Entity name change for CRDs
When a NetScaler Custom Resource Definition (CRD) instance is created, the NetScaler Ingress Controller generates multiple NetScaler entities associated with that CRD instance. The NetScaler Ingress Controller maintains unique names for each entity to preserve its association with the CRD instance. Because entity names were derived directly from CRD names, some NetScaler entity names exceeded the maximum character limit.
Starting with NetScaler Ingress Controller 4.0.x, the naming convention is optimized by using the following approach to generate shorter entity names during CRD creation:
- Hashed naming: A portion of the entity name is hashed to reduce the overall length
- Preserved information: The necessary Kubernetes-related metadata is retained in the entity’s comment field, if NetScaler supports a comment for that entity
- Improved compatibility: Names comply with NetScaler character restrictions while maintaining full traceability
The following table explains the entity name changes introduced in the NetScaler Ingress Controller version 4.0.x release:
| Entity Name | Old Naming Format | New Naming Format |
|---|---|---|
| appfwpolicy | k8s_crd_waf_wafbasicdefault | k8s_c21_wafbasic_default_DTUHVZOZSCSV4SPAPPQPZSON6VF656I6JSHGRVAB5SCMU6AC5HNA |
| appfwprofile | k8s_crd_waf_wafbasicdefault | k8s_c21_wafbasic_default_UXHDUNMOOGVVLEMJ3QRBQSZE24UN2NYR223J365CFRGKLQUZYJQQ |
| appfwsignatures | k8s_crd_waf_wafbasicdefault | k8s_c21_wafbasic_default_WNORDMGMY2XDLGL6QBJB27EIM5YWKRGECIXDESDKYJ23IBIUQ6HA |
| appqoeaction | k8s_crd_appqoepolicy_aqaction_targeturlappqoe_0_default | k8s_c02_targeturlappqoe_default_IYTOAY6HRWAJQDMHDS3KNLTACGGJEZXZTW4CKQRCD33ALSFZTALQ |
| appqoepolicy | k8s_crd_appqoepolicy_aqpolicy_targeturlappqoe_0_default | k8s_c02_targeturlappqoe_default_L3LV3IFDRMXAMDK3IIKAR3HLIM5CNRUYDS36ONBGX5TV7XXWTYFA |
| auditmessageaction | k8s_crd_rewritepolicy_rwaudmesaction_multipolicy1_1_default | k8s_c17_multipolicy1_default_P6NUHC62V4KJE442YEVGOMTBJWANVCQ4KTXUURS4SEVD4V2PQUQQ |
| authenticationldapaction | k8s_crd_authpolicy_authhotdrinks_ldap-auth-provider_1_default | k8s_c03_authhotdrinks_default_TZZOEQ2I5R5U7RFHNK5IPPOQCIXP2O4R6P4ZMCMZMXIOLCPTCMFA |
| authenticationloginschema | k8s_crd_authpolicy_autht1_lp_jwt-auth-provider_1_default | k8s_c03_autht1_default_2XOCNX67BWBEASZ7V3TT3BJTUOFILRZ6UYTRUH6DS3CRUPATPOMA |
| authenticationloginschemapolicy | k8s_crd_authpolicy_autht1_lp_jwt-auth-provider_1_default | k8s_c03_autht1_default_2XOCNX67BWBEASZ7V3TT3BJTUOFILRZ6UYTRUH6DS3CRUPATPOMA |
| authenticationoauthaction | k8s_crd_authpolicy_autht1_authpolicy_1_default | k8s_c03_autht1_default_LOJ53HJPDB56SFB67CJ6NBBTO3XC7NHQ54SCP4MMWSBGJR5QS3LQ |
| authenticationpolicy | k8s_crd_authpolicy_authhotdrinks_authpolicy_1_default | k8s_c03_authhotdrinks_default_GMA6HKR4ZM6LGWQZ7RNLDCRB3TXWSUFBEHEE3TVOJTXZO6DKYDTQ |
| authenticationsamlaction | k8s_crd_authpolicy_authhotdrinks_saml-auth-provider_1_default | k8s_c03_authhotdrinks_default_UODCZMVDCPIFBZXWP3BBV2RCWWXGF3ZRZ4V3UED2W4HNI6POBVXQ |
| authenticationvserver | k8s_crd_authpolicy_aaa_FormsName_authvsrv | k8s_c03_authhotdrinks_default_4X6TDA5WAIGTDSFED56OC526NQQAMV76DHKZOETVJRWMURP4AJ4Q |
| authorizationpolicy | k8s_crd_authpolicy_authhotdrinks_authzpolicy_1_default | k8s_c03_authhotdrinks_default_C7HVMV336LZ2IS6WRQQLY2N3ETNQN22DBY4LD7AHSXV7YKQ2JLYQ |
| botpolicy | k8s_crd_bot_btdefault | k8s_c04_SBKZMNXAVR4HHP |
| botpolicylabel | k8s_crd_bot_btdefault | k8s_c04_SBKZMNXAVR4HHP |
| botprofile | k8s_crd_bot_btdefault | k8s_c04_SBKZMNXAVR4HHP |
| botsignature | k8s_crd_bot_btdefault | k8s_c04_SBKZMNXAVR4HHP |
| contentinspectionaction | k8s_crd_icappolicy_exampleicappolicy_ci-action_0_default | k8s_c12_exampleicappolicy_default_MCQ3EFMGPJXSE2O7FFCJNL347VB6PNZTBAQZMGW4DOHBBE4MNE |
| contentinspectionpolicy | k8s_crd_icappolicy_exampleicappolicy_ci-policy_0_default | k8s_c12_exampleicappolicy_default_MI33BP5BZP7ZKXMIBXD4A6ZZNRQG5YS4ZRXUQI3N34KVDZ4UG7 |
| csaction | k8s_crd_k8shttproute_route-for-all_other-namespace_0 | k8s_c15_route-for-all_other-name_NSOCBGCEIEMS3U2KWEA563VB5SWRUPWYZ4QJCCCYEOHOUDQ4SP_0 |
| cspolicy | k8s_crd_k8shttproute_route-for-all_other-namespace_0 | k8s_c15_route-for-all_other-name_D74FE2SLZD7KJPVIGHR5CDOOOK75S2FOINBCFDQU6NEM5R7QBN_0 |
| csvserver | k8s_crd_Listener_10.1.3.1_80_http | k8s_c14_my-listener_default_10.1.3.1_80_http |
| gslbservicegroup | k8s_crd_globaltrafficpolicy_cid_east_cluster1_default_cold1_cocacola-com | k8s_c10_cid_east_cluster1_cold1_default_cocacola_com_0_HTTP |
| gslbvserver | k8s_crd_globaltrafficpolicy_default_cold1_cocacola-com | k8s_c10_cold1_default_cocacola_com_0_HTTP |
| ipset | k8s_crd_Listener_1.1.1.1_443_ssl_ipset | k8s_c14_my-listener_default_HTDWUDXLSZW2UM6UX4X3MGVUPWTINT7YVANRWA_ipset |
| lbmonitor | k8s_crd_globaltrafficpolicy_RZHNBQRQKJYYRRY6NXQ2MM6QVMQPCJ6C3PL | k8s_c10_cold1_default_ATG3IPNGAVACEEMIYRZIVYYFNKXVCKXI66C5RISIXAHXQIGGS5RA |
| lbvserver | k8s_crd_k8shttproute_route-for-all_other-namespace_0_lb | k8s_c15_route-for-all_other-name_0.0.0.0_0_http_0 |
| nshttpprofile | k8s_crd_Listener_10.1.3.1_80_http | k8s_c14_my-listener_default_10.1.3.1_80_http |
| nsicapprofile | k8s_crd_icappolicy_exampleicappolicy_icap-profile_0_default | k8s_c12_example_default_PJZLCPKQX6PPR6Y57O37PYBEHD6PT2YSRKPC4JNPBLTD2 |
| nslimitidentifier | k8s_crd_ratelimit_default_throttle_apis_codecov | k8s_c17_throttle_default_HUADSDGHAHJKSHUBSD |
| nstcpprofile | k8s_crd_Listener_10.1.3.1_80_http | k8s_c14_my-listener_default_10.1.3.1_80_http |
| policydataset | k8s_crd_rewritepolicy_dataset_multipolicy3_0_default_redirectIPs | k8s_c17_multipolicy3_default_6NGFYEUJWIQOOO5ZUUKSGVMIP6O3BNPJIZ5OTWAXPVCLCC5GEZRA |
| policyhttpcallout | k8s_crd_httpcallout_dbf2bfba | k8s_c17_DD6U4WGWATNEL7 |
| policypatset | k8s_crd_authpolicy_authhotdrinks_authpatset_1_default | k8s_c03_authhotdrinks_default_SHZXI2Z3WFHEZVA5BDAJ53R7TZSEUFJXSKRN5YQCRAZSO5V4N4SA |
| policystringmap | k8s_crd_rewritepolicy_stringmap_basicconfig_0_default_s1 | k8s_c17_basicconfig_default_XBMDW6QHZINFHIWFRLWHHGAAWOXTDIGJQTLNZST3MVYOY2QYFYSQ |
| responderaction | k8s_crd_rewritepolicy_respaction_basicconfig_0_default | k8s_c17_basicconfig_default_ZOHREQM7YYCY3CZ7IOP7YLSVDKVDRPMJYAHG4ODFY76R3ZFOR74Q_rw |
| responderpolicy | k8s_crd_rewritepolicy_resppolicy_basicconfig_0_default | k8s_c17_basicconfig_default_YTSRW4EDTQ5HEQKXD6SDS2KOBO7N26P5HQCIQHCS5GV3YXOI473A |
| rewriteaction | k8s_crd_k8shttproute_my-httproute_default_urlrewrite_host_0_0 | k8s_c15_my-httproute_default_YDWIG6XAYI5RJDIHCFHHKGK6VGNMIKOTPJYUNWVRB_urlrw_host_0_0 |
| rewritepolicy | k8s_crd_rewritepolicy_rwpolicy_multipolicy1_0_default | k8s_c17_multipolicy1_default_AY2LPEUWN6JPESA4L4RO7FZTQJ7P66CVA4NW2LHHR3IJF6GJWKVA |
| servicegroup | k8s_crd_icappolicy_exampleicappolicy_icap-sg_0_default | k8s_c12_exampleicappolicy_default_GD3T7QZNKV5EDOYDI2KBB5JTPM4EMBLATOUJVZMGVX7WJNCQAN |
| sslcipher | k8s_crd_Listener_1.1.1.1_443_ssl | k8s_c14_DZ5VMPYNSHVTTYF26BTLAS |
| sslprofile | k8s_crd_Listener_10.1.3.1_443_ssl | k8s_c14_my-listener_default_10.1.3.1_443_ssl |
| sslvserver | k8s_crd_Listener_10.1.3.1_443_ssl | k8s_c14_my-listener_default_10.1.3.1_443_ssl |
| streamselector | k8s_crd_ratelimit_default_throttlecoffeeperclientip | k8s_c17_throttle_default_HUADSDGHAHJKSHUBSD |
Upgrade Scenario
When you upgrade from an older version of NetScaler Ingress Controller to version 4.0.x, NetScaler Ingress Controller renames all the entities using the new naming format. Because entities are deleted and recreated during the upgrade, traffic is disrupted, which results in downtime.
Note:
NetScaler Ingress Controller does not handle the downgrade from the latest version to an older version.
Downgrade NetScaler Ingress Controller from 4.0.x version to 3.x.x versions
To safely downgrade the NetScaler Ingress Controller while preserving your Citrix CRD configurations, perform the following steps:
1. Back up all Citrix CRD instances. This command backs up all Citrix CRD instances from all namespaces to a single YAML file with proper document separators.

   ```bash
   rm -f all_crd_instances.yaml
   for crd in $(kubectl get crds -o jsonpath='{.items[*].metadata.name}' | tr ' ' '\n' | grep 'citrix.com'); do
     echo "Getting instances for CRD: $crd"
     # "-o name" omits the namespace, so list namespace and name explicitly
     # and fetch each instance from its own namespace.
     kubectl get "$crd" --all-namespaces \
       -o jsonpath='{range .items[*]}{.metadata.namespace}{" "}{.metadata.name}{"\n"}{end}' |
     while read -r ns name; do
       kubectl get "$crd" "$name" -n "$ns" -o yaml
       echo "---"
     done >> all_crd_instances.yaml
   done
   ```

   Verify that the backup file is created:

   ```bash
   ls -lh all_crd_instances.yaml
   ```

2. Delete the CRD instances from your existing deployment using the following command:

   ```bash
   kubectl delete -f all_crd_instances.yaml
   ```

3. Allow NetScaler Ingress Controller to process the delete events and clean up associated resources:

   ```bash
   kubectl logs -n <nsic-namespace> <nsic-pod-name> -f
   ```

4. Downgrade NetScaler Ingress Controller by updating your NetScaler Ingress Controller deployment to the desired 3.x.x version:

   ```bash
   # Example: using Helm
   helm upgrade nsic citrix/citrix-ingress-controller --version <3.x.x-version>

   # Or: using kubectl
   kubectl set image deployment/nsic nsic-container=<image:3.x.x-tag> -n <nsic-namespace>
   ```

5. Once the downgraded NetScaler Ingress Controller pod is running and ready, restore the backed-up CRD instances:

   ```bash
   kubectl apply -f all_crd_instances.yaml
   ```
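
The delete step removes every instance listed in the backup file, so the backup is worth checking against the cluster before anything is deleted. The following is an added example, not part of the NetScaler documentation: the function names, the sample namespaces `edge` and `prod`, and the sample data are all constructed for illustration. It lists what a backup file contains and reports live instances that are missing from it.

```bash
# Print one "Kind namespace/name" line per YAML document in backup file $1.
backup_inventory() {
  awk '
    function flush() { if (kind != "") print kind, ns "/" name; kind = ns = name = ""; meta = 0 }
    /^---[ \t]*$/           { flush(); next }
    /^metadata:/            { meta = 1; next }
    /^[^ \t]/               { meta = 0 }
    /^kind:/                { kind = $2 }
    meta && /^  name:/      { name = $2 }   # two-space indent only: skips nested keys
    meta && /^  namespace:/ { ns = $2 }
    END                     { flush() }
  ' "$1" | LC_ALL=C sort
}

# The same listing taken from the live cluster (needs kubectl access).
live_inventory() {
  for crd in $(kubectl get crds -o name | grep 'citrix.com' | cut -d/ -f2); do
    kubectl get "$crd" --all-namespaces -o \
      jsonpath='{range .items[*]}{.kind}{" "}{.metadata.namespace}{"/"}{.metadata.name}{"\n"}{end}'
  done | LC_ALL=C sort
}

# Print entries of live listing $1 that are absent from backup file $2.
missing_from_backup() {
  inv=$(mktemp)
  backup_inventory "$2" > "$inv"
  LC_ALL=C sort "$1" | LC_ALL=C comm -23 - "$inv"
  rm -f "$inv"
}

# Constructed sample: two instances in the backup, three in the live listing.
demo() {
  d=$(mktemp -d)
  cat > "$d/backup.yaml" <<'EOF'
kind: rewritepolicy
metadata:
  annotations:
    name: decoy
  name: basicconfig
  namespace: default
---
kind: Listener
metadata:
  name: my-listener
  namespace: edge
EOF
  printf '%s\n' 'Listener edge/my-listener' 'rewritepolicy default/basicconfig' 'waf prod/wafbasic' > "$d/live.txt"
  missing_from_backup "$d/live.txt" "$d/backup.yaml"
  rm -rf "$d"
}
demo   # prints: waf prod/wafbasic
```

On a cluster, run `live_inventory > live.txt` followed by `missing_from_backup live.txt all_crd_instances.yaml`, and continue to the delete step only when the second command prints nothing.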