Releasing Citrix xDS-adaptor v0.9.9 (#94)
Signed-off-by: “Subash <subash.dangol@citrix.com>
subashd authored Sep 7, 2021
1 parent c45e30d commit 7074adb
Showing 69 changed files with 1,075 additions and 160 deletions.
6 changes: 3 additions & 3 deletions citrix-adc-istio-egress-gateway/Chart.yaml
@@ -1,14 +1,14 @@
apiVersion: v2
name: citrix-adc-istio-egress-gateway
appVersion: 1.9.2
kubeVersion: ">=v1.16.0 < v1.22"
appVersion: 1.11.0
kubeVersion: ">=v1.16.0-0"
description: A Helm chart for Citrix ADC as Egress Gateway installation in Istio Service Mesh on Kubernetes platform
icon: https://raw.githubusercontent.com/citrix/citrix-helm-charts/gh-pages/icon.png
type: application
home: https://www.citrix.com
sources:
- https://github.com/citrix/citrix-xds-adaptor
version: 1.9.2
version: 1.11.0
maintainers:
- name: ajeetas
email: ajeeta.shakeet@citrix.com
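Review bot: dropping the upper bound on kubeVersion (from `>=v1.16.0 < v1.22` to `>=v1.16.0-0`) lets this chart install on Kubernetes 1.22 and later, yet the README prerequisites changed in this same commit still say the `admissionregistration.k8s.io/v1beta1` API must be enabled; either keep an upper bound until the chart has been verified on 1.22+, or update the prerequisite to require only the `v1` API. The `-0` suffix is deliberate and deserves a short comment next to it: it makes the semver constraint accept pre-release-style cluster versions such as the `v1.20.7-eks-xxxxxx` form called out in `_helpers.tpl`, which a bare `>=v1.16.0` would reject.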
24 changes: 18 additions & 6 deletions citrix-adc-istio-egress-gateway/README.md
Expand Up @@ -15,6 +15,7 @@ Citrix Application Delivery Controller (ADC) can be deployed as an Istio Egress
9. [Citrix ADC as Egress Gateway: a sample deployment](#citrix-adc-as-egress-gateway-a-sample-deployment)
10. [Uninstalling the Helm chart](#uninstalling-the-helm-chart)
11. [Configuration Parameters](#configuration-parameters)

## <a name="tldr">TL; DR;</a>

### To deploy Citrix ADC VPX or MPX as an Egress Gateway:
Expand All @@ -23,8 +24,7 @@ Citrix Application Delivery Controller (ADC) can be deployed as an Istio Egress

helm repo add citrix https://citrix.github.io/citrix-helm-charts/

helm install citrix-adc-istio-egress-gateway citrix/citrix-adc-istio-egress-gateway --namespace citrix-system --set egressGateway.EULA=YES --set egressGateway.netscalerUrl=https://<nsip>[:port] --set egressGateway.vserverIP=<IPv4 Address> --set secretName=nsloginegress

helm install citrix-adc-istio-egress-gateway citrix/citrix-adc-istio-egress-gateway --namespace citrix-system --set egressGateway.EULA=YES --set egressGateway.netscalerUrl=https://<nsip>[:port] --set egressGateway.vserverIP=<IPv4 Address> --set secretName=nsloginegress

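Review bot: the removed and added `helm install` lines in this hunk render as byte-identical, which points to a whitespace-only change (trailing spaces or line ending); worth confirming it is intentional rather than an editor artefact, since it adds diff noise to every future blame of this line.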
### To deploy Citrix ADC CPX as an Egress Gateway:

Expand All @@ -33,17 +33,28 @@ Citrix Application Delivery Controller (ADC) can be deployed as an Istio Egress
helm install citrix-adc-istio-egress-gateway citrix/citrix-adc-istio-egress-gateway --namespace citrix-system --set egressGateway.EULA=true --set citrixCPX=true



## <a name="introduction">Introduction</a>

This chart deploys Citrix CPX as an Egress Gateway. An egress gateway defines the exit point from the mesh. It provides features like load balancing at the edge of the mesh, monitoring, and routing rules to exiting the mesh.

### Compatibility Matrix between Citrix xDS-adaptor and Istio version

Below table provides info about recommended Citrix xDS-Adaptor version to be used for various Istio versions.

| Citrix xDS-Adaptor version | Istio version |
|----------------------------|---------------|
| quay.io/citrix/citrix-xds-adaptor:0.9.9 | Istio v1.10+ |
| quay.io/citrix/citrix-xds-adaptor:0.9.8 | Istio v1.8 to Istio v1.9 |
| quay.io/citrix/citrix-xds-adaptor:0.9.5 | Istio v1.6 |

### Prerequisites

The following prerequisites are required for deploying Citrix ADC as an Egress Gateway in Istio service mesh:

- Ensure that **Istio version 1.8 onwards** is installed
- Ensure that Helm with version 3.x is installed. Follow this [step](https://github.com/citrix/citrix-helm-charts/blob/master/Helm_Installation_version_3.md) to install the same.
- Ensure that your cluster Kubernetes version should be in range 1.16 to 1.21 and the `admissionregistration.k8s.io/v1`, `admissionregistration.k8s.io/v1beta1` API is enabled
- Ensure that your cluster Kubernetes version should be 1.16 onwards and the `admissionregistration.k8s.io/v1`, `admissionregistration.k8s.io/v1beta1` API is enabled

You can verify the API by using the following command:

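Review bot: the rewritten prerequisite now says Kubernetes 1.16 onwards but still lists `admissionregistration.k8s.io/v1beta1` alongside `v1` as required; v1beta1 of that API group is removed in Kubernetes 1.22, so on newer clusters the two requirements cannot both hold. Suggest requiring `admissionregistration.k8s.io/v1` only. Separately, the new compatibility matrix recommends 0.9.9 for Istio v1.10+ while the bullet just below still says Istio 1.8 onwards; one sentence telling Istio 1.8/1.9 users to pin `xDSAdaptor.image` to the 0.9.8 tag would remove the ambiguity.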
Expand All @@ -59,7 +70,7 @@ The following prerequisites are required for deploying Citrix ADC as an Egress G
Create a Kubernetes secret for the Citrix ADC user name and password using the following command:

kubectl create secret generic nsloginegress --from-literal=username=<citrix-adc-user> --from-literal=password=<citrix-adc-password> -n citrix-system
- Ensure that your cluster has Kubernetes version 1.14.0 or later and the `admissionregistration.k8s.io/v1beta1` API is enabled
- Ensure that your cluster has Kubernetes version 1.16.0 or later and the `admissionregistration.k8s.io/v1beta1` API is enabled

- **Create system user account for xDS-adaptor in Citrix ADC:**

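Review bot: this bullet duplicates the Kubernetes-version prerequisite already stated earlier in the same list, and after this change the two disagree on the API requirement (`v1` and `v1beta1` above, `v1beta1` only here). Suggest deleting this bullet, or folding it into the earlier one with a single API requirement, so the reader is not given two different statements of the same prerequisite.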
Expand Down Expand Up @@ -301,7 +312,7 @@ The following table lists the configurable parameters in the Helm chart and thei
| Parameter | Description | Default | Optional/Mandatory |
|--------------------------------|-------------------------------|---------------------------|---------------------------|
| `citrixCPX` | Citrix ADC CPX | FALSE | Mandatory for Citrix ADC CPX |
| `xDSAdaptor.image` | Image of the Citrix xDS adaptor container |quay.io/citrix/citrix-xds-adaptor:0.9.8 | Mandatory|
| `xDSAdaptor.image` | Image of the Citrix xDS adaptor container |quay.io/citrix/citrix-xds-adaptor:0.9.9 | Mandatory|
| `xDSAdaptor.imagePullPolicy` | Image pull policy for xDS adaptor | IfNotPresent | Optional|
| `xDSAdaptor.secureConnect` | If this value is set to true, xDS-adaptor establishes secure gRPC channel with Istio Pilot | TRUE | Optional|
| `xDSAdaptor.logLevel` | Log level to be set for xDS-adaptor log messages. Possible values: TRACE (most verbose), DEBUG, INFO, WARN, ERROR (least verbose) | DEBUG | Optional|
Expand Down Expand Up @@ -337,6 +348,7 @@ The following table lists the configurable parameters in the Helm chart and thei
| `certProvider.caPort` | Certificate Authority (CA) port issuing certificate to application | 15012 | Optional |
| `certProvider.trustDomain` | SPIFFE Trust Domain | cluster.local | Optional |
| `certProvider.certTTLinHours` | Validity of certificate generated by xds-adaptor and signed by Istiod (Istio Citadel) in hours. Default is 30 days validity | 720 | Optional |
| `certProvider.jwtPolicy` | Service Account token type. Kubernetes platform supports First party tokens and Third party tokens. | first-party-jwt | Optional |
| `certProvider.clusterId` | clusterId is the ID of the cluster where Istiod CA instance resides (default Kubernetes). It can be different value on some cloud platforms or in multicluster environments. For example, in Anthos servicemesh, it might be of the format of `cn<project-name>-<region>-<cluster_name>`. In multiCluster environments, it is the value of global.multiCluster.clusterName provided during servicemesh control plane installation | Kubernetes | Optional |
| `certProvider.jwtPolicy` | Service Account token type. Kubernetes platform supports First party tokens and Third party tokens. Usually public cloud based Kubernetes has third-party-jwt | null | Optional |
| `secretName` | Name of the Kubernetes secret holding Citrix ADC credentials | nsloginegress | Mandatory for Citrix ADC VPX/MPX |
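Review bot: the `certProvider.jwtPolicy` row documents the default as `null`, but with the value unset the new `jwtValue` helper in `_helpers.tpl` selects `first-party-jwt` when the cluster version satisfies `<1.21.x` and `third-party-jwt` otherwise; the Default column should say so, for example `auto-detected (first-party-jwt below Kubernetes v1.21, otherwise third-party-jwt)`. The helper's own comment also notes that cloud versions carrying a suffix such as `-eks-xxxxxx` fail the `<1.21.x` check and are therefore treated as third-party-jwt; that is exactly the kind of behaviour a reader of this table needs, more than the "usually public cloud" hint in the description.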
20 changes: 20 additions & 0 deletions citrix-adc-istio-egress-gateway/templates/_helpers.tpl
Expand Up @@ -33,3 +33,23 @@
{{- $match := .Values.egressGateway.netscalerUrl | toString | regexFind "//.*[:]*" -}}
{{- $match | trimAll ":" | trimAll "/" -}}
{{- end -}}

{{/* Below function is used to identify default value of jwtPolicy if not provided.
* For on-prem Kubernetes v1.21+, it is third-party-jwt. Else first-party-jwt.
* Note: Don't just do "helm template" to generate yaml file. Else https://github.com/helm/helm/issues/7991
* is possible. Use "helm template --validate" or "helm install --dry-run --debug".
* Note2: For cloud environments, semverCompare should be ideally done with "<1.21.x-x" as
* Kubernetes version is generally of the format v1.20.7-eks-xxxxxx. So, it fails the "v1.21.x" check but that's fine
* as in cloud environments third-party-jwt is enabled.
*/}}
{{- define "jwtValue" -}}
{{- if .Values.certProvider.jwtPolicy -}}
{{- printf .Values.certProvider.jwtPolicy -}}
{{- else -}}
{{- if semverCompare "<1.21.x" .Capabilities.KubeVersion.Version -}}
{{- printf "first-party-jwt" -}}
{{- else -}}
{{- printf "third-party-jwt" -}}
{{- end -}}
{{- end -}}
{{- end -}}
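Review bot: `printf .Values.certProvider.jwtPolicy` passes a user-supplied value as the printf format string, so a value containing `%` would be mangled rather than rendered; use `{{- .Values.certProvider.jwtPolicy -}}` or `printf "%s" .Values.certProvider.jwtPolicy`. Since only two values are meaningful, this helper is also the natural place to reject anything else, e.g. `{{- fail "certProvider.jwtPolicy must be first-party-jwt or third-party-jwt" -}}` when the value matches neither, instead of silently emitting it into `JWT_POLICY`. Finally, the Note2 caveat is doing real work: a version such as `v1.20.7-eks-xxxxxx` does not satisfy `<1.21.x` and so lands in the third-party-jwt branch regardless of its numeric version; that rule belongs in the README as well, not only in a template comment.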
Expand Up @@ -6,6 +6,7 @@ metadata:
namespace: {{.Release.Namespace}}
labels:
app: {{default "citrix-egressgateway" .Values.egressGateway.label}}
deployment: "cpx-egressgateway" # This label is useful in ServiceGraph
spec:
replicas: 1
selector:
Expand Down Expand Up @@ -36,7 +37,8 @@ spec:
configMap:
defaultMode: 0777
name: istio-ca-root-cert
{{- if eq .Values.certProvider.jwtPolicy "third-party-jwt" }}
{{- $jwtpolicy := include "jwtValue" . }}
{{- if eq $jwtpolicy "third-party-jwt" }}
- name: istio-token
projected:
sources:
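Review bot: `{{- $jwtpolicy := include "jwtValue" . }}` is re-evaluated in each of the four `if` blocks of this file (this volumes section, the two container mount lists, and the later volumes section). Computing it once near the top of the template and reusing `$jwtpolicy` avoids running the semver check four times and keeps the four conditions from drifting if one of them is edited later.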
Expand Down Expand Up @@ -135,7 +137,7 @@ spec:
- name: CERT_TTL_IN_HOURS
value: {{ .Values.certProvider.certTTLinHours | quote }}
- name: JWT_POLICY
value: {{ .Values.certProvider.jwtPolicy | default "first-party-jwt" | quote }} # third-party-jwt if Kubernetes cluster supports third-party tokens
value: {{ include "jwtValue" . | quote }} # If value not provided then third-party-jwt for v>=1.21 otherwise first-party-jwt
{{- end }}
{{- if eq .Values.coe.coeTracing true }}
- name: COE_TRACING
Expand Down Expand Up @@ -174,7 +176,8 @@ spec:
- mountPath: /etc/istio/egressgateway-ca-certs # Make sure that Gateway definition has this path mentioned in server.tls section for MUTUAL TLS
name: citrix-egressgateway-ca-certs
readOnly: true
{{- if eq .Values.certProvider.jwtPolicy "third-party-jwt" }}
{{- $jwtpolicy := include "jwtValue" . }}
{{- if eq $jwtpolicy "third-party-jwt" }}
- mountPath: /var/run/secrets/tokens
name: istio-token
{{- end }}
Expand Down Expand Up @@ -322,7 +325,7 @@ spec:
- name: CERT_TTL_IN_HOURS
value: {{ .Values.certProvider.certTTLinHours | quote }}
- name: JWT_POLICY
value: {{ .Values.certProvider.jwtPolicy | default "first-party-jwt" | quote }} # third-party-jwt if Kubernetes cluster supports third-party tokens
value: {{ include "jwtValue" . | quote }} # third-party-jwt if Kubernetes cluster supports third-party tokens
{{- end }}
{{- if eq .Values.coe.coeTracing true }}
- name: COE_TRACING
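Review bot: the trailing comment on this `JWT_POLICY` line still reads `third-party-jwt if Kubernetes cluster supports third-party tokens`, whereas the equivalent line in the earlier container was updated to describe the new default rule (third-party-jwt for v>=1.21, otherwise first-party-jwt). Align the two comments so both containers document the same behaviour.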
Expand Down Expand Up @@ -393,7 +396,8 @@ spec:
name: certs
- name: istiod-ca-cert
mountPath: /etc/rootcert/
{{- if eq .Values.certProvider.jwtPolicy "third-party-jwt" }}
{{- $jwtpolicy := include "jwtValue" . }}
{{- if eq $jwtpolicy "third-party-jwt" }}
- mountPath: /var/run/secrets/tokens
name: istio-token
{{- end }}
Expand Down Expand Up @@ -431,7 +435,8 @@ spec:
optional: true
secretName: "citrix-adc-cert" # IMPORTANT: This secret MUST BE created before deploying gateway and egress-gateway
{{- end }}
{{- if eq .Values.certProvider.jwtPolicy "third-party-jwt" }}
{{- $jwtpolicy := include "jwtValue" . }}
{{- if eq $jwtpolicy "third-party-jwt" }}
- name: istio-token
projected:
sources:
3 changes: 3 additions & 0 deletions citrix-adc-istio-egress-gateway/templates/egress-service.yaml
Expand Up @@ -25,6 +25,9 @@ metadata:
annotations:
labels:
app: {{ .Values.egressGateway.label | default "citrix-egressgateway" }}
{{- if eq .Values.citrixCPX true }}
deployment: "cpx-egressgateway" # This label is useful in ServiceGraph
{{- end }}
spec:
ports:
- port: 80
4 changes: 2 additions & 2 deletions citrix-adc-istio-egress-gateway/values.yaml
Expand Up @@ -24,7 +24,7 @@ istioPilot:


xDSAdaptor:
image: quay.io/citrix/citrix-xds-adaptor:0.9.8
image: quay.io/citrix/citrix-xds-adaptor:0.9.9
imagePullPolicy: IfNotPresent
proxyType: router
secureConnect: true
Expand All @@ -38,7 +38,7 @@ certProvider:
trustDomain: cluster.local
certTTLinHours: 720
clusterId: Kubernetes
jwtPolicy: first-party-jwt #specify third-party-jwt if Kubernetes cluster supports third-party tokens
jwtPolicy: #specify third-party-jwt if Kubernetes cluster supports third-party tokens


egressGateway:
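Review bot: with `jwtPolicy:` now left empty, the inline comment `#specify third-party-jwt if Kubernetes cluster supports third-party tokens` no longer explains what an empty value means; reword it to say that a blank value is auto-detected from the Kubernetes version by the `jwtValue` helper and that setting `first-party-jwt` or `third-party-jwt` explicitly overrides that detection. A blank YAML value is null, which the helper's `{{- if .Values.certProvider.jwtPolicy -}}` correctly treats as unset, so no further change is needed there.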
6 changes: 3 additions & 3 deletions citrix-adc-istio-ingress-gateway/Chart.yaml
@@ -1,9 +1,9 @@
apiVersion: v2
appVersion: "1.9.2"
kubeVersion: ">=v1.16 < v1.22"
appVersion: "1.11.0"
kubeVersion: ">=v1.16.0-0"
description: A Helm chart for Citrix ADC as Ingress Gateway installation in Istio Service Mesh on Kubernetes platform
name: citrix-adc-istio-ingress-gateway
version: 1.9.2
version: 1.11.0
icon: https://raw.githubusercontent.com/citrix/citrix-helm-charts/gh-pages/icon.png
home: https://www.citrix.com
sources:
34 changes: 24 additions & 10 deletions citrix-adc-istio-ingress-gateway/README.md
Expand Up @@ -13,12 +13,13 @@ Citrix Application Delivery Controller (ADC) can be deployed as an Istio Ingress
8. [Visualizing statistics of Citrix ADC Ingress Gateway with Metrics Exporter](#visualizing-statistics-of-citrix-adc-ingress-gateway-with-metrics-exporter)
9. [Exposing services running on non-HTTP ports](#exposing-services-running-on-non-http-ports)
10. [Generate Certificate for Ingress Gateway](#generate-certificate-for-ingress-gateway)
11. [Citrix ADC CPX License Provisioning](#citrix-adc-cpx-license-provisioning)
12. [Service Graph configuration](#configuration-for-servicegraph)
13. [Citrix ADC as Ingress Gateway: a sample deployment](#citrix-adc-as-ingress-gateway-a-sample-deployment)
14. [Uninstalling the Helm chart](#uninstalling-the-helm-chart)
15. [Citrix ADC VPX/MPX Certificate Verification](#citrix-adc-vpx-or-mpx-certificate-verification)
16. [Configuration Parameters](#configuration-parameters)
11. [Configure Third Party Service Account Tokens](#using-third-party-service-account-tokens)
12. [Citrix ADC CPX License Provisioning](#citrix-adc-cpx-license-provisioning)
13. [Service Graph configuration](#configuration-for-servicegraph)
14. [Citrix ADC as Ingress Gateway: a sample deployment](#citrix-adc-as-ingress-gateway-a-sample-deployment)
15. [Uninstalling the Helm chart](#uninstalling-the-helm-chart)
16. [Citrix ADC VPX/MPX Certificate Verification](#citrix-adc-vpx-or-mpx-certificate-verification)
17. [Configuration Parameters](#configuration-parameters)


## <a name="tldr">TL; DR;</a>
Expand All @@ -31,6 +32,8 @@ Citrix Application Delivery Controller (ADC) can be deployed as an Istio Ingress

helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES --set ingressGateway.netscalerUrl=https://<nsip>[:port] --set ingressGateway.vserverIP=<IPv4 Address> --set secretName=nslogin



### To deploy Citrix ADC CPX as an Ingress Gateway:

helm repo add citrix https://citrix.github.io/citrix-helm-charts/
Expand All @@ -42,13 +45,23 @@ Citrix Application Delivery Controller (ADC) can be deployed as an Istio Ingress

This chart deploys Citrix ADC VPX, MPX, or CPX as an Ingress Gateway in the Istio service mesh using the Helm package manager. For detailed information on different deployment options, see [Deployment Architecture](https://github.com/citrix/citrix-istio-adaptor/blob/master/docs/istio-integration/architecture.md).

### Compatibility Matrix between Citrix xDS-adaptor and Istio version

Below table provides info about recommended Citrix xDS-Adaptor version to be used for various Istio versions.

| Citrix xDS-Adaptor version | Istio version |
|----------------------------|---------------|
| quay.io/citrix/citrix-xds-adaptor:0.9.9 | Istio v1.10+ |
| quay.io/citrix/citrix-xds-adaptor:0.9.8 | Istio v1.8 to Istio v1.9 |
| quay.io/citrix/citrix-xds-adaptor:0.9.5 | Istio v1.6 |

### Prerequisites

The following prerequisites are required for deploying Citrix ADC as an Ingress Gateway in Istio service mesh:

- Ensure that **Istio version 1.8 onwards** is installed
- Ensure that Helm with version 3.x is installed. Follow this [step](https://github.com/citrix/citrix-helm-charts/blob/master/Helm_Installation_version_3.md) to install the same.
- Ensure that your cluster Kubernetes version should be in range 1.16 to 1.21 and the `admissionregistration.k8s.io/v1`, `admissionregistration.k8s.io/v1beta1` API is enabled
- Ensure that your cluster Kubernetes version should be above 1.16 and the `admissionregistration.k8s.io/v1`, `admissionregistration.k8s.io/v1beta1` API is enabled

You can verify the API by using the following command:

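Review bot: `Kubernetes version should be above 1.16` reads as excluding 1.16 itself, while the egress README changed in this commit says `1.16 onwards` and Chart.yaml now allows `>=v1.16.0-0`; use `1.16 or later` here so the three agree. The `admissionregistration.k8s.io/v1beta1` requirement has the same problem as in the egress README: that API version is removed in Kubernetes 1.22, so keeping it alongside the relaxed version range produces a prerequisite that newer clusters cannot meet.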
Expand Down Expand Up @@ -297,7 +310,7 @@ Kubernetes supports two forms of these tokens:
```
helm repo add citrix https://citrix.github.io/citrix-helm-charts/

helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES --set certProvider.caAddr="istiod.istio-system.svc" --set certProvider.jwtPolicy="third-party-jwt"
helm install citrix-adc-istio-ingress-gateway citrix/citrix-adc-istio-ingress-gateway --namespace citrix-system --set ingressGateway.EULA=YES --set citrixCPX=true --set certProvider.caAddr="istiod.istio-system.svc" --set certProvider.jwtPolicy="third-party-jwt"

```
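Review bot: with the `jwtValue` helper introduced in this commit, the explicit `--set certProvider.jwtPolicy="third-party-jwt"` in this example is an override rather than a requirement; a sentence stating when it is still needed (a cluster whose version string the helper's `<1.21.x` check misclassifies) would keep this section consistent with the new default. The command itself now targets the ingress-gateway chart instead of the sidecar injector, which is the correct chart for this README.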
Expand Down Expand Up @@ -413,7 +426,7 @@ The following table lists the configurable parameters in the Helm chart and thei
| Parameter | Description | Default | Optional/Mandatory |
|--------------------------------|-------------------------------|---------------------------|---------------------------|
| `citrixCPX` | Citrix ADC CPX | FALSE | Mandatory for Citrix ADC CPX |
| `xDSAdaptor.image` | Image of the Citrix xDS adaptor container |quay.io/citrix/citrix-xds-adaptor:0.9.8 | Mandatory|
| `xDSAdaptor.image` | Image of the Citrix xDS adaptor container (Refer compatibility matrix) |quay.io/citrix/citrix-xds-adaptor:0.9.9 | Mandatory|
| `xDSAdaptor.imagePullPolicy` | Image pull policy for xDS adaptor | IfNotPresent | Optional|
| `xDSAdaptor.secureConnect` | If this value is set to true, xDS-adaptor establishes secure gRPC channel with Istio Pilot | TRUE | Optional|
| `xDSAdaptor.logLevel` | Log level to be set for xDS-adaptor log messages. Possible values: TRACE (most verbose), DEBUG, INFO, WARN, ERROR (least verbose) | DEBUG | Optional|
Expand Down Expand Up @@ -459,7 +472,8 @@ The following table lists the configurable parameters in the Helm chart and thei
| `certProvider.caPort` | Certificate Authority (CA) port issuing certificate to application | 15012 | Optional |
| `certProvider.trustDomain` | SPIFFE Trust Domain | cluster.local | Optional |
| `certProvider.certTTLinHours` | Validity of certificate generated by xds-adaptor and signed by Istiod (Istio Citadel) in hours. Default is 30 days validity | 720 | Optional |
| `certProvider.jwtPolicy` | Service Account token type. Kubernetes platform supports First party tokens and Third party tokens. | first-party-jwt | Optional |
| `certProvider.clusterId` | clusterId is the ID of the cluster where Istiod CA instance resides (default Kubernetes). It can be different value on some cloud platforms or in multicluster environments. For example, in Anthos servicemesh, it might be of the format of `cn<project-name>-<region>-<cluster_name>`. In multiCluster environments, it is the value of global.multiCluster.clusterName provided during servicemesh control plane installation | Kubernetes | Optional |
| `certProvider.jwtPolicy` | Service Account token type. Kubernetes platform supports First party tokens and Third party tokens. Usually public cloud based Kubernetes has third-party-jwt | null | Optional |
| `secretName` | Name of the Kubernetes secret holding Citrix ADC credentials | nslogin | Mandatory for Citrix ADC VPX/MPX |
**Note:** You can use the `values.yaml` file packaged in the chart. This file contains the default configuration values for the chart.
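Review bot: as in the egress README, the `null` default shown for `certProvider.jwtPolicy` hides the actual behaviour; when unset, the chart's `jwtValue` helper picks `first-party-jwt` for cluster versions satisfying `<1.21.x` and `third-party-jwt` otherwise (including versions with a cloud suffix, which fail that check). State that rule in the Default column, and consider pointing the description at the new "Configure Third Party Service Account Tokens" section added to the table of contents in this commit.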