode | quote }} - auditlogs: - enable: {{ .Values.analyticsConfig.timeseries.auditlogs.enable | quote }} - events: - enable: {{ .Values.analyticsConfig.timeseries.events.enable | quote }} - transactions: - enable: {{ .Values.analyticsConfig.transactions.enable | quote }} - port: {{ .Values.analyticsConfig.transactions.port }} -{{- end }} - -{{- if .Values.cpxBgpRouter }} -{{- if .Values.bgpSettings.required }} - NS_BGP_CONFIG: | -{{- with .Values.bgpSettings.bgpConfig }} - bgpConfig: -{{ toYaml . 
| indent 4 }} -{{- end }} -{{- end }} -{{- end }} - -{{- if .Values.nsLbHashAlgo.required }} - NS_LB_HASH_ALGO: | - hashFingers: {{ .Values.nsLbHashAlgo.hashFingers }} - hashAlgorithm: {{ .Values.nsLbHashAlgo.hashAlgorithm | quote }} -{{- end }} - -{{- if .Values.profileSslFrontend }} - FRONTEND_SSL_PROFILE: | - {{- toYaml .Values.profileSslFrontend | nindent 4 }} -{{- end }} - -{{- if .Values.profileTcpFrontend }} - FRONTEND_TCP_PROFILE: | - {{- toYaml .Values.profileTcpFrontend | nindent 4 }} -{{- end }} - -{{- if .Values.profileHttpFrontend }} - FRONTEND_HTTP_PROFILE: | - {{- toYaml .Values.profileHttpFrontend | nindent 4 }} -{{- end }} - ---- - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "bootupconfigmap.fullname" . }} - namespace: {{ .Release.Namespace }} -data: - cpx.conf: | - #NetScaler commands - {{- .Values.cpxCommands | nindent 6 -}} - #Shell commands - {{- .Values.cpxShellCommands | nindent 6 -}} - # end of file \ No newline at end of file diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.35.6/templates/ingressclass.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.35.6/templates/ingressclass.yaml deleted file mode 100644 index d75537b79f..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.35.6/templates/ingressclass.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{- $default := .Values.setAsDefaultIngressClass -}} -{{- if semverCompare ">=1.19.0-0" .Capabilities.KubeVersion.GitVersion }} -{{- if .Values.ingressClass }} -{{- range .Values.ingressClass }} -apiVersion: networking.k8s.io/v1 -kind: IngressClass -metadata: - name: {{ . | quote }} -{{- if $default }} - annotations: - ingressclass.kubernetes.io/is-default-class: "true" -{{- end }} -spec: - controller: citrix.com/ingress-controller ---- -{{- end }} -{{- end }} -{{- end }} 
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.35.6/templates/rbac.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.35.6/templates/rbac.yaml deleted file mode 100644 index d812e76751..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.35.6/templates/rbac.yaml +++ /dev/null 
@@ -1,106 +0,0 @@ -{{- if not .Values.rbacRole }} -kind: ClusterRole -{{- else }} -kind: Role -{{- end }} -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }} -{{- if .Values.rbacRole }} - namespace: {{ .Release.Namespace }} -{{- end }} -rules: - - apiGroups: [""] -{{- if .Values.openshift }} - resources: ["endpoints", "pods", "secrets", "routes", "tokenreviews", "subjectaccessreviews", "nodes", "namespaces", "configmaps", "services"] -{{- else }} - resources: ["endpoints", "pods", "secrets", "routes", "nodes", "namespaces", "configmaps", "services"] -{{- end }} - verbs: ["get", "list", "watch"] - # services/status is needed to update the loadbalancer IP in service status for integrating - # service of type LoadBalancer with external-dns - - apiGroups: [""] - resources: ["services/status"] - verbs: ["patch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create"] - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["extensions","networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["patch"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingressclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apps"] - resources: ["deployments"] - verbs: ["get", "list", "watch"] - - apiGroups: ["citrix.com"] - resources: ["rewritepolicies", "continuousdeployments", "authpolicies", "ratelimits", "listeners", "httproutes", "wafs", "apigatewaypolicies", "bots", "corspolicies", "appqoepolicies", "wildcarddnsentries"] - verbs: ["get", "list", "watch", "create", "delete", "patch"] - - apiGroups: ["citrix.com"] - resources: ["rewritepolicies/status", "continuousdeployments/status", "authpolicies/status", "ratelimits/status", "listeners/status", "httproutes/status", "wafs/status", 
"apigatewaypolicies/status", "bots/status", "corspolicies/status", "appqoepolicies/status", "wildcarddnsentries/status"] - verbs: ["patch"] - - apiGroups: ["citrix.com"] - resources: ["vips"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: ["crd.projectcalico.org"] - resources: ["ipamblocks"] - verbs: ["get", "list", "watch"] -{{- if .Values.openshift }} - - apiGroups: ["route.openshift.io"] - resources: ["routes"] - verbs: ["get", "list", "watch"] - - apiGroups: ["network.openshift.io"] - resources: ["hostsubnets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["config.openshift.io"] - resources: ["networks"] - verbs: ["get", "list"] -{{- end }} - ---- - -{{- if not .Values.rbacRole }} -kind: ClusterRoleBinding -{{- else }} -kind: RoleBinding -{{- end }} -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }} -{{- if .Values.rbacRole }} - namespace: {{ .Release.Namespace }} -{{- end }} -roleRef: - apiGroup: rbac.authorization.k8s.io -{{- if not .Values.rbacRole }} - kind: ClusterRole -{{- else }} - kind: Role -{{- end }} - name: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }} -subjects: -- kind: ServiceAccount - name: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "citrix-cpx-ingress-controller.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- if .Values.imagePullSecrets }} -imagePullSecrets: -{{- range .Values.imagePullSecrets }} -- name: {{.}} -{{- end }} -{{- end }} - diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.35.6/values.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.35.6/values.yaml deleted file mode 100644 index b4c1c9d372..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.35.6/values.yaml +++ /dev/null 
@@ -1,256 +0,0 @@ -# Default values for citrix-cpx-with-ingress-controller. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -# Citrix ADC CPX config details -imageRegistry: quay.io -imageRepository: citrix/citrix-k8s-cpx-ingress -imageTag: 13.1-49.13 -image: "{{ .Values.imageRegistry }}/{{ .Values.imageRepository }}:{{ .Values.imageTag }}" -pullPolicy: IfNotPresent -imagePullSecrets: [] -daemonSet: False -nameOverride: "" -replicaCount: 1 -fullnameOverride: "" -mgmtHttpPort: 9080 -mgmtHttpsPort: 9443 -openshift: false -nsHTTP2ServerSide: "OFF" -nsCookieVersion: "0" -nsConfigDnsRec: -nsSvcLbDnsRec: -nsDnsNameserver: -optimizeEndpointBinding: -routeLabels: -namespaceLabels: - -# Service Type LoadBalancer and ingress support with CPX through BGP advertisement -# If you enable this, CPX is run as DaemonSet. Please edit the bgpSettings for configuring -# BGP neighbors for propgation of external IPs. -cpxBgpRouter: false - -# If cpxBgpRouter is true, then this is the NSIP used by CPX for internal communication -nsIP: 192.168.1.2 - -# If cpxBgpRouter is true, then this is the Gateway used by CPX for internal communication -nsGateway: 192.168.1.1 - -# Protocol used for communication between Citrix Ingress Controller sidecar and Citrix CPX -nsProtocol: http - -# External IP for ingress resource when bgpRouter is set to True -ingressIP: - -# If IPAM controller is used for auto allocation of the external IP for service of type LoadBalancer, set this option to true -ipam: False - -# Enable RBAC role (so called local role), by default CIC deployed with ClusterRole. 
-# below variable to deploy CIC with RBAC role, only ingress service supported with this config -rbacRole: False - -# API server Cert verification can be disabled, while communicating with API Server, if disableAPIServerCertVerify set to True -disableAPIServerCertVerify: False - -cpxLicenseAggregator: - -sslCertManagedByAWS: False - -nodeSelector: - key: - value: -tolerations: [] - -serviceType: - loadBalancer: - enabled: False - nodePort: - enabled: False - httpPort: - httpsPort: - -serviceAnnotations: {} - -serviceSpec: - externalTrafficPolicy: "Cluster" - loadBalancerIP: - loadBalancerSourceRanges: [] - -servicePorts: [] - -# Citrix Ingress Controller config details -cic: - imageRegistry: quay.io - imageRepository: citrix/citrix-k8s-ingress-controller - imageTag: 1.35.6 - image: "{{ .Values.cic.imageRegistry }}/{{ .Values.cic.imageRepository }}:{{ .Values.cic.imageTag }}" - pullPolicy: IfNotPresent - required: true - resources: - requests: - cpu: 32m - memory: 128Mi - # Following values depends on no of ingresses configured by Ingress Controllers, so it is - # advised to test with maximum no of ingresses to set these values. - # limits: - # cpu: 1000m - # memory: 1000Mi - limits: {} - # Following values depends on no of ingresses configured by Ingress Controllers, so it is - # advised to test with maximum no of ingresses to set these values. 
- # limits: - # cpu: 1000m - # memory: 1000Mi - -entityPrefix: -license: - accept: no -ingressClass: -setAsDefaultIngressClass: False -# nitroReadTimeout is timeout value in seconds for nitro api read timeout(default is 20) -nitroReadTimeout: -logLevel: INFO -jsonLog: false -defaultSSLCertSecret: -updateIngressStatus: False -logProxy: -kubernetesURL: -disableOpenshiftRoutes: -profileSslFrontend: {} - # preconfigured: my_ssl_profile - # OR - # config: - # tls13: 'ENABLED' - # hsts: 'ENABLED' -profileHttpFrontend: {} - # preconfigured: my_http_profile - # OR - # config: - # dropinvalreqs: 'ENABLED' - # websocket: 'ENABLED' -profileTcpFrontend: {} - # preconfigured: my_tcp_profile - # OR - # config: - # sack: 'ENABLED' - # nagle: 'ENABLED' - - -# Citrix ADM/License Server config details -ADMSettings: - licenseServerIP: - licenseServerPort: 27000 - ADMIP: - loginSecret: - bandWidthLicense: false - bandWidth: 1000 #bandwidth value shoule be in Mbps - vCPULicense: false - cpxCores: - licenseEdition: PLATINUM - -# Exporter config details -exporter: - required: false - imageRegistry: quay.io - imageRepository: citrix/citrix-adc-metrics-exporter - imageTag: 1.4.9 - image: "{{ .Values.exporter.imageRegistry }}/{{ .Values.exporter.imageRepository }}:{{ .Values.exporter.imageTag }}" - pullPolicy: IfNotPresent - ports: - containerPort: 8888 - resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
- # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - serviceMonitorExtraLabels: {} - -# For CRDs supported by Citrix Ingress Controller -crds: - install: false - retainOnDelete: false - -# Config required to be done by Citrix Ingress Controller for sending metrics to Citrix Observability Exporter -analyticsConfig: - required: false - distributedTracing: - enable: false - samplingrate: 100 - endpoint: - server: - service: - timeseries: - port: 5563 - metrics: - enable: false - mode: 'avro' - auditlogs: - enable: false - events: - enable: false - transactions: - enable: false - port: 5557 - -# BGP configurations: local AS, remote AS and remote address is mandatory to provide. Please do the approrpiate changes with respect to your environment -bgpSettings: - # When bgpConfig is configured correctly, set the required to true for the configuration to be applied. - required: false - bgpConfig: - - bgpRouter: - # Local AS number for BGP advertisement - localAS: 100 - neighbor: - # Address of the nighbor router for BGP advertisement - - address: - # Remote AS number - remoteAS: 100 - advertisementInterval: 10 - ASOriginationInterval: 10 - -bgpPort: - -nsLbHashAlgo: - required: false - hashFingers: 256 - hashAlgorithm: 'DEFAULT' - -# Specifies whether a ServiceAccount should be created -serviceAccount: - create: true - # The name of the ServiceAccount to use. - # If not set and `create` is true, a name is generated using the fullname template - # name: - -podAnnotations: {} -# This is the resource for CPX container. -resources: - requests: - cpu: 128m - memory: 500Mi - limits: {} - # limits: - # cpu: 500m - # memory: 512Mi - -affinity: {} - -# cpxCommands: to provide global config to be applied in CPX. The commands will be executed in order. For e.g. 
-# add rewrite action rw_act_x_forwarded_proto insert_http_header X-Forwarded-Proto "\"https\"" -# add rewrite policy rw_pol_x_forwarded_proto CLIENT.SSL.IS_SSL rw_act_x_forwarded_proto -# bind rewrite global rw_pol_x_forwarded_proto 10 -type REQ_OVERRIDE -cpxCommands: | - - -# cpxShellCommands: to provide commands that need to be executed in shell of CPX. For e.g. -# touch /etc/a.txt -# echo "this is a" > /etc/a.txt -# echo "this is the file" >> /etc/a.txt -# ls >> /etc/a.txt -cpxShellCommands: | diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.8.2800/Chart.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.8.2800/Chart.yaml deleted file mode 100644 index c592cb1602..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.8.2800/Chart.yaml +++ /dev/null @@ -1,19 +0,0 @@ -annotations: - catalog.cattle.io/certified: partner - catalog.cattle.io/release-name: citrix-cpx-with-ingress-controller -apiVersion: v1 -appVersion: 1.8.28 -deprecated: true -description: A Helm chart for Citrix ADC CPX with Citrix ingress Controller running - as sidecar. -home: https://www.citrix.com -icon: https://raw.githubusercontent.com/citrix/citrix-helm-charts/gh-pages/icon.png -maintainers: -- email: priyanka.sharma@citrix.com - name: priyankash-citrix -- email: subash.dangol@citrix.com - name: subashd -name: citrix-cpx-with-ingress-controller -sources: -- https://github.com/citrix/citrix-k8s-ingress-controller -version: 1.8.2800 diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.8.2800/README.md b/charts/citrix/citrix-cpx-with-ingress-controller/1.8.2800/README.md deleted file mode 100644 index f3cee100f4..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.8.2800/README.md +++ /dev/null 
@@ -1,234 +0,0 @@ -# Citrix ADC CPX with Citrix Ingress Controller running as sidecar. - -In a [Kubernetes](https://kubernetes.io/) or [OpenShift](https://www.openshift.com) cluster, you can deploy [Citrix ADC CPX](https://docs.citrix.com/en-us/citrix-adc-cpx) with Citrix ingress controller as a [sidecar](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/). The Citrix ADC CPX instance is used for load balancing the North-South traffic to the microservices in your cluster. And, the sidecar Citrix ingress controller configures the Citrix ADC CPX. - -## TL;DR; - -### For Kubernetes - ``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install cpx citrix/citrix-cpx-with-ingress-controller --set license.accept=yes - ``` - -### For OpenShift - - ``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install cpx citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,openshift=true - ``` - -> **Important:** -> -> The "license.accept" is a mandatory argument and should be set to "yes" to accept the terms of the Citrix license. - - -## Introduction -This Helm chart deploys a Citrix ADC CPX with Citrix ingress controller as a sidecar in the [Kubernetes](https://kubernetes.io/) or in the [Openshift](https://www.openshift.com) cluster using the [Helm](https://helm.sh/) package manager. - -### Prerequisites - -- The [Kubernetes](https://kubernetes.io/) version is 1.6 or later if using Kubernetes environment. -- The [Openshift](https://www.openshift.com) version 3.11.x or later if using OpenShift platform. -- The [Helm](https://helm.sh/) version 3.x or later. You can follow instruction given [here](https://github.com/citrix/citrix-helm-charts/blob/master/Helm_Installation_version_3.md) to install the same. 
-- You have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator), if you want to view the metrics of the Citrix ADC CPX collected by the [metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics). -- Registration of Citrix ADC CPX in ADM: You may want to register your CPX in ADM for licensing or to obtain [servicegraph](https://docs.citrix.com/en-us/citrix-application-delivery-management-service/application-analytics-and-management/service-graph.html). For this you will have to create a Kubernetes secret using ADM credentials and provide it while install the chart. Create a Kubernetes secret for the user name and password using the following command: - - ``` - kubectl create secret generic admlogin --from-literal=username= --from-literal=password= -n citrix-system - ``` - -## Installing the Chart -Add the Citrix Ingress Controller helm chart repository using command: - - ``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - ``` - -### For Kubernetes: -#### 1. Citrix ADC CPX with Citrix Ingress Controller running as side car. -To install the chart with the release name ``` my-release```: - - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,ingressClass[0]= - ``` - -> **Note:** -> -> By default the chart installs the recommended [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) roles and role bindings. - -The command deploys Citrix ADC CPX with Citrix ingress controller as a sidecar on the Kubernetes cluster with the default configuration. The [configuration](#configuration) section lists the mandatory and optional parameters that you can configure during installation. - -#### 2. Citrix ADC CPX with Citrix Ingress Controller and Exporter running as side car. 
-[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed as sidecar to the Citrix ADC CPX and collects metrics from the Citrix ADC CPX instance. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. -> **Note:** -> -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). - -Use the following command for this: - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,ingressClass[0]=,exporter.required=true - ``` - -### For OpenShift: -Add the service account named "cpx-ingress-k8s-role" to the privileged Security Context Constraints of OpenShift: - - ``` - oc adm policy add-scc-to-user privileged system:serviceaccount::cpx-ingress-k8s-role - ``` - -#### 1. Citrix ADC CPX with Citrix Ingress Controller running as side car. -To install the chart with the release name, `my-release`, use the following command: - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller --set license.accept=yes,openshift=true - ``` - -#### 2. Citrix ADC CPX with Citrix Ingress Controller and Exporter running as side car. -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed as sidecar to the Citrix ADC CPX and collects metrics from the Citrix ADC CPX instance. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. -> **Note:** -> -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). 
- -Use the following command for this: - ``` - helm install my-release citrix/citrix-k8s-ingress-controller --set license.accept=yes,openshift=true,exporter.required=true - ``` - -### Installed components - -The following components are installed: - -- [Citrix ADC CPX](https://docs.citrix.com/en-us/citrix-adc-cpx/netscaler-cpx.html) -- [Citrix ingress controller](https://github.com/citrix/citrix-k8s-ingress-controller) (if enabled) -- [Exporter](https://github.com/citrix/citrix-adc-metrics-exporter) (if enabled) - - -## CRDs configuration - -CRDs gets installed/upgraded automatically when we install/upgrade Citrix ADC CPX with Citrix ingress controller using Helm. If you do not want to install CRDs, then set the option `crds.install` to `false`. By default, CRDs too get deleted if you uninstall through Helm. This means, even the CustomResource objects created by the customer will get deleted. If you want to avoid this data loss set `crds.retainOnDelete` to `true`. - -> **Note:** -> Installing again may fail due to the presence of CRDs. Make sure that you back up all CustomResource objects and clean up CRDs before re-installing Citrix ADC CPX with Citrix ingress controller. - -There are a few examples of how to use these CRDs, which are placed in the folder: [Example-CRDs](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds). Refer to them and install as needed, using the following command: -```kubectl create -f ``` - -### Details of the supported CRDs: - -#### authpolicies CRD: - -Authentication policies are used to enforce access restrictions to resources hosted by an application or an API server. - -Citrix provides a Kubernetes CustomResourceDefinitions (CRDs) called the [Auth CRD](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/auth) that you can use with the Citrix ingress controller to define authentication policies on the ingress Citrix ADC. 
- -Example file: [auth_example.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/auth_example.yaml) - -#### continuousdeployments CRD for canary: - -Canary release is a technique to reduce the risk of introducing a new software version in production by first rolling out the change to a small subset of users. After user validation, the application is rolled out to the larger set of users. Citrix ADC-Integrated [Canary Deployment solution](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/canary) stitches together all components of continuous delivery (CD) and makes canary deployment easier for the application developers. - -#### httproutes and listeners CRDs for contentrouting: - -[Content Routing (CR)](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/contentrouting) is the execution of defined rules that determine the placement and configuration of network traffic between users and web applications, based on the content being sent. For example, a pattern in the URL or header fields of the request. - -Example files: [HTTPRoute_crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/HTTPRoute_crd.yaml), [Listener_crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/Listener_crd.yaml) - -#### ratelimits CRD: - -In a Kubernetes deployment, you can [rate limit the requests](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/ratelimit) to the resources on the back end server or services using rate limiting feature provided by the ingress Citrix ADC. 
- -Example files: [ratelimit-example1.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/ratelimit-example1.yaml), [ratelimit-example2.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/ratelimit-example2.yaml) - -#### vips CRD: - -Citrix provides a CustomResourceDefinitions (CRD) called [VIP](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/vip) for asynchronous communication between the IPAM controller and Citrix ingress controller. - -The IPAM controller is provided by Citrix for IP address management. It allocates IP address to the service from a defined IP address range. The Citrix ingress controller configures the IP address allocated to the service as virtual IP (VIP) in Citrix ADX VPX. And, the service is exposed using the IP address. - -When a new service is created, the Citrix ingress controller creates a CRD object for the service with an empty IP address field. The IPAM Controller listens to addition, deletion, or modification of the CRD and updates it with an IP address to the CRD. Once the CRD object is updated, the Citrix ingress controller automatically configures Citrix ADC-specfic configuration in the tier-1 Citrix ADC VPX. - -#### rewritepolicies CRD: - -In kubernetes environment, to deploy specific layer 7 policies to handle scenarios such as, redirecting HTTP traffic to a specific URL, blocking a set of IP addresses to mitigate DDoS attacks, imposing HTTP to HTTPS and so on, requires you to add appropriate libraries within the microservices and manually configure the policies. Instead, you can use the [Rewrite and Responder features](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/crd/rewrite-responder-policies-deployment.yaml) provided by the Ingress Citrix ADC device to deploy these policies. 
- -Example files: [target-url-rewrite.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/target-url-rewrite.yaml) - - -## Configuration -The following table lists the configurable parameters of the Citrix ADC CPX with Citrix ingress controller as side car chart and their default values. - -| Parameters | Mandatory or Optional | Default value | Description | -| ---------- | --------------------- | ------------- | ----------- | -| license.accept | Mandatory | no | Set `yes` to accept the Citrix ingress controller end user license agreement. | -| image | Mandatory | `quay.io/citrix/citrix-k8s-cpx-ingress:13.0-58.30` | The Citrix ADC CPX image. | -| pullPolicy | Mandatory | IfNotPresent | The Citrix ADC CPX image pull policy. | -| cic.image | Mandatory | `quay.io/citrix/citrix-k8s-ingress-controller:1.8.28` | The Citrix ingress controller image. | -| cic.pullPolicy | Mandatory | IfNotPresent | The Citrix ingress controller image pull policy. | -| cic.required | Mandatory | true | CIC to be run as sidecar with Citrix ADC CPX | -| logLevel | Optional | DEBUG | The loglevel to control the logs generated by CIC. The supported loglevels are: CRITICAL, ERROR, WARNING, INFO, DEBUG and TRACE. For more information, see [Logging](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/configure/log-levels.md).| -| defaultSSLCert | Optional | N/A | Default SSL certificate that needs to be used as a non-SNI certificate in Citrix ADC. | -| http2ServerSide | Optional | OFF | Enables HTTP2 for Citrix ADC service group configurations. | -| logProxy | Optional | N/A | Provide Elasticsearch or Kafka or Zipkin endpoint for Citrix observability exporter. | -| nsNamespace | Optional | k8s | The prefix for the resources on the Citrix ADC CPX. | -| ingressClass | Optional | N/A | If multiple ingress load balancers are used to load balance different ingress resources. 
You can use this parameter to specify Citrix ingress controller to configure Citrix ADC associated with specific ingress class.| -| openshift | Optional | false | Set this argument if OpenShift environment is being used. | -| nodeSelector.key | Optional | N/A | Node label key to be used for nodeSelector option for CPX-CIC deployment. | -| nodeSelector.value | Optional | N/A | Node label value to be used for nodeSelector option in CPX-CIC deployment. | - -| ADMSettings.licenseServerIP | Optional | N/A | Provide the Citrix Application Delivery Management (ADM) IP address to license Citrix ADC CPX. For more information, see [Licensing](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/licensing/)| -| ADMSettings.licenseServerPort | Optional | 27000 | Citrix ADM port if non-default port is used. | -| ADMSettings.ADMIP | Optional | | Citrix Application Delivery Management (ADM) IP address. | -| ADMSettings.ADMFingerPrint | Optional | N/A | Citrix Application Delivery Management (ADM) Finger Print. For more information, see [this](https://docs.citrix.com/en-us/citrix-application-delivery-management-service/application-analytics-and-management/service-graph.html). | -| ADMSettings.loginSecret | Optional | N/A | The secret key to log on to the ADM. For information on how to create the secret keys, see [Prerequisites](#prerequistes). | -| ADMSettings.bandWidthLicense | Optional | False | Set to true if you want to use bandwidth based licensing for Citrix ADC CPX. | -| ADMSettings.bandWidth | Optional | N/A | Desired bandwidth capacity to be set for Citrix ADC CPX in Mbps. | -| ADMSettings.vCPULicense | Optional | N/A | Set to true if you want to use vCPU based licensing for Citrix ADC CPX. | -| ADMSettings.cpxCores | Optional | 1 | Desired number of vCPU to be set for Citrix ADC CPX. 
| - -| exporter.required | Optional | false | Use the argument if you want to run the [Exporter for Citrix ADC Stats](https://github.com/citrix/citrix-adc-metrics-exporter) along with Citrix ingress controller to pull metrics for the Citrix ADC CPX| -| exporter.image | Optional | `quay.io/citrix/citrix-adc-metrics-exporter:1.4.5` | The Exporter for Citrix ADC Stats image. | -| exporter.pullPolicy | Optional | IfNotPresent | The Exporter for Citrix ADC Stats image pull policy. | -| exporter.ports.containerPort | Optional | 8888 | The Exporter for Citrix ADC Stats container port. | - -| coeConfig.required | Mandatory | false | Set this to true if you want to configure Citrix ADC to send metrics and transaction records to COE. | -| coeConfig.distributedTracing.enable | Optional | false | Set this value to true to enable OpenTracing in Citrix ADC. | -| coeConfig.distributedTracing.samplingrate | Optional | 100 | Specifies the OpenTracing sampling rate in percentage. | -| coeConfig.endpoint.server | Optional | N/A | Set this value as the IP address or DNS address of the analytics server. | -| coeConfig.timeseries.port | Optional | 5563 | Specify the port used to expose COE service for timeseries endpoint. | -| coeConfig.timeseries.metrics.enable | Optional | Set this value to true to enable sending metrics from Citrix ADC. | -| coeConfig.timeseries.metrics.mode | Optional | avro | Specifies the mode of metric endpoint. | -| coeConfig.timeseries.auditlogs.enable | Optional | false | Set this value to true to export audit log data from Citrix ADC. | -| coeConfig.timeseries.events.enable | Optional | false | Set this value to true to export events from the Citrix ADC. | -| coeConfig.transactions.enable | Optional | false | Set this value to true to export transactions from Citrix ADC. | -| coeConfig.transactions.port | Optional | 5557 | Specify the port used to expose COE service for transaction endpoint. 
| - -| crds.install | Optional | true | Unset this argument if you don't want to install CustomResourceDefinitions which are consumed by CIC. | -| crds.retainOnDelete | Optional | false | Set this argument if you want to retain CustomResourceDefinitions even after uninstalling CIC. This will avoid data-loss of Custom Resource Objects created before uninstallation. | - -> **Note:** -> -> If Citrix ADM related information is not provided during installation, Citrix ADC CPX will come up with the default license. - -Alternatively, you can define a YAML file with the values for the parameters and pass the values while installing the chart. - -For example: - ``` - helm install my-release citrix/citrix-cpx-with-ingress-controller -f values.yaml - ``` - -> **Tip:** -> -> The [values.yaml](https://github.com/citrix/citrix-helm-charts/blob/master/citrix-cpx-with-ingress-controller/values.yaml) contains the default values of the parameters. - -## Uninstalling the Chart -To uninstall/delete the ```my-release``` deployment: - ``` - helm delete my-release - ``` - -## Related documentation - -- [Citrix ADC CPX Documentation](https://docs.citrix.com/en-us/citrix-adc-cpx/12-1/cpx-architecture-and-traffic-flow.html) -- [Citrix ingress controller Documentation](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/) -- [Citrix ingress controller GitHub](https://github.com/citrix/citrix-k8s-ingress-controller) diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.8.2800/app-readme.md b/charts/citrix/citrix-cpx-with-ingress-controller/1.8.2800/app-readme.md deleted file mode 100644 index ef45a3d907..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.8.2800/app-readme.md +++ /dev/null 
@@ -1,5 +0,0 @@ -# Citrix ADC CPX with Citrix Ingress Controller running as sidecar. - -In a [Kubernetes](https://kubernetes.io/) or [OpenShift](https://www.openshift.com) cluster, you can deploy [Citrix ADC CPX](https://docs.citrix.com/en-us/citrix-adc-cpx) with Citrix ingress controller as a [sidecar](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/). The Citrix ADC CPX instance is used for load balancing the North-South traffic to the microservices in your cluster. And, the sidecar Citrix ingress controller configures the Citrix ADC CPX. - -This Chart bootstraps deployment of Citrix ADC CPX with Citrix Ingress Controller as sidecar. diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.8.2800/questions.yml b/charts/citrix/citrix-cpx-with-ingress-controller/1.8.2800/questions.yml deleted file mode 100644 index 0c87144137..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.8.2800/questions.yml +++ /dev/null 
@@ -1,211 +0,0 @@ -questions: -- variable: license.accept - required: true - default: "no" - type: enum - description: "Set to yes to accept the terms and conditions of the Citrix license." - label: Accept License - group: "Deployment Settings" - options: - - "yes" - - "no" -- variable: openshift - default: false - type: boolean - description: "openshift is set to true if charts are being deployed in OpenShift environment" - label: Openshift flag - group: "Deployment Settings" -- variable: nsNamespace - type: string - description: "Prefix for the resources on Citrix ADC" - label: Resource Prefix - group: "Deployment Settings" -- variable: ingressClass[0] - type: string - description: "ingressClass is the name of the Ingress Class" - label: Ingress Class - group: "Deployment Settings" -- variable: logLevel - default: "DEBUG" - type: enum - options: - - "TRACE" - - "DEBUG" - - "INFO" - - "WARNING" - - "ERROR" - description: "logLevel of Citrix Ingress Controller pod" - label: LogLevel - group: "Deployment Settings" -- variable: defaultSSLCert - type: string - description: "Secret containing the default ceritifcate for SSL vservers" - label: Default SSLCert - group: "ADC Settings" -- variable: logProxy - type: string - description: "Elasticsearch or Kafka or Zipkin endpoint for Citrix observability exporte" - label: LogProxy - group: "Deployment Settings" -- variable: http2ServerSide - default: "OFF" - type: enum - options: - - "ON" - - "OFF" - description: "Set to ON to enable HTTP2 for Citrix ADC service group configurations" - label: HTTP2 on ADC - group: "ADC Settings" -- variable: nodeSelector.key - type: string - label: NodeSelector Key - group: "Deployment Settings" -- variable: nodeSelector.value - type: string - label: NodeSelector Value - group: "Deployment Settings" - - -- variable: ADMSettings.licenseServerIP - type: string - label: ADM LicenseServerIP - group: "ADM Settings" -- variable: ADMSettings.licenseServerPort - default: 27000 - type: int - label: 
ADM LicenseServerPort - group: "ADM Settings" -- variable: ADMSettings.ADMIP - type: string - label: ADM IP - group: "ADM Settings" -- variable: ADMSettings.ADMFingerPrint - type: string - label: ADM FingerPrint - group: "ADM Settings" -- variable: ADMSettings.loginSecret - type: string - label: ADM Login Secret - group: "ADM Settings" -- variable: ADMSettings.bandWidthLicense - type: boolean - label: CPX Bandwidth License - group: "ADM Settings" -- variable: ADMSettings.bandWidth - type: int - label: CPX Bandwidth - group: "ADM Settings" -- variable: ADMSettings.vCPULicense - type: boolean - label: CPX vCPU License - group: "ADM Settings" -- variable: ADMSettings.cpxCores - type: int - label: CPX Cores - group: "ADM Settings" -- variable: cic.pullpolicy - default: "IfNotPresent" - type: enum - label: CIC Image Pullpolicy - group: "CIC/CPX Image Settings" - options: - - "Always" - - "IfNotPresent" - - "Never" -- variable: pullpolicy - default: "IfNotPresent" - type: enum - label: CPX Image Pullpolicy - group: "CIC/CPX Image Settings" - options: - - "Always" - - "IfNotPresent" - - "Never" -- variable: cic.image - default: "quay.io/citrix/citrix-k8s-ingress-controller:1.8.28" - type: string - label: CIC Image - group: "CIC/CPX Image Settings" -- variable: image - type: string - default: "quay.io/citrix/citrix-k8s-cpx-ingress:13.0-58.30" - label: CPX Image - group: "CIC/CPX Image Settings" -- variable: exporter.image - default: "quay.io/citrix/citrix-adc-metrics-exporter:1.4.5" - type: string - description: "Exporter Image to be used" - label: Exporter Image - group: "Exporter Settings" -- variable: exporter.pullPolicy - default: "IfNotPresent" - type: string - description: "Exporter Image pull policy" - label: Exporter Image PullPolicy - group: "Exporter Settings" -- variable: exporter.ports.containerPort - default: 8888 - type: int - label: Exporter ContainerPort - group: "Exporter Settings" -- variable: coeConfig.distributedTracing.enable - default: false - type: 
boolean - label: Enable distributedTracing - group: "COE Settings" -- variable: coeConfig.distributedTracing.samplingrate - default: 100 - type: int - label: COE Sampling Rate - group: "COE Settings" -- variable: coeConfig.endpoint.server - type: string - label: COE Endpoint Server - group: "COE Settings" -- variable: coeConfig.timeseries.port - default: 5563 - type: int - label: COE timeseries port - group: "COE Settings" -- variable: coeConfig.timeseries.metrics.enable - default: false - type: boolean - label: Enable timeseries metrics - group: "COE Settings" -- variable: coeConfig.timeseries.metrics.mode - default: 'avro' - type: string - label: COE timeseries metrics Mode - group: "COE Settings" -- variable: coeConfig.timeseries.auditlogs.enable - default: false - type: string - label: Enable timeseries auditlogs - group: "COE Settings" -- variable: coeConfig.timeseries.events.enable - default: false - type: string - label: Enable timeseries events - group: "COE Settings" -- variable: coeConfig.transactions.enable - default: false - type: string - label: Enable transactions - group: "COE Settings" -- variable: coeConfig.transactions.port - default: 5557 - type: int - label: COE transactions port - group: "COE Settings" -- variable: crds.install - default: true - type: boolean - description: "If set to true the charts will install CustomResourceDefinitions which are consumed by CIC." - label: CRD flag - group: "Deployment Settings" -- variable: crds.retainOnDelete - default: false - type: boolean - description: "Set this argument to true if you want to retain CustomResourceDefinitions even after uninstalling CIC. This will avoid data-loss of Custom Resource Objects created before uninstallation." - label: CRD retainOnDelete flag - group: "Deployment Settings" 
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.8.2800/templates/NOTES.txt b/charts/citrix/citrix-cpx-with-ingress-controller/1.8.2800/templates/NOTES.txt
deleted file mode 100644
index bccfdf69a4..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.8.2800/templates/NOTES.txt
+++ /dev/null
@@ -1,14 +0,0 @@
-Thank you for installing {{ .Chart.Name }}.
-
-Your release is named {{ .Release.Name }}.
-
-
-To learn more about the release, try:
-
- $ helm status {{ .Release.Name }}
- $ helm get {{ .Release.Name }}
-
-
-To delete :
- helm delete {{ .Release.Name }}
-
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.8.2800/templates/_helpers.tpl b/charts/citrix/citrix-cpx-with-ingress-controller/1.8.2800/templates/_helpers.tpl
deleted file mode 100644
index 5fd1f1d614..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.8.2800/templates/_helpers.tpl
+++ /dev/null
@@ -1,11 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Analytics Server IP or DNS
-*/}}
-{{- define "analytics.server" -}}
-{{- if .Values.coeConfig.endpoint.server -}}
-{{- printf .Values.coeConfig.endpoint.server -}}
-{{- else -}}
-{{- printf "coe.%s.svc.cluster.local" .Release.Namespace -}}
-{{- end -}}
-{{- end -}}
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.8.2800/templates/cic_crds.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.8.2800/templates/cic_crds.yaml
deleted file mode 100644
index 2ca8413735..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.8.2800/templates/cic_crds.yaml
+++ /dev/null
@@ -1,1009 +0,0 @@ -{{- if .Values.crds.install }} -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: rewritepolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - version: v1 - names: - kind: rewritepolicy - plural: rewritepolicies - singular: rewritepolicy - scope: Namespaced - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - JSONPath: .status.state - - name: Message - type: string - description: "Status Message" - JSONPath: .status.status_message - validation: - openAPIV3Schema: - properties: - spec: - properties: - rewrite-policies: - type: array - items: - properties: - servicenames: - description: 'Name of the services that needs to be binded to rewrite policy.' - type: array - items: - type: string - maxLength: 127 - goto-priority-expression: - description: 'Expression or other value specifying the next policy to be - evaluated if the current policy evaluates to TRUE. - Specify one of the following values: - * NEXT - Evaluate the policy with the next higher priority number. - * END - End policy evaluation. - Default value of goto-priority-expression: END' - type: string - maxLength: 1499 - logpackets: - description: 'Adds an audit message action. - The action specifies whether to log the message, and to which log.' - properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' 
- type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - rewrite-policy: - properties: - rewrite-criteria: - description: 'Expression against which traffic is evaluated.' - type: string - maxLength: 1299 - default-action: - description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). - An UNDEF event indicates an internal error condition.' - type: string - maxLength: 77 - enum: ['NOREWRITE', 'RESET', 'DROP'] - operation: - description: 'Type of user-defined rewrite action.' - type: string - enum: ["noop", "delete", "insert_http_header", "delete_http_header", - "corrupt_http_header", "insert_before", "insert_after", "replace", - "replace_http_res", "delete_all", "replace_all", "insert_before_all", - "insert_after_all", "clientless_vpn_encode", "clientless_vpn_encode_all", - "clientless_vpn_decode", "clientless_vpn_decode_all", "insert_sip_header", - "delete_sip_header", "corrupt_sip_header", "replace_sip_res", "replace_diameter_header_field", - "replace_dns_header_field", "replace_dns_answer_section"] - target: - description: 'Default syntax expression that specifies which part of the request or response to rewrite.' - type: string - maxLength: 1229 - modify-expression: - description: 'Default syntax expression that specifies the content to insert into the request - or response at the specified location, or that replaces the specified string.' - type: string - maxLength: 7991 - multiple-occurence-modify: - description: 'Search facility that is used to match multiple strings in the request or response.' - type: string - maxLength: 171 - additional-multiple-occurence-modify: - description: 'Specify additional criteria to refine the results of the search. - Always starts with the "extend(m,n)" operation, where "m" specifies number of bytes to the left of selected data - and "n" specifies number of bytes to the right of selected data. 
- You can use refineSearch only on body expressions, and only when rewrite-criteria is any one of this: - INSERT_BEFORE_ALL, INSERT_AFTER_ALL, REPLACE_ALL, and DELETE_ALL.' - type: string - maxLength: 1299 - direction: - description: 'Bind point to which to bind the policy.' - type: string - enum: ["REQUEST","RESPONSE"] - comment: - description: 'Any comments to preserve information about this rewrite policy.' - type: string - maxLength: 255 - required: [rewrite-criteria, operation, target, direction] - required: [servicenames, rewrite-policy] - - responder-policies: - type: array - items: - properties: - servicenames: - description: 'Name of the services that needs to be binded to responder policy.' - type: array - items: - type: string - maxLength: 127 - goto-priority-expression: - description: 'Expression or other value specifying the next policy to be - evaluated if the current policy evaluates to TRUE. - Specify one of the following values: - * NEXT - Evaluate the policy with the next higher priority number. - * END - End policy evaluation. - Default value of goto-priority-expression: END' - type: string - maxLength: 1499 - logpackets: - description: 'Adds an audit message action. - The action specifies whether to log the message, and to which log.' - properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' - type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", - "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - responder-policy: - properties: - redirect: - description: 'Use this option when you want to Redirect the request when request matches to policy.' - properties: - url: - description: 'URL on which you want to redirect the request.' 
- type: string - maxLength: 7991 - redirect-status-code: - description: 'HTTP response status code, for example 200, 302, 404, etc.' - type: integer - minimum: 100 - maximum: 599 - redirect-reason: - description: 'Expression specifying the reason for redirecting the request.' - type: string - maxLength: 7991 - required: [url] - respondwith: - description: 'Use this parameter when you want to respond to the request when request matches to policy.' - properties: - http-payload-string: - description: 'Expression that you want to sent as response to the request.' - type: string - maxLength: 7991 - required: [http-payload-string] - noop: - description: 'Use this option when you want to send the request to the protected server instead of - responding to it when request matches to policy.' - properties: - target: - description: 'Default syntax expression that specifies to perform noop operation on' - type: string - maxLength: 1229 - reset: - description: 'Use this option when you want to Reset the client connection by closing it when request matches to policy.' - properties: - drop: - description: 'Use this option when you want to drop the request without sending a response to the user when request matches to policy.' - properties: - respond-criteria: - description: 'Default syntax expression that the policy uses to determine whether to respond to the specified request.' - type: string - maxLength: 1299 - default-action: - description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). - An UNDEF event indicates an internal error condition.' - type: string - maxLength: 77 - enum: ['NOOP', 'RESET', 'DROP'] - comment: - description: 'Any comments to preserve information about this responder policy.' 
- type: string - maxLength: 255 - required: [respond-criteria] - oneOf: [required: [redirect], required: [respondwith], required: [noop], required: [reset], required: [drop]] - required: [servicenames, responder-policy] - - dataset: - type: array - items: - properties: - name: - description: 'Name of the dataset.' - type: string - maxLength: 32 - type: - description: 'Type of value to bind to the dataset.' - type: string - enum: ["ipv4", "number", "ipv6", "ulong", "double", "mac"] - comment: - description: 'Any comments to preserve information about this dataset.' - type: string - maxLength: 255 - values: - description: 'Value of the specified type that is associated with this dataset.' - type: array - required: [name, type, values] - - patset: - type: array - items: - properties: - name: - description: 'Name of the Patset.' - type: string - maxLength: 32 - comment: - description: 'Any comments to preserve information about this patset.' - type: string - maxLength: 255 - values: - description: 'String of characters that constitutes a pattern and is associated with this patset.' - type: array - required: [name, values] - - stringmap: - type: array - items: - properties: - name: - description: 'Name of the Stringmap.' - type: string - maxLength: 32 - comment: - description: 'Any comments to preserve information about this stringmap.' - type: string - maxLength: 255 - values: - description: 'List of (key,value) pairs to be bound to this string map.' - type: array - items: - properties: - key: - description: 'Character string constituting the key to be bound to this string map.' - type: string - maxLength: 2047 - value: - description: 'Character string constituting the value associated with the key.' 
- type: string - maxLength: 2047 - required: [name, values] - ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: ratelimits.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - version: v1beta1 - names: - kind: ratelimit - plural: ratelimits - singular: ratelimit - scope: Namespaced - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - JSONPath: .status.state - - name: Message - type: string - description: "Status Message" - JSONPath: .status.status_message - validation: - openAPIV3Schema: - properties: - spec: - properties: - servicenames: - description: 'Name of the services to which the ratelimit policies are applied.' - type: array - items: - type: string - maxLength: 127 - selector_keys: - description: 'Traffic match criteria to which apply above rate-limit/throttling. All keys are applied as AND condition. If no keys are specified, rate-limit applies at service level' - properties: - basic: - description: "Basic traffic stream selection criteria to which to apply the ratelimit" - properties: - path: - type: array - description: "api resource path prefix match. e.g. /api/v1/products" - items: - type: string - method: - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST','DELETE'] - header_name: - description: "HTTP header that identifies the unique API client for e.g. X-apikey" - type: string - per_client_ip: - description: "Setting this applies the throttling limit to each unique Client IP address accessing the API resource" - type: boolean - req_threshold: - description: 'Max requests per timeslice units to be allowed' - type: integer - timeslice: - description: 'Timeslice in miliseconds in multiple of 10. Defaults to 1000 miliseconds' - type: integer - limittype: - description: "Burst mode or smooth. 
Defaults to burst mode if the limittype is not specified" - type: string - enum: ['BURSTY','SMOOTH'] - throttle_action: - type: string - enum: ['DROP', 'RESET','REDIRECT', 'RESPOND'] - description: "Drop will drop the requests exceeding limits, RESET will reset the client connection, Redirect will redirect to specified URL, respond will respond with 429 'Exceeded allowed rate of requests'" - redirect_url: - type: string - description: "Redirect-URL" - required: [servicenames, req_threshold] ---- -#Sample CRD instance - -#apiVersion: citrix.com/v1 -#description: VIP for apache service -#kind: vip -#metadata: -# name: service-apache -# namespace: default -#spec: -# description: VIP for the apache Service -# ipaddress: 10.99.98.90 -# kind: service -# name: apache - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: vips.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - version: v1 - names: - kind: vip - plural: vips - singular: vip - scope: Namespaced - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - JSONPath: .status.state - - name: Message - type: string - description: "Status Message" - JSONPath: .status.status_message - additionalPrinterColumns: - - JSONPath: .spec.ipaddress - name: VIP - type: string - - name: Age - type: date - JSONPath: .metadata.creationTimestamp - validation: - openAPIV3Schema: - properties: - spec: - properties: - ipaddress: - type: string - name: - type: string - kind: - type: string - enum: ["service", "ingress"] - description: - type: string ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: authpolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - version: v1beta1 - names: - kind: 
authpolicy - plural: authpolicies - singular: authpolicy - scope: Namespaced - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - JSONPath: .status.state - - name: Message - type: string - description: "Status Message" - JSONPath: .status.status_message - validation: - openAPIV3Schema: - properties: - spec: - properties: - servicenames: - description: 'Name of the services that needs to be binded to rewrite policy.' - type: array - items: - type: string - maxLength: 127 - auth_providers: - description: 'Auth Config for required auth providers, one or more of these can be created' - type: array - items: - description: " create config for a single auth provider of a particular type" - properties: - name: - description: 'Name for this provider, has to be unique, referenced by auth policies' - type: string - - oauth: - description: 'Auth provided by external oAuth provider' - properties: - issuer: - description: 'Identity of the server whose tokens are to be accepted' - type: string - jwks_uri: - description: 'URL of the endpoint that contains JWKs (Json Web Key) for JWT (Json Web Token) verification' - type: string - audience: - description: 'Audience for which token sent by Authorization server is applicable' - type: array - items: - type: string - token_in_hdr: - description: 'custom header name where token is present, default is Authorization header' - type: array - items: - type: string - token_in_param: - description: 'query parameter name where token is present' - type: array - items: - type: string - - basic_local_db: - description: 'Basic HTTP authentication, user data in local DB' - - required: - - name - - auth_policies: - description: "Auth policies" - type: array - items: - description: "Auth policy" - properties: - resource: - description: " endpoint/resource selection criteria" - properties: - path: - description: "api resource path e.g. /products. 
" - type: array - items: - type: string - method: - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST','DELETE'] - required: - - path - provider: - description: "name of the auth provider for the policy, empty if no authentication required" - type: array - items: - type: string - required: - - resource - - provider - - required: - - servicenames - ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: listeners.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -status: -spec: - group: citrix.com - version: v1alpha1 - names: - kind: Listener - plural: listeners - singular: listener - scope: Namespaced - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - JSONPath: .status.state - - name: Message - type: string - description: "Status Message" - JSONPath: .status.status_message - validation: - openAPIV3Schema: - required: [spec] - properties: - spec: - type: object - required: [protocol] - properties: - protocol: - type: string - enum: ["https", "http"] - description: "Protocol for this listener" - vip: - type: string - description: "Endpoint IP address, Optional for CPX, required for Tier-1 deployments" - port: - type: integer - minimum: 1 - maximum: 65535 - certificates: - type: array - description: "certificates attached to the endpoints - Not applicable for HTTP" - minItems: 1 - items: - type: object - properties: - preconfigured: - type: string - description: "Preconfigured Certificate name on ADC " - secret: - type: object - description: "Kuberentes secret object" - required: [name] - properties: - name: - type: string - description: "name of the Kubernetes Secret object where Cert is located" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - namespace: - type: string - description: "Namespace of the kubernetes secret object; Default is same namespace where the Listener 
object is located" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - default: - type: boolean - description: "Only one of the certificate can be marked as default which will be presented if none of the cert matches with the hostname" - routes: - type: array - description: "List of route objects attached to the listener" - minItems: 1 - items: - type: object - properties: - name: - type: string - description: "Name of the HTTPRoute object" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - namespace: - type: string - description: "Namespace of the HTTPRoute object" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - labelSelector: - description: "Labels key value pair, if the route carries the same labels, it is automatically attached" - type: object - additionalProperties: - type: string - oneOf: - - required: [name, namespace] - - required: [labelSelector] - defaultAction: - type: object - description: "Default action for the listener: One of Backend or Redirect" - properties: - backend: - type: object - oneOf: - - required: [kube] - properties: - kube: - type: object - required: [service, port] - properties: - service: - description: "Name of the backend service" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - port: - description: "Service port" - type: integer - minimum: 1 - maximum: 65535 - namespace: - description: "Service namespace" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - backendConfig: - description: "General backend service options" - properties: - secure_backend: - description: "Use Secure communications to the backends" - type: boolean - lbConfig: - description: "Citrix ADC LB vserver configurations for the backend. 
Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/load-balancing/lbvserver/lbvserver/ for all configurations" - type: object - additionalProperties: - type: string - servicegroupConfig: - description: "Citrix ADC service group configurations for the backend; Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/basic/servicegroup/servicegroup/ for all configurations" - type: object - additionalProperties: - type: string - redirect: - type: object - oneOf: - - required: [targetExpression] - - required: [hostRedirect] - - required: [httpsRedirect] - properties: - httpsRedirect: - description: "Change the scheme from http to https keeping URL intact" - type: boolean - hostRedirect: - description: "Host name specified is used for redirection with URL intact" - type: string - targetExpression: - description: "A target can be specified using Citrix ADC policy expression" - type: string - responseCode: - description: "Default response code is 302, which can be customised using this attribute" - type: integer - minimum: 100 - maximum: 599 - oneOf: - - required: ["backend"] - - required: ["redirect"] ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: httproutes.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - version: v1alpha1 - names: - kind: HTTPRoute - plural: httproutes - singular: httproute - scope: Namespaced - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - JSONPath: .status.state - - name: Message - type: string - description: "Status Message" - JSONPath: .status.status_message - validation: - openAPIV3Schema: - required: [spec] - properties: - spec: - type: object - required: [rules] - properties: - hostname: - type: array - description: "List of domain names that 
share the same route, default is '*'" - minItems: 1 - items: - type: string - description: "Domain name" - rules: - type: array - description: "List Content routing rules with an action defined" - minItems: 1 - items: - type: object - required: [name, action] - properties: - name: - type: string - description: "A name to represent the rule, this is used as an identifier in content routing policy name in ADC" - minLength: 1 - maxLength: 20 - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - match: - type: array - description: "List of rules with same action" - minItems: 1 - items: - type: object - anyOf: - - required: [path] - - required: [headers] - - required: [cookies] - - required: [queryParams] - - required: [method] - - required: [policyExpression] - properties: - path: - type: object - description: "URL Path based content routing" - properties: - prefix: - type: string - description: "URL path matches the prefix expression" - exact: - type: string - description: "URL Path must match exact path" - regex: - type: string - description: "PCRE based regex expression for path matching" - headers: - type: array - description: "List of header for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Header details for content routing, Check for existence of a header or header name-value match" - properties: - headerName: - type: object - description: "Header name based content routing, Here existence of header is used for routing" - properties: - exact: - type: string - description: "Header Name - treated as exact must exist" - contains: - type: string - description: "Header Name - A header must exist that contain the string the name" - regex: - type: string - description: "header Name - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. 
I.e header name must not exist" - oneOf: - - required: [exact] - - required: [contains] - - required: [regex] - headerValue: - type: object - description: "Header Name and Value based match" - properties: - name: - type: string - description: "Header name that must match the value" - exact: - type: string - description: "Header value - treated as exact" - contains: - type: string - description: "Header value - treated as contains" - regex: - type: string - description: "header value - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e header if present must not match the value" - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - queryParams: - type: array - description: "List of Query parameters for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Query parameters Name and Value based match" - properties: - name: - type: string - description: "Query name that must match the value. If no value is specified, matches with any value" - exact: - type: string - description: "Query value - Exact match" - contains: - type: string - description: "Query value - value must have the string(substring)" - regex: - type: string - description: "Query value - Value must match this regex patterm" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e query if present must not match the value" - anyOf: - - required: [name] - - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - cookies: - type: array - description: "List of Cookie params for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Cookie based routing" - properties: - name: - type: string - description: "cookie name that must match the value. 
If no value specified, it matches with any value" - exact: - type: string - description: "cookie value - treated as exact" - contains: - type: string - description: "cookie value - treated as substring" - regex: - type: string - description: "cookie value - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e cookie if present must not match the value" - anyOf: - - required: [name] - - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - method: - type: string - description: "HTTP method for content routing eg: POST, PUT, DELETE etc" - policyExpression: - type: string - description: "Citrix ADC policy expressions; refer: https://docs.citrix.com/en-us/netscaler/media/expression-prefix.pdf" - action: - type: object - description: "Action for the matched rule" - properties: - backend: - type: object - oneOf: - - required: [kube] - properties: - kube: - type: object - required: [service, port] - properties: - service: - description: "Name of the backend service" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - port: - description: "Service port" - type: integer - minimum: 1 - maximum: 65535 - backendConfig: - description: "General backend service options" - properties: - secure_backend: - description: "Use Secure communications to the backends" - type: boolean - lbConfig: - description: "Citrix ADC LB vserver configurations for the backend. 
Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/load-balancing/lbvserver/lbvserver/ for all configurations" - type: object - additionalProperties: - type: string - servicegroupConfig: - description: "Citrix ADC service group configurations for the backend; Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/basic/servicegroup/servicegroup/ for all configurations" - type: object - additionalProperties: - type: string - redirect: - type: object - oneOf: - - required: [targetExpression] - - required: [hostRedirect] - - required: [httpsRedirect] - properties: - httpsRedirect: - description: "Change the scheme from http to https keeping URL intact" - type: boolean - hostRedirect: - description: "Host name specified is used for redirection with URL intact" - type: string - targetExpression: - description: "A target can be specified using Citrix ADC policy expression" - type: string - responseCode: - description: "Default response code is 302, which can be customised using this attribute" - type: integer - minimum: 100 - maximum: 599 - oneOf: - - required: ["backend"] - - required: ["redirect"] ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - # name must match the spec fields below, and be in the form: . - name: continuousdeployments.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - # group name to use for REST API: /apis// - group: citrix.com - # list of versions supported by this CustomResourceDefinition - version: v1 - # - name: v1 - # Each version can be enabled/disabled by Served flag. - # served: true - # One and only one version must be marked as the storage version. 
- #storage: true - # either Namespaced or Cluster - scope: Namespaced - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - JSONPath: .status.state - - name: Message - type: string - description: "Status Message" - JSONPath: .status.status_message - names: - # plural name to be used in the URL: /apis/// - plural: continuousdeployments - # singular name to be used as an alias on the CLI and for display - singular: continuousdeployment - # kind is normally the CamelCased singular type. Your resource manifests use this. - kind: continuousDeploymentCustomConfig - # shortNames allow shorter string to match your resource on the CLI - shortNames: - - crd - - validation: - # openAPIV3Schema is the schema for validating custom objects. - openAPIV3Schema: - properties: - spec: - properties: - cronSpec: - type: integer ---- -{{- end }} \ No newline at end of file diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.8.2800/templates/citrix-k8s-cpx-ingress.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.8.2800/templates/citrix-k8s-cpx-ingress.yaml deleted file mode 100644 index d920cb67c8..0000000000 --- a/charts/citrix/citrix-cpx-with-ingress-controller/1.8.2800/templates/citrix-k8s-cpx-ingress.yaml +++ /dev/null 
@@ -1,221 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: cpx-ingress
-spec:
- selector:
- matchLabels:
- app: cpx-ingress
- replicas: 1
- template:
- metadata:
- name: cpx-ingress
- labels:
- app: cpx-ingress
- annotations:
- spec:
- serviceAccountName: cpx-ingress-k8s-role
- containers:
- - name: cpx-ingress
- image: "{{ .Values.image }}"
- imagePullPolicy: {{ .Values.pullPolicy }}
- securityContext:
- privileged: true
- env:
- - name: "EULA"
- value: "{{ .Values.license.accept }}"
- - name: "KUBERNETES_TASK_ID"
- value: ""
-{{- if .Values.ADMSettings.licenseServerIP }}
- - name: "LS_IP"
- value: {{ .Values.ADMSettings.licenseServerIP | quote }}
-{{- end }}
-{{- if .Values.ADMSettings.licenseServerPort }}
- - name: "LS_PORT"
- value: {{ .Values.ADMSettings.licenseServerPort | quote }}
-{{- end }}
- - name: "MGMT_HTTP_PORT"
- value: {{ .Values.mgmtHttpPort | quote }}
- - name: "MGMT_HTTPS_PORT"
- value: {{ .Values.mgmtHttpsPort | quote }}
-{{- if .Values.ADMSettings.ADMIP }}
- - name: "NS_MGMT_SERVER"
- value: {{ .Values.ADMSettings.ADMIP | quote }}
- - name: "NS_MGMT_FINGER_PRINT"
- value: {{ .Values.ADMSettings.ADMFingerPrint | quote }}
- - name: "NS_HTTP_PORT"
- value: {{ .Values.mgmtHttpPort | quote }}
- - name: "NS_HTTPS_PORT"
- value: {{ .Values.mgmtHttpsPort | quote }}
- - name: "LOGSTREAM_COLLECTOR_IP"
- value: {{ .Values.ADMSettings.ADMIP | quote }}
-{{- end }}
-#To povision bandwidth based licensing to Citrix ADC CPX from ADM, needs bandwidth
-{{- if and ( .Values.ADMSettings.licenseServerIP ) (eq .Values.ADMSettings.bandWidthLicense true) }}
- - name: "BANDWIDTH"
- value: {{ required "Mention bandwidth for bandwidth based licensing" .Values.ADMSettings.bandWidth | quote }}
-{{- end }}
-#for multiple-PE support, need to set CPX_CORES
-{{- if .Values.ADMSettings.licenseServerIP }}
-{{- if or (eq .Values.ADMSettings.vCPULicense true) (eq .Values.ADMSettings.bandWidthLicense true) }}
- - name: "CPX_CORES"
- value: {{ .Values.ADMSettings.cpxCores | default 1 | quote }}
-{{- end }}
-{{- end }}
-{{- if or (.Values.ADMSettings.ADMIP) (.Values.ADMSettings.licenseServerIP) }}
- - name: NS_MGMT_USER
- valueFrom:
- secretKeyRef:
- name: {{ required "Provide Secret for ADM/LicenseServer credentials" .Values.ADMSettings.loginSecret }}
- key: username
- - name: NS_MGMT_PASS
- valueFrom:
- secretKeyRef:
- name: {{ required "Provide Secret for ADM/LicenseServer credentials" .Values.ADMSettings.loginSecret }}
- key: password
-{{- end }}
- volumeMounts:
- - mountPath: /cpx/conf/
- name: cpx-volume1
- - mountPath: /cpx/crash/
- name: cpx-volume2
-{{- if .Values.cic.required }}
- # Add cic as a sidecar
- - name: cic
- image: "{{ .Values.cic.image }}"
- imagePullPolicy: {{ .Values.cic.pullPolicy }}
- env:
- - name: "EULA"
- value: "{{ .Values.license.accept }}"
- - name: "NS_IP"
- value: "127.0.0.1"
- - name: "NS_APPS_NAME_PREFIX"
- value: {{ .Values.nsNamespace | default "k8s"}}
- - name: "NS_DEPLOYMENT_MODE"
- value: "SIDECAR"
- - name: "NS_ENABLE_MONITORING"
- value: "YES"
- - name: "NS_USER"
- valueFrom:
- secretKeyRef:
- name: cpxlogin
- key: username
- - name: "NS_PASSWORD"
- valueFrom:
- secretKeyRef:
- name: cpxlogin
- key: password
-{{- if .Values.logProxy }}
- - name: "NS_LOGPROXY"
- value: {{ .Values.logProxy | quote }}
-{{- end }}
- - name: POD_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
-{{- if .Values.kubernetesURL }}
- - name: "kubernetes_url"
- value: "{{ .Values.kubernetesURL }}"
-{{- end }}
- args:
- - --configmap
- {{ .Release.Namespace }}/cpx-cic-configmap
-{{- if .Values.ingressClass }}
- - --ingress-class
-{{- range .Values.ingressClass}}
- {{.}}
-{{- end }}
-{{- end }}
-{{- if .Values.defaultSSLCert }}
- - --default-ssl-certificate
- {{ .Release.Namespace }}/{{ .Values.defaultSSLCert }}
-{{- end }}
-{{- end }}
-{{- if .Values.exporter.required }}
- - name: exporter
- image: "{{ .Values.exporter.image }}"
- imagePullPolicy: {{ .Values.exporter.pullPolicy }}
- args:
- - "--secure=no"
- - "--target-nsip=127.0.0.1"
- - "--port={{ .Values.exporter.ports.containerPort }}"
- env:
- - name: "NS_USER"
- valueFrom:
- secretKeyRef:
- name: cpxlogin
- key: username
- - name: "NS_PASSWORD"
- valueFrom:
- secretKeyRef:
- name: cpxlogin
- key: password
- securityContext:
- readOnlyRootFilesystem: true
-{{- end }}
- volumes:
- - name: cpx-volume1
- emptyDir: {}
- - name: cpx-volume2
- emptyDir: {}
-{{- if and .Values.nodeSelector.key .Values.nodeSelector.value }}
- nodeSelector:
- {{ .Values.nodeSelector.key }}: {{ .Values.nodeSelector.value }}
-{{- end }}
-
----
-
-apiVersion: v1
-kind: Service
-metadata:
- name: cpx-service
- labels:
- app: cpx-service
- service-type: citrix-adc-cpx-monitor
-spec:
- type: NodePort
- ports:
- - port: 80
- protocol: TCP
- name: http
- - port: 443
- protocol: TCP
- name: https
-{{- if .Values.exporter.required }}
- - port: {{ .Values.exporter.ports.containerPort }}
- targetPort: {{ .Values.exporter.ports.containerPort }}
- name: exporter-port
-{{- end }}
- selector:
- app: cpx-ingress
-
----
-
-{{- if .Values.exporter.required }}
-
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
- name: citrix-adc-cpx-servicemonitor
- labels:
- servicemonitor: citrix-adc-cpx
-spec:
- endpoints:
- - interval: 30s
- port: exporter-port
- selector:
- matchLabels:
- service-type: citrix-adc-cpx-monitor
- namespaceSelector:
- matchNames:
- - monitoring
- - default
- - {{ .Release.Namespace }}
-
-{{- end }}
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.8.2800/templates/configmap.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.8.2800/templates/configmap.yaml
deleted file mode 100644
index dd0c1bbee8..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.8.2800/templates/configmap.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: cpx-cic-configmap
- labels:
- app: citrix-ingress-controller
-data:
- LOGLEVEL: {{ .Values.logLevel | quote | lower }}
- NS_PROTOCOL: "http"
- NS_PORT: "80"
- NS_HTTP2_SERVER_SIDE: {{ .Values.http2ServerSide | quote | upper }}
-{{- if .Values.coeConfig.required }}
- NS_ANALYTICS_CONFIG: |
- distributed_tracing:
- enable: {{ .Values.coeConfig.distributedTracing.enable | quote }}
- samplingrate: {{ .Values.coeConfig.distributedTracing.samplingrate }}
- endpoint:
- server: {{ include "analytics.server" . | quote }}
- timeseries:
- port: {{ .Values.coeConfig.timeseries.port }}
- metrics:
- enable: {{ .Values.coeConfig.timeseries.metrics.enable | quote }}
- mode: {{ .Values.coeConfig.timeseries.metrics.mode | quote }}
- auditlogs:
- enable: {{ .Values.coeConfig.timeseries.auditlogs.enable | quote }}
- events:
- enable: {{ .Values.coeConfig.timeseries.events.enable | quote }}
- transactions:
- enable: {{ .Values.coeConfig.transactions.enable | quote }}
- port: {{ .Values.coeConfig.transactions.port }}
-{{- end }}
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.8.2800/templates/login_credentials.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.8.2800/templates/login_credentials.yaml
deleted file mode 100644
index 0e22ef9dd8..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.8.2800/templates/login_credentials.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- name: cpxlogin
-type: Opaque
-data:
- username: bnNyb290
- password: bnNyb290
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.8.2800/templates/rbac.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.8.2800/templates/rbac.yaml
deleted file mode 100644
index 66482380dc..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.8.2800/templates/rbac.yaml
+++ /dev/null
@@ -1,73 +0,0 @@
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
-metadata:
- name: cpx-ingress-k8s-role
-rules:
- - apiGroups: [""]
-{{- if .Values.openshift }}
- resources: ["endpoints", "ingresses", "pods", "secrets", "routes", "tokenreviews", "subjectaccessreviews", "nodes", "namespaces", "configmaps"]
-{{- else }}
- resources: ["endpoints", "ingresses", "pods", "secrets", "routes", "nodes", "namespaces", "configmaps"]
-{{- end}}
- verbs: ["get", "list", "watch"]
- # services/status is needed to update the loadbalancer IP in service status for integrating
- # service of type LoadBalancer with external-dns
- - apiGroups: [""]
- resources: ["services/status"]
- verbs: ["patch"]
- - apiGroups: [""]
- resources: ["services"]
- verbs: ["get", "list", "watch", "patch"]
- - apiGroups: [""]
- resources: ["events"]
- verbs: ["create"]
- - apiGroups: ["extensions","networking.k8s.io"]
- resources: ["ingresses"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["extensions","networking.k8s.io"]
- resources: ["ingresses/status"]
- verbs: ["patch"]
- - apiGroups: ["apiextensions.k8s.io"]
- resources: ["customresourcedefinitions"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["apps"]
- resources: ["deployments"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["citrix.com"]
- resources: ["rewritepolicies", "continuousdeployments", "authpolicies", "ratelimits", "listeners", "httproutes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["citrix.com"]
- resources: ["rewritepolicies/status", "continuousdeployments/status", "authpolicies/status", "ratelimits/status", "listeners/status", "httproutes/status"]
- verbs: ["get", "list", "patch"]
- - apiGroups: ["citrix.com"]
- resources: ["vips"]
- verbs: ["get", "list", "watch", "create", "delete"]
- - apiGroups: ["route.openshift.io"]
- resources: ["routes"]
- verbs: ["get", "list", "watch"]
-
----
-
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
-metadata:
- name: 
cpx-ingress-k8s-role
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: cpx-ingress-k8s-role
-subjects:
-- kind: ServiceAccount
- name: cpx-ingress-k8s-role
- namespace: {{ .Release.Namespace }}
-apiVersion: rbac.authorization.k8s.io/v1
-
----
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: cpx-ingress-k8s-role
- namespace: {{ .Release.Namespace }}
-
----
diff --git a/charts/citrix/citrix-cpx-with-ingress-controller/1.8.2800/values.yaml b/charts/citrix/citrix-cpx-with-ingress-controller/1.8.2800/values.yaml
deleted file mode 100644
index cda67583c2..0000000000
--- a/charts/citrix/citrix-cpx-with-ingress-controller/1.8.2800/values.yaml
+++ /dev/null
@@ -1,81 +0,0 @@
-# Default values for citrix-cpx-with-ingress-controller.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-# cpximage contains information needed to fetch CPX image
-image: quay.io/citrix/citrix-k8s-cpx-ingress:13.0-58.30
-pullPolicy: IfNotPresent
-# cicimage contains information needed to fetch CIC image
-cic:
- image: quay.io/citrix/citrix-k8s-ingress-controller:1.8.28
- pullPolicy: IfNotPresent
- required: true
-
-mgmtHttpPort: 9080
-
-mgmtHttpsPort: 9443
-# openshift is set to true if charts are being deployed in OpenShift environment.
-openshift: false
-# nsNamespace is the prefix for the resources on the Citrix ADC
-nsNamespace:
-# license is used accept the terms of the Citrix license
-license:
- accept: no
-# ingressClass is the name of the Ingress Class
-ingressClass:
-# logLevel is to set level of CIC Logs
-logLevel: DEBUG
-# Default SSL certificate
-defaultSSLCert:
-# Elasticsearch or Kafka or Zipkin endpoint for Citrix observability exporter
-logProxy:
-# Set to ON to enables HTTP2 for Citrix ADC service group configurations
-http2ServerSide: "OFF"
-nodeSelector:
- key:
- value:
-
-ADMSettings:
- licenseServerIP:
- licenseServerPort: 27000
- ADMIP:
- ADMFingerPrint:
- loginSecret:
- bandWidthLicense: false
- bandWidth:
- vCPULicense: false
- cpxCores:
-
-# exporter conatins information of prometheus-exporter
-exporter:
- required: false
- image: quay.io/citrix/citrix-adc-metrics-exporter:1.4.4
- pullPolicy: IfNotPresent
- ports:
- containerPort: 8888
-
-coeConfig:
- required: false
- distributedTracing:
- enable: false
- samplingrate: 100
- endpoint:
- server:
- timeseries:
- port: 5563
- metrics:
- enable: false
- mode: 'avro'
- auditlogs:
- enable: false
- events:
- enable: false
- transactions:
- enable: false
- port: 5557
-
-crds:
-# If false, CustomResourceDefinitions will not be installed.
- install: true
-# if set to true, then CustomResourceDefinitions will not be deleted during helm delete. This way, CustomResourceObjects will not be deleted from the database.
- retainOnDelete: false
diff --git a/charts/citrix/citrix-ingress-controller/1.19.600/Chart.yaml b/charts/citrix/citrix-ingress-controller/1.19.600/Chart.yaml
deleted file mode 100644
index 2c95727218..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.19.600/Chart.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-annotations:
- catalog.cattle.io/certified: partner
- catalog.cattle.io/display-name: Citrix Ingress Controller
- catalog.cattle.io/release-name: citrix-ingress-controller
-apiVersion: v2
-appVersion: 1.19.6
-deprecated: true
-description: A Helm chart for Citrix Ingress Controller configuring MPX/VPX.
-home: https://www.citrix.com
-icon: https://raw.githubusercontent.com/citrix/citrix-xds-adaptor/master/docs/media/Citrix_Logo_Trademark.png
-kubeVersion: '>=v1.16.0-0'
-maintainers:
-- email: priyanka.sharma@citrix.com
- name: priyankash-citrix
-- email: subash.dangol@citrix.com
- name: subashd
-name: citrix-ingress-controller
-sources:
-- https://github.com/citrix/citrix-k8s-ingress-controller
-version: 1.19.600
diff --git a/charts/citrix/citrix-ingress-controller/1.19.600/README.md b/charts/citrix/citrix-ingress-controller/1.19.600/README.md
deleted file mode 100644
index fd2c7c74e5..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.19.600/README.md
+++ /dev/null
@@ -1,438 +0,0 @@ -# Citrix Ingress Controller - -[Citrix](https://www.citrix.com/en-in/) provides an Ingress Controller for Citrix ADC MPX (hardware), Citrix ADC VPX (virtualized), and [Citrix ADC CPX](https://docs.citrix.com/en-us/citrix-adc-cpx/13/about.html) (containerized) for [bare metal](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/deployment/baremetal) and [cloud](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/deployment) deployments. It configures one or more Citrix ADC based on the Ingress resource configuration in [Kubernetes](https://kubernetes.io/) or in [OpenShift](https://www.openshift.com) cluster. - -## TL;DR; - -### For Kubernetes - ``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install cic citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret= - ``` - - To install Citrix Provided Custom Resource Definition(CRDs) along with Citrix Ingress Controller - ``` - helm install cic citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,crds.install=true - ``` - -### For OpenShift - - ``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install cic citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,openshift=true - ``` - - To install Citrix Provided Custom Resource Definition(CRDs) along with Citrix Ingress Controller - ``` - helm install cic citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,openshift=true,crds.install=true - ``` - -> **Important:** -> -> The `license.accept` argument is mandatory. Ensure that you set the value as `yes` to accept the terms and conditions of the Citrix license. - -## Introduction -This Helm chart deploys Citrix ingress controller in the [Kubernetes](https://kubernetes.io) or in the [Openshift](https://www.openshift.com) cluster using [Helm](https://helm.sh) package manager. 
- -### Prerequisites - -- The [Kubernetes](https://kubernetes.io/) version should be 1.16 and above if using Kubernetes environment. -- The [Openshift](https://www.openshift.com) version 3.11.x or later if using OpenShift platform. -- The [Helm](https://helm.sh/) version 3.x or later. You can follow instruction given [here](https://github.com/citrix/citrix-helm-charts/blob/master/Helm_Installation_version_3.md) to install the same. -- You determine the NS_IP IP address needed by the controller to communicate with Citrix ADC. The IP address might be anyone of the following depending on the type of Citrix ADC deployment: - - - (Standalone appliances) NSIP - The management IP address of a standalone Citrix ADC appliance. For more information, see [IP Addressing in Citrix ADC](https://docs.citrix.com/en-us/citrix-adc/12-1/networking/ip-addressing.html). - - - (Appliances in High Availability mode) SNIP - The subnet IP address. For more information, see [IP Addressing in Citrix ADC](https://docs.citrix.com/en-us/citrix-adc/12-1/networking/ip-addressing.html). - - - (Appliances in Clustered mode) CLIP - The cluster management IP (CLIP) address for a clustered Citrix ADC deployment. For more information, see [IP addressing for a cluster](https://docs.citrix.com/en-us/citrix-adc/12-1/clustering/cluster-overview/ip-addressing.html). - -- You have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator), if you want to view the metrics of the Citrix ADC CPX collected by the [metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics). - -- The user name and password of the Citrix ADC VPX or MPX appliance used as the ingress device. The Citrix ADC appliance needs to have system user account (non-default) with certain privileges so that Citrix ingress controller can configure the Citrix ADC VPX or MPX appliance. 
For instructions to create the system user account on Citrix ADC, see [Create System User Account for CIC in Citrix ADC](#create-system-user-account-for-cic-in-citrix-adc). - - You can pass user name and password using Kubernetes secrets. Create a Kubernetes secret for the user name and password using the following command: - - ``` - kubectl create secret generic nslogin --from-literal=username='cic' --from-literal=password='mypassword' - ``` - -#### Create system User account for Citrix ingress controller in Citrix ADC - -Citrix ingress controller configures the Citrix ADC using a system user account of the Citrix ADC. The system user account should have certain privileges so that the CIC has permission configure the following on the Citrix ADC: - -- Add, Delete, or View Content Switching (CS) virtual server -- Configure CS policies and actions -- Configure Load Balancing (LB) virtual server -- Configure Service groups -- Cofigure SSl certkeys -- Configure routes -- Configure user monitors -- Add system file (for uploading SSL certkeys from Kubernetes) -- Configure Virtual IP address (VIP) -- Check the status of the Citrix ADC appliance - -> **Note:** -> -> The system user account would have privileges based on the command policy that you define. - -To create the system user account, do the following: - -1. Log on to the Citrix ADC appliance. Perform the following: - 1. Use an SSH client, such as PuTTy, to open an SSH connection to the Citrix ADC appliance. - - 2. Log on to the appliance by using the administrator credentials. - -2. Create the system user account using the following command: - - ``` - add system user - ``` - - For example: - - ``` - add system user cic mypassword - ``` - -3. Create a policy to provide required permissions to the system user account. 
Use the following command: - - ``` - add cmdpolicy cic-policy ALLOW "(^\S+\s+cs\s+\S+)|(^\S+\s+lb\s+\S+)|(^\S+\s+service\s+\S+)|(^\S+\s+servicegroup\s+\S+)|(^stat\s+system)|(^show\s+ha)|(^\S+\s+ssl\s+certKey)|(^\S+\s+ssl)|(^\S+\s+route)|(^\S+\s+monitor)|(^show\s+ns\s+ip)|(^\S+\s+system\s+file)" - ``` - -4. Bind the policy to the system user account using the following command: - - ``` - bind system user cic cic-policy 0 - ``` - -## Installing the Chart -Add the Citrix Ingress Controller helm chart repository using command: - -``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ -``` - -### For Kubernetes: -#### 1. Citrix Ingress Controller -To install the chart with the release name, `my-release`, use the following command: - ``` - helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,ingressClass[0]= - ``` - -> **Note:** -> -> By default the chart installs the recommended [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) roles and role bindings. - -The command deploys Citrix ingress controller on Kubernetes cluster with the default configuration. The [configuration](#configuration) section lists the mandatory and optional parameters that you can configure during installation. - -#### 2. Citrix Ingress Controller with Exporter -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed along with Citrix ingress controller and collects metrics from the Citrix ADC instances. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. - -> **Note:** -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). 
- -Use the following command for this: - ``` - helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,ingressClass[0]=,exporter.required=true - ``` - -### For Openshift: -Add the name of the service account created when the chart is deployed to the privileged Security Context Constraints of OpenShift: - - ``` - oc adm policy add-scc-to-user privileged system:serviceaccount:: - ``` - -#### 1. Citrix Ingress Controller -To install the chart with the release name, `my-release`, use the following command: - ``` - helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,openshift=true - ``` - -The command deploys Citrix ingress controller on your Openshift cluster in the default configuration. The [configuration](#configuration) section lists the mandatory and optional parameters that you can configure during installation. - -#### 2. Citrix Ingress Controller with Exporter -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed along with Citrix ingress controller and collects metrics from the Citrix ADC instances. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. 
- -> **Note:** -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator) - -Use the following command for this: - ``` - helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,openshift=true,exporter.required=true - ``` - -### Installed components - -The following components are installed: - -- [Citrix ingress controller](https://github.com/citrix/citrix-k8s-ingress-controller) -- [Exporter](https://github.com/citrix/citrix-adc-metrics-exporter) (if enabled) - -## Configuration for ServiceGraph: - If Citrix ADC VPX/MPX need to send data to the Citrix ADM to bring up the servicegraph, then the below steps can be followed to install Citrix ingress controller for Citrix ADC VPX/MPX. Citrix ingress controller configures Citrix ADC VPX/MPX with the configuration required for servicegraph. - - 1. Create secret using Citrix ADC VPX credentials, which will be used by Citrix ingress controller for configuring Citrix ADC VPX/MPX: - - kubectl create secret generic nslogin --from-literal=username='cic' --from-literal=password='mypassword' - - 2. Deploy Citrix ingress controller using helm command: - - helm install my-release citrix/citrix-ingress-controller --set nsIP=,nsVIP=,license.accept=yes,adcCredentialSecret=,coeConfig.required=true,coeConfig.timeseries.metrics.enable=true,coeConfig.timeseries.port=5563,coeConfig.distributedTracing.enable=true,coeConfig.transactions.enable=true,coeConfig.transactions.port=5557,coeConfig.endpoint.server= - -> **Note:** -> If container agent is being used here for Citrix ADM, please provide `podIP` of container agent in the `coeConfig.endpoint.server` parameter. - -## CRDs configuration - -CRDs can be installed/upgraded when we install/upgrade Citrix ingress controller using `crds.install=true` parameter in Helm. If you do not want to install CRDs, then set the option `crds.install` to `false`. 
By default, CRDs too get deleted if you uninstall through Helm. This means, even the CustomResource objects created by the customer will get deleted. If you want to avoid this data loss set `crds.retainOnDelete` to `true`. - -> **Note:** -> Installing again may fail due to the presence of CRDs. Make sure that you back up all CustomResource objects and clean up CRDs before re-installing Citrix Ingress Controller. - -There are a few examples of how to use these CRDs, which are placed in the folder: [Example-CRDs](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds). Refer to them and install as needed, using the following command: -```kubectl create -f ``` - -### Details of the supported CRDs: - -#### authpolicies CRD: - -Authentication policies are used to enforce access restrictions to resources hosted by an application or an API server. - -Citrix provides a Kubernetes CustomResourceDefinitions (CRDs) called the [Auth CRD](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/auth) that you can use with the Citrix ingress controller to define authentication policies on the ingress Citrix ADC. - -Example file: [auth_example.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/auth_example.yaml) - -#### continuousdeployments CRD for canary: - -Canary release is a technique to reduce the risk of introducing a new software version in production by first rolling out the change to a small subset of users. After user validation, the application is rolled out to the larger set of users. Citrix ADC-Integrated [Canary Deployment solution](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/canary) stitches together all components of continuous delivery (CD) and makes canary deployment easier for the application developers. 
- -#### httproutes and listeners CRDs for contentrouting: - -[Content Routing (CR)](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/contentrouting) is the execution of defined rules that determine the placement and configuration of network traffic between users and web applications, based on the content being sent. For example, a pattern in the URL or header fields of the request. - -Example files: [HTTPRoute_crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/HTTPRoute_crd.yaml), [Listener_crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/Listener_crd.yaml) - -#### ratelimits CRD: - -In a Kubernetes deployment, you can [rate limit the requests](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/ratelimit) to the resources on the back end server or services using rate limiting feature provided by the ingress Citrix ADC. - -Example files: [ratelimit-example1.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/ratelimit-example1.yaml), [ratelimit-example2.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/ratelimit-example2.yaml) - -#### vips CRD: - -Citrix provides a CustomResourceDefinitions (CRD) called [VIP](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/vip) for asynchronous communication between the IPAM controller and Citrix ingress controller. - -The IPAM controller is provided by Citrix for IP address management. It allocates IP address to the service from a defined IP address range. The Citrix ingress controller configures the IP address allocated to the service as virtual IP (VIP) in Citrix ADX VPX. And, the service is exposed using the IP address. - -When a new service is created, the Citrix ingress controller creates a CRD object for the service with an empty IP address field. 
The IPAM Controller listens to addition, deletion, or modification of the CRD and updates it with an IP address to the CRD. Once the CRD object is updated, the Citrix ingress controller automatically configures Citrix ADC-specfic configuration in the tier-1 Citrix ADC VPX. - -#### rewritepolicies CRD: - -In kubernetes environment, to deploy specific layer 7 policies to handle scenarios such as, redirecting HTTP traffic to a specific URL, blocking a set of IP addresses to mitigate DDoS attacks, imposing HTTP to HTTPS and so on, requires you to add appropriate libraries within the microservices and manually configure the policies. Instead, you can use the [Rewrite and Responder features](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/crd/rewrite-responder-policies-deployment.yaml) provided by the Ingress Citrix ADC device to deploy these policies. - -Example files: [target-url-rewrite.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/target-url-rewrite.yaml) - -#### wafs CRD: - -[WAF CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/waf.md) can be used to configure the web application firewall policies with the Citrix ingress controller on the Citrix ADC VPX, MPX, SDX, and CPX. The WAF CRD enables communication between the Citrix ingress controller and Citrix ADC for enforcing web application firewall policies. - -In a Kubernetes deployment, you can enforce a web application firewall policy to protect the server using the WAF CRD. For more information about web application firewall, see [Web application security](https://docs.citrix.com/en-us/citrix-adc/13/application-firewall/introduction/web-application-security.html). - -Example files: [wafhtmlxsssql.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/wafhtmlxsssql.yaml) - -#### apigateway CRD: - -API Gateway CRD is used to configure gitops framework on citrix API gateway. 
This solution enables citrix ingress controller to generate API gateway configurations out of Open API Specification documents checked in to git repository by API developers and designers. - -Example files: [api-gateway-crd-instance.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/api-gateway-crd-instance.yaml) -#### bots CRD: - -[BOT CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/bot.md) You can use Bot CRDs to configure the bot management policies with the Citrix ingress controller on the Citrix ADC VPX. The Bot custom resource definition enables communication between the Citrix ingress controller and Citrix ADC for enforcing bot management policies. - -In a Kubernetes deployment, you can enforce bot management policy on therequests and responses from and to the server using the Bot CRDs. For more information on security vulnerabilities, see [Bot Detection](https://docs.citrix.com/en-us/citrix-adc/current-release/bot-management/bot-detection.html). - -Example files: [botallowlist.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/botallowlist.yaml) - -#### CORS CRD: - -[CORS CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/cors.md) Cross-origin resource sharing (CORS) is a mechanism allows a web application running under one domain to securely access resources in another domain. You can configure CORS policies on Citrix ADC using Citrix ingress controller to allow one domain (the origin domain) to call APIs in another domain. For more information, see the [cross-origin resource sharing CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/cors.md) documentation. - -Example files: [cors-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/corspolicy-example.yaml) - -### Tolerations - -Taints are applied on cluster nodes whereas tolerations are applied on pods. 
Tolerations enable pods to be scheduled on node with matching taints. For more information see [Taints and Tolerations in Kubernetes](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/). - -Toleration can be applied to Citrix ingress controller pod using `tolerations` argument while deploying CIC using helm chart. This argument takes list of tolerations that user need to apply on the CIC pods. - -For example, following command can be used to apply toleration on the CIC pod: - -``` -helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,tolerations[0].key=,tolerations[0].value=,tolerations[0].operator=,tolerations[0].effect= -``` - -Here tolerations[0].key, tolerations[0].value and tolerations[0].effect are the key, value and effect that was used while tainting the node. -Effect represents what should happen to the pod if the pod don't have any matching toleration. It can have values `NoSchedule`, `NoExecute` and `PreferNoSchedule`. -Operator represents the operation to be used for key and value comparison between taint and tolerations. It can have values `Exists` and `Equal`. The default value for operator is `Equal`. - - - -### Configuration - -The following table lists the mandatory and optional parameters that you can configure during installation: - -| Parameters | Mandatory or Optional | Default value | Description | -| --------- | --------------------- | ------------- | ----------- | -| license.accept | Mandatory | no | Set `yes` to accept the CIC end user license agreement. | -| image | Mandatory | `quay.io/citrix/citrix-k8s-ingress-controller:1.19.6` | The CIC image. | -| pullPolicy | Mandatory | IfNotPresent | The CIC image pull policy. | -| imagePullSecrets | Optional | N/A | Provide list of Kubernetes secrets to be used for pulling the images from a private Docker registry or repository. 
For more information on how to create this secret please see [Pull an Image from a Private Registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/). | -| adcCredentialSecret | Mandatory | N/A | The secret key to log on to the Citrix ADC VPX or MPX. For information on how to create the secret keys, see [Prerequisites](#prerequistes). | -| nsIP | Mandatory | N/A | The IP address of the Citrix ADC device. For details, see [Prerequisites](#prerequistes). | -| nsVIP | Optional | N/A | The Virtual IP address on the Citrix ADC device. | -| nsSNIPS | Optional | N/A | The list of subnet IPAddresses on the Citrix ADC device, which will be used to create PBR Routes instead of Static Routes [PBR support](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/docs/how-to/pbr.md) | -| nsPort | Optional | 443 | The port used by CIC to communicate with Citrix ADC. You can use port 80 for HTTP. | -| nsProtocol | Optional | HTTPS | The protocol used by CIC to communicate with Citrix ADC. You can also use HTTP on port 80. | -| logLevel | Optional | DEBUG | The loglevel to control the logs generated by CIC. The supported loglevels are: CRITICAL, ERROR, WARNING, INFO, DEBUG and TRACE. For more information, see [Logging](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/configure/log-levels.md).| -| kubernetesURL | Optional | N/A | The kube-apiserver url that CIC uses to register the events. If the value is not specified, CIC uses the [internal kube-apiserver IP address](https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod). | -| clusterName | Optional | N/A | The unique identifier of the kubernetes cluster on which the CIC is deployed. Used in multi-cluster deployments. | -| ingressClass | Optional | N/A | If multiple ingress load balancers are used to load balance different ingress resources. 
You can use this parameter to specify CIC to configure Citrix ADC associated with specific ingress class. For more information on Ingress class, see [Ingress class support](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/configure/ingress-classes/). For Kubernetes version >= 1.19, this will create an IngressClass object with the name specified here | -| setAsDefaultIngressClass | Optional | False | Set the IngressClass object as default ingress class. New Ingresses without an "ingressClassName" field specified will be assigned the class specified in ingressClass. Applicable only for kubernetes versions >= 1.19 | -| serviceClass | Optional | N/A | By Default ingress controller configures all TypeLB Service on the ADC. You can use this parameter to finetune this behavior by specifing CIC to only configure TypeLB Service with specific service class. For more information on Service class, see [Service class support](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/configure/service-classes/). | -| nodeWatch | Optional | false | Use the argument if you want to automatically configure network route from the Ingress Citrix ADC VPX or MPX to the pods in the Kubernetes cluster. For more information, see [Automatically configure route on the Citrix ADC instance](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/network/staticrouting/#automatically-configure-route-on-the-citrix-adc-instance). | -| cncPbr | Optional | False | Use this argument to inform CIC that Citrix Node Controller(CNC) is configuring Policy Based Routes(PBR) on the Citrix ADC. For more information, see [CNC-PBR-SUPPORT](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/docs/how-to/pbr.md#configure-pbr-using-the-citrix-node-controller) | -| defaultSSLCertSecret | Optional | N/A | Provide Kubernetes secret name that needs to be used as a default non-SNI certificate in Citrix ADC. 
|
-| podIPsforServiceGroupMembers | Optional | False | By default Citrix Ingress Controller will add NodeIP and NodePort as service group members while configuring type LoadBalancer Services and NodePort services. This variable if set to `True` will change the behaviour to add pod IP and Pod port instead of nodeIP and nodePort. Users can set this to `True` if there is a route between ADC and K8s clusters internal pods either using feature-node-watch argument or using Citrix Node Controller. |
-| ignoreNodeExternalIP | Optional | False | While adding NodeIP, as Service group members for type LoadBalancer services or NodePort services, Citrix Ingress Controller has a selection criteria whereas it choose Node ExternalIP if available and Node InternalIP, if Node ExternalIP is not present. But some users may want to use Node InternalIP over Node ExternalIP even if Node ExternalIP is present. If this variable is set to `True`, then it prioritises the Node Internal IP to be used for service group members even if node ExternalIP is present |
-| nsHTTP2ServerSide | Optional | OFF | Set this argument to `ON` for enabling HTTP2 for Citrix ADC service group configurations. |
-| nsCookieVersion | Optional | 0 | Specify the persistence cookie version (0 or 1). |
-| ipam | Optional | False | Set this argument if you want to use the IPAM controller to automatically allocate an IP address to the service of type LoadBalancer. |
-| logProxy | Optional | N/A | Provide Elasticsearch or Kafka or Zipkin endpoint for Citrix observability exporter. |
-| entityPrefix | Optional | k8s | The prefix for the resources on the Citrix ADC VPX/MPX. |
-| updateIngressStatus | Optional | False | Set this argurment if `Status.LoadBalancer.Ingress` field of the Ingress resources managed by the Citrix ingress controller needs to be updated with allocated IP addresses.
For more information see [this](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/configure/ingress-classes.md#updating-the-ingress-status-for-the-ingress-resources-with-the-specified-ip-address). |
-| routeLabels | Optional | N/A | You can use this parameter to provide the route labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster. |
-| namespaceLabels | Optional | N/A | You can use this parameter to provide the namespace labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster. |
-| exporter.required | Optional | false | Use the argument, if you want to run the [Exporter for Citrix ADC Stats](https://github.com/citrix/citrix-adc-metrics-exporter) along with CIC to pull metrics for the Citrix ADC VPX or MPX|
-| exporter.image | Optional | `quay.io/citrix/citrix-adc-metrics-exporter:1.4.9` | The Exporter image. |
-| exporter.pullPolicy | Optional | IfNotPresent | The Exporter image pull policy. |
-| exporter.ports.containerPort | Optional | 8888 | The Exporter container port. |
-| openshift | Optional | false | Set this argument if OpenShift environment is being used. |
-| nodeSelector.key | Optional | N/A | Node label key to be used for nodeSelector option in CIC deployment. |
-| nodeSelector.value | Optional | N/A | Node label value to be used for nodeSelector option in CIC deployment. |
-| tolerations | Optional | N/A | Specify the tolerations for the CIC deployment. |
-| crds.install | Optional | False | Unset this argument if you don't want to install CustomResourceDefinitions which are consumed by CIC. |
-| crds.retainOnDelete | Optional | false | Set this argument if you want to retain CustomResourceDefinitions even after uninstalling CIC. This will avoid data-loss of Custom Resource Objects created before uninstallation.
|
-| coeConfig.required | Mandatory | false | Set this to true if you want to configure Citrix ADC to send metrics and transaction records to COE. |
-| coeConfig.distributedTracing.enable | Optional | false | Set this value to true to enable OpenTracing in Citrix ADC. |
-| coeConfig.distributedTracing.samplingrate | Optional | 100 | Specifies the OpenTracing sampling rate in percentage. |
-| coeConfig.endpoint.server | Optional | N/A | Set this value as the IP address or DNS address of the analytics server. |
-| coeConfig.timeseries.port | Optional | 30002 | Specify the port used to expose COE service outside cluster for timeseries endpoint. |
-| coeConfig.timeseries.metrics.enable | Optional | False | Set this value to true to enable sending metrics from Citrix ADC. |
-| coeConfig.timeseries.metrics.mode | Optional | avro | Specifies the mode of metric endpoint. |
-| coeConfig.timeseries.auditlogs.enable | Optional | false | Set this value to true to export audit log data from Citrix ADC. |
-| coeConfig.timeseries.events.enable | Optional | false | Set this value to true to export events from the Citrix ADC. |
-| coeConfig.transactions.enable | Optional | false | Set this value to true to export transactions from Citrix ADC. |
-| coeConfig.transactions.port | Optional | 30001 | Specify the port used to expose COE service outside cluster for transaction endpoint. |
-
-Alternatively, you can define a YAML file with the values for the parameters and pass the values while installing the chart.
-
-For example:
- ```
- helm install my-release citrix/citrix-ingress-controller -f values.yaml
- ```
-
-> **Tip:**
->
-> The [values.yaml](https://github.com/citrix/citrix-helm-charts/blob/master/citrix-ingress-controller/values.yaml) contains the default values of the parameters.
-
-> **Note:**
->
-> Please provide frontend-ip (VIP) in your application ingress yaml file.
For more info refer [this](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/configure/annotations.md).
-
-## Route Addition in MPX/VPX
-For seamless functioning of services deployed in the Kubernetes cluster, it is essential that Ingress NetScaler device should be able to reach the underlying overlay network over which Pods are running.
-`feature-node-watch` knob of Citrix Ingress Controller can be used for automatic route configuration on NetScaler towards the pod network. Refer [Static Route Configuration](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/staticrouting.md) for further details regarding the same.
-By default, `feature-node-watch` is false. It needs to be explicitly set to true if auto route configuration is required.
-
-This can also be achieved by deploying [Citrix Node Controller](https://github.com/citrix/citrix-k8s-node-controller).
-
-If your deployment uses one single Citrix ADC Device to loadbalance between multiple k8s clusters, there is a possibilty of CNI subnets to overlap, causing the above mentioned static routing to fail due to route conflicts. In such deployments [Policy Based Routing(PBR)] (https://docs.citrix.com/en-us/citrix-adc/current-release/networking/ip-routing/configuring-policy-based-routes/configuring-policy-based-routes-pbrs-for-ipv4-traffic.html) can be used instead.
This would require you to provide one or more subnet IP Addresses unique for each kubernetes cluster either via Environment variable or Configmap, see [PBR Support](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/docs/how-to/pbr.md)
-
- Use the following command to provide subnet IPAddresses(SNIPs) to configure Policy Based Routes(PBR) on the Citrix ADC
-
- ```
- helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,nsSNIPS='[\, \, ...]'
- ```
-
- [Citrix Node Controller](https://github.com/citrix/citrix-k8s-node-controller) by default also adds static routes while creating the VXLAN tunnel. To use [Policy Based Routing(PBR)] (https://docs.citrix.com/en-us/citrix-adc/current-release/networking/ip-routing/configuring-policy-based-routes/configuring-policy-based-routes-pbrs-for-ipv4-traffic.html) to avoid static route clash, both Citrix Node Controller and Citrix Ingress Controller has to work in conjunction and has to be started with specific arguments. For more details refer [CNC-PBR-SUPPORT](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/docs/how-to/pbr.md#configure-pbr-using-the-citrix-node-controller).
-
- Use the following command to inform Citrix Ingress Controller that Citrix Node Controller is configuring Policy Based Routes(PBR) on the Citrix ADC
-
- ```
- helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,clusterName=,cncPbr=
- ```
-
-For configuring static routes manually on Citrix ADC VPX or MPX to reach the pods inside the cluster follow:
-### For Kubernetes:
-1. Obtain podCIDR using below options:
- ```
- kubectl get nodes -o yaml | grep podCIDR
- ```
- * podCIDR: 10.244.0.0/24
- * podCIDR: 10.244.1.0/24
- * podCIDR: 10.244.2.0/24
-
-2. Log on to the Citrix ADC instance.
-
-3. Add Route in Netscaler VPX/MPX
- ```
- add route
- ```
-4.
Ensure that Ingress MPX/VPX has a SNIP present in the host-network (i.e. network over which K8S nodes communicate with each other. Usually eth0 IP is from this network).
-
- Example:
- * Node1 IP = 192.0.2.1
- * podCIDR = 10.244.1.0/24
- * add route 10.244.1.0 255.255.255.0 192.0.2.1
-
-### For OpenShift:
-1. Use the following command to get the information about host names, host IP addresses, and subnets for static route configuration.
- ```
- oc get hostsubnet
- ```
-
-2. Log on to the Citrix ADC instance.
-
-3. Add the route on the Citrix ADC instance using the following command.
- ```add route ```
-
-4. Ensure that Ingress MPX/VPX has a SNIP present in the host-network (i.e. network over which OpenShift nodes communicate with each other. Usually eth0 IP is from this network).
-
- For example, if the output of the `oc get hostsubnet` is as follows:
- * oc get hostsubnet
-
- NAME HOST HOST IP SUBNET
- os.example.com os.example.com 192.0.2.1 10.1.1.0/24
-
- * The required static route is as follows:
-
- add route 10.1.1.0 255.255.255.0 192.0.2.1
-
-## Uninstalling the Chart
-To uninstall/delete the ```my-release``` deployment:
-
- ```
- helm delete my-release
- ```
-
-The command removes all the Kubernetes components associated with the chart and deletes the release.
-
-## Related documentation
-
-- [Citrix ingress controller Documentation](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/)
-- [Citrix ingress controller GitHub](https://github.com/citrix/citrix-k8s-ingress-controller)
diff --git a/charts/citrix/citrix-ingress-controller/1.19.600/app-readme.md b/charts/citrix/citrix-ingress-controller/1.19.600/app-readme.md
deleted file mode 100644
index a8a8ebc15a..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.19.600/app-readme.md
+++ /dev/null
@@ -1,5 +0,0 @@
-# Citrix Ingress Controller
-
-[Citrix Ingress Controler](https://github.com/citrix/citrix-k8s-ingress-controller) is an ingress controller for Citrix ADC MPX (hardware), Citrix ADC VPX (virtualized), and Citrix ADC CPX (containerized) for bare metal and cloud deployments. It is built around Kubernetes Ingress and automatically configures Citrix ADC based on the Ingress resource configuration.
-
-This Chart bootstraps standalone Citrix Ingress Controller which can be used to configure Citrix MPX or VPX.
diff --git a/charts/citrix/citrix-ingress-controller/1.19.600/questions.yml b/charts/citrix/citrix-ingress-controller/1.19.600/questions.yml
deleted file mode 100644
index 89389ae11e..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.19.600/questions.yml
+++ /dev/null
@@ -1,348 +0,0 @@ -labels: - io.rancher.certified: partner -questions: -- variable: license.accept - required: true - type: enum - description: "Set to yes to accept the terms and conditions of the Citrix license." - label: Accept License - group: "Deployment Settings" - options: - - "yes" - - "no" -- variable: openshift - default: false - type: boolean - description: "openshift is set to true if charts are being deployed in OpenShift environment" - label: Openshift flag - group: "Deployment Settings" -- variable: adcCredentialSecret - required: true - default: "" - type: string - description: "adcCredentialSecret is secret file for NetScaler login" - label: adcCredentialSecret Name - group: "Deployment Settings" -- variable: imagePullSecrets[0] - required: false - type: string - description: "Provide list of Kubernetes secrets to be used for pulling the images from a private Docker registry or repository" - label: imagePullSecrets - group: "Deployment Settings" -- variable: nsIP - required: true - type: string - description: "nsIP is NetScaler NSIP/SNIP, SNIP in case of HA (mgmt has to be enabled)" - label: Citrix ADC IP - group: "ADC Settings" -- variable: nsVIP - required: false - type: string - label: Virtual IP of Citrix ADC - group: "ADC Settings" -- variable: nsSNIPS - required: false - type: string - description: "The list of subnet IPAddresses on the Citrix ADC device, which will be used to create PBR Routes instead of Static Routes" - label: Citrix ADC nsSNIPS - group: "ADC Settings" -- variable: nsPort - required: false - default: 443 - type: int - description: "nsPort is port for ADC NITRO" - label: nsPort - group: "ADC Settings" -- variable: nsProtocol - required: false - default: "HTTPS" - type: string - description: "nsProtocol is protocol for ADC NITRO" - label: nsProtocol - group: "ADC Settings" -- variable: entityPrefix - required: false - type: string - description: "The prefix for the resources on the Citrix ADC VPX/MPX" - label: entityPrefix - 
group: "ADC Settings" -- variable: kubernetesURL - required: false - type: string - description: "kubernetesURL is for registering events to kubeapi server" - label: Kubernetes API-server URL - group: "Deployment Settings" -- variable: clusterName - required: false - type: string - description: "The unique identifier of the kubernetes cluster on which the CIC is deployed" - label: Cluster Name - group: "Deployment Settings" -- variable: ingressClass[0] - required: false - type: string - description: "ingressClass is the name of the Ingress Class" - label: Ingress Class - group: "Deployment Settings" -- variable: setAsDefaultIngressClass - required: false - default: False - type: boolean - description: "Set the IngressClass object as default ingress class. New Ingresses without an `ingressClassName` field specified will be assigned the class specified in ingressClass. Applicable only for kubernetes versions >= 1.19" - label: setAsDefaultIngressClass - group: "Deployment Settings" -- variable: serviceClass[0] - required: false - type: string - description: "serviceClass is the name of the Service Class" - label: Service Class - group: "Deployment Settings" -- variable: defaultSSLCertSecret - required: false - type: string - description: "Provide Kubernetes secret name that needs to be used as a default non-SNI certificate in Citrix ADC." - label: defaultSSLCertSecret - group: "ADC Settings" -- variable: podIPsforServiceGroupMembers - required: false - default: False - type: boolean - description: "By default Citrix Ingress Controller will add NodeIP and NodePort as service group members,This variable if set to True will change the behaviour to add pod IP and Pod port instead of nodeIP and nodePort." 
- label: podIPsforServiceGroupMembers - group: "Deployment Settings" -- variable: ignoreNodeExternalIP - required: false - default: False - type: boolean - label: ignoreNodeExternalIP - group: "Deployment Settings" -- variable: ipam - required: false - default: False - type: boolean - description: "Set this argument if you want to use the IPAM controller to automatically allocate an IP address to the service of type LoadBalancer" - label: ipam - group: "Deployment Settings" -- variable: logProxy - required: false - default: False - type: string - description: "Provide Elasticsearch or Kafka or Zipkin endpoint for Citrix observability exporter." - label: Log Proxy - group: "Deployment Settings" -- variable: nodeWatch - required: false - default: false - type: boolean - description: "nodeWatch is used for automatic route configuration on NetScaler towards the pod network" - label: NodeWatch - group: "ADC Settings" -- variable: cncPbr - required: false - default: false - type: boolean - description: "Use this argument to inform CIC that Citrix Node Controller(CNC) is configuring Policy Based Routes(PBR) on the Citrix ADC." - label: CNC PBR - group: "ADC Settings" -- variable: nodeSelector.key - required: false - type: string - description: "Node label key to be used for nodeSelector option in CIC deployment" - label: NodeSelector Key - group: "Deployment Settings" -- variable: nodeSelector.value - required: false - type: string - description: "Node label value to be used for nodeSelector option in CIC deployment." 
- label: NodeSelector value - group: "Deployment Settings" -- variable: tolerations[0] - required: false - type: string - description: "Specify the tolerations for the CIC deployment" - label: Tolerations - group: "Deployment Settings" -- variable: updateIngressStatus - required: false - default: false - type: boolean - description: "Set this argurment if Status.LoadBalancer.Ingress field of the Ingress resources managed by the Citrix ingress controller needs to be updated with allocated IP addresses" - label: Update Ingress Status - group: "Deployment Settings" -- variable: nsHTTP2ServerSide - required: false - default: "OFF" - type: string - description: "Set this argument to ON for enabling HTTP2 for Citrix ADC service group configurations." - label: nsHTTP2ServerSide - group: "Deployment Settings" -- variable: nsCookieVersion - required: false - default: "0" - type: string - description: "Specify the persistence cookie version (0 or 1)" - label: nsCookieVersion - group: "Deployment Settings" -- variable: routeLabels - required: false - type: string - description: "You can use this parameter to provide the route labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster." 
- label: Route Labels - group: "Deployment Settings" -- variable: namespaceLabels - required: false - type: string - description: "you can use this parameter to provide the namespace labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster" - label: namespaceLabels - group: "Deployment Settings" -- variable: cic.image - required: true - type: string - default: "quay.io/citrix/citrix-k8s-ingress-controller:1.19.6" - label: CIC Image - group: "CIC Image Settings" -- variable: cic.pullpolicy - required: true - default: "IfNotPresent" - type: enum - label: CIC Image Pullpolicy - group: "CIC Image Settings" - options: - - "Always" - - "IfNotPresent" - - "Never" -- variable: logLevel - required: false - default: "INFO" - type: enum - label: CIC Loglevel - group: "CIC Image Settings" - options: - - "DEBUG" - - "INFO" - - "WARNING" - - "ERROR" - - "TRACE" -- variable: exporter.required - default: false - type: boolean - description: "If set to true exporter will be deployed as sidecar" - label: Enable Exporter - group: "Exporter Settings" -- variable: exporter.image - default: "quay.io/citrix/citrix-adc-metrics-exporter:1.4.9" - required: false - type: string - description: "Exporter Image" - label: Exporter Image - group: "Exporter Settings" -- variable: exporter.pullPolicy - required: false - default: IfNotPresent - type: string - description: "Exporter Image pull policy" - label: Exporter Image PullPolicy - group: "Exporter Settings" -- variable: exporter.ports.containerPort - required: false - default: 8888 - type: int - label: Exporter ContainerPort - group: "Exporter Settings" -- variable: crds.install - required: false - default: true - type: boolean - description: "If set to true the charts will install CustomResourceDefinitions which are consumed by CIC." 
- label: CRD flag - group: "Deployment Settings" -- variable: crds.retainOnDelete - required: false - default: false - type: boolean - description: "Set this argument to true if you want to retain CustomResourceDefinitions even after uninstalling CIC. This will avoid data-loss of Custom Resource Objects created before uninstallation." - label: CRD retainOnDelete flag - group: "Deployment Settings" -- variable: coeConfig.required - required: true - default: false - type: boolean - description: "Set this to true if you want to configure Citrix ADC to send metrics and transaction records to COE" - label: Enable COE - group: "COE Settings" -- variable: coeConfig.distributedTracing.enable - required: false - default: false - type: boolean - description: "Set this value to true to enable OpenTracing in Citrix ADC." - label: Enable coeConfig DistributedTracing - group: "COE Settings" -- variable: coeConfig.distributedTracing.samplingrate - required: false - default: "100" - type: string - description: "Specifies the OpenTracing sampling rate in percentage." 
- label: coeConfig DistributedTracing Samplingrate - group: "COE Settings" -- variable: coeConfig.endpoint.server - required: false - type: string - description: "Set this value as the IP address or DNS address of the analytics server" - label: coeConfig Endpoint Server - group: "COE Settings" -- variable: coeConfig.timeseries.port - required: false - default: "30002" - type: string - description: "Specify the port used to expose COE service outside cluster for timeseries endpoint" - label: coeConfig timeseries Port - group: "COE Settings" -- variable: coeConfig.timeseries.metrics.enable - required: false - default: False - type: boolean - description: "Set this value to true to enable sending metrics from Citrix ADC" - label: Enable coeConfig Timeseries Metrics - group: "COE Settings" -- variable: coeConfig.timeseries.metrics.mode - required: false - default: "avro" - type: string - description: "Specifies the mode of metric endpoint" - label: coeConfig Timeseries Metrics Mode - group: "COE Settings" -- variable: coeConfig.timeseries.auditlogs.enable - required: false - default: False - type: boolean - description: "Set this value to true to export audit log data from Citrix ADC" - label: coeConfig Timeseries Auditlogs Enable - group: "COE Settings" -- variable: coeConfig.timeseries.events.enable - required: false - default: False - type: boolean - description: "Set this value to true to export events from the Citrix ADC" - label: Enable coeConfig Timeseries Events - group: "COE Settings" -- variable: coeConfig.transactions.enable - required: false - default: False - type: boolean - description: "Set this value to true to export transactions from Citrix ADC" - label: Enable coeConfig Transactions - group: "COE Settings" -- variable: coeConfig.transactions.port - required: false - default: 30001 - type: string - description: "Specify the port used to expose COE service outside cluster for transaction endpoint" - label: coeConfig Transactions Port - group: "COE 
Settings"
-- variable: serviceAccount.create
- required: false
- default: true
- type: boolean
- description: "Specifies whether a ServiceAccount should be created"
- label: ServiceAccount Create
- group: "Deployment Settings"
diff --git a/charts/citrix/citrix-ingress-controller/1.19.600/templates/NOTES.txt b/charts/citrix/citrix-ingress-controller/1.19.600/templates/NOTES.txt
deleted file mode 100644
index 4d07f639fb..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.19.600/templates/NOTES.txt
+++ /dev/null
@@ -1,15 +0,0 @@
-Thank you for installing {{ .Chart.Name }}.
-
-Your release is named {{ .Release.Name }}.
-
-
-To learn more about the release, try:
-
- $ helm status {{ .Release.Name }}
- $ helm get {{ .Release.Name }}
-
-
-To delete :
- helm delete {{ .Release.Name }}
-
-
diff --git a/charts/citrix/citrix-ingress-controller/1.19.600/templates/_helpers.tpl b/charts/citrix/citrix-ingress-controller/1.19.600/templates/_helpers.tpl
deleted file mode 100644
index 28d2e2fddb..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.19.600/templates/_helpers.tpl
+++ /dev/null
@@ -1,94 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Analytics Server IP or DNS -*/}} -{{- define "analytics.server" -}} -{{- if .Values.coeConfig.endpoint.server -}} -{{- printf .Values.coeConfig.endpoint.server -}} -{{- else -}} -{{- $addresses := first (first (lookup "v1" "Node" "" "").items).status.addresses -}} -{{- printf "%s" ($addresses).address -}} -{{- end -}} -{{- end -}} - - - -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "citrix-ingress-controller.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "citrix-ingress-controller.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{- define "exporter.fullname" -}} -{{- $name := default .Chart.Name "exporter" .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} - -{{- define "servicemonitor.fullname" -}} -{{- $name := default .Chart.Name "citrix-adc-servicemonitor" .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} - -{{- define "servicemonitorlabel" -}} -{{- $name 
:= default .Chart.Name "citrix-adc-svcmon" .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} - -{{- define "cicconfigmap.fullname" -}} -{{- $name := default .Chart.Name "cic-configmap" .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "citrix-ingress-controller.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create the name of the service account to use -*/}} -{{- define "citrix-ingress-controller.serviceAccountName" -}} -{{- if .Values.serviceAccount.create -}} - {{ default (include "citrix-ingress-controller.fullname" .) .Values.serviceAccount.name }} -{{- else -}} - {{ default "default" .Values.serviceAccount.name }} -{{- end -}} -{{- end -}} diff --git a/charts/citrix/citrix-ingress-controller/1.19.600/templates/cic_crds.yaml b/charts/citrix/citrix-ingress-controller/1.19.600/templates/cic_crds.yaml deleted file mode 100644 index fb6ec8f11b..0000000000 --- a/charts/citrix/citrix-ingress-controller/1.19.600/templates/cic_crds.yaml +++ /dev/null 
@@ -1,2287 +0,0 @@ -{{- if .Values.crds.install }} -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: rewritepolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: rewritepolicy - plural: rewritepolicies - singular: rewritepolicy - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - rewrite-policies: - type: array - items: - type: object - properties: - servicenames: - description: 'Name of the services that needs to be binded to rewrite policy.' - type: array - items: - type: string - maxLength: 127 - goto-priority-expression: - description: 'Expression or other value specifying the next policy to be - evaluated if the current policy evaluates to TRUE. - Specify one of the following values: - * NEXT - Evaluate the policy with the next higher priority number. - * END - End policy evaluation. - Default value of goto-priority-expression: END' - type: string - maxLength: 1499 - logpackets: - type: object - description: 'Adds an audit message action. - The action specifies whether to log the message, and to which log.' - properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' 
- type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - rewrite-policy: - type: object - properties: - rewrite-criteria: - description: 'Expression against which traffic is evaluated.' - type: string - maxLength: 1299 - default-action: - description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). - An UNDEF event indicates an internal error condition.' - type: string - maxLength: 77 - enum: ['NOREWRITE', 'RESET', 'DROP'] - operation: - description: 'Type of user-defined rewrite action.' - type: string - enum: ["noop", "delete", "insert_http_header", "delete_http_header", - "corrupt_http_header", "insert_before", "insert_after", "replace", - "replace_http_res", "delete_all", "replace_all", "insert_before_all", - "insert_after_all", "clientless_vpn_encode", "clientless_vpn_encode_all", - "clientless_vpn_decode", "clientless_vpn_decode_all", "insert_sip_header", - "delete_sip_header", "corrupt_sip_header", "replace_sip_res", "replace_diameter_header_field", - "replace_dns_header_field", "replace_dns_answer_section"] - target: - description: 'Default syntax expression that specifies which part of the request or response to rewrite.' - type: string - maxLength: 1229 - modify-expression: - description: 'Default syntax expression that specifies the content to insert into the request - or response at the specified location, or that replaces the specified string.' - type: string - maxLength: 7991 - multiple-occurence-modify: - description: 'Search facility that is used to match multiple strings in the request or response.' - type: string - maxLength: 171 - additional-multiple-occurence-modify: - description: 'Specify additional criteria to refine the results of the search. 
- Always starts with the "extend(m,n)" operation, where "m" specifies number of bytes to the left of selected data - and "n" specifies number of bytes to the right of selected data. - You can use refineSearch only on body expressions, and only when rewrite-criteria is any one of this: - INSERT_BEFORE_ALL, INSERT_AFTER_ALL, REPLACE_ALL, and DELETE_ALL.' - type: string - maxLength: 1299 - direction: - description: 'Bind point to which to bind the policy.' - type: string - enum: ["REQUEST","RESPONSE"] - comment: - description: 'Any comments to preserve information about this rewrite policy.' - type: string - maxLength: 255 - required: [rewrite-criteria, operation, target, direction] - required: [servicenames, rewrite-policy] - - responder-policies: - type: array - items: - type: object - properties: - servicenames: - description: 'Name of the services that needs to be binded to responder policy.' - type: array - items: - type: string - maxLength: 127 - goto-priority-expression: - description: 'Expression or other value specifying the next policy to be - evaluated if the current policy evaluates to TRUE. - Specify one of the following values: - * NEXT - Evaluate the policy with the next higher priority number. - * END - End policy evaluation. - Default value of goto-priority-expression: END' - type: string - maxLength: 1499 - logpackets: - type: object - description: 'Adds an audit message action. - The action specifies whether to log the message, and to which log.' - properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' 
- type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", - "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - responder-policy: - type: object - properties: - redirect: - type: object - description: 'Use this option when you want to Redirect the request when request matches to policy.' - properties: - url: - description: 'URL on which you want to redirect the request.' - type: string - maxLength: 7991 - redirect-status-code: - description: 'HTTP response status code, for example 200, 302, 404, etc.' - type: integer - minimum: 100 - maximum: 599 - redirect-reason: - description: 'Expression specifying the reason for redirecting the request.' - type: string - maxLength: 7991 - required: [url] - respondwith: - type: object - description: 'Use this parameter when you want to respond to the request when request matches to policy.' - properties: - http-payload-string: - description: 'Expression that you want to sent as response to the request.' - type: string - maxLength: 7991 - required: [http-payload-string] - noop: - type: string - description: 'Use this option when you want to send the request to the protected server instead of - responding to it when request matches to policy.' - properties: - target: - description: 'Default syntax expression that specifies to perform noop operation on' - type: string - maxLength: 1229 - reset: - type: string - description: 'Use this option when you want to Reset the client connection by closing it when request matches to policy.' - properties: - drop: - type: string - description: 'Use this option when you want to drop the request without sending a response to the user when request matches to policy.' - properties: - respond-criteria: - description: 'Default syntax expression that the policy uses to determine whether to respond to the specified request.' 
- type: string - maxLength: 1299 - default-action: - description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). - An UNDEF event indicates an internal error condition.' - type: string - maxLength: 77 - enum: ['NOOP', 'RESET', 'DROP'] - comment: - description: 'Any comments to preserve information about this responder policy.' - type: string - maxLength: 255 - required: [respond-criteria] - oneOf: [required: [redirect], required: [respondwith], required: [noop], required: [reset], required: [drop]] - required: [servicenames, responder-policy] - - dataset: - type: array - items: - type: object - properties: - name: - description: 'Name of the dataset.' - type: string - maxLength: 32 - type: - description: 'Type of value to bind to the dataset.' - type: string - enum: ["ipv4", "number", "ipv6", "ulong", "double", "mac"] - comment: - description: 'Any comments to preserve information about this dataset.' - type: string - maxLength: 255 - values: - description: 'Value of the specified type that is associated with this dataset.' - type: array - items: - type: string - required: [name, type, values] - - patset: - type: array - items: - type: object - properties: - name: - description: 'Name of the Patset.' - type: string - maxLength: 32 - comment: - description: 'Any comments to preserve information about this patset.' - type: string - maxLength: 255 - values: - description: 'String of characters that constitutes a pattern and is associated with this patset.' - type: array - items: - type: string - required: [name, values] - - stringmap: - type: array - items: - type: object - properties: - name: - description: 'Name of the Stringmap.' - type: string - maxLength: 32 - comment: - description: 'Any comments to preserve information about this stringmap.' - type: string - maxLength: 255 - values: - description: 'List of (key,value) pairs to be bound to this string map.' 
- type: array - items: - type: object - properties: - key: - description: 'Character string constituting the key to be bound to this string map.' - type: string - maxLength: 2047 - value: - description: 'Character string constituting the value associated with the key.' - type: string - maxLength: 2047 - required: [name, values] - - httpcallout_policy: - type: array - items: - type: object - properties: - name: - description: 'httpcallout name' - type: string - maxLength: 32 - server_ip: - description: 'IP Address of the server(callout agent) to which the callout is sent.' - type: string - server_port: - description: 'Port of the server(callout agent) to which the callout is sent.' - type: integer - minimum: 1 - maximum: 65535 - http_method: - description: |+ - 'Method used in the HTTP request that this callout sends. - Default http method is GET' - type: string - enum: ['GET', 'POST'] - host_expr: - description: |+ - 'String expression to configure the Host header. Can contain a literal value - (for example, 10.101.10.11) or a derived value (for example, http.req.header("Host")). - The literal value can be an IP address or a fully qualified domain name. Mutually - exclusive with the full HTTP request expression.' - type: string - maxLength: 255 - url_stem_expr: - description: |+ - 'String expression for generating the URL stem. Can contain a literal string - (for example, "/mysite/index.html") or an expression that derives the value - (for example, http.req.url).' - type: string - maxLength: 8191 - headers: - type: array - description: |+ - 'One or more headers to insert into the HTTP request. Each header is represented by - name and expr, where expr is an expression that is evaluated at runtime to provide - the value for the named header. You can configure a maximum of eight headers for - an HTTP callout.' 
- items: - type: object - properties: - name: - description: 'header name' - type: string - expr: - description: 'header expression' - type: string - parameters: - type: array - description: |+ - 'One or more query parameters to insert into the HTTP request URL (for a GET request) - or into the request body (for a POST request). Each parameter is represented by - name and expr, where expr is an expression that is evaluated at run time to provide - the value for the named parameter (name=value). The parameter values are URL encoded.' - items: - type: object - properties: - name: - description: 'parameter name' - type: string - expr: - description: 'parameter expression' - type: string - body_expr: - description: |+ - 'An advanced string expression for generating the body of the request. - The expression can contain a literal string or an expression that derives - the value (for example, client.ip.src).' - type: string - full_req_expr: - description: |+ - 'Exact HTTP request, in the form of an expression, which the Citrix ADC sends - to the callout agent. The request expression is constrained by the feature - for which the callout is used. For example, an HTTP.RES expression cannot be - used in a request-time policy bank or in a TCP content switching policy bank.' - type: string - scheme: - description: |+ - 'Type of scheme for the callout server. - Default scheme is HTTP' - type: string - enum: ['HTTP', 'HTTPS'] - cache_for_secs: - description: |+ - 'Duration, in seconds, for which the callout response is cached. - The cached responses are stored in an integrated caching content - group named "calloutContentGroup". If no duration is configured, - the callout responses will not be cached unless normal caching - configuration is used to cache them. This parameter takes precedence over any - normal caching configuration that would otherwise apply to these responses.' 
- type: integer - minimum: 1 - maximum: 31536000 - return_type: - description: |+ - 'Type of data that the target callout agent returns in response to the callout - Available settings function as follows: - * TEXT - Treat the returned value as a text string. - * NUM - Treat the returned value as a number. - * BOOL - Treat the returned value as a Boolean value.' - type: string - enum: ['TEXT', 'NUM', 'BOOL'] - result_expr: - description: |+ - 'Expression that extracts the callout results from the response sent by the HTTP callout - agent. Must be a response based expression, that is, it must begin with HTTP.RES. The - operations in this expression must match the return type. For example, if you configure - a return type of TEXT, the result expression must be a text based expression. If the - return type is NUM, the result expression (resultExpr) must return a numeric value, - as in the following example: http.res.body(10000).length.' - type: string - maxLength: 8191 - comment: - description: 'Any comments to preserve information about this HTTP callout.' 
- type: string - maxLength: 255 - allOf: - - properties: - required: [name, server_ip, server_port] - - properties: - oneOf: - - properties: - required: [full_req_expr] - - properties: - anyOf: - - properties: - required: [http_method] - - properties: - required: [host_expr] - - properties: - required: [url_stem_expr] - - properties: - required: [headers] - - properties: - required: [parameters] - - properties: - required: [body_expr] - anyOf: [required: [rewrite-policies], required: [responder-policies]] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: ratelimits.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: ratelimit - plural: ratelimits - singular: ratelimit - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the ratelimit policies are applied.' - type: array - items: - type: string - maxLength: 127 - selector_keys: - type: object - description: 'Traffic match criteria to which apply above rate-limit/throttling. All keys are applied as AND condition. 
If no keys are specified, rate-limit applies at service level' - properties: - basic: - type: object - description: "Basic traffic stream selection criteria to which to apply the ratelimit" - properties: - path: - type: array - description: "api resource path prefix match. e.g. /api/v1/products" - items: - type: string - method: - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST','DELETE'] - header_name: - description: "HTTP header that identifies the unique API client for e.g. X-apikey" - type: string - per_client_ip: - description: "Setting this applies the throttling limit to each unique Client IP address accessing the API resource" - type: boolean - req_threshold: - description: 'Max requests per timeslice units to be allowed' - type: integer - timeslice: - description: 'Timeslice in miliseconds in multiple of 10. Defaults to 1000 miliseconds' - type: integer - limittype: - description: "Burst mode or smooth. Defaults to smooth limittype if not specified" - type: string - enum: ['BURSTY','SMOOTH'] - throttle_action: - type: string - enum: ['DROP', 'RESET','REDIRECT', 'RESPOND'] - description: "Drop will drop the requests exceeding limits, RESET will reset the client connection, Redirect will redirect to specified URL, respond will respond with 429 'Exceeded allowed rate of requests'" - redirect_url: - type: string - description: "Redirect-URL" - required: [servicenames, req_threshold] ---- -#Sample CRD instance - -#apiVersion: citrix.com/v1 -#description: VIP for apache service -#kind: vip -#metadata: -# name: service-apache -# namespace: default -#spec: -# description: VIP for the apache Service -# ipaddress: 10.99.98.90 -# kind: service -# name: apache - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: vips.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: vip - plural: vips - singular: vip - scope: 
Namespaced - versions: - - name: v1 - served: true - storage: true - additionalPrinterColumns: - - jsonPath: .spec.ipaddress - name: VIP - type: string - - name: Age - type: date - jsonPath: .metadata.creationTimestamp - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - ipaddress: - type: string - name: - type: string - kind: - type: string - enum: ["service", "ingress"] - description: - type: string - range-name: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: authpolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: authpolicy - plural: authpolicies - singular: authpolicy - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: 'Current Status of the CRD' - jsonPath: .status.state - - name: Message - type: string - description: 'Status Message' - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: |+ - 'Name of the services for which the policies applied' - type: array - items: - type: string - maxLength: 63 - authentication_mechanism: - type: object - description: |+ - 'Authentication mechanism. Options: using forms or using request header. 
- Default is Authentication using request header, when no option is specified' - properties: - using_request_header: - description: |+ - 'Enable user authentication using request header. Use when the credentials - or api keys are passed in a header. For example, when using Basic, Digest, - Bearer authentication or api keys. - When authentication using forms is provided, this is set to OFF' - - type: string - using_forms: - type: object - description: 'Enables authentication using forms. Use with user/web authentication.' - properties: - authentication_host: - description: |+ - 'Fully qualified domain name (FQDN) for authentication. - This FQDN should be unique and should resolve to frontend IP of - ADC with Ingress/service type LoadBalancer (or) vip of Listener CRD' - type: string - maxLength: 255 - authentication_host_cert: - description: |+ - 'Name of the SSL certificate to be used with authentication_host. - This certificate is mandatory while using_forms' - type: object - properties: - tls_secret: - type: string - description: 'Name of the Kubernetes Secret of type tls referring to Certificate' - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - preconfigured: - type: string - maxLength: 63 - description: |+ - 'Preconfigured SSL certkey name on ADC with the - certificate and key already added on ADC' - oneOf: - - properties: - required: [tls_secret] - - properties: - required: [preconfigured] - ingress_name: - description: |+ - 'Ingress name for which the authentication using forms - is applicable.' - type: string - maxLength: 63 - lb_service_name: - description: |+ - 'Service of type LoadBalancer for which the authentication using forms - is applicable.' - type: string - maxLength: 63 - listener_name: - description: |+ - 'Listener CRD name for which the authentication using forms is applicable.' - type: string - maxLength: 63 - vip: - description: |+ - 'Frontend IP of ingress for which the authentication - using forms is applicable. 
This refers to frontend-ip provided - with Ingress. It is suggested to use vip, if more than one Ingress - resource use the same frontend-ip' - type: string - required: [authentication_host, authentication_host_cert] - oneOf: - - properties: - required: [ingress_name] - - properties: - required: [lb_service_name] - - properties: - required: [listener_name] - - properties: - required: [vip] - oneOf: - - properties: - using_request_header: - enum: ['ON'] - required: [using_request_header] - - properties: - required: [using_forms] - - authentication_providers: - description: |+ - 'Authentication Configuration for required authentication providers/schemes. - One or more of these can be created' - type: array - items: - description: 'Create config for a single authentication provider of a particular type' - type: object - properties: - name: - description: 'Name for this provider, has to be unique, referenced by authentication policies' - type: string - maxLength: 127 - - oauth: - description: 'Authentication provided by external oAuth provider' - type: object - properties: - issuer: - description: 'Identity of the server whose tokens are to be accepted' - type: string - maxLength: 127 - audience: - description: 'Audience for which token sent by Authorization server is applicable' - type: array - items: - type: string - maxLength: 127 - jwks_uri: - description: |+ - 'URL of the endpoint that contains JWKs (Json Web Key) for - JWT (Json Web Token) verification' - type: string - maxLength: 127 - introspect_url: - description: ' URL of the introspection server' - type: string - maxLength: 127 - client_credentials: - description: |+ - 'secrets object that contains Client Id and secret as known - to Introspection server' - type: string - maxLength: 253 - token_in_hdr: - description: |+ - 'custom header name where token is present, - default is Authorization header' - type: array - items: - type: string - maxLength: 127 - maxItems: 2 - token_in_param: - description: 'query 
parameter name where token is present' - type: array - items: - type: string - maxLength: 127 - maxItems: 2 - signature_algorithms: - description: 'list of allowed signature algorithms, by default HS256, RS256, RS512 are allowed' - type: array - items: - type: string - enum: ['HS256', 'RS256', 'RS512'] - claims_to_save: - description: 'list of claims to be saved, used to create authorization policies' - type: array - items: - type: string - maxLength: 127 - metadata_url: - description: 'URL used to get OAUTH/OIDC provider metadata' - type: string - maxLength: 255 - user_field: - description: |+ - 'Attribute in the token from which username should be extracted. - by default, ADC looks at email attribute for user id' - type: string - maxLength: 127 - default_group: - description: |+ - 'group assigned to the request if authentication succeeds, - this is in addition to any extracted groups from token' - type: string - maxLength: 63 - grant_type: - description: 'used to specify the type of flow to the token end point, defaults to CODE' - type: array - items: - type: string - enum: ['CODE','PASSWORD'] - pkce: - description: 'specify whether to enable Proof Key Code Exchange, defaults to ENABLED' - type: string - enum: ['ENABLED', 'DISABLED'] - token_ep_auth_method: - description: |+ - 'authentication method to be used with token end point, - defaults to client_secret_post' - type: string - enum: ['client_secret_post', 'client_secret_jwt'] - - anyOf: - - properties: - required : [jwks_uri] - - properties: - required : [introspect_url, client_credentials] - - properties: - required : [metadata_url] - - ldap: - description: 'LDAP authentication provider' - type: object - properties: - server_ip: - description: 'IP address assigned to the LDAP server' - type: string - server_name: - description: 'LDAP server name as a FQDN' - type: string - maxLength: 127 - server_port: - description: 'Port on which the LDAP server accepts connections. 
Default is 389' - type: integer - minimum: 1 - maximum: 65535 - base: - description: |+ - 'Base (node) from which to start LDAP searches. If the LDAP server is - running locally, the default value of base is dc=netscaler, dc=com' - type: string - maxLength: 127 - server_login_credentials: - description: |+ - 'Kubernetes secret object providing credentials to login to LDAP server, - The secret data should have username and password' - type: string - login_name: - description: |+ - 'LDAP login name attribute. The Citrix ADC uses the LDAP login name - to query external LDAP servers or Active Directories' - type: string - maxLength: 127 - security_type: - description: |+ - 'Type of security used for communications between the Citrix ADC - and the LDAP server. Default is TLS' - type: string - enum: ['PLAINTEXT', 'TLS', 'SSL'] - validate_server_cert: - description: 'Validate LDAP Server certs. Default is NO' - type: string - enum: ['YES', 'NO'] - hostname: - description: |+ - 'Hostname for the LDAP server. If validate_server_cert is ON, - this must be the host name on the certificate from the LDAP - A hostname mismatch will cause a connection failure' - type: string - maxLength: 127 - sub_attribute_name: - description: 'LDAP group sub-attribute name. Used for group extraction from the LDAP server.' - type: string - maxLength: 31 - group_attribute_name: - description: 'LDAP group attribute name. Used for group extraction on the LDAP server.' - type: string - maxLength: 31 - search_filter: - description: |+ - 'String to be combined with the default LDAP user search string to form the - search value. 
For example, if the search filter "vpnallowed=true" is combined - with the LDAP login name "samaccount" and the user-supplied username is "bob", - the result is the LDAP search string ""(&(vpnallowed=true)(samaccount=bob)"" - (Be sure to enclose the search string in two sets of double quotation marks)' - type: string - maxLength: 255 - auth_timeout: - description: |+ - 'Number of seconds the Citrix ADC waits for a response from the server - Default is 3' - type: integer - minimum: 1 - maximum: 4294967295 - password_change: - description: 'Allow password change requests. Default is DISABLED' - type: string - enum: ['ENABLED', 'DISABLED'] - attributes_to_save: - description: |+ - 'List of attribute names separated by comma which needs to be fetched - from LDAP server and stored as key-value pair for the session on ADC' - type: string - maxLength: 2047 - oneOf: - - properties: - required: [server_ip] - - properties: - required: [server_name] - - saml: - description: |+ - 'SAML authentication provider. - Currently SAML is supported only with authentication mechanism using forms' - type: object - properties: - metadata_url: - description: 'URL is used for obtaining saml metadata.' - type: string - maxLength: 255 - metadata_refresh_interval: - description: |+ - 'Interval in minutes for fetching metadata from specified metadata URL. 
- Default is 36000' - type: integer - minimum: 1 - maximum: 4294967295 - signing_cert: - description: 'SSL certificate to sign requests from SP to IDP' - type: object - properties: - tls_secret: - type: string - description: 'Name of the Kubernetes Secret of type tls referring to Certificate' - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - preconfigured: - type: string - maxLength: 63 - description: |+ - 'Preconfigured SSL certkey name on ADC with the - certificate and key already added on ADC' - oneOf: - - properties: - required: [tls_secret] - - properties: - required: [preconfigured] - audience: - description: 'Audience for which assertion sent by IdP is applicable' - type: string - maxLength: 127 - issuer_name: - description: 'The name to be used in requests sent from SP to IDP to identify citrix ADC' - type: string - maxLength: 63 - binding: - description: 'Specifies the transport mechanism of saml message. Default is POST' - type: string - enum: ['REDIRECT', 'POST', 'ARTIFACT'] - artifact_resolution_service_url: - description: 'URL of the Artifact Resolution Service on IdP' - type: string - maxLength: 255 - logout_binding: - description: 'Specifies the transport mechanism of saml logout. Default is POST' - type: string - enum: ['REDIRECT', 'POST'] - reject_unsigned_assertion: - description: |+ - 'Reject unsigned SAML assertions. ON, rejects assertion without signature. - STRICT ensure that both Response and Assertion are signed. Default is ON' - type: string - enum: ['ON', 'OFF', 'STRICT'] - user_field: - description: 'SAML user ID, as given in the SAML assertion' - type: string - maxLength: 63 - default_authentication_group: - description: |+ - 'This is the default group that is chosen when the authentication - succeeds in addition to extracted groups' - type: string - maxLength: 63 - skew_time: - description: |+ - 'Allowed clock skew in number of minutes on an incoming assertion. 
- Default is 5' - type: integer - minimum: 1 - attributes_to_save: - description: |+ - 'List of attribute names separated by comma which needs to be extracted - and stored as key-value pair for the session on ADC' - type: string - maxLength: 2047 - required: - - metadata_url - - basic_local_db: - type: object - description: |+ - 'Basic HTTP authentication supported by ADC, user data in local DB of ADC. - Users needs to be added on ADC' - properties: - use_local_auth: - description: 'Use ADC authentication' - type: string - enum: ['YES'] - - required: - - name - - authentication_policies: - description: 'Authentication policies' - type: array - items: - type: object - description: 'Authentication policy' - properties: - resource: - type: object - description: 'endpoint/resource selection criteria' - properties: - path: - description: 'api resource path e.g. /products. ' - type: array - items: - type: string - maxLength: 511 - method: - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST','DELETE'] - required: - - path - provider: - description: 'name of the authentication provider for the policy, empty if no authentication required' - type: array - items: - type: string - maxLength: 127 - maxItems: 1 - required: - - resource - - provider - - authorization_policies: - description: 'Authorization policies' - type: array - items: - type: object - description: 'Authorization policy' - properties: - resource: - type: object - description: 'endpoint/resource selection criteria' - properties: - path: - description: 'api resource path e.g. /products. 
' - type: array - items: - type: string - maxLength: 511 - method: - description: ' http method' - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST','DELETE'] - claims: - description: 'authorization scopes required for selected resource saved as claims or attributes' - type: array - items: - type: object - properties: - name: - description: 'name of the claim/attribute to check' - type: string - maxLength: 127 - values: - description: 'list of claim values required for the request' - type: array - items: - type: string - maxLength: 127 - minItems: 1 - required: - - name - - values - required: - - claims - - required: - - servicenames ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: listeners.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - version: null - names: - kind: Listener - plural: listeners - singular: listener - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - required: [spec] - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - required: [protocol] - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - protocol: - type: string - enum: ["https", "http"] - description: "Protocol for this listener" - vip: - type: string - description: "VIP address, Optional for CPX, required for Tier-1 deployments" - secondaryVips: - type: array - description: "An array of Secondary VIPs. 
All the VIPs will be part of an ipset" - minItems: 1 - items: - type: string - redirectPort: - type: integer - minimum: 1 - maximum: 65535 - description: "Port from which http traffic should be redirected to https" - port: - type: integer - minimum: 1 - maximum: 65535 - certificates: - type: array - description: "certificates attached to the endpoints - Not applicable for HTTP" - minItems: 1 - items: - type: object - properties: - preconfigured: - type: string - description: "Preconfigured Certificate name on ADC " - secret: - type: object - description: "Kuberentes secret object" - required: [name] - properties: - name: - type: string - description: "name of the Kubernetes Secret object where Cert is located" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - namespace: - type: string - description: "Namespace of the kubernetes secret object; Default is same namespace where the Listener object is located" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - default: - type: boolean - description: "Only one of the certificate can be marked as default which will be presented if none of the cert matches with the hostname" - oneOf: - - required: ["preconfigured"] - - required: ["secret"] - policies: - type: object - description: "Policies attached to the Listener" - properties: - httpprofile: - type: object - description: "HTTP profile configurations for the Listener, HTTP level configurations" - properties: - preconfigured: - type: string - description: "Preconfigured or Built-in HTTP profile name" - config: - type: object - description: "HTTP profile configuration for the listener. 
For individual fields, refer:https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ns/nshttpprofile/nshttpprofile/ Name field is auto populated" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - tcpprofile: - type: object - description: "TCP level configurations, uses ns tcpprofile of citrix ADC" - properties: - preconfigured: - description: "Preconfigured or Built-in TCP profile name" - type: string - config: - type: object - description: "TCPprofile configurations for the listener. For individual fields refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ns/nstcpprofile/ ; Name field is auto populated" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - csvserverConfig: - type: object - description: "CS Vserver configuration for the listener" - additionalProperties: - type: string - sslprofile: - type: object - description: "SSL profile configuration" - properties: - preconfigured: - type: string - description: "SSL profile which is preconfigured in ADC. Ciphers bound to the profile is not overriden" - config: - description: "Citrix ADC frontend SSL profile configurations. Refer:https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ssl/sslprofile/ for all configurations; Name field is auto generated" - type: object - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - sslciphers: - type: array - description: "List of ciphers to be bound to the ssl profile for the listener. Priority is as per the order in the list. 
A cipher suite, predefined cipher group or User created cipher group can be mentioned" - minItems: 1 - items: - type: string - description: "Cipher suite, cipher group name" - analyticsprofile: - type: object - description: "Analytics profile configuration" - properties: - preconfigured: - type: array - description: "Preconfigured Analytics profile that needs to be bound to the vserver" - minItems: 1 - items: - type: string - description: "Name of the analytics profile preconfigured that will be bound to the Vserver" - config: - type: array - description: "An array of analytics to be enabled" - minItems: 1 - items: - type: object - description: "Anlytics to be enabled" - required: ['type'] - properties: - type: - description: "Analytics profile to be enabled, you can enable one or more of the webinsight, tcpinsight, securityinsight, videoinsight, hdxinsight, gatewayinsight, timeseries, lsninsight, botinsight " - type: string - enum: ["webinsight", "tcpinsight", "securityinsight", "videoinsight", "hdxinsight", "gatewayinsight", "timeseries", "lsninsight", "botinsight"] - parameters: - type: object - description: "Additional parameters for analytics profile. 
Please refer:https://developer-docs.citrix.com/projects/citrix-adc-nitro-api-reference/en/latest/configuration/analytics/analyticsprofile/" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - routes: - type: array - description: "List of route objects attached to the listener" - minItems: 1 - items: - type: object - properties: - name: - type: string - description: "Name of the HTTPRoute object" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - namespace: - type: string - description: "Namespace of the HTTPRoute object" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - labelSelector: - description: "Labels key value pair, if the route carries the same labels, it is automatically attached" - type: object - additionalProperties: - type: string - oneOf: - - required: [name, namespace] - - required: [labelSelector] - defaultAction: - type: object - description: "Default action for the listener: One of Backend or Redirect" - properties: - backend: - type: object - oneOf: - - required: [kube] - properties: - kube: - type: object - required: [service, port] - properties: - service: - description: "Name of the backend service" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - port: - description: "Service port" - type: integer - minimum: 1 - maximum: 65535 - namespace: - description: "Service namespace" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - backendConfig: - description: "General backend service options" - type: object - properties: - secure_backend: - description: "Use Secure communications to the backends" - type: boolean - lbConfig: - description: "Citrix ADC LB vserver configurations for the backend. 
Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/load-balancing/lbvserver/lbvserver/ for all configurations" - type: object - additionalProperties: - type: string - servicegroupConfig: - description: "Citrix ADC service group configurations for the backend; Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/basic/servicegroup/servicegroup/ for all configurations" - type: object - additionalProperties: - type: string - redirect: - type: object - oneOf: - - required: [targetExpression] - - required: [hostRedirect] - - required: [httpsRedirect] - properties: - httpsRedirect: - description: "Change the scheme from http to https keeping URL intact" - type: boolean - hostRedirect: - description: "Host name specified is used for redirection with URL intact" - type: string - targetExpression: - description: "A target can be specified using Citrix ADC policy expression" - type: string - responseCode: - description: "Default response code is 302, which can be customised using this attribute" - type: integer - minimum: 100 - maximum: 599 - oneOf: - - required: ["backend"] - - required: ["redirect"] - subresources: - # status enables the status subresource. 
- status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: httproutes.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - version: null - names: - kind: HTTPRoute - plural: httproutes - singular: httproute - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - required: [rules] - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - hostname: - type: array - description: "List of domain names that share the same route, default is '*'" - minItems: 1 - items: - type: string - description: "Domain name" - rules: - type: array - description: "List Content routing rules with an action defined" - minItems: 1 - items: - type: object - required: [name, action] - properties: - name: - type: string - description: "A name to represent the rule, this is used as an identifier in content routing policy name in ADC" - minLength: 1 - maxLength: 20 - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - match: - type: array - description: "List of rules with same action" - minItems: 1 - items: - type: object - anyOf: - - required: [path] - - required: [headers] - - required: [cookies] - - required: [queryParams] - - required: [method] - - required: [policyExpression] - properties: - path: - type: object - description: "URL Path based content routing" - properties: - prefix: - type: string - description: "URL path matches the prefix expression" - exact: - type: string - description: "URL Path must match exact path" - regex: - type: string - 
description: "PCRE based regex expression for path matching" - headers: - type: array - description: "List of header for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Header details for content routing, Check for existence of a header or header name-value match" - properties: - headerName: - type: object - description: "Header name based content routing, Here existence of header is used for routing" - properties: - exact: - type: string - description: "Header Name - treated as exact must exist" - contains: - type: string - description: "Header Name - A header must exist that contain the string the name" - regex: - type: string - description: "header Name - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e header name must not exist" - oneOf: - - required: [exact] - - required: [contains] - - required: [regex] - headerValue: - type: object - description: "Header Name and Value based match" - properties: - name: - type: string - description: "Header name that must match the value" - exact: - type: string - description: "Header value - treated as exact" - contains: - type: string - description: "Header value - treated as contains" - regex: - type: string - description: "header value - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e header if present must not match the value" - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - queryParams: - type: array - description: "List of Query parameters for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Query parameters Name and Value based match" - properties: - name: - type: string - description: "Query name that must match the value. 
If no value is specified, matches with any value" - exact: - type: string - description: "Query value - Exact match" - contains: - type: string - description: "Query value - value must have the string(substring)" - regex: - type: string - description: "Query value - Value must match this regex patterm" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e query if present must not match the value" - anyOf: - - required: [name] - - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - cookies: - type: array - description: "List of Cookie params for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Cookie based routing" - properties: - name: - type: string - description: "cookie name that must match the value. If no value specified, it matches with any value" - exact: - type: string - description: "cookie value - treated as exact" - contains: - type: string - description: "cookie value - treated as substring" - regex: - type: string - description: "cookie value - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. 
I.e cookie if present must not match the value" - anyOf: - - required: [name] - - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - method: - type: string - description: "HTTP method for content routing eg: POST, PUT, DELETE etc" - policyExpression: - type: string - description: "Citrix ADC policy expressions; refer: https://docs.citrix.com/en-us/netscaler/media/expression-prefix.pdf" - action: - type: object - description: "Action for the matched rule" - properties: - backend: - type: object - oneOf: - - required: [kube] - properties: - kube: - type: object - required: [service, port] - properties: - service: - description: "Name of the backend service" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - port: - description: "Service port" - type: integer - minimum: 1 - maximum: 65535 - backendConfig: - type: object - description: "General backend service options" - properties: - secureBackend: - description: "Use Secure communications to the backends" - type: boolean - lbConfig: - description: "Citrix ADC LB vserver configurations for the backend. 
Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/load-balancing/lbvserver/lbvserver/ for all configurations" - type: object - additionalProperties: - type: string - servicegroupConfig: - description: "Citrix ADC service group configurations for the backend; Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/basic/servicegroup/servicegroup/ for all configurations" - type: object - additionalProperties: - type: string - redirect: - type: object - oneOf: - - required: [targetExpression] - - required: [hostRedirect] - - required: [httpsRedirect] - properties: - httpsRedirect: - description: "Change the scheme from http to https keeping URL intact" - type: boolean - hostRedirect: - description: "Host name specified is used for redirection with URL intact" - type: string - targetExpression: - description: "A target can be specified using Citrix ADC policy expression" - type: string - responseCode: - description: "Default response code is 302, which can be customised using this attribute" - type: integer - minimum: 100 - maximum: 599 - oneOf: - - required: ["backend"] - - required: ["redirect"] - subresources: - # status enables the status subresource. - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - # name must match the spec fields below, and be in the form: . 
- name: continuousdeployments.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: continuousdeployment - plural: continuousdeployments - singular: continuousdeployment - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - cronSpec: - type: integer - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: wafs.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: waf - plural: wafs - singular: waf - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the waf policies are applied.' 
