Application Delivery Management

Manage the Kubernetes Ingress configuration in Citrix ADM

Kubernetes (K8s) is an open source container orchestration platform that automates the deployment, scaling, and management of cloud-native applications.

Kubernetes provides the Ingress feature which allows client traffic outside the cluster to access microservices of an application running inside the Kubernetes cluster. ADC instances can act as the Ingress to applications running inside a Kubernetes cluster. ADC instances can load balance and content route North-South traffic from the clients to any microservices inside the Kubernetes cluster.

Note

  • Citrix ADM supports the Ingress feature on the clusters with Kubernetes version 1.14 and above.
  • Citrix ADM supports Citrix ADC VPX and MPX appliances as Ingress devices.
  • In the Kubernetes environment, the Citrix ADC instance load balances only the “NodePort” service type.

You can configure multiple ADC instances to act as Ingress devices on the same cluster or different clusters or namespaces. After you configure the instances, you can assign each instance to different applications based on the Ingress policy.

You can create and deploy an Ingress configuration using Kubernetes kubectl or APIs. You can also configure and deploy an Ingress from Citrix ADM.

You can specify the following aspects of Kubernetes integration in ADM:

  • Cluster – You can register or unregister Kubernetes clusters for which ADM can deploy Ingress configurations. When you register a cluster in Citrix ADM, specify the Kubernetes API server information. Then, select an ADM agent that can reach the Kubernetes cluster and deploy Ingress configurations.

  • Policies – Ingress policies are used to select the ADC instance based on cluster or namespace to deploy an Ingress configuration. Specify the cluster, site, and instance information when you add a policy.

  • Ingress Configuration – This configuration is the Kubernetes Ingress configuration, which includes the content switching rules and the corresponding URL paths of the microservices and their ports. You can also specify the SSL/TLS certificates (to offload SSL processing on the ADC instance) using Kubernetes secret resources.

The Citrix ADM automatically maps the Ingress configurations to ADC instances using Ingress policies.

For each successful Ingress configuration, Citrix ADM generates a StyleBook ConfigPack. The ConfigPack represents the ADC configuration applied to the ADC instance that corresponds to the Ingress configuration. To view the ConfigPack, navigate to Applications > StyleBooks > Configurations.

Before you begin

To use Citrix ADC instances as Ingress devices on Kubernetes clusters, ensure you have:

  • Kubernetes cluster in place.

  • Kubernetes cluster registered in Citrix ADM.

Configure the Citrix ADM with a secret token to manage a Kubernetes cluster

For Citrix ADM to be able to receive events from Kubernetes, you need to create a service account in Kubernetes for Citrix ADM. And, configure the service account with the necessary RBAC permissions in the Cluster.

  1. Create a service account for Citrix ADM. For example, the service account name can be citrixadm-sa. To create a service account, see Use Multiple Service Accounts.

  2. Use the cluster-admin role to bind the Citrix ADM service account. This binding grants a ClusterRole across the cluster to a service account. The following is an example command to bind a cluster-admin role to the service account.

    kubectl create clusterrolebinding citrixadm-sa-admin --clusterrole=cluster-admin --serviceaccount=default:citrixadm-sa
    <!--NeedCopy-->
    

    After binding the Citrix ADM service account to the cluster-admin role, the service account has the cluster-wide access. For more information, see kubectl create clusterrolebinding.

  3. Obtain the token from the created service account.

    For example, run the following command to view the token for the citrixadm-sa service account:

    kubectl describe sa citrixadm-sa
    <!--NeedCopy-->
    
  4. Run the following command to obtain the secret string of the token:

    kubectl describe secret <token-name>
    <!--NeedCopy-->
    

Add the Kubernetes cluster in Citrix ADM

After you configure a Citrix ADM agent and configure static routes, you must register the Kubernetes cluster in Citrix ADM.

To register the Kubernetes cluster:

  1. Log on to Citrix ADM with administrator credentials.

  2. Navigate to Orchestration > Kubernetes > Cluster. The Clusters page is displayed.

  3. Click Add.

  4. In the Add Cluster page, specify the following parameters:

    1. Name - Specify a name of your choice.

    2. API Server URL - You can get the API Server URL details from the Kubernetes main node.

      1. On the Kubernetes main node, run the command kubectl cluster-info.

        API Server URL

      2. Enter the URL that displays for “Kubernetes master is running at.”

    3. Authentication Token - Specify the authentication token string obtained while you configure Citrix ADM to manage a Kubernetes cluster. The authentication token is required to validate access for communication between the Kubernetes cluster and Citrix ADM. To generate an authentication token:

      1. On the Kubernetes main node, run the following commands:

        kubectl describe secret <token-name>
        <!--NeedCopy-->
        
      2. Copy the token that is generated and paste it as the Authentication Token

        For more information, see Kubernetes documentation.

    4. Select the agent from the list.

    5. Click Create.

      add cluster

Define an Ingress policy

The Ingress policy decides which Citrix ADC is used to deploy an Ingress configuration, based on the Ingress Cluster or Namespace.

  1. Navigate to Orchestration > Kubernetes > Policy.

  2. Click Add to create a policy.

    1. Specify the policy name.

    2. Define Conditions to deploy the Ingress configuration on a Kubernetes cluster. These conditions are typically based on Ingress Cluster and Namespace.

    3. In the Infrastructure panel,

      • Site - Select a site from the list.

      • Instance - Select the ADC instance from the list.

      The Site and Instance lists populate the options based on the cluster selection in the Conditions panel.

      These lists display the sites or instances that are associated with the Citrix ADM agent configured with the Kubernetes cluster.

    4. In Choose Network, select the network from which ADM auto-assigns the virtual IP addresses to an Ingress configuration.

      This list displays the networks created in Networks > IPAM.

    5. Click Create.

Deploy the Ingress configuration

You can deploy the Ingress configuration from Kubernetes using kubectl, Kubernetes API, or other tools. You can also deploy the Ingress configuration directly from Citrix ADM.

  1. Navigate to Orchestration > Kubernetes > Ingresses.

  2. Click Add.

  3. In the Create Ingress field, specify the following details:

    1. Specify the name of the Ingress.

    2. In Cluster, select the Kubernetes cluster on which you want to deploy an Ingress.

    3. Select the Cluster Namespace from the list. This field lists the namespaces that are present in the specified Kubernetes cluster.

    4. Optional, select Auto Assign Frontend IP address.

    5. Select Ingress Protocol from the list. If you select HTTPS, specify TLS secret.

      This secret embeds the Kubernetes secret resource that embeds the HTTPS certificate and private key.

      An HTTPS Ingress requires a TLS based secret configured on the Kubernetes cluster. Specify the tls.crt and tls.key fields to include the server certificate and the certificate key respectively.

    6. For content routing, specify the following details:

      • URL paths - Specify the path that is associated with the Kubernetes service and port.

      • Kubernetes service - Specify the desired service.

      • Port - Specify the service port.

      • LB method - Select the preferred load-balancing method to the selected Kubernetes service.

        The selected method updates the Ingress Specification with an appropriate annotation. For example, if you select ROUNDROBIN method, the Citrix annotation appears as follows:

         "lbmethod":"ROUNDROBIN"
         <!--NeedCopy-->
        
      • Persistence Type - Select the preferred load-balancing persistence type to the selected Kubernetes service.

        The selected persistence type updates the Ingress Specification with an appropriate annotation. For example, if you select COOKIEINSERT, the Citrix annotation appears as follows:

         "persistenceType":"COOKIEINSERT"
         <!--NeedCopy-->
        

      Click Add to add more URL paths and ports to the Ingress configuration.

      Add content routing rules

      After deployment, the Ingress configuration redirects the client traffic to a specific service based on the following:

      • The requested URL path and port.
      • The defined LB method and persistence type.

      Note

      Kubernetes Services used in an Ingress Configuration are expected to be of type NodePort.

    7. Optional, specify an Ingress Description.

    8. click Deploy.

      If you want to review the configuration before you deploy, click Generate Ingress Spec. The specified Ingress configuration appears in the YAML format. After reviewing the configuration, click Deploy.

Note Apply licenses to the virtual servers that are created using Ingress configurations. To apply license, perform the following steps:

  1. Go to System > Licensing & Analytics.
  2. Under Virtual Server License Summary, enable Auto-select virtual servers.
Manage the Kubernetes Ingress configuration in Citrix ADM