NetScaler ingress controller

Deploy NetScaler Ingress Controller in OpenShift using NetScaler Operator

In this setup, NetScaler Ingress Controller configures NetScaler MPX or NetScaler VPX residing outside the OpenShift cluster.

Prerequisites

  • Red Hat OpenShift Cluster (version 4.1 or later).
  • Deploy NetScaler Operator. For information on how to deploy NetScaler Operator, see Deploy NetScaler Operator.
  • Identify the IP address that NetScaler Ingress Controller needs to communicate with NetScaler. This IP address might be any one of the following IP addresses depending on the type of NetScaler deployment:
    • NSIP (for standalone appliances) - The management IP address of a standalone NetScaler appliance. For more information, see IP Addressing in NetScaler.
    • SNIP (for appliances in High Availability mode) - The subnet IP address. For more information, see IP Addressing in NetScaler.
    • CLIP (for appliances in Cluster mode) - The cluster management IP (CLIP) address for a clustered NetScaler deployment. For more information, see IP addressing for a cluster.
  • The user name and password of NetScaler VPX or NetScaler MPX used as the ingress device. NetScaler must have a system user account (non-default) with certain privileges so that the NetScaler Ingress Controller can configure NetScaler VPX or NetScaler MPX. For instructions to create a system user account on NetScaler, see Create system user account for NetScaler NetScaler Ingress Controller in NetScaler.

    You can directly pass the user name and password as environment variables to the controller, or use OpenShift secrets (recommended). To create a secret for the user name and password using the following command, modify the <username> and <password> to required values:

         oc create secret  generic nslogin --from-literal=username=<username> --from-literal=password=<password>
     <!--NeedCopy-->
    
  • To export to any service monitor, install the service monitor CRD by using the following command:

     kubectl create -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/refs/heads/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml
     <!--NeedCopy-->
    

Deploy NetScaler Ingress Controller as a standalone pod using NetScaler Operator

Using NetScaler Operator you can deploy NetScaler Ingress Controller as a standalone pod in an OpenShift cluster. NetScaler Ingress Controller configures NetScaler MPX or NetScaler VPX, which is deployed as an ingress device or router for an application running in the OpenShift cluster. The following diagram explains the topology:

vpx Topology

Perform the following steps:

  1. Log in to the OpenShift 4.x Cluster console.

  2. Deploy an Apache application using the console.

    1. Navigate to Workloads > Deployments > Create Deployment and use the following YAML file to create the deployment.

      NOTE:

      The Apache application is for the demonstration purpose only. You can modify the YAML file based on your requirement.

      ---
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: apache
        labels:
            name: apache
      spec:
        selector:
          matchLabels:
            app: apache
        replicas: 2
        template:
          metadata:
            labels:
              app: apache
          spec:
            containers:
            - name: apache
              image: httpd:latest
              ports:
              - containerPort: 80
          ---
      
      <!--NeedCopy-->
      
    2. Navigate to Workloads > Pods section and ensure that the Apache application pods are up and running.

      Application pod

  3. Create a service for the Apache application. Navigate to Networking > Services > Create Service and use the following YAML file.

    apiVersion: v1
    kind: Service
    metadata:
      name: apache
    spec:
      ports:
      - port: 80
        targetPort: 80
      selector:
        app: apache
    
    <!--NeedCopy-->
    

    Application Service

  4. Create an ingress for the Apache application. Navigate to Networking > Ingress > Create Ingress and use the following YAML to create the ingress. Ensure that you update the VIP address of NetScaler VPX in the ingress YAML before applying it in the cluster.

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      annotations:
        ingress.citrix.com/frontend-ip: <NSVIP>
      name: vpx-ingress
      spec:
        ingressClassName: nsic-vpx
        rules:
        - host: citrix-ingress-operator.com
          http:
            paths:
            - backend:
                service:
                  name: apache
                  port:
                    number: 80
              path: /
              pathType: Prefix
    <!--NeedCopy-->
    

    Application Ingress

  5. Navigate to Operators > Installed Operators and click NetScaler Operator.

    NetScaler Ingress Controller Operator

  6. Click the NetScaler NetScaler Ingress Controller tab and select Create NetScalerIngressController.

    NetScaler NetScaler Ingress Controller Create

    The NetScaler NetScaler Ingress Controller YAML definition is displayed. Optionally, you can select Form view button and update the parameters in a form.

