Citrix ADC in OpenShift Service Mesh

This is a guest post by Dhiraj Gedam, Principal Software Engineer, Citrix Systems.
Citrix is proud and thankful to achieve Red Hat OpenShift Operator Certification. Operators let users deploy and manage resources in an OpenShift environment more easily. This blog post talks about the benefits of the Citrix Cloud Native Stack and the deployment of Citrix ADC as an OpenShift Ingress.
I assume that readers are familiar with Kubernetes, Istio, and Istio resources such as Gateway and VirtualService. It is recommended to glance through this blog post to gain perspective on those resources.
In this blog, I shall talk about deploying Citrix ADC as a Gateway in OpenShift Service Mesh using the Citrix ADC Istio Ingress Gateway Operator.
Red Hat OpenShift Service Mesh
Red Hat OpenShift Service Mesh provides a platform for behavioral insight and operational control over microservices deployed in a service mesh. OpenShift Service Mesh is based on Istio open source project. Detailed information about OpenShift Service Mesh can be found here. 
Red Hat OpenShift Service Mesh is based on the Istio community release, with additional features and integration automation for OpenShift. In addition to delivering enhanced security and hardened, production-ready code, it adds features, such as tracing with Jaeger and visibility with Kiali, when deploying the Service Mesh on OpenShift Container Platform. This page describes the differences between Red Hat OpenShift Service Mesh and Istio. 
Citrix ADC as Ingress Gateway in Red Hat OpenShift Service Mesh
The Citrix ADC solution comes in various form factors: hardware-based (MPX), virtualized (VPX), and container-based (CPX). Hardware and virtual appliances are deployed traditionally, whereas deployment of the container form factor differs slightly, as will be evident in the rest of this post. Citrix provides an operator, the ‘Citrix ADC Istio Ingress Gateway Operator’, to facilitate the deployment of Citrix ADC as an Ingress Gateway in OpenShift Service Mesh. This single operator can be used to deploy every form factor of Citrix ADC.
Deploying Citrix ADC MPX or VPX as Ingress Gateway

Figure 1 Citrix ADC MPX/VPX as Ingress Gateway in Red Hat OpenShift Service Mesh
Before deploying Citrix ADC MPX/VPX as an Ingress Gateway, you need to establish connectivity between Citrix ADC and the OpenShift Container Platform. You can achieve this with a route-based configuration on Citrix ADC or by using the Citrix K8s Node Controller (CNC). This connectivity is required so the ADC can send packets to application pods inside the Kubernetes cluster. Citrix ADC also monitors application pods’ health status so requests go to healthy pods.
When Citrix ADC MPX/VPX is deployed as the Ingress Gateway device, the pod managed by the Ingress Gateway deployment runs only the Istio-adaptor container; the ADC appliance itself sits outside the cluster. Keep reading for more on the Istio-adaptor.
Deploying Citrix ADC CPX as Istio Ingress Gateway

Figure 2 Citrix ADC CPX as Istio Ingress Gateway
When Citrix ADC CPX is deployed as the Ingress Gateway, both CPX and the Istio-adaptor run as containers inside the Ingress Gateway Pod.
Citrix Istio Adaptor
Citrix Istio Adaptor is open source software written in Go by Citrix Systems. Its main job is to automatically configure the Citrix ADC deployed in the Istio service mesh.
Components such as Istio Pilot, Citadel, Mixer, and more comprise the Istio control plane. Pilot is the control plane component that provides service discovery to proxies in the mesh. It’s essentially a gRPC xDS server, and it’s also responsible for configuring proxies at runtime.
Istio-adaptor is a gRPC client to the xDS server and receives xDS resources such as clusters, listeners, routes, and endpoints from the xDS server over a secure gRPC channel. After receiving these resources, the Istio-adaptor converts them to the equivalent Citrix ADC configuration blocks and configures the associated Citrix ADC using RESTful NITRO calls.
This blog talks about the Citrix Istio Adaptor in great detail.
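To make the xDS-to-NITRO translation described above concrete, here is an added Python illustration (my own, not the Citrix Istio Adaptor's code) that takes one Envoy ClusterLoadAssignment as Pilot would push it over EDS and produces the NITRO REST calls that would realise it on the ADC as a service group bound to an LB vserver. It also shows the runtime reconciliation step: diffing a fresh push against the members already bound. The NITRO resource paths and attribute names come from the public NITRO API; the allowed-character set for entity names and the sample cluster/endpoint data are assumptions, and nothing is sent over the network.

```python
import re

# NITRO entity names accept letters, digits and a few punctuation characters.
# Envoy cluster names contain "|", which the ADC rejects, so anything outside
# the set below becomes "_" (assumed allowed set; adjust for your ADC build).
_DISALLOWED = re.compile(r"[^A-Za-z0-9_\-.:@=#]")

# Constructed sample: an Envoy ClusterLoadAssignment (EDS resource) as Pilot
# would push it, reduced to the fields this example uses.
SAMPLE_CLA = {
    "cluster_name": "outbound|80||productpage.bookinfo.svc.cluster.local",
    "endpoints": [
        {
            "lb_endpoints": [
                {"endpoint": {"address": {"socket_address": {"address": "10.128.2.15", "port_value": 9080}}}},
                {"endpoint": {"address": {"socket_address": {"address": "10.131.0.22", "port_value": 9080}}}},
            ]
        }
    ],
}


def adc_name(prefix, cluster_name, max_len=127):
    """Derive a NITRO-safe entity name from an Envoy cluster name."""
    return (prefix + "_" + _DISALLOWED.sub("_", cluster_name))[:max_len]


def endpoints_of(cla):
    """Flatten a ClusterLoadAssignment into (ip, port) tuples."""
    members = []
    for locality in cla.get("endpoints", []):
        for lb in locality.get("lb_endpoints", []):
            sock = lb["endpoint"]["address"]["socket_address"]
            members.append((sock["address"], int(sock["port_value"])))
    return members


def nitro_requests(cla, vip, vport, servicetype="HTTP"):
    """Build the NITRO calls (method, path, payload) that realise one cluster
    as a service group plus an LB vserver on the ADC. Nothing is sent here;
    the adaptor would issue these against https://<adc>/nitro/v1/config/."""
    sg = adc_name("sg", cla["cluster_name"])
    lb = adc_name("lb", cla["cluster_name"])
    reqs = [("POST", "/nitro/v1/config/servicegroup",
             {"servicegroup": {"servicegroupname": sg, "servicetype": servicetype}})]
    # One member binding per pod endpoint; the ADC health-monitors each member.
    for ip, port in endpoints_of(cla):
        reqs.append(("POST", "/nitro/v1/config/servicegroup_servicegroupmember_binding",
                     {"servicegroup_servicegroupmember_binding":
                      {"servicegroupname": sg, "ip": ip, "port": port}}))
    reqs.append(("POST", "/nitro/v1/config/lbvserver",
                 {"lbvserver": {"name": lb, "servicetype": servicetype,
                                "ipv46": vip, "port": vport}}))
    reqs.append(("POST", "/nitro/v1/config/lbvserver_servicegroup_binding",
                 {"lbvserver_servicegroup_binding": {"name": lb, "servicegroupname": sg}}))
    return reqs


def member_delta(current_members, cla):
    """Runtime reconciliation: compare the members already bound on the ADC
    with the endpoints in a fresh EDS push and return (to_add, to_remove)."""
    desired = set(endpoints_of(cla))
    current = set(current_members)
    return sorted(desired - current), sorted(current - desired)


if __name__ == "__main__":
    for method, path, body in nitro_requests(SAMPLE_CLA, "10.0.0.50", 80):
        print(method, path, body)
    print(member_delta([("10.128.2.15", 9080), ("10.1.1.1", 9080)], SAMPLE_CLA))
```

The reconciliation helper is the part worth keeping in mind operationally: because Pilot pushes the full endpoint set on every change, the adaptor must compute adds and removes rather than blindly re-POST, otherwise stale pod IPs linger as unhealthy members on the ADC.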
Deploying Citrix ADC as Gateway using the Citrix ADC Istio Ingress Gateway Operator
Prerequisites

Active OpenShift Container Platform subscription
OpenShift Container Platform (OCP) 4.1/4.2 should be installed
An appropriate version of the OCP CLI, i.e. the oc client tool
Red Hat OpenShift Service Mesh should be installed. Follow this link.

For deploying Citrix ADC VPX or MPX as an Ingress gateway:

Create a Kubernetes secret for the Citrix ADC user name and password using the following command (the two option names are double-dash flags):

oc create secret generic nslogin --from-literal=username=<citrix-adc-user> --from-literal=password=<citrix-adc-password>

Steps

Log in to the OpenShift Container Platform web console.
Create a project named citrix-system.
Add the citrix-system project to the member list in the Service Mesh Member Roll using the information provided in Red Hat documentation.
Navigate to Catalog → OperatorHub.
Type Citrix into the filter box. Select and Install ‘Citrix ADC Istio Ingress Gateway Operator’.
Under Create Operator Subscription, select the following and then click Subscribe.

Installation Mode: A specific namespace on the cluster; select citrix-system
Update Channel: alpha
Approval Strategy: Automatic

Grant the following SCC privileges to the service accounts that the Ingress Gateway will use, with the commands below:

oc adm policy add-scc-to-user privileged -z builder  -n citrix-system
oc adm policy add-scc-to-user privileged -z default  -n citrix-system
oc adm policy add-scc-to-user privileged -z deployer -n citrix-system
oc adm policy add-scc-to-user anyuid     -z builder  -n citrix-system
oc adm policy add-scc-to-user anyuid     -z default  -n citrix-system
oc adm policy add-scc-to-user anyuid     -z deployer -n citrix-system
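The privileged and anyuid SCCs are the broadest ones OpenShift ships, so after running the six commands above a practitioner will want to confirm that exactly the three intended service accounts in citrix-system hold them and nothing else does. The following Python audit is an added example (mine, not part of the Citrix operator or documentation). It parses the JSON that oc get scc privileged anyuid -o json returns, where add-scc-to-user records each grant in the SCC's users list as system:serviceaccount:<namespace>:<name>, and reports grants that are missing or unexpected. The embedded SCC document is constructed sample data: it deliberately contains one stray service account and one missing grant so the report shape is visible.

```python
import json
import sys

NAMESPACE = "citrix-system"

# The grants the procedure above is expected to produce.
EXPECTED = {
    "privileged": {"builder", "default", "deployer"},
    "anyuid": {"builder", "default", "deployer"},
}

# Constructed sample resembling `oc get scc privileged anyuid -o json`
# (a v1 List of SecurityContextConstraints, trimmed to the users field).
SAMPLE_SCC_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"kind": "SecurityContextConstraints", "metadata": {"name": "privileged"},
         "users": ["system:admin",
                   "system:serviceaccount:openshift-infra:build-controller",
                   "system:serviceaccount:citrix-system:builder",
                   "system:serviceaccount:citrix-system:default",
                   "system:serviceaccount:citrix-system:deployer",
                   "system:serviceaccount:citrix-system:stale-debug-sa"]},
        {"kind": "SecurityContextConstraints", "metadata": {"name": "anyuid"},
         "users": ["system:serviceaccount:citrix-system:builder",
                   "system:serviceaccount:citrix-system:default"]},
    ],
})


def sa_users(scc, namespace):
    """Service-account names from one SCC's users list, limited to namespace."""
    prefix = f"system:serviceaccount:{namespace}:"
    return {u[len(prefix):] for u in scc.get("users", []) if u.startswith(prefix)}


def audit(scc_list_json, namespace, expected):
    """Compare the SCC grants present in namespace with the expected set.
    Returns {scc_name: {"missing": [...], "unexpected": [...]}}."""
    doc = json.loads(scc_list_json)
    by_name = {item["metadata"]["name"]: item for item in doc.get("items", [])}
    report = {}
    for scc_name, want in expected.items():
        have = sa_users(by_name.get(scc_name, {}), namespace)
        report[scc_name] = {
            "missing": sorted(want - have),       # grants the gateway still needs
            "unexpected": sorted(have - want),    # grants that should be reviewed
        }
    return report


def is_clean(report):
    """True when every SCC holds exactly the expected grants."""
    return all(not r["missing"] and not r["unexpected"] for r in report.values())


if __name__ == "__main__":
    # Pipe real cluster output in, or fall back to the constructed sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SCC_JSON
    result = audit(raw, NAMESPACE, EXPECTED)
    print(json.dumps(result, indent=2))
    sys.exit(0 if is_clean(result) else 1)
```

Run it as oc get scc privileged anyuid -o json | python3 scc_audit.py; a non-zero exit means the grants differ from the procedure, and an "unexpected" entry is the case to chase first, since the privileged SCC lets any pod using that service account escape the usual container restrictions.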

 8. Under the citrix-system project, navigate to Operators
