NetScaler ingress controller

Deploy NetScaler Ingress Controller (NSIC) in OpenShift using NetScaler Operator

An Operator is an open source toolkit designed to package, deploy, and manage OpenShift native applications in an effective, automated, and scalable way.

The NetScaler Operator enables you to deploy NetScaler Ingress Controller in an OpenShift cluster.

Deployment options

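Depending on the NetScaler form factor you use, there are two ways to deploy NetScaler Ingress Controller in an OpenShift cluster using the NetScaler Operator: as a standalone pod that configures NetScaler VPX or MPX, or as a sidecar with NetScaler CPX.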

Deploy NetScaler Operator

Perform the following steps:

  1. Log in to the OpenShift cluster console.

  2. Navigate to Operators > OperatorHub, select Certified source in the left panel, select NetScaler Operator, and then click Install.

  3. To subscribe to NetScaler Operator, select one of the following options:

    • All namespaces on the cluster (default): NetScaler Operator is available in all the namespaces on the OpenShift cluster. Hence, this option enables you to initiate the NetScaler instance from any namespace on the cluster.

    • A specific namespace on the cluster: NetScaler Operator is available in the selected namespace on the OpenShift cluster. Hence, this option enables you to initiate the NetScaler Operator instance on the selected namespace only.

  4. In this case, let’s select A specific namespace on the cluster.

  5. Click Install.

    Wait until the NetScaler Operator is subscribed successfully.

  6. Navigate to Workloads > Pods section and verify that the netscaler-operator-controller-manager pod is up and running.

Deploy NetScaler Ingress Controller as a standalone pod using NetScaler Operator

Using the NetScaler Operator, you can deploy NetScaler Ingress Controller as a standalone pod in an OpenShift cluster. NetScaler Ingress Controller configures the NetScaler VPX or MPX, which is deployed as an Ingress device or router for an application running in the OpenShift cluster. The following diagram explains the topology:

Topology

Prerequisites

  • Red Hat OpenShift Cluster (version 4.1 or later).
  • Identify the IP address that NetScaler Ingress Controller needs to communicate with NetScaler. This IP address might be any one of the following IP addresses depending on the type of NetScaler deployment:
    • NSIP (for standalone appliances) - The management IP address of a standalone NetScaler appliance. For more information, see IP Addressing in NetScaler.
    • SNIP (for appliances in High Availability mode) - The subnet IP address. For more information, see IP Addressing in NetScaler.
    • CLIP (for appliances in Cluster mode) - The cluster management IP (CLIP) address for a clustered NetScaler deployment. For more information, see IP addressing for a cluster.
  • The user name and password of NetScaler VPX or NetScaler MPX used as the Ingress device. NetScaler must have a system user account (non-default) with certain privileges so that the NetScaler Ingress Controller can configure NetScaler VPX or NetScaler MPX. For instructions to create a system user account on NetScaler, see Create system user account for NetScaler Ingress Controller in NetScaler.

    You can pass the user name and password directly to the controller as environment variables, or use OpenShift secrets (recommended). To create a secret for the user name and password, replace <username> and <password> with the required values in the following command:

         oc create secret generic nslogin --from-literal=username=<username> --from-literal=password=<password>

Deploy NetScaler Ingress Controller as a standalone pod using NetScaler Operator

Perform the following steps:

  1. Log in to OpenShift 4.x Cluster console.

  2. Deploy an Apache application using the console.

    1. Navigate to Workloads > Deployments > Create Deployment and use the following YAML file to create the deployment.

      NOTE:

      The Apache application is for demonstration purposes only. You can modify the YAML file based on your requirement.

      ---
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: apache
        labels:
          name: apache
      spec:
        selector:
          matchLabels:
            app: apache
        replicas: 2
        template:
          metadata:
            labels:
              app: apache
          spec:
            containers:
            - name: apache
              # demo image; pin a specific tag or digest instead of latest outside a demo
              image: httpd:latest
              ports:
              - containerPort: 80
      
    2. Navigate to Workloads > Pods section and ensure that the Apache application pods are up and running.

  3. Create a service for the Apache application. Navigate to Networking > Services > Create Service and use the following YAML file.

    apiVersion: v1
    kind: Service
    metadata:
      name: apache
    spec:
      ports:
      - port: 80
        targetPort: 80
      selector:
        app: apache

  4. Create an ingress for the Apache application. Navigate to Networking > Ingress > Create Ingress and use the following YAML to create the ingress. Ensure that you update the VIP address of NetScaler VPX in the ingress YAML before applying it in the cluster.

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      annotations:
        # replace <NSVIP> with the VIP address of NetScaler VPX
        ingress.citrix.com/frontend-ip: <NSVIP>
      name: vpx-ingress
    spec:
      ingressClassName: nsic-vpx
      rules:
      - host: citrix-ingress-operator.com
        http:
          paths:
          - backend:
              service:
                name: apache
                port:
                  number: 80
            path: /
            pathType: Prefix
    ---
    apiVersion: networking.k8s.io/v1
    kind: IngressClass
    metadata:
      name: nsic-vpx
    spec:
      controller: citrix.com/ingress-controller

  5. Navigate to Operators > Installed Operators and select NetScaler Operator.

  6. Click the NetScaler Ingress Controller tab and select Create NetScalerIngressController.

    The NetScaler Ingress Controller YAML definition is displayed.

  7. Refer to this table that lists the mandatory and optional parameters that you can configure during installation.

    Note:

    • Ensure that the license.accept parameter is set to yes.
    • Provide the IP address of the NetScaler VPX instance in the nsIP parameter and the Kubernetes secret created using the NetScaler VPX credentials in the adcCredentialSecret parameter.
    • To associate NSIC with the ingress resource specified in this procedure, provide the ingress class name using the ingressClass parameter as ingressClass: ['nsic-vpx'].

    You can configure other available parameters depending on your use case.

  8. After updating the values for the required parameters, click Create.

    Ensure that NetScaler Ingress Controller is successfully deployed and initialized.

  9. Navigate to Workloads > Pods section and verify whether the NetScaler Ingress Controller pod is up and running.

  10. Verify the deployment by sending traffic:

    curl http://citrix-ingress-operator.com --resolve citrix-ingress-operator.com:80:<VIP>

    The previous curl command should return the following:

    <html><body><h1>It works!</h1></body></html>

Note:

Ensure that the pod network in the OpenShift cluster is reachable from NetScaler VPX or NetScaler MPX if you are using a service of type ClusterIP for your application. To configure a static route automatically using NSIC, see Configure static route.

Deploy NetScaler Ingress Controller as a sidecar with NetScaler CPX

Using the NetScaler Operator, you can deploy NetScaler CPX with the NetScaler Ingress Controller as a sidecar. The NetScaler Ingress Controller configures the NetScaler CPX which is deployed as an Ingress or router for an application running in the OpenShift cluster. The following diagram explains the topology.

CPX Topology

Prerequisites

Deploy NetScaler Ingress Controller as a sidecar with NetScaler CPX using NetScaler Operator

Perform the following steps:

  1. Log in to OpenShift 4.x Cluster console.

  2. Deploy an Apache application using the console.

    1. Navigate to Workloads > Deployments > Create Deployment and use the following YAML to create the deployment.

      ---
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: apache
        labels:
          name: apache
      spec:
        selector:
          matchLabels:
            app: apache
        replicas: 2
        template:
          metadata:
            labels:
              app: apache
          spec:
            containers:
            - name: apache
              # demo image; pin a specific tag or digest instead of latest outside a demo
              image: httpd:latest
              ports:
              - containerPort: 80

      Note:

      The Apache application is for demonstration purposes only. You can modify the YAML file based on your requirement.

    2. Navigate to Workloads > Pods section and ensure that the Apache application pods are up and running.

  3. Create a service for the Apache application. Navigate to Networking > Services > Create Service and use the following YAML to create the service.

        apiVersion: v1
        kind: Service
        metadata:
          name: apache
        spec:
          ports:
          - port: 80
            targetPort: 80
          selector:
            app: apache

  4. Create an Ingress for the Apache application. Navigate to Networking > Ingress > Create Ingress and use the following YAML to create the ingress.

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: cpx-ingress
    spec:
      ingressClassName: nsic-cpx
      rules:
      - host: citrix-ingress-operator.com
        http:
          paths:
          - backend:
              service:
                name: apache
                port:
                  number: 80
            path: /
            pathType: Prefix
    ---
    apiVersion: networking.k8s.io/v1
    kind: IngressClass
    metadata:
      name: nsic-cpx
    spec:
      controller: citrix.com/ingress-controller

  5. Navigate to Operators > Installed Operators and select NetScaler Operator.

  6. Click the NetScaler CPX with Ingress Controller tab and click Create NetScalerCpxWithIngressController.

    The NetScaler CPX with ingress controller YAML definition is displayed.

    See this table that lists the mandatory and optional parameters that you can configure during installation.

    Note:

    • Ensure that the license.accept parameter is set to yes.
    • To expose NetScaler CPX service using type nodePort to access the Apache application, set serviceType.nodePort.enabled to true.
    • To associate NSIC with the ingress resource specified in this procedure, provide the ingress class name using the ingressClass parameter as ingressClass: ['nsic-cpx'].

    You can configure other available parameters depending on your use case.

  7. After updating the values for the required parameters, click Create. Ensure that the NetScaler CPX with Ingress Controller is successfully deployed and initialized.

  8. Attach privileged security context constraints to the service account of NetScaler CPX (as it runs as a privileged pod) by using the following commands:

    • Get the service account name used by NetScaler CPX using the following command in the namespace where NetScaler CPX has been deployed: oc get sa

    • Attach privileged SCC to the service account of NetScaler CPX:

    oc adm policy add-scc-to-user privileged system:serviceaccount:<namespace>:<CPX-ServiceAccount-Name retrieved in the previous step>
    
  9. Navigate to Workloads > Pods section and verify that the netscaler-cpx-with-ingress-controller pod is up and running.

  10. Verify the deployment by sending traffic.

    1. Obtain the NodePort details using the following command:

      oc get svc
      
    2. Use cpx-service NodePort and send the traffic as shown in the following command:

      curl http://citrix-ingress-operator.com:<NodePort> --resolve citrix-ingress-operator.com:<NodePort>:<Master-Node-IP>
      

    The above curl command should return the following output:

    <html><body><h1>It works!</h1></body></html>
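
Step 8 grants the privileged SCC to the NetScaler CPX service account, so any pod in that namespace that runs under the same account can also be admitted as privileged. The following added example (not part of the NetScaler documentation) reviews `oc get pods -n <namespace> -o json` output for that exposure using the `openshift.io/scc` annotation that OpenShift sets on admitted pods; the service account, pod and container names in the sample are constructed.

```python
import json
import sys


def privileged_exposure(pod_list, granted_sa):
    """Return pods that run under granted_sa or were admitted by the privileged SCC."""
    report = []
    for item in pod_list.get("items", []):
        meta, spec = item["metadata"], item["spec"]
        sa = spec.get("serviceAccountName", "default")
        scc = (meta.get("annotations") or {}).get("openshift.io/scc")
        if sa != granted_sa and scc != "privileged":
            continue
        containers = (spec.get("containers") or []) + (spec.get("initContainers") or [])
        report.append({
            "pod": meta["name"],
            "serviceAccount": sa,
            "scc": scc,
            # containers that explicitly request privileged mode
            "privileged": sorted(c["name"] for c in containers
                                 if (c.get("securityContext") or {}).get("privileged") is True),
        })
    return report


def sample_pod(name, sa, scc, containers):
    """Build a minimal pod object for the constructed sample below."""
    return {"metadata": {"name": name, "annotations": {"openshift.io/scc": scc}},
            "spec": {"serviceAccountName": sa,
                     "containers": [{"name": n, "securityContext": {"privileged": p}}
                                    for n, p in containers]}}


# Constructed sample (all names made up): the CPX pod, a second workload that
# reuses the CPX service account, and an Apache pod from this procedure.
SAMPLE_PODS = {"items": [
    sample_pod("example-cpx-pod", "example-cpx-sa", "privileged", [("cpx", True), ("nsic", False)]),
    sample_pod("example-batch-job", "example-cpx-sa", "privileged", [("job", True)]),
    sample_pod("apache-1", "default", "restricted", [("apache", False)]),
]}

if __name__ == "__main__":
    # Live use: oc get pods -n <namespace> -o json | python3 this_file.py <service-account>
    sample = len(sys.argv) < 2
    pods = SAMPLE_PODS if sample else json.load(sys.stdin)
    sa = "example-cpx-sa" if sample else sys.argv[1]
    for row in privileged_exposure(pods, sa):
        print(row)
```

Any pod in the report other than the NetScaler CPX pod is a workload that shares the privileged grant and should move to its own service account.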
    

Note:

When you delete an NSIC instance, the ClusterRole and ClusterRole binding associated with the service account of the NSIC instance are not deleted automatically. You must manually delete the ClusterRole and ClusterRole binding associated with the service account of the deleted NSIC instance.
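
The leftover ClusterRole bindings described in this note can be found by comparing every ClusterRoleBinding subject with the service accounts that still exist. The following is an added example, not part of the NetScaler documentation; the binding, role and service account names in the sample data are constructed, and the `oc_get` helper assumes a logged-in `oc` with cluster-wide read access.

```python
import json
import subprocess


def orphaned_bindings(crb_list, sa_list):
    """Return ClusterRoleBinding subjects naming a ServiceAccount that no longer exists."""
    live = {(sa["metadata"]["namespace"], sa["metadata"]["name"])
            for sa in sa_list.get("items", [])}
    findings = []
    for crb in crb_list.get("items", []):
        for subj in crb.get("subjects") or []:  # subjects may be absent or null
            if subj.get("kind") != "ServiceAccount":
                continue
            key = (subj.get("namespace"), subj.get("name"))
            if key not in live:
                findings.append({"binding": crb["metadata"]["name"],
                                 "clusterRole": crb["roleRef"]["name"],
                                 "missing": "{}/{}".format(*key)})
    return findings


def oc_get(*args):
    """Query the current cluster with a logged-in oc and return the parsed JSON."""
    done = subprocess.run(["oc", "get", *args, "-o", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(done.stdout)


def binding(name, role, *sa_names):
    """Build a minimal ClusterRoleBinding for the constructed sample below."""
    return {"metadata": {"name": name}, "roleRef": {"kind": "ClusterRole", "name": role},
            "subjects": [{"kind": "ServiceAccount", "name": n, "namespace": "demo"} for n in sa_names]}


# Constructed sample (names are made up): instance "a" was deleted, so its
# ServiceAccount is gone while its ClusterRoleBinding is still present.
SAMPLE_CRBS = {"items": [
    binding("example-nsic-a", "example-nsic-a", "example-nsic-a"),
    binding("example-nsic-b", "example-nsic-b", "example-nsic-b"),
    {"metadata": {"name": "example-admins"}, "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "example-admins"}]},
    {"metadata": {"name": "example-empty"}, "roleRef": {"kind": "ClusterRole", "name": "view"}, "subjects": None},
]}
SAMPLE_SAS = {"items": [{"metadata": {"name": "example-nsic-b", "namespace": "demo"}}]}

if __name__ == "__main__":
    # Live use: orphaned_bindings(oc_get("clusterrolebindings"), oc_get("serviceaccounts", "--all-namespaces"))
    for f in orphaned_bindings(SAMPLE_CRBS, SAMPLE_SAS):
        print("{binding}: ClusterRole {clusterRole} still bound to missing {missing}".format(**f))
```

Review each finding before deleting anything, because bindings created by other components can also reference service accounts that are not present.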
