Deploy NetScaler Cloud Controller using NetScaler Operator
Introduction
NetScaler Cloud Controller creates and maintains route entries for pod networks in the appropriate Azure route table.
Note:
NetScaler Cloud Controller only creates Azure routes between NetScaler and the Azure Red Hat OpenShift (ARO) cluster that resides in the same resource group.
This section provides information about deploying, configuring, and managing NetScaler Cloud Controller within Azure and ARO environments.
Prerequisites
-
An active Azure subscription.
Note down the subscription ID.
-
An Azure account with sufficient permissions to create and manage resources. You must have access to create resources within the resource group and manage service principals.
-
Note down the TENANT_ID, CLIENT_ID, and CLIENT_SECRET for your Azure account.
-
A running ARO cluster in Azure (version 4.11 or later).
-
The ARO cluster and the subnet to which the route needs to be established must be in the same VNet.
Note down the following details: Resource Group Name, VNet Name, and Subnet Name and Azure location where the ARO cluster and NetScaler are located.
-
Create a secret as described in the namespace where you want to deploy NetScaler Cloud Controller.
oc create secret generic azsecret --from-literal=clientid="<CLIENT_ID>" --from-literal=clientsecret=”<CLIENT_SECRET>” -n <namespace> <!--NeedCopy-->
-
Create a service principal and assign a custom role to the service principal. For information, see Create service principal and assign a role.
-
Verify if any NetScaler Operator version is already deployed in your cluster. If it is, you must deploy NetScaler Operator 3.0.1 using the OpenShift CLI. Otherwise, continue to Steps to deploy NetScaler Cloud Controller instance.
Note:
Currently, OpenShift does not permit the deployment of different versions of certified operators within the same cluster using the web console. For detailed information, see this page. Therefore, in cases where NetScaler Operator exists, you must deploy NetScaler Operator 3.0.1 using the OpenShift CLI.
Create a service principal and assign a role
Create a service principal and assign a role to it to set up the authentication details for the NetScaler Cloud Controller to manage Azure resources. There are two scenarios to consider while creating a service principal and assigning a role to it described as the following.
Case I: The subnet on which the routes are to be created is not part of the ARO cluster
Follow the steps to create a service principal with the desired roles or add the roles to an existing service principal.
Note:
If a service principal exists, skip to step 9 to assign a role to the service principal.
-
Log in to Microsoft Azure Portal.
-
Go to the App registrations service.
-
Click New Registration.
-
Enter the details such as name and supported account types.
-
Click Register to create your service principal.
Note down the clientID from your service principal details.
-
Click Certifications & Secrets in the left pane and click New client secret.
-
Enter a description and choose an expiry.
-
Note down the secret value. This value is clientSecret.
-
Go to Resource Group →
<Your Resource Group>
→ Access Control (IAM).Select the resource group where the ARO cluster and the VNet exist.
-
Click Add and select Add custom role.
-
Add the following custom.JSON sample.
{ "properties": { "roleName": "NetScaler Cloud Controller Role", "description": "Allows managing cloud controller role", "assignableScopes": [ "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP_NAME>" ], "permissions": [ { "actions": [ "Microsoft.Network/routeTables/routes/write", "Microsoft.Network/routeTables/routes/read", "Microsoft.Network/routeTables/routes/delete", "Microsoft.Network/routeTables/delete", "Microsoft.Network/routeTables/write", "Microsoft.Network/routeTables/read", "Microsoft.Network/virtualNetworks/subnets/read", "Microsoft.Network/virtualNetworks/subnets/write" ], "notActions": [], "dataActions": [], "notDataActions": [] } ] } } <!--NeedCopy-->
-
Modify the
custom_role.json
file as per your desired settings.You must add your Resource Group and Subscription ID in the JSON file.
-
Select Start from JSON in Baseline Permissions and upload the modified
custom_role.json
file. -
Click Review + Create.
-
Go to Add role assignment.
-
Search for the custom role created in step 14.
-
Select the role, and press next.
-
Under Members, select the service principal created in step 5.
-
Click Review + Assign.
Case II: The subnet on which the routes are to be created is part of the ARO cluster
In this case, you must have access to the service principal created during the OpenShift installation. The automatically created service principal during the ARO installation has a aro-app- prefix.
-
Go to Resource Group →
<Your Resource Group>
where the ARO cluster and the VNet exist. Go to Resource Group →<Your Resource Group>
→ Access Control (IAM) -
Click
Add
and selectAdd custom role
. -
Copy the following in a JSON file named
custom_role.json.
{ "properties": { "roleName": "NetScaler Cloud Controller Role", "description": "Allows managing cloud controller role", "assignableScopes": [ "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP_NAME>" ], "permissions": [ { "actions": [ "Microsoft.Network/routeTables/routes/write", "Microsoft.Network/routeTables/routes/read", "Microsoft.Network/routeTables/routes/delete", "Microsoft.Network/routeTables/delete", "Microsoft.Network/routeTables/write", "Microsoft.Network/routeTables/read", "Microsoft.Network/virtualNetworks/subnets/read", "Microsoft.Network/virtualNetworks/subnets/write" ], "notActions": [], "dataActions": [], "notDataActions": [] } ] } } <!--NeedCopy-->
-
Modify the
custom_role.json
file as per your desired settings.You must add your Resource Group and Subscription ID in the JSON file.