    Parameter lists

  7. Refer the following table that lists the mandatory and optional parameters that you can configure during installation.

    Note:

    • Ensure that the acceptLicense parameter is set to Yes.
    • Specify a unique value for entityPrefix.
    • Provide the IP address of NetScaler VPX instance for nsIP parameter and Kubernetes secret created using NetScaler VPX credentials in adcCredentialSecret parameter.
    • To associate NetScaler Ingress Controller with the ingress resource specified in this procedure, provide the ingress class name using the ingressClass parameter as ingressClass: [‘NSIC-vpx’].

Note:

Optionally, you can click the form view and set the parameters as required.

You can configure other available parameters depending on your use case.

Parameters Mandatory or Optional Default value Description
acceptLicense Mandatory no Set this value to Yes to accept the NetScaler Ingress Controller EULA.
affinity Optional N/A Affinity labels for pod assignment.
extraVolumes Optional N/A Additional VolumeMounts to be mounted.
imagePullSecrets Optional N/A List of Kubernetes secrets to be used for pulling the images from a private Docker registry or repository. For more information on how to create this secret, see Pull an Image from a Private Registry.
nodeSelector Optional N/A The node label key:value pair to be used for nodeSelector option in NetScaler Ingress Controller deployment.
podAnnotations Optional N/A Map of annotations to add to the pods.
tolerations Optional N/A The tolerations for the NetScaler Ingress Controller deployment.
Parameter Mandatory/Optional Default value Description
analyticsConfig  
distributedTracing.enable Optional false Set this value to true to enable OpenTracing in NetScaler.
distributedTracing.samplingrate Optional 100 OpenTracing sampling rate in percentage.
required Mandatory false Set this value to true if you want to configure NetScaler to send metrics and transaction records to the analytics server.
endpoint.metrics.service Optional N/A The IP address or DNS address of the analytics server. Format: servicename.namespace, servicename.namespace.svc.cluster.local,namespace/servicename.
endpoint.transactions.service Optional N/A An IP address or a service name with the namespace of the analytics service deployed in the Kubernetes environment. Format: namespace/servicename.
timeseries.port Optional 30002 The port used to expose the analytics service outside the cluster for a time-series endpoint.
timeseries.auditlogs.enable Optional false Set this value to true to export audit log data from NetScaler.
timeseries.events.enable Optional false Set this value to true to export events from NetScaler.
timeseries.metrics.enable Optional false Set this value to true to enable sending metrics from NetScaler.
timeseries.metrics.mode Optional Avro Mode of the metric endpoint.
timeseries.metrics.exportFrequency Optional 30 Time interval for exporting time-series data. Possible values range from 30 to 300 seconds.
timeseries.metrics.schemaFile Optional schema.json Name of a schema file with the required NetScaler counters to be added and configured for metrics collector. A reference schema file reference_schema.json with all the supported counters is also available in the path /var/metrics_conf/. This schema file can be used as a reference to build a custom list of counters.
timeseries.metrics.enableNativeScrape Optional false Set this value to true for native export of metrics.
transactions.port Optional 30001 The port used to expose analytics service outside the cluster for a transaction endpoint.
transactions.enable Optional false Set this value to true to export transactions from NetScaler.
Parameter Mandatory/Optional Default value Description
exporter  
extraVolumeMounts Optional N/A Additional VolumeMounts to be mounted in the exporter container.
image Optional quay.io/netscaler/netscaler-adc-metrics-exporter@sha<sha value of the latest release> The metrics exporter image hosted on Quay.io.
required Optional false Set to true to run the Exporter for NetScaler Stats along with NetScaler Ingress Controller to pull metrics for the NetScaler MPX or NetScaler VPX.
pullPolicy Optional IfNotPresent The exporter image pull policy.
ports.containerPort Optional 8888 The exporter container port.
resources Optional N/A CPU/memory resources for a metrics exporter container.
serviceMonitorExtraLabels Optional N/A Extra labels for a service monitor when exporter is enabled.
Parameter Mandatory/Optional Default value Description
ingressController  
clusterName Optional N/A A unique identifier of the Kubernetes cluster on which NetScaler Ingress Controller is deployed.