- type: array - items: - type: string - maxLength: 127 - application_type: - description: 'Type of applications to protect' - type: array - items: - type: string - enum: ['HTML', 'JSON', 'XML'] - signatures: - description: 'Location of external signature file' - type: string - redirect_url: - description: '' - type: string - html_error_object: - description: 'Location of customized error page to respond when html or common violation are hit' - type: string - xml_error_object: - description: 'Location of customized error page to respond when xml violations are hit' - type: string - json_error_object: - description: 'Location of customized error page to respond when json violations are hit' - type: string - ip_reputation: - type: object - x-kubernetes-preserve-unknown-fields: true - description: 'Enabling IP reputation feature' - target: - description: 'To control what traffic to be inspected by Web Application Firewall. If you do not provide the target, everything will be inspected by default' - type: object - properties: - path: - type: array - description: "List of http urls to inspect" - items: - type: string - description: "URL path" - method: - type: array - description: "List of http methods to inspect" - items: - type: string - enum: ['GET', 'PUT', 'POST','DELETE'] - header: - type: array - description: "List of http headers to inspect" - items: - type: string - description: "header name" - security_checks: - description: 'To enable/disable application firewall security checks' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true - settings: - description: 'To fine tune application firewall security checks default settings' - type: object - properties: - common: - type: object - 
x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true - relaxations: - description: 'Section which contains relaxation rules for known traffic and false positives' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true - enforcements: - description: 'Section which contains enforcement or restriction rules' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: bots.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: bot - plural: bots - singular: bot - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in 
the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the bot policies are applied.' - type: array - items: - type: string - maxLength: 127 - signatures: - description: 'Location of external bot signature file' - type: string - redirect_url: - description: 'url to redirect when bot violation is hit' - type: string - target: - description: 'To control what traffic to be inspected by BOT. If you do not provide the target, everything will be inspected by default' - type: object - properties: - path: - type: array - description: "List of http urls to inspect" - items: - type: string - description: "URL path" - method: - type: array - description: "List of http methods to inspect" - items: - type: string - enum: ['GET', 'PUT', 'POST','DELETE'] - header: - type: array - description: "List of http headers to inspect" - items: - type: string - description: "header name" - security_checks: - description: 'To enable/disable bot ecurity checks' - type: object - properties: - allow_list: - type: string - enum: ['ON', 'OFF'] - block_list: - type: string - enum: ['ON', 'OFF'] - device_fingerprint: - type: object - x-kubernetes-preserve-unknown-fields: true - reputation: - type: string - enum: ['ON', 'OFF'] - ratelimit: - type: string - enum: ['ON', 'OFF'] - tps: - type: string - enum: ['ON', 'OFF'] - trap: - type: object - x-kubernetes-preserve-unknown-fields: true - bindings: - description: 'Section which contains binding rules for bot security checks' - type: object - properties: - allow_list: - type: array - items: - type: object - properties: - subnet: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - expression: - type: object - x-kubernetes-preserve-unknown-fields: true - - block_list: - type: array - items: - type: object - properties: - subnet: - type: object - 
x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - expression: - type: object - x-kubernetes-preserve-unknown-fields: true - ratelimit: - type: array - items: - type: object - properties: - url: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - cookie: - type: object - x-kubernetes-preserve-unknown-fields: true - reputation: - type: object - x-kubernetes-preserve-unknown-fields: true - captcha: - type: array - items: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - tps: - type: object - properties: - geolocation: - type: object - x-kubernetes-preserve-unknown-fields: true - host: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - host: - type: object - x-kubernetes-preserve-unknown-fields: true - trapinsertion: - type: object - x-kubernetes-preserve-unknown-fields: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: apigatewaypolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: apigatewaypolicy - plural: apigatewaypolicies - singular: apigatewaypolicy - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - subresources: - status: {} - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - api_definition: - type: object - properties: - repository: - type: string - branch: 
- type: string - oas_secret_ref: - type: string - files: - type: array - items: - type: string - maxLength: 127 - api_proxy: - type: object - properties: - ipaddress: - type: string - port: - type: integer - protocol: - type: string - secret: - type: string - policies: - type: array - items: - type: object - properties: - name: - type: string - selector: - type: array - items: - type: object - properties: - tags: - type: array - items: - type: string - api: - type: string - method: - type: array - items: - type: string - maxLength: 127 - upstream: - type: object - properties: - service: - type: string - port: - type: integer - policy_bindings: - type: object - properties: - ratelimit: - type: object - properties: - name: - type: string - waf: - type: object - properties: - name: - type: string - rewritepolicy: - type: object - properties: - name: - type: string - bot: - type: object - properties: - name: - type: string - aaa: - type: array - items: - type: object - properties: - crd_name: - type: string - mappings: - type: array - items: - type: object - properties: - petstore_auth: - type: string - api_key: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: corspolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: corspolicy - plural: corspolicies - singular: corspolicy - shortNames: - - cp - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: 'Current Status of the CRD' - jsonPath: .status.state - - name: Message - type: string - description: 'Status Message' - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - 
properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'The list of Kubernetes services to which you want to apply the cors policies.' - type: array - items: - type: string - maxLength: 63 - allow_origin: - description: 'Represents list of allowed origins, it is used to screen the “origin” in the cors pre flight request' - type: array - items: - type: string - maxLength: 2083 - allow_methods: - description: 'Indicates which methods are supported by the response’s URL for the purposes of the CORS protocol. This variable will be used to set Access-Control-Allow-Methods in the pre-flight cors response.' - type: array - items: - type: string - maxLength: 127 - allow_headers: - description: 'Indicates which headers are supported by the response’s URL for the purposes of the CORS protocol. This variable will be used to set Access-Control-Allow-Headers in the pre-flight cors response.' - type: array - items: - type: string - maxLength: 127 - max_age: - description: 'Indicates the number of seconds (5 by default) the information provided by the `Access-Control-Allow-Methods` and `Access-Control-Allow-Headers` headers can be cached. This variable will be used to set Access-Control-Max-Age in the pre-flight cors response.' - type: integer - allow_credentials: - description: 'Indicates whether the response can be shared when the request’s credentials mode is "include". This variable will be set to Access-Control-Allow-Credentials in the rewrite action.' - type: boolean - required: [servicenames, allow_origin, allow_methods, allow_headers] ---- -{{- end }} 
diff --git a/charts/citrix/citrix-ingress-controller/1.19.600/templates/citrix-k8s-ingress.yaml b/charts/citrix/citrix-ingress-controller/1.19.600/templates/citrix-k8s-ingress.yaml
deleted file mode 100644
index 6e2ad38549..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.19.600/templates/citrix-k8s-ingress.yaml
+++ /dev/null
@@ -1,189 +0,0 @@ -{{- if .Values.openshift }} -apiVersion: apps.openshift.io/v1 -kind: DeploymentConfig -{{- else }} -apiVersion: apps/v1 -kind: Deployment -{{- end }} -metadata: - name: {{ include "citrix-ingress-controller.fullname" . }} -spec: - selector: -{{- if .Values.openshift }} - router: {{ include "citrix-ingress-controller.fullname" . }} -{{- else }} - matchLabels: - app: {{ include "citrix-ingress-controller.fullname" . }} -{{- end }} - replicas: 1 -{{- if .Values.openshift }} - strategy: - resources: {} - rollingParams: - intervalSeconds: 1 - maxSurge: 0 - maxUnavailable: 25% - timeoutSeconds: 600 - updatePeriodSeconds: 1 - type: Rolling -{{- end }} - template: - metadata: - name: cic - labels: -{{- if .Values.openshift }} - router: {{ include "citrix-ingress-controller.fullname" . }} -{{- else }} - app: {{ include "citrix-ingress-controller.fullname" . }} -{{- end }} - spec: - serviceAccountName: {{ include "citrix-ingress-controller.serviceAccountName" . }} - containers: - - name: cic - image: "{{ .Values.image }}" - imagePullPolicy: {{ .Values.pullPolicy }} - args: - - --configmap - {{ .Release.Namespace }}/{{ include "cicconfigmap.fullname" . 
}} -{{- if .Values.defaultSSLCertSecret }} - - --default-ssl-certificate - {{ .Release.Namespace }}/{{ .Values.defaultSSLCertSecret }} -{{- end }} -{{- if .Values.ingressClass }} - - --ingress-class -{{- range .Values.ingressClass}} - {{.}} -{{- end }} -{{- end }} -{{- if .Values.serviceClass }} - - --service-classes -{{- range .Values.serviceClass}} - {{.}} -{{- end }} -{{- end }} - - --feature-node-watch - {{ .Values.nodeWatch }} - - --enable-cnc-pbr - {{ .Values.cncPbr }} -{{- if .Values.ipam }} - - --ipam - citrix-ipam-controller -{{- end }} -{{- if .Values.updateIngressStatus }} - - --update-ingress-status - yes -{{- end }} - env: - - name: "NS_IP" - value: "{{ .Values.nsIP }}" -{{- if .Values.nsVIP }} - - name: "NS_VIP" - value: "{{ .Values.nsVIP }}" -{{- end }} - - name: "NS_USER" - valueFrom: - secretKeyRef: - name: {{ .Values.adcCredentialSecret }} - key: username - - name: "NS_PASSWORD" - valueFrom: - secretKeyRef: - name: {{ .Values.adcCredentialSecret }} - key: password - - name: "EULA" - value: "{{ .Values.license.accept }}" -{{- if and .Values.openshift .Values.routeLabels }} - - name: "ROUTE_LABELS" - value: {{ .Values.routeLabels | quote}} -{{- end }} -{{- if and .Values.openshift .Values.namespaceLabels }} - - name: "NAMESPACE_LABELS" - value: {{ .Values.namespaceLabels | quote }} -{{- end }} - - name: "NS_APPS_NAME_PREFIX" - value: {{ .Values.entityPrefix | default "k8s"}} -{{- if .Values.kubernetesURL }} - - name: "kubernetes_url" - value: "{{ .Values.kubernetesURL }}" -{{- end }} -{{- if .Values.clusterName }} - - name: "CLUSTER_NAME" - value: "{{ .Values.clusterName }}" -{{- end }} -{{- if .Values.logProxy }} - - name: "NS_LOGPROXY" - value: "{{ .Values.logProxy }}" -{{- end }} -{{- if .Values.exporter.required }} - - name: exporter - image: "{{ .Values.exporter.image }}" - imagePullPolicy: {{ .Values.exporter.pullPolicy }} - args: - - "--target-nsip={{ .Values.nsIP }}" - - "--port={{ .Values.exporter.ports.containerPort }}" - volumeMounts: - - 
name: nslogin - mountPath: "/mnt/nslogin" - readOnly: true - securityContext: - readOnlyRootFilesystem: true - volumes: - - name: nslogin - secret: - secretName: {{ .Values.adcCredentialSecret }} -{{- end }} -{{- if and .Values.nodeSelector.key .Values.nodeSelector.value }} - nodeSelector: - {{ .Values.nodeSelector.key }}: {{ .Values.nodeSelector.value }} -{{- end }} -{{- if .Values.tolerations }} - tolerations: {{ .Values.tolerations | toYaml | nindent 8 }} -{{- end }} - ---- - -{{- if .Values.exporter.required }} - - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "exporter.fullname" . }} - labels: - app: {{ include "exporter.fullname" . }} - service-type: {{ include "servicemonitorlabel" . }} -spec: - type: ClusterIP - ports: - - port: {{ .Values.exporter.ports.containerPort }} - targetPort: {{ .Values.exporter.ports.containerPort }} - name: exporter-port - selector: -{{- if .Values.openshift }} - router: {{ include "citrix-ingress-controller.fullname" . }} -{{- else }} - app: {{ include "citrix-ingress-controller.fullname" . }} -{{- end }} - ---- - -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ include "servicemonitor.fullname" . }} - labels: - servicemonitor: citrix-adc -spec: - endpoints: - - interval: 30s - port: exporter-port - selector: - matchLabels: - service-type: {{ include "servicemonitorlabel" . }} - namespaceSelector: - matchNames: - - monitoring - - default - - {{ .Release.Namespace }} - -{{- end }} diff --git a/charts/citrix/citrix-ingress-controller/1.19.600/templates/configmap.yaml b/charts/citrix/citrix-ingress-controller/1.19.600/templates/configmap.yaml deleted file mode 100644 index c5042b9c51..0000000000 --- a/charts/citrix/citrix-ingress-controller/1.19.600/templates/configmap.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "cicconfigmap.fullname" . }} -data: - LOGLEVEL: {{ .Values.logLevel | quote | lower }} - NS_PROTOCOL: {{ .Values.nsProtocol | quote | lower }} - NS_PORT: {{ .Values.nsPort | quote }} -{{- if .Values.nsSNIPS }} - NS_SNIPS: {{ .Values.nsSNIPS | toJson}} -{{- end }} -{{- if .Values.podIPsforServiceGroupMembers }} - POD_IPS_FOR_SERVICEGROUP_MEMBERS: {{ .Values.podIPsforServiceGroupMembers | quote }} -{{- end }} -{{- if .Values.ignoreNodeExternalIP }} - IGNORE_NODE_EXTERNAL_IP: {{ .Values.ignoreNodeExternalIP | quote }} -{{- end }} - -{{- if ne (upper .Values.nsHTTP2ServerSide) "OFF" }} - NS_HTTP2_SERVER_SIDE: {{ .Values.nsHTTP2ServerSide | quote }} -{{- end }} -{{- if ne (toString .Values.nsCookieVersion) "0" }} - NS_COOKIE_VERSION: {{ .Values.nsCookieVersion | quote }} -{{- end }} - -{{- if .Values.coeConfig.required }} - NS_ANALYTICS_CONFIG: | - distributed_tracing: - enable: {{ .Values.coeConfig.distributedTracing.enable | quote }} - samplingrate: {{ .Values.coeConfig.distributedTracing.samplingrate }} - endpoint: - server: {{ include "analytics.server" . | quote }} - timeseries: - port: {{ .Values.coeConfig.timeseries.port }} - metrics: - enable: {{ .Values.coeConfig.timeseries.metrics.enable | quote }} - mode: {{ .Values.coeConfig.timeseries.metrics.mode | quote }} - auditlogs: - enable: {{ .Values.coeConfig.timeseries.auditlogs.enable | quote }} - events: - enable: {{ .Values.coeConfig.timeseries.events.enable | quote }} - transactions: - enable: {{ .Values.coeConfig.transactions.enable | quote }} - port: {{ .Values.coeConfig.transactions.port }} -{{- end }} diff --git a/charts/citrix/citrix-ingress-controller/1.19.600/templates/ingressclass.yaml b/charts/citrix/citrix-ingress-controller/1.19.600/templates/ingressclass.yaml deleted file mode 100644 index d75537b79f..0000000000 --- a/charts/citrix/citrix-ingress-controller/1.19.600/templates/ingressclass.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -{{- $default := .Values.setAsDefaultIngressClass -}} -{{- if semverCompare ">=1.19.0-0" .Capabilities.KubeVersion.GitVersion }} -{{- if .Values.ingressClass }} -{{- range .Values.ingressClass }} -apiVersion: networking.k8s.io/v1 -kind: IngressClass -metadata: - name: {{ . | quote }} -{{- if $default }} - annotations: - ingressclass.kubernetes.io/is-default-class: "true" -{{- end }} -spec: - controller: citrix.com/ingress-controller ---- -{{- end }} -{{- end }} -{{- end }} diff --git a/charts/citrix/citrix-ingress-controller/1.19.600/templates/rbac.yaml b/charts/citrix/citrix-ingress-controller/1.19.600/templates/rbac.yaml deleted file mode 100644 index 64d26c24a9..0000000000 --- a/charts/citrix/citrix-ingress-controller/1.19.600/templates/rbac.yaml +++ /dev/null 
@@ -1,86 +0,0 @@ -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "citrix-ingress-controller.serviceAccountName" . }} -rules: - - apiGroups: [""] -{{- if .Values.openshift }} - resources: ["endpoints", "pods", "secrets", "routes", "tokenreviews", "subjectaccessreviews", "nodes", "namespaces", "configmaps", "services"] -{{- else }} - resources: ["endpoints", "pods", "secrets", "routes", "nodes", "namespaces", "configmaps", "services"] -{{- end }} - verbs: ["get", "list", "watch"] - # services/status is needed to update the loadbalancer IP in service status for integrating - # service of type LoadBalancer with external-dns - - apiGroups: [""] - resources: ["services/status"] - verbs: ["patch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create"] - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["extensions","networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["patch"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingressclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apps"] - resources: ["deployments"] - verbs: ["get", "list", "watch"] - - apiGroups: ["citrix.com"] - resources: ["rewritepolicies", "continuousdeployments", "authpolicies", "ratelimits", "listeners", "httproutes", "wafs", "apigatewaypolicies", "bots", "corspolicies"] - verbs: ["get", "list", "watch", "create", "delete", "patch"] - - apiGroups: ["citrix.com"] - resources: ["rewritepolicies/status", "continuousdeployments/status", "authpolicies/status", "ratelimits/status", "listeners/status", "httproutes/status", "wafs/status", "apigatewaypolicies/status", "bots/status", "corspolicies/status"] - verbs: ["patch"] - - apiGroups: ["citrix.com"] - resources: ["vips"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: 
["crd.projectcalico.org"] - resources: ["ipamblocks"] - verbs: ["get", "list", "watch"] -{{- if .Values.openshift }} - - apiGroups: ["route.openshift.io"] - resources: ["routes"] - verbs: ["get", "list", "watch"] - - apiGroups: ["network.openshift.io"] - resources: ["hostsubnets"] - verbs: ["get", "list", "watch"] -{{- end }} - ---- - -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "citrix-ingress-controller.serviceAccountName" . }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ include "citrix-ingress-controller.serviceAccountName" . }} -subjects: -- kind: ServiceAccount - name: {{ include "citrix-ingress-controller.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "citrix-ingress-controller.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- if .Values.imagePullSecrets }} -imagePullSecrets: -{{- range .Values.imagePullSecrets }} -- name: {{.}} -{{- end }} -{{- end }} - ---- diff --git a/charts/citrix/citrix-ingress-controller/1.19.600/values.yaml b/charts/citrix/citrix-ingress-controller/1.19.600/values.yaml deleted file mode 100644 index 094912b67a..0000000000 --- a/charts/citrix/citrix-ingress-controller/1.19.600/values.yaml +++ /dev/null 
@@ -1,82 +0,0 @@ -# Default values for citrix-ingress-controller. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -# Citrix Ingress Controller config details -image: quay.io/citrix/citrix-k8s-ingress-controller:1.19.6 -pullPolicy: IfNotPresent -imagePullSecrets: [] -openshift: false -adcCredentialSecret: -nsIP: x.x.x.x -nsVIP: -nsSNIPS: -license: - accept: no -nsPort: 443 -nsProtocol: HTTPS -logLevel: INFO -entityPrefix: -kubernetesURL: -clusterName: -ingressClass: -setAsDefaultIngressClass: False -serviceClass: -defaultSSLCertSecret: -podIPsforServiceGroupMembers: False -ignoreNodeExternalIP: False -ipam: False -logProxy: -nodeWatch: false -cncPbr: False -nodeSelector: - key: - value: -tolerations: [] -updateIngressStatus: False -nsHTTP2ServerSide: "OFF" -nsCookieVersion: "0" - -routeLabels: -namespaceLabels: - -# Exporter config details -exporter: - required: false - image: quay.io/citrix/citrix-adc-metrics-exporter:1.4.9 - pullPolicy: IfNotPresent - ports: - containerPort: 8888 - -# For CRDs supported by Citrix Ingress Controller -crds: - install: false - retainOnDelete: false - -# Config required to be done by Citrix Ingress Controller for sending metrics to Citrix Observability Exporter -coeConfig: - required: false - distributedTracing: - enable: false - samplingrate: 100 - endpoint: - server: - timeseries: - port: 30002 - metrics: - enable: false - mode: 'avro' - auditlogs: - enable: false - events: - enable: false - transactions: - enable: false - port: 30001 - -# Specifies whether a ServiceAccount should be created -serviceAccount: - create: true - # The name of the ServiceAccount to use. - # If not set and `create` is true, a name is generated using the fullname template - # name: diff --git a/charts/citrix/citrix-ingress-controller/1.27.15/Chart.yaml b/charts/citrix/citrix-ingress-controller/1.27.15/Chart.yaml deleted file mode 100644 index ef41253a62..0000000000 
--- a/charts/citrix/citrix-ingress-controller/1.27.15/Chart.yaml +++ /dev/null @@ -1,21 +0,0 @@ -annotations: - catalog.cattle.io/certified: partner - catalog.cattle.io/display-name: Citrix Ingress Controller - catalog.cattle.io/kube-version: '>=v1.16.0-0' - catalog.cattle.io/release-name: citrix-ingress-controller -apiVersion: v2 -appVersion: 1.27.15 -deprecated: true -description: A Helm chart for Citrix Ingress Controller configuring MPX/VPX. -home: https://www.citrix.com -icon: https://raw.githubusercontent.com/citrix/citrix-helm-charts/gh-pages/icon.png -kubeVersion: '>=v1.16.0-0' -maintainers: -- email: priyanka.sharma@citrix.com - name: priyankash-citrix -- email: subash.dangol@citrix.com - name: subashd -name: citrix-ingress-controller -sources: -- https://github.com/citrix/citrix-k8s-ingress-controller -version: 1.27.15 diff --git a/charts/citrix/citrix-ingress-controller/1.27.15/README.md b/charts/citrix/citrix-ingress-controller/1.27.15/README.md deleted file mode 100644 index 1ae3c07dce..0000000000 --- a/charts/citrix/citrix-ingress-controller/1.27.15/README.md +++ /dev/null 
@@ -1,492 +0,0 @@ -# Citrix Ingress Controller - -[Citrix](https://www.citrix.com/en-in/) provides an Ingress Controller for Citrix ADC MPX (hardware), Citrix ADC VPX (virtualized), and [Citrix ADC CPX](https://docs.citrix.com/en-us/citrix-adc-cpx/13/about.html) (containerized) for [bare metal](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/deployment/baremetal) and [cloud](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/deployment) deployments. It configures one or more Citrix ADC based on the Ingress resource configuration in [Kubernetes](https://kubernetes.io/) or in [OpenShift](https://www.openshift.com) cluster. - -## TL;DR; - -### For Kubernetes - ``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install cic citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret= - ``` - - To install Citrix Provided Custom Resource Definition(CRDs) along with Citrix Ingress Controller - ``` - helm install cic citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,crds.install=true - ``` - -### For OpenShift - - ``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install cic citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,openshift=true - ``` - - To install Citrix Provided Custom Resource Definition(CRDs) along with Citrix Ingress Controller - ``` - helm install cic citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,openshift=true,crds.install=true - ``` - -> **Important:** -> -> The `license.accept` argument is mandatory. Ensure that you set the value as `yes` to accept the terms and conditions of the Citrix license. - -## Introduction -This Helm chart deploys Citrix ingress controller in the [Kubernetes](https://kubernetes.io) or in the [Openshift](https://www.openshift.com) cluster using [Helm](https://helm.sh) package manager. 
- -### Prerequisites - -- The [Kubernetes](https://kubernetes.io/) version should be 1.16 and above if using Kubernetes environment. -- The [Openshift](https://www.openshift.com) version 4.8 or later if using OpenShift platform. -- The [Helm](https://helm.sh/) version 3.x or later. You can follow instruction given [here](https://github.com/citrix/citrix-helm-charts/blob/master/Helm_Installation_version_3.md) to install the same. -- You determine the NS_IP IP address needed by the controller to communicate with Citrix ADC. The IP address might be anyone of the following depending on the type of Citrix ADC deployment: - - - (Standalone appliances) NSIP - The management IP address of a standalone Citrix ADC appliance. For more information, see [IP Addressing in Citrix ADC](https://docs.citrix.com/en-us/citrix-adc/12-1/networking/ip-addressing.html). - - - (Appliances in High Availability mode) SNIP - The subnet IP address. For more information, see [IP Addressing in Citrix ADC](https://docs.citrix.com/en-us/citrix-adc/12-1/networking/ip-addressing.html). - - - (Appliances in Clustered mode) CLIP - The cluster management IP (CLIP) address for a clustered Citrix ADC deployment. For more information, see [IP addressing for a cluster](https://docs.citrix.com/en-us/citrix-adc/12-1/clustering/cluster-overview/ip-addressing.html). - -- You have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator), if you want to view the metrics of the Citrix ADC CPX collected by the [metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics). - -- The user name and password of the Citrix ADC VPX or MPX appliance used as the ingress device. The Citrix ADC appliance needs to have system user account (non-default) with certain privileges so that Citrix ingress controller can configure the Citrix ADC VPX or MPX appliance. 
For instructions to create the system user account on Citrix ADC, see [Create System User Account for CIC in Citrix ADC](#create-system-user-account-for-cic-in-citrix-adc). - - You can pass user name and password using Kubernetes secrets. Create a Kubernetes secret for the user name and password using the following command: - - ``` - kubectl create secret generic nslogin --from-literal=username='cic' --from-literal=password='mypassword' - ``` - -#### Create system User account for Citrix ingress controller in Citrix ADC - -Citrix ingress controller configures the Citrix ADC using a system user account of the Citrix ADC. The system user account should have certain privileges so that the CIC has permission configure the following on the Citrix ADC: - -- Add, Delete, or View Content Switching (CS) virtual server -- Configure CS policies and actions -- Configure Load Balancing (LB) virtual server -- Configure Service groups -- Cofigure SSl certkeys -- Configure routes -- Configure user monitors -- Add system file (for uploading SSL certkeys from Kubernetes) -- Configure Virtual IP address (VIP) -- Check the status of the Citrix ADC appliance - -> **Note:** -> -> The system user account would have privileges based on the command policy that you define. - -To create the system user account, do the following: - -1. Log on to the Citrix ADC appliance. Perform the following: - 1. Use an SSH client, such as PuTTy, to open an SSH connection to the Citrix ADC appliance. - - 2. Log on to the appliance by using the administrator credentials. - -2. Create the system user account using the following command: - - ``` - add system user - ``` - - For example: - - ``` - add system user cic mypassword - ``` - -3. Create a policy to provide required permissions to the system user account. 
Use the following command: - - ``` - add cmdpolicy cic-policy ALLOW '^(\?!shell)(\?!sftp)(\?!scp)(\?!batch)(\?!source)(\?!.*superuser)(\?!.*nsroot)(\?!install)(\?!show\s+system\s+(user|cmdPolicy|file))(\?!(set|add|rm|create|export|kill)\s+system)(\?!(unbind|bind)\s+system\s+(user|group))(\?!diff\s+ns\s+config)(\?!(set|unset|add|rm|bind|unbind|switch)\s+ns\s+partition).*|(^install\s*(wi|wf))|(^\S+\s+system\s+file)^(\?!shell)(\?!sftp)(\?!scp)(\?!batch)(\?!source)(\?!.*superuser)(\?!.*nsroot)(\?!install)(\?!show\s+system\s+(user|cmdPolicy|file))(\?!(set|add|rm|create|export|kill)\s+system)(\?!(unbind|bind)\s+system\s+(user|group))(\?!diff\s+ns\s+config)(\?!(set|unset|add|rm|bind|unbind|switch)\s+ns\s+partition).*|(^install\s*(wi|wf))|(^\S+\s+system\s+file)' - ``` - - **Note**: The system user account would have privileges based on the command policy that you define. - The command policy mentioned in ***step 3*** is similar to the built-in `sysAdmin` command policy with another permission to upload files. - - The command policy spec provided above have already escaped special characters for easier copy pasting into the Citrix ADC command line. - - For configuring the command policy from Citrix ADC Configuration Wizard (GUI), use the below command policy spec. - - ``` - ^(?!shell)(?!sftp)(?!scp)(?!batch)(?!source)(?!.*superuser)(?!.*nsroot)(?!install)(?!show\s+system\s+(user|cmdPolicy|file))(?!(set|add|rm|create|export|kill)\s+system)(?!(unbind|bind)\s+system\s+(user|group))(?!diff\s+ns\s+config)(?!(set|unset|add|rm|bind|unbind|switch)\s+ns\s+partition).*|(^install\s*(wi|wf))|(^\S+\s+system\s+file)^(?!shell)(?!sftp)(?!scp)(?!batch)(?!source)(?!.*superuser)(?!.*nsroot)(?!install)(?!show\s+system\s+(user|cmdPolicy|file))(?!(set|add|rm|create|export|kill)\s+system)(?!(unbind|bind)\s+system\s+(user|group))(?!diff\s+ns\s+config)(?!(set|unset|add|rm|bind|unbind|switch)\s+ns\s+partition).*|(^install\s*(wi|wf))|(^\S+\s+system\s+file) - ``` - -4. 
Bind the policy to the system user account using the following command: - - ``` - bind system user cic cic-policy 0 - ``` - -## Installing the Chart -Add the Citrix Ingress Controller helm chart repository using command: - -``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ -``` - -### For Kubernetes: -#### 1. Citrix Ingress Controller -To install the chart with the release name, `my-release`, use the following command: - ``` - helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,ingressClass[0]= - ``` - -> **Note:** -> -> By default the chart installs the recommended [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) roles and role bindings. - -The command deploys Citrix ingress controller on Kubernetes cluster with the default configuration. The [configuration](#configuration) section lists the mandatory and optional parameters that you can configure during installation. - -#### 2. Citrix Ingress Controller with Exporter -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed along with Citrix ingress controller and collects metrics from the Citrix ADC instances. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. - -> **Note:** -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). 
- -Use the following command for this: - ``` - helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,ingressClass[0]=,exporter.required=true - ``` - -### For Openshift: -Add the name of the service account created when the chart is deployed to the privileged Security Context Constraints of OpenShift: - - ``` - oc adm policy add-scc-to-user privileged system:serviceaccount:: - ``` - -#### 1. Citrix Ingress Controller -To install the chart with the release name, `my-release`, use the following command: - ``` - helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,openshift=true - ``` - -The command deploys Citrix ingress controller on your Openshift cluster in the default configuration. The [configuration](#configuration) section lists the mandatory and optional parameters that you can configure during installation. - -#### 2. Citrix Ingress Controller with Exporter -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed along with Citrix ingress controller and collects metrics from the Citrix ADC instances. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. 
- -> **Note:** -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator) - -Use the following command for this: - ``` - helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,openshift=true,exporter.required=true - ``` - -### Installed components - -The following components are installed: - -- [Citrix ingress controller](https://github.com/citrix/citrix-k8s-ingress-controller) -- [Exporter](https://github.com/citrix/citrix-adc-metrics-exporter) (if enabled) - -## Configuration for ServiceGraph: - If Citrix ADC VPX/MPX need to send data to the Citrix ADM to bring up the servicegraph, then the below steps can be followed to install Citrix ingress controller for Citrix ADC VPX/MPX. Citrix ingress controller configures Citrix ADC VPX/MPX with the configuration required for servicegraph. - - 1. Create secret using Citrix ADC VPX credentials, which will be used by Citrix ingress controller for configuring Citrix ADC VPX/MPX: - - kubectl create secret generic nslogin --from-literal=username='cic' --from-literal=password='mypassword' - - 2. Deploy Citrix ingress controller using helm command: - - helm install my-release citrix/citrix-ingress-controller --set nsIP=,nsVIP=,license.accept=yes,adcCredentialSecret=,analyticsConfig.required=true,analyticsConfig.timeseries.metrics.enable=true,analyticsConfig.timeseries.port=5563,analyticsConfig.distributedTracing.enable=true,analyticsConfig.transactions.enable=true,analyticsConfig.transactions.port=5557,analyticsConfig.endpoint.server= - -> **Note:** -> If container agent is being used here for Citrix ADM, please provide `podIP` of container agent in the `analyticsConfig.endpoint.server` parameter. - -## CRDs configuration - -CRDs can be installed/upgraded when we install/upgrade Citrix ingress controller using `crds.install=true` parameter in Helm. If you do not want to install CRDs, then set the option `crds.install` to `false`. 
By default, CRDs too get deleted if you uninstall through Helm. This means, even the CustomResource objects created by the customer will get deleted. If you want to avoid this data loss set `crds.retainOnDelete` to `true`. - -> **Note:** -> Installing again may fail due to the presence of CRDs. Make sure that you back up all CustomResource objects and clean up CRDs before re-installing Citrix Ingress Controller. - -There are a few examples of how to use these CRDs, which are placed in the folder: [Example-CRDs](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds). Refer to them and install as needed, using the following command: -```kubectl create -f ``` - -### Details of the supported CRDs: - -#### authpolicies CRD: - -Authentication policies are used to enforce access restrictions to resources hosted by an application or an API server. - -Citrix provides a Kubernetes CustomResourceDefinitions (CRDs) called the [Auth CRD](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/auth) that you can use with the Citrix ingress controller to define authentication policies on the ingress Citrix ADC. - -Example file: [auth_example.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/auth_example.yaml) - -#### continuousdeployments CRD for canary: - -Canary release is a technique to reduce the risk of introducing a new software version in production by first rolling out the change to a small subset of users. After user validation, the application is rolled out to the larger set of users. Citrix ADC-Integrated [Canary Deployment solution](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/canary) stitches together all components of continuous delivery (CD) and makes canary deployment easier for the application developers. 
- -#### httproutes and listeners CRDs for contentrouting: - -[Content Routing (CR)](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/contentrouting) is the execution of defined rules that determine the placement and configuration of network traffic between users and web applications, based on the content being sent. For example, a pattern in the URL or header fields of the request. - -Example files: [HTTPRoute_crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/HTTPRoute_crd.yaml), [Listener_crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/Listener_crd.yaml) - -#### ratelimits CRD: - -In a Kubernetes deployment, you can [rate limit the requests](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/ratelimit) to the resources on the back end server or services using rate limiting feature provided by the ingress Citrix ADC. - -Example files: [ratelimit-example1.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/ratelimit-example1.yaml), [ratelimit-example2.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/ratelimit-example2.yaml) - -#### vips CRD: - -Citrix provides a CustomResourceDefinitions (CRD) called [VIP](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/vip) for asynchronous communication between the IPAM controller and Citrix ingress controller. - -The IPAM controller is provided by Citrix for IP address management. It allocates IP address to the service from a defined IP address range. The Citrix ingress controller configures the IP address allocated to the service as virtual IP (VIP) in Citrix ADX VPX. And, the service is exposed using the IP address. - -When a new service is created, the Citrix ingress controller creates a CRD object for the service with an empty IP address field. 
The IPAM Controller listens to addition, deletion, or modification of the CRD and updates it with an IP address to the CRD. Once the CRD object is updated, the Citrix ingress controller automatically configures Citrix ADC-specfic configuration in the tier-1 Citrix ADC VPX. - -#### rewritepolicies CRD: - -In kubernetes environment, to deploy specific layer 7 policies to handle scenarios such as, redirecting HTTP traffic to a specific URL, blocking a set of IP addresses to mitigate DDoS attacks, imposing HTTP to HTTPS and so on, requires you to add appropriate libraries within the microservices and manually configure the policies. Instead, you can use the [Rewrite and Responder features](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/crd/rewrite-responder-policies-deployment.yaml) provided by the Ingress Citrix ADC device to deploy these policies. - -Example files: [target-url-rewrite.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/target-url-rewrite.yaml) - -#### wafs CRD: - -[WAF CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/waf.md) can be used to configure the web application firewall policies with the Citrix ingress controller on the Citrix ADC VPX, MPX, SDX, and CPX. The WAF CRD enables communication between the Citrix ingress controller and Citrix ADC for enforcing web application firewall policies. - -In a Kubernetes deployment, you can enforce a web application firewall policy to protect the server using the WAF CRD. For more information about web application firewall, see [Web application security](https://docs.citrix.com/en-us/citrix-adc/13/application-firewall/introduction/web-application-security.html). - -Example files: [wafhtmlxsssql.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/wafhtmlxsssql.yaml) - -#### apigateway CRD: - -API Gateway CRD is used to configure gitops framework on citrix API gateway. 
This solution enables citrix ingress controller to generate API gateway configurations out of Open API Specification documents checked in to git repository by API developers and designers. - -Example files: [api-gateway-crd-instance.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/api-gateway-crd-instance.yaml) -#### bots CRD: - -[BOT CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/bot.md) You can use Bot CRDs to configure the bot management policies with the Citrix ingress controller on the Citrix ADC VPX. The Bot custom resource definition enables communication between the Citrix ingress controller and Citrix ADC for enforcing bot management policies. - -In a Kubernetes deployment, you can enforce bot management policy on therequests and responses from and to the server using the Bot CRDs. For more information on security vulnerabilities, see [Bot Detection](https://docs.citrix.com/en-us/citrix-adc/current-release/bot-management/bot-detection.html). - -Example files: [botallowlist.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/botallowlist.yaml) - -#### CORS CRD: - -[CORS CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/cors.md) Cross-origin resource sharing (CORS) is a mechanism allows a web application running under one domain to securely access resources in another domain. You can configure CORS policies on Citrix ADC using Citrix ingress controller to allow one domain (the origin domain) to call APIs in another domain. For more information, see the [cross-origin resource sharing CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/cors.md) documentation. 
- -Example files: [cors-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/corspolicy-example.yaml) - -#### APPQOE CRD: - -[APPQOE CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/appqoe.md) When a Citrix ADC appliance receives an HTTP request and forwards it to a back-end server, sometimes there may be connection failures with the back-end server. You can configure the request-retry feature on Citrix ADC to forward the request to the next available server, instead of sending the reset to the client. Hence, the client saves round trip time when Citrix ADC initiates the same request to the next available service. -For more information, see the AppQoE support documentation. [Appqoe resource sharing CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/appqoe.md) documentation. - -Example files: [appqoe-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/appqoe_example.yaml) - -#### WILDCARDDNS CRD: - -[WILDCARDDNS CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/wildcarddns.md) Wildcard DNS domains are used to handle requests for nonexistent domains and subdomains. In a zone, use wildcard domains to redirect queries for all nonexistent domains or subdomains to a particular server, instead of creating a separate Resource Record (RR) for each domain. The most common use of a wildcard DNS domain is to create a zone that can be used to forward mail from the internet to some other mail system. -For more information, see the Wild card DNS domains support documentation. [Wildcard DNS Entry CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/wildcarddns.md) documentation. 
- -Example files: [wildcarddns-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/wildcarddns-example.yaml) - -### Tolerations - -Taints are applied on cluster nodes whereas tolerations are applied on pods. Tolerations enable pods to be scheduled on node with matching taints. For more information see [Taints and Tolerations in Kubernetes](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/). - -Toleration can be applied to Citrix ingress controller pod using `tolerations` argument while deploying CIC using helm chart. This argument takes list of tolerations that user need to apply on the CIC pods. - -For example, following command can be used to apply toleration on the CIC pod: - -``` -helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,tolerations[0].key=,tolerations[0].value=,tolerations[0].operator=,tolerations[0].effect= -``` - -Here tolerations[0].key, tolerations[0].value and tolerations[0].effect are the key, value and effect that was used while tainting the node. -Effect represents what should happen to the pod if the pod don't have any matching toleration. It can have values `NoSchedule`, `NoExecute` and `PreferNoSchedule`. -Operator represents the operation to be used for key and value comparison between taint and tolerations. It can have values `Exists` and `Equal`. The default value for operator is `Equal`. - - - -### Configuration - -The following table lists the mandatory and optional parameters that you can configure during installation: - -| Parameters | Mandatory or Optional | Default value | Description | -| --------- | --------------------- | ------------- | ----------- | -| license.accept | Mandatory | no | Set `yes` to accept the CIC end user license agreement. 
| -| imageRegistry | Mandatory | `quay.io` | The Citrix ingress controller image registry | -| imageRepository | Mandatory | `citrix/citrix-k8s-ingress-controller` | The Citrix ingress controller image repository | -| imageTag | Mandatory | `1.27.15` | The Citrix ingress controller image tag | -| pullPolicy | Mandatory | IfNotPresent | The CIC image pull policy. | -| imagePullSecrets | Optional | N/A | Provide list of Kubernetes secrets to be used for pulling the images from a private Docker registry or repository. For more information on how to create this secret please see [Pull an Image from a Private Registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/). | -| nameOverride | Optional | N/A | String to partially override deployment fullname template with a string (will prepend the release name) | -| fullNameOverride | Optional | N/A | String to fully override deployment fullname template with a string | -| resources | Optional | {} | CPU/Memory resource requests/limits for Citrix Ingress Controller container | -| adcCredentialSecret | Mandatory | N/A | The secret key to log on to the Citrix ADC VPX or MPX. For information on how to create the secret keys, see [Prerequisites](#prerequistes). | -| secretStore.enabled | Optional | False | Set to "True" for deploying other Secret Provider classes | -| secretStore.username | Optional | N/A | if `secretStore.enabled`, `username` of ADC will be fetched from the Secret Provider | -| secretStore.password | Optional | N/A | if `secretStore.enabled`, `password` of ADC will be fetched from the Secret Provider | -| nsIP | Mandatory | N/A | The IP address of the Citrix ADC device. For details, see [Prerequisites](#prerequistes). | -| nsVIP | Optional | N/A | The Virtual IP address on the Citrix ADC device. 
| -| nsSNIPS | Optional | N/A | The list of subnet IPAddresses on the Citrix ADC device, which will be used to create PBR Routes instead of Static Routes [PBR support](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/docs/how-to/pbr.md) | -| nsPort | Optional | 443 | The port used by CIC to communicate with Citrix ADC. You can use port 80 for HTTP. | -| nsProtocol | Optional | HTTPS | The protocol used by CIC to communicate with Citrix ADC. You can also use HTTP on port 80. | -| nsEnableLabel | Optional | True | Set to true for plotting Servicegraph. Ensure ``analyticsConfig` are set. | -| nitroReadTimeout | Optional | 20 | The nitro Read timeout in seconds, defaults to 20 | -| logLevel | Optional | DEBUG | The loglevel to control the logs generated by CIC. The supported loglevels are: CRITICAL, ERROR, WARNING, INFO, DEBUG and TRACE. For more information, see [Logging](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/configure/log-levels.md).| -| jsonLog | Optional | false | Set this argument to true if log messages are required in JSON format | -| nsConfigDnsRec | Optional | false | To enable/disable DNS address Record addition in ADC through Ingress | -| nsSvcLbDnsRec | Optional | false | To enable/disable DNS address Record addition in ADC through Type Load Balancer Service | -| nsDnsNameserver | Optional | N/A | To add DNS Nameservers in ADC | -| optimizeEndpointBinding | Optional | false | To enable/disable binding of backend endpoints to servicegroup in a single API-call. Recommended when endpoints(pods) per application are large in number. Applicable only for Citrix ADC Version >=13.0-45.7 | -| kubernetesURL | Optional | N/A | The kube-apiserver url that CIC uses to register the events. If the value is not specified, CIC uses the [internal kube-apiserver IP address](https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod). 
| -| clusterName | Optional | N/A | The unique identifier of the kubernetes cluster on which the CIC is deployed. Used in multi-cluster deployments. | -| ingressClass | Optional | N/A | If multiple ingress load balancers are used to load balance different ingress resources. You can use this parameter to specify CIC to configure Citrix ADC associated with specific ingress class. For more information on Ingress class, see [Ingress class support](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/configure/ingress-classes/). For Kubernetes version >= 1.19, this will create an IngressClass object with the name specified here | -| setAsDefaultIngressClass | Optional | False | Set the IngressClass object as default ingress class. New Ingresses without an "ingressClassName" field specified will be assigned the class specified in ingressClass. Applicable only for kubernetes versions >= 1.19 | -| serviceClass | Optional | N/A | By Default ingress controller configures all TypeLB Service on the ADC. You can use this parameter to finetune this behavior by specifing CIC to only configure TypeLB Service with specific service class. For more information on Service class, see [Service class support](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/configure/service-classes/). | -| nodeWatch | Optional | false | Use the argument if you want to automatically configure network route from the Ingress Citrix ADC VPX or MPX to the pods in the Kubernetes cluster. For more information, see [Automatically configure route on the Citrix ADC instance](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/network/staticrouting/#automatically-configure-route-on-the-citrix-adc-instance). | -| cncPbr | Optional | False | Use this argument to inform CIC that Citrix Node Controller(CNC) is configuring Policy Based Routes(PBR) on the Citrix ADC. 
For more information, see [CNC-PBR-SUPPORT](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/docs/how-to/pbr.md#configure-pbr-using-the-citrix-node-controller) | -| defaultSSLCertSecret | Optional | N/A | Provide Kubernetes secret name that needs to be used as a default non-SNI certificate in Citrix ADC. | -| podIPsforServiceGroupMembers | Optional | False | By default Citrix Ingress Controller will add NodeIP and NodePort as service group members while configuring type LoadBalancer Services and NodePort services. This variable if set to `True` will change the behaviour to add pod IP and Pod port instead of nodeIP and nodePort. Users can set this to `True` if there is a route between ADC and K8s clusters internal pods either using feature-node-watch argument or using Citrix Node Controller. | -| ignoreNodeExternalIP | Optional | False | While adding NodeIP, as Service group members for type LoadBalancer services or NodePort services, Citrix Ingress Controller has a selection criteria whereas it choose Node ExternalIP if available and Node InternalIP, if Node ExternalIP is not present. But some users may want to use Node InternalIP over Node ExternalIP even if Node ExternalIP is present. If this variable is set to `True`, then it prioritises the Node Internal IP to be used for service group members even if node ExternalIP is present | -| nsHTTP2ServerSide | Optional | OFF | Set this argument to `ON` for enabling HTTP2 for Citrix ADC service group configurations. | -| nsCookieVersion | Optional | 0 | Specify the persistence cookie version (0 or 1). | -| ipam | Optional | False | Set this argument if you want to use the IPAM controller to automatically allocate an IP address to the service of type LoadBalancer. | -| disableAPIServerCertVerify | Optional | False | Set this parameter to True for disabling API Server certificate verification. 
| -| logProxy | Optional | N/A | Provide Elasticsearch or Kafka or Zipkin endpoint for Citrix observability exporter. | -| entityPrefix | Optional | k8s | The prefix for the resources on the Citrix ADC VPX/MPX. | -| updateIngressStatus | Optional | True | Set this argurment if `Status.LoadBalancer.Ingress` field of the Ingress resources managed by the Citrix ingress controller needs to be updated with allocated IP addresses. For more information see [this](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/configure/ingress-classes.md#updating-the-ingress-status-for-the-ingress-resources-with-the-specified-ip-address). | -| routeLabels | Optional | N/A | You can use this parameter to provide the route labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster. | -| namespaceLabels | Optional | N/A | You can use this parameter to provide the namespace labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster. | -| podAnnotations | Optional | N/A | Map of annotations to add to the pods. | -| affinity | Optional | N/A | Affinity labels for pod assignment. | -| exporter.required | Optional | false | Use the argument, if you want to run the [Exporter for Citrix ADC Stats](https://github.com/citrix/citrix-adc-metrics-exporter) along with CIC to pull metrics for the Citrix ADC VPX or MPX| -| exporter.imageRegistry | Optional | `quay.io` | The Exporter for Citrix ADC Stats image registry | -| exporter.imageRepository | Optional | `citrix/citrix-adc-metrics-exporter` | The Exporter for Citrix ADC Stats image repository | -| exporter.imageTag | Optional | `1.4.9` | The Exporter for Citrix ADC Stats image tag | -| exporter.pullPolicy | Optional | IfNotPresent | The Exporter image pull policy. | -| exporter.ports.containerPort | Optional | 8888 | The Exporter container port. 
| -| exporter.resources | Optional | {} | CPU/Memory resource requests/limits for Metrics exporter container | -| exporter.extraVolumeMounts | Optional | [] | Specify the Additional VolumeMounts to be mounted in Exporter container. Specify the volumes in `extraVolumes` | -| openshift | Optional | false | Set this argument if OpenShift environment is being used. | -| disableOpenshiftRoutes | Optional | false | By default Openshift routes are processed in openshift environment, this variable can be used to disable Ingress controller processing the openshift routes. | -| nodeSelector.key | Optional | N/A | Node label key to be used for nodeSelector option in CIC deployment. | -| nodeSelector.value | Optional | N/A | Node label value to be used for nodeSelector option in CIC deployment. | -| tolerations | Optional | N/A | Specify the tolerations for the CIC deployment. | -| crds.install | Optional | False | Unset this argument if you don't want to install CustomResourceDefinitions which are consumed by CIC. | -| crds.retainOnDelete | Optional | false | Set this argument if you want to retain CustomResourceDefinitions even after uninstalling CIC. This will avoid data-loss of Custom Resource Objects created before uninstallation. | -| analyticsConfig.required | Mandatory | false | Set this to true if you want to configure Citrix ADC to send metrics and transaction records to analytics . | -| analyticsConfig.distributedTracing.enable | Optional | false | Set this value to true to enable OpenTracing in Citrix ADC. | -| analyticsConfig.distributedTracing.samplingrate | Optional | 100 | Specifies the OpenTracing sampling rate in percentage. | -| analyticsConfig.endpoint.server | Optional | N/A | Set this value as the IP address or DNS address of the analytics server. | -| analyticsConfig.endpoint.service | Optional | N/A | Set this value as the IP address or service name with namespace of the analytics service deployed in k8s environment. 
Format: namespace/servicename | -| analyticsConfig.timeseries.port | Optional | 30002 | Specify the port used to expose analytics service outside cluster for timeseries endpoint. | -| analyticsConfig.timeseries.metrics.enable | Optional | False | Set this value to true to enable sending metrics from Citrix ADC. | -| analyticsConfig.timeseries.metrics.mode | Optional | avro | Specifies the mode of metric endpoint. | -| analyticsConfig.timeseries.auditlogs.enable | Optional | false | Set this value to true to export audit log data from Citrix ADC. | -| analyticsConfig.timeseries.events.enable | Optional | false | Set this value to true to export events from the Citrix ADC. | -| analyticsConfig.transactions.enable | Optional | false | Set this value to true to export transactions from Citrix ADC. | -| analyticsConfig.transactions.port | Optional | 30001 | Specify the port used to expose analytics service outside cluster for transaction endpoint. | -| nsLbHashAlgo.required | Optional | false | Set this value to set the LB consistent hashing Algorithm | -| nsLbHashAlgo.hashFingers | Optional | 256 | Specifies the number of fingers to be used for hashing algorithm. Possible values are from 1 to 1024, Default value is 256 | -| nsLbHashAlgo.hashAlgorithm | Optional | 'default' | Specifies the supported algorithm. Supported algorithms are "default", "jarh", "prac", Default value is 'default' | -| extraVolumeMounts | Optional | [] | Specify the Additional VolumeMounts to be mounted in CIC container | -| extraVolumes | Optional | [] | Specify the Additional Volumes for additional volumeMounts | - -Alternatively, you can define a YAML file with the values for the parameters and pass the values while installing the chart. 
- -For example: - ``` - helm install my-release citrix/citrix-ingress-controller -f values.yaml - ``` - -> **Tip:** -> -> The [values.yaml](https://github.com/citrix/citrix-helm-charts/blob/master/citrix-ingress-controller/values.yaml) contains the default values of the parameters. - -> **Note:** -> -> Please provide frontend-ip (VIP) in your application ingress yaml file. For more info refer [this](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/configure/annotations.md). - -## Route Addition in MPX/VPX -For seamless functioning of services deployed in the Kubernetes cluster, it is essential that Ingress NetScaler device should be able to reach the underlying overlay network over which Pods are running. -`feature-node-watch` knob of Citrix Ingress Controller can be used for automatic route configuration on NetScaler towards the pod network. Refer [Static Route Configuration](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/staticrouting.md) for further details regarding the same. -By default, `feature-node-watch` is false. It needs to be explicitly set to true if auto route configuration is required. - -This can also be achieved by deploying [Citrix Node Controller](https://github.com/citrix/citrix-k8s-node-controller). - -If your deployment uses one single Citrix ADC Device to loadbalance between multiple k8s clusters, there is a possibilty of CNI subnets to overlap, causing the above mentioned static routing to fail due to route conflicts. In such deployments [Policy Based Routing(PBR)] (https://docs.citrix.com/en-us/citrix-adc/current-release/networking/ip-routing/configuring-policy-based-routes/configuring-policy-based-routes-pbrs-for-ipv4-traffic.html) can be used instead. 
This would require you to provide one or more subnet IP Addresses unique for each kubernetes cluster either via Environment variable or Configmap, see [PBR Support](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/docs/how-to/pbr.md) - - Use the following command to provide subnet IPAddresses(SNIPs) to configure Policy Based Routes(PBR) on the Citrix ADC - - ``` - helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,nsSNIPS='[\, \, ...]' - ``` - - [Citrix Node Controller](https://github.com/citrix/citrix-k8s-node-controller) by default also adds static routes while creating the VXLAN tunnel. To use [Policy Based Routing(PBR)] (https://docs.citrix.com/en-us/citrix-adc/current-release/networking/ip-routing/configuring-policy-based-routes/configuring-policy-based-routes-pbrs-for-ipv4-traffic.html) to avoid static route clash, both Citrix Node Controller and Citrix Ingress Controller has to work in conjunction and has to be started with specific arguments. For more details refer [CNC-PBR-SUPPORT](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/docs/how-to/pbr.md#configure-pbr-using-the-citrix-node-controller). - - Use the following command to inform Citrix Ingress Controller that Citrix Node Controller is configuring Policy Based Routes(PBR) on the Citrix ADC - - ``` - helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,clusterName=,cncPbr= - ``` - -For configuring static routes manually on Citrix ADC VPX or MPX to reach the pods inside the cluster follow: -### For Kubernetes: -1. Obtain podCIDR using below options: - ``` - kubectl get nodes -o yaml | grep podCIDR - ``` - * podCIDR: 10.244.0.0/24 - * podCIDR: 10.244.1.0/24 - * podCIDR: 10.244.2.0/24 - -2. Log on to the Citrix ADC instance. - -3. Add Route in Netscaler VPX/MPX - ``` - add route - ``` -4. 
Ensure that Ingress MPX/VPX has a SNIP present in the host-network (i.e. network over which K8S nodes communicate with each other. Usually eth0 IP is from this network). - - Example: - * Node1 IP = 192.0.2.1 - * podCIDR = 10.244.1.0/24 - * add route 10.244.1.0 255.255.255.0 192.0.2.1 - -### For OpenShift: -1. Use the following command to get the information about host names, host IP addresses, and subnets for static route configuration. - ``` - oc get hostsubnet - ``` - -2. Log on to the Citrix ADC instance. - -3. Add the route on the Citrix ADC instance using the following command. - ```add route ``` - -4. Ensure that Ingress MPX/VPX has a SNIP present in the host-network (i.e. network over which OpenShift nodes communicate with each other. Usually eth0 IP is from this network). - - For example, if the output of the `oc get hostsubnet` is as follows: - * oc get hostsubnet - - NAME HOST HOST IP SUBNET - os.example.com os.example.com 192.0.2.1 10.1.1.0/24 - - * The required static route is as follows: - - add route 10.1.1.0 255.255.255.0 192.0.2.1 - -## Uninstalling the Chart -To uninstall/delete the ```my-release``` deployment: - - ``` - helm delete my-release - ``` - -The command removes all the Kubernetes components associated with the chart and deletes the release. - -## Related documentation - -- [Citrix ingress controller Documentation](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/) -- [Citrix ingress controller GitHub](https://github.com/citrix/citrix-k8s-ingress-controller) diff --git a/charts/citrix/citrix-ingress-controller/1.27.15/app-readme.md b/charts/citrix/citrix-ingress-controller/1.27.15/app-readme.md deleted file mode 100644 index a8a8ebc15a..0000000000 --- a/charts/citrix/citrix-ingress-controller/1.27.15/app-readme.md +++ /dev/null 
@@ -1,5 +0,0 @@ -# Citrix Ingress Controller - -[Citrix Ingress Controler](https://github.com/citrix/citrix-k8s-ingress-controller) is an ingress controller for Citrix ADC MPX (hardware), Citrix ADC VPX (virtualized), and Citrix ADC CPX (containerized) for bare metal and cloud deployments. It is built around Kubernetes Ingress and automatically configures Citrix ADC based on the Ingress resource configuration. - -This Chart bootstraps standalone Citrix Ingress Controller which can be used to configure Citrix MPX or VPX. diff --git a/charts/citrix/citrix-ingress-controller/1.27.15/questions.yml b/charts/citrix/citrix-ingress-controller/1.27.15/questions.yml deleted file mode 100644 index 89389ae11e..0000000000 --- a/charts/citrix/citrix-ingress-controller/1.27.15/questions.yml +++ /dev/null 
@@ -1,348 +0,0 @@ -labels: - io.rancher.certified: partner -questions: -- variable: license.accept - required: true - type: enum - description: "Set to yes to accept the terms and conditions of the Citrix license." - label: Accept License - group: "Deployment Settings" - options: - - "yes" - - "no" -- variable: openshift - default: false - type: boolean - description: "openshift is set to true if charts are being deployed in OpenShift environment" - label: Openshift flag - group: "Deployment Settings" -- variable: adcCredentialSecret - required: true - default: "" - type: string - description: "adcCredentialSecret is secret file for NetScaler login" - label: adcCredentialSecret Name - group: "Deployment Settings" -- variable: imagePullSecrets[0] - required: false - type: string - description: "Provide list of Kubernetes secrets to be used for pulling the images from a private Docker registry or repository" - label: imagePullSecrets - group: "Deployment Settings" -- variable: nsIP - required: true - type: string - description: "nsIP is NetScaler NSIP/SNIP, SNIP in case of HA (mgmt has to be enabled)" - label: Citrix ADC IP - group: "ADC Settings" -- variable: nsVIP - required: false - type: string - label: Virtual IP of Citrix ADC - group: "ADC Settings" -- variable: nsSNIPS - required: false - type: string - description: "The list of subnet IPAddresses on the Citrix ADC device, which will be used to create PBR Routes instead of Static Routes" - label: Citrix ADC nsSNIPS - group: "ADC Settings" -- variable: nsPort - required: false - default: 443 - type: int - description: "nsPort is port for ADC NITRO" - label: nsPort - group: "ADC Settings" -- variable: nsProtocol - required: false - default: "HTTPS" - type: string - description: "nsProtocol is protocol for ADC NITRO" - label: nsProtocol - group: "ADC Settings" -- variable: entityPrefix - required: false - type: string - description: "The prefix for the resources on the Citrix ADC VPX/MPX" - label: entityPrefix - 
group: "ADC Settings" -- variable: kubernetesURL - required: false - type: string - description: "kubernetesURL is for registering events to kubeapi server" - label: Kubernetes API-server URL - group: "Deployment Settings" -- variable: clusterName - required: false - type: string - description: "The unique identifier of the kubernetes cluster on which the CIC is deployed" - label: Cluster Name - group: "Deployment Settings" -- variable: ingressClass[0] - required: false - type: string - description: "ingressClass is the name of the Ingress Class" - label: Ingress Class - group: "Deployment Settings" -- variable: setAsDefaultIngressClass - required: false - default: False - type: boolean - description: "Set the IngressClass object as default ingress class. New Ingresses without an `ingressClassName` field specified will be assigned the class specified in ingressClass. Applicable only for kubernetes versions >= 1.19" - label: setAsDefaultIngressClass - group: "Deployment Settings" -- variable: serviceClass[0] - required: false - type: string - description: "serviceClass is the name of the Service Class" - label: Service Class - group: "Deployment Settings" -- variable: defaultSSLCertSecret - required: false - type: string - description: "Provide Kubernetes secret name that needs to be used as a default non-SNI certificate in Citrix ADC." - label: defaultSSLCertSecret - group: "ADC Settings" -- variable: podIPsforServiceGroupMembers - required: false - default: False - type: boolean - description: "By default Citrix Ingress Controller will add NodeIP and NodePort as service group members,This variable if set to True will change the behaviour to add pod IP and Pod port instead of nodeIP and nodePort." 
- label: podIPsforServiceGroupMembers - group: "Deployment Settings" -- variable: ignoreNodeExternalIP - required: false - default: False - type: boolean - label: ignoreNodeExternalIP - group: "Deployment Settings" -- variable: ipam - required: false - default: False - type: boolean - description: "Set this argument if you want to use the IPAM controller to automatically allocate an IP address to the service of type LoadBalancer" - label: ipam - group: "Deployment Settings" -- variable: logProxy - required: false - default: False - type: string - description: "Provide Elasticsearch or Kafka or Zipkin endpoint for Citrix observability exporter." - label: Log Proxy - group: "Deployment Settings" -- variable: nodeWatch - required: false - default: false - type: boolean - description: "nodeWatch is used for automatic route configuration on NetScaler towards the pod network" - label: NodeWatch - group: "ADC Settings" -- variable: cncPbr - required: false - default: false - type: boolean - description: "Use this argument to inform CIC that Citrix Node Controller(CNC) is configuring Policy Based Routes(PBR) on the Citrix ADC." - label: CNC PBR - group: "ADC Settings" -- variable: nodeSelector.key - required: false - type: string - description: "Node label key to be used for nodeSelector option in CIC deployment" - label: NodeSelector Key - group: "Deployment Settings" -- variable: nodeSelector.value - required: false - type: string - description: "Node label value to be used for nodeSelector option in CIC deployment." 
- label: NodeSelector value - group: "Deployment Settings" -- variable: tolerations[0] - required: false - type: string - description: "Specify the tolerations for the CIC deployment" - label: Tolerations - group: "Deployment Settings" -- variable: updateIngressStatus - required: false - default: false - type: boolean - description: "Set this argurment if Status.LoadBalancer.Ingress field of the Ingress resources managed by the Citrix ingress controller needs to be updated with allocated IP addresses" - label: Update Ingress Status - group: "Deployment Settings" -- variable: nsHTTP2ServerSide - required: false - default: "OFF" - type: string - description: "Set this argument to ON for enabling HTTP2 for Citrix ADC service group configurations." - label: nsHTTP2ServerSide - group: "Deployment Settings" -- variable: nsCookieVersion - required: false - default: "0" - type: string - description: "Specify the persistence cookie version (0 or 1)" - label: nsCookieVersion - group: "Deployment Settings" -- variable: routeLabels - required: false - type: string - description: "You can use this parameter to provide the route labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster." 
- label: Route Labels - group: "Deployment Settings" -- variable: namespaceLabels - required: false - type: string - description: "you can use this parameter to provide the namespace labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster" - label: namespaceLabels - group: "Deployment Settings" -- variable: cic.image - required: true - type: string - default: "quay.io/citrix/citrix-k8s-ingress-controller:1.19.6" - label: CIC Image - group: "CIC Image Settings" -- variable: cic.pullpolicy - required: true - default: "IfNotPresent" - type: enum - label: CIC Image Pullpolicy - group: "CIC Image Settings" - options: - - "Always" - - "IfNotPresent" - - "Never" -- variable: logLevel - required: false - default: "INFO" - type: enum - label: CIC Loglevel - group: "CIC Image Settings" - options: - - "DEBUG" - - "INFO" - - "WARNING" - - "ERROR" - - "TRACE" -- variable: exporter.required - default: false - type: boolean - description: "If set to true exporter will be deployed as sidecar" - label: Enable Exporter - group: "Exporter Settings" -- variable: exporter.image - default: "quay.io/citrix/citrix-adc-metrics-exporter:1.4.9" - required: false - type: string - description: "Exporter Image" - label: Exporter Image - group: "Exporter Settings" -- variable: exporter.pullPolicy - required: false - default: IfNotPresent - type: string - description: "Exporter Image pull policy" - label: Exporter Image PullPolicy - group: "Exporter Settings" -- variable: exporter.ports.containerPort - required: false - default: 8888 - type: int - label: Exporter ContainerPort - group: "Exporter Settings" -- variable: crds.install - required: false - default: true - type: boolean - description: "If set to true the charts will install CustomResourceDefinitions which are consumed by CIC." 
- label: CRD flag - group: "Deployment Settings" -- variable: crds.retainOnDelete - required: false - default: false - type: boolean - description: "Set this argument to true if you want to retain CustomResourceDefinitions even after uninstalling CIC. This will avoid data-loss of Custom Resource Objects created before uninstallation." - label: CRD retainOnDelete flag - group: "Deployment Settings" -- variable: coeConfig.required - required: true - default: false - type: boolean - description: "Set this to true if you want to configure Citrix ADC to send metrics and transaction records to COE" - label: Enable COE - group: "COE Settings" -- variable: coeConfig.distributedTracing.enable - required: false - default: false - type: boolean - description: "Set this value to true to enable OpenTracing in Citrix ADC." - label: Enable coeConfig DistributedTracing - group: "COE Settings" -- variable: coeConfig.distributedTracing.samplingrate - required: false - default: "100" - type: string - description: "Specifies the OpenTracing sampling rate in percentage." 
- label: coeConfig DistributedTracing Samplingrate - group: "COE Settings" -- variable: coeConfig.endpoint.server - required: false - type: string - description: "Set this value as the IP address or DNS address of the analytics server" - label: coeConfig Endpoint Server - group: "COE Settings" -- variable: coeConfig.timeseries.port - required: false - default: "30002" - type: string - description: "Specify the port used to expose COE service outside cluster for timeseries endpoint" - label: coeConfig timeseries Port - group: "COE Settings" -- variable: coeConfig.timeseries.metrics.enable - required: false - default: False - type: boolean - description: "Set this value to true to enable sending metrics from Citrix ADC" - label: Enable coeConfig Timeseries Metrics - group: "COE Settings" -- variable: coeConfig.timeseries.metrics.mode - required: false - default: "avro" - type: string - description: "Specifies the mode of metric endpoint" - label: coeConfig Timeseries Metrics Mode - group: "COE Settings" -- variable: coeConfig.timeseries.auditlogs.enable - required: false - default: False - type: boolean - description: "Set this value to true to export audit log data from Citrix ADC" - label: coeConfig Timeseries Auditlogs Enable - group: "COE Settings" -- variable: coeConfig.timeseries.events.enable - required: false - default: False - type: boolean - description: "Set this value to true to export events from the Citrix ADC" - label: Enable coeConfig Timeseries Events - group: "COE Settings" -- variable: coeConfig.transactions.enable - required: false - default: False - type: boolean - description: "Set this value to true to export transactions from Citrix ADC" - label: Enable coeConfig Transactions - group: "COE Settings" -- variable: coeConfig.transactions.port - required: false - default: 30001 - type: string - description: "Specify the port used to expose COE service outside cluster for transaction endpoint" - label: coeConfig Transactions Port - group: "COE 
Settings" -- variable: serviceAccount.create - required: false - default: true - type: boolean - description: "Specifies whether a ServiceAccount should be created" - label: ServiceAccount Create - group: "Deployment Settings" diff --git a/charts/citrix/citrix-ingress-controller/1.27.15/templates/NOTES.txt b/charts/citrix/citrix-ingress-controller/1.27.15/templates/NOTES.txt deleted file mode 100644 index 4d07f639fb..0000000000 --- a/charts/citrix/citrix-ingress-controller/1.27.15/templates/NOTES.txt +++ /dev/null @@ -1,15 +0,0 @@ -Thank you for installing {{ .Chart.Name }}. - -Your release is named {{ .Release.Name }}. - - -To learn more about the release, try: - - $ helm status {{ .Release.Name }} - $ helm get {{ .Release.Name }} - - -To delete : - helm delete {{ .Release.Name }} - - diff --git a/charts/citrix/citrix-ingress-controller/1.27.15/templates/_helpers.tpl b/charts/citrix/citrix-ingress-controller/1.27.15/templates/_helpers.tpl deleted file mode 100644 index efca8083c7..0000000000 --- a/charts/citrix/citrix-ingress-controller/1.27.15/templates/_helpers.tpl +++ /dev/null 
@@ -1,94 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Analytics Server IP or DNS
-*/}}
-{{- define "analytics.server" -}}
-{{- if .Values.analyticsConfig.endpoint.server -}}
-{{- printf .Values.analyticsConfig.endpoint.server -}}
-{{- else -}}
-{{- $addresses := first (first (lookup "v1" "Node" "" "").items).status.addresses -}}
-{{- printf "%s" ($addresses).address -}}
-{{- end -}}
-{{- end -}}
-
-
-
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "citrix-ingress-controller.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "citrix-ingress-controller.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "exporter.fullname" -}}
-{{- $name := default .Chart.Name "exporter" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "servicemonitor.fullname" -}}
-{{- $name := default .Chart.Name "citrix-adc-servicemonitor" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "servicemonitorlabel" -}}
-{{- $name := default .Chart.Name "citrix-adc-svcmon" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "cicconfigmap.fullname" -}}
-{{- $name := default .Chart.Name "cic-configmap" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "citrix-ingress-controller.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "citrix-ingress-controller.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create -}}
- {{ default (include "citrix-ingress-controller.fullname" .) .Values.serviceAccount.name }}
-{{- else -}}
- {{ default "default" .Values.serviceAccount.name }}
-{{- end -}}
-{{- end -}}
diff --git a/charts/citrix/citrix-ingress-controller/1.27.15/templates/cic_crds.yaml b/charts/citrix/citrix-ingress-controller/1.27.15/templates/cic_crds.yaml
deleted file mode 100644
index 6ff58466f8..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.27.15/templates/cic_crds.yaml
+++ /dev/null
@@ -1,2515 +0,0 @@ -{{- if .Values.crds.install }} -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: rewritepolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: rewritepolicy - plural: rewritepolicies - singular: rewritepolicy - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - rewrite-policies: - type: array - items: - type: object - properties: - servicenames: - description: 'Name of the services that needs to be binded to rewrite policy.' - type: array - items: - type: string - maxLength: 127 - goto-priority-expression: - description: 'Expression or other value specifying the next policy to be - evaluated if the current policy evaluates to TRUE. - Specify one of the following values: - * NEXT - Evaluate the policy with the next higher priority number. - * END - End policy evaluation. - Default value of goto-priority-expression: END' - type: string - maxLength: 1499 - logpackets: - type: object - description: 'Adds an audit message action. - The action specifies whether to log the message, and to which log.' 
- properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' - type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - rewrite-policy: - type: object - properties: - rewrite-criteria: - description: 'Expression against which traffic is evaluated.' - type: string - maxLength: 1299 - default-action: - description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). - An UNDEF event indicates an internal error condition.' - type: string - maxLength: 77 - enum: ['NOREWRITE', 'RESET', 'DROP'] - operation: - description: 'Type of user-defined rewrite action.' - type: string - enum: ["noop", "delete", "insert_http_header", "delete_http_header", - "corrupt_http_header", "insert_before", "insert_after", "replace", - "replace_http_res", "delete_all", "replace_all", "insert_before_all", - "insert_after_all", "clientless_vpn_encode", "clientless_vpn_encode_all", - "clientless_vpn_decode", "clientless_vpn_decode_all", "insert_sip_header", - "delete_sip_header", "corrupt_sip_header", "replace_sip_res", "replace_diameter_header_field", - "replace_dns_header_field", "replace_dns_answer_section"] - target: - description: 'Default syntax expression that specifies which part of the request or response to rewrite.' - type: string - maxLength: 1229 - modify-expression: - description: 'Default syntax expression that specifies the content to insert into the request - or response at the specified location, or that replaces the specified string.' - type: string - maxLength: 7991 - multiple-occurence-modify: - description: 'Search facility that is used to match multiple strings in the request or response.' 
- type: string - maxLength: 171 - additional-multiple-occurence-modify: - description: 'Specify additional criteria to refine the results of the search. - Always starts with the "extend(m,n)" operation, where "m" specifies number of bytes to the left of selected data - and "n" specifies number of bytes to the right of selected data. - You can use refineSearch only on body expressions, and only when rewrite-criteria is any one of this: - INSERT_BEFORE_ALL, INSERT_AFTER_ALL, REPLACE_ALL, and DELETE_ALL.' - type: string - maxLength: 1299 - direction: - description: 'Bind point to which to bind the policy.' - type: string - enum: ["REQUEST","RESPONSE"] - comment: - description: 'Any comments to preserve information about this rewrite policy.' - type: string - maxLength: 255 - required: [rewrite-criteria, operation, target, direction] - required: [rewrite-policy] - - responder-policies: - type: array - items: - type: object - properties: - servicenames: - description: 'Name of the services that needs to be binded to responder policy.' - type: array - items: - type: string - maxLength: 127 - goto-priority-expression: - description: 'Expression or other value specifying the next policy to be - evaluated if the current policy evaluates to TRUE. - Specify one of the following values: - * NEXT - Evaluate the policy with the next higher priority number. - * END - End policy evaluation. - Default value of goto-priority-expression: END' - type: string - maxLength: 1499 - logpackets: - type: object - description: 'Adds an audit message action. - The action specifies whether to log the message, and to which log.' - properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' 
- type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", - "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - responder-policy: - type: object - properties: - redirect: - type: object - description: 'Use this option when you want to Redirect the request when request matches to policy.' - properties: - url: - description: 'URL on which you want to redirect the request.' - type: string - maxLength: 7991 - redirect-status-code: - description: 'HTTP response status code, for example 200, 302, 404, etc.' - type: integer - minimum: 100 - maximum: 599 - redirect-reason: - description: 'Expression specifying the reason for redirecting the request.' - type: string - maxLength: 7991 - required: [url] - respondwith: - type: object - description: 'Use this parameter when you want to respond to the request when request matches to policy.' - properties: - http-payload-string: - description: 'Expression that you want to sent as response to the request.' - type: string - maxLength: 7991 - required: [http-payload-string] - noop: - type: string - description: 'Use this option when you want to send the request to the protected server instead of - responding to it when request matches to policy.' - properties: - target: - description: 'Default syntax expression that specifies to perform noop operation on' - type: string - maxLength: 1229 - reset: - type: string - description: 'Use this option when you want to Reset the client connection by closing it when request matches to policy.' - properties: - drop: - type: string - description: 'Use this option when you want to drop the request without sending a response to the user when request matches to policy.' - properties: - respond-criteria: - description: 'Default syntax expression that the policy uses to determine whether to respond to the specified request.' 
- type: string - maxLength: 1299 - default-action: - description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). - An UNDEF event indicates an internal error condition.' - type: string - maxLength: 77 - enum: ['NOOP', 'RESET', 'DROP'] - comment: - description: 'Any comments to preserve information about this responder policy.' - type: string - maxLength: 255 - required: [respond-criteria] - oneOf: [required: [redirect], required: [respondwith], required: [noop], required: [reset], required: [drop]] - required: [responder-policy] - - dataset: - type: array - items: - type: object - properties: - name: - description: 'Name of the dataset.' - type: string - maxLength: 32 - type: - description: 'Type of value to bind to the dataset.' - type: string - enum: ["ipv4", "number", "ipv6", "ulong", "double", "mac"] - comment: - description: 'Any comments to preserve information about this dataset.' - type: string - maxLength: 255 - values: - description: 'Value of the specified type that is associated with this dataset.' - type: array - items: - type: string - required: [name, type, values] - - patset: - type: array - items: - type: object - properties: - name: - description: 'Name of the Patset.' - type: string - maxLength: 32 - comment: - description: 'Any comments to preserve information about this patset.' - type: string - maxLength: 255 - values: - description: 'String of characters that constitutes a pattern and is associated with this patset.' - type: array - items: - type: string - required: [name, values] - - stringmap: - type: array - items: - type: object - properties: - name: - description: 'Name of the Stringmap.' - type: string - maxLength: 32 - comment: - description: 'Any comments to preserve information about this stringmap.' - type: string - maxLength: 255 - values: - description: 'List of (key,value) pairs to be bound to this string map.' 
- type: array - items: - type: object - properties: - key: - description: 'Character string constituting the key to be bound to this string map.' - type: string - maxLength: 2047 - value: - description: 'Character string constituting the value associated with the key.' - type: string - maxLength: 2047 - required: [name, values] - - httpcallout_policy: - type: array - items: - type: object - properties: - name: - description: 'httpcallout name' - type: string - maxLength: 32 - server_ip: - description: 'IP Address of the server(callout agent) to which the callout is sent.' - type: string - server_port: - description: 'Port of the server(callout agent) to which the callout is sent.' - type: integer - minimum: 1 - maximum: 65535 - http_method: - description: |+ - 'Method used in the HTTP request that this callout sends. - Default http method is GET' - type: string - enum: ['GET', 'POST'] - host_expr: - description: |+ - 'String expression to configure the Host header. Can contain a literal value - (for example, 10.101.10.11) or a derived value (for example, http.req.header("Host")). - The literal value can be an IP address or a fully qualified domain name. Mutually - exclusive with the full HTTP request expression.' - type: string - maxLength: 255 - url_stem_expr: - description: |+ - 'String expression for generating the URL stem. Can contain a literal string - (for example, "/mysite/index.html") or an expression that derives the value - (for example, http.req.url).' - type: string - maxLength: 8191 - headers: - type: array - description: |+ - 'One or more headers to insert into the HTTP request. Each header is represented by - name and expr, where expr is an expression that is evaluated at runtime to provide - the value for the named header. You can configure a maximum of eight headers for - an HTTP callout.' 
- items: - type: object - properties: - name: - description: 'header name' - type: string - expr: - description: 'header expression' - type: string - parameters: - type: array - description: |+ - 'One or more query parameters to insert into the HTTP request URL (for a GET request) - or into the request body (for a POST request). Each parameter is represented by - name and expr, where expr is an expression that is evaluated at run time to provide - the value for the named parameter (name=value). The parameter values are URL encoded.' - items: - type: object - properties: - name: - description: 'parameter name' - type: string - expr: - description: 'parameter expression' - type: string - body_expr: - description: |+ - 'An advanced string expression for generating the body of the request. - The expression can contain a literal string or an expression that derives - the value (for example, client.ip.src).' - type: string - full_req_expr: - description: |+ - 'Exact HTTP request, in the form of an expression, which the Citrix ADC sends - to the callout agent. The request expression is constrained by the feature - for which the callout is used. For example, an HTTP.RES expression cannot be - used in a request-time policy bank or in a TCP content switching policy bank.' - type: string - scheme: - description: |+ - 'Type of scheme for the callout server. - Default scheme is HTTP' - type: string - enum: ['HTTP', 'HTTPS'] - cache_for_secs: - description: |+ - 'Duration, in seconds, for which the callout response is cached. - The cached responses are stored in an integrated caching content - group named "calloutContentGroup". If no duration is configured, - the callout responses will not be cached unless normal caching - configuration is used to cache them. This parameter takes precedence over any - normal caching configuration that would otherwise apply to these responses.' 
- type: integer - minimum: 1 - maximum: 31536000 - return_type: - description: |+ - 'Type of data that the target callout agent returns in response to the callout - Available settings function as follows: - * TEXT - Treat the returned value as a text string. - * NUM - Treat the returned value as a number. - * BOOL - Treat the returned value as a Boolean value.' - type: string - enum: ['TEXT', 'NUM', 'BOOL'] - result_expr: - description: |+ - 'Expression that extracts the callout results from the response sent by the HTTP callout - agent. Must be a response based expression, that is, it must begin with HTTP.RES. The - operations in this expression must match the return type. For example, if you configure - a return type of TEXT, the result expression must be a text based expression. If the - return type is NUM, the result expression (resultExpr) must return a numeric value, - as in the following example: http.res.body(10000).length.' - type: string - maxLength: 8191 - comment: - description: 'Any comments to preserve information about this HTTP callout.' 
- type: string - maxLength: 255 - allOf: - - properties: - required: [name, server_ip, server_port] - - properties: - oneOf: - - properties: - required: [full_req_expr] - - properties: - anyOf: - - properties: - required: [http_method] - - properties: - required: [host_expr] - - properties: - required: [url_stem_expr] - - properties: - required: [headers] - - properties: - required: [parameters] - - properties: - required: [body_expr] - anyOf: [required: [rewrite-policies], required: [responder-policies]] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: ratelimits.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: ratelimit - plural: ratelimits - singular: ratelimit - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the ratelimit policies are applied.' - type: array - items: - type: string - maxLength: 127 - selector_keys: - type: object - description: 'Traffic match criteria to which apply above rate-limit/throttling. All keys are applied as AND condition. 
If no keys are specified, rate-limit applies at service level' - properties: - basic: - type: object - description: "Basic traffic stream selection criteria to which to apply the ratelimit" - properties: - path: - type: array - description: "api resource path prefix match. e.g. /api/v1/products" - items: - type: string - method: - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST','DELETE'] - header_name: - description: "HTTP header that identifies the unique API client for e.g. X-apikey" - type: string - per_client_ip: - description: "Setting this applies the throttling limit to each unique Client IP address accessing the API resource" - type: boolean - req_threshold: - description: 'Max requests per timeslice units to be allowed' - type: integer - timeslice: - description: 'Timeslice in miliseconds in multiple of 10. Defaults to 1000 miliseconds' - type: integer - limittype: - description: "Burst mode or smooth. Defaults to smooth limittype if not specified" - type: string - enum: ['BURSTY','SMOOTH'] - throttle_action: - type: string - enum: ['DROP', 'RESET','REDIRECT', 'RESPOND'] - description: "Drop will drop the requests exceeding limits, RESET will reset the client connection, Redirect will redirect to specified URL, respond will respond with 429 'Exceeded allowed rate of requests'" - redirect_url: - type: string - description: "Redirect-URL" - logpackets: - type: object - description: 'Adds an audit message action. The action specifies whether to log the message, and to which log.' - properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' 
- type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - required: [req_threshold] ---- -#Sample CRD instance - -#apiVersion: citrix.com/v1 -#description: VIP for apache service -#kind: vip -#metadata: -# name: service-apache -# namespace: default -#spec: -# description: VIP for the apache Service -# ipaddress: 10.99.98.90 -# kind: service -# name: apache - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: vips.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: vip - plural: vips - singular: vip - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - additionalPrinterColumns: - - jsonPath: .spec.ipaddress - name: VIP - type: string - - name: Age - type: date - jsonPath: .metadata.creationTimestamp - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - ipaddress: - type: string - name: - type: string - kind: - type: string - enum: ["service", "ingress"] - description: - type: string - range-name: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: authpolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: authpolicy - plural: authpolicies - singular: authpolicy - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: 'Current Status of the CRD' - jsonPath: .status.state - - name: Message - type: string - description: 'Status Message' - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: 
string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: |+ - 'Name of the services for which the policies applied' - type: array - items: - type: string - maxLength: 63 - authentication_mechanism: - type: object - description: |+ - 'Authentication mechanism. Options: using forms or using request header. - Default is Authentication using request header, when no option is specified' - properties: - using_request_header: - description: |+ - 'Enable user authentication using request header. Use when the credentials - or api keys are passed in a header. For example, when using Basic, Digest, - Bearer authentication or api keys. - When authentication using forms is provided, this is set to OFF' - - type: string - using_forms: - type: object - description: 'Enables authentication using forms. Use with user/web authentication.' - properties: - authentication_host: - description: |+ - 'Fully qualified domain name (FQDN) for authentication. - This FQDN should be unique and should resolve to frontend IP of - ADC with Ingress/service type LoadBalancer (or) vip of Listener CRD' - type: string - maxLength: 255 - authentication_host_cert: - description: |+ - 'Name of the SSL certificate to be used with authentication_host. 
- This certificate is mandatory while using_forms' - type: object - properties: - tls_secret: - type: string - description: 'Name of the Kubernetes Secret of type tls referring to Certificate' - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - preconfigured: - type: string - maxLength: 63 - description: |+ - 'Preconfigured SSL certkey name on ADC with the - certificate and key already added on ADC' - oneOf: - - properties: - required: [tls_secret] - - properties: - required: [preconfigured] - ingress_name: - description: |+ - 'Ingress name for which the authentication using forms - is applicable.' - type: string - maxLength: 63 - lb_service_name: - description: |+ - 'Service of type LoadBalancer for which the authentication using forms - is applicable.' - type: string - maxLength: 63 - listener_name: - description: |+ - 'Listener CRD name for which the authentication using forms is applicable.' - type: string - maxLength: 63 - vip: - description: |+ - 'Frontend IP of ingress for which the authentication - using forms is applicable. This refers to frontend-ip provided - with Ingress. It is suggested to use vip, if more than one Ingress - resource use the same frontend-ip' - type: string - required: [authentication_host, authentication_host_cert] - oneOf: - - properties: - required: [ingress_name] - - properties: - required: [lb_service_name] - - properties: - required: [listener_name] - - properties: - required: [vip] - oneOf: - - properties: - using_request_header: - enum: ['ON'] - required: [using_request_header] - - properties: - required: [using_forms] - - authentication_providers: - description: |+ - 'Authentication Configuration for required authentication providers/schemes. 
- One or more of these can be created' - type: array - items: - description: 'Create config for a single authentication provider of a particular type' - type: object - properties: - name: - description: 'Name for this provider, has to be unique, referenced by authentication policies' - type: string - maxLength: 127 - - oauth: - description: 'Authentication provided by external oAuth provider' - type: object - properties: - issuer: - description: 'Identity of the server whose tokens are to be accepted' - type: string - maxLength: 127 - audience: - description: 'Audience for which token sent by Authorization server is applicable' - type: array - items: - type: string - maxLength: 127 - jwks_uri: - description: |+ - 'URL of the endpoint that contains JWKs (Json Web Key) for - JWT (Json Web Token) verification' - type: string - maxLength: 127 - introspect_url: - description: ' URL of the introspection server' - type: string - maxLength: 127 - client_credentials: - description: |+ - 'secrets object that contains Client Id and secret as known - to Introspection server' - type: string - maxLength: 253 - token_in_hdr: - description: |+ - 'custom header name where token is present, - default is Authorization header' - type: array - items: - type: string - maxLength: 127 - maxItems: 2 - token_in_param: - description: 'query parameter name where token is present' - type: array - items: - type: string - maxLength: 127 - maxItems: 2 - signature_algorithms: - description: 'list of allowed signature algorithms, by default HS256, RS256, RS512 are allowed' - type: array - items: - type: string - enum: ['HS256', 'RS256', 'RS512'] - claims_to_save: - description: 'list of claims to be saved, used to create authorization policies' - type: array - items: - type: string - maxLength: 127 - metadata_url: - description: 'URL used to get OAUTH/OIDC provider metadata' - type: string - maxLength: 255 - user_field: - description: |+ - 'Attribute in the token from which username should be 
extracted. - by default, ADC looks at email attribute for user id' - type: string - maxLength: 127 - default_group: - description: |+ - 'group assigned to the request if authentication succeeds, - this is in addition to any extracted groups from token' - type: string - maxLength: 63 - grant_type: - description: 'used to specify the type of flow to the token end point, defaults to CODE' - type: array - items: - type: string - enum: ['CODE','PASSWORD'] - pkce: - description: 'specify whether to enable Proof Key Code Exchange, defaults to ENABLED' - type: string - enum: ['ENABLED', 'DISABLED'] - token_ep_auth_method: - description: |+ - 'authentication method to be used with token end point, - defaults to client_secret_post' - type: string - enum: ['client_secret_post', 'client_secret_jwt'] - - anyOf: - - properties: - required : [jwks_uri] - - properties: - required : [introspect_url, client_credentials] - - properties: - required : [metadata_url] - - ldap: - description: 'LDAP authentication provider' - type: object - properties: - server_ip: - description: 'IP address assigned to the LDAP server' - type: string - server_name: - description: 'LDAP server name as a FQDN' - type: string - maxLength: 127 - server_port: - description: 'Port on which the LDAP server accepts connections. Default is 389' - type: integer - minimum: 1 - maximum: 65535 - base: - description: |+ - 'Base (node) from which to start LDAP searches. If the LDAP server is - running locally, the default value of base is dc=netscaler, dc=com' - type: string - maxLength: 127 - server_login_credentials: - description: |+ - 'Kubernetes secret object providing credentials to login to LDAP server, - The secret data should have username and password' - type: string - login_name: - description: |+ - 'LDAP login name attribute. 
The Citrix ADC uses the LDAP login name - to query external LDAP servers or Active Directories' - type: string - maxLength: 127 - security_type: - description: |+ - 'Type of security used for communications between the Citrix ADC - and the LDAP server. Default is TLS' - type: string - enum: ['PLAINTEXT', 'TLS', 'SSL'] - validate_server_cert: - description: 'Validate LDAP Server certs. Default is NO' - type: string - enum: ['YES', 'NO'] - hostname: - description: |+ - 'Hostname for the LDAP server. If validate_server_cert is ON, - this must be the host name on the certificate from the LDAP - A hostname mismatch will cause a connection failure' - type: string - maxLength: 127 - sub_attribute_name: - description: 'LDAP group sub-attribute name. Used for group extraction from the LDAP server.' - type: string - maxLength: 31 - group_attribute_name: - description: 'LDAP group attribute name. Used for group extraction on the LDAP server.' - type: string - maxLength: 31 - search_filter: - description: |+ - 'String to be combined with the default LDAP user search string to form the - search value. For example, if the search filter "vpnallowed=true" is combined - with the LDAP login name "samaccount" and the user-supplied username is "bob", - the result is the LDAP search string ""(&(vpnallowed=true)(samaccount=bob)"" - (Be sure to enclose the search string in two sets of double quotation marks)' - type: string - maxLength: 255 - auth_timeout: - description: |+ - 'Number of seconds the Citrix ADC waits for a response from the server - Default is 3' - type: integer - minimum: 1 - maximum: 4294967295 - password_change: - description: 'Allow password change requests. 
Default is DISABLED' - type: string - enum: ['ENABLED', 'DISABLED'] - attributes_to_save: - description: |+ - 'List of attribute names separated by comma which needs to be fetched - from LDAP server and stored as key-value pair for the session on ADC' - type: string - maxLength: 2047 - oneOf: - - properties: - required: [server_ip] - - properties: - required: [server_name] - - saml: - description: |+ - 'SAML authentication provider. - Currently SAML is supported only with authentication mechanism using forms' - type: object - properties: - metadata_url: - description: 'URL is used for obtaining saml metadata.' - type: string - maxLength: 255 - metadata_refresh_interval: - description: |+ - 'Interval in minutes for fetching metadata from specified metadata URL. - Default is 36000' - type: integer - minimum: 1 - maximum: 4294967295 - signing_cert: - description: 'SSL certificate to sign requests from SP to IDP' - type: object - properties: - tls_secret: - type: string - description: 'Name of the Kubernetes Secret of type tls referring to Certificate' - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - preconfigured: - type: string - maxLength: 63 - description: |+ - 'Preconfigured SSL certkey name on ADC with the - certificate and key already added on ADC' - oneOf: - - properties: - required: [tls_secret] - - properties: - required: [preconfigured] - audience: - description: 'Audience for which assertion sent by IdP is applicable' - type: string - maxLength: 127 - issuer_name: - description: 'The name to be used in requests sent from SP to IDP to identify citrix ADC' - type: string - maxLength: 63 - binding: - description: 'Specifies the transport mechanism of saml message. Default is POST' - type: string - enum: ['REDIRECT', 'POST', 'ARTIFACT'] - artifact_resolution_service_url: - description: 'URL of the Artifact Resolution Service on IdP' - type: string - maxLength: 255 - logout_binding: - description: 'Specifies the transport mechanism of saml logout. 
Default is POST' - type: string - enum: ['REDIRECT', 'POST'] - reject_unsigned_assertion: - description: |+ - 'Reject unsigned SAML assertions. ON, rejects assertion without signature. - STRICT ensure that both Response and Assertion are signed. Default is ON' - type: string - enum: ['ON', 'OFF', 'STRICT'] - user_field: - description: 'SAML user ID, as given in the SAML assertion' - type: string - maxLength: 63 - default_authentication_group: - description: |+ - 'This is the default group that is chosen when the authentication - succeeds in addition to extracted groups' - type: string - maxLength: 63 - skew_time: - description: |+ - 'Allowed clock skew in number of minutes on an incoming assertion. - Default is 5' - type: integer - minimum: 1 - attributes_to_save: - description: |+ - 'List of attribute names separated by comma which needs to be extracted - and stored as key-value pair for the session on ADC' - type: string - maxLength: 2047 - required: - - metadata_url - - basic_local_db: - type: object - description: |+ - 'Basic HTTP authentication supported by ADC, user data in local DB of ADC. - Users needs to be added on ADC' - properties: - use_local_auth: - description: 'Use ADC authentication' - type: string - enum: ['YES'] - - required: - - name - - authentication_policies: - description: 'Authentication policies' - type: array - items: - type: object - description: 'Authentication policy' - properties: - resource: - type: object - description: 'endpoint/resource selection criteria' - properties: - path: - description: 'api resource path e.g. /products. 
' - type: array - items: - type: string - maxLength: 511 - method: - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST','DELETE'] - required: - - path - expression: - description: 'ADC syntax expression for authentication' - type: string - maxLength: 1229 - provider: - description: 'name of the authentication provider for the policy, empty if no authentication required' - type: array - items: - type: string - maxLength: 127 - maxItems: 1 - oneOf: - - required: [resource, provider] - - required: [expression, provider] - - authorization_policies: - description: 'Authorization policies' - type: array - items: - type: object - description: 'Authorization policy' - properties: - resource: - type: object - description: 'endpoint/resource selection criteria' - properties: - path: - description: 'api resource path e.g. /products. ' - type: array - items: - type: string - maxLength: 511 - method: - description: ' http method' - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST','DELETE'] - claims: - description: 'authorization scopes required for selected resource saved as claims or attributes' - type: array - items: - type: object - properties: - name: - description: 'name of the claim/attribute to check' - type: string - maxLength: 127 - values: - description: 'list of claim values required for the request' - type: array - items: - type: string - maxLength: 127 - minItems: 1 - required: - - name - - values - required: - - claims - expression: - description: 'ADC syntax expression for authorization' - type: string - maxLength: 1229 - oneOf: - - required: [resource] - - required: [expression] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: listeners.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - version: null - names: - kind: Listener - plural: listeners - singular: listener - scope: Namespaced - versions: - 
- name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - required: [spec] - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - required: [protocol] - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - protocol: - type: string - enum: ["https", "http"] - description: "Protocol for this listener" - vip: - type: string - description: "VIP address, Optional for CPX, required for Tier-1 deployments" - secondaryVips: - type: array - description: "An array of Secondary VIPs. All the VIPs will be part of an ipset" - minItems: 1 - items: - type: string - redirectPort: - type: integer - minimum: 1 - maximum: 65535 - description: "Port from which http traffic should be redirected to https" - port: - type: integer - minimum: 1 - maximum: 65535 - certificates: - type: array - description: "certificates attached to the endpoints - Not applicable for HTTP" - minItems: 1 - items: - type: object - properties: - preconfigured: - type: string - description: "Preconfigured Certificate name on ADC " - secret: - type: object - description: "Kuberentes secret object" - required: [name] - properties: - name: - type: string - description: "name of the Kubernetes Secret object where Cert is located" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - namespace: - type: string - description: "Namespace of the kubernetes secret object; Default is same namespace where the Listener object is located" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - default: - type: boolean - description: "Only one of the certificate can be marked as default which will be presented if none of the cert matches with the hostname" - oneOf: - - required: ["preconfigured"] - - required: ["secret"] - policies: - 
type: object - description: "Policies attached to the Listener" - properties: - httpprofile: - type: object - description: "HTTP profile configurations for the Listener, HTTP level configurations" - properties: - preconfigured: - type: string - description: "Preconfigured or Built-in HTTP profile name" - config: - type: object - description: "HTTP profile configuration for the listener. For individual fields, refer:https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ns/nshttpprofile/nshttpprofile/ Name field is auto populated" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - tcpprofile: - type: object - description: "TCP level configurations, uses ns tcpprofile of citrix ADC" - properties: - preconfigured: - description: "Preconfigured or Built-in TCP profile name" - type: string - config: - type: object - description: "TCPprofile configurations for the listener. For individual fields refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ns/nstcpprofile/ ; Name field is auto populated" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - csvserverConfig: - type: object - description: "CS Vserver configuration for the listener" - additionalProperties: - type: string - sslprofile: - type: object - description: "SSL profile configuration" - properties: - preconfigured: - type: string - description: "SSL profile which is preconfigured in ADC. Ciphers bound to the profile is not overriden" - config: - description: "Citrix ADC frontend SSL profile configurations. 
Refer:https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ssl/sslprofile/ for all configurations; Name field is auto generated" - type: object - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - sslciphers: - type: array - description: "List of ciphers to be bound to the ssl profile for the listener. Priority is as per the order in the list. A cipher suite, predefined cipher group or User created cipher group can be mentioned" - minItems: 1 - items: - type: string - description: "Cipher suite, cipher group name" - analyticsprofile: - type: object - description: "Analytics profile configuration" - properties: - preconfigured: - type: array - description: "Preconfigured Analytics profile that needs to be bound to the vserver" - minItems: 1 - items: - type: string - description: "Name of the analytics profile preconfigured that will be bound to the Vserver" - config: - type: array - description: "An array of analytics to be enabled" - minItems: 1 - items: - type: object - description: "Anlytics to be enabled" - required: ['type'] - properties: - type: - description: "Analytics profile to be enabled, you can enable one or more of the webinsight, tcpinsight, securityinsight, videoinsight, hdxinsight, gatewayinsight, timeseries, lsninsight, botinsight " - type: string - enum: ["webinsight", "tcpinsight", "securityinsight", "videoinsight", "hdxinsight", "gatewayinsight", "timeseries", "lsninsight", "botinsight"] - parameters: - type: object - description: "Additional parameters for analytics profile. 
Please refer:https://developer-docs.citrix.com/projects/citrix-adc-nitro-api-reference/en/latest/configuration/analytics/analyticsprofile/" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - routes: - type: array - description: "List of route objects attached to the listener" - minItems: 1 - items: - type: object - properties: - name: - type: string - description: "Name of the HTTPRoute object" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - namespace: - type: string - description: "Namespace of the HTTPRoute object" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - labelSelector: - description: "Labels key value pair, if the route carries the same labels, it is automatically attached" - type: object - additionalProperties: - type: string - oneOf: - - required: [name, namespace] - - required: [labelSelector] - defaultAction: - type: object - description: "Default action for the listener: One of Backend or Redirect" - properties: - backend: - type: object - oneOf: - - required: [kube] - properties: - kube: - type: object - required: [service, port] - properties: - service: - description: "Name of the backend service" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - port: - description: "Service port" - type: integer - minimum: 1 - maximum: 65535 - namespace: - description: "Service namespace" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - backendConfig: - description: "General backend service options" - type: object - properties: - secure_backend: - description: "Use Secure communications to the backends" - type: boolean - lbConfig: - description: "Citrix ADC LB vserver configurations for the backend. 
Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/load-balancing/lbvserver/lbvserver/ for all configurations" - type: object - additionalProperties: - type: string - servicegroupConfig: - description: "Citrix ADC service group configurations for the backend; Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/basic/servicegroup/servicegroup/ for all configurations" - type: object - additionalProperties: - type: string - redirect: - type: object - oneOf: - - required: [targetExpression] - - required: [hostRedirect] - - required: [httpsRedirect] - properties: - httpsRedirect: - description: "Change the scheme from http to https keeping URL intact" - type: boolean - hostRedirect: - description: "Host name specified is used for redirection with URL intact" - type: string - targetExpression: - description: "A target can be specified using Citrix ADC policy expression" - type: string - responseCode: - description: "Default response code is 302, which can be customised using this attribute" - type: integer - minimum: 100 - maximum: 599 - oneOf: - - required: ["backend"] - - required: ["redirect"] - subresources: - # status enables the status subresource. 
- status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: httproutes.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - version: null - names: - kind: HTTPRoute - plural: httproutes - singular: httproute - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - required: [rules] - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - hostname: - type: array - description: "List of domain names that share the same route, default is '*'" - minItems: 1 - items: - type: string - description: "Domain name" - rules: - type: array - description: "List Content routing rules with an action defined" - minItems: 1 - items: - type: object - required: [name, action] - properties: - name: - type: string - description: "A name to represent the rule, this is used as an identifier in content routing policy name in ADC" - minLength: 1 - maxLength: 20 - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - match: - type: array - description: "List of rules with same action" - minItems: 1 - items: - type: object - anyOf: - - required: [path] - - required: [headers] - - required: [cookies] - - required: [queryParams] - - required: [method] - - required: [policyExpression] - properties: - path: - type: object - description: "URL Path based content routing" - properties: - prefix: - type: string - description: "URL path matches the prefix expression" - exact: - type: string - description: "URL Path must match exact path" - regex: - type: string - 
description: "PCRE based regex expression for path matching" - headers: - type: array - description: "List of header for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Header details for content routing, Check for existence of a header or header name-value match" - properties: - headerName: - type: object - description: "Header name based content routing, Here existence of header is used for routing" - properties: - exact: - type: string - description: "Header Name - treated as exact must exist" - contains: - type: string - description: "Header Name - A header must exist that contain the string the name" - regex: - type: string - description: "header Name - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e header name must not exist" - oneOf: - - required: [exact] - - required: [contains] - - required: [regex] - headerValue: - type: object - description: "Header Name and Value based match" - properties: - name: - type: string - description: "Header name that must match the value" - exact: - type: string - description: "Header value - treated as exact" - contains: - type: string - description: "Header value - treated as contains" - regex: - type: string - description: "header value - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e header if present must not match the value" - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - queryParams: - type: array - description: "List of Query parameters for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Query parameters Name and Value based match" - properties: - name: - type: string - description: "Query name that must match the value. 
If no value is specified, matches with any value" - exact: - type: string - description: "Query value - Exact match" - contains: - type: string - description: "Query value - value must have the string(substring)" - regex: - type: string - description: "Query value - Value must match this regex patterm" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e query if present must not match the value" - anyOf: - - required: [name] - - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - cookies: - type: array - description: "List of Cookie params for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Cookie based routing" - properties: - name: - type: string - description: "cookie name that must match the value. If no value specified, it matches with any value" - exact: - type: string - description: "cookie value - treated as exact" - contains: - type: string - description: "cookie value - treated as substring" - regex: - type: string - description: "cookie value - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. 
I.e cookie if present must not match the value" - anyOf: - - required: [name] - - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - method: - type: string - description: "HTTP method for content routing eg: POST, PUT, DELETE etc" - policyExpression: - type: string - description: "Citrix ADC policy expressions; refer: https://docs.citrix.com/en-us/netscaler/media/expression-prefix.pdf" - action: - type: object - description: "Action for the matched rule" - properties: - backend: - type: object - oneOf: - - required: [kube] - properties: - kube: - type: object - required: [service, port] - properties: - service: - description: "Name of the backend service" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - port: - description: "Service port" - type: integer - minimum: 1 - maximum: 65535 - backendConfig: - type: object - description: "General backend service options" - properties: - secureBackend: - description: "Use Secure communications to the backends" - type: boolean - lbConfig: - description: "Citrix ADC LB vserver configurations for the backend. 
Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/load-balancing/lbvserver/lbvserver/ for all configurations" - type: object - additionalProperties: - type: string - servicegroupConfig: - description: "Citrix ADC service group configurations for the backend; Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/basic/servicegroup/servicegroup/ for all configurations" - type: object - additionalProperties: - type: string - redirect: - type: object - oneOf: - - required: [targetExpression] - - required: [hostRedirect] - - required: [httpsRedirect] - properties: - httpsRedirect: - description: "Change the scheme from http to https keeping URL intact" - type: boolean - hostRedirect: - description: "Host name specified is used for redirection with URL intact" - type: string - targetExpression: - description: "A target can be specified using Citrix ADC policy expression" - type: string - responseCode: - description: "Default response code is 302, which can be customised using this attribute" - type: integer - minimum: 100 - maximum: 599 - oneOf: - - required: ["backend"] - - required: ["redirect"] - subresources: - # status enables the status subresource. - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - # name must match the spec fields below, and be in the form: . 
- name: continuousdeployments.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: continuousdeployment - plural: continuousdeployments - singular: continuousdeployment - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - cronSpec: - type: integer - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: wafs.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: waf - plural: wafs - singular: waf - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the waf policies are applied.' 
- type: array - items: - type: string - maxLength: 127 - application_type: - description: 'Type of applications to protect' - type: array - items: - type: string - enum: ['HTML', 'JSON', 'XML'] - signatures: - description: 'Location of external signature file' - type: string - redirect_url: - description: 'When a URL is blocked/down, redirect_url represents the alternate URL where the client requests should be sent.' - type: string - html_error_object: - description: 'Location of customized error page to respond when html or common violation are hit' - type: string - xml_error_object: - description: 'Location of customized error page to respond when xml violations are hit' - type: string - json_error_object: - description: 'Location of customized error page to respond when json violations are hit' - type: string - ip_reputation: - type: object - x-kubernetes-preserve-unknown-fields: true - description: 'Enabling IP reputation feature' - target: - description: 'To control what traffic to be inspected by Web Application Firewall. 
If you do not provide the target, everything will be inspected by default' - type: object - properties: - path: - type: array - description: "List of http urls to inspect" - items: - type: string - description: "URL path" - method: - type: array - description: "List of http methods to inspect" - items: - type: string - enum: ['GET', 'PUT', 'POST','DELETE'] - header: - type: array - description: "List of http headers to inspect" - items: - type: string - description: "header name" - security_checks: - description: 'To enable/disable application firewall security checks' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true - settings: - description: 'To fine tune application firewall security checks default settings' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true - relaxations: - description: 'Section which contains relaxation rules for known traffic and false positives' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true - enforcements: - description: 'Section which contains enforcement or restriction rules' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - 
x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: bots.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: bot - plural: bots - singular: bot - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the bot policies are applied.' - type: array - items: - type: string - maxLength: 127 - signatures: - description: 'Location of external bot signature file' - type: string - redirect_url: - description: 'url to redirect when bot violation is hit' - type: string - target: - description: 'To control what traffic to be inspected by BOT. 
If you do not provide the target, everything will be inspected by default' - type: object - properties: - path: - type: array - description: "List of http urls to inspect" - items: - type: string - description: "URL path" - method: - type: array - description: "List of http methods to inspect" - items: - type: string - enum: ['GET', 'PUT', 'POST','DELETE'] - header: - type: array - description: "List of http headers to inspect" - items: - type: string - description: "header name" - security_checks: - description: 'To enable/disable bot ecurity checks' - type: object - properties: - allow_list: - type: string - enum: ['ON', 'OFF'] - block_list: - type: string - enum: ['ON', 'OFF'] - device_fingerprint: - type: object - x-kubernetes-preserve-unknown-fields: true - reputation: - type: string - enum: ['ON', 'OFF'] - ratelimit: - type: string - enum: ['ON', 'OFF'] - tps: - type: string - enum: ['ON', 'OFF'] - trap: - type: object - x-kubernetes-preserve-unknown-fields: true - bindings: - description: 'Section which contains binding rules for bot security checks' - type: object - properties: - allow_list: - type: array - items: - type: object - properties: - subnet: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - expression: - type: object - x-kubernetes-preserve-unknown-fields: true - - block_list: - type: array - items: - type: object - properties: - subnet: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - expression: - type: object - x-kubernetes-preserve-unknown-fields: true - ratelimit: - type: array - items: - type: object - properties: - url: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - cookie: - type: object - x-kubernetes-preserve-unknown-fields: true - reputation: - type: object - x-kubernetes-preserve-unknown-fields: true 
- captcha:
- type: array
- items:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- properties:
- tps:
- type: object
- properties:
- geolocation:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- host:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- ip:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- trapinsertion:
- type: object
- x-kubernetes-preserve-unknown-fields: true
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: apigatewaypolicies.citrix.com
-{{- if .Values.crds.retainOnDelete }}
- annotations:
- "helm.sh/resource-policy": keep
-{{- end }}
-spec:
- group: citrix.com
- names:
- kind: apigatewaypolicy
- plural: apigatewaypolicies
- singular: apigatewaypolicy
- scope: Namespaced
- versions:
- - name: v1beta1
- served: true
- storage: true
- additionalPrinterColumns:
- - name: Status
- type: string
- description: "Current Status of the CRD"
- jsonPath: .status.state
- - name: Message
- type: string
- description: "Status Message"
- jsonPath: .status.status_message
- subresources:
- status: {}
- schema:
- openAPIV3Schema:
- type: object
- required: [spec]
- properties:
- status:
- type: object
- properties:
- state:
- type: string
- status_message:
- type: string
- spec:
- type: object
- properties:
- api_definition:
- type: object
- properties:
- repository:
- type: string
- branch:
- type: string
- oas_secret_ref:
- type: string
- files:
- type: array
- items:
- type: string
- maxLength: 127
- api_proxy:
- type: object
- properties:
- ipaddress:
- type: string
- port:
- type: integer
- protocol:
- type: string
- secret:
- type: string
- policies:
- type: array
- items:
- type: object
- properties:
- name:
- type: string
- selector:
- type: array
- items:
- type: object
- properties:
- tags:
- type: array
- items:
- type: string
- api:
- type: string
- method:
- type: array
- items:
- type: string
- maxLength: 127
- upstream:
- type: object
- properties:
- service:
- type: string
- port:
- type: integer
- policy_bindings:
- type: object
- properties:
- ratelimit:
- type: object
- properties:
- name:
- type: string
- waf:
- type: object
- properties:
- name:
- type: string
- rewritepolicy:
- type: object
- properties:
- name:
- type: string
- bot:
- type: object
- properties:
- name:
- type: string
- aaa:
- type: array
- items:
- type: object
- properties:
- crd_name:
- type: string
- mappings:
- type: array
- items:
- type: object
- properties:
- petstore_auth:
- type: string
- api_key:
- type: string
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: corspolicies.citrix.com
-{{- if .Values.crds.retainOnDelete }}
- annotations:
- "helm.sh/resource-policy": keep
-{{- end }}
-spec:
- group: citrix.com
- names:
- kind: corspolicy
- plural: corspolicies
- singular: corspolicy
- shortNames:
- - cp
- scope: Namespaced
- versions:
- - name: v1beta1
- served: true
- storage: true
- subresources:
- status: {}
- additionalPrinterColumns:
- - name: Status
- type: string
- description: 'Current Status of the CRD'
- jsonPath: .status.state
- - name: Message
- type: string
- description: 'Status Message'
- jsonPath: .status.status_message
- schema:
- openAPIV3Schema:
- type: object
- properties:
- status:
- type: object
- properties:
- state:
- type: string
- status_message:
- type: string
- spec:
- type: object
- properties:
- ingressclass:
- type: string
- description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource"
- servicenames:
- description: 'The list of Kubernetes services to which you want to apply the cors policies.'
- type: array
- items:
- type: string
- maxLength: 63
- allow_origin:
- description: 'Represents list of allowed origins, it is used to screen the “origin” in the cors pre flight request'
- type: array
- items:
- type: string
- maxLength: 2083
- allow_methods:
- description: 'Indicates which methods are supported by the response’s URL for the purposes of the CORS protocol. This variable will be used to set Access-Control-Allow-Methods in the pre-flight cors response.'
- type: array
- items:
- type: string
- maxLength: 127
- allow_headers:
- description: 'Indicates which headers are supported by the response’s URL for the purposes of the CORS protocol. This variable will be used to set Access-Control-Allow-Headers in the pre-flight cors response.'
- type: array
- items:
- type: string
- maxLength: 127
- max_age:
- description: 'Indicates the number of seconds (5 by default) the information provided by the `Access-Control-Allow-Methods` and `Access-Control-Allow-Headers` headers can be cached. This variable will be used to set Access-Control-Max-Age in the pre-flight cors response.'
- type: integer
- allow_credentials:
- description: 'Indicates whether the response can be shared when the request’s credentials mode is "include". This variable will be set to Access-Control-Allow-Credentials in the rewrite action.'
- type: boolean
- required: [servicenames, allow_origin, allow_methods, allow_headers]
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: appqoepolicies.citrix.com
-{{- if .Values.crds.retainOnDelete }}
- annotations:
- "helm.sh/resource-policy": keep
-{{- end }}
-spec:
- group: citrix.com
- names:
- kind: appqoepolicy
- plural: appqoepolicies
- singular: appqoepolicy
- scope: Namespaced
- versions:
- - name: v1
- served: true
- storage: true
- subresources:
- status: {}
- additionalPrinterColumns:
- - name: Status
- type: string
- description: "Current Status of the CRD"
- jsonPath: .status.state
- - name: Message
- type: string
- description: "Status Message"
- jsonPath: .status.status_message
- schema:
- openAPIV3Schema:
- type: object
- properties:
- status:
- type: object
- properties:
- state:
- type: string
- status_message:
- type: string
- spec:
- type: object
- properties:
- appqoe-policies:
- type: array
- items:
- type: object
- properties:
- servicenames:
- description: 'Name of the services that needs to be binded to appqoe policy.'
- type: array
- items:
- type: string
- maxLength: 127
- appqoe-policy:
- type: object
- properties:
- operation-retry:
- type: object
- properties:
- on-reset:
- description: "To set Retry on Connection Reset or Not"
- type: string
- enum: ['YES','NO']
- on-timeout:
- description: "Time in milliseconds for retry"
- type: integer
- minimum: 30
- maximum: 2000
- number-of-retries:
- description: "To set number of retries"
- type: integer
- minimum: 1
- maximum: 7
- required: [operation-retry]
- appqoe-criteria:
- description: 'Expression against which traffic is evaluated.'
- type: string
- maxLength: 1299
- direction:
- description: 'Bind point to which to bind the policy.'
- type: string
- enum: ["REQUEST","RESPONSE"]
- required: [appqoe-criteria, operation-retry]
- required: [appqoe-policy]
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: wildcarddnsentries.citrix.com
-spec:
- group: citrix.com
- names:
- kind: wildcarddnsentry
- plural: wildcarddnsentries
- singular: wildcarddnsentry
- scope: Namespaced
- versions:
- - name: v1
- served: true
- storage: true
- subresources:
- status: {}
- additionalPrinterColumns:
- - name: Status
- type: string
- description: Current Status of the CRD
- jsonPath: .status.state
- - name: Message
- type: string
- description: Status Message
- jsonPath: .status.status_message
- schema:
- openAPIV3Schema:
- type: object
- properties:
- status:
- type: object
- properties:
- state:
- type: string
- status_message:
- type: string
- spec:
- type: object
- properties:
- zone:
- type: object
- description: DNS configuration for a zone
- properties:
- domain:
- type: string
- description: Domain name
- dnsaddrec:
- type: object
- description: DNS Address record
- properties:
- domain-ip:
- type: string
- description: IPv4 addresses to assign to the domain name
- ttl:
- type: integer
- description: >-
- TTL is the time for which the record must be cached
- by DNS proxies
- dnsaaaarec:
- type: object
- description: DNS AAAA record
- properties:
- domain-ip:
- type: string
- description: IPv6 addresses to assign to the domain name
- ttl:
- type: integer
- description: >-
- TTL is the time for which the record must be cached
- by DNS proxies
- soarec:
- type: object
- description: SOA record
- properties:
- origin-server:
- type: string
- description: Origin server domain
- contact:
- type: string
- description: Admin contact
- serial:
- type: integer
- description: >-
- The secondary server uses this parameter to
- determine whether it requires a zone transfer from
- the primary server.
- refresh:
- type: integer
- description: >-
- Time, in seconds, for which a secondary server must
- wait between successive checks on the value of the
- serial number.
- retry:
- type: integer
- description: >-
- Time, in seconds, between retries if a secondary server's
- attempt to contact the primary server for a zone refresh fails.
- expire:
- type: integer
- description: >-
- Time, in seconds, after which the zone data on a secondary
- nameserver can no longer be considered authoritative because
- all refresh and retry attempts made during the period have failed."
- nsrec:
- type: object
- description: Name server record
- properties:
- nameserver:
- type: string
- description: Host name of the name server to add to the domain.
- ttl:
- type: integer
- description: >-
- Time to Live (TTL), in seconds, for the record. TTL
- is the time for which the record must be cached by
- DNS proxies. The specified TTL is applied to all the
- resource records that are of the same record type
- and belong to the specified domain name
----
-{{- end }}
diff --git a/charts/citrix/citrix-ingress-controller/1.27.15/templates/citrix-k8s-ingress.yaml b/charts/citrix/citrix-ingress-controller/1.27.15/templates/citrix-k8s-ingress.yaml
deleted file mode 100644
index c18d692076..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.27.15/templates/citrix-k8s-ingress.yaml
+++ /dev/null
@@ -1,260 +0,0 @@
-{{- if .Values.openshift }}
-apiVersion: apps.openshift.io/v1
-kind: DeploymentConfig
-{{- else }}
-apiVersion: apps/v1
-kind: Deployment
-{{- end }}
-metadata:
- name: {{ include "citrix-ingress-controller.fullname" . }}
- namespace: {{ .Release.Namespace }}
-spec:
- selector:
-{{- if .Values.openshift }}
- router: {{ include "citrix-ingress-controller.fullname" . }}
-{{- else }}
- matchLabels:
- app: {{ include "citrix-ingress-controller.fullname" . }}
-{{- end }}
- replicas: 1
-{{- if .Values.openshift }}
- strategy:
- resources: {}
- rollingParams:
- intervalSeconds: 1
- maxSurge: 0
- maxUnavailable: 25%
- timeoutSeconds: 600
- updatePeriodSeconds: 1
- type: Rolling
-{{- end }}
- template:
- metadata:
- name: cic
- labels:
-{{- if .Values.openshift }}
- router: {{ include "citrix-ingress-controller.fullname" . }}
-{{- else }}
- app: {{ include "citrix-ingress-controller.fullname" . }}
-{{- end }}
-{{- with .Values.podAnnotations }}
- annotations:
- {{- toYaml . | nindent 8 }}
-{{- end }}
- spec:
- serviceAccountName: {{ include "citrix-ingress-controller.serviceAccountName" . }}
- containers:
- - name: cic
- image: "{{ tpl .Values.image . }}"
- imagePullPolicy: {{ .Values.pullPolicy }}
- args:
- - --configmap
- {{ .Release.Namespace }}/{{ include "cicconfigmap.fullname" . }}
-{{- if .Values.defaultSSLCertSecret }}
- - --default-ssl-certificate
- {{ .Release.Namespace }}/{{ .Values.defaultSSLCertSecret }}
-{{- end }}
-{{- if .Values.ingressClass }}
- - --ingress-classes
-{{- range .Values.ingressClass}}
- {{.}}
-{{- end }}
-{{- end }}
-{{- if .Values.serviceClass }}
- - --service-classes
-{{- range .Values.serviceClass}}
- {{.}}
-{{- end }}
-{{- end }}
- - --feature-node-watch
- {{ .Values.nodeWatch }}
- - --enable-cnc-pbr
- {{ .Values.cncPbr }}
-{{- if .Values.ipam }}
- - --ipam
- citrix-ipam-controller
-{{- end }}
-{{- if .Values.disableAPIServerCertVerify }}
- - --disable-apiserver-cert-verify
- {{ .Values.disableAPIServerCertVerify }}
-{{- end }}
-{{- if .Values.updateIngressStatus }}
- - --update-ingress-status
- yes
-{{- end }}
- env:
- - name: "NS_IP"
- value: "{{ .Values.nsIP }}"
-{{- if .Values.nsVIP }}
- - name: "NS_VIP"
- value: "{{ .Values.nsVIP }}"
-{{- end }}
-{{- if .Values.nitroReadTimeout }}
- - name: "NS_NITRO_READ_TIMEOUT"
- value: "{{ .Values.nitroReadTimeout }}"
-{{- end }}
- - name: "NS_USER"
- {{- if and .Values.secretStore.enabled .Values.secretStore.username}}
- {{- toYaml .Values.secretStore.username | nindent 10 }}
- {{- else }}
- valueFrom:
- secretKeyRef:
- name: {{ .Values.adcCredentialSecret }}
- key: username
- {{- end }}
- - name: "NS_PASSWORD"
- {{- if and .Values.secretStore.enabled .Values.secretStore.password}}
- {{- toYaml .Values.secretStore.password | nindent 10 }}
- {{- else }}
- valueFrom:
- secretKeyRef:
- name: {{ .Values.adcCredentialSecret }}
- key: password
- {{- end }}
- - name: "EULA"
- value: "{{ .Values.license.accept }}"
-{{- if and .Values.openshift .Values.routeLabels }}
- - name: "ROUTE_LABELS"
- value: {{ .Values.routeLabels | quote}}
-{{- end }}
-{{- if and .Values.openshift .Values.namespaceLabels }}
- - name: "NAMESPACE_LABELS"
- value: {{ .Values.namespaceLabels | quote }}
-{{- end }}
- - name: "NS_APPS_NAME_PREFIX"
- value: {{ .Values.entityPrefix | default "k8s"}}
-{{- if .Values.kubernetesURL }}
- - name: "kubernetes_url"
- value: "{{ .Values.kubernetesURL }}"
-{{- end }}
-{{- if .Values.clusterName }}
- - name: "CLUSTER_NAME"
- value: "{{ .Values.clusterName }}"
-{{- end }}
-{{- if .Values.logProxy }}
- - name: "NS_LOGPROXY"
- value: "{{ .Values.logProxy }}"
-{{- end }}
-{{- if .Values.disableOpenshiftRoutes }}
- - name: "DISABLE_OPENSHIFT_ROUTES"
- value: "{{ .Values.disableOpenshiftRoutes }}"
-{{- end }}
-{{- if .Values.nsConfigDnsRec }}
- - name: "NS_CONFIG_DNS_REC"
- value: "{{ .Values.nsConfigDnsRec }}"
-{{- end }}
-{{- if .Values.nsSvcLbDnsRec }}
- - name: "NS_SVC_LB_DNS_REC"
- value: "{{ .Values.nsSvcLbDnsRec }}"
-{{- end }}
-{{- if .Values.optimizeEndpointBinding }}
- - name: "OPTIMIZE_ENDPOINT_BINDING"
- value: "{{ .Values.optimizeEndpointBinding }}"
-{{- end }}
- resources:
- {{- toYaml .Values.resources | nindent 12 }}
- {{- if ne (len .Values.extraVolumeMounts) 0 }}
- volumeMounts:
-{{- toYaml .Values.extraVolumeMounts | nindent 8 }}
- {{- end }}
-{{- if .Values.exporter.required }}
- - name: exporter
- image: "{{ tpl .Values.exporter.image . }}"
- imagePullPolicy: {{ .Values.exporter.pullPolicy }}
- args:
- - "--target-nsip={{ .Values.nsIP }}"
- - "--port={{ .Values.exporter.ports.containerPort }}"
- env:
- - name: "NS_USER"
- {{- if and .Values.secretStore.enabled .Values.secretStore.username}}
- {{- toYaml .Values.secretStore.username | nindent 10 }}
- {{- else }}
- valueFrom:
- secretKeyRef:
- name: {{ .Values.adcCredentialSecret }}
- key: username
- {{- end }}
- - name: "NS_PASSWORD"
- {{- if and .Values.secretStore.enabled .Values.secretStore.password}}
- {{- toYaml .Values.secretStore.password | nindent 10 }}
- {{- else }}
- valueFrom:
- secretKeyRef:
- name: {{ .Values.adcCredentialSecret }}
- key: password
- {{- end }}
- {{- if ne (len .Values.exporter.extraVolumeMounts) 0 }}
- volumeMounts:
- {{- toYaml .Values.exporter.extraVolumeMounts | nindent 8 }}
- {{- end }}
- securityContext:
- readOnlyRootFilesystem: true
- resources:
-{{- toYaml .Values.exporter.resources | nindent 12 }}
-{{- end }}
-{{- if or (and .Values.extraVolumeMounts .Values.extraVolumes) (and .Values.exporter.extraVolumeMounts .Values.extraVolumes) }}
- volumes:
-{{- end }}
-{{- if ne (len .Values.extraVolumes) 0 }}
-{{ toYaml .Values.extraVolumes | indent 6 }}
-{{- end }}
-{{- if and .Values.nodeSelector.key .Values.nodeSelector.value }}
- nodeSelector:
- {{ .Values.nodeSelector.key }}: {{ .Values.nodeSelector.value }}
-{{- end }}
-{{- if .Values.tolerations }}
- tolerations: {{ .Values.tolerations | toYaml | nindent 8 }}
-{{- end }}
-{{- with .Values.affinity }}
- affinity:
- {{- toYaml . | nindent 8 }}
-{{- end }}
-
----
-
-{{- if .Values.exporter.required }}
-
-
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "exporter.fullname" . }}
- labels:
- app: {{ include "exporter.fullname" . }}
- service-type: {{ include "servicemonitorlabel" . }}
-spec:
- type: ClusterIP
- ports:
- - port: {{ .Values.exporter.ports.containerPort }}
- targetPort: {{ .Values.exporter.ports.containerPort }}
- name: exporter-port
- selector:
-{{- if .Values.openshift }}
- router: {{ include "citrix-ingress-controller.fullname" . }}
-{{- else }}
- app: {{ include "citrix-ingress-controller.fullname" . }}
-{{- end }}
-
----
-
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
- name: {{ include "servicemonitor.fullname" . }}
- namespace: {{ .Release.Namespace }}
- labels:
- servicemonitor: citrix-adc
-spec:
- endpoints:
- - interval: 30s
- port: exporter-port
- selector:
- matchLabels:
- service-type: {{ include "servicemonitorlabel" . }}
- namespaceSelector:
- matchNames:
- - monitoring
- - default
- - {{ .Release.Namespace }}
-
-{{- end }}
diff --git a/charts/citrix/citrix-ingress-controller/1.27.15/templates/configmap.yaml b/charts/citrix/citrix-ingress-controller/1.27.15/templates/configmap.yaml
deleted file mode 100644
index a765d00051..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.27.15/templates/configmap.yaml
+++ /dev/null
@@ -1,60 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "cicconfigmap.fullname" . }}
- namespace: {{ .Release.Namespace }}
-data:
- LOGLEVEL: {{ .Values.logLevel | quote | lower }}
- JSONLOG: {{ .Values.jsonLog | quote | lower }}
- NS_PROTOCOL: {{ .Values.nsProtocol | quote | lower }}
- NS_PORT: {{ .Values.nsPort | quote }}
-{{- if .Values.nsSNIPS }}
- NS_SNIPS: {{ .Values.nsSNIPS | toJson}}
-{{- end }}
-{{- if and .Values.analyticsConfig.required .Values.nsEnableLabel }}
- NS_ENABLE_LABELS: {{ .Values.nsEnableLabel | quote}}
-{{- end }}
-{{- if .Values.podIPsforServiceGroupMembers }}
- POD_IPS_FOR_SERVICEGROUP_MEMBERS: {{ .Values.podIPsforServiceGroupMembers | quote }}
-{{- end }}
-{{- if .Values.ignoreNodeExternalIP }}
- IGNORE_NODE_EXTERNAL_IP: {{ .Values.ignoreNodeExternalIP | quote }}
-{{- end }}
-
-{{- if ne (upper .Values.nsHTTP2ServerSide) "OFF" }}
- NS_HTTP2_SERVER_SIDE: {{ .Values.nsHTTP2ServerSide | quote }}
-{{- end }}
-{{- if ne (toString .Values.nsCookieVersion) "0" }}
- NS_COOKIE_VERSION: {{ .Values.nsCookieVersion | quote }}
-{{- end }}
-{{- if .Values.nsDnsNameserver }}
- NS_DNS_NAMESERVER: {{ .Values.nsDnsNameserver }}
-{{- end }}
-
-{{- if .Values.analyticsConfig.required }}
- NS_ANALYTICS_CONFIG: |
- distributed_tracing:
- enable: {{ .Values.analyticsConfig.distributedTracing.enable | quote }}
- samplingrate: {{ .Values.analyticsConfig.distributedTracing.samplingrate }}
- endpoint:
- server: {{ include "analytics.server" . | quote }}
- service: {{ .Values.analyticsConfig.endpoint.service | quote }}
- timeseries:
- port: {{ .Values.analyticsConfig.timeseries.port }}
- metrics:
- enable: {{ .Values.analyticsConfig.timeseries.metrics.enable | quote }}
- mode: {{ .Values.analyticsConfig.timeseries.metrics.mode | quote }}
- auditlogs:
- enable: {{ .Values.analyticsConfig.timeseries.auditlogs.enable | quote }}
- events:
- enable: {{ .Values.analyticsConfig.timeseries.events.enable | quote }}
- transactions:
- enable: {{ .Values.analyticsConfig.transactions.enable | quote }}
- port: {{ .Values.analyticsConfig.transactions.port }}
-{{- end }}
-
-{{- if .Values.nsLbHashAlgo.required }}
- NS_LB_HASH_ALGO: |
- hashFingers: {{ .Values.nsLbHashAlgo.hashFingers }}
- hashAlgorithm: {{ .Values.nsLbHashAlgo.hashAlgorithm | quote }}
-{{- end }}
diff --git a/charts/citrix/citrix-ingress-controller/1.27.15/templates/ingressclass.yaml b/charts/citrix/citrix-ingress-controller/1.27.15/templates/ingressclass.yaml
deleted file mode 100644
index d75537b79f..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.27.15/templates/ingressclass.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{{- $default := .Values.setAsDefaultIngressClass -}}
-{{- if semverCompare ">=1.19.0-0" .Capabilities.KubeVersion.GitVersion }}
-{{- if .Values.ingressClass }}
-{{- range .Values.ingressClass }}
-apiVersion: networking.k8s.io/v1
-kind: IngressClass
-metadata:
- name: {{ . | quote }}
-{{- if $default }}
- annotations:
- ingressclass.kubernetes.io/is-default-class: "true"
-{{- end }}
-spec:
- controller: citrix.com/ingress-controller
----
-{{- end }}
-{{- end }}
-{{- end }}
diff --git a/charts/citrix/citrix-ingress-controller/1.27.15/templates/rbac.yaml b/charts/citrix/citrix-ingress-controller/1.27.15/templates/rbac.yaml
deleted file mode 100644
index fe7c883a45..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.27.15/templates/rbac.yaml
+++ /dev/null
@@ -1,89 +0,0 @@
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: {{ include "citrix-ingress-controller.serviceAccountName" . }}
-rules:
- - apiGroups: [""]
-{{- if .Values.openshift }}
- resources: ["endpoints", "pods", "secrets", "routes", "tokenreviews", "subjectaccessreviews", "nodes", "namespaces", "configmaps", "services"]
-{{- else }}
- resources: ["endpoints", "pods", "secrets", "routes", "nodes", "namespaces", "configmaps", "services"]
-{{- end }}
- verbs: ["get", "list", "watch"]
- # services/status is needed to update the loadbalancer IP in service status for integrating
- # service of type LoadBalancer with external-dns
- - apiGroups: [""]
- resources: ["services/status"]
- verbs: ["patch"]
- - apiGroups: [""]
- resources: ["events"]
- verbs: ["create"]
- - apiGroups: ["extensions", "networking.k8s.io"]
- resources: ["ingresses"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["extensions","networking.k8s.io"]
- resources: ["ingresses/status"]
- verbs: ["patch"]
- - apiGroups: ["networking.k8s.io"]
- resources: ["ingressclasses"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["apiextensions.k8s.io"]
- resources: ["customresourcedefinitions"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["apps"]
- resources: ["deployments"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["citrix.com"]
- resources: ["rewritepolicies", "continuousdeployments", "authpolicies", "ratelimits", "listeners", "httproutes", "wafs", "apigatewaypolicies", "bots", "corspolicies", "appqoepolicies", "wildcarddnsentries"]
- verbs: ["get", "list", "watch", "create", "delete", "patch"]
- - apiGroups: ["citrix.com"]
- resources: ["rewritepolicies/status", "continuousdeployments/status", "authpolicies/status", "ratelimits/status", "listeners/status", "httproutes/status", "wafs/status", "apigatewaypolicies/status", "bots/status", "corspolicies/status", "appqoepolicies/status", "wildcarddnsentries/status"]
- verbs: ["patch"]
- - apiGroups: ["citrix.com"]
- resources: ["vips"]
- verbs: ["get", "list", "watch", "create", "delete"]
- - apiGroups: ["crd.projectcalico.org"]
- resources: ["ipamblocks"]
- verbs: ["get", "list", "watch"]
-{{- if .Values.openshift }}
- - apiGroups: ["route.openshift.io"]
- resources: ["routes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["network.openshift.io"]
- resources: ["hostsubnets"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["config.openshift.io"]
- resources: ["networks"]
- verbs: ["get", "list"]
-{{- end }}
-
----
-
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: {{ include "citrix-ingress-controller.serviceAccountName" . }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: {{ include "citrix-ingress-controller.serviceAccountName" . }}
-subjects:
-- kind: ServiceAccount
- name: {{ include "citrix-ingress-controller.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
-
----
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ include "citrix-ingress-controller.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
-{{- if .Values.imagePullSecrets }}
-imagePullSecrets:
-{{- range .Values.imagePullSecrets }}
-- name: {{.}}
-{{- end }}
-{{- end }}
-
----
diff --git a/charts/citrix/citrix-ingress-controller/1.27.15/values.yaml b/charts/citrix/citrix-ingress-controller/1.27.15/values.yaml
deleted file mode 100644
index 8c660b854c..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.27.15/values.yaml
+++ /dev/null
@@ -1,177 +0,0 @@
-# Default values for citrix-ingress-controller.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-# Citrix Ingress Controller config details
-imageRegistry: quay.io
-imageRepository: citrix/citrix-k8s-ingress-controller
-imageTag: 1.27.15
-image: "{{ .Values.imageRegistry }}/{{ .Values.imageRepository }}:{{ .Values.imageTag }}"
-pullPolicy: IfNotPresent
-imagePullSecrets: []
-nameOverride: ""
-fullnameOverride: ""
-openshift: false
-adcCredentialSecret: # K8s Secret Name
-# Enable secretStore to implement CSI Secret Provider classes for holding the nslogin credentials
-secretStore:
- enabled: false
- username: {}
- #valueFrom:
- # configMapKeyRef:
- # name: test1
- # key: username
- password: {}
- #valueFrom:
- # configMapKeyRef:
- # name: test1
- # key: password
-nsIP: x.x.x.x
-nsVIP:
-nsSNIPS:
-license:
- accept: no
-nsPort: 443
-nsProtocol: HTTPS
-nsEnableLabel: true
-# nitroReadTimeout is timeout value in seconds for nitro api read timeout(default is 20)
-nitroReadTimeout:
-logLevel: INFO
-jsonLog: false
-entityPrefix:
-kubernetesURL:
-clusterName:
-ingressClass:
-setAsDefaultIngressClass: False
-serviceClass:
-defaultSSLCertSecret:
-podIPsforServiceGroupMembers: False
-ignoreNodeExternalIP: False
-ipam: False
-# API server Cert verification can be disabled, while communicating with API Server, if disableAPIServerCertVerify set to True
-disableAPIServerCertVerify: False
-logProxy:
-nodeWatch: false
-cncPbr: False
-nodeSelector:
- key:
- value:
-tolerations: []
-updateIngressStatus: True
-nsHTTP2ServerSide: "OFF"
-nsCookieVersion: "0"
-nsConfigDnsRec:
-nsSvcLbDnsRec:
-nsDnsNameserver:
-optimizeEndpointBinding:
-routeLabels:
-namespaceLabels:
-disableOpenshiftRoutes:
-
-# Exporter config details
-exporter:
- required: false
- imageRegistry: quay.io
- imageRepository: citrix/citrix-adc-metrics-exporter
- imageTag: 1.4.9
- image: "{{ .Values.exporter.imageRegistry }}/{{ .Values.exporter.imageRepository }}:{{ .Values.exporter.imageTag }}"
- pullPolicy: IfNotPresent
- ports:
- containerPort: 8888
- resources: {}
- # We usually recommend not to specify default resources and to leave this as a conscious
- # choice for the user. This also increases chances charts run on environments with little
- # resources, such as Minikube. If you do want to specify resources, uncomment the following
- # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
- # limits:
- # cpu: 100m
- # memory: 128Mi
- # requests:
- # cpu: 100m
- # memory: 128Mi
- extraVolumeMounts: []
- # We usually recommend not to specify default resources and to leave this as a conscious
- # choice for the user.
- #- name: github-key
- # mountPath: /etc/config/keys/
- # readOnly: true
- #- name: agent-init-scripts
- # mountPath: /docker-entrypoint.d/
-
-# For CRDs supported by Citrix Ingress Controller
-crds:
- install: false
- retainOnDelete: false
-
-# Config required to be done by Citrix Ingress Controller for sending metrics to Citrix Observability Exporter
-analyticsConfig:
- required: false
- distributedTracing:
- enable: false
- samplingrate: 100
- endpoint:
- server:
- service:
- timeseries:
- port: 30002
- metrics:
- enable: false
- mode: 'avro'
- auditlogs:
- enable: false
- events:
- enable: false
- transactions:
- enable: false
- port: 30001
-
-nsLbHashAlgo:
- required: false
- hashFingers: 256
- hashAlgorithm: 'DEFAULT'
-
-# Specifies whether a ServiceAccount should be created
-serviceAccount:
- create: true
- # The name of the ServiceAccount to use.
- # If not set and `create` is true, a name is generated using the fullname template
- # name:
-
-podAnnotations: {}
-
-resources: {}
- # We usually recommend not to specify default resources and to leave this as a conscious
- # choice for the user. This also increases chances charts run on environments with little
- # resources, such as Minikube. If you do want to specify resources, uncomment the following
- # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
- # Following values depends on no of ingresses configured by Ingress Controllers, so it is
- # advised to test with maximum no of ingresses to set these values.
- # limits:
- # cpu: 1000m
- # memory: 1000Mi
- # requests:
- # cpu: 500m
- # memory: 500Mi
-
-affinity: {}
-
-extraVolumeMounts: []
- # We usually recommend not to specify default resources and to leave this as a conscious
- # choice for the user.
- #- name: github-key
- # mountPath: /etc/config/keys/
- # readOnly: true
- #- name: agent-init-scripts
- # mountPath: /docker-entrypoint.d/
-
-extraVolumes: []
- # We usually recommend not to specify default resources and to leave this as a conscious
- # choice for the user.
- #- name: agent-init-scripts
- # configMap:
- # name: agent-init-scripts
- # defaultMode: 0755
- #- name: github-key
- # secret:
- # secretName: github-key
- # defaultMode: 0744
diff --git a/charts/citrix/citrix-ingress-controller/1.28.2/Chart.yaml b/charts/citrix/citrix-ingress-controller/1.28.2/Chart.yaml
deleted file mode 100644
index 55bfbba044..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.28.2/Chart.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-annotations:
- catalog.cattle.io/certified: partner
- catalog.cattle.io/display-name: Citrix Ingress Controller
- catalog.cattle.io/kube-version: '>=v1.16.0-0'
- catalog.cattle.io/release-name: citrix-ingress-controller
-apiVersion: v2
-appVersion: 1.28.2
-deprecated: true
-description: A Helm chart for Citrix Ingress Controller configuring MPX/VPX.
-home: https://www.citrix.com
-icon: https://raw.githubusercontent.com/citrix/citrix-helm-charts/gh-pages/icon.png
-kubeVersion: '>=v1.16.0-0'
-maintainers:
-- email: priyanka.sharma@citrix.com
- name: priyankash-citrix
-- email: subash.dangol@citrix.com
- name: subashd
-name: citrix-ingress-controller
-sources:
-- https://github.com/citrix/citrix-k8s-ingress-controller
-version: 1.28.2
diff --git a/charts/citrix/citrix-ingress-controller/1.28.2/README.md b/charts/citrix/citrix-ingress-controller/1.28.2/README.md
deleted file mode 100644
index 955301483f..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.28.2/README.md
+++ /dev/null
@@ -1,493 +0,0 @@
-# Citrix Ingress Controller
-
-[Citrix](https://www.citrix.com/en-in/) provides an Ingress Controller for Citrix ADC MPX (hardware), Citrix ADC VPX (virtualized), and [Citrix ADC CPX](https://docs.citrix.com/en-us/citrix-adc-cpx/13/about.html) (containerized) for [bare metal](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/deployment/baremetal) and [cloud](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/deployment) deployments. It configures one or more Citrix ADC based on the Ingress resource configuration in [Kubernetes](https://kubernetes.io/) or in [OpenShift](https://www.openshift.com) cluster.
-
-## TL;DR;
-
-### For Kubernetes
- ```
- helm repo add citrix https://citrix.github.io/citrix-helm-charts/
-
- helm install cic citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=
- ```
-
- To install Citrix Provided Custom Resource Definition(CRDs) along with Citrix Ingress Controller
- ```
- helm install cic citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,crds.install=true
- ```
-
-### For OpenShift
-
- ```
- helm repo add citrix https://citrix.github.io/citrix-helm-charts/
-
- helm install cic citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,openshift=true
- ```
-
- To install Citrix Provided Custom Resource Definition(CRDs) along with Citrix Ingress Controller
- ```
- helm install cic citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,openshift=true,crds.install=true
- ```
-
-> **Important:**
->
-> The `license.accept` argument is mandatory. Ensure that you set the value as `yes` to accept the terms and conditions of the Citrix license.
-
-## Introduction
-This Helm chart deploys Citrix ingress controller in the [Kubernetes](https://kubernetes.io) or in the [Openshift](https://www.openshift.com) cluster using [Helm](https://helm.sh) package manager.
- -### Prerequisites - -- The [Kubernetes](https://kubernetes.io/) version should be 1.16 and above if using Kubernetes environment. -- The [Openshift](https://www.openshift.com) version 4.8 or later if using OpenShift platform. -- The [Helm](https://helm.sh/) version 3.x or later. You can follow instruction given [here](https://github.com/citrix/citrix-helm-charts/blob/master/Helm_Installation_version_3.md) to install the same. -- You determine the NS_IP IP address needed by the controller to communicate with Citrix ADC. The IP address might be anyone of the following depending on the type of Citrix ADC deployment: - - - (Standalone appliances) NSIP - The management IP address of a standalone Citrix ADC appliance. For more information, see [IP Addressing in Citrix ADC](https://docs.citrix.com/en-us/citrix-adc/12-1/networking/ip-addressing.html). - - - (Appliances in High Availability mode) SNIP - The subnet IP address. For more information, see [IP Addressing in Citrix ADC](https://docs.citrix.com/en-us/citrix-adc/12-1/networking/ip-addressing.html). - - - (Appliances in Clustered mode) CLIP - The cluster management IP (CLIP) address for a clustered Citrix ADC deployment. For more information, see [IP addressing for a cluster](https://docs.citrix.com/en-us/citrix-adc/12-1/clustering/cluster-overview/ip-addressing.html). - -- You have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator), if you want to view the metrics of the Citrix ADC CPX collected by the [metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics). - -- The user name and password of the Citrix ADC VPX or MPX appliance used as the ingress device. The Citrix ADC appliance needs to have system user account (non-default) with certain privileges so that Citrix ingress controller can configure the Citrix ADC VPX or MPX appliance. 
For instructions to create the system user account on Citrix ADC, see [Create System User Account for CIC in Citrix ADC](#create-system-user-account-for-cic-in-citrix-adc). - - You can pass user name and password using Kubernetes secrets. Create a Kubernetes secret for the user name and password using the following command: - - ``` - kubectl create secret generic nslogin --from-literal=username='cic' --from-literal=password='mypassword' - ``` - -#### Create system User account for Citrix ingress controller in Citrix ADC - -Citrix ingress controller configures the Citrix ADC using a system user account of the Citrix ADC. The system user account should have certain privileges so that the CIC has permission configure the following on the Citrix ADC: - -- Add, Delete, or View Content Switching (CS) virtual server -- Configure CS policies and actions -- Configure Load Balancing (LB) virtual server -- Configure Service groups -- Cofigure SSl certkeys -- Configure routes -- Configure user monitors -- Add system file (for uploading SSL certkeys from Kubernetes) -- Configure Virtual IP address (VIP) -- Check the status of the Citrix ADC appliance - -> **Note:** -> -> The system user account would have privileges based on the command policy that you define. - -To create the system user account, do the following: - -1. Log on to the Citrix ADC appliance. Perform the following: - 1. Use an SSH client, such as PuTTy, to open an SSH connection to the Citrix ADC appliance. - - 2. Log on to the appliance by using the administrator credentials. - -2. Create the system user account using the following command: - - ``` - add system user - ``` - - For example: - - ``` - add system user cic mypassword - ``` - -3. Create a policy to provide required permissions to the system user account. 
Use the following command: - - ``` - add cmdpolicy cic-policy ALLOW '^(\?!shell)(\?!sftp)(\?!scp)(\?!batch)(\?!source)(\?!.*superuser)(\?!.*nsroot)(\?!install)(\?!show\s+system\s+(user|cmdPolicy|file))(\?!(set|add|rm|create|export|kill)\s+system)(\?!(unbind|bind)\s+system\s+(user|group))(\?!diff\s+ns\s+config)(\?!(set|unset|add|rm|bind|unbind|switch)\s+ns\s+partition).*|(^install\s*(wi|wf))|(^\S+\s+system\s+file)^(\?!shell)(\?!sftp)(\?!scp)(\?!batch)(\?!source)(\?!.*superuser)(\?!.*nsroot)(\?!install)(\?!show\s+system\s+(user|cmdPolicy|file))(\?!(set|add|rm|create|export|kill)\s+system)(\?!(unbind|bind)\s+system\s+(user|group))(\?!diff\s+ns\s+config)(\?!(set|unset|add|rm|bind|unbind|switch)\s+ns\s+partition).*|(^install\s*(wi|wf))|(^\S+\s+system\s+file)' - ``` - - **Note**: The system user account would have privileges based on the command policy that you define. - The command policy mentioned in ***step 3*** is similar to the built-in `sysAdmin` command policy with another permission to upload files. - - The command policy spec provided above have already escaped special characters for easier copy pasting into the Citrix ADC command line. - - For configuring the command policy from Citrix ADC Configuration Wizard (GUI), use the below command policy spec. - - ``` - ^(?!shell)(?!sftp)(?!scp)(?!batch)(?!source)(?!.*superuser)(?!.*nsroot)(?!install)(?!show\s+system\s+(user|cmdPolicy|file))(?!(set|add|rm|create|export|kill)\s+system)(?!(unbind|bind)\s+system\s+(user|group))(?!diff\s+ns\s+config)(?!(set|unset|add|rm|bind|unbind|switch)\s+ns\s+partition).*|(^install\s*(wi|wf))|(^\S+\s+system\s+file)^(?!shell)(?!sftp)(?!scp)(?!batch)(?!source)(?!.*superuser)(?!.*nsroot)(?!install)(?!show\s+system\s+(user|cmdPolicy|file))(?!(set|add|rm|create|export|kill)\s+system)(?!(unbind|bind)\s+system\s+(user|group))(?!diff\s+ns\s+config)(?!(set|unset|add|rm|bind|unbind|switch)\s+ns\s+partition).*|(^install\s*(wi|wf))|(^\S+\s+system\s+file) - ``` - -4. 
Bind the policy to the system user account using the following command: - - ``` - bind system user cic cic-policy 0 - ``` - -## Installing the Chart -Add the Citrix Ingress Controller helm chart repository using command: - -``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ -``` - -### For Kubernetes: -#### 1. Citrix Ingress Controller -To install the chart with the release name, `my-release`, use the following command: - ``` - helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,ingressClass[0]= - ``` - -> **Note:** -> -> By default the chart installs the recommended [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) roles and role bindings. - -The command deploys Citrix ingress controller on Kubernetes cluster with the default configuration. The [configuration](#configuration) section lists the mandatory and optional parameters that you can configure during installation. - -#### 2. Citrix Ingress Controller with Exporter -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed along with Citrix ingress controller and collects metrics from the Citrix ADC instances. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. - -> **Note:** -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). 
- -Use the following command for this: - ``` - helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,ingressClass[0]=,exporter.required=true - ``` - -### For Openshift: -Add the name of the service account created when the chart is deployed to the privileged Security Context Constraints of OpenShift: - - ``` - oc adm policy add-scc-to-user privileged system:serviceaccount:: - ``` - -#### 1. Citrix Ingress Controller -To install the chart with the release name, `my-release`, use the following command: - ``` - helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,openshift=true - ``` - -The command deploys Citrix ingress controller on your Openshift cluster in the default configuration. The [configuration](#configuration) section lists the mandatory and optional parameters that you can configure during installation. - -#### 2. Citrix Ingress Controller with Exporter -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed along with Citrix ingress controller and collects metrics from the Citrix ADC instances. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. 
- -> **Note:** -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator) - -Use the following command for this: - ``` - helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,openshift=true,exporter.required=true - ``` - -### Installed components - -The following components are installed: - -- [Citrix ingress controller](https://github.com/citrix/citrix-k8s-ingress-controller) -- [Exporter](https://github.com/citrix/citrix-adc-metrics-exporter) (if enabled) - -## Configuration for ServiceGraph: - If Citrix ADC VPX/MPX need to send data to the Citrix ADM to bring up the servicegraph, then the below steps can be followed to install Citrix ingress controller for Citrix ADC VPX/MPX. Citrix ingress controller configures Citrix ADC VPX/MPX with the configuration required for servicegraph. - - 1. Create secret using Citrix ADC VPX credentials, which will be used by Citrix ingress controller for configuring Citrix ADC VPX/MPX: - - kubectl create secret generic nslogin --from-literal=username='cic' --from-literal=password='mypassword' - - 2. Deploy Citrix ingress controller using helm command: - - helm install my-release citrix/citrix-ingress-controller --set nsIP=,nsVIP=,license.accept=yes,adcCredentialSecret=,analyticsConfig.required=true,analyticsConfig.timeseries.metrics.enable=true,analyticsConfig.timeseries.port=5563,analyticsConfig.distributedTracing.enable=true,analyticsConfig.transactions.enable=true,analyticsConfig.transactions.port=5557,analyticsConfig.endpoint.server= - -> **Note:** -> If container agent is being used here for Citrix ADM, please provide `podIP` of container agent in the `analyticsConfig.endpoint.server` parameter. - -## CRDs configuration - -CRDs can be installed/upgraded when we install/upgrade Citrix ingress controller using `crds.install=true` parameter in Helm. If you do not want to install CRDs, then set the option `crds.install` to `false`. 
By default, CRDs too get deleted if you uninstall through Helm. This means, even the CustomResource objects created by the customer will get deleted. If you want to avoid this data loss set `crds.retainOnDelete` to `true`. - -> **Note:** -> Installing again may fail due to the presence of CRDs. Make sure that you back up all CustomResource objects and clean up CRDs before re-installing Citrix Ingress Controller. - -There are a few examples of how to use these CRDs, which are placed in the folder: [Example-CRDs](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds). Refer to them and install as needed, using the following command: -```kubectl create -f ``` - -### Details of the supported CRDs: - -#### authpolicies CRD: - -Authentication policies are used to enforce access restrictions to resources hosted by an application or an API server. - -Citrix provides a Kubernetes CustomResourceDefinitions (CRDs) called the [Auth CRD](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/auth) that you can use with the Citrix ingress controller to define authentication policies on the ingress Citrix ADC. - -Example file: [auth_example.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/auth_example.yaml) - -#### continuousdeployments CRD for canary: - -Canary release is a technique to reduce the risk of introducing a new software version in production by first rolling out the change to a small subset of users. After user validation, the application is rolled out to the larger set of users. Citrix ADC-Integrated [Canary Deployment solution](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/canary) stitches together all components of continuous delivery (CD) and makes canary deployment easier for the application developers. 