-
Select Start from JSON in Baseline Permissions and upload the modified
custom_role.json
file. -
Click Review + Create.
-
Click Add role assignment.
-
Search for the custom role created in step 4. Select the role, and click next.
-
In the Members section, select the service principal that is managing the OpenShift cluster.
-
Click Review + Assign.
Steps to deploy NetScaler Cloud Controller instance
-
Log in to the 4.x OpenShift console.
-
Navigate to Operators > OperatorHub, select Certified source in the left panel, and then select NetScaler Operator.
-
Select tech-preview under Channel, select version 3.0.1, and click Install.
-
To subscribe to NetScaler Operator, select one of the following options:
-
All namespaces on the cluster (default): NetScaler Operator is available in all the namespaces on the OpenShift cluster. Hence, this option enables you to start the NetScaler instance from any namespace on the cluster.
-
A specific namespace on the cluster: NetScaler Operator is available in the selected namespace on the OpenShift cluster. Hence, this option enables you to start the NetScaler Operator instance on the selected namespace only.
-
-
Click Install.
Wait until the NetScaler Operator is subscribed successfully.
-
Navigate to Operators > Installed Operators and select NetScaler Operator.
-
Switch to the project where you want to deploy the cloud controller.
-
Navigate to Operators > Installed Operators and select NetScaler Operator.
-
Go to NetScaler Operator, click the
NetScaler Cloud Controller
tab, and then click Create NetScaler Cloud Controller.The YAML for NetScaler Cloud Controller CRD is displayed.
-
Edit the CRD to add the following values obtained in the prerequisites section.
metadata: name: <NAME> spec: azure: image: quay.io/netscaler/netscaler-cloud-controller@sha256:6897df79411bd1b4ddb5195d570f10e01bd3c084772b918112797a346980f4cb vnetname: "<VNET_NAME>" subnetname: "<SUBNET_NAME>" resourcegroupname: "<RESOURCE_GROUP_NAME>" location: <LOCATION> clientsecret: <AZURE_SECRET> tenantid: <TENANT_ID> subscriptionid: <SUBSCRIPTION_ID> <!--NeedCopy-->
Refer to the following table for the descriptions of the fields in the YAML file.
Field Description <NAME>
Name of the controller instance <VNET_NAME>
Azure VNet name in which the required subnet and the OpenShift Cluster exists <SUBNET_NAME>
Azure VNet subnet name from where the route is to be established to the ARO cluster. This subnet has to be in the same VNet as the same ARO Cluster <LOCATION>
Azure location <TENANT_ID>
Tenant ID of the Azure service principal <SUBSCRIPTION_ID>
Subscription ID for your Azure account <RESOURCE_GROUP_NAME>
Resource group name where the VNet exists <AZURE_SECRET>
Secret name created in the prerequisites section -
After updating the values for the required parameters, click Create.
-
Navigate to the Workloads > Pods section and verify whether the NetScaler Cloud Controller pod is up and running.
After the controller pod is up and running, the required route table with the subnet is created.
Notes:
- The controller creates a route table and associates it with the given subnet if the route table does not exist. The format of the new table will be
<SUBNET_NAME>_<LOCATION>_rt
.- To avoid conflicts with routes created/updated by the NetScaler Cloud Controller from other automation processes or users, the routes managed by NetScaler Cloud Controller start with the prefix NSCC_, followed by a hash value for tracking. Do not create routes with the same name prefixes to avoid conflicts.
The following roles are installed when NetScaler Cloud Controller is deployed. NetScaler Cloud Controller requires these roles to manage its CRD and get node-specific information.
API Group | Resources | Verbs |
---|---|---|
rbac.authorization.k8s.io | clusterrolebindings | create, delete, get, list, patch, update, watch |
rbac.authorization.k8s.io | clusterroles | create, delete, get, list, patch, update, watch |
core | nodes | All |
core | serviceaccounts | create, delete, get, list, patch, update, watch |
apps | deployments | create, delete, get, list, patch, update, watch |
core | pods | create, delete, get, list, patch, update, watch, serviceaccounts |
Deploy NetScaler Operator 3.0.1 using the OpenShift CLI
This procedure describes how to deploy NetScaler Operator 3.0.1 when you already have a different NetScaler Operator version installed in the cluster.
Note:
Installation of operands using the GUI is not possible.
-
Create a namespace and switch to that namespace.
oc create ns <namespace> oc project <namespace> <!--NeedCopy-->
-
Install the following operand CRDs.
oc create -f https://raw.githubusercontent.com/netscaler/netscaler-k8s-ingress-controller/master/deployment/operator/netscaler.com_netscalergslbcontrollers.yaml oc create -f https://raw.githubusercontent.com/netscaler/netscaler-k8s-ingress-controller/master/deployment/operator/netscaler.com_netscalercloudcontrollers.yaml <!--NeedCopy-->
-
Update the namespace in
rbac.yaml
to the one created in step 1 and then install therbac.yaml
file.oc create -f rbac.yaml <!--NeedCopy-->
-
Install the manager.
oc create -f https://raw.githubusercontent.com/netscaler/netscaler-k8s-ingress-controller/master/deployment/operator/operator_manager.yaml <!--NeedCopy-->
Now, NetScaler Operator is ready. Install NetScaler Cloud Controller using the YAML available in step 10 of the Steps to deploy NetScaler Cloud Controller instance section.