NetScaler ingress controller

SSL certificate for services of type LoadBalancer through the Kubernetes secret resource

This section provides information on how to use the SSL certificate stored as a Kubernetes secret with services of type LoadBalancer. The certificate is applied if the annotation service.citrix.com/service-type is SSL or SSL_TCP.

Using the NetScaler Ingress Controller default certificate

If the SSL certificate is not provided, you can use the default NetScaler Ingress Controller certificate to configure SSL and SSL SNI certificates. You can use default-ssl-certificate and default-ssl-sni-certificate arguments to provide a secret to configure non-SNI and SNI certificates respectively.

  `--default-ssl-certificate <NAMESPACE>/<SECRET_NAME>` 
  `--default-ssl-sni-certificate <NAMESPACE>/<SECRET_NAME>`

Service annotations for SSL certificate as Kubernetes secrets

NetScaler Ingress Controller provides the following service annotations to use SSL certificates stored as Kubernetes secrets for services of type LoadBalancer.

Service annotation Description
service.citrix.com/secret Use this annotation to specify the name of the secret resource for the front-end server certificate. It must contain a certificate and key. You can also provide a list of intermediate CA certificates in the certificate section followed by the server certificate. These intermediate CAs are automatically linked and sent to the client during the SSL handshake. To bind multiple front-end server certificates, provide a list of comma-separated secrets configured for certificates. For example, service.citrix.com/secret: apache-secret1,apache-secret2.
service.citrix.com/ca-secret Use this annotation to provide a CA certificate for client certificate authentication. This certificate is bound to the front-end SSL virtual server in NetScaler.
service.citrix.com/backend-secret Use this annotation if the back-end communication between NetScaler and your workload is on an encrypted channel, and you need the client authentication in your workload. This certificate is sent to the server during the SSL handshake and it is bound to the back end SSL service group.
service.citrix.com/backend-ca-secret Use this annotation to enable server authentication which authenticates the back-end server certificate. This configuration binds the CA certificate of the server to the SSL service on the NetScaler.
service.citrix.com/preconfigured-certkey Use this annotation to specify the name of an already existing cert key in the NetScaler to be used as a front-end server certificate. To bind multiple front-end server certificates, provide a list of comma-separated cert keys that are already configured for certificates. For example, service.citrix.com/preconfigured-certkey: preconfcert1,preconfcert2.
service.citrix.com/preconfigured-ca-certkey Use this annotation to specify the name of the preconfigured cert key in the NetScaler to be used as a CA certificate for client certificate authentication. This certificate is bound to the front-end SSL virtual server in NetScaler.
service.citrix.com/preconfigured-backend-certkey Use this annotation to specify the name of the preconfigured cert key in the NetScaler to be bound to the back-end SSL service group. This certificate is sent to the server during the SSL handshake for server authentication.
service.citrix.com/preconfigured-backend-ca-certkey Use this annotation to specify the name of the preconfigured CA cert key in the NetScaler to bound to back-end SSL service group for server authentication.

Examples: Front-end secret and Front-end CA secret

Following are some examples for the service.citrix.com/secret annotation:

The following annotation is applicable to all ports in the service.

        service.citrix.com/secret: hotdrink-secret

You can use the following notation to specify the certificate applicable to specific ports by giving either portname or port-protocol as key.

        # port-protocol : secret

        service.citrix.com/secret: '{"443-tcp": "hotdrink-secret", "8443-tcp": "hotdrink-secret"}' 

         # portname: secret

        service.citrix.com/secret: '{"https": "hotdrink-secret"}' 

Following are some examples for the service.citrix.com/ca-secret annotation.

You need to specify the following annotation to attach the generated CA secret which is used for client certificate authentication for a service deployed in Kubernetes.

The following annotation is applicable to all ports in the service.

  service.citrix.com/ca-secret: hotdrink-ca-secret

You can use the following notation to specify the certificate applicable to specific ports by giving either portname or port-protocol as key.

  # port-protocol: secret
  service.citrix.com/ca-secret: '{"443-tcp": "hotdrink-ca-secret", "8443-tcp": "hotdrink-ca-secret"}'      

  # portname: secret

  service.citrix.com/ca-secret: '{"https": "hotdrink-ca-secret"}' 

Examples: back-end secret and back-end CA secret

Following are some examples for the service.citrix.com/backend-secret annotation.

  # port-protocol: secret
  service.citrix.com/backend-secret: '{"443-tcp": "hotdrink-secret", "8443-tcp": "hotdrink-secret"}'      

  # portname: secret

  service.citrix.com/backend-secret: '{"tea-443": "hotdrink-secret", "tea-8443": "hotdrink-secret"}' 

  # applicable to all ports

  service.citrix.com/backend-secret: "hotdrink-secret"

Following are some examples for the service.citrix.com/backend-ca-secret annotation.

  # port-proto: secret
  service.citrix.com/backend-ca-secret: '{"443-tcp": "coffee-ca", "8443-tcp": "tea-ca"}'      

  # portname: secret

  service.citrix.com/backend-ca-secret: '{"coffee-443": "coffee-ca", "tea-8443": "tea-ca"}' 

  # applicable to all ports

  service.citrix.com/backend-ca-secret: "hotdrink-ca-secret"
SSL certificate for services of type LoadBalancer through the Kubernetes secret resource