- -#### httproutes and listeners CRDs for contentrouting: - -[Content Routing (CR)](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/contentrouting) is the execution of defined rules that determine the placement and configuration of network traffic between users and web applications, based on the content being sent. For example, a pattern in the URL or header fields of the request. - -Example files: [HTTPRoute_crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/HTTPRoute_crd.yaml), [Listener_crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/Listener_crd.yaml) - -#### ratelimits CRD: - -In a Kubernetes deployment, you can [rate limit the requests](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/ratelimit) to the resources on the back end server or services using rate limiting feature provided by the ingress Citrix ADC. - -Example files: [ratelimit-example1.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/ratelimit-example1.yaml), [ratelimit-example2.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/ratelimit-example2.yaml) - -#### vips CRD: - -Citrix provides a CustomResourceDefinitions (CRD) called [VIP](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/vip) for asynchronous communication between the IPAM controller and Citrix ingress controller. - -The IPAM controller is provided by Citrix for IP address management. It allocates IP address to the service from a defined IP address range. The Citrix ingress controller configures the IP address allocated to the service as virtual IP (VIP) in Citrix ADX VPX. And, the service is exposed using the IP address. - -When a new service is created, the Citrix ingress controller creates a CRD object for the service with an empty IP address field. 
The IPAM Controller listens to addition, deletion, or modification of the CRD and updates it with an IP address to the CRD. Once the CRD object is updated, the Citrix ingress controller automatically configures Citrix ADC-specfic configuration in the tier-1 Citrix ADC VPX. - -#### rewritepolicies CRD: - -In kubernetes environment, to deploy specific layer 7 policies to handle scenarios such as, redirecting HTTP traffic to a specific URL, blocking a set of IP addresses to mitigate DDoS attacks, imposing HTTP to HTTPS and so on, requires you to add appropriate libraries within the microservices and manually configure the policies. Instead, you can use the [Rewrite and Responder features](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/crd/rewrite-responder-policies-deployment.yaml) provided by the Ingress Citrix ADC device to deploy these policies. - -Example files: [target-url-rewrite.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/target-url-rewrite.yaml) - -#### wafs CRD: - -[WAF CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/waf.md) can be used to configure the web application firewall policies with the Citrix ingress controller on the Citrix ADC VPX, MPX, SDX, and CPX. The WAF CRD enables communication between the Citrix ingress controller and Citrix ADC for enforcing web application firewall policies. - -In a Kubernetes deployment, you can enforce a web application firewall policy to protect the server using the WAF CRD. For more information about web application firewall, see [Web application security](https://docs.citrix.com/en-us/citrix-adc/13/application-firewall/introduction/web-application-security.html). - -Example files: [wafhtmlxsssql.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/wafhtmlxsssql.yaml) - -#### apigateway CRD: - -API Gateway CRD is used to configure gitops framework on citrix API gateway. 
This solution enables citrix ingress controller to generate API gateway configurations out of Open API Specification documents checked in to git repository by API developers and designers. - -Example files: [api-gateway-crd-instance.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/api-gateway-crd-instance.yaml) -#### bots CRD: - -[BOT CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/bot.md) You can use Bot CRDs to configure the bot management policies with the Citrix ingress controller on the Citrix ADC VPX. The Bot custom resource definition enables communication between the Citrix ingress controller and Citrix ADC for enforcing bot management policies. - -In a Kubernetes deployment, you can enforce bot management policy on therequests and responses from and to the server using the Bot CRDs. For more information on security vulnerabilities, see [Bot Detection](https://docs.citrix.com/en-us/citrix-adc/current-release/bot-management/bot-detection.html). - -Example files: [botallowlist.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/botallowlist.yaml) - -#### CORS CRD: - -[CORS CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/cors.md) Cross-origin resource sharing (CORS) is a mechanism allows a web application running under one domain to securely access resources in another domain. You can configure CORS policies on Citrix ADC using Citrix ingress controller to allow one domain (the origin domain) to call APIs in another domain. For more information, see the [cross-origin resource sharing CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/cors.md) documentation. 
- -Example files: [cors-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/corspolicy-example.yaml) - -#### APPQOE CRD: - -[APPQOE CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/appqoe.md) When a Citrix ADC appliance receives an HTTP request and forwards it to a back-end server, sometimes there may be connection failures with the back-end server. You can configure the request-retry feature on Citrix ADC to forward the request to the next available server, instead of sending the reset to the client. Hence, the client saves round trip time when Citrix ADC initiates the same request to the next available service. -For more information, see the AppQoE support documentation. [Appqoe resource sharing CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/appqoe.md) documentation. - -Example files: [appqoe-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/appqoe_example.yaml) - -#### WILDCARDDNS CRD: - -[WILDCARDDNS CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/wildcarddns.md) Wildcard DNS domains are used to handle requests for nonexistent domains and subdomains. In a zone, use wildcard domains to redirect queries for all nonexistent domains or subdomains to a particular server, instead of creating a separate Resource Record (RR) for each domain. The most common use of a wildcard DNS domain is to create a zone that can be used to forward mail from the internet to some other mail system. -For more information, see the Wild card DNS domains support documentation. [Wildcard DNS Entry CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/wildcarddns.md) documentation. 
- -Example files: [wildcarddns-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/wildcarddns-example.yaml) - -### Tolerations - -Taints are applied on cluster nodes whereas tolerations are applied on pods. Tolerations enable pods to be scheduled on node with matching taints. For more information see [Taints and Tolerations in Kubernetes](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/). - -Toleration can be applied to Citrix ingress controller pod using `tolerations` argument while deploying CIC using helm chart. This argument takes list of tolerations that user need to apply on the CIC pods. - -For example, following command can be used to apply toleration on the CIC pod: - -``` -helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,tolerations[0].key=,tolerations[0].value=,tolerations[0].operator=,tolerations[0].effect= -``` - -Here tolerations[0].key, tolerations[0].value and tolerations[0].effect are the key, value and effect that was used while tainting the node. -Effect represents what should happen to the pod if the pod don't have any matching toleration. It can have values `NoSchedule`, `NoExecute` and `PreferNoSchedule`. -Operator represents the operation to be used for key and value comparison between taint and tolerations. It can have values `Exists` and `Equal`. The default value for operator is `Equal`. - - - -### Configuration - -The following table lists the mandatory and optional parameters that you can configure during installation: - -| Parameters | Mandatory or Optional | Default value | Description | -| --------- | --------------------- | ------------- | ----------- | -| license.accept | Mandatory | no | Set `yes` to accept the CIC end user license agreement. 
| -| imageRegistry | Mandatory | `quay.io` | The Citrix ingress controller image registry | -| imageRepository | Mandatory | `citrix/citrix-k8s-ingress-controller` | The Citrix ingress controller image repository | -| imageTag | Mandatory | `1.28.2` | The Citrix ingress controller image tag | -| pullPolicy | Mandatory | IfNotPresent | The CIC image pull policy. | -| imagePullSecrets | Optional | N/A | Provide list of Kubernetes secrets to be used for pulling the images from a private Docker registry or repository. For more information on how to create this secret please see [Pull an Image from a Private Registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/). | -| nameOverride | Optional | N/A | String to partially override deployment fullname template with a string (will prepend the release name) | -| fullNameOverride | Optional | N/A | String to fully override deployment fullname template with a string | -| resources | Optional | {} | CPU/Memory resource requests/limits for Citrix Ingress Controller container | -| adcCredentialSecret | Mandatory | N/A | The secret key to log on to the Citrix ADC VPX or MPX. For information on how to create the secret keys, see [Prerequisites](#prerequistes). | -| secretStore.enabled | Optional | False | Set to "True" for deploying other Secret Provider classes | -| secretStore.username | Optional | N/A | if `secretStore.enabled`, `username` of ADC will be fetched from the Secret Provider | -| secretStore.password | Optional | N/A | if `secretStore.enabled`, `password` of ADC will be fetched from the Secret Provider | -| nsIP | Mandatory | N/A | The IP address of the Citrix ADC device. For details, see [Prerequisites](#prerequistes). | -| nsVIP | Optional | N/A | The Virtual IP address on the Citrix ADC device. 
| -| nsSNIPS | Optional | N/A | The list of subnet IPAddresses on the Citrix ADC device, which will be used to create PBR Routes instead of Static Routes [PBR support](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/docs/how-to/pbr.md) | -| nsPort | Optional | 443 | The port used by CIC to communicate with Citrix ADC. You can use port 80 for HTTP. | -| nsProtocol | Optional | HTTPS | The protocol used by CIC to communicate with Citrix ADC. You can also use HTTP on port 80. | -| nsEnableLabel | Optional | True | Set to true for plotting Servicegraph. Ensure ``analyticsConfig` are set. | -| nitroReadTimeout | Optional | 20 | The nitro Read timeout in seconds, defaults to 20 | -| logLevel | Optional | DEBUG | The loglevel to control the logs generated by CIC. The supported loglevels are: CRITICAL, ERROR, WARNING, INFO, DEBUG and TRACE. For more information, see [Logging](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/configure/log-levels.md).| -| jsonLog | Optional | false | Set this argument to true if log messages are required in JSON format | -| nsConfigDnsRec | Optional | false | To enable/disable DNS address Record addition in ADC through Ingress | -| nsSvcLbDnsRec | Optional | false | To enable/disable DNS address Record addition in ADC through Type Load Balancer Service | -| nsDnsNameserver | Optional | N/A | To add DNS Nameservers in ADC | -| optimizeEndpointBinding | Optional | false | To enable/disable binding of backend endpoints to servicegroup in a single API-call. Recommended when endpoints(pods) per application are large in number. Applicable only for Citrix ADC Version >=13.0-45.7 | -| kubernetesURL | Optional | N/A | The kube-apiserver url that CIC uses to register the events. If the value is not specified, CIC uses the [internal kube-apiserver IP address](https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod). 
| -| clusterName | Optional | N/A | The unique identifier of the kubernetes cluster on which the CIC is deployed. Used in multi-cluster deployments. | -| ingressClass | Optional | N/A | If multiple ingress load balancers are used to load balance different ingress resources. You can use this parameter to specify CIC to configure Citrix ADC associated with specific ingress class. For more information on Ingress class, see [Ingress class support](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/configure/ingress-classes/). For Kubernetes version >= 1.19, this will create an IngressClass object with the name specified here | -| setAsDefaultIngressClass | Optional | False | Set the IngressClass object as default ingress class. New Ingresses without an "ingressClassName" field specified will be assigned the class specified in ingressClass. Applicable only for kubernetes versions >= 1.19 | -| serviceClass | Optional | N/A | By Default ingress controller configures all TypeLB Service on the ADC. You can use this parameter to finetune this behavior by specifing CIC to only configure TypeLB Service with specific service class. For more information on Service class, see [Service class support](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/configure/service-classes/). | -| nodeWatch | Optional | false | Use the argument if you want to automatically configure network route from the Ingress Citrix ADC VPX or MPX to the pods in the Kubernetes cluster. For more information, see [Automatically configure route on the Citrix ADC instance](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/network/staticrouting/#automatically-configure-route-on-the-citrix-adc-instance). | -| cncPbr | Optional | False | Use this argument to inform CIC that Citrix Node Controller(CNC) is configuring Policy Based Routes(PBR) on the Citrix ADC. 
For more information, see [CNC-PBR-SUPPORT](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/docs/how-to/pbr.md#configure-pbr-using-the-citrix-node-controller) | -| defaultSSLCertSecret | Optional | N/A | Provide Kubernetes secret name that needs to be used as a default non-SNI certificate in Citrix ADC. | -| podIPsforServiceGroupMembers | Optional | False | By default Citrix Ingress Controller will add NodeIP and NodePort as service group members while configuring type LoadBalancer Services and NodePort services. This variable if set to `True` will change the behaviour to add pod IP and Pod port instead of nodeIP and nodePort. Users can set this to `True` if there is a route between ADC and K8s clusters internal pods either using feature-node-watch argument or using Citrix Node Controller. | -| ignoreNodeExternalIP | Optional | False | While adding NodeIP, as Service group members for type LoadBalancer services or NodePort services, Citrix Ingress Controller has a selection criteria whereas it choose Node ExternalIP if available and Node InternalIP, if Node ExternalIP is not present. But some users may want to use Node InternalIP over Node ExternalIP even if Node ExternalIP is present. If this variable is set to `True`, then it prioritises the Node Internal IP to be used for service group members even if node ExternalIP is present | -| nsHTTP2ServerSide | Optional | OFF | Set this argument to `ON` for enabling HTTP2 for Citrix ADC service group configurations. | -| nsCookieVersion | Optional | 0 | Specify the persistence cookie version (0 or 1). | -| ipam | Optional | False | Set this argument if you want to use the IPAM controller to automatically allocate an IP address to the service of type LoadBalancer. | -| disableAPIServerCertVerify | Optional | False | Set this parameter to True for disabling API Server certificate verification. 
| -| logProxy | Optional | N/A | Provide Elasticsearch or Kafka or Zipkin endpoint for Citrix observability exporter. | -| entityPrefix | Optional | k8s | The prefix for the resources on the Citrix ADC VPX/MPX. | -| updateIngressStatus | Optional | True | Set this argurment if `Status.LoadBalancer.Ingress` field of the Ingress resources managed by the Citrix ingress controller needs to be updated with allocated IP addresses. For more information see [this](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/configure/ingress-classes.md#updating-the-ingress-status-for-the-ingress-resources-with-the-specified-ip-address). | -| routeLabels | Optional | N/A | You can use this parameter to provide the route labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster. | -| namespaceLabels | Optional | N/A | You can use this parameter to provide the namespace labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster. | -| podAnnotations | Optional | N/A | Map of annotations to add to the pods. | -| affinity | Optional | N/A | Affinity labels for pod assignment. | -| exporter.required | Optional | false | Use the argument, if you want to run the [Exporter for Citrix ADC Stats](https://github.com/citrix/citrix-adc-metrics-exporter) along with CIC to pull metrics for the Citrix ADC VPX or MPX| -| exporter.imageRegistry | Optional | `quay.io` | The Exporter for Citrix ADC Stats image registry | -| exporter.imageRepository | Optional | `citrix/citrix-adc-metrics-exporter` | The Exporter for Citrix ADC Stats image repository | -| exporter.imageTag | Optional | `1.4.9` | The Exporter for Citrix ADC Stats image tag | -| exporter.pullPolicy | Optional | IfNotPresent | The Exporter image pull policy. | -| exporter.ports.containerPort | Optional | 8888 | The Exporter container port. 
| -| exporter.resources | Optional | {} | CPU/Memory resource requests/limits for Metrics exporter container | -| exporter.extraVolumeMounts | Optional | [] | Specify the Additional VolumeMounts to be mounted in Exporter container. Specify the volumes in `extraVolumes` | -| openshift | Optional | false | Set this argument if OpenShift environment is being used. | -| disableOpenshiftRoutes | Optional | false | By default Openshift routes are processed in openshift environment, this variable can be used to disable Ingress controller processing the openshift routes. | -| nodeSelector.key | Optional | N/A | Node label key to be used for nodeSelector option in CIC deployment. | -| nodeSelector.value | Optional | N/A | Node label value to be used for nodeSelector option in CIC deployment. | -| tolerations | Optional | N/A | Specify the tolerations for the CIC deployment. | -| crds.install | Optional | False | Unset this argument if you don't want to install CustomResourceDefinitions which are consumed by CIC. | -| crds.retainOnDelete | Optional | false | Set this argument if you want to retain CustomResourceDefinitions even after uninstalling CIC. This will avoid data-loss of Custom Resource Objects created before uninstallation. | -| analyticsConfig.required | Mandatory | false | Set this to true if you want to configure Citrix ADC to send metrics and transaction records to analytics . | -| analyticsConfig.distributedTracing.enable | Optional | false | Set this value to true to enable OpenTracing in Citrix ADC. | -| analyticsConfig.distributedTracing.samplingrate | Optional | 100 | Specifies the OpenTracing sampling rate in percentage. | -| analyticsConfig.endpoint.server | Optional | N/A | Set this value as the IP address or DNS address of the analytics server. | -| analyticsConfig.endpoint.service | Optional | N/A | Set this value as the IP address or service name with namespace of the analytics service deployed in k8s environment. 
Format: namespace/servicename | -| analyticsConfig.timeseries.port | Optional | 30002 | Specify the port used to expose analytics service outside cluster for timeseries endpoint. | -| analyticsConfig.timeseries.metrics.enable | Optional | False | Set this value to true to enable sending metrics from Citrix ADC. | -| analyticsConfig.timeseries.metrics.mode | Optional | avro | Specifies the mode of metric endpoint. | -| analyticsConfig.timeseries.auditlogs.enable | Optional | false | Set this value to true to export audit log data from Citrix ADC. | -| analyticsConfig.timeseries.events.enable | Optional | false | Set this value to true to export events from the Citrix ADC. | -| analyticsConfig.transactions.enable | Optional | false | Set this value to true to export transactions from Citrix ADC. | -| analyticsConfig.transactions.port | Optional | 30001 | Specify the port used to expose analytics service outside cluster for transaction endpoint. | -| nsLbHashAlgo.required | Optional | false | Set this value to set the LB consistent hashing Algorithm | -| nsLbHashAlgo.hashFingers | Optional | 256 | Specifies the number of fingers to be used for hashing algorithm. Possible values are from 1 to 1024, Default value is 256 | -| nsLbHashAlgo.hashAlgorithm | Optional | 'default' | Specifies the supported algorithm. Supported algorithms are "default", "jarh", "prac", Default value is 'default' | -| extraVolumeMounts | Optional | [] | Specify the Additional VolumeMounts to be mounted in CIC container | -| extraVolumes | Optional | [] | Specify the Additional Volumes for additional volumeMounts | -| rbacRole | Optional | false | To deploy CIC with RBAC Role set rbacRole=true; by default CIC gets installed with RBAC ClusterRole(rbacRole=false)) | - -Alternatively, you can define a YAML file with the values for the parameters and pass the values while installing the chart. 
- -For example: - ``` - helm install my-release citrix/citrix-ingress-controller -f values.yaml - ``` - -> **Tip:** -> -> The [values.yaml](https://github.com/citrix/citrix-helm-charts/blob/master/citrix-ingress-controller/values.yaml) contains the default values of the parameters. - -> **Note:** -> -> Please provide frontend-ip (VIP) in your application ingress yaml file. For more info refer [this](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/configure/annotations.md). - -## Route Addition in MPX/VPX -For seamless functioning of services deployed in the Kubernetes cluster, it is essential that Ingress NetScaler device should be able to reach the underlying overlay network over which Pods are running. -`feature-node-watch` knob of Citrix Ingress Controller can be used for automatic route configuration on NetScaler towards the pod network. Refer [Static Route Configuration](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/staticrouting.md) for further details regarding the same. -By default, `feature-node-watch` is false. It needs to be explicitly set to true if auto route configuration is required. - -This can also be achieved by deploying [Citrix Node Controller](https://github.com/citrix/citrix-k8s-node-controller). - -If your deployment uses one single Citrix ADC Device to loadbalance between multiple k8s clusters, there is a possibilty of CNI subnets to overlap, causing the above mentioned static routing to fail due to route conflicts. In such deployments [Policy Based Routing(PBR)] (https://docs.citrix.com/en-us/citrix-adc/current-release/networking/ip-routing/configuring-policy-based-routes/configuring-policy-based-routes-pbrs-for-ipv4-traffic.html) can be used instead. 
This would require you to provide one or more subnet IP Addresses unique for each kubernetes cluster either via Environment variable or Configmap, see [PBR Support](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/docs/how-to/pbr.md) - - Use the following command to provide subnet IPAddresses(SNIPs) to configure Policy Based Routes(PBR) on the Citrix ADC - - ``` - helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,nsSNIPS='[\, \, ...]' - ``` - - [Citrix Node Controller](https://github.com/citrix/citrix-k8s-node-controller) by default also adds static routes while creating the VXLAN tunnel. To use [Policy Based Routing(PBR)] (https://docs.citrix.com/en-us/citrix-adc/current-release/networking/ip-routing/configuring-policy-based-routes/configuring-policy-based-routes-pbrs-for-ipv4-traffic.html) to avoid static route clash, both Citrix Node Controller and Citrix Ingress Controller has to work in conjunction and has to be started with specific arguments. For more details refer [CNC-PBR-SUPPORT](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/docs/how-to/pbr.md#configure-pbr-using-the-citrix-node-controller). - - Use the following command to inform Citrix Ingress Controller that Citrix Node Controller is configuring Policy Based Routes(PBR) on the Citrix ADC - - ``` - helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,clusterName=,cncPbr= - ``` - -For configuring static routes manually on Citrix ADC VPX or MPX to reach the pods inside the cluster follow: -### For Kubernetes: -1. Obtain podCIDR using below options: - ``` - kubectl get nodes -o yaml | grep podCIDR - ``` - * podCIDR: 10.244.0.0/24 - * podCIDR: 10.244.1.0/24 - * podCIDR: 10.244.2.0/24 - -2. Log on to the Citrix ADC instance. - -3. Add Route in Netscaler VPX/MPX - ``` - add route - ``` -4. 
Ensure that Ingress MPX/VPX has a SNIP present in the host-network (i.e. network over which K8S nodes communicate with each other. Usually eth0 IP is from this network). - - Example: - * Node1 IP = 192.0.2.1 - * podCIDR = 10.244.1.0/24 - * add route 10.244.1.0 255.255.255.0 192.0.2.1 - -### For OpenShift: -1. Use the following command to get the information about host names, host IP addresses, and subnets for static route configuration. - ``` - oc get hostsubnet - ``` - -2. Log on to the Citrix ADC instance. - -3. Add the route on the Citrix ADC instance using the following command. - ```add route ``` - -4. Ensure that Ingress MPX/VPX has a SNIP present in the host-network (i.e. network over which OpenShift nodes communicate with each other. Usually eth0 IP is from this network). - - For example, if the output of the `oc get hostsubnet` is as follows: - * oc get hostsubnet - - NAME HOST HOST IP SUBNET - os.example.com os.example.com 192.0.2.1 10.1.1.0/24 - - * The required static route is as follows: - - add route 10.1.1.0 255.255.255.0 192.0.2.1 - -## Uninstalling the Chart -To uninstall/delete the ```my-release``` deployment: - - ``` - helm delete my-release - ``` - -The command removes all the Kubernetes components associated with the chart and deletes the release. - -## Related documentation - -- [Citrix ingress controller Documentation](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/) -- [Citrix ingress controller GitHub](https://github.com/citrix/citrix-k8s-ingress-controller) diff --git a/charts/citrix/citrix-ingress-controller/1.28.2/app-readme.md b/charts/citrix/citrix-ingress-controller/1.28.2/app-readme.md deleted file mode 100644 index a8a8ebc15a..0000000000 --- a/charts/citrix/citrix-ingress-controller/1.28.2/app-readme.md +++ /dev/null 
@@ -1,5 +0,0 @@
-# Citrix Ingress Controller
-
-[Citrix Ingress Controler](https://github.com/citrix/citrix-k8s-ingress-controller) is an ingress controller for Citrix ADC MPX (hardware), Citrix ADC VPX (virtualized), and Citrix ADC CPX (containerized) for bare metal and cloud deployments. It is built around Kubernetes Ingress and automatically configures Citrix ADC based on the Ingress resource configuration.
-
-This Chart bootstraps standalone Citrix Ingress Controller which can be used to configure Citrix MPX or VPX.
diff --git a/charts/citrix/citrix-ingress-controller/1.28.2/questions.yml b/charts/citrix/citrix-ingress-controller/1.28.2/questions.yml
deleted file mode 100644
index 89389ae11e..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.28.2/questions.yml
+++ /dev/null
@@ -1,348 +0,0 @@ -labels: - io.rancher.certified: partner -questions: -- variable: license.accept - required: true - type: enum - description: "Set to yes to accept the terms and conditions of the Citrix license." - label: Accept License - group: "Deployment Settings" - options: - - "yes" - - "no" -- variable: openshift - default: false - type: boolean - description: "openshift is set to true if charts are being deployed in OpenShift environment" - label: Openshift flag - group: "Deployment Settings" -- variable: adcCredentialSecret - required: true - default: "" - type: string - description: "adcCredentialSecret is secret file for NetScaler login" - label: adcCredentialSecret Name - group: "Deployment Settings" -- variable: imagePullSecrets[0] - required: false - type: string - description: "Provide list of Kubernetes secrets to be used for pulling the images from a private Docker registry or repository" - label: imagePullSecrets - group: "Deployment Settings" -- variable: nsIP - required: true - type: string - description: "nsIP is NetScaler NSIP/SNIP, SNIP in case of HA (mgmt has to be enabled)" - label: Citrix ADC IP - group: "ADC Settings" -- variable: nsVIP - required: false - type: string - label: Virtual IP of Citrix ADC - group: "ADC Settings" -- variable: nsSNIPS - required: false - type: string - description: "The list of subnet IPAddresses on the Citrix ADC device, which will be used to create PBR Routes instead of Static Routes" - label: Citrix ADC nsSNIPS - group: "ADC Settings" -- variable: nsPort - required: false - default: 443 - type: int - description: "nsPort is port for ADC NITRO" - label: nsPort - group: "ADC Settings" -- variable: nsProtocol - required: false - default: "HTTPS" - type: string - description: "nsProtocol is protocol for ADC NITRO" - label: nsProtocol - group: "ADC Settings" -- variable: entityPrefix - required: false - type: string - description: "The prefix for the resources on the Citrix ADC VPX/MPX" - label: entityPrefix - 
group: "ADC Settings" -- variable: kubernetesURL - required: false - type: string - description: "kubernetesURL is for registering events to kubeapi server" - label: Kubernetes API-server URL - group: "Deployment Settings" -- variable: clusterName - required: false - type: string - description: "The unique identifier of the kubernetes cluster on which the CIC is deployed" - label: Cluster Name - group: "Deployment Settings" -- variable: ingressClass[0] - required: false - type: string - description: "ingressClass is the name of the Ingress Class" - label: Ingress Class - group: "Deployment Settings" -- variable: setAsDefaultIngressClass - required: false - default: False - type: boolean - description: "Set the IngressClass object as default ingress class. New Ingresses without an `ingressClassName` field specified will be assigned the class specified in ingressClass. Applicable only for kubernetes versions >= 1.19" - label: setAsDefaultIngressClass - group: "Deployment Settings" -- variable: serviceClass[0] - required: false - type: string - description: "serviceClass is the name of the Service Class" - label: Service Class - group: "Deployment Settings" -- variable: defaultSSLCertSecret - required: false - type: string - description: "Provide Kubernetes secret name that needs to be used as a default non-SNI certificate in Citrix ADC." - label: defaultSSLCertSecret - group: "ADC Settings" -- variable: podIPsforServiceGroupMembers - required: false - default: False - type: boolean - description: "By default Citrix Ingress Controller will add NodeIP and NodePort as service group members,This variable if set to True will change the behaviour to add pod IP and Pod port instead of nodeIP and nodePort." 
- label: podIPsforServiceGroupMembers - group: "Deployment Settings" -- variable: ignoreNodeExternalIP - required: false - default: False - type: boolean - label: ignoreNodeExternalIP - group: "Deployment Settings" -- variable: ipam - required: false - default: False - type: boolean - description: "Set this argument if you want to use the IPAM controller to automatically allocate an IP address to the service of type LoadBalancer" - label: ipam - group: "Deployment Settings" -- variable: logProxy - required: false - default: False - type: string - description: "Provide Elasticsearch or Kafka or Zipkin endpoint for Citrix observability exporter." - label: Log Proxy - group: "Deployment Settings" -- variable: nodeWatch - required: false - default: false - type: boolean - description: "nodeWatch is used for automatic route configuration on NetScaler towards the pod network" - label: NodeWatch - group: "ADC Settings" -- variable: cncPbr - required: false - default: false - type: boolean - description: "Use this argument to inform CIC that Citrix Node Controller(CNC) is configuring Policy Based Routes(PBR) on the Citrix ADC." - label: CNC PBR - group: "ADC Settings" -- variable: nodeSelector.key - required: false - type: string - description: "Node label key to be used for nodeSelector option in CIC deployment" - label: NodeSelector Key - group: "Deployment Settings" -- variable: nodeSelector.value - required: false - type: string - description: "Node label value to be used for nodeSelector option in CIC deployment." 
- label: NodeSelector value - group: "Deployment Settings" -- variable: tolerations[0] - required: false - type: string - description: "Specify the tolerations for the CIC deployment" - label: Tolerations - group: "Deployment Settings" -- variable: updateIngressStatus - required: false - default: false - type: boolean - description: "Set this argurment if Status.LoadBalancer.Ingress field of the Ingress resources managed by the Citrix ingress controller needs to be updated with allocated IP addresses" - label: Update Ingress Status - group: "Deployment Settings" -- variable: nsHTTP2ServerSide - required: false - default: "OFF" - type: string - description: "Set this argument to ON for enabling HTTP2 for Citrix ADC service group configurations." - label: nsHTTP2ServerSide - group: "Deployment Settings" -- variable: nsCookieVersion - required: false - default: "0" - type: string - description: "Specify the persistence cookie version (0 or 1)" - label: nsCookieVersion - group: "Deployment Settings" -- variable: routeLabels - required: false - type: string - description: "You can use this parameter to provide the route labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster." 
- label: Route Labels - group: "Deployment Settings" -- variable: namespaceLabels - required: false - type: string - description: "you can use this parameter to provide the namespace labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster" - label: namespaceLabels - group: "Deployment Settings" -- variable: cic.image - required: true - type: string - default: "quay.io/citrix/citrix-k8s-ingress-controller:1.19.6" - label: CIC Image - group: "CIC Image Settings" -- variable: cic.pullpolicy - required: true - default: "IfNotPresent" - type: enum - label: CIC Image Pullpolicy - group: "CIC Image Settings" - options: - - "Always" - - "IfNotPresent" - - "Never" -- variable: logLevel - required: false - default: "INFO" - type: enum - label: CIC Loglevel - group: "CIC Image Settings" - options: - - "DEBUG" - - "INFO" - - "WARNING" - - "ERROR" - - "TRACE" -- variable: exporter.required - default: false - type: boolean - description: "If set to true exporter will be deployed as sidecar" - label: Enable Exporter - group: "Exporter Settings" -- variable: exporter.image - default: "quay.io/citrix/citrix-adc-metrics-exporter:1.4.9" - required: false - type: string - description: "Exporter Image" - label: Exporter Image - group: "Exporter Settings" -- variable: exporter.pullPolicy - required: false - default: IfNotPresent - type: string - description: "Exporter Image pull policy" - label: Exporter Image PullPolicy - group: "Exporter Settings" -- variable: exporter.ports.containerPort - required: false - default: 8888 - type: int - label: Exporter ContainerPort - group: "Exporter Settings" -- variable: crds.install - required: false - default: true - type: boolean - description: "If set to true the charts will install CustomResourceDefinitions which are consumed by CIC." 
- label: CRD flag - group: "Deployment Settings" -- variable: crds.retainOnDelete - required: false - default: false - type: boolean - description: "Set this argument to true if you want to retain CustomResourceDefinitions even after uninstalling CIC. This will avoid data-loss of Custom Resource Objects created before uninstallation." - label: CRD retainOnDelete flag - group: "Deployment Settings" -- variable: coeConfig.required - required: true - default: false - type: boolean - description: "Set this to true if you want to configure Citrix ADC to send metrics and transaction records to COE" - label: Enable COE - group: "COE Settings" -- variable: coeConfig.distributedTracing.enable - required: false - default: false - type: boolean - description: "Set this value to true to enable OpenTracing in Citrix ADC." - label: Enable coeConfig DistributedTracing - group: "COE Settings" -- variable: coeConfig.distributedTracing.samplingrate - required: false - default: "100" - type: string - description: "Specifies the OpenTracing sampling rate in percentage." 
- label: coeConfig DistributedTracing Samplingrate - group: "COE Settings" -- variable: coeConfig.endpoint.server - required: false - type: string - description: "Set this value as the IP address or DNS address of the analytics server" - label: coeConfig Endpoint Server - group: "COE Settings" -- variable: coeConfig.timeseries.port - required: false - default: "30002" - type: string - description: "Specify the port used to expose COE service outside cluster for timeseries endpoint" - label: coeConfig timeseries Port - group: "COE Settings" -- variable: coeConfig.timeseries.metrics.enable - required: false - default: False - type: boolean - description: "Set this value to true to enable sending metrics from Citrix ADC" - label: Enable coeConfig Timeseries Metrics - group: "COE Settings" -- variable: coeConfig.timeseries.metrics.mode - required: false - default: "avro" - type: string - description: "Specifies the mode of metric endpoint" - label: coeConfig Timeseries Metrics Mode - group: "COE Settings" -- variable: coeConfig.timeseries.auditlogs.enable - required: false - default: False - type: boolean - description: "Set this value to true to export audit log data from Citrix ADC" - label: coeConfig Timeseries Auditlogs Enable - group: "COE Settings" -- variable: coeConfig.timeseries.events.enable - required: false - default: False - type: boolean - description: "Set this value to true to export events from the Citrix ADC" - label: Enable coeConfig Timeseries Events - group: "COE Settings" -- variable: coeConfig.transactions.enable - required: false - default: False - type: boolean - description: "Set this value to true to export transactions from Citrix ADC" - label: Enable coeConfig Transactions - group: "COE Settings" -- variable: coeConfig.transactions.port - required: false - default: 30001 - type: string - description: "Specify the port used to expose COE service outside cluster for transaction endpoint" - label: coeConfig Transactions Port - group: "COE 
Settings"
-- variable: serviceAccount.create
- required: false
- default: true
- type: boolean
- description: "Specifies whether a ServiceAccount should be created"
- label: ServiceAccount Create
- group: "Deployment Settings"
diff --git a/charts/citrix/citrix-ingress-controller/1.28.2/templates/NOTES.txt b/charts/citrix/citrix-ingress-controller/1.28.2/templates/NOTES.txt
deleted file mode 100644
index 4d07f639fb..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.28.2/templates/NOTES.txt
+++ /dev/null
@@ -1,15 +0,0 @@
-Thank you for installing {{ .Chart.Name }}.
-
-Your release is named {{ .Release.Name }}.
-
-
-To learn more about the release, try:
-
- $ helm status {{ .Release.Name }}
- $ helm get {{ .Release.Name }}
-
-
-To delete :
- helm delete {{ .Release.Name }}
-
-
diff --git a/charts/citrix/citrix-ingress-controller/1.28.2/templates/_helpers.tpl b/charts/citrix/citrix-ingress-controller/1.28.2/templates/_helpers.tpl
deleted file mode 100644
index efca8083c7..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.28.2/templates/_helpers.tpl
+++ /dev/null
@@ -1,94 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Analytics Server IP or DNS
-*/}}
-{{- define "analytics.server" -}}
-{{- if .Values.analyticsConfig.endpoint.server -}}
-{{- printf .Values.analyticsConfig.endpoint.server -}}
-{{- else -}}
-{{- $addresses := first (first (lookup "v1" "Node" "" "").items).status.addresses -}}
-{{- printf "%s" ($addresses).address -}}
-{{- end -}}
-{{- end -}}
-
-
-
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "citrix-ingress-controller.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "citrix-ingress-controller.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "exporter.fullname" -}}
-{{- $name := default .Chart.Name "exporter" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "servicemonitor.fullname" -}}
-{{- $name := default .Chart.Name "citrix-adc-servicemonitor" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "servicemonitorlabel" -}}
-{{- $name := default .Chart.Name "citrix-adc-svcmon" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "cicconfigmap.fullname" -}}
-{{- $name := default .Chart.Name "cic-configmap" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "citrix-ingress-controller.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "citrix-ingress-controller.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create -}}
- {{ default (include "citrix-ingress-controller.fullname" .) .Values.serviceAccount.name }}
-{{- else -}}
- {{ default "default" .Values.serviceAccount.name }}
-{{- end -}}
-{{- end -}}
diff --git a/charts/citrix/citrix-ingress-controller/1.28.2/templates/cic_crds.yaml b/charts/citrix/citrix-ingress-controller/1.28.2/templates/cic_crds.yaml
deleted file mode 100644
index 6ff58466f8..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.28.2/templates/cic_crds.yaml
+++ /dev/null
@@ -1,2515 +0,0 @@ -{{- if .Values.crds.install }} -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: rewritepolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: rewritepolicy - plural: rewritepolicies - singular: rewritepolicy - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - rewrite-policies: - type: array - items: - type: object - properties: - servicenames: - description: 'Name of the services that needs to be binded to rewrite policy.' - type: array - items: - type: string - maxLength: 127 - goto-priority-expression: - description: 'Expression or other value specifying the next policy to be - evaluated if the current policy evaluates to TRUE. - Specify one of the following values: - * NEXT - Evaluate the policy with the next higher priority number. - * END - End policy evaluation. - Default value of goto-priority-expression: END' - type: string - maxLength: 1499 - logpackets: - type: object - description: 'Adds an audit message action. - The action specifies whether to log the message, and to which log.' 
- properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' - type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - rewrite-policy: - type: object - properties: - rewrite-criteria: - description: 'Expression against which traffic is evaluated.' - type: string - maxLength: 1299 - default-action: - description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). - An UNDEF event indicates an internal error condition.' - type: string - maxLength: 77 - enum: ['NOREWRITE', 'RESET', 'DROP'] - operation: - description: 'Type of user-defined rewrite action.' - type: string - enum: ["noop", "delete", "insert_http_header", "delete_http_header", - "corrupt_http_header", "insert_before", "insert_after", "replace", - "replace_http_res", "delete_all", "replace_all", "insert_before_all", - "insert_after_all", "clientless_vpn_encode", "clientless_vpn_encode_all", - "clientless_vpn_decode", "clientless_vpn_decode_all", "insert_sip_header", - "delete_sip_header", "corrupt_sip_header", "replace_sip_res", "replace_diameter_header_field", - "replace_dns_header_field", "replace_dns_answer_section"] - target: - description: 'Default syntax expression that specifies which part of the request or response to rewrite.' - type: string - maxLength: 1229 - modify-expression: - description: 'Default syntax expression that specifies the content to insert into the request - or response at the specified location, or that replaces the specified string.' - type: string - maxLength: 7991 - multiple-occurence-modify: - description: 'Search facility that is used to match multiple strings in the request or response.' 
- type: string - maxLength: 171 - additional-multiple-occurence-modify: - description: 'Specify additional criteria to refine the results of the search. - Always starts with the "extend(m,n)" operation, where "m" specifies number of bytes to the left of selected data - and "n" specifies number of bytes to the right of selected data. - You can use refineSearch only on body expressions, and only when rewrite-criteria is any one of this: - INSERT_BEFORE_ALL, INSERT_AFTER_ALL, REPLACE_ALL, and DELETE_ALL.' - type: string - maxLength: 1299 - direction: - description: 'Bind point to which to bind the policy.' - type: string - enum: ["REQUEST","RESPONSE"] - comment: - description: 'Any comments to preserve information about this rewrite policy.' - type: string - maxLength: 255 - required: [rewrite-criteria, operation, target, direction] - required: [rewrite-policy] - - responder-policies: - type: array - items: - type: object - properties: - servicenames: - description: 'Name of the services that needs to be binded to responder policy.' - type: array - items: - type: string - maxLength: 127 - goto-priority-expression: - description: 'Expression or other value specifying the next policy to be - evaluated if the current policy evaluates to TRUE. - Specify one of the following values: - * NEXT - Evaluate the policy with the next higher priority number. - * END - End policy evaluation. - Default value of goto-priority-expression: END' - type: string - maxLength: 1499 - logpackets: - type: object - description: 'Adds an audit message action. - The action specifies whether to log the message, and to which log.' - properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' 
- type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", - "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - responder-policy: - type: object - properties: - redirect: - type: object - description: 'Use this option when you want to Redirect the request when request matches to policy.' - properties: - url: - description: 'URL on which you want to redirect the request.' - type: string - maxLength: 7991 - redirect-status-code: - description: 'HTTP response status code, for example 200, 302, 404, etc.' - type: integer - minimum: 100 - maximum: 599 - redirect-reason: - description: 'Expression specifying the reason for redirecting the request.' - type: string - maxLength: 7991 - required: [url] - respondwith: - type: object - description: 'Use this parameter when you want to respond to the request when request matches to policy.' - properties: - http-payload-string: - description: 'Expression that you want to sent as response to the request.' - type: string - maxLength: 7991 - required: [http-payload-string] - noop: - type: string - description: 'Use this option when you want to send the request to the protected server instead of - responding to it when request matches to policy.' - properties: - target: - description: 'Default syntax expression that specifies to perform noop operation on' - type: string - maxLength: 1229 - reset: - type: string - description: 'Use this option when you want to Reset the client connection by closing it when request matches to policy.' - properties: - drop: - type: string - description: 'Use this option when you want to drop the request without sending a response to the user when request matches to policy.' - properties: - respond-criteria: - description: 'Default syntax expression that the policy uses to determine whether to respond to the specified request.' 
- type: string - maxLength: 1299 - default-action: - description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). - An UNDEF event indicates an internal error condition.' - type: string - maxLength: 77 - enum: ['NOOP', 'RESET', 'DROP'] - comment: - description: 'Any comments to preserve information about this responder policy.' - type: string - maxLength: 255 - required: [respond-criteria] - oneOf: [required: [redirect], required: [respondwith], required: [noop], required: [reset], required: [drop]] - required: [responder-policy] - - dataset: - type: array - items: - type: object - properties: - name: - description: 'Name of the dataset.' - type: string - maxLength: 32 - type: - description: 'Type of value to bind to the dataset.' - type: string - enum: ["ipv4", "number", "ipv6", "ulong", "double", "mac"] - comment: - description: 'Any comments to preserve information about this dataset.' - type: string - maxLength: 255 - values: - description: 'Value of the specified type that is associated with this dataset.' - type: array - items: - type: string - required: [name, type, values] - - patset: - type: array - items: - type: object - properties: - name: - description: 'Name of the Patset.' - type: string - maxLength: 32 - comment: - description: 'Any comments to preserve information about this patset.' - type: string - maxLength: 255 - values: - description: 'String of characters that constitutes a pattern and is associated with this patset.' - type: array - items: - type: string - required: [name, values] - - stringmap: - type: array - items: - type: object - properties: - name: - description: 'Name of the Stringmap.' - type: string - maxLength: 32 - comment: - description: 'Any comments to preserve information about this stringmap.' - type: string - maxLength: 255 - values: - description: 'List of (key,value) pairs to be bound to this string map.' 
- type: array - items: - type: object - properties: - key: - description: 'Character string constituting the key to be bound to this string map.' - type: string - maxLength: 2047 - value: - description: 'Character string constituting the value associated with the key.' - type: string - maxLength: 2047 - required: [name, values] - - httpcallout_policy: - type: array - items: - type: object - properties: - name: - description: 'httpcallout name' - type: string - maxLength: 32 - server_ip: - description: 'IP Address of the server(callout agent) to which the callout is sent.' - type: string - server_port: - description: 'Port of the server(callout agent) to which the callout is sent.' - type: integer - minimum: 1 - maximum: 65535 - http_method: - description: |+ - 'Method used in the HTTP request that this callout sends. - Default http method is GET' - type: string - enum: ['GET', 'POST'] - host_expr: - description: |+ - 'String expression to configure the Host header. Can contain a literal value - (for example, 10.101.10.11) or a derived value (for example, http.req.header("Host")). - The literal value can be an IP address or a fully qualified domain name. Mutually - exclusive with the full HTTP request expression.' - type: string - maxLength: 255 - url_stem_expr: - description: |+ - 'String expression for generating the URL stem. Can contain a literal string - (for example, "/mysite/index.html") or an expression that derives the value - (for example, http.req.url).' - type: string - maxLength: 8191 - headers: - type: array - description: |+ - 'One or more headers to insert into the HTTP request. Each header is represented by - name and expr, where expr is an expression that is evaluated at runtime to provide - the value for the named header. You can configure a maximum of eight headers for - an HTTP callout.' 
- items: - type: object - properties: - name: - description: 'header name' - type: string - expr: - description: 'header expression' - type: string - parameters: - type: array - description: |+ - 'One or more query parameters to insert into the HTTP request URL (for a GET request) - or into the request body (for a POST request). Each parameter is represented by - name and expr, where expr is an expression that is evaluated at run time to provide - the value for the named parameter (name=value). The parameter values are URL encoded.' - items: - type: object - properties: - name: - description: 'parameter name' - type: string - expr: - description: 'parameter expression' - type: string - body_expr: - description: |+ - 'An advanced string expression for generating the body of the request. - The expression can contain a literal string or an expression that derives - the value (for example, client.ip.src).' - type: string - full_req_expr: - description: |+ - 'Exact HTTP request, in the form of an expression, which the Citrix ADC sends - to the callout agent. The request expression is constrained by the feature - for which the callout is used. For example, an HTTP.RES expression cannot be - used in a request-time policy bank or in a TCP content switching policy bank.' - type: string - scheme: - description: |+ - 'Type of scheme for the callout server. - Default scheme is HTTP' - type: string - enum: ['HTTP', 'HTTPS'] - cache_for_secs: - description: |+ - 'Duration, in seconds, for which the callout response is cached. - The cached responses are stored in an integrated caching content - group named "calloutContentGroup". If no duration is configured, - the callout responses will not be cached unless normal caching - configuration is used to cache them. This parameter takes precedence over any - normal caching configuration that would otherwise apply to these responses.' 
- type: integer - minimum: 1 - maximum: 31536000 - return_type: - description: |+ - 'Type of data that the target callout agent returns in response to the callout - Available settings function as follows: - * TEXT - Treat the returned value as a text string. - * NUM - Treat the returned value as a number. - * BOOL - Treat the returned value as a Boolean value.' - type: string - enum: ['TEXT', 'NUM', 'BOOL'] - result_expr: - description: |+ - 'Expression that extracts the callout results from the response sent by the HTTP callout - agent. Must be a response based expression, that is, it must begin with HTTP.RES. The - operations in this expression must match the return type. For example, if you configure - a return type of TEXT, the result expression must be a text based expression. If the - return type is NUM, the result expression (resultExpr) must return a numeric value, - as in the following example: http.res.body(10000).length.' - type: string - maxLength: 8191 - comment: - description: 'Any comments to preserve information about this HTTP callout.' 
- type: string - maxLength: 255 - allOf: - - properties: - required: [name, server_ip, server_port] - - properties: - oneOf: - - properties: - required: [full_req_expr] - - properties: - anyOf: - - properties: - required: [http_method] - - properties: - required: [host_expr] - - properties: - required: [url_stem_expr] - - properties: - required: [headers] - - properties: - required: [parameters] - - properties: - required: [body_expr] - anyOf: [required: [rewrite-policies], required: [responder-policies]] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: ratelimits.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: ratelimit - plural: ratelimits - singular: ratelimit - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the ratelimit policies are applied.' - type: array - items: - type: string - maxLength: 127 - selector_keys: - type: object - description: 'Traffic match criteria to which apply above rate-limit/throttling. All keys are applied as AND condition. 
If no keys are specified, rate-limit applies at service level' - properties: - basic: - type: object - description: "Basic traffic stream selection criteria to which to apply the ratelimit" - properties: - path: - type: array - description: "api resource path prefix match. e.g. /api/v1/products" - items: - type: string - method: - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST','DELETE'] - header_name: - description: "HTTP header that identifies the unique API client for e.g. X-apikey" - type: string - per_client_ip: - description: "Setting this applies the throttling limit to each unique Client IP address accessing the API resource" - type: boolean - req_threshold: - description: 'Max requests per timeslice units to be allowed' - type: integer - timeslice: - description: 'Timeslice in miliseconds in multiple of 10. Defaults to 1000 miliseconds' - type: integer - limittype: - description: "Burst mode or smooth. Defaults to smooth limittype if not specified" - type: string - enum: ['BURSTY','SMOOTH'] - throttle_action: - type: string - enum: ['DROP', 'RESET','REDIRECT', 'RESPOND'] - description: "Drop will drop the requests exceeding limits, RESET will reset the client connection, Redirect will redirect to specified URL, respond will respond with 429 'Exceeded allowed rate of requests'" - redirect_url: - type: string - description: "Redirect-URL" - logpackets: - type: object - description: 'Adds an audit message action. The action specifies whether to log the message, and to which log.' - properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' 
- type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - required: [req_threshold] ---- -#Sample CRD instance - -#apiVersion: citrix.com/v1 -#description: VIP for apache service -#kind: vip -#metadata: -# name: service-apache -# namespace: default -#spec: -# description: VIP for the apache Service -# ipaddress: 10.99.98.90 -# kind: service -# name: apache - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: vips.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: vip - plural: vips - singular: vip - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - additionalPrinterColumns: - - jsonPath: .spec.ipaddress - name: VIP - type: string - - name: Age - type: date - jsonPath: .metadata.creationTimestamp - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - ipaddress: - type: string - name: - type: string - kind: - type: string - enum: ["service", "ingress"] - description: - type: string - range-name: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: authpolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: authpolicy - plural: authpolicies - singular: authpolicy - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: 'Current Status of the CRD' - jsonPath: .status.state - - name: Message - type: string - description: 'Status Message' - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: 
string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: |+ - 'Name of the services for which the policies applied' - type: array - items: - type: string - maxLength: 63 - authentication_mechanism: - type: object - description: |+ - 'Authentication mechanism. Options: using forms or using request header. - Default is Authentication using request header, when no option is specified' - properties: - using_request_header: - description: |+ - 'Enable user authentication using request header. Use when the credentials - or api keys are passed in a header. For example, when using Basic, Digest, - Bearer authentication or api keys. - When authentication using forms is provided, this is set to OFF' - - type: string - using_forms: - type: object - description: 'Enables authentication using forms. Use with user/web authentication.' - properties: - authentication_host: - description: |+ - 'Fully qualified domain name (FQDN) for authentication. - This FQDN should be unique and should resolve to frontend IP of - ADC with Ingress/service type LoadBalancer (or) vip of Listener CRD' - type: string - maxLength: 255 - authentication_host_cert: - description: |+ - 'Name of the SSL certificate to be used with authentication_host. 
- This certificate is mandatory while using_forms' - type: object - properties: - tls_secret: - type: string - description: 'Name of the Kubernetes Secret of type tls referring to Certificate' - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - preconfigured: - type: string - maxLength: 63 - description: |+ - 'Preconfigured SSL certkey name on ADC with the - certificate and key already added on ADC' - oneOf: - - properties: - required: [tls_secret] - - properties: - required: [preconfigured] - ingress_name: - description: |+ - 'Ingress name for which the authentication using forms - is applicable.' - type: string - maxLength: 63 - lb_service_name: - description: |+ - 'Service of type LoadBalancer for which the authentication using forms - is applicable.' - type: string - maxLength: 63 - listener_name: - description: |+ - 'Listener CRD name for which the authentication using forms is applicable.' - type: string - maxLength: 63 - vip: - description: |+ - 'Frontend IP of ingress for which the authentication - using forms is applicable. This refers to frontend-ip provided - with Ingress. It is suggested to use vip, if more than one Ingress - resource use the same frontend-ip' - type: string - required: [authentication_host, authentication_host_cert] - oneOf: - - properties: - required: [ingress_name] - - properties: - required: [lb_service_name] - - properties: - required: [listener_name] - - properties: - required: [vip] - oneOf: - - properties: - using_request_header: - enum: ['ON'] - required: [using_request_header] - - properties: - required: [using_forms] - - authentication_providers: - description: |+ - 'Authentication Configuration for required authentication providers/schemes. 
- One or more of these can be created' - type: array - items: - description: 'Create config for a single authentication provider of a particular type' - type: object - properties: - name: - description: 'Name for this provider, has to be unique, referenced by authentication policies' - type: string - maxLength: 127 - - oauth: - description: 'Authentication provided by external oAuth provider' - type: object - properties: - issuer: - description: 'Identity of the server whose tokens are to be accepted' - type: string - maxLength: 127 - audience: - description: 'Audience for which token sent by Authorization server is applicable' - type: array - items: - type: string - maxLength: 127 - jwks_uri: - description: |+ - 'URL of the endpoint that contains JWKs (Json Web Key) for - JWT (Json Web Token) verification' - type: string - maxLength: 127 - introspect_url: - description: ' URL of the introspection server' - type: string - maxLength: 127 - client_credentials: - description: |+ - 'secrets object that contains Client Id and secret as known - to Introspection server' - type: string - maxLength: 253 - token_in_hdr: - description: |+ - 'custom header name where token is present, - default is Authorization header' - type: array - items: - type: string - maxLength: 127 - maxItems: 2 - token_in_param: - description: 'query parameter name where token is present' - type: array - items: - type: string - maxLength: 127 - maxItems: 2 - signature_algorithms: - description: 'list of allowed signature algorithms, by default HS256, RS256, RS512 are allowed' - type: array - items: - type: string - enum: ['HS256', 'RS256', 'RS512'] - claims_to_save: - description: 'list of claims to be saved, used to create authorization policies' - type: array - items: - type: string - maxLength: 127 - metadata_url: - description: 'URL used to get OAUTH/OIDC provider metadata' - type: string - maxLength: 255 - user_field: - description: |+ - 'Attribute in the token from which username should be 
extracted. - by default, ADC looks at email attribute for user id' - type: string - maxLength: 127 - default_group: - description: |+ - 'group assigned to the request if authentication succeeds, - this is in addition to any extracted groups from token' - type: string - maxLength: 63 - grant_type: - description: 'used to specify the type of flow to the token end point, defaults to CODE' - type: array - items: - type: string - enum: ['CODE','PASSWORD'] - pkce: - description: 'specify whether to enable Proof Key Code Exchange, defaults to ENABLED' - type: string - enum: ['ENABLED', 'DISABLED'] - token_ep_auth_method: - description: |+ - 'authentication method to be used with token end point, - defaults to client_secret_post' - type: string - enum: ['client_secret_post', 'client_secret_jwt'] - - anyOf: - - properties: - required : [jwks_uri] - - properties: - required : [introspect_url, client_credentials] - - properties: - required : [metadata_url] - - ldap: - description: 'LDAP authentication provider' - type: object - properties: - server_ip: - description: 'IP address assigned to the LDAP server' - type: string - server_name: - description: 'LDAP server name as a FQDN' - type: string - maxLength: 127 - server_port: - description: 'Port on which the LDAP server accepts connections. Default is 389' - type: integer - minimum: 1 - maximum: 65535 - base: - description: |+ - 'Base (node) from which to start LDAP searches. If the LDAP server is - running locally, the default value of base is dc=netscaler, dc=com' - type: string - maxLength: 127 - server_login_credentials: - description: |+ - 'Kubernetes secret object providing credentials to login to LDAP server, - The secret data should have username and password' - type: string - login_name: - description: |+ - 'LDAP login name attribute. 
The Citrix ADC uses the LDAP login name - to query external LDAP servers or Active Directories' - type: string - maxLength: 127 - security_type: - description: |+ - 'Type of security used for communications between the Citrix ADC - and the LDAP server. Default is TLS' - type: string - enum: ['PLAINTEXT', 'TLS', 'SSL'] - validate_server_cert: - description: 'Validate LDAP Server certs. Default is NO' - type: string - enum: ['YES', 'NO'] - hostname: - description: |+ - 'Hostname for the LDAP server. If validate_server_cert is ON, - this must be the host name on the certificate from the LDAP - A hostname mismatch will cause a connection failure' - type: string - maxLength: 127 - sub_attribute_name: - description: 'LDAP group sub-attribute name. Used for group extraction from the LDAP server.' - type: string - maxLength: 31 - group_attribute_name: - description: 'LDAP group attribute name. Used for group extraction on the LDAP server.' - type: string - maxLength: 31 - search_filter: - description: |+ - 'String to be combined with the default LDAP user search string to form the - search value. For example, if the search filter "vpnallowed=true" is combined - with the LDAP login name "samaccount" and the user-supplied username is "bob", - the result is the LDAP search string ""(&(vpnallowed=true)(samaccount=bob)"" - (Be sure to enclose the search string in two sets of double quotation marks)' - type: string - maxLength: 255 - auth_timeout: - description: |+ - 'Number of seconds the Citrix ADC waits for a response from the server - Default is 3' - type: integer - minimum: 1 - maximum: 4294967295 - password_change: - description: 'Allow password change requests. 
Default is DISABLED' - type: string - enum: ['ENABLED', 'DISABLED'] - attributes_to_save: - description: |+ - 'List of attribute names separated by comma which needs to be fetched - from LDAP server and stored as key-value pair for the session on ADC' - type: string - maxLength: 2047 - oneOf: - - properties: - required: [server_ip] - - properties: - required: [server_name] - - saml: - description: |+ - 'SAML authentication provider. - Currently SAML is supported only with authentication mechanism using forms' - type: object - properties: - metadata_url: - description: 'URL is used for obtaining saml metadata.' - type: string - maxLength: 255 - metadata_refresh_interval: - description: |+ - 'Interval in minutes for fetching metadata from specified metadata URL. - Default is 36000' - type: integer - minimum: 1 - maximum: 4294967295 - signing_cert: - description: 'SSL certificate to sign requests from SP to IDP' - type: object - properties: - tls_secret: - type: string - description: 'Name of the Kubernetes Secret of type tls referring to Certificate' - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - preconfigured: - type: string - maxLength: 63 - description: |+ - 'Preconfigured SSL certkey name on ADC with the - certificate and key already added on ADC' - oneOf: - - properties: - required: [tls_secret] - - properties: - required: [preconfigured] - audience: - description: 'Audience for which assertion sent by IdP is applicable' - type: string - maxLength: 127 - issuer_name: - description: 'The name to be used in requests sent from SP to IDP to identify citrix ADC' - type: string - maxLength: 63 - binding: - description: 'Specifies the transport mechanism of saml message. Default is POST' - type: string - enum: ['REDIRECT', 'POST', 'ARTIFACT'] - artifact_resolution_service_url: - description: 'URL of the Artifact Resolution Service on IdP' - type: string - maxLength: 255 - logout_binding: - description: 'Specifies the transport mechanism of saml logout. 
Default is POST' - type: string - enum: ['REDIRECT', 'POST'] - reject_unsigned_assertion: - description: |+ - 'Reject unsigned SAML assertions. ON, rejects assertion without signature. - STRICT ensure that both Response and Assertion are signed. Default is ON' - type: string - enum: ['ON', 'OFF', 'STRICT'] - user_field: - description: 'SAML user ID, as given in the SAML assertion' - type: string - maxLength: 63 - default_authentication_group: - description: |+ - 'This is the default group that is chosen when the authentication - succeeds in addition to extracted groups' - type: string - maxLength: 63 - skew_time: - description: |+ - 'Allowed clock skew in number of minutes on an incoming assertion. - Default is 5' - type: integer - minimum: 1 - attributes_to_save: - description: |+ - 'List of attribute names separated by comma which needs to be extracted - and stored as key-value pair for the session on ADC' - type: string - maxLength: 2047 - required: - - metadata_url - - basic_local_db: - type: object - description: |+ - 'Basic HTTP authentication supported by ADC, user data in local DB of ADC. - Users needs to be added on ADC' - properties: - use_local_auth: - description: 'Use ADC authentication' - type: string - enum: ['YES'] - - required: - - name - - authentication_policies: - description: 'Authentication policies' - type: array - items: - type: object - description: 'Authentication policy' - properties: - resource: - type: object - description: 'endpoint/resource selection criteria' - properties: - path: - description: 'api resource path e.g. /products. 
' - type: array - items: - type: string - maxLength: 511 - method: - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST','DELETE'] - required: - - path - expression: - description: 'ADC syntax expression for authentication' - type: string - maxLength: 1229 - provider: - description: 'name of the authentication provider for the policy, empty if no authentication required' - type: array - items: - type: string - maxLength: 127 - maxItems: 1 - oneOf: - - required: [resource, provider] - - required: [expression, provider] - - authorization_policies: - description: 'Authorization policies' - type: array - items: - type: object - description: 'Authorization policy' - properties: - resource: - type: object - description: 'endpoint/resource selection criteria' - properties: - path: - description: 'api resource path e.g. /products. ' - type: array - items: - type: string - maxLength: 511 - method: - description: ' http method' - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST','DELETE'] - claims: - description: 'authorization scopes required for selected resource saved as claims or attributes' - type: array - items: - type: object - properties: - name: - description: 'name of the claim/attribute to check' - type: string - maxLength: 127 - values: - description: 'list of claim values required for the request' - type: array - items: - type: string - maxLength: 127 - minItems: 1 - required: - - name - - values - required: - - claims - expression: - description: 'ADC syntax expression for authorization' - type: string - maxLength: 1229 - oneOf: - - required: [resource] - - required: [expression] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: listeners.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - version: null - names: - kind: Listener - plural: listeners - singular: listener - scope: Namespaced - versions: - 
- name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - required: [spec] - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - required: [protocol] - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - protocol: - type: string - enum: ["https", "http"] - description: "Protocol for this listener" - vip: - type: string - description: "VIP address, Optional for CPX, required for Tier-1 deployments" - secondaryVips: - type: array - description: "An array of Secondary VIPs. All the VIPs will be part of an ipset" - minItems: 1 - items: - type: string - redirectPort: - type: integer - minimum: 1 - maximum: 65535 - description: "Port from which http traffic should be redirected to https" - port: - type: integer - minimum: 1 - maximum: 65535 - certificates: - type: array - description: "certificates attached to the endpoints - Not applicable for HTTP" - minItems: 1 - items: - type: object - properties: - preconfigured: - type: string - description: "Preconfigured Certificate name on ADC " - secret: - type: object - description: "Kuberentes secret object" - required: [name] - properties: - name: - type: string - description: "name of the Kubernetes Secret object where Cert is located" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - namespace: - type: string - description: "Namespace of the kubernetes secret object; Default is same namespace where the Listener object is located" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - default: - type: boolean - description: "Only one of the certificate can be marked as default which will be presented if none of the cert matches with the hostname" - oneOf: - - required: ["preconfigured"] - - required: ["secret"] - policies: - 
type: object - description: "Policies attached to the Listener" - properties: - httpprofile: - type: object - description: "HTTP profile configurations for the Listener, HTTP level configurations" - properties: - preconfigured: - type: string - description: "Preconfigured or Built-in HTTP profile name" - config: - type: object - description: "HTTP profile configuration for the listener. For individual fields, refer:https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ns/nshttpprofile/nshttpprofile/ Name field is auto populated" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - tcpprofile: - type: object - description: "TCP level configurations, uses ns tcpprofile of citrix ADC" - properties: - preconfigured: - description: "Preconfigured or Built-in TCP profile name" - type: string - config: - type: object - description: "TCPprofile configurations for the listener. For individual fields refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ns/nstcpprofile/ ; Name field is auto populated" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - csvserverConfig: - type: object - description: "CS Vserver configuration for the listener" - additionalProperties: - type: string - sslprofile: - type: object - description: "SSL profile configuration" - properties: - preconfigured: - type: string - description: "SSL profile which is preconfigured in ADC. Ciphers bound to the profile is not overriden" - config: - description: "Citrix ADC frontend SSL profile configurations. 
Refer:https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ssl/sslprofile/ for all configurations; Name field is auto generated" - type: object - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - sslciphers: - type: array - description: "List of ciphers to be bound to the ssl profile for the listener. Priority is as per the order in the list. A cipher suite, predefined cipher group or User created cipher group can be mentioned" - minItems: 1 - items: - type: string - description: "Cipher suite, cipher group name" - analyticsprofile: - type: object - description: "Analytics profile configuration" - properties: - preconfigured: - type: array - description: "Preconfigured Analytics profile that needs to be bound to the vserver" - minItems: 1 - items: - type: string - description: "Name of the analytics profile preconfigured that will be bound to the Vserver" - config: - type: array - description: "An array of analytics to be enabled" - minItems: 1 - items: - type: object - description: "Anlytics to be enabled" - required: ['type'] - properties: - type: - description: "Analytics profile to be enabled, you can enable one or more of the webinsight, tcpinsight, securityinsight, videoinsight, hdxinsight, gatewayinsight, timeseries, lsninsight, botinsight " - type: string - enum: ["webinsight", "tcpinsight", "securityinsight", "videoinsight", "hdxinsight", "gatewayinsight", "timeseries", "lsninsight", "botinsight"] - parameters: - type: object - description: "Additional parameters for analytics profile. 
Please refer:https://developer-docs.citrix.com/projects/citrix-adc-nitro-api-reference/en/latest/configuration/analytics/analyticsprofile/" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - routes: - type: array - description: "List of route objects attached to the listener" - minItems: 1 - items: - type: object - properties: - name: - type: string - description: "Name of the HTTPRoute object" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - namespace: - type: string - description: "Namespace of the HTTPRoute object" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - labelSelector: - description: "Labels key value pair, if the route carries the same labels, it is automatically attached" - type: object - additionalProperties: - type: string - oneOf: - - required: [name, namespace] - - required: [labelSelector] - defaultAction: - type: object - description: "Default action for the listener: One of Backend or Redirect" - properties: - backend: - type: object - oneOf: - - required: [kube] - properties: - kube: - type: object - required: [service, port] - properties: - service: - description: "Name of the backend service" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - port: - description: "Service port" - type: integer - minimum: 1 - maximum: 65535 - namespace: - description: "Service namespace" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - backendConfig: - description: "General backend service options" - type: object - properties: - secure_backend: - description: "Use Secure communications to the backends" - type: boolean - lbConfig: - description: "Citrix ADC LB vserver configurations for the backend. 
Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/load-balancing/lbvserver/lbvserver/ for all configurations"
- type: object
- additionalProperties:
- type: string
- servicegroupConfig:
- description: "Citrix ADC service group configurations for the backend; Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/basic/servicegroup/servicegroup/ for all configurations"
- type: object
- additionalProperties:
- type: string
- redirect:
- type: object
- oneOf:
- - required: [targetExpression]
- - required: [hostRedirect]
- - required: [httpsRedirect]
- properties:
- httpsRedirect:
- description: "Change the scheme from http to https keeping URL intact"
- type: boolean
- hostRedirect:
- description: "Host name specified is used for redirection with URL intact"
- type: string
- targetExpression:
- description: "A target can be specified using Citrix ADC policy expression"
- type: string
- responseCode:
- description: "Default response code is 302, which can be customised using this attribute"
- type: integer
- minimum: 100
- maximum: 599
- oneOf:
- - required: ["backend"]
- - required: ["redirect"]
- subresources:
- # status enables the status subresource. 
- status: {}
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: httproutes.citrix.com
-{{- if .Values.crds.retainOnDelete }}
- annotations:
- "helm.sh/resource-policy": keep
-{{- end }}
-spec:
- group: citrix.com
- version: null
- names:
- kind: HTTPRoute
- plural: httproutes
- singular: httproute
- scope: Namespaced
- versions:
- - name: v1
- served: true
- storage: true
- schema:
- openAPIV3Schema:
- type: object
- required: [spec]
- properties:
- status:
- type: object
- properties:
- state:
- type: string
- status_message:
- type: string
- spec:
- type: object
- required: [rules]
- properties:
- ingressclass:
- type: string
- description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource"
- hostname:
- type: array
- description: "List of domain names that share the same route, default is '*'"
- minItems: 1
- items:
- type: string
- description: "Domain name"
- rules:
- type: array
- description: "List Content routing rules with an action defined"
- minItems: 1
- items:
- type: object
- required: [name, action]
- properties:
- name:
- type: string
- description: "A name to represent the rule, this is used as an identifier in content routing policy name in ADC"
- minLength: 1
- maxLength: 20
- pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
- match:
- type: array
- description: "List of rules with same action"
- minItems: 1
- items:
- type: object
- anyOf:
- - required: [path]
- - required: [headers]
- - required: [cookies]
- - required: [queryParams]
- - required: [method]
- - required: [policyExpression]
- properties:
- path:
- type: object
- description: "URL Path based content routing"
- properties:
- prefix:
- type: string
- description: "URL path matches the prefix expression"
- exact:
- type: string
- description: "URL Path must match exact path"
- regex:
- type: string
- 
description: "PCRE based regex expression for path matching"
- headers:
- type: array
- description: "List of header for content routing - Must match all the rules- Treated as AND condition if more than 1 rule"
- minItems: 1
- items:
- type: object
- description: "Header details for content routing, Check for existence of a header or header name-value match"
- properties:
- headerName:
- type: object
- description: "Header name based content routing, Here existence of header is used for routing"
- properties:
- exact:
- type: string
- description: "Header Name - treated as exact must exist"
- contains:
- type: string
- description: "Header Name - A header must exist that contain the string the name"
- regex:
- type: string
- description: "header Name - treated as PCRE regex expression"
- not:
- type: boolean
- description: "Default False, if present, rules are inverted. I.e header name must not exist"
- oneOf:
- - required: [exact]
- - required: [contains]
- - required: [regex]
- headerValue:
- type: object
- description: "Header Name and Value based match"
- properties:
- name:
- type: string
- description: "Header name that must match the value"
- exact:
- type: string
- description: "Header value - treated as exact"
- contains:
- type: string
- description: "Header value - treated as contains"
- regex:
- type: string
- description: "header value - treated as PCRE regex expression"
- not:
- type: boolean
- description: "Default False, if present, rules are inverted. I.e header if present must not match the value"
- oneOf:
- - required: [name, exact]
- - required: [name, contains]
- - required: [name, regex]
- queryParams:
- type: array
- description: "List of Query parameters for content routing - Must match all the rules- Treated as AND condition if more than 1 rule"
- minItems: 1
- items:
- type: object
- description: "Query parameters Name and Value based match"
- properties:
- name:
- type: string
- description: "Query name that must match the value. 
If no value is specified, matches with any value"
- exact:
- type: string
- description: "Query value - Exact match"
- contains:
- type: string
- description: "Query value - value must have the string(substring)"
- regex:
- type: string
- description: "Query value - Value must match this regex patterm"
- not:
- type: boolean
- description: "Default False, if present, rules are inverted. I.e query if present must not match the value"
- anyOf:
- - required: [name]
- - oneOf:
- - required: [name, exact]
- - required: [name, contains]
- - required: [name, regex]
- cookies:
- type: array
- description: "List of Cookie params for content routing - Must match all the rules- Treated as AND condition if more than 1 rule"
- minItems: 1
- items:
- type: object
- description: "Cookie based routing"
- properties:
- name:
- type: string
- description: "cookie name that must match the value. If no value specified, it matches with any value"
- exact:
- type: string
- description: "cookie value - treated as exact"
- contains:
- type: string
- description: "cookie value - treated as substring"
- regex:
- type: string
- description: "cookie value - treated as PCRE regex expression"
- not:
- type: boolean
- description: "Default False, if present, rules are inverted. 
I.e cookie if present must not match the value"
- anyOf:
- - required: [name]
- - oneOf:
- - required: [name, exact]
- - required: [name, contains]
- - required: [name, regex]
- method:
- type: string
- description: "HTTP method for content routing eg: POST, PUT, DELETE etc"
- policyExpression:
- type: string
- description: "Citrix ADC policy expressions; refer: https://docs.citrix.com/en-us/netscaler/media/expression-prefix.pdf"
- action:
- type: object
- description: "Action for the matched rule"
- properties:
- backend:
- type: object
- oneOf:
- - required: [kube]
- properties:
- kube:
- type: object
- required: [service, port]
- properties:
- service:
- description: "Name of the backend service"
- type: string
- pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
- port:
- description: "Service port"
- type: integer
- minimum: 1
- maximum: 65535
- backendConfig:
- type: object
- description: "General backend service options"
- properties:
- secureBackend:
- description: "Use Secure communications to the backends"
- type: boolean
- lbConfig:
- description: "Citrix ADC LB vserver configurations for the backend. 
Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/load-balancing/lbvserver/lbvserver/ for all configurations"
- type: object
- additionalProperties:
- type: string
- servicegroupConfig:
- description: "Citrix ADC service group configurations for the backend; Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/basic/servicegroup/servicegroup/ for all configurations"
- type: object
- additionalProperties:
- type: string
- redirect:
- type: object
- oneOf:
- - required: [targetExpression]
- - required: [hostRedirect]
- - required: [httpsRedirect]
- properties:
- httpsRedirect:
- description: "Change the scheme from http to https keeping URL intact"
- type: boolean
- hostRedirect:
- description: "Host name specified is used for redirection with URL intact"
- type: string
- targetExpression:
- description: "A target can be specified using Citrix ADC policy expression"
- type: string
- responseCode:
- description: "Default response code is 302, which can be customised using this attribute"
- type: integer
- minimum: 100
- maximum: 599
- oneOf:
- - required: ["backend"]
- - required: ["redirect"]
- subresources:
- # status enables the status subresource.
- status: {}
-
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- # name must match the spec fields below, and be in the form: . 
- name: continuousdeployments.citrix.com
-{{- if .Values.crds.retainOnDelete }}
- annotations:
- "helm.sh/resource-policy": keep
-{{- end }}
-spec:
- group: citrix.com
- names:
- kind: continuousdeployment
- plural: continuousdeployments
- singular: continuousdeployment
- scope: Namespaced
- versions:
- - name: v1
- served: true
- storage: true
- schema:
- openAPIV3Schema:
- type: object
- properties:
- spec:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- properties:
- cronSpec:
- type: integer
-
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: wafs.citrix.com
-{{- if .Values.crds.retainOnDelete }}
- annotations:
- "helm.sh/resource-policy": keep
-{{- end }}
-spec:
- group: citrix.com
- names:
- kind: waf
- plural: wafs
- singular: waf
- scope: Namespaced
- versions:
- - name: v1
- served: true
- storage: true
- subresources:
- status: {}
- additionalPrinterColumns:
- - name: Status
- type: string
- description: "Current Status of the CRD"
- jsonPath: .status.state
- - name: Message
- type: string
- description: "Status Message"
- jsonPath: .status.status_message
- schema:
- openAPIV3Schema:
- type: object
- required: [spec]
- properties:
- status:
- type: object
- properties:
- state:
- type: string
- status_message:
- type: string
- spec:
- type: object
- properties:
- ingressclass:
- type: string
- description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource"
- servicenames:
- description: 'Name of the services to which the waf policies are applied.' 
- type: array
- items:
- type: string
- maxLength: 127
- application_type:
- description: 'Type of applications to protect'
- type: array
- items:
- type: string
- enum: ['HTML', 'JSON', 'XML']
- signatures:
- description: 'Location of external signature file'
- type: string
- redirect_url:
- description: 'When a URL is blocked/down, redirect_url represents the alternate URL where the client requests should be sent.'
- type: string
- html_error_object:
- description: 'Location of customized error page to respond when html or common violation are hit'
- type: string
- xml_error_object:
- description: 'Location of customized error page to respond when xml violations are hit'
- type: string
- json_error_object:
- description: 'Location of customized error page to respond when json violations are hit'
- type: string
- ip_reputation:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- description: 'Enabling IP reputation feature'
- target:
- description: 'To control what traffic to be inspected by Web Application Firewall. 
If you do not provide the target, everything will be inspected by default'
- type: object
- properties:
- path:
- type: array
- description: "List of http urls to inspect"
- items:
- type: string
- description: "URL path"
- method:
- type: array
- description: "List of http methods to inspect"
- items:
- type: string
- enum: ['GET', 'PUT', 'POST','DELETE']
- header:
- type: array
- description: "List of http headers to inspect"
- items:
- type: string
- description: "header name"
- security_checks:
- description: 'To enable/disable application firewall security checks'
- type: object
- properties:
- common:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- html:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- json:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- xml:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- settings:
- description: 'To fine tune application firewall security checks default settings'
- type: object
- properties:
- common:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- html:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- json:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- xml:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- relaxations:
- description: 'Section which contains relaxation rules for known traffic and false positives'
- type: object
- properties:
- common:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- html:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- json:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- xml:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- enforcements:
- description: 'Section which contains enforcement or restriction rules'
- type: object
- properties:
- common:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- html:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- json:
- type: object
- 
x-kubernetes-preserve-unknown-fields: true
- xml:
- type: object
- x-kubernetes-preserve-unknown-fields: true
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: bots.citrix.com
-{{- if .Values.crds.retainOnDelete }}
- annotations:
- "helm.sh/resource-policy": keep
-{{- end }}
-spec:
- group: citrix.com
- names:
- kind: bot
- plural: bots
- singular: bot
- scope: Namespaced
- versions:
- - name: v1
- served: true
- storage: true
- subresources:
- status: {}
- additionalPrinterColumns:
- - name: Status
- type: string
- description: "Current Status of the CRD"
- jsonPath: .status.state
- - name: Message
- type: string
- description: "Status Message"
- jsonPath: .status.status_message
- schema:
- openAPIV3Schema:
- type: object
- required: [spec]
- properties:
- status:
- type: object
- properties:
- state:
- type: string
- status_message:
- type: string
- spec:
- type: object
- properties:
- ingressclass:
- type: string
- description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource"
- servicenames:
- description: 'Name of the services to which the bot policies are applied.'
- type: array
- items:
- type: string
- maxLength: 127
- signatures:
- description: 'Location of external bot signature file'
- type: string
- redirect_url:
- description: 'url to redirect when bot violation is hit'
- type: string
- target:
- description: 'To control what traffic to be inspected by BOT. 
If you do not provide the target, everything will be inspected by default'
- type: object
- properties:
- path:
- type: array
- description: "List of http urls to inspect"
- items:
- type: string
- description: "URL path"
- method:
- type: array
- description: "List of http methods to inspect"
- items:
- type: string
- enum: ['GET', 'PUT', 'POST','DELETE']
- header:
- type: array
- description: "List of http headers to inspect"
- items:
- type: string
- description: "header name"
- security_checks:
- description: 'To enable/disable bot ecurity checks'
- type: object
- properties:
- allow_list:
- type: string
- enum: ['ON', 'OFF']
- block_list:
- type: string
- enum: ['ON', 'OFF']
- device_fingerprint:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- reputation:
- type: string
- enum: ['ON', 'OFF']
- ratelimit:
- type: string
- enum: ['ON', 'OFF']
- tps:
- type: string
- enum: ['ON', 'OFF']
- trap:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- bindings:
- description: 'Section which contains binding rules for bot security checks'
- type: object
- properties:
- allow_list:
- type: array
- items:
- type: object
- properties:
- subnet:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- ip:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- expression:
- type: object
- x-kubernetes-preserve-unknown-fields: true
-
- block_list:
- type: array
- items:
- type: object
- properties:
- subnet:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- ip:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- expression:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- ratelimit:
- type: array
- items:
- type: object
- properties:
- url:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- ip:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- cookie:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- reputation:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- captcha:
- type: array
- items:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- properties:
- tps:
- type: object
- properties:
- geolocation:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- host:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- ip:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- trapinsertion:
- type: object
- x-kubernetes-preserve-unknown-fields: true
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: apigatewaypolicies.citrix.com
-{{- if .Values.crds.retainOnDelete }}
- annotations:
- "helm.sh/resource-policy": keep
-{{- end }}
-spec:
- group: citrix.com
- names:
- kind: apigatewaypolicy
- plural: apigatewaypolicies
- singular: apigatewaypolicy
- scope: Namespaced
- versions:
- - name: v1beta1
- served: true
- storage: true
- additionalPrinterColumns:
- - name: Status
- type: string
- description: "Current Status of the CRD"
- jsonPath: .status.state
- - name: Message
- type: string
- description: "Status Message"
- jsonPath: .status.status_message
- subresources:
- status: {}
- schema:
- openAPIV3Schema:
- type: object
- required: [spec]
- properties:
- status:
- type: object
- properties:
- state:
- type: string
- status_message:
- type: string
- spec:
- type: object
- properties:
- api_definition:
- type: object
- properties:
- repository:
- type: string
- branch:
- type: string
- oas_secret_ref:
- type: string
- files:
- type: array
- items:
- type: string
- maxLength: 127
- api_proxy:
- type: object
- properties:
- ipaddress:
- type: string
- port:
- type: integer
- protocol:
- type: string
- secret:
- type: string
- policies:
- type: array
- items:
- type: object
- properties:
- name:
- type: string
- selector:
- type: array
- items:
- type: object
- properties:
- tags:
- type: array
- items:
- type: string
- api:
- type: string
- method:
- type: array
- items:
- type: string
- maxLength: 127
- upstream:
- type: object
- properties:
- 
service:
- type: string
- port:
- type: integer
- policy_bindings:
- type: object
- properties:
- ratelimit:
- type: object
- properties:
- name:
- type: string
- waf:
- type: object
- properties:
- name:
- type: string
- rewritepolicy:
- type: object
- properties:
- name:
- type: string
- bot:
- type: object
- properties:
- name:
- type: string
- aaa:
- type: array
- items:
- type: object
- properties:
- crd_name:
- type: string
- mappings:
- type: array
- items:
- type: object
- properties:
- petstore_auth:
- type: string
- api_key:
- type: string
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: corspolicies.citrix.com
-{{- if .Values.crds.retainOnDelete }}
- annotations:
- "helm.sh/resource-policy": keep
-{{- end }}
-spec:
- group: citrix.com
- names:
- kind: corspolicy
- plural: corspolicies
- singular: corspolicy
- shortNames:
- - cp
- scope: Namespaced
- versions:
- - name: v1beta1
- served: true
- storage: true
- subresources:
- status: {}
- additionalPrinterColumns:
- - name: Status
- type: string
- description: 'Current Status of the CRD'
- jsonPath: .status.state
- - name: Message
- type: string
- description: 'Status Message'
- jsonPath: .status.status_message
- schema:
- openAPIV3Schema:
- type: object
- properties:
- status:
- type: object
- properties:
- state:
- type: string
- status_message:
- type: string
- spec:
- type: object
- properties:
- ingressclass:
- type: string
- description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource"
- servicenames:
- description: 'The list of Kubernetes services to which you want to apply the cors policies.' 
- type: array
- items:
- type: string
- maxLength: 63
- allow_origin:
- description: 'Represents list of allowed origins, it is used to screen the “origin” in the cors pre flight request'
- type: array
- items:
- type: string
- maxLength: 2083
- allow_methods:
- description: 'Indicates which methods are supported by the response’s URL for the purposes of the CORS protocol. This variable will be used to set Access-Control-Allow-Methods in the pre-flight cors response.'
- type: array
- items:
- type: string
- maxLength: 127
- allow_headers:
- description: 'Indicates which headers are supported by the response’s URL for the purposes of the CORS protocol. This variable will be used to set Access-Control-Allow-Headers in the pre-flight cors response.'
- type: array
- items:
- type: string
- maxLength: 127
- max_age:
- description: 'Indicates the number of seconds (5 by default) the information provided by the `Access-Control-Allow-Methods` and `Access-Control-Allow-Headers` headers can be cached. This variable will be used to set Access-Control-Max-Age in the pre-flight cors response.'
- type: integer
- allow_credentials:
- description: 'Indicates whether the response can be shared when the request’s credentials mode is "include". This variable will be set to Access-Control-Allow-Credentials in the rewrite action.' 
- type: boolean
- required: [servicenames, allow_origin, allow_methods, allow_headers]
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: appqoepolicies.citrix.com
-{{- if .Values.crds.retainOnDelete }}
- annotations:
- "helm.sh/resource-policy": keep
-{{- end }}
-spec:
- group: citrix.com
- names:
- kind: appqoepolicy
- plural: appqoepolicies
- singular: appqoepolicy
- scope: Namespaced
- versions:
- - name: v1
- served: true
- storage: true
- subresources:
- status: {}
- additionalPrinterColumns:
- - name: Status
- type: string
- description: "Current Status of the CRD"
- jsonPath: .status.state
- - name: Message
- type: string
- description: "Status Message"
- jsonPath: .status.status_message
- schema:
- openAPIV3Schema:
- type: object
- properties:
- status:
- type: object
- properties:
- state:
- type: string
- status_message:
- type: string
- spec:
- type: object
- properties:
- appqoe-policies:
- type: array
- items:
- type: object
- properties:
- servicenames:
- description: 'Name of the services that needs to be binded to appqoe policy.'
- type: array
- items:
- type: string
- maxLength: 127
- appqoe-policy:
- type: object
- properties:
- operation-retry:
- type: object
- properties:
- on-reset:
- description: "To set Retry on Connection Reset or Not"
- type: string
- enum: ['YES','NO']
- on-timeout:
- description: "Time in milliseconds for retry"
- type: integer
- minimum: 30
- maximum: 2000
- number-of-retries:
- description: "To set number of retries"
- type: integer
- minimum: 1
- maximum: 7
- required: [operation-retry]
- appqoe-criteria:
- description: 'Expression against which traffic is evaluated.'
- type: string
- maxLength: 1299
- direction:
- description: 'Bind point to which to bind the policy.' 
- type: string
- enum: ["REQUEST","RESPONSE"]
- required: [appqoe-criteria, operation-retry]
- required: [appqoe-policy]
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: wildcarddnsentries.citrix.com
-spec:
- group: citrix.com
- names:
- kind: wildcarddnsentry
- plural: wildcarddnsentries
- singular: wildcarddnsentry
- scope: Namespaced
- versions:
- - name: v1
- served: true
- storage: true
- subresources:
- status: {}
- additionalPrinterColumns:
- - name: Status
- type: string
- description: Current Status of the CRD
- jsonPath: .status.state
- - name: Message
- type: string
- description: Status Message
- jsonPath: .status.status_message
- schema:
- openAPIV3Schema:
- type: object
- properties:
- status:
- type: object
- properties:
- state:
- type: string
- status_message:
- type: string
- spec:
- type: object
- properties:
- zone:
- type: object
- description: DNS configuration for a zone
- properties:
- domain:
- type: string
- description: Domain name
- dnsaddrec:
- type: object
- description: DNS Address record
- properties:
- domain-ip:
- type: string
- description: IPv4 addresses to assign to the domain name
- ttl:
- type: integer
- description: >-
- TTL is the time for which the record must be cached
- by DNS proxies
- dnsaaaarec:
- type: object
- description: DNS AAAA record
- properties:
- domain-ip:
- type: string
- description: IPv6 addresses to assign to the domain name
- ttl:
- type: integer
- description: >-
- TTL is the time for which the record must be cached
- by DNS proxies
- soarec:
- type: object
- description: SOA record
- properties:
- origin-server:
- type: string
- description: Origin server domain
- contact:
- type: string
- description: Admin contact
- serial:
- type: integer
- description: >-
- The secondary server uses this parameter to
- determine whether it requires a zone transfer from
- the primary server. 
- refresh:
- type: integer
- description: >-
- Time, in seconds, for which a secondary server must
- wait between successive checks on the value of the
- serial number.
- retry:
- type: integer
- description: >-
- Time, in seconds, between retries if a secondary server's
- attempt to contact the primary server for a zone refresh fails.
- expire:
- type: integer
- description: >-
- Time, in seconds, after which the zone data on a secondary
- nameserver can no longer be considered authoritative because
- all refresh and retry attempts made during the period have failed."
- nsrec:
- type: object
- description: Name server record
- properties:
- nameserver:
- type: string
- description: Host name of the name server to add to the domain.
- ttl:
- type: integer
- description: >-
- Time to Live (TTL), in seconds, for the record. TTL
- is the time for which the record must be cached by
- DNS proxies. The specified TTL is applied to all the
- resource records that are of the same record type
- and belong to the specified domain name
----
-{{- end }}
diff --git a/charts/citrix/citrix-ingress-controller/1.28.2/templates/citrix-k8s-ingress.yaml b/charts/citrix/citrix-ingress-controller/1.28.2/templates/citrix-k8s-ingress.yaml
deleted file mode 100644
index a695346479..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.28.2/templates/citrix-k8s-ingress.yaml
+++ /dev/null
@@ -1,264 +0,0 @@
-{{- if .Values.openshift }}
-apiVersion: apps.openshift.io/v1
-kind: DeploymentConfig
-{{- else }}
-apiVersion: apps/v1
-kind: Deployment
-{{- end }}
-metadata:
- name: {{ include "citrix-ingress-controller.fullname" . }}
- namespace: {{ .Release.Namespace }}
-spec:
- selector:
-{{- if .Values.openshift }}
- router: {{ include "citrix-ingress-controller.fullname" . }}
-{{- else }}
- matchLabels:
- app: {{ include "citrix-ingress-controller.fullname" . }}
-{{- end }}
- replicas: 1
-{{- if .Values.openshift }}
- strategy:
- resources: {}
- rollingParams:
- intervalSeconds: 1
- maxSurge: 0
- maxUnavailable: 25%
- timeoutSeconds: 600
- updatePeriodSeconds: 1
- type: Rolling
-{{- end }}
- template:
- metadata:
- name: cic
- labels:
-{{- if .Values.openshift }}
- router: {{ include "citrix-ingress-controller.fullname" . }}
-{{- else }}
- app: {{ include "citrix-ingress-controller.fullname" . }}
-{{- end }}
-{{- with .Values.podAnnotations }}
- annotations:
- {{- toYaml . | nindent 8 }}
-{{- end }}
- spec:
- serviceAccountName: {{ include "citrix-ingress-controller.serviceAccountName" . }}
- containers:
- - name: cic
- image: "{{ tpl .Values.image . }}"
- imagePullPolicy: {{ .Values.pullPolicy }}
- args:
- - --configmap
- {{ .Release.Namespace }}/{{ include "cicconfigmap.fullname" . 
}}
-{{- if .Values.defaultSSLCertSecret }}
- - --default-ssl-certificate
- {{ .Release.Namespace }}/{{ .Values.defaultSSLCertSecret }}
-{{- end }}
-{{- if .Values.ingressClass }}
- - --ingress-classes
-{{- range .Values.ingressClass}}
- {{.}}
-{{- end }}
-{{- end }}
-{{- if .Values.serviceClass }}
- - --service-classes
-{{- range .Values.serviceClass}}
- {{.}}
-{{- end }}
-{{- end }}
- - --feature-node-watch
- {{ .Values.nodeWatch }}
- - --enable-cnc-pbr
- {{ .Values.cncPbr }}
-{{- if .Values.ipam }}
- - --ipam
- citrix-ipam-controller
-{{- end }}
-{{- if .Values.disableAPIServerCertVerify }}
- - --disable-apiserver-cert-verify
- {{ .Values.disableAPIServerCertVerify }}
-{{- end }}
-{{- if .Values.updateIngressStatus }}
- - --update-ingress-status
- yes
-{{- end }}
- env:
- - name: "NS_IP"
- value: "{{ .Values.nsIP }}"
-{{- if .Values.nsVIP }}
- - name: "NS_VIP"
- value: "{{ .Values.nsVIP }}"
-{{- end }}
-{{- if .Values.rbacRole }}
- - name: "SCOPE"
- value: "local"
-{{- end }}
-{{- if .Values.nitroReadTimeout }}
- - name: "NS_NITRO_READ_TIMEOUT"
- value: "{{ .Values.nitroReadTimeout }}"
-{{- end }}
- - name: "NS_USER"
- {{- if and .Values.secretStore.enabled .Values.secretStore.username}}
- {{- toYaml .Values.secretStore.username | nindent 10 }}
- {{- else }}
- valueFrom:
- secretKeyRef:
- name: {{ .Values.adcCredentialSecret }}
- key: username
- {{- end }}
- - name: "NS_PASSWORD"
- {{- if and .Values.secretStore.enabled .Values.secretStore.password}}
- {{- toYaml .Values.secretStore.password | nindent 10 }}
- {{- else }}
- valueFrom:
- secretKeyRef:
- name: {{ .Values.adcCredentialSecret }}
- key: password
- {{- end }}
- - name: "EULA"
- value: "{{ .Values.license.accept }}"
-{{- if and .Values.openshift .Values.routeLabels }}
- - name: "ROUTE_LABELS"
- value: {{ .Values.routeLabels | quote}}
-{{- end }}
-{{- if and .Values.openshift .Values.namespaceLabels }}
- - name: "NAMESPACE_LABELS"
- value: {{ .Values.namespaceLabels | quote }}
-{{- end }}
- - name: 
"NS_APPS_NAME_PREFIX" - value: {{ .Values.entityPrefix | default "k8s"}} -{{- if .Values.kubernetesURL }} - - name: "kubernetes_url" - value: "{{ .Values.kubernetesURL }}" -{{- end }} -{{- if .Values.clusterName }} - - name: "CLUSTER_NAME" - value: "{{ .Values.clusterName }}" -{{- end }} -{{- if .Values.logProxy }} - - name: "NS_LOGPROXY" - value: "{{ .Values.logProxy }}" -{{- end }} -{{- if .Values.disableOpenshiftRoutes }} - - name: "DISABLE_OPENSHIFT_ROUTES" - value: "{{ .Values.disableOpenshiftRoutes }}" -{{- end }} -{{- if .Values.nsConfigDnsRec }} - - name: "NS_CONFIG_DNS_REC" - value: "{{ .Values.nsConfigDnsRec }}" -{{- end }} -{{- if .Values.nsSvcLbDnsRec }} - - name: "NS_SVC_LB_DNS_REC" - value: "{{ .Values.nsSvcLbDnsRec }}" -{{- end }} -{{- if .Values.optimizeEndpointBinding }} - - name: "OPTIMIZE_ENDPOINT_BINDING" - value: "{{ .Values.optimizeEndpointBinding }}" -{{- end }} - resources: - {{- toYaml .Values.resources | nindent 12 }} - {{- if ne (len .Values.extraVolumeMounts) 0 }} - volumeMounts: -{{- toYaml .Values.extraVolumeMounts | nindent 8 }} - {{- end }} -{{- if .Values.exporter.required }} - - name: exporter - image: "{{ tpl .Values.exporter.image . 
}}"
- imagePullPolicy: {{ .Values.exporter.pullPolicy }}
- args:
- - "--target-nsip={{ .Values.nsIP }}"
- - "--port={{ .Values.exporter.ports.containerPort }}"
- env:
- - name: "NS_USER"
- {{- if and .Values.secretStore.enabled .Values.secretStore.username}}
- {{- toYaml .Values.secretStore.username | nindent 10 }}
- {{- else }}
- valueFrom:
- secretKeyRef:
- name: {{ .Values.adcCredentialSecret }}
- key: username
- {{- end }}
- - name: "NS_PASSWORD"
- {{- if and .Values.secretStore.enabled .Values.secretStore.password}}
- {{- toYaml .Values.secretStore.password | nindent 10 }}
- {{- else }}
- valueFrom:
- secretKeyRef:
- name: {{ .Values.adcCredentialSecret }}
- key: password
- {{- end }}
- {{- if ne (len .Values.exporter.extraVolumeMounts) 0 }}
- volumeMounts:
- {{- toYaml .Values.exporter.extraVolumeMounts | nindent 8 }}
- {{- end }}
- securityContext:
- readOnlyRootFilesystem: true
- resources:
-{{- toYaml .Values.exporter.resources | nindent 12 }}
-{{- end }}
-{{- if or (and .Values.extraVolumeMounts .Values.extraVolumes) (and .Values.exporter.extraVolumeMounts .Values.extraVolumes) }}
- volumes:
-{{- end }}
-{{- if ne (len .Values.extraVolumes) 0 }}
-{{ toYaml .Values.extraVolumes | indent 6 }}
-{{- end }}
-{{- if and .Values.nodeSelector.key .Values.nodeSelector.value }}
- nodeSelector:
- {{ .Values.nodeSelector.key }}: {{ .Values.nodeSelector.value }}
-{{- end }}
-{{- if .Values.tolerations }}
- tolerations: {{ .Values.tolerations | toYaml | nindent 8 }}
-{{- end }}
-{{- with .Values.affinity }}
- affinity:
- {{- toYaml . | nindent 8 }}
-{{- end }}
-
----
-
-{{- if .Values.exporter.required }}
-
-
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "exporter.fullname" . }}
- labels:
- app: {{ include "exporter.fullname" . }}
- service-type: {{ include "servicemonitorlabel" . 
}}
-spec:
- type: ClusterIP
- ports:
- - port: {{ .Values.exporter.ports.containerPort }}
- targetPort: {{ .Values.exporter.ports.containerPort }}
- name: exporter-port
- selector:
-{{- if .Values.openshift }}
- router: {{ include "citrix-ingress-controller.fullname" . }}
-{{- else }}
- app: {{ include "citrix-ingress-controller.fullname" . }}
-{{- end }}
-
----
-
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
- name: {{ include "servicemonitor.fullname" . }}
- namespace: {{ .Release.Namespace }}
- labels:
- servicemonitor: citrix-adc
-spec:
- endpoints:
- - interval: 30s
- port: exporter-port
- selector:
- matchLabels:
- service-type: {{ include "servicemonitorlabel" . }}
- namespaceSelector:
- matchNames:
- - monitoring
- - default
- - {{ .Release.Namespace }}
-
-{{- end }}
diff --git a/charts/citrix/citrix-ingress-controller/1.28.2/templates/configmap.yaml b/charts/citrix/citrix-ingress-controller/1.28.2/templates/configmap.yaml
deleted file mode 100644
index a765d00051..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.28.2/templates/configmap.yaml
+++ /dev/null
@@ -1,60 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "cicconfigmap.fullname" . }}
- namespace: {{ .Release.Namespace }}
-data:
- LOGLEVEL: {{ .Values.logLevel | quote | lower }}
- JSONLOG: {{ .Values.jsonLog | quote | lower }}
- NS_PROTOCOL: {{ .Values.nsProtocol | quote | lower }}
- NS_PORT: {{ .Values.nsPort | quote }}
-{{- if .Values.nsSNIPS }}
- NS_SNIPS: {{ .Values.nsSNIPS | toJson}}
-{{- end }}
-{{- if and .Values.analyticsConfig.required .Values.nsEnableLabel }}
- NS_ENABLE_LABELS: {{ .Values.nsEnableLabel | quote}}
-{{- end }}
-{{- if .Values.podIPsforServiceGroupMembers }}
- POD_IPS_FOR_SERVICEGROUP_MEMBERS: {{ .Values.podIPsforServiceGroupMembers | quote }}
-{{- end }}
-{{- if .Values.ignoreNodeExternalIP }}
- IGNORE_NODE_EXTERNAL_IP: {{ .Values.ignoreNodeExternalIP | quote }}
-{{- end }}
-
-{{- if ne (upper .Values.nsHTTP2ServerSide) "OFF" }}
- NS_HTTP2_SERVER_SIDE: {{ .Values.nsHTTP2ServerSide | quote }}
-{{- end }}
-{{- if ne (toString .Values.nsCookieVersion) "0" }}
- NS_COOKIE_VERSION: {{ .Values.nsCookieVersion | quote }}
-{{- end }}
-{{- if .Values.nsDnsNameserver }}
- NS_DNS_NAMESERVER: {{ .Values.nsDnsNameserver }}
-{{- end }}
-
-{{- if .Values.analyticsConfig.required }}
- NS_ANALYTICS_CONFIG: |
- distributed_tracing:
- enable: {{ .Values.analyticsConfig.distributedTracing.enable | quote }}
- samplingrate: {{ .Values.analyticsConfig.distributedTracing.samplingrate }}
- endpoint:
- server: {{ include "analytics.server" . | quote }}
- service: {{ .Values.analyticsConfig.endpoint.service | quote }}
- timeseries:
- port: {{ .Values.analyticsConfig.timeseries.port }}
- metrics:
- enable: {{ .Values.analyticsConfig.timeseries.metrics.enable | quote }}
- mode: {{ .Values.analyticsConfig.timeseries.metrics.mode | quote }}
- auditlogs:
- enable: {{ .Values.analyticsConfig.timeseries.auditlogs.enable | quote }}
- events:
- enable: {{ .Values.analyticsConfig.timeseries.events.enable | quote }}
- transactions:
- enable: {{ .Values.analyticsConfig.transactions.enable | quote }}
- port: {{ .Values.analyticsConfig.transactions.port }}
-{{- end }}
-
-{{- if .Values.nsLbHashAlgo.required }}
- NS_LB_HASH_ALGO: |
- hashFingers: {{ .Values.nsLbHashAlgo.hashFingers }}
- hashAlgorithm: {{ .Values.nsLbHashAlgo.hashAlgorithm | quote }}
-{{- end }}
diff --git a/charts/citrix/citrix-ingress-controller/1.28.2/templates/ingressclass.yaml b/charts/citrix/citrix-ingress-controller/1.28.2/templates/ingressclass.yaml
deleted file mode 100644
index d75537b79f..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.28.2/templates/ingressclass.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{{- $default := .Values.setAsDefaultIngressClass -}}
-{{- if semverCompare ">=1.19.0-0" .Capabilities.KubeVersion.GitVersion }}
-{{- if .Values.ingressClass }}
-{{- range .Values.ingressClass }}
-apiVersion: networking.k8s.io/v1
-kind: IngressClass
-metadata:
- name: {{ . | quote }}
-{{- if $default }}
- annotations:
- ingressclass.kubernetes.io/is-default-class: "true"
-{{- end }}
-spec:
- controller: citrix.com/ingress-controller
----
-{{- end }}
-{{- end }}
-{{- end }}
diff --git a/charts/citrix/citrix-ingress-controller/1.28.2/templates/rbac.yaml b/charts/citrix/citrix-ingress-controller/1.28.2/templates/rbac.yaml
deleted file mode 100644
index c20c1512e0..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.28.2/templates/rbac.yaml
+++ /dev/null
@@ -1,106 +0,0 @@ -{{- if not .Values.rbacRole }} -kind: ClusterRole -{{- else }} -kind: Role -{{- end }} -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "citrix-ingress-controller.serviceAccountName" . }} -{{- if .Values.rbacRole }} - namespace: {{ .Release.Namespace }} -{{- end }} -rules: - - apiGroups: [""] -{{- if .Values.openshift }} - resources: ["endpoints", "pods", "secrets", "routes", "tokenreviews", "subjectaccessreviews", "nodes", "namespaces", "configmaps", "services"] -{{- else }} - resources: ["endpoints", "pods", "secrets", "routes", "nodes", "namespaces", "configmaps", "services"] -{{- end }} - verbs: ["get", "list", "watch"] - # services/status is needed to update the loadbalancer IP in service status for integrating - # service of type LoadBalancer with external-dns - - apiGroups: [""] - resources: ["services/status"] - verbs: ["patch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create"] - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["extensions","networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["patch"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingressclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apps"] - resources: ["deployments"] - verbs: ["get", "list", "watch"] - - apiGroups: ["citrix.com"] - resources: ["rewritepolicies", "continuousdeployments", "authpolicies", "ratelimits", "listeners", "httproutes", "wafs", "apigatewaypolicies", "bots", "corspolicies", "appqoepolicies", "wildcarddnsentries"] - verbs: ["get", "list", "watch", "create", "delete", "patch"] - - apiGroups: ["citrix.com"] - resources: ["rewritepolicies/status", "continuousdeployments/status", "authpolicies/status", "ratelimits/status", "listeners/status", "httproutes/status", "wafs/status", 
"apigatewaypolicies/status", "bots/status", "corspolicies/status", "appqoepolicies/status", "wildcarddnsentries/status"] - verbs: ["patch"] - - apiGroups: ["citrix.com"] - resources: ["vips"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: ["crd.projectcalico.org"] - resources: ["ipamblocks"] - verbs: ["get", "list", "watch"] -{{- if .Values.openshift }} - - apiGroups: ["route.openshift.io"] - resources: ["routes"] - verbs: ["get", "list", "watch"] - - apiGroups: ["network.openshift.io"] - resources: ["hostsubnets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["config.openshift.io"] - resources: ["networks"] - verbs: ["get", "list"] -{{- end }} - ---- - -{{- if not .Values.rbacRole }} -kind: ClusterRoleBinding -{{- else }} -kind: RoleBinding -{{- end }} -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "citrix-ingress-controller.serviceAccountName" . }} -{{- if .Values.rbacRole }} - namespace: {{ .Release.Namespace }} -{{- end }} -roleRef: - apiGroup: rbac.authorization.k8s.io -{{- if not .Values.rbacRole }} - kind: ClusterRole -{{- else }} - kind: Role -{{- end }} - name: {{ include "citrix-ingress-controller.serviceAccountName" . }} -subjects: -- kind: ServiceAccount - name: {{ include "citrix-ingress-controller.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "citrix-ingress-controller.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- if .Values.imagePullSecrets }} -imagePullSecrets: -{{- range .Values.imagePullSecrets }} -- name: {{.}} -{{- end }} -{{- end }} - diff --git a/charts/citrix/citrix-ingress-controller/1.28.2/values.yaml b/charts/citrix/citrix-ingress-controller/1.28.2/values.yaml deleted file mode 100644 index ba6cda298a..0000000000 --- a/charts/citrix/citrix-ingress-controller/1.28.2/values.yaml +++ /dev/null 
@@ -1,181 +0,0 @@ -# Default values for citrix-ingress-controller. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -# Citrix Ingress Controller config details -imageRegistry: quay.io -imageRepository: citrix/citrix-k8s-ingress-controller -imageTag: 1.28.2 -image: "{{ .Values.imageRegistry }}/{{ .Values.imageRepository }}:{{ .Values.imageTag }}" -pullPolicy: IfNotPresent -imagePullSecrets: [] -nameOverride: "" -fullnameOverride: "" -openshift: false -adcCredentialSecret: # K8s Secret Name -# Enable secretStore to implement CSI Secret Provider classes for holding the nslogin credentials -secretStore: - enabled: false - username: {} - #valueFrom: - # configMapKeyRef: - # name: test1 - # key: username - password: {} - #valueFrom: - # configMapKeyRef: - # name: test1 - # key: password -nsIP: x.x.x.x -nsVIP: -nsSNIPS: -license: - accept: no -nsPort: 443 -nsProtocol: HTTPS -nsEnableLabel: true -# nitroReadTimeout is timeout value in seconds for nitro api read timeout(default is 20) -nitroReadTimeout: -logLevel: INFO -jsonLog: false -entityPrefix: -kubernetesURL: -clusterName: -ingressClass: -setAsDefaultIngressClass: False -serviceClass: -defaultSSLCertSecret: -podIPsforServiceGroupMembers: False -ignoreNodeExternalIP: False -ipam: False -# API server Cert verification can be disabled, while communicating with API Server, if disableAPIServerCertVerify set to True -disableAPIServerCertVerify: False -logProxy: -nodeWatch: false -cncPbr: False -nodeSelector: - key: - value: -tolerations: [] -updateIngressStatus: True -nsHTTP2ServerSide: "OFF" -nsCookieVersion: "0" -nsConfigDnsRec: -nsSvcLbDnsRec: -nsDnsNameserver: -optimizeEndpointBinding: -routeLabels: -namespaceLabels: -disableOpenshiftRoutes: - -# Exporter config details -exporter: - required: false - imageRegistry: quay.io - imageRepository: citrix/citrix-adc-metrics-exporter - imageTag: 1.4.9 - image: "{{ .Values.exporter.imageRegistry }}/{{ .Values.exporter.imageRepository 
}}:{{ .Values.exporter.imageTag }}" - pullPolicy: IfNotPresent - ports: - containerPort: 8888 - resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - extraVolumeMounts: [] - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. - #- name: github-key - # mountPath: /etc/config/keys/ - # readOnly: true - #- name: agent-init-scripts - # mountPath: /docker-entrypoint.d/ - -# For CRDs supported by Citrix Ingress Controller -crds: - install: false - retainOnDelete: false - -# Enable RBAC role (so called local role), by default CIC deployed with ClusterRole. -# below variable to deploy CIC with RBAC role, only ingress service supported with this config -rbacRole: False - -# Config required to be done by Citrix Ingress Controller for sending metrics to Citrix Observability Exporter -analyticsConfig: - required: false - distributedTracing: - enable: false - samplingrate: 100 - endpoint: - server: - service: - timeseries: - port: 30002 - metrics: - enable: false - mode: 'avro' - auditlogs: - enable: false - events: - enable: false - transactions: - enable: false - port: 30001 - -nsLbHashAlgo: - required: false - hashFingers: 256 - hashAlgorithm: 'DEFAULT' - -# Specifies whether a ServiceAccount should be created -serviceAccount: - create: true - # The name of the ServiceAccount to use. 
- # If not set and `create` is true, a name is generated using the fullname template - # name: - -podAnnotations: {} - -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # Following values depends on no of ingresses configured by Ingress Controllers, so it is - # advised to test with maximum no of ingresses to set these values. - # limits: - # cpu: 1000m - # memory: 1000Mi - # requests: - # cpu: 500m - # memory: 500Mi - -affinity: {} - -extraVolumeMounts: [] - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. - #- name: github-key - # mountPath: /etc/config/keys/ - # readOnly: true - #- name: agent-init-scripts - # mountPath: /docker-entrypoint.d/ - -extraVolumes: [] - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. - #- name: agent-init-scripts - # configMap: - # name: agent-init-scripts - # defaultMode: 0755 - #- name: github-key - # secret: - # secretName: github-key - # defaultMode: 0744 diff --git a/charts/citrix/citrix-ingress-controller/1.29.5/Chart.yaml b/charts/citrix/citrix-ingress-controller/1.29.5/Chart.yaml deleted file mode 100644 index c0fb25aa34..0000000000 --- a/charts/citrix/citrix-ingress-controller/1.29.5/Chart.yaml +++ /dev/null 
@@ -1,21 +0,0 @@
-annotations:
- catalog.cattle.io/certified: partner
- catalog.cattle.io/display-name: Citrix Ingress Controller
- catalog.cattle.io/kube-version: '>=v1.16.0-0'
- catalog.cattle.io/release-name: citrix-ingress-controller
-apiVersion: v2
-appVersion: 1.29.5
-deprecated: true
-description: A Helm chart for Citrix Ingress Controller configuring MPX/VPX.
-home: https://www.citrix.com
-icon: https://raw.githubusercontent.com/citrix/citrix-helm-charts/gh-pages/icon.png
-kubeVersion: '>=v1.16.0-0'
-maintainers:
-- email: priyanka.sharma@citrix.com
- name: priyankash-citrix
-- email: subash.dangol@citrix.com
- name: subashd
-name: citrix-ingress-controller
-sources:
-- https://github.com/citrix/citrix-k8s-ingress-controller
-version: 1.29.5
diff --git a/charts/citrix/citrix-ingress-controller/1.29.5/README.md b/charts/citrix/citrix-ingress-controller/1.29.5/README.md
deleted file mode 100644
index 402ca65218..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.29.5/README.md
+++ /dev/null
@@ -1,496 +0,0 @@ -# Citrix Ingress Controller - -[Citrix](https://www.citrix.com/en-in/) provides an Ingress Controller for Citrix ADC MPX (hardware), Citrix ADC VPX (virtualized), and [Citrix ADC CPX](https://docs.citrix.com/en-us/citrix-adc-cpx/13/about.html) (containerized) for [bare metal](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/deployment/baremetal) and [cloud](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/deployment) deployments. It configures one or more Citrix ADC based on the Ingress resource configuration in [Kubernetes](https://kubernetes.io/) or in [OpenShift](https://www.openshift.com) cluster. - -## TL;DR; - -### For Kubernetes - ``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install cic citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret= - ``` - - To install Citrix Provided Custom Resource Definition(CRDs) along with Citrix Ingress Controller - ``` - helm install cic citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,crds.install=true - ``` - -### For OpenShift - - ``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install cic citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,openshift=true - ``` - - To install Citrix Provided Custom Resource Definition(CRDs) along with Citrix Ingress Controller - ``` - helm install cic citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,openshift=true,crds.install=true - ``` - -> **Important:** -> -> The `license.accept` argument is mandatory. Ensure that you set the value as `yes` to accept the terms and conditions of the Citrix license. - -## Introduction -This Helm chart deploys Citrix ingress controller in the [Kubernetes](https://kubernetes.io) or in the [Openshift](https://www.openshift.com) cluster using [Helm](https://helm.sh) package manager. 
- -### Prerequisites - -- The [Kubernetes](https://kubernetes.io/) version should be 1.16 and above if using Kubernetes environment. -- The [Openshift](https://www.openshift.com) version 4.8 or later if using OpenShift platform. -- The [Helm](https://helm.sh/) version 3.x or later. You can follow instruction given [here](https://github.com/citrix/citrix-helm-charts/blob/master/Helm_Installation_version_3.md) to install the same. -- You determine the NS_IP IP address needed by the controller to communicate with Citrix ADC. The IP address might be anyone of the following depending on the type of Citrix ADC deployment: - - - (Standalone appliances) NSIP - The management IP address of a standalone Citrix ADC appliance. For more information, see [IP Addressing in Citrix ADC](https://docs.citrix.com/en-us/citrix-adc/12-1/networking/ip-addressing.html). - - - (Appliances in High Availability mode) SNIP - The subnet IP address. For more information, see [IP Addressing in Citrix ADC](https://docs.citrix.com/en-us/citrix-adc/12-1/networking/ip-addressing.html). - - - (Appliances in Clustered mode) CLIP - The cluster management IP (CLIP) address for a clustered Citrix ADC deployment. For more information, see [IP addressing for a cluster](https://docs.citrix.com/en-us/citrix-adc/12-1/clustering/cluster-overview/ip-addressing.html). - -- You have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator), if you want to view the metrics of the Citrix ADC CPX collected by the [metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics). - -- The user name and password of the Citrix ADC VPX or MPX appliance used as the ingress device. The Citrix ADC appliance needs to have system user account (non-default) with certain privileges so that Citrix ingress controller can configure the Citrix ADC VPX or MPX appliance. 
For instructions to create the system user account on Citrix ADC, see [Create System User Account for CIC in Citrix ADC](#create-system-user-account-for-cic-in-citrix-adc). - - You can pass user name and password using Kubernetes secrets. Create a Kubernetes secret for the user name and password using the following command: - - ``` - kubectl create secret generic nslogin --from-literal=username='cic' --from-literal=password='mypassword' - ``` - -#### Create system User account for Citrix ingress controller in Citrix ADC - -Citrix ingress controller configures the Citrix ADC using a system user account of the Citrix ADC. The system user account should have certain privileges so that the CIC has permission configure the following on the Citrix ADC: - -- Add, Delete, or View Content Switching (CS) virtual server -- Configure CS policies and actions -- Configure Load Balancing (LB) virtual server -- Configure Service groups -- Cofigure SSl certkeys -- Configure routes -- Configure user monitors -- Add system file (for uploading SSL certkeys from Kubernetes) -- Configure Virtual IP address (VIP) -- Check the status of the Citrix ADC appliance - -> **Note:** -> -> The system user account would have privileges based on the command policy that you define. - -To create the system user account, do the following: - -1. Log on to the Citrix ADC appliance. Perform the following: - 1. Use an SSH client, such as PuTTy, to open an SSH connection to the Citrix ADC appliance. - - 2. Log on to the appliance by using the administrator credentials. - -2. Create the system user account using the following command: - - ``` - add system user - ``` - - For example: - - ``` - add system user cic mypassword - ``` - -3. Create a policy to provide required permissions to the system user account. 
Use the following command: - - ``` - add cmdpolicy cic-policy ALLOW '^(\?!shell)(\?!sftp)(\?!scp)(\?!batch)(\?!source)(\?!.*superuser)(\?!.*nsroot)(\?!install)(\?!show\s+system\s+(user|cmdPolicy|file))(\?!(set|add|rm|create|export|kill)\s+system)(\?!(unbind|bind)\s+system\s+(user|group))(\?!diff\s+ns\s+config)(\?!(set|unset|add|rm|bind|unbind|switch)\s+ns\s+partition).*|(^install\s*(wi|wf))|(^\S+\s+system\s+file)^(\?!shell)(\?!sftp)(\?!scp)(\?!batch)(\?!source)(\?!.*superuser)(\?!.*nsroot)(\?!install)(\?!show\s+system\s+(user|cmdPolicy|file))(\?!(set|add|rm|create|export|kill)\s+system)(\?!(unbind|bind)\s+system\s+(user|group))(\?!diff\s+ns\s+config)(\?!(set|unset|add|rm|bind|unbind|switch)\s+ns\s+partition).*|(^install\s*(wi|wf))|(^\S+\s+system\s+file)' - ``` - - **Note**: The system user account would have privileges based on the command policy that you define. - The command policy mentioned in ***step 3*** is similar to the built-in `sysAdmin` command policy with another permission to upload files. - - The command policy spec provided above have already escaped special characters for easier copy pasting into the Citrix ADC command line. - - For configuring the command policy from Citrix ADC Configuration Wizard (GUI), use the below command policy spec. - - ``` - ^(?!shell)(?!sftp)(?!scp)(?!batch)(?!source)(?!.*superuser)(?!.*nsroot)(?!install)(?!show\s+system\s+(user|cmdPolicy|file))(?!(set|add|rm|create|export|kill)\s+system)(?!(unbind|bind)\s+system\s+(user|group))(?!diff\s+ns\s+config)(?!(set|unset|add|rm|bind|unbind|switch)\s+ns\s+partition).*|(^install\s*(wi|wf))|(^\S+\s+system\s+file)^(?!shell)(?!sftp)(?!scp)(?!batch)(?!source)(?!.*superuser)(?!.*nsroot)(?!install)(?!show\s+system\s+(user|cmdPolicy|file))(?!(set|add|rm|create|export|kill)\s+system)(?!(unbind|bind)\s+system\s+(user|group))(?!diff\s+ns\s+config)(?!(set|unset|add|rm|bind|unbind|switch)\s+ns\s+partition).*|(^install\s*(wi|wf))|(^\S+\s+system\s+file) - ``` - -4. 
Bind the policy to the system user account using the following command: - - ``` - bind system user cic cic-policy 0 - ``` - -## Installing the Chart -Add the Citrix Ingress Controller helm chart repository using command: - -``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ -``` - -### For Kubernetes: -#### 1. Citrix Ingress Controller -To install the chart with the release name, `my-release`, use the following command: - ``` - helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,ingressClass[0]= - ``` - -> **Note:** -> -> By default the chart installs the recommended [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) roles and role bindings. - -The command deploys Citrix ingress controller on Kubernetes cluster with the default configuration. The [configuration](#configuration) section lists the mandatory and optional parameters that you can configure during installation. - -#### 2. Citrix Ingress Controller with Exporter -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed along with Citrix ingress controller and collects metrics from the Citrix ADC instances. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. - -> **Note:** -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). 
- -Use the following command for this: - ``` - helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,ingressClass[0]=,exporter.required=true - ``` - -### For Openshift: -Add the name of the service account created when the chart is deployed to the privileged Security Context Constraints of OpenShift: - - ``` - oc adm policy add-scc-to-user privileged system:serviceaccount:: - ``` - -#### 1. Citrix Ingress Controller -To install the chart with the release name, `my-release`, use the following command: - ``` - helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,openshift=true - ``` - -The command deploys Citrix ingress controller on your Openshift cluster in the default configuration. The [configuration](#configuration) section lists the mandatory and optional parameters that you can configure during installation. - -#### 2. Citrix Ingress Controller with Exporter -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed along with Citrix ingress controller and collects metrics from the Citrix ADC instances. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. 
- -> **Note:** -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator) - -Use the following command for this: - ``` - helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,openshift=true,exporter.required=true - ``` - -### Installed components - -The following components are installed: - -- [Citrix ingress controller](https://github.com/citrix/citrix-k8s-ingress-controller) -- [Exporter](https://github.com/citrix/citrix-adc-metrics-exporter) (if enabled) - -## Configuration for ServiceGraph: - If Citrix ADC VPX/MPX need to send data to the Citrix ADM to bring up the servicegraph, then the below steps can be followed to install Citrix ingress controller for Citrix ADC VPX/MPX. Citrix ingress controller configures Citrix ADC VPX/MPX with the configuration required for servicegraph. - - 1. Create secret using Citrix ADC VPX credentials, which will be used by Citrix ingress controller for configuring Citrix ADC VPX/MPX: - - kubectl create secret generic nslogin --from-literal=username='cic' --from-literal=password='mypassword' - - 2. Deploy Citrix ingress controller using helm command: - - helm install my-release citrix/citrix-ingress-controller --set nsIP=,nsVIP=,license.accept=yes,adcCredentialSecret=,analyticsConfig.required=true,analyticsConfig.timeseries.metrics.enable=true,analyticsConfig.timeseries.port=5563,analyticsConfig.distributedTracing.enable=true,analyticsConfig.transactions.enable=true,analyticsConfig.transactions.port=5557,analyticsConfig.endpoint.server= - -> **Note:** -> If container agent is being used here for Citrix ADM, please provide `podIP` of container agent in the `analyticsConfig.endpoint.server` parameter. - -## CRDs configuration - -CRDs can be installed/upgraded when we install/upgrade Citrix ingress controller using `crds.install=true` parameter in Helm. If you do not want to install CRDs, then set the option `crds.install` to `false`. 
By default, CRDs too get deleted if you uninstall through Helm. This means, even the CustomResource objects created by the customer will get deleted. If you want to avoid this data loss set `crds.retainOnDelete` to `true`. - -> **Note:** -> Installing again may fail due to the presence of CRDs. Make sure that you back up all CustomResource objects and clean up CRDs before re-installing Citrix Ingress Controller. - -There are a few examples of how to use these CRDs, which are placed in the folder: [Example-CRDs](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds). Refer to them and install as needed, using the following command: -```kubectl create -f ``` - -### Details of the supported CRDs: - -#### authpolicies CRD: - -Authentication policies are used to enforce access restrictions to resources hosted by an application or an API server. - -Citrix provides a Kubernetes CustomResourceDefinitions (CRDs) called the [Auth CRD](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/auth) that you can use with the Citrix ingress controller to define authentication policies on the ingress Citrix ADC. - -Example file: [auth_example.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/auth_example.yaml) - -#### continuousdeployments CRD for canary: - -Canary release is a technique to reduce the risk of introducing a new software version in production by first rolling out the change to a small subset of users. After user validation, the application is rolled out to the larger set of users. Citrix ADC-Integrated [Canary Deployment solution](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/canary) stitches together all components of continuous delivery (CD) and makes canary deployment easier for the application developers. 
- -#### httproutes and listeners CRDs for contentrouting: - -[Content Routing (CR)](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/contentrouting) is the execution of defined rules that determine the placement and configuration of network traffic between users and web applications, based on the content being sent. For example, a pattern in the URL or header fields of the request. - -Example files: [HTTPRoute_crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/HTTPRoute_crd.yaml), [Listener_crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/Listener_crd.yaml) - -#### ratelimits CRD: - -In a Kubernetes deployment, you can [rate limit the requests](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/ratelimit) to the resources on the back end server or services using rate limiting feature provided by the ingress Citrix ADC. - -Example files: [ratelimit-example1.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/ratelimit-example1.yaml), [ratelimit-example2.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/ratelimit-example2.yaml) - -#### vips CRD: - -Citrix provides a CustomResourceDefinitions (CRD) called [VIP](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/vip) for asynchronous communication between the IPAM controller and Citrix ingress controller. - -The IPAM controller is provided by Citrix for IP address management. It allocates IP address to the service from a defined IP address range. The Citrix ingress controller configures the IP address allocated to the service as virtual IP (VIP) in Citrix ADX VPX. And, the service is exposed using the IP address. - -When a new service is created, the Citrix ingress controller creates a CRD object for the service with an empty IP address field. 
The IPAM Controller listens to addition, deletion, or modification of the CRD and updates it with an IP address to the CRD. Once the CRD object is updated, the Citrix ingress controller automatically configures Citrix ADC-specfic configuration in the tier-1 Citrix ADC VPX. - -#### rewritepolicies CRD: - -In kubernetes environment, to deploy specific layer 7 policies to handle scenarios such as, redirecting HTTP traffic to a specific URL, blocking a set of IP addresses to mitigate DDoS attacks, imposing HTTP to HTTPS and so on, requires you to add appropriate libraries within the microservices and manually configure the policies. Instead, you can use the [Rewrite and Responder features](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/crd/rewrite-responder-policies-deployment.yaml) provided by the Ingress Citrix ADC device to deploy these policies. - -Example files: [target-url-rewrite.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/target-url-rewrite.yaml) - -#### wafs CRD: - -[WAF CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/waf.md) can be used to configure the web application firewall policies with the Citrix ingress controller on the Citrix ADC VPX, MPX, SDX, and CPX. The WAF CRD enables communication between the Citrix ingress controller and Citrix ADC for enforcing web application firewall policies. - -In a Kubernetes deployment, you can enforce a web application firewall policy to protect the server using the WAF CRD. For more information about web application firewall, see [Web application security](https://docs.citrix.com/en-us/citrix-adc/13/application-firewall/introduction/web-application-security.html). - -Example files: [wafhtmlxsssql.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/wafhtmlxsssql.yaml) - -#### apigateway CRD: - -API Gateway CRD is used to configure gitops framework on citrix API gateway. 
This solution enables citrix ingress controller to generate API gateway configurations out of Open API Specification documents checked in to git repository by API developers and designers.
-
-Example files: [api-gateway-crd-instance.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/api-gateway-crd-instance.yaml)
-#### bots CRD:
-
-[BOT CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/bot.md) You can use Bot CRDs to configure the bot management policies with the Citrix ingress controller on the Citrix ADC VPX. The Bot custom resource definition enables communication between the Citrix ingress controller and Citrix ADC for enforcing bot management policies.
-
-In a Kubernetes deployment, you can enforce bot management policy on therequests and responses from and to the server using the Bot CRDs. For more information on security vulnerabilities, see [Bot Detection](https://docs.citrix.com/en-us/citrix-adc/current-release/bot-management/bot-detection.html).
-
-Example files: [botallowlist.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/botallowlist.yaml)
-
-#### CORS CRD:
-
-[CORS CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/cors.md) Cross-origin resource sharing (CORS) is a mechanism allows a web application running under one domain to securely access resources in another domain. You can configure CORS policies on Citrix ADC using Citrix ingress controller to allow one domain (the origin domain) to call APIs in another domain. For more information, see the [cross-origin resource sharing CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/cors.md) documentation. 
-
-Example files: [cors-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/corspolicy-example.yaml)
-
-#### APPQOE CRD:
-
-[APPQOE CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/appqoe.md) When a Citrix ADC appliance receives an HTTP request and forwards it to a back-end server, sometimes there may be connection failures with the back-end server. You can configure the request-retry feature on Citrix ADC to forward the request to the next available server, instead of sending the reset to the client. Hence, the client saves round trip time when Citrix ADC initiates the same request to the next available service.
-For more information, see the AppQoE support documentation. [Appqoe resource sharing CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/appqoe.md) documentation.
-
-Example files: [appqoe-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/appqoe_example.yaml)
-
-#### WILDCARDDNS CRD:
-
-[WILDCARDDNS CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/wildcarddns.md) Wildcard DNS domains are used to handle requests for nonexistent domains and subdomains. In a zone, use wildcard domains to redirect queries for all nonexistent domains or subdomains to a particular server, instead of creating a separate Resource Record (RR) for each domain. The most common use of a wildcard DNS domain is to create a zone that can be used to forward mail from the internet to some other mail system.
-For more information, see the Wild card DNS domains support documentation. [Wildcard DNS Entry CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/wildcarddns.md) documentation. 
-
-Example files: [wildcarddns-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/wildcarddns-example.yaml)
-
-### Tolerations
-
-Taints are applied on cluster nodes whereas tolerations are applied on pods. Tolerations enable pods to be scheduled on node with matching taints. For more information see [Taints and Tolerations in Kubernetes](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/).
-
-Toleration can be applied to Citrix ingress controller pod using `tolerations` argument while deploying CIC using helm chart. This argument takes list of tolerations that user need to apply on the CIC pods.
-
-For example, following command can be used to apply toleration on the CIC pod:
-
-```
-helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,tolerations[0].key=,tolerations[0].value=,tolerations[0].operator=,tolerations[0].effect=
-```
-
-Here tolerations[0].key, tolerations[0].value and tolerations[0].effect are the key, value and effect that was used while tainting the node.
-Effect represents what should happen to the pod if the pod don't have any matching toleration. It can have values `NoSchedule`, `NoExecute` and `PreferNoSchedule`.
-Operator represents the operation to be used for key and value comparison between taint and tolerations. It can have values `Exists` and `Equal`. The default value for operator is `Equal`.
-
-
-
-### Configuration
-
-The following table lists the mandatory and optional parameters that you can configure during installation:
-
-| Parameters | Mandatory or Optional | Default value | Description |
-| --------- | --------------------- | ------------- | ----------- |
-| license.accept | Mandatory | no | Set `yes` to accept the CIC end user license agreement. 
|
-| imageRegistry | Mandatory | `quay.io` | The Citrix ingress controller image registry |
-| imageRepository | Mandatory | `citrix/citrix-k8s-ingress-controller` | The Citrix ingress controller image repository |
-| imageTag | Mandatory | `1.29.5` | The Citrix ingress controller image tag |
-| pullPolicy | Mandatory | IfNotPresent | The CIC image pull policy. |
-| imagePullSecrets | Optional | N/A | Provide list of Kubernetes secrets to be used for pulling the images from a private Docker registry or repository. For more information on how to create this secret please see [Pull an Image from a Private Registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/). |
-| nameOverride | Optional | N/A | String to partially override deployment fullname template with a string (will prepend the release name) |
-| fullNameOverride | Optional | N/A | String to fully override deployment fullname template with a string |
-| resources | Optional | {} | CPU/Memory resource requests/limits for Citrix Ingress Controller container |
-| adcCredentialSecret | Mandatory | N/A | The secret key to log on to the Citrix ADC VPX or MPX. For information on how to create the secret keys, see [Prerequisites](#prerequistes). |
-| secretStore.enabled | Optional | False | Set to "True" for deploying other Secret Provider classes |
-| secretStore.username | Optional | N/A | if `secretStore.enabled`, `username` of ADC will be fetched from the Secret Provider |
-| secretStore.password | Optional | N/A | if `secretStore.enabled`, `password` of ADC will be fetched from the Secret Provider |
-| nsIP | Mandatory | N/A | The IP address of the Citrix ADC device. For details, see [Prerequisites](#prerequistes). |
-| nsVIP | Optional | N/A | The Virtual IP address on the Citrix ADC device. 
|
-| nsSNIPS | Optional | N/A | The list of subnet IPAddresses on the Citrix ADC device, which will be used to create PBR Routes instead of Static Routes [PBR support](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/docs/how-to/pbr.md) |
-| nsPort | Optional | 443 | The port used by CIC to communicate with Citrix ADC. You can use port 80 for HTTP. |
-| nsProtocol | Optional | HTTPS | The protocol used by CIC to communicate with Citrix ADC. You can also use HTTP on port 80. |
-| nsEnableLabel | Optional | True | Set to true for plotting Servicegraph. Ensure ``analyticsConfig` are set. |
-| nitroReadTimeout | Optional | 20 | The nitro Read timeout in seconds, defaults to 20 |
-| logLevel | Optional | DEBUG | The loglevel to control the logs generated by CIC. The supported loglevels are: CRITICAL, ERROR, WARNING, INFO, DEBUG and TRACE. For more information, see [Logging](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/configure/log-levels.md).|
-| jsonLog | Optional | false | Set this argument to true if log messages are required in JSON format |
-| nsConfigDnsRec | Optional | false | To enable/disable DNS address Record addition in ADC through Ingress |
-| nsSvcLbDnsRec | Optional | false | To enable/disable DNS address Record addition in ADC through Type Load Balancer Service |
-| nsDnsNameserver | Optional | N/A | To add DNS Nameservers in ADC |
-| optimizeEndpointBinding | Optional | false | To enable/disable binding of backend endpoints to servicegroup in a single API-call. Recommended when endpoints(pods) per application are large in number. Applicable only for Citrix ADC Version >=13.0-45.7 |
-| kubernetesURL | Optional | N/A | The kube-apiserver url that CIC uses to register the events. If the value is not specified, CIC uses the [internal kube-apiserver IP address](https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod). 
|
-| clusterName | Optional | N/A | The unique identifier of the kubernetes cluster on which the CIC is deployed. Used in multi-cluster deployments. |
-| ingressClass | Optional | N/A | If multiple ingress load balancers are used to load balance different ingress resources. You can use this parameter to specify CIC to configure Citrix ADC associated with specific ingress class. For more information on Ingress class, see [Ingress class support](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/configure/ingress-classes/). For Kubernetes version >= 1.19, this will create an IngressClass object with the name specified here |
-| setAsDefaultIngressClass | Optional | False | Set the IngressClass object as default ingress class. New Ingresses without an "ingressClassName" field specified will be assigned the class specified in ingressClass. Applicable only for kubernetes versions >= 1.19 |
-| serviceClass | Optional | N/A | By Default ingress controller configures all TypeLB Service on the ADC. You can use this parameter to finetune this behavior by specifing CIC to only configure TypeLB Service with specific service class. For more information on Service class, see [Service class support](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/configure/service-classes/). |
-| nodeWatch | Optional | false | Use the argument if you want to automatically configure network route from the Ingress Citrix ADC VPX or MPX to the pods in the Kubernetes cluster. For more information, see [Automatically configure route on the Citrix ADC instance](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/network/staticrouting/#automatically-configure-route-on-the-citrix-adc-instance). |
-| cncPbr | Optional | False | Use this argument to inform CIC that Citrix Node Controller(CNC) is configuring Policy Based Routes(PBR) on the Citrix ADC. 
For more information, see [CNC-PBR-SUPPORT](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/docs/how-to/pbr.md#configure-pbr-using-the-citrix-node-controller) |
-| defaultSSLCertSecret | Optional | N/A | Provide Kubernetes secret name that needs to be used as a default non-SNI certificate in Citrix ADC. |
-| podIPsforServiceGroupMembers | Optional | False | By default Citrix Ingress Controller will add NodeIP and NodePort as service group members while configuring type LoadBalancer Services and NodePort services. This variable if set to `True` will change the behaviour to add pod IP and Pod port instead of nodeIP and nodePort. Users can set this to `True` if there is a route between ADC and K8s clusters internal pods either using feature-node-watch argument or using Citrix Node Controller. |
-| ignoreNodeExternalIP | Optional | False | While adding NodeIP, as Service group members for type LoadBalancer services or NodePort services, Citrix Ingress Controller has a selection criteria whereas it choose Node ExternalIP if available and Node InternalIP, if Node ExternalIP is not present. But some users may want to use Node InternalIP over Node ExternalIP even if Node ExternalIP is present. If this variable is set to `True`, then it prioritises the Node Internal IP to be used for service group members even if node ExternalIP is present |
-| nsHTTP2ServerSide | Optional | OFF | Set this argument to `ON` for enabling HTTP2 for Citrix ADC service group configurations. |
-| nsCookieVersion | Optional | 0 | Specify the persistence cookie version (0 or 1). |
-| profileSslFrontend | Optional | N/A | Specify the frontend SSL profile. For Details see [Configuration using FRONTEND_SSL_PROFILE](https://docs.citrix.com/en-us/citrix-k8s-ingress-controller/configure/profiles.html#global-front-end-profile-configuration-using-configmap-variables) |
-| profileTcpFrontend | Optional | N/A | Specify the frontend TCP profile. 
For Details see [Configuration using FRONTEND_TCP_PROFILE](https://docs.citrix.com/en-us/citrix-k8s-ingress-controller/configure/profiles.html#global-front-end-profile-configuration-using-configmap-variables) |
-| profileHttpFrontend | Optional | N/A | Specify the frontend HTTP profile. For Details see [Configuration using FRONTEND_HTTP_PROFILE](https://docs.citrix.com/en-us/citrix-k8s-ingress-controller/configure/profiles.html#global-front-end-profile-configuration-using-configmap-variables) |
-| ipam | Optional | False | Set this argument if you want to use the IPAM controller to automatically allocate an IP address to the service of type LoadBalancer. |
-| disableAPIServerCertVerify | Optional | False | Set this parameter to True for disabling API Server certificate verification. |
-| logProxy | Optional | N/A | Provide Elasticsearch or Kafka or Zipkin endpoint for Citrix observability exporter. |
-| entityPrefix | Optional | k8s | The prefix for the resources on the Citrix ADC VPX/MPX. |
-| updateIngressStatus | Optional | True | Set this argurment if `Status.LoadBalancer.Ingress` field of the Ingress resources managed by the Citrix ingress controller needs to be updated with allocated IP addresses. For more information see [this](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/configure/ingress-classes.md#updating-the-ingress-status-for-the-ingress-resources-with-the-specified-ip-address). |
-| routeLabels | Optional | N/A | You can use this parameter to provide the route labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster. |
-| namespaceLabels | Optional | N/A | You can use this parameter to provide the namespace labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster. |
-| podAnnotations | Optional | N/A | Map of annotations to add to the pods. |
-| affinity | Optional | N/A | Affinity labels for pod assignment. 
|
-| exporter.required | Optional | false | Use the argument, if you want to run the [Exporter for Citrix ADC Stats](https://github.com/citrix/citrix-adc-metrics-exporter) along with CIC to pull metrics for the Citrix ADC VPX or MPX|
-| exporter.imageRegistry | Optional | `quay.io` | The Exporter for Citrix ADC Stats image registry |
-| exporter.imageRepository | Optional | `citrix/citrix-adc-metrics-exporter` | The Exporter for Citrix ADC Stats image repository |
-| exporter.imageTag | Optional | `1.4.9` | The Exporter for Citrix ADC Stats image tag |
-| exporter.pullPolicy | Optional | IfNotPresent | The Exporter image pull policy. |
-| exporter.ports.containerPort | Optional | 8888 | The Exporter container port. |
-| exporter.resources | Optional | {} | CPU/Memory resource requests/limits for Metrics exporter container |
-| exporter.extraVolumeMounts | Optional | [] | Specify the Additional VolumeMounts to be mounted in Exporter container. Specify the volumes in `extraVolumes` |
-| openshift | Optional | false | Set this argument if OpenShift environment is being used. |
-| disableOpenshiftRoutes | Optional | false | By default Openshift routes are processed in openshift environment, this variable can be used to disable Ingress controller processing the openshift routes. |
-| nodeSelector.key | Optional | N/A | Node label key to be used for nodeSelector option in CIC deployment. |
-| nodeSelector.value | Optional | N/A | Node label value to be used for nodeSelector option in CIC deployment. |
-| tolerations | Optional | N/A | Specify the tolerations for the CIC deployment. |
-| crds.install | Optional | False | Unset this argument if you don't want to install CustomResourceDefinitions which are consumed by CIC. |
-| crds.retainOnDelete | Optional | false | Set this argument if you want to retain CustomResourceDefinitions even after uninstalling CIC. This will avoid data-loss of Custom Resource Objects created before uninstallation. 
|
-| analyticsConfig.required | Mandatory | false | Set this to true if you want to configure Citrix ADC to send metrics and transaction records to analytics . |
-| analyticsConfig.distributedTracing.enable | Optional | false | Set this value to true to enable OpenTracing in Citrix ADC. |
-| analyticsConfig.distributedTracing.samplingrate | Optional | 100 | Specifies the OpenTracing sampling rate in percentage. |
-| analyticsConfig.endpoint.server | Optional | N/A | Set this value as the IP address or DNS address of the analytics server. |
-| analyticsConfig.endpoint.service | Optional | N/A | Set this value as the IP address or service name with namespace of the analytics service deployed in k8s environment. Format: namespace/servicename |
-| analyticsConfig.timeseries.port | Optional | 30002 | Specify the port used to expose analytics service outside cluster for timeseries endpoint. |
-| analyticsConfig.timeseries.metrics.enable | Optional | False | Set this value to true to enable sending metrics from Citrix ADC. |
-| analyticsConfig.timeseries.metrics.mode | Optional | avro | Specifies the mode of metric endpoint. |
-| analyticsConfig.timeseries.auditlogs.enable | Optional | false | Set this value to true to export audit log data from Citrix ADC. |
-| analyticsConfig.timeseries.events.enable | Optional | false | Set this value to true to export events from the Citrix ADC. |
-| analyticsConfig.transactions.enable | Optional | false | Set this value to true to export transactions from Citrix ADC. |
-| analyticsConfig.transactions.port | Optional | 30001 | Specify the port used to expose analytics service outside cluster for transaction endpoint. |
-| nsLbHashAlgo.required | Optional | false | Set this value to set the LB consistent hashing Algorithm |
-| nsLbHashAlgo.hashFingers | Optional | 256 | Specifies the number of fingers to be used for hashing algorithm. 
Possible values are from 1 to 1024, Default value is 256 |
-| nsLbHashAlgo.hashAlgorithm | Optional | 'default' | Specifies the supported algorithm. Supported algorithms are "default", "jarh", "prac", Default value is 'default' |
-| extraVolumeMounts | Optional | [] | Specify the Additional VolumeMounts to be mounted in CIC container |
-| extraVolumes | Optional | [] | Specify the Additional Volumes for additional volumeMounts |
-| rbacRole | Optional | false | To deploy CIC with RBAC Role set rbacRole=true; by default CIC gets installed with RBAC ClusterRole(rbacRole=false)) |
-
-Alternatively, you can define a YAML file with the values for the parameters and pass the values while installing the chart.
-
-For example:
- ```
- helm install my-release citrix/citrix-ingress-controller -f values.yaml
- ```
-
-> **Tip:**
->
-> The [values.yaml](https://github.com/citrix/citrix-helm-charts/blob/master/citrix-ingress-controller/values.yaml) contains the default values of the parameters.
-
-> **Note:**
->
-> Please provide frontend-ip (VIP) in your application ingress yaml file. For more info refer [this](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/configure/annotations.md).
-
-## Route Addition in MPX/VPX
-For seamless functioning of services deployed in the Kubernetes cluster, it is essential that Ingress NetScaler device should be able to reach the underlying overlay network over which Pods are running.
-`feature-node-watch` knob of Citrix Ingress Controller can be used for automatic route configuration on NetScaler towards the pod network. Refer [Static Route Configuration](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/staticrouting.md) for further details regarding the same.
-By default, `feature-node-watch` is false. It needs to be explicitly set to true if auto route configuration is required. 
-
-This can also be achieved by deploying [Citrix Node Controller](https://github.com/citrix/citrix-k8s-node-controller).
-
-If your deployment uses one single Citrix ADC Device to loadbalance between multiple k8s clusters, there is a possibilty of CNI subnets to overlap, causing the above mentioned static routing to fail due to route conflicts. In such deployments [Policy Based Routing(PBR)] (https://docs.citrix.com/en-us/citrix-adc/current-release/networking/ip-routing/configuring-policy-based-routes/configuring-policy-based-routes-pbrs-for-ipv4-traffic.html) can be used instead. This would require you to provide one or more subnet IP Addresses unique for each kubernetes cluster either via Environment variable or Configmap, see [PBR Support](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/docs/how-to/pbr.md)
-
- Use the following command to provide subnet IPAddresses(SNIPs) to configure Policy Based Routes(PBR) on the Citrix ADC
-
- ```
- helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,nsSNIPS='[\, \, ...]'
- ```
-
- [Citrix Node Controller](https://github.com/citrix/citrix-k8s-node-controller) by default also adds static routes while creating the VXLAN tunnel. To use [Policy Based Routing(PBR)] (https://docs.citrix.com/en-us/citrix-adc/current-release/networking/ip-routing/configuring-policy-based-routes/configuring-policy-based-routes-pbrs-for-ipv4-traffic.html) to avoid static route clash, both Citrix Node Controller and Citrix Ingress Controller has to work in conjunction and has to be started with specific arguments. For more details refer [CNC-PBR-SUPPORT](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/docs/how-to/pbr.md#configure-pbr-using-the-citrix-node-controller). 
-
- Use the following command to inform Citrix Ingress Controller that Citrix Node Controller is configuring Policy Based Routes(PBR) on the Citrix ADC
-
- ```
- helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,clusterName=,cncPbr=
- ```
-
-For configuring static routes manually on Citrix ADC VPX or MPX to reach the pods inside the cluster follow:
-### For Kubernetes:
-1. Obtain podCIDR using below options:
- ```
- kubectl get nodes -o yaml | grep podCIDR
- ```
- * podCIDR: 10.244.0.0/24
- * podCIDR: 10.244.1.0/24
- * podCIDR: 10.244.2.0/24
-
-2. Log on to the Citrix ADC instance.
-
-3. Add Route in Netscaler VPX/MPX
- ```
- add route
- ```
-4. Ensure that Ingress MPX/VPX has a SNIP present in the host-network (i.e. network over which K8S nodes communicate with each other. Usually eth0 IP is from this network).
-
- Example:
- * Node1 IP = 192.0.2.1
- * podCIDR = 10.244.1.0/24
- * add route 10.244.1.0 255.255.255.0 192.0.2.1
-
-### For OpenShift:
-1. Use the following command to get the information about host names, host IP addresses, and subnets for static route configuration.
- ```
- oc get hostsubnet
- ```
-
-2. Log on to the Citrix ADC instance.
-
-3. Add the route on the Citrix ADC instance using the following command.
- ```add route ```
-
-4. Ensure that Ingress MPX/VPX has a SNIP present in the host-network (i.e. network over which OpenShift nodes communicate with each other. Usually eth0 IP is from this network). 
-
- For example, if the output of the `oc get hostsubnet` is as follows:
- * oc get hostsubnet
-
- NAME HOST HOST IP SUBNET
- os.example.com os.example.com 192.0.2.1 10.1.1.0/24
-
- * The required static route is as follows:
-
- add route 10.1.1.0 255.255.255.0 192.0.2.1
-
-## Uninstalling the Chart
-To uninstall/delete the ```my-release``` deployment:
-
- ```
- helm delete my-release
- ```
-
-The command removes all the Kubernetes components associated with the chart and deletes the release.
-
-## Related documentation
-
-- [Citrix ingress controller Documentation](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/)
-- [Citrix ingress controller GitHub](https://github.com/citrix/citrix-k8s-ingress-controller)
diff --git a/charts/citrix/citrix-ingress-controller/1.29.5/app-readme.md b/charts/citrix/citrix-ingress-controller/1.29.5/app-readme.md
deleted file mode 100644
index a8a8ebc15a..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.29.5/app-readme.md
+++ /dev/null
@@ -1,5 +0,0 @@
-# Citrix Ingress Controller
-
-[Citrix Ingress Controler](https://github.com/citrix/citrix-k8s-ingress-controller) is an ingress controller for Citrix ADC MPX (hardware), Citrix ADC VPX (virtualized), and Citrix ADC CPX (containerized) for bare metal and cloud deployments. It is built around Kubernetes Ingress and automatically configures Citrix ADC based on the Ingress resource configuration.
-
-This Chart bootstraps standalone Citrix Ingress Controller which can be used to configure Citrix MPX or VPX.
diff --git a/charts/citrix/citrix-ingress-controller/1.29.5/questions.yml b/charts/citrix/citrix-ingress-controller/1.29.5/questions.yml
deleted file mode 100644
index 89389ae11e..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.29.5/questions.yml
+++ /dev/null
@@ -1,348 +0,0 @@
-labels:
- io.rancher.certified: partner
-questions:
-- variable: license.accept
- required: true
- type: enum
- description: "Set to yes to accept the terms and conditions of the Citrix license."
- label: Accept License
- group: "Deployment Settings"
- options:
- - "yes"
- - "no"
-- variable: openshift
- default: false
- type: boolean
- description: "openshift is set to true if charts are being deployed in OpenShift environment"
- label: Openshift flag
- group: "Deployment Settings"
-- variable: adcCredentialSecret
- required: true
- default: ""
- type: string
- description: "adcCredentialSecret is secret file for NetScaler login"
- label: adcCredentialSecret Name
- group: "Deployment Settings"
-- variable: imagePullSecrets[0]
- required: false
- type: string
- description: "Provide list of Kubernetes secrets to be used for pulling the images from a private Docker registry or repository"
- label: imagePullSecrets
- group: "Deployment Settings"
-- variable: nsIP
- required: true
- type: string
- description: "nsIP is NetScaler NSIP/SNIP, SNIP in case of HA (mgmt has to be enabled)"
- label: Citrix ADC IP
- group: "ADC Settings"
-- variable: nsVIP
- required: false
- type: string
- label: Virtual IP of Citrix ADC
- group: "ADC Settings"
-- variable: nsSNIPS
- required: false
- type: string
- description: "The list of subnet IPAddresses on the Citrix ADC device, which will be used to create PBR Routes instead of Static Routes"
- label: Citrix ADC nsSNIPS
- group: "ADC Settings"
-- variable: nsPort
- required: false
- default: 443
- type: int
- description: "nsPort is port for ADC NITRO"
- label: nsPort
- group: "ADC Settings"
-- variable: nsProtocol
- required: false
- default: "HTTPS"
- type: string
- description: "nsProtocol is protocol for ADC NITRO"
- label: nsProtocol
- group: "ADC Settings"
-- variable: entityPrefix
- required: false
- type: string
- description: "The prefix for the resources on the Citrix ADC VPX/MPX"
- label: entityPrefix
- 
group: "ADC Settings"
-- variable: kubernetesURL
- required: false
- type: string
- description: "kubernetesURL is for registering events to kubeapi server"
- label: Kubernetes API-server URL
- group: "Deployment Settings"
-- variable: clusterName
- required: false
- type: string
- description: "The unique identifier of the kubernetes cluster on which the CIC is deployed"
- label: Cluster Name
- group: "Deployment Settings"
-- variable: ingressClass[0]
- required: false
- type: string
- description: "ingressClass is the name of the Ingress Class"
- label: Ingress Class
- group: "Deployment Settings"
-- variable: setAsDefaultIngressClass
- required: false
- default: False
- type: boolean
- description: "Set the IngressClass object as default ingress class. New Ingresses without an `ingressClassName` field specified will be assigned the class specified in ingressClass. Applicable only for kubernetes versions >= 1.19"
- label: setAsDefaultIngressClass
- group: "Deployment Settings"
-- variable: serviceClass[0]
- required: false
- type: string
- description: "serviceClass is the name of the Service Class"
- label: Service Class
- group: "Deployment Settings"
-- variable: defaultSSLCertSecret
- required: false
- type: string
- description: "Provide Kubernetes secret name that needs to be used as a default non-SNI certificate in Citrix ADC."