defaultSSLCertSecret Optional N/A Kubernetes secret name that needs to be used as a default non-SNI certificate in NetScaler.
defaultSSLSNICertSecret Optional N/A Kubernetes secret name that needs to be used as a default SNI certificate in NetScaler.
disableAPIServerCertVerify Optional false Set this parameter to True for disabling API Server certificate verification.
disableOpenshiftRoutes Optional false By default OpenShift routes are processed in the OpenShift environment. This parameter can be used to disable NetScaler Ingress Controller processing the OpenShift routes.
enableLivenessProbe Optional true Set to false to disable liveness porbe settings for NetScaler Ingress Controller.
enableReadinessProbe Optional true Set to false to disable readiness probe settings for NetScaler Ingress Controller.
entityPrefix Optional N/A The prefix for the resources on NetScaler MPX or NetScaler VPX.
ignoreNodeExternalIP Optional False While adding node IP address as a service group member for type LoadBalancer services or NodePort services, NetScaler Ingress Controller has a selection criteria where it chooses Node ExternalIP if available and Node InternalIP if Node ExternalIP is not available. But some users might want to use Node InternalIP over Node ExternalIP even if Node ExternalIP is present. If this variable is set to true, NSIC prioritizes the Node InternalIP to be used for service group members even if Node ExternalIP is present.
image Mandatory quay.io/netscaler/netscaler-k8s-ingress-controller@sha value of latest release The NetScaler Ingress Controller image hosted on Quay.io.
ingressClass Optional N/A Parameter to associate a particular ingress resource with NetScaler Ingress Controller. For more information on ingress class, see Ingress class support. For Kubernetes version >= 1.19, this parameter creates an IngressClass object with the name specified here.
extraVolumeMounts Optional N/A Additional VolumeMounts to be mounted in the NetScaler Ingress Controller container.
ipam Optional false Set this paramter to true to use the IPAM controller to automatically allocate an IP address to the service of type LoadBalancer.
jsonLog Optional false Set this argument to true if log messages are required in the JSON format.
kubernetesURL Optional N/A The kube-apiserver url that NetScaler Ingress Controller uses to register the events. If the value is not specified, NetScaler Ingress Controller uses the internal kube-apiserver IP address.
livenessProbe Optional N/A LivenessPorbe settings for NetScaler Ingress Controller.
logLevel Optional INFO The log level to control the logs generated by NetScaler Ingress Controller. The supported log levels are: CRITICAL, ERROR, WARNING, INFO, DEBUG, TRACE, and NONE.
logProxy Optional N/A Elasticsearch or Kafka or Zipkin endpoint for NetScaler observability exporter.
multiClusterPrefix Optional mc The prefix for the shared resources on NetScaler MPX or NetScaler VPX for multicluster ingress feature. NetScaler Ingress Controllers that are collaboratively sharing the content switching virtual server IP address must be configured with the same value for multiclusterPrefix. For more information see this.
namespaceLabels Optional N/A Provide the namespace labels selectors to be used by NetScaler Ingress Controller for routeSharding in the OpenShift cluster.
nodeLabels Optional ”” If there are pods on nodes with node labels, NetScaler Ingress Controller configures NetScaler to advertise the VIP using BGP.
nodeWatch Optional false Set the parameter to true if you want to automatically configure network route from NetScaler MPX or NetScaler VPX to the pods in the Kubernetes cluster. For more information, see Automatically configure route on the NetScaler instance.
nsncPbr Optional false Set this parameter to true to inform NetScaler Ingress Controller that NetScaler Node Controller is configuring Policy Based Routes (PBR) on NetScaler. For more information, see NSNC-PBR-SUPPORT
openShift Optional true Set this parameter to false if the OpenShift environment is not being used.
optimizeEndpointBinding Optional false Set this parameter to true to enable binding of back-end endpoints to a service group in a single API-call. Recommended when endpoints (pods) per application are large in number. Applicable only for NetScaler version >=13.0-45.7.
podIPsforServiceGroupMembers Optional false By default, NetScaler Ingress Controller adds node IP address and node port as service group members while configuring type LoadBalancer Services and NodePort services. If set to True NetScaler Ingress Controller adds pod IP address and pod port instead of node IP address and node port. You can set this parameter to true if there is a route between NetScaler and K8s clusters internal pods either using feature-node-watch argument or using NetScaler Node Controller.
