Deploy NetScaler Ingress Controller (NSIC) in OpenShift using NetScaler Operator
An Operator is an open source toolkit designed to package, deploy, and manage OpenShift native applications in an effective, automated, and scalable way.
The NetScaler Operator enables you to deploy NetScaler Ingress Controller in an OpenShift cluster.
Deployment options
Based on your requirement of NetScalers, there are two ways to deploy NetScaler Ingress Controller in an OpenShift cluster using the NetScaler Operator:
- As a standalone pod in the OpenShift cluster: In this mode, NetScaler Ingress Controller configures NetScaler MPX or NetScaler VPX residing outside the OpenShift cluster.
- As a sidecar container alongside NetScaler CPX in the same pod: In this mode, NetScaler Ingress Controller configures NetScaler CPX deployed in the OpenShift cluster.
Deploy NetScaler Operator
Perform the following steps:
- Log in to the OpenShift cluster console.
- Navigate to Operators > OperatorHub, select Certified source in the left panel, select NetScaler Operator, and then click Install.
- To subscribe to NetScaler Operator, select one of the following options:
  - All namespaces on the cluster (default): NetScaler Operator is available in all the namespaces on the OpenShift cluster. Hence, this option enables you to initiate the NetScaler instance from any namespace on the cluster.
  - A specific namespace on the cluster: NetScaler Operator is available in the selected namespace on the OpenShift cluster. Hence, this option enables you to initiate the NetScaler Operator instance on the selected namespace only.
  In this case, let’s select A specific namespace on the cluster.
- Click Install. Wait until the NetScaler Operator is subscribed successfully.
- Navigate to Workloads > Pods section and verify that the netscaler-operator-controller-manager pod is up and running.
Deploy NetScaler Ingress Controller as a standalone pod using NetScaler Operator
Using the NetScaler Operator you can deploy NetScaler Ingress Controller as a standalone pod in an OpenShift cluster. NetScaler Ingress Controller configures the NetScaler VPX or MPX which is deployed as an Ingress device or router for an application running in the OpenShift cluster. The following diagram explains the topology:
Prerequisites
- Red Hat OpenShift Cluster (version 4.1 or later).
- Identify the IP address that NetScaler Ingress Controller needs to communicate with NetScaler. This IP address might be any one of the following IP addresses depending on the type of NetScaler deployment:
  - NSIP (for standalone appliances) - The management IP address of a standalone NetScaler appliance. For more information, see IP Addressing in NetScaler.
  - SNIP (for appliances in High Availability mode) - The subnet IP address. For more information, see IP Addressing in NetScaler.
  - CLIP (for appliances in Cluster mode) - The cluster management IP (CLIP) address for a clustered NetScaler deployment. For more information, see IP addressing for a cluster.
- The user name and password of NetScaler VPX or NetScaler MPX used as the Ingress device. NetScaler must have a system user account (non-default) with certain privileges so that the NetScaler Ingress Controller can configure NetScaler VPX or NetScaler MPX. For instructions to create a system user account on NetScaler, see Create a NetScaler user account to configure NetScaler using NetScaler Ingress Controller.
  You can directly pass the user name and password as environment variables to the controller, or use OpenShift secrets (recommended). To create a secret for the user name and password, run the following command after replacing <username> and <password> with the required values:

      oc create secret generic nslogin --from-literal=username=<username> --from-literal=password=<password>
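With --from-literal the password is typed on the command line, so it is recorded in shell history and is visible in the process list while the command runs. The following is an added example, not part of the NetScaler documentation, that creates the same nslogin secret with the password read from standard input; the function name and the namespace argument are assumptions.

```shell
# Added example, not NetScaler's own tooling. The function name and the
# namespace argument are assumptions made for this example.
# Usage: create_nslogin_secret <username> <namespace> < password-source
create_nslogin_secret() {
    ns_user=$1
    ns_namespace=$2

    # Read one line from stdin. `read` drops the trailing newline, which would
    # otherwise be stored in the secret, so the stored value would no longer
    # match the NetScaler account password.
    ns_pass=''
    IFS= read -r ns_pass || true

    if [ -z "$ns_user" ] || [ -z "$ns_namespace" ] || [ -z "$ns_pass" ]; then
        echo "usage: create_nslogin_secret <username> <namespace> < password" >&2
        unset ns_pass
        return 1
    fi

    # printf is a shell builtin, so the password never appears in any argv.
    # The user name is not secret and can stay a literal.
    printf '%s' "$ns_pass" |
        oc create secret generic nslogin -n "$ns_namespace" \
            --from-literal=username="$ns_user" \
            --from-file=password=/dev/stdin
    ns_rc=$?
    unset ns_pass
    return "$ns_rc"
}
```

Feed the password from a password manager or a silent prompt rather than from an echo command, so that it does not reach the shell history by another route.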
Deploy NetScaler Ingress Controller as a standalone pod using NetScaler Operator
Perform the following steps:
- Log in to OpenShift 4.x Cluster console.
- Deploy an Apache application using the console.
  - Navigate to Workloads > Deployments > Create Deployment and use the following YAML file to create the deployment.
    NOTE: The Apache application is for demonstration purposes only. You can modify the YAML file based on your requirement.

        ---
        apiVersion: apps/v1
        kind: Deployment
        metadata:
          name: apache
          labels:
            name: apache
        spec:
          selector:
            matchLabels:
              app: apache
          replicas: 2
          template:
            metadata:
              labels:
                app: apache
            spec:
              containers:
              - name: apache
                image: httpd:latest
                ports:
                - containerPort: 80
        ---

  - Navigate to Workloads > Pods section and ensure that the Apache application pods are up and running.
- Create a service for the Apache application. Navigate to Networking > Services > Create Service and use the following YAML file.

      apiVersion: v1
      kind: Service
      metadata:
        name: apache
      spec:
        ports:
        - port: 80
          targetPort: 80
        selector:
          app: apache

- Create an ingress for the Apache application. Navigate to Networking > Ingress > Create Ingress and use the following YAML to create the ingress. Ensure that you update the VIP address of NetScaler VPX in the ingress YAML before applying it in the cluster.

      apiVersion: networking.k8s.io/v1
      kind: Ingress
      metadata:
        annotations:
          ingress.citrix.com/frontend-ip: <NSVIP>
        name: vpx-ingress
      spec:
        ingressClassName: nsic-vpx
        rules:
        - host: citrix-ingress-operator.com
          http:
            paths:
            - backend:
                service:
                  name: apache
                  port:
                    number: 80
              path: /
              pathType: Prefix
      ---
      apiVersion: networking.k8s.io/v1
      kind: IngressClass
      metadata:
        name: nsic-vpx
      spec:
        controller: citrix.com/ingress-controller
- Navigate to Operators > Installed Operators and select NetScaler Operator.
- Click the NetScaler Ingress Controller tab and select Create NetScalerIngressController.
  The NetScaler Ingress Controller YAML definition is displayed.
- Refer to this table that lists the mandatory and optional parameters that you can configure during installation.
  Note:
  - Ensure that the license.accept parameter is set to yes.
  - Provide the IP address of the NetScaler VPX instance for the nsIP parameter and the Kubernetes secret created using NetScaler VPX credentials in the adcCredentialSecret parameter.
  - To associate NSIC with the ingress resource specified in this procedure, provide the ingress class name using the ingressClass parameter as ingressClass: ['nsic-vpx'].
  You can configure other available parameters depending on your use case.
- After updating the values for the required parameters, click Create.
  Ensure that NetScaler Ingress Controller is successfully deployed and initialized.
- Navigate to Workloads > Pods section and verify whether the NetScaler Ingress Controller pod is up and running.
- Verify the deployment by sending traffic:

      curl http://citrix-ingress-operator.com --resolve citrix-ingress-operator.com:80:<VIP>

  The previous curl command should return the following:

      <html><body><h1>It works!</h1></body></html>
Note:
Ensure that the pod network in OpenShift cluster is reachable from NetScaler VPX or NetScaler MPX if you are using service of type ClusterIP for your application. To configure static route automatically using NSIC, see Configure static route.
Deploy NetScaler Ingress Controller as a sidecar with NetScaler CPX
Using the NetScaler Operator, you can deploy NetScaler CPX with the NetScaler Ingress Controller as a sidecar. The NetScaler Ingress Controller configures the NetScaler CPX which is deployed as an Ingress or router for an application running in the OpenShift cluster. The following diagram explains the topology.
Prerequisites
- Red Hat OpenShift Cluster (version 4.1 or later).
- Install Prometheus Operator if you want to view the metrics of the NetScaler CPX collected through the direct Prometheus export.
Deploy NetScaler Ingress Controller as a sidecar with NetScaler CPX using NetScaler Operator
Perform the following steps:
- Log in to OpenShift 4.x Cluster console.
- Deploy an Apache application using the console.
  - Navigate to Workloads > Deployments > Create Deployment and use the following YAML to create the deployment.

        ---
        apiVersion: apps/v1
        kind: Deployment
        metadata:
          name: apache
          labels:
            name: apache
        spec:
          selector:
            matchLabels:
              app: apache
          replicas: 2
          template:
            metadata:
              labels:
                app: apache
            spec:
              containers:
              - name: apache
                image: httpd:latest
                ports:
                - containerPort: 80
        ---

    Note: The Apache application is for demonstration purposes only. You can modify the YAML file based on your requirement.
  - Navigate to Workloads > Pods section and ensure that the Apache application pods are up and running.
- Create a service for the Apache application. Navigate to Networking > Services > Create Service and use the following YAML to create the service.

      apiVersion: v1
      kind: Service
      metadata:
        name: apache
      spec:
        ports:
        - port: 80
          targetPort: 80
        selector:
          app: apache

- Create an Ingress for the Apache application. Navigate to Networking > Ingress > Create Ingress and use the following YAML to create the ingress.

      apiVersion: networking.k8s.io/v1
      kind: Ingress
      metadata:
        name: cpx-ingress
      spec:
        ingressClassName: nsic-cpx
        rules:
        - host: citrix-ingress-operator.com
          http:
            paths:
            - backend:
                service:
                  name: apache
                  port:
                    number: 80
              path: /
              pathType: Prefix
      ---
      apiVersion: networking.k8s.io/v1
      kind: IngressClass
      metadata:
        name: nsic-cpx
      spec:
        controller: citrix.com/ingress-controller
- Navigate to Operators > Installed Operators and select NetScaler Operator.
- Click the NetScaler CPX with Ingress Controller tab and click Create NetScalerCpxWithIngressController.
  The NetScaler CPX with ingress controller YAML definition is displayed.
  See this table that lists the mandatory and optional parameters that you can configure during installation.
  Note:
  - Ensure that the license.accept parameter is set to yes.
  - To expose NetScaler CPX service using type nodePort to access the Apache application, set serviceType.nodePort.enabled to true.
  - To associate NSIC with the ingress resource specified in this procedure, provide the ingress class name using the ingressClass parameter as ingressClass: ['nsic-cpx'].
  You can configure other available parameters depending on your use case.
- After updating the values for required parameters, click Create. Ensure that the NetScaler CPX with Ingress Controller is successfully deployed and initialized.
- Attach privileged security context constraints to the service account of NetScaler CPX (as it runs as a privileged pod) by using the following commands:
  - Get the service account name used by NetScaler CPX using the following command in the namespace where NetScaler CPX has been deployed:

        oc get sa

  - Attach privileged SCC to the service account of NetScaler CPX:

        oc adm policy add-scc-to-user privileged -z <CPX-ServiceAccount-Name retrieved in the previous step>

- Navigate to Workloads > Pods section and verify that the netscaler-cpx-with-ingress-controller pod is up and running.
Verify the deployment by sending traffic.
-
Obtain the NodePort details using the following command:
oc get svc <!--NeedCopy-->
-
Use
cpx-service
NodePort and send the traffic as shown in the following command:curl http://citrix-ingress-Operator.com:<NodePort> --resolve citrix-ingress-Operator.com:<NodePort>:<Master-Node-IP> <!--NeedCopy-->
The above curl command should return the following output:
<html><body><h1>It works!</h1></body></html> <!--NeedCopy-->
-
Note:
When you delete an NSIC instance, the ClusterRole and ClusterRole binding associated with the service account of the NSIC instance are not deleted automatically. You must manually delete the ClusterRole and ClusterRole binding associated with the service account of the deleted NSIC instance.
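One way to find the leftover bindings described in this note, as an added example that is not part of the NetScaler documentation: it lists every ClusterRoleBinding whose ServiceAccount subjects no longer exist, together with the ClusterRole it references. The function name is an assumption, and the check assumes that the service account itself was removed along with the NSIC instance.

```shell
# Added example, not NetScaler's own tooling; the function name is an assumption.
# Prints "<binding> TAB <clusterrole> TAB <missing service accounts>" for every
# ClusterRoleBinding whose ServiceAccount subjects have all been deleted.
find_orphaned_crbs() {
    # One output line per binding: name|roleRef|ns/sa ns/sa ...
    tmpl='{{range .items}}{{.metadata.name}}|{{.roleRef.name}}|{{range .subjects}}{{if eq .kind "ServiceAccount"}}{{.namespace}}/{{.name}} {{end}}{{end}}{{"\n"}}{{end}}'

    oc get clusterrolebinding -o go-template="$tmpl" |
    while IFS='|' read -r crb role subjects; do
        # Bindings that only name users or groups are out of scope.
        [ -n "$subjects" ] || continue
        live=0
        for sa in $subjects; do
            # sa is "namespace/name"; a successful get means it still exists.
            if oc get serviceaccount "${sa#*/}" -n "${sa%%/*}" \
                   >/dev/null 2>&1 </dev/null; then
                live=1
                break
            fi
        done
        if [ "$live" -eq 0 ]; then
            printf '%s\t%s\t%s\n' "$crb" "$role" "${subjects% }"
        fi
    done
}
```

Run it with an account that can read service accounts in every namespace, because a permission error is indistinguishable from a missing account here. Treat the output as candidates to review before deleting the ClusterRoleBinding and its ClusterRole by hand.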
References
- For information about how to deploy NetScaler Observability Exporter using NetScaler Operator, see Deploy NetScaler Observability Exporter using NetScaler Operator.
- For information about how to deploy NetScaler ADM Agent using NetScaler Agent Operator, see Install a NetScaler agent operator using the OpenShift console.
- Alternatively, you can deploy NetScaler Ingress Controller using Helm charts. See Deploy the NetScaler Ingress Controller using Helm charts.