- label: defaultSSLCertSecret
- group: "ADC Settings"
-- variable: podIPsforServiceGroupMembers
- required: false
- default: False
- type: boolean
- description: "By default Citrix Ingress Controller will add NodeIP and NodePort as service group members,This variable if set to True will change the behaviour to add pod IP and Pod port instead of nodeIP and nodePort." 
- label: podIPsforServiceGroupMembers
- group: "Deployment Settings"
-- variable: ignoreNodeExternalIP
- required: false
- default: False
- type: boolean
- label: ignoreNodeExternalIP
- group: "Deployment Settings"
-- variable: ipam
- required: false
- default: False
- type: boolean
- description: "Set this argument if you want to use the IPAM controller to automatically allocate an IP address to the service of type LoadBalancer"
- label: ipam
- group: "Deployment Settings"
-- variable: logProxy
- required: false
- default: False
- type: string
- description: "Provide Elasticsearch or Kafka or Zipkin endpoint for Citrix observability exporter."
- label: Log Proxy
- group: "Deployment Settings"
-- variable: nodeWatch
- required: false
- default: false
- type: boolean
- description: "nodeWatch is used for automatic route configuration on NetScaler towards the pod network"
- label: NodeWatch
- group: "ADC Settings"
-- variable: cncPbr
- required: false
- default: false
- type: boolean
- description: "Use this argument to inform CIC that Citrix Node Controller(CNC) is configuring Policy Based Routes(PBR) on the Citrix ADC."
- label: CNC PBR
- group: "ADC Settings"
-- variable: nodeSelector.key
- required: false
- type: string
- description: "Node label key to be used for nodeSelector option in CIC deployment"
- label: NodeSelector Key
- group: "Deployment Settings"
-- variable: nodeSelector.value
- required: false
- type: string
- description: "Node label value to be used for nodeSelector option in CIC deployment." 
- label: NodeSelector value
- group: "Deployment Settings"
-- variable: tolerations[0]
- required: false
- type: string
- description: "Specify the tolerations for the CIC deployment"
- label: Tolerations
- group: "Deployment Settings"
-- variable: updateIngressStatus
- required: false
- default: false
- type: boolean
- description: "Set this argurment if Status.LoadBalancer.Ingress field of the Ingress resources managed by the Citrix ingress controller needs to be updated with allocated IP addresses"
- label: Update Ingress Status
- group: "Deployment Settings"
-- variable: nsHTTP2ServerSide
- required: false
- default: "OFF"
- type: string
- description: "Set this argument to ON for enabling HTTP2 for Citrix ADC service group configurations."
- label: nsHTTP2ServerSide
- group: "Deployment Settings"
-- variable: nsCookieVersion
- required: false
- default: "0"
- type: string
- description: "Specify the persistence cookie version (0 or 1)"
- label: nsCookieVersion
- group: "Deployment Settings"
-- variable: routeLabels
- required: false
- type: string
- description: "You can use this parameter to provide the route labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster." 
- label: Route Labels - group: "Deployment Settings" -- variable: namespaceLabels - required: false - type: string - description: "you can use this parameter to provide the namespace labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster" - label: namespaceLabels - group: "Deployment Settings" -- variable: cic.image - required: true - type: string - default: "quay.io/citrix/citrix-k8s-ingress-controller:1.19.6" - label: CIC Image - group: "CIC Image Settings" -- variable: cic.pullpolicy - required: true - default: "IfNotPresent" - type: enum - label: CIC Image Pullpolicy - group: "CIC Image Settings" - options: - - "Always" - - "IfNotPresent" - - "Never" -- variable: logLevel - required: false - default: "INFO" - type: enum - label: CIC Loglevel - group: "CIC Image Settings" - options: - - "DEBUG" - - "INFO" - - "WARNING" - - "ERROR" - - "TRACE" -- variable: exporter.required - default: false - type: boolean - description: "If set to true exporter will be deployed as sidecar" - label: Enable Exporter - group: "Exporter Settings" -- variable: exporter.image - default: "quay.io/citrix/citrix-adc-metrics-exporter:1.4.9" - required: false - type: string - description: "Exporter Image" - label: Exporter Image - group: "Exporter Settings" -- variable: exporter.pullPolicy - required: false - default: IfNotPresent - type: string - description: "Exporter Image pull policy" - label: Exporter Image PullPolicy - group: "Exporter Settings" -- variable: exporter.ports.containerPort - required: false - default: 8888 - type: int - label: Exporter ContainerPort - group: "Exporter Settings" -- variable: crds.install - required: false - default: true - type: boolean - description: "If set to true the charts will install CustomResourceDefinitions which are consumed by CIC." 
- label: CRD flag - group: "Deployment Settings" -- variable: crds.retainOnDelete - required: false - default: false - type: boolean - description: "Set this argument to true if you want to retain CustomResourceDefinitions even after uninstalling CIC. This will avoid data-loss of Custom Resource Objects created before uninstallation." - label: CRD retainOnDelete flag - group: "Deployment Settings" -- variable: coeConfig.required - required: true - default: false - type: boolean - description: "Set this to true if you want to configure Citrix ADC to send metrics and transaction records to COE" - label: Enable COE - group: "COE Settings" -- variable: coeConfig.distributedTracing.enable - required: false - default: false - type: boolean - description: "Set this value to true to enable OpenTracing in Citrix ADC." - label: Enable coeConfig DistributedTracing - group: "COE Settings" -- variable: coeConfig.distributedTracing.samplingrate - required: false - default: "100" - type: string - description: "Specifies the OpenTracing sampling rate in percentage." 
- label: coeConfig DistributedTracing Samplingrate - group: "COE Settings" -- variable: coeConfig.endpoint.server - required: false - type: string - description: "Set this value as the IP address or DNS address of the analytics server" - label: coeConfig Endpoint Server - group: "COE Settings" -- variable: coeConfig.timeseries.port - required: false - default: "30002" - type: string - description: "Specify the port used to expose COE service outside cluster for timeseries endpoint" - label: coeConfig timeseries Port - group: "COE Settings" -- variable: coeConfig.timeseries.metrics.enable - required: false - default: False - type: boolean - description: "Set this value to true to enable sending metrics from Citrix ADC" - label: Enable coeConfig Timeseries Metrics - group: "COE Settings" -- variable: coeConfig.timeseries.metrics.mode - required: false - default: "avro" - type: string - description: "Specifies the mode of metric endpoint" - label: coeConfig Timeseries Metrics Mode - group: "COE Settings" -- variable: coeConfig.timeseries.auditlogs.enable - required: false - default: False - type: boolean - description: "Set this value to true to export audit log data from Citrix ADC" - label: coeConfig Timeseries Auditlogs Enable - group: "COE Settings" -- variable: coeConfig.timeseries.events.enable - required: false - default: False - type: boolean - description: "Set this value to true to export events from the Citrix ADC" - label: Enable coeConfig Timeseries Events - group: "COE Settings" -- variable: coeConfig.transactions.enable - required: false - default: False - type: boolean - description: "Set this value to true to export transactions from Citrix ADC" - label: Enable coeConfig Transactions - group: "COE Settings" -- variable: coeConfig.transactions.port - required: false - default: 30001 - type: string - description: "Specify the port used to expose COE service outside cluster for transaction endpoint" - label: coeConfig Transactions Port - group: "COE 
Settings" -- variable: serviceAccount.create - required: false - default: true - type: boolean - description: "Specifies whether a ServiceAccount should be created" - label: ServiceAccount Create - group: "Deployment Settings" diff --git a/charts/citrix/citrix-ingress-controller/1.29.5/templates/NOTES.txt b/charts/citrix/citrix-ingress-controller/1.29.5/templates/NOTES.txt deleted file mode 100644 index 4d07f639fb..0000000000 --- a/charts/citrix/citrix-ingress-controller/1.29.5/templates/NOTES.txt +++ /dev/null @@ -1,15 +0,0 @@ -Thank you for installing {{ .Chart.Name }}. - -Your release is named {{ .Release.Name }}. - - -To learn more about the release, try: - - $ helm status {{ .Release.Name }} - $ helm get {{ .Release.Name }} - - -To delete : - helm delete {{ .Release.Name }} - - diff --git a/charts/citrix/citrix-ingress-controller/1.29.5/templates/_helpers.tpl b/charts/citrix/citrix-ingress-controller/1.29.5/templates/_helpers.tpl deleted file mode 100644 index efca8083c7..0000000000 --- a/charts/citrix/citrix-ingress-controller/1.29.5/templates/_helpers.tpl +++ /dev/null 
@@ -1,94 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Analytics Server IP or DNS
-*/}}
-{{- define "analytics.server" -}}
-{{- if .Values.analyticsConfig.endpoint.server -}}
-{{- printf .Values.analyticsConfig.endpoint.server -}}
-{{- else -}}
-{{- $addresses := first (first (lookup "v1" "Node" "" "").items).status.addresses -}}
-{{- printf "%s" ($addresses).address -}}
-{{- end -}}
-{{- end -}}
-
-
-
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "citrix-ingress-controller.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "citrix-ingress-controller.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "exporter.fullname" -}}
-{{- $name := default .Chart.Name "exporter" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "servicemonitor.fullname" -}}
-{{- $name := default .Chart.Name "citrix-adc-servicemonitor" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "servicemonitorlabel" -}}
-{{- $name := default .Chart.Name "citrix-adc-svcmon" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "cicconfigmap.fullname" -}}
-{{- $name := default .Chart.Name "cic-configmap" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "citrix-ingress-controller.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "citrix-ingress-controller.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create -}}
- {{ default (include "citrix-ingress-controller.fullname" .) .Values.serviceAccount.name }}
-{{- else -}}
- {{ default "default" .Values.serviceAccount.name }}
-{{- end -}}
-{{- end -}}
diff --git a/charts/citrix/citrix-ingress-controller/1.29.5/templates/cic_crds.yaml b/charts/citrix/citrix-ingress-controller/1.29.5/templates/cic_crds.yaml
deleted file mode 100644
index 54c7c448dd..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.29.5/templates/cic_crds.yaml
+++ /dev/null
@@ -1,2515 +0,0 @@ -{{- if .Values.crds.install }} -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: rewritepolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: rewritepolicy - plural: rewritepolicies - singular: rewritepolicy - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - rewrite-policies: - type: array - items: - type: object - properties: - servicenames: - description: 'Name of the services that needs to be binded to rewrite policy.' - type: array - items: - type: string - maxLength: 127 - goto-priority-expression: - description: 'Expression or other value specifying the next policy to be - evaluated if the current policy evaluates to TRUE. - Specify one of the following values: - * NEXT - Evaluate the policy with the next higher priority number. - * END - End policy evaluation. - Default value of goto-priority-expression: END' - type: string - maxLength: 1499 - logpackets: - type: object - description: 'Adds an audit message action. - The action specifies whether to log the message, and to which log.' 
- properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' - type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - rewrite-policy: - type: object - properties: - rewrite-criteria: - description: 'Expression against which traffic is evaluated.' - type: string - maxLength: 1299 - default-action: - description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). - An UNDEF event indicates an internal error condition.' - type: string - maxLength: 77 - enum: ['NOREWRITE', 'RESET', 'DROP'] - operation: - description: 'Type of user-defined rewrite action.' - type: string - enum: ["noop", "delete", "insert_http_header", "delete_http_header", - "corrupt_http_header", "insert_before", "insert_after", "replace", - "replace_http_res", "delete_all", "replace_all", "insert_before_all", - "insert_after_all", "clientless_vpn_encode", "clientless_vpn_encode_all", - "clientless_vpn_decode", "clientless_vpn_decode_all", "insert_sip_header", - "delete_sip_header", "corrupt_sip_header", "replace_sip_res", "replace_diameter_header_field", - "replace_dns_header_field", "replace_dns_answer_section"] - target: - description: 'Default syntax expression that specifies which part of the request or response to rewrite.' - type: string - maxLength: 1229 - modify-expression: - description: 'Default syntax expression that specifies the content to insert into the request - or response at the specified location, or that replaces the specified string.' - type: string - maxLength: 7991 - multiple-occurence-modify: - description: 'Search facility that is used to match multiple strings in the request or response.' 
- type: string - maxLength: 171 - additional-multiple-occurence-modify: - description: 'Specify additional criteria to refine the results of the search. - Always starts with the "extend(m,n)" operation, where "m" specifies number of bytes to the left of selected data - and "n" specifies number of bytes to the right of selected data. - You can use refineSearch only on body expressions, and only when rewrite-criteria is any one of this: - INSERT_BEFORE_ALL, INSERT_AFTER_ALL, REPLACE_ALL, and DELETE_ALL.' - type: string - maxLength: 1299 - direction: - description: 'Bind point to which to bind the policy.' - type: string - enum: ["REQUEST","RESPONSE"] - comment: - description: 'Any comments to preserve information about this rewrite policy.' - type: string - maxLength: 255 - required: [rewrite-criteria, operation, target, direction] - required: [rewrite-policy] - - responder-policies: - type: array - items: - type: object - properties: - servicenames: - description: 'Name of the services that needs to be binded to responder policy.' - type: array - items: - type: string - maxLength: 127 - goto-priority-expression: - description: 'Expression or other value specifying the next policy to be - evaluated if the current policy evaluates to TRUE. - Specify one of the following values: - * NEXT - Evaluate the policy with the next higher priority number. - * END - End policy evaluation. - Default value of goto-priority-expression: END' - type: string - maxLength: 1499 - logpackets: - type: object - description: 'Adds an audit message action. - The action specifies whether to log the message, and to which log.' - properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' 
- type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", - "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - responder-policy: - type: object - properties: - redirect: - type: object - description: 'Use this option when you want to Redirect the request when request matches to policy.' - properties: - url: - description: 'URL on which you want to redirect the request.' - type: string - maxLength: 7991 - redirect-status-code: - description: 'HTTP response status code, for example 200, 302, 404, etc.' - type: integer - minimum: 100 - maximum: 599 - redirect-reason: - description: 'Expression specifying the reason for redirecting the request.' - type: string - maxLength: 7991 - required: [url] - respondwith: - type: object - description: 'Use this parameter when you want to respond to the request when request matches to policy.' - properties: - http-payload-string: - description: 'Expression that you want to sent as response to the request.' - type: string - maxLength: 7991 - required: [http-payload-string] - noop: - type: string - description: 'Use this option when you want to send the request to the protected server instead of - responding to it when request matches to policy.' - properties: - target: - description: 'Default syntax expression that specifies to perform noop operation on' - type: string - maxLength: 1229 - reset: - type: string - description: 'Use this option when you want to Reset the client connection by closing it when request matches to policy.' - properties: - drop: - type: string - description: 'Use this option when you want to drop the request without sending a response to the user when request matches to policy.' - properties: - respond-criteria: - description: 'Default syntax expression that the policy uses to determine whether to respond to the specified request.' 
- type: string - maxLength: 1299 - default-action: - description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). - An UNDEF event indicates an internal error condition.' - type: string - maxLength: 77 - enum: ['NOOP', 'RESET', 'DROP'] - comment: - description: 'Any comments to preserve information about this responder policy.' - type: string - maxLength: 255 - required: [respond-criteria] - oneOf: [required: [redirect], required: [respondwith], required: [noop], required: [reset], required: [drop]] - required: [responder-policy] - - dataset: - type: array - items: - type: object - properties: - name: - description: 'Name of the dataset.' - type: string - maxLength: 32 - type: - description: 'Type of value to bind to the dataset.' - type: string - enum: ["ipv4", "number", "ipv6", "ulong", "double", "mac"] - comment: - description: 'Any comments to preserve information about this dataset.' - type: string - maxLength: 255 - values: - description: 'Value of the specified type that is associated with this dataset.' - type: array - items: - type: string - required: [name, type, values] - - patset: - type: array - items: - type: object - properties: - name: - description: 'Name of the Patset.' - type: string - maxLength: 32 - comment: - description: 'Any comments to preserve information about this patset.' - type: string - maxLength: 255 - values: - description: 'String of characters that constitutes a pattern and is associated with this patset.' - type: array - items: - type: string - required: [name, values] - - stringmap: - type: array - items: - type: object - properties: - name: - description: 'Name of the Stringmap.' - type: string - maxLength: 32 - comment: - description: 'Any comments to preserve information about this stringmap.' - type: string - maxLength: 255 - values: - description: 'List of (key,value) pairs to be bound to this string map.' 
- type: array - items: - type: object - properties: - key: - description: 'Character string constituting the key to be bound to this string map.' - type: string - maxLength: 2047 - value: - description: 'Character string constituting the value associated with the key.' - type: string - maxLength: 2047 - required: [name, values] - - httpcallout_policy: - type: array - items: - type: object - properties: - name: - description: 'httpcallout name' - type: string - maxLength: 32 - server_ip: - description: 'IP Address of the server(callout agent) to which the callout is sent.' - type: string - server_port: - description: 'Port of the server(callout agent) to which the callout is sent.' - type: integer - minimum: 1 - maximum: 65535 - http_method: - description: |+ - 'Method used in the HTTP request that this callout sends. - Default http method is GET' - type: string - enum: ['GET', 'POST'] - host_expr: - description: |+ - 'String expression to configure the Host header. Can contain a literal value - (for example, 10.101.10.11) or a derived value (for example, http.req.header("Host")). - The literal value can be an IP address or a fully qualified domain name. Mutually - exclusive with the full HTTP request expression.' - type: string - maxLength: 255 - url_stem_expr: - description: |+ - 'String expression for generating the URL stem. Can contain a literal string - (for example, "/mysite/index.html") or an expression that derives the value - (for example, http.req.url).' - type: string - maxLength: 8191 - headers: - type: array - description: |+ - 'One or more headers to insert into the HTTP request. Each header is represented by - name and expr, where expr is an expression that is evaluated at runtime to provide - the value for the named header. You can configure a maximum of eight headers for - an HTTP callout.' 
- items: - type: object - properties: - name: - description: 'header name' - type: string - expr: - description: 'header expression' - type: string - parameters: - type: array - description: |+ - 'One or more query parameters to insert into the HTTP request URL (for a GET request) - or into the request body (for a POST request). Each parameter is represented by - name and expr, where expr is an expression that is evaluated at run time to provide - the value for the named parameter (name=value). The parameter values are URL encoded.' - items: - type: object - properties: - name: - description: 'parameter name' - type: string - expr: - description: 'parameter expression' - type: string - body_expr: - description: |+ - 'An advanced string expression for generating the body of the request. - The expression can contain a literal string or an expression that derives - the value (for example, client.ip.src).' - type: string - full_req_expr: - description: |+ - 'Exact HTTP request, in the form of an expression, which the Citrix ADC sends - to the callout agent. The request expression is constrained by the feature - for which the callout is used. For example, an HTTP.RES expression cannot be - used in a request-time policy bank or in a TCP content switching policy bank.' - type: string - scheme: - description: |+ - 'Type of scheme for the callout server. - Default scheme is HTTP' - type: string - enum: ['HTTP', 'HTTPS'] - cache_for_secs: - description: |+ - 'Duration, in seconds, for which the callout response is cached. - The cached responses are stored in an integrated caching content - group named "calloutContentGroup". If no duration is configured, - the callout responses will not be cached unless normal caching - configuration is used to cache them. This parameter takes precedence over any - normal caching configuration that would otherwise apply to these responses.' 
- type: integer - minimum: 1 - maximum: 31536000 - return_type: - description: |+ - 'Type of data that the target callout agent returns in response to the callout - Available settings function as follows: - * TEXT - Treat the returned value as a text string. - * NUM - Treat the returned value as a number. - * BOOL - Treat the returned value as a Boolean value.' - type: string - enum: ['TEXT', 'NUM', 'BOOL'] - result_expr: - description: |+ - 'Expression that extracts the callout results from the response sent by the HTTP callout - agent. Must be a response based expression, that is, it must begin with HTTP.RES. The - operations in this expression must match the return type. For example, if you configure - a return type of TEXT, the result expression must be a text based expression. If the - return type is NUM, the result expression (resultExpr) must return a numeric value, - as in the following example: http.res.body(10000).length.' - type: string - maxLength: 8191 - comment: - description: 'Any comments to preserve information about this HTTP callout.' 
- type: string - maxLength: 255 - allOf: - - properties: - required: [name, server_ip, server_port] - - properties: - oneOf: - - properties: - required: [full_req_expr] - - properties: - anyOf: - - properties: - required: [http_method] - - properties: - required: [host_expr] - - properties: - required: [url_stem_expr] - - properties: - required: [headers] - - properties: - required: [parameters] - - properties: - required: [body_expr] - anyOf: [required: [rewrite-policies], required: [responder-policies]] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: ratelimits.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: ratelimit - plural: ratelimits - singular: ratelimit - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the ratelimit policies are applied.' - type: array - items: - type: string - maxLength: 127 - selector_keys: - type: object - description: 'Traffic match criteria to which apply above rate-limit/throttling. All keys are applied as AND condition. 
If no keys are specified, rate-limit applies at service level' - properties: - basic: - type: object - description: "Basic traffic stream selection criteria to which to apply the ratelimit" - properties: - path: - type: array - description: "api resource path prefix match. e.g. /api/v1/products" - items: - type: string - method: - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST','DELETE'] - header_name: - description: "HTTP header that identifies the unique API client for e.g. X-apikey" - type: string - per_client_ip: - description: "Setting this applies the throttling limit to each unique Client IP address accessing the API resource" - type: boolean - req_threshold: - description: 'Max requests per timeslice units to be allowed' - type: integer - timeslice: - description: 'Timeslice in miliseconds in multiple of 10. Defaults to 1000 miliseconds' - type: integer - limittype: - description: "Burst mode or smooth. Defaults to smooth limittype if not specified" - type: string - enum: ['BURSTY','SMOOTH'] - throttle_action: - type: string - enum: ['DROP', 'RESET','REDIRECT', 'RESPOND'] - description: "Drop will drop the requests exceeding limits, RESET will reset the client connection, Redirect will redirect to specified URL, respond will respond with 429 'Exceeded allowed rate of requests'" - redirect_url: - type: string - description: "Redirect-URL" - logpackets: - type: object - description: 'Adds an audit message action. The action specifies whether to log the message, and to which log.' - properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' 
- type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - required: [req_threshold] ---- -#Sample CRD instance - -#apiVersion: citrix.com/v1 -#description: VIP for apache service -#kind: vip -#metadata: -# name: service-apache -# namespace: default -#spec: -# description: VIP for the apache Service -# ipaddress: 10.99.98.90 -# kind: service -# name: apache - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: vips.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: vip - plural: vips - singular: vip - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - additionalPrinterColumns: - - jsonPath: .spec.ipaddress - name: VIP - type: string - - name: Age - type: date - jsonPath: .metadata.creationTimestamp - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - ipaddress: - type: string - name: - type: string - kind: - type: string - enum: ["service", "ingress"] - description: - type: string - range-name: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: authpolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: authpolicy - plural: authpolicies - singular: authpolicy - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: 'Current Status of the CRD' - jsonPath: .status.state - - name: Message - type: string - description: 'Status Message' - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: 
string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: |+ - 'Name of the services for which the policies applied' - type: array - items: - type: string - maxLength: 63 - authentication_mechanism: - type: object - description: |+ - 'Authentication mechanism. Options: using forms or using request header. - Default is Authentication using request header, when no option is specified' - properties: - using_request_header: - description: |+ - 'Enable user authentication using request header. Use when the credentials - or api keys are passed in a header. For example, when using Basic, Digest, - Bearer authentication or api keys. - When authentication using forms is provided, this is set to OFF' - - type: string - using_forms: - type: object - description: 'Enables authentication using forms. Use with user/web authentication.' - properties: - authentication_host: - description: |+ - 'Fully qualified domain name (FQDN) for authentication. - This FQDN should be unique and should resolve to frontend IP of - ADC with Ingress/service type LoadBalancer (or) vip of Listener CRD' - type: string - maxLength: 255 - authentication_host_cert: - description: |+ - 'Name of the SSL certificate to be used with authentication_host. 
- This certificate is mandatory while using_forms' - type: object - properties: - tls_secret: - type: string - description: 'Name of the Kubernetes Secret of type tls referring to Certificate' - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - preconfigured: - type: string - maxLength: 63 - description: |+ - 'Preconfigured SSL certkey name on ADC with the - certificate and key already added on ADC' - oneOf: - - properties: - required: [tls_secret] - - properties: - required: [preconfigured] - ingress_name: - description: |+ - 'Ingress name for which the authentication using forms - is applicable.' - type: string - maxLength: 63 - lb_service_name: - description: |+ - 'Service of type LoadBalancer for which the authentication using forms - is applicable.' - type: string - maxLength: 63 - listener_name: - description: |+ - 'Listener CRD name for which the authentication using forms is applicable.' - type: string - maxLength: 63 - vip: - description: |+ - 'Frontend IP of ingress for which the authentication - using forms is applicable. This refers to frontend-ip provided - with Ingress. It is suggested to use vip, if more than one Ingress - resource use the same frontend-ip' - type: string - required: [authentication_host, authentication_host_cert] - oneOf: - - properties: - required: [ingress_name] - - properties: - required: [lb_service_name] - - properties: - required: [listener_name] - - properties: - required: [vip] - oneOf: - - properties: - using_request_header: - enum: ['ON'] - required: [using_request_header] - - properties: - required: [using_forms] - - authentication_providers: - description: |+ - 'Authentication Configuration for required authentication providers/schemes. 
- One or more of these can be created' - type: array - items: - description: 'Create config for a single authentication provider of a particular type' - type: object - properties: - name: - description: 'Name for this provider, has to be unique, referenced by authentication policies' - type: string - maxLength: 127 - - oauth: - description: 'Authentication provided by external oAuth provider' - type: object - properties: - issuer: - description: 'Identity of the server whose tokens are to be accepted' - type: string - maxLength: 127 - audience: - description: 'Audience for which token sent by Authorization server is applicable' - type: array - items: - type: string - maxLength: 127 - jwks_uri: - description: |+ - 'URL of the endpoint that contains JWKs (Json Web Key) for - JWT (Json Web Token) verification' - type: string - maxLength: 127 - introspect_url: - description: ' URL of the introspection server' - type: string - maxLength: 127 - client_credentials: - description: |+ - 'secrets object that contains Client Id and secret as known - to Introspection server' - type: string - maxLength: 253 - token_in_hdr: - description: |+ - 'custom header name where token is present, - default is Authorization header' - type: array - items: - type: string - maxLength: 127 - maxItems: 2 - token_in_param: - description: 'query parameter name where token is present' - type: array - items: - type: string - maxLength: 127 - maxItems: 2 - signature_algorithms: - description: 'list of allowed signature algorithms, by default HS256, RS256, RS512 are allowed' - type: array - items: - type: string - enum: ['HS256', 'RS256', 'RS512'] - claims_to_save: - description: 'list of claims to be saved, used to create authorization policies' - type: array - items: - type: string - maxLength: 127 - metadata_url: - description: 'URL used to get OAUTH/OIDC provider metadata' - type: string - maxLength: 255 - user_field: - description: |+ - 'Attribute in the token from which username should be 
extracted. - by default, ADC looks at email attribute for user id' - type: string - maxLength: 127 - default_group: - description: |+ - 'group assigned to the request if authentication succeeds, - this is in addition to any extracted groups from token' - type: string - maxLength: 63 - grant_type: - description: 'used to specify the type of flow to the token end point, defaults to CODE' - type: array - items: - type: string - enum: ['CODE','PASSWORD'] - pkce: - description: 'specify whether to enable Proof Key Code Exchange, defaults to ENABLED' - type: string - enum: ['ENABLED', 'DISABLED'] - token_ep_auth_method: - description: |+ - 'authentication method to be used with token end point, - defaults to client_secret_post' - type: string - enum: ['client_secret_post', 'client_secret_jwt'] - - anyOf: - - properties: - required : [jwks_uri] - - properties: - required : [introspect_url, client_credentials] - - properties: - required : [metadata_url] - - ldap: - description: 'LDAP authentication provider' - type: object - properties: - server_ip: - description: 'IP address assigned to the LDAP server' - type: string - server_name: - description: 'LDAP server name as a FQDN' - type: string - maxLength: 127 - server_port: - description: 'Port on which the LDAP server accepts connections. Default is 389' - type: integer - minimum: 1 - maximum: 65535 - base: - description: |+ - 'Base (node) from which to start LDAP searches. If the LDAP server is - running locally, the default value of base is dc=netscaler, dc=com' - type: string - maxLength: 127 - server_login_credentials: - description: |+ - 'Kubernetes secret object providing credentials to login to LDAP server, - The secret data should have username and password' - type: string - login_name: - description: |+ - 'LDAP login name attribute. 
The Citrix ADC uses the LDAP login name - to query external LDAP servers or Active Directories' - type: string - maxLength: 127 - security_type: - description: |+ - 'Type of security used for communications between the Citrix ADC - and the LDAP server. Default is TLS' - type: string - enum: ['PLAINTEXT', 'TLS', 'SSL'] - validate_server_cert: - description: 'Validate LDAP Server certs. Default is NO' - type: string - enum: ['YES', 'NO'] - hostname: - description: |+ - 'Hostname for the LDAP server. If validate_server_cert is ON, - this must be the host name on the certificate from the LDAP - A hostname mismatch will cause a connection failure' - type: string - maxLength: 127 - sub_attribute_name: - description: 'LDAP group sub-attribute name. Used for group extraction from the LDAP server.' - type: string - maxLength: 31 - group_attribute_name: - description: 'LDAP group attribute name. Used for group extraction on the LDAP server.' - type: string - maxLength: 31 - search_filter: - description: |+ - 'String to be combined with the default LDAP user search string to form the - search value. For example, if the search filter "vpnallowed=true" is combined - with the LDAP login name "samaccount" and the user-supplied username is "bob", - the result is the LDAP search string ""(&(vpnallowed=true)(samaccount=bob)"" - (Be sure to enclose the search string in two sets of double quotation marks)' - type: string - maxLength: 255 - auth_timeout: - description: |+ - 'Number of seconds the Citrix ADC waits for a response from the server - Default is 3' - type: integer - minimum: 1 - maximum: 4294967295 - password_change: - description: 'Allow password change requests. 
Default is DISABLED' - type: string - enum: ['ENABLED', 'DISABLED'] - attributes_to_save: - description: |+ - 'List of attribute names separated by comma which needs to be fetched - from LDAP server and stored as key-value pair for the session on ADC' - type: string - maxLength: 2047 - oneOf: - - properties: - required: [server_ip] - - properties: - required: [server_name] - - saml: - description: |+ - 'SAML authentication provider. - Currently SAML is supported only with authentication mechanism using forms' - type: object - properties: - metadata_url: - description: 'URL is used for obtaining saml metadata.' - type: string - maxLength: 255 - metadata_refresh_interval: - description: |+ - 'Interval in minutes for fetching metadata from specified metadata URL. - Default is 36000' - type: integer - minimum: 1 - maximum: 4294967295 - signing_cert: - description: 'SSL certificate to sign requests from SP to IDP' - type: object - properties: - tls_secret: - type: string - description: 'Name of the Kubernetes Secret of type tls referring to Certificate' - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - preconfigured: - type: string - maxLength: 63 - description: |+ - 'Preconfigured SSL certkey name on ADC with the - certificate and key already added on ADC' - oneOf: - - properties: - required: [tls_secret] - - properties: - required: [preconfigured] - audience: - description: 'Audience for which assertion sent by IdP is applicable' - type: string - maxLength: 127 - issuer_name: - description: 'The name to be used in requests sent from SP to IDP to identify citrix ADC' - type: string - maxLength: 63 - binding: - description: 'Specifies the transport mechanism of saml message. Default is POST' - type: string - enum: ['REDIRECT', 'POST', 'ARTIFACT'] - artifact_resolution_service_url: - description: 'URL of the Artifact Resolution Service on IdP' - type: string - maxLength: 255 - logout_binding: - description: 'Specifies the transport mechanism of saml logout. 
Default is POST' - type: string - enum: ['REDIRECT', 'POST'] - reject_unsigned_assertion: - description: |+ - 'Reject unsigned SAML assertions. ON, rejects assertion without signature. - STRICT ensure that both Response and Assertion are signed. Default is ON' - type: string - enum: ['ON', 'OFF', 'STRICT'] - user_field: - description: 'SAML user ID, as given in the SAML assertion' - type: string - maxLength: 63 - default_authentication_group: - description: |+ - 'This is the default group that is chosen when the authentication - succeeds in addition to extracted groups' - type: string - maxLength: 63 - skew_time: - description: |+ - 'Allowed clock skew in number of minutes on an incoming assertion. - Default is 5' - type: integer - minimum: 1 - attributes_to_save: - description: |+ - 'List of attribute names separated by comma which needs to be extracted - and stored as key-value pair for the session on ADC' - type: string - maxLength: 2047 - required: - - metadata_url - - basic_local_db: - type: object - description: |+ - 'Basic HTTP authentication supported by ADC, user data in local DB of ADC. - Users needs to be added on ADC' - properties: - use_local_auth: - description: 'Use ADC authentication' - type: string - enum: ['YES'] - - required: - - name - - authentication_policies: - description: 'Authentication policies' - type: array - items: - type: object - description: 'Authentication policy' - properties: - resource: - type: object - description: 'endpoint/resource selection criteria' - properties: - path: - description: 'api resource path e.g. /products. 
' - type: array - items: - type: string - maxLength: 511 - method: - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST','DELETE'] - required: - - path - expression: - description: 'ADC syntax expression for authentication' - type: string - maxLength: 1229 - provider: - description: 'name of the authentication provider for the policy, empty if no authentication required' - type: array - items: - type: string - maxLength: 127 - maxItems: 1 - oneOf: - - required: [resource, provider] - - required: [expression, provider] - - authorization_policies: - description: 'Authorization policies' - type: array - items: - type: object - description: 'Authorization policy' - properties: - resource: - type: object - description: 'endpoint/resource selection criteria' - properties: - path: - description: 'api resource path e.g. /products. ' - type: array - items: - type: string - maxLength: 511 - method: - description: ' http method' - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST','DELETE'] - claims: - description: 'authorization scopes required for selected resource saved as claims or attributes' - type: array - items: - type: object - properties: - name: - description: 'name of the claim/attribute to check' - type: string - maxLength: 127 - values: - description: 'list of claim values required for the request' - type: array - items: - type: string - maxLength: 127 - minItems: 1 - required: - - name - - values - required: - - claims - expression: - description: 'ADC syntax expression for authorization' - type: string - maxLength: 1229 - oneOf: - - required: [resource] - - required: [expression] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: listeners.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - version: null - names: - kind: Listener - plural: listeners - singular: listener - scope: Namespaced - versions: - 
- name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - required: [spec] - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - required: [protocol] - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - protocol: - type: string - enum: ["https", "http"] - description: "Protocol for this listener" - vip: - type: string - description: "VIP address, Optional for CPX, required for Tier-1 deployments" - secondaryVips: - type: array - description: "An array of Secondary VIPs. All the VIPs will be part of an ipset" - minItems: 1 - items: - type: string - redirectPort: - type: integer - minimum: 1 - maximum: 65535 - description: "Port from which http traffic should be redirected to https" - port: - type: integer - minimum: 1 - maximum: 65535 - certificates: - type: array - description: "certificates attached to the endpoints - Not applicable for HTTP" - minItems: 1 - items: - type: object - properties: - preconfigured: - type: string - description: "Preconfigured Certificate name on ADC " - secret: - type: object - description: "Kuberentes secret object" - required: [name] - properties: - name: - type: string - description: "name of the Kubernetes Secret object where Cert is located" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - namespace: - type: string - description: "Namespace of the kubernetes secret object; Default is same namespace where the Listener object is located" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - default: - type: boolean - description: "Only one of the certificate can be marked as default which will be presented if none of the cert matches with the hostname" - oneOf: - - required: ["preconfigured"] - - required: ["secret"] - policies: - 
type: object - description: "Policies attached to the Listener" - properties: - httpprofile: - type: object - description: "HTTP profile configurations for the Listener, HTTP level configurations" - properties: - preconfigured: - type: string - description: "Preconfigured or Built-in HTTP profile name" - config: - type: object - description: "HTTP profile configuration for the listener. For individual fields, refer:https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ns/nshttpprofile/nshttpprofile/ Name field is auto populated" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - tcpprofile: - type: object - description: "TCP level configurations, uses ns tcpprofile of citrix ADC" - properties: - preconfigured: - description: "Preconfigured or Built-in TCP profile name" - type: string - config: - type: object - description: "TCPprofile configurations for the listener. For individual fields refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ns/nstcpprofile/ ; Name field is auto populated" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - csvserverConfig: - type: object - description: "CS Vserver configuration for the listener" - additionalProperties: - type: string - sslprofile: - type: object - description: "SSL profile configuration" - properties: - preconfigured: - type: string - description: "SSL profile which is preconfigured in ADC. Ciphers bound to the profile is not overriden" - config: - description: "Citrix ADC frontend SSL profile configurations. 
Refer:https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ssl/sslprofile/ for all configurations; Name field is auto generated" - type: object - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - sslciphers: - type: array - description: "List of ciphers to be bound to the ssl profile for the listener. Priority is as per the order in the list. A cipher suite, predefined cipher group or User created cipher group can be mentioned" - minItems: 1 - items: - type: string - description: "Cipher suite, cipher group name" - analyticsprofile: - type: object - description: "Analytics profile configuration" - properties: - preconfigured: - type: array - description: "Preconfigured Analytics profile that needs to be bound to the vserver" - minItems: 1 - items: - type: string - description: "Name of the analytics profile preconfigured that will be bound to the Vserver" - config: - type: array - description: "An array of analytics to be enabled" - minItems: 1 - items: - type: object - description: "Anlytics to be enabled" - required: ['type'] - properties: - type: - description: "Analytics profile to be enabled, you can enable one or more of the webinsight, tcpinsight, securityinsight, videoinsight, hdxinsight, gatewayinsight, timeseries, lsninsight, botinsight " - type: string - enum: ["webinsight", "tcpinsight", "securityinsight", "videoinsight", "hdxinsight", "gatewayinsight", "timeseries", "lsninsight", "botinsight"] - parameters: - type: object - description: "Additional parameters for analytics profile. 
Please refer:https://developer-docs.citrix.com/projects/citrix-adc-nitro-api-reference/en/latest/configuration/analytics/analyticsprofile/" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - routes: - type: array - description: "List of route objects attached to the listener" - minItems: 1 - items: - type: object - properties: - name: - type: string - description: "Name of the HTTPRoute object" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - namespace: - type: string - description: "Namespace of the HTTPRoute object" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - labelSelector: - description: "Labels key value pair, if the route carries the same labels, it is automatically attached" - type: object - additionalProperties: - type: string - oneOf: - - required: [name, namespace] - - required: [labelSelector] - defaultAction: - type: object - description: "Default action for the listener: One of Backend or Redirect" - properties: - backend: - type: object - oneOf: - - required: [kube] - properties: - kube: - type: object - required: [service, port] - properties: - service: - description: "Name of the backend service" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - port: - description: "Service port" - type: integer - minimum: 1 - maximum: 65535 - namespace: - description: "Service namespace" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - backendConfig: - description: "General backend service options" - type: object - properties: - secure_backend: - description: "Use Secure communications to the backends" - type: boolean - lbConfig: - description: "Citrix ADC LB vserver configurations for the backend. 
Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/load-balancing/lbvserver/lbvserver/ for all configurations" - type: object - additionalProperties: - type: string - servicegroupConfig: - description: "Citrix ADC service group configurations for the backend; Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/basic/servicegroup/servicegroup/ for all configurations" - type: object - additionalProperties: - type: string - redirect: - type: object - oneOf: - - required: [targetExpression] - - required: [hostRedirect] - - required: [httpsRedirect] - properties: - httpsRedirect: - description: "Change the scheme from http to https keeping URL intact" - type: boolean - hostRedirect: - description: "Host name specified is used for redirection with URL intact" - type: string - targetExpression: - description: "A target can be specified using Citrix ADC policy expression" - type: string - responseCode: - description: "Default response code is 302, which can be customised using this attribute" - type: integer - minimum: 100 - maximum: 599 - oneOf: - - required: ["backend"] - - required: ["redirect"] - subresources: - # status enables the status subresource. 
- status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: httproutes.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - version: null - names: - kind: HTTPRoute - plural: httproutes - singular: httproute - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - required: [rules] - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - hostname: - type: array - description: "List of domain names that share the same route, default is '*'" - minItems: 1 - items: - type: string - description: "Domain name" - rules: - type: array - description: "List Content routing rules with an action defined" - minItems: 1 - items: - type: object - required: [name, action] - properties: - name: - type: string - description: "A name to represent the rule, this is used as an identifier in content routing policy name in ADC" - minLength: 1 - maxLength: 20 - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - match: - type: array - description: "List of rules with same action" - minItems: 1 - items: - type: object - anyOf: - - required: [path] - - required: [headers] - - required: [cookies] - - required: [queryParams] - - required: [method] - - required: [policyExpression] - properties: - path: - type: object - description: "URL Path based content routing" - properties: - prefix: - type: string - description: "URL path matches the prefix expression" - exact: - type: string - description: "URL Path must match exact path" - regex: - type: string - 
description: "PCRE based regex expression for path matching" - headers: - type: array - description: "List of header for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Header details for content routing, Check for existence of a header or header name-value match" - properties: - headerName: - type: object - description: "Header name based content routing, Here existence of header is used for routing" - properties: - exact: - type: string - description: "Header Name - treated as exact must exist" - contains: - type: string - description: "Header Name - A header must exist that contain the string the name" - regex: - type: string - description: "header Name - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e header name must not exist" - oneOf: - - required: [exact] - - required: [contains] - - required: [regex] - headerValue: - type: object - description: "Header Name and Value based match" - properties: - name: - type: string - description: "Header name that must match the value" - exact: - type: string - description: "Header value - treated as exact" - contains: - type: string - description: "Header value - treated as contains" - regex: - type: string - description: "header value - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e header if present must not match the value" - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - queryParams: - type: array - description: "List of Query parameters for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Query parameters Name and Value based match" - properties: - name: - type: string - description: "Query name that must match the value. 
If no value is specified, matches with any value" - exact: - type: string - description: "Query value - Exact match" - contains: - type: string - description: "Query value - value must have the string(substring)" - regex: - type: string - description: "Query value - Value must match this regex patterm" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e query if present must not match the value" - anyOf: - - required: [name] - - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - cookies: - type: array - description: "List of Cookie params for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Cookie based routing" - properties: - name: - type: string - description: "cookie name that must match the value. If no value specified, it matches with any value" - exact: - type: string - description: "cookie value - treated as exact" - contains: - type: string - description: "cookie value - treated as substring" - regex: - type: string - description: "cookie value - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. 
I.e cookie if present must not match the value" - anyOf: - - required: [name] - - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - method: - type: string - description: "HTTP method for content routing eg: POST, PUT, DELETE etc" - policyExpression: - type: string - description: "Citrix ADC policy expressions; refer: https://docs.citrix.com/en-us/netscaler/media/expression-prefix.pdf" - action: - type: object - description: "Action for the matched rule" - properties: - backend: - type: object - oneOf: - - required: [kube] - properties: - kube: - type: object - required: [service, port] - properties: - service: - description: "Name of the backend service" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - port: - description: "Service port" - type: integer - minimum: 1 - maximum: 65535 - backendConfig: - type: object - description: "General backend service options" - properties: - secureBackend: - description: "Use Secure communications to the backends" - type: boolean - lbConfig: - description: "Citrix ADC LB vserver configurations for the backend. 
Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/load-balancing/lbvserver/lbvserver/ for all configurations" - type: object - additionalProperties: - type: string - servicegroupConfig: - description: "Citrix ADC service group configurations for the backend; Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/basic/servicegroup/servicegroup/ for all configurations" - type: object - additionalProperties: - type: string - redirect: - type: object - oneOf: - - required: [targetExpression] - - required: [hostRedirect] - - required: [httpsRedirect] - properties: - httpsRedirect: - description: "Change the scheme from http to https keeping URL intact" - type: boolean - hostRedirect: - description: "Host name specified is used for redirection with URL intact" - type: string - targetExpression: - description: "A target can be specified using Citrix ADC policy expression" - type: string - responseCode: - description: "Default response code is 302, which can be customised using this attribute" - type: integer - minimum: 100 - maximum: 599 - oneOf: - - required: ["backend"] - - required: ["redirect"] - subresources: - # status enables the status subresource. - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - # name must match the spec fields below, and be in the form: . 
- name: continuousdeployments.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: continuousdeployment - plural: continuousdeployments - singular: continuousdeployment - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - cronSpec: - type: integer - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: wafs.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: waf - plural: wafs - singular: waf - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the waf policies are applied.' 
- type: array - items: - type: string - maxLength: 127 - application_type: - description: 'Type of applications to protect' - type: array - items: - type: string - enum: ['HTML', 'JSON', 'XML'] - signatures: - description: 'Location of external signature file' - type: string - redirect_url: - description: 'When a URL is blocked/down, redirect_url represents the alternate URL where the client requests should be sent.' - type: string - html_error_object: - description: 'Location of customized error page to respond when html or common violation are hit' - type: string - xml_error_object: - description: 'Location of customized error page to respond when xml violations are hit' - type: string - json_error_object: - description: 'Location of customized error page to respond when json violations are hit' - type: string - ip_reputation: - type: string - x-kubernetes-preserve-unknown-fields: true - description: 'Enabling IP reputation feature' - target: - description: 'To control what traffic to be inspected by Web Application Firewall. 
If you do not provide the target, everything will be inspected by default' - type: object - properties: - path: - type: array - description: "List of http urls to inspect" - items: - type: string - description: "URL path" - method: - type: array - description: "List of http methods to inspect" - items: - type: string - enum: ['GET', 'PUT', 'POST','DELETE'] - header: - type: array - description: "List of http headers to inspect" - items: - type: string - description: "header name" - security_checks: - description: 'To enable/disable application firewall security checks' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true - settings: - description: 'To fine tune application firewall security checks default settings' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true - relaxations: - description: 'Section which contains relaxation rules for known traffic and false positives' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true - enforcements: - description: 'Section which contains enforcement or restriction rules' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - 
x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: bots.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: bot - plural: bots - singular: bot - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the bot policies are applied.' - type: array - items: - type: string - maxLength: 127 - signatures: - description: 'Location of external bot signature file' - type: string - redirect_url: - description: 'url to redirect when bot violation is hit' - type: string - target: - description: 'To control what traffic to be inspected by BOT. 
If you do not provide the target, everything will be inspected by default' - type: object - properties: - path: - type: array - description: "List of http urls to inspect" - items: - type: string - description: "URL path" - method: - type: array - description: "List of http methods to inspect" - items: - type: string - enum: ['GET', 'PUT', 'POST','DELETE'] - header: - type: array - description: "List of http headers to inspect" - items: - type: string - description: "header name" - security_checks: - description: 'To enable/disable bot ecurity checks' - type: object - properties: - allow_list: - type: string - enum: ['ON', 'OFF'] - block_list: - type: string - enum: ['ON', 'OFF'] - device_fingerprint: - type: object - x-kubernetes-preserve-unknown-fields: true - reputation: - type: string - enum: ['ON', 'OFF'] - ratelimit: - type: string - enum: ['ON', 'OFF'] - tps: - type: string - enum: ['ON', 'OFF'] - trap: - type: object - x-kubernetes-preserve-unknown-fields: true - bindings: - description: 'Section which contains binding rules for bot security checks' - type: object - properties: - allow_list: - type: array - items: - type: object - properties: - subnet: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - expression: - type: object - x-kubernetes-preserve-unknown-fields: true - - block_list: - type: array - items: - type: object - properties: - subnet: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - expression: - type: object - x-kubernetes-preserve-unknown-fields: true - ratelimit: - type: array - items: - type: object - properties: - url: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - cookie: - type: object - x-kubernetes-preserve-unknown-fields: true - reputation: - type: object - x-kubernetes-preserve-unknown-fields: true 
- captcha: - type: array - items: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - tps: - type: object - properties: - geolocation: - type: object - x-kubernetes-preserve-unknown-fields: true - host: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - trapinsertion: - type: object - x-kubernetes-preserve-unknown-fields: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: apigatewaypolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: apigatewaypolicy - plural: apigatewaypolicies - singular: apigatewaypolicy - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - subresources: - status: {} - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - api_definition: - type: object - properties: - repository: - type: string - branch: - type: string - oas_secret_ref: - type: string - files: - type: array - items: - type: string - maxLength: 127 - api_proxy: - type: object - properties: - ipaddress: - type: string - port: - type: integer - protocol: - type: string - secret: - type: string - policies: - type: array - items: - type: object - properties: - name: - type: string - selector: - type: array - items: - type: object - properties: - tags: - type: array - items: - type: string - api: - type: string - method: - type: array - items: - type: string - maxLength: 127 - upstream: - type: object - properties: - 
service: - type: string - port: - type: integer - policy_bindings: - type: object - properties: - ratelimit: - type: object - properties: - name: - type: string - waf: - type: object - properties: - name: - type: string - rewritepolicy: - type: object - properties: - name: - type: string - bot: - type: object - properties: - name: - type: string - aaa: - type: array - items: - type: object - properties: - crd_name: - type: string - mappings: - type: array - items: - type: object - properties: - petstore_auth: - type: string - api_key: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: corspolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: corspolicy - plural: corspolicies - singular: corspolicy - shortNames: - - cp - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: 'Current Status of the CRD' - jsonPath: .status.state - - name: Message - type: string - description: 'Status Message' - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'The list of Kubernetes services to which you want to apply the cors policies.' 
- type: array - items: - type: string - maxLength: 63 - allow_origin: - description: 'Represents list of allowed origins, it is used to screen the “origin” in the cors pre flight request' - type: array - items: - type: string - maxLength: 2083 - allow_methods: - description: 'Indicates which methods are supported by the response’s URL for the purposes of the CORS protocol. This variable will be used to set Access-Control-Allow-Methods in the pre-flight cors response.' - type: array - items: - type: string - maxLength: 127 - allow_headers: - description: 'Indicates which headers are supported by the response’s URL for the purposes of the CORS protocol. This variable will be used to set Access-Control-Allow-Headers in the pre-flight cors response.' - type: array - items: - type: string - maxLength: 127 - max_age: - description: 'Indicates the number of seconds (5 by default) the information provided by the `Access-Control-Allow-Methods` and `Access-Control-Allow-Headers` headers can be cached. This variable will be used to set Access-Control-Max-Age in the pre-flight cors response.' - type: integer - allow_credentials: - description: 'Indicates whether the response can be shared when the request’s credentials mode is "include". This variable will be set to Access-Control-Allow-Credentials in the rewrite action.' 
- type: boolean - required: [servicenames, allow_origin, allow_methods, allow_headers] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: appqoepolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: appqoepolicy - plural: appqoepolicies - singular: appqoepolicy - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - appqoe-policies: - type: array - items: - type: object - properties: - servicenames: - description: 'Name of the services that needs to be binded to appqoe policy.' - type: array - items: - type: string - maxLength: 127 - appqoe-policy: - type: object - properties: - operation-retry: - type: object - properties: - on-reset: - description: "To set Retry on Connection Reset or Not" - type: string - enum: ['YES','NO'] - on-timeout: - description: "Time in milliseconds for retry" - type: integer - minimum: 30 - maximum: 2000 - number-of-retries: - description: "To set number of retries" - type: integer - minimum: 1 - maximum: 7 - required: [operation-retry] - appqoe-criteria: - description: 'Expression against which traffic is evaluated.' - type: string - maxLength: 1299 - direction: - description: 'Bind point to which to bind the policy.' 
- type: string - enum: ["REQUEST","RESPONSE"] - required: [appqoe-criteria, operation-retry] - required: [appqoe-policy] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: wildcarddnsentries.citrix.com -spec: - group: citrix.com - names: - kind: wildcarddnsentry - plural: wildcarddnsentries - singular: wildcarddnsentry - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: Current Status of the CRD - jsonPath: .status.state - - name: Message - type: string - description: Status Message - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - zone: - type: object - description: DNS configuration for a zone - properties: - domain: - type: string - description: Domain name - dnsaddrec: - type: object - description: DNS Address record - properties: - domain-ip: - type: string - description: IPv4 addresses to assign to the domain name - ttl: - type: integer - description: >- - TTL is the time for which the record must be cached - by DNS proxies - dnsaaaarec: - type: object - description: DNS AAAA record - properties: - domain-ip: - type: string - description: IPv6 addresses to assign to the domain name - ttl: - type: integer - description: >- - TTL is the time for which the record must be cached - by DNS proxies - soarec: - type: object - description: SOA record - properties: - origin-server: - type: string - description: Origin server domain - contact: - type: string - description: Admin contact - serial: - type: integer - description: >- - The secondary server uses this parameter to - determine whether it requires a zone transfer from - the primary server. 
- refresh: - type: integer - description: >- - Time, in seconds, for which a secondary server must - wait between successive checks on the value of the - serial number. - retry: - type: integer - description: >- - Time, in seconds, between retries if a secondary server's - attempt to contact the primary server for a zone refresh fails. - expire: - type: integer - description: >- - Time, in seconds, after which the zone data on a secondary - nameserver can no longer be considered authoritative because - all refresh and retry attempts made during the period have failed." - nsrec: - type: object - description: Name server record - properties: - nameserver: - type: string - description: Host name of the name server to add to the domain. - ttl: - type: integer - description: >- - Time to Live (TTL), in seconds, for the record. TTL - is the time for which the record must be cached by - DNS proxies. The specified TTL is applied to all the - resource records that are of the same record type - and belong to the specified domain name ---- -{{- end }} diff --git a/charts/citrix/citrix-ingress-controller/1.29.5/templates/citrix-k8s-ingress.yaml b/charts/citrix/citrix-ingress-controller/1.29.5/templates/citrix-k8s-ingress.yaml deleted file mode 100644 index a695346479..0000000000 --- a/charts/citrix/citrix-ingress-controller/1.29.5/templates/citrix-k8s-ingress.yaml +++ /dev/null 
@@ -1,264 +0,0 @@ -{{- if .Values.openshift }} -apiVersion: apps.openshift.io/v1 -kind: DeploymentConfig -{{- else }} -apiVersion: apps/v1 -kind: Deployment -{{- end }} -metadata: - name: {{ include "citrix-ingress-controller.fullname" . }} - namespace: {{ .Release.Namespace }} -spec: - selector: -{{- if .Values.openshift }} - router: {{ include "citrix-ingress-controller.fullname" . }} -{{- else }} - matchLabels: - app: {{ include "citrix-ingress-controller.fullname" . }} -{{- end }} - replicas: 1 -{{- if .Values.openshift }} - strategy: - resources: {} - rollingParams: - intervalSeconds: 1 - maxSurge: 0 - maxUnavailable: 25% - timeoutSeconds: 600 - updatePeriodSeconds: 1 - type: Rolling -{{- end }} - template: - metadata: - name: cic - labels: -{{- if .Values.openshift }} - router: {{ include "citrix-ingress-controller.fullname" . }} -{{- else }} - app: {{ include "citrix-ingress-controller.fullname" . }} -{{- end }} -{{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} -{{- end }} - spec: - serviceAccountName: {{ include "citrix-ingress-controller.serviceAccountName" . }} - containers: - - name: cic - image: "{{ tpl .Values.image . }}" - imagePullPolicy: {{ .Values.pullPolicy }} - args: - - --configmap - {{ .Release.Namespace }}/{{ include "cicconfigmap.fullname" . 
}} -{{- if .Values.defaultSSLCertSecret }} - - --default-ssl-certificate - {{ .Release.Namespace }}/{{ .Values.defaultSSLCertSecret }} -{{- end }} -{{- if .Values.ingressClass }} - - --ingress-classes -{{- range .Values.ingressClass}} - {{.}} -{{- end }} -{{- end }} -{{- if .Values.serviceClass }} - - --service-classes -{{- range .Values.serviceClass}} - {{.}} -{{- end }} -{{- end }} - - --feature-node-watch - {{ .Values.nodeWatch }} - - --enable-cnc-pbr - {{ .Values.cncPbr }} -{{- if .Values.ipam }} - - --ipam - citrix-ipam-controller -{{- end }} -{{- if .Values.disableAPIServerCertVerify }} - - --disable-apiserver-cert-verify - {{ .Values.disableAPIServerCertVerify }} -{{- end }} -{{- if .Values.updateIngressStatus }} - - --update-ingress-status - yes -{{- end }} - env: - - name: "NS_IP" - value: "{{ .Values.nsIP }}" -{{- if .Values.nsVIP }} - - name: "NS_VIP" - value: "{{ .Values.nsVIP }}" -{{- end }} -{{- if .Values.rbacRole }} - - name: "SCOPE" - value: "local" -{{- end }} -{{- if .Values.nitroReadTimeout }} - - name: "NS_NITRO_READ_TIMEOUT" - value: "{{ .Values.nitroReadTimeout }}" -{{- end }} - - name: "NS_USER" - {{- if and .Values.secretStore.enabled .Values.secretStore.username}} - {{- toYaml .Values.secretStore.username | nindent 10 }} - {{- else }} - valueFrom: - secretKeyRef: - name: {{ .Values.adcCredentialSecret }} - key: username - {{- end }} - - name: "NS_PASSWORD" - {{- if and .Values.secretStore.enabled .Values.secretStore.password}} - {{- toYaml .Values.secretStore.password | nindent 10 }} - {{- else }} - valueFrom: - secretKeyRef: - name: {{ .Values.adcCredentialSecret }} - key: password - {{- end }} - - name: "EULA" - value: "{{ .Values.license.accept }}" -{{- if and .Values.openshift .Values.routeLabels }} - - name: "ROUTE_LABELS" - value: {{ .Values.routeLabels | quote}} -{{- end }} -{{- if and .Values.openshift .Values.namespaceLabels }} - - name: "NAMESPACE_LABELS" - value: {{ .Values.namespaceLabels | quote }} -{{- end }} - - name: 
"NS_APPS_NAME_PREFIX" - value: {{ .Values.entityPrefix | default "k8s"}} -{{- if .Values.kubernetesURL }} - - name: "kubernetes_url" - value: "{{ .Values.kubernetesURL }}" -{{- end }} -{{- if .Values.clusterName }} - - name: "CLUSTER_NAME" - value: "{{ .Values.clusterName }}" -{{- end }} -{{- if .Values.logProxy }} - - name: "NS_LOGPROXY" - value: "{{ .Values.logProxy }}" -{{- end }} -{{- if .Values.disableOpenshiftRoutes }} - - name: "DISABLE_OPENSHIFT_ROUTES" - value: "{{ .Values.disableOpenshiftRoutes }}" -{{- end }} -{{- if .Values.nsConfigDnsRec }} - - name: "NS_CONFIG_DNS_REC" - value: "{{ .Values.nsConfigDnsRec }}" -{{- end }} -{{- if .Values.nsSvcLbDnsRec }} - - name: "NS_SVC_LB_DNS_REC" - value: "{{ .Values.nsSvcLbDnsRec }}" -{{- end }} -{{- if .Values.optimizeEndpointBinding }} - - name: "OPTIMIZE_ENDPOINT_BINDING" - value: "{{ .Values.optimizeEndpointBinding }}" -{{- end }} - resources: - {{- toYaml .Values.resources | nindent 12 }} - {{- if ne (len .Values.extraVolumeMounts) 0 }} - volumeMounts: -{{- toYaml .Values.extraVolumeMounts | nindent 8 }} - {{- end }} -{{- if .Values.exporter.required }} - - name: exporter - image: "{{ tpl .Values.exporter.image . 
}}" - imagePullPolicy: {{ .Values.exporter.pullPolicy }} - args: - - "--target-nsip={{ .Values.nsIP }}" - - "--port={{ .Values.exporter.ports.containerPort }}" - env: - - name: "NS_USER" - {{- if and .Values.secretStore.enabled .Values.secretStore.username}} - {{- toYaml .Values.secretStore.username | nindent 10 }} - {{- else }} - valueFrom: - secretKeyRef: - name: {{ .Values.adcCredentialSecret }} - key: username - {{- end }} - - name: "NS_PASSWORD" - {{- if and .Values.secretStore.enabled .Values.secretStore.password}} - {{- toYaml .Values.secretStore.password | nindent 10 }} - {{- else }} - valueFrom: - secretKeyRef: - name: {{ .Values.adcCredentialSecret }} - key: password - {{- end }} - {{- if ne (len .Values.exporter.extraVolumeMounts) 0 }} - volumeMounts: - {{- toYaml .Values.exporter.extraVolumeMounts | nindent 8 }} - {{- end }} - securityContext: - readOnlyRootFilesystem: true - resources: -{{- toYaml .Values.exporter.resources | nindent 12 }} -{{- end }} -{{- if or (and .Values.extraVolumeMounts .Values.extraVolumes) (and .Values.exporter.extraVolumeMounts .Values.extraVolumes) }} - volumes: -{{- end }} -{{- if ne (len .Values.extraVolumes) 0 }} -{{ toYaml .Values.extraVolumes | indent 6 }} -{{- end }} -{{- if and .Values.nodeSelector.key .Values.nodeSelector.value }} - nodeSelector: - {{ .Values.nodeSelector.key }}: {{ .Values.nodeSelector.value }} -{{- end }} -{{- if .Values.tolerations }} - tolerations: {{ .Values.tolerations | toYaml | nindent 8 }} -{{- end }} -{{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} -{{- end }} - ---- - -{{- if .Values.exporter.required }} - - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "exporter.fullname" . }} - labels: - app: {{ include "exporter.fullname" . }} - service-type: {{ include "servicemonitorlabel" . 
}} -spec: - type: ClusterIP - ports: - - port: {{ .Values.exporter.ports.containerPort }} - targetPort: {{ .Values.exporter.ports.containerPort }} - name: exporter-port - selector: -{{- if .Values.openshift }} - router: {{ include "citrix-ingress-controller.fullname" . }} -{{- else }} - app: {{ include "citrix-ingress-controller.fullname" . }} -{{- end }} - ---- - -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ include "servicemonitor.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - servicemonitor: citrix-adc -spec: - endpoints: - - interval: 30s - port: exporter-port - selector: - matchLabels: - service-type: {{ include "servicemonitorlabel" . }} - namespaceSelector: - matchNames: - - monitoring - - default - - {{ .Release.Namespace }} - -{{- end }} diff --git a/charts/citrix/citrix-ingress-controller/1.29.5/templates/configmap.yaml b/charts/citrix/citrix-ingress-controller/1.29.5/templates/configmap.yaml deleted file mode 100644 index 586906391b..0000000000 --- a/charts/citrix/citrix-ingress-controller/1.29.5/templates/configmap.yaml +++ /dev/null 
@@ -1,75 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "cicconfigmap.fullname" . }}
- namespace: {{ .Release.Namespace }}
-data:
- LOGLEVEL: {{ .Values.logLevel | quote | lower }}
- JSONLOG: {{ .Values.jsonLog | quote | lower }}
- NS_PROTOCOL: {{ .Values.nsProtocol | quote | lower }}
- NS_PORT: {{ .Values.nsPort | quote }}
-{{- if .Values.nsSNIPS }}
- NS_SNIPS: {{ .Values.nsSNIPS | toJson}}
-{{- end }}
-{{- if and .Values.analyticsConfig.required .Values.nsEnableLabel }}
- NS_ENABLE_LABELS: {{ .Values.nsEnableLabel | quote}}
-{{- end }}
-{{- if .Values.podIPsforServiceGroupMembers }}
- POD_IPS_FOR_SERVICEGROUP_MEMBERS: {{ .Values.podIPsforServiceGroupMembers | quote }}
-{{- end }}
-{{- if .Values.ignoreNodeExternalIP }}
- IGNORE_NODE_EXTERNAL_IP: {{ .Values.ignoreNodeExternalIP | quote }}
-{{- end }}
-
-{{- if ne (upper .Values.nsHTTP2ServerSide) "OFF" }}
- NS_HTTP2_SERVER_SIDE: {{ .Values.nsHTTP2ServerSide | quote }}
-{{- end }}
-{{- if ne (toString .Values.nsCookieVersion) "0" }}
- NS_COOKIE_VERSION: {{ .Values.nsCookieVersion | quote }}
-{{- end }}
-{{- if .Values.nsDnsNameserver }}
- NS_DNS_NAMESERVER: {{ .Values.nsDnsNameserver }}
-{{- end }}
-
-{{- if .Values.analyticsConfig.required }}
- NS_ANALYTICS_CONFIG: |
- distributed_tracing:
- enable: {{ .Values.analyticsConfig.distributedTracing.enable | quote }}
- samplingrate: {{ .Values.analyticsConfig.distributedTracing.samplingrate }}
- endpoint:
- server: {{ include "analytics.server" . | quote }}
- service: {{ .Values.analyticsConfig.endpoint.service | quote }}
- timeseries:
- port: {{ .Values.analyticsConfig.timeseries.port }}
- metrics:
- enable: {{ .Values.analyticsConfig.timeseries.metrics.enable | quote }}
- mode: {{ .Values.analyticsConfig.timeseries.metrics.mode | quote }}
- auditlogs:
- enable: {{ .Values.analyticsConfig.timeseries.auditlogs.enable | quote }}
- events:
- enable: {{ .Values.analyticsConfig.timeseries.events.enable | quote }}
- transactions:
- enable: {{ .Values.analyticsConfig.transactions.enable | quote }}
- port: {{ .Values.analyticsConfig.transactions.port }}
-{{- end }}
-
-{{- if .Values.nsLbHashAlgo.required }}
- NS_LB_HASH_ALGO: |
- hashFingers: {{ .Values.nsLbHashAlgo.hashFingers }}
- hashAlgorithm: {{ .Values.nsLbHashAlgo.hashAlgorithm | quote }}
-{{- end }}
-
-{{- if .Values.profileSslFrontend }}
- FRONTEND_SSL_PROFILE: |
- {{- toYaml .Values.profileSslFrontend | nindent 4 }}
-{{- end }}
-
-{{- if .Values.profileTcpFrontend }}
- FRONTEND_TCP_PROFILE: |
- {{- toYaml .Values.profileTcpFrontend | nindent 4 }}
-{{- end }}
-
-{{- if .Values.profileHttpFrontend }}
- FRONTEND_HTTP_PROFILE: |
- {{- toYaml .Values.profileHttpFrontend | nindent 4 }}
-{{- end }}
\ No newline at end of file
diff --git a/charts/citrix/citrix-ingress-controller/1.29.5/templates/ingressclass.yaml b/charts/citrix/citrix-ingress-controller/1.29.5/templates/ingressclass.yaml
deleted file mode 100644
index d75537b79f..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.29.5/templates/ingressclass.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{{- $default := .Values.setAsDefaultIngressClass -}}
-{{- if semverCompare ">=1.19.0-0" .Capabilities.KubeVersion.GitVersion }}
-{{- if .Values.ingressClass }}
-{{- range .Values.ingressClass }}
-apiVersion: networking.k8s.io/v1
-kind: IngressClass
-metadata:
- name: {{ . | quote }}
-{{- if $default }}
- annotations:
- ingressclass.kubernetes.io/is-default-class: "true"
-{{- end }}
-spec:
- controller: citrix.com/ingress-controller
----
-{{- end }}
-{{- end }}
-{{- end }}
diff --git a/charts/citrix/citrix-ingress-controller/1.29.5/templates/rbac.yaml b/charts/citrix/citrix-ingress-controller/1.29.5/templates/rbac.yaml
deleted file mode 100644
index c20c1512e0..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.29.5/templates/rbac.yaml
+++ /dev/null
@@ -1,106 +0,0 @@ -{{- if not .Values.rbacRole }} -kind: ClusterRole -{{- else }} -kind: Role -{{- end }} -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "citrix-ingress-controller.serviceAccountName" . }} -{{- if .Values.rbacRole }} - namespace: {{ .Release.Namespace }} -{{- end }} -rules: - - apiGroups: [""] -{{- if .Values.openshift }} - resources: ["endpoints", "pods", "secrets", "routes", "tokenreviews", "subjectaccessreviews", "nodes", "namespaces", "configmaps", "services"] -{{- else }} - resources: ["endpoints", "pods", "secrets", "routes", "nodes", "namespaces", "configmaps", "services"] -{{- end }} - verbs: ["get", "list", "watch"] - # services/status is needed to update the loadbalancer IP in service status for integrating - # service of type LoadBalancer with external-dns - - apiGroups: [""] - resources: ["services/status"] - verbs: ["patch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create"] - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["extensions","networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["patch"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingressclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apps"] - resources: ["deployments"] - verbs: ["get", "list", "watch"] - - apiGroups: ["citrix.com"] - resources: ["rewritepolicies", "continuousdeployments", "authpolicies", "ratelimits", "listeners", "httproutes", "wafs", "apigatewaypolicies", "bots", "corspolicies", "appqoepolicies", "wildcarddnsentries"] - verbs: ["get", "list", "watch", "create", "delete", "patch"] - - apiGroups: ["citrix.com"] - resources: ["rewritepolicies/status", "continuousdeployments/status", "authpolicies/status", "ratelimits/status", "listeners/status", "httproutes/status", "wafs/status", 
"apigatewaypolicies/status", "bots/status", "corspolicies/status", "appqoepolicies/status", "wildcarddnsentries/status"] - verbs: ["patch"] - - apiGroups: ["citrix.com"] - resources: ["vips"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: ["crd.projectcalico.org"] - resources: ["ipamblocks"] - verbs: ["get", "list", "watch"] -{{- if .Values.openshift }} - - apiGroups: ["route.openshift.io"] - resources: ["routes"] - verbs: ["get", "list", "watch"] - - apiGroups: ["network.openshift.io"] - resources: ["hostsubnets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["config.openshift.io"] - resources: ["networks"] - verbs: ["get", "list"] -{{- end }} - ---- - -{{- if not .Values.rbacRole }} -kind: ClusterRoleBinding -{{- else }} -kind: RoleBinding -{{- end }} -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "citrix-ingress-controller.serviceAccountName" . }} -{{- if .Values.rbacRole }} - namespace: {{ .Release.Namespace }} -{{- end }} -roleRef: - apiGroup: rbac.authorization.k8s.io -{{- if not .Values.rbacRole }} - kind: ClusterRole -{{- else }} - kind: Role -{{- end }} - name: {{ include "citrix-ingress-controller.serviceAccountName" . }} -subjects: -- kind: ServiceAccount - name: {{ include "citrix-ingress-controller.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "citrix-ingress-controller.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- if .Values.imagePullSecrets }} -imagePullSecrets: -{{- range .Values.imagePullSecrets }} -- name: {{.}} -{{- end }} -{{- end }} - diff --git a/charts/citrix/citrix-ingress-controller/1.29.5/values.yaml b/charts/citrix/citrix-ingress-controller/1.29.5/values.yaml deleted file mode 100644 index 480aab871b..0000000000 --- a/charts/citrix/citrix-ingress-controller/1.29.5/values.yaml +++ /dev/null 
@@ -1,199 +0,0 @@ -# Default values for citrix-ingress-controller. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -# Citrix Ingress Controller config details -imageRegistry: quay.io -imageRepository: citrix/citrix-k8s-ingress-controller -imageTag: 1.29.5 -image: "{{ .Values.imageRegistry }}/{{ .Values.imageRepository }}:{{ .Values.imageTag }}" -pullPolicy: IfNotPresent -imagePullSecrets: [] -nameOverride: "" -fullnameOverride: "" -openshift: false -adcCredentialSecret: # K8s Secret Name -# Enable secretStore to implement CSI Secret Provider classes for holding the nslogin credentials -secretStore: - enabled: false - username: {} - #valueFrom: - # configMapKeyRef: - # name: test1 - # key: username - password: {} - #valueFrom: - # configMapKeyRef: - # name: test1 - # key: password -nsIP: x.x.x.x -nsVIP: -nsSNIPS: -license: - accept: no -nsPort: 443 -nsProtocol: HTTPS -nsEnableLabel: true -# nitroReadTimeout is timeout value in seconds for nitro api read timeout(default is 20) -nitroReadTimeout: -logLevel: INFO -jsonLog: false -entityPrefix: -kubernetesURL: -clusterName: -ingressClass: -setAsDefaultIngressClass: False -serviceClass: -defaultSSLCertSecret: -podIPsforServiceGroupMembers: False -ignoreNodeExternalIP: False -ipam: False -# API server Cert verification can be disabled, while communicating with API Server, if disableAPIServerCertVerify set to True -disableAPIServerCertVerify: False -logProxy: -nodeWatch: false -cncPbr: False -nodeSelector: - key: - value: -tolerations: [] -updateIngressStatus: True -nsHTTP2ServerSide: "OFF" -nsCookieVersion: "0" -nsConfigDnsRec: -nsSvcLbDnsRec: -nsDnsNameserver: -optimizeEndpointBinding: -routeLabels: -namespaceLabels: -disableOpenshiftRoutes: -profileSslFrontend: {} - # preconfigured: my_ssl_profile - # OR - # config: - # tls13: 'ENABLED' - # hsts: 'ENABLED' -profileHttpFrontend: {} - # preconfigured: my_http_profile - # OR - # config: - # dropinvalreqs: 'ENABLED' - # websocket: 
'ENABLED' -profileTcpFrontend: {} - # preconfigured: my_tcp_profile - # OR - # config: - # sack: 'ENABLED' - # nagle: 'ENABLED' - -# Exporter config details -exporter: - required: false - imageRegistry: quay.io - imageRepository: citrix/citrix-adc-metrics-exporter - imageTag: 1.4.9 - image: "{{ .Values.exporter.imageRegistry }}/{{ .Values.exporter.imageRepository }}:{{ .Values.exporter.imageTag }}" - pullPolicy: IfNotPresent - ports: - containerPort: 8888 - resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - extraVolumeMounts: [] - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. - #- name: github-key - # mountPath: /etc/config/keys/ - # readOnly: true - #- name: agent-init-scripts - # mountPath: /docker-entrypoint.d/ - -# For CRDs supported by Citrix Ingress Controller -crds: - install: false - retainOnDelete: false - -# Enable RBAC role (so called local role), by default CIC deployed with ClusterRole. 
-# below variable to deploy CIC with RBAC role, only ingress service supported with this config -rbacRole: False - -# Config required to be done by Citrix Ingress Controller for sending metrics to Citrix Observability Exporter -analyticsConfig: - required: false - distributedTracing: - enable: false - samplingrate: 100 - endpoint: - server: - service: - timeseries: - port: 30002 - metrics: - enable: false - mode: 'avro' - auditlogs: - enable: false - events: - enable: false - transactions: - enable: false - port: 30001 - -nsLbHashAlgo: - required: false - hashFingers: 256 - hashAlgorithm: 'DEFAULT' - -# Specifies whether a ServiceAccount should be created -serviceAccount: - create: true - # The name of the ServiceAccount to use. - # If not set and `create` is true, a name is generated using the fullname template - # name: - -podAnnotations: {} - -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # Following values depends on no of ingresses configured by Ingress Controllers, so it is - # advised to test with maximum no of ingresses to set these values. - # limits: - # cpu: 1000m - # memory: 1000Mi - # requests: - # cpu: 500m - # memory: 500Mi - -affinity: {} - -extraVolumeMounts: [] - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. - #- name: github-key - # mountPath: /etc/config/keys/ - # readOnly: true - #- name: agent-init-scripts - # mountPath: /docker-entrypoint.d/ - -extraVolumes: [] - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. 
- #- name: agent-init-scripts
- # configMap:
- # name: agent-init-scripts
- # defaultMode: 0755
- #- name: github-key
- # secret:
- # secretName: github-key
- # defaultMode: 0744
diff --git a/charts/citrix/citrix-ingress-controller/1.30.1/Chart.yaml b/charts/citrix/citrix-ingress-controller/1.30.1/Chart.yaml
deleted file mode 100644
index dcd1f80523..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.30.1/Chart.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-annotations:
- catalog.cattle.io/certified: partner
- catalog.cattle.io/display-name: Citrix Ingress Controller
- catalog.cattle.io/kube-version: '>=v1.16.0-0'
- catalog.cattle.io/release-name: citrix-ingress-controller
-apiVersion: v2
-appVersion: 1.30.1
-deprecated: true
-description: A Helm chart for Citrix Ingress Controller configuring MPX/VPX.
-home: https://www.cloud.com
-icon: https://raw.githubusercontent.com/citrix/citrix-helm-charts/gh-pages/icon.png
-kubeVersion: '>=v1.16.0-0'
-maintainers:
-- email: priyanka.sharma@cloud.com
- name: priyankash-citrix
-- email: subash.dangol@cloud.com
- name: subashd
-name: citrix-ingress-controller
-sources:
-- https://github.com/citrix/citrix-k8s-ingress-controller
-version: 1.30.1
diff --git a/charts/citrix/citrix-ingress-controller/1.30.1/README.md b/charts/citrix/citrix-ingress-controller/1.30.1/README.md
deleted file mode 100644
index f4751b7ac2..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.30.1/README.md
+++ /dev/null
@@ -1,496 +0,0 @@ -# Citrix Ingress Controller - -[Citrix](https://www.citrix.com/en-in/) provides an Ingress Controller for Citrix ADC MPX (hardware), Citrix ADC VPX (virtualized), and [Citrix ADC CPX](https://docs.citrix.com/en-us/citrix-adc-cpx/13/about.html) (containerized) for [bare metal](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/deployment/baremetal) and [cloud](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/deployment) deployments. It configures one or more Citrix ADC based on the Ingress resource configuration in [Kubernetes](https://kubernetes.io/) or in [OpenShift](https://www.openshift.com) cluster. - -## TL;DR; - -### For Kubernetes - ``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install cic citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret= - ``` - - To install Citrix Provided Custom Resource Definition(CRDs) along with Citrix Ingress Controller - ``` - helm install cic citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,crds.install=true - ``` - -### For OpenShift - - ``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install cic citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,openshift=true - ``` - - To install Citrix Provided Custom Resource Definition(CRDs) along with Citrix Ingress Controller - ``` - helm install cic citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,openshift=true,crds.install=true - ``` - -> **Important:** -> -> The `license.accept` argument is mandatory. Ensure that you set the value as `yes` to accept the terms and conditions of the Citrix license. - -## Introduction -This Helm chart deploys Citrix ingress controller in the [Kubernetes](https://kubernetes.io) or in the [Openshift](https://www.openshift.com) cluster using [Helm](https://helm.sh) package manager. 
- -### Prerequisites - -- The [Kubernetes](https://kubernetes.io/) version should be 1.16 and above if using Kubernetes environment. -- The [Openshift](https://www.openshift.com) version 4.8 or later if using OpenShift platform. -- The [Helm](https://helm.sh/) version 3.x or later. You can follow instruction given [here](https://github.com/citrix/citrix-helm-charts/blob/master/Helm_Installation_version_3.md) to install the same. -- You determine the NS_IP IP address needed by the controller to communicate with Citrix ADC. The IP address might be anyone of the following depending on the type of Citrix ADC deployment: - - - (Standalone appliances) NSIP - The management IP address of a standalone Citrix ADC appliance. For more information, see [IP Addressing in Citrix ADC](https://docs.citrix.com/en-us/citrix-adc/12-1/networking/ip-addressing.html). - - - (Appliances in High Availability mode) SNIP - The subnet IP address. For more information, see [IP Addressing in Citrix ADC](https://docs.citrix.com/en-us/citrix-adc/12-1/networking/ip-addressing.html). - - - (Appliances in Clustered mode) CLIP - The cluster management IP (CLIP) address for a clustered Citrix ADC deployment. For more information, see [IP addressing for a cluster](https://docs.citrix.com/en-us/citrix-adc/12-1/clustering/cluster-overview/ip-addressing.html). - -- You have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator), if you want to view the metrics of the Citrix ADC CPX collected by the [metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics). - -- The user name and password of the Citrix ADC VPX or MPX appliance used as the ingress device. The Citrix ADC appliance needs to have system user account (non-default) with certain privileges so that Citrix ingress controller can configure the Citrix ADC VPX or MPX appliance. 
For instructions to create the system user account on Citrix ADC, see [Create System User Account for CIC in Citrix ADC](#create-system-user-account-for-cic-in-citrix-adc). - - You can pass user name and password using Kubernetes secrets. Create a Kubernetes secret for the user name and password using the following command: - - ``` - kubectl create secret generic nslogin --from-literal=username='cic' --from-literal=password='mypassword' - ``` - -#### Create system User account for Citrix ingress controller in Citrix ADC - -Citrix ingress controller configures the Citrix ADC using a system user account of the Citrix ADC. The system user account should have certain privileges so that the CIC has permission configure the following on the Citrix ADC: - -- Add, Delete, or View Content Switching (CS) virtual server -- Configure CS policies and actions -- Configure Load Balancing (LB) virtual server -- Configure Service groups -- Cofigure SSl certkeys -- Configure routes -- Configure user monitors -- Add system file (for uploading SSL certkeys from Kubernetes) -- Configure Virtual IP address (VIP) -- Check the status of the Citrix ADC appliance - -> **Note:** -> -> The system user account would have privileges based on the command policy that you define. - -To create the system user account, do the following: - -1. Log on to the Citrix ADC appliance. Perform the following: - 1. Use an SSH client, such as PuTTy, to open an SSH connection to the Citrix ADC appliance. - - 2. Log on to the appliance by using the administrator credentials. - -2. Create the system user account using the following command: - - ``` - add system user - ``` - - For example: - - ``` - add system user cic mypassword - ``` - -3. Create a policy to provide required permissions to the system user account. 
Use the following command: - - ``` - add cmdpolicy cic-policy ALLOW '^(\?!shell)(\?!sftp)(\?!scp)(\?!batch)(\?!source)(\?!.*superuser)(\?!.*nsroot)(\?!install)(\?!show\s+system\s+(user|cmdPolicy|file))(\?!(set|add|rm|create|export|kill)\s+system)(\?!(unbind|bind)\s+system\s+(user|group))(\?!diff\s+ns\s+config)(\?!(set|unset|add|rm|bind|unbind|switch)\s+ns\s+partition).*|(^install\s*(wi|wf))|(^\S+\s+system\s+file)^(\?!shell)(\?!sftp)(\?!scp)(\?!batch)(\?!source)(\?!.*superuser)(\?!.*nsroot)(\?!install)(\?!show\s+system\s+(user|cmdPolicy|file))(\?!(set|add|rm|create|export|kill)\s+system)(\?!(unbind|bind)\s+system\s+(user|group))(\?!diff\s+ns\s+config)(\?!(set|unset|add|rm|bind|unbind|switch)\s+ns\s+partition).*|(^install\s*(wi|wf))|(^\S+\s+system\s+file)' - ``` - - **Note**: The system user account would have privileges based on the command policy that you define. - The command policy mentioned in ***step 3*** is similar to the built-in `sysAdmin` command policy with another permission to upload files. - - The command policy spec provided above have already escaped special characters for easier copy pasting into the Citrix ADC command line. - - For configuring the command policy from Citrix ADC Configuration Wizard (GUI), use the below command policy spec. - - ``` - ^(?!shell)(?!sftp)(?!scp)(?!batch)(?!source)(?!.*superuser)(?!.*nsroot)(?!install)(?!show\s+system\s+(user|cmdPolicy|file))(?!(set|add|rm|create|export|kill)\s+system)(?!(unbind|bind)\s+system\s+(user|group))(?!diff\s+ns\s+config)(?!(set|unset|add|rm|bind|unbind|switch)\s+ns\s+partition).*|(^install\s*(wi|wf))|(^\S+\s+system\s+file)^(?!shell)(?!sftp)(?!scp)(?!batch)(?!source)(?!.*superuser)(?!.*nsroot)(?!install)(?!show\s+system\s+(user|cmdPolicy|file))(?!(set|add|rm|create|export|kill)\s+system)(?!(unbind|bind)\s+system\s+(user|group))(?!diff\s+ns\s+config)(?!(set|unset|add|rm|bind|unbind|switch)\s+ns\s+partition).*|(^install\s*(wi|wf))|(^\S+\s+system\s+file) - ``` - -4. 
Bind the policy to the system user account using the following command: - - ``` - bind system user cic cic-policy 0 - ``` - -## Installing the Chart -Add the Citrix Ingress Controller helm chart repository using command: - -``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ -``` - -### For Kubernetes: -#### 1. Citrix Ingress Controller -To install the chart with the release name, `my-release`, use the following command: - ``` - helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,ingressClass[0]= - ``` - -> **Note:** -> -> By default the chart installs the recommended [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) roles and role bindings. - -The command deploys Citrix ingress controller on Kubernetes cluster with the default configuration. The [configuration](#configuration) section lists the mandatory and optional parameters that you can configure during installation. - -#### 2. Citrix Ingress Controller with Exporter -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed along with Citrix ingress controller and collects metrics from the Citrix ADC instances. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. - -> **Note:** -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). 
- -Use the following command for this: - ``` - helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,ingressClass[0]=,exporter.required=true - ``` - -### For Openshift: -Add the name of the service account created when the chart is deployed to the privileged Security Context Constraints of OpenShift: - - ``` - oc adm policy add-scc-to-user privileged system:serviceaccount:: - ``` - -#### 1. Citrix Ingress Controller -To install the chart with the release name, `my-release`, use the following command: - ``` - helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,openshift=true - ``` - -The command deploys Citrix ingress controller on your Openshift cluster in the default configuration. The [configuration](#configuration) section lists the mandatory and optional parameters that you can configure during installation. - -#### 2. Citrix Ingress Controller with Exporter -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed along with Citrix ingress controller and collects metrics from the Citrix ADC instances. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. 
- -> **Note:** -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator) - -Use the following command for this: - ``` - helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,openshift=true,exporter.required=true - ``` - -### Installed components - -The following components are installed: - -- [Citrix ingress controller](https://github.com/citrix/citrix-k8s-ingress-controller) -- [Exporter](https://github.com/citrix/citrix-adc-metrics-exporter) (if enabled) - -## Configuration for ServiceGraph: - If Citrix ADC VPX/MPX need to send data to the Citrix ADM to bring up the servicegraph, then the below steps can be followed to install Citrix ingress controller for Citrix ADC VPX/MPX. Citrix ingress controller configures Citrix ADC VPX/MPX with the configuration required for servicegraph. - - 1. Create secret using Citrix ADC VPX credentials, which will be used by Citrix ingress controller for configuring Citrix ADC VPX/MPX: - - kubectl create secret generic nslogin --from-literal=username='cic' --from-literal=password='mypassword' - - 2. Deploy Citrix ingress controller using helm command: - - helm install my-release citrix/citrix-ingress-controller --set nsIP=,nsVIP=,license.accept=yes,adcCredentialSecret=,analyticsConfig.required=true,analyticsConfig.timeseries.metrics.enable=true,analyticsConfig.timeseries.port=5563,analyticsConfig.distributedTracing.enable=true,analyticsConfig.transactions.enable=true,analyticsConfig.transactions.port=5557,analyticsConfig.endpoint.server= - -> **Note:** -> If container agent is being used here for Citrix ADM, please provide `podIP` of container agent in the `analyticsConfig.endpoint.server` parameter. - -## CRDs configuration - -CRDs can be installed/upgraded when we install/upgrade Citrix ingress controller using `crds.install=true` parameter in Helm. If you do not want to install CRDs, then set the option `crds.install` to `false`. 
By default, CRDs too get deleted if you uninstall through Helm. This means, even the CustomResource objects created by the customer will get deleted. If you want to avoid this data loss set `crds.retainOnDelete` to `true`. - -> **Note:** -> Installing again may fail due to the presence of CRDs. Make sure that you back up all CustomResource objects and clean up CRDs before re-installing Citrix Ingress Controller. - -There are a few examples of how to use these CRDs, which are placed in the folder: [Example-CRDs](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds). Refer to them and install as needed, using the following command: -```kubectl create -f ``` - -### Details of the supported CRDs: - -#### authpolicies CRD: - -Authentication policies are used to enforce access restrictions to resources hosted by an application or an API server. - -Citrix provides a Kubernetes CustomResourceDefinitions (CRDs) called the [Auth CRD](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/auth) that you can use with the Citrix ingress controller to define authentication policies on the ingress Citrix ADC. - -Example file: [auth_example.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/auth_example.yaml) - -#### continuousdeployments CRD for canary: - -Canary release is a technique to reduce the risk of introducing a new software version in production by first rolling out the change to a small subset of users. After user validation, the application is rolled out to the larger set of users. Citrix ADC-Integrated [Canary Deployment solution](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/canary) stitches together all components of continuous delivery (CD) and makes canary deployment easier for the application developers. 
- -#### httproutes and listeners CRDs for contentrouting: - -[Content Routing (CR)](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/contentrouting) is the execution of defined rules that determine the placement and configuration of network traffic between users and web applications, based on the content being sent. For example, a pattern in the URL or header fields of the request. - -Example files: [HTTPRoute_crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/HTTPRoute_crd.yaml), [Listener_crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/Listener_crd.yaml) - -#### ratelimits CRD: - -In a Kubernetes deployment, you can [rate limit the requests](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/ratelimit) to the resources on the back end server or services using rate limiting feature provided by the ingress Citrix ADC. - -Example files: [ratelimit-example1.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/ratelimit-example1.yaml), [ratelimit-example2.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/ratelimit-example2.yaml) - -#### vips CRD: - -Citrix provides a CustomResourceDefinitions (CRD) called [VIP](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/vip) for asynchronous communication between the IPAM controller and Citrix ingress controller. - -The IPAM controller is provided by Citrix for IP address management. It allocates IP address to the service from a defined IP address range. The Citrix ingress controller configures the IP address allocated to the service as virtual IP (VIP) in Citrix ADX VPX. And, the service is exposed using the IP address. - -When a new service is created, the Citrix ingress controller creates a CRD object for the service with an empty IP address field. 
The IPAM Controller listens to addition, deletion, or modification of the CRD and updates it with an IP address to the CRD. Once the CRD object is updated, the Citrix ingress controller automatically configures Citrix ADC-specfic configuration in the tier-1 Citrix ADC VPX. - -#### rewritepolicies CRD: - -In kubernetes environment, to deploy specific layer 7 policies to handle scenarios such as, redirecting HTTP traffic to a specific URL, blocking a set of IP addresses to mitigate DDoS attacks, imposing HTTP to HTTPS and so on, requires you to add appropriate libraries within the microservices and manually configure the policies. Instead, you can use the [Rewrite and Responder features](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/crd/rewrite-responder-policies-deployment.yaml) provided by the Ingress Citrix ADC device to deploy these policies. - -Example files: [target-url-rewrite.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/target-url-rewrite.yaml) - -#### wafs CRD: - -[WAF CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/waf.md) can be used to configure the web application firewall policies with the Citrix ingress controller on the Citrix ADC VPX, MPX, SDX, and CPX. The WAF CRD enables communication between the Citrix ingress controller and Citrix ADC for enforcing web application firewall policies. - -In a Kubernetes deployment, you can enforce a web application firewall policy to protect the server using the WAF CRD. For more information about web application firewall, see [Web application security](https://docs.citrix.com/en-us/citrix-adc/13/application-firewall/introduction/web-application-security.html). - -Example files: [wafhtmlxsssql.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/wafhtmlxsssql.yaml) - -#### apigateway CRD: - -API Gateway CRD is used to configure gitops framework on citrix API gateway. 
This solution enables citrix ingress controller to generate API gateway configurations out of Open API Specification documents checked in to git repository by API developers and designers. - -Example files: [api-gateway-crd-instance.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/api-gateway-crd-instance.yaml) -#### bots CRD: - -[BOT CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/bot.md) You can use Bot CRDs to configure the bot management policies with the Citrix ingress controller on the Citrix ADC VPX. The Bot custom resource definition enables communication between the Citrix ingress controller and Citrix ADC for enforcing bot management policies. - -In a Kubernetes deployment, you can enforce bot management policy on therequests and responses from and to the server using the Bot CRDs. For more information on security vulnerabilities, see [Bot Detection](https://docs.citrix.com/en-us/citrix-adc/current-release/bot-management/bot-detection.html). - -Example files: [botallowlist.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/botallowlist.yaml) - -#### CORS CRD: - -[CORS CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/cors.md) Cross-origin resource sharing (CORS) is a mechanism allows a web application running under one domain to securely access resources in another domain. You can configure CORS policies on Citrix ADC using Citrix ingress controller to allow one domain (the origin domain) to call APIs in another domain. For more information, see the [cross-origin resource sharing CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/cors.md) documentation. 
- -Example files: [cors-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/corspolicy-example.yaml) - -#### APPQOE CRD: - -[APPQOE CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/appqoe.md) When a Citrix ADC appliance receives an HTTP request and forwards it to a back-end server, sometimes there may be connection failures with the back-end server. You can configure the request-retry feature on Citrix ADC to forward the request to the next available server, instead of sending the reset to the client. Hence, the client saves round trip time when Citrix ADC initiates the same request to the next available service. -For more information, see the AppQoE support documentation. [Appqoe resource sharing CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/appqoe.md) documentation. - -Example files: [appqoe-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/appqoe_example.yaml) - -#### WILDCARDDNS CRD: - -[WILDCARDDNS CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/wildcarddns.md) Wildcard DNS domains are used to handle requests for nonexistent domains and subdomains. In a zone, use wildcard domains to redirect queries for all nonexistent domains or subdomains to a particular server, instead of creating a separate Resource Record (RR) for each domain. The most common use of a wildcard DNS domain is to create a zone that can be used to forward mail from the internet to some other mail system. -For more information, see the Wild card DNS domains support documentation. [Wildcard DNS Entry CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/wildcarddns.md) documentation. 
- -Example files: [wildcarddns-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/wildcarddns-example.yaml) - -### Tolerations - -Taints are applied on cluster nodes whereas tolerations are applied on pods. Tolerations enable pods to be scheduled on node with matching taints. For more information see [Taints and Tolerations in Kubernetes](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/). - -Toleration can be applied to Citrix ingress controller pod using `tolerations` argument while deploying CIC using helm chart. This argument takes list of tolerations that user need to apply on the CIC pods. - -For example, following command can be used to apply toleration on the CIC pod: - -``` -helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,tolerations[0].key=,tolerations[0].value=,tolerations[0].operator=,tolerations[0].effect= -``` - -Here tolerations[0].key, tolerations[0].value and tolerations[0].effect are the key, value and effect that was used while tainting the node. -Effect represents what should happen to the pod if the pod don't have any matching toleration. It can have values `NoSchedule`, `NoExecute` and `PreferNoSchedule`. -Operator represents the operation to be used for key and value comparison between taint and tolerations. It can have values `Exists` and `Equal`. The default value for operator is `Equal`. - - - -### Configuration - -The following table lists the mandatory and optional parameters that you can configure during installation: - -| Parameters | Mandatory or Optional | Default value | Description | -| --------- | --------------------- | ------------- | ----------- | -| license.accept | Mandatory | no | Set `yes` to accept the CIC end user license agreement. 
| -| imageRegistry | Mandatory | `quay.io` | The Citrix ingress controller image registry | -| imageRepository | Mandatory | `citrix/citrix-k8s-ingress-controller` | The Citrix ingress controller image repository | -| imageTag | Mandatory | `1.30.1` | The Citrix ingress controller image tag | -| pullPolicy | Mandatory | IfNotPresent | The CIC image pull policy. | -| imagePullSecrets | Optional | N/A | Provide list of Kubernetes secrets to be used for pulling the images from a private Docker registry or repository. For more information on how to create this secret please see [Pull an Image from a Private Registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/). | -| nameOverride | Optional | N/A | String to partially override deployment fullname template with a string (will prepend the release name) | -| fullNameOverride | Optional | N/A | String to fully override deployment fullname template with a string | -| resources | Optional | {} | CPU/Memory resource requests/limits for Citrix Ingress Controller container | -| adcCredentialSecret | Mandatory | N/A | The secret key to log on to the Citrix ADC VPX or MPX. For information on how to create the secret keys, see [Prerequisites](#prerequistes). | -| secretStore.enabled | Optional | False | Set to "True" for deploying other Secret Provider classes | -| secretStore.username | Optional | N/A | if `secretStore.enabled`, `username` of ADC will be fetched from the Secret Provider | -| secretStore.password | Optional | N/A | if `secretStore.enabled`, `password` of ADC will be fetched from the Secret Provider | -| nsIP | Mandatory | N/A | The IP address of the Citrix ADC device. For details, see [Prerequisites](#prerequistes). | -| nsVIP | Optional | N/A | The Virtual IP address on the Citrix ADC device. 
| -| nsSNIPS | Optional | N/A | The list of subnet IPAddresses on the Citrix ADC device, which will be used to create PBR Routes instead of Static Routes [PBR support](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/docs/how-to/pbr.md) | -| nsPort | Optional | 443 | The port used by CIC to communicate with Citrix ADC. You can use port 80 for HTTP. | -| nsProtocol | Optional | HTTPS | The protocol used by CIC to communicate with Citrix ADC. You can also use HTTP on port 80. | -| nsEnableLabel | Optional | True | Set to true for plotting Servicegraph. Ensure ``analyticsConfig` are set. | -| nitroReadTimeout | Optional | 20 | The nitro Read timeout in seconds, defaults to 20 | -| logLevel | Optional | DEBUG | The loglevel to control the logs generated by CIC. The supported loglevels are: CRITICAL, ERROR, WARNING, INFO, DEBUG and TRACE. For more information, see [Logging](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/configure/log-levels.md).| -| jsonLog | Optional | false | Set this argument to true if log messages are required in JSON format | -| nsConfigDnsRec | Optional | false | To enable/disable DNS address Record addition in ADC through Ingress | -| nsSvcLbDnsRec | Optional | false | To enable/disable DNS address Record addition in ADC through Type Load Balancer Service | -| nsDnsNameserver | Optional | N/A | To add DNS Nameservers in ADC | -| optimizeEndpointBinding | Optional | false | To enable/disable binding of backend endpoints to servicegroup in a single API-call. Recommended when endpoints(pods) per application are large in number. Applicable only for Citrix ADC Version >=13.0-45.7 | -| kubernetesURL | Optional | N/A | The kube-apiserver url that CIC uses to register the events. If the value is not specified, CIC uses the [internal kube-apiserver IP address](https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod). 
| -| clusterName | Optional | N/A | The unique identifier of the kubernetes cluster on which the CIC is deployed. Used in multi-cluster deployments. | -| ingressClass | Optional | N/A | If multiple ingress load balancers are used to load balance different ingress resources. You can use this parameter to specify CIC to configure Citrix ADC associated with specific ingress class. For more information on Ingress class, see [Ingress class support](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/configure/ingress-classes/). For Kubernetes version >= 1.19, this will create an IngressClass object with the name specified here | -| setAsDefaultIngressClass | Optional | False | Set the IngressClass object as default ingress class. New Ingresses without an "ingressClassName" field specified will be assigned the class specified in ingressClass. Applicable only for kubernetes versions >= 1.19 | -| serviceClass | Optional | N/A | By Default ingress controller configures all TypeLB Service on the ADC. You can use this parameter to finetune this behavior by specifing CIC to only configure TypeLB Service with specific service class. For more information on Service class, see [Service class support](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/configure/service-classes/). | -| nodeWatch | Optional | false | Use the argument if you want to automatically configure network route from the Ingress Citrix ADC VPX or MPX to the pods in the Kubernetes cluster. For more information, see [Automatically configure route on the Citrix ADC instance](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/network/staticrouting/#automatically-configure-route-on-the-citrix-adc-instance). | -| cncPbr | Optional | False | Use this argument to inform CIC that Citrix Node Controller(CNC) is configuring Policy Based Routes(PBR) on the Citrix ADC. 
For more information, see [CNC-PBR-SUPPORT](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/docs/how-to/pbr.md#configure-pbr-using-the-citrix-node-controller) | -| defaultSSLCertSecret | Optional | N/A | Provide Kubernetes secret name that needs to be used as a default non-SNI certificate in Citrix ADC. | -| podIPsforServiceGroupMembers | Optional | False | By default Citrix Ingress Controller will add NodeIP and NodePort as service group members while configuring type LoadBalancer Services and NodePort services. This variable if set to `True` will change the behaviour to add pod IP and Pod port instead of nodeIP and nodePort. Users can set this to `True` if there is a route between ADC and K8s clusters internal pods either using feature-node-watch argument or using Citrix Node Controller. | -| ignoreNodeExternalIP | Optional | False | While adding NodeIP, as Service group members for type LoadBalancer services or NodePort services, Citrix Ingress Controller has a selection criteria whereas it choose Node ExternalIP if available and Node InternalIP, if Node ExternalIP is not present. But some users may want to use Node InternalIP over Node ExternalIP even if Node ExternalIP is present. If this variable is set to `True`, then it prioritises the Node Internal IP to be used for service group members even if node ExternalIP is present | -| nsHTTP2ServerSide | Optional | OFF | Set this argument to `ON` for enabling HTTP2 for Citrix ADC service group configurations. | -| nsCookieVersion | Optional | 0 | Specify the persistence cookie version (0 or 1). | -| profileSslFrontend | Optional | N/A | Specify the frontend SSL profile. For Details see [Configuration using FRONTEND_SSL_PROFILE](https://docs.citrix.com/en-us/citrix-k8s-ingress-controller/configure/profiles.html#global-front-end-profile-configuration-using-configmap-variables) | -| profileTcpFrontend | Optional | N/A | Specify the frontend TCP profile. 
For Details see [Configuration using FRONTEND_TCP_PROFILE](https://docs.citrix.com/en-us/citrix-k8s-ingress-controller/configure/profiles.html#global-front-end-profile-configuration-using-configmap-variables) | -| profileHttpFrontend | Optional | N/A | Specify the frontend HTTP profile. For Details see [Configuration using FRONTEND_HTTP_PROFILE](https://docs.citrix.com/en-us/citrix-k8s-ingress-controller/configure/profiles.html#global-front-end-profile-configuration-using-configmap-variables) | -| ipam | Optional | False | Set this argument if you want to use the IPAM controller to automatically allocate an IP address to the service of type LoadBalancer. | -| disableAPIServerCertVerify | Optional | False | Set this parameter to True for disabling API Server certificate verification. | -| logProxy | Optional | N/A | Provide Elasticsearch or Kafka or Zipkin endpoint for Citrix observability exporter. | -| entityPrefix | Optional | k8s | The prefix for the resources on the Citrix ADC VPX/MPX. | -| updateIngressStatus | Optional | True | Set this argurment if `Status.LoadBalancer.Ingress` field of the Ingress resources managed by the Citrix ingress controller needs to be updated with allocated IP addresses. For more information see [this](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/configure/ingress-classes.md#updating-the-ingress-status-for-the-ingress-resources-with-the-specified-ip-address). | -| routeLabels | Optional | N/A | You can use this parameter to provide the route labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster. | -| namespaceLabels | Optional | N/A | You can use this parameter to provide the namespace labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster. | -| podAnnotations | Optional | N/A | Map of annotations to add to the pods. | -| affinity | Optional | N/A | Affinity labels for pod assignment. 
| -| exporter.required | Optional | false | Use the argument, if you want to run the [Exporter for Citrix ADC Stats](https://github.com/citrix/citrix-adc-metrics-exporter) along with CIC to pull metrics for the Citrix ADC VPX or MPX| -| exporter.imageRegistry | Optional | `quay.io` | The Exporter for Citrix ADC Stats image registry | -| exporter.imageRepository | Optional | `citrix/citrix-adc-metrics-exporter` | The Exporter for Citrix ADC Stats image repository | -| exporter.imageTag | Optional | `1.4.9` | The Exporter for Citrix ADC Stats image tag | -| exporter.pullPolicy | Optional | IfNotPresent | The Exporter image pull policy. | -| exporter.ports.containerPort | Optional | 8888 | The Exporter container port. | -| exporter.resources | Optional | {} | CPU/Memory resource requests/limits for Metrics exporter container | -| exporter.extraVolumeMounts | Optional | [] | Specify the Additional VolumeMounts to be mounted in Exporter container. Specify the volumes in `extraVolumes` | -| openshift | Optional | false | Set this argument if OpenShift environment is being used. | -| disableOpenshiftRoutes | Optional | false | By default Openshift routes are processed in openshift environment, this variable can be used to disable Ingress controller processing the openshift routes. | -| nodeSelector.key | Optional | N/A | Node label key to be used for nodeSelector option in CIC deployment. | -| nodeSelector.value | Optional | N/A | Node label value to be used for nodeSelector option in CIC deployment. | -| tolerations | Optional | N/A | Specify the tolerations for the CIC deployment. | -| crds.install | Optional | False | Unset this argument if you don't want to install CustomResourceDefinitions which are consumed by CIC. | -| crds.retainOnDelete | Optional | false | Set this argument if you want to retain CustomResourceDefinitions even after uninstalling CIC. This will avoid data-loss of Custom Resource Objects created before uninstallation. 
| -| analyticsConfig.required | Mandatory | false | Set this to true if you want to configure Citrix ADC to send metrics and transaction records to analytics . | -| analyticsConfig.distributedTracing.enable | Optional | false | Set this value to true to enable OpenTracing in Citrix ADC. | -| analyticsConfig.distributedTracing.samplingrate | Optional | 100 | Specifies the OpenTracing sampling rate in percentage. | -| analyticsConfig.endpoint.server | Optional | N/A | Set this value as the IP address or DNS address of the analytics server. | -| analyticsConfig.endpoint.service | Optional | N/A | Set this value as the IP address or service name with namespace of the analytics service deployed in k8s environment. Format: namespace/servicename | -| analyticsConfig.timeseries.port | Optional | 30002 | Specify the port used to expose analytics service outside cluster for timeseries endpoint. | -| analyticsConfig.timeseries.metrics.enable | Optional | False | Set this value to true to enable sending metrics from Citrix ADC. | -| analyticsConfig.timeseries.metrics.mode | Optional | avro | Specifies the mode of metric endpoint. | -| analyticsConfig.timeseries.auditlogs.enable | Optional | false | Set this value to true to export audit log data from Citrix ADC. | -| analyticsConfig.timeseries.events.enable | Optional | false | Set this value to true to export events from the Citrix ADC. | -| analyticsConfig.transactions.enable | Optional | false | Set this value to true to export transactions from Citrix ADC. | -| analyticsConfig.transactions.port | Optional | 30001 | Specify the port used to expose analytics service outside cluster for transaction endpoint. | -| nsLbHashAlgo.required | Optional | false | Set this value to set the LB consistent hashing Algorithm | -| nsLbHashAlgo.hashFingers | Optional | 256 | Specifies the number of fingers to be used for hashing algorithm. 
Possible values are from 1 to 1024, Default value is 256 | -| nsLbHashAlgo.hashAlgorithm | Optional | 'default' | Specifies the supported algorithm. Supported algorithms are "default", "jarh", "prac", Default value is 'default' | -| extraVolumeMounts | Optional | [] | Specify the Additional VolumeMounts to be mounted in CIC container | -| extraVolumes | Optional | [] | Specify the Additional Volumes for additional volumeMounts | -| rbacRole | Optional | false | To deploy CIC with RBAC Role set rbacRole=true; by default CIC gets installed with RBAC ClusterRole(rbacRole=false)) | - -Alternatively, you can define a YAML file with the values for the parameters and pass the values while installing the chart. - -For example: - ``` - helm install my-release citrix/citrix-ingress-controller -f values.yaml - ``` - -> **Tip:** -> -> The [values.yaml](https://github.com/citrix/citrix-helm-charts/blob/master/citrix-ingress-controller/values.yaml) contains the default values of the parameters. - -> **Note:** -> -> Please provide frontend-ip (VIP) in your application ingress yaml file. For more info refer [this](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/configure/annotations.md). - -## Route Addition in MPX/VPX -For seamless functioning of services deployed in the Kubernetes cluster, it is essential that Ingress NetScaler device should be able to reach the underlying overlay network over which Pods are running. -`feature-node-watch` knob of Citrix Ingress Controller can be used for automatic route configuration on NetScaler towards the pod network. Refer [Static Route Configuration](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/staticrouting.md) for further details regarding the same. -By default, `feature-node-watch` is false. It needs to be explicitly set to true if auto route configuration is required. 
- -This can also be achieved by deploying [Citrix Node Controller](https://github.com/citrix/citrix-k8s-node-controller). - -If your deployment uses one single Citrix ADC Device to loadbalance between multiple k8s clusters, there is a possibilty of CNI subnets to overlap, causing the above mentioned static routing to fail due to route conflicts. In such deployments [Policy Based Routing(PBR)] (https://docs.citrix.com/en-us/citrix-adc/current-release/networking/ip-routing/configuring-policy-based-routes/configuring-policy-based-routes-pbrs-for-ipv4-traffic.html) can be used instead. This would require you to provide one or more subnet IP Addresses unique for each kubernetes cluster either via Environment variable or Configmap, see [PBR Support](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/docs/how-to/pbr.md) - - Use the following command to provide subnet IPAddresses(SNIPs) to configure Policy Based Routes(PBR) on the Citrix ADC - - ``` - helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,nsSNIPS='[\, \, ...]' - ``` - - [Citrix Node Controller](https://github.com/citrix/citrix-k8s-node-controller) by default also adds static routes while creating the VXLAN tunnel. To use [Policy Based Routing(PBR)] (https://docs.citrix.com/en-us/citrix-adc/current-release/networking/ip-routing/configuring-policy-based-routes/configuring-policy-based-routes-pbrs-for-ipv4-traffic.html) to avoid static route clash, both Citrix Node Controller and Citrix Ingress Controller has to work in conjunction and has to be started with specific arguments. For more details refer [CNC-PBR-SUPPORT](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/docs/how-to/pbr.md#configure-pbr-using-the-citrix-node-controller). 
- - Use the following command to inform Citrix Ingress Controller that Citrix Node Controller is configuring Policy Based Routes(PBR) on the Citrix ADC - - ``` - helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,clusterName=,cncPbr= - ``` - -For configuring static routes manually on Citrix ADC VPX or MPX to reach the pods inside the cluster follow: -### For Kubernetes: -1. Obtain podCIDR using below options: - ``` - kubectl get nodes -o yaml | grep podCIDR - ``` - * podCIDR: 10.244.0.0/24 - * podCIDR: 10.244.1.0/24 - * podCIDR: 10.244.2.0/24 - -2. Log on to the Citrix ADC instance. - -3. Add Route in Netscaler VPX/MPX - ``` - add route - ``` -4. Ensure that Ingress MPX/VPX has a SNIP present in the host-network (i.e. network over which K8S nodes communicate with each other. Usually eth0 IP is from this network). - - Example: - * Node1 IP = 192.0.2.1 - * podCIDR = 10.244.1.0/24 - * add route 10.244.1.0 255.255.255.0 192.0.2.1 - -### For OpenShift: -1. Use the following command to get the information about host names, host IP addresses, and subnets for static route configuration. - ``` - oc get hostsubnet - ``` - -2. Log on to the Citrix ADC instance. - -3. Add the route on the Citrix ADC instance using the following command. - ```add route ``` - -4. Ensure that Ingress MPX/VPX has a SNIP present in the host-network (i.e. network over which OpenShift nodes communicate with each other. Usually eth0 IP is from this network). 
- - For example, if the output of the `oc get hostsubnet` is as follows: - * oc get hostsubnet - - NAME HOST HOST IP SUBNET - os.example.com os.example.com 192.0.2.1 10.1.1.0/24 - - * The required static route is as follows: - - add route 10.1.1.0 255.255.255.0 192.0.2.1 - -## Uninstalling the Chart -To uninstall/delete the ```my-release``` deployment: - - ``` - helm delete my-release - ``` - -The command removes all the Kubernetes components associated with the chart and deletes the release. - -## Related documentation - -- [Citrix ingress controller Documentation](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/) -- [Citrix ingress controller GitHub](https://github.com/citrix/citrix-k8s-ingress-controller) diff --git a/charts/citrix/citrix-ingress-controller/1.30.1/app-readme.md b/charts/citrix/citrix-ingress-controller/1.30.1/app-readme.md deleted file mode 100644 index a8a8ebc15a..0000000000 --- a/charts/citrix/citrix-ingress-controller/1.30.1/app-readme.md +++ /dev/null @@ -1,5 +0,0 @@ -# Citrix Ingress Controller - -[Citrix Ingress Controler](https://github.com/citrix/citrix-k8s-ingress-controller) is an ingress controller for Citrix ADC MPX (hardware), Citrix ADC VPX (virtualized), and Citrix ADC CPX (containerized) for bare metal and cloud deployments. It is built around Kubernetes Ingress and automatically configures Citrix ADC based on the Ingress resource configuration. - -This Chart bootstraps standalone Citrix Ingress Controller which can be used to configure Citrix MPX or VPX. diff --git a/charts/citrix/citrix-ingress-controller/1.30.1/questions.yml b/charts/citrix/citrix-ingress-controller/1.30.1/questions.yml deleted file mode 100644 index 89389ae11e..0000000000 --- a/charts/citrix/citrix-ingress-controller/1.30.1/questions.yml +++ /dev/null 
@@ -1,348 +0,0 @@ -labels: - io.rancher.certified: partner -questions: -- variable: license.accept - required: true - type: enum - description: "Set to yes to accept the terms and conditions of the Citrix license." - label: Accept License - group: "Deployment Settings" - options: - - "yes" - - "no" -- variable: openshift - default: false - type: boolean - description: "openshift is set to true if charts are being deployed in OpenShift environment" - label: Openshift flag - group: "Deployment Settings" -- variable: adcCredentialSecret - required: true - default: "" - type: string - description: "adcCredentialSecret is secret file for NetScaler login" - label: adcCredentialSecret Name - group: "Deployment Settings" -- variable: imagePullSecrets[0] - required: false - type: string - description: "Provide list of Kubernetes secrets to be used for pulling the images from a private Docker registry or repository" - label: imagePullSecrets - group: "Deployment Settings" -- variable: nsIP - required: true - type: string - description: "nsIP is NetScaler NSIP/SNIP, SNIP in case of HA (mgmt has to be enabled)" - label: Citrix ADC IP - group: "ADC Settings" -- variable: nsVIP - required: false - type: string - label: Virtual IP of Citrix ADC - group: "ADC Settings" -- variable: nsSNIPS - required: false - type: string - description: "The list of subnet IPAddresses on the Citrix ADC device, which will be used to create PBR Routes instead of Static Routes" - label: Citrix ADC nsSNIPS - group: "ADC Settings" -- variable: nsPort - required: false - default: 443 - type: int - description: "nsPort is port for ADC NITRO" - label: nsPort - group: "ADC Settings" -- variable: nsProtocol - required: false - default: "HTTPS" - type: string - description: "nsProtocol is protocol for ADC NITRO" - label: nsProtocol - group: "ADC Settings" -- variable: entityPrefix - required: false - type: string - description: "The prefix for the resources on the Citrix ADC VPX/MPX" - label: entityPrefix - 
group: "ADC Settings" -- variable: kubernetesURL - required: false - type: string - description: "kubernetesURL is for registering events to kubeapi server" - label: Kubernetes API-server URL - group: "Deployment Settings" -- variable: clusterName - required: false - type: string - description: "The unique identifier of the kubernetes cluster on which the CIC is deployed" - label: Cluster Name - group: "Deployment Settings" -- variable: ingressClass[0] - required: false - type: string - description: "ingressClass is the name of the Ingress Class" - label: Ingress Class - group: "Deployment Settings" -- variable: setAsDefaultIngressClass - required: false - default: False - type: boolean - description: "Set the IngressClass object as default ingress class. New Ingresses without an `ingressClassName` field specified will be assigned the class specified in ingressClass. Applicable only for kubernetes versions >= 1.19" - label: setAsDefaultIngressClass - group: "Deployment Settings" -- variable: serviceClass[0] - required: false - type: string - description: "serviceClass is the name of the Service Class" - label: Service Class - group: "Deployment Settings" -- variable: defaultSSLCertSecret - required: false - type: string - description: "Provide Kubernetes secret name that needs to be used as a default non-SNI certificate in Citrix ADC." - label: defaultSSLCertSecret - group: "ADC Settings" -- variable: podIPsforServiceGroupMembers - required: false - default: False - type: boolean - description: "By default Citrix Ingress Controller will add NodeIP and NodePort as service group members,This variable if set to True will change the behaviour to add pod IP and Pod port instead of nodeIP and nodePort." 
- label: podIPsforServiceGroupMembers - group: "Deployment Settings" -- variable: ignoreNodeExternalIP - required: false - default: False - type: boolean - label: ignoreNodeExternalIP - group: "Deployment Settings" -- variable: ipam - required: false - default: False - type: boolean - description: "Set this argument if you want to use the IPAM controller to automatically allocate an IP address to the service of type LoadBalancer" - label: ipam - group: "Deployment Settings" -- variable: logProxy - required: false - default: False - type: string - description: "Provide Elasticsearch or Kafka or Zipkin endpoint for Citrix observability exporter." - label: Log Proxy - group: "Deployment Settings" -- variable: nodeWatch - required: false - default: false - type: boolean - description: "nodeWatch is used for automatic route configuration on NetScaler towards the pod network" - label: NodeWatch - group: "ADC Settings" -- variable: cncPbr - required: false - default: false - type: boolean - description: "Use this argument to inform CIC that Citrix Node Controller(CNC) is configuring Policy Based Routes(PBR) on the Citrix ADC." - label: CNC PBR - group: "ADC Settings" -- variable: nodeSelector.key - required: false - type: string - description: "Node label key to be used for nodeSelector option in CIC deployment" - label: NodeSelector Key - group: "Deployment Settings" -- variable: nodeSelector.value - required: false - type: string - description: "Node label value to be used for nodeSelector option in CIC deployment." 
- label: NodeSelector value - group: "Deployment Settings" -- variable: tolerations[0] - required: false - type: string - description: "Specify the tolerations for the CIC deployment" - label: Tolerations - group: "Deployment Settings" -- variable: updateIngressStatus - required: false - default: false - type: boolean - description: "Set this argurment if Status.LoadBalancer.Ingress field of the Ingress resources managed by the Citrix ingress controller needs to be updated with allocated IP addresses" - label: Update Ingress Status - group: "Deployment Settings" -- variable: nsHTTP2ServerSide - required: false - default: "OFF" - type: string - description: "Set this argument to ON for enabling HTTP2 for Citrix ADC service group configurations." - label: nsHTTP2ServerSide - group: "Deployment Settings" -- variable: nsCookieVersion - required: false - default: "0" - type: string - description: "Specify the persistence cookie version (0 or 1)" - label: nsCookieVersion - group: "Deployment Settings" -- variable: routeLabels - required: false - type: string - description: "You can use this parameter to provide the route labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster." 
- label: Route Labels - group: "Deployment Settings" -- variable: namespaceLabels - required: false - type: string - description: "you can use this parameter to provide the namespace labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster" - label: namespaceLabels - group: "Deployment Settings" -- variable: cic.image - required: true - type: string - default: "quay.io/citrix/citrix-k8s-ingress-controller:1.19.6" - label: CIC Image - group: "CIC Image Settings" -- variable: cic.pullpolicy - required: true - default: "IfNotPresent" - type: enum - label: CIC Image Pullpolicy - group: "CIC Image Settings" - options: - - "Always" - - "IfNotPresent" - - "Never" -- variable: logLevel - required: false - default: "INFO" - type: enum - label: CIC Loglevel - group: "CIC Image Settings" - options: - - "DEBUG" - - "INFO" - - "WARNING" - - "ERROR" - - "TRACE" -- variable: exporter.required - default: false - type: boolean - description: "If set to true exporter will be deployed as sidecar" - label: Enable Exporter - group: "Exporter Settings" -- variable: exporter.image - default: "quay.io/citrix/citrix-adc-metrics-exporter:1.4.9" - required: false - type: string - description: "Exporter Image" - label: Exporter Image - group: "Exporter Settings" -- variable: exporter.pullPolicy - required: false - default: IfNotPresent - type: string - description: "Exporter Image pull policy" - label: Exporter Image PullPolicy - group: "Exporter Settings" -- variable: exporter.ports.containerPort - required: false - default: 8888 - type: int - label: Exporter ContainerPort - group: "Exporter Settings" -- variable: crds.install - required: false - default: true - type: boolean - description: "If set to true the charts will install CustomResourceDefinitions which are consumed by CIC." 
- label: CRD flag - group: "Deployment Settings" -- variable: crds.retainOnDelete - required: false - default: false - type: boolean - description: "Set this argument to true if you want to retain CustomResourceDefinitions even after uninstalling CIC. This will avoid data-loss of Custom Resource Objects created before uninstallation." - label: CRD retainOnDelete flag - group: "Deployment Settings" -- variable: coeConfig.required - required: true - default: false - type: boolean - description: "Set this to true if you want to configure Citrix ADC to send metrics and transaction records to COE" - label: Enable COE - group: "COE Settings" -- variable: coeConfig.distributedTracing.enable - required: false - default: false - type: boolean - description: "Set this value to true to enable OpenTracing in Citrix ADC." - label: Enable coeConfig DistributedTracing - group: "COE Settings" -- variable: coeConfig.distributedTracing.samplingrate - required: false - default: "100" - type: string - description: "Specifies the OpenTracing sampling rate in percentage." 
- label: coeConfig DistributedTracing Samplingrate - group: "COE Settings" -- variable: coeConfig.endpoint.server - required: false - type: string - description: "Set this value as the IP address or DNS address of the analytics server" - label: coeConfig Endpoint Server - group: "COE Settings" -- variable: coeConfig.timeseries.port - required: false - default: "30002" - type: string - description: "Specify the port used to expose COE service outside cluster for timeseries endpoint" - label: coeConfig timeseries Port - group: "COE Settings" -- variable: coeConfig.timeseries.metrics.enable - required: false - default: False - type: boolean - description: "Set this value to true to enable sending metrics from Citrix ADC" - label: Enable coeConfig Timeseries Metrics - group: "COE Settings" -- variable: coeConfig.timeseries.metrics.mode - required: false - default: "avro" - type: string - description: "Specifies the mode of metric endpoint" - label: coeConfig Timeseries Metrics Mode - group: "COE Settings" -- variable: coeConfig.timeseries.auditlogs.enable - required: false - default: False - type: boolean - description: "Set this value to true to export audit log data from Citrix ADC" - label: coeConfig Timeseries Auditlogs Enable - group: "COE Settings" -- variable: coeConfig.timeseries.events.enable - required: false - default: False - type: boolean - description: "Set this value to true to export events from the Citrix ADC" - label: Enable coeConfig Timeseries Events - group: "COE Settings" -- variable: coeConfig.transactions.enable - required: false - default: False - type: boolean - description: "Set this value to true to export transactions from Citrix ADC" - label: Enable coeConfig Transactions - group: "COE Settings" -- variable: coeConfig.transactions.port - required: false - default: 30001 - type: string - description: "Specify the port used to expose COE service outside cluster for transaction endpoint" - label: coeConfig Transactions Port - group: "COE 
Settings" -- variable: serviceAccount.create - required: false - default: true - type: boolean - description: "Specifies whether a ServiceAccount should be created" - label: ServiceAccount Create - group: "Deployment Settings" diff --git a/charts/citrix/citrix-ingress-controller/1.30.1/templates/NOTES.txt b/charts/citrix/citrix-ingress-controller/1.30.1/templates/NOTES.txt deleted file mode 100644 index 4d07f639fb..0000000000 --- a/charts/citrix/citrix-ingress-controller/1.30.1/templates/NOTES.txt +++ /dev/null @@ -1,15 +0,0 @@ -Thank you for installing {{ .Chart.Name }}. - -Your release is named {{ .Release.Name }}. - - -To learn more about the release, try: - - $ helm status {{ .Release.Name }} - $ helm get {{ .Release.Name }} - - -To delete : - helm delete {{ .Release.Name }} - - diff --git a/charts/citrix/citrix-ingress-controller/1.30.1/templates/_helpers.tpl b/charts/citrix/citrix-ingress-controller/1.30.1/templates/_helpers.tpl deleted file mode 100644 index efca8083c7..0000000000 --- a/charts/citrix/citrix-ingress-controller/1.30.1/templates/_helpers.tpl +++ /dev/null 
@@ -1,94 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Analytics Server IP or DNS -*/}} -{{- define "analytics.server" -}} -{{- if .Values.analyticsConfig.endpoint.server -}} -{{- printf .Values.analyticsConfig.endpoint.server -}} -{{- else -}} -{{- $addresses := first (first (lookup "v1" "Node" "" "").items).status.addresses -}} -{{- printf "%s" ($addresses).address -}} -{{- end -}} -{{- end -}} - - - -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "citrix-ingress-controller.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "citrix-ingress-controller.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{- define "exporter.fullname" -}} -{{- $name := default .Chart.Name "exporter" .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} - -{{- define "servicemonitor.fullname" -}} -{{- $name := default .Chart.Name "citrix-adc-servicemonitor" .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} - -{{- define "servicemonitorlabel" -}} 
-{{- $name := default .Chart.Name "citrix-adc-svcmon" .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} - -{{- define "cicconfigmap.fullname" -}} -{{- $name := default .Chart.Name "cic-configmap" .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "citrix-ingress-controller.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create the name of the service account to use -*/}} -{{- define "citrix-ingress-controller.serviceAccountName" -}} -{{- if .Values.serviceAccount.create -}} - {{ default (include "citrix-ingress-controller.fullname" .) .Values.serviceAccount.name }} -{{- else -}} - {{ default "default" .Values.serviceAccount.name }} -{{- end -}} -{{- end -}} diff --git a/charts/citrix/citrix-ingress-controller/1.30.1/templates/cic_crds.yaml b/charts/citrix/citrix-ingress-controller/1.30.1/templates/cic_crds.yaml deleted file mode 100644 index b1c287d233..0000000000 --- a/charts/citrix/citrix-ingress-controller/1.30.1/templates/cic_crds.yaml +++ /dev/null 
@@ -1,2513 +0,0 @@ -{{- if .Values.crds.install }} -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: rewritepolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: rewritepolicy - plural: rewritepolicies - singular: rewritepolicy - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - rewrite-policies: - type: array - items: - type: object - properties: - servicenames: - description: 'Name of the services that needs to be binded to rewrite policy.' - type: array - items: - type: string - maxLength: 127 - goto-priority-expression: - description: 'Expression or other value specifying the next policy to be - evaluated if the current policy evaluates to TRUE. - Specify one of the following values: - * NEXT - Evaluate the policy with the next higher priority number. - * END - End policy evaluation. - Default value of goto-priority-expression: END' - type: string - maxLength: 1499 - logpackets: - type: object - description: 'Adds an audit message action. - The action specifies whether to log the message, and to which log.' 
- properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' - type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - rewrite-policy: - type: object - properties: - rewrite-criteria: - description: 'Expression against which traffic is evaluated.' - type: string - maxLength: 1299 - default-action: - description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). - An UNDEF event indicates an internal error condition.' - type: string - maxLength: 77 - enum: ['NOREWRITE', 'RESET', 'DROP'] - operation: - description: 'Type of user-defined rewrite action.' - type: string - enum: ["noop", "delete", "insert_http_header", "delete_http_header", - "corrupt_http_header", "insert_before", "insert_after", "replace", - "replace_http_res", "delete_all", "replace_all", "insert_before_all", - "insert_after_all", "clientless_vpn_encode", "clientless_vpn_encode_all", - "clientless_vpn_decode", "clientless_vpn_decode_all", "insert_sip_header", - "delete_sip_header", "corrupt_sip_header", "replace_sip_res", "replace_diameter_header_field", - "replace_dns_header_field", "replace_dns_answer_section"] - target: - description: 'Default syntax expression that specifies which part of the request or response to rewrite.' - type: string - maxLength: 1229 - modify-expression: - description: 'Default syntax expression that specifies the content to insert into the request - or response at the specified location, or that replaces the specified string.' - type: string - maxLength: 7991 - multiple-occurence-modify: - description: 'Search facility that is used to match multiple strings in the request or response.' 
- type: string - maxLength: 171 - additional-multiple-occurence-modify: - description: 'Specify additional criteria to refine the results of the search. - Always starts with the "extend(m,n)" operation, where "m" specifies number of bytes to the left of selected data - and "n" specifies number of bytes to the right of selected data. - You can use refineSearch only on body expressions, and only when rewrite-criteria is any one of this: - INSERT_BEFORE_ALL, INSERT_AFTER_ALL, REPLACE_ALL, and DELETE_ALL.' - type: string - maxLength: 1299 - direction: - description: 'Bind point to which to bind the policy.' - type: string - enum: ["REQUEST","RESPONSE"] - comment: - description: 'Any comments to preserve information about this rewrite policy.' - type: string - maxLength: 255 - required: [rewrite-criteria, operation, target, direction] - required: [rewrite-policy] - - responder-policies: - type: array - items: - type: object - properties: - servicenames: - description: 'Name of the services that needs to be binded to responder policy.' - type: array - items: - type: string - maxLength: 127 - goto-priority-expression: - description: 'Expression or other value specifying the next policy to be - evaluated if the current policy evaluates to TRUE. - Specify one of the following values: - * NEXT - Evaluate the policy with the next higher priority number. - * END - End policy evaluation. - Default value of goto-priority-expression: END' - type: string - maxLength: 1499 - logpackets: - type: object - description: 'Adds an audit message action. - The action specifies whether to log the message, and to which log.' - properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' 
- type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", - "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - responder-policy: - type: object - properties: - redirect: - type: object - description: 'Use this option when you want to Redirect the request when request matches to policy.' - properties: - url: - description: 'URL on which you want to redirect the request.' - type: string - maxLength: 7991 - redirect-status-code: - description: 'HTTP response status code, for example 200, 302, 404, etc.' - type: integer - minimum: 100 - maximum: 599 - redirect-reason: - description: 'Expression specifying the reason for redirecting the request.' - type: string - maxLength: 7991 - required: [url] - respondwith: - type: object - description: 'Use this parameter when you want to respond to the request when request matches to policy.' - properties: - http-payload-string: - description: 'Expression that you want to sent as response to the request.' - type: string - maxLength: 7991 - required: [http-payload-string] - noop: - type: string - description: 'Use this option when you want to send the request to the protected server instead of - responding to it when request matches to policy.' - properties: - target: - description: 'Default syntax expression that specifies to perform noop operation on' - type: string - maxLength: 1229 - reset: - type: string - description: 'Use this option when you want to Reset the client connection by closing it when request matches to policy.' - properties: - drop: - type: string - description: 'Use this option when you want to drop the request without sending a response to the user when request matches to policy.' - properties: - respond-criteria: - description: 'Default syntax expression that the policy uses to determine whether to respond to the specified request.' 
- type: string - maxLength: 1299 - default-action: - description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). - An UNDEF event indicates an internal error condition.' - type: string - maxLength: 77 - enum: ['NOOP', 'RESET', 'DROP'] - comment: - description: 'Any comments to preserve information about this responder policy.' - type: string - maxLength: 255 - required: [respond-criteria] - oneOf: [required: [redirect], required: [respondwith], required: [noop], required: [reset], required: [drop]] - required: [responder-policy] - - dataset: - type: array - items: - type: object - properties: - name: - description: 'Name of the dataset.' - type: string - maxLength: 32 - type: - description: 'Type of value to bind to the dataset.' - type: string - enum: ["ipv4", "number", "ipv6", "ulong", "double", "mac"] - comment: - description: 'Any comments to preserve information about this dataset.' - type: string - maxLength: 255 - values: - description: 'Value of the specified type that is associated with this dataset.' - type: array - items: - type: string - required: [name, type, values] - - patset: - type: array - items: - type: object - properties: - name: - description: 'Name of the Patset.' - type: string - maxLength: 32 - comment: - description: 'Any comments to preserve information about this patset.' - type: string - maxLength: 255 - values: - description: 'String of characters that constitutes a pattern and is associated with this patset.' - type: array - items: - type: string - required: [name, values] - - stringmap: - type: array - items: - type: object - properties: - name: - description: 'Name of the Stringmap.' - type: string - maxLength: 32 - comment: - description: 'Any comments to preserve information about this stringmap.' - type: string - maxLength: 255 - values: - description: 'List of (key,value) pairs to be bound to this string map.' 
- type: array - items: - type: object - properties: - key: - description: 'Character string constituting the key to be bound to this string map.' - type: string - maxLength: 2047 - value: - description: 'Character string constituting the value associated with the key.' - type: string - maxLength: 2047 - required: [name, values] - - httpcallout_policy: - type: array - items: - type: object - properties: - name: - description: 'httpcallout name' - type: string - maxLength: 32 - server_ip: - description: 'IP Address of the server(callout agent) to which the callout is sent.' - type: string - server_port: - description: 'Port of the server(callout agent) to which the callout is sent.' - type: integer - minimum: 1 - maximum: 65535 - http_method: - description: |+ - 'Method used in the HTTP request that this callout sends. - Default http method is GET' - type: string - enum: ['GET', 'POST'] - host_expr: - description: |+ - 'String expression to configure the Host header. Can contain a literal value - (for example, 10.101.10.11) or a derived value (for example, http.req.header("Host")). - The literal value can be an IP address or a fully qualified domain name. Mutually - exclusive with the full HTTP request expression.' - type: string - maxLength: 255 - url_stem_expr: - description: |+ - 'String expression for generating the URL stem. Can contain a literal string - (for example, "/mysite/index.html") or an expression that derives the value - (for example, http.req.url).' - type: string - maxLength: 8191 - headers: - type: array - description: |+ - 'One or more headers to insert into the HTTP request. Each header is represented by - name and expr, where expr is an expression that is evaluated at runtime to provide - the value for the named header. You can configure a maximum of eight headers for - an HTTP callout.' 
- items: - type: object - properties: - name: - description: 'header name' - type: string - expr: - description: 'header expression' - type: string - parameters: - type: array - description: |+ - 'One or more query parameters to insert into the HTTP request URL (for a GET request) - or into the request body (for a POST request). Each parameter is represented by - name and expr, where expr is an expression that is evaluated at run time to provide - the value for the named parameter (name=value). The parameter values are URL encoded.' - items: - type: object - properties: - name: - description: 'parameter name' - type: string - expr: - description: 'parameter expression' - type: string - body_expr: - description: |+ - 'An advanced string expression for generating the body of the request. - The expression can contain a literal string or an expression that derives - the value (for example, client.ip.src).' - type: string - full_req_expr: - description: |+ - 'Exact HTTP request, in the form of an expression, which the Citrix ADC sends - to the callout agent. The request expression is constrained by the feature - for which the callout is used. For example, an HTTP.RES expression cannot be - used in a request-time policy bank or in a TCP content switching policy bank.' - type: string - scheme: - description: |+ - 'Type of scheme for the callout server. - Default scheme is HTTP' - type: string - enum: ['HTTP', 'HTTPS'] - cache_for_secs: - description: |+ - 'Duration, in seconds, for which the callout response is cached. - The cached responses are stored in an integrated caching content - group named "calloutContentGroup". If no duration is configured, - the callout responses will not be cached unless normal caching - configuration is used to cache them. This parameter takes precedence over any - normal caching configuration that would otherwise apply to these responses.' 
- type: integer - minimum: 1 - maximum: 31536000 - return_type: - description: |+ - 'Type of data that the target callout agent returns in response to the callout - Available settings function as follows: - * TEXT - Treat the returned value as a text string. - * NUM - Treat the returned value as a number. - * BOOL - Treat the returned value as a Boolean value.' - type: string - enum: ['TEXT', 'NUM', 'BOOL'] - result_expr: - description: |+ - 'Expression that extracts the callout results from the response sent by the HTTP callout - agent. Must be a response based expression, that is, it must begin with HTTP.RES. The - operations in this expression must match the return type. For example, if you configure - a return type of TEXT, the result expression must be a text based expression. If the - return type is NUM, the result expression (resultExpr) must return a numeric value, - as in the following example: http.res.body(10000).length.' - type: string - maxLength: 8191 - comment: - description: 'Any comments to preserve information about this HTTP callout.' 
- type: string - maxLength: 255 - allOf: - - properties: - required: [name, server_ip, server_port] - - properties: - oneOf: - - properties: - required: [full_req_expr] - - properties: - anyOf: - - properties: - required: [http_method] - - properties: - required: [host_expr] - - properties: - required: [url_stem_expr] - - properties: - required: [headers] - - properties: - required: [parameters] - - properties: - required: [body_expr] - anyOf: [required: [rewrite-policies], required: [responder-policies]] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: ratelimits.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: ratelimit - plural: ratelimits - singular: ratelimit - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the ratelimit policies are applied.' - type: array - items: - type: string - maxLength: 127 - selector_keys: - type: object - description: 'Traffic match criteria to which apply above rate-limit/throttling. All keys are applied as AND condition. 
If no keys are specified, rate-limit applies at service level' - properties: - basic: - type: object - description: "Basic traffic stream selection criteria to which to apply the ratelimit" - properties: - path: - type: array - description: "api resource path prefix match. e.g. /api/v1/products" - items: - type: string - method: - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT', 'UNKNOWN_METHOD'] - header_name: - description: "HTTP header that identifies the unique API client for e.g. X-apikey" - type: string - per_client_ip: - description: "Setting this applies the throttling limit to each unique Client IP address accessing the API resource" - type: boolean - req_threshold: - description: 'Max requests per timeslice units to be allowed' - type: integer - timeslice: - description: 'Timeslice in miliseconds in multiple of 10. Defaults to 1000 miliseconds' - type: integer - limittype: - description: "Burst mode or smooth. Defaults to smooth limittype if not specified" - type: string - enum: ['BURSTY','SMOOTH'] - throttle_action: - type: string - enum: ['DROP', 'RESET','REDIRECT', 'RESPOND'] - description: "Drop will drop the requests exceeding limits, RESET will reset the client connection, Redirect will redirect to specified URL, respond will respond with 429 'Exceeded allowed rate of requests'" - redirect_url: - type: string - description: "Redirect-URL" - logpackets: - type: object - description: 'Adds an audit message action. The action specifies whether to log the message, and to which log.' - properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' 
- type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - required: [req_threshold] ---- -#Sample CRD instance - -#apiVersion: citrix.com/v1 -#description: VIP for apache service -#kind: vip -#metadata: -# name: service-apache -# namespace: default -#spec: -# description: VIP for the apache Service -# ipaddress: 10.99.98.90 -# kind: service -# name: apache - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: vips.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: vip - plural: vips - singular: vip - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - additionalPrinterColumns: - - jsonPath: .spec.ipaddress - name: VIP - type: string - - name: Age - type: date - jsonPath: .metadata.creationTimestamp - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - ipaddress: - type: string - name: - type: string - kind: - type: string - enum: ["service", "ingress"] - description: - type: string - range-name: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: authpolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: authpolicy - plural: authpolicies - singular: authpolicy - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: 'Current Status of the CRD' - jsonPath: .status.state - - name: Message - type: string - description: 'Status Message' - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: 
string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: |+ - 'Name of the services for which the policies applied' - type: array - items: - type: string - maxLength: 63 - authentication_mechanism: - type: object - description: |+ - 'Authentication mechanism. Options: using forms or using request header. - Default is Authentication using request header, when no option is specified' - properties: - using_request_header: - description: |+ - 'Enable user authentication using request header. Use when the credentials - or api keys are passed in a header. For example, when using Basic, Digest, - Bearer authentication or api keys. - When authentication using forms is provided, this is set to OFF' - - type: string - using_forms: - type: object - description: 'Enables authentication using forms. Use with user/web authentication.' - properties: - authentication_host: - description: |+ - 'Fully qualified domain name (FQDN) for authentication. - This FQDN should be unique and should resolve to frontend IP of - ADC with Ingress/service type LoadBalancer (or) vip of Listener CRD' - type: string - maxLength: 255 - authentication_host_cert: - description: |+ - 'Name of the SSL certificate to be used with authentication_host. 
- This certificate is mandatory while using_forms' - type: object - properties: - tls_secret: - type: string - description: 'Name of the Kubernetes Secret of type tls referring to Certificate' - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - preconfigured: - type: string - maxLength: 63 - description: |+ - 'Preconfigured SSL certkey name on ADC with the - certificate and key already added on ADC' - oneOf: - - properties: - required: [tls_secret] - - properties: - required: [preconfigured] - ingress_name: - description: |+ - 'Ingress name for which the authentication using forms - is applicable.' - type: string - maxLength: 63 - lb_service_name: - description: |+ - 'Service of type LoadBalancer for which the authentication using forms - is applicable.' - type: string - maxLength: 63 - listener_name: - description: |+ - 'Listener CRD name for which the authentication using forms is applicable.' - type: string - maxLength: 63 - vip: - description: |+ - 'Frontend IP of ingress for which the authentication - using forms is applicable. This refers to frontend-ip provided - with Ingress. It is suggested to use vip, if more than one Ingress - resource use the same frontend-ip' - type: string - required: [authentication_host, authentication_host_cert] - oneOf: - - properties: - required: [ingress_name] - - properties: - required: [lb_service_name] - - properties: - required: [listener_name] - - properties: - required: [vip] - oneOf: - - properties: - using_request_header: - enum: ['ON'] - required: [using_request_header] - - properties: - required: [using_forms] - - authentication_providers: - description: |+ - 'Authentication Configuration for required authentication providers/schemes. 
- One or more of these can be created' - type: array - items: - description: 'Create config for a single authentication provider of a particular type' - type: object - properties: - name: - description: 'Name for this provider, has to be unique, referenced by authentication policies' - type: string - maxLength: 127 - - oauth: - description: 'Authentication provided by external oAuth provider' - type: object - properties: - issuer: - description: 'Identity of the server whose tokens are to be accepted' - type: string - maxLength: 127 - audience: - description: 'Audience for which token sent by Authorization server is applicable' - type: array - items: - type: string - maxLength: 127 - jwks_uri: - description: |+ - 'URL of the endpoint that contains JWKs (Json Web Key) for - JWT (Json Web Token) verification' - type: string - maxLength: 127 - introspect_url: - description: ' URL of the introspection server' - type: string - maxLength: 127 - client_credentials: - description: |+ - 'secrets object that contains Client Id and secret as known - to Introspection server' - type: string - maxLength: 253 - token_in_hdr: - description: |+ - 'custom header name where token is present, - default is Authorization header' - type: array - items: - type: string - maxLength: 127 - maxItems: 2 - token_in_param: - description: 'query parameter name where token is present' - type: array - items: - type: string - maxLength: 127 - maxItems: 2 - signature_algorithms: - description: 'list of allowed signature algorithms, by default HS256, RS256, RS512 are allowed' - type: array - items: - type: string - enum: ['HS256', 'RS256', 'RS512'] - claims_to_save: - description: 'list of claims to be saved, used to create authorization policies' - type: array - items: - type: string - maxLength: 127 - metadata_url: - description: 'URL used to get OAUTH/OIDC provider metadata' - type: string - maxLength: 255 - user_field: - description: |+ - 'Attribute in the token from which username should be 
extracted. - by default, ADC looks at email attribute for user id' - type: string - maxLength: 127 - default_group: - description: |+ - 'group assigned to the request if authentication succeeds, - this is in addition to any extracted groups from token' - type: string - maxLength: 63 - grant_type: - description: 'used to specify the type of flow to the token end point, defaults to CODE' - type: array - items: - type: string - enum: ['CODE','PASSWORD'] - pkce: - description: 'specify whether to enable Proof Key Code Exchange, defaults to ENABLED' - type: string - enum: ['ENABLED', 'DISABLED'] - token_ep_auth_method: - description: |+ - 'authentication method to be used with token end point, - defaults to client_secret_post' - type: string - enum: ['client_secret_post', 'client_secret_jwt'] - - anyOf: - - properties: - required : [jwks_uri] - - properties: - required : [introspect_url, client_credentials] - - properties: - required : [metadata_url] - - ldap: - description: 'LDAP authentication provider' - type: object - properties: - server_ip: - description: 'IP address assigned to the LDAP server' - type: string - server_name: - description: 'LDAP server name as a FQDN' - type: string - maxLength: 127 - server_port: - description: 'Port on which the LDAP server accepts connections. Default is 389' - type: integer - minimum: 1 - maximum: 65535 - base: - description: |+ - 'Base (node) from which to start LDAP searches. If the LDAP server is - running locally, the default value of base is dc=netscaler, dc=com' - type: string - maxLength: 127 - server_login_credentials: - description: |+ - 'Kubernetes secret object providing credentials to login to LDAP server, - The secret data should have username and password' - type: string - login_name: - description: |+ - 'LDAP login name attribute. 
The Citrix ADC uses the LDAP login name - to query external LDAP servers or Active Directories' - type: string - maxLength: 127 - security_type: - description: |+ - 'Type of security used for communications between the Citrix ADC - and the LDAP server. Default is TLS' - type: string - enum: ['PLAINTEXT', 'TLS', 'SSL'] - validate_server_cert: - description: 'Validate LDAP Server certs. Default is NO' - type: string - enum: ['YES', 'NO'] - hostname: - description: |+ - 'Hostname for the LDAP server. If validate_server_cert is ON, - this must be the host name on the certificate from the LDAP - A hostname mismatch will cause a connection failure' - type: string - maxLength: 127 - sub_attribute_name: - description: 'LDAP group sub-attribute name. Used for group extraction from the LDAP server.' - type: string - maxLength: 31 - group_attribute_name: - description: 'LDAP group attribute name. Used for group extraction on the LDAP server.' - type: string - maxLength: 31 - search_filter: - description: |+ - 'String to be combined with the default LDAP user search string to form the - search value. For example, if the search filter "vpnallowed=true" is combined - with the LDAP login name "samaccount" and the user-supplied username is "bob", - the result is the LDAP search string ""(&(vpnallowed=true)(samaccount=bob)"" - (Be sure to enclose the search string in two sets of double quotation marks)' - type: string - maxLength: 255 - auth_timeout: - description: |+ - 'Number of seconds the Citrix ADC waits for a response from the server - Default is 3' - type: integer - minimum: 1 - maximum: 4294967295 - password_change: - description: 'Allow password change requests. 
Default is DISABLED' - type: string - enum: ['ENABLED', 'DISABLED'] - attributes_to_save: - description: |+ - 'List of attribute names separated by comma which needs to be fetched - from LDAP server and stored as key-value pair for the session on ADC' - type: string - maxLength: 2047 - oneOf: - - properties: - required: [server_ip] - - properties: - required: [server_name] - - saml: - description: |+ - 'SAML authentication provider. - Currently SAML is supported only with authentication mechanism using forms' - type: object - properties: - metadata_url: - description: 'URL is used for obtaining saml metadata.' - type: string - maxLength: 255 - metadata_refresh_interval: - description: |+ - 'Interval in minutes for fetching metadata from specified metadata URL. - Default is 36000' - type: integer - minimum: 1 - maximum: 4294967295 - signing_cert: - description: 'SSL certificate to sign requests from SP to IDP' - type: object - properties: - tls_secret: - type: string - description: 'Name of the Kubernetes Secret of type tls referring to Certificate' - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - preconfigured: - type: string - maxLength: 63 - description: |+ - 'Preconfigured SSL certkey name on ADC with the - certificate and key already added on ADC' - oneOf: - - properties: - required: [tls_secret] - - properties: - required: [preconfigured] - audience: - description: 'Audience for which assertion sent by IdP is applicable' - type: string - maxLength: 127 - issuer_name: - description: 'The name to be used in requests sent from SP to IDP to identify citrix ADC' - type: string - maxLength: 63 - binding: - description: 'Specifies the transport mechanism of saml message. Default is POST' - type: string - enum: ['REDIRECT', 'POST', 'ARTIFACT'] - artifact_resolution_service_url: - description: 'URL of the Artifact Resolution Service on IdP' - type: string - maxLength: 255 - logout_binding: - description: 'Specifies the transport mechanism of saml logout. 
Default is POST' - type: string - enum: ['REDIRECT', 'POST'] - reject_unsigned_assertion: - description: |+ - 'Reject unsigned SAML assertions. ON, rejects assertion without signature. - STRICT ensure that both Response and Assertion are signed. Default is ON' - type: string - enum: ['ON', 'OFF', 'STRICT'] - user_field: - description: 'SAML user ID, as given in the SAML assertion' - type: string - maxLength: 63 - default_authentication_group: - description: |+ - 'This is the default group that is chosen when the authentication - succeeds in addition to extracted groups' - type: string - maxLength: 63 - skew_time: - description: |+ - 'Allowed clock skew in number of minutes on an incoming assertion. - Default is 5' - type: integer - minimum: 1 - attributes_to_save: - description: |+ - 'List of attribute names separated by comma which needs to be extracted - and stored as key-value pair for the session on ADC' - type: string - maxLength: 2047 - required: - - metadata_url - - basic_local_db: - type: object - description: |+ - 'Basic HTTP authentication supported by ADC, user data in local DB of ADC. - Users needs to be added on ADC' - properties: - use_local_auth: - description: 'Use ADC authentication' - type: string - enum: ['YES'] - - required: - - name - - authentication_policies: - description: 'Authentication policies' - type: array - items: - type: object - description: 'Authentication policy' - properties: - resource: - type: object - description: 'endpoint/resource selection criteria' - properties: - path: - description: 'api resource path e.g. /products. 
