Manage the Kubernetes Ingress configuration in Citrix ADM

Kubernetes (K8s) is an open source container orchestration platform that automates the deployment, scaling, and management of cloud-native applications.

Kubernetes provides the Ingress feature which allows client traffic outside the cluster to access microservices of an application running inside the Kubernetes cluster. Citrix ADC instances can act as the Ingress to applications running inside a Kubernetes cluster. Citrix ADC instances can load balance and content route North-South traffic from the clients to any microservices inside the Kubernetes cluster.

Note

  • Citrix ADM supports the Ingress feature on the clusters with Kubernetes version 1.14 and above.
  • Citrix ADM supports Citrix ADC VPX and MPX appliances as Ingress devices.
  • In Kubernetes environment, the Citrix ADC instance load balances only the “NodePort” service type.

You can configure multiple ADC instances to act as Ingress devices on the same cluster or different clusters or namespaces. After you configure the instances, you can assign each instance to different applications based on the Ingress policy.

You can create and deploy an Ingress configuration using Kubernetes kubectl or APIs. You can also configure and deploy an Ingress from Citrix ADM.

You can specify the following aspects of Kubernetes integration in ADM:

  • Cluster – You can register or unregister Kubernetes clusters for which ADM can deploy Ingress configurations. When you register a cluster in Citrix ADM, specify the Kubernetes API server information. Then, select an ADM agent that can reach the Kubernetes cluster and deploy Ingress configurations.

  • Policies – Ingress policies are used to select the ADC instance based on cluster or namespace to deploy an Ingress configuration. Specify the cluster, site, and instance information when you add a policy.

  • Ingress Configuration – This configuration is the Kubernetes Ingress configuration, which includes the content switching rules and the corresponding URL paths of the microservices and their ports. You can also specify the SSL/TLS certificates (to offload SSL processing on the ADC instance) using Kubernetes secret resources.

The Citrix ADM automatically maps the Ingress configurations to ADC instances using Ingress policies.

For each successful Ingress configuration, Citrix ADM generates a StyleBook ConfigPack. The ConfigPack represents the ADC configuration applied to the ADC instance that corresponds to the Ingress configuration. To view the ConfigPack, navigate to Applications > StyleBooks > Configurations.

Before you begin

To use Citrix ADC instances as Ingress devices on Kubernetes clusters, ensure you have:

  • Kubernetes cluster in place.

  • Citrix ADM agent installed and configured to enable communication between Citrix ADM and Kubernetes cluster or managed instances in your data center or cloud.

  • Kubernetes cluster registered in Citrix ADM.

Configure Citrix ADM agent to register with Kubernetes cluster

To enable communication between Kubernetes cluster and Citrix ADM, you must install and configure a Citrix ADM agent. You can deploy an agent on the following platforms:

  • Hypervisor (ESX, XenServer, KVM, Hyper-V)

  • Public Cloud Services (such as Microsoft Azure, AWS)

Follow the procedure to configure an agent.

Note

You can also use an existing ADM agent if one is already deployed.

Configure the Citrix ADM with a secret token to manage a Kubernetes cluster

For Citrix ADM to be able to receive events from Kubernetes, you need to create a service account in Kubernetes for Citrix ADM and configure the service account with necessary RBAC permissions in the Clutser.

  1. Create a service account for Citrix ADM. For example, the service account name can be citrixadm-sa. To create a service account, see Use Multiple Service Accounts.

  2. Use the cluster-admin role to bind the Citrix ADM service account. This binding grants a ClusterRole across the cluster to a service account. The following is an example command to bind a cluster-admin role to the service account.

    kubectl create clusterrolebinding citrixadm-sa-admin --clusterrole=cluster-admin --serviceaccount=default:citrixadm-sa
    

    After binding the Citrix ADM service account to the cluster-admin role, the service account has the cluster-wide access. For more information, see kubectl create clusterrolebinding.

  3. Obtain the token from the created service account.

    For example, run the following command to view the token for the citrixadm-sa service account:

    kubectl describe sa citrixadm-sa
    
  4. Run the following command to obtain the secret string of the token:

    kubectl describe secret <token-name>
    

Add the Kubernetes cluster in Citrix ADM

After you configure a Citrix ADM agent and configure static routes, you must register the Kubernetes cluster in Citrix ADM.

To register the Kubernetes cluster:

  1. Log on to Citrix ADM with administrator credentials.

  2. Navigate to Orchestration > Kubernetes > Cluster. The Clusters page is displayed.

  3. Click Add.

  4. In the Add Cluster page, specify the following parameters:

    1. Name - Specify a name of your choice.

    2. API Server URL - You can get the API Server URL details from the Kubernetes Master node.

      1. On the Kubernetes master node, run the command kubectl cluster-info.

        API Server URL

      2. Enter the URL that displays for “Kubernetes master is running at.”

    3. Authentication Token - Specify the authentication token string obtained while you configure Citrix ADM to manage a Kubernetes cluster. The authentication token is required to validate access for communication between Kubernetes cluster and Citrix ADM. To generate an authentication token:

      1. On the Kubernetes master node, run the following commands:

        kubectl describe secret <token-name>
        
      2. Copy the token that is generated and paste it as the Authentication Token

        For more information, see Kubernetes documentation.

    4. Select the agent from the list.

    5. Click Create.

      add cluster

Define an Ingress policy

The Ingress policy decides which Citrix ADC is used to deploy a Ingress configuration, based on the Ingress Cluster and/or Namespace.

  1. Navigate to Orchestration > Kubernetes > Policy.

  2. Click Add to create a policy.

    1. Specify the policy name.

    2. Define Conditions to deploy the Ingress configuration on a Kubernetes cluster, which typically are based on Ingress Cluster and Namespace.

    3. In the Infrastructure panel,

      • Site - Select a site from the list.

      • Instance - Select the ADC instance from the list.

      The Site and Instance lists populate the options based on the cluster selection in the Conditions panel.

      These lists display the sites or instances that are associated with the Citrix ADM agent configured with the Kubernetes cluster.

    4. Click Create.

Deploy the Ingress configuration

You can deploy the Ingress configuration from Kubernetes using kubectl, Kubernetes API or other tools. You can also deploy the Ingress configuration directly from Citrix ADM.

  1. Navigate to Orchestration > Kubernetes > Ingress.

  2. Click Add.

  3. In the Create Ingress field, specify the following details:

    1. Specify the name of the Ingress.

    2. In Cluster, select the Kubernetes cluster on which you want to deploy an Ingress.

    3. Select the Cluster Namespace from the list. This field lists the namespaces that are present in the specified Kubernetes cluster.

    4. In the Frontend IP address field, specify the virtual IP address. This IP address is assigned to this Ingress configuration on the ADC instance.

    5. If your Ingress configuration need HTTPS communication:

      1. Select Yes in the Enable TLS field.

      2. In the TLS secret field, select the Kubernetes secret resource that embeds the HTTPS certificate and private key.

      A HTTPS Ingress requires a TLS based secret configured on the Kubernetes cluster. Specify the tls.crt and tls.key fields to include the server certificate and the certificate key respectively.

    6. For content routing, specify the URL paths and its corresponding Kubernetes service and ports. Click Add to add more URL paths and ports to the Ingress configuration.

      After deployment, the Ingress configuration redirects the client traffic to a specific service based on the requested URL path.

      Note: Kubernetes Services used in an Ingress Configuration are expected to be of type NodePort.

    7. Optional, specify an Ingress Description.

    8. click Deploy.

      if you want to review the configuration before you deploy, click Generate Ingress Spec. The specified Ingress configuration appears in the YAML format. After reviewing the configuration, click Deploy.

Note Apply licenses to the virtual servers that are created using Ingress configurations. To apply license, perform the following steps:

  1. Go to System > Licensing & Analytics.
  2. Under Virtual Server License Summary, enable Auto-select virtual servers.