diff --git a/adm-agent/Chart.yaml b/adm-agent/Chart.yaml index eb6e73e..c13fc46 100644 --- a/adm-agent/Chart.yaml +++ b/adm-agent/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 141.31.38 +appVersion: 141.37.40 description: A Helm chart for NetScaler ADM Agent home: https://adm.cloud.com kubeVersion: '>=v1.16.0-0' @@ -11,4 +11,4 @@ maintainers: name: swapnil name: adm-agent type: application -version: 141.31.38 +version: 141.37.40 diff --git a/adm-agent/README.md b/adm-agent/README.md index e35e651..0702894 100644 --- a/adm-agent/README.md +++ b/adm-agent/README.md @@ -129,7 +129,7 @@ The following table provides the configurable parameters and their default value |--------------------------------|-------------------------------|---------------------------| | `imageRegistry` | Image registry of the ADM agent onboarding container | `quay.io` | | `imageRepository` | Image repository of the ADM agent onboarding container | `citrix/adm-agent` | -| `imageTag` | Image tag of the ADM agent container | `141.31.38` | +| `imageTag` | Image tag of the ADM agent container | `141.37.40` | | `pullPolicy` | Specifies the image pull policy for ADM agent. | IfNotPresent | | `accessSecret`| Specifies the ID and Secret to access ADM Service.| Nil| | `loginSecret`| Specifies the login Secret of NetScaler ADM agent.| Nil| diff --git a/adm-agent/values.yaml b/adm-agent/values.yaml index a7cda96..1636289 100644 --- a/adm-agent/values.yaml +++ b/adm-agent/values.yaml @@ -4,7 +4,7 @@ imageRegistry: quay.io imageRepository: citrix/adm-agent -imageTag: 14.1-31.38 +imageTag: 14.1-37.40 image: "{{ .Values.imageRegistry }}/{{ .Values.imageRepository }}:{{ .Values.imageTag }}" pullPolicy: IfNotPresent diff --git a/netscaler-cpx-with-ingress-controller/Chart.yaml b/netscaler-cpx-with-ingress-controller/Chart.yaml index 5013aa1..0d95557 100644 --- a/netscaler-cpx-with-ingress-controller/Chart.yaml +++ b/netscaler-cpx-with-ingress-controller/Chart.yaml 
@@ -1,9 +1,9 @@ apiVersion: v2 -appVersion: "2.1.4" +appVersion: "2.2.10" kubeVersion: ">=v1.16.0-0" description: A Helm chart for NetScaler CPX with NetScaler ingress Controller running as sidecar. name: netscaler-cpx-with-ingress-controller -version: 2.1.4 +version: 2.2.10 icon: https://raw.githubusercontent.com/netscaler/netscaler-helm-charts/gh-pages/netscaler.png home: https://www.netscaler.com sources: diff --git a/netscaler-cpx-with-ingress-controller/README.md b/netscaler-cpx-with-ingress-controller/README.md index 3fbef96..abf31c9 100644 --- a/netscaler-cpx-with-ingress-controller/README.md +++ b/netscaler-cpx-with-ingress-controller/README.md @@ -612,7 +612,7 @@ The following table lists the configurable parameters of the NetScaler CPX with | hostName | Optional | N/A | This entity will be used to set Hostname of the CPX | | nsic.imageRegistry | Mandatory | `quay.io` | The NetScaler ingress controller image registry | | nsic.imageRepository | Mandatory | `netscaler/netscaler-k8s-ingress-controller` | The NetScaler ingress controller image repository | -| nsic.imageTag | Mandatory | `2.1.4` | The NetScaler ingress controller image tag | +| nsic.imageTag | Mandatory | `2.2.10` | The NetScaler ingress controller image tag | | nsic.pullPolicy | Mandatory | IfNotPresent | The NetScaler ingress controller image pull policy. | | nsic.required | Mandatory | true | NSIC to be run as sidecar with NetScaler CPX | | nsic.enableLivenessProbe| Optional | True | Enable liveness probe settings for NetScaler Ingress Controller | 
@@ -653,7 +653,7 @@ The following table lists the configurable parameters of the NetScaler CPX with | entityPrefix | Optional | k8s | The prefix for the resources on the NetScaler CPX. | | ingressClass | Optional | N/A | If multiple ingress load balancers are used to load balance different ingress resources. You can use this parameter to specify NetScaler ingress controller to configure NetScaler associated with specific ingress class. For more information on Ingress class, see [Ingress class support](https://docs.netscaler.com/en-us/citrix-k8s-ingress-controller/configure/ingress-classes/). For Kubernetes version >= 1.19, this will create an IngressClass object with the name specified here | | setAsDefaultIngressClass | Optional | False | Set the IngressClass object as default. New Ingresses without an "ingressClassName" field specified will be assigned the class specified in ingressClass. Applicable only for kubernetes versions >= 1.19 | -| updateIngressStatus | Optional | False | Set this argument if you want to update ingress status of the ingress resources exposed via CPX. This is only applicable if servicetype of CPX service is LoadBalancer. | +| updateIngressStatus | Optional | False | Set this argument if you want to update ingress status of the ingress resources exposed via CPX. | | disableAPIServerCertVerify | Optional | False | Set this parameter to True for disabling API Server certificate verification. | | openshift | Optional | false | Set this argument if OpenShift environment is being used. | | disableOpenshiftRoutes | false | By default Openshift routes are processed in openshift environment, this variable can be used to disable Ingress controller processing the openshift routes. | diff --git a/netscaler-cpx-with-ingress-controller/crds/crds.yaml b/netscaler-cpx-with-ingress-controller/crds/crds.yaml index 02cda1e..553b938 100644 --- a/netscaler-cpx-with-ingress-controller/crds/crds.yaml +++ b/netscaler-cpx-with-ingress-controller/crds/crds.yaml 
@@ -603,11 +603,14 @@ spec: type: string kind: type: string - enum: ["service", "ingress"] + enum: ["service", "ingress", "listener"] description: type: string range-name: type: string + multicluster: + description: "The setting of this indicates that the VIP/csvserver IP address is shared by multiple netscaler ingress controllers on the VPX/MPX. For CPX, this field is not applicable" + type: boolean --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition 
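Review bot: The new `multicluster` field has no `default`, so a VIP object that omits it simply lacks the key and the controller's fallback behaviour is not stated anywhere in the hunk; since the description says a set value means the VIP is shared between several controllers on the same VPX/MPX, the single-owner case should be the explicit default with `default: false` under the field (apiextensions v1 supports defaulting) and a sentence in the description saying that omitted means the VIP is owned by one controller. The description also says the flag is not applicable on CPX but not whether the controller rejects or silently ignores it there — presumably ignores — which is worth spelling out, because a CPX user reading this will otherwise expect some effect. The enclosing CRD and its `spec.properties` mapping start before the hunk.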
@@ -2500,3 +2503,204 @@ spec: resource records that are of the same record type and belong to the specified domain name --- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: icappolicies.citrix.com +spec: + group: citrix.com + names: + kind: icappolicy + plural: icappolicies + singular: icappolicy + scope: Namespaced + versions: + - name: v1beta1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - name: Status + type: string + description: "Current Status of the CRD" + jsonPath: .status.state + - name: Message + type: string + description: "Status Message" + jsonPath: .status.status_message + schema: + openAPIV3Schema: + type: object + properties: + status: + type: object + properties: + state: + type: string + status_message: + type: string + spec: + type: object + properties: + ingressclass: + description: "Ingress class, if not specified then all NetScaler ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" + type: string + maxLength: 127 + services: + type: array + description: 'Name of the services for which the icap policy needs to be bound' + items: + type: string + icap-servers: + type: object + description: "ICAP service for the ICAP server that will be part of the load balancing setup. The service that you add provides the ICAP connection between the NetScaler appliance and load balancing virtual servers." + properties: + servers: + type: array + items: + type: object + properties: + ip: + type: string + description: 'IP of the ICAP Server' + format: ipv4 + port: + type: integer + description: 'Port number of the ICAP Server.' + minimum: 1 + maximum: 65535 + required: + - ip + - port + server-type: + type: string + description: 'Type of ICAP Server.' 
+ enum: ['TCP', 'SSL_TCP'] + default: 'SSL_TCP' + server_host_cert: + description: |+ + 'Name of the SSL certificate to be used with ICAP server. + This certificate is mandatory for server-type SSL_TCP' + type: object + properties: + tls_secret: + type: string + description: 'Name of the Kubernetes Secret of type tls referring to Certificate' + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + preconfigured: + type: string + maxLength: 63 + description: |+ + 'Preconfigured SSL certkey name on NetScaler with the + certificate and key already added on NetScaler' + oneOf: + - required: [tls_secret] + - required: [preconfigured] + required: + - servers + icap: + type: array + items: + type: object + properties: + preconfigured-profile: + description: 'Names of the preconfigured ICAP profile.' + type: string + maxLength: 127 + direction: + description: 'ICAP Mode of operation. It is a mandatory argument while creating an icapprofile.' + type: string + enum: ['REQUEST','RESPONSE'] + profile: + type: object + description: 'ICAP profile(s) of the NetScaler.' + properties: + preview: + description: 'Enable or Disable preview header with ICAP request. This feature allows an ICAP server to see the beginning of a transaction, then decide if it wants to opt-out of the transaction early instead of receiving the remainder of the request message.' + type: string + enum: ["ENABLED", "DISABLED"] + preview-length: + description: 'Value of Preview Header field. NetScaler uses the minimum of this set value and the preview size received on OPTIONS' + type: integer + minimum: 0 + maximum: 4294967294 + uri: + description: 'URI representing icap service. It is a mandatory argument while creating an icapprofile.' + type: string + maxLength: 511 + host-header: + description: 'ICAP Host Header.' 
+ type: string + maxLength: 255 + user-agent-header: + description: 'ICAP User Agent Header' + type: string + maxLength: 255 + query-params: + description: 'Query parameters to be included with ICAP request URI. Entered values should be in arg=value format. For more than one parameters, add & separated values. e.g.: arg1=val1&arg2=val2' + type: string + maxLength: 511 + connection-keep-alive: + description: 'Enable or Disable sending Allow: 204 header in ICAP request.' + type: string + enum: ["ENABLED", "DISABLED"] + insert-icap-headers: + description: 'Insert custom ICAP headers in the ICAP request to send to ICAP server. The headers can be static or can be dynamically constructed using PI Policy Expression. For example, to send static user agent and Client''s IP address, the expression can be specified as "User-Agent: NS-ICAP-Client/V1.0r0-Client-IP: "+CLIENT.IP.SRC+"r0. The NetScaler does not check the validity of the specified header name-value. You must manually validate the specified header syntax.' + type: string + maxLength: 8191 + insert-http-request: + description: 'Exact HTTP request, in the form of an expression, which the NetScaler encapsulates and sends to the ICAP server. If you set this parameter, the ICAP request is sent using only this header. This can be used when the HTTP header is not available to send or ICAP server only needs part of the incoming HTTP request. The request expression is constrained by the feature for which it is used. The NetScaler does not check the validity of this request. You must manually validate the request.' + type: string + maxLength: 8191 + req-timeout: + description: 'Time, in seconds, within which the remote server should respond to the ICAP-request. If the Netscaler does not receive full response with this time, the specified request timeout action is performed. Zero value disables this timeout functionality.' 
+ type: integer + minimum: 0 + maximum: 86400 + req-timeout-action: + description: 'Name of the action to perform if the Vserver/Server representing the remote service does not respond with any response within the timeout value configured. The Supported actions are * BYPASS - This Ignores the remote server response and sends the request/response to Client/Server. * If the ICAP response with Encapsulated headers is not received within the request-timeout value configured, this Ignores the remote ICAP server response and sends the Full request/response to Server/Client' + type: string + enum: ['BYPASS', 'DROP', 'RESET'] + log-action: + description: 'Name of the audit message action which would be evaluated on receiving the ICAP response to emit the logs' + type: string + maxLength: 127 + required: + - uri + content-inspection-criteria: + description: 'Expression that the policy uses to determine whether to execute the specified action.' + type: string + maxLength: 1499 + default-action: + description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). An UNDEF event indicates an internal error condition. Only the above built-in actions can be used' + type: string + maxLength: 127 + log-action: + description: 'Name of the messagelog action to use for requests that match this policy.' + type: string + maxLength: 127 + goto-priority-expression: + description: 'Expression or other value specifying the next policy to be evaluated if the current policy evaluates to TRUE.Specify one of the following values:* NEXT - Evaluate the policy with the next higher priority number.* END - End policy evaluation.Default value of goto-priority-expression: END' + type: string + operation: + description: 'Type of operation this action is going to perform. following actions are available to configure: * ICAP - forward the incoming request or response to an ICAP server for modification. 
* INLINEINSPECTION - forward the incoming or outgoing packets to IPS server for Intrusion Prevention. * MIRROR - Forwards cloned packets for Intrusion Detection. * NOINSPECTION - This does not forward incoming and outgoing packets to the Inspection device. * NSTRACE - capture current and further incoming packets on this transaction.' + type: string + enum: ['ICAP', 'INLINEINSPECTION', 'MIRROR', 'NOINSPECTION'] + server-failure-action: + description: 'Name of the action to perform if the Vserver representing the remote service is not UP. This is not supported for NOINSPECTION Type. The Supported actions are: * RESET - Reset the client connection by closing it. The client program, such as a browser, will handle this and may inform the user. The client may then resend the request if desired. * DROP - Drop the request without sending a response to the user. * CONTINUE - It bypasses the ContentIsnpection and Continues/resumes the Traffic-Flow to Client/Server.' + type: string + enum: ['CONTINUE', 'DROP', 'RESET'] + oneOf: + - required: [preconfigured-profile] + - required: [profile] + required: + - direction + - content-inspection-criteria + - operation + required: + - ingressclass + - services + - icap-servers + - icap +--- diff --git a/netscaler-cpx-with-ingress-controller/templates/_helpers.tpl b/netscaler-cpx-with-ingress-controller/templates/_helpers.tpl index efd154b..193de17 100755 --- a/netscaler-cpx-with-ingress-controller/templates/_helpers.tpl +++ b/netscaler-cpx-with-ingress-controller/templates/_helpers.tpl @@ -90,4 +90,4 @@ Create the name of the service account to use {{- else -}} {{ default "default" .Values.serviceAccount.name }} {{- end -}} -{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/netscaler-cpx-with-ingress-controller/templates/deployment.yaml b/netscaler-cpx-with-ingress-controller/templates/deployment.yaml index c5f1034..0378af0 100644 --- a/netscaler-cpx-with-ingress-controller/templates/deployment.yaml 
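Review bot: `server-type` defaults to `SSL_TCP` and `server_host_cert` is documented as mandatory for that type, but the schema does not enforce the dependency, so a spec without a certificate is admitted and only fails when the controller configures NetScaler; a structural `anyOf` under `icap-servers` expresses it at admission time: `anyOf: [{properties: {server-type: {enum: ['TCP']}}}, {required: [server_host_cert]}]`. Whether the ICAP server's own TLS certificate is verified is not stated anywhere — presumably the bound certkey is a client certificate rather than a trust anchor — and the `server_host_cert` description should say which. The top-level `required` list includes `ingressclass`, contradicting its description "if not specified then all NetScaler ingress controllers in the cluster will process the resource"; one of the two must change. `operation`'s description lists `NSTRACE` although the enum omits it, and `goto-priority-expression` is the only expression field without a `maxLength`. Since `content-inspection-criteria`, `insert-icap-headers` and `insert-http-request` are passed to NetScaler unvalidated (their own descriptions say so), the CRD description should state plainly that create rights on `icappolicies` amount to authoring arbitrary policy expressions on the appliance.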
+++ b/netscaler-cpx-with-ingress-controller/templates/deployment.yaml @@ -158,6 +158,8 @@ spec: - name: "LIVENESS_FILE_PATH" value: '/tmp/liveness_path.log' {{- end }} + - name: "ENABLE_LIVENESS_PROBE" + value: {{ .Values.nsic.enableLivenessProbe | quote }} {{- if .Values.analyticsConfig.timeseries.metrics.enableNativeScrape }} - name: "PROM_USER" valueFrom: @@ -305,13 +307,8 @@ spec: {{ .Release.Namespace }}/{{ .Values.defaultSSLSNICertSecret }} {{- end }} {{- if .Values.updateIngressStatus }} -{{- if .Values.cpxBgpRouter }} - --update-ingress-status yes -{{- else }} - - --cpx-service - {{ .Release.Namespace }}/{{ include "cpxservice.fullname" . }} -{{- end }} {{- end }} volumeMounts: - mountPath: /var/deviceinfo @@ -399,6 +396,7 @@ metadata: labels: app: cpx-service service-type: {{ include "cpxservicemonitorlabel" . }} + cpx: {{ include "netscaler-cpx-ingress-controller.fullname" . }} {{- if .Values.serviceAnnotations }} annotations: {{- with .Values.serviceAnnotations }} @@ -406,15 +404,16 @@ metadata: {{- end }} {{- end }} spec: -{{- if or .Values.serviceType.loadBalancer.enabled ( and (.Values.updateIngressStatus) (not .Values.cpxBgpRouter)) }} +{{- if or .Values.serviceType.loadBalancer.enabled .Values.serviceType.nodePort.enabled }} externalTrafficPolicy: {{ .Values.serviceSpec.externalTrafficPolicy }} +{{- end }} +{{- if .Values.serviceType.loadBalancer.enabled }} type: LoadBalancer {{- if .Values.serviceSpec.loadBalancerIP }} loadBalancerIP: {{ .Values.serviceSpec.loadBalancerIP }} {{- end }} {{- else if .Values.serviceType.nodePort.enabled }} type: NodePort - externalTrafficPolicy: {{ .Values.serviceSpec.externalTrafficPolicy }} {{- end }} {{- if and .Values.serviceType.loadBalancer.enabled .Values.serviceSpec.loadBalancerSourceRanges }} loadBalancerSourceRanges: diff --git a/netscaler-cpx-with-ingress-controller/templates/rbac.yaml b/netscaler-cpx-with-ingress-controller/templates/rbac.yaml index b2e4ebe..abb2129 100644 
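Review bot: Dropping the `--cpx-service <ns>/<name>` argument in the `@@ -305` hunk leaves no explicit handoff of the Service reference to the controller; the new `cpx: {{ include "netscaler-cpx-ingress-controller.fullname" . }}` label in the `@@ -399` hunk is presumably what the controller now selects on, but that coupling is invisible in the template, so a comment above the label such as `# selected by NSIC to resolve the CPX Service for --update-ingress-status` would make it explicit. Label values are limited to 63 characters of `[A-Za-z0-9._-]`, so this only renders a valid Service if the fullname helper truncates — worth confirming, since the helper is outside the hunk. With `--update-ingress-status yes` now passed for every service type, the README no longer restricts the feature to LoadBalancer, but what address is written into ingress status for a ClusterIP Service is not stated and a short note in the README row would help. The `externalTrafficPolicy` move is right: the field is only valid on LoadBalancer/NodePort Services and the old `updateIngressStatus` branch could emit it on a ClusterIP Service.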
--- a/netscaler-cpx-with-ingress-controller/templates/rbac.yaml +++ b/netscaler-cpx-with-ingress-controller/templates/rbac.yaml @@ -41,10 +41,10 @@ rules: resources: ["deployments"] verbs: ["get", "list", "watch"] - apiGroups: ["citrix.com"] - resources: ["rewritepolicies", "continuousdeployments", "authpolicies", "ratelimits", "listeners", "httproutes", "wafs", "apigatewaypolicies", "bots", "corspolicies", "appqoepolicies", "wildcarddnsentries"] + resources: ["rewritepolicies", "icappolicies", "continuousdeployments", "authpolicies", "ratelimits", "listeners", "httproutes", "wafs", "apigatewaypolicies", "bots", "corspolicies", "appqoepolicies", "wildcarddnsentries"] verbs: ["get", "list", "watch", "create", "delete", "patch"] - apiGroups: ["citrix.com"] - resources: ["rewritepolicies/status", "continuousdeployments/status", "authpolicies/status", "ratelimits/status", "listeners/status", "httproutes/status", "wafs/status", "apigatewaypolicies/status", "bots/status", "corspolicies/status", "appqoepolicies/status", "wildcarddnsentries/status"] + resources: ["rewritepolicies/status", "icappolicies/status", "continuousdeployments/status", "authpolicies/status", "ratelimits/status", "listeners/status", "httproutes/status", "wafs/status", "apigatewaypolicies/status", "bots/status", "corspolicies/status", "appqoepolicies/status", "wildcarddnsentries/status"] verbs: ["patch"] - apiGroups: ["citrix.com"] resources: ["vips"] diff --git a/netscaler-cpx-with-ingress-controller/values.yaml b/netscaler-cpx-with-ingress-controller/values.yaml index 3e292b3..6e57ed3 100644 --- a/netscaler-cpx-with-ingress-controller/values.yaml +++ b/netscaler-cpx-with-ingress-controller/values.yaml @@ -56,8 +56,6 @@ disableAPIServerCertVerify: False cpxLicenseAggregator: "" -sslCertManagedByAWS: False - nodeSelector: key: "" value: "" 
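Review bot: `icappolicies` is added to the rule that grants `create` and `delete` as well as `patch`, yet the controller consumes these objects (it reads them and patches `icappolicies/status` via the rule below), so `get`/`list`/`watch` plus the status `patch` should suffice; unless the controller actually creates or removes icappolicy objects — not evident from this hunk — the new resource belongs in a separate rule with `verbs: ["get", "list", "watch"]`. Anyone who compromises the controller Pod otherwise gains the ability to delete every ICAP inspection policy the role can see, which is exactly the class of resource to keep tamper-resistant. The `rules:` list and the role kind (Role vs ClusterRole) start before the hunk, so the blast radius cannot be read from here.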
@@ -84,7 +82,7 @@ servicePorts: [] nsic: imageRegistry: quay.io imageRepository: netscaler/netscaler-k8s-ingress-controller - imageTag: 2.1.4 + imageTag: 2.2.10 image: "{{ .Values.nsic.imageRegistry }}/{{ .Values.nsic.imageRepository }}:{{ .Values.nsic.imageTag }}" pullPolicy: IfNotPresent required: true @@ -127,9 +125,9 @@ nsic: failureThreshold: 3 successThreshold: 1 -entityPrefix: "" +entityPrefix: '' license: - accept: no + accept: no ingressClass: [] setAsDefaultIngressClass: False # nitroReadTimeout is timeout value in seconds for nitro api read timeout(default is 20) diff --git a/netscaler-gslb-controller/Chart.yaml b/netscaler-gslb-controller/Chart.yaml index 9c6a5b9..f5d276a 100644 --- a/netscaler-gslb-controller/Chart.yaml +++ b/netscaler-gslb-controller/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v1 -appVersion: "2.1.4" +appVersion: "2.2.10" description: A Helm chart for NetScaler GSLB Controller configuring MPX/VPX. name: netscaler-gslb-controller -version: 2.1.4 +version: 2.2.10 icon: https://raw.githubusercontent.com/netscaler/netscaler-helm-charts/gh-pages/netscaler.png home: https://www.cloud.com maintainers: diff --git a/netscaler-gslb-controller/README.md b/netscaler-gslb-controller/README.md index e1dd179..1dee95a 100644 --- a/netscaler-gslb-controller/README.md +++ b/netscaler-gslb-controller/README.md 
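Review bot: `accept: no` in the `@@ -127` hunk is a YAML 1.1 boolean, so Helm loads `license.accept` as `false` rather than the string `"no"`; the README's instruction to "Set `yes`" then produces the boolean `true` when written in a values file, which a string comparison in the template (`eq .Values.license.accept "yes"`, if that is what it does — the template is outside this view) will not match, while `--set license.accept=yes` yields a string and does. Quoting the default, `accept: "no"`, and documenting `"yes"` removes the ambiguity; the same hunk already switches `entityPrefix` to a quoted `''`, so the file is moving toward explicit strings anyway. The `- accept: no` / `+ accept: no` pair shows no visible textual change, so it is presumably a trailing-whitespace fix.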
@@ -198,7 +198,7 @@ The following table lists the mandatory and optional parameters that you can con | license.accept | Mandatory | no | Set `yes` to accept the NSIC end user license agreement. | | imageRegistry | Optional | `quay.io` | The NetScaler ingress controller image registry | | imageRepository | Optional | `netscaler/netscaler-k8s-ingress-controller` | The NetScaler ingress controller image repository | -| imageTag | Optional | `2.1.4` | The NetScaler ingress controller image tag | +| imageTag | Optional | `2.2.10` | The NetScaler ingress controller image tag | | pullPolicy | Optional | Always | The NSIC image pull policy. | | imagePullSecrets | Optional | N/A | Provide list of Kubernetes secrets to be used for pulling the images from a private Docker registry or repository. For more information on how to create this secret please see [Pull an Image from a Private Registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/). | | nsIP | Optional | N/A | The IP address of the NetScaler device. For details, see [Prerequisites](#prerequistes). | diff --git a/netscaler-gslb-controller/values.yaml b/netscaler-gslb-controller/values.yaml index 6863e20..2984fc2 100644 --- a/netscaler-gslb-controller/values.yaml +++ b/netscaler-gslb-controller/values.yaml @@ -5,7 +5,7 @@ # image contains information needed to fetch NSIC image imageRegistry: quay.io imageRepository: netscaler/netscaler-k8s-ingress-controller -imageTag: 2.1.4 +imageTag: 2.2.10 image: "{{ .Values.imageRegistry }}/{{ .Values.imageRepository }}:{{ .Values.imageTag }}" pullPolicy: IfNotPresent imagePullSecrets: [] diff --git a/netscaler-ingress-controller/Chart.yaml b/netscaler-ingress-controller/Chart.yaml index b9111ad..899fa02 100644 --- a/netscaler-ingress-controller/Chart.yaml +++ b/netscaler-ingress-controller/Chart.yaml 
@@ -1,9 +1,9 @@ apiVersion: v2 -appVersion: "2.1.4" +appVersion: "2.2.10" kubeVersion: ">=v1.16.0-0" description: A Helm chart for NetScaler Ingress Controller configuring MPX/VPX. name: netscaler-ingress-controller -version: 2.1.4 +version: 2.2.10 icon: https://raw.githubusercontent.com/netscaler/netscaler-helm-charts/gh-pages/netscaler.png home: https://www.netscaler.com sources: diff --git a/netscaler-ingress-controller/README.md b/netscaler-ingress-controller/README.md index 227f2ab..2567065 100644 --- a/netscaler-ingress-controller/README.md +++ b/netscaler-ingress-controller/README.md @@ -342,7 +342,7 @@ The following table lists the mandatory and optional parameters that you can con | license.accept | Mandatory | no | Set `yes` to accept the NSIC end user license agreement. | | imageRegistry | Mandatory | `quay.io` | The NetScaler ingress controller image registry | | imageRepository | Mandatory | `netscaler/netscaler-k8s-ingress-controller` | The NetScaler ingress controller image repository | -| imageTag | Mandatory | `2.1.4` | The NetScaler ingress controller image tag | +| imageTag | Mandatory | `2.2.10` | The NetScaler ingress controller image tag | | pullPolicy | Mandatory | IfNotPresent | The NSIC image pull policy. | | imagePullSecrets | Optional | N/A | Provide list of Kubernetes secrets to be used for pulling the images from a private Docker registry or repository. For more information on how to create this secret please see [Pull an Image from a Private Registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/). | | nameOverride | Optional | N/A | String to partially override deployment fullname template with a string (will prepend the release name) | diff --git a/netscaler-ingress-controller/crds/crds.yaml b/netscaler-ingress-controller/crds/crds.yaml index 02cda1e..553b938 100644 --- a/netscaler-ingress-controller/crds/crds.yaml +++ b/netscaler-ingress-controller/crds/crds.yaml 
@@ -603,11 +603,14 @@ spec: type: string kind: type: string - enum: ["service", "ingress"] + enum: ["service", "ingress", "listener"] description: type: string range-name: type: string + multicluster: + description: "The setting of this indicates that the VIP/csvserver IP address is shared by multiple netscaler ingress controllers on the VPX/MPX. For CPX, this field is not applicable" + type: boolean --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition 
@@ -2500,3 +2503,204 @@ spec: resource records that are of the same record type and belong to the specified domain name --- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: icappolicies.citrix.com +spec: + group: citrix.com + names: + kind: icappolicy + plural: icappolicies + singular: icappolicy + scope: Namespaced + versions: + - name: v1beta1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - name: Status + type: string + description: "Current Status of the CRD" + jsonPath: .status.state + - name: Message + type: string + description: "Status Message" + jsonPath: .status.status_message + schema: + openAPIV3Schema: + type: object + properties: + status: + type: object + properties: + state: + type: string + status_message: + type: string + spec: + type: object + properties: + ingressclass: + description: "Ingress class, if not specified then all NetScaler ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" + type: string + maxLength: 127 + services: + type: array + description: 'Name of the services for which the icap policy needs to be bound' + items: + type: string + icap-servers: + type: object + description: "ICAP service for the ICAP server that will be part of the load balancing setup. The service that you add provides the ICAP connection between the NetScaler appliance and load balancing virtual servers." + properties: + servers: + type: array + items: + type: object + properties: + ip: + type: string + description: 'IP of the ICAP Server' + format: ipv4 + port: + type: integer + description: 'Port number of the ICAP Server.' + minimum: 1 + maximum: 65535 + required: + - ip + - port + server-type: + type: string + description: 'Type of ICAP Server.' 
+ enum: ['TCP', 'SSL_TCP'] + default: 'SSL_TCP' + server_host_cert: + description: |+ + 'Name of the SSL certificate to be used with ICAP server. + This certificate is mandatory for server-type SSL_TCP' + type: object + properties: + tls_secret: + type: string + description: 'Name of the Kubernetes Secret of type tls referring to Certificate' + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + preconfigured: + type: string + maxLength: 63 + description: |+ + 'Preconfigured SSL certkey name on NetScaler with the + certificate and key already added on NetScaler' + oneOf: + - required: [tls_secret] + - required: [preconfigured] + required: + - servers + icap: + type: array + items: + type: object + properties: + preconfigured-profile: + description: 'Names of the preconfigured ICAP profile.' + type: string + maxLength: 127 + direction: + description: 'ICAP Mode of operation. It is a mandatory argument while creating an icapprofile.' + type: string + enum: ['REQUEST','RESPONSE'] + profile: + type: object + description: 'ICAP profile(s) of the NetScaler.' + properties: + preview: + description: 'Enable or Disable preview header with ICAP request. This feature allows an ICAP server to see the beginning of a transaction, then decide if it wants to opt-out of the transaction early instead of receiving the remainder of the request message.' + type: string + enum: ["ENABLED", "DISABLED"] + preview-length: + description: 'Value of Preview Header field. NetScaler uses the minimum of this set value and the preview size received on OPTIONS' + type: integer + minimum: 0 + maximum: 4294967294 + uri: + description: 'URI representing icap service. It is a mandatory argument while creating an icapprofile.' + type: string + maxLength: 511 + host-header: + description: 'ICAP Host Header.' 
+ type: string + maxLength: 255 + user-agent-header: + description: 'ICAP User Agent Header' + type: string + maxLength: 255 + query-params: + description: 'Query parameters to be included with ICAP request URI. Entered values should be in arg=value format. For more than one parameters, add & separated values. e.g.: arg1=val1&arg2=val2' + type: string + maxLength: 511 + connection-keep-alive: + description: 'Enable or Disable sending Allow: 204 header in ICAP request.' + type: string + enum: ["ENABLED", "DISABLED"] + insert-icap-headers: + description: 'Insert custom ICAP headers in the ICAP request to send to ICAP server. The headers can be static or can be dynamically constructed using PI Policy Expression. For example, to send static user agent and Client''s IP address, the expression can be specified as "User-Agent: NS-ICAP-Client/V1.0r0-Client-IP: "+CLIENT.IP.SRC+"r0. The NetScaler does not check the validity of the specified header name-value. You must manually validate the specified header syntax.' + type: string + maxLength: 8191 + insert-http-request: + description: 'Exact HTTP request, in the form of an expression, which the NetScaler encapsulates and sends to the ICAP server. If you set this parameter, the ICAP request is sent using only this header. This can be used when the HTTP header is not available to send or ICAP server only needs part of the incoming HTTP request. The request expression is constrained by the feature for which it is used. The NetScaler does not check the validity of this request. You must manually validate the request.' + type: string + maxLength: 8191 + req-timeout: + description: 'Time, in seconds, within which the remote server should respond to the ICAP-request. If the Netscaler does not receive full response with this time, the specified request timeout action is performed. Zero value disables this timeout functionality.' 
+ type: integer + minimum: 0 + maximum: 86400 + req-timeout-action: + description: 'Name of the action to perform if the Vserver/Server representing the remote service does not respond with any response within the timeout value configured. The Supported actions are * BYPASS - This Ignores the remote server response and sends the request/response to Client/Server. * If the ICAP response with Encapsulated headers is not received within the request-timeout value configured, this Ignores the remote ICAP server response and sends the Full request/response to Server/Client' + type: string + enum: ['BYPASS', 'DROP', 'RESET'] + log-action: + description: 'Name of the audit message action which would be evaluated on receiving the ICAP response to emit the logs' + type: string + maxLength: 127 + required: + - uri + content-inspection-criteria: + description: 'Expression that the policy uses to determine whether to execute the specified action.' + type: string + maxLength: 1499 + default-action: + description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). An UNDEF event indicates an internal error condition. Only the above built-in actions can be used' + type: string + maxLength: 127 + log-action: + description: 'Name of the messagelog action to use for requests that match this policy.' + type: string + maxLength: 127 + goto-priority-expression: + description: 'Expression or other value specifying the next policy to be evaluated if the current policy evaluates to TRUE.Specify one of the following values:* NEXT - Evaluate the policy with the next higher priority number.* END - End policy evaluation.Default value of goto-priority-expression: END' + type: string + operation: + description: 'Type of operation this action is going to perform. following actions are available to configure: * ICAP - forward the incoming request or response to an ICAP server for modification. 
* INLINEINSPECTION - forward the incoming or outgoing packets to IPS server for Intrusion Prevention. * MIRROR - Forwards cloned packets for Intrusion Detection. * NOINSPECTION - This does not forward incoming and outgoing packets to the Inspection device. * NSTRACE - capture current and further incoming packets on this transaction.' + type: string + enum: ['ICAP', 'INLINEINSPECTION', 'MIRROR', 'NOINSPECTION'] + server-failure-action: + description: 'Name of the action to perform if the Vserver representing the remote service is not UP. This is not supported for NOINSPECTION Type. The Supported actions are: * RESET - Reset the client connection by closing it. The client program, such as a browser, will handle this and may inform the user. The client may then resend the request if desired. * DROP - Drop the request without sending a response to the user. * CONTINUE - It bypasses the ContentIsnpection and Continues/resumes the Traffic-Flow to Client/Server.' + type: string + enum: ['CONTINUE', 'DROP', 'RESET'] + oneOf: + - required: [preconfigured-profile] + - required: [profile] + required: + - direction + - content-inspection-criteria + - operation + required: + - ingressclass + - services + - icap-servers + - icap +--- diff --git a/netscaler-ingress-controller/templates/deployment.yaml b/netscaler-ingress-controller/templates/deployment.yaml index d818371..15831c2 100644 --- a/netscaler-ingress-controller/templates/deployment.yaml +++ b/netscaler-ingress-controller/templates/deployment.yaml 
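Review bot: The spec-level `required` list makes `ingressclass` mandatory while its description says an unset value means every controller processes the resource; trim the description to match or drop `ingressclass` from `required`. The `SSL_TCP` default for `server-type` is not backed by a schema rule that `server_host_cert` be present, which the description calls mandatory; `anyOf: [{properties: {server-type: {enum: ['TCP']}}}, {required: [server_host_cert]}]` under `icap-servers` closes that gap at admission time instead of at configuration push. `operation` describes `NSTRACE` but does not allow it in the enum, and `goto-priority-expression` lacks the `maxLength` its sibling expression fields carry. This file has the same blob hashes as the CPX chart's crds.yaml (02cda1e..553b938), so the two are byte-identical copies; generating both from one source would stop them drifting.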
@@ -93,10 +93,12 @@ spec:
 - name: "NS_NITRO_READ_TIMEOUT"
 value: "{{ .Values.nitroReadTimeout }}"
 {{- end }}
-{{- if .Values.enableLivenessProbe}}
+{{- if .Values.enableLivenessProbe }}
 - name: "LIVENESS_FILE_PATH"
 value: '/tmp/liveness_path.log'
 {{- end }}
+ - name: "ENABLE_LIVENESS_PROBE"
+ value: {{ .Values.enableLivenessProbe | quote }}
 - name: "NS_USER"
 {{- if and .Values.secretStore.enabled .Values.secretStore.username}}
 {{- toYaml .Values.secretStore.username | nindent 10 }}
diff --git a/netscaler-ingress-controller/templates/rbac.yaml b/netscaler-ingress-controller/templates/rbac.yaml
index 44c9328..c25ee3e 100644
--- a/netscaler-ingress-controller/templates/rbac.yaml
+++ b/netscaler-ingress-controller/templates/rbac.yaml
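Review bot: `value: {{ .Values.enableLivenessProbe | quote }}` is emitted unconditionally, unlike `LIVENESS_FILE_PATH` just above it, which is still gated on `{{- if .Values.enableLivenessProbe }}`; when the value is unset the `quote` pipeline presumably renders an empty `value:`, so the controller would see an empty string rather than an explicit boolean. Consider `value: {{ .Values.enableLivenessProbe | default false | quote }}` so the env var is always `"true"` or `"false"`, with a comment above the entry such as `# Always exported so the controller can distinguish an explicit false from an unset value`. The ipam chart in this same commit uses `squote` for its env values; one helper per repo would keep rendered output uniform. The enclosing `env:` list starts and ends outside this hunk.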
@@ -41,10 +41,10 @@ rules:
 resources: ["deployments"]
 verbs: ["get", "list", "watch"]
 - apiGroups: ["citrix.com"]
- resources: ["rewritepolicies", "continuousdeployments", "authpolicies", "ratelimits", "listeners", "httproutes", "wafs", "apigatewaypolicies", "bots", "corspolicies", "appqoepolicies", "wildcarddnsentries"]
+ resources: ["rewritepolicies", "icappolicies", "continuousdeployments", "authpolicies", "ratelimits", "listeners", "httproutes", "wafs", "apigatewaypolicies", "bots", "corspolicies", "appqoepolicies", "wildcarddnsentries"]
 verbs: ["get", "list", "watch", "create", "delete", "patch"]
 - apiGroups: ["citrix.com"]
- resources: ["rewritepolicies/status", "continuousdeployments/status", "authpolicies/status", "ratelimits/status", "listeners/status", "httproutes/status", "wafs/status", "apigatewaypolicies/status", "bots/status", "corspolicies/status", "appqoepolicies/status", "wildcarddnsentries/status"]
+ resources: ["rewritepolicies/status", "icappolicies/status", "continuousdeployments/status", "authpolicies/status", "ratelimits/status", "listeners/status", "httproutes/status", "wafs/status", "apigatewaypolicies/status", "bots/status", "corspolicies/status", "appqoepolicies/status", "wildcarddnsentries/status"]
 verbs: ["patch"]
 - apiGroups: ["citrix.com"]
 resources: ["vips"]
diff --git a/netscaler-ingress-controller/values.yaml b/netscaler-ingress-controller/values.yaml
index 480efd8..801677c 100644
--- a/netscaler-ingress-controller/values.yaml
+++ b/netscaler-ingress-controller/values.yaml
@@ -5,7 +5,7 @@
 # NetScaler Ingress Controller config details
 imageRegistry: quay.io
 imageRepository: netscaler/netscaler-k8s-ingress-controller
-imageTag: 2.1.4
+imageTag: 2.2.10
 image: "{{ .Values.imageRegistry }}/{{ .Values.imageRepository }}:{{ .Values.imageTag }}"
 pullPolicy: IfNotPresent
 imagePullSecrets: []
diff --git a/netscaler-ipam-controller/Chart.yaml b/netscaler-ipam-controller/Chart.yaml
index 9a391a8..bf92cb3 100644
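Review bot: Adding `"icappolicies"` to the rule that ends in `verbs: ["get", "list", "watch", "create", "delete", "patch"]` grants the controller write access to a CR that steers user traffic to an external ICAP server, while the `/status` subresource rule below already covers the one write the controller clearly needs. Whether the controller ever creates or deletes `icappolicies` itself is not visible in this chart; the existing entries carry the same verbs, so this may be deliberate, but a least-privilege review would want the write verbs on the resource justified or `icappolicies` moved to a read-only rule. A comment above the entry, `# icappolicies: consumed from user namespaces; status is written via the /status subresource rule below`, would record the decision. The `rules:` list starts and ends outside this hunk.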
--- a/netscaler-ipam-controller/Chart.yaml
+++ b/netscaler-ipam-controller/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v2
 name: netscaler-ipam-controller
 description: A Helm chart for NetScaler IPAM Controller which automatically allocate an IP address to the service of type LoadBalancer.
-version: 1.2.0
-appVersion: "1.2.0"
+version: 2.0.1
+appVersion: "2.0.1"
 type: application
 icon: https://raw.githubusercontent.com/netscaler/netscaler-helm-charts/gh-pages/netscaler.png
 home: https://www.cloud.com
diff --git a/netscaler-ipam-controller/README.md b/netscaler-ipam-controller/README.md
index 4028d1e..1566214 100644
--- a/netscaler-ipam-controller/README.md
+++ b/netscaler-ipam-controller/README.md
@@ -52,10 +52,18 @@ The following table lists the configurable parameters of the NetScaler CPX with
 | ---------- | --------------------- | ------------- | ----------- |
 | imageRegistry | Mandatory | `quay.io` | The NetScaler IPAM Contoller image registry |
 | imageRepository | Mandatory | `netscaler/netscaler-ipam-controller` | The NetScaler IPAM Contoller image repository |
-| imageTag | Mandatory | `1.2.0` | The NetScaler IPAM Contoller image tag |
+| imageTag | Mandatory | `2.0.1` | The NetScaler IPAM Contoller image tag |
 | pullPolicy | Mandatory | `IfNotPresent` | The NetScaler IPAM Contoller image pull policy. |
 | vipRange | Mandatory | N/A | This variable allows you to define the IP address range. You can either define IP address range or an IP address range associated with a unique name. NetScaler IPAM controller assigns the IP address from this IP address range to the service of type LoadBalancer. |
 | reuseIngressVip| Optional | True | This variable allows you to use same IP for all ingresses using the same vipRange. |
+| cluster| Mandatory if infoblox.enabled is true| N/A | This variable allows you to provide cluster name thatis used to identify the cluster in which the IPAM controller is deployed. |
+| infoblox.enabled| Optional | false | Boolean value that allows yout to enable/disable infoblox IPAM. |
+| infoblox.gridHost| Mandatory if infoblox.enabled is true| N/A | This variable allows yout to provide infoblox grid host IP or FQDN. |
+| infoblox.credentialSecret| Mandatory if infoblox.enabled is true| N/A | This variable allows yout to provide infoblox grid host IP or FQDN. |
+| infoblox.httpTimeout| Optional | 10 | This variable allows yout to provide infoblox client HTTP Timeout in seconds. 
|
+| infoblox.maxRetries| Optional | 3 | This variable allows yout to provide infoblox client max retries in case of failure |
+| infoblox.netView| Optional | default | This variable allows yout to provide infoblox Netview |
+| infoblox.vipRange| Mandatory if infoblox.enabled is true | N/A | This variable allows yout to provide infoblox IPAM VIP Range |
 Alternatively, you can define a YAML file with the values for the parameters and pass the values while installing the chart.
diff --git a/netscaler-ipam-controller/templates/deployment.yaml b/netscaler-ipam-controller/templates/deployment.yaml
index 8a32556..7e0f24b 100644
--- a/netscaler-ipam-controller/templates/deployment.yaml
+++ b/netscaler-ipam-controller/templates/deployment.yaml
@@ -30,3 +30,47 @@ spec:
 - name: "REUSE_INGRESS_VIP"
 value: {{ .Values.reuseIngressVip | squote }}
 {{- end }}
+{{- if .Values.infoblox.enabled}}
+ # Cluster name is used to identify the cluster in which the IPAM controller is deployed. This is required
+ - name: "CLUSTER_NAME"
+ value: {{ required "Provide a Cluster name where IPAM Controller is deployed" .Values.cluster | squote }}
+ - name: "IPAM_PROVIDER"
+ value: "infoblox"
+ - name: "INFOBLOX_GRID_HOST"
+ value: {{ required "Provide Infoblox Grid Host IP or FQDN" .Values.infoblox.gridHost | squote }}
+ - name: "INFOBLOX_USERNAME"
+ valueFrom:
+ secretKeyRef:
+ name: {{ required "Provide Infoblox credential Secret" .Values.infoblox.credentialSecret }}
+ key: username
+ - name: "INFOBLOX_PASSWORD"
+ valueFrom:
+ secretKeyRef:
+ name: {{ required "Provide Infoblox credential Secret" .Values.infoblox.credentialSecret }}
+ key: password
+{{- if .Values.infoblox.httpTimeout }}
+ - name: "HTTP_TIMEOUT"
+ value: {{ .Values.infoblox.httpTimeout | squote }}
+{{ else }}
+ - name: "HTTP_TIMEOUT"
+ value: "10"
+{{- end }}
+{{- if .Values.infoblox.maxRetries }}
+ - name: "MAX_RETRIES"
+ value: {{ .Values.infoblox.maxRetries | squote }}
+{{ else }}
+ - name: "MAX_RETRIES"
+ value: "3"
+{{- end }}
+{{- if .Values.infoblox.netView }}
+ # InfoBlox NetView is used to identify the network view. If this is not given, the default network view is used
+ - name: "INFOBLOX_NETVIEW"
+ value: {{ .Values.infoblox.netView | squote }}
+{{ else }}
+ - name: "INFOBLOX_NETVIEW"
+ value: "default"
+{{- end }}
+ # InfoBlox Network Range is used to identify the network range from where IPs will be assigned. There should not be a conflict with the existing IPs
+ - name: "INFOBLOX_NETWORKS"
+ value: {{ required "Provide IPs or IP range for Infoblox in CIDR form" .Values.infoblox.vipRange | squote }}
+{{- end }}
diff --git a/netscaler-ipam-controller/values.yaml b/netscaler-ipam-controller/values.yaml
index f33843c..1775619 100644
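Review bot: Both `secretKeyRef` entries render `name: {{ required "Provide Infoblox credential Secret" .Values.infoblox.credentialSecret }}` without a quoting helper, while every other templated value in this hunk goes through `squote`; a Secret named with digits only or a boolean-looking word would be retyped by the YAML parser and the pod would fail to resolve the reference, so pipe it through `| quote`. The hard-coded `username` and `password` keys are the only contract the operator has to satisfy, yet nothing documents them and the README row for `infoblox.credentialSecret` in this same commit repeats the gridHost text; a comment above the first `secretKeyRef`, `# Secret must carry the keys "username" and "password"`, closes that gap. Pulling the grid credentials from a Secret rather than from values is the right shape; keep it that way rather than adding plaintext `infoblox.username`/`infoblox.password` values later. The three `{{- if … }} / {{ else }} / {{- end }}` blocks for `HTTP_TIMEOUT`, `MAX_RETRIES` and `INFOBLOX_NETVIEW` each duplicate an env entry to apply a fallback and leave blank lines behind because `{{ else }}` is untrimmed; sprig's `default` yields the same value for the same inputs (empty string and zero both fall through) in one line each. The `env:` list continues outside this hunk.

```yaml
# … unchanged: CLUSTER_NAME, IPAM_PROVIDER, INFOBLOX_GRID_HOST …
          - name: "INFOBLOX_USERNAME"
            valueFrom:
              secretKeyRef:
                # Secret must carry the keys "username" and "password"
                name: {{ required "Provide Infoblox credential Secret" .Values.infoblox.credentialSecret | quote }}
                key: username
# … unchanged: INFOBLOX_PASSWORD, same Secret with key password, quoted the same way …
          - name: "HTTP_TIMEOUT"
            value: {{ .Values.infoblox.httpTimeout | default "10" | squote }}
          - name: "MAX_RETRIES"
            value: {{ .Values.infoblox.maxRetries | default "3" | squote }}
          # Network view in which vipRange is resolved; "default" when not set
          - name: "INFOBLOX_NETVIEW"
            value: {{ .Values.infoblox.netView | default "default" | squote }}
# … unchanged: INFOBLOX_NETWORKS …
```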
--- a/netscaler-ipam-controller/values.yaml
+++ b/netscaler-ipam-controller/values.yaml
@@ -4,7 +4,7 @@
 imageRegistry: quay.io
 imageRepository: netscaler/netscaler-ipam-controller
-imageTag: 1.2.0
+imageTag: 2.0.1
 image: "{{ .Values.imageRegistry }}/{{ .Values.imageRepository }}:{{ .Values.imageTag }}"
 pullPolicy: IfNotPresent
@@ -13,6 +13,16 @@ nameOverride: ""
 fullnameOverride: ""
 reuseIngressVip: "True"
+cluster: ""
+infoblox:
+  enabled: false
+  gridHost: ""
+  credentialSecret: ""
+  httpTimeout: ""
+  maxRetries: ""
+  netView: ""
+  vipRange:
+
 serviceAccount:
 # Specifies whether a service account should be created
 create: true
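Review bot: `vipRange:` is the only new key left as a bare empty value, which YAML reads as null, while its siblings (`gridHost: ""`, `credentialSecret: ""`, `netView: ""`) are empty strings; Helm's `required` rejects both so the template still fails closed, but the inconsistency trips yamllint's `empty-values` rule where it is enabled and makes the intended type unclear, so write `vipRange: ""` like the others. `credentialSecret: ""` is where an operator first meets the Infoblox credential contract, and nothing here says what the Secret must contain; add `# Name of an existing Secret in the release namespace with keys "username" and "password"` above it. `httpTimeout: ""` and `maxRetries: ""` are strings although the README in this commit documents numeric defaults of 10 and 3; a comment such as `# Leave empty to use the controller defaults (10 s timeout, 3 retries)` records why they are blank rather than numeric. The `infoblox:` mapping is complete within the hunk; `serviceAccount:` continues outside it.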