Product Documentation
NetScaler ingress controller
View PDF

IP address management using the IPAM controller

December 10, 2024
Contributed by: 
C C

The IPAM controller is an application provided by NetScaler for IP address management and it runs in parallel to NetScaler Ingress Controller in the Kubernetes cluster. You can assign IP addresses to ingress resources, services of type LoadBalalncer, and listener resources from a specified IP address range using the IPAM controller. NetScaler Ingress Controller configures an IP address allocated to a service, or ingress, or listener resource as a virtual IP address (VIP) in NetScaler MPX or NetScaler VPX.

The IPAM controller requires the VIP CustomResourceDefinition (CRD) provided by NetScaler. The VIP CRD is used for internal communication between NetScaler Ingress Controller and the IPAM controller.

Infoblox integration with IPAM controller

With Infoblox integration, the IPAM controller assigns IP addresses to services of type LoadBalancer, ingress, or listener resources from Infoblox.

The following annotations are supported in an ingress resource, listener resource, and service of type LoadBalancer respectively: ingress.citrix.com/ipam-range, listeners.citrix.com/ipam-range, and service.citrix.com/ipam-range. You can define the IP address range for an IPAM controller by using these annotations. The IP address range must either be an IPAM VIP range or an Infoblox VIP range.

Note:

  • Infoblox integration is supported for versions up to 2.12.3, starting from IPAM Controller version 2.2.10.
  • You must not update or delete the IP address allocated by IPAM using Infoblox.

The IPAM controller poses the following challenges in a multi-cluster setup:

  • An IP address must be provided manually.
  • A common IP address must be assigned for each application deployed across multiple clusters.
  • Limitations in sharing the IP address range between IPAM controllers in other clusters, adding complexity to the task.

Infoblox integration with IPAM helps with the following tasks:

  • Assign an available IP address from the specified IP address range using Infoblox network management.
  • Request the IP address associated with a domain name, ensuring the retrieval of a pre-existing IP address.
  • In a multi-cluster ingress setup, the application deployed across various clusters can be accessed using a single, consistent IP address.

During initialization, the IPAM controller connects with Infoblox and creates a network view if it’s not already available. This network view creation is based on the network range in the DNS view that you provide. If the network range in the DNS view is not provided, the IPAM controller creates a network view.

Assign an IP address using the IPAM controller

To configure an ingress resource or listener resource or service of type LoadBalancer with an IP address from the IPAM controller, perform the following steps:

  1. Deploy the VIP CRD
  2. Deploy the NetScaler Ingress Controller
  3. Deploy the IPAM controller
  4. Deploy the application and ingress resource

Step 1: Deploy the VIP CRD

Perform the following step to deploy the NetScaler VIP CRD which enables communication between the NetScaler Ingress Controller and the IPAM controller.

kubectl create -f https://raw.githubusercontent.com/netscaler/netscaler-k8s-ingress-controller/master/crd/vip/vip.yaml

For more information on VIP CRD, see the VIP CustomResourceDefinition.

Step 2: Deploy NetScaler Ingress Controller

Prerequisites

  • Kubernetes cluster and a kubectl command-line tool to communicate with the cluster.

  • Create a secret using NetScaler VPX or NetScaler MPX credentials by using the following command:

       kubectl create secret  generic nslogin --from-literal=username=<username> --from-literal=password=<password>
   <!--NeedCopy-->

  • Add the NetScaler Helm chart repository by using the following command:

       helm repo add netscaler https://netscaler.github.io/netscaler-helm-charts/
   <!--NeedCopy-->
Deploy NSIC

  1. Update the NetScaler Helm chart repository by using the following command:

    helm repo update netscaler
<!--NeedCopy-->

  2. Update values.yaml to configure NetScaler Ingress Controller as described as following.

    Sample values.yaml:

      license:
    accept: yes
  adcCredentialSecret: nslogin # K8s Secret Name
  nsIP: <x.x.x> # CLIP (for appliances in Cluster mode), SNIP (for appliances in High Availability mode) , NSIP (for standalone appliances)
  openshift: false # set to true for OpenShift deployments
  entityPrefix: cluster1 # unique for each NSIC instance.
  ipam: true
  ingressClass: ['cic-vpx'] # ingress class used in the ingress resources
  serviceClass: ['netscaler'] # To use service type LB, specify the service class
<!--NeedCopy-->

  3. Install NetScaler Ingress Controller for your NetScaler VPX or using the following Helm command:

    helm install nsic netscaler/netscaler-ingress-controller -f values.yaml
<!--NeedCopy-->

For detailed information about deploying and configuring NetScaler Ingress Controller using Helm charts, see the Helm chart repository.

Step 3: Deploy IPAM controller

Prerequisites

  • For Infoblox integration, ensure that you create a user role in Infoblox with the following permissions:

    • IP Address Management:
      • Allocate and manage IP addresses.
      • Create, update, and delete host records.
    • Extensible Attributes Management:
      • Create, update, and delete extensible attributes.

  • For Infoblox integration, create a Kubernetes secret with Infoblox user credentials by running the following command:

     kubectl create secret  generic infobloxlogin --from-literal=username=<Infoblox_username> --from-literal=password=<Infoblox_password>
 <!--NeedCopy-->

In this procedure, let’s deploy an IPAM controller and integrate Infoblox with the IPAM controller.

