NetScaler CPX integration with MetalLB in layer 2 mode for on-premises Kubernetes clusters
In a cloud environment, Kubernetes services of type LoadBalancer are supported by the cloud provider's load balancers. The cloud service provider enables this support by automatically creating a load balancer and assigning an IP address, which is displayed as part of the service status. Any traffic destined to the external IP address is load balanced by the cloud load balancer across the NodeIP and NodePort of the cluster nodes.
NetScaler provides different options to support services of type LoadBalancer in an on-premises environment, including:
- Using an external NetScaler VPX or NetScaler MPX as a tier-1 load balancer to load balance the incoming traffic to Kubernetes services. For more information on such a deployment, see Expose services of type LoadBalancer.
- Exposing applications running in a Kubernetes cluster using the NetScaler CPX daemonset running inside the cluster, along with a router that supports ECMP over BGP. The ECMP router load balances the traffic across multiple NetScaler CPX instances, and the NetScaler CPX instances load balance the actual application pods. For more information on such a deployment, see BGP advertisement of external IP addresses for type LoadBalancer services and Ingresses using NetScaler CPX.
- Exposing the NetScaler CPX service as an external IP service with a node external IP address. You can use this option if an external ADC as tier-1 is not feasible and a BGP router does not exist. In this deployment, Kubernetes routes the traffic that arrives at the spec.externalIP of the NetScaler CPX service on the service ports to the NetScaler CPX pods. Ingress resources can be configured using the NetScaler Ingress Controller to perform SSL (Secure Sockets Layer) offloading and to load balance applications. However, this deployment has the major drawback of not being reliable if there is a node failure.
- Using MetalLB, a load-balancer implementation for bare-metal Kubernetes clusters, in layer 2 mode together with NetScaler CPX to achieve ingress capability.
This documentation shows how you can use MetalLB along with NetScaler CPX to achieve ingress capability in bare-metal clusters when the other solutions are not feasible. In layer 2 mode, MetalLB configures one node to receive all the traffic for the external IP address and forward it to the NetScaler CPX service. If that node fails, MetalLB automatically moves the IP address to a different node, which provides better reliability than the ExternalIP service.
Note: MetalLB is still in beta. See the official MetalLB documentation for the project maturity and any limitations.
Perform the following steps to deploy NetScaler CPX integration with MetalLB in layer 2 mode for on-premises Kubernetes clusters.
- Install and configure MetalLB
- Configure MetalLB for layer 2 mode
- Install NetScaler CPX service
Install and configure MetalLB
First, you should install MetalLB in layer 2 mode. For more information on different types of installations for MetalLB, see the MetalLB documentation.
Perform the following steps to install MetalLB:
- Create a namespace for deploying MetalLB.

  ```shell
  kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.9.5/manifests/namespace.yaml
  ```

- Deploy MetalLB using the following command.

  ```shell
  kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.9.5/manifests/metallb.yaml
  ```

- If you are installing MetalLB for the first time, create the memberlist secret. The speakers use this key to encrypt the memberlist traffic between them.

  ```shell
  kubectl create secret generic -n metallb-system memberlist --from-literal=secretkey="$(openssl rand -base64 128)"
  ```

- Verify the MetalLB installation and ensure that the speaker and controller pods are in the Running state using the following command:

  ```shell
  kubectl get pods -n metallb-system
  ```
These steps deploy MetalLB to your cluster under the metallb-system namespace.
The MetalLB deployment YAML file contains the following components:
- The metallb-system/controller deployment: the cluster-wide controller that handles IP address assignments.
- The metallb-system/speaker daemonset: the component that communicates using the protocol of your choice (layer 2 in this deployment) to make the services reachable.
- Service accounts for the controller and speaker, along with the RBAC permissions that the components need to function.
MetalLB configuration for Layer 2
Once MetalLB is installed, you should configure it for layer 2 mode. MetalLB takes a range of IP addresses to be allocated as external IP addresses to services of type LoadBalancer. In this deployment, a NetScaler CPX service acts as the front end for all other applications, so a single IP address is sufficient.
Create a ConfigMap for MetalLB using the following command, where metallb-config.yaml is the YAML file with the MetalLB configuration.

```shell
kubectl create -f metallb-config.yaml
```
Following is a sample MetalLB configuration for layer 2 mode. In this example, 192.168.1.240-192.168.1.240 is specified as the IP address range, that is, a range that contains the single address 192.168.1.240.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: metallb-system
  name: config
data:
  config: |
    address-pools:
    - name: default
      protocol: layer2
      addresses:
      - 192.168.1.240-192.168.1.240
```
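As an added example (not part of this page or of the NetScaler or MetalLB projects), the following Python check validates a parsed layer 2 address-pool configuration before you apply it: it expands each range or CIDR entry and flags pools that are not layer2, addresses that are off the node subnet (layer 2 mode relies on ARP, so the pool must be on-link), and addresses that collide with node IPs. The node subnet and node addresses are assumed values; in practice, load the real config from metallb-config.yaml with yaml.safe_load.

```python
"""Sanity checks for a MetalLB layer-2 address pool (added example, not
from the NetScaler or MetalLB projects). Input is the parsed value of the
ConfigMap's `config` key, for example from yaml.safe_load."""
import ipaddress

# Constructed input mirroring the page's sample ConfigMap `config` value.
SAMPLE_CONFIG = {"address-pools": [
    {"name": "default", "protocol": "layer2",
     "addresses": ["192.168.1.240-192.168.1.240"]}]}
# Assumed cluster facts (constructed): the on-link node subnet and the
# addresses the nodes already use.
NODE_SUBNET = ipaddress.ip_network("192.168.1.0/24")
NODE_IPS = {ipaddress.ip_address(a) for a in ("192.168.1.10", "192.168.1.11")}


def expand(entry):
    """Yield every address in a MetalLB pool entry ('a-b' range or CIDR)."""
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if hi < lo:
            raise ValueError("reversed range")
        cur = lo
        while cur <= hi:
            yield cur
            cur += 1
    else:
        yield from ipaddress.ip_network(entry, strict=False)


def check_pools(config, node_subnet, node_ips):
    """Return problems found (empty list means the pool passes). Layer 2
    mode answers ARP for the pool on a node interface, so every address
    must be on the node subnet and must not collide with a node's own."""
    problems = []
    for pool in config.get("address-pools", []):
        name = pool.get("name", "<unnamed>")
        if pool.get("protocol") != "layer2":
            problems.append(f"{name}: protocol {pool.get('protocol')!r} is not layer2")
        for entry in pool.get("addresses", []):
            try:
                addrs = list(expand(entry))
            except ValueError as exc:
                problems.append(f"{name}: bad entry {entry!r} ({exc})")
                continue
            for ip in addrs:
                if ip not in node_subnet:
                    problems.append(f"{name}: {ip} is outside node subnet {node_subnet}")
                if ip in node_ips:
                    problems.append(f"{name}: {ip} is already a node address")
    return problems
```

Run check_pools on the loaded config before kubectl create; an empty result means the pool is layer2, on-link, and free of node-address collisions.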
NetScaler CPX service installation
Once MetalLB is successfully installed, you can install the NetScaler CPX deployment and a service of type LoadBalancer.
To install NetScaler CPX, you can either use the YAML file or Helm charts.
To install NetScaler CPX using the YAML file, perform the following steps:
- Download the NetScaler CPX deployment manifest.

  ```shell
  wget https://raw.githubusercontent.com/citrix/citrix-k8s-ingress-controller/master/deployment/baremetal/citrix-k8s-cpx-ingress.yml
  ```

- Edit the NetScaler CPX deployment YAML:
  - Set the replica count as needed. It is better to have more than one replica for high availability.
  - Change the service type to LoadBalancer.

- Apply the edited YAML file using the kubectl command.

  ```shell
  kubectl apply -f citrix-k8s-cpx-ingress.yml
  ```

- View the service using the following command:

  ```shell
  kubectl get svc cpx-service -o yaml
  ```
You can see that MetalLB allocates an external IP address to the NetScaler CPX service as follows:

```yaml
apiVersion: v1
kind: Service
metadata:
  name: cpx-service
  namespace: default
spec:
  clusterIP: 10.107.136.241
  externalTrafficPolicy: Cluster
  healthCheckNodePort: 31916
  ports:
  - name: http
    nodePort: 31528
    port: 80
    protocol: TCP
    targetPort: 80
  - name: https
    nodePort: 31137
    port: 443
    protocol: TCP
    targetPort: 443
  selector:
    app: cpx-ingress
  sessionAffinity: None
  type: LoadBalancer
status:
  loadBalancer:
    ingress:
    - ip: 192.168.1.240
```
Deploy a sample application
Perform the following steps to deploy a sample application and verify the deployment.
- Create a sample deployment using the sample-deployment.yaml file.

  ```shell
  kubectl create -f sample-deployment.yaml
  ```

- Expose the application with a service using the sample-service.yaml file.

  ```shell
  kubectl create -f sample-service.yaml
  ```

- Once the service is created, add an Ingress resource using the sample-ingress.yaml file.

  ```shell
  kubectl create -f sample-ingress.yaml
  ```

You can test the Ingress by accessing the application through the cpx-service external IP address, sending the host name that the Ingress rule matches in the Host header:

```shell
curl -v http://192.168.1.240 -H 'Host: testdomain.com'
```
Additional references
For more information on configuring and troubleshooting MetalLB, see the following links: