NetScaler ingress controller

How to use Kubernetes secrets for storing NetScaler credentials

In most organizations, Tier 1 NetScaler Ingress devices and Kubernetes clusters are managed by separate teams. The NetScaler Ingress Controller requires NetScaler credentials, such as the NetScaler user name and password, to configure the NetScaler. Usually, these credentials are specified as environment variables in the NetScaler Ingress Controller pod specification. A more secure option is to store the NetScaler credentials in Kubernetes secrets.

This topic describes how to use Kubernetes secrets to store the ADC credentials and the various ways to provide the credentials stored as secret data to the NetScaler Ingress Controller.

Create a Kubernetes secret

Perform the following steps to create a Kubernetes secret.

  1. Create a file named adc-credential-secret.yaml that defines a Kubernetes secret with the NetScaler user name and password in the data section, as follows.

    apiVersion: v1
    kind: Secret
    metadata:
      name: adc-credentials
    data:
      # Values under data must be base64-encoded
      username: <ADC user name>
      password: <ADC password>
    
  2. Apply the adc-credential-secret.yaml file to create a secret.

    kubectl apply -f adc-credential-secret.yaml
    

    Alternatively, you can create the Kubernetes secret using the --from-literal option of the kubectl command, as follows:

    kubectl create secret generic adc-credentials --from-literal=username=<username> --from-literal=password=<password>
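
Kubernetes expects the values under data to be base64-encoded. The following shell script is an added example, not part of the original NetScaler documentation: it renders the manifest from step 1 with encoded values and checks that they decode to exactly the intended credentials. The function names and the sample credentials are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: render the Secret manifest from step 1 with base64-encoded values.
# Function names and credential values are constructed for illustration.

# Encode a value for the Secret's data section.
# printf '%s' avoids the trailing newline that echo would add to the stored value.
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Print a Secret manifest; $1 = secret name, $2 = user name, $3 = password.
render_secret() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: Opaque
data:
  username: $(b64 "$2")
  password: $(b64 "$3")
EOF
}

# Decode one key from a manifest read on stdin; $1 = key name.
decode_key() {
  sed -n "s/^  $1: //p" | base64 -d
}

# Return 0 only if both keys decode to exactly the expected values.
# $1 = manifest text, $2 = user name, $3 = password.
# The appended "x" keeps a stray trailing newline from being silently stripped.
verify_secret() {
  [ "$(printf '%s\n' "$1" | decode_key username; printf x)" = "${2}x" ] &&
  [ "$(printf '%s\n' "$1" | decode_key password; printf x)" = "${3}x" ]
}

# Constructed sample values; pipe the output to `kubectl apply -f -` to create the secret.
render_secret adc-credentials 'nsadmin' 'Sample-Passw0rd!'
```

A password encoded with echo instead of printf carries a trailing newline into the secret, which verify_secret reports as a mismatch.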
    

Once you have created a Kubernetes secret, you can use one of the following options to use the secret data in the NetScaler Ingress Controller pod specification.

Use secret data as environment variables in the NetScaler Ingress Controller pod specification

You can use secret data from the Kubernetes secret as the values for the environment variables in the NetScaler Ingress Controller deployment specification.

The following snippet of the YAML file shows how the environment variables reference the secret.

  - name: "NS_USER"
    valueFrom:
      secretKeyRef:
        name: adc-credentials
        key: username
  # Set user password for Nitro
  - name: "NS_PASSWORD"
    valueFrom:
      secretKeyRef:
        name: adc-credentials
        key: password

Here is an example of the NetScaler Ingress Controller deployment with the values of the environment variables sourced from the secret object.


apiVersion: apps/v1
kind: Deployment
metadata:
  name: cic-k8s-ingress-controller
spec:
  selector:
    matchLabels:
      app: cic-k8s-ingress-controller
  replicas: 1
  template:
    metadata:
      name: cic-k8s-ingress-controller
      labels:
        app: cic-k8s-ingress-controller
      annotations:
    spec:
      serviceAccountName: cic-k8s-role
      containers:
      - name: cic-k8s-ingress-controller
        image: <image location>
        env:
         # Set NetScaler NSIP/SNIP, SNIP in case of HA (mgmt has to be enabled)
         - name: "NS_IP"
           value: "x.x.x.x"
         # Set username for Nitro
         - name: "NS_USER"
           valueFrom:
            secretKeyRef:
             name: adc-credentials
             key: username
         # Set user password for Nitro
         - name: "NS_PASSWORD"
           valueFrom:
            secretKeyRef:
             name: adc-credentials
             key: password
         # Accept the end user license agreement
         - name: "EULA"
           value: "yes"
        imagePullPolicy: Always

Use a secret volume mount to pass credentials to the NetScaler Ingress Controller

Alternatively, you can use a volume mount with the secret object as the source for the NetScaler credentials. The NetScaler Ingress Controller expects the secret to be mounted at the path /etc/citrix, and it looks for the credentials in files named username and password.

You can create a volume from the secret object and then mount the volume using volumeMounts at /etc/citrix as shown in the following deployment example.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: cic-k8s-ingress-controller
spec:
  selector:
    matchLabels:
      app: cic-k8s-ingress-controller
  replicas: 1
  template:
    metadata:
      name: cic-k8s-ingress-controller
      labels:
        app: cic-k8s-ingress-controller
      annotations:
    spec:
      serviceAccountName: cic-k8s-role
      containers:
      - name: cic-k8s-ingress-controller
        image: <image location>
        env:
         # Set NetScaler NSIP/SNIP, SNIP in case of HA (mgmt has to be enabled)
         - name: "NS_IP"
           value: "x.x.x.x"
         # Accept the end user license agreement
         - name: "EULA"
           value: "yes"
        volumeMounts:
        # name must match the volume name below
          - name: secret-volume
            mountPath: /etc/citrix
        imagePullPolicy: Always
      # The secret data is exposed to Containers in the Pod through a Volume.
      volumes:
      - name: secret-volume
        secret:
          secretName: adc-credentials

Use NetScaler credentials stored in a HashiCorp Vault server

You can also use NetScaler credentials stored in a HashiCorp Vault server for the NetScaler Ingress Controller and push the credentials through a sidecar container.

For more information, see Using NetScaler credentials stored in a Vault server.