  1. Add the NetScaler Helm chart repository to your local registry by using the following command:

    helm repo add netscaler https://netscaler.github.io/netscaler-helm-charts/
<!--NeedCopy-->

  2. Install NetScaler IPAM controller by using the following command:

    helm install netscaler-ipam-controller netscaler/netscaler-ipam-controller -f values.yaml
<!--NeedCopy-->

Sample values.yaml:

  cluster: <cluster-name> # enables you to know in which cluster IPAM is installed in multi-cluster slolution
  vipRange: <ip-address-range>
  reuseIngressVip: "True"  # set to false to assigns  different IP address to each ingress resource
  infoblox:
    enabled: True #set to false to disable Infoblox integration with IPAM controller
    credentialSecret: <secret> # Kubernetes secret created using Infoblox user credentials
    gridHost: <x.x.x.x>  # Infoblox grid host IP or FQDN
    vipRange: <Infoblox-vip-range>  # Infoblox IPAM VIP Range, which is different from the vipRange mentioned above
<!--NeedCopy-->

For information about all the configurable parameters while installing the IPAM controller by using Helm charts, see the Helm chart repository.

Step 4: Deploy Ingress resources

Perform the following steps to deploy a sample application and ingress resource.

  1. Deploy the CNN application by using the following command:

    kubectl apply -f - <<EOF 
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cnn-website
  labels:
    name: cnn-website     
    app: cnn-website    
spec:
  selector:
    matchLabels:
      app: cnn-website    
  replicas: 2
  template:
    metadata:
      labels:
        name: cnn-website    
        app: cnn-website    
    spec:
      containers:
      - name: cnn-website    
        image: quay.io/sample-apps/cnn-website:v1.0.0    
        ports:
        - name: http-80
          containerPort: 80
        - name: https-443
          containerPort: 443
---
apiVersion: v1
kind: Service
metadata:
  name: cnn-website    
  labels:
    app: cnn-website    
spec:
  type: NodePort
  ports:
  - name: http-80
    port: 80
    targetPort: 80
  - name: https-443
    port: 443
    targetPort: 443
  selector:
    name: cnn-website
EOF
<!--NeedCopy-->

  2. Deploy the ingress resource to send traffic to the CNN application by using the following command:

      kubectl apply -f - <<EOF
  apiVersion: networking.k8s.io/v1
  kind: Ingress
  metadata:
    name: cnn-ingress
    annotations:
      ingress.citrix.com/ipam-range: "<IPAM-vip-range or Infoblox-vip-range>"
  spec:
    ingressClassName: cic-vpx
    rules:
    - host: www.cnn.com
      http:
        paths:
        - path: /
          pathType: Prefix
          backend:
            service:
              name: cnn-website
              port:
                number: 80
  EOF
  <!--NeedCopy-->

For the preceding ingress example, the order of IP assignment is as follows:

  • If the default NS_VIP environment variable is provided, NetScaler Ingress Controller makes a request to IPAM controller only if the range-name (ingress.citrix.com/ipam-range:) is provided in the ingress. If the annotation is not provided, NS_VIP is used for that ingress.

  • If the default NS_VIP environment variable is not provided, NetScaler Ingress Controller always make a request to IPAM controller for IP assignment.

IP address allocations

  • For services of type LoadBalancer, a unique IP address is allocated to each service from the VIP range or Infoblox VIP range.

  • For an ingress resource, an IP address in the specified IP range is allocated. When more ingress resources refer to the same VIP range, the IP address allocated to the first ingress resource is allocated to all the other ingress resources.

  • Services of type LoadBalancer, ingress resources, and listener resources can use NetScaler IPAM controller for IP address allocations at the same time. If an IP address is allocated to any one resource type, it is not available for another resource type. But, the same IP address can be allocated to multiple ingress resources.

IP address range associated with a unique name

You can assign a unique name to the IP address range and define the range in the VIP_RANGE environment variable. This way of assigning the IP address range enables you to differentiate between the IP address ranges. When you create the services of type LoadBalancer, you can use the service.citrix.com/ipam-range annotation in the service definition to specify the IP address range to use for IP address allocation.

Multiple IP address allocations

For ingress resources, an IP address can be allocated multiple times by specifying the Helm chart parameter reuseIngressVip as true, because multiple ingress resources might be handled by a single content switching virtual server. If the specified IP range has only a single IP address, it is allocated multiple times. And, if the IP range consists of multiple IP addresses, only one of them is allocated repeatedly.

To facilitate multiple allocations, the IPAM controller tracks the allocated IP addresses. The IPAM controller places an IP address into the free pool only when all allocations of that IP address by ingress resources are released.

IP address management using the IPAM controller
December 10, 2024
Contributed by: 
C C
December 10, 2024
Contributed by: 
C C

In this article

Site feedback | Your privacy choices footer linkYour Privacy Choices | Privacy and legal terms | Cookie preferences | Consent settings | docs.cloud.com
© 1999- Cloud Software Group, Inc. All rights reserved.