' - type: array - items: - type: string - maxLength: 511 - method: - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT', 'UNKNOWN_METHOD'] - required: - - path - expression: - description: 'ADC syntax expression for authentication' - type: string - maxLength: 1229 - provider: - description: 'name of the authentication provider for the policy, empty if no authentication required' - type: array - items: - type: string - maxLength: 127 - maxItems: 1 - oneOf: - - required: [resource, provider] - - required: [expression, provider] - - authorization_policies: - description: 'Authorization policies' - type: array - items: - type: object - description: 'Authorization policy' - properties: - resource: - type: object - description: 'endpoint/resource selection criteria' - properties: - path: - description: 'api resource path e.g. /products. ' - type: array - items: - type: string - maxLength: 511 - method: - description: ' http method' - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT', 'UNKNOWN_METHOD'] - claims: - description: 'authorization scopes required for selected resource saved as claims or attributes' - type: array - items: - type: object - properties: - name: - description: 'name of the claim/attribute to check' - type: string - maxLength: 127 - values: - description: 'list of claim values required for the request' - type: array - items: - type: string - maxLength: 127 - minItems: 1 - required: - - name - - values - required: - - claims - expression: - description: 'ADC syntax expression for authorization' - type: string - maxLength: 1229 - oneOf: - - required: [resource] - - required: [expression] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: listeners.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - 
names: - kind: Listener - plural: listeners - singular: listener - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - required: [spec] - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - required: [protocol] - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - protocol: - type: string - enum: ["https", "http"] - description: "Protocol for this listener" - vip: - type: string - description: "VIP address, Optional for CPX, required for Tier-1 deployments" - secondaryVips: - type: array - description: "An array of Secondary VIPs. All the VIPs will be part of an ipset" - minItems: 1 - items: - type: string - redirectPort: - type: integer - minimum: 1 - maximum: 65535 - description: "Port from which http traffic should be redirected to https" - port: - type: integer - minimum: 1 - maximum: 65535 - certificates: - type: array - description: "certificates attached to the endpoints - Not applicable for HTTP" - minItems: 1 - items: - type: object - properties: - preconfigured: - type: string - description: "Preconfigured Certificate name on ADC " - secret: - type: object - description: "Kuberentes secret object" - required: [name] - properties: - name: - type: string - description: "name of the Kubernetes Secret object where Cert is located" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - namespace: - type: string - description: "Namespace of the kubernetes secret object; Default is same namespace where the Listener object is located" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - default: - type: boolean - description: "Only one of the certificate can be marked as default which will be presented if none of the cert matches with 
the hostname" - oneOf: - - required: ["preconfigured"] - - required: ["secret"] - policies: - type: object - description: "Policies attached to the Listener" - properties: - httpprofile: - type: object - description: "HTTP profile configurations for the Listener, HTTP level configurations" - properties: - preconfigured: - type: string - description: "Preconfigured or Built-in HTTP profile name" - config: - type: object - description: "HTTP profile configuration for the listener. For individual fields, refer:https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ns/nshttpprofile/nshttpprofile/ Name field is auto populated" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - tcpprofile: - type: object - description: "TCP level configurations, uses ns tcpprofile of citrix ADC" - properties: - preconfigured: - description: "Preconfigured or Built-in TCP profile name" - type: string - config: - type: object - description: "TCPprofile configurations for the listener. For individual fields refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ns/nstcpprofile/ ; Name field is auto populated" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - csvserverConfig: - type: object - description: "CS Vserver configuration for the listener" - additionalProperties: - type: string - sslprofile: - type: object - description: "SSL profile configuration" - properties: - preconfigured: - type: string - description: "SSL profile which is preconfigured in ADC. Ciphers bound to the profile is not overriden" - config: - description: "Citrix ADC frontend SSL profile configurations. 
Refer:https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ssl/sslprofile/ for all configurations; Name field is auto generated" - type: object - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - sslciphers: - type: array - description: "List of ciphers to be bound to the ssl profile for the listener. Priority is as per the order in the list. A cipher suite, predefined cipher group or User created cipher group can be mentioned" - minItems: 1 - items: - type: string - description: "Cipher suite, cipher group name" - analyticsprofile: - type: object - description: "Analytics profile configuration" - properties: - preconfigured: - type: array - description: "Preconfigured Analytics profile that needs to be bound to the vserver" - minItems: 1 - items: - type: string - description: "Name of the analytics profile preconfigured that will be bound to the Vserver" - config: - type: array - description: "An array of analytics to be enabled" - minItems: 1 - items: - type: object - description: "Anlytics to be enabled" - required: ['type'] - properties: - type: - description: "Analytics profile to be enabled, you can enable one or more of the webinsight, tcpinsight, securityinsight, videoinsight, hdxinsight, gatewayinsight, timeseries, lsninsight, botinsight " - type: string - enum: ["webinsight", "tcpinsight", "securityinsight", "videoinsight", "hdxinsight", "gatewayinsight", "timeseries", "lsninsight", "botinsight"] - parameters: - type: object - description: "Additional parameters for analytics profile. 
Please refer:https://developer-docs.citrix.com/projects/citrix-adc-nitro-api-reference/en/latest/configuration/analytics/analyticsprofile/" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - routes: - type: array - description: "List of route objects attached to the listener" - minItems: 1 - items: - type: object - properties: - name: - type: string - description: "Name of the HTTPRoute object" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - namespace: - type: string - description: "Namespace of the HTTPRoute object" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - labelSelector: - description: "Labels key value pair, if the route carries the same labels, it is automatically attached" - type: object - additionalProperties: - type: string - oneOf: - - required: [name, namespace] - - required: [labelSelector] - defaultAction: - type: object - description: "Default action for the listener: One of Backend or Redirect" - properties: - backend: - type: object - oneOf: - - required: [kube] - properties: - kube: - type: object - required: [service, port] - properties: - service: - description: "Name of the backend service" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - port: - description: "Service port" - type: integer - minimum: 1 - maximum: 65535 - namespace: - description: "Service namespace" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - backendConfig: - description: "General backend service options" - type: object - properties: - secure_backend: - description: "Use Secure communications to the backends" - type: boolean - lbConfig: - description: "Citrix ADC LB vserver configurations for the backend. 
Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/load-balancing/lbvserver/lbvserver/ for all configurations" - type: object - additionalProperties: - type: string - servicegroupConfig: - description: "Citrix ADC service group configurations for the backend; Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/basic/servicegroup/servicegroup/ for all configurations" - type: object - additionalProperties: - type: string - redirect: - type: object - oneOf: - - required: [targetExpression] - - required: [hostRedirect] - - required: [httpsRedirect] - properties: - httpsRedirect: - description: "Change the scheme from http to https keeping URL intact" - type: boolean - hostRedirect: - description: "Host name specified is used for redirection with URL intact" - type: string - targetExpression: - description: "A target can be specified using Citrix ADC policy expression" - type: string - responseCode: - description: "Default response code is 302, which can be customised using this attribute" - type: integer - minimum: 100 - maximum: 599 - oneOf: - - required: ["backend"] - - required: ["redirect"] - subresources: - # status enables the status subresource. 
- status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: httproutes.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: HTTPRoute - plural: httproutes - singular: httproute - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - required: [rules] - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - hostname: - type: array - description: "List of domain names that share the same route, default is '*'" - minItems: 1 - items: - type: string - description: "Domain name" - rules: - type: array - description: "List Content routing rules with an action defined" - minItems: 1 - items: - type: object - required: [name, action] - properties: - name: - type: string - description: "A name to represent the rule, this is used as an identifier in content routing policy name in ADC" - minLength: 1 - maxLength: 20 - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - match: - type: array - description: "List of rules with same action" - minItems: 1 - items: - type: object - anyOf: - - required: [path] - - required: [headers] - - required: [cookies] - - required: [queryParams] - - required: [method] - - required: [policyExpression] - properties: - path: - type: object - description: "URL Path based content routing" - properties: - prefix: - type: string - description: "URL path matches the prefix expression" - exact: - type: string - description: "URL Path must match exact path" - regex: - type: string - description: "PCRE based 
regex expression for path matching" - headers: - type: array - description: "List of header for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Header details for content routing, Check for existence of a header or header name-value match" - properties: - headerName: - type: object - description: "Header name based content routing, Here existence of header is used for routing" - properties: - exact: - type: string - description: "Header Name - treated as exact must exist" - contains: - type: string - description: "Header Name - A header must exist that contain the string the name" - regex: - type: string - description: "header Name - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e header name must not exist" - oneOf: - - required: [exact] - - required: [contains] - - required: [regex] - headerValue: - type: object - description: "Header Name and Value based match" - properties: - name: - type: string - description: "Header name that must match the value" - exact: - type: string - description: "Header value - treated as exact" - contains: - type: string - description: "Header value - treated as contains" - regex: - type: string - description: "header value - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e header if present must not match the value" - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - queryParams: - type: array - description: "List of Query parameters for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Query parameters Name and Value based match" - properties: - name: - type: string - description: "Query name that must match the value. 
If no value is specified, matches with any value" - exact: - type: string - description: "Query value - Exact match" - contains: - type: string - description: "Query value - value must have the string(substring)" - regex: - type: string - description: "Query value - Value must match this regex patterm" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e query if present must not match the value" - anyOf: - - required: [name] - - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - cookies: - type: array - description: "List of Cookie params for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Cookie based routing" - properties: - name: - type: string - description: "cookie name that must match the value. If no value specified, it matches with any value" - exact: - type: string - description: "cookie value - treated as exact" - contains: - type: string - description: "cookie value - treated as substring" - regex: - type: string - description: "cookie value - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. 
I.e cookie if present must not match the value" - anyOf: - - required: [name] - - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - method: - type: string - description: "HTTP method for content routing eg: POST, PUT, DELETE etc" - policyExpression: - type: string - description: "Citrix ADC policy expressions; refer: https://docs.citrix.com/en-us/netscaler/media/expression-prefix.pdf" - action: - type: object - description: "Action for the matched rule" - properties: - backend: - type: object - oneOf: - - required: [kube] - properties: - kube: - type: object - required: [service, port] - properties: - service: - description: "Name of the backend service" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - port: - description: "Service port" - type: integer - minimum: 1 - maximum: 65535 - backendConfig: - type: object - description: "General backend service options" - properties: - secureBackend: - description: "Use Secure communications to the backends" - type: boolean - lbConfig: - description: "Citrix ADC LB vserver configurations for the backend. 
Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/load-balancing/lbvserver/lbvserver/ for all configurations" - type: object - additionalProperties: - type: string - servicegroupConfig: - description: "Citrix ADC service group configurations for the backend; Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/basic/servicegroup/servicegroup/ for all configurations" - type: object - additionalProperties: - type: string - redirect: - type: object - oneOf: - - required: [targetExpression] - - required: [hostRedirect] - - required: [httpsRedirect] - properties: - httpsRedirect: - description: "Change the scheme from http to https keeping URL intact" - type: boolean - hostRedirect: - description: "Host name specified is used for redirection with URL intact" - type: string - targetExpression: - description: "A target can be specified using Citrix ADC policy expression" - type: string - responseCode: - description: "Default response code is 302, which can be customised using this attribute" - type: integer - minimum: 100 - maximum: 599 - oneOf: - - required: ["backend"] - - required: ["redirect"] - subresources: - # status enables the status subresource. - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - # name must match the spec fields below, and be in the form: . 
- name: continuousdeployments.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: continuousdeployment - plural: continuousdeployments - singular: continuousdeployment - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - cronSpec: - type: integer - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: wafs.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: waf - plural: wafs - singular: waf - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the waf policies are applied.' 
- type: array - items: - type: string - maxLength: 127 - application_type: - description: 'Type of applications to protect' - type: array - items: - type: string - enum: ['HTML', 'JSON', 'XML'] - signatures: - description: 'Location of external signature file' - type: string - redirect_url: - description: 'When a URL is blocked/down, redirect_url represents the alternate URL where the client requests should be sent.' - type: string - html_error_object: - description: 'Location of customized error page to respond when html or common violation are hit' - type: string - xml_error_object: - description: 'Location of customized error page to respond when xml violations are hit' - type: string - json_error_object: - description: 'Location of customized error page to respond when json violations are hit' - type: string - ip_reputation: - type: object - x-kubernetes-preserve-unknown-fields: true - description: 'Enabling IP reputation feature' - target: - description: 'To control what traffic to be inspected by Web Application Firewall. 
If you do not provide the target, everything will be inspected by default' - type: object - properties: - path: - type: array - description: "List of http urls to inspect" - items: - type: string - description: "URL path" - method: - type: array - description: "List of http methods to inspect" - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT', 'UNKNOWN_METHOD'] - header: - type: array - description: "List of http headers to inspect" - items: - type: string - description: "header name" - security_checks: - description: 'To enable/disable application firewall security checks' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true - settings: - description: 'To fine tune application firewall security checks default settings' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true - relaxations: - description: 'Section which contains relaxation rules for known traffic and false positives' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true - enforcements: - description: 'Section which contains enforcement or restriction rules' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: 
true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: bots.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: bot - plural: bots - singular: bot - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the bot policies are applied.' - type: array - items: - type: string - maxLength: 127 - signatures: - description: 'Location of external bot signature file' - type: string - redirect_url: - description: 'url to redirect when bot violation is hit' - type: string - target: - description: 'To control what traffic to be inspected by BOT. 
If you do not provide the target, everything will be inspected by default' - type: object - properties: - path: - type: array - description: "List of http urls to inspect" - items: - type: string - description: "URL path" - method: - type: array - description: "List of http methods to inspect" - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT', 'UNKNOWN_METHOD'] - header: - type: array - description: "List of http headers to inspect" - items: - type: string - description: "header name" - security_checks: - description: 'To enable/disable bot ecurity checks' - type: object - properties: - allow_list: - type: string - enum: ['ON', 'OFF'] - block_list: - type: string - enum: ['ON', 'OFF'] - device_fingerprint: - type: object - x-kubernetes-preserve-unknown-fields: true - reputation: - type: string - enum: ['ON', 'OFF'] - ratelimit: - type: string - enum: ['ON', 'OFF'] - tps: - type: string - enum: ['ON', 'OFF'] - trap: - type: object - x-kubernetes-preserve-unknown-fields: true - bindings: - description: 'Section which contains binding rules for bot security checks' - type: object - properties: - allow_list: - type: array - items: - type: object - properties: - subnet: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - expression: - type: object - x-kubernetes-preserve-unknown-fields: true - - block_list: - type: array - items: - type: object - properties: - subnet: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - expression: - type: object - x-kubernetes-preserve-unknown-fields: true - ratelimit: - type: array - items: - type: object - properties: - url: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - cookie: - type: object - x-kubernetes-preserve-unknown-fields: true - reputation: - 
type: object - x-kubernetes-preserve-unknown-fields: true - captcha: - type: array - items: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - tps: - type: object - properties: - geolocation: - type: object - x-kubernetes-preserve-unknown-fields: true - host: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - trapinsertion: - type: object - x-kubernetes-preserve-unknown-fields: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: apigatewaypolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: apigatewaypolicy - plural: apigatewaypolicies - singular: apigatewaypolicy - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - subresources: - status: {} - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - api_definition: - type: object - properties: - repository: - type: string - branch: - type: string - oas_secret_ref: - type: string - files: - type: array - items: - type: string - maxLength: 127 - api_proxy: - type: object - properties: - ipaddress: - type: string - port: - type: integer - protocol: - type: string - secret: - type: string - policies: - type: array - items: - type: object - properties: - name: - type: string - selector: - type: array - items: - type: object - properties: - tags: - type: array - items: - type: string - api: - type: string - method: - type: array - items: - type: string - 
maxLength: 127 - upstream: - type: object - properties: - service: - type: string - port: - type: integer - policy_bindings: - type: object - properties: - ratelimit: - type: object - properties: - name: - type: string - waf: - type: object - properties: - name: - type: string - rewritepolicy: - type: object - properties: - name: - type: string - bot: - type: object - properties: - name: - type: string - aaa: - type: array - items: - type: object - properties: - crd_name: - type: string - mappings: - type: array - items: - type: object - properties: - petstore_auth: - type: string - api_key: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: corspolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: corspolicy - plural: corspolicies - singular: corspolicy - shortNames: - - cp - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: 'Current Status of the CRD' - jsonPath: .status.state - - name: Message - type: string - description: 'Status Message' - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'The list of Kubernetes services to which you want to apply the cors policies.' 
- type: array - items: - type: string - maxLength: 63 - allow_origin: - description: 'Represents list of allowed origins, it is used to screen the “origin” in the cors pre flight request' - type: array - items: - type: string - maxLength: 2083 - allow_methods: - description: 'Indicates which methods are supported by the response’s URL for the purposes of the CORS protocol. This variable will be used to set Access-Control-Allow-Methods in the pre-flight cors response.' - type: array - items: - type: string - maxLength: 127 - allow_headers: - description: 'Indicates which headers are supported by the response’s URL for the purposes of the CORS protocol. This variable will be used to set Access-Control-Allow-Headers in the pre-flight cors response.' - type: array - items: - type: string - maxLength: 127 - max_age: - description: 'Indicates the number of seconds (5 by default) the information provided by the `Access-Control-Allow-Methods` and `Access-Control-Allow-Headers` headers can be cached. This variable will be used to set Access-Control-Max-Age in the pre-flight cors response.' - type: integer - allow_credentials: - description: 'Indicates whether the response can be shared when the request’s credentials mode is "include". This variable will be set to Access-Control-Allow-Credentials in the rewrite action.' 
- type: boolean - required: [servicenames, allow_origin, allow_methods, allow_headers] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: appqoepolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: appqoepolicy - plural: appqoepolicies - singular: appqoepolicy - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - appqoe-policies: - type: array - items: - type: object - properties: - servicenames: - description: 'Name of the services that needs to be binded to appqoe policy.' - type: array - items: - type: string - maxLength: 127 - appqoe-policy: - type: object - properties: - operation-retry: - type: object - properties: - on-reset: - description: "To set Retry on Connection Reset or Not" - type: string - enum: ['YES','NO'] - on-timeout: - description: "Time in milliseconds for retry" - type: integer - minimum: 30 - maximum: 2000 - number-of-retries: - description: "To set number of retries" - type: integer - minimum: 1 - maximum: 7 - required: [operation-retry] - appqoe-criteria: - description: 'Expression against which traffic is evaluated.' - type: string - maxLength: 1299 - direction: - description: 'Bind point to which to bind the policy.' 
- type: string - enum: ["REQUEST","RESPONSE"] - required: [appqoe-criteria, operation-retry] - required: [appqoe-policy] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: wildcarddnsentries.citrix.com -spec: - group: citrix.com - names: - kind: wildcarddnsentry - plural: wildcarddnsentries - singular: wildcarddnsentry - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: Current Status of the CRD - jsonPath: .status.state - - name: Message - type: string - description: Status Message - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - zone: - type: object - description: DNS configuration for a zone - properties: - domain: - type: string - description: Domain name - dnsaddrec: - type: object - description: DNS Address record - properties: - domain-ip: - type: string - description: IPv4 addresses to assign to the domain name - ttl: - type: integer - description: >- - TTL is the time for which the record must be cached - by DNS proxies - dnsaaaarec: - type: object - description: DNS AAAA record - properties: - domain-ip: - type: string - description: IPv6 addresses to assign to the domain name - ttl: - type: integer - description: >- - TTL is the time for which the record must be cached - by DNS proxies - soarec: - type: object - description: SOA record - properties: - origin-server: - type: string - description: Origin server domain - contact: - type: string - description: Admin contact - serial: - type: integer - description: >- - The secondary server uses this parameter to - determine whether it requires a zone transfer from - the primary server. 
- refresh: - type: integer - description: >- - Time, in seconds, for which a secondary server must - wait between successive checks on the value of the - serial number. - retry: - type: integer - description: >- - Time, in seconds, between retries if a secondary server's - attempt to contact the primary server for a zone refresh fails. - expire: - type: integer - description: >- - Time, in seconds, after which the zone data on a secondary - nameserver can no longer be considered authoritative because - all refresh and retry attempts made during the period have failed." - nsrec: - type: object - description: Name server record - properties: - nameserver: - type: string - description: Host name of the name server to add to the domain. - ttl: - type: integer - description: >- - Time to Live (TTL), in seconds, for the record. TTL - is the time for which the record must be cached by - DNS proxies. The specified TTL is applied to all the - resource records that are of the same record type - and belong to the specified domain name ---- -{{- end }} diff --git a/charts/citrix/citrix-ingress-controller/1.30.1/templates/citrix-k8s-ingress.yaml b/charts/citrix/citrix-ingress-controller/1.30.1/templates/citrix-k8s-ingress.yaml deleted file mode 100644 index ac0ba09fad..0000000000 --- a/charts/citrix/citrix-ingress-controller/1.30.1/templates/citrix-k8s-ingress.yaml +++ /dev/null 
@@ -1,264 +0,0 @@ -{{- if .Values.openshift }} -apiVersion: apps.openshift.io/v1 -kind: DeploymentConfig -{{- else }} -apiVersion: apps/v1 -kind: Deployment -{{- end }} -metadata: - name: {{ include "citrix-ingress-controller.fullname" . }} - namespace: {{ .Release.Namespace }} -spec: - selector: -{{- if .Values.openshift }} - router: {{ include "citrix-ingress-controller.fullname" . }} -{{- else }} - matchLabels: - app: {{ include "citrix-ingress-controller.fullname" . }} -{{- end }} - replicas: 1 -{{- if .Values.openshift }} - strategy: - resources: {} - rollingParams: - intervalSeconds: 1 - maxSurge: 0 - maxUnavailable: 25% - timeoutSeconds: 600 - updatePeriodSeconds: 1 - type: Rolling -{{- end }} - template: - metadata: - name: cic - labels: -{{- if .Values.openshift }} - router: {{ include "citrix-ingress-controller.fullname" . }} -{{- else }} - app: {{ include "citrix-ingress-controller.fullname" . }} -{{- end }} -{{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} -{{- end }} - spec: - serviceAccountName: {{ include "citrix-ingress-controller.serviceAccountName" . }} - containers: - - name: cic - image: "{{ tpl .Values.image . }}" - imagePullPolicy: {{ .Values.pullPolicy }} - args: - - --configmap - {{ .Release.Namespace }}/{{ include "cicconfigmap.fullname" . 
}} -{{- if .Values.defaultSSLCertSecret }} - - --default-ssl-certificate - {{ .Release.Namespace }}/{{ .Values.defaultSSLCertSecret }} -{{- end }} -{{- if .Values.ingressClass }} - - --ingress-classes -{{- range .Values.ingressClass}} - {{.}} -{{- end }} -{{- end }} -{{- if .Values.serviceClass }} - - --service-classes -{{- range .Values.serviceClass}} - {{.}} -{{- end }} -{{- end }} - - --feature-node-watch - {{ .Values.nodeWatch }} - - --enable-cnc-pbr - {{ .Values.cncPbr }} -{{- if .Values.ipam }} - - --ipam - citrix-ipam-controller -{{- end }} -{{- if .Values.disableAPIServerCertVerify }} - - --disable-apiserver-cert-verify - {{ .Values.disableAPIServerCertVerify }} -{{- end }} -{{- if .Values.updateIngressStatus }} - - --update-ingress-status - yes -{{- end }} - env: - - name: "NS_IP" - value: "{{ .Values.nsIP }}" -{{- if .Values.nsVIP }} - - name: "NS_VIP" - value: "{{ .Values.nsVIP }}" -{{- end }} -{{- if .Values.rbacRole }} - - name: "SCOPE" - value: "local" -{{- end }} -{{- if .Values.nitroReadTimeout }} - - name: "NS_NITRO_READ_TIMEOUT" - value: "{{ .Values.nitroReadTimeout }}" -{{- end }} - - name: "NS_USER" - {{- if and .Values.secretStore.enabled .Values.secretStore.username}} - {{- toYaml .Values.secretStore.username | nindent 10 }} - {{- else }} - valueFrom: - secretKeyRef: - name: {{ .Values.adcCredentialSecret }} - key: username - {{- end }} - - name: "NS_PASSWORD" - {{- if and .Values.secretStore.enabled .Values.secretStore.password}} - {{- toYaml .Values.secretStore.password | nindent 10 }} - {{- else }} - valueFrom: - secretKeyRef: - name: {{ .Values.adcCredentialSecret }} - key: password - {{- end }} - - name: "EULA" - value: "{{ .Values.license.accept }}" -{{- if and .Values.openshift .Values.routeLabels }} - - name: "ROUTE_LABELS" - value: {{ .Values.routeLabels | quote}} -{{- end }} -{{- if and .Values.openshift .Values.namespaceLabels }} - - name: "NAMESPACE_LABELS" - value: {{ .Values.namespaceLabels | quote }} -{{- end }} - - name: 
"NS_APPS_NAME_PREFIX" - value: {{ .Values.entityPrefix | default "k8s"| quote }} -{{- if .Values.kubernetesURL }} - - name: "kubernetes_url" - value: "{{ .Values.kubernetesURL }}" -{{- end }} -{{- if .Values.clusterName }} - - name: "CLUSTER_NAME" - value: "{{ .Values.clusterName }}" -{{- end }} -{{- if .Values.logProxy }} - - name: "NS_LOGPROXY" - value: "{{ .Values.logProxy }}" -{{- end }} -{{- if .Values.disableOpenshiftRoutes }} - - name: "DISABLE_OPENSHIFT_ROUTES" - value: "{{ .Values.disableOpenshiftRoutes }}" -{{- end }} -{{- if .Values.nsConfigDnsRec }} - - name: "NS_CONFIG_DNS_REC" - value: "{{ .Values.nsConfigDnsRec }}" -{{- end }} -{{- if .Values.nsSvcLbDnsRec }} - - name: "NS_SVC_LB_DNS_REC" - value: "{{ .Values.nsSvcLbDnsRec }}" -{{- end }} -{{- if .Values.optimizeEndpointBinding }} - - name: "OPTIMIZE_ENDPOINT_BINDING" - value: "{{ .Values.optimizeEndpointBinding }}" -{{- end }} - resources: - {{- toYaml .Values.resources | nindent 12 }} - {{- if ne (len .Values.extraVolumeMounts) 0 }} - volumeMounts: -{{- toYaml .Values.extraVolumeMounts | nindent 8 }} - {{- end }} -{{- if .Values.exporter.required }} - - name: exporter - image: "{{ tpl .Values.exporter.image . 
}}" - imagePullPolicy: {{ .Values.exporter.pullPolicy }} - args: - - "--target-nsip={{ .Values.nsIP }}" - - "--port={{ .Values.exporter.ports.containerPort }}" - env: - - name: "NS_USER" - {{- if and .Values.secretStore.enabled .Values.secretStore.username}} - {{- toYaml .Values.secretStore.username | nindent 10 }} - {{- else }} - valueFrom: - secretKeyRef: - name: {{ .Values.adcCredentialSecret }} - key: username - {{- end }} - - name: "NS_PASSWORD" - {{- if and .Values.secretStore.enabled .Values.secretStore.password}} - {{- toYaml .Values.secretStore.password | nindent 10 }} - {{- else }} - valueFrom: - secretKeyRef: - name: {{ .Values.adcCredentialSecret }} - key: password - {{- end }} - {{- if ne (len .Values.exporter.extraVolumeMounts) 0 }} - volumeMounts: - {{- toYaml .Values.exporter.extraVolumeMounts | nindent 8 }} - {{- end }} - securityContext: - readOnlyRootFilesystem: true - resources: -{{- toYaml .Values.exporter.resources | nindent 12 }} -{{- end }} -{{- if or (and .Values.extraVolumeMounts .Values.extraVolumes) (and .Values.exporter.extraVolumeMounts .Values.extraVolumes) }} - volumes: -{{- end }} -{{- if ne (len .Values.extraVolumes) 0 }} -{{ toYaml .Values.extraVolumes | indent 6 }} -{{- end }} -{{- if and .Values.nodeSelector.key .Values.nodeSelector.value }} - nodeSelector: - {{ .Values.nodeSelector.key }}: {{ .Values.nodeSelector.value }} -{{- end }} -{{- if .Values.tolerations }} - tolerations: {{ .Values.tolerations | toYaml | nindent 8 }} -{{- end }} -{{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} -{{- end }} - ---- - -{{- if .Values.exporter.required }} - - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "exporter.fullname" . }} - labels: - app: {{ include "exporter.fullname" . }} - service-type: {{ include "servicemonitorlabel" . 
}} -spec: - type: ClusterIP - ports: - - port: {{ .Values.exporter.ports.containerPort }} - targetPort: {{ .Values.exporter.ports.containerPort }} - name: exporter-port - selector: -{{- if .Values.openshift }} - router: {{ include "citrix-ingress-controller.fullname" . }} -{{- else }} - app: {{ include "citrix-ingress-controller.fullname" . }} -{{- end }} - ---- - -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ include "servicemonitor.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - servicemonitor: citrix-adc -spec: - endpoints: - - interval: 30s - port: exporter-port - selector: - matchLabels: - service-type: {{ include "servicemonitorlabel" . }} - namespaceSelector: - matchNames: - - monitoring - - default - - {{ .Release.Namespace }} - -{{- end }} diff --git a/charts/citrix/citrix-ingress-controller/1.30.1/templates/configmap.yaml b/charts/citrix/citrix-ingress-controller/1.30.1/templates/configmap.yaml deleted file mode 100644 index 586906391b..0000000000 --- a/charts/citrix/citrix-ingress-controller/1.30.1/templates/configmap.yaml +++ /dev/null 
@@ -1,75 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "cicconfigmap.fullname" . }}
- namespace: {{ .Release.Namespace }}
-data:
- LOGLEVEL: {{ .Values.logLevel | quote | lower }}
- JSONLOG: {{ .Values.jsonLog | quote | lower }}
- NS_PROTOCOL: {{ .Values.nsProtocol | quote | lower }}
- NS_PORT: {{ .Values.nsPort | quote }}
-{{- if .Values.nsSNIPS }}
- NS_SNIPS: {{ .Values.nsSNIPS | toJson}}
-{{- end }}
-{{- if and .Values.analyticsConfig.required .Values.nsEnableLabel }}
- NS_ENABLE_LABELS: {{ .Values.nsEnableLabel | quote}}
-{{- end }}
-{{- if .Values.podIPsforServiceGroupMembers }}
- POD_IPS_FOR_SERVICEGROUP_MEMBERS: {{ .Values.podIPsforServiceGroupMembers | quote }}
-{{- end }}
-{{- if .Values.ignoreNodeExternalIP }}
- IGNORE_NODE_EXTERNAL_IP: {{ .Values.ignoreNodeExternalIP | quote }}
-{{- end }}
-
-{{- if ne (upper .Values.nsHTTP2ServerSide) "OFF" }}
- NS_HTTP2_SERVER_SIDE: {{ .Values.nsHTTP2ServerSide | quote }}
-{{- end }}
-{{- if ne (toString .Values.nsCookieVersion) "0" }}
- NS_COOKIE_VERSION: {{ .Values.nsCookieVersion | quote }}
-{{- end }}
-{{- if .Values.nsDnsNameserver }}
- NS_DNS_NAMESERVER: {{ .Values.nsDnsNameserver }}
-{{- end }}
-
-{{- if .Values.analyticsConfig.required }}
- NS_ANALYTICS_CONFIG: |
- distributed_tracing:
- enable: {{ .Values.analyticsConfig.distributedTracing.enable | quote }}
- samplingrate: {{ .Values.analyticsConfig.distributedTracing.samplingrate }}
- endpoint:
- server: {{ include "analytics.server" . | quote }}
- service: {{ .Values.analyticsConfig.endpoint.service | quote }}
- timeseries:
- port: {{ .Values.analyticsConfig.timeseries.port }}
- metrics:
- enable: {{ .Values.analyticsConfig.timeseries.metrics.enable | quote }}
- mode: {{ .Values.analyticsConfig.timeseries.metrics.mode | quote }}
- auditlogs:
- enable: {{ .Values.analyticsConfig.timeseries.auditlogs.enable | quote }}
- events:
- enable: {{ .Values.analyticsConfig.timeseries.events.enable | quote }}
- transactions:
- enable: {{ .Values.analyticsConfig.transactions.enable | quote }}
- port: {{ .Values.analyticsConfig.transactions.port }}
-{{- end }}
-
-{{- if .Values.nsLbHashAlgo.required }}
- NS_LB_HASH_ALGO: |
- hashFingers: {{ .Values.nsLbHashAlgo.hashFingers }}
- hashAlgorithm: {{ .Values.nsLbHashAlgo.hashAlgorithm | quote }}
-{{- end }}
-
-{{- if .Values.profileSslFrontend }}
- FRONTEND_SSL_PROFILE: |
- {{- toYaml .Values.profileSslFrontend | nindent 4 }}
-{{- end }}
-
-{{- if .Values.profileTcpFrontend }}
- FRONTEND_TCP_PROFILE: |
- {{- toYaml .Values.profileTcpFrontend | nindent 4 }}
-{{- end }}
-
-{{- if .Values.profileHttpFrontend }}
- FRONTEND_HTTP_PROFILE: |
- {{- toYaml .Values.profileHttpFrontend | nindent 4 }}
-{{- end }}
\ No newline at end of file
diff --git a/charts/citrix/citrix-ingress-controller/1.30.1/templates/ingressclass.yaml b/charts/citrix/citrix-ingress-controller/1.30.1/templates/ingressclass.yaml
deleted file mode 100644
index d75537b79f..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.30.1/templates/ingressclass.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{{- $default := .Values.setAsDefaultIngressClass -}}
-{{- if semverCompare ">=1.19.0-0" .Capabilities.KubeVersion.GitVersion }}
-{{- if .Values.ingressClass }}
-{{- range .Values.ingressClass }}
-apiVersion: networking.k8s.io/v1
-kind: IngressClass
-metadata:
- name: {{ . | quote }}
-{{- if $default }}
- annotations:
- ingressclass.kubernetes.io/is-default-class: "true"
-{{- end }}
-spec:
- controller: citrix.com/ingress-controller
----
-{{- end }}
-{{- end }}
-{{- end }}
diff --git a/charts/citrix/citrix-ingress-controller/1.30.1/templates/rbac.yaml b/charts/citrix/citrix-ingress-controller/1.30.1/templates/rbac.yaml
deleted file mode 100644
index c20c1512e0..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.30.1/templates/rbac.yaml
+++ /dev/null
@@ -1,106 +0,0 @@
-{{- if not .Values.rbacRole }}
-kind: ClusterRole
-{{- else }}
-kind: Role
-{{- end }}
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: {{ include "citrix-ingress-controller.serviceAccountName" . }}
-{{- if .Values.rbacRole }}
- namespace: {{ .Release.Namespace }}
-{{- end }}
-rules:
- - apiGroups: [""]
-{{- if .Values.openshift }}
- resources: ["endpoints", "pods", "secrets", "routes", "tokenreviews", "subjectaccessreviews", "nodes", "namespaces", "configmaps", "services"]
-{{- else }}
- resources: ["endpoints", "pods", "secrets", "routes", "nodes", "namespaces", "configmaps", "services"]
-{{- end }}
- verbs: ["get", "list", "watch"]
- # services/status is needed to update the loadbalancer IP in service status for integrating
- # service of type LoadBalancer with external-dns
- - apiGroups: [""]
- resources: ["services/status"]
- verbs: ["patch"]
- - apiGroups: [""]
- resources: ["events"]
- verbs: ["create"]
- - apiGroups: ["extensions", "networking.k8s.io"]
- resources: ["ingresses"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["extensions","networking.k8s.io"]
- resources: ["ingresses/status"]
- verbs: ["patch"]
- - apiGroups: ["networking.k8s.io"]
- resources: ["ingressclasses"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["apiextensions.k8s.io"]
- resources: ["customresourcedefinitions"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["apps"]
- resources: ["deployments"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["citrix.com"]
- resources: ["rewritepolicies", "continuousdeployments", "authpolicies", "ratelimits", "listeners", "httproutes", "wafs", "apigatewaypolicies", "bots", "corspolicies", "appqoepolicies", "wildcarddnsentries"]
- verbs: ["get", "list", "watch", "create", "delete", "patch"]
- - apiGroups: ["citrix.com"]
- resources: ["rewritepolicies/status", "continuousdeployments/status", "authpolicies/status", "ratelimits/status", "listeners/status", "httproutes/status", "wafs/status", "apigatewaypolicies/status", "bots/status", "corspolicies/status", "appqoepolicies/status", "wildcarddnsentries/status"]
- verbs: ["patch"]
- - apiGroups: ["citrix.com"]
- resources: ["vips"]
- verbs: ["get", "list", "watch", "create", "delete"]
- - apiGroups: ["crd.projectcalico.org"]
- resources: ["ipamblocks"]
- verbs: ["get", "list", "watch"]
-{{- if .Values.openshift }}
- - apiGroups: ["route.openshift.io"]
- resources: ["routes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["network.openshift.io"]
- resources: ["hostsubnets"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["config.openshift.io"]
- resources: ["networks"]
- verbs: ["get", "list"]
-{{- end }}
-
----
-
-{{- if not .Values.rbacRole }}
-kind: ClusterRoleBinding
-{{- else }}
-kind: RoleBinding
-{{- end }}
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: {{ include "citrix-ingress-controller.serviceAccountName" . }}
-{{- if .Values.rbacRole }}
- namespace: {{ .Release.Namespace }}
-{{- end }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
-{{- if not .Values.rbacRole }}
- kind: ClusterRole
-{{- else }}
- kind: Role
-{{- end }}
- name: {{ include "citrix-ingress-controller.serviceAccountName" . }}
-subjects:
-- kind: ServiceAccount
- name: {{ include "citrix-ingress-controller.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
-
----
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ include "citrix-ingress-controller.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
-{{- if .Values.imagePullSecrets }}
-imagePullSecrets:
-{{- range .Values.imagePullSecrets }}
-- name: {{.}}
-{{- end }}
-{{- end }}
-
diff --git a/charts/citrix/citrix-ingress-controller/1.30.1/values.yaml b/charts/citrix/citrix-ingress-controller/1.30.1/values.yaml
deleted file mode 100644
index 7c1531e051..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.30.1/values.yaml
+++ /dev/null
@@ -1,199 +0,0 @@ -# Default values for citrix-ingress-controller. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -# Citrix Ingress Controller config details -imageRegistry: quay.io -imageRepository: citrix/citrix-k8s-ingress-controller -imageTag: 1.30.1 -image: "{{ .Values.imageRegistry }}/{{ .Values.imageRepository }}:{{ .Values.imageTag }}" -pullPolicy: IfNotPresent -imagePullSecrets: [] -nameOverride: "" -fullnameOverride: "" -openshift: false -adcCredentialSecret: # K8s Secret Name -# Enable secretStore to implement CSI Secret Provider classes for holding the nslogin credentials -secretStore: - enabled: false - username: {} - #valueFrom: - # configMapKeyRef: - # name: test1 - # key: username - password: {} - #valueFrom: - # configMapKeyRef: - # name: test1 - # key: password -nsIP: x.x.x.x -nsVIP: -nsSNIPS: -license: - accept: no -nsPort: 443 -nsProtocol: HTTPS -nsEnableLabel: true -# nitroReadTimeout is timeout value in seconds for nitro api read timeout(default is 20) -nitroReadTimeout: -logLevel: INFO -jsonLog: false -entityPrefix: -kubernetesURL: -clusterName: -ingressClass: -setAsDefaultIngressClass: False -serviceClass: -defaultSSLCertSecret: -podIPsforServiceGroupMembers: False -ignoreNodeExternalIP: False -ipam: False -# API server Cert verification can be disabled, while communicating with API Server, if disableAPIServerCertVerify set to True -disableAPIServerCertVerify: False -logProxy: -nodeWatch: false -cncPbr: False -nodeSelector: - key: - value: -tolerations: [] -updateIngressStatus: True -nsHTTP2ServerSide: "OFF" -nsCookieVersion: "0" -nsConfigDnsRec: -nsSvcLbDnsRec: -nsDnsNameserver: -optimizeEndpointBinding: -routeLabels: -namespaceLabels: -disableOpenshiftRoutes: -profileSslFrontend: {} - # preconfigured: my_ssl_profile - # OR - # config: - # tls13: 'ENABLED' - # hsts: 'ENABLED' -profileHttpFrontend: {} - # preconfigured: my_http_profile - # OR - # config: - # dropinvalreqs: 'ENABLED' - # websocket: 
'ENABLED' -profileTcpFrontend: {} - # preconfigured: my_tcp_profile - # OR - # config: - # sack: 'ENABLED' - # nagle: 'ENABLED' - -# Exporter config details -exporter: - required: false - imageRegistry: quay.io - imageRepository: citrix/citrix-adc-metrics-exporter - imageTag: 1.4.9 - image: "{{ .Values.exporter.imageRegistry }}/{{ .Values.exporter.imageRepository }}:{{ .Values.exporter.imageTag }}" - pullPolicy: IfNotPresent - ports: - containerPort: 8888 - resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - extraVolumeMounts: [] - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. - #- name: github-key - # mountPath: /etc/config/keys/ - # readOnly: true - #- name: agent-init-scripts - # mountPath: /docker-entrypoint.d/ - -# For CRDs supported by Citrix Ingress Controller -crds: - install: false - retainOnDelete: false - -# Enable RBAC role (so called local role), by default CIC deployed with ClusterRole. 
-# below variable to deploy CIC with RBAC role, only ingress service supported with this config -rbacRole: False - -# Config required to be done by Citrix Ingress Controller for sending metrics to Citrix Observability Exporter -analyticsConfig: - required: false - distributedTracing: - enable: false - samplingrate: 100 - endpoint: - server: - service: - timeseries: - port: 30002 - metrics: - enable: false - mode: 'avro' - auditlogs: - enable: false - events: - enable: false - transactions: - enable: false - port: 30001 - -nsLbHashAlgo: - required: false - hashFingers: 256 - hashAlgorithm: 'DEFAULT' - -# Specifies whether a ServiceAccount should be created -serviceAccount: - create: true - # The name of the ServiceAccount to use. - # If not set and `create` is true, a name is generated using the fullname template - # name: - -podAnnotations: {} - -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # Following values depends on no of ingresses configured by Ingress Controllers, so it is - # advised to test with maximum no of ingresses to set these values. - # limits: - # cpu: 1000m - # memory: 1000Mi - # requests: - # cpu: 500m - # memory: 500Mi - -affinity: {} - -extraVolumeMounts: [] - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. - #- name: github-key - # mountPath: /etc/config/keys/ - # readOnly: true - #- name: agent-init-scripts - # mountPath: /docker-entrypoint.d/ - -extraVolumes: [] - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. 
- #- name: agent-init-scripts
- # configMap:
- # name: agent-init-scripts
- # defaultMode: 0755
- #- name: github-key
- # secret:
- # secretName: github-key
- # defaultMode: 0744
diff --git a/charts/citrix/citrix-ingress-controller/1.32.7/Chart.yaml b/charts/citrix/citrix-ingress-controller/1.32.7/Chart.yaml
deleted file mode 100644
index 575881b61b..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.32.7/Chart.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-annotations:
- catalog.cattle.io/certified: partner
- catalog.cattle.io/display-name: Citrix Ingress Controller
- catalog.cattle.io/kube-version: '>=v1.16.0-0'
- catalog.cattle.io/release-name: citrix-ingress-controller
-apiVersion: v2
-appVersion: 1.32.7
-deprecated: true
-description: A Helm chart for Citrix Ingress Controller configuring MPX/VPX.
-home: https://www.cloud.com
-icon: https://raw.githubusercontent.com/citrix/citrix-helm-charts/gh-pages/icon.png
-kubeVersion: '>=v1.16.0-0'
-maintainers:
-- email: priyanka.sharma@cloud.com
- name: priyankash-citrix
-- email: subash.dangol@cloud.com
- name: subashd
-name: citrix-ingress-controller
-sources:
-- https://github.com/citrix/citrix-k8s-ingress-controller
-version: 1.32.7
diff --git a/charts/citrix/citrix-ingress-controller/1.32.7/README.md b/charts/citrix/citrix-ingress-controller/1.32.7/README.md
deleted file mode 100644
index 5f6711c373..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.32.7/README.md
+++ /dev/null
@@ -1,496 +0,0 @@ -# Citrix Ingress Controller - -[Citrix](https://www.citrix.com/en-in/) provides an Ingress Controller for Citrix ADC MPX (hardware), Citrix ADC VPX (virtualized), and [Citrix ADC CPX](https://docs.citrix.com/en-us/citrix-adc-cpx/13/about.html) (containerized) for [bare metal](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/deployment/baremetal) and [cloud](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/deployment) deployments. It configures one or more Citrix ADC based on the Ingress resource configuration in [Kubernetes](https://kubernetes.io/) or in [OpenShift](https://www.openshift.com) cluster. - -## TL;DR; - -### For Kubernetes - ``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install cic citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret= - ``` - - To install Citrix Provided Custom Resource Definition(CRDs) along with Citrix Ingress Controller - ``` - helm install cic citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,crds.install=true - ``` - -### For OpenShift - - ``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install cic citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,openshift=true - ``` - - To install Citrix Provided Custom Resource Definition(CRDs) along with Citrix Ingress Controller - ``` - helm install cic citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,openshift=true,crds.install=true - ``` - -> **Important:** -> -> The `license.accept` argument is mandatory. Ensure that you set the value as `yes` to accept the terms and conditions of the Citrix license. - -## Introduction -This Helm chart deploys Citrix ingress controller in the [Kubernetes](https://kubernetes.io) or in the [Openshift](https://www.openshift.com) cluster using [Helm](https://helm.sh) package manager. 
- -### Prerequisites - -- The [Kubernetes](https://kubernetes.io/) version should be 1.16 and above if using Kubernetes environment. -- The [Openshift](https://www.openshift.com) version 4.8 or later if using OpenShift platform. -- The [Helm](https://helm.sh/) version 3.x or later. You can follow instruction given [here](https://github.com/citrix/citrix-helm-charts/blob/master/Helm_Installation_version_3.md) to install the same. -- You determine the NS_IP IP address needed by the controller to communicate with Citrix ADC. The IP address might be anyone of the following depending on the type of Citrix ADC deployment: - - - (Standalone appliances) NSIP - The management IP address of a standalone Citrix ADC appliance. For more information, see [IP Addressing in Citrix ADC](https://docs.citrix.com/en-us/citrix-adc/12-1/networking/ip-addressing.html). - - - (Appliances in High Availability mode) SNIP - The subnet IP address. For more information, see [IP Addressing in Citrix ADC](https://docs.citrix.com/en-us/citrix-adc/12-1/networking/ip-addressing.html). - - - (Appliances in Clustered mode) CLIP - The cluster management IP (CLIP) address for a clustered Citrix ADC deployment. For more information, see [IP addressing for a cluster](https://docs.citrix.com/en-us/citrix-adc/12-1/clustering/cluster-overview/ip-addressing.html). - -- You have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator), if you want to view the metrics of the Citrix ADC CPX collected by the [metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics). - -- The user name and password of the Citrix ADC VPX or MPX appliance used as the ingress device. The Citrix ADC appliance needs to have system user account (non-default) with certain privileges so that Citrix ingress controller can configure the Citrix ADC VPX or MPX appliance. 
For instructions to create the system user account on Citrix ADC, see [Create System User Account for CIC in Citrix ADC](#create-system-user-account-for-cic-in-citrix-adc). - - You can pass user name and password using Kubernetes secrets. Create a Kubernetes secret for the user name and password using the following command: - - ``` - kubectl create secret generic nslogin --from-literal=username='cic' --from-literal=password='mypassword' - ``` - -#### Create system User account for Citrix ingress controller in Citrix ADC - -Citrix ingress controller configures the Citrix ADC using a system user account of the Citrix ADC. The system user account should have certain privileges so that the CIC has permission configure the following on the Citrix ADC: - -- Add, Delete, or View Content Switching (CS) virtual server -- Configure CS policies and actions -- Configure Load Balancing (LB) virtual server -- Configure Service groups -- Cofigure SSl certkeys -- Configure routes -- Configure user monitors -- Add system file (for uploading SSL certkeys from Kubernetes) -- Configure Virtual IP address (VIP) -- Check the status of the Citrix ADC appliance - -> **Note:** -> -> The system user account would have privileges based on the command policy that you define. - -To create the system user account, do the following: - -1. Log on to the Citrix ADC appliance. Perform the following: - 1. Use an SSH client, such as PuTTy, to open an SSH connection to the Citrix ADC appliance. - - 2. Log on to the appliance by using the administrator credentials. - -2. Create the system user account using the following command: - - ``` - add system user - ``` - - For example: - - ``` - add system user cic mypassword - ``` - -3. Create a policy to provide required permissions to the system user account. 
Use the following command: - - ``` - add cmdpolicy cic-policy ALLOW '^(\?!shell)(\?!sftp)(\?!scp)(\?!batch)(\?!source)(\?!.*superuser)(\?!.*nsroot)(\?!install)(\?!show\s+system\s+(user|cmdPolicy|file))(\?!(set|add|rm|create|export|kill)\s+system)(\?!(unbind|bind)\s+system\s+(user|group))(\?!diff\s+ns\s+config)(\?!(set|unset|add|rm|bind|unbind|switch)\s+ns\s+partition).*|(^install\s*(wi|wf))|(^\S+\s+system\s+file)^(\?!shell)(\?!sftp)(\?!scp)(\?!batch)(\?!source)(\?!.*superuser)(\?!.*nsroot)(\?!install)(\?!show\s+system\s+(user|cmdPolicy|file))(\?!(set|add|rm|create|export|kill)\s+system)(\?!(unbind|bind)\s+system\s+(user|group))(\?!diff\s+ns\s+config)(\?!(set|unset|add|rm|bind|unbind|switch)\s+ns\s+partition).*|(^install\s*(wi|wf))|(^\S+\s+system\s+file)' - ``` - - **Note**: The system user account would have privileges based on the command policy that you define. - The command policy mentioned in ***step 3*** is similar to the built-in `sysAdmin` command policy with another permission to upload files. - - The command policy spec provided above have already escaped special characters for easier copy pasting into the Citrix ADC command line. - - For configuring the command policy from Citrix ADC Configuration Wizard (GUI), use the below command policy spec. - - ``` - ^(?!shell)(?!sftp)(?!scp)(?!batch)(?!source)(?!.*superuser)(?!.*nsroot)(?!install)(?!show\s+system\s+(user|cmdPolicy|file))(?!(set|add|rm|create|export|kill)\s+system)(?!(unbind|bind)\s+system\s+(user|group))(?!diff\s+ns\s+config)(?!(set|unset|add|rm|bind|unbind|switch)\s+ns\s+partition).*|(^install\s*(wi|wf))|(^\S+\s+system\s+file)^(?!shell)(?!sftp)(?!scp)(?!batch)(?!source)(?!.*superuser)(?!.*nsroot)(?!install)(?!show\s+system\s+(user|cmdPolicy|file))(?!(set|add|rm|create|export|kill)\s+system)(?!(unbind|bind)\s+system\s+(user|group))(?!diff\s+ns\s+config)(?!(set|unset|add|rm|bind|unbind|switch)\s+ns\s+partition).*|(^install\s*(wi|wf))|(^\S+\s+system\s+file) - ``` - -4. 
Bind the policy to the system user account using the following command: - - ``` - bind system user cic cic-policy 0 - ``` - -## Installing the Chart -Add the Citrix Ingress Controller helm chart repository using command: - -``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ -``` - -### For Kubernetes: -#### 1. Citrix Ingress Controller -To install the chart with the release name, `my-release`, use the following command: - ``` - helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,ingressClass[0]= - ``` - -> **Note:** -> -> By default the chart installs the recommended [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) roles and role bindings. - -The command deploys Citrix ingress controller on Kubernetes cluster with the default configuration. The [configuration](#configuration) section lists the mandatory and optional parameters that you can configure during installation. - -#### 2. Citrix Ingress Controller with Exporter -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed along with Citrix ingress controller and collects metrics from the Citrix ADC instances. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. - -> **Note:** -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). 
- -Use the following command for this: - ``` - helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,ingressClass[0]=,exporter.required=true - ``` - -### For Openshift: -Add the name of the service account created when the chart is deployed to the privileged Security Context Constraints of OpenShift: - - ``` - oc adm policy add-scc-to-user privileged system:serviceaccount:: - ``` - -#### 1. Citrix Ingress Controller -To install the chart with the release name, `my-release`, use the following command: - ``` - helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,openshift=true - ``` - -The command deploys Citrix ingress controller on your Openshift cluster in the default configuration. The [configuration](#configuration) section lists the mandatory and optional parameters that you can configure during installation. - -#### 2. Citrix Ingress Controller with Exporter -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed along with Citrix ingress controller and collects metrics from the Citrix ADC instances. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. 
- -> **Note:** -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator) - -Use the following command for this: - ``` - helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,openshift=true,exporter.required=true - ``` - -### Installed components - -The following components are installed: - -- [Citrix ingress controller](https://github.com/citrix/citrix-k8s-ingress-controller) -- [Exporter](https://github.com/citrix/citrix-adc-metrics-exporter) (if enabled) - -## Configuration for ServiceGraph: - If Citrix ADC VPX/MPX need to send data to the Citrix ADM to bring up the servicegraph, then the below steps can be followed to install Citrix ingress controller for Citrix ADC VPX/MPX. Citrix ingress controller configures Citrix ADC VPX/MPX with the configuration required for servicegraph. - - 1. Create secret using Citrix ADC VPX credentials, which will be used by Citrix ingress controller for configuring Citrix ADC VPX/MPX: - - kubectl create secret generic nslogin --from-literal=username='cic' --from-literal=password='mypassword' - - 2. Deploy Citrix ingress controller using helm command: - - helm install my-release citrix/citrix-ingress-controller --set nsIP=,nsVIP=,license.accept=yes,adcCredentialSecret=,analyticsConfig.required=true,analyticsConfig.timeseries.metrics.enable=true,analyticsConfig.timeseries.port=5563,analyticsConfig.distributedTracing.enable=true,analyticsConfig.transactions.enable=true,analyticsConfig.transactions.port=5557,analyticsConfig.endpoint.server= - -> **Note:** -> If container agent is being used here for Citrix ADM, please provide `podIP` of container agent in the `analyticsConfig.endpoint.server` parameter. - -## CRDs configuration - -CRDs can be installed/upgraded when we install/upgrade Citrix ingress controller using `crds.install=true` parameter in Helm. If you do not want to install CRDs, then set the option `crds.install` to `false`. 
By default, CRDs too get deleted if you uninstall through Helm. This means, even the CustomResource objects created by the customer will get deleted. If you want to avoid this data loss set `crds.retainOnDelete` to `true`. - -> **Note:** -> Installing again may fail due to the presence of CRDs. Make sure that you back up all CustomResource objects and clean up CRDs before re-installing Citrix Ingress Controller. - -There are a few examples of how to use these CRDs, which are placed in the folder: [Example-CRDs](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds). Refer to them and install as needed, using the following command: -```kubectl create -f ``` - -### Details of the supported CRDs: - -#### authpolicies CRD: - -Authentication policies are used to enforce access restrictions to resources hosted by an application or an API server. - -Citrix provides a Kubernetes CustomResourceDefinitions (CRDs) called the [Auth CRD](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/auth) that you can use with the Citrix ingress controller to define authentication policies on the ingress Citrix ADC. - -Example file: [auth_example.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/auth_example.yaml) - -#### continuousdeployments CRD for canary: - -Canary release is a technique to reduce the risk of introducing a new software version in production by first rolling out the change to a small subset of users. After user validation, the application is rolled out to the larger set of users. Citrix ADC-Integrated [Canary Deployment solution](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/canary) stitches together all components of continuous delivery (CD) and makes canary deployment easier for the application developers. 
- -#### httproutes and listeners CRDs for contentrouting: - -[Content Routing (CR)](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/contentrouting) is the execution of defined rules that determine the placement and configuration of network traffic between users and web applications, based on the content being sent. For example, a pattern in the URL or header fields of the request. - -Example files: [HTTPRoute_crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/HTTPRoute_crd.yaml), [Listener_crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/Listener_crd.yaml) - -#### ratelimits CRD: - -In a Kubernetes deployment, you can [rate limit the requests](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/ratelimit) to the resources on the back end server or services using rate limiting feature provided by the ingress Citrix ADC. - -Example files: [ratelimit-example1.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/ratelimit-example1.yaml), [ratelimit-example2.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/ratelimit-example2.yaml) - -#### vips CRD: - -Citrix provides a CustomResourceDefinitions (CRD) called [VIP](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/vip) for asynchronous communication between the IPAM controller and Citrix ingress controller. - -The IPAM controller is provided by Citrix for IP address management. It allocates IP address to the service from a defined IP address range. The Citrix ingress controller configures the IP address allocated to the service as virtual IP (VIP) in Citrix ADX VPX. And, the service is exposed using the IP address. - -When a new service is created, the Citrix ingress controller creates a CRD object for the service with an empty IP address field. 
The IPAM Controller listens to addition, deletion, or modification of the CRD and updates it with an IP address to the CRD. Once the CRD object is updated, the Citrix ingress controller automatically configures Citrix ADC-specfic configuration in the tier-1 Citrix ADC VPX. - -#### rewritepolicies CRD: - -In kubernetes environment, to deploy specific layer 7 policies to handle scenarios such as, redirecting HTTP traffic to a specific URL, blocking a set of IP addresses to mitigate DDoS attacks, imposing HTTP to HTTPS and so on, requires you to add appropriate libraries within the microservices and manually configure the policies. Instead, you can use the [Rewrite and Responder features](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/crd/rewrite-responder-policies-deployment.yaml) provided by the Ingress Citrix ADC device to deploy these policies. - -Example files: [target-url-rewrite.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/target-url-rewrite.yaml) - -#### wafs CRD: - -[WAF CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/waf.md) can be used to configure the web application firewall policies with the Citrix ingress controller on the Citrix ADC VPX, MPX, SDX, and CPX. The WAF CRD enables communication between the Citrix ingress controller and Citrix ADC for enforcing web application firewall policies. - -In a Kubernetes deployment, you can enforce a web application firewall policy to protect the server using the WAF CRD. For more information about web application firewall, see [Web application security](https://docs.citrix.com/en-us/citrix-adc/13/application-firewall/introduction/web-application-security.html). - -Example files: [wafhtmlxsssql.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/wafhtmlxsssql.yaml) - -#### apigateway CRD: - -API Gateway CRD is used to configure gitops framework on citrix API gateway. 
This solution enables citrix ingress controller to generate API gateway configurations out of Open API Specification documents checked in to git repository by API developers and designers. - -Example files: [api-gateway-crd-instance.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/api-gateway-crd-instance.yaml) -#### bots CRD: - -[BOT CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/bot.md) You can use Bot CRDs to configure the bot management policies with the Citrix ingress controller on the Citrix ADC VPX. The Bot custom resource definition enables communication between the Citrix ingress controller and Citrix ADC for enforcing bot management policies. - -In a Kubernetes deployment, you can enforce bot management policy on therequests and responses from and to the server using the Bot CRDs. For more information on security vulnerabilities, see [Bot Detection](https://docs.citrix.com/en-us/citrix-adc/current-release/bot-management/bot-detection.html). - -Example files: [botallowlist.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/botallowlist.yaml) - -#### CORS CRD: - -[CORS CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/cors.md) Cross-origin resource sharing (CORS) is a mechanism allows a web application running under one domain to securely access resources in another domain. You can configure CORS policies on Citrix ADC using Citrix ingress controller to allow one domain (the origin domain) to call APIs in another domain. For more information, see the [cross-origin resource sharing CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/cors.md) documentation. 
- -Example files: [cors-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/corspolicy-example.yaml) - -#### APPQOE CRD: - -[APPQOE CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/appqoe.md) When a Citrix ADC appliance receives an HTTP request and forwards it to a back-end server, sometimes there may be connection failures with the back-end server. You can configure the request-retry feature on Citrix ADC to forward the request to the next available server, instead of sending the reset to the client. Hence, the client saves round trip time when Citrix ADC initiates the same request to the next available service. -For more information, see the AppQoE support documentation. [Appqoe resource sharing CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/appqoe.md) documentation. - -Example files: [appqoe-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/appqoe_example.yaml) - -#### WILDCARDDNS CRD: - -[WILDCARDDNS CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/wildcarddns.md) Wildcard DNS domains are used to handle requests for nonexistent domains and subdomains. In a zone, use wildcard domains to redirect queries for all nonexistent domains or subdomains to a particular server, instead of creating a separate Resource Record (RR) for each domain. The most common use of a wildcard DNS domain is to create a zone that can be used to forward mail from the internet to some other mail system. -For more information, see the Wild card DNS domains support documentation. [Wildcard DNS Entry CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/wildcarddns.md) documentation. 
- -Example files: [wildcarddns-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/wildcarddns-example.yaml) - -### Tolerations - -Taints are applied on cluster nodes whereas tolerations are applied on pods. Tolerations enable pods to be scheduled on node with matching taints. For more information see [Taints and Tolerations in Kubernetes](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/). - -Toleration can be applied to Citrix ingress controller pod using `tolerations` argument while deploying CIC using helm chart. This argument takes list of tolerations that user need to apply on the CIC pods. - -For example, following command can be used to apply toleration on the CIC pod: - -``` -helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,tolerations[0].key=,tolerations[0].value=,tolerations[0].operator=,tolerations[0].effect= -``` - -Here tolerations[0].key, tolerations[0].value and tolerations[0].effect are the key, value and effect that was used while tainting the node. -Effect represents what should happen to the pod if the pod don't have any matching toleration. It can have values `NoSchedule`, `NoExecute` and `PreferNoSchedule`. -Operator represents the operation to be used for key and value comparison between taint and tolerations. It can have values `Exists` and `Equal`. The default value for operator is `Equal`. - - - -### Configuration - -The following table lists the mandatory and optional parameters that you can configure during installation: - -| Parameters | Mandatory or Optional | Default value | Description | -| --------- | --------------------- | ------------- | ----------- | -| license.accept | Mandatory | no | Set `yes` to accept the CIC end user license agreement. 
| -| imageRegistry | Mandatory | `quay.io` | The Citrix ingress controller image registry | -| imageRepository | Mandatory | `citrix/citrix-k8s-ingress-controller` | The Citrix ingress controller image repository | -| imageTag | Mandatory | `1.32.7` | The Citrix ingress controller image tag | -| pullPolicy | Mandatory | IfNotPresent | The CIC image pull policy. | -| imagePullSecrets | Optional | N/A | Provide list of Kubernetes secrets to be used for pulling the images from a private Docker registry or repository. For more information on how to create this secret please see [Pull an Image from a Private Registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/). | -| nameOverride | Optional | N/A | String to partially override deployment fullname template with a string (will prepend the release name) | -| fullNameOverride | Optional | N/A | String to fully override deployment fullname template with a string | -| resources | Optional | {} | CPU/Memory resource requests/limits for Citrix Ingress Controller container | -| adcCredentialSecret | Mandatory | N/A | The secret key to log on to the Citrix ADC VPX or MPX. For information on how to create the secret keys, see [Prerequisites](#prerequistes). | -| secretStore.enabled | Optional | False | Set to "True" for deploying other Secret Provider classes | -| secretStore.username | Optional | N/A | if `secretStore.enabled`, `username` of ADC will be fetched from the Secret Provider | -| secretStore.password | Optional | N/A | if `secretStore.enabled`, `password` of ADC will be fetched from the Secret Provider | -| nsIP | Mandatory | N/A | The IP address of the Citrix ADC device. For details, see [Prerequisites](#prerequistes). | -| nsVIP | Optional | N/A | The Virtual IP address on the Citrix ADC device. 
| -| nsSNIPS | Optional | N/A | The list of subnet IPAddresses on the Citrix ADC device, which will be used to create PBR Routes instead of Static Routes [PBR support](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/docs/how-to/pbr.md) | -| nsPort | Optional | 443 | The port used by CIC to communicate with Citrix ADC. You can use port 80 for HTTP. | -| nsProtocol | Optional | HTTPS | The protocol used by CIC to communicate with Citrix ADC. You can also use HTTP on port 80. | -| nsEnableLabel | Optional | True | Set to true for plotting Servicegraph. Ensure ``analyticsConfig` are set. | -| nitroReadTimeout | Optional | 20 | The nitro Read timeout in seconds, defaults to 20 | -| logLevel | Optional | DEBUG | The loglevel to control the logs generated by CIC. The supported loglevels are: CRITICAL, ERROR, WARNING, INFO, DEBUG and TRACE. For more information, see [Logging](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/configure/log-levels.md).| -| jsonLog | Optional | false | Set this argument to true if log messages are required in JSON format | -| nsConfigDnsRec | Optional | false | To enable/disable DNS address Record addition in ADC through Ingress | -| nsSvcLbDnsRec | Optional | false | To enable/disable DNS address Record addition in ADC through Type Load Balancer Service | -| nsDnsNameserver | Optional | N/A | To add DNS Nameservers in ADC | -| optimizeEndpointBinding | Optional | false | To enable/disable binding of backend endpoints to servicegroup in a single API-call. Recommended when endpoints(pods) per application are large in number. Applicable only for Citrix ADC Version >=13.0-45.7 | -| kubernetesURL | Optional | N/A | The kube-apiserver url that CIC uses to register the events. If the value is not specified, CIC uses the [internal kube-apiserver IP address](https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod). 
| -| clusterName | Optional | N/A | The unique identifier of the kubernetes cluster on which the CIC is deployed. Used in multi-cluster deployments. | -| ingressClass | Optional | N/A | If multiple ingress load balancers are used to load balance different ingress resources. You can use this parameter to specify CIC to configure Citrix ADC associated with specific ingress class. For more information on Ingress class, see [Ingress class support](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/configure/ingress-classes/). For Kubernetes version >= 1.19, this will create an IngressClass object with the name specified here | -| setAsDefaultIngressClass | Optional | False | Set the IngressClass object as default ingress class. New Ingresses without an "ingressClassName" field specified will be assigned the class specified in ingressClass. Applicable only for kubernetes versions >= 1.19 | -| serviceClass | Optional | N/A | By Default ingress controller configures all TypeLB Service on the ADC. You can use this parameter to finetune this behavior by specifing CIC to only configure TypeLB Service with specific service class. For more information on Service class, see [Service class support](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/configure/service-classes/). | -| nodeWatch | Optional | false | Use the argument if you want to automatically configure network route from the Ingress Citrix ADC VPX or MPX to the pods in the Kubernetes cluster. For more information, see [Automatically configure route on the Citrix ADC instance](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/network/staticrouting/#automatically-configure-route-on-the-citrix-adc-instance). | -| cncPbr | Optional | False | Use this argument to inform CIC that Citrix Node Controller(CNC) is configuring Policy Based Routes(PBR) on the Citrix ADC. 
For more information, see [CNC-PBR-SUPPORT](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/docs/how-to/pbr.md#configure-pbr-using-the-citrix-node-controller) | -| defaultSSLCertSecret | Optional | N/A | Provide Kubernetes secret name that needs to be used as a default non-SNI certificate in Citrix ADC. | -| podIPsforServiceGroupMembers | Optional | False | By default Citrix Ingress Controller will add NodeIP and NodePort as service group members while configuring type LoadBalancer Services and NodePort services. This variable if set to `True` will change the behaviour to add pod IP and Pod port instead of nodeIP and nodePort. Users can set this to `True` if there is a route between ADC and K8s clusters internal pods either using feature-node-watch argument or using Citrix Node Controller. | -| ignoreNodeExternalIP | Optional | False | While adding NodeIP, as Service group members for type LoadBalancer services or NodePort services, Citrix Ingress Controller has a selection criteria whereas it choose Node ExternalIP if available and Node InternalIP, if Node ExternalIP is not present. But some users may want to use Node InternalIP over Node ExternalIP even if Node ExternalIP is present. If this variable is set to `True`, then it prioritises the Node Internal IP to be used for service group members even if node ExternalIP is present | -| nsHTTP2ServerSide | Optional | OFF | Set this argument to `ON` for enabling HTTP2 for Citrix ADC service group configurations. | -| nsCookieVersion | Optional | 0 | Specify the persistence cookie version (0 or 1). | -| profileSslFrontend | Optional | N/A | Specify the frontend SSL profile. For Details see [Configuration using FRONTEND_SSL_PROFILE](https://docs.citrix.com/en-us/citrix-k8s-ingress-controller/configure/profiles.html#global-front-end-profile-configuration-using-configmap-variables) | -| profileTcpFrontend | Optional | N/A | Specify the frontend TCP profile. 
For Details see [Configuration using FRONTEND_TCP_PROFILE](https://docs.citrix.com/en-us/citrix-k8s-ingress-controller/configure/profiles.html#global-front-end-profile-configuration-using-configmap-variables) | -| profileHttpFrontend | Optional | N/A | Specify the frontend HTTP profile. For Details see [Configuration using FRONTEND_HTTP_PROFILE](https://docs.citrix.com/en-us/citrix-k8s-ingress-controller/configure/profiles.html#global-front-end-profile-configuration-using-configmap-variables) | -| ipam | Optional | False | Set this argument if you want to use the IPAM controller to automatically allocate an IP address to the service of type LoadBalancer. | -| disableAPIServerCertVerify | Optional | False | Set this parameter to True for disabling API Server certificate verification. | -| logProxy | Optional | N/A | Provide Elasticsearch or Kafka or Zipkin endpoint for Citrix observability exporter. | -| entityPrefix | Optional | k8s | The prefix for the resources on the Citrix ADC VPX/MPX. | -| updateIngressStatus | Optional | True | Set this argurment if `Status.LoadBalancer.Ingress` field of the Ingress resources managed by the Citrix ingress controller needs to be updated with allocated IP addresses. For more information see [this](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/configure/ingress-classes.md#updating-the-ingress-status-for-the-ingress-resources-with-the-specified-ip-address). | -| routeLabels | Optional | N/A | You can use this parameter to provide the route labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster. | -| namespaceLabels | Optional | N/A | You can use this parameter to provide the namespace labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster. | -| podAnnotations | Optional | N/A | Map of annotations to add to the pods. | -| affinity | Optional | N/A | Affinity labels for pod assignment. 
| -| exporter.required | Optional | false | Use the argument, if you want to run the [Exporter for Citrix ADC Stats](https://github.com/citrix/citrix-adc-metrics-exporter) along with CIC to pull metrics for the Citrix ADC VPX or MPX| -| exporter.imageRegistry | Optional | `quay.io` | The Exporter for Citrix ADC Stats image registry | -| exporter.imageRepository | Optional | `citrix/citrix-adc-metrics-exporter` | The Exporter for Citrix ADC Stats image repository | -| exporter.imageTag | Optional | `1.4.9` | The Exporter for Citrix ADC Stats image tag | -| exporter.pullPolicy | Optional | IfNotPresent | The Exporter image pull policy. | -| exporter.ports.containerPort | Optional | 8888 | The Exporter container port. | -| exporter.resources | Optional | {} | CPU/Memory resource requests/limits for Metrics exporter container | -| exporter.extraVolumeMounts | Optional | [] | Specify the Additional VolumeMounts to be mounted in Exporter container. Specify the volumes in `extraVolumes` | -| openshift | Optional | false | Set this argument if OpenShift environment is being used. | -| disableOpenshiftRoutes | Optional | false | By default Openshift routes are processed in openshift environment, this variable can be used to disable Ingress controller processing the openshift routes. | -| nodeSelector.key | Optional | N/A | Node label key to be used for nodeSelector option in CIC deployment. | -| nodeSelector.value | Optional | N/A | Node label value to be used for nodeSelector option in CIC deployment. | -| tolerations | Optional | N/A | Specify the tolerations for the CIC deployment. | -| crds.install | Optional | False | Unset this argument if you don't want to install CustomResourceDefinitions which are consumed by CIC. | -| crds.retainOnDelete | Optional | false | Set this argument if you want to retain CustomResourceDefinitions even after uninstalling CIC. This will avoid data-loss of Custom Resource Objects created before uninstallation. 
| -| analyticsConfig.required | Mandatory | false | Set this to true if you want to configure Citrix ADC to send metrics and transaction records to analytics . | -| analyticsConfig.distributedTracing.enable | Optional | false | Set this value to true to enable OpenTracing in Citrix ADC. | -| analyticsConfig.distributedTracing.samplingrate | Optional | 100 | Specifies the OpenTracing sampling rate in percentage. | -| analyticsConfig.endpoint.server | Optional | N/A | Set this value as the IP address or DNS address of the analytics server. | -| analyticsConfig.endpoint.service | Optional | N/A | Set this value as the IP address or service name with namespace of the analytics service deployed in k8s environment. Format: namespace/servicename | -| analyticsConfig.timeseries.port | Optional | 30002 | Specify the port used to expose analytics service outside cluster for timeseries endpoint. | -| analyticsConfig.timeseries.metrics.enable | Optional | False | Set this value to true to enable sending metrics from Citrix ADC. | -| analyticsConfig.timeseries.metrics.mode | Optional | avro | Specifies the mode of metric endpoint. | -| analyticsConfig.timeseries.auditlogs.enable | Optional | false | Set this value to true to export audit log data from Citrix ADC. | -| analyticsConfig.timeseries.events.enable | Optional | false | Set this value to true to export events from the Citrix ADC. | -| analyticsConfig.transactions.enable | Optional | false | Set this value to true to export transactions from Citrix ADC. | -| analyticsConfig.transactions.port | Optional | 30001 | Specify the port used to expose analytics service outside cluster for transaction endpoint. | -| nsLbHashAlgo.required | Optional | false | Set this value to set the LB consistent hashing Algorithm | -| nsLbHashAlgo.hashFingers | Optional | 256 | Specifies the number of fingers to be used for hashing algorithm. 
Possible values are from 1 to 1024, Default value is 256 | -| nsLbHashAlgo.hashAlgorithm | Optional | 'default' | Specifies the supported algorithm. Supported algorithms are "default", "jarh", "prac", Default value is 'default' | -| extraVolumeMounts | Optional | [] | Specify the Additional VolumeMounts to be mounted in CIC container | -| extraVolumes | Optional | [] | Specify the Additional Volumes for additional volumeMounts | -| rbacRole | Optional | false | To deploy CIC with RBAC Role set rbacRole=true; by default CIC gets installed with RBAC ClusterRole(rbacRole=false)) | - -Alternatively, you can define a YAML file with the values for the parameters and pass the values while installing the chart. - -For example: - ``` - helm install my-release citrix/citrix-ingress-controller -f values.yaml - ``` - -> **Tip:** -> -> The [values.yaml](https://github.com/citrix/citrix-helm-charts/blob/master/citrix-ingress-controller/values.yaml) contains the default values of the parameters. - -> **Note:** -> -> Please provide frontend-ip (VIP) in your application ingress yaml file. For more info refer [this](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/configure/annotations.md). - -## Route Addition in MPX/VPX -For seamless functioning of services deployed in the Kubernetes cluster, it is essential that Ingress NetScaler device should be able to reach the underlying overlay network over which Pods are running. -`feature-node-watch` knob of Citrix Ingress Controller can be used for automatic route configuration on NetScaler towards the pod network. Refer [Static Route Configuration](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/staticrouting.md) for further details regarding the same. -By default, `feature-node-watch` is false. It needs to be explicitly set to true if auto route configuration is required. 
- -This can also be achieved by deploying [Citrix Node Controller](https://github.com/citrix/citrix-k8s-node-controller). - -If your deployment uses one single Citrix ADC Device to loadbalance between multiple k8s clusters, there is a possibilty of CNI subnets to overlap, causing the above mentioned static routing to fail due to route conflicts. In such deployments [Policy Based Routing(PBR)] (https://docs.citrix.com/en-us/citrix-adc/current-release/networking/ip-routing/configuring-policy-based-routes/configuring-policy-based-routes-pbrs-for-ipv4-traffic.html) can be used instead. This would require you to provide one or more subnet IP Addresses unique for each kubernetes cluster either via Environment variable or Configmap, see [PBR Support](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/docs/how-to/pbr.md) - - Use the following command to provide subnet IPAddresses(SNIPs) to configure Policy Based Routes(PBR) on the Citrix ADC - - ``` - helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,nsSNIPS='[\, \, ...]' - ``` - - [Citrix Node Controller](https://github.com/citrix/citrix-k8s-node-controller) by default also adds static routes while creating the VXLAN tunnel. To use [Policy Based Routing(PBR)] (https://docs.citrix.com/en-us/citrix-adc/current-release/networking/ip-routing/configuring-policy-based-routes/configuring-policy-based-routes-pbrs-for-ipv4-traffic.html) to avoid static route clash, both Citrix Node Controller and Citrix Ingress Controller has to work in conjunction and has to be started with specific arguments. For more details refer [CNC-PBR-SUPPORT](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/docs/how-to/pbr.md#configure-pbr-using-the-citrix-node-controller). 
- - Use the following command to inform Citrix Ingress Controller that Citrix Node Controller is configuring Policy Based Routes(PBR) on the Citrix ADC - - ``` - helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,clusterName=,cncPbr= - ``` - -For configuring static routes manually on Citrix ADC VPX or MPX to reach the pods inside the cluster follow: -### For Kubernetes: -1. Obtain podCIDR using below options: - ``` - kubectl get nodes -o yaml | grep podCIDR - ``` - * podCIDR: 10.244.0.0/24 - * podCIDR: 10.244.1.0/24 - * podCIDR: 10.244.2.0/24 - -2. Log on to the Citrix ADC instance. - -3. Add Route in Netscaler VPX/MPX - ``` - add route - ``` -4. Ensure that Ingress MPX/VPX has a SNIP present in the host-network (i.e. network over which K8S nodes communicate with each other. Usually eth0 IP is from this network). - - Example: - * Node1 IP = 192.0.2.1 - * podCIDR = 10.244.1.0/24 - * add route 10.244.1.0 255.255.255.0 192.0.2.1 - -### For OpenShift: -1. Use the following command to get the information about host names, host IP addresses, and subnets for static route configuration. - ``` - oc get hostsubnet - ``` - -2. Log on to the Citrix ADC instance. - -3. Add the route on the Citrix ADC instance using the following command. - ```add route ``` - -4. Ensure that Ingress MPX/VPX has a SNIP present in the host-network (i.e. network over which OpenShift nodes communicate with each other. Usually eth0 IP is from this network). 
-
- For example, if the output of the `oc get hostsubnet` is as follows:
- * oc get hostsubnet
-
- NAME HOST HOST IP SUBNET
- os.example.com os.example.com 192.0.2.1 10.1.1.0/24
-
- * The required static route is as follows:
-
- add route 10.1.1.0 255.255.255.0 192.0.2.1
-
-## Uninstalling the Chart
-To uninstall/delete the ```my-release``` deployment:
-
- ```
- helm delete my-release
- ```
-
-The command removes all the Kubernetes components associated with the chart and deletes the release.
-
-## Related documentation
-
-- [Citrix ingress controller Documentation](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/)
-- [Citrix ingress controller GitHub](https://github.com/citrix/citrix-k8s-ingress-controller)
diff --git a/charts/citrix/citrix-ingress-controller/1.32.7/app-readme.md b/charts/citrix/citrix-ingress-controller/1.32.7/app-readme.md
deleted file mode 100644
index a8a8ebc15a..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.32.7/app-readme.md
+++ /dev/null
@@ -1,5 +0,0 @@
-# Citrix Ingress Controller
-
-[Citrix Ingress Controler](https://github.com/citrix/citrix-k8s-ingress-controller) is an ingress controller for Citrix ADC MPX (hardware), Citrix ADC VPX (virtualized), and Citrix ADC CPX (containerized) for bare metal and cloud deployments. It is built around Kubernetes Ingress and automatically configures Citrix ADC based on the Ingress resource configuration.
-
-This Chart bootstraps standalone Citrix Ingress Controller which can be used to configure Citrix MPX or VPX.
diff --git a/charts/citrix/citrix-ingress-controller/1.32.7/questions.yml b/charts/citrix/citrix-ingress-controller/1.32.7/questions.yml
deleted file mode 100644
index 89389ae11e..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.32.7/questions.yml
+++ /dev/null
@@ -1,348 +0,0 @@
-labels:
- io.rancher.certified: partner
-questions:
-- variable: license.accept
- required: true
- type: enum
- description: "Set to yes to accept the terms and conditions of the Citrix license."
- label: Accept License
- group: "Deployment Settings"
- options:
- - "yes"
- - "no"
-- variable: openshift
- default: false
- type: boolean
- description: "openshift is set to true if charts are being deployed in OpenShift environment"
- label: Openshift flag
- group: "Deployment Settings"
-- variable: adcCredentialSecret
- required: true
- default: ""
- type: string
- description: "adcCredentialSecret is secret file for NetScaler login"
- label: adcCredentialSecret Name
- group: "Deployment Settings"
-- variable: imagePullSecrets[0]
- required: false
- type: string
- description: "Provide list of Kubernetes secrets to be used for pulling the images from a private Docker registry or repository"
- label: imagePullSecrets
- group: "Deployment Settings"
-- variable: nsIP
- required: true
- type: string
- description: "nsIP is NetScaler NSIP/SNIP, SNIP in case of HA (mgmt has to be enabled)"
- label: Citrix ADC IP
- group: "ADC Settings"
-- variable: nsVIP
- required: false
- type: string
- label: Virtual IP of Citrix ADC
- group: "ADC Settings"
-- variable: nsSNIPS
- required: false
- type: string
- description: "The list of subnet IPAddresses on the Citrix ADC device, which will be used to create PBR Routes instead of Static Routes"
- label: Citrix ADC nsSNIPS
- group: "ADC Settings"
-- variable: nsPort
- required: false
- default: 443
- type: int
- description: "nsPort is port for ADC NITRO"
- label: nsPort
- group: "ADC Settings"
-- variable: nsProtocol
- required: false
- default: "HTTPS"
- type: string
- description: "nsProtocol is protocol for ADC NITRO"
- label: nsProtocol
- group: "ADC Settings"
-- variable: entityPrefix
- required: false
- type: string
- description: "The prefix for the resources on the Citrix ADC VPX/MPX"
- label: entityPrefix
- group: "ADC Settings"
-- variable: kubernetesURL
- required: false
- type: string
- description: "kubernetesURL is for registering events to kubeapi server"
- label: Kubernetes API-server URL
- group: "Deployment Settings"
-- variable: clusterName
- required: false
- type: string
- description: "The unique identifier of the kubernetes cluster on which the CIC is deployed"
- label: Cluster Name
- group: "Deployment Settings"
-- variable: ingressClass[0]
- required: false
- type: string
- description: "ingressClass is the name of the Ingress Class"
- label: Ingress Class
- group: "Deployment Settings"
-- variable: setAsDefaultIngressClass
- required: false
- default: False
- type: boolean
- description: "Set the IngressClass object as default ingress class. New Ingresses without an `ingressClassName` field specified will be assigned the class specified in ingressClass. Applicable only for kubernetes versions >= 1.19"
- label: setAsDefaultIngressClass
- group: "Deployment Settings"
-- variable: serviceClass[0]
- required: false
- type: string
- description: "serviceClass is the name of the Service Class"
- label: Service Class
- group: "Deployment Settings"
-- variable: defaultSSLCertSecret
- required: false
- type: string
- description: "Provide Kubernetes secret name that needs to be used as a default non-SNI certificate in Citrix ADC."
- label: defaultSSLCertSecret
- group: "ADC Settings"
-- variable: podIPsforServiceGroupMembers
- required: false
- default: False
- type: boolean
- description: "By default Citrix Ingress Controller will add NodeIP and NodePort as service group members,This variable if set to True will change the behaviour to add pod IP and Pod port instead of nodeIP and nodePort."
- label: podIPsforServiceGroupMembers
- group: "Deployment Settings"
-- variable: ignoreNodeExternalIP
- required: false
- default: False
- type: boolean
- label: ignoreNodeExternalIP
- group: "Deployment Settings"
-- variable: ipam
- required: false
- default: False
- type: boolean
- description: "Set this argument if you want to use the IPAM controller to automatically allocate an IP address to the service of type LoadBalancer"
- label: ipam
- group: "Deployment Settings"
-- variable: logProxy
- required: false
- default: False
- type: string
- description: "Provide Elasticsearch or Kafka or Zipkin endpoint for Citrix observability exporter."
- label: Log Proxy
- group: "Deployment Settings"
-- variable: nodeWatch
- required: false
- default: false
- type: boolean
- description: "nodeWatch is used for automatic route configuration on NetScaler towards the pod network"
- label: NodeWatch
- group: "ADC Settings"
-- variable: cncPbr
- required: false
- default: false
- type: boolean
- description: "Use this argument to inform CIC that Citrix Node Controller(CNC) is configuring Policy Based Routes(PBR) on the Citrix ADC."
- label: CNC PBR
- group: "ADC Settings"
-- variable: nodeSelector.key
- required: false
- type: string
- description: "Node label key to be used for nodeSelector option in CIC deployment"
- label: NodeSelector Key
- group: "Deployment Settings"
-- variable: nodeSelector.value
- required: false
- type: string
- description: "Node label value to be used for nodeSelector option in CIC deployment."
- label: NodeSelector value
- group: "Deployment Settings"
-- variable: tolerations[0]
- required: false
- type: string
- description: "Specify the tolerations for the CIC deployment"
- label: Tolerations
- group: "Deployment Settings"
-- variable: updateIngressStatus
- required: false
- default: false
- type: boolean
- description: "Set this argurment if Status.LoadBalancer.Ingress field of the Ingress resources managed by the Citrix ingress controller needs to be updated with allocated IP addresses"
- label: Update Ingress Status
- group: "Deployment Settings"
-- variable: nsHTTP2ServerSide
- required: false
- default: "OFF"
- type: string
- description: "Set this argument to ON for enabling HTTP2 for Citrix ADC service group configurations."
- label: nsHTTP2ServerSide
- group: "Deployment Settings"
-- variable: nsCookieVersion
- required: false
- default: "0"
- type: string
- description: "Specify the persistence cookie version (0 or 1)"
- label: nsCookieVersion
- group: "Deployment Settings"
-- variable: routeLabels
- required: false
- type: string
- description: "You can use this parameter to provide the route labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster."
- label: Route Labels
- group: "Deployment Settings"
-- variable: namespaceLabels
- required: false
- type: string
- description: "you can use this parameter to provide the namespace labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster"
- label: namespaceLabels
- group: "Deployment Settings"
-- variable: cic.image
- required: true
- type: string
- default: "quay.io/citrix/citrix-k8s-ingress-controller:1.19.6"
- label: CIC Image
- group: "CIC Image Settings"
-- variable: cic.pullpolicy
- required: true
- default: "IfNotPresent"
- type: enum
- label: CIC Image Pullpolicy
- group: "CIC Image Settings"
- options:
- - "Always"
- - "IfNotPresent"
- - "Never"
-- variable: logLevel
- required: false
- default: "INFO"
- type: enum
- label: CIC Loglevel
- group: "CIC Image Settings"
- options:
- - "DEBUG"
- - "INFO"
- - "WARNING"
- - "ERROR"
- - "TRACE"
-- variable: exporter.required
- default: false
- type: boolean
- description: "If set to true exporter will be deployed as sidecar"
- label: Enable Exporter
- group: "Exporter Settings"
-- variable: exporter.image
- default: "quay.io/citrix/citrix-adc-metrics-exporter:1.4.9"
- required: false
- type: string
- description: "Exporter Image"
- label: Exporter Image
- group: "Exporter Settings"
-- variable: exporter.pullPolicy
- required: false
- default: IfNotPresent
- type: string
- description: "Exporter Image pull policy"
- label: Exporter Image PullPolicy
- group: "Exporter Settings"
-- variable: exporter.ports.containerPort
- required: false
- default: 8888
- type: int
- label: Exporter ContainerPort
- group: "Exporter Settings"
-- variable: crds.install
- required: false
- default: true
- type: boolean
- description: "If set to true the charts will install CustomResourceDefinitions which are consumed by CIC."
- label: CRD flag
- group: "Deployment Settings"
-- variable: crds.retainOnDelete
- required: false
- default: false
- type: boolean
- description: "Set this argument to true if you want to retain CustomResourceDefinitions even after uninstalling CIC. This will avoid data-loss of Custom Resource Objects created before uninstallation."
- label: CRD retainOnDelete flag
- group: "Deployment Settings"
-- variable: coeConfig.required
- required: true
- default: false
- type: boolean
- description: "Set this to true if you want to configure Citrix ADC to send metrics and transaction records to COE"
- label: Enable COE
- group: "COE Settings"
-- variable: coeConfig.distributedTracing.enable
- required: false
- default: false
- type: boolean
- description: "Set this value to true to enable OpenTracing in Citrix ADC."
- label: Enable coeConfig DistributedTracing
- group: "COE Settings"
-- variable: coeConfig.distributedTracing.samplingrate
- required: false
- default: "100"
- type: string
- description: "Specifies the OpenTracing sampling rate in percentage."
- label: coeConfig DistributedTracing Samplingrate
- group: "COE Settings"
-- variable: coeConfig.endpoint.server
- required: false
- type: string
- description: "Set this value as the IP address or DNS address of the analytics server"
- label: coeConfig Endpoint Server
- group: "COE Settings"
-- variable: coeConfig.timeseries.port
- required: false
- default: "30002"
- type: string
- description: "Specify the port used to expose COE service outside cluster for timeseries endpoint"
- label: coeConfig timeseries Port
- group: "COE Settings"
-- variable: coeConfig.timeseries.metrics.enable
- required: false
- default: False
- type: boolean
- description: "Set this value to true to enable sending metrics from Citrix ADC"
- label: Enable coeConfig Timeseries Metrics
- group: "COE Settings"
-- variable: coeConfig.timeseries.metrics.mode
- required: false
- default: "avro"
- type: string
- description: "Specifies the mode of metric endpoint"
- label: coeConfig Timeseries Metrics Mode
- group: "COE Settings"
-- variable: coeConfig.timeseries.auditlogs.enable
- required: false
- default: False
- type: boolean
- description: "Set this value to true to export audit log data from Citrix ADC"
- label: coeConfig Timeseries Auditlogs Enable
- group: "COE Settings"
-- variable: coeConfig.timeseries.events.enable
- required: false
- default: False
- type: boolean
- description: "Set this value to true to export events from the Citrix ADC"
- label: Enable coeConfig Timeseries Events
- group: "COE Settings"
-- variable: coeConfig.transactions.enable
- required: false
- default: False
- type: boolean
- description: "Set this value to true to export transactions from Citrix ADC"
- label: Enable coeConfig Transactions
- group: "COE Settings"
-- variable: coeConfig.transactions.port
- required: false
- default: 30001
- type: string
- description: "Specify the port used to expose COE service outside cluster for transaction endpoint"
- label: coeConfig Transactions Port
- group: "COE Settings"
-- variable: serviceAccount.create
- required: false
- default: true
- type: boolean
- description: "Specifies whether a ServiceAccount should be created"
- label: ServiceAccount Create
- group: "Deployment Settings"
diff --git a/charts/citrix/citrix-ingress-controller/1.32.7/templates/NOTES.txt b/charts/citrix/citrix-ingress-controller/1.32.7/templates/NOTES.txt
deleted file mode 100644
index 4d07f639fb..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.32.7/templates/NOTES.txt
+++ /dev/null
@@ -1,15 +0,0 @@
-Thank you for installing {{ .Chart.Name }}.
-
-Your release is named {{ .Release.Name }}.
-
-
-To learn more about the release, try:
-
- $ helm status {{ .Release.Name }}
- $ helm get {{ .Release.Name }}
-
-
-To delete :
- helm delete {{ .Release.Name }}
-
-
diff --git a/charts/citrix/citrix-ingress-controller/1.32.7/templates/_helpers.tpl b/charts/citrix/citrix-ingress-controller/1.32.7/templates/_helpers.tpl
deleted file mode 100644
index efca8083c7..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.32.7/templates/_helpers.tpl
+++ /dev/null
@@ -1,94 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Analytics Server IP or DNS
-*/}}
-{{- define "analytics.server" -}}
-{{- if .Values.analyticsConfig.endpoint.server -}}
-{{- printf .Values.analyticsConfig.endpoint.server -}}
-{{- else -}}
-{{- $addresses := first (first (lookup "v1" "Node" "" "").items).status.addresses -}}
-{{- printf "%s" ($addresses).address -}}
-{{- end -}}
-{{- end -}}
-
-
-
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "citrix-ingress-controller.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "citrix-ingress-controller.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "exporter.fullname" -}}
-{{- $name := default .Chart.Name "exporter" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "servicemonitor.fullname" -}}
-{{- $name := default .Chart.Name "citrix-adc-servicemonitor" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "servicemonitorlabel" -}}
-{{- $name := default .Chart.Name "citrix-adc-svcmon" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "cicconfigmap.fullname" -}}
-{{- $name := default .Chart.Name "cic-configmap" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "citrix-ingress-controller.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "citrix-ingress-controller.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create -}}
- {{ default (include "citrix-ingress-controller.fullname" .) .Values.serviceAccount.name }}
-{{- else -}}
- {{ default "default" .Values.serviceAccount.name }}
-{{- end -}}
-{{- end -}}
diff --git a/charts/citrix/citrix-ingress-controller/1.32.7/templates/cic_crds.yaml b/charts/citrix/citrix-ingress-controller/1.32.7/templates/cic_crds.yaml
deleted file mode 100644
index 04ab366055..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.32.7/templates/cic_crds.yaml
+++ /dev/null
@@ -1,2549 +0,0 @@ -{{- if .Values.crds.install }} -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: rewritepolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: rewritepolicy - plural: rewritepolicies - singular: rewritepolicy - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - rewrite-policies: - type: array - items: - type: object - properties: - servicenames: - description: 'Name of the services that needs to be binded to rewrite policy.' - type: array - items: - type: string - maxLength: 127 - goto-priority-expression: - description: 'Expression or other value specifying the next policy to be - evaluated if the current policy evaluates to TRUE. - Specify one of the following values: - * NEXT - Evaluate the policy with the next higher priority number. - * END - End policy evaluation. - Default value of goto-priority-expression: END' - type: string - maxLength: 1499 - logpackets: - type: object - description: 'Adds an audit message action. - The action specifies whether to log the message, and to which log.' 
- properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' - type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - rewrite-policy: - type: object - properties: - rewrite-criteria: - description: 'Expression against which traffic is evaluated.' - type: string - maxLength: 1299 - default-action: - description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). - An UNDEF event indicates an internal error condition.' - type: string - maxLength: 77 - enum: ['NOREWRITE', 'RESET', 'DROP'] - operation: - description: 'Type of user-defined rewrite action.' - type: string - enum: ["noop", "delete", "insert_http_header", "delete_http_header", - "corrupt_http_header", "insert_before", "insert_after", "replace", - "replace_http_res", "delete_all", "replace_all", "insert_before_all", - "insert_after_all", "clientless_vpn_encode", "clientless_vpn_encode_all", - "clientless_vpn_decode", "clientless_vpn_decode_all", "insert_sip_header", - "delete_sip_header", "corrupt_sip_header", "replace_sip_res", "replace_diameter_header_field", - "replace_dns_header_field", "replace_dns_answer_section"] - target: - description: 'Default syntax expression that specifies which part of the request or response to rewrite.' - type: string - maxLength: 1229 - modify-expression: - description: 'Default syntax expression that specifies the content to insert into the request - or response at the specified location, or that replaces the specified string.' - type: string - maxLength: 7991 - multiple-occurence-modify: - description: 'Search facility that is used to match multiple strings in the request or response.' 
- type: string - maxLength: 171 - additional-multiple-occurence-modify: - description: 'Specify additional criteria to refine the results of the search. - Always starts with the "extend(m,n)" operation, where "m" specifies number of bytes to the left of selected data - and "n" specifies number of bytes to the right of selected data. - You can use refineSearch only on body expressions, and only when rewrite-criteria is any one of this: - INSERT_BEFORE_ALL, INSERT_AFTER_ALL, REPLACE_ALL, and DELETE_ALL.' - type: string - maxLength: 1299 - direction: - description: 'Bind point to which to bind the policy.' - type: string - enum: ["REQUEST","RESPONSE"] - comment: - description: 'Any comments to preserve information about this rewrite policy.' - type: string - maxLength: 255 - required: [rewrite-criteria, operation, target, direction] - required: [rewrite-policy] - - responder-policies: - type: array - items: - type: object - properties: - servicenames: - description: 'Name of the services that needs to be binded to responder policy.' - type: array - items: - type: string - maxLength: 127 - goto-priority-expression: - description: 'Expression or other value specifying the next policy to be - evaluated if the current policy evaluates to TRUE. - Specify one of the following values: - * NEXT - Evaluate the policy with the next higher priority number. - * END - End policy evaluation. - Default value of goto-priority-expression: END' - type: string - maxLength: 1499 - logpackets: - type: object - description: 'Adds an audit message action. - The action specifies whether to log the message, and to which log.' - properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' 
- type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", - "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - responder-policy: - type: object - properties: - redirect: - type: object - description: 'Use this option when you want to Redirect the request when request matches to policy.' - properties: - url: - description: 'URL on which you want to redirect the request.' - type: string - maxLength: 7991 - redirect-status-code: - description: 'HTTP response status code, for example 200, 302, 404, etc.' - type: integer - minimum: 100 - maximum: 599 - redirect-reason: - description: 'Expression specifying the reason for redirecting the request.' - type: string - maxLength: 7991 - required: [url] - respondwith: - type: object - description: 'Use this parameter when you want to respond to the request when request matches to policy.' - properties: - http-payload-string: - description: 'Expression that you want to sent as response to the request.' - type: string - maxLength: 7991 - required: [http-payload-string] - noop: - type: string - description: 'Use this option when you want to send the request to the protected server instead of - responding to it when request matches to policy.' - properties: - target: - description: 'Default syntax expression that specifies to perform noop operation on' - type: string - maxLength: 1229 - reset: - type: string - description: 'Use this option when you want to Reset the client connection by closing it when request matches to policy.' - properties: - drop: - type: string - description: 'Use this option when you want to drop the request without sending a response to the user when request matches to policy.' - properties: - respond-criteria: - description: 'Default syntax expression that the policy uses to determine whether to respond to the specified request.' 
- type: string - maxLength: 1299 - default-action: - description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). - An UNDEF event indicates an internal error condition.' - type: string - maxLength: 77 - enum: ['NOOP', 'RESET', 'DROP'] - comment: - description: 'Any comments to preserve information about this responder policy.' - type: string - maxLength: 255 - required: [respond-criteria] - oneOf: [required: [redirect], required: [respondwith], required: [noop], required: [reset], required: [drop]] - required: [responder-policy] - - dataset: - type: array - items: - type: object - properties: - name: - description: 'Name of the dataset.' - type: string - maxLength: 32 - type: - description: 'Type of value to bind to the dataset.' - type: string - enum: ["ipv4", "number", "ipv6", "ulong", "double", "mac"] - comment: - description: 'Any comments to preserve information about this dataset.' - type: string - maxLength: 255 - values: - description: 'Value of the specified type that is associated with this dataset.' - type: array - items: - type: string - required: [name, type, values] - - patset: - type: array - items: - type: object - properties: - name: - description: 'Name of the Patset.' - type: string - maxLength: 32 - comment: - description: 'Any comments to preserve information about this patset.' - type: string - maxLength: 255 - values: - description: 'String of characters that constitutes a pattern and is associated with this patset.' - type: array - items: - type: string - required: [name, values] - - stringmap: - type: array - items: - type: object - properties: - name: - description: 'Name of the Stringmap.' - type: string - maxLength: 32 - comment: - description: 'Any comments to preserve information about this stringmap.' - type: string - maxLength: 255 - values: - description: 'List of (key,value) pairs to be bound to this string map.' 
- type: array - items: - type: object - properties: - key: - description: 'Character string constituting the key to be bound to this string map.' - type: string - maxLength: 2047 - value: - description: 'Character string constituting the value associated with the key.' - type: string - maxLength: 2047 - required: [name, values] - - httpcallout_policy: - type: array - items: - type: object - properties: - name: - description: 'httpcallout name' - type: string - maxLength: 32 - server_ip: - description: 'IP Address of the server(callout agent) to which the callout is sent.' - type: string - server_port: - description: 'Port of the server(callout agent) to which the callout is sent.' - type: integer - minimum: 1 - maximum: 65535 - http_method: - description: |+ - 'Method used in the HTTP request that this callout sends. - Default http method is GET' - type: string - enum: ['GET', 'POST'] - host_expr: - description: |+ - 'String expression to configure the Host header. Can contain a literal value - (for example, 10.101.10.11) or a derived value (for example, http.req.header("Host")). - The literal value can be an IP address or a fully qualified domain name. Mutually - exclusive with the full HTTP request expression.' - type: string - maxLength: 255 - url_stem_expr: - description: |+ - 'String expression for generating the URL stem. Can contain a literal string - (for example, "/mysite/index.html") or an expression that derives the value - (for example, http.req.url).' - type: string - maxLength: 8191 - headers: - type: array - description: |+ - 'One or more headers to insert into the HTTP request. Each header is represented by - name and expr, where expr is an expression that is evaluated at runtime to provide - the value for the named header. You can configure a maximum of eight headers for - an HTTP callout.' 
- items: - type: object - properties: - name: - description: 'header name' - type: string - expr: - description: 'header expression' - type: string - parameters: - type: array - description: |+ - 'One or more query parameters to insert into the HTTP request URL (for a GET request) - or into the request body (for a POST request). Each parameter is represented by - name and expr, where expr is an expression that is evaluated at run time to provide - the value for the named parameter (name=value). The parameter values are URL encoded.' - items: - type: object - properties: - name: - description: 'parameter name' - type: string - expr: - description: 'parameter expression' - type: string - body_expr: - description: |+ - 'An advanced string expression for generating the body of the request. - The expression can contain a literal string or an expression that derives - the value (for example, client.ip.src).' - type: string - full_req_expr: - description: |+ - 'Exact HTTP request, in the form of an expression, which the Citrix ADC sends - to the callout agent. The request expression is constrained by the feature - for which the callout is used. For example, an HTTP.RES expression cannot be - used in a request-time policy bank or in a TCP content switching policy bank.' - type: string - scheme: - description: |+ - 'Type of scheme for the callout server. - Default scheme is HTTP' - type: string - enum: ['HTTP', 'HTTPS'] - cache_for_secs: - description: |+ - 'Duration, in seconds, for which the callout response is cached. - The cached responses are stored in an integrated caching content - group named "calloutContentGroup". If no duration is configured, - the callout responses will not be cached unless normal caching - configuration is used to cache them. This parameter takes precedence over any - normal caching configuration that would otherwise apply to these responses.' 
- type: integer - minimum: 1 - maximum: 31536000 - return_type: - description: |+ - 'Type of data that the target callout agent returns in response to the callout - Available settings function as follows: - * TEXT - Treat the returned value as a text string. - * NUM - Treat the returned value as a number. - * BOOL - Treat the returned value as a Boolean value.' - type: string - enum: ['TEXT', 'NUM', 'BOOL'] - result_expr: - description: |+ - 'Expression that extracts the callout results from the response sent by the HTTP callout - agent. Must be a response based expression, that is, it must begin with HTTP.RES. The - operations in this expression must match the return type. For example, if you configure - a return type of TEXT, the result expression must be a text based expression. If the - return type is NUM, the result expression (resultExpr) must return a numeric value, - as in the following example: http.res.body(10000).length.' - type: string - maxLength: 8191 - comment: - description: 'Any comments to preserve information about this HTTP callout.' 
- type: string - maxLength: 255 - allOf: - - properties: - required: [name, server_ip, server_port] - - properties: - oneOf: - - properties: - required: [full_req_expr] - - properties: - anyOf: - - properties: - required: [http_method] - - properties: - required: [host_expr] - - properties: - required: [url_stem_expr] - - properties: - required: [headers] - - properties: - required: [parameters] - - properties: - required: [body_expr] - anyOf: [required: [rewrite-policies], required: [responder-policies]] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: ratelimits.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: ratelimit - plural: ratelimits - singular: ratelimit - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the ratelimit policies are applied.' - type: array - items: - type: string - maxLength: 127 - selector_keys: - type: object - description: 'Traffic match criteria to which apply above rate-limit/throttling. All keys are applied as AND condition. 
If no keys are specified, rate-limit applies at service level' - properties: - basic: - type: object - description: "Basic traffic stream selection criteria to which to apply the ratelimit" - properties: - path: - type: array - description: "api resource path prefix match. e.g. /api/v1/products" - items: - type: string - method: - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT', 'UNKNOWN_METHOD'] - header_name: - description: "HTTP header that identifies the unique API client for e.g. X-apikey" - type: string - per_client_ip: - description: "Setting this applies the throttling limit to each unique Client IP address accessing the API resource" - type: boolean - req_threshold: - description: 'Max requests per timeslice units to be allowed' - type: integer - timeslice: - description: 'Timeslice in miliseconds in multiple of 10. Defaults to 1000 miliseconds' - type: integer - limittype: - description: "Burst mode or smooth. Defaults to smooth limittype if not specified" - type: string - enum: ['BURSTY','SMOOTH'] - throttle_action: - type: string - enum: ['DROP', 'RESET','REDIRECT', 'RESPOND'] - description: "Drop will drop the requests exceeding limits, RESET will reset the client connection, Redirect will redirect to specified URL, respond will respond with 429 'Exceeded allowed rate of requests'" - redirect_url: - type: string - description: "Redirect-URL" - logpackets: - type: object - description: 'Adds an audit message action. The action specifies whether to log the message, and to which log.' - properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' 
- type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - required: [req_threshold] ---- -#Sample CRD instance - -#apiVersion: citrix.com/v1 -#description: VIP for apache service -#kind: vip -#metadata: -# name: service-apache -# namespace: default -#spec: -# description: VIP for the apache Service -# ipaddress: 10.99.98.90 -# kind: service -# name: apache - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: vips.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: vip - plural: vips - singular: vip - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - additionalPrinterColumns: - - jsonPath: .spec.ipaddress - name: VIP - type: string - - name: Age - type: date - jsonPath: .metadata.creationTimestamp - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - ipaddress: - type: string - name: - type: string - kind: - type: string - enum: ["service", "ingress"] - description: - type: string - range-name: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: authpolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: authpolicy - plural: authpolicies - singular: authpolicy - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: 'Current Status of the CRD' - jsonPath: .status.state - - name: Message - type: string - description: 'Status Message' - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: 
string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: |+ - 'Name of the services for which the policies applied' - type: array - items: - type: string - maxLength: 63 - authentication_mechanism: - type: object - description: |+ - 'Authentication mechanism. Options: using forms or using request header. - Default is Authentication using request header, when no option is specified' - properties: - using_request_header: - description: |+ - 'Enable user authentication using request header. Use when the credentials - or api keys are passed in a header. For example, when using Basic, Digest, - Bearer authentication or api keys. - When authentication using forms is provided, this is set to OFF' - - type: string - using_forms: - type: object - description: 'Enables authentication using forms. Use with user/web authentication.' - properties: - authentication_host: - description: |+ - 'Fully qualified domain name (FQDN) for authentication. - This FQDN should be unique and should resolve to frontend IP of - ADC with Ingress/service type LoadBalancer (or) vip of Listener CRD' - type: string - maxLength: 255 - authentication_host_cert: - description: |+ - 'Name of the SSL certificate to be used with authentication_host. 
- This certificate is mandatory while using_forms' - type: object - properties: - tls_secret: - type: string - description: 'Name of the Kubernetes Secret of type tls referring to Certificate' - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - preconfigured: - type: string - maxLength: 63 - description: |+ - 'Preconfigured SSL certkey name on ADC with the - certificate and key already added on ADC' - oneOf: - - properties: - required: [tls_secret] - - properties: - required: [preconfigured] - ingress_name: - description: |+ - 'Ingress name for which the authentication using forms - is applicable.' - type: string - maxLength: 63 - lb_service_name: - description: |+ - 'Service of type LoadBalancer for which the authentication using forms - is applicable.' - type: string - maxLength: 63 - listener_name: - description: |+ - 'Listener CRD name for which the authentication using forms is applicable.' - type: string - maxLength: 63 - vip: - description: |+ - 'Frontend IP of ingress for which the authentication - using forms is applicable. This refers to frontend-ip provided - with Ingress. It is suggested to use vip, if more than one Ingress - resource use the same frontend-ip' - type: string - required: [authentication_host, authentication_host_cert] - oneOf: - - properties: - required: [ingress_name] - - properties: - required: [lb_service_name] - - properties: - required: [listener_name] - - properties: - required: [vip] - oneOf: - - properties: - using_request_header: - enum: ['ON'] - required: [using_request_header] - - properties: - required: [using_forms] - - authentication_providers: - description: |+ - 'Authentication Configuration for required authentication providers/schemes. 
- One or more of these can be created' - type: array - items: - description: 'Create config for a single authentication provider of a particular type' - type: object - properties: - name: - description: 'Name for this provider, has to be unique, referenced by authentication policies' - type: string - maxLength: 127 - - oauth: - description: 'Authentication provided by external oAuth provider' - type: object - properties: - issuer: - description: 'Identity of the server whose tokens are to be accepted' - type: string - maxLength: 127 - audience: - description: 'Audience for which token sent by Authorization server is applicable' - type: array - items: - type: string - maxLength: 127 - jwks_uri: - description: |+ - 'URL of the endpoint that contains JWKs (Json Web Key) for - JWT (Json Web Token) verification' - type: string - maxLength: 127 - introspect_url: - description: ' URL of the introspection server' - type: string - maxLength: 127 - client_credentials: - description: |+ - 'secrets object that contains Client Id and secret as known - to Introspection server' - type: string - maxLength: 253 - token_in_hdr: - description: |+ - 'custom header name where token is present, - default is Authorization header' - type: array - items: - type: string - maxLength: 127 - maxItems: 2 - token_in_param: - description: 'query parameter name where token is present' - type: array - items: - type: string - maxLength: 127 - maxItems: 2 - signature_algorithms: - description: 'list of allowed signature algorithms, by default HS256, RS256, RS512 are allowed' - type: array - items: - type: string - enum: ['HS256', 'RS256', 'RS512'] - claims_to_save: - description: 'list of claims to be saved, used to create authorization policies' - type: array - items: - type: string - maxLength: 127 - metadata_url: - description: 'URL used to get OAUTH/OIDC provider metadata' - type: string - maxLength: 255 - user_field: - description: |+ - 'Attribute in the token from which username should be 
extracted. - by default, ADC looks at email attribute for user id' - type: string - maxLength: 127 - default_group: - description: |+ - 'group assigned to the request if authentication succeeds, - this is in addition to any extracted groups from token' - type: string - maxLength: 63 - grant_type: - description: 'used to specify the type of flow to the token end point, defaults to CODE' - type: array - items: - type: string - enum: ['CODE','PASSWORD'] - pkce: - description: 'specify whether to enable Proof Key Code Exchange, defaults to ENABLED' - type: string - enum: ['ENABLED', 'DISABLED'] - token_ep_auth_method: - description: |+ - 'authentication method to be used with token end point, - defaults to client_secret_post' - type: string - enum: ['client_secret_post', 'client_secret_jwt'] - - anyOf: - - properties: - required : [jwks_uri] - - properties: - required : [introspect_url, client_credentials] - - properties: - required : [metadata_url] - - ldap: - description: 'LDAP authentication provider' - type: object - properties: - server_ip: - description: 'IP address assigned to the LDAP server' - type: string - server_name: - description: 'LDAP server name as a FQDN' - type: string - maxLength: 127 - server_port: - description: 'Port on which the LDAP server accepts connections. Default is 389' - type: integer - minimum: 1 - maximum: 65535 - base: - description: |+ - 'Base (node) from which to start LDAP searches. If the LDAP server is - running locally, the default value of base is dc=netscaler, dc=com' - type: string - maxLength: 127 - server_login_credentials: - description: |+ - 'Kubernetes secret object providing credentials to login to LDAP server, - The secret data should have username and password' - type: string - login_name: - description: |+ - 'LDAP login name attribute. 
The Citrix ADC uses the LDAP login name - to query external LDAP servers or Active Directories' - type: string - maxLength: 127 - security_type: - description: |+ - 'Type of security used for communications between the Citrix ADC - and the LDAP server. Default is TLS' - type: string - enum: ['PLAINTEXT', 'TLS', 'SSL'] - validate_server_cert: - description: 'Validate LDAP Server certs. Default is NO' - type: string - enum: ['YES', 'NO'] - hostname: - description: |+ - 'Hostname for the LDAP server. If validate_server_cert is ON, - this must be the host name on the certificate from the LDAP - A hostname mismatch will cause a connection failure' - type: string - maxLength: 127 - sub_attribute_name: - description: 'LDAP group sub-attribute name. Used for group extraction from the LDAP server.' - type: string - maxLength: 31 - group_attribute_name: - description: 'LDAP group attribute name. Used for group extraction on the LDAP server.' - type: string - maxLength: 31 - search_filter: - description: |+ - 'String to be combined with the default LDAP user search string to form the - search value. For example, if the search filter "vpnallowed=true" is combined - with the LDAP login name "samaccount" and the user-supplied username is "bob", - the result is the LDAP search string ""(&(vpnallowed=true)(samaccount=bob)"" - (Be sure to enclose the search string in two sets of double quotation marks)' - type: string - maxLength: 255 - auth_timeout: - description: |+ - 'Number of seconds the Citrix ADC waits for a response from the server - Default is 3' - type: integer - minimum: 1 - maximum: 4294967295 - password_change: - description: 'Allow password change requests. 
Default is DISABLED' - type: string - enum: ['ENABLED', 'DISABLED'] - attributes_to_save: - description: |+ - 'List of attribute names separated by comma which needs to be fetched - from LDAP server and stored as key-value pair for the session on ADC' - type: string - maxLength: 2047 - oneOf: - - properties: - required: [server_ip] - - properties: - required: [server_name] - - saml: - description: |+ - 'SAML authentication provider. - Currently SAML is supported only with authentication mechanism using forms' - type: object - properties: - metadata_url: - description: 'URL is used for obtaining saml metadata.' - type: string - maxLength: 255 - metadata_refresh_interval: - description: |+ - 'Interval in minutes for fetching metadata from specified metadata URL. - Default is 36000' - type: integer - minimum: 1 - maximum: 4294967295 - signing_cert: - description: 'SSL certificate to sign requests from SP to IDP' - type: object - properties: - tls_secret: - type: string - description: 'Name of the Kubernetes Secret of type tls referring to Certificate' - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - preconfigured: - type: string - maxLength: 63 - description: |+ - 'Preconfigured SSL certkey name on ADC with the - certificate and key already added on ADC' - oneOf: - - properties: - required: [tls_secret] - - properties: - required: [preconfigured] - audience: - description: 'Audience for which assertion sent by IdP is applicable' - type: string - maxLength: 127 - issuer_name: - description: 'The name to be used in requests sent from SP to IDP to identify citrix ADC' - type: string - maxLength: 63 - binding: - description: 'Specifies the transport mechanism of saml message. Default is POST' - type: string - enum: ['REDIRECT', 'POST', 'ARTIFACT'] - artifact_resolution_service_url: - description: 'URL of the Artifact Resolution Service on IdP' - type: string - maxLength: 255 - logout_binding: - description: 'Specifies the transport mechanism of saml logout. 
Default is POST' - type: string - enum: ['REDIRECT', 'POST'] - reject_unsigned_assertion: - description: |+ - 'Reject unsigned SAML assertions. ON, rejects assertion without signature. - STRICT ensure that both Response and Assertion are signed. Default is ON' - type: string - enum: ['ON', 'OFF', 'STRICT'] - user_field: - description: 'SAML user ID, as given in the SAML assertion' - type: string - maxLength: 63 - default_authentication_group: - description: |+ - 'This is the default group that is chosen when the authentication - succeeds in addition to extracted groups' - type: string - maxLength: 63 - skew_time: - description: |+ - 'Allowed clock skew in number of minutes on an incoming assertion. - Default is 5' - type: integer - minimum: 1 - attributes_to_save: - description: |+ - 'List of attribute names separated by comma which needs to be extracted - and stored as key-value pair for the session on ADC' - type: string - maxLength: 2047 - required: - - metadata_url - - basic_local_db: - type: object - description: |+ - 'Basic HTTP authentication supported by ADC, user data in local DB of ADC. - Users needs to be added on ADC' - properties: - use_local_auth: - description: 'Use ADC authentication' - type: string - enum: ['YES'] - - required: - - name - - authentication_policies: - description: 'Authentication policies' - type: array - items: - type: object - description: 'Authentication policy' - properties: - resource: - type: object - description: 'endpoint/resource selection criteria' - properties: - path: - description: 'api resource path e.g. /products. 
' - type: array - items: - type: string - maxLength: 511 - method: - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT', 'UNKNOWN_METHOD'] - required: - - path - expression: - description: 'ADC syntax expression for authentication' - type: string - maxLength: 1229 - provider: - description: 'name of the authentication provider for the policy, empty if no authentication required' - type: array - items: - type: string - maxLength: 127 - maxItems: 1 - oneOf: - - required: [resource, provider] - - required: [expression, provider] - - authorization_policies: - description: 'Authorization policies' - type: array - items: - type: object - description: 'Authorization policy' - properties: - resource: - type: object - description: 'endpoint/resource selection criteria' - properties: - path: - description: 'api resource path e.g. /products. ' - type: array - items: - type: string - maxLength: 511 - method: - description: ' http method' - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT', 'UNKNOWN_METHOD'] - claims: - description: 'authorization scopes required for selected resource saved as claims or attributes' - type: array - items: - type: object - properties: - name: - description: 'name of the claim/attribute to check' - type: string - maxLength: 127 - values: - description: 'list of claim values required for the request' - type: array - items: - type: string - maxLength: 127 - minItems: 1 - required: - - name - - values - required: - - claims - expression: - description: 'ADC syntax expression for authorization' - type: string - maxLength: 1229 - oneOf: - - required: [resource] - - required: [expression] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: listeners.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - 
names: - kind: Listener - plural: listeners - singular: listener - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - required: [spec] - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - required: [protocol] - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - protocol: - type: string - enum: ["https", "http"] - description: "Protocol for this listener" - vip: - type: string - description: "VIP address, Optional for CPX, required for Tier-1 deployments" - secondaryVips: - type: array - description: "An array of Secondary VIPs. All the VIPs will be part of an ipset" - minItems: 1 - items: - type: string - redirectPort: - type: integer - minimum: 1 - maximum: 65535 - description: "Port from which http traffic should be redirected to https" - port: - type: integer - minimum: 1 - maximum: 65535 - certificates: - type: array - description: "certificates attached to the endpoints - Not applicable for HTTP" - minItems: 1 - items: - type: object - properties: - preconfigured: - type: string - description: "Preconfigured Certificate name on ADC " - secret: - type: object - description: "Kuberentes secret object" - required: [name] - properties: - name: - type: string - description: "name of the Kubernetes Secret object where Cert is located" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - namespace: - type: string - description: "Namespace of the kubernetes secret object; Default is same namespace where the Listener object is located" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - default: - type: boolean - description: "Only one of the certificate can be marked as default which will be presented if none of the cert matches with 
the hostname" - oneOf: - - required: ["preconfigured"] - - required: ["secret"] - policies: - type: object - description: "Policies attached to the Listener" - properties: - httpprofile: - type: object - description: "HTTP profile configurations for the Listener, HTTP level configurations" - properties: - preconfigured: - type: string - description: "Preconfigured or Built-in HTTP profile name" - config: - type: object - description: "HTTP profile configuration for the listener. For individual fields, refer:https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ns/nshttpprofile/nshttpprofile/ Name field is auto populated" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - tcpprofile: - type: object - description: "TCP level configurations, uses ns tcpprofile of citrix ADC" - properties: - preconfigured: - description: "Preconfigured or Built-in TCP profile name" - type: string - config: - type: object - description: "TCPprofile configurations for the listener. For individual fields refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ns/nstcpprofile/ ; Name field is auto populated" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - csvserverConfig: - type: object - description: "CS Vserver configuration for the listener" - additionalProperties: - type: string - sslprofile: - type: object - description: "SSL profile configuration" - properties: - preconfigured: - type: string - description: "SSL profile which is preconfigured in ADC. Ciphers bound to the profile is not overriden" - config: - description: "Citrix ADC frontend SSL profile configurations. 
Refer:https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ssl/sslprofile/ for all configurations; Name field is auto generated" - type: object - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - sslciphers: - type: array - description: "List of ciphers to be bound to the ssl profile for the listener. Priority is as per the order in the list. A cipher suite, predefined cipher group or User created cipher group can be mentioned" - minItems: 1 - items: - type: string - description: "Cipher suite, cipher group name" - analyticsprofile: - type: object - description: "Analytics profile configuration" - properties: - preconfigured: - type: array - description: "Preconfigured Analytics profile that needs to be bound to the vserver" - minItems: 1 - items: - type: string - description: "Name of the analytics profile preconfigured that will be bound to the Vserver" - config: - type: array - description: "An array of analytics to be enabled" - minItems: 1 - items: - type: object - description: "Anlytics to be enabled" - required: ['type'] - properties: - type: - description: "Analytics profile to be enabled, you can enable one or more of the webinsight, tcpinsight, securityinsight, videoinsight, hdxinsight, gatewayinsight, timeseries, lsninsight, botinsight " - type: string - enum: ["webinsight", "tcpinsight", "securityinsight", "videoinsight", "hdxinsight", "gatewayinsight", "timeseries", "lsninsight", "botinsight"] - parameters: - type: object - description: "Additional parameters for analytics profile. 
Please refer:https://developer-docs.citrix.com/projects/citrix-adc-nitro-api-reference/en/latest/configuration/analytics/analyticsprofile/" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - routes: - type: array - description: "List of route objects attached to the listener" - minItems: 1 - items: - type: object - properties: - name: - type: string - description: "Name of the HTTPRoute object" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - namespace: - type: string - description: "Namespace of the HTTPRoute object" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - labelSelector: - description: "Labels key value pair, if the route carries the same labels, it is automatically attached" - type: object - additionalProperties: - type: string - oneOf: - - required: [name, namespace] - - required: [labelSelector] - defaultAction: - type: object - description: "Default action for the listener: One of Backend or Redirect" - properties: - backend: - type: object - oneOf: - - required: [kube] - properties: - kube: - type: object - required: [service, port] - properties: - service: - description: "Name of the backend service" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - port: - description: "Service port" - type: integer - minimum: 1 - maximum: 65535 - namespace: - description: "Service namespace" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - backendConfig: - description: "General backend service options" - type: object - properties: - secure_backend: - description: "Use Secure communications to the backends" - type: boolean - lbConfig: - description: "Citrix ADC LB vserver configurations for the backend. 
Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/load-balancing/lbvserver/lbvserver/ for all configurations" - type: object - additionalProperties: - type: string - servicegroupConfig: - description: "Citrix ADC service group configurations for the backend; Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/basic/servicegroup/servicegroup/ for all configurations" - type: object - additionalProperties: - type: string - redirect: - type: object - oneOf: - - required: [targetExpression] - - required: [hostRedirect] - - required: [httpsRedirect] - properties: - httpsRedirect: - description: "Change the scheme from http to https keeping URL intact" - type: boolean - hostRedirect: - description: "Host name specified is used for redirection with URL intact" - type: string - targetExpression: - description: "A target can be specified using Citrix ADC policy expression" - type: string - responseCode: - description: "Default response code is 302, which can be customised using this attribute" - type: integer - minimum: 100 - maximum: 599 - oneOf: - - required: ["backend"] - - required: ["redirect"] - subresources: - # status enables the status subresource. 
- status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: httproutes.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: HTTPRoute - plural: httproutes - singular: httproute - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - required: [rules] - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - hostname: - type: array - description: "List of domain names that share the same route, default is '*'" - minItems: 1 - items: - type: string - description: "Domain name" - rules: - type: array - description: "List Content routing rules with an action defined" - minItems: 1 - items: - type: object - required: [name, action] - properties: - name: - type: string - description: "A name to represent the rule, this is used as an identifier in content routing policy name in ADC" - minLength: 1 - maxLength: 20 - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - match: - type: array - description: "List of rules with same action" - minItems: 1 - items: - type: object - anyOf: - - required: [path] - - required: [headers] - - required: [cookies] - - required: [queryParams] - - required: [method] - - required: [policyExpression] - properties: - path: - type: object - description: "URL Path based content routing" - properties: - prefix: - type: string - description: "URL path matches the prefix expression" - exact: - type: string - description: "URL Path must match exact path" - regex: - type: string - description: "PCRE based 
regex expression for path matching" - headers: - type: array - description: "List of header for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Header details for content routing, Check for existence of a header or header name-value match" - properties: - headerName: - type: object - description: "Header name based content routing, Here existence of header is used for routing" - properties: - exact: - type: string - description: "Header Name - treated as exact must exist" - contains: - type: string - description: "Header Name - A header must exist that contain the string the name" - regex: - type: string - description: "header Name - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e header name must not exist" - oneOf: - - required: [exact] - - required: [contains] - - required: [regex] - headerValue: - type: object - description: "Header Name and Value based match" - properties: - name: - type: string - description: "Header name that must match the value" - exact: - type: string - description: "Header value - treated as exact" - contains: - type: string - description: "Header value - treated as contains" - regex: - type: string - description: "header value - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e header if present must not match the value" - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - queryParams: - type: array - description: "List of Query parameters for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Query parameters Name and Value based match" - properties: - name: - type: string - description: "Query name that must match the value. 
If no value is specified, matches with any value" - exact: - type: string - description: "Query value - Exact match" - contains: - type: string - description: "Query value - value must have the string(substring)" - regex: - type: string - description: "Query value - Value must match this regex patterm" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e query if present must not match the value" - anyOf: - - required: [name] - - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - cookies: - type: array - description: "List of Cookie params for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Cookie based routing" - properties: - name: - type: string - description: "cookie name that must match the value. If no value specified, it matches with any value" - exact: - type: string - description: "cookie value - treated as exact" - contains: - type: string - description: "cookie value - treated as substring" - regex: - type: string - description: "cookie value - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. 
I.e cookie if present must not match the value" - anyOf: - - required: [name] - - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - method: - type: string - description: "HTTP method for content routing eg: POST, PUT, DELETE etc" - policyExpression: - type: string - description: "Citrix ADC policy expressions; refer: https://docs.citrix.com/en-us/netscaler/media/expression-prefix.pdf" - action: - type: object - description: "Action for the matched rule" - properties: - backend: - type: object - oneOf: - - required: [kube] - properties: - kube: - type: object - required: [service, port] - properties: - service: - description: "Name of the backend service" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - port: - description: "Service port" - type: integer - minimum: 1 - maximum: 65535 - backendConfig: - type: object - description: "General backend service options" - properties: - secureBackend: - description: "Use Secure communications to the backends" - type: boolean - lbConfig: - description: "Citrix ADC LB vserver configurations for the backend. 
Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/load-balancing/lbvserver/lbvserver/ for all configurations" - type: object - additionalProperties: - type: string - servicegroupConfig: - description: "Citrix ADC service group configurations for the backend; Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/basic/servicegroup/servicegroup/ for all configurations" - type: object - additionalProperties: - type: string - redirect: - type: object - oneOf: - - required: [targetExpression] - - required: [hostRedirect] - - required: [httpsRedirect] - properties: - httpsRedirect: - description: "Change the scheme from http to https keeping URL intact" - type: boolean - hostRedirect: - description: "Host name specified is used for redirection with URL intact" - type: string - targetExpression: - description: "A target can be specified using Citrix ADC policy expression" - type: string - responseCode: - description: "Default response code is 302, which can be customised using this attribute" - type: integer - minimum: 100 - maximum: 599 - oneOf: - - required: ["backend"] - - required: ["redirect"] - subresources: - # status enables the status subresource. - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - # name must match the spec fields below, and be in the form: . 
- name: continuousdeployments.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: continuousdeployment - plural: continuousdeployments - singular: continuousdeployment - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - cronSpec: - type: integer - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: wafs.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: waf - plural: wafs - singular: waf - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the waf policies are applied.' 
- type: array - items: - type: string - maxLength: 127 - application_type: - description: 'Type of applications to protect' - type: array - items: - type: string - enum: ['HTML', 'JSON', 'XML'] - signatures: - description: 'Location of external signature file' - type: string - redirect_url: - description: 'When a URL is blocked/down, redirect_url represents the alternate URL where the client requests should be sent.' - type: string - html_error_object: - description: 'Location of customized error page to respond when html or common violation are hit' - type: string - xml_error_object: - description: 'Location of customized error page to respond when xml violations are hit' - type: string - json_error_object: - description: 'Location of customized error page to respond when json violations are hit' - type: string - ip_reputation: - type: object - x-kubernetes-preserve-unknown-fields: true - description: 'Enabling IP reputation feature' - target: - description: 'To control what traffic to be inspected by Web Application Firewall. 
If you do not provide the target, everything will be inspected by default' - type: object - properties: - path: - type: array - description: "List of http urls to inspect" - items: - type: string - description: "URL path" - method: - type: array - description: "List of http methods to inspect" - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT', 'UNKNOWN_METHOD'] - header: - type: array - description: "List of http headers to inspect" - items: - type: string - description: "header name" - security_checks: - description: 'To enable/disable application firewall security checks' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true - settings: - description: 'To fine tune application firewall security checks default settings' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true - relaxations: - description: 'Section which contains relaxation rules for known traffic and false positives' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true - enforcements: - description: 'Section which contains enforcement or restriction rules' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: 
true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: bots.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: bot - plural: bots - singular: bot - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the bot policies are applied.' - type: array - items: - type: string - maxLength: 127 - signatures: - description: 'Location of external bot signature file' - type: string - redirect_url: - description: 'url to redirect when bot violation is hit' - type: string - target: - description: 'To control what traffic to be inspected by BOT. 
If you do not provide the target, everything will be inspected by default' - type: object - properties: - path: - type: array - description: "List of http urls to inspect" - items: - type: string - description: "URL path" - method: - type: array - description: "List of http methods to inspect" - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT', 'UNKNOWN_METHOD'] - header: - type: array - description: "List of http headers to inspect" - items: - type: string - description: "header name" - security_checks: - description: 'To enable/disable bot ecurity checks' - type: object - properties: - allow_list: - type: string - enum: ['ON', 'OFF'] - block_list: - type: string - enum: ['ON', 'OFF'] - device_fingerprint: - type: string - enum: ['ON', 'OFF'] - device_fingerprint_action: - type: object - x-kubernetes-preserve-unknown-fields: true - headless_browser: - type: string - enum: ['ON','OFF'] - reputation: - type: string - enum: ['ON', 'OFF'] - ratelimit: - type: string - enum: ['ON', 'OFF'] - tps: - type: string - enum: ['ON', 'OFF'] - trap: - type: object - x-kubernetes-preserve-unknown-fields: true - bindings: - description: 'Section which contains binding rules for bot security checks' - type: object - properties: - allow_list: - type: array - items: - type: object - properties: - subnet: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - ipv6: - type: object - x-kubernetes-preserve-unknown-fields: true - ipv6_subnet: - type: object - x-kubernetes-preserve-unknown-fields: true - expression: - type: object - x-kubernetes-preserve-unknown-fields: true - - block_list: - type: array - items: - type: object - properties: - subnet: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - ipv6: - type: object - x-kubernetes-preserve-unknown-fields: true - ipv6_subnet: - type: 
object - x-kubernetes-preserve-unknown-fields: true - expression: - type: object - x-kubernetes-preserve-unknown-fields: true - ratelimit: - type: array - items: - type: object - properties: - url: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - cookie: - type: object - x-kubernetes-preserve-unknown-fields: true - geolocation: - type: object - x-kubernetes-preserve-unknown-fields: true - reputation: - type: object - x-kubernetes-preserve-unknown-fields: true - captcha: - type: array - items: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - logexp: - type: array - items: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - kbmexpr: - type: array - items: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - tps: - type: object - properties: - geolocation: - type: object - x-kubernetes-preserve-unknown-fields: true - host: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - url: - type: object - x-kubernetes-preserve-unknown-fields: true - trapinsertion: - type: object - x-kubernetes-preserve-unknown-fields: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: apigatewaypolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: apigatewaypolicy - plural: apigatewaypolicies - singular: apigatewaypolicy - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - subresources: - status: {} - schema: - openAPIV3Schema: - type: object - required: [spec] 
- properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - api_definition: - type: object - properties: - repository: - type: string - branch: - type: string - oas_secret_ref: - type: string - files: - type: array - items: - type: string - maxLength: 127 - api_proxy: - type: object - properties: - ipaddress: - type: string - port: - type: integer - protocol: - type: string - secret: - type: string - policies: - type: array - items: - type: object - properties: - name: - type: string - selector: - type: array - items: - type: object - properties: - tags: - type: array - items: - type: string - api: - type: string - method: - type: array - items: - type: string - maxLength: 127 - upstream: - type: object - properties: - service: - type: string - port: - type: integer - policy_bindings: - type: object - properties: - ratelimit: - type: object - properties: - name: - type: string - waf: - type: object - properties: - name: - type: string - rewritepolicy: - type: object - properties: - name: - type: string - bot: - type: object - properties: - name: - type: string - aaa: - type: array - items: - type: object - properties: - crd_name: - type: string - mappings: - type: array - items: - type: object - properties: - petstore_auth: - type: string - api_key: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: corspolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: corspolicy - plural: corspolicies - singular: corspolicy - shortNames: - - cp - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: 'Current Status of the CRD' - jsonPath: .status.state - - name: Message - type: string - description: 
'Status Message' - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'The list of Kubernetes services to which you want to apply the cors policies.' - type: array - items: - type: string - maxLength: 63 - allow_origin: - description: 'Represents list of allowed origins, it is used to screen the “origin” in the cors pre flight request' - type: array - items: - type: string - maxLength: 2083 - allow_methods: - description: 'Indicates which methods are supported by the response’s URL for the purposes of the CORS protocol. This variable will be used to set Access-Control-Allow-Methods in the pre-flight cors response.' - type: array - items: - type: string - maxLength: 127 - allow_headers: - description: 'Indicates which headers are supported by the response’s URL for the purposes of the CORS protocol. This variable will be used to set Access-Control-Allow-Headers in the pre-flight cors response.' - type: array - items: - type: string - maxLength: 127 - max_age: - description: 'Indicates the number of seconds (5 by default) the information provided by the `Access-Control-Allow-Methods` and `Access-Control-Allow-Headers` headers can be cached. This variable will be used to set Access-Control-Max-Age in the pre-flight cors response.' - type: integer - allow_credentials: - description: 'Indicates whether the response can be shared when the request’s credentials mode is "include". This variable will be set to Access-Control-Allow-Credentials in the rewrite action.' 
- type: boolean - required: [servicenames, allow_origin, allow_methods, allow_headers] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: appqoepolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: appqoepolicy - plural: appqoepolicies - singular: appqoepolicy - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - appqoe-policies: - type: array - items: - type: object - properties: - servicenames: - description: 'Name of the services that needs to be binded to appqoe policy.' - type: array - items: - type: string - maxLength: 127 - appqoe-policy: - type: object - properties: - operation-retry: - type: object - properties: - on-reset: - description: "To set Retry on Connection Reset or Not" - type: string - enum: ['YES','NO'] - on-timeout: - description: "Time in milliseconds for retry" - type: integer - minimum: 30 - maximum: 2000 - number-of-retries: - description: "To set number of retries" - type: integer - minimum: 1 - maximum: 7 - required: [operation-retry] - appqoe-criteria: - description: 'Expression against which traffic is evaluated.' - type: string - maxLength: 1299 - direction: - description: 'Bind point to which to bind the policy.' 
- type: string - enum: ["REQUEST","RESPONSE"] - required: [appqoe-criteria, operation-retry] - required: [appqoe-policy] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: wildcarddnsentries.citrix.com -spec: - group: citrix.com - names: - kind: wildcarddnsentry - plural: wildcarddnsentries - singular: wildcarddnsentry - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: Current Status of the CRD - jsonPath: .status.state - - name: Message - type: string - description: Status Message - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - zone: - type: object - description: DNS configuration for a zone - properties: - domain: - type: string - description: Domain name - dnsaddrec: - type: object - description: DNS Address record - properties: - domain-ip: - type: string - description: IPv4 addresses to assign to the domain name - ttl: - type: integer - description: >- - TTL is the time for which the record must be cached - by DNS proxies - dnsaaaarec: - type: object - description: DNS AAAA record - properties: - domain-ip: - type: string - description: IPv6 addresses to assign to the domain name - ttl: - type: integer - description: >- - TTL is the time for which the record must be cached - by DNS proxies - soarec: - type: object - description: SOA record - properties: - origin-server: - type: string - description: Origin server domain - contact: - type: string - description: Admin contact - serial: - type: integer - description: >- - The secondary server uses this parameter to - determine whether it requires a zone transfer from - the primary server. 
- refresh: - type: integer - description: >- - Time, in seconds, for which a secondary server must - wait between successive checks on the value of the - serial number. - retry: - type: integer - description: >- - Time, in seconds, between retries if a secondary server's - attempt to contact the primary server for a zone refresh fails. - expire: - type: integer - description: >- - Time, in seconds, after which the zone data on a secondary - nameserver can no longer be considered authoritative because - all refresh and retry attempts made during the period have failed." - nsrec: - type: object - description: Name server record - properties: - nameserver: - type: string - description: Host name of the name server to add to the domain. - ttl: - type: integer - description: >- - Time to Live (TTL), in seconds, for the record. TTL - is the time for which the record must be cached by - DNS proxies. The specified TTL is applied to all the - resource records that are of the same record type - and belong to the specified domain name ---- -{{- end }} diff --git a/charts/citrix/citrix-ingress-controller/1.32.7/templates/citrix-k8s-ingress.yaml b/charts/citrix/citrix-ingress-controller/1.32.7/templates/citrix-k8s-ingress.yaml deleted file mode 100644 index ac0ba09fad..0000000000 --- a/charts/citrix/citrix-ingress-controller/1.32.7/templates/citrix-k8s-ingress.yaml +++ /dev/null 
@@ -1,264 +0,0 @@ -{{- if .Values.openshift }} -apiVersion: apps.openshift.io/v1 -kind: DeploymentConfig -{{- else }} -apiVersion: apps/v1 -kind: Deployment -{{- end }} -metadata: - name: {{ include "citrix-ingress-controller.fullname" . }} - namespace: {{ .Release.Namespace }} -spec: - selector: -{{- if .Values.openshift }} - router: {{ include "citrix-ingress-controller.fullname" . }} -{{- else }} - matchLabels: - app: {{ include "citrix-ingress-controller.fullname" . }} -{{- end }} - replicas: 1 -{{- if .Values.openshift }} - strategy: - resources: {} - rollingParams: - intervalSeconds: 1 - maxSurge: 0 - maxUnavailable: 25% - timeoutSeconds: 600 - updatePeriodSeconds: 1 - type: Rolling -{{- end }} - template: - metadata: - name: cic - labels: -{{- if .Values.openshift }} - router: {{ include "citrix-ingress-controller.fullname" . }} -{{- else }} - app: {{ include "citrix-ingress-controller.fullname" . }} -{{- end }} -{{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} -{{- end }} - spec: - serviceAccountName: {{ include "citrix-ingress-controller.serviceAccountName" . }} - containers: - - name: cic - image: "{{ tpl .Values.image . }}" - imagePullPolicy: {{ .Values.pullPolicy }} - args: - - --configmap - {{ .Release.Namespace }}/{{ include "cicconfigmap.fullname" . 
}} -{{- if .Values.defaultSSLCertSecret }} - - --default-ssl-certificate - {{ .Release.Namespace }}/{{ .Values.defaultSSLCertSecret }} -{{- end }} -{{- if .Values.ingressClass }} - - --ingress-classes -{{- range .Values.ingressClass}} - {{.}} -{{- end }} -{{- end }} -{{- if .Values.serviceClass }} - - --service-classes -{{- range .Values.serviceClass}} - {{.}} -{{- end }} -{{- end }} - - --feature-node-watch - {{ .Values.nodeWatch }} - - --enable-cnc-pbr - {{ .Values.cncPbr }} -{{- if .Values.ipam }} - - --ipam - citrix-ipam-controller -{{- end }} -{{- if .Values.disableAPIServerCertVerify }} - - --disable-apiserver-cert-verify - {{ .Values.disableAPIServerCertVerify }} -{{- end }} -{{- if .Values.updateIngressStatus }} - - --update-ingress-status - yes -{{- end }} - env: - - name: "NS_IP" - value: "{{ .Values.nsIP }}" -{{- if .Values.nsVIP }} - - name: "NS_VIP" - value: "{{ .Values.nsVIP }}" -{{- end }} -{{- if .Values.rbacRole }} - - name: "SCOPE" - value: "local" -{{- end }} -{{- if .Values.nitroReadTimeout }} - - name: "NS_NITRO_READ_TIMEOUT" - value: "{{ .Values.nitroReadTimeout }}" -{{- end }} - - name: "NS_USER" - {{- if and .Values.secretStore.enabled .Values.secretStore.username}} - {{- toYaml .Values.secretStore.username | nindent 10 }} - {{- else }} - valueFrom: - secretKeyRef: - name: {{ .Values.adcCredentialSecret }} - key: username - {{- end }} - - name: "NS_PASSWORD" - {{- if and .Values.secretStore.enabled .Values.secretStore.password}} - {{- toYaml .Values.secretStore.password | nindent 10 }} - {{- else }} - valueFrom: - secretKeyRef: - name: {{ .Values.adcCredentialSecret }} - key: password - {{- end }} - - name: "EULA" - value: "{{ .Values.license.accept }}" -{{- if and .Values.openshift .Values.routeLabels }} - - name: "ROUTE_LABELS" - value: {{ .Values.routeLabels | quote}} -{{- end }} -{{- if and .Values.openshift .Values.namespaceLabels }} - - name: "NAMESPACE_LABELS" - value: {{ .Values.namespaceLabels | quote }} -{{- end }} - - name: 
"NS_APPS_NAME_PREFIX" - value: {{ .Values.entityPrefix | default "k8s"| quote }} -{{- if .Values.kubernetesURL }} - - name: "kubernetes_url" - value: "{{ .Values.kubernetesURL }}" -{{- end }} -{{- if .Values.clusterName }} - - name: "CLUSTER_NAME" - value: "{{ .Values.clusterName }}" -{{- end }} -{{- if .Values.logProxy }} - - name: "NS_LOGPROXY" - value: "{{ .Values.logProxy }}" -{{- end }} -{{- if .Values.disableOpenshiftRoutes }} - - name: "DISABLE_OPENSHIFT_ROUTES" - value: "{{ .Values.disableOpenshiftRoutes }}" -{{- end }} -{{- if .Values.nsConfigDnsRec }} - - name: "NS_CONFIG_DNS_REC" - value: "{{ .Values.nsConfigDnsRec }}" -{{- end }} -{{- if .Values.nsSvcLbDnsRec }} - - name: "NS_SVC_LB_DNS_REC" - value: "{{ .Values.nsSvcLbDnsRec }}" -{{- end }} -{{- if .Values.optimizeEndpointBinding }} - - name: "OPTIMIZE_ENDPOINT_BINDING" - value: "{{ .Values.optimizeEndpointBinding }}" -{{- end }} - resources: - {{- toYaml .Values.resources | nindent 12 }} - {{- if ne (len .Values.extraVolumeMounts) 0 }} - volumeMounts: -{{- toYaml .Values.extraVolumeMounts | nindent 8 }} - {{- end }} -{{- if .Values.exporter.required }} - - name: exporter - image: "{{ tpl .Values.exporter.image . 
}}" - imagePullPolicy: {{ .Values.exporter.pullPolicy }} - args: - - "--target-nsip={{ .Values.nsIP }}" - - "--port={{ .Values.exporter.ports.containerPort }}" - env: - - name: "NS_USER" - {{- if and .Values.secretStore.enabled .Values.secretStore.username}} - {{- toYaml .Values.secretStore.username | nindent 10 }} - {{- else }} - valueFrom: - secretKeyRef: - name: {{ .Values.adcCredentialSecret }} - key: username - {{- end }} - - name: "NS_PASSWORD" - {{- if and .Values.secretStore.enabled .Values.secretStore.password}} - {{- toYaml .Values.secretStore.password | nindent 10 }} - {{- else }} - valueFrom: - secretKeyRef: - name: {{ .Values.adcCredentialSecret }} - key: password - {{- end }} - {{- if ne (len .Values.exporter.extraVolumeMounts) 0 }} - volumeMounts: - {{- toYaml .Values.exporter.extraVolumeMounts | nindent 8 }} - {{- end }} - securityContext: - readOnlyRootFilesystem: true - resources: -{{- toYaml .Values.exporter.resources | nindent 12 }} -{{- end }} -{{- if or (and .Values.extraVolumeMounts .Values.extraVolumes) (and .Values.exporter.extraVolumeMounts .Values.extraVolumes) }} - volumes: -{{- end }} -{{- if ne (len .Values.extraVolumes) 0 }} -{{ toYaml .Values.extraVolumes | indent 6 }} -{{- end }} -{{- if and .Values.nodeSelector.key .Values.nodeSelector.value }} - nodeSelector: - {{ .Values.nodeSelector.key }}: {{ .Values.nodeSelector.value }} -{{- end }} -{{- if .Values.tolerations }} - tolerations: {{ .Values.tolerations | toYaml | nindent 8 }} -{{- end }} -{{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} -{{- end }} - ---- - -{{- if .Values.exporter.required }} - - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "exporter.fullname" . }} - labels: - app: {{ include "exporter.fullname" . }} - service-type: {{ include "servicemonitorlabel" . 
