Citrix ADC in OpenShift Service Mesh

This is a guest post by Dhiraj Gedam, Principal Software Engineer, Citrix Systems.

Citrix is proud and thankful to have achieved Red Hat OpenShift Operator Certification. Operators let users deploy and manage resources in an OpenShift environment more easily. This blog post talks about the benefits of the Citrix Cloud Native Stack and the deployment of Citrix ADC to act as the OpenShift Ingress.

I believe that readers are familiar with Kubernetes, Istio, and Istio resources such as Gateway, VirtualService, etc. It is recommended to glance through this blog post to gain perspective on the aforementioned resources.

In this blog, I shall talk about deploying Citrix ADC as a Gateway in OpenShift Service Mesh using the Citrix ADC Istio Ingress Gateway Operator.

Red Hat OpenShift Service Mesh

Red Hat OpenShift Service Mesh provides a platform for behavioral insight and operational control over microservices deployed in a service mesh. OpenShift Service Mesh is based on the Istio open source project. Detailed information about OpenShift Service Mesh can be found here.

Red Hat OpenShift Service Mesh is based on the Istio community release, with additional features and integration automation for OpenShift. In addition to delivering enhanced security and hardened, production-ready code, it adds features such as tracing with Jaeger and visibility with Kiali when deploying the Service Mesh on OpenShift Container Platform. This page describes the differences between Red Hat OpenShift Service Mesh and Istio.

Citrix ADC as Ingress Gateway in Red Hat OpenShift Service Mesh

The Citrix ADC solution comes in several form factors: hardware (MPX), virtual (VPX), and container (CPX). Hardware and virtual appliances are deployed in the traditional way, whereas deployment of the container form factor differs slightly, as will become evident in the rest of this post. Citrix provides an operator, the ‘Citrix ADC Istio Ingress Gateway Operator’, to facilitate the deployment of Citrix ADC as an Ingress Gateway in OpenShift Service Mesh. This single operator can be used to deploy any of the Citrix ADC form factors.


Deploying Citrix ADC MPX or VPX as Ingress Gateway

Figure 1 Citrix ADC MPX/VPX as Ingress Gateway in Red Hat OpenShift Service Mesh

Before deploying Citrix ADC MPX/VPX as an Ingress Gateway, you need to establish connectivity between Citrix ADC and the OpenShift Container Platform. You can achieve this with a route-based configuration on Citrix ADC or by using the Citrix K8s Node Controller (CNC). This connectivity is required so the ADC can send packets to application pods inside the Kubernetes cluster. Citrix ADC also monitors application pods’ health status so requests go to healthy pods.

When Citrix ADC MPX/VPX is deployed as the Ingress Gateway device, the Istio-adaptor container runs inside a pod managed by the Ingress Gateway deployment, while the ADC itself sits outside the cluster. Keep reading for more on the Istio-adaptor.


Deploying Citrix ADC CPX as Istio Ingress Gateway

Figure 2 Citrix ADC CPX as Istio Ingress Gateway

When Citrix ADC CPX is deployed as the Ingress Gateway, both CPX and the Istio-adaptor run as containers inside the Ingress Gateway pod.

Citrix Istio Adaptor

Citrix Istio Adaptor is open source software written in Go by Citrix Systems. Its main job is to automatically configure the Citrix ADC deployed in the Istio service mesh.

Components such as Istio Pilot, Citadel, Mixer, and others make up the Istio control plane. Pilot is the control plane component that provides service discovery to the proxies in the mesh. It is essentially a gRPC xDS server, and it is also responsible for configuring proxies at runtime.

Istio-adaptor is a gRPC client to the xDS server and receives xDS resources such as clusters, listeners, routes, and endpoints from the xDS server over a secure gRPC channel. After receiving these resources, the Istio-adaptor converts them to the equivalent Citrix ADC configuration blocks and configures the associated Citrix ADC using RESTful NITRO calls.

This blog talks about the Citrix Istio Adaptor in great detail.


Deploying Citrix ADC as Gateway using the Citrix ADC Istio Ingress Gateway Operator

Prerequisites

  • Active OpenShift Container Platform subscription
  • OpenShift Container Platform (OCP) 4.1/4.2 should be installed
  • The matching version of the OCP CLI, i.e. the oc client tool
  • Red Hat OpenShift Service Mesh should be installed. Follow this link.
  • For deploying Citrix ADC VPX or MPX as an Ingress Gateway, create a Kubernetes secret for the Citrix ADC user name and password using the following command:

oc create secret generic nslogin --from-literal=username=<citrix-adc-user> --from-literal=password=<citrix-adc-password>

Steps

  1. Log in to the OpenShift Container Platform web console.
  2. Create a project named citrix-system.
  3. Add the citrix-system project to the member list in the Service Mesh Member Roll using the information provided in Red Hat documentation.
  4. Navigate to Catalog → OperatorHub.
  5. Type Citrix into the filter box. Select and Install ‘Citrix ADC Istio Ingress Gateway Operator’.
  6. Under Create Operator Subscription, select the following and then click Subscribe.
    1. Installation Mode: specific namespace on the cluster. Select citrix-system
    2. Update Channel: alpha
    3. Approval Strategy: Automatic
  7. Grant the following SCC privileges to the service accounts that will be used by the Ingress Gateway, using the commands below.
oc adm policy add-scc-to-user privileged -z builder  -n citrix-system
oc adm policy add-scc-to-user privileged -z default  -n citrix-system
oc adm policy add-scc-to-user privileged -z deployer -n citrix-system
oc adm policy add-scc-to-user anyuid     -z builder -n citrix-system
oc adm policy add-scc-to-user anyuid     -z default -n citrix-system
oc adm policy add-scc-to-user anyuid     -z deployer -n citrix-system
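The commands above bind the privileged and anyuid SCCs to three service accounts in citrix-system, which is a grant worth re-checking later. The following shell script is an added example, not code from the original post or from the Citrix operator: it compares the users currently bound to an SCC against an allow-list and reports anything extra. It assumes that `oc get scc <name> -o jsonpath='{.users[*]}'` prints the directly bound users separated by spaces, that the privileged SCC ships with its two default holders (system:admin and the openshift-infra build-controller service account), and that grants made through RBAC rather than the SCC's users field are out of scope; the sample query output is constructed.

```shell
#!/bin/sh
# Added example: audit the holders of an SCC against an allow-list.
# Assumption: `oc get scc NAME -o jsonpath='{.users[*]}'` prints the users
# bound directly to the SCC, separated by spaces. Bindings granted through
# RBAC (ClusterRole rules on the SCC resource) are not covered here.

# Holders OpenShift ships in the privileged SCC by default, plus the three
# citrix-system service accounts granted in step 7.
EXPECTED_PRIVILEGED="system:admin
system:serviceaccount:openshift-infra:build-controller
system:serviceaccount:citrix-system:builder
system:serviceaccount:citrix-system:default
system:serviceaccount:citrix-system:deployer"

# For anyuid, list the three citrix-system accounts; add any holders your
# cluster already had before these steps.
EXPECTED_ANYUID="system:serviceaccount:citrix-system:builder
system:serviceaccount:citrix-system:default
system:serviceaccount:citrix-system:deployer"

# Constructed sample of the query output on a cluster where one unrelated
# service account (dev:default) has also been granted the SCC.
SAMPLE_PRIVILEGED_USERS="system:admin system:serviceaccount:openshift-infra:build-controller system:serviceaccount:citrix-system:builder system:serviceaccount:citrix-system:default system:serviceaccount:citrix-system:deployer system:serviceaccount:dev:default"

# scc_user_for_sa NAMESPACE SERVICEACCOUNT
# Prints the user string OpenShift uses for a service account.
scc_user_for_sa() {
  printf 'system:serviceaccount:%s:%s\n' "$1" "$2"
}

# in_list NEEDLE ITEM...  -> 0 if NEEDLE exactly equals one of the ITEMs.
in_list() {
  needle=$1
  shift
  for item in "$@"; do
    [ "$item" = "$needle" ] && return 0
  done
  return 1
}

# scc_unexpected_users ACTUAL_USERS EXPECTED_USERS
# Prints every user in ACTUAL_USERS (whitespace-separated) that is not in
# EXPECTED_USERS, one per line. Returns 0 when nothing unexpected is found.
scc_unexpected_users() {
  actual=$1
  expected=$2
  rc=0
  for u in $actual; do
    # word splitting of $expected is intentional: one user per word
    if ! in_list "$u" $expected; then
      printf '%s\n' "$u"
      rc=1
    fi
  done
  return $rc
}

# Stand-alone demo on the constructed sample.
if extra=$(scc_unexpected_users "$SAMPLE_PRIVILEGED_USERS" "$EXPECTED_PRIVILEGED"); then
  echo "privileged SCC: only expected users are bound"
else
  echo "privileged SCC: unexpected users bound:"
  printf '  %s\n' $extra
fi

# Live usage (needs cluster access):
#   scc_unexpected_users "$(oc get scc privileged -o jsonpath='{.users[*]}')" "$EXPECTED_PRIVILEGED"
#   scc_unexpected_users "$(oc get scc anyuid -o jsonpath='{.users[*]}')" "$EXPECTED_ANYUID"
```

Run against the constructed sample, the script flags system:serviceaccount:dev:default as unexpected; against a live cluster, anything it prints is an SCC holder that was not part of these steps and deserves a look.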

  8. Under the citrix-system project, navigate to Operators → Installed Operators and select Citrix ADC Istio Ingress Gateway Operator.
  9. Click Citrix ADC Istio Ingress Gateway Operator and, in the Overview tab, select Create Instance to create the CRD for Citrix ADC.
    a. For Citrix ADC CPX as the Ingress Gateway, set the following environment variables to the specified values:
      i. Citrix ADC CPX – Yes
      ii. ingressGateway.EULA – True
      iii. istioAdaptor.tag – 1.0.1
    b. For Citrix ADC MPX/VPX as the Ingress Gateway, set the following environment variables:
      i. istioAdaptor version: 1.0.1
      ii. netscalerUrl: the Citrix ADC IP address or URL
      iii. vserverIP: an unused IP address to be assigned to the Citrix ADC virtual server
  10. Once you have updated the values of the required parameters, click Create.

Deploying Citrix ADC CPX as Sidecar

When an application is deployed in the Service Mesh, its pods are injected with a sidecar proxy. By default, the Envoy proxy is injected as the sidecar. Users may, for various reasons, want to deploy another vendor's proxy as the sidecar instead. The sidecar proxy can be deployed either manually or automatically.

Citrix provides an OpenShift Operator that enables automatic injection of Citrix ADC CPX as the sidecar proxy in application pods. In this section, I describe the steps to achieve this.

Prerequisites

  • Active OpenShift Container Platform subscription
  • OpenShift Container Platform (OCP) 4.1/4.2 should be installed
  • The matching version of the OCP CLI, i.e. the oc client tool
  • Red Hat OpenShift Service Mesh should be installed. Follow this link.
  • kubectl and OpenSSL should be installed on the master node to run the script below
  • Create resources required for automatic sidecar injection by performing the following steps:

 1. Download the webhook-create-signed-cert.sh script.

curl -L https://raw.githubusercontent.com/citrix/citrix-istio-adaptor/master/deployment/webhook-create-signed-cert.sh > webhook-create-signed-cert.sh

 2. Change the permissions of the script to make it executable.

chmod +x webhook-create-signed-cert.sh

 3. Create a signed certificate and key pair and store them in a Kubernetes secret.

./webhook-create-signed-cert.sh \
 --service cpx-sidecar-injector \
 --secret cpx-sidecar-injector-certs \
 --namespace citrix-system
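The API server reaches an admission webhook at <service>.<namespace>.svc and validates the webhook's serving certificate against that name, so the certificate created by the step above must cover cpx-sidecar-injector.citrix-system.svc. The following shell script is an added example, not code from the original post or from the Citrix script: it derives the expected name from the --service and --namespace arguments and checks that the subjectAltName extension of the issued certificate lists it. It assumes the secret stores the certificate under the key cert.pem (the post does not name the key) and that OpenSSL 1.1.1 or later is available for the -ext option; the SAN text it parses offline is a constructed sample.

```shell
#!/bin/sh
# Added example: check that the sidecar-injector webhook certificate covers
# the in-cluster service name the API server dials.
# Assumptions: the secret key holding the certificate is "cert.pem"; the
# SAN text is in the format printed by `openssl x509 -noout -ext subjectAltName`.

# webhook_expected_dns_name SERVICE NAMESPACE
# Prints the name an admission webhook must present: <service>.<namespace>.svc
webhook_expected_dns_name() {
  printf '%s.%s.svc\n' "$1" "$2"
}

# san_has_dns SAN_TEXT NAME -> 0 if SAN_TEXT lists the entry DNS:NAME exactly.
san_has_dns() {
  san_text=$1
  wanted=$2
  # Turn the comma-separated entries into words; the header line and leading
  # whitespace fall away during word splitting.
  for entry in $(printf '%s\n' "$san_text" | tr ',' '\n'); do
    case "$entry" in
      "DNS:$wanted") return 0 ;;
    esac
  done
  return 1
}

# Constructed sample of the SAN extension as openssl prints it for a
# certificate issued to the service and namespace used in the step above.
SAMPLE_SAN='X509v3 Subject Alternative Name:
    DNS:cpx-sidecar-injector, DNS:cpx-sidecar-injector.citrix-system, DNS:cpx-sidecar-injector.citrix-system.svc'

# Stand-alone demo on the constructed sample.
want=$(webhook_expected_dns_name cpx-sidecar-injector citrix-system)
if san_has_dns "$SAMPLE_SAN" "$want"; then
  echo "certificate covers $want"
else
  echo "certificate does NOT cover $want; the webhook TLS handshake will fail"
fi

# Live usage (needs cluster access; key name cert.pem is an assumption):
#   san=$(oc get secret cpx-sidecar-injector-certs -n citrix-system \
#           -o jsonpath='{.data.cert\.pem}' | base64 -d | openssl x509 -noout -ext subjectAltName)
#   san_has_dns "$san" "$(webhook_expected_dns_name cpx-sidecar-injector citrix-system)"
```

A certificate that lacks the .svc name is the usual cause of the API server rejecting the injector's TLS handshake, in which case no pod gets a CPX sidecar even though the operator reports healthy.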


Steps

  1. Log in to the OpenShift Container Platform web console.
  2. Create a project named citrix-system.
  3. Navigate to Operators → OperatorHub, select Citrix ADC CPX Istio Sidecar Injector Operator, and click Install.
  4. Under Create Operator Subscription, select the following and then click Subscribe.
    1. Installation Mode: specific namespace on the cluster. Select citrix-system
    2. Update Channel: alpha
    3. Approval Strategy: Automatic
  5. Under the citrix-system project, navigate to Operators → Installed Operators and select Citrix ADC Istio Sidecar Injector Operator.
  6. Click Citrix ADC CPX Istio Sidecar Injector Operator and in the Overview tab, select Create Instance to create the CRD for Citrix ADC.
  7. Set the environment variable cpxProxy.EULA to YES.
  8. Update the values of the required parameters and click Create.
  9. Navigate to Workloads → Pods and verify that the Citrix ADC CPX sidecar is running.
  10. Label the application namespace/project with cpx-injection=enabled. For example, if the application is being deployed in the bookinfo namespace, run the following command:

oc label namespace bookinfo cpx-injection=enabled

Accessing an application using Citrix ADC

Once Citrix ADC is deployed in OpenShift Service Mesh (OSSM), an application deployed in the cluster can be accessed via Citrix ADC. For this, the application must be exposed using Istio’s Gateway CRD.

An example of deploying the sample Bookinfo application can be found here.

If the application is exposed using Citrix ADC MPX/VPX, it can be browsed by accessing the vserverIP specified in step 9.b of the previous section.

If the application is exposed using Citrix ADC CPX, retrieve the service address as follows.

Navigate to Networking → Services and check the citrix-ingressgateway service. You can use the Service Address as the URL to access the Citrix ADC that is acting as the Ingress Gateway.

Exposing HTTP-based applications is the most common use case. I have written a blog which gives an insight into exposing HTTP and TCP applications in both a secure and an insecure fashion. It also talks about configuring a secure gateway for multiple hosts using Server Name Indication. It’ll be good if you can read the same and provide your valuable comments.

Categories
OpenShift Container Platform, Operators