Annotations
Ingress annotations
The following ingress annotations are supported by NetScaler:
| Annotations | Type | Required | Description | Default | Possible value |
|---|---|---|---|---|---|
| `ingress.citrix.com/multicluster-policy-priority-order` | String | Optional | When load balancing different applications in the multi-cluster ingress setup, separate content switching policies are created for each application. If you require a particular sequence for policy binding, assign a priority number to the content switching policies by using this annotation. For more information, see Policy bindings. | NA | `ingress.citrix.com/multicluster-policy-priority-order: '{"frontend": {"80": "3", "9443": "1"}, "backend": "2"}'` |
| `ingress.citrix.com/frontend-ip` | String | Optional | Specify an IP address to use as the content switching virtual server IP address. Note: there are multiple ways to configure the content switching virtual server IP address, such as IPAM configuration and the default nsVIP. | NA | Numeric IP address, for example `1.2.3.4` |
| `ingress.citrix.com/frontend-ipset-name` | String | Optional | Specify the IPSET name to bind to the content switching virtual server. Use this annotation along with `ingress.citrix.com/frontend-ip`. Note: the IPSET name that you specify must already be configured in NetScaler. | NA | NetScaler IPSET entity name |
| `ingress.citrix.com/insecure-service-type` | String | Optional | Specify the protocol (HTTP, TCP, UDP, SIP_UDP, or ANY) for the content switching virtual server. | `http` | `http`, `tcp`, `udp`, `sip_udp`, or `any` |
| `ingress.citrix.com/insecure-port` | String | Optional | Configure the port of the content switching virtual server for the http/tcp/udp/sip_udp/any protocols. | `80` | Valid port number |
| `ingress.citrix.com/secure-service-type` | String | Optional | Specify the protocol (SSL or SSL_TCP) for the content switching virtual server. | `ssl` | `ssl`, `ssl_tcp` |
| `ingress.citrix.com/secure-port` | String | Optional | Configure the port of the content switching virtual server for HTTPS traffic. | `443` | Valid port number |
| `ingress.citrix.com/insecure-termination` | String | Optional | Configure the behavior for HTTP traffic: `allow` allows HTTP traffic, `redirect` redirects the HTTP request to HTTPS, and `disallow` drops the HTTP traffic. | `disallow` | `allow`, `redirect`, or `disallow` |
| `ingress.citrix.com/default-response-code` | String | Optional | Configure NetScaler to return an HTTP response code when a request lands on NetScaler and either of the following conditions is met for all the backend services defined in the ingress resource: (1) none of the content switching policies match, or (2) all the backend service endpoints are down. Example: `ingress.citrix.com/default-response-code: '{response-code: "404"}'` | NA | Possible HTTP response codes are `404` and `503`. |
| `ingress.citrix.com/secure-backend` | String/JSON | Optional | Specify whether to use a secure HTTPS connection between NetScaler and the backend Kubernetes application. A plain `true` or `false` applies to all the services in the ingress YAML. To use different settings per service, provide the values as JSON. Example: `ingress.citrix.com/secure-backend: '{"app1":"True", "app2":"False", "app3":"True"}'`. Here app1 and app3 communicate with the backend over HTTPS; app2 uses plain HTTP. | `False` | As string: `True`/`False`. As JSON: `'{"<Service_Name>": "True/False", ...}'` |
| `ingress.citrix.com/backend-secret` | String/JSON | Optional | Specify the certificate to use for backend communication between NetScaler and Kubernetes pods. | NA | As string: `"<kubernetes secret>"`. As JSON: `'{"<Service_Name>": "<kubernetes secret>", ...}'` |
| `ingress.citrix.com/backend-ca-secret` | String/JSON | Optional | Specify the CA certificate to use for backend communication between NetScaler and Kubernetes pods. | NA | As string: `"<kubernetes secret>"`. As JSON: `'{"<Service_Name>": "<kubernetes secret>", ...}'` |
| `ingress.citrix.com/preconfigured-certkey` | JSON | Optional | Specify existing SSL certificate keys on NetScaler to configure for the content switching virtual server. Example: `ingress.citrix.com/preconfigured-certkey: '{"certs": [{"name": "certkey1", "type": "default"}, {"name": "certkey2", "type": "sni"}]}'`. Here certkey1 is used as the non-SNI default certificate and certkey2 as an SNI certificate. See this section. | NA | One or more NetScaler sslcertkey entity names with certificate type `default`, `sni`, or `ca`. |
| `ingress.citrix.com/lbvserver` | JSON | Optional | Configure the parameters of the NetScaler lbvserver entity. Example: `ingress.citrix.com/lbvserver: '{"app1":{"lbmethod":"SRCIPDESTIPHASH"}}'`. Different use cases can be achieved by setting these parameters. See this section. | NA | Valid NetScaler entity parameters in key:value format. |
| `ingress.citrix.com/servicegroup` | JSON | Optional | Configure the parameters of the NetScaler servicegroup entity. Example: `ingress.citrix.com/servicegroup: '{"appname":{"cip": "Enabled","cipHeader":"X-Forwarded-For"}}'`. Different use cases can be achieved by setting these parameters. See this section. | NA | Valid NetScaler entity parameters in key:value format. |
| `ingress.citrix.com/monitor` | JSON | Optional | Configure the parameters of the NetScaler monitor entity. Example: `ingress.citrix.com/monitor: '{"appname":{"type":"http"}}'`. See this section. | NA | Valid NetScaler entity parameters in key:value format. |
| `ingress.citrix.com/deployment` | String | Optional | Create a Direct Server Return (DSR) configuration on NetScaler. Example: `ingress.citrix.com/deployment: "dsr"` | NA | `dsr` |
| `kubernetes.io/ingress.class` | String | Optional | Associate the ingress resource with a particular ingress controller. Example: `kubernetes.io/ingress.class: "Citrix"`. This annotation is maintained for backward compatibility; use `ingressClassName` in the Ingress spec instead. See this section. | NA | Ingress classes mentioned in the Ingress Controller deployment. |
| `ingress.citrix.com/path-match-method` | String | Optional | Specify the path matching method for applications in the ingress. Example: `ingress.citrix.com/path-match-method: "prefix"`. This annotation is maintained for backward compatibility; use `pathType:` in the spec instead. | `prefix` | `prefix` or `exact` |
| `ingress.citrix.com/ipam-range` | String | Optional | Select a particular IP address range from the set of ranges specified to the NetScaler IPAM controller. Example: `ingress.citrix.com/ipam-range: 'Dev'` | NA | A value matching any of the range names configured in the IPAM controller. |
| `ingress.citrix.com/external-service` | JSON | Optional | Provide a domain name to configure a DNS server on NetScaler. See this section. Example: `ingress.citrix.com/external-service: '{"external-svc": {"domain": "www.externalsvc.com"}}'` | | |
| `ingress.citrix.com/canary-weight` | String | Optional | Specify the percentage of traffic to be directed to the canary version. See this section. Example: `ingress.citrix.com/canary-weight: "10"` | | |
| `ingress.citrix.com/canary-by-header` | String | Optional | Provide an HTTP header key to direct traffic to the canary version. See this section. Example: `ingress.citrix.com/canary-by-header: 'some-header-info'` | NA | |
| `ingress.citrix.com/canary-by-header-value` | List | Optional | Provide HTTP header values to direct traffic to the canary version. See this section. Example: `ingress.citrix.com/canary-by-header-value: '["value1","value2","value3"]'` | NA | List of header values as strings. |
| `ingress.citrix.com/bot_crd` | String/JSON | Optional | Bind the policies created by the Bot CRD to the application's load balancing virtual server. See this section. Example: `ingress.citrix.com/bot_crd: "botdefense"` binds the policy to all the services in the ingress; `ingress.citrix.com/bot_crd: '{"appname": "botdefense"}'` binds the policy only to the front-end service. | NA | As a string: `"CRD_Instance_Name"`. As JSON: `'{"<Service_Name>":"CRD_Instance_Name"}'` |
| `ingress.citrix.com/ratelimit_crd` | String/JSON | Optional | Bind the policies created by the Ratelimit CRD to the application's load balancing virtual server. See this section. Example: `ingress.citrix.com/ratelimit_crd: "ratelimitexample"` binds the policy to all the services in the ingress; `ingress.citrix.com/ratelimit_crd: '{"appname": "ratelimitexample"}'` binds the policy only to the front-end service. | NA | As a string: `"CRD_Instance_Name"`. As JSON: `'{"<Service_Name>":"CRD_Instance_Name"}'` |
| `ingress.citrix.com/auth_crd` | String/JSON | Optional | Bind the policies created by the Auth CRD to the application's load balancing virtual server. See this section. Example: `ingress.citrix.com/auth_crd: "authexample"` binds the policy to all the services in the ingress; `ingress.citrix.com/auth_crd: '{"appname": "authexample"}'` binds the policy only to the front-end service. | NA | As a string: `"CRD_Instance_Name"`. As JSON: `'{"<Service_Name>":"CRD_Instance_Name"}'` |
| `ingress.citrix.com/waf_crd` | String/JSON | Optional | Bind the policies created by the WAF CRD to the application's load balancing virtual server. See this section. Example: `ingress.citrix.com/waf_crd: "wafbasic"` binds the policy to all the services in the ingress; `ingress.citrix.com/waf_crd: '{"appname": "wafbasic"}'` binds the policy only to the front-end service. | NA | As a string: `"CRD_Instance_Name"`. As JSON: `'{"<Service_Name>":"CRD_Instance_Name"}'` |
| `ingress.citrix.com/rewrite-responder_crd` | String/JSON | Optional | Bind the policies created by the Rewrite-Responder CRD to the application's load balancing virtual server. See this section. Example: `ingress.citrix.com/rewrite-responder_crd: "blockurlpolicy"` binds the policy to all the services in the ingress; `ingress.citrix.com/rewrite-responder_crd: '{"appname": "blockurlpolicy"}'` binds the policy only to the front-end service. | NA | As a string: `"CRD_Instance_Name"`. As JSON: `'{"<Service_Name>":"CRD_Instance_Name"}'` |
Service annotations
The following are the service annotations supported by NetScaler.
In service annotations, `<index>` is the ordered index of the ports in a service specification file. For example, if there are two ports in the service specification, then the index for the first port is zero and for the second port is one.
| Annotations | Type | Required | Description | Default | Possible value |
|---|---|---|---|---|---|
| `service.citrix.com/frontend-ip` | String | Optional | Specify an IP address to use as the content switching virtual server IP address. There are multiple ways to provide the content switching virtual server IP address. | NA | Numeric IP address, for example `'1.2.3.4'` |
| `service.citrix.com/ipam-range` | String | Optional | Select a particular IP address range from the set of ranges specified to the NetScaler IPAM controller. This annotation is used for services of type LoadBalancer. Example: `service.citrix.com/ipam-range: 'Dev'` | NA | A value matching any of the range names configured in the IPAM controller |
| `service.citrix.com/insecure-redirect` | JSON | Optional | Redirect HTTP traffic to a secure port. Example: `service.citrix.com/insecure-redirect: '{"port-443": 80 }'` or `service.citrix.com/insecure-redirect: '{"443-tcp": 80 }'` | NA | |
| `service.citrix.com/ssl-termination-<index>` | String | Optional | Specify the SSL termination. Example: `service.citrix.com/ssl-termination-0: 'EDGE'` | NA | `EDGE` and `REENCRYPT` |
| `service.citrix.com/service-type-<index>` | String | Optional | Specify a protocol for the NetScaler entities to be created. Example: `service.citrix.com/service-type-0: 'SSL'` | `HTTP` | `TCP`, `HTTP`, `SSL`, `UDP`, `ANY`, `SSL_TCP`, and `SIP_UDP` |
| `service.citrix.com/ssl-certificate-data-<index>` | String | Optional | Specify the server certificate value in PEM format. Example: `service.citrix.com/ssl-certificate-data-0: \| <certificate>` | NA | Certificate data in PEM format |
| `service.citrix.com/ssl-key-data-<index>` | String | Optional | Specify the server key value in PEM format. Example: `service.citrix.com/ssl-key-data-0: \| <key>` | NA | Key data in PEM format |
| `service.citrix.com/ssl-ca-certificate-data-<index>` | String | Optional | Specify the server CA certificate value, in PEM format, used to verify the client certificate. Example: `service.citrix.com/ssl-ca-certificate-data-0: \| <certificate>` | NA | CA certificate data in PEM format |
| `service.citrix.com/ssl-backend-ca-certificate-data-<index>` | String | Optional | Specify the CA certificate value, in PEM format, used to verify the server certificate of the back end. Example: `service.citrix.com/ssl-backend-ca-certificate-data-0: \| <certificate>` | NA | CA certificate data in PEM format |
| `service.citrix.com/secret` | String | Optional | Specify the name of a secret resource for the front-end server certificate. To bind multiple front-end server certificates, provide a comma-separated list of secrets configured for certificates. For more information and an example, see SSL certificate for services of type LoadBalancer. Examples: `service.citrix.com/secret: hotdrink-secret`, `service.citrix.com/secret: apache-secret1,apache-secret2` | NA | Kubernetes secret name |
| `service.citrix.com/ca-secret` | String | Optional | Provide a CA certificate for client certificate authentication. This certificate is bound to the front-end SSL virtual server in NetScaler. For more information and an example, see SSL certificate for services of type LoadBalancer. Example: `service.citrix.com/ca-secret: 'hotdrink-ca-secret'` | NA | Kubernetes secret name |
| `service.citrix.com/backend-secret` | String | Optional | Use this annotation if the back-end communication between NetScaler and your workload is on an encrypted channel and your workload requires client authentication. This certificate is sent to the server during the SSL handshake and is bound to the back-end SSL service group. For more information and an example, see SSL certificate for services of type LoadBalancer. Example: `service.citrix.com/backend-secret: 'hotdrink-secret'` | NA | Kubernetes secret name |
| `service.citrix.com/backend-ca-secret` | String | Optional | Enable server authentication, which authenticates the back-end server certificate. For more information and an example, see SSL certificate for services of type LoadBalancer. Example: `service.citrix.com/backend-ca-secret: 'hotdrink-ca-secret'` | NA | Kubernetes secret name |
| `service.citrix.com/preconfigured-certkey` | String | Optional | Specify the name of an existing SSL certificate key in NetScaler to be used as the front-end server certificate. To bind multiple front-end server certificates, provide a comma-separated list of cert keys that are already configured for certificates. Examples: `service.citrix.com/preconfigured-certkey: coffee-cert`, `service.citrix.com/preconfigured-certkey: preconfcert1,preconfcert2` | NA | NetScaler sslcertkey entity name |
| `service.citrix.com/preconfigured-ca-certkey` | String | Optional | Specify the name of a pre-configured certificate key in NetScaler to be used as the CA certificate for client certificate authentication. This certificate is bound to the front-end SSL virtual server in NetScaler. Example: `service.citrix.com/preconfigured-ca-certkey: 'coffee-ca-cert'` | NA | NetScaler sslcertkey entity name |
| `service.citrix.com/preconfigured-backend-certkey` | String | Optional | Specify the name of a pre-configured certificate key in NetScaler to be bound to the back-end SSL service group. This certificate is sent to the server during the SSL handshake for server authentication. Example: `service.citrix.com/preconfigured-backend-certkey: 'coffee-cert'` | NA | NetScaler sslcertkey entity name |
| `service.citrix.com/preconfigured-backend-ca-certkey` | String | Optional | Specify the name of a pre-configured CA certificate key in NetScaler to be bound to the back-end SSL service group for server authentication. Example: `service.citrix.com/preconfigured-backend-ca-certkey: 'coffee-ca-cert'` | NA | NetScaler sslcertkey entity name |
Smart annotations for HTTP, TCP, or SSL profiles
| Annotations | Type | Required | Description | Default | Possible value |
|---|---|---|---|---|---|
| `ingress.citrix.com/frontend-httpprofile` | String/JSON | Optional | Create the front-end HTTP profile (client plane). | NA | Example: `ingress.citrix.com/frontend-httpprofile: '{"dropinvalreqs":"enabled", "websocket" : "enabled"}'` |
| `ingress.citrix.com/backend-httpprofile` | String/JSON | Optional | Create the back-end HTTP profile (server plane). | NA | Example: `ingress.citrix.com/backend-httpprofile: '{"app-1": {"dropinvalreqs":"enabled", "websocket" : "enabled"}}'` |
| `ingress.citrix.com/frontend-tcpprofile` | String/JSON | Optional | Create the front-end TCP profile (client plane). | NA | Example: `ingress.citrix.com/frontend-tcpprofile: '{"ws":"enabled", "sack" : "enabled"}'` |
| `ingress.citrix.com/backend-tcpprofile` | String/JSON | Optional | Create the back-end TCP profile (server plane). | NA | Example: `ingress.citrix.com/backend-tcpprofile: '{"citrix-svc":{"ws":"enabled", "sack" : "enabled"}}'` |
| `ingress.citrix.com/frontend-sslprofile` | String/JSON | Optional | Create the front-end SSL profile (client plane). The front-end SSL profile is required only if you have enabled TLS on the client plane. | NA | Example: `ingress.citrix.com/frontend-sslprofile: '{"hsts":"enabled", "tls12" : "enabled"}'` |
| `ingress.citrix.com/backend-sslprofile` | String/JSON | Optional | Create the back-end SSL profile (server plane). The back-end SSL profile is required only if you use `ingress.citrix.com/secure-backend`. | NA | Example: `ingress.citrix.com/backend-sslprofile: '{"citrix-svc":{"hsts":"enabled", "tls1" : "enabled"}}'` |
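An added example (not NetScaler's or the controller's own code) that lints the annotations documented in the two tables above before a manifest is applied: it checks the enumerated string values, confirms that JSON-valued annotations parse, and flags the settings a reviewer would question (plain HTTP allowed at the front end, a service reached over plain HTTP through `secure-backend`, or a legacy TLS version enabled in `backend-sslprofile`). The annotation names and accepted values come from the tables; the severity labels and the sample annotation map are constructed for this example.

```python
"""Lint NetScaler ingress annotations before the manifest is applied.

Added example, not code from the NetScaler Ingress Controller. Annotation
names and accepted values come from the tables above; the severity labels,
the tls1/tls11 check and the sample annotation map are this example's own.
"""
import json

# Enumerated string values from the ingress annotations table (compared lower-case).
ENUMS = {
    "ingress.citrix.com/insecure-service-type": {"http", "tcp", "udp", "sip_udp", "any"},
    "ingress.citrix.com/secure-service-type": {"ssl", "ssl_tcp"},
    "ingress.citrix.com/insecure-termination": {"allow", "redirect", "disallow"},
    "ingress.citrix.com/path-match-method": {"prefix", "exact"},
    "ingress.citrix.com/deployment": {"dsr"},
}

# Annotations whose value must be a JSON document.
JSON_ONLY = {
    "ingress.citrix.com/lbvserver", "ingress.citrix.com/servicegroup",
    "ingress.citrix.com/monitor", "ingress.citrix.com/csvserver",
    "ingress.citrix.com/preconfigured-certkey", "ingress.citrix.com/external-service",
    "ingress.citrix.com/frontend-sslprofile", "ingress.citrix.com/backend-sslprofile",
}


def parse_secure_backend(value):
    """Return {service: bool}; a plain True/False string maps to {"*": bool}."""
    text = value.strip()
    if text.lower() in ("true", "false"):
        return {"*": text.lower() == "true"}
    parsed = json.loads(text)  # json.JSONDecodeError is a ValueError
    return {svc: str(flag).lower() == "true" for svc, flag in parsed.items()}


def lint_annotations(annotations):
    """Return a list of (severity, annotation, message) findings."""
    findings = []
    for key, value in annotations.items():
        if key in ENUMS and value.lower() not in ENUMS[key]:
            findings.append(("error", key, f"unsupported value {value!r}"))
        if key in JSON_ONLY:
            try:
                json.loads(value)
            except ValueError as exc:
                findings.append(("error", key, f"invalid JSON: {exc}"))

    # Front end: the default is disallow; "allow" serves the application over plain HTTP.
    term = annotations.get("ingress.citrix.com/insecure-termination", "disallow")
    if term.lower() == "allow":
        findings.append(("warn", "ingress.citrix.com/insecure-termination",
                         "plain HTTP is served; use redirect or disallow unless intended"))

    # Back end: name every service that NetScaler will reach over plain HTTP.
    raw = annotations.get("ingress.citrix.com/secure-backend")
    if raw is not None:
        try:
            for svc, secure in parse_secure_backend(raw).items():
                if not secure:
                    findings.append(("warn", "ingress.citrix.com/secure-backend",
                                     f"{svc}: NetScaler-to-pod traffic is plain HTTP"))
        except ValueError as exc:
            findings.append(("error", "ingress.citrix.com/secure-backend", f"invalid JSON: {exc}"))

    # Back-end SSL profile: tls1/tls11 are TLS 1.0/1.1; flag them when enabled.
    raw = annotations.get("ingress.citrix.com/backend-sslprofile")
    if raw is not None:
        try:
            for svc, params in json.loads(raw).items():
                for name, state in params.items():
                    if name.lower() in ("tls1", "tls11") and str(state).lower() == "enabled":
                        findings.append(("warn", "ingress.citrix.com/backend-sslprofile",
                                         f"{svc}: legacy protocol {name} enabled"))
        except (ValueError, AttributeError):
            pass  # malformed JSON was already reported above
    return findings


# Constructed sample: one bad enum, one truncated JSON value, one plain-HTTP backend.
SAMPLE = {
    "ingress.citrix.com/frontend-ip": "192.168.1.1",
    "ingress.citrix.com/insecure-termination": "allow",
    "ingress.citrix.com/secure-backend": '{"app1":"True", "app2":"False"}',
    "ingress.citrix.com/backend-sslprofile": '{"app1":{"hsts":"enabled", "tls1" : "enabled"}}',
    "ingress.citrix.com/lbvserver": '{"app1":{"lbmethod":"SRCIPDESTIPHASH"}',
    "ingress.citrix.com/insecure-service-type": "grpc",
}

if __name__ == "__main__":
    for severity, key, message in lint_annotations(SAMPLE):
        print(f"{severity:5} {key}: {message}")
```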
Smart annotations for Ingress
Smart annotation is an option provided by NetScaler Ingress Controller to efficiently enable NetScaler features using the NetScaler entity name. The NetScaler Ingress Controller converts the Ingress in Kubernetes to a set of NetScaler objects. You can efficiently control these objects using smart annotations.
Note
To use smart annotations, you must have a good understanding of NetScaler features and their respective entity names. For more information about NetScaler features and entity names, see NetScaler documentation.
Smart annotation takes JSON format as input. The key and value that you pass in the JSON format must match the NetScaler NITRO format. For more information about the NetScaler NITRO API, see NetScaler REST APIs - NITRO documentation.
For example, to enable the SRCIPDESTIPHASH based lb method, you must use the corresponding NITRO key and value, `lbmethod` and `SRCIPDESTIPHASH` respectively.
The following table details the smart annotations provided by NetScaler Ingress Controller:
| NetScaler Entity Name | Smart Annotation | Example |
|---|---|---|
| lbvserver | `ingress.citrix.com/lbvserver` | `ingress.citrix.com/lbvserver: '{"appname":{"lbmethod":"SRCIPDESTIPHASH"}}'` |
| servicegroup | `ingress.citrix.com/servicegroup` | `ingress.citrix.com/servicegroup: '{"appname":{"cip": "Enabled","cipHeader":"X-Forwarded-For"}}'` |
| monitor | `ingress.citrix.com/monitor` | `ingress.citrix.com/monitor: '{"appname":{"type":"http"}}'` |
| csvserver | `ingress.citrix.com/csvserver` | `ingress.citrix.com/csvserver: '{"stateupdate": "ENABLED"}'` |
For information on smart annotations for HTTP, TCP, and SSL profiles, see Configure HTTP, TCP, or SSL profiles on NetScaler.
Sample ingress YAML with smart annotations
The following sample Ingress YAML includes smart annotations to enable NetScaler features using entities such as lbvserver, servicegroup, and monitor:
```bash
kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    ingress.citrix.com/frontend-ip: 192.168.1.1
    ingress.citrix.com/insecure-port: "80"
    ingress.citrix.com/lbvserver: '{"appname":{"lbmethod":"LEASTCONNECTION", "persistenceType":"SOURCEIP"}}'
    ingress.citrix.com/monitor: '{"appname":{"type":"http"}}'
    ingress.citrix.com/servicegroup: '{"appname":{"usip":"yes"}}'
  name: citrix
spec:
  rules:
  - host: citrix.org
    http:
      paths:
      - backend:
          service:
            name: appname
            port:
              number: 80
        path: /
        pathType: Prefix
EOF
```
The sample Ingress YAML includes use cases related to the service citrix-svc, and the following table explains the smart annotations used in the sample:
| Smart Annotation | Description |
|---|---|
| `ingress.citrix.com/lbvserver: '{"appname":{"lbmethod":"LEASTCONNECTION", "persistenceType":"SOURCEIP"}}'` | Sets the load balancing method to Least Connection and also configures Source IP address persistence. |
| `ingress.citrix.com/servicegroup: '{"appname":{"usip":"yes"}}'` | Enables Use Source IP Mode (USIP) on the NetScaler device. When you enable USIP on NetScaler, it uses the client's IP address for communication with the back-end pods. |
| `ingress.citrix.com/monitor: '{"appname":{"type":"http"}}'` | Creates a custom HTTP monitor for the service group. |
Note:
When multiple ingresses share the same front-end IP address and port, you cannot provide conflicting configurations through the different ingress definitions.
By default, the content switching virtual server does not depend on the state of the target load balancing virtual servers bound to it. The annotation `ingress.citrix.com/csvserver: '{"stateupdate": "ENABLED"}'` makes the content switching virtual server derive its state from the state of the load balancing virtual servers bound to it through the content switching policies.
Smart annotations for routes
Similar to Ingress, you can also use smart annotations with OpenShift routes. NetScaler Ingress Controller converts the routes in OpenShift to a set of NetScaler objects.
The following table details the smart annotations provided by NetScaler Ingress Controller:
| NetScaler entity name | Smart annotation | Example |
|---|---|---|
| lbvserver | `route.citrix.com/lbvserver` | `route.citrix.com/lbvserver: '{"appname":{"lbmethod":"SRCIPDESTIPHASH"}}'` |
| servicegroup | `route.citrix.com/servicegroup` | `route.citrix.com/servicegroup: '{"appname":{"cip": "Enabled","cipHeader":"X-Forwarded-For"}}'` |
| monitor | `route.citrix.com/monitor` | `route.citrix.com/monitor: '{"appname":{"type":"http"}}'` |
Sample route manifest with smart annotations
The following example is a route YAML file.
```bash
kubectl apply -f - <<EOF
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: citrix
  annotations:
    route.citrix.com/lbvserver: '{"appname":{"lbmethod":"LEASTCONNECTION", "persistenceType":"SOURCEIP"}}'
    route.citrix.com/servicegroup: '{"appname":{"usip":"yes"}}'
    route.citrix.com/monitor: '{"appname":{"type":"http"}}'
spec:
  host: citrix.org
  port:
    targetPort: 80
  to:
    kind: Service
    name: appname
    weight: 100
  wildcardPolicy: None
EOF
```
The sample route manifest includes use cases related to the service citrix-svc, and the following table explains the smart annotations used in the sample route:
| Smart annotation | Description |
|---|---|
| `route.citrix.com/lbvserver: '{"appname":{"lbmethod":"LEASTCONNECTION", "persistenceType":"SOURCEIP"}}'` | Sets the load balancing method to Least Connection and also configures Source IP address persistence. |
| `route.citrix.com/servicegroup: '{"appname":{"usip":"yes"}}'` | Enables Use Source IP Mode (USIP) on NetScaler. When you enable USIP on NetScaler, it uses the IP address of the client for communication with the back-end pods. |
| `route.citrix.com/monitor: '{"appname":{"type":"http"}}'` | Creates a custom HTTP monitor for the service group. |
Sample YAML with the service annotation to redirect insecure traffic
This example shows how to redirect traffic from clients making requests on an insecure port 80 to the secure port 443.
The following annotation is specified in the service YAML file to redirect traffic:
```yaml
service.citrix.com/insecure-redirect: '{"port-443": 80}'
```
Sample service definition:
```bash
kubectl apply -f - <<EOF
apiVersion: v1
kind: Service
metadata:
  name: frontend-service
  annotations:
    service.citrix.com/service-type-0: SSL
    service.citrix.com/frontend-ip: '192.2.170.26'
    service.citrix.com/secret: '{"port-443": "web-ingress-secret"}'
    service.citrix.com/ssl-termination-0: 'EDGE'
    service.citrix.com/insecure-redirect: '{"port-443": 80}'
spec:
  type: LoadBalancer
  selector:
    app: frontend
  ports:
  - port: 443
    targetPort: 80
    name: port-443
EOF
```
Smart annotations for services
Smart annotations for services are used to configure NetScaler with custom values for NetScaler configuration parameters. The annotations are used for services of type LoadBalancer and for the services in NetScaler CPX used for East-West traffic.
Note:
If you have configured a service with NodePort or ClusterIP for the North-South traffic, then NetScaler is configured using the applicable ingress smart annotations rather than service annotations.
Smart annotations for services take JSON format as input. The key and value that you pass in the JSON format must match the NetScaler NITRO format. For more information about the NetScaler NITRO API, see NetScaler REST APIs - NITRO Documentation.
Example smart annotation for services:

```yaml
service.citrix.com/lbvserver: '{"80-tcp":{"lbmethod":"SRCIPDESTIPHASH"}}'
```

This annotation sets the load balancing method to SRCIPDESTIPHASH in the load balancing virtual server for the 80-tcp port of the given service.
The following table describes the smart annotations for services:
| NetScaler Entity Name | Smart Annotation for Service | Example |
|---|---|---|
| lbvserver | `service.citrix.com/lbvserver` | `service.citrix.com/lbvserver: '{"80-tcp":{"lbmethod":"SRCIPDESTIPHASH"}}'` |
| csvserver | `service.citrix.com/csvserver` | `service.citrix.com/csvserver: '{"l2conn":"on"}'` |
| servicegroup | `service.citrix.com/servicegroup` | `service.citrix.com/servicegroup: '{"80-tcp":{"usip":"yes"}}'` |
| monitor | `service.citrix.com/monitor` | `service.citrix.com/monitor: '{"80-tcp":{"type":"http"}}'` |
| analyticsprofile | `service.citrix.com/analyticsprofile` | `service.citrix.com/analyticsprofile: '{"80-tcp":{"webinsight": {"httpurl":"ENABLED", "httpuseragent":"ENABLED"}}}'` |
You can use the smart annotations for services as follows:
- By providing the port-protocol value in the annotation: if you provide the port-protocol value in the annotation, then the annotation is restricted to that particular port of the service.
- By not providing the port-protocol value in the annotation: if you do not provide the port-protocol value, then the annotation applies to all the ports used by the service.
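An added example (not the controller's own code) that implements the two rules just described together with the `<index>` convention from the service annotations table: it resolves which port of a Service each smart annotation applies to, and which `spec.ports` entry each `<index>` annotation lands on, reporting keys and indexes that match no port. Accepting a port name such as `port-443` as a key, as the `insecure-redirect` example does, is this example's own generalisation; the sample Service is constructed.

```python
"""Resolve NetScaler service annotations onto the ports of a Service.

Added example, not code from the NetScaler Ingress Controller. It applies
the two rules above (a "<port>-<protocol>" key scopes the parameters to one
port; no such key means every port) and the <index> convention of the
service annotations table. Matching a key against the port *name* as well
(the insecure-redirect example uses "port-443") is this example's assumption.
"""
import json
import re

SMART = ("lbvserver", "servicegroup", "monitor", "analyticsprofile")
INDEXED = ("service-type", "ssl-termination", "ssl-certificate-data", "ssl-key-data",
           "ssl-ca-certificate-data", "ssl-backend-ca-certificate-data")
PORT_KEY = re.compile(r"^(\d+)-([a-z_]+)$")


def slot_of(port):
    """Identify a spec.ports entry by its name, or its number when unnamed."""
    return port.get("name") or str(port["port"])


def port_matches(port, key):
    """True if key is '<port>-<protocol>' for this port, or equals its name."""
    m = PORT_KEY.match(key.lower())
    if m:
        return (int(m.group(1)) == port["port"]
                and m.group(2) == port.get("protocol", "TCP").lower())
    return key == port.get("name")


def resolve_smart(service):
    """Return ({slot: {entity: params}}, [(entity, key) for keys matching no port])."""
    ports = service["spec"]["ports"]
    ann = service["metadata"].get("annotations", {})
    out = {slot_of(p): {} for p in ports}
    unmatched = []
    for entity in SMART:
        raw = ann.get(f"service.citrix.com/{entity}")
        if raw is None:
            continue
        params = json.loads(raw)
        targets = {k: [p for p in ports if port_matches(p, k)] for k in params}
        if any(targets.values()):
            # Port-scoped form: each key applies only to the port it names.
            for key, matched in targets.items():
                if not matched:
                    unmatched.append((entity, key))
                for p in matched:
                    out[slot_of(p)].setdefault(entity, {}).update(params[key])
        else:
            # Flat form: the parameters apply to every port of the service.
            for p in ports:
                out[slot_of(p)].setdefault(entity, {}).update(params)
    return out, unmatched


def resolve_indexed(service):
    """Return ({slot: {name: value}}, [annotations whose index has no port])."""
    ports = service["spec"]["ports"]
    ann = service["metadata"].get("annotations", {})
    out = {slot_of(p): {} for p in ports}
    dangling = []
    for key, value in ann.items():
        m = re.match(r"^service\.citrix\.com/(.+)-(\d+)$", key)
        if not m or m.group(1) not in INDEXED:
            continue
        name, idx = m.group(1), int(m.group(2))
        if idx >= len(ports):
            dangling.append(key)  # index points past spec.ports
            continue
        out[slot_of(ports[idx])][name] = value
    return out, dangling


# Constructed sample: two ports, one scoped and one flat smart annotation,
# one index that points past spec.ports, one port-protocol key with no port.
SAMPLE_SERVICE = {
    "metadata": {"name": "frontend-service", "annotations": {
        "service.citrix.com/service-type-0": "SSL",
        "service.citrix.com/ssl-termination-0": "EDGE",
        "service.citrix.com/ssl-termination-2": "EDGE",
        "service.citrix.com/lbvserver": '{"443-tcp":{"lbmethod":"SRCIPDESTIPHASH"}}',
        "service.citrix.com/servicegroup": '{"usip":"yes"}',
        "service.citrix.com/monitor": '{"port-443":{"type":"http"}, "9443-tcp":{"type":"http"}}',
    }},
    "spec": {"type": "LoadBalancer", "ports": [
        {"name": "port-443", "port": 443, "targetPort": 80},
        {"name": "port-80", "port": 80, "protocol": "TCP"},
    ]},
}

if __name__ == "__main__":
    print(resolve_smart(SAMPLE_SERVICE))
    print(resolve_indexed(SAMPLE_SERVICE))
```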
Sample ingress YAML with smart annotations for services
The following YAML is a sample deployment and service definition for a basic Apache web server application. It includes smart annotations for services to enable NetScaler features using entities such as lbvserver, csvserver, servicegroup, monitor, and analyticsprofile:
```bash
kubectl apply -f - <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: apache
  labels:
    name: apache
spec:
  selector:
    matchLabels:
      app: apache
  replicas: 8
  template:
    metadata:
      labels:
        app: apache
    spec:
      containers:
      - name: apache
        image: httpd:latest
        ports:
        - name: http
          containerPort: 80
        imagePullPolicy: IfNotPresent
---
# Expose the apache web server as a service
apiVersion: v1
kind: Service
metadata:
  name: apache
  annotations:
    service.citrix.com/csvserver: '{"l2conn":"on"}'
    service.citrix.com/lbvserver: '{"80-tcp":{"lbmethod":"SRCIPDESTIPHASH"}}'
    service.citrix.com/servicegroup: '{"80-tcp":{"usip":"yes"}}'
    service.citrix.com/monitor: '{"80-tcp":{"type":"http"}}'
    service.citrix.com/frontend-ip: '10.217.212.16'
    service.citrix.com/analyticsprofile: '{"80-tcp":{"webinsight": {"httpurl":"ENABLED", "httpuseragent":"ENABLED"}}}'
    NETSCALER_VPORT: '80'
  labels:
    name: apache
spec:
  externalTrafficPolicy: Local
  type: LoadBalancer
  # The selector must match the pod template labels of the deployment above.
  selector:
    app: apache
  ports:
  - name: http
    port: 80
    targetPort: http
EOF
```
Examples
Sample ingress YAML for SIP_UDP support in insecure service type annotation
The following sample ingress YAML includes the configuration for enabling SIP over UDP support using the `ingress.citrix.com/insecure-service-type` annotation.
```bash
kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    ingress.citrix.com/frontend-ip: 1.1.1.1
    ingress.citrix.com/insecure-port: "5060"
    ingress.citrix.com/insecure-service-type: sip_udp
    ingress.citrix.com/lbvserver: '{"asterisk17":{"lbmethod":"CALLIDHASH","persistenceType":"CALLID"}}'
  name: sip-ingress
spec:
  defaultBackend:
    service:
      name: asterisk17
      port:
        number: 5060
EOF
```