}} -spec: - type: ClusterIP - ports: - - port: {{ .Values.exporter.ports.containerPort }} - targetPort: {{ .Values.exporter.ports.containerPort }} - name: exporter-port - selector: -{{- if .Values.openshift }} - router: {{ include "citrix-ingress-controller.fullname" . }} -{{- else }} - app: {{ include "citrix-ingress-controller.fullname" . }} -{{- end }} - ---- - -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ include "servicemonitor.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - servicemonitor: citrix-adc -spec: - endpoints: - - interval: 30s - port: exporter-port - selector: - matchLabels: - service-type: {{ include "servicemonitorlabel" . }} - namespaceSelector: - matchNames: - - monitoring - - default - - {{ .Release.Namespace }} - -{{- end }} diff --git a/charts/citrix/citrix-ingress-controller/1.32.7/templates/configmap.yaml b/charts/citrix/citrix-ingress-controller/1.32.7/templates/configmap.yaml deleted file mode 100644 index 586906391b..0000000000 --- a/charts/citrix/citrix-ingress-controller/1.32.7/templates/configmap.yaml +++ /dev/null 
@@ -1,75 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "cicconfigmap.fullname" . }}
- namespace: {{ .Release.Namespace }}
-data:
- LOGLEVEL: {{ .Values.logLevel | quote | lower }}
- JSONLOG: {{ .Values.jsonLog | quote | lower }}
- NS_PROTOCOL: {{ .Values.nsProtocol | quote | lower }}
- NS_PORT: {{ .Values.nsPort | quote }}
-{{- if .Values.nsSNIPS }}
- NS_SNIPS: {{ .Values.nsSNIPS | toJson}}
-{{- end }}
-{{- if and .Values.analyticsConfig.required .Values.nsEnableLabel }}
- NS_ENABLE_LABELS: {{ .Values.nsEnableLabel | quote}}
-{{- end }}
-{{- if .Values.podIPsforServiceGroupMembers }}
- POD_IPS_FOR_SERVICEGROUP_MEMBERS: {{ .Values.podIPsforServiceGroupMembers | quote }}
-{{- end }}
-{{- if .Values.ignoreNodeExternalIP }}
- IGNORE_NODE_EXTERNAL_IP: {{ .Values.ignoreNodeExternalIP | quote }}
-{{- end }}
-
-{{- if ne (upper .Values.nsHTTP2ServerSide) "OFF" }}
- NS_HTTP2_SERVER_SIDE: {{ .Values.nsHTTP2ServerSide | quote }}
-{{- end }}
-{{- if ne (toString .Values.nsCookieVersion) "0" }}
- NS_COOKIE_VERSION: {{ .Values.nsCookieVersion | quote }}
-{{- end }}
-{{- if .Values.nsDnsNameserver }}
- NS_DNS_NAMESERVER: {{ .Values.nsDnsNameserver }}
-{{- end }}
-
-{{- if .Values.analyticsConfig.required }}
- NS_ANALYTICS_CONFIG: |
- distributed_tracing:
- enable: {{ .Values.analyticsConfig.distributedTracing.enable | quote }}
- samplingrate: {{ .Values.analyticsConfig.distributedTracing.samplingrate }}
- endpoint:
- server: {{ include "analytics.server" . | quote }}
- service: {{ .Values.analyticsConfig.endpoint.service | quote }}
- timeseries:
- port: {{ .Values.analyticsConfig.timeseries.port }}
- metrics:
- enable: {{ .Values.analyticsConfig.timeseries.metrics.enable | quote }}
- mode: {{ .Values.analyticsConfig.timeseries.metrics.mode | quote }}
- auditlogs:
- enable: {{ .Values.analyticsConfig.timeseries.auditlogs.enable | quote }}
- events:
- enable: {{ .Values.analyticsConfig.timeseries.events.enable | quote }}
- transactions:
- enable: {{ .Values.analyticsConfig.transactions.enable | quote }}
- port: {{ .Values.analyticsConfig.transactions.port }}
-{{- end }}
-
-{{- if .Values.nsLbHashAlgo.required }}
- NS_LB_HASH_ALGO: |
- hashFingers: {{ .Values.nsLbHashAlgo.hashFingers }}
- hashAlgorithm: {{ .Values.nsLbHashAlgo.hashAlgorithm | quote }}
-{{- end }}
-
-{{- if .Values.profileSslFrontend }}
- FRONTEND_SSL_PROFILE: |
- {{- toYaml .Values.profileSslFrontend | nindent 4 }}
-{{- end }}
-
-{{- if .Values.profileTcpFrontend }}
- FRONTEND_TCP_PROFILE: |
- {{- toYaml .Values.profileTcpFrontend | nindent 4 }}
-{{- end }}
-
-{{- if .Values.profileHttpFrontend }}
- FRONTEND_HTTP_PROFILE: |
- {{- toYaml .Values.profileHttpFrontend | nindent 4 }}
-{{- end }}
\ No newline at end of file
diff --git a/charts/citrix/citrix-ingress-controller/1.32.7/templates/ingressclass.yaml b/charts/citrix/citrix-ingress-controller/1.32.7/templates/ingressclass.yaml
deleted file mode 100644
index d75537b79f..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.32.7/templates/ingressclass.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{{- $default := .Values.setAsDefaultIngressClass -}}
-{{- if semverCompare ">=1.19.0-0" .Capabilities.KubeVersion.GitVersion }}
-{{- if .Values.ingressClass }}
-{{- range .Values.ingressClass }}
-apiVersion: networking.k8s.io/v1
-kind: IngressClass
-metadata:
- name: {{ . | quote }}
-{{- if $default }}
- annotations:
- ingressclass.kubernetes.io/is-default-class: "true"
-{{- end }}
-spec:
- controller: citrix.com/ingress-controller
----
-{{- end }}
-{{- end }}
-{{- end }}
diff --git a/charts/citrix/citrix-ingress-controller/1.32.7/templates/rbac.yaml b/charts/citrix/citrix-ingress-controller/1.32.7/templates/rbac.yaml
deleted file mode 100644
index c20c1512e0..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.32.7/templates/rbac.yaml
+++ /dev/null
@@ -1,106 +0,0 @@
-{{- if not .Values.rbacRole }}
-kind: ClusterRole
-{{- else }}
-kind: Role
-{{- end }}
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: {{ include "citrix-ingress-controller.serviceAccountName" . }}
-{{- if .Values.rbacRole }}
- namespace: {{ .Release.Namespace }}
-{{- end }}
-rules:
- - apiGroups: [""]
-{{- if .Values.openshift }}
- resources: ["endpoints", "pods", "secrets", "routes", "tokenreviews", "subjectaccessreviews", "nodes", "namespaces", "configmaps", "services"]
-{{- else }}
- resources: ["endpoints", "pods", "secrets", "routes", "nodes", "namespaces", "configmaps", "services"]
-{{- end }}
- verbs: ["get", "list", "watch"]
- # services/status is needed to update the loadbalancer IP in service status for integrating
- # service of type LoadBalancer with external-dns
- - apiGroups: [""]
- resources: ["services/status"]
- verbs: ["patch"]
- - apiGroups: [""]
- resources: ["events"]
- verbs: ["create"]
- - apiGroups: ["extensions", "networking.k8s.io"]
- resources: ["ingresses"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["extensions","networking.k8s.io"]
- resources: ["ingresses/status"]
- verbs: ["patch"]
- - apiGroups: ["networking.k8s.io"]
- resources: ["ingressclasses"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["apiextensions.k8s.io"]
- resources: ["customresourcedefinitions"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["apps"]
- resources: ["deployments"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["citrix.com"]
- resources: ["rewritepolicies", "continuousdeployments", "authpolicies", "ratelimits", "listeners", "httproutes", "wafs", "apigatewaypolicies", "bots", "corspolicies", "appqoepolicies", "wildcarddnsentries"]
- verbs: ["get", "list", "watch", "create", "delete", "patch"]
- - apiGroups: ["citrix.com"]
- resources: ["rewritepolicies/status", "continuousdeployments/status", "authpolicies/status", "ratelimits/status", "listeners/status", "httproutes/status", "wafs/status", "apigatewaypolicies/status", "bots/status", "corspolicies/status", "appqoepolicies/status", "wildcarddnsentries/status"]
- verbs: ["patch"]
- - apiGroups: ["citrix.com"]
- resources: ["vips"]
- verbs: ["get", "list", "watch", "create", "delete"]
- - apiGroups: ["crd.projectcalico.org"]
- resources: ["ipamblocks"]
- verbs: ["get", "list", "watch"]
-{{- if .Values.openshift }}
- - apiGroups: ["route.openshift.io"]
- resources: ["routes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["network.openshift.io"]
- resources: ["hostsubnets"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["config.openshift.io"]
- resources: ["networks"]
- verbs: ["get", "list"]
-{{- end }}
-
----
-
-{{- if not .Values.rbacRole }}
-kind: ClusterRoleBinding
-{{- else }}
-kind: RoleBinding
-{{- end }}
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: {{ include "citrix-ingress-controller.serviceAccountName" . }}
-{{- if .Values.rbacRole }}
- namespace: {{ .Release.Namespace }}
-{{- end }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
-{{- if not .Values.rbacRole }}
- kind: ClusterRole
-{{- else }}
- kind: Role
-{{- end }}
- name: {{ include "citrix-ingress-controller.serviceAccountName" . }}
-subjects:
-- kind: ServiceAccount
- name: {{ include "citrix-ingress-controller.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
-
----
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ include "citrix-ingress-controller.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
-{{- if .Values.imagePullSecrets }}
-imagePullSecrets:
-{{- range .Values.imagePullSecrets }}
-- name: {{.}}
-{{- end }}
-{{- end }}
-
diff --git a/charts/citrix/citrix-ingress-controller/1.32.7/values.yaml b/charts/citrix/citrix-ingress-controller/1.32.7/values.yaml
deleted file mode 100644
index 5c5ef03403..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.32.7/values.yaml
+++ /dev/null
@@ -1,199 +0,0 @@
-# Default values for citrix-ingress-controller.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-# Citrix Ingress Controller config details
-imageRegistry: quay.io
-imageRepository: citrix/citrix-k8s-ingress-controller
-imageTag: 1.32.7
-image: "{{ .Values.imageRegistry }}/{{ .Values.imageRepository }}:{{ .Values.imageTag }}"
-pullPolicy: IfNotPresent
-imagePullSecrets: []
-nameOverride: ""
-fullnameOverride: ""
-openshift: false
-adcCredentialSecret: # K8s Secret Name
-# Enable secretStore to implement CSI Secret Provider classes for holding the nslogin credentials
-secretStore:
- enabled: false
- username: {}
- #valueFrom:
- # configMapKeyRef:
- # name: test1
- # key: username
- password: {}
- #valueFrom:
- # configMapKeyRef:
- # name: test1
- # key: password
-nsIP: x.x.x.x
-nsVIP:
-nsSNIPS:
-license:
- accept: no
-nsPort: 443
-nsProtocol: HTTPS
-nsEnableLabel: true
-# nitroReadTimeout is timeout value in seconds for nitro api read timeout(default is 20)
-nitroReadTimeout:
-logLevel: INFO
-jsonLog: false
-entityPrefix:
-kubernetesURL:
-clusterName:
-ingressClass:
-setAsDefaultIngressClass: False
-serviceClass:
-defaultSSLCertSecret:
-podIPsforServiceGroupMembers: False
-ignoreNodeExternalIP: False
-ipam: False
-# API server Cert verification can be disabled, while communicating with API Server, if disableAPIServerCertVerify set to True
-disableAPIServerCertVerify: False
-logProxy:
-nodeWatch: false
-cncPbr: False
-nodeSelector:
- key:
- value:
-tolerations: []
-updateIngressStatus: True
-nsHTTP2ServerSide: "OFF"
-nsCookieVersion: "0"
-nsConfigDnsRec:
-nsSvcLbDnsRec:
-nsDnsNameserver:
-optimizeEndpointBinding:
-routeLabels:
-namespaceLabels:
-disableOpenshiftRoutes:
-profileSslFrontend: {}
- # preconfigured: my_ssl_profile
- # OR
- # config:
- # tls13: 'ENABLED'
- # hsts: 'ENABLED'
-profileHttpFrontend: {}
- # preconfigured: my_http_profile
- # OR
- # config:
- # dropinvalreqs: 'ENABLED'
- # websocket: 'ENABLED'
-profileTcpFrontend: {}
- # preconfigured: my_tcp_profile
- # OR
- # config:
- # sack: 'ENABLED'
- # nagle: 'ENABLED'
-
-# Exporter config details
-exporter:
- required: false
- imageRegistry: quay.io
- imageRepository: citrix/citrix-adc-metrics-exporter
- imageTag: 1.4.9
- image: "{{ .Values.exporter.imageRegistry }}/{{ .Values.exporter.imageRepository }}:{{ .Values.exporter.imageTag }}"
- pullPolicy: IfNotPresent
- ports:
- containerPort: 8888
- resources: {}
- # We usually recommend not to specify default resources and to leave this as a conscious
- # choice for the user. This also increases chances charts run on environments with little
- # resources, such as Minikube. If you do want to specify resources, uncomment the following
- # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
- # limits:
- # cpu: 100m
- # memory: 128Mi
- # requests:
- # cpu: 100m
- # memory: 128Mi
- extraVolumeMounts: []
- # We usually recommend not to specify default resources and to leave this as a conscious
- # choice for the user.
- #- name: github-key
- # mountPath: /etc/config/keys/
- # readOnly: true
- #- name: agent-init-scripts
- # mountPath: /docker-entrypoint.d/
-
-# For CRDs supported by Citrix Ingress Controller
-crds:
- install: false
- retainOnDelete: false
-
-# Enable RBAC role (so called local role), by default CIC deployed with ClusterRole.
-# below variable to deploy CIC with RBAC role, only ingress service supported with this config
-rbacRole: False
-
-# Config required to be done by Citrix Ingress Controller for sending metrics to Citrix Observability Exporter
-analyticsConfig:
- required: false
- distributedTracing:
- enable: false
- samplingrate: 100
- endpoint:
- server:
- service:
- timeseries:
- port: 30002
- metrics:
- enable: false
- mode: 'avro'
- auditlogs:
- enable: false
- events:
- enable: false
- transactions:
- enable: false
- port: 30001
-
-nsLbHashAlgo:
- required: false
- hashFingers: 256
- hashAlgorithm: 'DEFAULT'
-
-# Specifies whether a ServiceAccount should be created
-serviceAccount:
- create: true
- # The name of the ServiceAccount to use.
- # If not set and `create` is true, a name is generated using the fullname template
- # name:
-
-podAnnotations: {}
-
-resources: {}
- # We usually recommend not to specify default resources and to leave this as a conscious
- # choice for the user. This also increases chances charts run on environments with little
- # resources, such as Minikube. If you do want to specify resources, uncomment the following
- # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
- # Following values depends on no of ingresses configured by Ingress Controllers, so it is
- # advised to test with maximum no of ingresses to set these values.
- # limits:
- # cpu: 1000m
- # memory: 1000Mi
- # requests:
- # cpu: 500m
- # memory: 500Mi
-
-affinity: {}
-
-extraVolumeMounts: []
- # We usually recommend not to specify default resources and to leave this as a conscious
- # choice for the user.
- #- name: github-key
- # mountPath: /etc/config/keys/
- # readOnly: true
- #- name: agent-init-scripts
- # mountPath: /docker-entrypoint.d/
-
-extraVolumes: []
- # We usually recommend not to specify default resources and to leave this as a conscious
- # choice for the user.
- #- name: agent-init-scripts
- # configMap:
- # name: agent-init-scripts
- # defaultMode: 0755
- #- name: github-key
- # secret:
- # secretName: github-key
- # defaultMode: 0744
diff --git a/charts/citrix/citrix-ingress-controller/1.33.4/Chart.yaml b/charts/citrix/citrix-ingress-controller/1.33.4/Chart.yaml
deleted file mode 100644
index d0441e5e5e..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.33.4/Chart.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-annotations:
- catalog.cattle.io/certified: partner
- catalog.cattle.io/display-name: Citrix Ingress Controller
- catalog.cattle.io/kube-version: '>=v1.16.0-0'
- catalog.cattle.io/release-name: citrix-ingress-controller
-apiVersion: v2
-appVersion: 1.33.4
-deprecated: true
-description: A Helm chart for Citrix Ingress Controller configuring MPX/VPX.
-home: https://www.cloud.com
-icon: https://raw.githubusercontent.com/citrix/citrix-helm-charts/gh-pages/icon.png
-kubeVersion: '>=v1.16.0-0'
-maintainers:
-- email: priyanka.sharma@cloud.com
- name: priyankash-citrix
-- email: subash.dangol@cloud.com
- name: subashd
-name: citrix-ingress-controller
-sources:
-- https://github.com/citrix/citrix-k8s-ingress-controller
-version: 1.33.4
diff --git a/charts/citrix/citrix-ingress-controller/1.33.4/README.md b/charts/citrix/citrix-ingress-controller/1.33.4/README.md
deleted file mode 100644
index c2f193f544..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.33.4/README.md
+++ /dev/null
@@ -1,496 +0,0 @@ -# Citrix Ingress Controller - -[Citrix](https://www.citrix.com/en-in/) provides an Ingress Controller for Citrix ADC MPX (hardware), Citrix ADC VPX (virtualized), and [Citrix ADC CPX](https://docs.citrix.com/en-us/citrix-adc-cpx/13/about.html) (containerized) for [bare metal](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/deployment/baremetal) and [cloud](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/deployment) deployments. It configures one or more Citrix ADC based on the Ingress resource configuration in [Kubernetes](https://kubernetes.io/) or in [OpenShift](https://www.openshift.com) cluster. - -## TL;DR; - -### For Kubernetes - ``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install cic citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret= - ``` - - To install Citrix Provided Custom Resource Definition(CRDs) along with Citrix Ingress Controller - ``` - helm install cic citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,crds.install=true - ``` - -### For OpenShift - - ``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install cic citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,openshift=true - ``` - - To install Citrix Provided Custom Resource Definition(CRDs) along with Citrix Ingress Controller - ``` - helm install cic citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,openshift=true,crds.install=true - ``` - -> **Important:** -> -> The `license.accept` argument is mandatory. Ensure that you set the value as `yes` to accept the terms and conditions of the Citrix license. - -## Introduction -This Helm chart deploys Citrix ingress controller in the [Kubernetes](https://kubernetes.io) or in the [Openshift](https://www.openshift.com) cluster using [Helm](https://helm.sh) package manager. 
- -### Prerequisites - -- The [Kubernetes](https://kubernetes.io/) version should be 1.16 and above if using Kubernetes environment. -- The [Openshift](https://www.openshift.com) version 4.8 or later if using OpenShift platform. -- The [Helm](https://helm.sh/) version 3.x or later. You can follow instruction given [here](https://github.com/citrix/citrix-helm-charts/blob/master/Helm_Installation_version_3.md) to install the same. -- You determine the NS_IP IP address needed by the controller to communicate with Citrix ADC. The IP address might be anyone of the following depending on the type of Citrix ADC deployment: - - - (Standalone appliances) NSIP - The management IP address of a standalone Citrix ADC appliance. For more information, see [IP Addressing in Citrix ADC](https://docs.citrix.com/en-us/citrix-adc/12-1/networking/ip-addressing.html). - - - (Appliances in High Availability mode) SNIP - The subnet IP address. For more information, see [IP Addressing in Citrix ADC](https://docs.citrix.com/en-us/citrix-adc/12-1/networking/ip-addressing.html). - - - (Appliances in Clustered mode) CLIP - The cluster management IP (CLIP) address for a clustered Citrix ADC deployment. For more information, see [IP addressing for a cluster](https://docs.citrix.com/en-us/citrix-adc/12-1/clustering/cluster-overview/ip-addressing.html). - -- You have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator), if you want to view the metrics of the Citrix ADC CPX collected by the [metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics). - -- The user name and password of the Citrix ADC VPX or MPX appliance used as the ingress device. The Citrix ADC appliance needs to have system user account (non-default) with certain privileges so that Citrix ingress controller can configure the Citrix ADC VPX or MPX appliance. 
For instructions to create the system user account on Citrix ADC, see [Create System User Account for CIC in Citrix ADC](#create-system-user-account-for-cic-in-citrix-adc). - - You can pass user name and password using Kubernetes secrets. Create a Kubernetes secret for the user name and password using the following command: - - ``` - kubectl create secret generic nslogin --from-literal=username='cic' --from-literal=password='mypassword' - ``` - -#### Create system User account for Citrix ingress controller in Citrix ADC - -Citrix ingress controller configures the Citrix ADC using a system user account of the Citrix ADC. The system user account should have certain privileges so that the CIC has permission configure the following on the Citrix ADC: - -- Add, Delete, or View Content Switching (CS) virtual server -- Configure CS policies and actions -- Configure Load Balancing (LB) virtual server -- Configure Service groups -- Cofigure SSl certkeys -- Configure routes -- Configure user monitors -- Add system file (for uploading SSL certkeys from Kubernetes) -- Configure Virtual IP address (VIP) -- Check the status of the Citrix ADC appliance - -> **Note:** -> -> The system user account would have privileges based on the command policy that you define. - -To create the system user account, do the following: - -1. Log on to the Citrix ADC appliance. Perform the following: - 1. Use an SSH client, such as PuTTy, to open an SSH connection to the Citrix ADC appliance. - - 2. Log on to the appliance by using the administrator credentials. - -2. Create the system user account using the following command: - - ``` - add system user - ``` - - For example: - - ``` - add system user cic mypassword - ``` - -3. Create a policy to provide required permissions to the system user account. 
Use the following command: - - ``` - add cmdpolicy cic-policy ALLOW '^(\?!shell)(\?!sftp)(\?!scp)(\?!batch)(\?!source)(\?!.*superuser)(\?!.*nsroot)(\?!install)(\?!show\s+system\s+(user|cmdPolicy|file))(\?!(set|add|rm|create|export|kill)\s+system)(\?!(unbind|bind)\s+system\s+(user|group))(\?!diff\s+ns\s+config)(\?!(set|unset|add|rm|bind|unbind|switch)\s+ns\s+partition).*|(^install\s*(wi|wf))|(^\S+\s+system\s+file)^(\?!shell)(\?!sftp)(\?!scp)(\?!batch)(\?!source)(\?!.*superuser)(\?!.*nsroot)(\?!install)(\?!show\s+system\s+(user|cmdPolicy|file))(\?!(set|add|rm|create|export|kill)\s+system)(\?!(unbind|bind)\s+system\s+(user|group))(\?!diff\s+ns\s+config)(\?!(set|unset|add|rm|bind|unbind|switch)\s+ns\s+partition).*|(^install\s*(wi|wf))|(^\S+\s+system\s+file)' - ``` - - **Note**: The system user account would have privileges based on the command policy that you define. - The command policy mentioned in ***step 3*** is similar to the built-in `sysAdmin` command policy with another permission to upload files. - - The command policy spec provided above have already escaped special characters for easier copy pasting into the Citrix ADC command line. - - For configuring the command policy from Citrix ADC Configuration Wizard (GUI), use the below command policy spec. - - ``` - ^(?!shell)(?!sftp)(?!scp)(?!batch)(?!source)(?!.*superuser)(?!.*nsroot)(?!install)(?!show\s+system\s+(user|cmdPolicy|file))(?!(set|add|rm|create|export|kill)\s+system)(?!(unbind|bind)\s+system\s+(user|group))(?!diff\s+ns\s+config)(?!(set|unset|add|rm|bind|unbind|switch)\s+ns\s+partition).*|(^install\s*(wi|wf))|(^\S+\s+system\s+file)^(?!shell)(?!sftp)(?!scp)(?!batch)(?!source)(?!.*superuser)(?!.*nsroot)(?!install)(?!show\s+system\s+(user|cmdPolicy|file))(?!(set|add|rm|create|export|kill)\s+system)(?!(unbind|bind)\s+system\s+(user|group))(?!diff\s+ns\s+config)(?!(set|unset|add|rm|bind|unbind|switch)\s+ns\s+partition).*|(^install\s*(wi|wf))|(^\S+\s+system\s+file) - ``` - -4. 
Bind the policy to the system user account using the following command: - - ``` - bind system user cic cic-policy 0 - ``` - -## Installing the Chart -Add the Citrix Ingress Controller helm chart repository using command: - -``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ -``` - -### For Kubernetes: -#### 1. Citrix Ingress Controller -To install the chart with the release name, `my-release`, use the following command: - ``` - helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,ingressClass[0]= - ``` - -> **Note:** -> -> By default the chart installs the recommended [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) roles and role bindings. - -The command deploys Citrix ingress controller on Kubernetes cluster with the default configuration. The [configuration](#configuration) section lists the mandatory and optional parameters that you can configure during installation. - -#### 2. Citrix Ingress Controller with Exporter -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed along with Citrix ingress controller and collects metrics from the Citrix ADC instances. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. - -> **Note:** -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). 
- -Use the following command for this: - ``` - helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,ingressClass[0]=,exporter.required=true - ``` - -### For Openshift: -Add the name of the service account created when the chart is deployed to the privileged Security Context Constraints of OpenShift: - - ``` - oc adm policy add-scc-to-user privileged system:serviceaccount:: - ``` - -#### 1. Citrix Ingress Controller -To install the chart with the release name, `my-release`, use the following command: - ``` - helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,openshift=true - ``` - -The command deploys Citrix ingress controller on your Openshift cluster in the default configuration. The [configuration](#configuration) section lists the mandatory and optional parameters that you can configure during installation. - -#### 2. Citrix Ingress Controller with Exporter -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed along with Citrix ingress controller and collects metrics from the Citrix ADC instances. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. 
- -> **Note:** -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator) - -Use the following command for this: - ``` - helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,openshift=true,exporter.required=true - ``` - -### Installed components - -The following components are installed: - -- [Citrix ingress controller](https://github.com/citrix/citrix-k8s-ingress-controller) -- [Exporter](https://github.com/citrix/citrix-adc-metrics-exporter) (if enabled) - -## Configuration for ServiceGraph: - If Citrix ADC VPX/MPX need to send data to the Citrix ADM to bring up the servicegraph, then the below steps can be followed to install Citrix ingress controller for Citrix ADC VPX/MPX. Citrix ingress controller configures Citrix ADC VPX/MPX with the configuration required for servicegraph. - - 1. Create secret using Citrix ADC VPX credentials, which will be used by Citrix ingress controller for configuring Citrix ADC VPX/MPX: - - kubectl create secret generic nslogin --from-literal=username='cic' --from-literal=password='mypassword' - - 2. Deploy Citrix ingress controller using helm command: - - helm install my-release citrix/citrix-ingress-controller --set nsIP=,nsVIP=,license.accept=yes,adcCredentialSecret=,analyticsConfig.required=true,analyticsConfig.timeseries.metrics.enable=true,analyticsConfig.timeseries.port=5563,analyticsConfig.distributedTracing.enable=true,analyticsConfig.transactions.enable=true,analyticsConfig.transactions.port=5557,analyticsConfig.endpoint.server= - -> **Note:** -> If container agent is being used here for Citrix ADM, please provide `podIP` of container agent in the `analyticsConfig.endpoint.server` parameter. - -## CRDs configuration - -CRDs can be installed/upgraded when we install/upgrade Citrix ingress controller using `crds.install=true` parameter in Helm. If you do not want to install CRDs, then set the option `crds.install` to `false`. 
By default, CRDs too get deleted if you uninstall through Helm. This means, even the CustomResource objects created by the customer will get deleted. If you want to avoid this data loss set `crds.retainOnDelete` to `true`. - -> **Note:** -> Installing again may fail due to the presence of CRDs. Make sure that you back up all CustomResource objects and clean up CRDs before re-installing Citrix Ingress Controller. - -There are a few examples of how to use these CRDs, which are placed in the folder: [Example-CRDs](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds). Refer to them and install as needed, using the following command: -```kubectl create -f ``` - -### Details of the supported CRDs: - -#### authpolicies CRD: - -Authentication policies are used to enforce access restrictions to resources hosted by an application or an API server. - -Citrix provides a Kubernetes CustomResourceDefinitions (CRDs) called the [Auth CRD](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/auth) that you can use with the Citrix ingress controller to define authentication policies on the ingress Citrix ADC. - -Example file: [auth_example.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/auth_example.yaml) - -#### continuousdeployments CRD for canary: - -Canary release is a technique to reduce the risk of introducing a new software version in production by first rolling out the change to a small subset of users. After user validation, the application is rolled out to the larger set of users. Citrix ADC-Integrated [Canary Deployment solution](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/canary) stitches together all components of continuous delivery (CD) and makes canary deployment easier for the application developers. 
- -#### httproutes and listeners CRDs for contentrouting: - -[Content Routing (CR)](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/contentrouting) is the execution of defined rules that determine the placement and configuration of network traffic between users and web applications, based on the content being sent. For example, a pattern in the URL or header fields of the request. - -Example files: [HTTPRoute_crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/HTTPRoute_crd.yaml), [Listener_crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/Listener_crd.yaml) - -#### ratelimits CRD: - -In a Kubernetes deployment, you can [rate limit the requests](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/ratelimit) to the resources on the back end server or services using rate limiting feature provided by the ingress Citrix ADC. - -Example files: [ratelimit-example1.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/ratelimit-example1.yaml), [ratelimit-example2.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/ratelimit-example2.yaml) - -#### vips CRD: - -Citrix provides a CustomResourceDefinitions (CRD) called [VIP](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/vip) for asynchronous communication between the IPAM controller and Citrix ingress controller. - -The IPAM controller is provided by Citrix for IP address management. It allocates IP address to the service from a defined IP address range. The Citrix ingress controller configures the IP address allocated to the service as virtual IP (VIP) in Citrix ADX VPX. And, the service is exposed using the IP address. - -When a new service is created, the Citrix ingress controller creates a CRD object for the service with an empty IP address field. 
The IPAM Controller listens to addition, deletion, or modification of the CRD and updates it with an IP address to the CRD. Once the CRD object is updated, the Citrix ingress controller automatically configures Citrix ADC-specfic configuration in the tier-1 Citrix ADC VPX. - -#### rewritepolicies CRD: - -In kubernetes environment, to deploy specific layer 7 policies to handle scenarios such as, redirecting HTTP traffic to a specific URL, blocking a set of IP addresses to mitigate DDoS attacks, imposing HTTP to HTTPS and so on, requires you to add appropriate libraries within the microservices and manually configure the policies. Instead, you can use the [Rewrite and Responder features](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/crd/rewrite-responder-policies-deployment.yaml) provided by the Ingress Citrix ADC device to deploy these policies. - -Example files: [target-url-rewrite.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/target-url-rewrite.yaml) - -#### wafs CRD: - -[WAF CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/waf.md) can be used to configure the web application firewall policies with the Citrix ingress controller on the Citrix ADC VPX, MPX, SDX, and CPX. The WAF CRD enables communication between the Citrix ingress controller and Citrix ADC for enforcing web application firewall policies. - -In a Kubernetes deployment, you can enforce a web application firewall policy to protect the server using the WAF CRD. For more information about web application firewall, see [Web application security](https://docs.citrix.com/en-us/citrix-adc/13/application-firewall/introduction/web-application-security.html). - -Example files: [wafhtmlxsssql.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/wafhtmlxsssql.yaml) - -#### apigateway CRD: - -API Gateway CRD is used to configure gitops framework on citrix API gateway. 
This solution enables citrix ingress controller to generate API gateway configurations out of Open API Specification documents checked in to git repository by API developers and designers.
-
-Example files: [api-gateway-crd-instance.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/api-gateway-crd-instance.yaml)
-#### bots CRD:
-
-[BOT CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/bot.md) You can use Bot CRDs to configure the bot management policies with the Citrix ingress controller on the Citrix ADC VPX. The Bot custom resource definition enables communication between the Citrix ingress controller and Citrix ADC for enforcing bot management policies.
-
-In a Kubernetes deployment, you can enforce bot management policy on therequests and responses from and to the server using the Bot CRDs. For more information on security vulnerabilities, see [Bot Detection](https://docs.citrix.com/en-us/citrix-adc/current-release/bot-management/bot-detection.html).
-
-Example files: [botallowlist.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/botallowlist.yaml)
-
-#### CORS CRD:
-
-[CORS CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/cors.md) Cross-origin resource sharing (CORS) is a mechanism allows a web application running under one domain to securely access resources in another domain. You can configure CORS policies on Citrix ADC using Citrix ingress controller to allow one domain (the origin domain) to call APIs in another domain. For more information, see the [cross-origin resource sharing CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/cors.md) documentation. 
-
-Example files: [cors-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/corspolicy-example.yaml)
-
-#### APPQOE CRD:
-
-[APPQOE CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/appqoe.md) When a Citrix ADC appliance receives an HTTP request and forwards it to a back-end server, sometimes there may be connection failures with the back-end server. You can configure the request-retry feature on Citrix ADC to forward the request to the next available server, instead of sending the reset to the client. Hence, the client saves round trip time when Citrix ADC initiates the same request to the next available service.
-For more information, see the AppQoE support documentation. [Appqoe resource sharing CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/appqoe.md) documentation.
-
-Example files: [appqoe-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/appqoe_example.yaml)
-
-#### WILDCARDDNS CRD:
-
-[WILDCARDDNS CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/wildcarddns.md) Wildcard DNS domains are used to handle requests for nonexistent domains and subdomains. In a zone, use wildcard domains to redirect queries for all nonexistent domains or subdomains to a particular server, instead of creating a separate Resource Record (RR) for each domain. The most common use of a wildcard DNS domain is to create a zone that can be used to forward mail from the internet to some other mail system.
-For more information, see the Wild card DNS domains support documentation. [Wildcard DNS Entry CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/wildcarddns.md) documentation. 
-
-Example files: [wildcarddns-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/wildcarddns-example.yaml)
-
-### Tolerations
-
-Taints are applied on cluster nodes whereas tolerations are applied on pods. Tolerations enable pods to be scheduled on node with matching taints. For more information see [Taints and Tolerations in Kubernetes](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/).
-
-Toleration can be applied to Citrix ingress controller pod using `tolerations` argument while deploying CIC using helm chart. This argument takes list of tolerations that user need to apply on the CIC pods.
-
-For example, following command can be used to apply toleration on the CIC pod:
-
-```
-helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,tolerations[0].key=,tolerations[0].value=,tolerations[0].operator=,tolerations[0].effect=
-```
-
-Here tolerations[0].key, tolerations[0].value and tolerations[0].effect are the key, value and effect that was used while tainting the node.
-Effect represents what should happen to the pod if the pod don't have any matching toleration. It can have values `NoSchedule`, `NoExecute` and `PreferNoSchedule`.
-Operator represents the operation to be used for key and value comparison between taint and tolerations. It can have values `Exists` and `Equal`. The default value for operator is `Equal`.
-
-
-
-### Configuration
-
-The following table lists the mandatory and optional parameters that you can configure during installation:
-
-| Parameters | Mandatory or Optional | Default value | Description |
-| --------- | --------------------- | ------------- | ----------- |
-| license.accept | Mandatory | no | Set `yes` to accept the CIC end user license agreement. 
| 
-| imageRegistry | Mandatory | `quay.io` | The Citrix ingress controller image registry |
-| imageRepository | Mandatory | `citrix/citrix-k8s-ingress-controller` | The Citrix ingress controller image repository |
-| imageTag | Mandatory | `1.33.4` | The Citrix ingress controller image tag |
-| pullPolicy | Mandatory | IfNotPresent | The CIC image pull policy. |
-| imagePullSecrets | Optional | N/A | Provide list of Kubernetes secrets to be used for pulling the images from a private Docker registry or repository. For more information on how to create this secret please see [Pull an Image from a Private Registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/). |
-| nameOverride | Optional | N/A | String to partially override deployment fullname template with a string (will prepend the release name) |
-| fullNameOverride | Optional | N/A | String to fully override deployment fullname template with a string |
-| resources | Optional | {} | CPU/Memory resource requests/limits for Citrix Ingress Controller container |
-| adcCredentialSecret | Mandatory | N/A | The secret key to log on to the Citrix ADC VPX or MPX. For information on how to create the secret keys, see [Prerequisites](#prerequistes). |
-| secretStore.enabled | Optional | False | Set to "True" for deploying other Secret Provider classes |
-| secretStore.username | Optional | N/A | if `secretStore.enabled`, `username` of ADC will be fetched from the Secret Provider |
-| secretStore.password | Optional | N/A | if `secretStore.enabled`, `password` of ADC will be fetched from the Secret Provider |
-| nsIP | Mandatory | N/A | The IP address of the Citrix ADC device. For details, see [Prerequisites](#prerequistes). |
-| nsVIP | Optional | N/A | The Virtual IP address on the Citrix ADC device. 
| 
-| nsSNIPS | Optional | N/A | The list of subnet IPAddresses on the Citrix ADC device, which will be used to create PBR Routes instead of Static Routes [PBR support](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/docs/how-to/pbr.md) |
-| nsPort | Optional | 443 | The port used by CIC to communicate with Citrix ADC. You can use port 80 for HTTP. |
-| nsProtocol | Optional | HTTPS | The protocol used by CIC to communicate with Citrix ADC. You can also use HTTP on port 80. |
-| nsEnableLabel | Optional | True | Set to true for plotting Servicegraph. Ensure ``analyticsConfig` are set. |
-| nitroReadTimeout | Optional | 20 | The nitro Read timeout in seconds, defaults to 20 |
-| logLevel | Optional | DEBUG | The loglevel to control the logs generated by CIC. The supported loglevels are: CRITICAL, ERROR, WARNING, INFO, DEBUG and TRACE. For more information, see [Logging](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/configure/log-levels.md).|
-| jsonLog | Optional | false | Set this argument to true if log messages are required in JSON format |
-| nsConfigDnsRec | Optional | false | To enable/disable DNS address Record addition in ADC through Ingress |
-| nsSvcLbDnsRec | Optional | false | To enable/disable DNS address Record addition in ADC through Type Load Balancer Service |
-| nsDnsNameserver | Optional | N/A | To add DNS Nameservers in ADC |
-| optimizeEndpointBinding | Optional | false | To enable/disable binding of backend endpoints to servicegroup in a single API-call. Recommended when endpoints(pods) per application are large in number. Applicable only for Citrix ADC Version >=13.0-45.7 |
-| kubernetesURL | Optional | N/A | The kube-apiserver url that CIC uses to register the events. If the value is not specified, CIC uses the [internal kube-apiserver IP address](https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod). 
| 
-| clusterName | Optional | N/A | The unique identifier of the kubernetes cluster on which the CIC is deployed. Used in multi-cluster deployments. |
-| ingressClass | Optional | N/A | If multiple ingress load balancers are used to load balance different ingress resources. You can use this parameter to specify CIC to configure Citrix ADC associated with specific ingress class. For more information on Ingress class, see [Ingress class support](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/configure/ingress-classes/). For Kubernetes version >= 1.19, this will create an IngressClass object with the name specified here |
-| setAsDefaultIngressClass | Optional | False | Set the IngressClass object as default ingress class. New Ingresses without an "ingressClassName" field specified will be assigned the class specified in ingressClass. Applicable only for kubernetes versions >= 1.19 |
-| serviceClass | Optional | N/A | By Default ingress controller configures all TypeLB Service on the ADC. You can use this parameter to finetune this behavior by specifing CIC to only configure TypeLB Service with specific service class. For more information on Service class, see [Service class support](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/configure/service-classes/). |
-| nodeWatch | Optional | false | Use the argument if you want to automatically configure network route from the Ingress Citrix ADC VPX or MPX to the pods in the Kubernetes cluster. For more information, see [Automatically configure route on the Citrix ADC instance](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/network/staticrouting/#automatically-configure-route-on-the-citrix-adc-instance). |
-| cncPbr | Optional | False | Use this argument to inform CIC that Citrix Node Controller(CNC) is configuring Policy Based Routes(PBR) on the Citrix ADC. 
For more information, see [CNC-PBR-SUPPORT](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/docs/how-to/pbr.md#configure-pbr-using-the-citrix-node-controller) |
-| defaultSSLCertSecret | Optional | N/A | Provide Kubernetes secret name that needs to be used as a default non-SNI certificate in Citrix ADC. |
-| podIPsforServiceGroupMembers | Optional | False | By default Citrix Ingress Controller will add NodeIP and NodePort as service group members while configuring type LoadBalancer Services and NodePort services. This variable if set to `True` will change the behaviour to add pod IP and Pod port instead of nodeIP and nodePort. Users can set this to `True` if there is a route between ADC and K8s clusters internal pods either using feature-node-watch argument or using Citrix Node Controller. |
-| ignoreNodeExternalIP | Optional | False | While adding NodeIP, as Service group members for type LoadBalancer services or NodePort services, Citrix Ingress Controller has a selection criteria whereas it choose Node ExternalIP if available and Node InternalIP, if Node ExternalIP is not present. But some users may want to use Node InternalIP over Node ExternalIP even if Node ExternalIP is present. If this variable is set to `True`, then it prioritises the Node Internal IP to be used for service group members even if node ExternalIP is present |
-| nsHTTP2ServerSide | Optional | OFF | Set this argument to `ON` for enabling HTTP2 for Citrix ADC service group configurations. |
-| nsCookieVersion | Optional | 0 | Specify the persistence cookie version (0 or 1). |
-| profileSslFrontend | Optional | N/A | Specify the frontend SSL profile. For Details see [Configuration using FRONTEND_SSL_PROFILE](https://docs.citrix.com/en-us/citrix-k8s-ingress-controller/configure/profiles.html#global-front-end-profile-configuration-using-configmap-variables) |
-| profileTcpFrontend | Optional | N/A | Specify the frontend TCP profile. 
For Details see [Configuration using FRONTEND_TCP_PROFILE](https://docs.citrix.com/en-us/citrix-k8s-ingress-controller/configure/profiles.html#global-front-end-profile-configuration-using-configmap-variables) |
-| profileHttpFrontend | Optional | N/A | Specify the frontend HTTP profile. For Details see [Configuration using FRONTEND_HTTP_PROFILE](https://docs.citrix.com/en-us/citrix-k8s-ingress-controller/configure/profiles.html#global-front-end-profile-configuration-using-configmap-variables) |
-| ipam | Optional | False | Set this argument if you want to use the IPAM controller to automatically allocate an IP address to the service of type LoadBalancer. |
-| disableAPIServerCertVerify | Optional | False | Set this parameter to True for disabling API Server certificate verification. |
-| logProxy | Optional | N/A | Provide Elasticsearch or Kafka or Zipkin endpoint for Citrix observability exporter. |
-| entityPrefix | Optional | k8s | The prefix for the resources on the Citrix ADC VPX/MPX. |
-| updateIngressStatus | Optional | True | Set this argurment if `Status.LoadBalancer.Ingress` field of the Ingress resources managed by the Citrix ingress controller needs to be updated with allocated IP addresses. For more information see [this](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/configure/ingress-classes.md#updating-the-ingress-status-for-the-ingress-resources-with-the-specified-ip-address). |
-| routeLabels | Optional | N/A | You can use this parameter to provide the route labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster. |
-| namespaceLabels | Optional | N/A | You can use this parameter to provide the namespace labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster. |
-| podAnnotations | Optional | N/A | Map of annotations to add to the pods. |
-| affinity | Optional | N/A | Affinity labels for pod assignment. 
| 
-| exporter.required | Optional | false | Use the argument, if you want to run the [Exporter for Citrix ADC Stats](https://github.com/citrix/citrix-adc-metrics-exporter) along with CIC to pull metrics for the Citrix ADC VPX or MPX|
-| exporter.imageRegistry | Optional | `quay.io` | The Exporter for Citrix ADC Stats image registry |
-| exporter.imageRepository | Optional | `citrix/citrix-adc-metrics-exporter` | The Exporter for Citrix ADC Stats image repository |
-| exporter.imageTag | Optional | `1.4.9` | The Exporter for Citrix ADC Stats image tag |
-| exporter.pullPolicy | Optional | IfNotPresent | The Exporter image pull policy. |
-| exporter.ports.containerPort | Optional | 8888 | The Exporter container port. |
-| exporter.resources | Optional | {} | CPU/Memory resource requests/limits for Metrics exporter container |
-| exporter.extraVolumeMounts | Optional | [] | Specify the Additional VolumeMounts to be mounted in Exporter container. Specify the volumes in `extraVolumes` |
-| openshift | Optional | false | Set this argument if OpenShift environment is being used. |
-| disableOpenshiftRoutes | Optional | false | By default Openshift routes are processed in openshift environment, this variable can be used to disable Ingress controller processing the openshift routes. |
-| nodeSelector.key | Optional | N/A | Node label key to be used for nodeSelector option in CIC deployment. |
-| nodeSelector.value | Optional | N/A | Node label value to be used for nodeSelector option in CIC deployment. |
-| tolerations | Optional | N/A | Specify the tolerations for the CIC deployment. |
-| crds.install | Optional | False | Unset this argument if you don't want to install CustomResourceDefinitions which are consumed by CIC. |
-| crds.retainOnDelete | Optional | false | Set this argument if you want to retain CustomResourceDefinitions even after uninstalling CIC. This will avoid data-loss of Custom Resource Objects created before uninstallation. 
| 
-| analyticsConfig.required | Mandatory | false | Set this to true if you want to configure Citrix ADC to send metrics and transaction records to analytics . |
-| analyticsConfig.distributedTracing.enable | Optional | false | Set this value to true to enable OpenTracing in Citrix ADC. |
-| analyticsConfig.distributedTracing.samplingrate | Optional | 100 | Specifies the OpenTracing sampling rate in percentage. |
-| analyticsConfig.endpoint.server | Optional | N/A | Set this value as the IP address or DNS address of the analytics server. |
-| analyticsConfig.endpoint.service | Optional | N/A | Set this value as the IP address or service name with namespace of the analytics service deployed in k8s environment. Format: namespace/servicename |
-| analyticsConfig.timeseries.port | Optional | 30002 | Specify the port used to expose analytics service outside cluster for timeseries endpoint. |
-| analyticsConfig.timeseries.metrics.enable | Optional | False | Set this value to true to enable sending metrics from Citrix ADC. |
-| analyticsConfig.timeseries.metrics.mode | Optional | avro | Specifies the mode of metric endpoint. |
-| analyticsConfig.timeseries.auditlogs.enable | Optional | false | Set this value to true to export audit log data from Citrix ADC. |
-| analyticsConfig.timeseries.events.enable | Optional | false | Set this value to true to export events from the Citrix ADC. |
-| analyticsConfig.transactions.enable | Optional | false | Set this value to true to export transactions from Citrix ADC. |
-| analyticsConfig.transactions.port | Optional | 30001 | Specify the port used to expose analytics service outside cluster for transaction endpoint. |
-| nsLbHashAlgo.required | Optional | false | Set this value to set the LB consistent hashing Algorithm |
-| nsLbHashAlgo.hashFingers | Optional | 256 | Specifies the number of fingers to be used for hashing algorithm. 
Possible values are from 1 to 1024, Default value is 256 |
-| nsLbHashAlgo.hashAlgorithm | Optional | 'default' | Specifies the supported algorithm. Supported algorithms are "default", "jarh", "prac", Default value is 'default' |
-| extraVolumeMounts | Optional | [] | Specify the Additional VolumeMounts to be mounted in CIC container |
-| extraVolumes | Optional | [] | Specify the Additional Volumes for additional volumeMounts |
-| rbacRole | Optional | false | To deploy CIC with RBAC Role set rbacRole=true; by default CIC gets installed with RBAC ClusterRole(rbacRole=false)) |
-
-Alternatively, you can define a YAML file with the values for the parameters and pass the values while installing the chart.
-
-For example:
- ```
- helm install my-release citrix/citrix-ingress-controller -f values.yaml
- ```
-
-> **Tip:**
->
-> The [values.yaml](https://github.com/citrix/citrix-helm-charts/blob/master/citrix-ingress-controller/values.yaml) contains the default values of the parameters.
-
-> **Note:**
->
-> Please provide frontend-ip (VIP) in your application ingress yaml file. For more info refer [this](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/configure/annotations.md).
-
-## Route Addition in MPX/VPX
-For seamless functioning of services deployed in the Kubernetes cluster, it is essential that Ingress NetScaler device should be able to reach the underlying overlay network over which Pods are running.
-`feature-node-watch` knob of Citrix Ingress Controller can be used for automatic route configuration on NetScaler towards the pod network. Refer [Static Route Configuration](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/staticrouting.md) for further details regarding the same.
-By default, `feature-node-watch` is false. It needs to be explicitly set to true if auto route configuration is required. 
-
-This can also be achieved by deploying [Citrix Node Controller](https://github.com/citrix/citrix-k8s-node-controller).
-
-If your deployment uses one single Citrix ADC Device to loadbalance between multiple k8s clusters, there is a possibilty of CNI subnets to overlap, causing the above mentioned static routing to fail due to route conflicts. In such deployments [Policy Based Routing(PBR)] (https://docs.citrix.com/en-us/citrix-adc/current-release/networking/ip-routing/configuring-policy-based-routes/configuring-policy-based-routes-pbrs-for-ipv4-traffic.html) can be used instead. This would require you to provide one or more subnet IP Addresses unique for each kubernetes cluster either via Environment variable or Configmap, see [PBR Support](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/docs/how-to/pbr.md)
-
- Use the following command to provide subnet IPAddresses(SNIPs) to configure Policy Based Routes(PBR) on the Citrix ADC
-
- ```
- helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,nsSNIPS='[\, \, ...]'
- ```
-
- [Citrix Node Controller](https://github.com/citrix/citrix-k8s-node-controller) by default also adds static routes while creating the VXLAN tunnel. To use [Policy Based Routing(PBR)] (https://docs.citrix.com/en-us/citrix-adc/current-release/networking/ip-routing/configuring-policy-based-routes/configuring-policy-based-routes-pbrs-for-ipv4-traffic.html) to avoid static route clash, both Citrix Node Controller and Citrix Ingress Controller has to work in conjunction and has to be started with specific arguments. For more details refer [CNC-PBR-SUPPORT](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/docs/how-to/pbr.md#configure-pbr-using-the-citrix-node-controller). 
-
- Use the following command to inform Citrix Ingress Controller that Citrix Node Controller is configuring Policy Based Routes(PBR) on the Citrix ADC
-
- ```
- helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,clusterName=,cncPbr=
- ```
-
-For configuring static routes manually on Citrix ADC VPX or MPX to reach the pods inside the cluster follow:
-### For Kubernetes:
-1. Obtain podCIDR using below options:
- ```
- kubectl get nodes -o yaml | grep podCIDR
- ```
- * podCIDR: 10.244.0.0/24
- * podCIDR: 10.244.1.0/24
- * podCIDR: 10.244.2.0/24
-
-2. Log on to the Citrix ADC instance.
-
-3. Add Route in Netscaler VPX/MPX
- ```
- add route
- ```
-4. Ensure that Ingress MPX/VPX has a SNIP present in the host-network (i.e. network over which K8S nodes communicate with each other. Usually eth0 IP is from this network).
-
- Example:
- * Node1 IP = 192.0.2.1
- * podCIDR = 10.244.1.0/24
- * add route 10.244.1.0 255.255.255.0 192.0.2.1
-
-### For OpenShift:
-1. Use the following command to get the information about host names, host IP addresses, and subnets for static route configuration.
- ```
- oc get hostsubnet
- ```
-
-2. Log on to the Citrix ADC instance.
-
-3. Add the route on the Citrix ADC instance using the following command.
- ```add route ```
-
-4. Ensure that Ingress MPX/VPX has a SNIP present in the host-network (i.e. network over which OpenShift nodes communicate with each other. Usually eth0 IP is from this network). 
-
- For example, if the output of the `oc get hostsubnet` is as follows:
- * oc get hostsubnet
-
- NAME HOST HOST IP SUBNET
- os.example.com os.example.com 192.0.2.1 10.1.1.0/24
-
- * The required static route is as follows:
-
- add route 10.1.1.0 255.255.255.0 192.0.2.1
-
-## Uninstalling the Chart
-To uninstall/delete the ```my-release``` deployment:
-
- ```
- helm delete my-release
- ```
-
-The command removes all the Kubernetes components associated with the chart and deletes the release.
-
-## Related documentation
-
-- [Citrix ingress controller Documentation](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/)
-- [Citrix ingress controller GitHub](https://github.com/citrix/citrix-k8s-ingress-controller)
diff --git a/charts/citrix/citrix-ingress-controller/1.33.4/app-readme.md b/charts/citrix/citrix-ingress-controller/1.33.4/app-readme.md
deleted file mode 100644
index a8a8ebc15a..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.33.4/app-readme.md
+++ /dev/null
@@ -1,5 +0,0 @@
-# Citrix Ingress Controller
-
-[Citrix Ingress Controler](https://github.com/citrix/citrix-k8s-ingress-controller) is an ingress controller for Citrix ADC MPX (hardware), Citrix ADC VPX (virtualized), and Citrix ADC CPX (containerized) for bare metal and cloud deployments. It is built around Kubernetes Ingress and automatically configures Citrix ADC based on the Ingress resource configuration.
-
-This Chart bootstraps standalone Citrix Ingress Controller which can be used to configure Citrix MPX or VPX.
diff --git a/charts/citrix/citrix-ingress-controller/1.33.4/questions.yml b/charts/citrix/citrix-ingress-controller/1.33.4/questions.yml
deleted file mode 100644
index 89389ae11e..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.33.4/questions.yml
+++ /dev/null
@@ -1,348 +0,0 @@
-labels:
- io.rancher.certified: partner
-questions:
-- variable: license.accept
- required: true
- type: enum
- description: "Set to yes to accept the terms and conditions of the Citrix license."
- label: Accept License
- group: "Deployment Settings"
- options:
- - "yes"
- - "no"
-- variable: openshift
- default: false
- type: boolean
- description: "openshift is set to true if charts are being deployed in OpenShift environment"
- label: Openshift flag
- group: "Deployment Settings"
-- variable: adcCredentialSecret
- required: true
- default: ""
- type: string
- description: "adcCredentialSecret is secret file for NetScaler login"
- label: adcCredentialSecret Name
- group: "Deployment Settings"
-- variable: imagePullSecrets[0]
- required: false
- type: string
- description: "Provide list of Kubernetes secrets to be used for pulling the images from a private Docker registry or repository"
- label: imagePullSecrets
- group: "Deployment Settings"
-- variable: nsIP
- required: true
- type: string
- description: "nsIP is NetScaler NSIP/SNIP, SNIP in case of HA (mgmt has to be enabled)"
- label: Citrix ADC IP
- group: "ADC Settings"
-- variable: nsVIP
- required: false
- type: string
- label: Virtual IP of Citrix ADC
- group: "ADC Settings"
-- variable: nsSNIPS
- required: false
- type: string
- description: "The list of subnet IPAddresses on the Citrix ADC device, which will be used to create PBR Routes instead of Static Routes"
- label: Citrix ADC nsSNIPS
- group: "ADC Settings"
-- variable: nsPort
- required: false
- default: 443
- type: int
- description: "nsPort is port for ADC NITRO"
- label: nsPort
- group: "ADC Settings"
-- variable: nsProtocol
- required: false
- default: "HTTPS"
- type: string
- description: "nsProtocol is protocol for ADC NITRO"
- label: nsProtocol
- group: "ADC Settings"
-- variable: entityPrefix
- required: false
- type: string
- description: "The prefix for the resources on the Citrix ADC VPX/MPX"
- label: entityPrefix
- 
group: "ADC Settings"
-- variable: kubernetesURL
- required: false
- type: string
- description: "kubernetesURL is for registering events to kubeapi server"
- label: Kubernetes API-server URL
- group: "Deployment Settings"
-- variable: clusterName
- required: false
- type: string
- description: "The unique identifier of the kubernetes cluster on which the CIC is deployed"
- label: Cluster Name
- group: "Deployment Settings"
-- variable: ingressClass[0]
- required: false
- type: string
- description: "ingressClass is the name of the Ingress Class"
- label: Ingress Class
- group: "Deployment Settings"
-- variable: setAsDefaultIngressClass
- required: false
- default: False
- type: boolean
- description: "Set the IngressClass object as default ingress class. New Ingresses without an `ingressClassName` field specified will be assigned the class specified in ingressClass. Applicable only for kubernetes versions >= 1.19"
- label: setAsDefaultIngressClass
- group: "Deployment Settings"
-- variable: serviceClass[0]
- required: false
- type: string
- description: "serviceClass is the name of the Service Class"
- label: Service Class
- group: "Deployment Settings"
-- variable: defaultSSLCertSecret
- required: false
- type: string
- description: "Provide Kubernetes secret name that needs to be used as a default non-SNI certificate in Citrix ADC."
- label: defaultSSLCertSecret
- group: "ADC Settings"
-- variable: podIPsforServiceGroupMembers
- required: false
- default: False
- type: boolean
- description: "By default Citrix Ingress Controller will add NodeIP and NodePort as service group members,This variable if set to True will change the behaviour to add pod IP and Pod port instead of nodeIP and nodePort." 
- label: podIPsforServiceGroupMembers
- group: "Deployment Settings"
-- variable: ignoreNodeExternalIP
- required: false
- default: False
- type: boolean
- label: ignoreNodeExternalIP
- group: "Deployment Settings"
-- variable: ipam
- required: false
- default: False
- type: boolean
- description: "Set this argument if you want to use the IPAM controller to automatically allocate an IP address to the service of type LoadBalancer"
- label: ipam
- group: "Deployment Settings"
-- variable: logProxy
- required: false
- default: False
- type: string
- description: "Provide Elasticsearch or Kafka or Zipkin endpoint for Citrix observability exporter."
- label: Log Proxy
- group: "Deployment Settings"
-- variable: nodeWatch
- required: false
- default: false
- type: boolean
- description: "nodeWatch is used for automatic route configuration on NetScaler towards the pod network"
- label: NodeWatch
- group: "ADC Settings"
-- variable: cncPbr
- required: false
- default: false
- type: boolean
- description: "Use this argument to inform CIC that Citrix Node Controller(CNC) is configuring Policy Based Routes(PBR) on the Citrix ADC."
- label: CNC PBR
- group: "ADC Settings"
-- variable: nodeSelector.key
- required: false
- type: string
- description: "Node label key to be used for nodeSelector option in CIC deployment"
- label: NodeSelector Key
- group: "Deployment Settings"
-- variable: nodeSelector.value
- required: false
- type: string
- description: "Node label value to be used for nodeSelector option in CIC deployment." 
- label: NodeSelector value
- group: "Deployment Settings"
-- variable: tolerations[0]
- required: false
- type: string
- description: "Specify the tolerations for the CIC deployment"
- label: Tolerations
- group: "Deployment Settings"
-- variable: updateIngressStatus
- required: false
- default: false
- type: boolean
- description: "Set this argurment if Status.LoadBalancer.Ingress field of the Ingress resources managed by the Citrix ingress controller needs to be updated with allocated IP addresses"
- label: Update Ingress Status
- group: "Deployment Settings"
-- variable: nsHTTP2ServerSide
- required: false
- default: "OFF"
- type: string
- description: "Set this argument to ON for enabling HTTP2 for Citrix ADC service group configurations."
- label: nsHTTP2ServerSide
- group: "Deployment Settings"
-- variable: nsCookieVersion
- required: false
- default: "0"
- type: string
- description: "Specify the persistence cookie version (0 or 1)"
- label: nsCookieVersion
- group: "Deployment Settings"
-- variable: routeLabels
- required: false
- type: string
- description: "You can use this parameter to provide the route labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster." 
- label: Route Labels - group: "Deployment Settings" -- variable: namespaceLabels - required: false - type: string - description: "you can use this parameter to provide the namespace labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster" - label: namespaceLabels - group: "Deployment Settings" -- variable: cic.image - required: true - type: string - default: "quay.io/citrix/citrix-k8s-ingress-controller:1.19.6" - label: CIC Image - group: "CIC Image Settings" -- variable: cic.pullpolicy - required: true - default: "IfNotPresent" - type: enum - label: CIC Image Pullpolicy - group: "CIC Image Settings" - options: - - "Always" - - "IfNotPresent" - - "Never" -- variable: logLevel - required: false - default: "INFO" - type: enum - label: CIC Loglevel - group: "CIC Image Settings" - options: - - "DEBUG" - - "INFO" - - "WARNING" - - "ERROR" - - "TRACE" -- variable: exporter.required - default: false - type: boolean - description: "If set to true exporter will be deployed as sidecar" - label: Enable Exporter - group: "Exporter Settings" -- variable: exporter.image - default: "quay.io/citrix/citrix-adc-metrics-exporter:1.4.9" - required: false - type: string - description: "Exporter Image" - label: Exporter Image - group: "Exporter Settings" -- variable: exporter.pullPolicy - required: false - default: IfNotPresent - type: string - description: "Exporter Image pull policy" - label: Exporter Image PullPolicy - group: "Exporter Settings" -- variable: exporter.ports.containerPort - required: false - default: 8888 - type: int - label: Exporter ContainerPort - group: "Exporter Settings" -- variable: crds.install - required: false - default: true - type: boolean - description: "If set to true the charts will install CustomResourceDefinitions which are consumed by CIC." 
- label: CRD flag - group: "Deployment Settings" -- variable: crds.retainOnDelete - required: false - default: false - type: boolean - description: "Set this argument to true if you want to retain CustomResourceDefinitions even after uninstalling CIC. This will avoid data-loss of Custom Resource Objects created before uninstallation." - label: CRD retainOnDelete flag - group: "Deployment Settings" -- variable: coeConfig.required - required: true - default: false - type: boolean - description: "Set this to true if you want to configure Citrix ADC to send metrics and transaction records to COE" - label: Enable COE - group: "COE Settings" -- variable: coeConfig.distributedTracing.enable - required: false - default: false - type: boolean - description: "Set this value to true to enable OpenTracing in Citrix ADC." - label: Enable coeConfig DistributedTracing - group: "COE Settings" -- variable: coeConfig.distributedTracing.samplingrate - required: false - default: "100" - type: string - description: "Specifies the OpenTracing sampling rate in percentage." 
- label: coeConfig DistributedTracing Samplingrate - group: "COE Settings" -- variable: coeConfig.endpoint.server - required: false - type: string - description: "Set this value as the IP address or DNS address of the analytics server" - label: coeConfig Endpoint Server - group: "COE Settings" -- variable: coeConfig.timeseries.port - required: false - default: "30002" - type: string - description: "Specify the port used to expose COE service outside cluster for timeseries endpoint" - label: coeConfig timeseries Port - group: "COE Settings" -- variable: coeConfig.timeseries.metrics.enable - required: false - default: False - type: boolean - description: "Set this value to true to enable sending metrics from Citrix ADC" - label: Enable coeConfig Timeseries Metrics - group: "COE Settings" -- variable: coeConfig.timeseries.metrics.mode - required: false - default: "avro" - type: string - description: "Specifies the mode of metric endpoint" - label: coeConfig Timeseries Metrics Mode - group: "COE Settings" -- variable: coeConfig.timeseries.auditlogs.enable - required: false - default: False - type: boolean - description: "Set this value to true to export audit log data from Citrix ADC" - label: coeConfig Timeseries Auditlogs Enable - group: "COE Settings" -- variable: coeConfig.timeseries.events.enable - required: false - default: False - type: boolean - description: "Set this value to true to export events from the Citrix ADC" - label: Enable coeConfig Timeseries Events - group: "COE Settings" -- variable: coeConfig.transactions.enable - required: false - default: False - type: boolean - description: "Set this value to true to export transactions from Citrix ADC" - label: Enable coeConfig Transactions - group: "COE Settings" -- variable: coeConfig.transactions.port - required: false - default: 30001 - type: string - description: "Specify the port used to expose COE service outside cluster for transaction endpoint" - label: coeConfig Transactions Port - group: "COE 
Settings" -- variable: serviceAccount.create - required: false - default: true - type: boolean - description: "Specifies whether a ServiceAccount should be created" - label: ServiceAccount Create - group: "Deployment Settings" diff --git a/charts/citrix/citrix-ingress-controller/1.33.4/templates/NOTES.txt b/charts/citrix/citrix-ingress-controller/1.33.4/templates/NOTES.txt deleted file mode 100644 index 4d07f639fb..0000000000 --- a/charts/citrix/citrix-ingress-controller/1.33.4/templates/NOTES.txt +++ /dev/null @@ -1,15 +0,0 @@ -Thank you for installing {{ .Chart.Name }}. - -Your release is named {{ .Release.Name }}. - - -To learn more about the release, try: - - $ helm status {{ .Release.Name }} - $ helm get {{ .Release.Name }} - - -To delete : - helm delete {{ .Release.Name }} - - diff --git a/charts/citrix/citrix-ingress-controller/1.33.4/templates/_helpers.tpl b/charts/citrix/citrix-ingress-controller/1.33.4/templates/_helpers.tpl deleted file mode 100644 index efca8083c7..0000000000 --- a/charts/citrix/citrix-ingress-controller/1.33.4/templates/_helpers.tpl +++ /dev/null 
@@ -1,94 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Analytics Server IP or DNS
-*/}}
-{{- define "analytics.server" -}}
-{{- if .Values.analyticsConfig.endpoint.server -}}
-{{- printf .Values.analyticsConfig.endpoint.server -}}
-{{- else -}}
-{{- $addresses := first (first (lookup "v1" "Node" "" "").items).status.addresses -}}
-{{- printf "%s" ($addresses).address -}}
-{{- end -}}
-{{- end -}}
-
-
-
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "citrix-ingress-controller.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "citrix-ingress-controller.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "exporter.fullname" -}}
-{{- $name := default .Chart.Name "exporter" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "servicemonitor.fullname" -}}
-{{- $name := default .Chart.Name "citrix-adc-servicemonitor" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "servicemonitorlabel" -}}
-{{- $name := default .Chart.Name "citrix-adc-svcmon" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "cicconfigmap.fullname" -}}
-{{- $name := default .Chart.Name "cic-configmap" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "citrix-ingress-controller.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "citrix-ingress-controller.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create -}}
- {{ default (include "citrix-ingress-controller.fullname" .) .Values.serviceAccount.name }}
-{{- else -}}
- {{ default "default" .Values.serviceAccount.name }}
-{{- end -}}
-{{- end -}}
diff --git a/charts/citrix/citrix-ingress-controller/1.33.4/templates/cic_crds.yaml b/charts/citrix/citrix-ingress-controller/1.33.4/templates/cic_crds.yaml
deleted file mode 100644
index 085d7d271d..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.33.4/templates/cic_crds.yaml
+++ /dev/null
@@ -1,2549 +0,0 @@ -{{- if .Values.crds.install }} -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: rewritepolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: rewritepolicy - plural: rewritepolicies - singular: rewritepolicy - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - rewrite-policies: - type: array - items: - type: object - properties: - servicenames: - description: 'Name of the services that needs to be binded to rewrite policy.' - type: array - items: - type: string - maxLength: 127 - goto-priority-expression: - description: 'Expression or other value specifying the next policy to be - evaluated if the current policy evaluates to TRUE. - Specify one of the following values: - * NEXT - Evaluate the policy with the next higher priority number. - * END - End policy evaluation. - Default value of goto-priority-expression: END' - type: string - maxLength: 1499 - logpackets: - type: object - description: 'Adds an audit message action. - The action specifies whether to log the message, and to which log.' 
- properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' - type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - rewrite-policy: - type: object - properties: - rewrite-criteria: - description: 'Expression against which traffic is evaluated.' - type: string - maxLength: 1299 - default-action: - description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). - An UNDEF event indicates an internal error condition.' - type: string - maxLength: 77 - enum: ['NOREWRITE', 'RESET', 'DROP'] - operation: - description: 'Type of user-defined rewrite action.' - type: string - enum: ["noop", "delete", "insert_http_header", "delete_http_header", - "corrupt_http_header", "insert_before", "insert_after", "replace", - "replace_http_res", "delete_all", "replace_all", "insert_before_all", - "insert_after_all", "clientless_vpn_encode", "clientless_vpn_encode_all", - "clientless_vpn_decode", "clientless_vpn_decode_all", "insert_sip_header", - "delete_sip_header", "corrupt_sip_header", "replace_sip_res", "replace_diameter_header_field", - "replace_dns_header_field", "replace_dns_answer_section"] - target: - description: 'Default syntax expression that specifies which part of the request or response to rewrite.' - type: string - maxLength: 1229 - modify-expression: - description: 'Default syntax expression that specifies the content to insert into the request - or response at the specified location, or that replaces the specified string.' - type: string - maxLength: 7991 - multiple-occurence-modify: - description: 'Search facility that is used to match multiple strings in the request or response.' 
- type: string - maxLength: 171 - additional-multiple-occurence-modify: - description: 'Specify additional criteria to refine the results of the search. - Always starts with the "extend(m,n)" operation, where "m" specifies number of bytes to the left of selected data - and "n" specifies number of bytes to the right of selected data. - You can use refineSearch only on body expressions, and only when rewrite-criteria is any one of this: - INSERT_BEFORE_ALL, INSERT_AFTER_ALL, REPLACE_ALL, and DELETE_ALL.' - type: string - maxLength: 1299 - direction: - description: 'Bind point to which to bind the policy.' - type: string - enum: ["REQUEST","RESPONSE"] - comment: - description: 'Any comments to preserve information about this rewrite policy.' - type: string - maxLength: 255 - required: [rewrite-criteria, operation, target, direction] - required: [rewrite-policy] - - responder-policies: - type: array - items: - type: object - properties: - servicenames: - description: 'Name of the services that needs to be binded to responder policy.' - type: array - items: - type: string - maxLength: 127 - goto-priority-expression: - description: 'Expression or other value specifying the next policy to be - evaluated if the current policy evaluates to TRUE. - Specify one of the following values: - * NEXT - Evaluate the policy with the next higher priority number. - * END - End policy evaluation. - Default value of goto-priority-expression: END' - type: string - maxLength: 1499 - logpackets: - type: object - description: 'Adds an audit message action. - The action specifies whether to log the message, and to which log.' - properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' 
- type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", - "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - responder-policy: - type: object - properties: - redirect: - type: object - description: 'Use this option when you want to Redirect the request when request matches to policy.' - properties: - url: - description: 'URL on which you want to redirect the request.' - type: string - maxLength: 7991 - redirect-status-code: - description: 'HTTP response status code, for example 200, 302, 404, etc.' - type: integer - minimum: 100 - maximum: 599 - redirect-reason: - description: 'Expression specifying the reason for redirecting the request.' - type: string - maxLength: 7991 - required: [url] - respondwith: - type: object - description: 'Use this parameter when you want to respond to the request when request matches to policy.' - properties: - http-payload-string: - description: 'Expression that you want to sent as response to the request.' - type: string - maxLength: 7991 - required: [http-payload-string] - noop: - type: string - description: 'Use this option when you want to send the request to the protected server instead of - responding to it when request matches to policy.' - properties: - target: - description: 'Default syntax expression that specifies to perform noop operation on' - type: string - maxLength: 1229 - reset: - type: string - description: 'Use this option when you want to Reset the client connection by closing it when request matches to policy.' - properties: - drop: - type: string - description: 'Use this option when you want to drop the request without sending a response to the user when request matches to policy.' - properties: - respond-criteria: - description: 'Default syntax expression that the policy uses to determine whether to respond to the specified request.' 
- type: string - maxLength: 1299 - default-action: - description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). - An UNDEF event indicates an internal error condition.' - type: string - maxLength: 77 - enum: ['NOOP', 'RESET', 'DROP'] - comment: - description: 'Any comments to preserve information about this responder policy.' - type: string - maxLength: 255 - required: [respond-criteria] - oneOf: [required: [redirect], required: [respondwith], required: [noop], required: [reset], required: [drop]] - required: [responder-policy] - - dataset: - type: array - items: - type: object - properties: - name: - description: 'Name of the dataset.' - type: string - maxLength: 32 - type: - description: 'Type of value to bind to the dataset.' - type: string - enum: ["ipv4", "number", "ipv6", "ulong", "double", "mac"] - comment: - description: 'Any comments to preserve information about this dataset.' - type: string - maxLength: 255 - values: - description: 'Value of the specified type that is associated with this dataset.' - type: array - items: - type: string - required: [name, type, values] - - patset: - type: array - items: - type: object - properties: - name: - description: 'Name of the Patset.' - type: string - maxLength: 32 - comment: - description: 'Any comments to preserve information about this patset.' - type: string - maxLength: 255 - values: - description: 'String of characters that constitutes a pattern and is associated with this patset.' - type: array - items: - type: string - required: [name, values] - - stringmap: - type: array - items: - type: object - properties: - name: - description: 'Name of the Stringmap.' - type: string - maxLength: 32 - comment: - description: 'Any comments to preserve information about this stringmap.' - type: string - maxLength: 255 - values: - description: 'List of (key,value) pairs to be bound to this string map.' 
- type: array - items: - type: object - properties: - key: - description: 'Character string constituting the key to be bound to this string map.' - type: string - maxLength: 2047 - value: - description: 'Character string constituting the value associated with the key.' - type: string - maxLength: 2047 - required: [name, values] - - httpcallout_policy: - type: array - items: - type: object - properties: - name: - description: 'httpcallout name' - type: string - maxLength: 32 - server_ip: - description: 'IP Address of the server(callout agent) to which the callout is sent.' - type: string - server_port: - description: 'Port of the server(callout agent) to which the callout is sent.' - type: integer - minimum: 1 - maximum: 65535 - http_method: - description: |+ - 'Method used in the HTTP request that this callout sends. - Default http method is GET' - type: string - enum: ['GET', 'POST'] - host_expr: - description: |+ - 'String expression to configure the Host header. Can contain a literal value - (for example, 10.101.10.11) or a derived value (for example, http.req.header("Host")). - The literal value can be an IP address or a fully qualified domain name. Mutually - exclusive with the full HTTP request expression.' - type: string - maxLength: 255 - url_stem_expr: - description: |+ - 'String expression for generating the URL stem. Can contain a literal string - (for example, "/mysite/index.html") or an expression that derives the value - (for example, http.req.url).' - type: string - maxLength: 8191 - headers: - type: array - description: |+ - 'One or more headers to insert into the HTTP request. Each header is represented by - name and expr, where expr is an expression that is evaluated at runtime to provide - the value for the named header. You can configure a maximum of eight headers for - an HTTP callout.' 
- items: - type: object - properties: - name: - description: 'header name' - type: string - expr: - description: 'header expression' - type: string - parameters: - type: array - description: |+ - 'One or more query parameters to insert into the HTTP request URL (for a GET request) - or into the request body (for a POST request). Each parameter is represented by - name and expr, where expr is an expression that is evaluated at run time to provide - the value for the named parameter (name=value). The parameter values are URL encoded.' - items: - type: object - properties: - name: - description: 'parameter name' - type: string - expr: - description: 'parameter expression' - type: string - body_expr: - description: |+ - 'An advanced string expression for generating the body of the request. - The expression can contain a literal string or an expression that derives - the value (for example, client.ip.src).' - type: string - full_req_expr: - description: |+ - 'Exact HTTP request, in the form of an expression, which the Citrix ADC sends - to the callout agent. The request expression is constrained by the feature - for which the callout is used. For example, an HTTP.RES expression cannot be - used in a request-time policy bank or in a TCP content switching policy bank.' - type: string - scheme: - description: |+ - 'Type of scheme for the callout server. - Default scheme is HTTP' - type: string - enum: ['HTTP', 'HTTPS'] - cache_for_secs: - description: |+ - 'Duration, in seconds, for which the callout response is cached. - The cached responses are stored in an integrated caching content - group named "calloutContentGroup". If no duration is configured, - the callout responses will not be cached unless normal caching - configuration is used to cache them. This parameter takes precedence over any - normal caching configuration that would otherwise apply to these responses.' 
- type: integer - minimum: 1 - maximum: 31536000 - return_type: - description: |+ - 'Type of data that the target callout agent returns in response to the callout - Available settings function as follows: - * TEXT - Treat the returned value as a text string. - * NUM - Treat the returned value as a number. - * BOOL - Treat the returned value as a Boolean value.' - type: string - enum: ['TEXT', 'NUM', 'BOOL'] - result_expr: - description: |+ - 'Expression that extracts the callout results from the response sent by the HTTP callout - agent. Must be a response based expression, that is, it must begin with HTTP.RES. The - operations in this expression must match the return type. For example, if you configure - a return type of TEXT, the result expression must be a text based expression. If the - return type is NUM, the result expression (resultExpr) must return a numeric value, - as in the following example: http.res.body(10000).length.' - type: string - maxLength: 8191 - comment: - description: 'Any comments to preserve information about this HTTP callout.' 
- type: string - maxLength: 255 - allOf: - - properties: - required: [name, server_ip, server_port] - - properties: - oneOf: - - properties: - required: [full_req_expr] - - properties: - anyOf: - - properties: - required: [http_method] - - properties: - required: [host_expr] - - properties: - required: [url_stem_expr] - - properties: - required: [headers] - - properties: - required: [parameters] - - properties: - required: [body_expr] - anyOf: [required: [rewrite-policies], required: [responder-policies]] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: ratelimits.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: ratelimit - plural: ratelimits - singular: ratelimit - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the ratelimit policies are applied.' - type: array - items: - type: string - maxLength: 127 - selector_keys: - type: object - description: 'Traffic match criteria to which apply above rate-limit/throttling. All keys are applied as AND condition. 
If no keys are specified, rate-limit applies at service level' - properties: - basic: - type: object - description: "Basic traffic stream selection criteria to which to apply the ratelimit" - properties: - path: - type: array - description: "api resource path prefix match. e.g. /api/v1/products" - items: - type: string - method: - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT','PATCH', 'UNKNOWN_METHOD'] - header_name: - description: "HTTP header that identifies the unique API client for e.g. X-apikey" - type: string - per_client_ip: - description: "Setting this applies the throttling limit to each unique Client IP address accessing the API resource" - type: boolean - req_threshold: - description: 'Max requests per timeslice units to be allowed' - type: integer - timeslice: - description: 'Timeslice in miliseconds in multiple of 10. Defaults to 1000 miliseconds' - type: integer - limittype: - description: "Burst mode or smooth. Defaults to smooth limittype if not specified" - type: string - enum: ['BURSTY','SMOOTH'] - throttle_action: - type: string - enum: ['DROP', 'RESET','REDIRECT', 'RESPOND'] - description: "Drop will drop the requests exceeding limits, RESET will reset the client connection, Redirect will redirect to specified URL, respond will respond with 429 'Exceeded allowed rate of requests'" - redirect_url: - type: string - description: "Redirect-URL" - logpackets: - type: object - description: 'Adds an audit message action. The action specifies whether to log the message, and to which log.' - properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' 
- type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - required: [req_threshold] ---- -#Sample CRD instance - -#apiVersion: citrix.com/v1 -#description: VIP for apache service -#kind: vip -#metadata: -# name: service-apache -# namespace: default -#spec: -# description: VIP for the apache Service -# ipaddress: 10.99.98.90 -# kind: service -# name: apache - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: vips.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: vip - plural: vips - singular: vip - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - additionalPrinterColumns: - - jsonPath: .spec.ipaddress - name: VIP - type: string - - name: Age - type: date - jsonPath: .metadata.creationTimestamp - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - ipaddress: - type: string - name: - type: string - kind: - type: string - enum: ["service", "ingress"] - description: - type: string - range-name: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: authpolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: authpolicy - plural: authpolicies - singular: authpolicy - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: 'Current Status of the CRD' - jsonPath: .status.state - - name: Message - type: string - description: 'Status Message' - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: 
string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: |+ - 'Name of the services for which the policies applied' - type: array - items: - type: string - maxLength: 63 - authentication_mechanism: - type: object - description: |+ - 'Authentication mechanism. Options: using forms or using request header. - Default is Authentication using request header, when no option is specified' - properties: - using_request_header: - description: |+ - 'Enable user authentication using request header. Use when the credentials - or api keys are passed in a header. For example, when using Basic, Digest, - Bearer authentication or api keys. - When authentication using forms is provided, this is set to OFF' - - type: string - using_forms: - type: object - description: 'Enables authentication using forms. Use with user/web authentication.' - properties: - authentication_host: - description: |+ - 'Fully qualified domain name (FQDN) for authentication. - This FQDN should be unique and should resolve to frontend IP of - ADC with Ingress/service type LoadBalancer (or) vip of Listener CRD' - type: string - maxLength: 255 - authentication_host_cert: - description: |+ - 'Name of the SSL certificate to be used with authentication_host. 
- This certificate is mandatory while using_forms' - type: object - properties: - tls_secret: - type: string - description: 'Name of the Kubernetes Secret of type tls referring to Certificate' - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - preconfigured: - type: string - maxLength: 63 - description: |+ - 'Preconfigured SSL certkey name on ADC with the - certificate and key already added on ADC' - oneOf: - - properties: - required: [tls_secret] - - properties: - required: [preconfigured] - ingress_name: - description: |+ - 'Ingress name for which the authentication using forms - is applicable.' - type: string - maxLength: 63 - lb_service_name: - description: |+ - 'Service of type LoadBalancer for which the authentication using forms - is applicable.' - type: string - maxLength: 63 - listener_name: - description: |+ - 'Listener CRD name for which the authentication using forms is applicable.' - type: string - maxLength: 63 - vip: - description: |+ - 'Frontend IP of ingress for which the authentication - using forms is applicable. This refers to frontend-ip provided - with Ingress. It is suggested to use vip, if more than one Ingress - resource use the same frontend-ip' - type: string - required: [authentication_host, authentication_host_cert] - oneOf: - - properties: - required: [ingress_name] - - properties: - required: [lb_service_name] - - properties: - required: [listener_name] - - properties: - required: [vip] - oneOf: - - properties: - using_request_header: - enum: ['ON'] - required: [using_request_header] - - properties: - required: [using_forms] - - authentication_providers: - description: |+ - 'Authentication Configuration for required authentication providers/schemes. 
- One or more of these can be created' - type: array - items: - description: 'Create config for a single authentication provider of a particular type' - type: object - properties: - name: - description: 'Name for this provider, has to be unique, referenced by authentication policies' - type: string - maxLength: 127 - - oauth: - description: 'Authentication provided by external oAuth provider' - type: object - properties: - issuer: - description: 'Identity of the server whose tokens are to be accepted' - type: string - maxLength: 127 - audience: - description: 'Audience for which token sent by Authorization server is applicable' - type: array - items: - type: string - maxLength: 127 - jwks_uri: - description: |+ - 'URL of the endpoint that contains JWKs (Json Web Key) for - JWT (Json Web Token) verification' - type: string - maxLength: 127 - introspect_url: - description: ' URL of the introspection server' - type: string - maxLength: 127 - client_credentials: - description: |+ - 'secrets object that contains Client Id and secret as known - to Introspection server' - type: string - maxLength: 253 - token_in_hdr: - description: |+ - 'custom header name where token is present, - default is Authorization header' - type: array - items: - type: string - maxLength: 127 - maxItems: 2 - token_in_param: - description: 'query parameter name where token is present' - type: array - items: - type: string - maxLength: 127 - maxItems: 2 - signature_algorithms: - description: 'list of allowed signature algorithms, by default HS256, RS256, RS512 are allowed' - type: array - items: - type: string - enum: ['HS256', 'RS256', 'RS512'] - claims_to_save: - description: 'list of claims to be saved, used to create authorization policies' - type: array - items: - type: string - maxLength: 127 - metadata_url: - description: 'URL used to get OAUTH/OIDC provider metadata' - type: string - maxLength: 255 - user_field: - description: |+ - 'Attribute in the token from which username should be 
extracted. - by default, ADC looks at email attribute for user id' - type: string - maxLength: 127 - default_group: - description: |+ - 'group assigned to the request if authentication succeeds, - this is in addition to any extracted groups from token' - type: string - maxLength: 63 - grant_type: - description: 'used to specify the type of flow to the token end point, defaults to CODE' - type: array - items: - type: string - enum: ['CODE','PASSWORD'] - pkce: - description: 'specify whether to enable Proof Key Code Exchange, defaults to ENABLED' - type: string - enum: ['ENABLED', 'DISABLED'] - token_ep_auth_method: - description: |+ - 'authentication method to be used with token end point, - defaults to client_secret_post' - type: string - enum: ['client_secret_post', 'client_secret_jwt'] - - anyOf: - - properties: - required : [jwks_uri] - - properties: - required : [introspect_url, client_credentials] - - properties: - required : [metadata_url] - - ldap: - description: 'LDAP authentication provider' - type: object - properties: - server_ip: - description: 'IP address assigned to the LDAP server' - type: string - server_name: - description: 'LDAP server name as a FQDN' - type: string - maxLength: 127 - server_port: - description: 'Port on which the LDAP server accepts connections. Default is 389' - type: integer - minimum: 1 - maximum: 65535 - base: - description: |+ - 'Base (node) from which to start LDAP searches. If the LDAP server is - running locally, the default value of base is dc=netscaler, dc=com' - type: string - maxLength: 127 - server_login_credentials: - description: |+ - 'Kubernetes secret object providing credentials to login to LDAP server, - The secret data should have username and password' - type: string - login_name: - description: |+ - 'LDAP login name attribute. 
The Citrix ADC uses the LDAP login name - to query external LDAP servers or Active Directories' - type: string - maxLength: 127 - security_type: - description: |+ - 'Type of security used for communications between the Citrix ADC - and the LDAP server. Default is TLS' - type: string - enum: ['PLAINTEXT', 'TLS', 'SSL'] - validate_server_cert: - description: 'Validate LDAP Server certs. Default is NO' - type: string - enum: ['YES', 'NO'] - hostname: - description: |+ - 'Hostname for the LDAP server. If validate_server_cert is ON, - this must be the host name on the certificate from the LDAP - A hostname mismatch will cause a connection failure' - type: string - maxLength: 127 - sub_attribute_name: - description: 'LDAP group sub-attribute name. Used for group extraction from the LDAP server.' - type: string - maxLength: 31 - group_attribute_name: - description: 'LDAP group attribute name. Used for group extraction on the LDAP server.' - type: string - maxLength: 31 - search_filter: - description: |+ - 'String to be combined with the default LDAP user search string to form the - search value. For example, if the search filter "vpnallowed=true" is combined - with the LDAP login name "samaccount" and the user-supplied username is "bob", - the result is the LDAP search string ""(&(vpnallowed=true)(samaccount=bob)"" - (Be sure to enclose the search string in two sets of double quotation marks)' - type: string - maxLength: 255 - auth_timeout: - description: |+ - 'Number of seconds the Citrix ADC waits for a response from the server - Default is 3' - type: integer - minimum: 1 - maximum: 4294967295 - password_change: - description: 'Allow password change requests. 
Default is DISABLED' - type: string - enum: ['ENABLED', 'DISABLED'] - attributes_to_save: - description: |+ - 'List of attribute names separated by comma which needs to be fetched - from LDAP server and stored as key-value pair for the session on ADC' - type: string - maxLength: 2047 - oneOf: - - properties: - required: [server_ip] - - properties: - required: [server_name] - - saml: - description: |+ - 'SAML authentication provider. - Currently SAML is supported only with authentication mechanism using forms' - type: object - properties: - metadata_url: - description: 'URL is used for obtaining saml metadata.' - type: string - maxLength: 255 - metadata_refresh_interval: - description: |+ - 'Interval in minutes for fetching metadata from specified metadata URL. - Default is 36000' - type: integer - minimum: 1 - maximum: 4294967295 - signing_cert: - description: 'SSL certificate to sign requests from SP to IDP' - type: object - properties: - tls_secret: - type: string - description: 'Name of the Kubernetes Secret of type tls referring to Certificate' - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - preconfigured: - type: string - maxLength: 63 - description: |+ - 'Preconfigured SSL certkey name on ADC with the - certificate and key already added on ADC' - oneOf: - - properties: - required: [tls_secret] - - properties: - required: [preconfigured] - audience: - description: 'Audience for which assertion sent by IdP is applicable' - type: string - maxLength: 127 - issuer_name: - description: 'The name to be used in requests sent from SP to IDP to identify citrix ADC' - type: string - maxLength: 63 - binding: - description: 'Specifies the transport mechanism of saml message. Default is POST' - type: string - enum: ['REDIRECT', 'POST', 'ARTIFACT'] - artifact_resolution_service_url: - description: 'URL of the Artifact Resolution Service on IdP' - type: string - maxLength: 255 - logout_binding: - description: 'Specifies the transport mechanism of saml logout. 
Default is POST' - type: string - enum: ['REDIRECT', 'POST'] - reject_unsigned_assertion: - description: |+ - 'Reject unsigned SAML assertions. ON, rejects assertion without signature. - STRICT ensure that both Response and Assertion are signed. Default is ON' - type: string - enum: ['ON', 'OFF', 'STRICT'] - user_field: - description: 'SAML user ID, as given in the SAML assertion' - type: string - maxLength: 63 - default_authentication_group: - description: |+ - 'This is the default group that is chosen when the authentication - succeeds in addition to extracted groups' - type: string - maxLength: 63 - skew_time: - description: |+ - 'Allowed clock skew in number of minutes on an incoming assertion. - Default is 5' - type: integer - minimum: 1 - attributes_to_save: - description: |+ - 'List of attribute names separated by comma which needs to be extracted - and stored as key-value pair for the session on ADC' - type: string - maxLength: 2047 - required: - - metadata_url - - basic_local_db: - type: object - description: |+ - 'Basic HTTP authentication supported by ADC, user data in local DB of ADC. - Users needs to be added on ADC' - properties: - use_local_auth: - description: 'Use ADC authentication' - type: string - enum: ['YES'] - - required: - - name - - authentication_policies: - description: 'Authentication policies' - type: array - items: - type: object - description: 'Authentication policy' - properties: - resource: - type: object - description: 'endpoint/resource selection criteria' - properties: - path: - description: 'api resource path e.g. /products. 
' - type: array - items: - type: string - maxLength: 511 - method: - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT','PATCH', 'UNKNOWN_METHOD'] - required: - - path - expression: - description: 'ADC syntax expression for authentication' - type: string - maxLength: 1229 - provider: - description: 'name of the authentication provider for the policy, empty if no authentication required' - type: array - items: - type: string - maxLength: 127 - maxItems: 1 - oneOf: - - required: [resource, provider] - - required: [expression, provider] - - authorization_policies: - description: 'Authorization policies' - type: array - items: - type: object - description: 'Authorization policy' - properties: - resource: - type: object - description: 'endpoint/resource selection criteria' - properties: - path: - description: 'api resource path e.g. /products. ' - type: array - items: - type: string - maxLength: 511 - method: - description: ' http method' - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT','PATCH', 'UNKNOWN_METHOD'] - claims: - description: 'authorization scopes required for selected resource saved as claims or attributes' - type: array - items: - type: object - properties: - name: - description: 'name of the claim/attribute to check' - type: string - maxLength: 127 - values: - description: 'list of claim values required for the request' - type: array - items: - type: string - maxLength: 127 - minItems: 1 - required: - - name - - values - required: - - claims - expression: - description: 'ADC syntax expression for authorization' - type: string - maxLength: 1229 - oneOf: - - required: [resource] - - required: [expression] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: listeners.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - 
group: citrix.com - names: - kind: Listener - plural: listeners - singular: listener - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - required: [spec] - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - required: [protocol] - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - protocol: - type: string - enum: ["https", "http"] - description: "Protocol for this listener" - vip: - type: string - description: "VIP address, Optional for CPX, required for Tier-1 deployments" - secondaryVips: - type: array - description: "An array of Secondary VIPs. All the VIPs will be part of an ipset" - minItems: 1 - items: - type: string - redirectPort: - type: integer - minimum: 1 - maximum: 65535 - description: "Port from which http traffic should be redirected to https" - port: - type: integer - minimum: 1 - maximum: 65535 - certificates: - type: array - description: "certificates attached to the endpoints - Not applicable for HTTP" - minItems: 1 - items: - type: object - properties: - preconfigured: - type: string - description: "Preconfigured Certificate name on ADC " - secret: - type: object - description: "Kuberentes secret object" - required: [name] - properties: - name: - type: string - description: "name of the Kubernetes Secret object where Cert is located" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - namespace: - type: string - description: "Namespace of the kubernetes secret object; Default is same namespace where the Listener object is located" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - default: - type: boolean - description: "Only one of the certificate can be marked as default which will be presented if none of 
the cert matches with the hostname" - oneOf: - - required: ["preconfigured"] - - required: ["secret"] - policies: - type: object - description: "Policies attached to the Listener" - properties: - httpprofile: - type: object - description: "HTTP profile configurations for the Listener, HTTP level configurations" - properties: - preconfigured: - type: string - description: "Preconfigured or Built-in HTTP profile name" - config: - type: object - description: "HTTP profile configuration for the listener. For individual fields, refer:https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ns/nshttpprofile/nshttpprofile/ Name field is auto populated" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - tcpprofile: - type: object - description: "TCP level configurations, uses ns tcpprofile of citrix ADC" - properties: - preconfigured: - description: "Preconfigured or Built-in TCP profile name" - type: string - config: - type: object - description: "TCPprofile configurations for the listener. For individual fields refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ns/nstcpprofile/ ; Name field is auto populated" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - csvserverConfig: - type: object - description: "CS Vserver configuration for the listener" - additionalProperties: - type: string - sslprofile: - type: object - description: "SSL profile configuration" - properties: - preconfigured: - type: string - description: "SSL profile which is preconfigured in ADC. Ciphers bound to the profile is not overriden" - config: - description: "Citrix ADC frontend SSL profile configurations. 
Refer:https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ssl/sslprofile/ for all configurations; Name field is auto generated" - type: object - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - sslciphers: - type: array - description: "List of ciphers to be bound to the ssl profile for the listener. Priority is as per the order in the list. A cipher suite, predefined cipher group or User created cipher group can be mentioned" - minItems: 1 - items: - type: string - description: "Cipher suite, cipher group name" - analyticsprofile: - type: object - description: "Analytics profile configuration" - properties: - preconfigured: - type: array - description: "Preconfigured Analytics profile that needs to be bound to the vserver" - minItems: 1 - items: - type: string - description: "Name of the analytics profile preconfigured that will be bound to the Vserver" - config: - type: array - description: "An array of analytics to be enabled" - minItems: 1 - items: - type: object - description: "Anlytics to be enabled" - required: ['type'] - properties: - type: - description: "Analytics profile to be enabled, you can enable one or more of the webinsight, tcpinsight, securityinsight, videoinsight, hdxinsight, gatewayinsight, timeseries, lsninsight, botinsight " - type: string - enum: ["webinsight", "tcpinsight", "securityinsight", "videoinsight", "hdxinsight", "gatewayinsight", "timeseries", "lsninsight", "botinsight"] - parameters: - type: object - description: "Additional parameters for analytics profile. 
Please refer:https://developer-docs.citrix.com/projects/citrix-adc-nitro-api-reference/en/latest/configuration/analytics/analyticsprofile/" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - routes: - type: array - description: "List of route objects attached to the listener" - minItems: 1 - items: - type: object - properties: - name: - type: string - description: "Name of the HTTPRoute object" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - namespace: - type: string - description: "Namespace of the HTTPRoute object" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - labelSelector: - description: "Labels key value pair, if the route carries the same labels, it is automatically attached" - type: object - additionalProperties: - type: string - oneOf: - - required: [name, namespace] - - required: [labelSelector] - defaultAction: - type: object - description: "Default action for the listener: One of Backend or Redirect" - properties: - backend: - type: object - oneOf: - - required: [kube] - properties: - kube: - type: object - required: [service, port] - properties: - service: - description: "Name of the backend service" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - port: - description: "Service port" - type: integer - minimum: 1 - maximum: 65535 - namespace: - description: "Service namespace" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - backendConfig: - description: "General backend service options" - type: object - properties: - secure_backend: - description: "Use Secure communications to the backends" - type: boolean - lbConfig: - description: "Citrix ADC LB vserver configurations for the backend. 
Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/load-balancing/lbvserver/lbvserver/ for all configurations" - type: object - additionalProperties: - type: string - servicegroupConfig: - description: "Citrix ADC service group configurations for the backend; Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/basic/servicegroup/servicegroup/ for all configurations" - type: object - additionalProperties: - type: string - redirect: - type: object - oneOf: - - required: [targetExpression] - - required: [hostRedirect] - - required: [httpsRedirect] - properties: - httpsRedirect: - description: "Change the scheme from http to https keeping URL intact" - type: boolean - hostRedirect: - description: "Host name specified is used for redirection with URL intact" - type: string - targetExpression: - description: "A target can be specified using Citrix ADC policy expression" - type: string - responseCode: - description: "Default response code is 302, which can be customised using this attribute" - type: integer - minimum: 100 - maximum: 599 - oneOf: - - required: ["backend"] - - required: ["redirect"] - subresources: - # status enables the status subresource. 
- status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: httproutes.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: HTTPRoute - plural: httproutes - singular: httproute - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - required: [rules] - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - hostname: - type: array - description: "List of domain names that share the same route, default is '*'" - minItems: 1 - items: - type: string - description: "Domain name" - rules: - type: array - description: "List Content routing rules with an action defined" - minItems: 1 - items: - type: object - required: [name, action] - properties: - name: - type: string - description: "A name to represent the rule, this is used as an identifier in content routing policy name in ADC" - minLength: 1 - maxLength: 20 - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - match: - type: array - description: "List of rules with same action" - minItems: 1 - items: - type: object - anyOf: - - required: [path] - - required: [headers] - - required: [cookies] - - required: [queryParams] - - required: [method] - - required: [policyExpression] - properties: - path: - type: object - description: "URL Path based content routing" - properties: - prefix: - type: string - description: "URL path matches the prefix expression" - exact: - type: string - description: "URL Path must match exact path" - regex: - type: string - description: "PCRE based 
regex expression for path matching" - headers: - type: array - description: "List of header for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Header details for content routing, Check for existence of a header or header name-value match" - properties: - headerName: - type: object - description: "Header name based content routing, Here existence of header is used for routing" - properties: - exact: - type: string - description: "Header Name - treated as exact must exist" - contains: - type: string - description: "Header Name - A header must exist that contain the string the name" - regex: - type: string - description: "header Name - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e header name must not exist" - oneOf: - - required: [exact] - - required: [contains] - - required: [regex] - headerValue: - type: object - description: "Header Name and Value based match" - properties: - name: - type: string - description: "Header name that must match the value" - exact: - type: string - description: "Header value - treated as exact" - contains: - type: string - description: "Header value - treated as contains" - regex: - type: string - description: "header value - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e header if present must not match the value" - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - queryParams: - type: array - description: "List of Query parameters for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Query parameters Name and Value based match" - properties: - name: - type: string - description: "Query name that must match the value. 
If no value is specified, matches with any value" - exact: - type: string - description: "Query value - Exact match" - contains: - type: string - description: "Query value - value must have the string(substring)" - regex: - type: string - description: "Query value - Value must match this regex patterm" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e query if present must not match the value" - anyOf: - - required: [name] - - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - cookies: - type: array - description: "List of Cookie params for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Cookie based routing" - properties: - name: - type: string - description: "cookie name that must match the value. If no value specified, it matches with any value" - exact: - type: string - description: "cookie value - treated as exact" - contains: - type: string - description: "cookie value - treated as substring" - regex: - type: string - description: "cookie value - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. 
I.e cookie if present must not match the value" - anyOf: - - required: [name] - - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - method: - type: string - description: "HTTP method for content routing eg: POST, PUT, DELETE etc" - policyExpression: - type: string - description: "Citrix ADC policy expressions; refer: https://docs.citrix.com/en-us/netscaler/media/expression-prefix.pdf" - action: - type: object - description: "Action for the matched rule" - properties: - backend: - type: object - oneOf: - - required: [kube] - properties: - kube: - type: object - required: [service, port] - properties: - service: - description: "Name of the backend service" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - port: - description: "Service port" - type: integer - minimum: 1 - maximum: 65535 - backendConfig: - type: object - description: "General backend service options" - properties: - secureBackend: - description: "Use Secure communications to the backends" - type: boolean - lbConfig: - description: "Citrix ADC LB vserver configurations for the backend. 
Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/load-balancing/lbvserver/lbvserver/ for all configurations" - type: object - additionalProperties: - type: string - servicegroupConfig: - description: "Citrix ADC service group configurations for the backend; Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/basic/servicegroup/servicegroup/ for all configurations" - type: object - additionalProperties: - type: string - redirect: - type: object - oneOf: - - required: [targetExpression] - - required: [hostRedirect] - - required: [httpsRedirect] - properties: - httpsRedirect: - description: "Change the scheme from http to https keeping URL intact" - type: boolean - hostRedirect: - description: "Host name specified is used for redirection with URL intact" - type: string - targetExpression: - description: "A target can be specified using Citrix ADC policy expression" - type: string - responseCode: - description: "Default response code is 302, which can be customised using this attribute" - type: integer - minimum: 100 - maximum: 599 - oneOf: - - required: ["backend"] - - required: ["redirect"] - subresources: - # status enables the status subresource. - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - # name must match the spec fields below, and be in the form: . 
- name: continuousdeployments.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: continuousdeployment - plural: continuousdeployments - singular: continuousdeployment - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - cronSpec: - type: integer - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: wafs.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: waf - plural: wafs - singular: waf - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the waf policies are applied.' 
- type: array - items: - type: string - maxLength: 127 - application_type: - description: 'Type of applications to protect' - type: array - items: - type: string - enum: ['HTML', 'JSON', 'XML'] - signatures: - description: 'Location of external signature file' - type: string - redirect_url: - description: 'When a URL is blocked/down, redirect_url represents the alternate URL where the client requests should be sent.' - type: string - html_error_object: - description: 'Location of customized error page to respond when html or common violation are hit' - type: string - xml_error_object: - description: 'Location of customized error page to respond when xml violations are hit' - type: string - json_error_object: - description: 'Location of customized error page to respond when json violations are hit' - type: string - ip_reputation: - type: object - x-kubernetes-preserve-unknown-fields: true - description: 'Enabling IP reputation feature' - target: - description: 'To control what traffic to be inspected by Web Application Firewall. 
If you do not provide the target, everything will be inspected by default' - type: object - properties: - path: - type: array - description: "List of http urls to inspect" - items: - type: string - description: "URL path" - method: - type: array - description: "List of http methods to inspect" - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT','PATCH', 'UNKNOWN_METHOD'] - header: - type: array - description: "List of http headers to inspect" - items: - type: string - description: "header name" - security_checks: - description: 'To enable/disable application firewall security checks' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true - settings: - description: 'To fine tune application firewall security checks default settings' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true - relaxations: - description: 'Section which contains relaxation rules for known traffic and false positives' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true - enforcements: - description: 'Section which contains enforcement or restriction rules' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - 
x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: bots.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: bot - plural: bots - singular: bot - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the bot policies are applied.' - type: array - items: - type: string - maxLength: 127 - signatures: - description: 'Location of external bot signature file' - type: string - redirect_url: - description: 'url to redirect when bot violation is hit' - type: string - target: - description: 'To control what traffic to be inspected by BOT. 
If you do not provide the target, everything will be inspected by default' - type: object - properties: - path: - type: array - description: "List of http urls to inspect" - items: - type: string - description: "URL path" - method: - type: array - description: "List of http methods to inspect" - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT','PATCH', 'UNKNOWN_METHOD'] - header: - type: array - description: "List of http headers to inspect" - items: - type: string - description: "header name" - security_checks: - description: 'To enable/disable bot ecurity checks' - type: object - properties: - allow_list: - type: string - enum: ['ON', 'OFF'] - block_list: - type: string - enum: ['ON', 'OFF'] - device_fingerprint: - type: string - enum: ['ON', 'OFF'] - device_fingerprint_action: - type: object - x-kubernetes-preserve-unknown-fields: true - headless_browser: - type: string - enum: ['ON','OFF'] - reputation: - type: string - enum: ['ON', 'OFF'] - ratelimit: - type: string - enum: ['ON', 'OFF'] - tps: - type: string - enum: ['ON', 'OFF'] - trap: - type: object - x-kubernetes-preserve-unknown-fields: true - bindings: - description: 'Section which contains binding rules for bot security checks' - type: object - properties: - allow_list: - type: array - items: - type: object - properties: - subnet: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - ipv6: - type: object - x-kubernetes-preserve-unknown-fields: true - ipv6_subnet: - type: object - x-kubernetes-preserve-unknown-fields: true - expression: - type: object - x-kubernetes-preserve-unknown-fields: true - - block_list: - type: array - items: - type: object - properties: - subnet: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - ipv6: - type: object - x-kubernetes-preserve-unknown-fields: true - ipv6_subnet: - 
type: object - x-kubernetes-preserve-unknown-fields: true - expression: - type: object - x-kubernetes-preserve-unknown-fields: true - ratelimit: - type: array - items: - type: object - properties: - url: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - cookie: - type: object - x-kubernetes-preserve-unknown-fields: true - geolocation: - type: object - x-kubernetes-preserve-unknown-fields: true - reputation: - type: object - x-kubernetes-preserve-unknown-fields: true - captcha: - type: array - items: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - logexp: - type: array - items: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - kbmexpr: - type: array - items: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - tps: - type: object - properties: - geolocation: - type: object - x-kubernetes-preserve-unknown-fields: true - host: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - url: - type: object - x-kubernetes-preserve-unknown-fields: true - trapinsertion: - type: object - x-kubernetes-preserve-unknown-fields: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: apigatewaypolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: apigatewaypolicy - plural: apigatewaypolicies - singular: apigatewaypolicy - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - subresources: - status: {} - schema: - openAPIV3Schema: - type: object - required: 
[spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - api_definition: - type: object - properties: - repository: - type: string - branch: - type: string - oas_secret_ref: - type: string - files: - type: array - items: - type: string - maxLength: 127 - api_proxy: - type: object - properties: - ipaddress: - type: string - port: - type: integer - protocol: - type: string - secret: - type: string - policies: - type: array - items: - type: object - properties: - name: - type: string - selector: - type: array - items: - type: object - properties: - tags: - type: array - items: - type: string - api: - type: string - method: - type: array - items: - type: string - maxLength: 127 - upstream: - type: object - properties: - service: - type: string - port: - type: integer - policy_bindings: - type: object - properties: - ratelimit: - type: object - properties: - name: - type: string - waf: - type: object - properties: - name: - type: string - rewritepolicy: - type: object - properties: - name: - type: string - bot: - type: object - properties: - name: - type: string - aaa: - type: array - items: - type: object - properties: - crd_name: - type: string - mappings: - type: array - items: - type: object - properties: - petstore_auth: - type: string - api_key: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: corspolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: corspolicy - plural: corspolicies - singular: corspolicy - shortNames: - - cp - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: 'Current Status of the CRD' - jsonPath: .status.state - - name: Message - type: string - 
description: 'Status Message' - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'The list of Kubernetes services to which you want to apply the cors policies.' - type: array - items: - type: string - maxLength: 63 - allow_origin: - description: 'Represents list of allowed origins, it is used to screen the “origin” in the cors pre flight request' - type: array - items: - type: string - maxLength: 2083 - allow_methods: - description: 'Indicates which methods are supported by the response’s URL for the purposes of the CORS protocol. This variable will be used to set Access-Control-Allow-Methods in the pre-flight cors response.' - type: array - items: - type: string - maxLength: 127 - allow_headers: - description: 'Indicates which headers are supported by the response’s URL for the purposes of the CORS protocol. This variable will be used to set Access-Control-Allow-Headers in the pre-flight cors response.' - type: array - items: - type: string - maxLength: 127 - max_age: - description: 'Indicates the number of seconds (5 by default) the information provided by the `Access-Control-Allow-Methods` and `Access-Control-Allow-Headers` headers can be cached. This variable will be used to set Access-Control-Max-Age in the pre-flight cors response.' - type: integer - allow_credentials: - description: 'Indicates whether the response can be shared when the request’s credentials mode is "include". This variable will be set to Access-Control-Allow-Credentials in the rewrite action.' 
- type: boolean - required: [servicenames, allow_origin, allow_methods, allow_headers] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: appqoepolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: appqoepolicy - plural: appqoepolicies - singular: appqoepolicy - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - appqoe-policies: - type: array - items: - type: object - properties: - servicenames: - description: 'Name of the services that needs to be binded to appqoe policy.' - type: array - items: - type: string - maxLength: 127 - appqoe-policy: - type: object - properties: - operation-retry: - type: object - properties: - on-reset: - description: "To set Retry on Connection Reset or Not" - type: string - enum: ['YES','NO'] - on-timeout: - description: "Time in milliseconds for retry" - type: integer - minimum: 30 - maximum: 2000 - number-of-retries: - description: "To set number of retries" - type: integer - minimum: 1 - maximum: 7 - required: [operation-retry] - appqoe-criteria: - description: 'Expression against which traffic is evaluated.' - type: string - maxLength: 1299 - direction: - description: 'Bind point to which to bind the policy.' 
- type: string - enum: ["REQUEST","RESPONSE"] - required: [appqoe-criteria, operation-retry] - required: [appqoe-policy] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: wildcarddnsentries.citrix.com -spec: - group: citrix.com - names: - kind: wildcarddnsentry - plural: wildcarddnsentries - singular: wildcarddnsentry - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: Current Status of the CRD - jsonPath: .status.state - - name: Message - type: string - description: Status Message - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - zone: - type: object - description: DNS configuration for a zone - properties: - domain: - type: string - description: Domain name - dnsaddrec: - type: object - description: DNS Address record - properties: - domain-ip: - type: string - description: IPv4 addresses to assign to the domain name - ttl: - type: integer - description: >- - TTL is the time for which the record must be cached - by DNS proxies - dnsaaaarec: - type: object - description: DNS AAAA record - properties: - domain-ip: - type: string - description: IPv6 addresses to assign to the domain name - ttl: - type: integer - description: >- - TTL is the time for which the record must be cached - by DNS proxies - soarec: - type: object - description: SOA record - properties: - origin-server: - type: string - description: Origin server domain - contact: - type: string - description: Admin contact - serial: - type: integer - description: >- - The secondary server uses this parameter to - determine whether it requires a zone transfer from - the primary server. 
- refresh: - type: integer - description: >- - Time, in seconds, for which a secondary server must - wait between successive checks on the value of the - serial number. - retry: - type: integer - description: >- - Time, in seconds, between retries if a secondary server's - attempt to contact the primary server for a zone refresh fails. - expire: - type: integer - description: >- - Time, in seconds, after which the zone data on a secondary - nameserver can no longer be considered authoritative because - all refresh and retry attempts made during the period have failed." - nsrec: - type: object - description: Name server record - properties: - nameserver: - type: string - description: Host name of the name server to add to the domain. - ttl: - type: integer - description: >- - Time to Live (TTL), in seconds, for the record. TTL - is the time for which the record must be cached by - DNS proxies. The specified TTL is applied to all the - resource records that are of the same record type - and belong to the specified domain name ---- -{{- end }} diff --git a/charts/citrix/citrix-ingress-controller/1.33.4/templates/citrix-k8s-ingress.yaml b/charts/citrix/citrix-ingress-controller/1.33.4/templates/citrix-k8s-ingress.yaml deleted file mode 100644 index ac0ba09fad..0000000000 --- a/charts/citrix/citrix-ingress-controller/1.33.4/templates/citrix-k8s-ingress.yaml +++ /dev/null 
@@ -1,264 +0,0 @@
-{{- if .Values.openshift }}
-apiVersion: apps.openshift.io/v1
-kind: DeploymentConfig
-{{- else }}
-apiVersion: apps/v1
-kind: Deployment
-{{- end }}
-metadata:
- name: {{ include "citrix-ingress-controller.fullname" . }}
- namespace: {{ .Release.Namespace }}
-spec:
- selector:
-{{- if .Values.openshift }}
- router: {{ include "citrix-ingress-controller.fullname" . }}
-{{- else }}
- matchLabels:
- app: {{ include "citrix-ingress-controller.fullname" . }}
-{{- end }}
- replicas: 1
-{{- if .Values.openshift }}
- strategy:
- resources: {}
- rollingParams:
- intervalSeconds: 1
- maxSurge: 0
- maxUnavailable: 25%
- timeoutSeconds: 600
- updatePeriodSeconds: 1
- type: Rolling
-{{- end }}
- template:
- metadata:
- name: cic
- labels:
-{{- if .Values.openshift }}
- router: {{ include "citrix-ingress-controller.fullname" . }}
-{{- else }}
- app: {{ include "citrix-ingress-controller.fullname" . }}
-{{- end }}
-{{- with .Values.podAnnotations }}
- annotations:
- {{- toYaml . | nindent 8 }}
-{{- end }}
- spec:
- serviceAccountName: {{ include "citrix-ingress-controller.serviceAccountName" . }}
- containers:
- - name: cic
- image: "{{ tpl .Values.image . }}"
- imagePullPolicy: {{ .Values.pullPolicy }}
- args:
- - --configmap
- {{ .Release.Namespace }}/{{ include "cicconfigmap.fullname" . }}
-{{- if .Values.defaultSSLCertSecret }}
- - --default-ssl-certificate
- {{ .Release.Namespace }}/{{ .Values.defaultSSLCertSecret }}
-{{- end }}
-{{- if .Values.ingressClass }}
- - --ingress-classes
-{{- range .Values.ingressClass}}
- {{.}}
-{{- end }}
-{{- end }}
-{{- if .Values.serviceClass }}
- - --service-classes
-{{- range .Values.serviceClass}}
- {{.}}
-{{- end }}
-{{- end }}
- - --feature-node-watch
- {{ .Values.nodeWatch }}
- - --enable-cnc-pbr
- {{ .Values.cncPbr }}
-{{- if .Values.ipam }}
- - --ipam
- citrix-ipam-controller
-{{- end }}
-{{- if .Values.disableAPIServerCertVerify }}
- - --disable-apiserver-cert-verify
- {{ .Values.disableAPIServerCertVerify }}
-{{- end }}
-{{- if .Values.updateIngressStatus }}
- - --update-ingress-status
- yes
-{{- end }}
- env:
- - name: "NS_IP"
- value: "{{ .Values.nsIP }}"
-{{- if .Values.nsVIP }}
- - name: "NS_VIP"
- value: "{{ .Values.nsVIP }}"
-{{- end }}
-{{- if .Values.rbacRole }}
- - name: "SCOPE"
- value: "local"
-{{- end }}
-{{- if .Values.nitroReadTimeout }}
- - name: "NS_NITRO_READ_TIMEOUT"
- value: "{{ .Values.nitroReadTimeout }}"
-{{- end }}
- - name: "NS_USER"
- {{- if and .Values.secretStore.enabled .Values.secretStore.username}}
- {{- toYaml .Values.secretStore.username | nindent 10 }}
- {{- else }}
- valueFrom:
- secretKeyRef:
- name: {{ .Values.adcCredentialSecret }}
- key: username
- {{- end }}
- - name: "NS_PASSWORD"
- {{- if and .Values.secretStore.enabled .Values.secretStore.password}}
- {{- toYaml .Values.secretStore.password | nindent 10 }}
- {{- else }}
- valueFrom:
- secretKeyRef:
- name: {{ .Values.adcCredentialSecret }}
- key: password
- {{- end }}
- - name: "EULA"
- value: "{{ .Values.license.accept }}"
-{{- if and .Values.openshift .Values.routeLabels }}
- - name: "ROUTE_LABELS"
- value: {{ .Values.routeLabels | quote}}
-{{- end }}
-{{- if and .Values.openshift .Values.namespaceLabels }}
- - name: "NAMESPACE_LABELS"
- value: {{ .Values.namespaceLabels | quote }}
-{{- end }}
- - name: "NS_APPS_NAME_PREFIX"
- value: {{ .Values.entityPrefix | default "k8s"| quote }}
-{{- if .Values.kubernetesURL }}
- - name: "kubernetes_url"
- value: "{{ .Values.kubernetesURL }}"
-{{- end }}
-{{- if .Values.clusterName }}
- - name: "CLUSTER_NAME"
- value: "{{ .Values.clusterName }}"
-{{- end }}
-{{- if .Values.logProxy }}
- - name: "NS_LOGPROXY"
- value: "{{ .Values.logProxy }}"
-{{- end }}
-{{- if .Values.disableOpenshiftRoutes }}
- - name: "DISABLE_OPENSHIFT_ROUTES"
- value: "{{ .Values.disableOpenshiftRoutes }}"
-{{- end }}
-{{- if .Values.nsConfigDnsRec }}
- - name: "NS_CONFIG_DNS_REC"
- value: "{{ .Values.nsConfigDnsRec }}"
-{{- end }}
-{{- if .Values.nsSvcLbDnsRec }}
- - name: "NS_SVC_LB_DNS_REC"
- value: "{{ .Values.nsSvcLbDnsRec }}"
-{{- end }}
-{{- if .Values.optimizeEndpointBinding }}
- - name: "OPTIMIZE_ENDPOINT_BINDING"
- value: "{{ .Values.optimizeEndpointBinding }}"
-{{- end }}
- resources:
- {{- toYaml .Values.resources | nindent 12 }}
- {{- if ne (len .Values.extraVolumeMounts) 0 }}
- volumeMounts:
-{{- toYaml .Values.extraVolumeMounts | nindent 8 }}
- {{- end }}
-{{- if .Values.exporter.required }}
- - name: exporter
- image: "{{ tpl .Values.exporter.image . }}"
- imagePullPolicy: {{ .Values.exporter.pullPolicy }}
- args:
- - "--target-nsip={{ .Values.nsIP }}"
- - "--port={{ .Values.exporter.ports.containerPort }}"
- env:
- - name: "NS_USER"
- {{- if and .Values.secretStore.enabled .Values.secretStore.username}}
- {{- toYaml .Values.secretStore.username | nindent 10 }}
- {{- else }}
- valueFrom:
- secretKeyRef:
- name: {{ .Values.adcCredentialSecret }}
- key: username
- {{- end }}
- - name: "NS_PASSWORD"
- {{- if and .Values.secretStore.enabled .Values.secretStore.password}}
- {{- toYaml .Values.secretStore.password | nindent 10 }}
- {{- else }}
- valueFrom:
- secretKeyRef:
- name: {{ .Values.adcCredentialSecret }}
- key: password
- {{- end }}
- {{- if ne (len .Values.exporter.extraVolumeMounts) 0 }}
- volumeMounts:
- {{- toYaml .Values.exporter.extraVolumeMounts | nindent 8 }}
- {{- end }}
- securityContext:
- readOnlyRootFilesystem: true
- resources:
-{{- toYaml .Values.exporter.resources | nindent 12 }}
-{{- end }}
-{{- if or (and .Values.extraVolumeMounts .Values.extraVolumes) (and .Values.exporter.extraVolumeMounts .Values.extraVolumes) }}
- volumes:
-{{- end }}
-{{- if ne (len .Values.extraVolumes) 0 }}
-{{ toYaml .Values.extraVolumes | indent 6 }}
-{{- end }}
-{{- if and .Values.nodeSelector.key .Values.nodeSelector.value }}
- nodeSelector:
- {{ .Values.nodeSelector.key }}: {{ .Values.nodeSelector.value }}
-{{- end }}
-{{- if .Values.tolerations }}
- tolerations: {{ .Values.tolerations | toYaml | nindent 8 }}
-{{- end }}
-{{- with .Values.affinity }}
- affinity:
- {{- toYaml . | nindent 8 }}
-{{- end }}
-
----
-
-{{- if .Values.exporter.required }}
-
-
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "exporter.fullname" . }}
- labels:
- app: {{ include "exporter.fullname" . }}
- service-type: {{ include "servicemonitorlabel" . }}
-spec:
- type: ClusterIP
- ports:
- - port: {{ .Values.exporter.ports.containerPort }}
- targetPort: {{ .Values.exporter.ports.containerPort }}
- name: exporter-port
- selector:
-{{- if .Values.openshift }}
- router: {{ include "citrix-ingress-controller.fullname" . }}
-{{- else }}
- app: {{ include "citrix-ingress-controller.fullname" . }}
-{{- end }}
-
----
-
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
- name: {{ include "servicemonitor.fullname" . }}
- namespace: {{ .Release.Namespace }}
- labels:
- servicemonitor: citrix-adc
-spec:
- endpoints:
- - interval: 30s
- port: exporter-port
- selector:
- matchLabels:
- service-type: {{ include "servicemonitorlabel" . }}
- namespaceSelector:
- matchNames:
- - monitoring
- - default
- - {{ .Release.Namespace }}
-
-{{- end }}
diff --git a/charts/citrix/citrix-ingress-controller/1.33.4/templates/configmap.yaml b/charts/citrix/citrix-ingress-controller/1.33.4/templates/configmap.yaml
deleted file mode 100644
index 586906391b..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.33.4/templates/configmap.yaml
+++ /dev/null
@@ -1,75 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "cicconfigmap.fullname" . }}
- namespace: {{ .Release.Namespace }}
-data:
- LOGLEVEL: {{ .Values.logLevel | quote | lower }}
- JSONLOG: {{ .Values.jsonLog | quote | lower }}
- NS_PROTOCOL: {{ .Values.nsProtocol | quote | lower }}
- NS_PORT: {{ .Values.nsPort | quote }}
-{{- if .Values.nsSNIPS }}
- NS_SNIPS: {{ .Values.nsSNIPS | toJson}}
-{{- end }}
-{{- if and .Values.analyticsConfig.required .Values.nsEnableLabel }}
- NS_ENABLE_LABELS: {{ .Values.nsEnableLabel | quote}}
-{{- end }}
-{{- if .Values.podIPsforServiceGroupMembers }}
- POD_IPS_FOR_SERVICEGROUP_MEMBERS: {{ .Values.podIPsforServiceGroupMembers | quote }}
-{{- end }}
-{{- if .Values.ignoreNodeExternalIP }}
- IGNORE_NODE_EXTERNAL_IP: {{ .Values.ignoreNodeExternalIP | quote }}
-{{- end }}
-
-{{- if ne (upper .Values.nsHTTP2ServerSide) "OFF" }}
- NS_HTTP2_SERVER_SIDE: {{ .Values.nsHTTP2ServerSide | quote }}
-{{- end }}
-{{- if ne (toString .Values.nsCookieVersion) "0" }}
- NS_COOKIE_VERSION: {{ .Values.nsCookieVersion | quote }}
-{{- end }}
-{{- if .Values.nsDnsNameserver }}
- NS_DNS_NAMESERVER: {{ .Values.nsDnsNameserver }}
-{{- end }}
-
-{{- if .Values.analyticsConfig.required }}
- NS_ANALYTICS_CONFIG: |
- distributed_tracing:
- enable: {{ .Values.analyticsConfig.distributedTracing.enable | quote }}
- samplingrate: {{ .Values.analyticsConfig.distributedTracing.samplingrate }}
- endpoint:
- server: {{ include "analytics.server" . | quote }}
- service: {{ .Values.analyticsConfig.endpoint.service | quote }}
- timeseries:
- port: {{ .Values.analyticsConfig.timeseries.port }}
- metrics:
- enable: {{ .Values.analyticsConfig.timeseries.metrics.enable | quote }}
- mode: {{ .Values.analyticsConfig.timeseries.metrics.mode | quote }}
- auditlogs:
- enable: {{ .Values.analyticsConfig.timeseries.auditlogs.enable | quote }}
- events:
- enable: {{ .Values.analyticsConfig.timeseries.events.enable | quote }}
- transactions:
- enable: {{ .Values.analyticsConfig.transactions.enable | quote }}
- port: {{ .Values.analyticsConfig.transactions.port }}
-{{- end }}
-
-{{- if .Values.nsLbHashAlgo.required }}
- NS_LB_HASH_ALGO: |
- hashFingers: {{ .Values.nsLbHashAlgo.hashFingers }}
- hashAlgorithm: {{ .Values.nsLbHashAlgo.hashAlgorithm | quote }}
-{{- end }}
-
-{{- if .Values.profileSslFrontend }}
- FRONTEND_SSL_PROFILE: |
- {{- toYaml .Values.profileSslFrontend | nindent 4 }}
-{{- end }}
-
-{{- if .Values.profileTcpFrontend }}
- FRONTEND_TCP_PROFILE: |
- {{- toYaml .Values.profileTcpFrontend | nindent 4 }}
-{{- end }}
-
-{{- if .Values.profileHttpFrontend }}
- FRONTEND_HTTP_PROFILE: |
- {{- toYaml .Values.profileHttpFrontend | nindent 4 }}
-{{- end }}
\ No newline at end of file
diff --git a/charts/citrix/citrix-ingress-controller/1.33.4/templates/ingressclass.yaml b/charts/citrix/citrix-ingress-controller/1.33.4/templates/ingressclass.yaml
deleted file mode 100644
index d75537b79f..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.33.4/templates/ingressclass.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{{- $default := .Values.setAsDefaultIngressClass -}}
-{{- if semverCompare ">=1.19.0-0" .Capabilities.KubeVersion.GitVersion }}
-{{- if .Values.ingressClass }}
-{{- range .Values.ingressClass }}
-apiVersion: networking.k8s.io/v1
-kind: IngressClass
-metadata:
- name: {{ . | quote }}
-{{- if $default }}
- annotations:
- ingressclass.kubernetes.io/is-default-class: "true"
-{{- end }}
-spec:
- controller: citrix.com/ingress-controller
----
-{{- end }}
-{{- end }}
-{{- end }}
diff --git a/charts/citrix/citrix-ingress-controller/1.33.4/templates/rbac.yaml b/charts/citrix/citrix-ingress-controller/1.33.4/templates/rbac.yaml
deleted file mode 100644
index c20c1512e0..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.33.4/templates/rbac.yaml
+++ /dev/null
@@ -1,106 +0,0 @@
-{{- if not .Values.rbacRole }}
-kind: ClusterRole
-{{- else }}
-kind: Role
-{{- end }}
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: {{ include "citrix-ingress-controller.serviceAccountName" . }}
-{{- if .Values.rbacRole }}
- namespace: {{ .Release.Namespace }}
-{{- end }}
-rules:
- - apiGroups: [""]
-{{- if .Values.openshift }}
- resources: ["endpoints", "pods", "secrets", "routes", "tokenreviews", "subjectaccessreviews", "nodes", "namespaces", "configmaps", "services"]
-{{- else }}
- resources: ["endpoints", "pods", "secrets", "routes", "nodes", "namespaces", "configmaps", "services"]
-{{- end }}
- verbs: ["get", "list", "watch"]
- # services/status is needed to update the loadbalancer IP in service status for integrating
- # service of type LoadBalancer with external-dns
- - apiGroups: [""]
- resources: ["services/status"]
- verbs: ["patch"]
- - apiGroups: [""]
- resources: ["events"]
- verbs: ["create"]
- - apiGroups: ["extensions", "networking.k8s.io"]
- resources: ["ingresses"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["extensions","networking.k8s.io"]
- resources: ["ingresses/status"]
- verbs: ["patch"]
- - apiGroups: ["networking.k8s.io"]
- resources: ["ingressclasses"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["apiextensions.k8s.io"]
- resources: ["customresourcedefinitions"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["apps"]
- resources: ["deployments"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["citrix.com"]
- resources: ["rewritepolicies", "continuousdeployments", "authpolicies", "ratelimits", "listeners", "httproutes", "wafs", "apigatewaypolicies", "bots", "corspolicies", "appqoepolicies", "wildcarddnsentries"]
- verbs: ["get", "list", "watch", "create", "delete", "patch"]
- - apiGroups: ["citrix.com"]
- resources: ["rewritepolicies/status", "continuousdeployments/status", "authpolicies/status", "ratelimits/status", "listeners/status", "httproutes/status", "wafs/status", "apigatewaypolicies/status", "bots/status", "corspolicies/status", "appqoepolicies/status", "wildcarddnsentries/status"]
- verbs: ["patch"]
- - apiGroups: ["citrix.com"]
- resources: ["vips"]
- verbs: ["get", "list", "watch", "create", "delete"]
- - apiGroups: ["crd.projectcalico.org"]
- resources: ["ipamblocks"]
- verbs: ["get", "list", "watch"]
-{{- if .Values.openshift }}
- - apiGroups: ["route.openshift.io"]
- resources: ["routes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["network.openshift.io"]
- resources: ["hostsubnets"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["config.openshift.io"]
- resources: ["networks"]
- verbs: ["get", "list"]
-{{- end }}
-
----
-
-{{- if not .Values.rbacRole }}
-kind: ClusterRoleBinding
-{{- else }}
-kind: RoleBinding
-{{- end }}
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: {{ include "citrix-ingress-controller.serviceAccountName" . }}
-{{- if .Values.rbacRole }}
- namespace: {{ .Release.Namespace }}
-{{- end }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
-{{- if not .Values.rbacRole }}
- kind: ClusterRole
-{{- else }}
- kind: Role
-{{- end }}
- name: {{ include "citrix-ingress-controller.serviceAccountName" . }}
-subjects:
-- kind: ServiceAccount
- name: {{ include "citrix-ingress-controller.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
-
----
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ include "citrix-ingress-controller.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
-{{- if .Values.imagePullSecrets }}
-imagePullSecrets:
-{{- range .Values.imagePullSecrets }}
-- name: {{.}}
-{{- end }}
-{{- end }}
-
diff --git a/charts/citrix/citrix-ingress-controller/1.33.4/values.yaml b/charts/citrix/citrix-ingress-controller/1.33.4/values.yaml
deleted file mode 100644
index 1a2f8bf53a..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.33.4/values.yaml
+++ /dev/null
@@ -1,199 +0,0 @@
-# Default values for citrix-ingress-controller.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-# Citrix Ingress Controller config details
-imageRegistry: quay.io
-imageRepository: citrix/citrix-k8s-ingress-controller
-imageTag: 1.33.4
-image: "{{ .Values.imageRegistry }}/{{ .Values.imageRepository }}:{{ .Values.imageTag }}"
-pullPolicy: IfNotPresent
-imagePullSecrets: []
-nameOverride: ""
-fullnameOverride: ""
-openshift: false
-adcCredentialSecret: # K8s Secret Name
-# Enable secretStore to implement CSI Secret Provider classes for holding the nslogin credentials
-secretStore:
- enabled: false
- username: {}
- #valueFrom:
- # configMapKeyRef:
- # name: test1
- # key: username
- password: {}
- #valueFrom:
- # configMapKeyRef:
- # name: test1
- # key: password
-nsIP: x.x.x.x
-nsVIP:
-nsSNIPS:
-license:
- accept: no
-nsPort: 443
-nsProtocol: HTTPS
-nsEnableLabel: true
-# nitroReadTimeout is timeout value in seconds for nitro api read timeout(default is 20)
-nitroReadTimeout:
-logLevel: INFO
-jsonLog: false
-entityPrefix:
-kubernetesURL:
-clusterName:
-ingressClass:
-setAsDefaultIngressClass: False
-serviceClass:
-defaultSSLCertSecret:
-podIPsforServiceGroupMembers: False
-ignoreNodeExternalIP: False
-ipam: False
-# API server Cert verification can be disabled, while communicating with API Server, if disableAPIServerCertVerify set to True
-disableAPIServerCertVerify: False
-logProxy:
-nodeWatch: false
-cncPbr: False
-nodeSelector:
- key:
- value:
-tolerations: []
-updateIngressStatus: True
-nsHTTP2ServerSide: "OFF"
-nsCookieVersion: "0"
-nsConfigDnsRec:
-nsSvcLbDnsRec:
-nsDnsNameserver:
-optimizeEndpointBinding:
-routeLabels:
-namespaceLabels:
-disableOpenshiftRoutes:
-profileSslFrontend: {}
- # preconfigured: my_ssl_profile
- # OR
- # config:
- # tls13: 'ENABLED'
- # hsts: 'ENABLED'
-profileHttpFrontend: {}
- # preconfigured: my_http_profile
- # OR
- # config:
- # dropinvalreqs: 'ENABLED'
- # websocket: 'ENABLED'
-profileTcpFrontend: {}
- # preconfigured: my_tcp_profile
- # OR
- # config:
- # sack: 'ENABLED'
- # nagle: 'ENABLED'
-
-# Exporter config details
-exporter:
- required: false
- imageRegistry: quay.io
- imageRepository: citrix/citrix-adc-metrics-exporter
- imageTag: 1.4.9
- image: "{{ .Values.exporter.imageRegistry }}/{{ .Values.exporter.imageRepository }}:{{ .Values.exporter.imageTag }}"
- pullPolicy: IfNotPresent
- ports:
- containerPort: 8888
- resources: {}
- # We usually recommend not to specify default resources and to leave this as a conscious
- # choice for the user. This also increases chances charts run on environments with little
- # resources, such as Minikube. If you do want to specify resources, uncomment the following
- # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
- # limits:
- # cpu: 100m
- # memory: 128Mi
- # requests:
- # cpu: 100m
- # memory: 128Mi
- extraVolumeMounts: []
- # We usually recommend not to specify default resources and to leave this as a conscious
- # choice for the user.
- #- name: github-key
- # mountPath: /etc/config/keys/
- # readOnly: true
- #- name: agent-init-scripts
- # mountPath: /docker-entrypoint.d/
-
-# For CRDs supported by Citrix Ingress Controller
-crds:
- install: false
- retainOnDelete: false
-
-# Enable RBAC role (so called local role), by default CIC deployed with ClusterRole.
-# below variable to deploy CIC with RBAC role, only ingress service supported with this config
-rbacRole: False
-
-# Config required to be done by Citrix Ingress Controller for sending metrics to Citrix Observability Exporter
-analyticsConfig:
- required: false
- distributedTracing:
- enable: false
- samplingrate: 100
- endpoint:
- server:
- service:
- timeseries:
- port: 30002
- metrics:
- enable: false
- mode: 'avro'
- auditlogs:
- enable: false
- events:
- enable: false
- transactions:
- enable: false
- port: 30001
-
-nsLbHashAlgo:
- required: false
- hashFingers: 256
- hashAlgorithm: 'DEFAULT'
-
-# Specifies whether a ServiceAccount should be created
-serviceAccount:
- create: true
- # The name of the ServiceAccount to use.
- # If not set and `create` is true, a name is generated using the fullname template
- # name:
-
-podAnnotations: {}
-
-resources: {}
- # We usually recommend not to specify default resources and to leave this as a conscious
- # choice for the user. This also increases chances charts run on environments with little
- # resources, such as Minikube. If you do want to specify resources, uncomment the following
- # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
- # Following values depends on no of ingresses configured by Ingress Controllers, so it is
- # advised to test with maximum no of ingresses to set these values.
- # limits:
- # cpu: 1000m
- # memory: 1000Mi
- # requests:
- # cpu: 500m
- # memory: 500Mi
-
-affinity: {}
-
-extraVolumeMounts: []
- # We usually recommend not to specify default resources and to leave this as a conscious
- # choice for the user.
- #- name: github-key
- # mountPath: /etc/config/keys/
- # readOnly: true
- #- name: agent-init-scripts
- # mountPath: /docker-entrypoint.d/
-
-extraVolumes: []
- # We usually recommend not to specify default resources and to leave this as a conscious
- # choice for the user.
- #- name: agent-init-scripts
- # configMap:
- # name: agent-init-scripts
- # defaultMode: 0755
- #- name: github-key
- # secret:
- # secretName: github-key
- # defaultMode: 0744
diff --git a/charts/citrix/citrix-ingress-controller/1.34.16/Chart.yaml b/charts/citrix/citrix-ingress-controller/1.34.16/Chart.yaml
deleted file mode 100644
index 5f5a8d350a..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.34.16/Chart.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-annotations:
- catalog.cattle.io/certified: partner
- catalog.cattle.io/display-name: Citrix Ingress Controller
- catalog.cattle.io/kube-version: '>=v1.16.0-0'
- catalog.cattle.io/release-name: citrix-ingress-controller
-apiVersion: v2
-appVersion: 1.34.16
-deprecated: true
-description: A Helm chart for Citrix Ingress Controller configuring MPX/VPX.
-home: https://www.cloud.com
-icon: https://raw.githubusercontent.com/citrix/citrix-helm-charts/gh-pages/icon.png
-kubeVersion: '>=v1.16.0-0'
-maintainers:
-- email: priyanka.sharma@cloud.com
- name: priyankash-citrix
-- email: subash.dangol@cloud.com
- name: subashd
-name: citrix-ingress-controller
-sources:
-- https://github.com/citrix/citrix-k8s-ingress-controller
-version: 1.34.16
diff --git a/charts/citrix/citrix-ingress-controller/1.34.16/README.md b/charts/citrix/citrix-ingress-controller/1.34.16/README.md
deleted file mode 100644
index e70970ae8b..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.34.16/README.md
+++ /dev/null
@@ -1,497 +0,0 @@ -# Citrix Ingress Controller - -[Citrix](https://www.citrix.com/en-in/) provides an Ingress Controller for Citrix ADC MPX (hardware), Citrix ADC VPX (virtualized), and [Citrix ADC CPX](https://docs.citrix.com/en-us/citrix-adc-cpx/13/about.html) (containerized) for [bare metal](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/deployment/baremetal) and [cloud](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/deployment) deployments. It configures one or more Citrix ADC based on the Ingress resource configuration in [Kubernetes](https://kubernetes.io/) or in [OpenShift](https://www.openshift.com) cluster. - -## TL;DR; - -### For Kubernetes - ``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install cic citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret= - ``` - - To install Citrix Provided Custom Resource Definition(CRDs) along with Citrix Ingress Controller - ``` - helm install cic citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,crds.install=true - ``` - -### For OpenShift - - ``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ - - helm install cic citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,openshift=true - ``` - - To install Citrix Provided Custom Resource Definition(CRDs) along with Citrix Ingress Controller - ``` - helm install cic citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,openshift=true,crds.install=true - ``` - -> **Important:** -> -> The `license.accept` argument is mandatory. Ensure that you set the value as `yes` to accept the terms and conditions of the Citrix license. - -## Introduction -This Helm chart deploys Citrix ingress controller in the [Kubernetes](https://kubernetes.io) or in the [Openshift](https://www.openshift.com) cluster using [Helm](https://helm.sh) package manager. 
- -### Prerequisites - -- The [Kubernetes](https://kubernetes.io/) version should be 1.16 and above if using Kubernetes environment. -- The [Openshift](https://www.openshift.com) version 4.8 or later if using OpenShift platform. -- The [Helm](https://helm.sh/) version 3.x or later. You can follow instruction given [here](https://github.com/citrix/citrix-helm-charts/blob/master/Helm_Installation_version_3.md) to install the same. -- You determine the NS_IP IP address needed by the controller to communicate with Citrix ADC. The IP address might be anyone of the following depending on the type of Citrix ADC deployment: - - - (Standalone appliances) NSIP - The management IP address of a standalone Citrix ADC appliance. For more information, see [IP Addressing in Citrix ADC](https://docs.citrix.com/en-us/citrix-adc/12-1/networking/ip-addressing.html). - - - (Appliances in High Availability mode) SNIP - The subnet IP address. For more information, see [IP Addressing in Citrix ADC](https://docs.citrix.com/en-us/citrix-adc/12-1/networking/ip-addressing.html). - - - (Appliances in Clustered mode) CLIP - The cluster management IP (CLIP) address for a clustered Citrix ADC deployment. For more information, see [IP addressing for a cluster](https://docs.citrix.com/en-us/citrix-adc/12-1/clustering/cluster-overview/ip-addressing.html). - -- You have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator), if you want to view the metrics of the Citrix ADC CPX collected by the [metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics). - -- The user name and password of the Citrix ADC VPX or MPX appliance used as the ingress device. The Citrix ADC appliance needs to have system user account (non-default) with certain privileges so that Citrix ingress controller can configure the Citrix ADC VPX or MPX appliance. 
For instructions to create the system user account on Citrix ADC, see [Create System User Account for CIC in Citrix ADC](#create-system-user-account-for-cic-in-citrix-adc). - - You can pass user name and password using Kubernetes secrets. Create a Kubernetes secret for the user name and password using the following command: - - ``` - kubectl create secret generic nslogin --from-literal=username='cic' --from-literal=password='mypassword' - ``` - -#### Create system User account for Citrix ingress controller in Citrix ADC - -Citrix ingress controller configures the Citrix ADC using a system user account of the Citrix ADC. The system user account should have certain privileges so that the CIC has permission configure the following on the Citrix ADC: - -- Add, Delete, or View Content Switching (CS) virtual server -- Configure CS policies and actions -- Configure Load Balancing (LB) virtual server -- Configure Service groups -- Cofigure SSl certkeys -- Configure routes -- Configure user monitors -- Add system file (for uploading SSL certkeys from Kubernetes) -- Configure Virtual IP address (VIP) -- Check the status of the Citrix ADC appliance - -> **Note:** -> -> The system user account would have privileges based on the command policy that you define. - -To create the system user account, do the following: - -1. Log on to the Citrix ADC appliance. Perform the following: - 1. Use an SSH client, such as PuTTy, to open an SSH connection to the Citrix ADC appliance. - - 2. Log on to the appliance by using the administrator credentials. - -2. Create the system user account using the following command: - - ``` - add system user - ``` - - For example: - - ``` - add system user cic mypassword - ``` - -3. Create a policy to provide required permissions to the system user account. 
Use the following command: - - ``` - add cmdpolicy cic-policy ALLOW '^(\?!shell)(\?!sftp)(\?!scp)(\?!batch)(\?!source)(\?!.*superuser)(\?!.*nsroot)(\?!install)(\?!show\s+system\s+(user|cmdPolicy|file))(\?!(set|add|rm|create|export|kill)\s+system)(\?!(unbind|bind)\s+system\s+(user|group))(\?!diff\s+ns\s+config)(\?!(set|unset|add|rm|bind|unbind|switch)\s+ns\s+partition).*|(^install\s*(wi|wf))|(^\S+\s+system\s+file)^(\?!shell)(\?!sftp)(\?!scp)(\?!batch)(\?!source)(\?!.*superuser)(\?!.*nsroot)(\?!install)(\?!show\s+system\s+(user|cmdPolicy|file))(\?!(set|add|rm|create|export|kill)\s+system)(\?!(unbind|bind)\s+system\s+(user|group))(\?!diff\s+ns\s+config)(\?!(set|unset|add|rm|bind|unbind|switch)\s+ns\s+partition).*|(^install\s*(wi|wf))|(^\S+\s+system\s+file)' - ``` - - **Note**: The system user account would have privileges based on the command policy that you define. - The command policy mentioned in ***step 3*** is similar to the built-in `sysAdmin` command policy with another permission to upload files. - - The command policy spec provided above have already escaped special characters for easier copy pasting into the Citrix ADC command line. - - For configuring the command policy from Citrix ADC Configuration Wizard (GUI), use the below command policy spec. - - ``` - ^(?!shell)(?!sftp)(?!scp)(?!batch)(?!source)(?!.*superuser)(?!.*nsroot)(?!install)(?!show\s+system\s+(user|cmdPolicy|file))(?!(set|add|rm|create|export|kill)\s+system)(?!(unbind|bind)\s+system\s+(user|group))(?!diff\s+ns\s+config)(?!(set|unset|add|rm|bind|unbind|switch)\s+ns\s+partition).*|(^install\s*(wi|wf))|(^\S+\s+system\s+file)^(?!shell)(?!sftp)(?!scp)(?!batch)(?!source)(?!.*superuser)(?!.*nsroot)(?!install)(?!show\s+system\s+(user|cmdPolicy|file))(?!(set|add|rm|create|export|kill)\s+system)(?!(unbind|bind)\s+system\s+(user|group))(?!diff\s+ns\s+config)(?!(set|unset|add|rm|bind|unbind|switch)\s+ns\s+partition).*|(^install\s*(wi|wf))|(^\S+\s+system\s+file) - ``` - -4. 
Bind the policy to the system user account using the following command: - - ``` - bind system user cic cic-policy 0 - ``` - -## Installing the Chart -Add the Citrix Ingress Controller helm chart repository using command: - -``` - helm repo add citrix https://citrix.github.io/citrix-helm-charts/ -``` - -### For Kubernetes: -#### 1. Citrix Ingress Controller -To install the chart with the release name, `my-release`, use the following command: - ``` - helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,ingressClass[0]= - ``` - -> **Note:** -> -> By default the chart installs the recommended [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) roles and role bindings. - -The command deploys Citrix ingress controller on Kubernetes cluster with the default configuration. The [configuration](#configuration) section lists the mandatory and optional parameters that you can configure during installation. - -#### 2. Citrix Ingress Controller with Exporter -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed along with Citrix ingress controller and collects metrics from the Citrix ADC instances. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. - -> **Note:** -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). 
- -Use the following command for this: - ``` - helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,ingressClass[0]=,exporter.required=true - ``` - -### For Openshift: -Add the name of the service account created when the chart is deployed to the privileged Security Context Constraints of OpenShift: - - ``` - oc adm policy add-scc-to-user privileged system:serviceaccount:: - ``` - -#### 1. Citrix Ingress Controller -To install the chart with the release name, `my-release`, use the following command: - ``` - helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,openshift=true - ``` - -The command deploys Citrix ingress controller on your Openshift cluster in the default configuration. The [configuration](#configuration) section lists the mandatory and optional parameters that you can configure during installation. - -#### 2. Citrix Ingress Controller with Exporter -[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed along with Citrix ingress controller and collects metrics from the Citrix ADC instances. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana. 
- -> **Note:** -> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator) - -Use the following command for this: - ``` - helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,openshift=true,exporter.required=true - ``` - -### Installed components - -The following components are installed: - -- [Citrix ingress controller](https://github.com/citrix/citrix-k8s-ingress-controller) -- [Exporter](https://github.com/citrix/citrix-adc-metrics-exporter) (if enabled) - -## Configuration for ServiceGraph: - If Citrix ADC VPX/MPX need to send data to the Citrix ADM to bring up the servicegraph, then the below steps can be followed to install Citrix ingress controller for Citrix ADC VPX/MPX. Citrix ingress controller configures Citrix ADC VPX/MPX with the configuration required for servicegraph. - - 1. Create secret using Citrix ADC VPX credentials, which will be used by Citrix ingress controller for configuring Citrix ADC VPX/MPX: - - kubectl create secret generic nslogin --from-literal=username='cic' --from-literal=password='mypassword' - - 2. Deploy Citrix ingress controller using helm command: - - helm install my-release citrix/citrix-ingress-controller --set nsIP=,nsVIP=,license.accept=yes,adcCredentialSecret=,analyticsConfig.required=true,analyticsConfig.timeseries.metrics.enable=true,analyticsConfig.timeseries.port=5563,analyticsConfig.distributedTracing.enable=true,analyticsConfig.transactions.enable=true,analyticsConfig.transactions.port=5557,analyticsConfig.endpoint.server= - -> **Note:** -> If container agent is being used here for Citrix ADM, please provide `podIP` of container agent in the `analyticsConfig.endpoint.server` parameter. - -## CRDs configuration - -CRDs can be installed/upgraded when we install/upgrade Citrix ingress controller using `crds.install=true` parameter in Helm. If you do not want to install CRDs, then set the option `crds.install` to `false`. 
By default, CRDs too get deleted if you uninstall through Helm. This means, even the CustomResource objects created by the customer will get deleted. If you want to avoid this data loss set `crds.retainOnDelete` to `true`. - -> **Note:** -> Installing again may fail due to the presence of CRDs. Make sure that you back up all CustomResource objects and clean up CRDs before re-installing Citrix Ingress Controller. - -There are a few examples of how to use these CRDs, which are placed in the folder: [Example-CRDs](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds). Refer to them and install as needed, using the following command: -```kubectl create -f ``` - -### Details of the supported CRDs: - -#### authpolicies CRD: - -Authentication policies are used to enforce access restrictions to resources hosted by an application or an API server. - -Citrix provides a Kubernetes CustomResourceDefinitions (CRDs) called the [Auth CRD](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/auth) that you can use with the Citrix ingress controller to define authentication policies on the ingress Citrix ADC. - -Example file: [auth_example.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/auth_example.yaml) - -#### continuousdeployments CRD for canary: - -Canary release is a technique to reduce the risk of introducing a new software version in production by first rolling out the change to a small subset of users. After user validation, the application is rolled out to the larger set of users. Citrix ADC-Integrated [Canary Deployment solution](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/canary) stitches together all components of continuous delivery (CD) and makes canary deployment easier for the application developers. 
- -#### httproutes and listeners CRDs for contentrouting: - -[Content Routing (CR)](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/contentrouting) is the execution of defined rules that determine the placement and configuration of network traffic between users and web applications, based on the content being sent. For example, a pattern in the URL or header fields of the request. - -Example files: [HTTPRoute_crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/HTTPRoute_crd.yaml), [Listener_crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/Listener_crd.yaml) - -#### ratelimits CRD: - -In a Kubernetes deployment, you can [rate limit the requests](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/ratelimit) to the resources on the back end server or services using rate limiting feature provided by the ingress Citrix ADC. - -Example files: [ratelimit-example1.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/ratelimit-example1.yaml), [ratelimit-example2.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/ratelimit-example2.yaml) - -#### vips CRD: - -Citrix provides a CustomResourceDefinitions (CRD) called [VIP](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/vip) for asynchronous communication between the IPAM controller and Citrix ingress controller. - -The IPAM controller is provided by Citrix for IP address management. It allocates IP address to the service from a defined IP address range. The Citrix ingress controller configures the IP address allocated to the service as virtual IP (VIP) in Citrix ADX VPX. And, the service is exposed using the IP address. - -When a new service is created, the Citrix ingress controller creates a CRD object for the service with an empty IP address field. 
The IPAM Controller listens to addition, deletion, or modification of the CRD and updates it with an IP address to the CRD. Once the CRD object is updated, the Citrix ingress controller automatically configures Citrix ADC-specfic configuration in the tier-1 Citrix ADC VPX. - -#### rewritepolicies CRD: - -In kubernetes environment, to deploy specific layer 7 policies to handle scenarios such as, redirecting HTTP traffic to a specific URL, blocking a set of IP addresses to mitigate DDoS attacks, imposing HTTP to HTTPS and so on, requires you to add appropriate libraries within the microservices and manually configure the policies. Instead, you can use the [Rewrite and Responder features](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/crd/rewrite-responder-policies-deployment.yaml) provided by the Ingress Citrix ADC device to deploy these policies. - -Example files: [target-url-rewrite.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/target-url-rewrite.yaml) - -#### wafs CRD: - -[WAF CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/waf.md) can be used to configure the web application firewall policies with the Citrix ingress controller on the Citrix ADC VPX, MPX, SDX, and CPX. The WAF CRD enables communication between the Citrix ingress controller and Citrix ADC for enforcing web application firewall policies. - -In a Kubernetes deployment, you can enforce a web application firewall policy to protect the server using the WAF CRD. For more information about web application firewall, see [Web application security](https://docs.citrix.com/en-us/citrix-adc/13/application-firewall/introduction/web-application-security.html). - -Example files: [wafhtmlxsssql.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/wafhtmlxsssql.yaml) - -#### apigateway CRD: - -API Gateway CRD is used to configure gitops framework on citrix API gateway. 
This solution enables citrix ingress controller to generate API gateway configurations out of Open API Specification documents checked in to git repository by API developers and designers. - -Example files: [api-gateway-crd-instance.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/api-gateway-crd-instance.yaml) -#### bots CRD: - -[BOT CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/bot.md) You can use Bot CRDs to configure the bot management policies with the Citrix ingress controller on the Citrix ADC VPX. The Bot custom resource definition enables communication between the Citrix ingress controller and Citrix ADC for enforcing bot management policies. - -In a Kubernetes deployment, you can enforce bot management policy on therequests and responses from and to the server using the Bot CRDs. For more information on security vulnerabilities, see [Bot Detection](https://docs.citrix.com/en-us/citrix-adc/current-release/bot-management/bot-detection.html). - -Example files: [botallowlist.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/botallowlist.yaml) - -#### CORS CRD: - -[CORS CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/cors.md) Cross-origin resource sharing (CORS) is a mechanism allows a web application running under one domain to securely access resources in another domain. You can configure CORS policies on Citrix ADC using Citrix ingress controller to allow one domain (the origin domain) to call APIs in another domain. For more information, see the [cross-origin resource sharing CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/cors.md) documentation. 
- -Example files: [cors-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/corspolicy-example.yaml) - -#### APPQOE CRD: - -[APPQOE CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/appqoe.md) When a Citrix ADC appliance receives an HTTP request and forwards it to a back-end server, sometimes there may be connection failures with the back-end server. You can configure the request-retry feature on Citrix ADC to forward the request to the next available server, instead of sending the reset to the client. Hence, the client saves round trip time when Citrix ADC initiates the same request to the next available service. -For more information, see the AppQoE support documentation. [Appqoe resource sharing CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/appqoe.md) documentation. - -Example files: [appqoe-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/appqoe_example.yaml) - -#### WILDCARDDNS CRD: - -[WILDCARDDNS CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/wildcarddns.md) Wildcard DNS domains are used to handle requests for nonexistent domains and subdomains. In a zone, use wildcard domains to redirect queries for all nonexistent domains or subdomains to a particular server, instead of creating a separate Resource Record (RR) for each domain. The most common use of a wildcard DNS domain is to create a zone that can be used to forward mail from the internet to some other mail system. -For more information, see the Wild card DNS domains support documentation. [Wildcard DNS Entry CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/wildcarddns.md) documentation. 