profileHttpFrontend Optional N/A The front-end HTTP profile. For details, see Configuration using FRONTEND_HTTP_PROFILE
profileSslFrontend Optional N/A The front-end SSL profile. For details, see Configuration using FRONTEND_SSL_PROFILE
profileTcpFrontend Optional N/A The front-end TCP profile. For details, see Configuration using FRONTEND_TCP_PROFILE
pullPolicy Mandatory IfNotPresent The NetScaler Ingress Controller image pull policy.
rbacRole Optional false Set this parameter to true to deploy NetScaler Ingress Controller with RBAC role set rbacRole=true; by default NetScaler Ingress Controller gets installed with RBAC ClusterRole(rbacRole=false).
readinessProbe Optional N/A Readiness probe settings of NetScaler Ingress Controller.
resources Optional N/A CPU/memory resources for the NetScaler Ingress Controller container.
routeLabels Optional N/A The route labels selectors to be used by NetScaler Ingress Controller for routeSharding in OpenShift cluster.
serviceClass Optional N/A Parameter used to associate only specific services to NetScaler Ingress Controller if multiple ingress controllers are deployed. For more information on service class, see Service class support.
setAsDefaultIngressClass Optional False Sets the IngressClass object as the default ingress class. New ingresses without an “ingressClassName” field specified will be assigned this ingress class. This parameter is applicable only for Kubernetes versions >= 1.19.
updateIngressStatus Optional true Set this parameter if Status.LoadBalancer.Ingress field of the ingress resources managed by NetScaler Ingress Controller needs to be updated with allocated IP addresses. For more information see this.
Parameter Mandatory/Optional Default value Description
netscaler  
adcCredentialSecret Mandatory NA Secret required for NetScaler Ingress Controller to connect to NetScaler.
nitroReadTimeout Optional 20 The nitro read timeout in seconds.
nsConfigDnsRec Optional false Set to true to enable DNS address record addition in NetScaler through ingress.
nsCookieVersion Optional 0 The persistence cookie version (0 or 1).
nsDnsNameserver Optional N/A DNS nameservers in NetScaler.
nsHTTP2ServerSide Optional OFF Set this parameter to ON for enabling HTTP2 for NetScaler service group configurations.
nsIP Mandatory N/A NetScaler IP address.
nsLbHashAlgo.required Optional false The load balancing consistent hashing algorithm.
nsLbHashAlgo.hashFingers Optional 256 The number of fingers to be used for the hashing algorithm. Possible values are from 1 to 1024.
nsLbHashAlgo.hashAlgorithm Optional default The supported algorithm. The supported algorithms are default, jarh, and prac.
nsPort Optional 443 The port used by NetScaler Ingress Controller to communicate with NetScaler. You can use port 80 for HTTP.
nsProtocol The protocol used by NetScaler Ingress Controller to communicate with NetScaler. You can use HTTP on port 80. Optional  
nsSNIPS Optional N/A The list of subnet IP addresses on the NetScaler, which is used to create PBR routes instead of static routes PBR support
nsSvcLbDnsRec Optional false Set this parameter to true to enable DNS address record addition in NetScaler through yype LoadBalancer Service.
nsVIP Optional N/A The virtual IP address on NetScaler.
  1. After updating the values for the required parameters, click Create.

    Ensure that NetScaler Ingress Controller is successfully deployed and initialized.

    NetScaler NetScaler Ingress Controller Instance

  2. Navigate to Workloads > Pods section and verify whether the NetScaler NetScaler Ingress Controller pod is up and running.

    Application Pod UP and Running

  3. Verify the deployment by sending traffic:

    curl http://citrix-ingress-Operator.com --resolve citrix-ingress-Operator.com:80:<VIP>
    <!--NeedCopy-->
    

    The previous curl command should return the following:

    <html><body><h1>It works!</h1></body></html>
    <!--NeedCopy-->
    

Note:

  • Ensure that the pod network in OpenShift cluster is reachable from NetScaler VPX or NetScaler MPX if you are using a service of type ClusterIP for your application. To configure static route automatically using NetScaler Ingress Controller, see Configure static route.
  • When you delete an NetScaler Ingress Controller instance, the ClusterRole and ClusterRole binding associated with the service account of the NetScaler Ingress Controller instance are not deleted automatically. You must manually delete the ClusterRole and ClusterRole binding associated with the service account of the deleted NetScaler Ingress Controller instance.

References

Deploy NetScaler Ingress Controller in OpenShift using NetScaler Operator