NetScaler ingress controller

Deploy the NetScaler Ingress Controller using Helm charts

You can deploy the NetScaler Ingress Controller in the following modes on your bare metal and cloud deployments:

  • As a standalone pod in the Kubernetes cluster. Use this mode if you are controlling NetScalers (NetScaler MPX or NetScaler VPX) outside the cluster. For example, with dual-tier topologies, or single-tier topology where the single tier is a NetScaler MPX or VPX.

  • As a sidecar (in the same pod) with NetScaler CPX in the Kubernetes cluster. The sidecar controller is only responsible for the associated NetScaler CPX within the same pod. This mode is used in dual-tier or cloud topologies.

The Helm charts for the NetScaler Ingress Controller are available on Artifact Hub.

When you deploy using the Helm charts, you can use a values.yaml file to specify the values of the configurable parameters instead of providing each parameter as an argument. For ease of use, NetScaler provides the NetScaler deployment builder which is a GUI for generating the values.yaml file for NetScaler cloud native deployments.

Deploy the NetScaler Ingress Controller as a standalone pod in the Kubernetes cluster

Use the netscaler-ingress-controller chart to run the NetScaler Ingress Controller as a pod in your Kubernetes cluster. The chart deploys the controller pod and configures the NetScaler VPX or MPX ingress device.

Prerequisites

  • Determine the NS_IP address needed by the controller to communicate with the appliance. The IP address might be any one of the following depending on the type of NetScaler deployment:

    • (Standalone appliances) NSIP - The management IP address of a standalone NetScaler appliance. For more information, see IP Addressing in NetScaler.

    • (Appliances in High Availability mode) SNIP - The subnet IP address. For more information, see IP Addressing in NetScaler.

    • (Appliances in Clustered mode) CLIP - The cluster management IP (CLIP) address for a clustered NetScaler deployment. For more information, see IP addressing for a cluster.

  • The user name and password of the NetScaler VPX or MPX appliance used as the Ingress device. The NetScaler appliance needs to have a system user account (non-default) with certain privileges so that the NetScaler Ingress Controller can configure the NetScaler VPX or MPX appliance. For instructions to create the system user account on NetScaler, see Create System User Account for NetScaler Ingress Controller in NetScaler.

    You can directly pass the user name and password or use Kubernetes secrets. If you want to use Kubernetes secrets, create a secret for the user name and password using the following command:

     kubectl create secret generic nslogin --from-literal=username=<username> --from-literal=password=<password>
    

Create a system user account for the NetScaler Ingress Controller in NetScaler

The NetScaler Ingress Controller configures the NetScaler using a system user account of the NetScaler. The system user account should have certain privileges so that the NetScaler Ingress Controller has permission to configure the following on the NetScaler:

  • Add, delete, or view content switching (CS) virtual server
  • Configure CS policies and actions
  • Configure Load Balancing (LB) virtual server
  • Configure service groups
  • Configure SSL certkeys
  • Configure routes
  • Configure user monitors
  • Add system file (for uploading SSL certkeys from Kubernetes)
  • Configure Virtual IP address (VIP)
  • Check the status of the NetScaler appliance

To create the system user account, perform the following:

  1. Log on to the NetScaler appliance. Perform the following:
    1. Use an SSH client, such as PuTTY, to open an SSH connection to the NetScaler appliance.

    2. Log on to the appliance by using the administrator credentials.

  2. Create the system user account using the following command:

    add system user <username> <password>
    

    For example:

    add system user cic mypassword
    
  3. Create a policy to provide required permissions to the system user account. Use the following command:

    add cmdpolicy cic-policy ALLOW '^(\?!shell)(\?!sftp)(\?!scp)(\?!batch)(\?!source)(\?!.*superuser)(\?!.*nsroot)(\?!install)(\?!show\s+system\s+(user|cmdPolicy|file))(\?!(set|add|rm|create|export|kill)\s+system)(\?!(unbind|bind)\s+system\s+(user|group))(\?!diff\s+ns\s+config)(\?!(set|unset|add|rm|bind|unbind|switch)\s+ns\s+partition).*|(^install\s*(wi|wf))|(^\S+\s+system\s+file)^(\?!shell)(\?!sftp)(\?!scp)(\?!batch)(\?!source)(\?!.*superuser)(\?!.*nsroot)(\?!install)(\?!show\s+system\s+(user|cmdPolicy|file))(\?!(set|add|rm|create|export|kill)\s+system)(\?!(unbind|bind)\s+system\s+(user|group))(\?!diff\s+ns\s+config)(\?!(set|unset|add|rm|bind|unbind|switch)\s+ns\s+partition).*|(^install\s*(wi|wf))|(^\S+\s+system\s+file)'
    

    Note: The system user account has privileges based on the command policy that you define.

    The command policy mentioned in step 3 is similar to the built-in sysAdmin command policy with additional permission to upload files.

    In the command policy specification provided, special characters which need to be escaped are already omitted to easily copy-paste into the NetScaler command line.

    For configuring the command policy from NetScaler configuration wizard (GUI), use the following command policy specification.

    ^(?!shell)(?!sftp)(?!scp)(?!batch)(?!source)(?!.*superuser)(?!.*nsroot)(?!install)(?!show\s+system\s+(user|cmdPolicy|file))(?!(set|add|rm|create|export|kill)\s+system)(?!(unbind|bind)\s+system\s+(user|group))(?!diff\s+ns\s+config)(?!(set|unset|add|rm|bind|unbind|switch)\s+ns\s+partition).*|(^install\s*(wi|wf))|(^\S+\s+system\s+file)^(?!shell)(?!sftp)(?!scp)(?!batch)(?!source)(?!.*superuser)(?!.*nsroot)(?!install)(?!show\s+system\s+(user|cmdPolicy|file))(?!(set|add|rm|create|export|kill)\s+system)(?!(unbind|bind)\s+system\s+(user|group))(?!diff\s+ns\s+config)(?!(set|unset|add|rm|bind|unbind|switch)\s+ns\s+partition).*|(^install\s*(wi|wf))|(^\S+\s+system\s+file)
    
  4. Bind the policy to the system user account using the following command:

    bind system user cic cic-policy 0
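
To review what the step 3 command policy permits before binding it, the following added example (not part of the NetScaler documentation) evaluates the GUI form of the expression against constructed sample commands with Python's `re` module. It assumes the appliance anchors the match at the start of the command and that Python's regex semantics agree with the appliance's for this expression; `allowed`, `audit` and the sample commands are hypothetical names and values.

```python
import re

# GUI form of the command policy expression from this page. The page's
# specification is this expression written twice back to back; both copies
# are kept so the check covers the string as published.
HALF = (
    r"^(?!shell)(?!sftp)(?!scp)(?!batch)(?!source)"
    r"(?!.*superuser)(?!.*nsroot)(?!install)"
    r"(?!show\s+system\s+(user|cmdPolicy|file))"
    r"(?!(set|add|rm|create|export|kill)\s+system)"
    r"(?!(unbind|bind)\s+system\s+(user|group))"
    r"(?!diff\s+ns\s+config)"
    r"(?!(set|unset|add|rm|bind|unbind|switch)\s+ns\s+partition).*"
    r"|(^install\s*(wi|wf))|(^\S+\s+system\s+file)"
)
POLICY = re.compile(HALF + HALF)

# Constructed sample commands (illustrative names and addresses).
SAMPLES = [
    "add cs vserver web-cs HTTP 192.0.2.10 80",
    "add ssl certKey web-cert -cert tls.crt -key tls.key",
    "add route 10.244.1.0 255.255.255.0 192.0.2.20",
    "add system file tls.crt -fileContent AAAA",
    "shell",
    "add system user eve pw",
    "show system user",
    "set ns partition p1",
    "set system user nsroot -password x",
]

def allowed(command: str) -> bool:
    """True if the ALLOW expression matches from the start of the command.
    Assumption: the appliance anchors the match the same way."""
    return POLICY.match(command) is not None

def audit(commands):
    """Map each command to ALLOW or DENY under this policy alone."""
    return {c: "ALLOW" if allowed(c) else "DENY" for c in commands}

if __name__ == "__main__":
    for cmd, verdict in audit(SAMPLES).items():
        print(f"{verdict:5}  {cmd}")
```

The `add system file` command is allowed only through the final `(^\S+\s+system\s+file)` alternative, which is the file-upload permission the page says this policy adds on top of sysAdmin.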
    

To deploy the NetScaler Ingress Controller as a standalone pod:

To deploy the NetScaler Ingress Controller as a standalone pod, follow the instructions provided in the NetScaler Ingress Controller Artifact Hub.

Deploy the NetScaler Ingress Controller as a sidecar with NetScaler CPX in the Kubernetes cluster

Use the citrix-cpx-with-ingress-controller chart to deploy a NetScaler CPX with NetScaler Ingress Controller as a sidecar. The chart deploys a NetScaler CPX instance that is used for load balancing the North-South traffic to the microservices in your Kubernetes cluster. The sidecar NetScaler Ingress Controller configures the NetScaler CPX.

To deploy NetScaler CPX with the NetScaler Ingress Controller as a sidecar, follow the instructions provided in the NetScaler Ingress Controller Helm Hub.