- -Example files: [wildcarddns-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/wildcarddns-example.yaml) - -### Tolerations - -Taints are applied on cluster nodes whereas tolerations are applied on pods. Tolerations enable pods to be scheduled on node with matching taints. For more information see [Taints and Tolerations in Kubernetes](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/). - -Toleration can be applied to Citrix ingress controller pod using `tolerations` argument while deploying CIC using helm chart. This argument takes list of tolerations that user need to apply on the CIC pods. - -For example, following command can be used to apply toleration on the CIC pod: - -``` -helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,tolerations[0].key=,tolerations[0].value=,tolerations[0].operator=,tolerations[0].effect= -``` - -Here tolerations[0].key, tolerations[0].value and tolerations[0].effect are the key, value and effect that was used while tainting the node. -Effect represents what should happen to the pod if the pod don't have any matching toleration. It can have values `NoSchedule`, `NoExecute` and `PreferNoSchedule`. -Operator represents the operation to be used for key and value comparison between taint and tolerations. It can have values `Exists` and `Equal`. The default value for operator is `Equal`. - - - -### Configuration - -The following table lists the mandatory and optional parameters that you can configure during installation: - -| Parameters | Mandatory or Optional | Default value | Description | -| --------- | --------------------- | ------------- | ----------- | -| license.accept | Mandatory | no | Set `yes` to accept the CIC end user license agreement. 
| -| imageRegistry | Mandatory | `quay.io` | The Citrix ingress controller image registry | -| imageRepository | Mandatory | `citrix/citrix-k8s-ingress-controller` | The Citrix ingress controller image repository | -| imageTag | Mandatory | `1.34.16` | The Citrix ingress controller image tag | -| pullPolicy | Mandatory | IfNotPresent | The CIC image pull policy. | -| imagePullSecrets | Optional | N/A | Provide list of Kubernetes secrets to be used for pulling the images from a private Docker registry or repository. For more information on how to create this secret please see [Pull an Image from a Private Registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/). | -| nameOverride | Optional | N/A | String to partially override deployment fullname template with a string (will prepend the release name) | -| fullNameOverride | Optional | N/A | String to fully override deployment fullname template with a string | -| resources | Optional | {} | CPU/Memory resource requests/limits for Citrix Ingress Controller container | -| adcCredentialSecret | Mandatory | N/A | The secret key to log on to the Citrix ADC VPX or MPX. For information on how to create the secret keys, see [Prerequisites](#prerequistes). | -| secretStore.enabled | Optional | False | Set to "True" for deploying other Secret Provider classes | -| secretStore.username | Optional | N/A | if `secretStore.enabled`, `username` of ADC will be fetched from the Secret Provider | -| secretStore.password | Optional | N/A | if `secretStore.enabled`, `password` of ADC will be fetched from the Secret Provider | -| nsIP | Mandatory | N/A | The IP address of the Citrix ADC device. For details, see [Prerequisites](#prerequistes). | -| nsVIP | Optional | N/A | The Virtual IP address on the Citrix ADC device. 
| -| nsSNIPS | Optional | N/A | The list of subnet IPAddresses on the Citrix ADC device, which will be used to create PBR Routes instead of Static Routes [PBR support](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/docs/how-to/pbr.md) | -| nsPort | Optional | 443 | The port used by CIC to communicate with Citrix ADC. You can use port 80 for HTTP. | -| nsProtocol | Optional | HTTPS | The protocol used by CIC to communicate with Citrix ADC. You can also use HTTP on port 80. | -| nsEnableLabel | Optional | True | Set to true for plotting Servicegraph. Ensure ``analyticsConfig` are set. | -| nitroReadTimeout | Optional | 20 | The nitro Read timeout in seconds, defaults to 20 | -| logLevel | Optional | DEBUG | The loglevel to control the logs generated by CIC. The supported loglevels are: CRITICAL, ERROR, WARNING, INFO, DEBUG and TRACE. For more information, see [Logging](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/configure/log-levels.md).| -| jsonLog | Optional | false | Set this argument to true if log messages are required in JSON format | -| nsConfigDnsRec | Optional | false | To enable/disable DNS address Record addition in ADC through Ingress | -| nsSvcLbDnsRec | Optional | false | To enable/disable DNS address Record addition in ADC through Type Load Balancer Service | -| nsDnsNameserver | Optional | N/A | To add DNS Nameservers in ADC | -| optimizeEndpointBinding | Optional | false | To enable/disable binding of backend endpoints to servicegroup in a single API-call. Recommended when endpoints(pods) per application are large in number. Applicable only for Citrix ADC Version >=13.0-45.7 | -| kubernetesURL | Optional | N/A | The kube-apiserver url that CIC uses to register the events. If the value is not specified, CIC uses the [internal kube-apiserver IP address](https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod). 
| -| clusterName | Optional | N/A | The unique identifier of the kubernetes cluster on which the CIC is deployed. Used in multi-cluster deployments. | -| ingressClass | Optional | N/A | If multiple ingress load balancers are used to load balance different ingress resources. You can use this parameter to specify CIC to configure Citrix ADC associated with specific ingress class. For more information on Ingress class, see [Ingress class support](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/configure/ingress-classes/). For Kubernetes version >= 1.19, this will create an IngressClass object with the name specified here | -| setAsDefaultIngressClass | Optional | False | Set the IngressClass object as default ingress class. New Ingresses without an "ingressClassName" field specified will be assigned the class specified in ingressClass. Applicable only for kubernetes versions >= 1.19 | -| serviceClass | Optional | N/A | By Default ingress controller configures all TypeLB Service on the ADC. You can use this parameter to finetune this behavior by specifing CIC to only configure TypeLB Service with specific service class. For more information on Service class, see [Service class support](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/configure/service-classes/). | -| nodeWatch | Optional | false | Use the argument if you want to automatically configure network route from the Ingress Citrix ADC VPX or MPX to the pods in the Kubernetes cluster. For more information, see [Automatically configure route on the Citrix ADC instance](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/network/staticrouting/#automatically-configure-route-on-the-citrix-adc-instance). | -| cncPbr | Optional | False | Use this argument to inform CIC that Citrix Node Controller(CNC) is configuring Policy Based Routes(PBR) on the Citrix ADC. 
For more information, see [CNC-PBR-SUPPORT](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/docs/how-to/pbr.md#configure-pbr-using-the-citrix-node-controller) | -| defaultSSLCertSecret | Optional | N/A | Provide Kubernetes secret name that needs to be used as a default non-SNI certificate in Citrix ADC. | -| podIPsforServiceGroupMembers | Optional | False | By default Citrix Ingress Controller will add NodeIP and NodePort as service group members while configuring type LoadBalancer Services and NodePort services. This variable if set to `True` will change the behaviour to add pod IP and Pod port instead of nodeIP and nodePort. Users can set this to `True` if there is a route between ADC and K8s clusters internal pods either using feature-node-watch argument or using Citrix Node Controller. | -| ignoreNodeExternalIP | Optional | False | While adding NodeIP, as Service group members for type LoadBalancer services or NodePort services, Citrix Ingress Controller has a selection criteria whereas it choose Node ExternalIP if available and Node InternalIP, if Node ExternalIP is not present. But some users may want to use Node InternalIP over Node ExternalIP even if Node ExternalIP is present. If this variable is set to `True`, then it prioritises the Node Internal IP to be used for service group members even if node ExternalIP is present | -| nsHTTP2ServerSide | Optional | OFF | Set this argument to `ON` for enabling HTTP2 for Citrix ADC service group configurations. | -| nsCookieVersion | Optional | 0 | Specify the persistence cookie version (0 or 1). | -| profileSslFrontend | Optional | N/A | Specify the frontend SSL profile. For Details see [Configuration using FRONTEND_SSL_PROFILE](https://docs.citrix.com/en-us/citrix-k8s-ingress-controller/configure/profiles.html#global-front-end-profile-configuration-using-configmap-variables) | -| profileTcpFrontend | Optional | N/A | Specify the frontend TCP profile. 
For Details see [Configuration using FRONTEND_TCP_PROFILE](https://docs.citrix.com/en-us/citrix-k8s-ingress-controller/configure/profiles.html#global-front-end-profile-configuration-using-configmap-variables) | -| profileHttpFrontend | Optional | N/A | Specify the frontend HTTP profile. For Details see [Configuration using FRONTEND_HTTP_PROFILE](https://docs.citrix.com/en-us/citrix-k8s-ingress-controller/configure/profiles.html#global-front-end-profile-configuration-using-configmap-variables) | -| ipam | Optional | False | Set this argument if you want to use the IPAM controller to automatically allocate an IP address to the service of type LoadBalancer. | -| disableAPIServerCertVerify | Optional | False | Set this parameter to True for disabling API Server certificate verification. | -| logProxy | Optional | N/A | Provide Elasticsearch or Kafka or Zipkin endpoint for Citrix observability exporter. | -| entityPrefix | Optional | k8s | The prefix for the resources on the Citrix ADC VPX/MPX. | -| updateIngressStatus | Optional | True | Set this argurment if `Status.LoadBalancer.Ingress` field of the Ingress resources managed by the Citrix ingress controller needs to be updated with allocated IP addresses. For more information see [this](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/configure/ingress-classes.md#updating-the-ingress-status-for-the-ingress-resources-with-the-specified-ip-address). | -| routeLabels | Optional | N/A | You can use this parameter to provide the route labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster. | -| namespaceLabels | Optional | N/A | You can use this parameter to provide the namespace labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster. | -| podAnnotations | Optional | N/A | Map of annotations to add to the pods. | -| affinity | Optional | N/A | Affinity labels for pod assignment. 
| -| exporter.required | Optional | false | Use the argument, if you want to run the [Exporter for Citrix ADC Stats](https://github.com/citrix/citrix-adc-metrics-exporter) along with CIC to pull metrics for the Citrix ADC VPX or MPX| -| exporter.imageRegistry | Optional | `quay.io` | The Exporter for Citrix ADC Stats image registry | -| exporter.imageRepository | Optional | `citrix/citrix-adc-metrics-exporter` | The Exporter for Citrix ADC Stats image repository | -| exporter.imageTag | Optional | `1.4.9` | The Exporter for Citrix ADC Stats image tag | -| exporter.pullPolicy | Optional | IfNotPresent | The Exporter image pull policy. | -| exporter.ports.containerPort | Optional | 8888 | The Exporter container port. | -| exporter.resources | Optional | {} | CPU/Memory resource requests/limits for Metrics exporter container | -| exporter.extraVolumeMounts | Optional | [] | Specify the Additional VolumeMounts to be mounted in Exporter container. Specify the volumes in `extraVolumes` | -| exporter.serviceMonitorExtraLabels | Optional | | Extra labels for service monitor whem Citrix-adc-metrics-exporter is enabled. |s -| openshift | Optional | false | Set this argument if OpenShift environment is being used. | -| disableOpenshiftRoutes | Optional | false | By default Openshift routes are processed in openshift environment, this variable can be used to disable Ingress controller processing the openshift routes. | -| nodeSelector.key | Optional | N/A | Node label key to be used for nodeSelector option in CIC deployment. | -| nodeSelector.value | Optional | N/A | Node label value to be used for nodeSelector option in CIC deployment. | -| tolerations | Optional | N/A | Specify the tolerations for the CIC deployment. | -| crds.install | Optional | False | Unset this argument if you don't want to install CustomResourceDefinitions which are consumed by CIC. 
| -| crds.retainOnDelete | Optional | false | Set this argument if you want to retain CustomResourceDefinitions even after uninstalling CIC. This will avoid data-loss of Custom Resource Objects created before uninstallation. | -| analyticsConfig.required | Mandatory | false | Set this to true if you want to configure Citrix ADC to send metrics and transaction records to analytics . | -| analyticsConfig.distributedTracing.enable | Optional | false | Set this value to true to enable OpenTracing in Citrix ADC. | -| analyticsConfig.distributedTracing.samplingrate | Optional | 100 | Specifies the OpenTracing sampling rate in percentage. | -| analyticsConfig.endpoint.server | Optional | N/A | Set this value as the IP address or DNS address of the analytics server. | -| analyticsConfig.endpoint.service | Optional | N/A | Set this value as the IP address or service name with namespace of the analytics service deployed in k8s environment. Format: namespace/servicename | -| analyticsConfig.timeseries.port | Optional | 30002 | Specify the port used to expose analytics service outside cluster for timeseries endpoint. | -| analyticsConfig.timeseries.metrics.enable | Optional | False | Set this value to true to enable sending metrics from Citrix ADC. | -| analyticsConfig.timeseries.metrics.mode | Optional | avro | Specifies the mode of metric endpoint. | -| analyticsConfig.timeseries.auditlogs.enable | Optional | false | Set this value to true to export audit log data from Citrix ADC. | -| analyticsConfig.timeseries.events.enable | Optional | false | Set this value to true to export events from the Citrix ADC. | -| analyticsConfig.transactions.enable | Optional | false | Set this value to true to export transactions from Citrix ADC. | -| analyticsConfig.transactions.port | Optional | 30001 | Specify the port used to expose analytics service outside cluster for transaction endpoint. 
| -| nsLbHashAlgo.required | Optional | false | Set this value to set the LB consistent hashing Algorithm | -| nsLbHashAlgo.hashFingers | Optional | 256 | Specifies the number of fingers to be used for hashing algorithm. Possible values are from 1 to 1024, Default value is 256 | -| nsLbHashAlgo.hashAlgorithm | Optional | 'default' | Specifies the supported algorithm. Supported algorithms are "default", "jarh", "prac", Default value is 'default' | -| extraVolumeMounts | Optional | [] | Specify the Additional VolumeMounts to be mounted in CIC container | -| extraVolumes | Optional | [] | Specify the Additional Volumes for additional volumeMounts | -| rbacRole | Optional | false | To deploy CIC with RBAC Role set rbacRole=true; by default CIC gets installed with RBAC ClusterRole(rbacRole=false)) | - -Alternatively, you can define a YAML file with the values for the parameters and pass the values while installing the chart. - -For example: - ``` - helm install my-release citrix/citrix-ingress-controller -f values.yaml - ``` - -> **Tip:** -> -> The [values.yaml](https://github.com/citrix/citrix-helm-charts/blob/master/citrix-ingress-controller/values.yaml) contains the default values of the parameters. - -> **Note:** -> -> Please provide frontend-ip (VIP) in your application ingress yaml file. For more info refer [this](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/configure/annotations.md). - -## Route Addition in MPX/VPX -For seamless functioning of services deployed in the Kubernetes cluster, it is essential that Ingress NetScaler device should be able to reach the underlying overlay network over which Pods are running. -`feature-node-watch` knob of Citrix Ingress Controller can be used for automatic route configuration on NetScaler towards the pod network. Refer [Static Route Configuration](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/staticrouting.md) for further details regarding the same. 
-By default, `feature-node-watch` is false. It needs to be explicitly set to true if auto route configuration is required. - -This can also be achieved by deploying [Citrix Node Controller](https://github.com/citrix/citrix-k8s-node-controller). - -If your deployment uses one single Citrix ADC Device to loadbalance between multiple k8s clusters, there is a possibilty of CNI subnets to overlap, causing the above mentioned static routing to fail due to route conflicts. In such deployments [Policy Based Routing(PBR)] (https://docs.citrix.com/en-us/citrix-adc/current-release/networking/ip-routing/configuring-policy-based-routes/configuring-policy-based-routes-pbrs-for-ipv4-traffic.html) can be used instead. This would require you to provide one or more subnet IP Addresses unique for each kubernetes cluster either via Environment variable or Configmap, see [PBR Support](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/docs/how-to/pbr.md) - - Use the following command to provide subnet IPAddresses(SNIPs) to configure Policy Based Routes(PBR) on the Citrix ADC - - ``` - helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,nsSNIPS='[\, \, ...]' - ``` - - [Citrix Node Controller](https://github.com/citrix/citrix-k8s-node-controller) by default also adds static routes while creating the VXLAN tunnel. To use [Policy Based Routing(PBR)] (https://docs.citrix.com/en-us/citrix-adc/current-release/networking/ip-routing/configuring-policy-based-routes/configuring-policy-based-routes-pbrs-for-ipv4-traffic.html) to avoid static route clash, both Citrix Node Controller and Citrix Ingress Controller has to work in conjunction and has to be started with specific arguments. For more details refer [CNC-PBR-SUPPORT](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/docs/how-to/pbr.md#configure-pbr-using-the-citrix-node-controller). 
- - Use the following command to inform Citrix Ingress Controller that Citrix Node Controller is configuring Policy Based Routes(PBR) on the Citrix ADC - - ``` - helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,clusterName=,cncPbr= - ``` - -For configuring static routes manually on Citrix ADC VPX or MPX to reach the pods inside the cluster follow: -### For Kubernetes: -1. Obtain podCIDR using below options: - ``` - kubectl get nodes -o yaml | grep podCIDR - ``` - * podCIDR: 10.244.0.0/24 - * podCIDR: 10.244.1.0/24 - * podCIDR: 10.244.2.0/24 - -2. Log on to the Citrix ADC instance. - -3. Add Route in Netscaler VPX/MPX - ``` - add route - ``` -4. Ensure that Ingress MPX/VPX has a SNIP present in the host-network (i.e. network over which K8S nodes communicate with each other. Usually eth0 IP is from this network). - - Example: - * Node1 IP = 192.0.2.1 - * podCIDR = 10.244.1.0/24 - * add route 10.244.1.0 255.255.255.0 192.0.2.1 - -### For OpenShift: -1. Use the following command to get the information about host names, host IP addresses, and subnets for static route configuration. - ``` - oc get hostsubnet - ``` - -2. Log on to the Citrix ADC instance. - -3. Add the route on the Citrix ADC instance using the following command. - ```add route ``` - -4. Ensure that Ingress MPX/VPX has a SNIP present in the host-network (i.e. network over which OpenShift nodes communicate with each other. Usually eth0 IP is from this network). 
- - For example, if the output of the `oc get hostsubnet` is as follows: - * oc get hostsubnet - - NAME HOST HOST IP SUBNET - os.example.com os.example.com 192.0.2.1 10.1.1.0/24 - - * The required static route is as follows: - - add route 10.1.1.0 255.255.255.0 192.0.2.1 - -## Uninstalling the Chart -To uninstall/delete the ```my-release``` deployment: - - ``` - helm delete my-release - ``` - -The command removes all the Kubernetes components associated with the chart and deletes the release. - -## Related documentation - -- [Citrix ingress controller Documentation](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/) -- [Citrix ingress controller GitHub](https://github.com/citrix/citrix-k8s-ingress-controller) diff --git a/charts/citrix/citrix-ingress-controller/1.34.16/app-readme.md b/charts/citrix/citrix-ingress-controller/1.34.16/app-readme.md deleted file mode 100644 index a8a8ebc15a..0000000000 --- a/charts/citrix/citrix-ingress-controller/1.34.16/app-readme.md +++ /dev/null @@ -1,5 +0,0 @@ -# Citrix Ingress Controller - -[Citrix Ingress Controler](https://github.com/citrix/citrix-k8s-ingress-controller) is an ingress controller for Citrix ADC MPX (hardware), Citrix ADC VPX (virtualized), and Citrix ADC CPX (containerized) for bare metal and cloud deployments. It is built around Kubernetes Ingress and automatically configures Citrix ADC based on the Ingress resource configuration. - -This Chart bootstraps standalone Citrix Ingress Controller which can be used to configure Citrix MPX or VPX. diff --git a/charts/citrix/citrix-ingress-controller/1.34.16/questions.yml b/charts/citrix/citrix-ingress-controller/1.34.16/questions.yml deleted file mode 100644 index 89389ae11e..0000000000 --- a/charts/citrix/citrix-ingress-controller/1.34.16/questions.yml +++ /dev/null 
@@ -1,348 +0,0 @@ -labels: - io.rancher.certified: partner -questions: -- variable: license.accept - required: true - type: enum - description: "Set to yes to accept the terms and conditions of the Citrix license." - label: Accept License - group: "Deployment Settings" - options: - - "yes" - - "no" -- variable: openshift - default: false - type: boolean - description: "openshift is set to true if charts are being deployed in OpenShift environment" - label: Openshift flag - group: "Deployment Settings" -- variable: adcCredentialSecret - required: true - default: "" - type: string - description: "adcCredentialSecret is secret file for NetScaler login" - label: adcCredentialSecret Name - group: "Deployment Settings" -- variable: imagePullSecrets[0] - required: false - type: string - description: "Provide list of Kubernetes secrets to be used for pulling the images from a private Docker registry or repository" - label: imagePullSecrets - group: "Deployment Settings" -- variable: nsIP - required: true - type: string - description: "nsIP is NetScaler NSIP/SNIP, SNIP in case of HA (mgmt has to be enabled)" - label: Citrix ADC IP - group: "ADC Settings" -- variable: nsVIP - required: false - type: string - label: Virtual IP of Citrix ADC - group: "ADC Settings" -- variable: nsSNIPS - required: false - type: string - description: "The list of subnet IPAddresses on the Citrix ADC device, which will be used to create PBR Routes instead of Static Routes" - label: Citrix ADC nsSNIPS - group: "ADC Settings" -- variable: nsPort - required: false - default: 443 - type: int - description: "nsPort is port for ADC NITRO" - label: nsPort - group: "ADC Settings" -- variable: nsProtocol - required: false - default: "HTTPS" - type: string - description: "nsProtocol is protocol for ADC NITRO" - label: nsProtocol - group: "ADC Settings" -- variable: entityPrefix - required: false - type: string - description: "The prefix for the resources on the Citrix ADC VPX/MPX" - label: entityPrefix - 
group: "ADC Settings" -- variable: kubernetesURL - required: false - type: string - description: "kubernetesURL is for registering events to kubeapi server" - label: Kubernetes API-server URL - group: "Deployment Settings" -- variable: clusterName - required: false - type: string - description: "The unique identifier of the kubernetes cluster on which the CIC is deployed" - label: Cluster Name - group: "Deployment Settings" -- variable: ingressClass[0] - required: false - type: string - description: "ingressClass is the name of the Ingress Class" - label: Ingress Class - group: "Deployment Settings" -- variable: setAsDefaultIngressClass - required: false - default: False - type: boolean - description: "Set the IngressClass object as default ingress class. New Ingresses without an `ingressClassName` field specified will be assigned the class specified in ingressClass. Applicable only for kubernetes versions >= 1.19" - label: setAsDefaultIngressClass - group: "Deployment Settings" -- variable: serviceClass[0] - required: false - type: string - description: "serviceClass is the name of the Service Class" - label: Service Class - group: "Deployment Settings" -- variable: defaultSSLCertSecret - required: false - type: string - description: "Provide Kubernetes secret name that needs to be used as a default non-SNI certificate in Citrix ADC." - label: defaultSSLCertSecret - group: "ADC Settings" -- variable: podIPsforServiceGroupMembers - required: false - default: False - type: boolean - description: "By default Citrix Ingress Controller will add NodeIP and NodePort as service group members,This variable if set to True will change the behaviour to add pod IP and Pod port instead of nodeIP and nodePort." 
- label: podIPsforServiceGroupMembers - group: "Deployment Settings" -- variable: ignoreNodeExternalIP - required: false - default: False - type: boolean - label: ignoreNodeExternalIP - group: "Deployment Settings" -- variable: ipam - required: false - default: False - type: boolean - description: "Set this argument if you want to use the IPAM controller to automatically allocate an IP address to the service of type LoadBalancer" - label: ipam - group: "Deployment Settings" -- variable: logProxy - required: false - default: False - type: string - description: "Provide Elasticsearch or Kafka or Zipkin endpoint for Citrix observability exporter." - label: Log Proxy - group: "Deployment Settings" -- variable: nodeWatch - required: false - default: false - type: boolean - description: "nodeWatch is used for automatic route configuration on NetScaler towards the pod network" - label: NodeWatch - group: "ADC Settings" -- variable: cncPbr - required: false - default: false - type: boolean - description: "Use this argument to inform CIC that Citrix Node Controller(CNC) is configuring Policy Based Routes(PBR) on the Citrix ADC." - label: CNC PBR - group: "ADC Settings" -- variable: nodeSelector.key - required: false - type: string - description: "Node label key to be used for nodeSelector option in CIC deployment" - label: NodeSelector Key - group: "Deployment Settings" -- variable: nodeSelector.value - required: false - type: string - description: "Node label value to be used for nodeSelector option in CIC deployment." 
- label: NodeSelector value - group: "Deployment Settings" -- variable: tolerations[0] - required: false - type: string - description: "Specify the tolerations for the CIC deployment" - label: Tolerations - group: "Deployment Settings" -- variable: updateIngressStatus - required: false - default: false - type: boolean - description: "Set this argurment if Status.LoadBalancer.Ingress field of the Ingress resources managed by the Citrix ingress controller needs to be updated with allocated IP addresses" - label: Update Ingress Status - group: "Deployment Settings" -- variable: nsHTTP2ServerSide - required: false - default: "OFF" - type: string - description: "Set this argument to ON for enabling HTTP2 for Citrix ADC service group configurations." - label: nsHTTP2ServerSide - group: "Deployment Settings" -- variable: nsCookieVersion - required: false - default: "0" - type: string - description: "Specify the persistence cookie version (0 or 1)" - label: nsCookieVersion - group: "Deployment Settings" -- variable: routeLabels - required: false - type: string - description: "You can use this parameter to provide the route labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster." 
- label: Route Labels - group: "Deployment Settings" -- variable: namespaceLabels - required: false - type: string - description: "you can use this parameter to provide the namespace labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster" - label: namespaceLabels - group: "Deployment Settings" -- variable: cic.image - required: true - type: string - default: "quay.io/citrix/citrix-k8s-ingress-controller:1.19.6" - label: CIC Image - group: "CIC Image Settings" -- variable: cic.pullpolicy - required: true - default: "IfNotPresent" - type: enum - label: CIC Image Pullpolicy - group: "CIC Image Settings" - options: - - "Always" - - "IfNotPresent" - - "Never" -- variable: logLevel - required: false - default: "INFO" - type: enum - label: CIC Loglevel - group: "CIC Image Settings" - options: - - "DEBUG" - - "INFO" - - "WARNING" - - "ERROR" - - "TRACE" -- variable: exporter.required - default: false - type: boolean - description: "If set to true exporter will be deployed as sidecar" - label: Enable Exporter - group: "Exporter Settings" -- variable: exporter.image - default: "quay.io/citrix/citrix-adc-metrics-exporter:1.4.9" - required: false - type: string - description: "Exporter Image" - label: Exporter Image - group: "Exporter Settings" -- variable: exporter.pullPolicy - required: false - default: IfNotPresent - type: string - description: "Exporter Image pull policy" - label: Exporter Image PullPolicy - group: "Exporter Settings" -- variable: exporter.ports.containerPort - required: false - default: 8888 - type: int - label: Exporter ContainerPort - group: "Exporter Settings" -- variable: crds.install - required: false - default: true - type: boolean - description: "If set to true the charts will install CustomResourceDefinitions which are consumed by CIC." 
- label: CRD flag - group: "Deployment Settings" -- variable: crds.retainOnDelete - required: false - default: false - type: boolean - description: "Set this argument to true if you want to retain CustomResourceDefinitions even after uninstalling CIC. This will avoid data-loss of Custom Resource Objects created before uninstallation." - label: CRD retainOnDelete flag - group: "Deployment Settings" -- variable: coeConfig.required - required: true - default: false - type: boolean - description: "Set this to true if you want to configure Citrix ADC to send metrics and transaction records to COE" - label: Enable COE - group: "COE Settings" -- variable: coeConfig.distributedTracing.enable - required: false - default: false - type: boolean - description: "Set this value to true to enable OpenTracing in Citrix ADC." - label: Enable coeConfig DistributedTracing - group: "COE Settings" -- variable: coeConfig.distributedTracing.samplingrate - required: false - default: "100" - type: string - description: "Specifies the OpenTracing sampling rate in percentage." 
- label: coeConfig DistributedTracing Samplingrate - group: "COE Settings" -- variable: coeConfig.endpoint.server - required: false - type: string - description: "Set this value as the IP address or DNS address of the analytics server" - label: coeConfig Endpoint Server - group: "COE Settings" -- variable: coeConfig.timeseries.port - required: false - default: "30002" - type: string - description: "Specify the port used to expose COE service outside cluster for timeseries endpoint" - label: coeConfig timeseries Port - group: "COE Settings" -- variable: coeConfig.timeseries.metrics.enable - required: false - default: False - type: boolean - description: "Set this value to true to enable sending metrics from Citrix ADC" - label: Enable coeConfig Timeseries Metrics - group: "COE Settings" -- variable: coeConfig.timeseries.metrics.mode - required: false - default: "avro" - type: string - description: "Specifies the mode of metric endpoint" - label: coeConfig Timeseries Metrics Mode - group: "COE Settings" -- variable: coeConfig.timeseries.auditlogs.enable - required: false - default: False - type: boolean - description: "Set this value to true to export audit log data from Citrix ADC" - label: coeConfig Timeseries Auditlogs Enable - group: "COE Settings" -- variable: coeConfig.timeseries.events.enable - required: false - default: False - type: boolean - description: "Set this value to true to export events from the Citrix ADC" - label: Enable coeConfig Timeseries Events - group: "COE Settings" -- variable: coeConfig.transactions.enable - required: false - default: False - type: boolean - description: "Set this value to true to export transactions from Citrix ADC" - label: Enable coeConfig Transactions - group: "COE Settings" -- variable: coeConfig.transactions.port - required: false - default: 30001 - type: string - description: "Specify the port used to expose COE service outside cluster for transaction endpoint" - label: coeConfig Transactions Port - group: "COE 
Settings"
-- variable: serviceAccount.create
- required: false
- default: true
- type: boolean
- description: "Specifies whether a ServiceAccount should be created"
- label: ServiceAccount Create
- group: "Deployment Settings"
diff --git a/charts/citrix/citrix-ingress-controller/1.34.16/templates/NOTES.txt b/charts/citrix/citrix-ingress-controller/1.34.16/templates/NOTES.txt
deleted file mode 100644
index 4d07f639fb..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.34.16/templates/NOTES.txt
+++ /dev/null
@@ -1,15 +0,0 @@
-Thank you for installing {{ .Chart.Name }}.
-
-Your release is named {{ .Release.Name }}.
-
-
-To learn more about the release, try:
-
- $ helm status {{ .Release.Name }}
- $ helm get {{ .Release.Name }}
-
-
-To delete :
- helm delete {{ .Release.Name }}
-
-
diff --git a/charts/citrix/citrix-ingress-controller/1.34.16/templates/_helpers.tpl b/charts/citrix/citrix-ingress-controller/1.34.16/templates/_helpers.tpl
deleted file mode 100644
index efca8083c7..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.34.16/templates/_helpers.tpl
+++ /dev/null
@@ -1,94 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Analytics Server IP or DNS -*/}} -{{- define "analytics.server" -}} -{{- if .Values.analyticsConfig.endpoint.server -}} -{{- printf .Values.analyticsConfig.endpoint.server -}} -{{- else -}} -{{- $addresses := first (first (lookup "v1" "Node" "" "").items).status.addresses -}} -{{- printf "%s" ($addresses).address -}} -{{- end -}} -{{- end -}} - - - -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "citrix-ingress-controller.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "citrix-ingress-controller.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{- define "exporter.fullname" -}} -{{- $name := default .Chart.Name "exporter" .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} - -{{- define "servicemonitor.fullname" -}} -{{- $name := default .Chart.Name "citrix-adc-servicemonitor" .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} - -{{- define "servicemonitorlabel" -}} 
-{{- $name := default .Chart.Name "citrix-adc-svcmon" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "cicconfigmap.fullname" -}}
-{{- $name := default .Chart.Name "cic-configmap" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "citrix-ingress-controller.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "citrix-ingress-controller.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create -}}
- {{ default (include "citrix-ingress-controller.fullname" .) .Values.serviceAccount.name }}
-{{- else -}}
- {{ default "default" .Values.serviceAccount.name }}
-{{- end -}}
-{{- end -}}
diff --git a/charts/citrix/citrix-ingress-controller/1.34.16/templates/cic_crds.yaml b/charts/citrix/citrix-ingress-controller/1.34.16/templates/cic_crds.yaml
deleted file mode 100644
index 085d7d271d..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.34.16/templates/cic_crds.yaml
+++ /dev/null
@@ -1,2549 +0,0 @@ -{{- if .Values.crds.install }} -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: rewritepolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: rewritepolicy - plural: rewritepolicies - singular: rewritepolicy - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - rewrite-policies: - type: array - items: - type: object - properties: - servicenames: - description: 'Name of the services that needs to be binded to rewrite policy.' - type: array - items: - type: string - maxLength: 127 - goto-priority-expression: - description: 'Expression or other value specifying the next policy to be - evaluated if the current policy evaluates to TRUE. - Specify one of the following values: - * NEXT - Evaluate the policy with the next higher priority number. - * END - End policy evaluation. - Default value of goto-priority-expression: END' - type: string - maxLength: 1499 - logpackets: - type: object - description: 'Adds an audit message action. - The action specifies whether to log the message, and to which log.' 
- properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' - type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - rewrite-policy: - type: object - properties: - rewrite-criteria: - description: 'Expression against which traffic is evaluated.' - type: string - maxLength: 1299 - default-action: - description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). - An UNDEF event indicates an internal error condition.' - type: string - maxLength: 77 - enum: ['NOREWRITE', 'RESET', 'DROP'] - operation: - description: 'Type of user-defined rewrite action.' - type: string - enum: ["noop", "delete", "insert_http_header", "delete_http_header", - "corrupt_http_header", "insert_before", "insert_after", "replace", - "replace_http_res", "delete_all", "replace_all", "insert_before_all", - "insert_after_all", "clientless_vpn_encode", "clientless_vpn_encode_all", - "clientless_vpn_decode", "clientless_vpn_decode_all", "insert_sip_header", - "delete_sip_header", "corrupt_sip_header", "replace_sip_res", "replace_diameter_header_field", - "replace_dns_header_field", "replace_dns_answer_section"] - target: - description: 'Default syntax expression that specifies which part of the request or response to rewrite.' - type: string - maxLength: 1229 - modify-expression: - description: 'Default syntax expression that specifies the content to insert into the request - or response at the specified location, or that replaces the specified string.' - type: string - maxLength: 7991 - multiple-occurence-modify: - description: 'Search facility that is used to match multiple strings in the request or response.' 
- type: string - maxLength: 171 - additional-multiple-occurence-modify: - description: 'Specify additional criteria to refine the results of the search. - Always starts with the "extend(m,n)" operation, where "m" specifies number of bytes to the left of selected data - and "n" specifies number of bytes to the right of selected data. - You can use refineSearch only on body expressions, and only when rewrite-criteria is any one of this: - INSERT_BEFORE_ALL, INSERT_AFTER_ALL, REPLACE_ALL, and DELETE_ALL.' - type: string - maxLength: 1299 - direction: - description: 'Bind point to which to bind the policy.' - type: string - enum: ["REQUEST","RESPONSE"] - comment: - description: 'Any comments to preserve information about this rewrite policy.' - type: string - maxLength: 255 - required: [rewrite-criteria, operation, target, direction] - required: [rewrite-policy] - - responder-policies: - type: array - items: - type: object - properties: - servicenames: - description: 'Name of the services that needs to be binded to responder policy.' - type: array - items: - type: string - maxLength: 127 - goto-priority-expression: - description: 'Expression or other value specifying the next policy to be - evaluated if the current policy evaluates to TRUE. - Specify one of the following values: - * NEXT - Evaluate the policy with the next higher priority number. - * END - End policy evaluation. - Default value of goto-priority-expression: END' - type: string - maxLength: 1499 - logpackets: - type: object - description: 'Adds an audit message action. - The action specifies whether to log the message, and to which log.' - properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' 
- type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", - "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - responder-policy: - type: object - properties: - redirect: - type: object - description: 'Use this option when you want to Redirect the request when request matches to policy.' - properties: - url: - description: 'URL on which you want to redirect the request.' - type: string - maxLength: 7991 - redirect-status-code: - description: 'HTTP response status code, for example 200, 302, 404, etc.' - type: integer - minimum: 100 - maximum: 599 - redirect-reason: - description: 'Expression specifying the reason for redirecting the request.' - type: string - maxLength: 7991 - required: [url] - respondwith: - type: object - description: 'Use this parameter when you want to respond to the request when request matches to policy.' - properties: - http-payload-string: - description: 'Expression that you want to sent as response to the request.' - type: string - maxLength: 7991 - required: [http-payload-string] - noop: - type: string - description: 'Use this option when you want to send the request to the protected server instead of - responding to it when request matches to policy.' - properties: - target: - description: 'Default syntax expression that specifies to perform noop operation on' - type: string - maxLength: 1229 - reset: - type: string - description: 'Use this option when you want to Reset the client connection by closing it when request matches to policy.' - properties: - drop: - type: string - description: 'Use this option when you want to drop the request without sending a response to the user when request matches to policy.' - properties: - respond-criteria: - description: 'Default syntax expression that the policy uses to determine whether to respond to the specified request.' 
- type: string - maxLength: 1299 - default-action: - description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). - An UNDEF event indicates an internal error condition.' - type: string - maxLength: 77 - enum: ['NOOP', 'RESET', 'DROP'] - comment: - description: 'Any comments to preserve information about this responder policy.' - type: string - maxLength: 255 - required: [respond-criteria] - oneOf: [required: [redirect], required: [respondwith], required: [noop], required: [reset], required: [drop]] - required: [responder-policy] - - dataset: - type: array - items: - type: object - properties: - name: - description: 'Name of the dataset.' - type: string - maxLength: 32 - type: - description: 'Type of value to bind to the dataset.' - type: string - enum: ["ipv4", "number", "ipv6", "ulong", "double", "mac"] - comment: - description: 'Any comments to preserve information about this dataset.' - type: string - maxLength: 255 - values: - description: 'Value of the specified type that is associated with this dataset.' - type: array - items: - type: string - required: [name, type, values] - - patset: - type: array - items: - type: object - properties: - name: - description: 'Name of the Patset.' - type: string - maxLength: 32 - comment: - description: 'Any comments to preserve information about this patset.' - type: string - maxLength: 255 - values: - description: 'String of characters that constitutes a pattern and is associated with this patset.' - type: array - items: - type: string - required: [name, values] - - stringmap: - type: array - items: - type: object - properties: - name: - description: 'Name of the Stringmap.' - type: string - maxLength: 32 - comment: - description: 'Any comments to preserve information about this stringmap.' - type: string - maxLength: 255 - values: - description: 'List of (key,value) pairs to be bound to this string map.' 
- type: array - items: - type: object - properties: - key: - description: 'Character string constituting the key to be bound to this string map.' - type: string - maxLength: 2047 - value: - description: 'Character string constituting the value associated with the key.' - type: string - maxLength: 2047 - required: [name, values] - - httpcallout_policy: - type: array - items: - type: object - properties: - name: - description: 'httpcallout name' - type: string - maxLength: 32 - server_ip: - description: 'IP Address of the server(callout agent) to which the callout is sent.' - type: string - server_port: - description: 'Port of the server(callout agent) to which the callout is sent.' - type: integer - minimum: 1 - maximum: 65535 - http_method: - description: |+ - 'Method used in the HTTP request that this callout sends. - Default http method is GET' - type: string - enum: ['GET', 'POST'] - host_expr: - description: |+ - 'String expression to configure the Host header. Can contain a literal value - (for example, 10.101.10.11) or a derived value (for example, http.req.header("Host")). - The literal value can be an IP address or a fully qualified domain name. Mutually - exclusive with the full HTTP request expression.' - type: string - maxLength: 255 - url_stem_expr: - description: |+ - 'String expression for generating the URL stem. Can contain a literal string - (for example, "/mysite/index.html") or an expression that derives the value - (for example, http.req.url).' - type: string - maxLength: 8191 - headers: - type: array - description: |+ - 'One or more headers to insert into the HTTP request. Each header is represented by - name and expr, where expr is an expression that is evaluated at runtime to provide - the value for the named header. You can configure a maximum of eight headers for - an HTTP callout.' 
- items: - type: object - properties: - name: - description: 'header name' - type: string - expr: - description: 'header expression' - type: string - parameters: - type: array - description: |+ - 'One or more query parameters to insert into the HTTP request URL (for a GET request) - or into the request body (for a POST request). Each parameter is represented by - name and expr, where expr is an expression that is evaluated at run time to provide - the value for the named parameter (name=value). The parameter values are URL encoded.' - items: - type: object - properties: - name: - description: 'parameter name' - type: string - expr: - description: 'parameter expression' - type: string - body_expr: - description: |+ - 'An advanced string expression for generating the body of the request. - The expression can contain a literal string or an expression that derives - the value (for example, client.ip.src).' - type: string - full_req_expr: - description: |+ - 'Exact HTTP request, in the form of an expression, which the Citrix ADC sends - to the callout agent. The request expression is constrained by the feature - for which the callout is used. For example, an HTTP.RES expression cannot be - used in a request-time policy bank or in a TCP content switching policy bank.' - type: string - scheme: - description: |+ - 'Type of scheme for the callout server. - Default scheme is HTTP' - type: string - enum: ['HTTP', 'HTTPS'] - cache_for_secs: - description: |+ - 'Duration, in seconds, for which the callout response is cached. - The cached responses are stored in an integrated caching content - group named "calloutContentGroup". If no duration is configured, - the callout responses will not be cached unless normal caching - configuration is used to cache them. This parameter takes precedence over any - normal caching configuration that would otherwise apply to these responses.' 
- type: integer - minimum: 1 - maximum: 31536000 - return_type: - description: |+ - 'Type of data that the target callout agent returns in response to the callout - Available settings function as follows: - * TEXT - Treat the returned value as a text string. - * NUM - Treat the returned value as a number. - * BOOL - Treat the returned value as a Boolean value.' - type: string - enum: ['TEXT', 'NUM', 'BOOL'] - result_expr: - description: |+ - 'Expression that extracts the callout results from the response sent by the HTTP callout - agent. Must be a response based expression, that is, it must begin with HTTP.RES. The - operations in this expression must match the return type. For example, if you configure - a return type of TEXT, the result expression must be a text based expression. If the - return type is NUM, the result expression (resultExpr) must return a numeric value, - as in the following example: http.res.body(10000).length.' - type: string - maxLength: 8191 - comment: - description: 'Any comments to preserve information about this HTTP callout.' 
- type: string - maxLength: 255 - allOf: - - properties: - required: [name, server_ip, server_port] - - properties: - oneOf: - - properties: - required: [full_req_expr] - - properties: - anyOf: - - properties: - required: [http_method] - - properties: - required: [host_expr] - - properties: - required: [url_stem_expr] - - properties: - required: [headers] - - properties: - required: [parameters] - - properties: - required: [body_expr] - anyOf: [required: [rewrite-policies], required: [responder-policies]] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: ratelimits.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: ratelimit - plural: ratelimits - singular: ratelimit - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the ratelimit policies are applied.' - type: array - items: - type: string - maxLength: 127 - selector_keys: - type: object - description: 'Traffic match criteria to which apply above rate-limit/throttling. All keys are applied as AND condition. 
If no keys are specified, rate-limit applies at service level' - properties: - basic: - type: object - description: "Basic traffic stream selection criteria to which to apply the ratelimit" - properties: - path: - type: array - description: "api resource path prefix match. e.g. /api/v1/products" - items: - type: string - method: - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT','PATCH', 'UNKNOWN_METHOD'] - header_name: - description: "HTTP header that identifies the unique API client for e.g. X-apikey" - type: string - per_client_ip: - description: "Setting this applies the throttling limit to each unique Client IP address accessing the API resource" - type: boolean - req_threshold: - description: 'Max requests per timeslice units to be allowed' - type: integer - timeslice: - description: 'Timeslice in miliseconds in multiple of 10. Defaults to 1000 miliseconds' - type: integer - limittype: - description: "Burst mode or smooth. Defaults to smooth limittype if not specified" - type: string - enum: ['BURSTY','SMOOTH'] - throttle_action: - type: string - enum: ['DROP', 'RESET','REDIRECT', 'RESPOND'] - description: "Drop will drop the requests exceeding limits, RESET will reset the client connection, Redirect will redirect to specified URL, respond will respond with 429 'Exceeded allowed rate of requests'" - redirect_url: - type: string - description: "Redirect-URL" - logpackets: - type: object - description: 'Adds an audit message action. The action specifies whether to log the message, and to which log.' - properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' 
- type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - required: [req_threshold] ---- -#Sample CRD instance - -#apiVersion: citrix.com/v1 -#description: VIP for apache service -#kind: vip -#metadata: -# name: service-apache -# namespace: default -#spec: -# description: VIP for the apache Service -# ipaddress: 10.99.98.90 -# kind: service -# name: apache - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: vips.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: vip - plural: vips - singular: vip - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - additionalPrinterColumns: - - jsonPath: .spec.ipaddress - name: VIP - type: string - - name: Age - type: date - jsonPath: .metadata.creationTimestamp - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - ipaddress: - type: string - name: - type: string - kind: - type: string - enum: ["service", "ingress"] - description: - type: string - range-name: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: authpolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: authpolicy - plural: authpolicies - singular: authpolicy - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: 'Current Status of the CRD' - jsonPath: .status.state - - name: Message - type: string - description: 'Status Message' - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: 
string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: |+ - 'Name of the services for which the policies applied' - type: array - items: - type: string - maxLength: 63 - authentication_mechanism: - type: object - description: |+ - 'Authentication mechanism. Options: using forms or using request header. - Default is Authentication using request header, when no option is specified' - properties: - using_request_header: - description: |+ - 'Enable user authentication using request header. Use when the credentials - or api keys are passed in a header. For example, when using Basic, Digest, - Bearer authentication or api keys. - When authentication using forms is provided, this is set to OFF' - - type: string - using_forms: - type: object - description: 'Enables authentication using forms. Use with user/web authentication.' - properties: - authentication_host: - description: |+ - 'Fully qualified domain name (FQDN) for authentication. - This FQDN should be unique and should resolve to frontend IP of - ADC with Ingress/service type LoadBalancer (or) vip of Listener CRD' - type: string - maxLength: 255 - authentication_host_cert: - description: |+ - 'Name of the SSL certificate to be used with authentication_host. 
- This certificate is mandatory while using_forms' - type: object - properties: - tls_secret: - type: string - description: 'Name of the Kubernetes Secret of type tls referring to Certificate' - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - preconfigured: - type: string - maxLength: 63 - description: |+ - 'Preconfigured SSL certkey name on ADC with the - certificate and key already added on ADC' - oneOf: - - properties: - required: [tls_secret] - - properties: - required: [preconfigured] - ingress_name: - description: |+ - 'Ingress name for which the authentication using forms - is applicable.' - type: string - maxLength: 63 - lb_service_name: - description: |+ - 'Service of type LoadBalancer for which the authentication using forms - is applicable.' - type: string - maxLength: 63 - listener_name: - description: |+ - 'Listener CRD name for which the authentication using forms is applicable.' - type: string - maxLength: 63 - vip: - description: |+ - 'Frontend IP of ingress for which the authentication - using forms is applicable. This refers to frontend-ip provided - with Ingress. It is suggested to use vip, if more than one Ingress - resource use the same frontend-ip' - type: string - required: [authentication_host, authentication_host_cert] - oneOf: - - properties: - required: [ingress_name] - - properties: - required: [lb_service_name] - - properties: - required: [listener_name] - - properties: - required: [vip] - oneOf: - - properties: - using_request_header: - enum: ['ON'] - required: [using_request_header] - - properties: - required: [using_forms] - - authentication_providers: - description: |+ - 'Authentication Configuration for required authentication providers/schemes. 
- One or more of these can be created' - type: array - items: - description: 'Create config for a single authentication provider of a particular type' - type: object - properties: - name: - description: 'Name for this provider, has to be unique, referenced by authentication policies' - type: string - maxLength: 127 - - oauth: - description: 'Authentication provided by external oAuth provider' - type: object - properties: - issuer: - description: 'Identity of the server whose tokens are to be accepted' - type: string - maxLength: 127 - audience: - description: 'Audience for which token sent by Authorization server is applicable' - type: array - items: - type: string - maxLength: 127 - jwks_uri: - description: |+ - 'URL of the endpoint that contains JWKs (Json Web Key) for - JWT (Json Web Token) verification' - type: string - maxLength: 127 - introspect_url: - description: ' URL of the introspection server' - type: string - maxLength: 127 - client_credentials: - description: |+ - 'secrets object that contains Client Id and secret as known - to Introspection server' - type: string - maxLength: 253 - token_in_hdr: - description: |+ - 'custom header name where token is present, - default is Authorization header' - type: array - items: - type: string - maxLength: 127 - maxItems: 2 - token_in_param: - description: 'query parameter name where token is present' - type: array - items: - type: string - maxLength: 127 - maxItems: 2 - signature_algorithms: - description: 'list of allowed signature algorithms, by default HS256, RS256, RS512 are allowed' - type: array - items: - type: string - enum: ['HS256', 'RS256', 'RS512'] - claims_to_save: - description: 'list of claims to be saved, used to create authorization policies' - type: array - items: - type: string - maxLength: 127 - metadata_url: - description: 'URL used to get OAUTH/OIDC provider metadata' - type: string - maxLength: 255 - user_field: - description: |+ - 'Attribute in the token from which username should be 
extracted. - by default, ADC looks at email attribute for user id' - type: string - maxLength: 127 - default_group: - description: |+ - 'group assigned to the request if authentication succeeds, - this is in addition to any extracted groups from token' - type: string - maxLength: 63 - grant_type: - description: 'used to specify the type of flow to the token end point, defaults to CODE' - type: array - items: - type: string - enum: ['CODE','PASSWORD'] - pkce: - description: 'specify whether to enable Proof Key Code Exchange, defaults to ENABLED' - type: string - enum: ['ENABLED', 'DISABLED'] - token_ep_auth_method: - description: |+ - 'authentication method to be used with token end point, - defaults to client_secret_post' - type: string - enum: ['client_secret_post', 'client_secret_jwt'] - - anyOf: - - properties: - required : [jwks_uri] - - properties: - required : [introspect_url, client_credentials] - - properties: - required : [metadata_url] - - ldap: - description: 'LDAP authentication provider' - type: object - properties: - server_ip: - description: 'IP address assigned to the LDAP server' - type: string - server_name: - description: 'LDAP server name as a FQDN' - type: string - maxLength: 127 - server_port: - description: 'Port on which the LDAP server accepts connections. Default is 389' - type: integer - minimum: 1 - maximum: 65535 - base: - description: |+ - 'Base (node) from which to start LDAP searches. If the LDAP server is - running locally, the default value of base is dc=netscaler, dc=com' - type: string - maxLength: 127 - server_login_credentials: - description: |+ - 'Kubernetes secret object providing credentials to login to LDAP server, - The secret data should have username and password' - type: string - login_name: - description: |+ - 'LDAP login name attribute. 
The Citrix ADC uses the LDAP login name - to query external LDAP servers or Active Directories' - type: string - maxLength: 127 - security_type: - description: |+ - 'Type of security used for communications between the Citrix ADC - and the LDAP server. Default is TLS' - type: string - enum: ['PLAINTEXT', 'TLS', 'SSL'] - validate_server_cert: - description: 'Validate LDAP Server certs. Default is NO' - type: string - enum: ['YES', 'NO'] - hostname: - description: |+ - 'Hostname for the LDAP server. If validate_server_cert is ON, - this must be the host name on the certificate from the LDAP - A hostname mismatch will cause a connection failure' - type: string - maxLength: 127 - sub_attribute_name: - description: 'LDAP group sub-attribute name. Used for group extraction from the LDAP server.' - type: string - maxLength: 31 - group_attribute_name: - description: 'LDAP group attribute name. Used for group extraction on the LDAP server.' - type: string - maxLength: 31 - search_filter: - description: |+ - 'String to be combined with the default LDAP user search string to form the - search value. For example, if the search filter "vpnallowed=true" is combined - with the LDAP login name "samaccount" and the user-supplied username is "bob", - the result is the LDAP search string ""(&(vpnallowed=true)(samaccount=bob)"" - (Be sure to enclose the search string in two sets of double quotation marks)' - type: string - maxLength: 255 - auth_timeout: - description: |+ - 'Number of seconds the Citrix ADC waits for a response from the server - Default is 3' - type: integer - minimum: 1 - maximum: 4294967295 - password_change: - description: 'Allow password change requests. 
Default is DISABLED' - type: string - enum: ['ENABLED', 'DISABLED'] - attributes_to_save: - description: |+ - 'List of attribute names separated by comma which needs to be fetched - from LDAP server and stored as key-value pair for the session on ADC' - type: string - maxLength: 2047 - oneOf: - - properties: - required: [server_ip] - - properties: - required: [server_name] - - saml: - description: |+ - 'SAML authentication provider. - Currently SAML is supported only with authentication mechanism using forms' - type: object - properties: - metadata_url: - description: 'URL is used for obtaining saml metadata.' - type: string - maxLength: 255 - metadata_refresh_interval: - description: |+ - 'Interval in minutes for fetching metadata from specified metadata URL. - Default is 36000' - type: integer - minimum: 1 - maximum: 4294967295 - signing_cert: - description: 'SSL certificate to sign requests from SP to IDP' - type: object - properties: - tls_secret: - type: string - description: 'Name of the Kubernetes Secret of type tls referring to Certificate' - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - preconfigured: - type: string - maxLength: 63 - description: |+ - 'Preconfigured SSL certkey name on ADC with the - certificate and key already added on ADC' - oneOf: - - properties: - required: [tls_secret] - - properties: - required: [preconfigured] - audience: - description: 'Audience for which assertion sent by IdP is applicable' - type: string - maxLength: 127 - issuer_name: - description: 'The name to be used in requests sent from SP to IDP to identify citrix ADC' - type: string - maxLength: 63 - binding: - description: 'Specifies the transport mechanism of saml message. Default is POST' - type: string - enum: ['REDIRECT', 'POST', 'ARTIFACT'] - artifact_resolution_service_url: - description: 'URL of the Artifact Resolution Service on IdP' - type: string - maxLength: 255 - logout_binding: - description: 'Specifies the transport mechanism of saml logout. 
Default is POST' - type: string - enum: ['REDIRECT', 'POST'] - reject_unsigned_assertion: - description: |+ - 'Reject unsigned SAML assertions. ON, rejects assertion without signature. - STRICT ensure that both Response and Assertion are signed. Default is ON' - type: string - enum: ['ON', 'OFF', 'STRICT'] - user_field: - description: 'SAML user ID, as given in the SAML assertion' - type: string - maxLength: 63 - default_authentication_group: - description: |+ - 'This is the default group that is chosen when the authentication - succeeds in addition to extracted groups' - type: string - maxLength: 63 - skew_time: - description: |+ - 'Allowed clock skew in number of minutes on an incoming assertion. - Default is 5' - type: integer - minimum: 1 - attributes_to_save: - description: |+ - 'List of attribute names separated by comma which needs to be extracted - and stored as key-value pair for the session on ADC' - type: string - maxLength: 2047 - required: - - metadata_url - - basic_local_db: - type: object - description: |+ - 'Basic HTTP authentication supported by ADC, user data in local DB of ADC. - Users needs to be added on ADC' - properties: - use_local_auth: - description: 'Use ADC authentication' - type: string - enum: ['YES'] - - required: - - name - - authentication_policies: - description: 'Authentication policies' - type: array - items: - type: object - description: 'Authentication policy' - properties: - resource: - type: object - description: 'endpoint/resource selection criteria' - properties: - path: - description: 'api resource path e.g. /products. 
' - type: array - items: - type: string - maxLength: 511 - method: - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT','PATCH', 'UNKNOWN_METHOD'] - required: - - path - expression: - description: 'ADC syntax expression for authentication' - type: string - maxLength: 1229 - provider: - description: 'name of the authentication provider for the policy, empty if no authentication required' - type: array - items: - type: string - maxLength: 127 - maxItems: 1 - oneOf: - - required: [resource, provider] - - required: [expression, provider] - - authorization_policies: - description: 'Authorization policies' - type: array - items: - type: object - description: 'Authorization policy' - properties: - resource: - type: object - description: 'endpoint/resource selection criteria' - properties: - path: - description: 'api resource path e.g. /products. ' - type: array - items: - type: string - maxLength: 511 - method: - description: ' http method' - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT','PATCH', 'UNKNOWN_METHOD'] - claims: - description: 'authorization scopes required for selected resource saved as claims or attributes' - type: array - items: - type: object - properties: - name: - description: 'name of the claim/attribute to check' - type: string - maxLength: 127 - values: - description: 'list of claim values required for the request' - type: array - items: - type: string - maxLength: 127 - minItems: 1 - required: - - name - - values - required: - - claims - expression: - description: 'ADC syntax expression for authorization' - type: string - maxLength: 1229 - oneOf: - - required: [resource] - - required: [expression] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: listeners.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - 
group: citrix.com - names: - kind: Listener - plural: listeners - singular: listener - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - required: [spec] - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - required: [protocol] - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - protocol: - type: string - enum: ["https", "http"] - description: "Protocol for this listener" - vip: - type: string - description: "VIP address, Optional for CPX, required for Tier-1 deployments" - secondaryVips: - type: array - description: "An array of Secondary VIPs. All the VIPs will be part of an ipset" - minItems: 1 - items: - type: string - redirectPort: - type: integer - minimum: 1 - maximum: 65535 - description: "Port from which http traffic should be redirected to https" - port: - type: integer - minimum: 1 - maximum: 65535 - certificates: - type: array - description: "certificates attached to the endpoints - Not applicable for HTTP" - minItems: 1 - items: - type: object - properties: - preconfigured: - type: string - description: "Preconfigured Certificate name on ADC " - secret: - type: object - description: "Kuberentes secret object" - required: [name] - properties: - name: - type: string - description: "name of the Kubernetes Secret object where Cert is located" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - namespace: - type: string - description: "Namespace of the kubernetes secret object; Default is same namespace where the Listener object is located" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - default: - type: boolean - description: "Only one of the certificate can be marked as default which will be presented if none of 
the cert matches with the hostname" - oneOf: - - required: ["preconfigured"] - - required: ["secret"] - policies: - type: object - description: "Policies attached to the Listener" - properties: - httpprofile: - type: object - description: "HTTP profile configurations for the Listener, HTTP level configurations" - properties: - preconfigured: - type: string - description: "Preconfigured or Built-in HTTP profile name" - config: - type: object - description: "HTTP profile configuration for the listener. For individual fields, refer:https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ns/nshttpprofile/nshttpprofile/ Name field is auto populated" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - tcpprofile: - type: object - description: "TCP level configurations, uses ns tcpprofile of citrix ADC" - properties: - preconfigured: - description: "Preconfigured or Built-in TCP profile name" - type: string - config: - type: object - description: "TCPprofile configurations for the listener. For individual fields refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ns/nstcpprofile/ ; Name field is auto populated" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - csvserverConfig: - type: object - description: "CS Vserver configuration for the listener" - additionalProperties: - type: string - sslprofile: - type: object - description: "SSL profile configuration" - properties: - preconfigured: - type: string - description: "SSL profile which is preconfigured in ADC. Ciphers bound to the profile is not overriden" - config: - description: "Citrix ADC frontend SSL profile configurations. 
Refer:https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ssl/sslprofile/ for all configurations; Name field is auto generated" - type: object - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - sslciphers: - type: array - description: "List of ciphers to be bound to the ssl profile for the listener. Priority is as per the order in the list. A cipher suite, predefined cipher group or User created cipher group can be mentioned" - minItems: 1 - items: - type: string - description: "Cipher suite, cipher group name" - analyticsprofile: - type: object - description: "Analytics profile configuration" - properties: - preconfigured: - type: array - description: "Preconfigured Analytics profile that needs to be bound to the vserver" - minItems: 1 - items: - type: string - description: "Name of the analytics profile preconfigured that will be bound to the Vserver" - config: - type: array - description: "An array of analytics to be enabled" - minItems: 1 - items: - type: object - description: "Anlytics to be enabled" - required: ['type'] - properties: - type: - description: "Analytics profile to be enabled, you can enable one or more of the webinsight, tcpinsight, securityinsight, videoinsight, hdxinsight, gatewayinsight, timeseries, lsninsight, botinsight " - type: string - enum: ["webinsight", "tcpinsight", "securityinsight", "videoinsight", "hdxinsight", "gatewayinsight", "timeseries", "lsninsight", "botinsight"] - parameters: - type: object - description: "Additional parameters for analytics profile. 
Please refer:https://developer-docs.citrix.com/projects/citrix-adc-nitro-api-reference/en/latest/configuration/analytics/analyticsprofile/" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - routes: - type: array - description: "List of route objects attached to the listener" - minItems: 1 - items: - type: object - properties: - name: - type: string - description: "Name of the HTTPRoute object" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - namespace: - type: string - description: "Namespace of the HTTPRoute object" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - labelSelector: - description: "Labels key value pair, if the route carries the same labels, it is automatically attached" - type: object - additionalProperties: - type: string - oneOf: - - required: [name, namespace] - - required: [labelSelector] - defaultAction: - type: object - description: "Default action for the listener: One of Backend or Redirect" - properties: - backend: - type: object - oneOf: - - required: [kube] - properties: - kube: - type: object - required: [service, port] - properties: - service: - description: "Name of the backend service" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - port: - description: "Service port" - type: integer - minimum: 1 - maximum: 65535 - namespace: - description: "Service namespace" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - backendConfig: - description: "General backend service options" - type: object - properties: - secure_backend: - description: "Use Secure communications to the backends" - type: boolean - lbConfig: - description: "Citrix ADC LB vserver configurations for the backend. 
Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/load-balancing/lbvserver/lbvserver/ for all configurations" - type: object - additionalProperties: - type: string - servicegroupConfig: - description: "Citrix ADC service group configurations for the backend; Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/basic/servicegroup/servicegroup/ for all configurations" - type: object - additionalProperties: - type: string - redirect: - type: object - oneOf: - - required: [targetExpression] - - required: [hostRedirect] - - required: [httpsRedirect] - properties: - httpsRedirect: - description: "Change the scheme from http to https keeping URL intact" - type: boolean - hostRedirect: - description: "Host name specified is used for redirection with URL intact" - type: string - targetExpression: - description: "A target can be specified using Citrix ADC policy expression" - type: string - responseCode: - description: "Default response code is 302, which can be customised using this attribute" - type: integer - minimum: 100 - maximum: 599 - oneOf: - - required: ["backend"] - - required: ["redirect"] - subresources: - # status enables the status subresource. 
- status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: httproutes.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: HTTPRoute - plural: httproutes - singular: httproute - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - required: [rules] - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - hostname: - type: array - description: "List of domain names that share the same route, default is '*'" - minItems: 1 - items: - type: string - description: "Domain name" - rules: - type: array - description: "List Content routing rules with an action defined" - minItems: 1 - items: - type: object - required: [name, action] - properties: - name: - type: string - description: "A name to represent the rule, this is used as an identifier in content routing policy name in ADC" - minLength: 1 - maxLength: 20 - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - match: - type: array - description: "List of rules with same action" - minItems: 1 - items: - type: object - anyOf: - - required: [path] - - required: [headers] - - required: [cookies] - - required: [queryParams] - - required: [method] - - required: [policyExpression] - properties: - path: - type: object - description: "URL Path based content routing" - properties: - prefix: - type: string - description: "URL path matches the prefix expression" - exact: - type: string - description: "URL Path must match exact path" - regex: - type: string - description: "PCRE based 
regex expression for path matching" - headers: - type: array - description: "List of header for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Header details for content routing, Check for existence of a header or header name-value match" - properties: - headerName: - type: object - description: "Header name based content routing, Here existence of header is used for routing" - properties: - exact: - type: string - description: "Header Name - treated as exact must exist" - contains: - type: string - description: "Header Name - A header must exist that contain the string the name" - regex: - type: string - description: "header Name - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e header name must not exist" - oneOf: - - required: [exact] - - required: [contains] - - required: [regex] - headerValue: - type: object - description: "Header Name and Value based match" - properties: - name: - type: string - description: "Header name that must match the value" - exact: - type: string - description: "Header value - treated as exact" - contains: - type: string - description: "Header value - treated as contains" - regex: - type: string - description: "header value - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e header if present must not match the value" - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - queryParams: - type: array - description: "List of Query parameters for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Query parameters Name and Value based match" - properties: - name: - type: string - description: "Query name that must match the value. 
If no value is specified, matches with any value" - exact: - type: string - description: "Query value - Exact match" - contains: - type: string - description: "Query value - value must have the string(substring)" - regex: - type: string - description: "Query value - Value must match this regex patterm" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e query if present must not match the value" - anyOf: - - required: [name] - - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - cookies: - type: array - description: "List of Cookie params for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Cookie based routing" - properties: - name: - type: string - description: "cookie name that must match the value. If no value specified, it matches with any value" - exact: - type: string - description: "cookie value - treated as exact" - contains: - type: string - description: "cookie value - treated as substring" - regex: - type: string - description: "cookie value - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. 
I.e cookie if present must not match the value" - anyOf: - - required: [name] - - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - method: - type: string - description: "HTTP method for content routing eg: POST, PUT, DELETE etc" - policyExpression: - type: string - description: "Citrix ADC policy expressions; refer: https://docs.citrix.com/en-us/netscaler/media/expression-prefix.pdf" - action: - type: object - description: "Action for the matched rule" - properties: - backend: - type: object - oneOf: - - required: [kube] - properties: - kube: - type: object - required: [service, port] - properties: - service: - description: "Name of the backend service" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - port: - description: "Service port" - type: integer - minimum: 1 - maximum: 65535 - backendConfig: - type: object - description: "General backend service options" - properties: - secureBackend: - description: "Use Secure communications to the backends" - type: boolean - lbConfig: - description: "Citrix ADC LB vserver configurations for the backend. 
Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/load-balancing/lbvserver/lbvserver/ for all configurations" - type: object - additionalProperties: - type: string - servicegroupConfig: - description: "Citrix ADC service group configurations for the backend; Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/basic/servicegroup/servicegroup/ for all configurations" - type: object - additionalProperties: - type: string - redirect: - type: object - oneOf: - - required: [targetExpression] - - required: [hostRedirect] - - required: [httpsRedirect] - properties: - httpsRedirect: - description: "Change the scheme from http to https keeping URL intact" - type: boolean - hostRedirect: - description: "Host name specified is used for redirection with URL intact" - type: string - targetExpression: - description: "A target can be specified using Citrix ADC policy expression" - type: string - responseCode: - description: "Default response code is 302, which can be customised using this attribute" - type: integer - minimum: 100 - maximum: 599 - oneOf: - - required: ["backend"] - - required: ["redirect"] - subresources: - # status enables the status subresource. - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - # name must match the spec fields below, and be in the form: . 
- name: continuousdeployments.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: continuousdeployment - plural: continuousdeployments - singular: continuousdeployment - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - cronSpec: - type: integer - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: wafs.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: waf - plural: wafs - singular: waf - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the waf policies are applied.' 
- type: array - items: - type: string - maxLength: 127 - application_type: - description: 'Type of applications to protect' - type: array - items: - type: string - enum: ['HTML', 'JSON', 'XML'] - signatures: - description: 'Location of external signature file' - type: string - redirect_url: - description: 'When a URL is blocked/down, redirect_url represents the alternate URL where the client requests should be sent.' - type: string - html_error_object: - description: 'Location of customized error page to respond when html or common violation are hit' - type: string - xml_error_object: - description: 'Location of customized error page to respond when xml violations are hit' - type: string - json_error_object: - description: 'Location of customized error page to respond when json violations are hit' - type: string - ip_reputation: - type: object - x-kubernetes-preserve-unknown-fields: true - description: 'Enabling IP reputation feature' - target: - description: 'To control what traffic to be inspected by Web Application Firewall. 
If you do not provide the target, everything will be inspected by default' - type: object - properties: - path: - type: array - description: "List of http urls to inspect" - items: - type: string - description: "URL path" - method: - type: array - description: "List of http methods to inspect" - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT','PATCH', 'UNKNOWN_METHOD'] - header: - type: array - description: "List of http headers to inspect" - items: - type: string - description: "header name" - security_checks: - description: 'To enable/disable application firewall security checks' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true - settings: - description: 'To fine tune application firewall security checks default settings' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true - relaxations: - description: 'Section which contains relaxation rules for known traffic and false positives' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true - enforcements: - description: 'Section which contains enforcement or restriction rules' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - 
x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: bots.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: bot - plural: bots - singular: bot - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the bot policies are applied.' - type: array - items: - type: string - maxLength: 127 - signatures: - description: 'Location of external bot signature file' - type: string - redirect_url: - description: 'url to redirect when bot violation is hit' - type: string - target: - description: 'To control what traffic to be inspected by BOT. 
If you do not provide the target, everything will be inspected by default' - type: object - properties: - path: - type: array - description: "List of http urls to inspect" - items: - type: string - description: "URL path" - method: - type: array - description: "List of http methods to inspect" - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT','PATCH', 'UNKNOWN_METHOD'] - header: - type: array - description: "List of http headers to inspect" - items: - type: string - description: "header name" - security_checks: - description: 'To enable/disable bot ecurity checks' - type: object - properties: - allow_list: - type: string - enum: ['ON', 'OFF'] - block_list: - type: string - enum: ['ON', 'OFF'] - device_fingerprint: - type: string - enum: ['ON', 'OFF'] - device_fingerprint_action: - type: object - x-kubernetes-preserve-unknown-fields: true - headless_browser: - type: string - enum: ['ON','OFF'] - reputation: - type: string - enum: ['ON', 'OFF'] - ratelimit: - type: string - enum: ['ON', 'OFF'] - tps: - type: string - enum: ['ON', 'OFF'] - trap: - type: object - x-kubernetes-preserve-unknown-fields: true - bindings: - description: 'Section which contains binding rules for bot security checks' - type: object - properties: - allow_list: - type: array - items: - type: object - properties: - subnet: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - ipv6: - type: object - x-kubernetes-preserve-unknown-fields: true - ipv6_subnet: - type: object - x-kubernetes-preserve-unknown-fields: true - expression: - type: object - x-kubernetes-preserve-unknown-fields: true - - block_list: - type: array - items: - type: object - properties: - subnet: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - ipv6: - type: object - x-kubernetes-preserve-unknown-fields: true - ipv6_subnet: - 
type: object - x-kubernetes-preserve-unknown-fields: true - expression: - type: object - x-kubernetes-preserve-unknown-fields: true - ratelimit: - type: array - items: - type: object - properties: - url: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - cookie: - type: object - x-kubernetes-preserve-unknown-fields: true - geolocation: - type: object - x-kubernetes-preserve-unknown-fields: true - reputation: - type: object - x-kubernetes-preserve-unknown-fields: true - captcha: - type: array - items: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - logexp: - type: array - items: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - kbmexpr: - type: array - items: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - tps: - type: object - properties: - geolocation: - type: object - x-kubernetes-preserve-unknown-fields: true - host: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - url: - type: object - x-kubernetes-preserve-unknown-fields: true - trapinsertion: - type: object - x-kubernetes-preserve-unknown-fields: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: apigatewaypolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: apigatewaypolicy - plural: apigatewaypolicies - singular: apigatewaypolicy - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - subresources: - status: {} - schema: - openAPIV3Schema: - type: object - required: 
[spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - api_definition: - type: object - properties: - repository: - type: string - branch: - type: string - oas_secret_ref: - type: string - files: - type: array - items: - type: string - maxLength: 127 - api_proxy: - type: object - properties: - ipaddress: - type: string - port: - type: integer - protocol: - type: string - secret: - type: string - policies: - type: array - items: - type: object - properties: - name: - type: string - selector: - type: array - items: - type: object - properties: - tags: - type: array - items: - type: string - api: - type: string - method: - type: array - items: - type: string - maxLength: 127 - upstream: - type: object - properties: - service: - type: string - port: - type: integer - policy_bindings: - type: object - properties: - ratelimit: - type: object - properties: - name: - type: string - waf: - type: object - properties: - name: - type: string - rewritepolicy: - type: object - properties: - name: - type: string - bot: - type: object - properties: - name: - type: string - aaa: - type: array - items: - type: object - properties: - crd_name: - type: string - mappings: - type: array - items: - type: object - properties: - petstore_auth: - type: string - api_key: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: corspolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: corspolicy - plural: corspolicies - singular: corspolicy - shortNames: - - cp - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: 'Current Status of the CRD' - jsonPath: .status.state - - name: Message - type: string - 
description: 'Status Message' - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'The list of Kubernetes services to which you want to apply the cors policies.' - type: array - items: - type: string - maxLength: 63 - allow_origin: - description: 'Represents list of allowed origins, it is used to screen the “origin” in the cors pre flight request' - type: array - items: - type: string - maxLength: 2083 - allow_methods: - description: 'Indicates which methods are supported by the response’s URL for the purposes of the CORS protocol. This variable will be used to set Access-Control-Allow-Methods in the pre-flight cors response.' - type: array - items: - type: string - maxLength: 127 - allow_headers: - description: 'Indicates which headers are supported by the response’s URL for the purposes of the CORS protocol. This variable will be used to set Access-Control-Allow-Headers in the pre-flight cors response.' - type: array - items: - type: string - maxLength: 127 - max_age: - description: 'Indicates the number of seconds (5 by default) the information provided by the `Access-Control-Allow-Methods` and `Access-Control-Allow-Headers` headers can be cached. This variable will be used to set Access-Control-Max-Age in the pre-flight cors response.' - type: integer - allow_credentials: - description: 'Indicates whether the response can be shared when the request’s credentials mode is "include". This variable will be set to Access-Control-Allow-Credentials in the rewrite action.' 
- type: boolean - required: [servicenames, allow_origin, allow_methods, allow_headers] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: appqoepolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: appqoepolicy - plural: appqoepolicies - singular: appqoepolicy - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - appqoe-policies: - type: array - items: - type: object - properties: - servicenames: - description: 'Name of the services that needs to be binded to appqoe policy.' - type: array - items: - type: string - maxLength: 127 - appqoe-policy: - type: object - properties: - operation-retry: - type: object - properties: - on-reset: - description: "To set Retry on Connection Reset or Not" - type: string - enum: ['YES','NO'] - on-timeout: - description: "Time in milliseconds for retry" - type: integer - minimum: 30 - maximum: 2000 - number-of-retries: - description: "To set number of retries" - type: integer - minimum: 1 - maximum: 7 - required: [operation-retry] - appqoe-criteria: - description: 'Expression against which traffic is evaluated.' - type: string - maxLength: 1299 - direction: - description: 'Bind point to which to bind the policy.' 
- type: string - enum: ["REQUEST","RESPONSE"] - required: [appqoe-criteria, operation-retry] - required: [appqoe-policy] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: wildcarddnsentries.citrix.com -spec: - group: citrix.com - names: - kind: wildcarddnsentry - plural: wildcarddnsentries - singular: wildcarddnsentry - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: Current Status of the CRD - jsonPath: .status.state - - name: Message - type: string - description: Status Message - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - zone: - type: object - description: DNS configuration for a zone - properties: - domain: - type: string - description: Domain name - dnsaddrec: - type: object - description: DNS Address record - properties: - domain-ip: - type: string - description: IPv4 addresses to assign to the domain name - ttl: - type: integer - description: >- - TTL is the time for which the record must be cached - by DNS proxies - dnsaaaarec: - type: object - description: DNS AAAA record - properties: - domain-ip: - type: string - description: IPv6 addresses to assign to the domain name - ttl: - type: integer - description: >- - TTL is the time for which the record must be cached - by DNS proxies - soarec: - type: object - description: SOA record - properties: - origin-server: - type: string - description: Origin server domain - contact: - type: string - description: Admin contact - serial: - type: integer - description: >- - The secondary server uses this parameter to - determine whether it requires a zone transfer from - the primary server. 
- refresh: - type: integer - description: >- - Time, in seconds, for which a secondary server must - wait between successive checks on the value of the - serial number. - retry: - type: integer - description: >- - Time, in seconds, between retries if a secondary server's - attempt to contact the primary server for a zone refresh fails. - expire: - type: integer - description: >- - Time, in seconds, after which the zone data on a secondary - nameserver can no longer be considered authoritative because - all refresh and retry attempts made during the period have failed." - nsrec: - type: object - description: Name server record - properties: - nameserver: - type: string - description: Host name of the name server to add to the domain. - ttl: - type: integer - description: >- - Time to Live (TTL), in seconds, for the record. TTL - is the time for which the record must be cached by - DNS proxies. The specified TTL is applied to all the - resource records that are of the same record type - and belong to the specified domain name ---- -{{- end }} diff --git a/charts/citrix/citrix-ingress-controller/1.34.16/templates/citrix-k8s-ingress.yaml b/charts/citrix/citrix-ingress-controller/1.34.16/templates/citrix-k8s-ingress.yaml deleted file mode 100644 index 45d14b69c4..0000000000 --- a/charts/citrix/citrix-ingress-controller/1.34.16/templates/citrix-k8s-ingress.yaml +++ /dev/null 
@@ -1,267 +0,0 @@ -{{- if .Values.openshift }} -apiVersion: apps.openshift.io/v1 -kind: DeploymentConfig -{{- else }} -apiVersion: apps/v1 -kind: Deployment -{{- end }} -metadata: - name: {{ include "citrix-ingress-controller.fullname" . }} - namespace: {{ .Release.Namespace }} -spec: - selector: -{{- if .Values.openshift }} - router: {{ include "citrix-ingress-controller.fullname" . }} -{{- else }} - matchLabels: - app: {{ include "citrix-ingress-controller.fullname" . }} -{{- end }} - replicas: 1 -{{- if .Values.openshift }} - strategy: - resources: {} - rollingParams: - intervalSeconds: 1 - maxSurge: 0 - maxUnavailable: 25% - timeoutSeconds: 600 - updatePeriodSeconds: 1 - type: Rolling -{{- end }} - template: - metadata: - name: cic - labels: -{{- if .Values.openshift }} - router: {{ include "citrix-ingress-controller.fullname" . }} -{{- else }} - app: {{ include "citrix-ingress-controller.fullname" . }} -{{- end }} -{{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} -{{- end }} - spec: - serviceAccountName: {{ include "citrix-ingress-controller.serviceAccountName" . }} - containers: - - name: cic - image: "{{ tpl .Values.image . }}" - imagePullPolicy: {{ .Values.pullPolicy }} - args: - - --configmap - {{ .Release.Namespace }}/{{ include "cicconfigmap.fullname" . 
}} -{{- if .Values.defaultSSLCertSecret }} - - --default-ssl-certificate - {{ .Release.Namespace }}/{{ .Values.defaultSSLCertSecret }} -{{- end }} -{{- if .Values.ingressClass }} - - --ingress-classes -{{- range .Values.ingressClass}} - {{.}} -{{- end }} -{{- end }} -{{- if .Values.serviceClass }} - - --service-classes -{{- range .Values.serviceClass}} - {{.}} -{{- end }} -{{- end }} - - --feature-node-watch - {{ .Values.nodeWatch }} - - --enable-cnc-pbr - {{ .Values.cncPbr }} -{{- if .Values.ipam }} - - --ipam - citrix-ipam-controller -{{- end }} -{{- if .Values.disableAPIServerCertVerify }} - - --disable-apiserver-cert-verify - {{ .Values.disableAPIServerCertVerify }} -{{- end }} -{{- if .Values.updateIngressStatus }} - - --update-ingress-status - yes -{{- end }} - env: - - name: "NS_IP" - value: "{{ .Values.nsIP }}" -{{- if .Values.nsVIP }} - - name: "NS_VIP" - value: "{{ .Values.nsVIP }}" -{{- end }} -{{- if .Values.rbacRole }} - - name: "SCOPE" - value: "local" -{{- end }} -{{- if .Values.nitroReadTimeout }} - - name: "NS_NITRO_READ_TIMEOUT" - value: "{{ .Values.nitroReadTimeout }}" -{{- end }} - - name: "NS_USER" - {{- if and .Values.secretStore.enabled .Values.secretStore.username}} - {{- toYaml .Values.secretStore.username | nindent 10 }} - {{- else }} - valueFrom: - secretKeyRef: - name: {{ .Values.adcCredentialSecret }} - key: username - {{- end }} - - name: "NS_PASSWORD" - {{- if and .Values.secretStore.enabled .Values.secretStore.password}} - {{- toYaml .Values.secretStore.password | nindent 10 }} - {{- else }} - valueFrom: - secretKeyRef: - name: {{ .Values.adcCredentialSecret }} - key: password - {{- end }} - - name: "EULA" - value: "{{ .Values.license.accept }}" -{{- if and .Values.openshift .Values.routeLabels }} - - name: "ROUTE_LABELS" - value: {{ .Values.routeLabels | quote}} -{{- end }} -{{- if and .Values.openshift .Values.namespaceLabels }} - - name: "NAMESPACE_LABELS" - value: {{ .Values.namespaceLabels | quote }} -{{- end }} - - name: 
"NS_APPS_NAME_PREFIX" - value: {{ .Values.entityPrefix | default "k8s"| quote }} -{{- if .Values.kubernetesURL }} - - name: "kubernetes_url" - value: "{{ .Values.kubernetesURL }}" -{{- end }} -{{- if .Values.clusterName }} - - name: "CLUSTER_NAME" - value: "{{ .Values.clusterName }}" -{{- end }} -{{- if .Values.logProxy }} - - name: "NS_LOGPROXY" - value: "{{ .Values.logProxy }}" -{{- end }} -{{- if .Values.disableOpenshiftRoutes }} - - name: "DISABLE_OPENSHIFT_ROUTES" - value: "{{ .Values.disableOpenshiftRoutes }}" -{{- end }} -{{- if .Values.nsConfigDnsRec }} - - name: "NS_CONFIG_DNS_REC" - value: "{{ .Values.nsConfigDnsRec }}" -{{- end }} -{{- if .Values.nsSvcLbDnsRec }} - - name: "NS_SVC_LB_DNS_REC" - value: "{{ .Values.nsSvcLbDnsRec }}" -{{- end }} -{{- if .Values.optimizeEndpointBinding }} - - name: "OPTIMIZE_ENDPOINT_BINDING" - value: "{{ .Values.optimizeEndpointBinding }}" -{{- end }} - resources: - {{- toYaml .Values.resources | nindent 12 }} - {{- if ne (len .Values.extraVolumeMounts) 0 }} - volumeMounts: -{{- toYaml .Values.extraVolumeMounts | nindent 8 }} - {{- end }} -{{- if .Values.exporter.required }} - - name: exporter - image: "{{ tpl .Values.exporter.image . 
}}" - imagePullPolicy: {{ .Values.exporter.pullPolicy }} - args: - - "--target-nsip={{ .Values.nsIP }}" - - "--port={{ .Values.exporter.ports.containerPort }}" - env: - - name: "NS_USER" - {{- if and .Values.secretStore.enabled .Values.secretStore.username}} - {{- toYaml .Values.secretStore.username | nindent 10 }} - {{- else }} - valueFrom: - secretKeyRef: - name: {{ .Values.adcCredentialSecret }} - key: username - {{- end }} - - name: "NS_PASSWORD" - {{- if and .Values.secretStore.enabled .Values.secretStore.password}} - {{- toYaml .Values.secretStore.password | nindent 10 }} - {{- else }} - valueFrom: - secretKeyRef: - name: {{ .Values.adcCredentialSecret }} - key: password - {{- end }} - {{- if ne (len .Values.exporter.extraVolumeMounts) 0 }} - volumeMounts: - {{- toYaml .Values.exporter.extraVolumeMounts | nindent 8 }} - {{- end }} - securityContext: - readOnlyRootFilesystem: true - resources: -{{- toYaml .Values.exporter.resources | nindent 12 }} -{{- end }} -{{- if or (and .Values.extraVolumeMounts .Values.extraVolumes) (and .Values.exporter.extraVolumeMounts .Values.extraVolumes) }} - volumes: -{{- end }} -{{- if ne (len .Values.extraVolumes) 0 }} -{{ toYaml .Values.extraVolumes | indent 6 }} -{{- end }} -{{- if and .Values.nodeSelector.key .Values.nodeSelector.value }} - nodeSelector: - {{ .Values.nodeSelector.key }}: {{ .Values.nodeSelector.value }} -{{- end }} -{{- if .Values.tolerations }} - tolerations: {{ .Values.tolerations | toYaml | nindent 8 }} -{{- end }} -{{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} -{{- end }} - ---- - -{{- if .Values.exporter.required }} - - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "exporter.fullname" . }} - labels: - app: {{ include "exporter.fullname" . }} - service-type: {{ include "servicemonitorlabel" . 
}} -spec: - type: ClusterIP - ports: - - port: {{ .Values.exporter.ports.containerPort }} - targetPort: {{ .Values.exporter.ports.containerPort }} - name: exporter-port - selector: -{{- if .Values.openshift }} - router: {{ include "citrix-ingress-controller.fullname" . }} -{{- else }} - app: {{ include "citrix-ingress-controller.fullname" . }} -{{- end }} - ---- - -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ include "servicemonitor.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - servicemonitor: citrix-adc - {{- with .Values.exporter.serviceMonitorExtraLabels }} - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - endpoints: - - interval: 30s - port: exporter-port - selector: - matchLabels: - service-type: {{ include "servicemonitorlabel" . }} - namespaceSelector: - matchNames: - - monitoring - - default - - {{ .Release.Namespace }} - -{{- end }} diff --git a/charts/citrix/citrix-ingress-controller/1.34.16/templates/configmap.yaml b/charts/citrix/citrix-ingress-controller/1.34.16/templates/configmap.yaml deleted file mode 100644 index 586906391b..0000000000 --- a/charts/citrix/citrix-ingress-controller/1.34.16/templates/configmap.yaml +++ /dev/null 
@@ -1,75 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "cicconfigmap.fullname" . }} - namespace: {{ .Release.Namespace }} -data: - LOGLEVEL: {{ .Values.logLevel | quote | lower }} - JSONLOG: {{ .Values.jsonLog | quote | lower }} - NS_PROTOCOL: {{ .Values.nsProtocol | quote | lower }} - NS_PORT: {{ .Values.nsPort | quote }} -{{- if .Values.nsSNIPS }} - NS_SNIPS: {{ .Values.nsSNIPS | toJson}} -{{- end }} -{{- if and .Values.analyticsConfig.required .Values.nsEnableLabel }} - NS_ENABLE_LABELS: {{ .Values.nsEnableLabel | quote}} -{{- end }} -{{- if .Values.podIPsforServiceGroupMembers }} - POD_IPS_FOR_SERVICEGROUP_MEMBERS: {{ .Values.podIPsforServiceGroupMembers | quote }} -{{- end }} -{{- if .Values.ignoreNodeExternalIP }} - IGNORE_NODE_EXTERNAL_IP: {{ .Values.ignoreNodeExternalIP | quote }} -{{- end }} - -{{- if ne (upper .Values.nsHTTP2ServerSide) "OFF" }} - NS_HTTP2_SERVER_SIDE: {{ .Values.nsHTTP2ServerSide | quote }} -{{- end }} -{{- if ne (toString .Values.nsCookieVersion) "0" }} - NS_COOKIE_VERSION: {{ .Values.nsCookieVersion | quote }} -{{- end }} -{{- if .Values.nsDnsNameserver }} - NS_DNS_NAMESERVER: {{ .Values.nsDnsNameserver }} -{{- end }} - -{{- if .Values.analyticsConfig.required }} - NS_ANALYTICS_CONFIG: | - distributed_tracing: - enable: {{ .Values.analyticsConfig.distributedTracing.enable | quote }} - samplingrate: {{ .Values.analyticsConfig.distributedTracing.samplingrate }} - endpoint: - server: {{ include "analytics.server" . 
| quote }} - service: {{ .Values.analyticsConfig.endpoint.service | quote }} - timeseries: - port: {{ .Values.analyticsConfig.timeseries.port }} - metrics: - enable: {{ .Values.analyticsConfig.timeseries.metrics.enable | quote }} - mode: {{ .Values.analyticsConfig.timeseries.metrics.mode | quote }} - auditlogs: - enable: {{ .Values.analyticsConfig.timeseries.auditlogs.enable | quote }} - events: - enable: {{ .Values.analyticsConfig.timeseries.events.enable | quote }} - transactions: - enable: {{ .Values.analyticsConfig.transactions.enable | quote }} - port: {{ .Values.analyticsConfig.transactions.port }} -{{- end }} - -{{- if .Values.nsLbHashAlgo.required }} - NS_LB_HASH_ALGO: | - hashFingers: {{ .Values.nsLbHashAlgo.hashFingers }} - hashAlgorithm: {{ .Values.nsLbHashAlgo.hashAlgorithm | quote }} -{{- end }} - -{{- if .Values.profileSslFrontend }} - FRONTEND_SSL_PROFILE: | - {{- toYaml .Values.profileSslFrontend | nindent 4 }} -{{- end }} - -{{- if .Values.profileTcpFrontend }} - FRONTEND_TCP_PROFILE: | - {{- toYaml .Values.profileTcpFrontend | nindent 4 }} -{{- end }} - -{{- if .Values.profileHttpFrontend }} - FRONTEND_HTTP_PROFILE: | - {{- toYaml .Values.profileHttpFrontend | nindent 4 }} -{{- end }} \ No newline at end of file diff --git a/charts/citrix/citrix-ingress-controller/1.34.16/templates/ingressclass.yaml b/charts/citrix/citrix-ingress-controller/1.34.16/templates/ingressclass.yaml deleted file mode 100644 index d75537b79f..0000000000 --- a/charts/citrix/citrix-ingress-controller/1.34.16/templates/ingressclass.yaml +++ /dev/null 
@@ -1,18 +0,0 @@
-{{- $default := .Values.setAsDefaultIngressClass -}}
-{{- if semverCompare ">=1.19.0-0" .Capabilities.KubeVersion.GitVersion }}
-{{- if .Values.ingressClass }}
-{{- range .Values.ingressClass }}
-apiVersion: networking.k8s.io/v1
-kind: IngressClass
-metadata:
- name: {{ . | quote }}
-{{- if $default }}
- annotations:
- ingressclass.kubernetes.io/is-default-class: "true"
-{{- end }}
-spec:
- controller: citrix.com/ingress-controller
----
-{{- end }}
-{{- end }}
-{{- end }}
diff --git a/charts/citrix/citrix-ingress-controller/1.34.16/templates/rbac.yaml b/charts/citrix/citrix-ingress-controller/1.34.16/templates/rbac.yaml
deleted file mode 100644
index c20c1512e0..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.34.16/templates/rbac.yaml
+++ /dev/null
@@ -1,106 +0,0 @@ -{{- if not .Values.rbacRole }} -kind: ClusterRole -{{- else }} -kind: Role -{{- end }} -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "citrix-ingress-controller.serviceAccountName" . }} -{{- if .Values.rbacRole }} - namespace: {{ .Release.Namespace }} -{{- end }} -rules: - - apiGroups: [""] -{{- if .Values.openshift }} - resources: ["endpoints", "pods", "secrets", "routes", "tokenreviews", "subjectaccessreviews", "nodes", "namespaces", "configmaps", "services"] -{{- else }} - resources: ["endpoints", "pods", "secrets", "routes", "nodes", "namespaces", "configmaps", "services"] -{{- end }} - verbs: ["get", "list", "watch"] - # services/status is needed to update the loadbalancer IP in service status for integrating - # service of type LoadBalancer with external-dns - - apiGroups: [""] - resources: ["services/status"] - verbs: ["patch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create"] - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["extensions","networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["patch"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingressclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apps"] - resources: ["deployments"] - verbs: ["get", "list", "watch"] - - apiGroups: ["citrix.com"] - resources: ["rewritepolicies", "continuousdeployments", "authpolicies", "ratelimits", "listeners", "httproutes", "wafs", "apigatewaypolicies", "bots", "corspolicies", "appqoepolicies", "wildcarddnsentries"] - verbs: ["get", "list", "watch", "create", "delete", "patch"] - - apiGroups: ["citrix.com"] - resources: ["rewritepolicies/status", "continuousdeployments/status", "authpolicies/status", "ratelimits/status", "listeners/status", "httproutes/status", "wafs/status", 
"apigatewaypolicies/status", "bots/status", "corspolicies/status", "appqoepolicies/status", "wildcarddnsentries/status"] - verbs: ["patch"] - - apiGroups: ["citrix.com"] - resources: ["vips"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: ["crd.projectcalico.org"] - resources: ["ipamblocks"] - verbs: ["get", "list", "watch"] -{{- if .Values.openshift }} - - apiGroups: ["route.openshift.io"] - resources: ["routes"] - verbs: ["get", "list", "watch"] - - apiGroups: ["network.openshift.io"] - resources: ["hostsubnets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["config.openshift.io"] - resources: ["networks"] - verbs: ["get", "list"] -{{- end }} - ---- - -{{- if not .Values.rbacRole }} -kind: ClusterRoleBinding -{{- else }} -kind: RoleBinding -{{- end }} -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "citrix-ingress-controller.serviceAccountName" . }} -{{- if .Values.rbacRole }} - namespace: {{ .Release.Namespace }} -{{- end }} -roleRef: - apiGroup: rbac.authorization.k8s.io -{{- if not .Values.rbacRole }} - kind: ClusterRole -{{- else }} - kind: Role -{{- end }} - name: {{ include "citrix-ingress-controller.serviceAccountName" . }} -subjects: -- kind: ServiceAccount - name: {{ include "citrix-ingress-controller.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "citrix-ingress-controller.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- if .Values.imagePullSecrets }} -imagePullSecrets: -{{- range .Values.imagePullSecrets }} -- name: {{.}} -{{- end }} -{{- end }} - diff --git a/charts/citrix/citrix-ingress-controller/1.34.16/values.yaml b/charts/citrix/citrix-ingress-controller/1.34.16/values.yaml deleted file mode 100644 index fa2551fca2..0000000000 --- a/charts/citrix/citrix-ingress-controller/1.34.16/values.yaml +++ /dev/null 
@@ -1,200 +0,0 @@ -# Default values for citrix-ingress-controller. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -# Citrix Ingress Controller config details -imageRegistry: quay.io -imageRepository: citrix/citrix-k8s-ingress-controller -imageTag: 1.34.16 -image: "{{ .Values.imageRegistry }}/{{ .Values.imageRepository }}:{{ .Values.imageTag }}" -pullPolicy: IfNotPresent -imagePullSecrets: [] -nameOverride: "" -fullnameOverride: "" -openshift: false -adcCredentialSecret: # K8s Secret Name -# Enable secretStore to implement CSI Secret Provider classes for holding the nslogin credentials -secretStore: - enabled: false - username: {} - #valueFrom: - # configMapKeyRef: - # name: test1 - # key: username - password: {} - #valueFrom: - # configMapKeyRef: - # name: test1 - # key: password -nsIP: x.x.x.x -nsVIP: -nsSNIPS: -license: - accept: no -nsPort: 443 -nsProtocol: HTTPS -nsEnableLabel: true -# nitroReadTimeout is timeout value in seconds for nitro api read timeout(default is 20) -nitroReadTimeout: -logLevel: INFO -jsonLog: false -entityPrefix: -kubernetesURL: -clusterName: -ingressClass: -setAsDefaultIngressClass: False -serviceClass: -defaultSSLCertSecret: -podIPsforServiceGroupMembers: False -ignoreNodeExternalIP: False -ipam: False -# API server Cert verification can be disabled, while communicating with API Server, if disableAPIServerCertVerify set to True -disableAPIServerCertVerify: False -logProxy: -nodeWatch: false -cncPbr: False -nodeSelector: - key: - value: -tolerations: [] -updateIngressStatus: True -nsHTTP2ServerSide: "OFF" -nsCookieVersion: "0" -nsConfigDnsRec: -nsSvcLbDnsRec: -nsDnsNameserver: -optimizeEndpointBinding: -routeLabels: -namespaceLabels: -disableOpenshiftRoutes: -profileSslFrontend: {} - # preconfigured: my_ssl_profile - # OR - # config: - # tls13: 'ENABLED' - # hsts: 'ENABLED' -profileHttpFrontend: {} - # preconfigured: my_http_profile - # OR - # config: - # dropinvalreqs: 'ENABLED' - # websocket: 
'ENABLED' -profileTcpFrontend: {} - # preconfigured: my_tcp_profile - # OR - # config: - # sack: 'ENABLED' - # nagle: 'ENABLED' - -# Exporter config details -exporter: - required: false - imageRegistry: quay.io - imageRepository: citrix/citrix-adc-metrics-exporter - imageTag: 1.4.9 - image: "{{ .Values.exporter.imageRegistry }}/{{ .Values.exporter.imageRepository }}:{{ .Values.exporter.imageTag }}" - pullPolicy: IfNotPresent - ports: - containerPort: 8888 - resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - extraVolumeMounts: [] - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. - #- name: github-key - # mountPath: /etc/config/keys/ - # readOnly: true - #- name: agent-init-scripts - # mountPath: /docker-entrypoint.d/ - serviceMonitorExtraLabels: {} - -# For CRDs supported by Citrix Ingress Controller -crds: - install: false - retainOnDelete: false - -# Enable RBAC role (so called local role), by default CIC deployed with ClusterRole. 
-# below variable to deploy CIC with RBAC role, only ingress service supported with this config -rbacRole: False - -# Config required to be done by Citrix Ingress Controller for sending metrics to Citrix Observability Exporter -analyticsConfig: - required: false - distributedTracing: - enable: false - samplingrate: 100 - endpoint: - server: - service: - timeseries: - port: 30002 - metrics: - enable: false - mode: 'avro' - auditlogs: - enable: false - events: - enable: false - transactions: - enable: false - port: 30001 - -nsLbHashAlgo: - required: false - hashFingers: 256 - hashAlgorithm: 'DEFAULT' - -# Specifies whether a ServiceAccount should be created -serviceAccount: - create: true - # The name of the ServiceAccount to use. - # If not set and `create` is true, a name is generated using the fullname template - # name: - -podAnnotations: {} - -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # Following values depends on no of ingresses configured by Ingress Controllers, so it is - # advised to test with maximum no of ingresses to set these values. - # limits: - # cpu: 1000m - # memory: 1000Mi - # requests: - # cpu: 500m - # memory: 500Mi - -affinity: {} - -extraVolumeMounts: [] - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. - #- name: github-key - # mountPath: /etc/config/keys/ - # readOnly: true - #- name: agent-init-scripts - # mountPath: /docker-entrypoint.d/ - -extraVolumes: [] - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. 
- #- name: agent-init-scripts
- # configMap:
- # name: agent-init-scripts
- # defaultMode: 0755
- #- name: github-key
- # secret:
- # secretName: github-key
- # defaultMode: 0744
diff --git a/charts/citrix/citrix-ingress-controller/1.35.6/Chart.yaml b/charts/citrix/citrix-ingress-controller/1.35.6/Chart.yaml
deleted file mode 100644
index 3277e7ee93..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.35.6/Chart.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-annotations:
- catalog.cattle.io/certified: partner
- catalog.cattle.io/display-name: Citrix Ingress Controller
- catalog.cattle.io/kube-version: '>=v1.16.0-0'
- catalog.cattle.io/release-name: citrix-ingress-controller
-apiVersion: v2
-appVersion: 1.35.6
-deprecated: true
-description: A Helm chart for Citrix Ingress Controller configuring MPX/VPX.
-home: https://www.cloud.com
-icon: https://raw.githubusercontent.com/citrix/citrix-helm-charts/gh-pages/icon.png
-kubeVersion: '>=v1.16.0-0'
-maintainers:
-- email: priyanka.sharma@cloud.com
- name: priyankash-citrix
-- email: subash.dangol@cloud.com
- name: subashd
-name: citrix-ingress-controller
-sources:
-- https://github.com/citrix/citrix-k8s-ingress-controller
-version: 1.35.6
diff --git a/charts/citrix/citrix-ingress-controller/1.35.6/README.md b/charts/citrix/citrix-ingress-controller/1.35.6/README.md
deleted file mode 100644
index 687a9f6e13..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.35.6/README.md
+++ /dev/null
@@ -1,512 +0,0 @@
-# Citrix Ingress Controller
-
-[Citrix](https://www.citrix.com/en-in/) provides an Ingress Controller for Citrix ADC MPX (hardware), Citrix ADC VPX (virtualized), and [Citrix ADC CPX](https://docs.citrix.com/en-us/citrix-adc-cpx/13/about.html) (containerized) for [bare metal](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/deployment/baremetal) and [cloud](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/deployment) deployments. It configures one or more Citrix ADC based on the Ingress resource configuration in [Kubernetes](https://kubernetes.io/) or in [OpenShift](https://www.openshift.com) cluster.
-
-## TL;DR;
-
-### For Kubernetes
- ```
- helm repo add citrix https://citrix.github.io/citrix-helm-charts/
-
- helm install cic citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=
- ```
-
- To install Citrix Provided Custom Resource Definition(CRDs) along with Citrix Ingress Controller
- ```
- helm install cic citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,crds.install=true
- ```
-
-### For OpenShift
-
- ```
- helm repo add citrix https://citrix.github.io/citrix-helm-charts/
-
- helm install cic citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,openshift=true
- ```
-
- To install Citrix Provided Custom Resource Definition(CRDs) along with Citrix Ingress Controller
- ```
- helm install cic citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,openshift=true,crds.install=true
- ```
-
-> **Important:**
->
-> The `license.accept` argument is mandatory. Ensure that you set the value as `yes` to accept the terms and conditions of the Citrix license.
-
-## Introduction
-This Helm chart deploys Citrix ingress controller in the [Kubernetes](https://kubernetes.io) or in the [Openshift](https://www.openshift.com) cluster using [Helm](https://helm.sh) package manager.
- -### Prerequisites - -- The [Kubernetes](https://kubernetes.io/) version should be 1.16 and above if using Kubernetes environment. -- The [Openshift](https://www.openshift.com) version 4.8 or later if using OpenShift platform. -- The [Helm](https://helm.sh/) version 3.x or later. You can follow instruction given [here](https://github.com/citrix/citrix-helm-charts/blob/master/Helm_Installation_version_3.md) to install the same. -- You determine the NS_IP IP address needed by the controller to communicate with Citrix ADC. The IP address might be anyone of the following depending on the type of Citrix ADC deployment: - - - (Standalone appliances) NSIP - The management IP address of a standalone Citrix ADC appliance. For more information, see [IP Addressing in Citrix ADC](https://docs.citrix.com/en-us/citrix-adc/12-1/networking/ip-addressing.html). - - - (Appliances in High Availability mode) SNIP - The subnet IP address. For more information, see [IP Addressing in Citrix ADC](https://docs.citrix.com/en-us/citrix-adc/12-1/networking/ip-addressing.html). - - - (Appliances in Clustered mode) CLIP - The cluster management IP (CLIP) address for a clustered Citrix ADC deployment. For more information, see [IP addressing for a cluster](https://docs.citrix.com/en-us/citrix-adc/12-1/clustering/cluster-overview/ip-addressing.html). - -- You have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator), if you want to view the metrics of the Citrix ADC CPX collected by the [metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics). - -- The user name and password of the Citrix ADC VPX or MPX appliance used as the ingress device. The Citrix ADC appliance needs to have system user account (non-default) with certain privileges so that Citrix ingress controller can configure the Citrix ADC VPX or MPX appliance. 
For instructions to create the system user account on Citrix ADC, see [Create System User Account for CIC in Citrix ADC](#create-system-user-account-for-cic-in-citrix-adc).
-
- You can pass user name and password using Kubernetes secrets. Create a Kubernetes secret for the user name and password using the following command:
-
- ```
- kubectl create secret generic nslogin --from-literal=username='cic' --from-literal=password='mypassword'
- ```
-
-#### Create system User account for Citrix ingress controller in Citrix ADC
-
-Citrix ingress controller configures the Citrix ADC using a system user account of the Citrix ADC. The system user account should have certain privileges so that the CIC has permission configure the following on the Citrix ADC:
-
-- Add, Delete, or View Content Switching (CS) virtual server
-- Configure CS policies and actions
-- Configure Load Balancing (LB) virtual server
-- Configure Service groups
-- Cofigure SSl certkeys
-- Configure routes
-- Configure user monitors
-- Add system file (for uploading SSL certkeys from Kubernetes)
-- Configure Virtual IP address (VIP)
-- Check the status of the Citrix ADC appliance
-
-> **Note:**
->
-> The system user account would have privileges based on the command policy that you define.
-
-To create the system user account, do the following:
-
-1. Log on to the Citrix ADC appliance. Perform the following:
- 1. Use an SSH client, such as PuTTy, to open an SSH connection to the Citrix ADC appliance.
-
- 2. Log on to the appliance by using the administrator credentials.
-
-2. Create the system user account using the following command:
-
- ```
- add system user
- ```
-
- For example:
-
- ```
- add system user cic mypassword
- ```
-
-3. Create a policy to provide required permissions to the system user account.
Use the following command: - - ``` - add cmdpolicy cic-policy ALLOW '^(\?!shell)(\?!sftp)(\?!scp)(\?!batch)(\?!source)(\?!.*superuser)(\?!.*nsroot)(\?!install)(\?!show\s+system\s+(user|cmdPolicy|file))(\?!(set|add|rm|create|export|kill)\s+system)(\?!(unbind|bind)\s+system\s+(user|group))(\?!diff\s+ns\s+config)(\?!(set|unset|add|rm|bind|unbind|switch)\s+ns\s+partition).*|(^install\s*(wi|wf))|(^\S+\s+system\s+file)^(\?!shell)(\?!sftp)(\?!scp)(\?!batch)(\?!source)(\?!.*superuser)(\?!.*nsroot)(\?!install)(\?!show\s+system\s+(user|cmdPolicy|file))(\?!(set|add|rm|create|export|kill)\s+system)(\?!(unbind|bind)\s+system\s+(user|group))(\?!diff\s+ns\s+config)(\?!(set|unset|add|rm|bind|unbind|switch)\s+ns\s+partition).*|(^install\s*(wi|wf))|(^\S+\s+system\s+file)' - ``` - - **Note**: The system user account would have privileges based on the command policy that you define. - The command policy mentioned in ***step 3*** is similar to the built-in `sysAdmin` command policy with another permission to upload files. - - The command policy spec provided above have already escaped special characters for easier copy pasting into the Citrix ADC command line. - - For configuring the command policy from Citrix ADC Configuration Wizard (GUI), use the below command policy spec. - - ``` - ^(?!shell)(?!sftp)(?!scp)(?!batch)(?!source)(?!.*superuser)(?!.*nsroot)(?!install)(?!show\s+system\s+(user|cmdPolicy|file))(?!(set|add|rm|create|export|kill)\s+system)(?!(unbind|bind)\s+system\s+(user|group))(?!diff\s+ns\s+config)(?!(set|unset|add|rm|bind|unbind|switch)\s+ns\s+partition).*|(^install\s*(wi|wf))|(^\S+\s+system\s+file)^(?!shell)(?!sftp)(?!scp)(?!batch)(?!source)(?!.*superuser)(?!.*nsroot)(?!install)(?!show\s+system\s+(user|cmdPolicy|file))(?!(set|add|rm|create|export|kill)\s+system)(?!(unbind|bind)\s+system\s+(user|group))(?!diff\s+ns\s+config)(?!(set|unset|add|rm|bind|unbind|switch)\s+ns\s+partition).*|(^install\s*(wi|wf))|(^\S+\s+system\s+file) - ``` - -4. 
Bind the policy to the system user account using the following command:
-
- ```
- bind system user cic cic-policy 0
- ```
-
-## Installing the Chart
-Add the Citrix Ingress Controller helm chart repository using command:
-
-```
- helm repo add citrix https://citrix.github.io/citrix-helm-charts/
-```
-
-### For Kubernetes:
-#### 1. Citrix Ingress Controller
-To install the chart with the release name, `my-release`, use the following command:
- ```
- helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,ingressClass[0]=
- ```
-
-> **Note:**
->
-> By default the chart installs the recommended [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) roles and role bindings.
-
-The command deploys Citrix ingress controller on Kubernetes cluster with the default configuration. The [configuration](#configuration) section lists the mandatory and optional parameters that you can configure during installation.
-
-#### 2. Citrix Ingress Controller with Exporter
-[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed along with Citrix ingress controller and collects metrics from the Citrix ADC instances. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana.
-
-> **Note:**
-> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator).
-
-Use the following command for this:
- ```
- helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,ingressClass[0]=,exporter.required=true
- ```
-
-### For Openshift:
-Add the name of the service account created when the chart is deployed to the privileged Security Context Constraints of OpenShift:
-
- ```
- oc adm policy add-scc-to-user privileged system:serviceaccount::
- ```
-
-#### 1. Citrix Ingress Controller
-To install the chart with the release name, `my-release`, use the following command:
- ```
- helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,openshift=true
- ```
-
-The command deploys Citrix ingress controller on your Openshift cluster in the default configuration. The [configuration](#configuration) section lists the mandatory and optional parameters that you can configure during installation.
-
-#### 2. Citrix Ingress Controller with Exporter
-[Metrics exporter](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed along with Citrix ingress controller and collects metrics from the Citrix ADC instances. You can then [visualize these metrics](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/metrics/promotheus-grafana/) using Prometheus Operator and Grafana.
-
-> **Note:**
-> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator)
-
-Use the following command for this:
- ```
- helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,openshift=true,exporter.required=true
- ```
-
-### Installed components
-
-The following components are installed:
-
-- [Citrix ingress controller](https://github.com/citrix/citrix-k8s-ingress-controller)
-- [Exporter](https://github.com/citrix/citrix-adc-metrics-exporter) (if enabled)
-
-## Configuration for ServiceGraph:
- If Citrix ADC VPX/MPX need to send data to the Citrix ADM to bring up the servicegraph, then the below steps can be followed to install Citrix ingress controller for Citrix ADC VPX/MPX. Citrix ingress controller configures Citrix ADC VPX/MPX with the configuration required for servicegraph.
-
- 1. Create secret using Citrix ADC VPX credentials, which will be used by Citrix ingress controller for configuring Citrix ADC VPX/MPX:
-
- kubectl create secret generic nslogin --from-literal=username='cic' --from-literal=password='mypassword'
-
- 2. Deploy Citrix ingress controller using helm command:
-
- helm install my-release citrix/citrix-ingress-controller --set nsIP=,nsVIP=,license.accept=yes,adcCredentialSecret=,analyticsConfig.required=true,analyticsConfig.timeseries.metrics.enable=true,analyticsConfig.timeseries.port=5563,analyticsConfig.distributedTracing.enable=true,analyticsConfig.transactions.enable=true,analyticsConfig.transactions.port=5557,analyticsConfig.endpoint.server=
-
-> **Note:**
-> If container agent is being used here for Citrix ADM, please provide `podIP` of container agent in the `analyticsConfig.endpoint.server` parameter.
-
-## CRDs configuration
-
-CRDs can be installed/upgraded when we install/upgrade Citrix ingress controller using `crds.install=true` parameter in Helm. If you do not want to install CRDs, then set the option `crds.install` to `false`.
By default, CRDs too get deleted if you uninstall through Helm. This means, even the CustomResource objects created by the customer will get deleted. If you want to avoid this data loss set `crds.retainOnDelete` to `true`. - -> **Note:** -> Installing again may fail due to the presence of CRDs. Make sure that you back up all CustomResource objects and clean up CRDs before re-installing Citrix Ingress Controller. - -There are a few examples of how to use these CRDs, which are placed in the folder: [Example-CRDs](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds). Refer to them and install as needed, using the following command: -```kubectl create -f ``` - -### Details of the supported CRDs: - -#### authpolicies CRD: - -Authentication policies are used to enforce access restrictions to resources hosted by an application or an API server. - -Citrix provides a Kubernetes CustomResourceDefinitions (CRDs) called the [Auth CRD](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/auth) that you can use with the Citrix ingress controller to define authentication policies on the ingress Citrix ADC. - -Example file: [auth_example.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/auth_example.yaml) - -#### continuousdeployments CRD for canary: - -Canary release is a technique to reduce the risk of introducing a new software version in production by first rolling out the change to a small subset of users. After user validation, the application is rolled out to the larger set of users. Citrix ADC-Integrated [Canary Deployment solution](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/canary) stitches together all components of continuous delivery (CD) and makes canary deployment easier for the application developers. 
- -#### httproutes and listeners CRDs for contentrouting: - -[Content Routing (CR)](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/contentrouting) is the execution of defined rules that determine the placement and configuration of network traffic between users and web applications, based on the content being sent. For example, a pattern in the URL or header fields of the request. - -Example files: [HTTPRoute_crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/HTTPRoute_crd.yaml), [Listener_crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/Listener_crd.yaml) - -#### ratelimits CRD: - -In a Kubernetes deployment, you can [rate limit the requests](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/ratelimit) to the resources on the back end server or services using rate limiting feature provided by the ingress Citrix ADC. - -Example files: [ratelimit-example1.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/ratelimit-example1.yaml), [ratelimit-example2.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/ratelimit-example2.yaml) - -#### vips CRD: - -Citrix provides a CustomResourceDefinitions (CRD) called [VIP](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/crd/vip) for asynchronous communication between the IPAM controller and Citrix ingress controller. - -The IPAM controller is provided by Citrix for IP address management. It allocates IP address to the service from a defined IP address range. The Citrix ingress controller configures the IP address allocated to the service as virtual IP (VIP) in Citrix ADX VPX. And, the service is exposed using the IP address. - -When a new service is created, the Citrix ingress controller creates a CRD object for the service with an empty IP address field. 
The IPAM Controller listens to addition, deletion, or modification of the CRD and updates it with an IP address to the CRD. Once the CRD object is updated, the Citrix ingress controller automatically configures Citrix ADC-specfic configuration in the tier-1 Citrix ADC VPX. - -#### rewritepolicies CRD: - -In kubernetes environment, to deploy specific layer 7 policies to handle scenarios such as, redirecting HTTP traffic to a specific URL, blocking a set of IP addresses to mitigate DDoS attacks, imposing HTTP to HTTPS and so on, requires you to add appropriate libraries within the microservices and manually configure the policies. Instead, you can use the [Rewrite and Responder features](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/crd/rewrite-responder-policies-deployment.yaml) provided by the Ingress Citrix ADC device to deploy these policies. - -Example files: [target-url-rewrite.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/target-url-rewrite.yaml) - -#### wafs CRD: - -[WAF CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/waf.md) can be used to configure the web application firewall policies with the Citrix ingress controller on the Citrix ADC VPX, MPX, SDX, and CPX. The WAF CRD enables communication between the Citrix ingress controller and Citrix ADC for enforcing web application firewall policies. - -In a Kubernetes deployment, you can enforce a web application firewall policy to protect the server using the WAF CRD. For more information about web application firewall, see [Web application security](https://docs.citrix.com/en-us/citrix-adc/13/application-firewall/introduction/web-application-security.html). - -Example files: [wafhtmlxsssql.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/wafhtmlxsssql.yaml) - -#### apigateway CRD: - -API Gateway CRD is used to configure gitops framework on citrix API gateway. 
This solution enables citrix ingress controller to generate API gateway configurations out of Open API Specification documents checked in to git repository by API developers and designers. - -Example files: [api-gateway-crd-instance.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/api-gateway-crd-instance.yaml) -#### bots CRD: - -[BOT CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/bot.md) You can use Bot CRDs to configure the bot management policies with the Citrix ingress controller on the Citrix ADC VPX. The Bot custom resource definition enables communication between the Citrix ingress controller and Citrix ADC for enforcing bot management policies. - -In a Kubernetes deployment, you can enforce bot management policy on therequests and responses from and to the server using the Bot CRDs. For more information on security vulnerabilities, see [Bot Detection](https://docs.citrix.com/en-us/citrix-adc/current-release/bot-management/bot-detection.html). - -Example files: [botallowlist.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/botallowlist.yaml) - -#### CORS CRD: - -[CORS CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/cors.md) Cross-origin resource sharing (CORS) is a mechanism allows a web application running under one domain to securely access resources in another domain. You can configure CORS policies on Citrix ADC using Citrix ingress controller to allow one domain (the origin domain) to call APIs in another domain. For more information, see the [cross-origin resource sharing CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/cors.md) documentation. 
- -Example files: [cors-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/corspolicy-example.yaml) - -#### APPQOE CRD: - -[APPQOE CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/appqoe.md) When a Citrix ADC appliance receives an HTTP request and forwards it to a back-end server, sometimes there may be connection failures with the back-end server. You can configure the request-retry feature on Citrix ADC to forward the request to the next available server, instead of sending the reset to the client. Hence, the client saves round trip time when Citrix ADC initiates the same request to the next available service. -For more information, see the AppQoE support documentation. [Appqoe resource sharing CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/appqoe.md) documentation. - -Example files: [appqoe-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/appqoe_example.yaml) - -#### WILDCARDDNS CRD: - -[WILDCARDDNS CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/wildcarddns.md) Wildcard DNS domains are used to handle requests for nonexistent domains and subdomains. In a zone, use wildcard domains to redirect queries for all nonexistent domains or subdomains to a particular server, instead of creating a separate Resource Record (RR) for each domain. The most common use of a wildcard DNS domain is to create a zone that can be used to forward mail from the internet to some other mail system. -For more information, see the Wild card DNS domains support documentation. [Wildcard DNS Entry CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/crds/wildcarddns.md) documentation. 
- -Example files: [wildcarddns-crd.yaml](https://github.com/citrix/citrix-helm-charts/tree/master/example-crds/wildcarddns-example.yaml) - -### Tolerations - -Taints are applied on cluster nodes whereas tolerations are applied on pods. Tolerations enable pods to be scheduled on node with matching taints. For more information see [Taints and Tolerations in Kubernetes](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/). - -Toleration can be applied to Citrix ingress controller pod using `tolerations` argument while deploying CIC using helm chart. This argument takes list of tolerations that user need to apply on the CIC pods. - -For example, following command can be used to apply toleration on the CIC pod: - -``` -helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,tolerations[0].key=,tolerations[0].value=,tolerations[0].operator=,tolerations[0].effect= -``` - -Here tolerations[0].key, tolerations[0].value and tolerations[0].effect are the key, value and effect that was used while tainting the node. -Effect represents what should happen to the pod if the pod don't have any matching toleration. It can have values `NoSchedule`, `NoExecute` and `PreferNoSchedule`. -Operator represents the operation to be used for key and value comparison between taint and tolerations. It can have values `Exists` and `Equal`. The default value for operator is `Equal`. - -### Resource Quotas -There are various use-cases when resource quotas are configured on the Kubernetes cluster. If quota is enabled in a namespace for compute resources like cpu and memory, users must specify requests or limits for those values; otherwise, the quota system may reject pod creation. The resource quotas for the CIC containers can be provided explicitly in the helm chart. - -To set requests and limits for the CIC container, use the variables `resources.requests` and `resources.limits` respectively. 
- -Below is an example of the helm command that configures -- For CIC container: -``` - CPU request for 500milli CPUs - CPU limit at 1000m - Memory request for 512M - Memory limit at 1000M -``` -``` -helm install my-release citrix/citrix-ingress-controller --set nsIP=,nsVIP=,license.accept=yes,adcCredentialSecret=,resources.requests.cpu=500m,resources.requests.memory=512Mi --set resources.limits.cpu=1000m,resources.limits.memory=1000Mi -``` - -### Configuration - -The following table lists the mandatory and optional parameters that you can configure during installation: - -| Parameters | Mandatory or Optional | Default value | Description | -| --------- | --------------------- | ------------- | ----------- | -| license.accept | Mandatory | no | Set `yes` to accept the CIC end user license agreement. | -| imageRegistry | Mandatory | `quay.io` | The Citrix ingress controller image registry | -| imageRepository | Mandatory | `citrix/citrix-k8s-ingress-controller` | The Citrix ingress controller image repository | -| imageTag | Mandatory | `1.35.6` | The Citrix ingress controller image tag | -| pullPolicy | Mandatory | IfNotPresent | The CIC image pull policy. | -| imagePullSecrets | Optional | N/A | Provide list of Kubernetes secrets to be used for pulling the images from a private Docker registry or repository. For more information on how to create this secret please see [Pull an Image from a Private Registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/). | -| nameOverride | Optional | N/A | String to partially override deployment fullname template with a string (will prepend the release name) | -| fullNameOverride | Optional | N/A | String to fully override deployment fullname template with a string | -| resources | Optional | {} | CPU/Memory resource requests/limits for Citrix Ingress Controller container | -| adcCredentialSecret | Mandatory | N/A | The secret key to log on to the Citrix ADC VPX or MPX. 
For information on how to create the secret keys, see [Prerequisites](#prerequistes). |
-| secretStore.enabled | Optional | False | Set to "True" for deploying other Secret Provider classes |
-| secretStore.username | Optional | N/A | if `secretStore.enabled`, `username` of ADC will be fetched from the Secret Provider |
-| secretStore.password | Optional | N/A | if `secretStore.enabled`, `password` of ADC will be fetched from the Secret Provider |
-| nsIP | Mandatory | N/A | The IP address of the Citrix ADC device. For details, see [Prerequisites](#prerequistes). |
-| nsVIP | Optional | N/A | The Virtual IP address on the Citrix ADC device. |
-| nsSNIPS | Optional | N/A | The list of subnet IPAddresses on the Citrix ADC device, which will be used to create PBR Routes instead of Static Routes [PBR support](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/docs/how-to/pbr.md) |
-| nsPort | Optional | 443 | The port used by CIC to communicate with Citrix ADC. You can use port 80 for HTTP. |
-| nsProtocol | Optional | HTTPS | The protocol used by CIC to communicate with Citrix ADC. You can also use HTTP on port 80. |
-| nsEnableLabel | Optional | True | Set to true for plotting Servicegraph. Ensure ``analyticsConfig` are set. |
-| nitroReadTimeout | Optional | 20 | The nitro Read timeout in seconds, defaults to 20 |
-| logLevel | Optional | DEBUG | The loglevel to control the logs generated by CIC. The supported loglevels are: CRITICAL, ERROR, WARNING, INFO, DEBUG and TRACE.
For more information, see [Logging](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/configure/log-levels.md).|
-| jsonLog | Optional | false | Set this argument to true if log messages are required in JSON format |
-| nsConfigDnsRec | Optional | false | To enable/disable DNS address Record addition in ADC through Ingress |
-| nsSvcLbDnsRec | Optional | false | To enable/disable DNS address Record addition in ADC through Type Load Balancer Service |
-| nsDnsNameserver | Optional | N/A | To add DNS Nameservers in ADC |
-| optimizeEndpointBinding | Optional | false | To enable/disable binding of backend endpoints to servicegroup in a single API-call. Recommended when endpoints(pods) per application are large in number. Applicable only for Citrix ADC Version >=13.0-45.7 |
-| kubernetesURL | Optional | N/A | The kube-apiserver url that CIC uses to register the events. If the value is not specified, CIC uses the [internal kube-apiserver IP address](https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod). |
-| clusterName | Optional | N/A | The unique identifier of the kubernetes cluster on which the CIC is deployed. Used in gslb-controller deployments. |
-| ingressClass | Optional | N/A | If multiple ingress load balancers are used to load balance different ingress resources. You can use this parameter to specify CIC to configure Citrix ADC associated with specific ingress class. For more information on Ingress class, see [Ingress class support](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/configure/ingress-classes/). For Kubernetes version >= 1.19, this will create an IngressClass object with the name specified here |
-| setAsDefaultIngressClass | Optional | False | Set the IngressClass object as default ingress class. New Ingresses without an "ingressClassName" field specified will be assigned the class specified in ingressClass.
Applicable only for kubernetes versions >= 1.19 |
-| serviceClass | Optional | N/A | By Default ingress controller configures all TypeLB Service on the ADC. You can use this parameter to finetune this behavior by specifing CIC to only configure TypeLB Service with specific service class. For more information on Service class, see [Service class support](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/configure/service-classes/). |
-| nodeWatch | Optional | false | Use the argument if you want to automatically configure network route from the Ingress Citrix ADC VPX or MPX to the pods in the Kubernetes cluster. For more information, see [Automatically configure route on the Citrix ADC instance](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/network/staticrouting/#automatically-configure-route-on-the-citrix-adc-instance). |
-| cncPbr | Optional | False | Use this argument to inform CIC that Citrix Node Controller(CNC) is configuring Policy Based Routes(PBR) on the Citrix ADC. For more information, see [CNC-PBR-SUPPORT](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/docs/how-to/pbr.md#configure-pbr-using-the-citrix-node-controller) |
-| defaultSSLCertSecret | Optional | N/A | Provide Kubernetes secret name that needs to be used as a default non-SNI certificate in Citrix ADC. |
-| podIPsforServiceGroupMembers | Optional | False | By default Citrix Ingress Controller will add NodeIP and NodePort as service group members while configuring type LoadBalancer Services and NodePort services. This variable if set to `True` will change the behaviour to add pod IP and Pod port instead of nodeIP and nodePort. Users can set this to `True` if there is a route between ADC and K8s clusters internal pods either using feature-node-watch argument or using Citrix Node Controller.
|
-| ignoreNodeExternalIP | Optional | False | While adding NodeIP, as Service group members for type LoadBalancer services or NodePort services, Citrix Ingress Controller has a selection criteria whereas it choose Node ExternalIP if available and Node InternalIP, if Node ExternalIP is not present. But some users may want to use Node InternalIP over Node ExternalIP even if Node ExternalIP is present. If this variable is set to `True`, then it prioritises the Node Internal IP to be used for service group members even if node ExternalIP is present |
-| nsHTTP2ServerSide | Optional | OFF | Set this argument to `ON` for enabling HTTP2 for Citrix ADC service group configurations. |
-| nsCookieVersion | Optional | 0 | Specify the persistence cookie version (0 or 1). |
-| profileSslFrontend | Optional | N/A | Specify the frontend SSL profile. For Details see [Configuration using FRONTEND_SSL_PROFILE](https://docs.citrix.com/en-us/citrix-k8s-ingress-controller/configure/profiles.html#global-front-end-profile-configuration-using-configmap-variables) |
-| profileTcpFrontend | Optional | N/A | Specify the frontend TCP profile. For Details see [Configuration using FRONTEND_TCP_PROFILE](https://docs.citrix.com/en-us/citrix-k8s-ingress-controller/configure/profiles.html#global-front-end-profile-configuration-using-configmap-variables) |
-| profileHttpFrontend | Optional | N/A | Specify the frontend HTTP profile. For Details see [Configuration using FRONTEND_HTTP_PROFILE](https://docs.citrix.com/en-us/citrix-k8s-ingress-controller/configure/profiles.html#global-front-end-profile-configuration-using-configmap-variables) |
-| ipam | Optional | False | Set this argument if you want to use the IPAM controller to automatically allocate an IP address to the service of type LoadBalancer. |
-| disableAPIServerCertVerify | Optional | False | Set this parameter to True for disabling API Server certificate verification.
| -| logProxy | Optional | N/A | Provide Elasticsearch or Kafka or Zipkin endpoint for Citrix observability exporter. | -| entityPrefix | Optional | k8s | The prefix for the resources on the Citrix ADC VPX/MPX. | -| updateIngressStatus | Optional | True | Set this argurment if `Status.LoadBalancer.Ingress` field of the Ingress resources managed by the Citrix ingress controller needs to be updated with allocated IP addresses. For more information see [this](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/configure/ingress-classes.md#updating-the-ingress-status-for-the-ingress-resources-with-the-specified-ip-address). | -| routeLabels | Optional | N/A | You can use this parameter to provide the route labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster. | -| namespaceLabels | Optional | N/A | You can use this parameter to provide the namespace labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster. | -| podAnnotations | Optional | N/A | Map of annotations to add to the pods. | -| affinity | Optional | N/A | Affinity labels for pod assignment. | -| exporter.required | Optional | false | Use the argument, if you want to run the [Exporter for Citrix ADC Stats](https://github.com/citrix/citrix-adc-metrics-exporter) along with CIC to pull metrics for the Citrix ADC VPX or MPX| -| exporter.imageRegistry | Optional | `quay.io` | The Exporter for Citrix ADC Stats image registry | -| exporter.imageRepository | Optional | `citrix/citrix-adc-metrics-exporter` | The Exporter for Citrix ADC Stats image repository | -| exporter.imageTag | Optional | `1.4.9` | The Exporter for Citrix ADC Stats image tag | -| exporter.pullPolicy | Optional | IfNotPresent | The Exporter image pull policy. | -| exporter.ports.containerPort | Optional | 8888 | The Exporter container port. 
| -| exporter.resources | Optional | {} | CPU/Memory resource requests/limits for Metrics exporter container | -| exporter.extraVolumeMounts | Optional | [] | Specify the Additional VolumeMounts to be mounted in Exporter container. Specify the volumes in `extraVolumes` | -| exporter.serviceMonitorExtraLabels | Optional | | Extra labels for service monitor whem Citrix-adc-metrics-exporter is enabled. |s -| openshift | Optional | false | Set this argument if OpenShift environment is being used. | -| disableOpenshiftRoutes | Optional | false | By default Openshift routes are processed in openshift environment, this variable can be used to disable Ingress controller processing the openshift routes. | -| nodeSelector.key | Optional | N/A | Node label key to be used for nodeSelector option in CIC deployment. | -| nodeSelector.value | Optional | N/A | Node label value to be used for nodeSelector option in CIC deployment. | -| tolerations | Optional | N/A | Specify the tolerations for the CIC deployment. | -| crds.install | Optional | False | Unset this argument if you don't want to install CustomResourceDefinitions which are consumed by CIC. | -| crds.retainOnDelete | Optional | false | Set this argument if you want to retain CustomResourceDefinitions even after uninstalling CIC. This will avoid data-loss of Custom Resource Objects created before uninstallation. | -| analyticsConfig.required | Mandatory | false | Set this to true if you want to configure Citrix ADC to send metrics and transaction records to analytics . | -| analyticsConfig.distributedTracing.enable | Optional | false | Set this value to true to enable OpenTracing in Citrix ADC. | -| analyticsConfig.distributedTracing.samplingrate | Optional | 100 | Specifies the OpenTracing sampling rate in percentage. | -| analyticsConfig.endpoint.server | Optional | N/A | Set this value as the IP address or DNS address of the analytics server. 
| -| analyticsConfig.endpoint.service | Optional | N/A | Set this value as the IP address or service name with namespace of the analytics service deployed in k8s environment. Format: namespace/servicename | -| analyticsConfig.timeseries.port | Optional | 30002 | Specify the port used to expose analytics service outside cluster for timeseries endpoint. | -| analyticsConfig.timeseries.metrics.enable | Optional | False | Set this value to true to enable sending metrics from Citrix ADC. | -| analyticsConfig.timeseries.metrics.mode | Optional | avro | Specifies the mode of metric endpoint. | -| analyticsConfig.timeseries.auditlogs.enable | Optional | false | Set this value to true to export audit log data from Citrix ADC. | -| analyticsConfig.timeseries.events.enable | Optional | false | Set this value to true to export events from the Citrix ADC. | -| analyticsConfig.transactions.enable | Optional | false | Set this value to true to export transactions from Citrix ADC. | -| analyticsConfig.transactions.port | Optional | 30001 | Specify the port used to expose analytics service outside cluster for transaction endpoint. | -| nsLbHashAlgo.required | Optional | false | Set this value to set the LB consistent hashing Algorithm | -| nsLbHashAlgo.hashFingers | Optional | 256 | Specifies the number of fingers to be used for hashing algorithm. Possible values are from 1 to 1024, Default value is 256 | -| nsLbHashAlgo.hashAlgorithm | Optional | 'default' | Specifies the supported algorithm. 
Supported algorithms are "default", "jarh", "prac", Default value is 'default' | -| extraVolumeMounts | Optional | [] | Specify the Additional VolumeMounts to be mounted in CIC container | -| extraVolumes | Optional | [] | Specify the Additional Volumes for additional volumeMounts | -| rbacRole | Optional | false | To deploy CIC with RBAC Role set rbacRole=true; by default CIC gets installed with RBAC ClusterRole(rbacRole=false)) | - -Alternatively, you can define a YAML file with the values for the parameters and pass the values while installing the chart. - -For example: - ``` - helm install my-release citrix/citrix-ingress-controller -f values.yaml - ``` - -> **Tip:** -> -> The [values.yaml](https://github.com/citrix/citrix-helm-charts/blob/master/citrix-ingress-controller/values.yaml) contains the default values of the parameters. - -> **Note:** -> -> Please provide frontend-ip (VIP) in your application ingress yaml file. For more info refer [this](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/configure/annotations.md). - -## Route Addition in MPX/VPX -For seamless functioning of services deployed in the Kubernetes cluster, it is essential that Ingress NetScaler device should be able to reach the underlying overlay network over which Pods are running. -`feature-node-watch` knob of Citrix Ingress Controller can be used for automatic route configuration on NetScaler towards the pod network. Refer [Static Route Configuration](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/staticrouting.md) for further details regarding the same. -By default, `feature-node-watch` is false. It needs to be explicitly set to true if auto route configuration is required. - -This can also be achieved by deploying [Citrix Node Controller](https://github.com/citrix/citrix-k8s-node-controller). 
- -If your deployment uses one single Citrix ADC Device to loadbalance between multiple k8s clusters, there is a possibilty of CNI subnets to overlap, causing the above mentioned static routing to fail due to route conflicts. In such deployments [Policy Based Routing(PBR)] (https://docs.citrix.com/en-us/citrix-adc/current-release/networking/ip-routing/configuring-policy-based-routes/configuring-policy-based-routes-pbrs-for-ipv4-traffic.html) can be used instead. This would require you to provide one or more subnet IP Addresses unique for each kubernetes cluster either via Environment variable or Configmap, see [PBR Support](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/docs/how-to/pbr.md) - - Use the following command to provide subnet IPAddresses(SNIPs) to configure Policy Based Routes(PBR) on the Citrix ADC - - ``` - helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,nsSNIPS='[\, \, ...]' - ``` - - [Citrix Node Controller](https://github.com/citrix/citrix-k8s-node-controller) by default also adds static routes while creating the VXLAN tunnel. To use [Policy Based Routing(PBR)] (https://docs.citrix.com/en-us/citrix-adc/current-release/networking/ip-routing/configuring-policy-based-routes/configuring-policy-based-routes-pbrs-for-ipv4-traffic.html) to avoid static route clash, both Citrix Node Controller and Citrix Ingress Controller has to work in conjunction and has to be started with specific arguments. For more details refer [CNC-PBR-SUPPORT](https://github.com/citrix/citrix-k8s-ingress-controller/tree/master/docs/how-to/pbr.md#configure-pbr-using-the-citrix-node-controller). 
- - Use the following command to inform Citrix Ingress Controller that Citrix Node Controller is configuring Policy Based Routes(PBR) on the Citrix ADC - - ``` - helm install my-release citrix/citrix-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,clusterName=,cncPbr= - ``` - -For configuring static routes manually on Citrix ADC VPX or MPX to reach the pods inside the cluster follow: -### For Kubernetes: -1. Obtain podCIDR using below options: - ``` - kubectl get nodes -o yaml | grep podCIDR - ``` - * podCIDR: 10.244.0.0/24 - * podCIDR: 10.244.1.0/24 - * podCIDR: 10.244.2.0/24 - -2. Log on to the Citrix ADC instance. - -3. Add Route in Netscaler VPX/MPX - ``` - add route - ``` -4. Ensure that Ingress MPX/VPX has a SNIP present in the host-network (i.e. network over which K8S nodes communicate with each other. Usually eth0 IP is from this network). - - Example: - * Node1 IP = 192.0.2.1 - * podCIDR = 10.244.1.0/24 - * add route 10.244.1.0 255.255.255.0 192.0.2.1 - -### For OpenShift: -1. Use the following command to get the information about host names, host IP addresses, and subnets for static route configuration. - ``` - oc get hostsubnet - ``` - -2. Log on to the Citrix ADC instance. - -3. Add the route on the Citrix ADC instance using the following command. - ```add route ``` - -4. Ensure that Ingress MPX/VPX has a SNIP present in the host-network (i.e. network over which OpenShift nodes communicate with each other. Usually eth0 IP is from this network). 
-
- For example, if the output of the `oc get hostsubnet` is as follows:
- * oc get hostsubnet
-
- NAME HOST HOST IP SUBNET
- os.example.com os.example.com 192.0.2.1 10.1.1.0/24
-
- * The required static route is as follows:
-
- add route 10.1.1.0 255.255.255.0 192.0.2.1
-
-## Uninstalling the Chart
-To uninstall/delete the ```my-release``` deployment:
-
- ```
- helm delete my-release
- ```
-
-The command removes all the Kubernetes components associated with the chart and deletes the release.
-
-## Related documentation
-
-- [Citrix ingress controller Documentation](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/)
-- [Citrix ingress controller GitHub](https://github.com/citrix/citrix-k8s-ingress-controller)
diff --git a/charts/citrix/citrix-ingress-controller/1.35.6/app-readme.md b/charts/citrix/citrix-ingress-controller/1.35.6/app-readme.md
deleted file mode 100644
index a8a8ebc15a..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.35.6/app-readme.md
+++ /dev/null
@@ -1,5 +0,0 @@
-# Citrix Ingress Controller
-
-[Citrix Ingress Controler](https://github.com/citrix/citrix-k8s-ingress-controller) is an ingress controller for Citrix ADC MPX (hardware), Citrix ADC VPX (virtualized), and Citrix ADC CPX (containerized) for bare metal and cloud deployments. It is built around Kubernetes Ingress and automatically configures Citrix ADC based on the Ingress resource configuration.
-
-This Chart bootstraps standalone Citrix Ingress Controller which can be used to configure Citrix MPX or VPX.
diff --git a/charts/citrix/citrix-ingress-controller/1.35.6/questions.yml b/charts/citrix/citrix-ingress-controller/1.35.6/questions.yml
deleted file mode 100644
index 89389ae11e..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.35.6/questions.yml
+++ /dev/null
@@ -1,348 +0,0 @@
-labels:
- io.rancher.certified: partner
-questions:
-- variable: license.accept
- required: true
- type: enum
- description: "Set to yes to accept the terms and conditions of the Citrix license."
- label: Accept License
- group: "Deployment Settings"
- options:
- - "yes"
- - "no"
-- variable: openshift
- default: false
- type: boolean
- description: "openshift is set to true if charts are being deployed in OpenShift environment"
- label: Openshift flag
- group: "Deployment Settings"
-- variable: adcCredentialSecret
- required: true
- default: ""
- type: string
- description: "adcCredentialSecret is secret file for NetScaler login"
- label: adcCredentialSecret Name
- group: "Deployment Settings"
-- variable: imagePullSecrets[0]
- required: false
- type: string
- description: "Provide list of Kubernetes secrets to be used for pulling the images from a private Docker registry or repository"
- label: imagePullSecrets
- group: "Deployment Settings"
-- variable: nsIP
- required: true
- type: string
- description: "nsIP is NetScaler NSIP/SNIP, SNIP in case of HA (mgmt has to be enabled)"
- label: Citrix ADC IP
- group: "ADC Settings"
-- variable: nsVIP
- required: false
- type: string
- label: Virtual IP of Citrix ADC
- group: "ADC Settings"
-- variable: nsSNIPS
- required: false
- type: string
- description: "The list of subnet IPAddresses on the Citrix ADC device, which will be used to create PBR Routes instead of Static Routes"
- label: Citrix ADC nsSNIPS
- group: "ADC Settings"
-- variable: nsPort
- required: false
- default: 443
- type: int
- description: "nsPort is port for ADC NITRO"
- label: nsPort
- group: "ADC Settings"
-- variable: nsProtocol
- required: false
- default: "HTTPS"
- type: string
- description: "nsProtocol is protocol for ADC NITRO"
- label: nsProtocol
- group: "ADC Settings"
-- variable: entityPrefix
- required: false
- type: string
- description: "The prefix for the resources on the Citrix ADC VPX/MPX"
- label: entityPrefix
- group: "ADC Settings"
-- variable: kubernetesURL
- required: false
- type: string
- description: "kubernetesURL is for registering events to kubeapi server"
- label: Kubernetes API-server URL
- group: "Deployment Settings"
-- variable: clusterName
- required: false
- type: string
- description: "The unique identifier of the kubernetes cluster on which the CIC is deployed"
- label: Cluster Name
- group: "Deployment Settings"
-- variable: ingressClass[0]
- required: false
- type: string
- description: "ingressClass is the name of the Ingress Class"
- label: Ingress Class
- group: "Deployment Settings"
-- variable: setAsDefaultIngressClass
- required: false
- default: False
- type: boolean
- description: "Set the IngressClass object as default ingress class. New Ingresses without an `ingressClassName` field specified will be assigned the class specified in ingressClass. Applicable only for kubernetes versions >= 1.19"
- label: setAsDefaultIngressClass
- group: "Deployment Settings"
-- variable: serviceClass[0]
- required: false
- type: string
- description: "serviceClass is the name of the Service Class"
- label: Service Class
- group: "Deployment Settings"
-- variable: defaultSSLCertSecret
- required: false
- type: string
- description: "Provide Kubernetes secret name that needs to be used as a default non-SNI certificate in Citrix ADC."
- label: defaultSSLCertSecret
- group: "ADC Settings"
-- variable: podIPsforServiceGroupMembers
- required: false
- default: False
- type: boolean
- description: "By default Citrix Ingress Controller will add NodeIP and NodePort as service group members,This variable if set to True will change the behaviour to add pod IP and Pod port instead of nodeIP and nodePort."
- label: podIPsforServiceGroupMembers
- group: "Deployment Settings"
-- variable: ignoreNodeExternalIP
- required: false
- default: False
- type: boolean
- label: ignoreNodeExternalIP
- group: "Deployment Settings"
-- variable: ipam
- required: false
- default: False
- type: boolean
- description: "Set this argument if you want to use the IPAM controller to automatically allocate an IP address to the service of type LoadBalancer"
- label: ipam
- group: "Deployment Settings"
-- variable: logProxy
- required: false
- default: False
- type: string
- description: "Provide Elasticsearch or Kafka or Zipkin endpoint for Citrix observability exporter."
- label: Log Proxy
- group: "Deployment Settings"
-- variable: nodeWatch
- required: false
- default: false
- type: boolean
- description: "nodeWatch is used for automatic route configuration on NetScaler towards the pod network"
- label: NodeWatch
- group: "ADC Settings"
-- variable: cncPbr
- required: false
- default: false
- type: boolean
- description: "Use this argument to inform CIC that Citrix Node Controller(CNC) is configuring Policy Based Routes(PBR) on the Citrix ADC."
- label: CNC PBR
- group: "ADC Settings"
-- variable: nodeSelector.key
- required: false
- type: string
- description: "Node label key to be used for nodeSelector option in CIC deployment"
- label: NodeSelector Key
- group: "Deployment Settings"
-- variable: nodeSelector.value
- required: false
- type: string
- description: "Node label value to be used for nodeSelector option in CIC deployment."
- label: NodeSelector value
- group: "Deployment Settings"
-- variable: tolerations[0]
- required: false
- type: string
- description: "Specify the tolerations for the CIC deployment"
- label: Tolerations
- group: "Deployment Settings"
-- variable: updateIngressStatus
- required: false
- default: false
- type: boolean
- description: "Set this argurment if Status.LoadBalancer.Ingress field of the Ingress resources managed by the Citrix ingress controller needs to be updated with allocated IP addresses"
- label: Update Ingress Status
- group: "Deployment Settings"
-- variable: nsHTTP2ServerSide
- required: false
- default: "OFF"
- type: string
- description: "Set this argument to ON for enabling HTTP2 for Citrix ADC service group configurations."
- label: nsHTTP2ServerSide
- group: "Deployment Settings"
-- variable: nsCookieVersion
- required: false
- default: "0"
- type: string
- description: "Specify the persistence cookie version (0 or 1)"
- label: nsCookieVersion
- group: "Deployment Settings"
-- variable: routeLabels
- required: false
- type: string
- description: "You can use this parameter to provide the route labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster."
- label: Route Labels
- group: "Deployment Settings"
-- variable: namespaceLabels
- required: false
- type: string
- description: "you can use this parameter to provide the namespace labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster"
- label: namespaceLabels
- group: "Deployment Settings"
-- variable: cic.image
- required: true
- type: string
- default: "quay.io/citrix/citrix-k8s-ingress-controller:1.19.6"
- label: CIC Image
- group: "CIC Image Settings"
-- variable: cic.pullpolicy
- required: true
- default: "IfNotPresent"
- type: enum
- label: CIC Image Pullpolicy
- group: "CIC Image Settings"
- options:
- - "Always"
- - "IfNotPresent"
- - "Never"
-- variable: logLevel
- required: false
- default: "INFO"
- type: enum
- label: CIC Loglevel
- group: "CIC Image Settings"
- options:
- - "DEBUG"
- - "INFO"
- - "WARNING"
- - "ERROR"
- - "TRACE"
-- variable: exporter.required
- default: false
- type: boolean
- description: "If set to true exporter will be deployed as sidecar"
- label: Enable Exporter
- group: "Exporter Settings"
-- variable: exporter.image
- default: "quay.io/citrix/citrix-adc-metrics-exporter:1.4.9"
- required: false
- type: string
- description: "Exporter Image"
- label: Exporter Image
- group: "Exporter Settings"
-- variable: exporter.pullPolicy
- required: false
- default: IfNotPresent
- type: string
- description: "Exporter Image pull policy"
- label: Exporter Image PullPolicy
- group: "Exporter Settings"
-- variable: exporter.ports.containerPort
- required: false
- default: 8888
- type: int
- label: Exporter ContainerPort
- group: "Exporter Settings"
-- variable: crds.install
- required: false
- default: true
- type: boolean
- description: "If set to true the charts will install CustomResourceDefinitions which are consumed by CIC."
- label: CRD flag
- group: "Deployment Settings"
-- variable: crds.retainOnDelete
- required: false
- default: false
- type: boolean
- description: "Set this argument to true if you want to retain CustomResourceDefinitions even after uninstalling CIC. This will avoid data-loss of Custom Resource Objects created before uninstallation."
- label: CRD retainOnDelete flag
- group: "Deployment Settings"
-- variable: coeConfig.required
- required: true
- default: false
- type: boolean
- description: "Set this to true if you want to configure Citrix ADC to send metrics and transaction records to COE"
- label: Enable COE
- group: "COE Settings"
-- variable: coeConfig.distributedTracing.enable
- required: false
- default: false
- type: boolean
- description: "Set this value to true to enable OpenTracing in Citrix ADC."
- label: Enable coeConfig DistributedTracing
- group: "COE Settings"
-- variable: coeConfig.distributedTracing.samplingrate
- required: false
- default: "100"
- type: string
- description: "Specifies the OpenTracing sampling rate in percentage."
- label: coeConfig DistributedTracing Samplingrate
- group: "COE Settings"
-- variable: coeConfig.endpoint.server
- required: false
- type: string
- description: "Set this value as the IP address or DNS address of the analytics server"
- label: coeConfig Endpoint Server
- group: "COE Settings"
-- variable: coeConfig.timeseries.port
- required: false
- default: "30002"
- type: string
- description: "Specify the port used to expose COE service outside cluster for timeseries endpoint"
- label: coeConfig timeseries Port
- group: "COE Settings"
-- variable: coeConfig.timeseries.metrics.enable
- required: false
- default: False
- type: boolean
- description: "Set this value to true to enable sending metrics from Citrix ADC"
- label: Enable coeConfig Timeseries Metrics
- group: "COE Settings"
-- variable: coeConfig.timeseries.metrics.mode
- required: false
- default: "avro"
- type: string
- description: "Specifies the mode of metric endpoint"
- label: coeConfig Timeseries Metrics Mode
- group: "COE Settings"
-- variable: coeConfig.timeseries.auditlogs.enable
- required: false
- default: False
- type: boolean
- description: "Set this value to true to export audit log data from Citrix ADC"
- label: coeConfig Timeseries Auditlogs Enable
- group: "COE Settings"
-- variable: coeConfig.timeseries.events.enable
- required: false
- default: False
- type: boolean
- description: "Set this value to true to export events from the Citrix ADC"
- label: Enable coeConfig Timeseries Events
- group: "COE Settings"
-- variable: coeConfig.transactions.enable
- required: false
- default: False
- type: boolean
- description: "Set this value to true to export transactions from Citrix ADC"
- label: Enable coeConfig Transactions
- group: "COE Settings"
-- variable: coeConfig.transactions.port
- required: false
- default: 30001
- type: string
- description: "Specify the port used to expose COE service outside cluster for transaction endpoint"
- label: coeConfig Transactions Port
- group: "COE Settings"
-- variable: serviceAccount.create
- required: false
- default: true
- type: boolean
- description: "Specifies whether a ServiceAccount should be created"
- label: ServiceAccount Create
- group: "Deployment Settings"
diff --git a/charts/citrix/citrix-ingress-controller/1.35.6/templates/NOTES.txt b/charts/citrix/citrix-ingress-controller/1.35.6/templates/NOTES.txt
deleted file mode 100644
index 4d07f639fb..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.35.6/templates/NOTES.txt
+++ /dev/null
@@ -1,15 +0,0 @@
-Thank you for installing {{ .Chart.Name }}.
-
-Your release is named {{ .Release.Name }}.
-
-
-To learn more about the release, try:
-
- $ helm status {{ .Release.Name }}
- $ helm get {{ .Release.Name }}
-
-
-To delete :
- helm delete {{ .Release.Name }}
-
-
diff --git a/charts/citrix/citrix-ingress-controller/1.35.6/templates/_helpers.tpl b/charts/citrix/citrix-ingress-controller/1.35.6/templates/_helpers.tpl
deleted file mode 100644
index efca8083c7..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.35.6/templates/_helpers.tpl
+++ /dev/null
@@ -1,94 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Analytics Server IP or DNS
-*/}}
-{{- define "analytics.server" -}}
-{{- if .Values.analyticsConfig.endpoint.server -}}
-{{- printf .Values.analyticsConfig.endpoint.server -}}
-{{- else -}}
-{{- $addresses := first (first (lookup "v1" "Node" "" "").items).status.addresses -}}
-{{- printf "%s" ($addresses).address -}}
-{{- end -}}
-{{- end -}}
-
-
-
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "citrix-ingress-controller.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "citrix-ingress-controller.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "exporter.fullname" -}}
-{{- $name := default .Chart.Name "exporter" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "servicemonitor.fullname" -}}
-{{- $name := default .Chart.Name "citrix-adc-servicemonitor" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "servicemonitorlabel" -}}
-{{- $name := default .Chart.Name "citrix-adc-svcmon" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "cicconfigmap.fullname" -}}
-{{- $name := default .Chart.Name "cic-configmap" .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "citrix-ingress-controller.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "citrix-ingress-controller.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create -}}
- {{ default (include "citrix-ingress-controller.fullname" .) .Values.serviceAccount.name }}
-{{- else -}}
- {{ default "default" .Values.serviceAccount.name }}
-{{- end -}}
-{{- end -}}
diff --git a/charts/citrix/citrix-ingress-controller/1.35.6/templates/cic_crds.yaml b/charts/citrix/citrix-ingress-controller/1.35.6/templates/cic_crds.yaml
deleted file mode 100644
index 085d7d271d..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.35.6/templates/cic_crds.yaml
+++ /dev/null
@@ -1,2549 +0,0 @@ -{{- if .Values.crds.install }} -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: rewritepolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: rewritepolicy - plural: rewritepolicies - singular: rewritepolicy - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - rewrite-policies: - type: array - items: - type: object - properties: - servicenames: - description: 'Name of the services that needs to be binded to rewrite policy.' - type: array - items: - type: string - maxLength: 127 - goto-priority-expression: - description: 'Expression or other value specifying the next policy to be - evaluated if the current policy evaluates to TRUE. - Specify one of the following values: - * NEXT - Evaluate the policy with the next higher priority number. - * END - End policy evaluation. - Default value of goto-priority-expression: END' - type: string - maxLength: 1499 - logpackets: - type: object - description: 'Adds an audit message action. - The action specifies whether to log the message, and to which log.' 
- properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' - type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - rewrite-policy: - type: object - properties: - rewrite-criteria: - description: 'Expression against which traffic is evaluated.' - type: string - maxLength: 1299 - default-action: - description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). - An UNDEF event indicates an internal error condition.' - type: string - maxLength: 77 - enum: ['NOREWRITE', 'RESET', 'DROP'] - operation: - description: 'Type of user-defined rewrite action.' - type: string - enum: ["noop", "delete", "insert_http_header", "delete_http_header", - "corrupt_http_header", "insert_before", "insert_after", "replace", - "replace_http_res", "delete_all", "replace_all", "insert_before_all", - "insert_after_all", "clientless_vpn_encode", "clientless_vpn_encode_all", - "clientless_vpn_decode", "clientless_vpn_decode_all", "insert_sip_header", - "delete_sip_header", "corrupt_sip_header", "replace_sip_res", "replace_diameter_header_field", - "replace_dns_header_field", "replace_dns_answer_section"] - target: - description: 'Default syntax expression that specifies which part of the request or response to rewrite.' - type: string - maxLength: 1229 - modify-expression: - description: 'Default syntax expression that specifies the content to insert into the request - or response at the specified location, or that replaces the specified string.' - type: string - maxLength: 7991 - multiple-occurence-modify: - description: 'Search facility that is used to match multiple strings in the request or response.' 
- type: string - maxLength: 171 - additional-multiple-occurence-modify: - description: 'Specify additional criteria to refine the results of the search. - Always starts with the "extend(m,n)" operation, where "m" specifies number of bytes to the left of selected data - and "n" specifies number of bytes to the right of selected data. - You can use refineSearch only on body expressions, and only when rewrite-criteria is any one of this: - INSERT_BEFORE_ALL, INSERT_AFTER_ALL, REPLACE_ALL, and DELETE_ALL.' - type: string - maxLength: 1299 - direction: - description: 'Bind point to which to bind the policy.' - type: string - enum: ["REQUEST","RESPONSE"] - comment: - description: 'Any comments to preserve information about this rewrite policy.' - type: string - maxLength: 255 - required: [rewrite-criteria, operation, target, direction] - required: [rewrite-policy] - - responder-policies: - type: array - items: - type: object - properties: - servicenames: - description: 'Name of the services that needs to be binded to responder policy.' - type: array - items: - type: string - maxLength: 127 - goto-priority-expression: - description: 'Expression or other value specifying the next policy to be - evaluated if the current policy evaluates to TRUE. - Specify one of the following values: - * NEXT - Evaluate the policy with the next higher priority number. - * END - End policy evaluation. - Default value of goto-priority-expression: END' - type: string - maxLength: 1499 - logpackets: - type: object - description: 'Adds an audit message action. - The action specifies whether to log the message, and to which log.' - properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' 
- type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", - "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - responder-policy: - type: object - properties: - redirect: - type: object - description: 'Use this option when you want to Redirect the request when request matches to policy.' - properties: - url: - description: 'URL on which you want to redirect the request.' - type: string - maxLength: 7991 - redirect-status-code: - description: 'HTTP response status code, for example 200, 302, 404, etc.' - type: integer - minimum: 100 - maximum: 599 - redirect-reason: - description: 'Expression specifying the reason for redirecting the request.' - type: string - maxLength: 7991 - required: [url] - respondwith: - type: object - description: 'Use this parameter when you want to respond to the request when request matches to policy.' - properties: - http-payload-string: - description: 'Expression that you want to sent as response to the request.' - type: string - maxLength: 7991 - required: [http-payload-string] - noop: - type: string - description: 'Use this option when you want to send the request to the protected server instead of - responding to it when request matches to policy.' - properties: - target: - description: 'Default syntax expression that specifies to perform noop operation on' - type: string - maxLength: 1229 - reset: - type: string - description: 'Use this option when you want to Reset the client connection by closing it when request matches to policy.' - properties: - drop: - type: string - description: 'Use this option when you want to drop the request without sending a response to the user when request matches to policy.' - properties: - respond-criteria: - description: 'Default syntax expression that the policy uses to determine whether to respond to the specified request.' 
- type: string - maxLength: 1299 - default-action: - description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). - An UNDEF event indicates an internal error condition.' - type: string - maxLength: 77 - enum: ['NOOP', 'RESET', 'DROP'] - comment: - description: 'Any comments to preserve information about this responder policy.' - type: string - maxLength: 255 - required: [respond-criteria] - oneOf: [required: [redirect], required: [respondwith], required: [noop], required: [reset], required: [drop]] - required: [responder-policy] - - dataset: - type: array - items: - type: object - properties: - name: - description: 'Name of the dataset.' - type: string - maxLength: 32 - type: - description: 'Type of value to bind to the dataset.' - type: string - enum: ["ipv4", "number", "ipv6", "ulong", "double", "mac"] - comment: - description: 'Any comments to preserve information about this dataset.' - type: string - maxLength: 255 - values: - description: 'Value of the specified type that is associated with this dataset.' - type: array - items: - type: string - required: [name, type, values] - - patset: - type: array - items: - type: object - properties: - name: - description: 'Name of the Patset.' - type: string - maxLength: 32 - comment: - description: 'Any comments to preserve information about this patset.' - type: string - maxLength: 255 - values: - description: 'String of characters that constitutes a pattern and is associated with this patset.' - type: array - items: - type: string - required: [name, values] - - stringmap: - type: array - items: - type: object - properties: - name: - description: 'Name of the Stringmap.' - type: string - maxLength: 32 - comment: - description: 'Any comments to preserve information about this stringmap.' - type: string - maxLength: 255 - values: - description: 'List of (key,value) pairs to be bound to this string map.' 
- type: array - items: - type: object - properties: - key: - description: 'Character string constituting the key to be bound to this string map.' - type: string - maxLength: 2047 - value: - description: 'Character string constituting the value associated with the key.' - type: string - maxLength: 2047 - required: [name, values] - - httpcallout_policy: - type: array - items: - type: object - properties: - name: - description: 'httpcallout name' - type: string - maxLength: 32 - server_ip: - description: 'IP Address of the server(callout agent) to which the callout is sent.' - type: string - server_port: - description: 'Port of the server(callout agent) to which the callout is sent.' - type: integer - minimum: 1 - maximum: 65535 - http_method: - description: |+ - 'Method used in the HTTP request that this callout sends. - Default http method is GET' - type: string - enum: ['GET', 'POST'] - host_expr: - description: |+ - 'String expression to configure the Host header. Can contain a literal value - (for example, 10.101.10.11) or a derived value (for example, http.req.header("Host")). - The literal value can be an IP address or a fully qualified domain name. Mutually - exclusive with the full HTTP request expression.' - type: string - maxLength: 255 - url_stem_expr: - description: |+ - 'String expression for generating the URL stem. Can contain a literal string - (for example, "/mysite/index.html") or an expression that derives the value - (for example, http.req.url).' - type: string - maxLength: 8191 - headers: - type: array - description: |+ - 'One or more headers to insert into the HTTP request. Each header is represented by - name and expr, where expr is an expression that is evaluated at runtime to provide - the value for the named header. You can configure a maximum of eight headers for - an HTTP callout.' 
- items: - type: object - properties: - name: - description: 'header name' - type: string - expr: - description: 'header expression' - type: string - parameters: - type: array - description: |+ - 'One or more query parameters to insert into the HTTP request URL (for a GET request) - or into the request body (for a POST request). Each parameter is represented by - name and expr, where expr is an expression that is evaluated at run time to provide - the value for the named parameter (name=value). The parameter values are URL encoded.' - items: - type: object - properties: - name: - description: 'parameter name' - type: string - expr: - description: 'parameter expression' - type: string - body_expr: - description: |+ - 'An advanced string expression for generating the body of the request. - The expression can contain a literal string or an expression that derives - the value (for example, client.ip.src).' - type: string - full_req_expr: - description: |+ - 'Exact HTTP request, in the form of an expression, which the Citrix ADC sends - to the callout agent. The request expression is constrained by the feature - for which the callout is used. For example, an HTTP.RES expression cannot be - used in a request-time policy bank or in a TCP content switching policy bank.' - type: string - scheme: - description: |+ - 'Type of scheme for the callout server. - Default scheme is HTTP' - type: string - enum: ['HTTP', 'HTTPS'] - cache_for_secs: - description: |+ - 'Duration, in seconds, for which the callout response is cached. - The cached responses are stored in an integrated caching content - group named "calloutContentGroup". If no duration is configured, - the callout responses will not be cached unless normal caching - configuration is used to cache them. This parameter takes precedence over any - normal caching configuration that would otherwise apply to these responses.' 
- type: integer - minimum: 1 - maximum: 31536000 - return_type: - description: |+ - 'Type of data that the target callout agent returns in response to the callout - Available settings function as follows: - * TEXT - Treat the returned value as a text string. - * NUM - Treat the returned value as a number. - * BOOL - Treat the returned value as a Boolean value.' - type: string - enum: ['TEXT', 'NUM', 'BOOL'] - result_expr: - description: |+ - 'Expression that extracts the callout results from the response sent by the HTTP callout - agent. Must be a response based expression, that is, it must begin with HTTP.RES. The - operations in this expression must match the return type. For example, if you configure - a return type of TEXT, the result expression must be a text based expression. If the - return type is NUM, the result expression (resultExpr) must return a numeric value, - as in the following example: http.res.body(10000).length.' - type: string - maxLength: 8191 - comment: - description: 'Any comments to preserve information about this HTTP callout.' 
- type: string - maxLength: 255 - allOf: - - properties: - required: [name, server_ip, server_port] - - properties: - oneOf: - - properties: - required: [full_req_expr] - - properties: - anyOf: - - properties: - required: [http_method] - - properties: - required: [host_expr] - - properties: - required: [url_stem_expr] - - properties: - required: [headers] - - properties: - required: [parameters] - - properties: - required: [body_expr] - anyOf: [required: [rewrite-policies], required: [responder-policies]] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: ratelimits.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: ratelimit - plural: ratelimits - singular: ratelimit - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the ratelimit policies are applied.' - type: array - items: - type: string - maxLength: 127 - selector_keys: - type: object - description: 'Traffic match criteria to which apply above rate-limit/throttling. All keys are applied as AND condition. 
If no keys are specified, rate-limit applies at service level' - properties: - basic: - type: object - description: "Basic traffic stream selection criteria to which to apply the ratelimit" - properties: - path: - type: array - description: "api resource path prefix match. e.g. /api/v1/products" - items: - type: string - method: - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT','PATCH', 'UNKNOWN_METHOD'] - header_name: - description: "HTTP header that identifies the unique API client for e.g. X-apikey" - type: string - per_client_ip: - description: "Setting this applies the throttling limit to each unique Client IP address accessing the API resource" - type: boolean - req_threshold: - description: 'Max requests per timeslice units to be allowed' - type: integer - timeslice: - description: 'Timeslice in miliseconds in multiple of 10. Defaults to 1000 miliseconds' - type: integer - limittype: - description: "Burst mode or smooth. Defaults to smooth limittype if not specified" - type: string - enum: ['BURSTY','SMOOTH'] - throttle_action: - type: string - enum: ['DROP', 'RESET','REDIRECT', 'RESPOND'] - description: "Drop will drop the requests exceeding limits, RESET will reset the client connection, Redirect will redirect to specified URL, respond will respond with 429 'Exceeded allowed rate of requests'" - redirect_url: - type: string - description: "Redirect-URL" - logpackets: - type: object - description: 'Adds an audit message action. The action specifies whether to log the message, and to which log.' - properties: - logexpression: - description: 'Default-syntax expression that defines the format and content of the log message.' - type: string - maxLength: 7991 - loglevel: - description: 'Audit log level, which specifies the severity level of the log message being generated.' 
- type: string - enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"] - required: [logexpression, loglevel] - required: [req_threshold] ---- -#Sample CRD instance - -#apiVersion: citrix.com/v1 -#description: VIP for apache service -#kind: vip -#metadata: -# name: service-apache -# namespace: default -#spec: -# description: VIP for the apache Service -# ipaddress: 10.99.98.90 -# kind: service -# name: apache - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: vips.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: vip - plural: vips - singular: vip - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - additionalPrinterColumns: - - jsonPath: .spec.ipaddress - name: VIP - type: string - - name: Age - type: date - jsonPath: .metadata.creationTimestamp - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - ipaddress: - type: string - name: - type: string - kind: - type: string - enum: ["service", "ingress"] - description: - type: string - range-name: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: authpolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: authpolicy - plural: authpolicies - singular: authpolicy - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: 'Current Status of the CRD' - jsonPath: .status.state - - name: Message - type: string - description: 'Status Message' - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: 
string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: |+ - 'Name of the services for which the policies applied' - type: array - items: - type: string - maxLength: 63 - authentication_mechanism: - type: object - description: |+ - 'Authentication mechanism. Options: using forms or using request header. - Default is Authentication using request header, when no option is specified' - properties: - using_request_header: - description: |+ - 'Enable user authentication using request header. Use when the credentials - or api keys are passed in a header. For example, when using Basic, Digest, - Bearer authentication or api keys. - When authentication using forms is provided, this is set to OFF' - - type: string - using_forms: - type: object - description: 'Enables authentication using forms. Use with user/web authentication.' - properties: - authentication_host: - description: |+ - 'Fully qualified domain name (FQDN) for authentication. - This FQDN should be unique and should resolve to frontend IP of - ADC with Ingress/service type LoadBalancer (or) vip of Listener CRD' - type: string - maxLength: 255 - authentication_host_cert: - description: |+ - 'Name of the SSL certificate to be used with authentication_host. 
- This certificate is mandatory while using_forms' - type: object - properties: - tls_secret: - type: string - description: 'Name of the Kubernetes Secret of type tls referring to Certificate' - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - preconfigured: - type: string - maxLength: 63 - description: |+ - 'Preconfigured SSL certkey name on ADC with the - certificate and key already added on ADC' - oneOf: - - properties: - required: [tls_secret] - - properties: - required: [preconfigured] - ingress_name: - description: |+ - 'Ingress name for which the authentication using forms - is applicable.' - type: string - maxLength: 63 - lb_service_name: - description: |+ - 'Service of type LoadBalancer for which the authentication using forms - is applicable.' - type: string - maxLength: 63 - listener_name: - description: |+ - 'Listener CRD name for which the authentication using forms is applicable.' - type: string - maxLength: 63 - vip: - description: |+ - 'Frontend IP of ingress for which the authentication - using forms is applicable. This refers to frontend-ip provided - with Ingress. It is suggested to use vip, if more than one Ingress - resource use the same frontend-ip' - type: string - required: [authentication_host, authentication_host_cert] - oneOf: - - properties: - required: [ingress_name] - - properties: - required: [lb_service_name] - - properties: - required: [listener_name] - - properties: - required: [vip] - oneOf: - - properties: - using_request_header: - enum: ['ON'] - required: [using_request_header] - - properties: - required: [using_forms] - - authentication_providers: - description: |+ - 'Authentication Configuration for required authentication providers/schemes. 
- One or more of these can be created' - type: array - items: - description: 'Create config for a single authentication provider of a particular type' - type: object - properties: - name: - description: 'Name for this provider, has to be unique, referenced by authentication policies' - type: string - maxLength: 127 - - oauth: - description: 'Authentication provided by external oAuth provider' - type: object - properties: - issuer: - description: 'Identity of the server whose tokens are to be accepted' - type: string - maxLength: 127 - audience: - description: 'Audience for which token sent by Authorization server is applicable' - type: array - items: - type: string - maxLength: 127 - jwks_uri: - description: |+ - 'URL of the endpoint that contains JWKs (Json Web Key) for - JWT (Json Web Token) verification' - type: string - maxLength: 127 - introspect_url: - description: ' URL of the introspection server' - type: string - maxLength: 127 - client_credentials: - description: |+ - 'secrets object that contains Client Id and secret as known - to Introspection server' - type: string - maxLength: 253 - token_in_hdr: - description: |+ - 'custom header name where token is present, - default is Authorization header' - type: array - items: - type: string - maxLength: 127 - maxItems: 2 - token_in_param: - description: 'query parameter name where token is present' - type: array - items: - type: string - maxLength: 127 - maxItems: 2 - signature_algorithms: - description: 'list of allowed signature algorithms, by default HS256, RS256, RS512 are allowed' - type: array - items: - type: string - enum: ['HS256', 'RS256', 'RS512'] - claims_to_save: - description: 'list of claims to be saved, used to create authorization policies' - type: array - items: - type: string - maxLength: 127 - metadata_url: - description: 'URL used to get OAUTH/OIDC provider metadata' - type: string - maxLength: 255 - user_field: - description: |+ - 'Attribute in the token from which username should be 
extracted. - by default, ADC looks at email attribute for user id' - type: string - maxLength: 127 - default_group: - description: |+ - 'group assigned to the request if authentication succeeds, - this is in addition to any extracted groups from token' - type: string - maxLength: 63 - grant_type: - description: 'used to specify the type of flow to the token end point, defaults to CODE' - type: array - items: - type: string - enum: ['CODE','PASSWORD'] - pkce: - description: 'specify whether to enable Proof Key Code Exchange, defaults to ENABLED' - type: string - enum: ['ENABLED', 'DISABLED'] - token_ep_auth_method: - description: |+ - 'authentication method to be used with token end point, - defaults to client_secret_post' - type: string - enum: ['client_secret_post', 'client_secret_jwt'] - - anyOf: - - properties: - required : [jwks_uri] - - properties: - required : [introspect_url, client_credentials] - - properties: - required : [metadata_url] - - ldap: - description: 'LDAP authentication provider' - type: object - properties: - server_ip: - description: 'IP address assigned to the LDAP server' - type: string - server_name: - description: 'LDAP server name as a FQDN' - type: string - maxLength: 127 - server_port: - description: 'Port on which the LDAP server accepts connections. Default is 389' - type: integer - minimum: 1 - maximum: 65535 - base: - description: |+ - 'Base (node) from which to start LDAP searches. If the LDAP server is - running locally, the default value of base is dc=netscaler, dc=com' - type: string - maxLength: 127 - server_login_credentials: - description: |+ - 'Kubernetes secret object providing credentials to login to LDAP server, - The secret data should have username and password' - type: string - login_name: - description: |+ - 'LDAP login name attribute. 
The Citrix ADC uses the LDAP login name - to query external LDAP servers or Active Directories' - type: string - maxLength: 127 - security_type: - description: |+ - 'Type of security used for communications between the Citrix ADC - and the LDAP server. Default is TLS' - type: string - enum: ['PLAINTEXT', 'TLS', 'SSL'] - validate_server_cert: - description: 'Validate LDAP Server certs. Default is NO' - type: string - enum: ['YES', 'NO'] - hostname: - description: |+ - 'Hostname for the LDAP server. If validate_server_cert is ON, - this must be the host name on the certificate from the LDAP - A hostname mismatch will cause a connection failure' - type: string - maxLength: 127 - sub_attribute_name: - description: 'LDAP group sub-attribute name. Used for group extraction from the LDAP server.' - type: string - maxLength: 31 - group_attribute_name: - description: 'LDAP group attribute name. Used for group extraction on the LDAP server.' - type: string - maxLength: 31 - search_filter: - description: |+ - 'String to be combined with the default LDAP user search string to form the - search value. For example, if the search filter "vpnallowed=true" is combined - with the LDAP login name "samaccount" and the user-supplied username is "bob", - the result is the LDAP search string ""(&(vpnallowed=true)(samaccount=bob)"" - (Be sure to enclose the search string in two sets of double quotation marks)' - type: string - maxLength: 255 - auth_timeout: - description: |+ - 'Number of seconds the Citrix ADC waits for a response from the server - Default is 3' - type: integer - minimum: 1 - maximum: 4294967295 - password_change: - description: 'Allow password change requests. 
Default is DISABLED' - type: string - enum: ['ENABLED', 'DISABLED'] - attributes_to_save: - description: |+ - 'List of attribute names separated by comma which needs to be fetched - from LDAP server and stored as key-value pair for the session on ADC' - type: string - maxLength: 2047 - oneOf: - - properties: - required: [server_ip] - - properties: - required: [server_name] - - saml: - description: |+ - 'SAML authentication provider. - Currently SAML is supported only with authentication mechanism using forms' - type: object - properties: - metadata_url: - description: 'URL is used for obtaining saml metadata.' - type: string - maxLength: 255 - metadata_refresh_interval: - description: |+ - 'Interval in minutes for fetching metadata from specified metadata URL. - Default is 36000' - type: integer - minimum: 1 - maximum: 4294967295 - signing_cert: - description: 'SSL certificate to sign requests from SP to IDP' - type: object - properties: - tls_secret: - type: string - description: 'Name of the Kubernetes Secret of type tls referring to Certificate' - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - preconfigured: - type: string - maxLength: 63 - description: |+ - 'Preconfigured SSL certkey name on ADC with the - certificate and key already added on ADC' - oneOf: - - properties: - required: [tls_secret] - - properties: - required: [preconfigured] - audience: - description: 'Audience for which assertion sent by IdP is applicable' - type: string - maxLength: 127 - issuer_name: - description: 'The name to be used in requests sent from SP to IDP to identify citrix ADC' - type: string - maxLength: 63 - binding: - description: 'Specifies the transport mechanism of saml message. Default is POST' - type: string - enum: ['REDIRECT', 'POST', 'ARTIFACT'] - artifact_resolution_service_url: - description: 'URL of the Artifact Resolution Service on IdP' - type: string - maxLength: 255 - logout_binding: - description: 'Specifies the transport mechanism of saml logout. 
Default is POST' - type: string - enum: ['REDIRECT', 'POST'] - reject_unsigned_assertion: - description: |+ - 'Reject unsigned SAML assertions. ON, rejects assertion without signature. - STRICT ensure that both Response and Assertion are signed. Default is ON' - type: string - enum: ['ON', 'OFF', 'STRICT'] - user_field: - description: 'SAML user ID, as given in the SAML assertion' - type: string - maxLength: 63 - default_authentication_group: - description: |+ - 'This is the default group that is chosen when the authentication - succeeds in addition to extracted groups' - type: string - maxLength: 63 - skew_time: - description: |+ - 'Allowed clock skew in number of minutes on an incoming assertion. - Default is 5' - type: integer - minimum: 1 - attributes_to_save: - description: |+ - 'List of attribute names separated by comma which needs to be extracted - and stored as key-value pair for the session on ADC' - type: string - maxLength: 2047 - required: - - metadata_url - - basic_local_db: - type: object - description: |+ - 'Basic HTTP authentication supported by ADC, user data in local DB of ADC. - Users needs to be added on ADC' - properties: - use_local_auth: - description: 'Use ADC authentication' - type: string - enum: ['YES'] - - required: - - name - - authentication_policies: - description: 'Authentication policies' - type: array - items: - type: object - description: 'Authentication policy' - properties: - resource: - type: object - description: 'endpoint/resource selection criteria' - properties: - path: - description: 'api resource path e.g. /products. 
' - type: array - items: - type: string - maxLength: 511 - method: - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT','PATCH', 'UNKNOWN_METHOD'] - required: - - path - expression: - description: 'ADC syntax expression for authentication' - type: string - maxLength: 1229 - provider: - description: 'name of the authentication provider for the policy, empty if no authentication required' - type: array - items: - type: string - maxLength: 127 - maxItems: 1 - oneOf: - - required: [resource, provider] - - required: [expression, provider] - - authorization_policies: - description: 'Authorization policies' - type: array - items: - type: object - description: 'Authorization policy' - properties: - resource: - type: object - description: 'endpoint/resource selection criteria' - properties: - path: - description: 'api resource path e.g. /products. ' - type: array - items: - type: string - maxLength: 511 - method: - description: ' http method' - type: array - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT','PATCH', 'UNKNOWN_METHOD'] - claims: - description: 'authorization scopes required for selected resource saved as claims or attributes' - type: array - items: - type: object - properties: - name: - description: 'name of the claim/attribute to check' - type: string - maxLength: 127 - values: - description: 'list of claim values required for the request' - type: array - items: - type: string - maxLength: 127 - minItems: 1 - required: - - name - - values - required: - - claims - expression: - description: 'ADC syntax expression for authorization' - type: string - maxLength: 1229 - oneOf: - - required: [resource] - - required: [expression] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: listeners.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - 
group: citrix.com - names: - kind: Listener - plural: listeners - singular: listener - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - required: [spec] - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - required: [protocol] - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - protocol: - type: string - enum: ["https", "http"] - description: "Protocol for this listener" - vip: - type: string - description: "VIP address, Optional for CPX, required for Tier-1 deployments" - secondaryVips: - type: array - description: "An array of Secondary VIPs. All the VIPs will be part of an ipset" - minItems: 1 - items: - type: string - redirectPort: - type: integer - minimum: 1 - maximum: 65535 - description: "Port from which http traffic should be redirected to https" - port: - type: integer - minimum: 1 - maximum: 65535 - certificates: - type: array - description: "certificates attached to the endpoints - Not applicable for HTTP" - minItems: 1 - items: - type: object - properties: - preconfigured: - type: string - description: "Preconfigured Certificate name on ADC " - secret: - type: object - description: "Kuberentes secret object" - required: [name] - properties: - name: - type: string - description: "name of the Kubernetes Secret object where Cert is located" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - namespace: - type: string - description: "Namespace of the kubernetes secret object; Default is same namespace where the Listener object is located" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - default: - type: boolean - description: "Only one of the certificate can be marked as default which will be presented if none of 
the cert matches with the hostname" - oneOf: - - required: ["preconfigured"] - - required: ["secret"] - policies: - type: object - description: "Policies attached to the Listener" - properties: - httpprofile: - type: object - description: "HTTP profile configurations for the Listener, HTTP level configurations" - properties: - preconfigured: - type: string - description: "Preconfigured or Built-in HTTP profile name" - config: - type: object - description: "HTTP profile configuration for the listener. For individual fields, refer:https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ns/nshttpprofile/nshttpprofile/ Name field is auto populated" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - tcpprofile: - type: object - description: "TCP level configurations, uses ns tcpprofile of citrix ADC" - properties: - preconfigured: - description: "Preconfigured or Built-in TCP profile name" - type: string - config: - type: object - description: "TCPprofile configurations for the listener. For individual fields refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ns/nstcpprofile/ ; Name field is auto populated" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - csvserverConfig: - type: object - description: "CS Vserver configuration for the listener" - additionalProperties: - type: string - sslprofile: - type: object - description: "SSL profile configuration" - properties: - preconfigured: - type: string - description: "SSL profile which is preconfigured in ADC. Ciphers bound to the profile is not overriden" - config: - description: "Citrix ADC frontend SSL profile configurations. 
Refer:https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ssl/sslprofile/ for all configurations; Name field is auto generated" - type: object - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - sslciphers: - type: array - description: "List of ciphers to be bound to the ssl profile for the listener. Priority is as per the order in the list. A cipher suite, predefined cipher group or User created cipher group can be mentioned" - minItems: 1 - items: - type: string - description: "Cipher suite, cipher group name" - analyticsprofile: - type: object - description: "Analytics profile configuration" - properties: - preconfigured: - type: array - description: "Preconfigured Analytics profile that needs to be bound to the vserver" - minItems: 1 - items: - type: string - description: "Name of the analytics profile preconfigured that will be bound to the Vserver" - config: - type: array - description: "An array of analytics to be enabled" - minItems: 1 - items: - type: object - description: "Anlytics to be enabled" - required: ['type'] - properties: - type: - description: "Analytics profile to be enabled, you can enable one or more of the webinsight, tcpinsight, securityinsight, videoinsight, hdxinsight, gatewayinsight, timeseries, lsninsight, botinsight " - type: string - enum: ["webinsight", "tcpinsight", "securityinsight", "videoinsight", "hdxinsight", "gatewayinsight", "timeseries", "lsninsight", "botinsight"] - parameters: - type: object - description: "Additional parameters for analytics profile. 
Please refer:https://developer-docs.citrix.com/projects/citrix-adc-nitro-api-reference/en/latest/configuration/analytics/analyticsprofile/" - additionalProperties: - type: string - oneOf: - - required: ["preconfigured"] - - required: ["config"] - routes: - type: array - description: "List of route objects attached to the listener" - minItems: 1 - items: - type: object - properties: - name: - type: string - description: "Name of the HTTPRoute object" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - namespace: - type: string - description: "Namespace of the HTTPRoute object" - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - labelSelector: - description: "Labels key value pair, if the route carries the same labels, it is automatically attached" - type: object - additionalProperties: - type: string - oneOf: - - required: [name, namespace] - - required: [labelSelector] - defaultAction: - type: object - description: "Default action for the listener: One of Backend or Redirect" - properties: - backend: - type: object - oneOf: - - required: [kube] - properties: - kube: - type: object - required: [service, port] - properties: - service: - description: "Name of the backend service" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - port: - description: "Service port" - type: integer - minimum: 1 - maximum: 65535 - namespace: - description: "Service namespace" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - backendConfig: - description: "General backend service options" - type: object - properties: - secure_backend: - description: "Use Secure communications to the backends" - type: boolean - lbConfig: - description: "Citrix ADC LB vserver configurations for the backend. 
Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/load-balancing/lbvserver/lbvserver/ for all configurations" - type: object - additionalProperties: - type: string - servicegroupConfig: - description: "Citrix ADC service group configurations for the backend; Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/basic/servicegroup/servicegroup/ for all configurations" - type: object - additionalProperties: - type: string - redirect: - type: object - oneOf: - - required: [targetExpression] - - required: [hostRedirect] - - required: [httpsRedirect] - properties: - httpsRedirect: - description: "Change the scheme from http to https keeping URL intact" - type: boolean - hostRedirect: - description: "Host name specified is used for redirection with URL intact" - type: string - targetExpression: - description: "A target can be specified using Citrix ADC policy expression" - type: string - responseCode: - description: "Default response code is 302, which can be customised using this attribute" - type: integer - minimum: 100 - maximum: 599 - oneOf: - - required: ["backend"] - - required: ["redirect"] - subresources: - # status enables the status subresource. 
- status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: httproutes.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: HTTPRoute - plural: httproutes - singular: httproute - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - required: [rules] - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - hostname: - type: array - description: "List of domain names that share the same route, default is '*'" - minItems: 1 - items: - type: string - description: "Domain name" - rules: - type: array - description: "List Content routing rules with an action defined" - minItems: 1 - items: - type: object - required: [name, action] - properties: - name: - type: string - description: "A name to represent the rule, this is used as an identifier in content routing policy name in ADC" - minLength: 1 - maxLength: 20 - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - match: - type: array - description: "List of rules with same action" - minItems: 1 - items: - type: object - anyOf: - - required: [path] - - required: [headers] - - required: [cookies] - - required: [queryParams] - - required: [method] - - required: [policyExpression] - properties: - path: - type: object - description: "URL Path based content routing" - properties: - prefix: - type: string - description: "URL path matches the prefix expression" - exact: - type: string - description: "URL Path must match exact path" - regex: - type: string - description: "PCRE based 
regex expression for path matching" - headers: - type: array - description: "List of header for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Header details for content routing, Check for existence of a header or header name-value match" - properties: - headerName: - type: object - description: "Header name based content routing, Here existence of header is used for routing" - properties: - exact: - type: string - description: "Header Name - treated as exact must exist" - contains: - type: string - description: "Header Name - A header must exist that contain the string the name" - regex: - type: string - description: "header Name - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e header name must not exist" - oneOf: - - required: [exact] - - required: [contains] - - required: [regex] - headerValue: - type: object - description: "Header Name and Value based match" - properties: - name: - type: string - description: "Header name that must match the value" - exact: - type: string - description: "Header value - treated as exact" - contains: - type: string - description: "Header value - treated as contains" - regex: - type: string - description: "header value - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e header if present must not match the value" - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - queryParams: - type: array - description: "List of Query parameters for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Query parameters Name and Value based match" - properties: - name: - type: string - description: "Query name that must match the value. 
If no value is specified, matches with any value" - exact: - type: string - description: "Query value - Exact match" - contains: - type: string - description: "Query value - value must have the string(substring)" - regex: - type: string - description: "Query value - Value must match this regex patterm" - not: - type: boolean - description: "Default False, if present, rules are inverted. I.e query if present must not match the value" - anyOf: - - required: [name] - - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - cookies: - type: array - description: "List of Cookie params for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" - minItems: 1 - items: - type: object - description: "Cookie based routing" - properties: - name: - type: string - description: "cookie name that must match the value. If no value specified, it matches with any value" - exact: - type: string - description: "cookie value - treated as exact" - contains: - type: string - description: "cookie value - treated as substring" - regex: - type: string - description: "cookie value - treated as PCRE regex expression" - not: - type: boolean - description: "Default False, if present, rules are inverted. 
I.e cookie if present must not match the value" - anyOf: - - required: [name] - - oneOf: - - required: [name, exact] - - required: [name, contains] - - required: [name, regex] - method: - type: string - description: "HTTP method for content routing eg: POST, PUT, DELETE etc" - policyExpression: - type: string - description: "Citrix ADC policy expressions; refer: https://docs.citrix.com/en-us/netscaler/media/expression-prefix.pdf" - action: - type: object - description: "Action for the matched rule" - properties: - backend: - type: object - oneOf: - - required: [kube] - properties: - kube: - type: object - required: [service, port] - properties: - service: - description: "Name of the backend service" - type: string - pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' - port: - description: "Service port" - type: integer - minimum: 1 - maximum: 65535 - backendConfig: - type: object - description: "General backend service options" - properties: - secureBackend: - description: "Use Secure communications to the backends" - type: boolean - lbConfig: - description: "Citrix ADC LB vserver configurations for the backend. 
Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/load-balancing/lbvserver/lbvserver/ for all configurations" - type: object - additionalProperties: - type: string - servicegroupConfig: - description: "Citrix ADC service group configurations for the backend; Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/basic/servicegroup/servicegroup/ for all configurations" - type: object - additionalProperties: - type: string - redirect: - type: object - oneOf: - - required: [targetExpression] - - required: [hostRedirect] - - required: [httpsRedirect] - properties: - httpsRedirect: - description: "Change the scheme from http to https keeping URL intact" - type: boolean - hostRedirect: - description: "Host name specified is used for redirection with URL intact" - type: string - targetExpression: - description: "A target can be specified using Citrix ADC policy expression" - type: string - responseCode: - description: "Default response code is 302, which can be customised using this attribute" - type: integer - minimum: 100 - maximum: 599 - oneOf: - - required: ["backend"] - - required: ["redirect"] - subresources: - # status enables the status subresource. - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - # name must match the spec fields below, and be in the form: . 
- name: continuousdeployments.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: continuousdeployment - plural: continuousdeployments - singular: continuousdeployment - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - cronSpec: - type: integer - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: wafs.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: waf - plural: wafs - singular: waf - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the waf policies are applied.' 
- type: array - items: - type: string - maxLength: 127 - application_type: - description: 'Type of applications to protect' - type: array - items: - type: string - enum: ['HTML', 'JSON', 'XML'] - signatures: - description: 'Location of external signature file' - type: string - redirect_url: - description: 'When a URL is blocked/down, redirect_url represents the alternate URL where the client requests should be sent.' - type: string - html_error_object: - description: 'Location of customized error page to respond when html or common violation are hit' - type: string - xml_error_object: - description: 'Location of customized error page to respond when xml violations are hit' - type: string - json_error_object: - description: 'Location of customized error page to respond when json violations are hit' - type: string - ip_reputation: - type: object - x-kubernetes-preserve-unknown-fields: true - description: 'Enabling IP reputation feature' - target: - description: 'To control what traffic to be inspected by Web Application Firewall. 
If you do not provide the target, everything will be inspected by default' - type: object - properties: - path: - type: array - description: "List of http urls to inspect" - items: - type: string - description: "URL path" - method: - type: array - description: "List of http methods to inspect" - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT','PATCH', 'UNKNOWN_METHOD'] - header: - type: array - description: "List of http headers to inspect" - items: - type: string - description: "header name" - security_checks: - description: 'To enable/disable application firewall security checks' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true - settings: - description: 'To fine tune application firewall security checks default settings' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true - relaxations: - description: 'Section which contains relaxation rules for known traffic and false positives' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true - enforcements: - description: 'Section which contains enforcement or restriction rules' - type: object - properties: - common: - type: object - x-kubernetes-preserve-unknown-fields: true - html: - type: object - 
x-kubernetes-preserve-unknown-fields: true - json: - type: object - x-kubernetes-preserve-unknown-fields: true - xml: - type: object - x-kubernetes-preserve-unknown-fields: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: bots.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: bot - plural: bots - singular: bot - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - required: [spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'Name of the services to which the bot policies are applied.' - type: array - items: - type: string - maxLength: 127 - signatures: - description: 'Location of external bot signature file' - type: string - redirect_url: - description: 'url to redirect when bot violation is hit' - type: string - target: - description: 'To control what traffic to be inspected by BOT. 
If you do not provide the target, everything will be inspected by default' - type: object - properties: - path: - type: array - description: "List of http urls to inspect" - items: - type: string - description: "URL path" - method: - type: array - description: "List of http methods to inspect" - items: - type: string - enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT','PATCH', 'UNKNOWN_METHOD'] - header: - type: array - description: "List of http headers to inspect" - items: - type: string - description: "header name" - security_checks: - description: 'To enable/disable bot ecurity checks' - type: object - properties: - allow_list: - type: string - enum: ['ON', 'OFF'] - block_list: - type: string - enum: ['ON', 'OFF'] - device_fingerprint: - type: string - enum: ['ON', 'OFF'] - device_fingerprint_action: - type: object - x-kubernetes-preserve-unknown-fields: true - headless_browser: - type: string - enum: ['ON','OFF'] - reputation: - type: string - enum: ['ON', 'OFF'] - ratelimit: - type: string - enum: ['ON', 'OFF'] - tps: - type: string - enum: ['ON', 'OFF'] - trap: - type: object - x-kubernetes-preserve-unknown-fields: true - bindings: - description: 'Section which contains binding rules for bot security checks' - type: object - properties: - allow_list: - type: array - items: - type: object - properties: - subnet: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - ipv6: - type: object - x-kubernetes-preserve-unknown-fields: true - ipv6_subnet: - type: object - x-kubernetes-preserve-unknown-fields: true - expression: - type: object - x-kubernetes-preserve-unknown-fields: true - - block_list: - type: array - items: - type: object - properties: - subnet: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - ipv6: - type: object - x-kubernetes-preserve-unknown-fields: true - ipv6_subnet: - 
type: object - x-kubernetes-preserve-unknown-fields: true - expression: - type: object - x-kubernetes-preserve-unknown-fields: true - ratelimit: - type: array - items: - type: object - properties: - url: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - cookie: - type: object - x-kubernetes-preserve-unknown-fields: true - geolocation: - type: object - x-kubernetes-preserve-unknown-fields: true - reputation: - type: object - x-kubernetes-preserve-unknown-fields: true - captcha: - type: array - items: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - logexp: - type: array - items: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - kbmexpr: - type: array - items: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - tps: - type: object - properties: - geolocation: - type: object - x-kubernetes-preserve-unknown-fields: true - host: - type: object - x-kubernetes-preserve-unknown-fields: true - ip: - type: object - x-kubernetes-preserve-unknown-fields: true - url: - type: object - x-kubernetes-preserve-unknown-fields: true - trapinsertion: - type: object - x-kubernetes-preserve-unknown-fields: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: apigatewaypolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: apigatewaypolicy - plural: apigatewaypolicies - singular: apigatewaypolicy - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - additionalPrinterColumns: - - name: Status - type: string - description: "Current Status of the CRD" - jsonPath: .status.state - - name: Message - type: string - description: "Status Message" - jsonPath: .status.status_message - subresources: - status: {} - schema: - openAPIV3Schema: - type: object - required: 
[spec] - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - api_definition: - type: object - properties: - repository: - type: string - branch: - type: string - oas_secret_ref: - type: string - files: - type: array - items: - type: string - maxLength: 127 - api_proxy: - type: object - properties: - ipaddress: - type: string - port: - type: integer - protocol: - type: string - secret: - type: string - policies: - type: array - items: - type: object - properties: - name: - type: string - selector: - type: array - items: - type: object - properties: - tags: - type: array - items: - type: string - api: - type: string - method: - type: array - items: - type: string - maxLength: 127 - upstream: - type: object - properties: - service: - type: string - port: - type: integer - policy_bindings: - type: object - properties: - ratelimit: - type: object - properties: - name: - type: string - waf: - type: object - properties: - name: - type: string - rewritepolicy: - type: object - properties: - name: - type: string - bot: - type: object - properties: - name: - type: string - aaa: - type: array - items: - type: object - properties: - crd_name: - type: string - mappings: - type: array - items: - type: object - properties: - petstore_auth: - type: string - api_key: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: corspolicies.citrix.com -{{- if .Values.crds.retainOnDelete }} - annotations: - "helm.sh/resource-policy": keep -{{- end }} -spec: - group: citrix.com - names: - kind: corspolicy - plural: corspolicies - singular: corspolicy - shortNames: - - cp - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Status - type: string - description: 'Current Status of the CRD' - jsonPath: .status.state - - name: Message - type: string - 
description: 'Status Message' - jsonPath: .status.status_message - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - state: - type: string - status_message: - type: string - spec: - type: object - properties: - ingressclass: - type: string - description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" - servicenames: - description: 'The list of Kubernetes services to which you want to apply the cors policies.' - type: array - items: - type: string - maxLength: 63 - allow_origin: - description: 'Represents list of allowed origins, it is used to screen the “origin” in the cors pre flight request' - type: array - items: - type: string - maxLength: 2083 - allow_methods: - description: 'Indicates which methods are supported by the response’s URL for the purposes of the CORS protocol. This variable will be used to set Access-Control-Allow-Methods in the pre-flight cors response.' - type: array - items: - type: string - maxLength: 127 - allow_headers: - description: 'Indicates which headers are supported by the response’s URL for the purposes of the CORS protocol. This variable will be used to set Access-Control-Allow-Headers in the pre-flight cors response.' - type: array - items: - type: string - maxLength: 127 - max_age: - description: 'Indicates the number of seconds (5 by default) the information provided by the `Access-Control-Allow-Methods` and `Access-Control-Allow-Headers` headers can be cached. This variable will be used to set Access-Control-Max-Age in the pre-flight cors response.' - type: integer - allow_credentials: - description: 'Indicates whether the response can be shared when the request’s credentials mode is "include". This variable will be set to Access-Control-Allow-Credentials in the rewrite action.' 
- type: boolean
- required: [servicenames, allow_origin, allow_methods, allow_headers]
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: appqoepolicies.citrix.com
-{{- if .Values.crds.retainOnDelete }}
- annotations:
- "helm.sh/resource-policy": keep
-{{- end }}
-spec:
- group: citrix.com
- names:
- kind: appqoepolicy
- plural: appqoepolicies
- singular: appqoepolicy
- scope: Namespaced
- versions:
- - name: v1
- served: true
- storage: true
- subresources:
- status: {}
- additionalPrinterColumns:
- - name: Status
- type: string
- description: "Current Status of the CRD"
- jsonPath: .status.state
- - name: Message
- type: string
- description: "Status Message"
- jsonPath: .status.status_message
- schema:
- openAPIV3Schema:
- type: object
- properties:
- status:
- type: object
- properties:
- state:
- type: string
- status_message:
- type: string
- spec:
- type: object
- properties:
- appqoe-policies:
- type: array
- items:
- type: object
- properties:
- servicenames:
- description: 'Name of the services that needs to be binded to appqoe policy.'
- type: array
- items:
- type: string
- maxLength: 127
- appqoe-policy:
- type: object
- properties:
- operation-retry:
- type: object
- properties:
- on-reset:
- description: "To set Retry on Connection Reset or Not"
- type: string
- enum: ['YES','NO']
- on-timeout:
- description: "Time in milliseconds for retry"
- type: integer
- minimum: 30
- maximum: 2000
- number-of-retries:
- description: "To set number of retries"
- type: integer
- minimum: 1
- maximum: 7
- required: [operation-retry]
- appqoe-criteria:
- description: 'Expression against which traffic is evaluated.'
- type: string
- maxLength: 1299
- direction:
- description: 'Bind point to which to bind the policy.'
- type: string
- enum: ["REQUEST","RESPONSE"]
- required: [appqoe-criteria, operation-retry]
- required: [appqoe-policy]
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: wildcarddnsentries.citrix.com
-spec:
- group: citrix.com
- names:
- kind: wildcarddnsentry
- plural: wildcarddnsentries
- singular: wildcarddnsentry
- scope: Namespaced
- versions:
- - name: v1
- served: true
- storage: true
- subresources:
- status: {}
- additionalPrinterColumns:
- - name: Status
- type: string
- description: Current Status of the CRD
- jsonPath: .status.state
- - name: Message
- type: string
- description: Status Message
- jsonPath: .status.status_message
- schema:
- openAPIV3Schema:
- type: object
- properties:
- status:
- type: object
- properties:
- state:
- type: string
- status_message:
- type: string
- spec:
- type: object
- properties:
- zone:
- type: object
- description: DNS configuration for a zone
- properties:
- domain:
- type: string
- description: Domain name
- dnsaddrec:
- type: object
- description: DNS Address record
- properties:
- domain-ip:
- type: string
- description: IPv4 addresses to assign to the domain name
- ttl:
- type: integer
- description: >-
- TTL is the time for which the record must be cached
- by DNS proxies
- dnsaaaarec:
- type: object
- description: DNS AAAA record
- properties:
- domain-ip:
- type: string
- description: IPv6 addresses to assign to the domain name
- ttl:
- type: integer
- description: >-
- TTL is the time for which the record must be cached
- by DNS proxies
- soarec:
- type: object
- description: SOA record
- properties:
- origin-server:
- type: string
- description: Origin server domain
- contact:
- type: string
- description: Admin contact
- serial:
- type: integer
- description: >-
- The secondary server uses this parameter to
- determine whether it requires a zone transfer from
- the primary server.
- refresh:
- type: integer
- description: >-
- Time, in seconds, for which a secondary server must
- wait between successive checks on the value of the
- serial number.
- retry:
- type: integer
- description: >-
- Time, in seconds, between retries if a secondary server's
- attempt to contact the primary server for a zone refresh fails.
- expire:
- type: integer
- description: >-
- Time, in seconds, after which the zone data on a secondary
- nameserver can no longer be considered authoritative because
- all refresh and retry attempts made during the period have failed."
- nsrec:
- type: object
- description: Name server record
- properties:
- nameserver:
- type: string
- description: Host name of the name server to add to the domain.
- ttl:
- type: integer
- description: >-
- Time to Live (TTL), in seconds, for the record. TTL
- is the time for which the record must be cached by
- DNS proxies. The specified TTL is applied to all the
- resource records that are of the same record type
- and belong to the specified domain name
----
-{{- end }}
diff --git a/charts/citrix/citrix-ingress-controller/1.35.6/templates/citrix-k8s-ingress.yaml b/charts/citrix/citrix-ingress-controller/1.35.6/templates/citrix-k8s-ingress.yaml
deleted file mode 100644
index 45d14b69c4..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.35.6/templates/citrix-k8s-ingress.yaml
+++ /dev/null
@@ -1,267 +0,0 @@
-{{- if .Values.openshift }}
-apiVersion: apps.openshift.io/v1
-kind: DeploymentConfig
-{{- else }}
-apiVersion: apps/v1
-kind: Deployment
-{{- end }}
-metadata:
- name: {{ include "citrix-ingress-controller.fullname" . }}
- namespace: {{ .Release.Namespace }}
-spec:
- selector:
-{{- if .Values.openshift }}
- router: {{ include "citrix-ingress-controller.fullname" . }}
-{{- else }}
- matchLabels:
- app: {{ include "citrix-ingress-controller.fullname" . }}
-{{- end }}
- replicas: 1
-{{- if .Values.openshift }}
- strategy:
- resources: {}
- rollingParams:
- intervalSeconds: 1
- maxSurge: 0
- maxUnavailable: 25%
- timeoutSeconds: 600
- updatePeriodSeconds: 1
- type: Rolling
-{{- end }}
- template:
- metadata:
- name: cic
- labels:
-{{- if .Values.openshift }}
- router: {{ include "citrix-ingress-controller.fullname" . }}
-{{- else }}
- app: {{ include "citrix-ingress-controller.fullname" . }}
-{{- end }}
-{{- with .Values.podAnnotations }}
- annotations:
- {{- toYaml . | nindent 8 }}
-{{- end }}
- spec:
- serviceAccountName: {{ include "citrix-ingress-controller.serviceAccountName" . }}
- containers:
- - name: cic
- image: "{{ tpl .Values.image . }}"
- imagePullPolicy: {{ .Values.pullPolicy }}
- args:
- - --configmap
- {{ .Release.Namespace }}/{{ include "cicconfigmap.fullname" . 
}}
-{{- if .Values.defaultSSLCertSecret }}
- - --default-ssl-certificate
- {{ .Release.Namespace }}/{{ .Values.defaultSSLCertSecret }}
-{{- end }}
-{{- if .Values.ingressClass }}
- - --ingress-classes
-{{- range .Values.ingressClass}}
- {{.}}
-{{- end }}
-{{- end }}
-{{- if .Values.serviceClass }}
- - --service-classes
-{{- range .Values.serviceClass}}
- {{.}}
-{{- end }}
-{{- end }}
- - --feature-node-watch
- {{ .Values.nodeWatch }}
- - --enable-cnc-pbr
- {{ .Values.cncPbr }}
-{{- if .Values.ipam }}
- - --ipam
- citrix-ipam-controller
-{{- end }}
-{{- if .Values.disableAPIServerCertVerify }}
- - --disable-apiserver-cert-verify
- {{ .Values.disableAPIServerCertVerify }}
-{{- end }}
-{{- if .Values.updateIngressStatus }}
- - --update-ingress-status
- yes
-{{- end }}
- env:
- - name: "NS_IP"
- value: "{{ .Values.nsIP }}"
-{{- if .Values.nsVIP }}
- - name: "NS_VIP"
- value: "{{ .Values.nsVIP }}"
-{{- end }}
-{{- if .Values.rbacRole }}
- - name: "SCOPE"
- value: "local"
-{{- end }}
-{{- if .Values.nitroReadTimeout }}
- - name: "NS_NITRO_READ_TIMEOUT"
- value: "{{ .Values.nitroReadTimeout }}"
-{{- end }}
- - name: "NS_USER"
- {{- if and .Values.secretStore.enabled .Values.secretStore.username}}
- {{- toYaml .Values.secretStore.username | nindent 10 }}
- {{- else }}
- valueFrom:
- secretKeyRef:
- name: {{ .Values.adcCredentialSecret }}
- key: username
- {{- end }}
- - name: "NS_PASSWORD"
- {{- if and .Values.secretStore.enabled .Values.secretStore.password}}
- {{- toYaml .Values.secretStore.password | nindent 10 }}
- {{- else }}
- valueFrom:
- secretKeyRef:
- name: {{ .Values.adcCredentialSecret }}
- key: password
- {{- end }}
- - name: "EULA"
- value: "{{ .Values.license.accept }}"
-{{- if and .Values.openshift .Values.routeLabels }}
- - name: "ROUTE_LABELS"
- value: {{ .Values.routeLabels | quote}}
-{{- end }}
-{{- if and .Values.openshift .Values.namespaceLabels }}
- - name: "NAMESPACE_LABELS"
- value: {{ .Values.namespaceLabels | quote }}
-{{- end }}
- - name: 
"NS_APPS_NAME_PREFIX" - value: {{ .Values.entityPrefix | default "k8s"| quote }} -{{- if .Values.kubernetesURL }} - - name: "kubernetes_url" - value: "{{ .Values.kubernetesURL }}" -{{- end }} -{{- if .Values.clusterName }} - - name: "CLUSTER_NAME" - value: "{{ .Values.clusterName }}" -{{- end }} -{{- if .Values.logProxy }} - - name: "NS_LOGPROXY" - value: "{{ .Values.logProxy }}" -{{- end }} -{{- if .Values.disableOpenshiftRoutes }} - - name: "DISABLE_OPENSHIFT_ROUTES" - value: "{{ .Values.disableOpenshiftRoutes }}" -{{- end }} -{{- if .Values.nsConfigDnsRec }} - - name: "NS_CONFIG_DNS_REC" - value: "{{ .Values.nsConfigDnsRec }}" -{{- end }} -{{- if .Values.nsSvcLbDnsRec }} - - name: "NS_SVC_LB_DNS_REC" - value: "{{ .Values.nsSvcLbDnsRec }}" -{{- end }} -{{- if .Values.optimizeEndpointBinding }} - - name: "OPTIMIZE_ENDPOINT_BINDING" - value: "{{ .Values.optimizeEndpointBinding }}" -{{- end }} - resources: - {{- toYaml .Values.resources | nindent 12 }} - {{- if ne (len .Values.extraVolumeMounts) 0 }} - volumeMounts: -{{- toYaml .Values.extraVolumeMounts | nindent 8 }} - {{- end }} -{{- if .Values.exporter.required }} - - name: exporter - image: "{{ tpl .Values.exporter.image . 
}}" - imagePullPolicy: {{ .Values.exporter.pullPolicy }} - args: - - "--target-nsip={{ .Values.nsIP }}" - - "--port={{ .Values.exporter.ports.containerPort }}" - env: - - name: "NS_USER" - {{- if and .Values.secretStore.enabled .Values.secretStore.username}} - {{- toYaml .Values.secretStore.username | nindent 10 }} - {{- else }} - valueFrom: - secretKeyRef: - name: {{ .Values.adcCredentialSecret }} - key: username - {{- end }} - - name: "NS_PASSWORD" - {{- if and .Values.secretStore.enabled .Values.secretStore.password}} - {{- toYaml .Values.secretStore.password | nindent 10 }} - {{- else }} - valueFrom: - secretKeyRef: - name: {{ .Values.adcCredentialSecret }} - key: password - {{- end }} - {{- if ne (len .Values.exporter.extraVolumeMounts) 0 }} - volumeMounts: - {{- toYaml .Values.exporter.extraVolumeMounts | nindent 8 }} - {{- end }} - securityContext: - readOnlyRootFilesystem: true - resources: -{{- toYaml .Values.exporter.resources | nindent 12 }} -{{- end }} -{{- if or (and .Values.extraVolumeMounts .Values.extraVolumes) (and .Values.exporter.extraVolumeMounts .Values.extraVolumes) }} - volumes: -{{- end }} -{{- if ne (len .Values.extraVolumes) 0 }} -{{ toYaml .Values.extraVolumes | indent 6 }} -{{- end }} -{{- if and .Values.nodeSelector.key .Values.nodeSelector.value }} - nodeSelector: - {{ .Values.nodeSelector.key }}: {{ .Values.nodeSelector.value }} -{{- end }} -{{- if .Values.tolerations }} - tolerations: {{ .Values.tolerations | toYaml | nindent 8 }} -{{- end }} -{{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} -{{- end }} - ---- - -{{- if .Values.exporter.required }} - - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "exporter.fullname" . }} - labels: - app: {{ include "exporter.fullname" . }} - service-type: {{ include "servicemonitorlabel" . 
}}
-spec:
- type: ClusterIP
- ports:
- - port: {{ .Values.exporter.ports.containerPort }}
- targetPort: {{ .Values.exporter.ports.containerPort }}
- name: exporter-port
- selector:
-{{- if .Values.openshift }}
- router: {{ include "citrix-ingress-controller.fullname" . }}
-{{- else }}
- app: {{ include "citrix-ingress-controller.fullname" . }}
-{{- end }}
-
----
-
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
- name: {{ include "servicemonitor.fullname" . }}
- namespace: {{ .Release.Namespace }}
- labels:
- servicemonitor: citrix-adc
- {{- with .Values.exporter.serviceMonitorExtraLabels }}
- {{- toYaml . | nindent 4 }}
- {{- end }}
-spec:
- endpoints:
- - interval: 30s
- port: exporter-port
- selector:
- matchLabels:
- service-type: {{ include "servicemonitorlabel" . }}
- namespaceSelector:
- matchNames:
- - monitoring
- - default
- - {{ .Release.Namespace }}
-
-{{- end }}
diff --git a/charts/citrix/citrix-ingress-controller/1.35.6/templates/configmap.yaml b/charts/citrix/citrix-ingress-controller/1.35.6/templates/configmap.yaml
deleted file mode 100644
index 586906391b..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.35.6/templates/configmap.yaml
+++ /dev/null
@@ -1,75 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "cicconfigmap.fullname" . }}
- namespace: {{ .Release.Namespace }}
-data:
- LOGLEVEL: {{ .Values.logLevel | quote | lower }}
- JSONLOG: {{ .Values.jsonLog | quote | lower }}
- NS_PROTOCOL: {{ .Values.nsProtocol | quote | lower }}
- NS_PORT: {{ .Values.nsPort | quote }}
-{{- if .Values.nsSNIPS }}
- NS_SNIPS: {{ .Values.nsSNIPS | toJson}}
-{{- end }}
-{{- if and .Values.analyticsConfig.required .Values.nsEnableLabel }}
- NS_ENABLE_LABELS: {{ .Values.nsEnableLabel | quote}}
-{{- end }}
-{{- if .Values.podIPsforServiceGroupMembers }}
- POD_IPS_FOR_SERVICEGROUP_MEMBERS: {{ .Values.podIPsforServiceGroupMembers | quote }}
-{{- end }}
-{{- if .Values.ignoreNodeExternalIP }}
- IGNORE_NODE_EXTERNAL_IP: {{ .Values.ignoreNodeExternalIP | quote }}
-{{- end }}
-
-{{- if ne (upper .Values.nsHTTP2ServerSide) "OFF" }}
- NS_HTTP2_SERVER_SIDE: {{ .Values.nsHTTP2ServerSide | quote }}
-{{- end }}
-{{- if ne (toString .Values.nsCookieVersion) "0" }}
- NS_COOKIE_VERSION: {{ .Values.nsCookieVersion | quote }}
-{{- end }}
-{{- if .Values.nsDnsNameserver }}
- NS_DNS_NAMESERVER: {{ .Values.nsDnsNameserver }}
-{{- end }}
-
-{{- if .Values.analyticsConfig.required }}
- NS_ANALYTICS_CONFIG: |
- distributed_tracing:
- enable: {{ .Values.analyticsConfig.distributedTracing.enable | quote }}
- samplingrate: {{ .Values.analyticsConfig.distributedTracing.samplingrate }}
- endpoint:
- server: {{ include "analytics.server" . 
| quote }}
- service: {{ .Values.analyticsConfig.endpoint.service | quote }}
- timeseries:
- port: {{ .Values.analyticsConfig.timeseries.port }}
- metrics:
- enable: {{ .Values.analyticsConfig.timeseries.metrics.enable | quote }}
- mode: {{ .Values.analyticsConfig.timeseries.metrics.mode | quote }}
- auditlogs:
- enable: {{ .Values.analyticsConfig.timeseries.auditlogs.enable | quote }}
- events:
- enable: {{ .Values.analyticsConfig.timeseries.events.enable | quote }}
- transactions:
- enable: {{ .Values.analyticsConfig.transactions.enable | quote }}
- port: {{ .Values.analyticsConfig.transactions.port }}
-{{- end }}
-
-{{- if .Values.nsLbHashAlgo.required }}
- NS_LB_HASH_ALGO: |
- hashFingers: {{ .Values.nsLbHashAlgo.hashFingers }}
- hashAlgorithm: {{ .Values.nsLbHashAlgo.hashAlgorithm | quote }}
-{{- end }}
-
-{{- if .Values.profileSslFrontend }}
- FRONTEND_SSL_PROFILE: |
- {{- toYaml .Values.profileSslFrontend | nindent 4 }}
-{{- end }}
-
-{{- if .Values.profileTcpFrontend }}
- FRONTEND_TCP_PROFILE: |
- {{- toYaml .Values.profileTcpFrontend | nindent 4 }}
-{{- end }}
-
-{{- if .Values.profileHttpFrontend }}
- FRONTEND_HTTP_PROFILE: |
- {{- toYaml .Values.profileHttpFrontend | nindent 4 }}
-{{- end }}
\ No newline at end of file
diff --git a/charts/citrix/citrix-ingress-controller/1.35.6/templates/ingressclass.yaml b/charts/citrix/citrix-ingress-controller/1.35.6/templates/ingressclass.yaml
deleted file mode 100644
index d75537b79f..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.35.6/templates/ingressclass.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{{- $default := .Values.setAsDefaultIngressClass -}}
-{{- if semverCompare ">=1.19.0-0" .Capabilities.KubeVersion.GitVersion }}
-{{- if .Values.ingressClass }}
-{{- range .Values.ingressClass }}
-apiVersion: networking.k8s.io/v1
-kind: IngressClass
-metadata:
- name: {{ . | quote }}
-{{- if $default }}
- annotations:
- ingressclass.kubernetes.io/is-default-class: "true"
-{{- end }}
-spec:
- controller: citrix.com/ingress-controller
----
-{{- end }}
-{{- end }}
-{{- end }}
diff --git a/charts/citrix/citrix-ingress-controller/1.35.6/templates/rbac.yaml b/charts/citrix/citrix-ingress-controller/1.35.6/templates/rbac.yaml
deleted file mode 100644
index c20c1512e0..0000000000
--- a/charts/citrix/citrix-ingress-controller/1.35.6/templates/rbac.yaml
+++ /dev/null
@@ -1,106 +0,0 @@
-{{- if not .Values.rbacRole }}
-kind: ClusterRole
-{{- else }}
-kind: Role
-{{- end }}
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: {{ include "citrix-ingress-controller.serviceAccountName" . }}
-{{- if .Values.rbacRole }}
- namespace: {{ .Release.Namespace }}
-{{- end }}
-rules:
- - apiGroups: [""]
-{{- if .Values.openshift }}
- resources: ["endpoints", "pods", "secrets", "routes", "tokenreviews", "subjectaccessreviews", "nodes", "namespaces", "configmaps", "services"]
-{{- else }}
- resources: ["endpoints", "pods", "secrets", "routes", "nodes", "namespaces", "configmaps", "services"]
-{{- end }}
- verbs: ["get", "list", "watch"]
- # services/status is needed to update the loadbalancer IP in service status for integrating
- # service of type LoadBalancer with external-dns
- - apiGroups: [""]
- resources: ["services/status"]
- verbs: ["patch"]
- - apiGroups: [""]
- resources: ["events"]
- verbs: ["create"]
- - apiGroups: ["extensions", "networking.k8s.io"]
- resources: ["ingresses"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["extensions","networking.k8s.io"]
- resources: ["ingresses/status"]
- verbs: ["patch"]
- - apiGroups: ["networking.k8s.io"]
- resources: ["ingressclasses"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["apiextensions.k8s.io"]
- resources: ["customresourcedefinitions"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["apps"]
- resources: ["deployments"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["citrix.com"]
- resources: ["rewritepolicies", "continuousdeployments", "authpolicies", "ratelimits", "listeners", "httproutes", "wafs", "apigatewaypolicies", "bots", "corspolicies", "appqoepolicies", "wildcarddnsentries"]
- verbs: ["get", "list", "watch", "create", "delete", "patch"]
- - apiGroups: ["citrix.com"]
- resources: ["rewritepolicies/status", "continuousdeployments/status", "authpolicies/status", "ratelimits/status", "listeners/status", "httproutes/status", "wafs/status", 
"apigatewaypolicies/status", "bots/status", "corspolicies/status", "appqoepolicies/status", "wildcarddnsentries/status"] - verbs: ["patch"] - - apiGroups: ["citrix.com"] - resources: ["vips"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: ["crd.projectcalico.org"] - resources: ["ipamblocks"] - verbs: ["get", "list", "watch"] -{{- if .Values.openshift }} - - apiGroups: ["route.openshift.io"] - resources: ["routes"] - verbs: ["get", "list", "watch"] - - apiGroups: ["network.openshift.io"] - resources: ["hostsubnets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["config.openshift.io"] - resources: ["networks"] - verbs: ["get", "list"] -{{- end }} - ---- - -{{- if not .Values.rbacRole }} -kind: ClusterRoleBinding -{{- else }} -kind: RoleBinding -{{- end }} -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "citrix-ingress-controller.serviceAccountName" . }} -{{- if .Values.rbacRole }} - namespace: {{ .Release.Namespace }} -{{- end }} -roleRef: - apiGroup: rbac.authorization.k8s.io -{{- if not .Values.rbacRole }} - kind: ClusterRole -{{- else }} - kind: Role -{{- end }} - name: {{ include "citrix-ingress-controller.serviceAccountName" . }} -subjects: -- kind: ServiceAccount - name: {{ include "citrix-ingress-controller.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "citrix-ingress-controller.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- if .Values.imagePullSecrets }} -imagePullSecrets: -{{- range .Values.imagePullSecrets }} -- name: {{.}} -{{- end }} -{{- end }} - diff --git a/charts/citrix/citrix-ingress-controller/1.35.6/values.yaml b/charts/citrix/citrix-ingress-controller/1.35.6/values.yaml deleted file mode 100644 index 9abb3b0a27..0000000000 --- a/charts/citrix/citrix-ingress-controller/1.35.6/values.yaml +++ /dev/null 
@@ -1,202 +0,0 @@
-# Default values for citrix-ingress-controller.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-# Citrix Ingress Controller config details
-imageRegistry: quay.io
-imageRepository: citrix/citrix-k8s-ingress-controller
-imageTag: 1.35.6
-image: "{{ .Values.imageRegistry }}/{{ .Values.imageRepository }}:{{ .Values.imageTag }}"
-pullPolicy: IfNotPresent
-imagePullSecrets: []
-nameOverride: ""
-fullnameOverride: ""
-openshift: false
-adcCredentialSecret: # K8s Secret Name
-# Enable secretStore to implement CSI Secret Provider classes for holding the nslogin credentials
-secretStore:
- enabled: false
- username: {}
- #valueFrom:
- # configMapKeyRef:
- # name: test1
- # key: username
- password: {}
- #valueFrom:
- # configMapKeyRef:
- # name: test1
- # key: password
-nsIP: x.x.x.x
-nsVIP:
-nsSNIPS:
-license:
- accept: no
-nsPort: 443
-nsProtocol: HTTPS
-nsEnableLabel: true
-# nitroReadTimeout is timeout value in seconds for nitro api read timeout(default is 20)
-nitroReadTimeout:
-logLevel: INFO
-jsonLog: false
-entityPrefix:
-kubernetesURL:
-clusterName:
-ingressClass:
-setAsDefaultIngressClass: False
-serviceClass:
-defaultSSLCertSecret:
-podIPsforServiceGroupMembers: False
-ignoreNodeExternalIP: False
-ipam: False
-# API server Cert verification can be disabled, while communicating with API Server, if disableAPIServerCertVerify set to True
-disableAPIServerCertVerify: False
-logProxy:
-nodeWatch: false
-cncPbr: False
-nodeSelector:
- key:
- value:
-tolerations: []
-updateIngressStatus: True
-nsHTTP2ServerSide: "OFF"
-nsCookieVersion: "0"
-nsConfigDnsRec:
-nsSvcLbDnsRec:
-nsDnsNameserver:
-optimizeEndpointBinding:
-routeLabels:
-namespaceLabels:
-disableOpenshiftRoutes:
-profileSslFrontend: {}
- # preconfigured: my_ssl_profile
- # OR
- # config:
- # tls13: 'ENABLED'
- # hsts: 'ENABLED'
-profileHttpFrontend: {}
- # preconfigured: my_http_profile
- # OR
- # config:
- # dropinvalreqs: 'ENABLED'
- # websocket: 
'ENABLED'
-profileTcpFrontend: {}
- # preconfigured: my_tcp_profile
- # OR
- # config:
- # sack: 'ENABLED'
- # nagle: 'ENABLED'
-
-# Exporter config details
-exporter:
- required: false
- imageRegistry: quay.io
- imageRepository: citrix/citrix-adc-metrics-exporter
- imageTag: 1.4.9
- image: "{{ .Values.exporter.imageRegistry }}/{{ .Values.exporter.imageRepository }}:{{ .Values.exporter.imageTag }}"
- pullPolicy: IfNotPresent
- ports:
- containerPort: 8888
- resources: {}
- # We usually recommend not to specify default resources and to leave this as a conscious
- # choice for the user. This also increases chances charts run on environments with little
- # resources, such as Minikube. If you do want to specify resources, uncomment the following
- # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
- # limits:
- # cpu: 100m
- # memory: 128Mi
- # requests:
- # cpu: 100m
- # memory: 128Mi
- extraVolumeMounts: []
- # We usually recommend not to specify default resources and to leave this as a conscious
- # choice for the user.
- #- name: github-key
- # mountPath: /etc/config/keys/
- # readOnly: true
- #- name: agent-init-scripts
- # mountPath: /docker-entrypoint.d/
- serviceMonitorExtraLabels: {}
-
-# For CRDs supported by Citrix Ingress Controller
-crds:
- install: false
- retainOnDelete: false
-
-# Enable RBAC role (so called local role), by default CIC deployed with ClusterRole. 
-# below variable to deploy CIC with RBAC role, only ingress service supported with this config
-rbacRole: False
-
-# Config required to be done by Citrix Ingress Controller for sending metrics to Citrix Observability Exporter
-analyticsConfig:
- required: false
- distributedTracing:
- enable: false
- samplingrate: 100
- endpoint:
- server:
- service:
- timeseries:
- port: 30002
- metrics:
- enable: false
- mode: 'avro'
- auditlogs:
- enable: false
- events:
- enable: false
- transactions:
- enable: false
- port: 30001
-
-nsLbHashAlgo:
- required: false
- hashFingers: 256
- hashAlgorithm: 'DEFAULT'
-
-# Specifies whether a ServiceAccount should be created
-serviceAccount:
- create: true
- # The name of the ServiceAccount to use.
- # If not set and `create` is true, a name is generated using the fullname template
- # name:
-
-podAnnotations: {}
-
-resources:
- requests:
- cpu: 32m
- memory: 128Mi
- # Following values depends on no of ingresses configured by Ingress Controllers, so it is
- # advised to test with maximum no of ingresses to set these values.
- # limits:
- # cpu: 1000m
- # memory: 1000Mi
- limits: {}
- # Following values depends on no of ingresses configured by Ingress Controllers, so it is
- # advised to test with maximum no of ingresses to set these values.
- # limits:
- # cpu: 1000m
- # memory: 1000Mi
-
-affinity: {}
-
-extraVolumeMounts: []
- # We usually recommend not to specify default resources and to leave this as a conscious
- # choice for the user.
- #- name: github-key
- # mountPath: /etc/config/keys/
- # readOnly: true
- #- name: agent-init-scripts
- # mountPath: /docker-entrypoint.d/
-
-extraVolumes: []
- # We usually recommend not to specify default resources and to leave this as a conscious
- # choice for the user.
- #- name: agent-init-scripts
- # configMap:
- # name: agent-init-scripts
- # defaultMode: 0755
- #- name: github-key
- # secret:
- # secretName: github-key
- # defaultMode: 0744
diff --git a/index.yaml b/index.yaml
index 39e3e02375..723ad55f63 100644
--- a/index.yaml
+++ b/index.yaml
@@ -6253,648 +6253,6 @@ entries:
 urls:
 - assets/paravela/chronicle-0.1.15.tgz
 version: 0.1.15
- citrix-adc-istio-ingress-gateway:
- - annotations:
- catalog.cattle.io/certified: partner
- catalog.cattle.io/display-name: Citrix Adc Istio Ingress Gateway
- catalog.cattle.io/kube-version: '>=v1.16.0-0'
- catalog.cattle.io/release-name: citrix-adc-istio-ingress-gateway
- apiVersion: v2
- appVersion: 1.14.0
- created: "2022-12-01T23:59:01.209934-05:00"
- deprecated: true
- description: A Helm chart for Citrix ADC as Ingress Gateway installation in Istio
- Service Mesh on Kubernetes platform
- digest: 2f413c0992f7965febc2971e004271e4a95813ea7d14991873f909666dce094b
- home: https://www.citrix.com
- icon: file://assets/icons/citrix-adc-istio-ingress-gateway.png
- kubeVersion: '>=v1.16.0-0'
- maintainers:
- - email: dhiraj.gedam@citrix.com
- name: dheerajng
- - email: subash.dangol@citrix.com
- name: subashd
- name: citrix-adc-istio-ingress-gateway
- sources:
- - https://github.com/citrix/citrix-xds-adaptor
- urls:
- - assets/citrix/citrix-adc-istio-ingress-gateway-1.14.0.tgz
- version: 1.14.0
- - annotations:
- catalog.cattle.io/certified: partner
- catalog.cattle.io/display-name: Citrix Adc Istio Ingress Gateway
- catalog.cattle.io/release-name: citrix-adc-istio-ingress-gateway
- apiVersion: v2
- appVersion: 1.11.0
- created: "2021-11-22T18:13:00.552885-05:00"
- deprecated: true
- description: A Helm chart for Citrix ADC as Ingress Gateway installation in Istio
- Service Mesh on Kubernetes platform
- digest: 061cad0a6a38fe27edbcef0c155c97af9714c9f8144592a8719ff71b38e8f492
- home: https://www.citrix.com
- icon: file://assets/icons/citrix-adc-istio-ingress-gateway.png
- kubeVersion: '>=v1.16.0-0'
- maintainers:
- - email: dhiraj.gedam@citrix.com
- name: dheerajng
- - email: subash.dangol@citrix.com
- name: subashd
- - email: ajeeta.shaket@citrix.com
- name: ajeetas
- name: citrix-adc-istio-ingress-gateway
- sources:
- - https://github.com/citrix/citrix-xds-adaptor
- urls:
- 
- assets/citrix/citrix-adc-istio-ingress-gateway-1.11.1.tgz
- version: 1.11.1
- - annotations:
- catalog.cattle.io/certified: partner
- catalog.cattle.io/display-name: Citrix Adc Istio Ingress Gateway
- catalog.cattle.io/release-name: citrix-adc-istio-ingress-gateway
- apiVersion: v2
- appVersion: 1.11.0
- created: "2021-10-20T19:31:46.936224057+05:30"
- deprecated: true
- description: A Helm chart for Citrix ADC as Ingress Gateway installation in Istio
- Service Mesh on Kubernetes platform
- digest: abfdb4aa0acdc3e62b49b73d917a2799381f98cfe021ae16da432aabbe1f5074
- home: https://www.citrix.com
- icon: file://assets/icons/citrix-adc-istio-ingress-gateway.png
- kubeVersion: '>=v1.16.0-0'
- maintainers:
- - email: dhiraj.gedam@citrix.com
- name: dheerajng
- - email: subash.dangol@citrix.com
- name: subashd
- - email: ajeeta.shaket@citrix.com
- name: ajeetas
- name: citrix-adc-istio-ingress-gateway
- sources:
- - https://github.com/citrix/citrix-xds-adaptor
- urls:
- - assets/citrix/citrix-adc-istio-ingress-gateway-1.11.0.tgz
- version: 1.11.0
- - annotations:
- catalog.cattle.io/certified: partner
- catalog.cattle.io/release-name: citrix-adc-istio-ingress-gateway
- apiVersion: v1
- appVersion: 1.2.1
- created: "2021-06-23T17:44:55.442927-07:00"
- deprecated: true
- description: A Helm chart for Citrix ADC as Ingress Gateway installation in Istio
- Service Mesh on Kubernetes platform
- digest: 1b5f4a44d018a7b5fb698cc476ab402705271a2340d02abffd38ed41292ea54a
- home: https://www.citrix.com
- icon: file://assets/icons/citrix-adc-istio-ingress-gateway.png
- maintainers:
- - email: dhiraj.gedam@citrix.com
- name: dheerajng
- - email: subash.dangol@citrix.com
- name: subashd
- name: citrix-adc-istio-ingress-gateway
- sources:
- - https://github.com/citrix/citrix-istio-adaptor
- urls:
- - assets/citrix/citrix-adc-istio-ingress-gateway-1.2.100.tgz
- version: 1.2.100
- citrix-cpx-istio-sidecar-injector:
- - annotations:
- catalog.cattle.io/certified: partner
- 
catalog.cattle.io/display-name: Citrix Cpx Istio Sidecar Injector
- catalog.cattle.io/kube-version: '>=v1.16.0-0'
- catalog.cattle.io/release-name: citrix-cpx-istio-sidecar-injector
- apiVersion: v2
- appVersion: 1.14.1
- created: "2022-12-01T23:59:01.212143-05:00"
- deprecated: true
- description: A Helm chart to deploy resources which install Citrix ADC CPX in
- Istio Service Mesh as sidecar in application pod
- digest: acc0395a2257c822819666e2ce72189fb1a99bde2a3440ba55b68617d1d12324
- home: https://www.citrix.com
- icon: file://assets/icons/citrix-cpx-istio-sidecar-injector.png
- kubeVersion: '>=v1.16.0-0'
- maintainers:
- - email: dhiraj.gedam@citrix.com
- name: dheerajng
- - email: subash.dangol@citrix.com
- name: subashd
- name: citrix-cpx-istio-sidecar-injector
- sources:
- - https://github.com/citrix/citrix-xds-adaptor
- urls:
- - assets/citrix/citrix-cpx-istio-sidecar-injector-1.14.1.tgz
- version: 1.14.1
- - annotations:
- catalog.cattle.io/certified: partner
- catalog.cattle.io/display-name: Citrix Cpx Istio Sidecar Injector
- catalog.cattle.io/release-name: citrix-cpx-istio-sidecar-injector
- apiVersion: v2
- appVersion: 1.11.0
- created: "2021-11-22T18:14:45.857822-05:00"
- deprecated: true
- description: A Helm chart to deploy resources which install Citrix ADC CPX in
- Istio Service Mesh as sidecar in application pod
- digest: c352aa99c2b4473b826c2a946f3d5edaa32714127981e113e5d8157551c4b8bd
- home: https://www.citrix.com
- icon: file://assets/icons/citrix-cpx-istio-sidecar-injector.png
- kubeVersion: '>=v1.16.0-0'
- maintainers:
- - email: dhiraj.gedam@citrix.com
- name: dheerajng
- - email: subash.dangol@citrix.com
- name: subashd
- - email: ajeeta.shakeet@citrix.com
- name: ajeetas
- name: citrix-cpx-istio-sidecar-injector
- sources:
- - https://github.com/citrix/citrix-xds-adaptor
- urls:
- - assets/citrix/citrix-cpx-istio-sidecar-injector-1.11.1.tgz
- version: 1.11.1
- - annotations:
- catalog.cattle.io/certified: partner
- 
catalog.cattle.io/display-name: Citrix Cpx Istio Sidecar Injector
- catalog.cattle.io/release-name: citrix-cpx-istio-sidecar-injector
- apiVersion: v2
- appVersion: 1.11.0
- created: "2021-10-20T21:24:39.548842707+05:30"
- deprecated: true
- description: A Helm chart to deploy resources which install Citrix ADC CPX in
- Istio Service Mesh as sidecar in application pod
- digest: 2f9c061aa2e4eccd17fbcbc6379e7917e13a0c09cd0a9261de2b62d8e0494a17
- home: https://www.citrix.com
- icon: file://assets/icons/citrix-cpx-istio-sidecar-injector.png
- kubeVersion: '>=v1.16.0-0'
- maintainers:
- - email: dhiraj.gedam@citrix.com
- name: dheerajng
- - email: subash.dangol@citrix.com
- name: subashd
- - email: ajeeta.shakeet@citrix.com
- name: ajeetas
- name: citrix-cpx-istio-sidecar-injector
- sources:
- - https://github.com/citrix/citrix-xds-adaptor
- urls:
- - assets/citrix/citrix-cpx-istio-sidecar-injector-1.11.0.tgz
- version: 1.11.0
- citrix-cpx-with-ingress-controller:
- - annotations:
- catalog.cattle.io/certified: partner
- catalog.cattle.io/display-name: Citrix Cpx with Ingress Controller
- catalog.cattle.io/kube-version: '>=v1.16.0-0'
- catalog.cattle.io/release-name: citrix-cpx-with-ingress-controller
- apiVersion: v2
- appVersion: 1.35.6
- created: "2023-09-13T13:34:03.811806061Z"
- deprecated: true
- description: A Helm chart for Citrix ADC CPX with Citrix ingress Controller running
- as sidecar. 
- digest: e3b14ad8e59588c747f31177ed6b587c63f0bb6dfeffb70d268643eb77e4800b - home: https://www.cloud.com - icon: file://assets/icons/citrix-cpx-with-ingress-controller.png - kubeVersion: '>=v1.16.0-0' - maintainers: - - email: priyanka.sharma@cloud.com - name: priyankash-citrix - - email: subash.dangol@cloud.com - name: subashd - name: citrix-cpx-with-ingress-controller - sources: - - https://github.com/citrix/citrix-k8s-ingress-controller - urls: - - assets/citrix/citrix-cpx-with-ingress-controller-1.35.6.tgz - version: 1.35.6 - - annotations: - catalog.cattle.io/certified: partner - catalog.cattle.io/display-name: Citrix Cpx with Ingress Controller - catalog.cattle.io/kube-version: '>=v1.16.0-0' - catalog.cattle.io/release-name: citrix-cpx-with-ingress-controller - apiVersion: v2 - appVersion: 1.34.16 - created: "2023-07-26T12:01:03.326882581Z" - deprecated: true - description: A Helm chart for Citrix ADC CPX with Citrix ingress Controller running - as sidecar. - digest: 4609339bb53e4969665318f8440591a44364831b1ac55fcb9191449555f041b0 - home: https://www.cloud.com - icon: file://assets/icons/citrix-cpx-with-ingress-controller.png - kubeVersion: '>=v1.16.0-0' - maintainers: - - email: priyanka.sharma@cloud.com - name: priyankash-citrix - - email: subash.dangol@cloud.com - name: subashd - name: citrix-cpx-with-ingress-controller - sources: - - https://github.com/citrix/citrix-k8s-ingress-controller - urls: - - assets/citrix/citrix-cpx-with-ingress-controller-1.34.16.tgz - version: 1.34.16 - - annotations: - catalog.cattle.io/certified: partner - catalog.cattle.io/display-name: Citrix Cpx with Ingress Controller - catalog.cattle.io/kube-version: '>=v1.16.0-0' - catalog.cattle.io/release-name: citrix-cpx-with-ingress-controller - apiVersion: v2 - appVersion: 1.33.4 - created: "2023-06-02T14:45:22.2753468Z" - deprecated: true - description: A Helm chart for Citrix ADC CPX with Citrix ingress Controller running - as sidecar. 
- digest: 6149999a17cda6e531d3fee34be995955614ac6944f80c9cf57eaa72a790e9f9 - home: https://www.cloud.com - icon: file://assets/icons/citrix-cpx-with-ingress-controller.png - kubeVersion: '>=v1.16.0-0' - maintainers: - - email: priyanka.sharma@cloud.com - name: priyankash-citrix - - email: subash.dangol@cloud.com - name: subashd - name: citrix-cpx-with-ingress-controller - sources: - - https://github.com/citrix/citrix-k8s-ingress-controller - urls: - - assets/citrix/citrix-cpx-with-ingress-controller-1.33.4.tgz - version: 1.33.4 - - annotations: - catalog.cattle.io/certified: partner - catalog.cattle.io/display-name: Citrix Cpx with Ingress Controller - catalog.cattle.io/kube-version: '>=v1.16.0-0' - catalog.cattle.io/release-name: citrix-cpx-with-ingress-controller - apiVersion: v2 - appVersion: 1.32.7 - created: "2023-05-18T13:48:09.852506659Z" - deprecated: true - description: A Helm chart for Citrix ADC CPX with Citrix ingress Controller running - as sidecar. - digest: bcd137e8de018b906cab1e02aab429d1faa6a08a2727e5aa51e160af8b7a18ed - home: https://www.cloud.com - icon: file://assets/icons/citrix-cpx-with-ingress-controller.png - kubeVersion: '>=v1.16.0-0' - maintainers: - - email: priyanka.sharma@cloud.com - name: priyankash-citrix - - email: subash.dangol@cloud.com - name: subashd - name: citrix-cpx-with-ingress-controller - sources: - - https://github.com/citrix/citrix-k8s-ingress-controller - urls: - - assets/citrix/citrix-cpx-with-ingress-controller-1.32.7.tgz - version: 1.32.7 - - annotations: - catalog.cattle.io/certified: partner - catalog.cattle.io/display-name: Citrix Cpx with Ingress Controller - catalog.cattle.io/kube-version: '>=v1.16.0-0' - catalog.cattle.io/release-name: citrix-cpx-with-ingress-controller - apiVersion: v2 - appVersion: 1.30.1 - created: "2023-03-21T16:28:41.471190884Z" - deprecated: true - description: A Helm chart for Citrix ADC CPX with Citrix ingress Controller running - as sidecar. 
- digest: 049cb13de12287d72f885fdda6396f7f3c85d035f8a45235d61f20f8c435378f - home: https://www.cloud.com - icon: file://assets/icons/citrix-cpx-with-ingress-controller.png - kubeVersion: '>=v1.16.0-0' - maintainers: - - email: priyanka.sharma@cloud.com - name: priyankash-citrix - - email: subash.dangol@cloud.com - name: subashd - name: citrix-cpx-with-ingress-controller - sources: - - https://github.com/citrix/citrix-k8s-ingress-controller - urls: - - assets/citrix/citrix-cpx-with-ingress-controller-1.30.1.tgz - version: 1.30.1 - - annotations: - catalog.cattle.io/certified: partner - catalog.cattle.io/display-name: Citrix Cpx with Ingress Controller - catalog.cattle.io/kube-version: '>=v1.16.0-0' - catalog.cattle.io/release-name: citrix-cpx-with-ingress-controller - apiVersion: v2 - appVersion: 1.29.5 - created: "2023-01-31T17:19:03.595225298Z" - deprecated: true - description: A Helm chart for Citrix ADC CPX with Citrix ingress Controller running - as sidecar. - digest: 27f2ca62409deda0ae588ff70a1df61f680cc13cbd3a1011611d18d6c13c5ce9 - home: https://www.citrix.com - icon: file://assets/icons/citrix-cpx-with-ingress-controller.png - kubeVersion: '>=v1.16.0-0' - maintainers: - - email: priyanka.sharma@citrix.com - name: priyankash-citrix - - email: subash.dangol@citrix.com - name: subashd - name: citrix-cpx-with-ingress-controller - sources: - - https://github.com/citrix/citrix-k8s-ingress-controller - urls: - - assets/citrix/citrix-cpx-with-ingress-controller-1.29.5.tgz - version: 1.29.5 - - annotations: - catalog.cattle.io/certified: partner - catalog.cattle.io/display-name: Citrix Cpx with Ingress Controller - catalog.cattle.io/kube-version: '>=v1.16.0-0' - catalog.cattle.io/release-name: citrix-cpx-with-ingress-controller - apiVersion: v2 - appVersion: 1.28.2 - created: "2022-12-08T12:25:37.223034326-07:00" - deprecated: true - description: A Helm chart for Citrix ADC CPX with Citrix ingress Controller running - as sidecar. 
- digest: 90e7d48a8c7200a9ff6b96eb11e66247a59f3fe37db9c883279b262922dad500 - home: https://www.citrix.com - icon: file://assets/icons/citrix-cpx-with-ingress-controller.png - kubeVersion: '>=v1.16.0-0' - maintainers: - - email: priyanka.sharma@citrix.com - name: priyankash-citrix - - email: subash.dangol@citrix.com - name: subashd - name: citrix-cpx-with-ingress-controller - sources: - - https://github.com/citrix/citrix-k8s-ingress-controller - urls: - - assets/citrix/citrix-cpx-with-ingress-controller-1.28.2.tgz - version: 1.28.2 - - annotations: - catalog.cattle.io/certified: partner - catalog.cattle.io/display-name: Citrix Cpx with Ingress Controller - catalog.cattle.io/kube-version: '>=v1.16.0-0' - catalog.cattle.io/release-name: citrix-cpx-with-ingress-controller - apiVersion: v2 - appVersion: 1.27.15 - created: "2022-12-01T23:59:01.213129-05:00" - deprecated: true - description: A Helm chart for Citrix ADC CPX with Citrix ingress Controller running - as sidecar. - digest: 0854299ab2be619921fcc19e433830468a49717a911d182c6570fa64b9751560 - home: https://www.citrix.com - icon: file://assets/icons/citrix-cpx-with-ingress-controller.png - kubeVersion: '>=v1.16.0-0' - maintainers: - - email: priyanka.sharma@citrix.com - name: priyankash-citrix - - email: subash.dangol@citrix.com - name: subashd - name: citrix-cpx-with-ingress-controller - sources: - - https://github.com/citrix/citrix-k8s-ingress-controller - urls: - - assets/citrix/citrix-cpx-with-ingress-controller-1.27.15.tgz - version: 1.27.15 - - annotations: - catalog.cattle.io/certified: partner - catalog.cattle.io/release-name: citrix-cpx-with-ingress-controller - apiVersion: v1 - appVersion: 1.8.28 - created: "2021-06-23T17:44:55.443962-07:00" - deprecated: true - description: A Helm chart for Citrix ADC CPX with Citrix ingress Controller running - as sidecar. 
- digest: ca1f88dc88100856e4f15004e0fe39a8ab732ed8ae55218da6428bb7827bde7b - home: https://www.citrix.com - icon: file://assets/icons/citrix-cpx-with-ingress-controller.png - maintainers: - - email: priyanka.sharma@citrix.com - name: priyankash-citrix - - email: subash.dangol@citrix.com - name: subashd - name: citrix-cpx-with-ingress-controller - sources: - - https://github.com/citrix/citrix-k8s-ingress-controller - urls: - - assets/citrix/citrix-cpx-with-ingress-controller-1.8.2800.tgz - version: 1.8.2800 - citrix-ingress-controller: - - annotations: - catalog.cattle.io/certified: partner - catalog.cattle.io/display-name: Citrix Ingress Controller - catalog.cattle.io/kube-version: '>=v1.16.0-0' - catalog.cattle.io/release-name: citrix-ingress-controller - apiVersion: v2 - appVersion: 1.35.6 - created: "2023-09-13T13:34:03.833733779Z" - deprecated: true - description: A Helm chart for Citrix Ingress Controller configuring MPX/VPX. - digest: fada5b02269d9b6d69cd9ac6c2a1b5488da2da610955882a72ca01ae919e3144 - home: https://www.cloud.com - icon: file://assets/icons/citrix-ingress-controller.png - kubeVersion: '>=v1.16.0-0' - maintainers: - - email: priyanka.sharma@cloud.com - name: priyankash-citrix - - email: subash.dangol@cloud.com - name: subashd - name: citrix-ingress-controller - sources: - - https://github.com/citrix/citrix-k8s-ingress-controller - urls: - - assets/citrix/citrix-ingress-controller-1.35.6.tgz - version: 1.35.6 - - annotations: - catalog.cattle.io/certified: partner - catalog.cattle.io/display-name: Citrix Ingress Controller - catalog.cattle.io/kube-version: '>=v1.16.0-0' - catalog.cattle.io/release-name: citrix-ingress-controller - apiVersion: v2 - appVersion: 1.34.16 - created: "2023-07-26T12:01:03.345551921Z" - deprecated: true - description: A Helm chart for Citrix Ingress Controller configuring MPX/VPX. 
- digest: 5d77a8624f11dc81f8ebb650651bb6ab891b4df2f8994054feed29406112c336 - home: https://www.cloud.com - icon: file://assets/icons/citrix-ingress-controller.png - kubeVersion: '>=v1.16.0-0' - maintainers: - - email: priyanka.sharma@cloud.com - name: priyankash-citrix - - email: subash.dangol@cloud.com - name: subashd - name: citrix-ingress-controller - sources: - - https://github.com/citrix/citrix-k8s-ingress-controller - urls: - - assets/citrix/citrix-ingress-controller-1.34.16.tgz - version: 1.34.16 - - annotations: - catalog.cattle.io/certified: partner - catalog.cattle.io/display-name: Citrix Ingress Controller - catalog.cattle.io/kube-version: '>=v1.16.0-0' - catalog.cattle.io/release-name: citrix-ingress-controller - apiVersion: v2 - appVersion: 1.33.4 - created: "2023-06-02T14:45:22.288251408Z" - deprecated: true - description: A Helm chart for Citrix Ingress Controller configuring MPX/VPX. - digest: ce9532597842628cf01a68636731f010e61a2fc13c4c3413484590ae0305713d - home: https://www.cloud.com - icon: file://assets/icons/citrix-ingress-controller.png - kubeVersion: '>=v1.16.0-0' - maintainers: - - email: priyanka.sharma@cloud.com - name: priyankash-citrix - - email: subash.dangol@cloud.com - name: subashd - name: citrix-ingress-controller - sources: - - https://github.com/citrix/citrix-k8s-ingress-controller - urls: - - assets/citrix/citrix-ingress-controller-1.33.4.tgz - version: 1.33.4 - - annotations: - catalog.cattle.io/certified: partner - catalog.cattle.io/display-name: Citrix Ingress Controller - catalog.cattle.io/kube-version: '>=v1.16.0-0' - catalog.cattle.io/release-name: citrix-ingress-controller - apiVersion: v2 - appVersion: 1.32.7 - created: "2023-05-18T13:48:09.864000415Z" - deprecated: true - description: A Helm chart for Citrix Ingress Controller configuring MPX/VPX. 
- digest: dbda1fec6d6de20ddc73d1b0c77677dfd3d6d95ff39cf1606473137a62ed5b3c - home: https://www.cloud.com - icon: file://assets/icons/citrix-ingress-controller.png - kubeVersion: '>=v1.16.0-0' - maintainers: - - email: priyanka.sharma@cloud.com - name: priyankash-citrix - - email: subash.dangol@cloud.com - name: subashd - name: citrix-ingress-controller - sources: - - https://github.com/citrix/citrix-k8s-ingress-controller - urls: - - assets/citrix/citrix-ingress-controller-1.32.7.tgz - version: 1.32.7 - - annotations: - catalog.cattle.io/certified: partner - catalog.cattle.io/display-name: Citrix Ingress Controller - catalog.cattle.io/kube-version: '>=v1.16.0-0' - catalog.cattle.io/release-name: citrix-ingress-controller - apiVersion: v2 - appVersion: 1.30.1 - created: "2023-03-21T16:28:41.480551583Z" - deprecated: true - description: A Helm chart for Citrix Ingress Controller configuring MPX/VPX. - digest: a39d1f4250b5355e0edb7d3e039b8da4abec06974afb4d016aa325ba19e8c3c9 - home: https://www.cloud.com - icon: file://assets/icons/citrix-ingress-controller.png - kubeVersion: '>=v1.16.0-0' - maintainers: - - email: priyanka.sharma@cloud.com - name: priyankash-citrix - - email: subash.dangol@cloud.com - name: subashd - name: citrix-ingress-controller - sources: - - https://github.com/citrix/citrix-k8s-ingress-controller - urls: - - assets/citrix/citrix-ingress-controller-1.30.1.tgz - version: 1.30.1 - - annotations: - catalog.cattle.io/certified: partner - catalog.cattle.io/display-name: Citrix Ingress Controller - catalog.cattle.io/kube-version: '>=v1.16.0-0' - catalog.cattle.io/release-name: citrix-ingress-controller - apiVersion: v2 - appVersion: 1.29.5 - created: "2023-01-31T17:19:03.605897645Z" - deprecated: true - description: A Helm chart for Citrix Ingress Controller configuring MPX/VPX. 
- digest: 9957394dd84bb4c900adf4925500f4e683e48bc7aa564db636daccdf8f465a86 - home: https://www.citrix.com - icon: file://assets/icons/citrix-ingress-controller.png - kubeVersion: '>=v1.16.0-0' - maintainers: - - email: priyanka.sharma@citrix.com - name: priyankash-citrix - - email: subash.dangol@citrix.com - name: subashd - name: citrix-ingress-controller - sources: - - https://github.com/citrix/citrix-k8s-ingress-controller - urls: - - assets/citrix/citrix-ingress-controller-1.29.5.tgz - version: 1.29.5 - - annotations: - catalog.cattle.io/certified: partner - catalog.cattle.io/display-name: Citrix Ingress Controller - catalog.cattle.io/kube-version: '>=v1.16.0-0' - catalog.cattle.io/release-name: citrix-ingress-controller - apiVersion: v2 - appVersion: 1.28.2 - created: "2022-12-08T12:25:37.232323747-07:00" - deprecated: true - description: A Helm chart for Citrix Ingress Controller configuring MPX/VPX. - digest: 3feed1ee1548271438ae60135a7be8154ce0e39cc923abccbe1660f56cc5a133 - home: https://www.citrix.com - icon: file://assets/icons/citrix-ingress-controller.png - kubeVersion: '>=v1.16.0-0' - maintainers: - - email: priyanka.sharma@citrix.com - name: priyankash-citrix - - email: subash.dangol@citrix.com - name: subashd - name: citrix-ingress-controller - sources: - - https://github.com/citrix/citrix-k8s-ingress-controller - urls: - - assets/citrix/citrix-ingress-controller-1.28.2.tgz - version: 1.28.2 - - annotations: - catalog.cattle.io/certified: partner - catalog.cattle.io/display-name: Citrix Ingress Controller - catalog.cattle.io/kube-version: '>=v1.16.0-0' - catalog.cattle.io/release-name: citrix-ingress-controller - apiVersion: v2 - appVersion: 1.27.15 - created: "2022-12-01T23:59:01.21585-05:00" - deprecated: true - description: A Helm chart for Citrix Ingress Controller configuring MPX/VPX. 
- digest: a87b8a8be0d9dacc9d3ac78c64e53081a4f482bd27ad52451b771a2a3428a17a - home: https://www.citrix.com - icon: file://assets/icons/citrix-ingress-controller.png - kubeVersion: '>=v1.16.0-0' - maintainers: - - email: priyanka.sharma@citrix.com - name: priyankash-citrix - - email: subash.dangol@citrix.com - name: subashd - name: citrix-ingress-controller - sources: - - https://github.com/citrix/citrix-k8s-ingress-controller - urls: - - assets/citrix/citrix-ingress-controller-1.27.15.tgz - version: 1.27.15 - - annotations: - catalog.cattle.io/certified: partner - catalog.cattle.io/display-name: Citrix Ingress Controller - catalog.cattle.io/release-name: citrix-ingress-controller - apiVersion: v2 - appVersion: 1.19.6 - created: "2021-11-02T15:55:30.585834681+05:30" - deprecated: true - description: A Helm chart for Citrix Ingress Controller configuring MPX/VPX. - digest: 98453bb4c2dccacdc83eaad1c5369c5007bf821164911256c5c3eaf10b9795e7 - home: https://www.citrix.com - icon: file://assets/icons/citrix-ingress-controller.png - kubeVersion: '>=v1.16.0-0' - maintainers: - - email: priyanka.sharma@citrix.com - name: priyankash-citrix - - email: subash.dangol@citrix.com - name: subashd - name: citrix-ingress-controller - sources: - - https://github.com/citrix/citrix-k8s-ingress-controller - urls: - - assets/citrix/citrix-ingress-controller-1.19.600.tgz - version: 1.19.600 cloudcasa: - annotations: catalog.cattle.io/certified: partner diff --git a/packages/citrix/citrix-adc-istio-ingress-gateway/overlay/app-readme.md b/packages/citrix/citrix-adc-istio-ingress-gateway/overlay/app-readme.md deleted file mode 100644 index dc4ee42acd..0000000000 --- a/packages/citrix/citrix-adc-istio-ingress-gateway/overlay/app-readme.md +++ /dev/null 
@@ -1,38 +0,0 @@ -# Citrix ADC as an Ingress Gateway for Istio - -An [Istio](https://istio.io/) ingress gateway acts as an entry point for the incoming traffic and secures and controls access to the service mesh. It also performs routing and load balancing. Citrix ADC [CPX](https://docs.citrix.com/en-us/citrix-adc-cpx), MPX, or [VPX](https://docs.citrix.com/en-us/citrix-adc.html), can be deployed as an ingress gateway to the Istio service mesh. - -### Prerequisites - -The following prerequisites are required for deploying Citrix ADC as an Ingress Gateway in Istio service mesh: - -- Ensure that **Istio** is enabled. -- Ensure that your cluster has Kubernetes version 1.16.0 or later. -- Ensure to create secret named **nslogin** with username and password in same namespace in case of VPX/MPX . Choose the **Cluster Explorer > Storage > Secrets** in the navigation bar. - -### Important NOTE: -- Follow this [link](https://github.com/citrix/citrix-helm-charts/blob/master/examples/citrix-adc-in-istio/README.md -) to deploy Citrix ADC as an ingress gateway for application. -- For deploying Citrix ADC VPX or MPX as ingress gateway, you should establish the connectivity between Citrix ADC VPX or MPX and cluster nodes. This connectivity can be established by configuring routes on Citrix ADC as mentioned [here](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/staticrouting.md) or by deploying [Citrix Node Controller](https://github.com/citrix/citrix-k8s-node-controller). -- To use the certificate and key for authenticating access to an application using Citrix ADC Ingress Gateway. In that case, you can create a Kubernetes secret from the existing certificate and key. You can mount the Kubernetes secret as data volumes in Citrix ADC Ingress Gateway. Then specify a list of secret, volume name, mount path in subsequent fields of `SecretVolume` section: - - Go to `Edit as YAML` option and update below values . 
- ``` - secretVolumes: - - name: - secretName: - mountPath: - ``` - For more details, follow this [link](https://github.com/citrix/citrix-helm-charts/tree/master/citrix-adc-istio-ingress-gateway#using-existing-certificates-to-deploy-citrix-adc-as-an-ingress-gateway) - -- By default, gateway is configured to expose HTTP(S) services. To expose non-HTTP services, Then specify a list of port, port-name, target-port, nodeport (if applicable) in subsequent fields of `tcpPort` section. - - Go to `Edit as YAML` option and update below values. - ``` - tcpPort: - - name: - nodePort: - port: - targetPort: - ``` - For more details follow this [link](https://github.com/citrix/citrix-helm-charts/tree/master/citrix-adc-istio-ingress-gateway#exposing-services-running-on-non-http-ports) - -This catalog deploys Citrix ADC VPX, MPX, or CPX as an Ingress Gateway in the Istio service mesh. For detailed information on various deployment options,checkout this [link](https://github.com/citrix/citrix-istio-adaptor). diff --git a/packages/citrix/citrix-adc-istio-ingress-gateway/overlay/questions.yml b/packages/citrix/citrix-adc-istio-ingress-gateway/overlay/questions.yml deleted file mode 100644 index 36a7b00354..0000000000 --- a/packages/citrix/citrix-adc-istio-ingress-gateway/overlay/questions.yml +++ /dev/null 
@@ -1,405 +0,0 @@ -labels: - io.rancher.certified: partner -questions: -- variable: citrixCPX - required: true - type: boolean - default: true - description: "Set true to use Citrix ADC CPX as ingress device. Set false to use VPX/MPX as ingress device" - label: citrixCPX - group: "Deployment Settings" -- variable: secrets.name - required: true - type: string - default: "nslogin" - description: "Ensure to create nslogin secret in same namespace" - show_if: "citrixCPX=false" - group: "nslogin Settings" -- variable: xDSAdaptor.image - required: true - type: string - default: "quay.io/citrix/citrix-xds-adaptor:0.9.9" - label: xDSAdaptor Image - description: "xDSAdaptor Image to be used with version" - group: "xDSAdaptor Settings" -- variable: xDSAdaptor.imagePullPolicy - required: true - type: enum - default: IfNotPresent - label: xDSAdaptor imagePullPolicy - description: "xDSAdaptor Image pull policy" - options: - - "Always" - - "IfNotPresent" - - "Never" - group: "xDSAdaptor Settings" -- variable: xDSAdaptor.proxyType - required: false - type: string - default: "router" - label: xDSAdaptor proxyType - description: "xDSAdaptor proxyType type set to router by default" - group: "xDSAdaptor Settings" -- variable: xDSAdaptor.secureConnect - required: true - type: boolean - default: true - label: xDSAdaptor secureConnect - description: "If this value is set to true, xDSAdaptor establishes secure gRPC channel with Istio Pilot" - group: "xDSAdaptor Settings" -- variable: xDSAdaptor.logLevel - required: false - type: enum - default: DEBUG - label: xDSAdaptor logLevel - description: "xDSAdaptor logLevel" - options: - - "TRACE" - - "DEBUG" - - "INFO" - - "WARN" - - "ERROR" - group: "xDSAdaptor Settings" -- variable: xDSAdaptor.jsonLog - required: false - type: string - default: "true" - label: xDSAdaptor jsonLog - description: "Set this argument to true if log messages are required in JSON format" - group: "xDSAdaptor Settings" -- variable: coe.coeURL - required: false - type: 
string - label: coe coeURL - description: "Name of Citrix Observability Exporter Service" - group: "COE Settings" -- variable: coe.coeTracing - required: false - type: boolean - label: coe coeTracing - description: "Used to send appflow transactions to Zipkin endpoint,if true ADM servicegraph (if configured) can be impacted" - group: "COE Settings" -- variable: istioPilot.name - required: true - type: string - default: istiod - label: istio-pilot name - group: "istio-pilot Settings" - description: "Name of the Istio Pilot service" -- variable: istioPilot.namespace - required: true - type: string - default: istio-system - label: istio-pilot namespace - description: "Namespace where Istio Pilot is running" - group: "istio-pilot Settings" -- variable: istioPilot.secureGrpcPort - required: true - type: int - default: 15012 - label: istio-pilot secureGrpcPort - show_if: "xDSAdaptor.secureConnect=true" - description: "Secure GRPC port where Istio Pilot is listening" - group: "istio-pilot Settings" -- variable: istioPilot.insecureGrpcPort - required: true - type: int - default: 15010 - show_if: "xDSAdaptor.secureConnect=false" - label: istio-pilot insecureGrpcPort - description: "Insecure GRPC port where Istio Pilot is listening" - group: "istio-pilot Settings" -- variable: istioPilot.SAN - required: false - type: string - default: - label: istio-pilot SAN - description: "Subject alternative name for Istio Pilot which is (SPIFFE) ID of Istio Pilot" - show_if: "xDSAdaptor.secureConnect=true" - group: "istio-pilot Settings" -- variable: ingressGateway.netscalerUrl - required: true - type: string - default: - label: ingressGateway netscalerUrl - description: "URL or IP address of the Citrix ADC which Istio-adaptor configures (Mandatory if citrixCPX=false)" - show_if: "citrixCPX=false" - group: "ingressGateway Settings" -- variable: ingressGateway.image - required: true - type: string - default: "quay.io/citrix/citrix-k8s-cpx-ingress:13.0-79.64" - label: ingressGateway Image 
- description: "ingressGateway image to be used" - group: "ingressGateway Settings" -- variable: ingressGateway.imagePullPolicy - required: true - type: enum - default: IfNotPresent - label: ingressGateway imagePullPolicy - description: Ingress-gateway Image pull policy - group: "ingressGateway Settings" - options: - - "Always" - - "IfNotPresent" - - "Never" -- variable: ingressGateway.EULA - required: true - type: enum - description: "End user license agreement (read EULA before accepting it yes)" - label: ingressGateway EULA - options: - - "YES" - - "NO" - group: "ingressGateway Settings" -- variable: ingressGateway.mgmtHttpPort - required: true - type: int - default: 10080 - label: ingressGateway mgmtHttpPort - description: "Management port of the Citrix ADC CPX" - show_if: "citrixCPX=true" - group: "ingressGateway Settings" -- variable: ingressGateway.mgmtHttpsPort - required: true - type: int - default: 10443 - show_if: "citrixCPX=true" - label: ingressGateway mgmtHttpsPort - description: "Secure management port of Citrix ADC CPX" - group: "ingressGateway Settings" -- variable: ingressGateway.httpNodePort - required: true - type: int - default: 30180 - show_if: "citrixCPX=true" - label: ingressGateway httpNodePort - description: "Port on host machine which is used to expose HTTP port of Citrix ADC CPX" - group: "ingressGateway Settings" -- variable: ingressGateway.httpsNodePort - required: true - type: int - default: 31443 - show_if: "citrixCPX=true" - label: ingressGateway httpsNodePort - description: "Port on host machine which is used to expose HTTPS port of Citrix ADC CPX" - group: "ingressGateway Settings" -- variable: ingressGateway.nodePortRequired - required: true - type: boolean - default: true - label: ingressGateway nodePortRequired - description: "Set this argument if servicetype to be NodePort of Citrix ADC CPX, else it will be loadbalancer type" - group: "ingressGateway Settings" -- variable: ingressGateway.lightWeightCPX - required: false - 
type: int - default: 1 - show_if: "citrixCPX=true" - label: ingressGateway lightWeightCPX - description: "Set this argument if lighter version of Citrix ADC CPX used" - group: "ingressGateway Settings" -- variable: ingressGateway.label - required: true - type: string - default: "citrix-ingressgateway" - label: ingressGateway label - description: "Custom label for the Ingress Gateway service" - group: "ingressGateway Settings" -- variable: ingressGateway.vserverIP - required: true - type: string - default: "nsip" - show_if: "citrixCPX=false" - label: ingressGateway vserverIP - description: "Virtual server IP address on Citrix ADC" - group: "ingressGateway Settings" -- variable: ingressGateway.adcServerName - required: false - type: string - default: - label: ingressGateway adcServerName - description: "Citrix ADC ServerName used in the Citrix ADC certificate" - group: "ingressGateway Settings" -- variable: ingressGateway.netProfile - required: false - type: string - default: - label: ingressGateway netProfile - description: "Network profile name used to configure Citrix ADC VPX or MPX which is deployed as Ingress Gateway" - show_if: "citrixCPX=false" - group: "ingressGateway Settings" -- variable: ingressGateway.multiClusterIngress - required: false - type: boolean - default: false - label: ingressGateway multiClusterIngress - description: "Flag indicating if Citrix ADC is acting as Ingress gateway to multi cluster Istio mesh installation" - group: "ingressGateway Settings" -- variable: ingressGateway.multiClusterListenerPort - required: true - type: int - default: 15443 - label: ingressGateway multiClusterListenerPort - description: "Port opened on Citrix ADC to enable inter-cluster service to service (E-W) communication" - show_if: "ingressGateway.multiClusterIngress=true" - group: "ingressGateway Settings" -- variable: ingressGateway.multiClusterListenerNodePort - required: true - type: int - default: 15443 - label: ingressGateway multiClusterListenerNodePort - 
description: "Nodeport for multiClusterListenerPort in case of Citrix ADC CPX acting as Ingress gateway" - show_if: "ingressGateway.multiClusterIngress=true" - group: "ingressGateway Settings" -- variable: ingressGateway.multiClusterSvcDomain - required: true - type: string - default: global - label: ingressGateway multiClusterSvcDomain - description: "Domain suffix of remote service (deployed in other cluster) used in E-W communication" - show_if: "ingressGateway.multiClusterIngress=true" - group: "ingressGateway Settings" -- variable: metricExporter.required - required: false - type: boolean - default: true - label: Exporter required - description: "Metrics exporter for Citrix ADC" - group: "metricExporter Settings" -- variable: metricExporter.image - required: true - type: string - default: "quay.io/citrix/citrix-adc-metrics-exporter:1.4.8" - label: Exporter Image - description: "Exporter Image to be used with version" - show_if: "metricExporter.required=true" - group: "metricExporter Settings" -- variable: metricExporter.port - required: true - type: int - default: 8888 - label: metricExporter Port - show_if: "metricExporter.required=true" - group: "metricExporter Settings" -- variable: metricExporter.logLevel - required: true - type: enum - default: ERROR - label: metricExporter logLevel - show_if: "metricExporter.required=true" - group: "metricExporter Settings" - options: - - "DEBUG" - - "INFO" - - "WARNING" - - "ERROR" - - "TRACE" -- variable: metricExporter.imagePullPolicy - required: true - type: enum - default: IfNotPresent - label: metricExporter imagePullPolicy - description: "Exporter Image pull policy" - show_if: "metricExporter.required=true" - group: "metricExporter Settings" - options: - - "Always" - - "IfNotPresent" - - "Never" -- variable: certProvider.caAddr - required: true - type: string - default: "istiod.istio-system.svc" - label: certProvider caAddr - description: "Certificate Authority (CA) address issuing certificate to application" - 
group: "certProvider Settings" -- variable: certProvider.caPort - required: true - type: int - default: 15012 - label: certProvider caPort - description: "Certificate Authority (CA) port issuing certificate to application" - group: "certProvider Settings" -- variable: certProvider.trustDomain - required: true - type: string - default: "cluster.local" - label: certProvider trustDomain - description: "SPIFFE Trust Domain" - group: "certProvider Settings" -- variable: certProvider.certTTLinHours - required: true - type: int - default: 720 - label: certProvider certTTLinHours - description: "Validity of certificate generated by xds-adaptor and signed by Istiod (Istio Citadel) in hours." - group: "certProvider Settings" -- variable: certProvider.clusterId - required: true - type: string - default: "Kubernetes" - label: certProvider clusterId - description: "clusterId is the ID of the cluster where Istiod CA instance resides (default Kubernetes). It can be different value on some cloud platforms or in m -ulticluster environments. For example, in Anthos servicemesh, it might be of the format of `cn--`. 
In multiCluster environments, it is the val -ue of global.multiCluster.clusterName provided during servicemesh control plane installation" - group: "certProvider Settings" -- variable: certProvider.jwtPolicy - required: true - type: enum - default: "first-party-jwt" - label: certProvider jwtPolicy - description: "Kubernetes platform supports First party tokens and Third party tokens" - options: - - "first-party-jwt" - - "third-party-jwt" - group: "certProvider Settings" -- variable: ADMSettings.ADMIP - required: false - type: string - default: - label: ADMSettings ADMIP - description: "Citrix Application Delivery Management (ADM) IP address" - group: "ADMSettings Settings" -- variable: ADMSettings.licenseServerIP - required: false - type: string - default: - label: ADMSettings licenseServerIP - description: "Citrix License Server IP address" - group: "ADMSettings Settings" -- variable: ADMSettings.licenseServerPort - required: false - type: int - default: 27000 - label: ADMSettings licenseServerPort - description: "Citrix ADM port if a non-default port is used" - group: "ADMSettings Settings" -- variable: ADMSettings.bandWidthLicense - required: false - type: boolean - default: false - label: ADMSettings bandWidthLicense - description: "To specify bandwidth based licensing" - group: "ADMSettings Settings" -- variable: ADMSettings.bandWidth - required: false - type: string - default: - label: ADMSettings bandWidth - description: "Desired bandwidth capacity to be set for Citrix ADC CPX in Mbps" - group: "ADMSettings Settings" -- variable: ADMSettings.vCPULicense - required: false - type: boolean - default: "false" - label: ADMSettings vCPULicense - description: "To specify vCPULicense based licensing" - group: "ADMSettings Settings" -- variable: ADMSettings.cpxCores - required: false - type: string - default: - label: ADMSettings cpxCores - description: "To specify cpxCores in licensing" - group: "ADMSettings Settings" 
diff --git a/packages/citrix/citrix-adc-istio-ingress-gateway/upstream.yaml b/packages/citrix/citrix-adc-istio-ingress-gateway/upstream.yaml
deleted file mode 100644
index fc4c4a1ccf..0000000000
--- a/packages/citrix/citrix-adc-istio-ingress-gateway/upstream.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-ChartMetadata: {}
-Deprecated: true
-DisplayName: Citrix Adc Istio Ingress Gateway
-HelmChart: citrix-adc-istio-ingress-gateway
-HelmRepo: https://citrix.github.io/citrix-helm-charts
-Vendor: Citrix
diff --git a/packages/citrix/citrix-cpx-istio-sidecar-injector/overlay/app-readme.md b/packages/citrix/citrix-cpx-istio-sidecar-injector/overlay/app-readme.md
deleted file mode 100644
index aa16d21361..0000000000
--- a/packages/citrix/citrix-cpx-istio-sidecar-injector/overlay/app-readme.md
+++ /dev/null
@@ -1,28 +0,0 @@ -# Citrix ADC as a Sidecar for Istio - -Citrix ADC [CPX](https://docs.citrix.com/en-us/citrix-adc-cpx) can act as a sidecar proxy to an application container in Istio. You can inject the Citrix ADC CPX manually or automatically using the [Istio sidecar injector](https://istio.io/docs/setup/additional-setup/sidecar-injection/). - - -### Prerequisites - -The following prerequisites are required for deploying Citrix ADC as a sidecar in an application pod - -- Ensure that **Istio** is enabled. -- Ensure that your cluster has Kubernetes version 1.16.0 or later. -- Ensure the [Kubernetes controller manager](https://rancher.com/docs/rke/latest/en/config-options/services/#kubernetes-controller-manager)’s default certificate signer is enabled. - -**Note**: For RKE based cluster, extra arguments need to be provided for kube-controller service. -```services: - kube-controller: - extra_args: - cluster-signing-cert-file: "/etc/kubernetes/ssl/kube-ca.pem" - cluster-signing-key-file: "/etc/kubernetes/ssl/kube-ca-key.pem" -``` -For detailed information follow this [link](https://github.com/citrix/citrix-xds-adaptor/blob/master/docs/istio-integration/rancher-provisioned-cluster.md) - -### Important NOTE: - - We should not **Enable Istio Auto Injection** on Application namespace. - - The cpx-injection=enabled label is mandatory for injecting sidecars. - - An example to deploy application along with Citrix ADC CPX sidecar is provided [here](https://github.com/citrix/citrix-helm-charts/blob/master/examples/citrix-adc-in-istio/README.md). - -This catalog create resources required for automatically deploying Citrix ADC CPX as a sidecar proxy.For detailed information follow this [link](https://github.com/citrix/citrix-helm-charts/tree/master/citrix-cpx-istio-sidecar-injector) 
diff --git a/packages/citrix/citrix-cpx-istio-sidecar-injector/overlay/questions.yml b/packages/citrix/citrix-cpx-istio-sidecar-injector/overlay/questions.yml deleted file mode 100644 index 18483b84a7..0000000000 --- a/packages/citrix/citrix-cpx-istio-sidecar-injector/overlay/questions.yml +++ /dev/null 
@@ -1,291 +0,0 @@ -labels: - io.rancher.certified: partner -questions: -- variable: xDSAdaptor.image - required: true - type: string - default: "quay.io/citrix/citrix-xds-adaptor:0.9.9" - description: "xds-adaptor Image to be used" - label: xDSAdaptor Image - group: "xDSAdaptor Settings" -- variable: xDSAdaptor.imagePullPolicy - required: true - type: enum - default: IfNotPresent - description: "Istio-adaptor Image pull policy" - label: istioAdaptor imagePullPolicy - options: - - "Always" - - "IfNotPresent" - - "Never" - group: "xDSAdaptor Settings" -- variable: xDSAdaptor.proxyType - required: true - type: string - default: true - label: xDSAdaptor proxyType - description: "xDSAdaptor proxyType type set to router by default" - group: "xDSAdaptor Settings" -- variable: xDSAdaptor.secureConnect - required: false - type: boolean - default: true - label: xDSAdaptor secureConnect - description: "xDSAdaptor establishes secure gRPC channel with Istio Pilot, if value is set to true" - group: "xDSAdaptor Settings" -- variable: xDSAdaptor.logLevel - required: false - type: enum - default: DEBUG - label: xDSAdaptor logLevel - description: "xDSAdaptor logLevel" - options: - - "TRACE" - - "DEBUG" - - "INFO" - - "WARN" - - "ERROR" - group: "xDSAdaptor Settings" -- variable: xDSAdaptor.jsonLog - required: false - type: string - default: "true" - label: xDSAdaptor jsonLog - description: "Set this argument to true if log messages are required in JSON format" - group: "xDSAdaptor Settings" -- variable: coe.coeURL - required: false - type: string - label: coe coeURL - description: "Name of Citrix Observability Exporter Service" - group: "COE Settings" -- variable: coe.coeTracing - required: false - type: boolean - label: coe coeTracing - description: "Used to send appflow transactions to Zipkin endpoint,if true ADM servicegraph (if configured) can be impacted" - group: "COE Settings" -- variable: istioPilot.name - required: true - type: string - default: istio-pilot - label: 
istio-pilot name - group: "istio-pilot Settings" -- variable: istioPilot.namespace - required: true - type: string - default: istio-system - label: istio-pilot namespace - description: "Name of the Istio Pilot service" - group: "istio-pilot Settings" -- variable: istioPilot.secureGrpcPort - required: true - type: int - default: 15011 - description: "Secure GRPC port where Istio Pilot is listening" - label: istio-pilot secureGrpcPort - show_if: "xDSAdaptor.secureConnect=true" - group: "istio-pilot Settings" -- variable: istioPilot.insecureGrpcPort - required: true - type: int - default: 15010 - label: istio-pilot insecureGrpcPort - description: "Insecure GRPC port where Istio Pilot is listening" - show_if: "xDSAdaptor.secureConnect=false" - group: "istio-pilot Settings" -- variable: istioPilot.SAN - required: false - type: string - default: - label: istio-pilot SAN - description: "Subject alternative name for Istio Pilot which is (SPIFFE) ID of Istio Pilot" - show_if: "xDSAdaptor.secureConnect=true" - group: "istio-pilot Settings" -- variable: certProvider.caAddr - required: true - type: string - default: "istiod.istio-system.svc" - label: certProvider caAddr - description: "Certificate Authority (CA) address issuing certificate to application" - group: "certProvider Settings" -- variable: certProvider.caPort - required: true - type: int - default: 15012 - label: certProvider caPort - description: "Certificate Authority (CA) port issuing certificate to application" - group: "certProvider Settings" -- variable: certProvider.trustDomain - required: true - type: string - default: "cluster.local" - label: certProvider trustDomain - description: "SPIFFE Trust Domain" - group: "certProvider Settings" -- variable: certProvider.certTTLinHours - required: true - type: int - default: 720 - label: certProvider certTTLinHours - description: "Validity of certificate generated by xds-adaptor and signed by Istiod (Istio Citadel) in hours." 
- group: "certProvider Settings" -- variable: certProvider.clusterId - required: true - type: string - default: "Kubernetes" - label: certProvider clusterId - description: "clusterId is the ID of the cluster where Istiod CA instance resides (default Kubernetes). It can be different value on some cloud platforms or in m -ulticluster environments. For example, in Anthos servicemesh, it might be of the format of `cn--`. In multiCluster environments, it is the val -ue of global.multiCluster.clusterName provided during servicemesh control plane installation" - group: "certProvider Settings" -- variable: certProvider.jwtPolicy - required: true - type: enum - default: "first-party-jwt" - label: certProvider jwtPolicy - description: "Kubernetes platform supports First party tokens and Third party tokens" - options: - - "first-party-jwt" - - "third-party-jwt" -- variable: cpxProxy.netscalerUrl - required: true - type: string - default: "http://127.0.0.1" - description: "Citrix ADC CPX image used as sidecar proxy" - label: cpxProxy image - group: "cpxProxy Settings" -- variable: cpxProxy.image - required: true - type: string - default: "quay.io/citrix/citrix-k8s-cpx-ingress:13.0-79.64" - description: "Citrix ADC CPX image used as sidecar proxy" - label: cpxProxy image - group: "cpxProxy Settings" -- variable: cpxProxy.imagePullPolicy - required: true - type: enum - default: IfNotPresent - description: "cpxProxy Image pull policy" - label: cpxProxy imagePullPolicy - options: - - "Always" - - "IfNotPresent" - - "Never" - group: "cpxProxy Settings" -- variable: cpxProxy.EULA - required: true - type: enum - label: cpxProxy EULA license - options: - - "YES" - - "NO" - group: "cpxProxy Settings" -- variable: cpxProxy.cpxSidecarMode - required: true - type: string - default: "YES" - description: "Environment variable for Citrix ADC CPX. 
It indicates that Citrix ADC CPX is running as sidecar mode or not" - label: cpxProxy image - options: - - "YES" - - "NO" - group: "cpxProxy Settings" -- variable: cpxProxy.mgmtHttpPort - required: true - type: int - default: 10080 - label: cpxProxy mgmtHttpPort - group: "cpxProxy Settings" -- variable: cpxProxy.mgmtHttpsPort - required: true - type: int - default: 10443 - label: cpxProxy mgmtHttpsPort - group: "cpxProxy Settings" -- variable: cpxProxy.cpxDisableProbe - required: true - type: string - default: YES - description: "Environment variable for Citrix ADC CPX. It indicates that Citrix ADC CPX will disable probing dynamic services. It should be enabled for multicluster setup." - label: cpxProxy cpxDisableProbe - options: - - "YES" - - "NO" - group: "cpxProxy Settings" -- variable: sidecarWebHook.webhookImage - required: true - type: string - default: "quay.io/citrix/cpx-istio-sidecar-injector:1.0.0" - label: sidecarWebHook webhookImage - description: "webhookImage image to be used" - group: "sidecarWebHook Settings" -- variable: sidecarWebHook.imagePullPolicy - required: true - type: enum - default: IfNotPresent - label: sidecarWebHook imagePullPolicy - options: - - "Always" - - "IfNotPresent" - - "Never" - group: "sidecarWebHook Settings" -- variable: sidecarCertsGenerator.image - required: true - type: string - default: " quay.io/citrix/cpx-sidecar-injector-certgen:1.1.0" - label: sidecarWebHook webhookImage - description: "webhookImage image to be used" - group: "sidecarCertsGenerator Settings" -- variable: sidecarCertsGenerator.imagePullPolicy - required: true - type: enum - default: IfNotPresent - label: sidecarWebHook imagePullPolicy - options: - - "Always" - - "IfNotPresent" - - "Never" - group: "sidecarCertsGenerator Settings" -- variable: ADMSettings.ADMIP - required: false - type: string - default: - label: ADMSettings ADMIP - description: "Citrix Application Delivery Management (ADM) IP address" - group: "ADMSettings Settings" -- variable: 
ADMSettings.licenseServerIP - required: false - type: string - default: - label: ADMSettings licenseServerIP - description: "Citrix License Server IP address" - group: "ADMSettings Settings" -- variable: ADMSettings.licenseServerPort - required: false - type: int - default: 27000 - label: ADMSettings licenseServerPort - description: "Citrix ADM port if a non-default port is used" - group: "ADMSettings Settings" -- variable: ADMSettings.bandWidthLicense - required: false - type: boolean - default: false - label: ADMSettings bandWidthLicense - description: "To specify bandwidth based licensing" - group: "ADMSettings Settings" -- variable: ADMSettings.bandWidth - required: false - type: string - default: - label: ADMSettings bandWidth - description: "Desired bandwidth capacity to be set for Citrix ADC CPX in Mbps" - group: "ADMSettings Settings" -- variable: webhook.injectionLabelName - required: true - type: string - default: "cpx-injection" - label: webhook injectionLabelName - description: "Label of namespace, where automatic sidecr injection is required" - group: "webhook Settings" diff --git a/packages/citrix/citrix-cpx-istio-sidecar-injector/upstream.yaml b/packages/citrix/citrix-cpx-istio-sidecar-injector/upstream.yaml deleted file mode 100644 index 9e3179273c..0000000000 --- a/packages/citrix/citrix-cpx-istio-sidecar-injector/upstream.yaml +++ /dev/null @@ -1,6 +0,0 @@ -ChartMetadata: {} -Deprecated: true -DisplayName: Citrix Cpx Istio Sidecar Injector -HelmChart: citrix-cpx-istio-sidecar-injector -HelmRepo: https://citrix.github.io/citrix-helm-charts -Vendor: Citrix diff --git a/packages/citrix/citrix-cpx-with-ingress-controller/overlay/app-readme.md b/packages/citrix/citrix-cpx-with-ingress-controller/overlay/app-readme.md deleted file mode 100644 index ef45a3d907..0000000000 --- a/packages/citrix/citrix-cpx-with-ingress-controller/overlay/app-readme.md +++ /dev/null 
@@ -1,5 +0,0 @@ -# Citrix ADC CPX with Citrix Ingress Controller running as sidecar. - -In a [Kubernetes](https://kubernetes.io/) or [OpenShift](https://www.openshift.com) cluster, you can deploy [Citrix ADC CPX](https://docs.citrix.com/en-us/citrix-adc-cpx) with Citrix ingress controller as a [sidecar](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/). The Citrix ADC CPX instance is used for load balancing the North-South traffic to the microservices in your cluster. And, the sidecar Citrix ingress controller configures the Citrix ADC CPX. - -This Chart bootstraps deployment of Citrix ADC CPX with Citrix Ingress Controller as sidecar. diff --git a/packages/citrix/citrix-cpx-with-ingress-controller/overlay/questions.yml b/packages/citrix/citrix-cpx-with-ingress-controller/overlay/questions.yml deleted file mode 100644 index 0c87144137..0000000000 --- a/packages/citrix/citrix-cpx-with-ingress-controller/overlay/questions.yml +++ /dev/null 
@@ -1,211 +0,0 @@ -questions: -- variable: license.accept - required: true - default: "no" - type: enum - description: "Set to yes to accept the terms and conditions of the Citrix license." - label: Accept License - group: "Deployment Settings" - options: - - "yes" - - "no" -- variable: openshift - default: false - type: boolean - description: "openshift is set to true if charts are being deployed in OpenShift environment" - label: Openshift flag - group: "Deployment Settings" -- variable: nsNamespace - type: string - description: "Prefix for the resources on Citrix ADC" - label: Resource Prefix - group: "Deployment Settings" -- variable: ingressClass[0] - type: string - description: "ingressClass is the name of the Ingress Class" - label: Ingress Class - group: "Deployment Settings" -- variable: logLevel - default: "DEBUG" - type: enum - options: - - "TRACE" - - "DEBUG" - - "INFO" - - "WARNING" - - "ERROR" - description: "logLevel of Citrix Ingress Controller pod" - label: LogLevel - group: "Deployment Settings" -- variable: defaultSSLCert - type: string - description: "Secret containing the default ceritifcate for SSL vservers" - label: Default SSLCert - group: "ADC Settings" -- variable: logProxy - type: string - description: "Elasticsearch or Kafka or Zipkin endpoint for Citrix observability exporte" - label: LogProxy - group: "Deployment Settings" -- variable: http2ServerSide - default: "OFF" - type: enum - options: - - "ON" - - "OFF" - description: "Set to ON to enable HTTP2 for Citrix ADC service group configurations" - label: HTTP2 on ADC - group: "ADC Settings" -- variable: nodeSelector.key - type: string - label: NodeSelector Key - group: "Deployment Settings" -- variable: nodeSelector.value - type: string - label: NodeSelector Value - group: "Deployment Settings" - - -- variable: ADMSettings.licenseServerIP - type: string - label: ADM LicenseServerIP - group: "ADM Settings" -- variable: ADMSettings.licenseServerPort - default: 27000 - type: int - label: 
ADM LicenseServerPort - group: "ADM Settings" -- variable: ADMSettings.ADMIP - type: string - label: ADM IP - group: "ADM Settings" -- variable: ADMSettings.ADMFingerPrint - type: string - label: ADM FingerPrint - group: "ADM Settings" -- variable: ADMSettings.loginSecret - type: string - label: ADM Login Secret - group: "ADM Settings" -- variable: ADMSettings.bandWidthLicense - type: boolean - label: CPX Bandwidth License - group: "ADM Settings" -- variable: ADMSettings.bandWidth - type: int - label: CPX Bandwidth - group: "ADM Settings" -- variable: ADMSettings.vCPULicense - type: boolean - label: CPX vCPU License - group: "ADM Settings" -- variable: ADMSettings.cpxCores - type: int - label: CPX Cores - group: "ADM Settings" -- variable: cic.pullpolicy - default: "IfNotPresent" - type: enum - label: CIC Image Pullpolicy - group: "CIC/CPX Image Settings" - options: - - "Always" - - "IfNotPresent" - - "Never" -- variable: pullpolicy - default: "IfNotPresent" - type: enum - label: CPX Image Pullpolicy - group: "CIC/CPX Image Settings" - options: - - "Always" - - "IfNotPresent" - - "Never" -- variable: cic.image - default: "quay.io/citrix/citrix-k8s-ingress-controller:1.8.28" - type: string - label: CIC Image - group: "CIC/CPX Image Settings" -- variable: image - type: string - default: "quay.io/citrix/citrix-k8s-cpx-ingress:13.0-58.30" - label: CPX Image - group: "CIC/CPX Image Settings" -- variable: exporter.image - default: "quay.io/citrix/citrix-adc-metrics-exporter:1.4.5" - type: string - description: "Exporter Image to be used" - label: Exporter Image - group: "Exporter Settings" -- variable: exporter.pullPolicy - default: "IfNotPresent" - type: string - description: "Exporter Image pull policy" - label: Exporter Image PullPolicy - group: "Exporter Settings" -- variable: exporter.ports.containerPort - default: 8888 - type: int - label: Exporter ContainerPort - group: "Exporter Settings" -- variable: coeConfig.distributedTracing.enable - default: false - type: 
boolean - label: Enable distributedTracing - group: "COE Settings" -- variable: coeConfig.distributedTracing.samplingrate - default: 100 - type: int - label: COE Sampling Rate - group: "COE Settings" -- variable: coeConfig.endpoint.server - type: string - label: COE Endpoint Server - group: "COE Settings" -- variable: coeConfig.timeseries.port - default: 5563 - type: int - label: COE timeseries port - group: "COE Settings" -- variable: coeConfig.timeseries.metrics.enable - default: false - type: boolean - label: Enable timeseries metrics - group: "COE Settings" -- variable: coeConfig.timeseries.metrics.mode - default: 'avro' - type: string - label: COE timeseries metrics Mode - group: "COE Settings" -- variable: coeConfig.timeseries.auditlogs.enable - default: false - type: string - label: Enable timeseries auditlogs - group: "COE Settings" -- variable: coeConfig.timeseries.events.enable - default: false - type: string - label: Enable timeseries events - group: "COE Settings" -- variable: coeConfig.transactions.enable - default: false - type: string - label: Enable transactions - group: "COE Settings" -- variable: coeConfig.transactions.port - default: 5557 - type: int - label: COE transactions port - group: "COE Settings" -- variable: crds.install - default: true - type: boolean - description: "If set to true the charts will install CustomResourceDefinitions which are consumed by CIC." - label: CRD flag - group: "Deployment Settings" -- variable: crds.retainOnDelete - default: false - type: boolean - description: "Set this argument to true if you want to retain CustomResourceDefinitions even after uninstalling CIC. This will avoid data-loss of Custom Resource Objects created before uninstallation." - label: CRD retainOnDelete flag - group: "Deployment Settings" diff --git a/packages/citrix/citrix-cpx-with-ingress-controller/upstream.yaml b/packages/citrix/citrix-cpx-with-ingress-controller/upstream.yaml deleted file mode 100644 index 8ec5f9903e..0000000000 
--- a/packages/citrix/citrix-cpx-with-ingress-controller/upstream.yaml +++ /dev/null @@ -1,6 +0,0 @@ -ChartMetadata: {} -Deprecated: true -DisplayName: Citrix Cpx with Ingress Controller -HelmChart: citrix-cpx-with-ingress-controller -HelmRepo: https://citrix.github.io/citrix-helm-charts -Vendor: Citrix diff --git a/packages/citrix/citrix-ingress-controller/overlay/app-readme.md b/packages/citrix/citrix-ingress-controller/overlay/app-readme.md deleted file mode 100644 index a8a8ebc15a..0000000000 --- a/packages/citrix/citrix-ingress-controller/overlay/app-readme.md +++ /dev/null @@ -1,5 +0,0 @@ -# Citrix Ingress Controller - -[Citrix Ingress Controler](https://github.com/citrix/citrix-k8s-ingress-controller) is an ingress controller for Citrix ADC MPX (hardware), Citrix ADC VPX (virtualized), and Citrix ADC CPX (containerized) for bare metal and cloud deployments. It is built around Kubernetes Ingress and automatically configures Citrix ADC based on the Ingress resource configuration. - -This Chart bootstraps standalone Citrix Ingress Controller which can be used to configure Citrix MPX or VPX. diff --git a/packages/citrix/citrix-ingress-controller/overlay/questions.yml b/packages/citrix/citrix-ingress-controller/overlay/questions.yml deleted file mode 100644 index 89389ae11e..0000000000 --- a/packages/citrix/citrix-ingress-controller/overlay/questions.yml +++ /dev/null 
@@ -1,348 +0,0 @@ -labels: - io.rancher.certified: partner -questions: -- variable: license.accept - required: true - type: enum - description: "Set to yes to accept the terms and conditions of the Citrix license." - label: Accept License - group: "Deployment Settings" - options: - - "yes" - - "no" -- variable: openshift - default: false - type: boolean - description: "openshift is set to true if charts are being deployed in OpenShift environment" - label: Openshift flag - group: "Deployment Settings" -- variable: adcCredentialSecret - required: true - default: "" - type: string - description: "adcCredentialSecret is secret file for NetScaler login" - label: adcCredentialSecret Name - group: "Deployment Settings" -- variable: imagePullSecrets[0] - required: false - type: string - description: "Provide list of Kubernetes secrets to be used for pulling the images from a private Docker registry or repository" - label: imagePullSecrets - group: "Deployment Settings" -- variable: nsIP - required: true - type: string - description: "nsIP is NetScaler NSIP/SNIP, SNIP in case of HA (mgmt has to be enabled)" - label: Citrix ADC IP - group: "ADC Settings" -- variable: nsVIP - required: false - type: string - label: Virtual IP of Citrix ADC - group: "ADC Settings" -- variable: nsSNIPS - required: false - type: string - description: "The list of subnet IPAddresses on the Citrix ADC device, which will be used to create PBR Routes instead of Static Routes" - label: Citrix ADC nsSNIPS - group: "ADC Settings" -- variable: nsPort - required: false - default: 443 - type: int - description: "nsPort is port for ADC NITRO" - label: nsPort - group: "ADC Settings" -- variable: nsProtocol - required: false - default: "HTTPS" - type: string - description: "nsProtocol is protocol for ADC NITRO" - label: nsProtocol - group: "ADC Settings" -- variable: entityPrefix - required: false - type: string - description: "The prefix for the resources on the Citrix ADC VPX/MPX" - label: entityPrefix - 
group: "ADC Settings" -- variable: kubernetesURL - required: false - type: string - description: "kubernetesURL is for registering events to kubeapi server" - label: Kubernetes API-server URL - group: "Deployment Settings" -- variable: clusterName - required: false - type: string - description: "The unique identifier of the kubernetes cluster on which the CIC is deployed" - label: Cluster Name - group: "Deployment Settings" -- variable: ingressClass[0] - required: false - type: string - description: "ingressClass is the name of the Ingress Class" - label: Ingress Class - group: "Deployment Settings" -- variable: setAsDefaultIngressClass - required: false - default: False - type: boolean - description: "Set the IngressClass object as default ingress class. New Ingresses without an `ingressClassName` field specified will be assigned the class specified in ingressClass. Applicable only for kubernetes versions >= 1.19" - label: setAsDefaultIngressClass - group: "Deployment Settings" -- variable: serviceClass[0] - required: false - type: string - description: "serviceClass is the name of the Service Class" - label: Service Class - group: "Deployment Settings" -- variable: defaultSSLCertSecret - required: false - type: string - description: "Provide Kubernetes secret name that needs to be used as a default non-SNI certificate in Citrix ADC." - label: defaultSSLCertSecret - group: "ADC Settings" -- variable: podIPsforServiceGroupMembers - required: false - default: False - type: boolean - description: "By default Citrix Ingress Controller will add NodeIP and NodePort as service group members,This variable if set to True will change the behaviour to add pod IP and Pod port instead of nodeIP and nodePort." 
- label: podIPsforServiceGroupMembers - group: "Deployment Settings" -- variable: ignoreNodeExternalIP - required: false - default: False - type: boolean - label: ignoreNodeExternalIP - group: "Deployment Settings" -- variable: ipam - required: false - default: False - type: boolean - description: "Set this argument if you want to use the IPAM controller to automatically allocate an IP address to the service of type LoadBalancer" - label: ipam - group: "Deployment Settings" -- variable: logProxy - required: false - default: False - type: string - description: "Provide Elasticsearch or Kafka or Zipkin endpoint for Citrix observability exporter." - label: Log Proxy - group: "Deployment Settings" -- variable: nodeWatch - required: false - default: false - type: boolean - description: "nodeWatch is used for automatic route configuration on NetScaler towards the pod network" - label: NodeWatch - group: "ADC Settings" -- variable: cncPbr - required: false - default: false - type: boolean - description: "Use this argument to inform CIC that Citrix Node Controller(CNC) is configuring Policy Based Routes(PBR) on the Citrix ADC." - label: CNC PBR - group: "ADC Settings" -- variable: nodeSelector.key - required: false - type: string - description: "Node label key to be used for nodeSelector option in CIC deployment" - label: NodeSelector Key - group: "Deployment Settings" -- variable: nodeSelector.value - required: false - type: string - description: "Node label value to be used for nodeSelector option in CIC deployment." 
- label: NodeSelector value - group: "Deployment Settings" -- variable: tolerations[0] - required: false - type: string - description: "Specify the tolerations for the CIC deployment" - label: Tolerations - group: "Deployment Settings" -- variable: updateIngressStatus - required: false - default: false - type: boolean - description: "Set this argurment if Status.LoadBalancer.Ingress field of the Ingress resources managed by the Citrix ingress controller needs to be updated with allocated IP addresses" - label: Update Ingress Status - group: "Deployment Settings" -- variable: nsHTTP2ServerSide - required: false - default: "OFF" - type: string - description: "Set this argument to ON for enabling HTTP2 for Citrix ADC service group configurations." - label: nsHTTP2ServerSide - group: "Deployment Settings" -- variable: nsCookieVersion - required: false - default: "0" - type: string - description: "Specify the persistence cookie version (0 or 1)" - label: nsCookieVersion - group: "Deployment Settings" -- variable: routeLabels - required: false - type: string - description: "You can use this parameter to provide the route labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster." 
- label: Route Labels - group: "Deployment Settings" -- variable: namespaceLabels - required: false - type: string - description: "you can use this parameter to provide the namespace labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster" - label: namespaceLabels - group: "Deployment Settings" -- variable: cic.image - required: true - type: string - default: "quay.io/citrix/citrix-k8s-ingress-controller:1.19.6" - label: CIC Image - group: "CIC Image Settings" -- variable: cic.pullpolicy - required: true - default: "IfNotPresent" - type: enum - label: CIC Image Pullpolicy - group: "CIC Image Settings" - options: - - "Always" - - "IfNotPresent" - - "Never" -- variable: logLevel - required: false - default: "INFO" - type: enum - label: CIC Loglevel - group: "CIC Image Settings" - options: - - "DEBUG" - - "INFO" - - "WARNING" - - "ERROR" - - "TRACE" -- variable: exporter.required - default: false - type: boolean - description: "If set to true exporter will be deployed as sidecar" - label: Enable Exporter - group: "Exporter Settings" -- variable: exporter.image - default: "quay.io/citrix/citrix-adc-metrics-exporter:1.4.9" - required: false - type: string - description: "Exporter Image" - label: Exporter Image - group: "Exporter Settings" -- variable: exporter.pullPolicy - required: false - default: IfNotPresent - type: string - description: "Exporter Image pull policy" - label: Exporter Image PullPolicy - group: "Exporter Settings" -- variable: exporter.ports.containerPort - required: false - default: 8888 - type: int - label: Exporter ContainerPort - group: "Exporter Settings" -- variable: crds.install - required: false - default: true - type: boolean - description: "If set to true the charts will install CustomResourceDefinitions which are consumed by CIC." 
- label: CRD flag - group: "Deployment Settings" -- variable: crds.retainOnDelete - required: false - default: false - type: boolean - description: "Set this argument to true if you want to retain CustomResourceDefinitions even after uninstalling CIC. This will avoid data-loss of Custom Resource Objects created before uninstallation." - label: CRD retainOnDelete flag - group: "Deployment Settings" -- variable: coeConfig.required - required: true - default: false - type: boolean - description: "Set this to true if you want to configure Citrix ADC to send metrics and transaction records to COE" - label: Enable COE - group: "COE Settings" -- variable: coeConfig.distributedTracing.enable - required: false - default: false - type: boolean - description: "Set this value to true to enable OpenTracing in Citrix ADC." - label: Enable coeConfig DistributedTracing - group: "COE Settings" -- variable: coeConfig.distributedTracing.samplingrate - required: false - default: "100" - type: string - description: "Specifies the OpenTracing sampling rate in percentage." 
- label: coeConfig DistributedTracing Samplingrate - group: "COE Settings" -- variable: coeConfig.endpoint.server - required: false - type: string - description: "Set this value as the IP address or DNS address of the analytics server" - label: coeConfig Endpoint Server - group: "COE Settings" -- variable: coeConfig.timeseries.port - required: false - default: "30002" - type: string - description: "Specify the port used to expose COE service outside cluster for timeseries endpoint" - label: coeConfig timeseries Port - group: "COE Settings" -- variable: coeConfig.timeseries.metrics.enable - required: false - default: False - type: boolean - description: "Set this value to true to enable sending metrics from Citrix ADC" - label: Enable coeConfig Timeseries Metrics - group: "COE Settings" -- variable: coeConfig.timeseries.metrics.mode - required: false - default: "avro" - type: string - description: "Specifies the mode of metric endpoint" - label: coeConfig Timeseries Metrics Mode - group: "COE Settings" -- variable: coeConfig.timeseries.auditlogs.enable - required: false - default: False - type: boolean - description: "Set this value to true to export audit log data from Citrix ADC" - label: coeConfig Timeseries Auditlogs Enable - group: "COE Settings" -- variable: coeConfig.timeseries.events.enable - required: false - default: False - type: boolean - description: "Set this value to true to export events from the Citrix ADC" - label: Enable coeConfig Timeseries Events - group: "COE Settings" -- variable: coeConfig.transactions.enable - required: false - default: False - type: boolean - description: "Set this value to true to export transactions from Citrix ADC" - label: Enable coeConfig Transactions - group: "COE Settings" -- variable: coeConfig.transactions.port - required: false - default: 30001 - type: string - description: "Specify the port used to expose COE service outside cluster for transaction endpoint" - label: coeConfig Transactions Port - group: "COE 
Settings" -- variable: serviceAccount.create - required: false - default: true - type: boolean - description: "Specifies whether a ServiceAccount should be created" - label: ServiceAccount Create - group: "Deployment Settings" diff --git a/packages/citrix/citrix-ingress-controller/upstream.yaml b/packages/citrix/citrix-ingress-controller/upstream.yaml deleted file mode 100644 index c559c60a2c..0000000000 --- a/packages/citrix/citrix-ingress-controller/upstream.yaml +++ /dev/null @@ -1,6 +0,0 @@ -ChartMetadata: {} -Deprecated: true -DisplayName: Citrix Ingress Controller -HelmChart: citrix-ingress-controller -HelmRepo: https://citrix.github.io/citrix-helm-charts -Vendor: Citrix